Configure and manage virtual networks in Azure
📘 Microsoft Certified: Azure Administrator Associate (AZ-104)
1. Introduction to Routing in Azure
Azure virtual networks (VNets) use routing to decide how network traffic moves from one subnet to another, or from a subnet to external networks.
Azure automatically creates a default system routing table for every subnet. This system routing includes:
| Route Type | Destination | Next Hop |
|---|---|---|
| Default route to the internet | 0.0.0.0/0 | Internet |
| Route within the VNet | VNet address ranges | VNet local |
| Route to on-premises | On-prem prefixes | Gateway |
| Route for private endpoints | Private Link ranges | Interface |
These built-in routes work well for most environments.
However, you may need custom routing when you want to control how traffic flows, especially in secure or complex architectures.
This is where User-Defined Routes (UDRs) come in.
2. What Are User-Defined Routes?
User-Defined Routes are custom routes created by administrators to override or add to Azure’s system routes.
UDRs help you control exactly where traffic should go, which is important in enterprise environments that use:
- Network Virtual Appliances (NVAs)
- Firewalls (Azure Firewall, Barracuda, Palo Alto, etc.)
- Centralized security inspection
- Traffic segmentation
- Forced tunneling to on-premises
UDRs are stored inside a Route Table, and each Route Table can be assigned to one or more subnets.
3. Why Are User-Defined Routes Needed?
Azure’s default routes cannot handle every network design.
UDRs are used when you need to:
(1) Forward all outbound traffic to a firewall (Forced Tunneling)
Example:
All VMs in the workload subnet must send traffic to the Azure Firewall for inspection.
(2) Send traffic between subnets through a Network Virtual Appliance (NVA)
Example:
Traffic between Prod and Dev subnets must go through a security appliance.
(3) Override system routes
Example:
Azure may automatically route traffic directly between subnets, but you want it to route through a firewall.
(4) Define routes for custom IP ranges
Example:
An on-premises network adds new IP ranges that Azure is unaware of.
(5) Control routing for virtual appliances
Example:
You want to use a third-party router VM to manage traffic between VNets.
4. Key Concepts for UDRs
4.1 Route Tables
A Route Table is a container that stores one or more routes.
You associate a Route Table with a subnet (not with a NIC or a VM).
Important Exam Point:
Routes inside a Route Table apply to all resources inside that subnet.
4.2 Route Components
Each UDR contains:
| Component | Description |
|---|---|
| Address Prefix | The destination IP range (CIDR). |
| Next Hop Type | The next device Azure should send traffic to. |
| Next Hop Address | Required for some hop types (e.g., Virtual Appliance). |
4.3 Next Hop Types (Very Important for the Exam!)
| Next Hop Type | Use Case |
|---|---|
| Virtual Appliance | Send traffic to a firewall/NVA (common). |
| Virtual Network Gateway | Send traffic to on-premises. |
| Internet | Force a subnet to use the internet directly. |
| None | Drop the traffic (blackhole route). |
| Virtual Network | Used to override default VNet routes (rare). |
Most common in enterprises:
✔ Virtual Appliance
✔ Virtual Network Gateway
5. How Azure Chooses Routes (Route Selection Order)
Azure follows a priority order when selecting a route:
Highest → Lowest Priority
- User-Defined Routes (UDRs)
- Border Gateway Protocol (BGP) routes (from VPN/ExpressRoute)
- System default routes
Meaning:
If a UDR exists, it overrides everything else.
6. Configuring UDRs (Step-by-Step)
Step 1: Create a Route Table
Azure Portal → Search Route tables → Create → Fill:
- Name
- Region
- Subscription
- Resource group
- Propagate gateway routes: Yes/No
Propagate Gateway Routes
- Yes: BGP routes learned from on-premises are added to the table automatically
- No: BGP routes are not added; choose this when you want complete control (firewall-heavy designs)
Step 2: Add Routes
Inside the Route Table → Routes → Add
You specify:
- Address prefix: e.g., 10.20.0.0/16
- Next hop type: Virtual appliance
- Next hop address: IP of firewall or NVA (must be inside the same VNet)
Step 3: Associate Route Table with a Subnet
Route Table → Subnets → Associate → Choose VNet + Subnet
Once associated, the UDRs apply immediately.
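The three steps above map directly onto the properties of a Microsoft.Network/routeTables resource, and the portal choices ("Propagate gateway routes", "Next hop type", "Next hop address") are just field values in that resource. The following is an added example, not part of the original notes, that builds a route table definition in ARM template form and applies the checks a reviewer would want before the table is associated with a subnet: the prefix must be a valid CIDR, a Virtual appliance route needs a next hop address that sits inside the VNet address space, and the other next hop types must not carry one. The VNet address space (10.10.0.0/16), the NVA address (10.10.1.4), the route names and the apiVersion are constructed assumptions for this example.

```python
import ipaddress
import json

# Constructed sample values for this example (not from the original notes):
VNET_ADDRESS_SPACE = "10.10.0.0/16"   # hypothetical workload VNet
NVA_IP = "10.10.1.4"                   # hypothetical firewall/NVA private IP inside that VNet
API_VERSION = "2023-05-01"             # assumed Microsoft.Network API version; adjust to your tenant

# Enum values of routes[].properties.nextHopType in the ARM resource.
# Portal name -> ARM value: Virtual appliance -> VirtualAppliance, Virtual network gateway ->
# VirtualNetworkGateway, Virtual network -> VnetLocal, Internet -> Internet, None -> None.
HOP_TYPES_NEEDING_IP = {"VirtualAppliance"}
HOP_TYPES_WITHOUT_IP = {"VirtualNetworkGateway", "VnetLocal", "Internet", "None"}


def make_route(name, address_prefix, next_hop_type, next_hop_ip=None,
               vnet_space=VNET_ADDRESS_SPACE):
    """Validate one UDR, then return it in the shape the ARM resource expects."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 10.20.0.1/16
        prefix = ipaddress.ip_network(address_prefix, strict=True)
    except ValueError as exc:
        raise ValueError(f"{name}: address prefix {address_prefix!r} is not a valid CIDR: {exc}")

    if next_hop_type in HOP_TYPES_NEEDING_IP:
        if next_hop_ip is None:
            raise ValueError(f"{name}: next hop type {next_hop_type} requires a next hop address")
        hop = ipaddress.ip_address(next_hop_ip)
        # Rule from the notes: the appliance address must be inside the same VNet.
        if hop not in ipaddress.ip_network(vnet_space):
            raise ValueError(f"{name}: next hop {next_hop_ip} is outside VNet space {vnet_space}")
    elif next_hop_type in HOP_TYPES_WITHOUT_IP:
        if next_hop_ip is not None:
            raise ValueError(f"{name}: next hop type {next_hop_type} does not take a next hop address")
    else:
        raise ValueError(f"{name}: unknown next hop type {next_hop_type!r}")

    props = {"addressPrefix": str(prefix), "nextHopType": next_hop_type}
    if next_hop_ip is not None:
        props["nextHopIpAddress"] = next_hop_ip
    return {"name": name, "properties": props}


def make_route_table(name, location, routes, propagate_gateway_routes=True):
    """Build the route table resource.

    The portal's "Propagate gateway routes: No" is the inverse of the API's
    disableBgpRoutePropagation flag, which is the kind of inversion that silently
    drops on-premises routes when it is set the wrong way round.
    """
    return {
        "type": "Microsoft.Network/routeTables",
        "apiVersion": API_VERSION,
        "name": name,
        "location": location,
        "properties": {
            "disableBgpRoutePropagation": not propagate_gateway_routes,
            "routes": list(routes),
        },
    }


def build_template(route_table):
    """Wrap the resource in a minimal ARM deployment template."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [route_table],
    }


if __name__ == "__main__":
    table = make_route_table(
        "rt-workload", "eastus",
        routes=[
            # Step 2 from the notes: 10.20.0.0/16 via the firewall/NVA
            make_route("to-branch-via-nva", "10.20.0.0/16", "VirtualAppliance", NVA_IP),
            # Everything else via the same appliance for inspection
            make_route("default-via-nva", "0.0.0.0/0", "VirtualAppliance", NVA_IP),
            # Blackhole a quarantined range
            make_route("blackhole-quarantine", "10.30.0.0/16", "None"),
        ],
        propagate_gateway_routes=False,
    )
    print(json.dumps(build_template(table), indent=2))
```

Write the printed JSON to a file and deploy it with `az deployment group create --resource-group <rg> --template-file <file>`; the subnet association (Step 3) is a separate property on the subnet resource and is not part of this template.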
7. Important IT Use Cases (Exam-Relevant)
Use Case 1: Route all traffic through Azure Firewall
Route:
| Destination | Next Hop |
|---|---|
| 0.0.0.0/0 | Virtual appliance (Firewall IP) |
Used for:
- Internet-bound security inspection
- Enterprise security compliance
Use Case 2: Forced tunneling to on-premises
Route:
| Destination | Next Hop |
|---|---|
| 0.0.0.0/0 | Virtual network gateway |
Used when:
- Company wants internet breakout from on-premises, not Azure
- Azure VMs must follow the organization’s central firewall policies
Use Case 3: Directing subnet-to-subnet traffic through an NVA
By default, Azure routes traffic between subnets directly.
If you want to inspect traffic:
Route (for Subnet A):
| Destination | Next Hop |
|---|---|
| Subnet B’s prefix | Virtual appliance (NVA IP) |
Use Case 4: Blackhole Route (Drop Traffic)
Useful for security isolation.
Route:
| Destination | Next Hop |
|---|---|
| 10.30.0.0/16 | None |
This blocks communication to that range entirely.
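The four use cases above are all applications of the selection order in section 5. The following added example, which is not part of the original notes, simulates that selection against a constructed system route table (a hypothetical VNet 10.10.0.0/16 with the NVA at 10.10.1.4) and runs each use case through it. It goes one step beyond the priority list in section 5: Azure matches the longest prefix first and applies the UDR > BGP > System order only among routes that share the same prefix, which is why a 0.0.0.0/0 route to the firewall (Use Case 1) still leaves VNet-local traffic on the system route, and why Use Case 3 needs a route for the other subnet's own prefix. All route entries, addresses and names here are constructed for the example.

```python
import ipaddress

# Route source priority for routes that share the same prefix (section 5 of the notes).
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}


def route(prefix, next_hop, source="User", next_hop_ip=None):
    """One routing entry; next_hop uses the ARM nextHopType names."""
    return {"prefix": prefix, "next_hop": next_hop, "next_hop_ip": next_hop_ip, "source": source}


def select_route(routes, destination):
    """Return the effective route for one destination address.

    Step 1: keep only routes whose prefix contains the destination.
    Step 2: prefer the longest prefix.
    Step 3: among equal prefixes, prefer User (UDR), then BGP, then System.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen, SOURCE_PRIORITY[r["source"]]),
    )


# Constructed system routes Azure would create for a hypothetical VNet 10.10.0.0/16.
SYSTEM_ROUTES = [
    route("10.10.0.0/16", "VnetLocal", source="System"),
    route("0.0.0.0/0", "Internet", source="System"),
]

# Constructed BGP-learned on-premises prefix, present when "Propagate gateway routes" is Yes.
BGP_ROUTES = [route("192.168.0.0/16", "VirtualNetworkGateway", source="BGP")]

NVA_IP = "10.10.1.4"  # hypothetical firewall/NVA address inside the VNet

# The four use cases from the notes, expressed as UDR sets.
UDR_FIREWALL = [route("0.0.0.0/0", "VirtualAppliance", next_hop_ip=NVA_IP)]      # Use Case 1
UDR_FORCED_TUNNEL = [route("0.0.0.0/0", "VirtualNetworkGateway")]                # Use Case 2
UDR_SUBNET_B_VIA_NVA = [route("10.10.2.0/24", "VirtualAppliance", next_hop_ip=NVA_IP)]  # Use Case 3
UDR_BLACKHOLE = [route("10.30.0.0/16", "None")]                                   # Use Case 4


def next_hop_for(udrs, destination, bgp_routes=()):
    """Effective (next_hop, source) for a destination, given the subnet's UDRs."""
    chosen = select_route(SYSTEM_ROUTES + list(bgp_routes) + list(udrs), destination)
    return None if chosen is None else (chosen["next_hop"], chosen["source"])


if __name__ == "__main__":
    scenarios = [
        ("no UDR, internet host", [], "8.8.8.8"),
        ("Use Case 1, internet host", UDR_FIREWALL, "8.8.8.8"),
        ("Use Case 1, VNet-local host (system /16 still wins)", UDR_FIREWALL, "10.10.2.7"),
        ("Use Case 2, internet host", UDR_FORCED_TUNNEL, "8.8.8.8"),
        ("Use Case 3, host in subnet B", UDR_SUBNET_B_VIA_NVA, "10.10.2.7"),
        ("Use Case 4, quarantined range", UDR_BLACKHOLE, "10.30.5.5"),
    ]
    for label, udrs, dst in scenarios:
        print(f"{label:55} {dst:>12} -> {next_hop_for(udrs, dst)}")
    print("BGP route with no UDR ->", next_hop_for([], "192.168.1.1", BGP_ROUTES))
    print("BGP route overridden by UDR ->",
          next_hop_for([route("192.168.0.0/16", "VirtualAppliance", next_hop_ip=NVA_IP)],
                       "192.168.1.1", BGP_ROUTES))
```

The "VNet-local host" scenario is the one worth remembering for the exam and for real designs: a 0.0.0.0/0 route to a firewall inspects traffic leaving the VNet, but subnet-to-subnet traffic inside the VNet only passes through the appliance when the route table also carries a more specific route for that subnet's prefix (Use Case 3).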
8. Limitations and Important Notes (Exam Critical)
(1) UDRs work at the subnet level only
You cannot assign a route table to:
- VM
- NIC
- Virtual network
(2) Virtual appliance must be inside the same VNet
You cannot route traffic to an NVA IP in another VNet unless:
- VNet peering is enabled
- “Use remote gateways” and “Allow forwarded traffic” are enabled on the peering
(3) Azure Firewall must be in the same region
You can’t route cross-region traffic through Azure Firewall unless you are using a secured hub.
(4) UDRs override system routes
Even if Azure automatically creates routes, UDRs win.
(5) Private endpoints ignore UDRs
Private endpoints use system routes only.
(6) UDRs do not affect traffic entering the subnet
They only control outbound traffic from the subnet.
9. Troubleshooting UDRs (Exam Scenarios)
Problem 1: VM loses internet access
Cause:
A UDR sends 0.0.0.0/0 to an appliance that cannot reach the internet.
Solution:
Add a return route or use Azure Firewall.
Problem 2: Traffic not reaching NVA
Cause:
- NSG blocking traffic
- “IP forwarding” not enabled on the NVA NIC
Solution:
Enable IP forwarding on the NVA’s NIC (required for all routers/firewalls).
Problem 3: On-premises routes not propagating
Cause:
Route Table has “Propagate gateway routes = No”.
Solution:
Enable propagation or manually add UDRs.
10. Exam Tips & Keywords to Remember
✔ UDRs override BGP and system routes
✔ Always associate Route Table with a subnet
✔ Used for Azure Firewall, NVA, forced tunneling
✔ IP forwarding must be enabled on NVAs
✔ 0.0.0.0/0 route is most common for security
✔ Private Endpoints ignore UDRs
✔ Next hop types: Virtual appliance, Internet, VNet Gateway, None
Conclusion
User-Defined Routes (UDRs) are an important part of configuring and managing Azure virtual networks.
They allow administrators to control traffic flow, enforce security policies, and integrate advanced routing solutions like firewalls and network virtual appliances.
Understanding UDRs is essential for both the AZ-104 exam and real-world Azure network design.
