Routing in Azure is the process of directing network traffic between different resources within Azure, on-premises networks, and the internet.
It defines how packets travel within virtual networks (VNets) or between VNets, subnets, and external networks.
Azure uses a combination of system routes and user-defined routes to manage and customize this traffic flow.
Key Concepts of Routing in Azure
System Routes
Azure automatically creates system routes for every subnet in a VNet.
These routes are managed by Azure and handle most common network traffic scenarios.
System routes include:
Local traffic: Routes within the same VNet.
Internet-bound traffic: Routes to and from the internet via the public IP of a resource.
VNet peering traffic: Routes between peered VNets.
Service traffic: Routes to Azure services using service endpoints or Private Link.
User-Defined Routes (UDRs)
Custom routes that override system routes for specific traffic flows.
Created by associating a route table with a subnet.
Commonly used for scenarios like:
Forcing internet-bound traffic through a Network Virtual Appliance (NVA) for inspection.
Creating routes to on-premises networks via VPN or ExpressRoute.
Route Tables
Logical containers for routing rules.
Can be associated with one or more subnets.
Rules define address prefixes, next hops, and priorities.
Next Hop Types
Azure routing supports various next hop options:
Virtual Network: Traffic within the VNet.
Internet: Routes traffic to the internet.
Virtual Network Gateway: Routes traffic to on-premises via VPN/ExpressRoute.
Network Virtual Appliance (NVA): A custom virtual appliance for advanced traffic handling.
None: Explicitly drops traffic.
Border Gateway Protocol (BGP) Routes
Routes propagated dynamically by ExpressRoute or VPN gateways.
Used for integrating on-premises networks with Azure VNets.
How Routing Works in Azure
1. Default System Routing
Azure automatically creates routes for traffic within a VNet and for internet-bound traffic if the resource has a public IP.
For example:
Traffic destined for
10.0.0.0/16is routed locally within the VNet.Traffic destined for
0.0.0.0/0is routed to the internet.
2. Customizing Routing with UDRs
Override system routes by attaching a route table to a subnet.
Example:
Force traffic destined for
0.0.0.0/0through a Network Virtual Appliance for inspection.
3. Integration with VPN or ExpressRoute
Traffic to on-premises networks is routed via Virtual Network Gateway routes.
BGP routes are used for dynamic routing between Azure and on-premises.
4. Routing Priority
Azure evaluates routes in the following order:
User-defined routes (UDRs) take precedence over system routes.
BGP routes override system routes but are overridden by UDRs.
Types of Routing Scenarios
1. Traffic Inspection
Objective
Direct all outbound traffic through a Network Virtual Appliance (NVA) for security inspection.
Solution
Create a route table with a route for
0.0.0.0/0.Set the next hop to the private IP of the NVA.
Associate the route table with the subnet.
2. Force-Tunneling to On-Premises
Objective
Send internet-bound traffic through on-premises firewalls for inspection.
Solution
Create a UDR with a route for
0.0.0.0/0.Set the next hop to a Virtual Network Gateway.
3. Service Endpoint Traffic
Objective
Route traffic to Azure services over the Azure backbone network instead of the internet.
Solution
Enable service endpoints for the required service (e.g., Azure Storage).
Azure automatically adds system routes for this traffic.
4. Peered VNets
Objective
Route traffic between peered VNets in different regions.
Solution
Azure automatically creates routes for peered VNet communication.
Add UDRs if you need traffic to flow through a specific appliance.
Routing Configuration: Step-by-Step
1. Configure System Routes
System routes are automatically configured, so no action is required unless you need custom routing.
2. Create a Route Table
Go to the Azure portal.
Navigate to Route Tables → + Create.
Provide details like name, region, and resource group.
3. Add Routes
Open the route table.
Select Routes → + Add.
Configure:
Address prefix: Destination traffic (e.g.,
0.0.0.0/0for all traffic).Next hop type: Choose the next hop (e.g., Virtual Appliance, Gateway).
Next hop address: Provide the IP address (if required).
4. Associate the Route Table with Subnets
Open the route table.
Select Subnets → + Associate.
Choose the VNet and subnet to associate with the route table.
5. Test Connectivity
Deploy a VM in the subnet.
Use tools like
tracerouteorpingto validate traffic routing.
Routing Use Cases
Use Case 1: Multi-Tier Applications
Scenario
A front-end subnet communicates with a back-end subnet through a firewall.
Solution
Create a UDR to route traffic from the front-end subnet to the firewall.
Set up another route from the firewall to the back-end subnet.
Use Case 2: Cross-Region VNet Communication
Scenario
VNets in different regions need to communicate securely.
Solution
Use VNet peering or a Virtual Network Gateway.
Add UDRs if traffic must pass through an NVA.
Use Case 3: Internet Traffic Restriction
Scenario
Prevent VMs in a subnet from accessing the internet.
Solution
Create a UDR with a next hop type of None for
0.0.0.0/0.
Routing Best Practices in Azure
1. Minimize Route Complexity
Use as few custom routes as necessary to simplify management.
2. Combine with NSGs
Use Network Security Groups (NSGs) to control traffic at the subnet level.
3. Monitor Routing
Use tools like Azure Network Watcher to monitor and diagnose routing issues.
4. Use Default Routes Wisely
Modify system routes only when necessary to avoid unintended traffic flows.
Summary
Routing in Azure provides the flexibility to manage traffic flows between Azure resources, VNets, and external networks.
By combining system routes, user-defined routes, and services like VPN/ExpressRoute, you can design secure and efficient network architectures tailored to your business needs.
Leave a Reply