In Azure Virtual Networks (VNets), the platform automatically generates default system routes to facilitate communication between subnets, the Internet, and connected on-premises networks. However, specific security or architectural scenarios require overriding these defaults. This is achievable through User-Defined Routes (UDRs), configured within Azure Route Tables.
A UDR allows an Azure Administrator to steer traffic flows precisely. By associating a Route Table with a specific subnet, you force traffic leaving that subnet to traverse a specific path rather than going directly to the destination. The most common implementation is routing traffic through a Network Virtual Appliance (NVA), such as a firewall, for packet inspection and filtering.
When configuring a UDR, you define a destination CIDR block and a 'Next hop type.' Critical next hop types include:
• **Virtual Appliance:** Routes traffic to a specific IP address (e.g., a firewall VM).
• **Virtual Network Gateway:** Routes traffic to on-premises via VPN or ExpressRoute.
• **Internet:** Explicitly routes traffic externally.
• **None:** Drops traffic intended for the destination address.
Azure determines which route to use based on the Longest Prefix Match (LPM) algorithm: the route with the most specific (longest) address prefix that contains the destination is selected. If the prefix lengths are identical, User-Defined Routes take precedence over default System Routes.
For the AZ-104 exam, it is vital to remember that UDRs are applied at the subnet level, not the network interface level, and they are essential for implementing forced tunneling and secure hub-and-spoke topologies.
Azure User-Defined Routes (UDR): Concepts and Exam Guide
Introduction and Importance
In Azure Virtual Networks (VNet), traffic flows automatically between subnets, peered virtual networks, and the internet via System Routes. However, there are scenarios where a network administrator requires granular control over traffic flow to improve security or network architecture. This is where User-Defined Routes (UDRs), implemented via Route Tables, become essential. For the AZ-104 exam, understanding UDRs is critical because they are the primary mechanism for forcing traffic through firewalls or Network Virtual Appliances (NVAs).
What are User-Defined Routes (UDR)?
A User-Defined Route is a custom static route that you create and associate with a specific subnet. These routes override the default system routes provided by Azure. By creating a Route Table resource and associating it with a subnet, you dictate the 'Next Hop' for packet destinations.
How it Works
When traffic leaves a Virtual Machine, Azure determines where to send the packet based on the routing table. The routing selection logic follows specific rules:
1. Route Table Association: A UDR only affects the subnet it is explicitly associated with.
2. Next Hop Types: When creating a route, you must specify where the traffic goes next. Common types include:
- Virtual Appliance: Directs traffic to a firewall or NVA (requires the private IP of the appliance).
- Virtual Network Gateway: Used for VPN or ExpressRoute traffic.
- Internet: Forces traffic directly out to the Internet (useful when a broader route would otherwise steer it elsewhere).
- None: Effectively drops the traffic (blackhole).
3. The Selection Algorithm: If multiple routes exist for a destination IP (System vs. UDR vs. BGP), Azure uses the Longest Prefix Match (LPM). If the prefix length is identical, the priority order is: User-Defined Route > BGP Route > System Route.
Exam Tips: Answering Questions on User-Defined Routes (UDR)
To score well on UDR questions in the AZ-104, apply the following logic to scenario-based questions:
1. The 'Longest Prefix Match' Rule is King
This is the most common trick in the exam. If you have a route for 10.0.0.0/16 pointing to the Internet, but a specific route for 10.0.1.0/24 pointing to a Firewall, traffic destined for 10.0.1.5 will go to the Firewall. The /24 is more specific (longer) than /16. Always look at the CIDR mask first.
2. Forced Tunneling and NVAs
If a scenario mentions a 'Hub and Spoke' topology and states that 'all traffic must be inspected for malicious activity,' the answer almost always involves creating a UDR for 0.0.0.0/0 with the next hop type Virtual Appliance, pointing to the private IP address of the firewall.
3. The 'IP Forwarding' Trap
If you configure a UDR correctly pointing to a VM/NVA, but traffic fails, the exam might ask why. The answer is often: 'IP Forwarding is not enabled on the NVA's Network Interface.' Azure NICs drop traffic not destined for themselves unless IP Forwarding is enabled.
4. Stopping Traffic (The 'None' Hop)
If a question asks how to strictly prevent a subnet from accessing the internet without using a Network Security Group (NSG), the answer is a UDR with the destination 0.0.0.0/0 and Next Hop type set to None.
5. Troubleshooting Connectivity (Effective Routes)
If a question presents a VM that cannot connect to a destination, and you need to debug the routing, the correct tool is to view the Effective Routes on the VM's network interface. This view combines system routes, UDRs, and BGP routes so you can see exactly which route is 'Winning.'
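The selection algorithm described under "How it Works" and the exam tips above (the Longest Prefix Match example, forced tunneling, the IP forwarding trap, the 'None' blackhole and the Effective Routes view) can all be reproduced with a small route-selection simulator. The following Python script is an added example written for this guide; it is not Azure's code and not an Azure SDK call. It models an effective-routes table as a list of routes (prefix, next hop type, source) and applies the page's two rules: longest prefix wins, and on a tie User > BGP > System. The sample route tables, the NVA address 10.0.254.4 and the `ip_forwarding` map describing each NVA NIC are constructed inputs, not values from any real environment.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tie-break order when two matching routes have the same prefix length
# (from the page): User-Defined Route > BGP Route > System Route.
# Source labels follow what the Effective Routes view shows.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                        # destination CIDR block
    next_hop_type: str                 # VnetLocal, Internet, VirtualAppliance, VirtualNetworkGateway, None
    source: str                        # Default (system), User (UDR) or VirtualNetworkGateway (BGP)
    next_hop_ip: Optional[str] = None  # private IP of the NVA for VirtualAppliance routes


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest Prefix Match: among routes containing the destination, pick the
    longest prefix; on equal prefix length, pick the source with the best priority."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in ipaddress.ip_network(r.prefix, strict=False)]
    if not matching:
        return None
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                       SOURCE_PRIORITY[r.source]),
    )


def explain(routes: List[Route], destination: str, ip_forwarding: Dict[str, bool]) -> Dict[str, str]:
    """Return the winning route plus a verdict that reproduces two exam traps:
    a 'None' next hop (blackhole) and an NVA whose NIC lacks IP forwarding.
    ip_forwarding maps an NVA private IP to whether IP forwarding is on (constructed input)."""
    winner = select_route(routes, destination)
    if winner is None:
        return {"winner": "-", "verdict": "no matching route"}
    verdict = f"forwarded via {winner.next_hop_type}"
    if winner.next_hop_type == "None":
        verdict = "dropped (next hop None / blackhole)"
    elif winner.next_hop_type == "VirtualAppliance":
        if ip_forwarding.get(winner.next_hop_ip, False):
            verdict = f"inspected by NVA {winner.next_hop_ip}"
        else:
            verdict = f"dropped (IP forwarding disabled on NVA NIC {winner.next_hop_ip})"
    return {"winner": f"{winner.prefix} [{winner.source}]", "verdict": verdict}


# Constructed effective routes for a spoke subnet in a 10.0.0.0/16 VNet.
# The two User routes for 10.0.0.0/16 and 10.0.1.0/24 mirror the page's exam example;
# the 0.0.0.0/0 User route is the forced-tunneling pattern (hub firewall at 10.0.254.4).
SPOKE_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
    Route("10.0.0.0/16", "Internet", "User"),
    Route("10.0.1.0/24", "VirtualAppliance", "User", "10.0.254.4"),
    Route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.254.4"),
    Route("192.168.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway"),  # BGP-learned on-prem prefix
]

# Constructed table for a subnet cut off from the Internet with a 'None' route (exam tip 4).
ISOLATED_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
    Route("0.0.0.0/0", "None", "User"),
]


if __name__ == "__main__":
    nva_nics = {"10.0.254.4": False}  # the IP forwarding trap: NVA NIC not yet enabled
    for dest in ("10.0.1.5", "10.0.2.5", "8.8.8.8", "192.168.1.1"):
        print(dest, explain(SPOKE_ROUTES, dest, nva_nics))
    nva_nics["10.0.254.4"] = True     # after enabling IP forwarding on the NVA NIC
    print("8.8.8.8", explain(SPOKE_ROUTES, "8.8.8.8", nva_nics))
    for dest in ("8.8.8.8", "10.0.5.5"):
        print(dest, explain(ISOLATED_ROUTES, dest, {}))
```

Two results are worth noting when you run it. For 10.0.2.5 the system route and the UDR have the same /16 prefix, so the tie-break rather than prefix length decides, and the UDR wins. In the isolated table, 10.0.5.5 still reaches the VNet because the /16 system route is more specific than the 0.0.0.0/0 'None' route; a blackhole default route cuts off the Internet without breaking intra-VNet traffic.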