User-Defined Routes (UDRs) in Azure
Why User-Defined Routes Matter
User-Defined Routes (UDRs) are essential for controlling network traffic flow within Azure Virtual Networks. By default, Azure automatically routes traffic between subnets, virtual networks, and on-premises networks. However, there are scenarios where you need to override these default routes to enforce security policies, route traffic through network virtual appliances (NVAs), or implement specific network architectures.
What Are User-Defined Routes?
UDRs are custom routes that you create to override Azure's default system routes. They are associated with route tables, which are then linked to one or more subnets within a virtual network. When a packet leaves a subnet, Azure uses the routes in the associated route table to determine where to send the traffic.
Key components include:
• Route Tables - Containers for user-defined routes
• Routes - Individual entries specifying address prefixes and next hop types
• Next Hop Types - Virtual appliance, Virtual network gateway, Virtual network, Internet, or None
How UDRs Work
When traffic leaves a VM, Azure evaluates all applicable routes and selects the most specific match using the longest prefix match algorithm. The route with the longest matching prefix wins.
Next Hop Types Explained:
• Virtual Appliance - Routes traffic to a specific IP address (typically an NVA like a firewall)
• Virtual Network Gateway - Routes traffic through a VPN or ExpressRoute gateway
• Virtual Network - Routes traffic within the virtual network address space
• Internet - Routes traffic to the internet
• None - Drops the traffic (acts as a black hole)
Common Use Cases
1. Force Tunneling - Route all internet-bound traffic through the on-premises network
2. Network Virtual Appliances - Force traffic through firewalls or intrusion detection systems
3. Hub-and-Spoke Topology - Route spoke-to-spoke traffic through a central hub
4. Traffic Isolation - Prevent certain subnets from communicating
Important Considerations
• UDRs override default system routes, but they do not override BGP routes in all cases: longest prefix match is applied first, so a more specific BGP-learned route still wins over a broader user-defined route
• When using NVAs, ensure IP forwarding is enabled on the NVA's network interface
• Route tables are regional resources and can only be associated with subnets in the same region
• Each subnet can have zero or one route table associated with it
Exam Tips: Answering Questions on User-Defined Routes
Key Points to Remember:
1. Next Hop Type Selection - Know when to use each next hop type. For NVAs, always use 'Virtual Appliance' and specify the private IP address of the NVA.
2. IP Forwarding Requirement - When routing through an NVA, IP forwarding must be enabled on the Azure NIC AND within the guest OS. This is a frequently tested concept.
3. Route Priority - Remember the order: User-defined routes take precedence over default system routes. The longest prefix match determines which route is selected.
4. Gateway Route Propagation - Understand when to disable gateway route propagation to prevent BGP routes from being added to a subnet's route table.
5. None vs Virtual Appliance - Use 'None' to drop traffic completely. This is useful for creating security boundaries.
6. 0.0.0.0/0 Route - This address prefix is used to route all traffic not matching other routes. Commonly used for force tunneling scenarios.
7. Subnet Association - Route tables must be associated with subnets to take effect. A route table not associated with any subnet has no impact.
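The route selection described under "How UDRs Work" and in key points 3 to 6 can be exercised offline with a small simulator. This is an added example, not Azure code: it models the documented selection order (longest prefix match first, then user-defined over BGP over system when prefix lengths tie), treats disabling gateway route propagation as removing only the BGP-learned routes, and uses a constructed hub-and-spoke route table (spoke VNet 10.1.0.0/16, hub firewall NVA at 10.0.1.4, on-premises 192.168.0.0/16) whose addresses are assumptions.

```python
"""Simulate how Azure picks a route for a packet leaving a subnet.

Added example, not Azure's implementation. Rules modelled:
  1. longest prefix match wins;
  2. on equal prefix length, source priority is User > BGP > System;
  3. disabling gateway route propagation removes BGP-learned routes only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    prefix: str                      # address prefix, e.g. "0.0.0.0/0"
    next_hop_type: str               # VirtualAppliance, VirtualNetworkGateway,
                                     # VirtualNetwork, Internet or None
    next_hop_ip: Optional[str] = None  # only used for VirtualAppliance
    source: str = "User"             # "User" (UDR), "BGP" or "System"

# Lower value wins when two matching routes have the same prefix length.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}

def effective_routes(routes: List[Route], gateway_propagation: bool = True) -> List[Route]:
    """Routes the subnet actually evaluates. With gateway route propagation
    disabled, BGP routes never reach the subnet; UDRs and system routes remain."""
    if gateway_propagation:
        return list(routes)
    return [r for r in routes if r.source != "BGP"]

def select_route(dest_ip: str, routes: List[Route],
                 gateway_propagation: bool = True) -> Optional[Route]:
    """Return the winning route for dest_ip, or None when nothing matches."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in effective_routes(routes, gateway_propagation)
                  if dest in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    # Longest prefix first; among equal lengths the lowest SOURCE_PRIORITY wins.
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                                          -SOURCE_PRIORITY[r.source]))

def decide(dest_ip: str, routes: List[Route], gateway_propagation: bool = True):
    """Forwarding outcome: ('drop', matched_prefix) for a None route or no match,
    otherwise ('forward', next_hop_type, next_hop_ip)."""
    r = select_route(dest_ip, routes, gateway_propagation)
    if r is None or r.next_hop_type == "None":
        return ("drop", r.prefix if r else None)
    return ("forward", r.next_hop_type, r.next_hop_ip)

# Constructed sample: what a spoke subnet sees after a route table is associated.
# System routes are the defaults Azure adds; User routes are the UDRs; BGP routes
# arrive through the hub's VPN/ExpressRoute gateway.
SPOKE_ROUTES = [
    Route("10.1.0.0/16", "VirtualNetwork", source="System"),           # own VNet address space
    Route("0.0.0.0/0", "Internet", source="System"),                   # default internet route
    Route("0.0.0.0/0", "VirtualAppliance", "10.0.1.4"),                # UDR: force everything via hub firewall
    Route("10.2.0.0/16", "VirtualAppliance", "10.0.1.4"),              # UDR: spoke-to-spoke through the hub
    Route("10.1.200.0/24", "None"),                                    # UDR: black-hole a quarantined subnet
    Route("10.3.0.0/16", "VirtualAppliance", "10.0.1.4"),              # UDR: broad route to a partner range
    Route("10.3.0.0/24", "VirtualNetworkGateway", source="BGP"),       # BGP: more specific, wins over the UDR
    Route("192.168.0.0/16", "VirtualNetworkGateway", source="BGP"),    # BGP: on-premises range
]

if __name__ == "__main__":
    for dest in ["8.8.8.8", "10.1.0.50", "10.2.0.7", "10.1.200.9", "10.3.0.5", "192.168.1.1"]:
        print(f"{dest:>14} -> {decide(dest, SPOKE_ROUTES)}")
    # Same destination with gateway route propagation disabled: the BGP route is
    # gone, so on-premises traffic falls back to the 0.0.0.0/0 UDR (the NVA).
    print("192.168.1.1 (no propagation) ->", decide("192.168.1.1", SPOKE_ROUTES, gateway_propagation=False))
```

Two cases are worth noting. The 0.0.0.0/0 UDR and the system Internet route match every destination with the same length, and the UDR wins on source priority, which is how force tunneling overrides the default internet route. The BGP 10.3.0.0/24 route beats the 10.3.0.0/16 UDR because prefix length is compared before source; disabling gateway route propagation on the table is what removes that BGP route from the subnet.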
Common Exam Scenarios:
• Forcing internet traffic through an on-premises firewall
• Routing between spokes in a hub-spoke architecture
• Blocking traffic between specific subnets
• Configuring NVA high availability with UDRs