Skip to main content
Control traffic flow inside an Azure virtual network by creating custom routing rules. User-defined routes (UDRs) let you override Azure system routes and direct traffic between subnets, VNets, and network appliances (for example, a firewall or network virtual appliance — NVA). On the left side of the diagram below you can see a virtual network split into subnets (front-end, back-end, and DMZ). A virtual appliance (commonly a firewall or NVA) is placed in the DMZ. Traffic from the front-end subnet is routed through the DMZ to the back-end. The route table controls exactly how this traffic is forwarded.
The image illustrates a virtual network traffic routing setup, showing a network diagram with subnets and a routing table, alongside a form for creating a route table.
To create UDRs you build an Azure route table, add routes that match the destination prefix (single IP, CIDR, or service tag), and associate the route table with a subnet. When a packet leaving the subnet matches a user-defined route, Azure forwards it to the specified next hop instead of following the default system path. The portal UI for creating a route table is shown on the right side of the diagram: you select subscription, resource group, name, and whether to propagate gateway routes. In most cases keep gateway route propagation enabled unless you have a specific reason to disable it. When adding a route you specify:
  • Route name
  • Destination address prefix (single IP, CIDR such as a subnet, or a service tag)
  • Next hop type (for NVAs choose VirtualAppliance)
  • Next hop IP address (the appliance private IP)
This redirects traffic to the appliance for inspection or filtering instead of sending it directly to the destination. Below is the portal dialog for associating a route table to a subnet — associating a route table to a subnet activates the UDR for that subnet.
The image shows a setup guide for creating a custom route and associating a route table to a subnet in a network configuration context, with fields for route name, destination type, and next hop details.
Summary: UDRs override Azure system routes and force traffic through NVAs or firewalls when needed — useful for enhanced security, packet inspection, or non-default traffic flows. When we cover Azure Firewall, UDRs will be used to steer traffic through the firewall. This lesson/demo deploys a simple topology and validates how UDRs force traffic to an NVA (a Linux VM with IP forwarding enabled). The topology contains two spoke VNets (East US and West US) peered to a central hub VNet that hosts the NVA. Infrastructure overview The demo can be deployed with PowerShell. The snippets below highlight variable declarations, public IPs, NSGs, NIC creation (with IP forwarding enabled on the NVA NIC), and VM configuration. This example is for lab/demo use only.
Create public IPs, NSGs, and NICs. Important: enable IP forwarding on the hub/NVA NIC so the VM can forward traffic.
Do not forget to enable IP forwarding inside the guest OS as well; the Azure NIC setting and guest OS setting are both required for full packet forwarding.
Do not store plain-text passwords in automation. The example uses a lab password for demonstration only. Use secure secrets management for production.
Create VM configs and use cloud-init for the NVA guest to enable net.ipv4.ip_forward. Pass the cloud-init to the VM (e.g., via -CustomData).
After deployment the private IPs in this demo are:
  • vm-az700-udr-spoke-eus-01 — 10.50.1.4
  • vm-az700-udr-spoke-wus-01 — 10.60.1.4
  • vm-az700-udr-hub-01 (NVA) — 10.70.1.4
Note: Both Azure NIC IP forwarding (-EnableIPForwarding $true) and the guest OS IP forwarding must be enabled for a VM to act as an NVA. With VNet peering configured (set to “Allow forwarded traffic”), spoke-to-spoke traffic normally travels over peering routes. The hub NVA will not see the traffic until you add a UDR to override the peering/system route. A UDR that matches the destination prefix and points to the hub NVA causes Azure to forward the packet to the virtual appliance. How to create a route table and add a UDR in the Azure Portal:
  1. Search for Route tables and click Create.
  2. Choose subscription, resource group, and region (create the route table in the same region as the subnet you intend to control).
  3. Name the route table (for example, RT-Spoke-EUS) and create it.
The image shows a Microsoft Azure portal interface for creating a route table, including fields for project details, instance details, and options to propagate gateway routes.
Once the route table exists, open it and add a route. Destination types include:
  • IP address (single host) — 10.60.1.4/32
  • CIDR (subnet) — 10.60.0.0/16
  • Service tag (Azure-managed set of addresses)
  • Virtual network, Internet, None, etc.
For this demo we add a route that forces the remote spoke VM IP through the hub NVA:
  • Route name: RT-NVA-Forward (example)
  • Address prefix: 10.60.1.4/32 (force traffic to that single IP)
  • Next hop type: Virtual appliance
  • Next hop address: 10.70.1.4 (hub NVA private IP)
The image shows the Microsoft Azure portal interface for creating a route table. It displays configuration options such as subscription, resource group, region, name, and the option to propagate gateway routes.
Wait for deployment to complete, then open the route table resource and add the route.
The image shows a Microsoft Azure portal page where a deployment named "Microsoft.RouteTable-20250817201428" is in progress, including details like resource group and deployment status.
Inside the route table, click Routes → Add and fill in the route details:
  • Name
  • Destination type: IP Address
  • Destination: 10.60.1.4/32
  • Next hop type: Virtual appliance
  • Next hop address: 10.70.1.4
The image shows the Microsoft Azure portal with a screen for adding a route to a route table. It includes fields for route name, destination type, and next hop address within a network configuration setting.
After adding the route, associate the route table to the East US subnet (the source VM’s subnet). Association makes the UDR take effect for that subnet.
The image shows a Microsoft Azure portal interface displaying a route table configuration named "rt-spoke-eus." It lists a route with an address prefix of "10.60.1.4/32" and a next hop type labeled as "VirtualAppliance."
Click Associate, then select the East US virtual network and its subnet.
The image shows a screenshot of the Microsoft Azure portal, specifically the subnet association panel of a route table. It displays options for selecting a virtual network and subnet for association.
Verify the effective routes on the spoke VM’s NIC (Network Interface → Effective routes). You should see the user-defined /32 route taking precedence over a broader peering route (for example, a /16).
Route precedence: Azure uses longest prefix match — the most specific route wins. A /32 (single IP) overrides a /16 (subnet) for the same destination.
Verification using tcpdump and traceroute
  1. On the hub NVA (10.70.1.4) run tcpdump to inspect incoming traffic:
You can filter tcpdump for specific IPs:
  1. From the East US spoke VM (10.50.1.4), ping the West US VM (10.60.1.4):
Sample ping output (truncated):
  1. Run traceroute (or tracepath) from the source to confirm the path goes via the NVA (10.70.1.4):
Example trace showing the NVA as the first hop, then the destination:
Before the UDR, traffic used the peering route directly to the destination. After adding the UDR and associating the route table, traffic matches the /32 route and is forwarded to the virtual appliance first. If you want the West US spoke to also send traffic through the NVA, repeat the process in the West US region: create a route table in West US, add a route (for example, destination 10.50.1.4/32 next hop 10.70.1.4), and associate it with the West US subnet.
The image shows a Microsoft Azure portal interface for adding a user-defined route in a route table. It includes fields for route name, destination type, destination IP address, next hop type, and next hop address, with a button labeled "Add" at the bottom.
After adding and associating the route in the West US subnet, traceroute from the West US spoke to the East US VM should show the NVA hop first. On the hub NVA you will see ICMP/UDP or other traffic as the NVA forwards packets between spokes. Example tcpdump output (truncated):
Wrap-up — best practices and checklist
  • Use UDRs to override Azure system routes and force traffic through NVAs or firewalls for inspection and security controls.
  • Create route tables in the same region as the target subnet and add routes that match the desired destination prefixes.
  • Associate route tables with subnets to make UDRs active.
  • Enable IP forwarding both on the Azure NIC (-EnableIPForwarding $true) and inside the guest OS (net.ipv4.ip_forward=1) for VM-based NVAs.
  • Remember route selection is longest-prefix-match — a /32 is more specific and overrides a /16.
Links and references This completes the User-Defined Routes lesson and a validation demo showing how UDRs direct traffic through an NVA.

Watch Video