- Check effective routes
- Use Azure Network Watcher
- Verify user-defined routes and route table associations
- Watch for asymmetric routing
- Confirm appliances and gateways are healthy
1) Check effective routes (what Azure is actually using)
Start by viewing the effective routes for the VM or its network interface. Effective routes reveal exactly how Azure will forward or drop packets right now. A missing, unexpected, or higher-priority user-defined route (UDR) is a frequent cause. You can view effective routes from the Azure Portal (select the VM → Networking → Effective routes), or use the Azure CLI:2) Use Azure Network Watcher to validate traffic paths
Azure Network Watcher provides tools to visualize traffic, validate hops, and find where packets are dropped.
Reference: Azure Network Watcher documentation
3) Verify user-defined routes (UDRs) and route table associations
UDRs let you steer traffic through firewalls, NVAs, or custom gateways for inspection, logging, or policy enforcement. Validate any custom routes for:- Correct destination prefixes (no accidental overlaps)
- Correct next hop type and next hop IP
- Appropriate priority (UDRs override system routes when applicable)
- Proper association with the intended subnet
Always verify route table associations on the subnet level. A mis-associated subnet will silently use system routes instead of your custom routes.
4) Watch for asymmetric routing (and why it breaks inspection)
Asymmetric routing happens when outbound and return traffic follow different paths. This often breaks stateful inspection in firewalls and NVAs or causes return packets to be dropped. How to avoid or detect asymmetric routing:- Ensure return paths traverse the same NVA or gateway (configure symmetric routing on both sides).
- For hub-and-spoke or forced-tunneling designs, make sure spokes and the hub have consistent route tables and next hops.
- Check for SNAT, BGP path changes, or source/destination-based routing that may alter the return path unexpectedly.
- Use Network Watcher’s Connection Troubleshoot and Next Hop tools to confirm both directions.
5) Confirm appliances, gateways, and load balancers are healthy
If you force traffic through an NVA or gateway, ensure those devices are online and functioning; otherwise you’ll see drops or blackholes. Common quick checks
Additional diagnostic tips
- Reproduce the failing flow and capture packet traces on the VM (packet capture) for suspicious behavior.
- Use incremental testing: validate routing on the VM/NIC, then subnet, then route tables, then NVAs/gateways.
- Keep a simple map of expected paths (e.g., source → next hop → final destination) to compare against effective routes.
Summary checklist
- View effective routes on the VM/NIC.
- Use Network Watcher tools (IP Flow Verify, Next Hop, Connection Troubleshoot, Packet capture).
- Validate UDRs and confirm correct subnet associations.
- Check for asymmetric routing and enforce symmetric return paths where required.
- Confirm NVAs, gateways, and load balancers are healthy and reachable.