- When Azure’s built-in routing is sufficient vs. when you should customize routes.
- How to create and apply User Defined Routes (UDRs) to override system routes.
- Techniques to redirect outbound internet traffic (forced tunneling) to on-premises or security appliances.
- How dynamic routing (BGP) works with Azure and how to integrate Network Virtual Appliances (NVAs) for hybrid scenarios.
- Practical troubleshooting with Network Watcher, Effective Routes, and related tools to diagnose routing problems.
This lesson assumes a basic understanding of core Azure networking concepts such as VNets, subnets, NSGs, and peering.
Learning objectives (expanded)
- Understand Azure’s default (system) routes and how Azure determines next hops.
- Learn when automatic routes suffice and when to apply UDRs to control traffic flow.
- Configure forced tunneling to send outbound traffic to on-premises or third-party security stacks.
- Integrate BGP for dynamic routes across VPN/ExpressRoute and NVAs.
- Use Network Watcher, Effective Routes, and packet capture to validate and troubleshoot routing.
Key routing concepts (at-a-glance)
When to customize routing
Consider custom routing (UDRs, NVAs, BGP) when you need to:- Enforce centralized outbound inspection (e.g., route all internet egress through a firewall).
- Route traffic between VNets or on-prem through specific NVAs for inspection, transformation, or logging.
- Implement policy-based routing for segmentation, service chaining, or gateway-specific requirements.
- Integrate dynamic routes via BGP for high availability and automatic route propagation.
Routing precedence and behavior
Azure determines routing based on precedence rules. In general:- User-defined routes (UDRs) have higher priority than system routes when a UDR is associated with a subnet.
- More specific (longer prefix) routes are preferred.
- If no matching route is found, Azure drops the packet.
Troubleshooting routing issues
Use these tools and techniques:- Network Watcher → IP Flow Verify to validate reachability.
- Effective Routes for a VM’s network interface or subnet to see the applied routes and next hops.
- Connection Troubleshoot and packet capture (where permitted) to verify traffic flow.
- Review NSGs and Azure Firewall/NVA rules that may be blocking traffic even when routing is correct.
Links and references
- Azure Virtual Network routing overview
- User-defined routes (UDR) in Azure
- Azure BGP routing and ExpressRoute
- Network Watcher overview and tools