Skip to main content
Implementing virtual network traffic routing in Azure In this lesson we’ll break down how network traffic is routed inside Azure so you can control, understand, and optimize communication between resources—both within a virtual network (VNet) and to/from external networks. What you’ll gain from this lesson:
  • When Azure’s built-in routing is sufficient vs. when you should customize routes.
  • How to create and apply User Defined Routes (UDRs) to override system routes.
  • Techniques to redirect outbound internet traffic (forced tunneling) to on-premises or security appliances.
  • How dynamic routing (BGP) works with Azure and how to integrate Network Virtual Appliances (NVAs) for hybrid scenarios.
  • Practical troubleshooting with Network Watcher, Effective Routes, and related tools to diagnose routing problems.
This lesson assumes a basic understanding of core Azure networking concepts such as VNets, subnets, NSGs, and peering.
We’ll start with Azure’s default routing behavior and built-in system routes, then progressively introduce customization, forced tunneling, dynamic routing with BGP, and troubleshooting techniques.

Learning objectives (expanded)

  • Understand Azure’s default (system) routes and how Azure determines next hops.
  • Learn when automatic routes suffice and when to apply UDRs to control traffic flow.
  • Configure forced tunneling to send outbound traffic to on-premises or third-party security stacks.
  • Integrate BGP for dynamic routes across VPN/ExpressRoute and NVAs.
  • Use Network Watcher, Effective Routes, and packet capture to validate and troubleshoot routing.

Key routing concepts (at-a-glance)

When to customize routing

Consider custom routing (UDRs, NVAs, BGP) when you need to:
  • Enforce centralized outbound inspection (e.g., route all internet egress through a firewall).
  • Route traffic between VNets or on-prem through specific NVAs for inspection, transformation, or logging.
  • Implement policy-based routing for segmentation, service chaining, or gateway-specific requirements.
  • Integrate dynamic routes via BGP for high availability and automatic route propagation.

Routing precedence and behavior

Azure determines routing based on precedence rules. In general:
  1. User-defined routes (UDRs) have higher priority than system routes when a UDR is associated with a subnet.
  2. More specific (longer prefix) routes are preferred.
  3. If no matching route is found, Azure drops the packet.
Understanding precedence avoids common mistakes like accidentally creating blackholes or bypassing inspection appliances.

Troubleshooting routing issues

Use these tools and techniques:
  • Network Watcher → IP Flow Verify to validate reachability.
  • Effective Routes for a VM’s network interface or subnet to see the applied routes and next hops.
  • Connection Troubleshoot and packet capture (where permitted) to verify traffic flow.
  • Review NSGs and Azure Firewall/NVA rules that may be blocking traffic even when routing is correct.
We’ll begin with Azure’s default routing behavior and built-in system routes.

Watch Video