Explains Azure Virtual Network routing, inspecting effective routes, route types, longest prefix matching, user defined routes, next hop options, and troubleshooting for controlling traffic flow
Virtual network traffic routing

In this lesson we explain how Azure routes traffic inside a Virtual Network (VNet). Understanding Azure routing is essential for controlling how resources communicate within Azure and with external networks. This article covers how to inspect effective routes, the types of routes Azure uses, how Azure chooses a route (longest-prefix match, then route source), how to create and apply a user-defined route (UDR), common next-hop types, and troubleshooting tips.

Inspecting effective routes

Use the Azure portal to view the effective routes for a network interface (NIC). The Effective routes view shows the combined set of routes that Azure applies to traffic leaving that interface: system routes, user-defined routes from the route table associated with the NIC's subnet, and BGP-learned routes when a gateway is present. This is the fabric's view, not the guest's: the routing table inside the VM (the output of route or ip route) only shows the VM's own default gateway and does not tell you where Azure actually forwards a packet. Effective routes are only available for a NIC attached to a running VM. The same data is available from the CLI with az network nic show-effective-route-table --resource-group <rg> --name <nic> --output table.
Types of routes in Azure

Azure routes fall into three main categories. The table below summarizes their purpose and typical use cases.

| Route type | Purpose | Typical use case |
|---|---|---|
| Default system routes | Created by Azure for every subnet and cannot be removed: the VNet address space to VirtualNetwork, 0.0.0.0/0 to Internet, and the private ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 100.64.0.0/10 to None | Intra-VNet traffic, outbound internet connectivity, dropping traffic to private ranges the VNet does not own |
| Optional system routes | Added by Azure when you enable a feature: VNet peering, a virtual network gateway, or service endpoints | Peered VNets, VPN/ExpressRoute paths, service endpoint traffic |
| Custom routes | User-defined routes (UDRs) in a route table, and BGP routes learned through a gateway; both can override a system route with the same prefix | Force traffic through a firewall/NVA, implement hub-and-spoke or on-premises routing patterns |
How Azure evaluates routes

When deciding how to forward a packet, Azure performs a longest-prefix match across all effective routes for the NIC’s subnet. Effective routes include:
System routes (automatically created by Azure)
User-defined routes associated with the subnet (UDRs)
BGP-learned routes (if using a gateway with BGP)
If multiple routes match the destination, the route with the most specific prefix (longest prefix) wins. If two or more matching routes have exactly the same prefix length, Azure breaks the tie by source in this order: user-defined route, then BGP route, then system route. This is why a UDR for 0.0.0.0/0 takes over from the system 0.0.0.0/0 route to Internet: the prefixes are equal and the user route has higher priority. The tie-break never beats a longer prefix, so to override a more specific system route (for example the VNet address space to VirtualNetwork) you need a user route with an equal or longer prefix.
To validate which route is applied for a NIC, open the Effective routes blade in the Azure portal. It displays the route source (Default for system routes, User for UDRs, Virtual network gateway for BGP-learned routes), the address prefix, the selected next hop, and the route state; a route whose state is Invalid is not used.
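To make the selection rule concrete, here is an added Python example (not code from this lesson or from Azure) that reads effective routes in the JSON shape returned by az network nic show-effective-route-table, drops routes whose state is not Active, and picks the route for a destination by longest prefix and then by source (User, then BGP-learned, which the CLI reports with source VirtualNetworkGateway, then Default). The route list is constructed by hand: the VNet prefix 10.0.0.0/16, the NVA at 10.0.0.4, the gateway at 10.0.255.4 and the on-premises prefix 10.10.0.0/16 are assumed values for the example.

```python
"""Reproduce Azure's effective-route selection for a NIC.

Added example, not code from the original lesson or from Azure. The routes
below are constructed by hand in the shape returned by
`az network nic show-effective-route-table --resource-group <rg> --name <nic>`
(a "value" array with source, state, addressPrefix and nextHopType); the
prefixes and addresses are assumed values for the example.
"""
import ipaddress
import json

# Constructed sample for a NIC in a 10.0.0.0/16 VNet whose subnet has a route
# table with two user routes, plus a VPN gateway that learned 10.10.0.0/16 over BGP.
SAMPLE_EFFECTIVE_ROUTES = json.dumps({"value": [
    {"name": None, "source": "Default", "state": "Active",
     "addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    {"name": None, "source": "Default", "state": "Active",
     "addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "nextHopIpAddress": []},
    {"name": None, "source": "Default", "state": "Active",
     "addressPrefix": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"],
     "nextHopType": "None", "nextHopIpAddress": []},
    {"name": None, "source": "VirtualNetworkGateway", "state": "Active",
     "addressPrefix": ["10.10.0.0/16"], "nextHopType": "VirtualNetworkGateway",
     "nextHopIpAddress": ["10.0.255.4"]},
    {"name": "DefaultToNVA", "source": "User", "state": "Active",
     "addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": ["10.0.0.4"]},
    {"name": "OnPremViaNVA", "source": "User", "state": "Active",
     "addressPrefix": ["10.10.0.0/16"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": ["10.0.0.4"]},
    {"name": "StaleRoute", "source": "User", "state": "Invalid",
     "addressPrefix": ["10.20.0.0/16"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": ["10.0.0.4"]},
]})

# Tie-break for equal prefix lengths: user-defined, then BGP-learned (reported
# with source VirtualNetworkGateway), then Azure's default system routes.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def load_effective_routes(cli_json):
    """Return (network, route) pairs for every Active route, one per prefix."""
    pairs = []
    for route in json.loads(cli_json)["value"]:
        if route["state"] != "Active":      # Invalid routes are never used
            continue
        for prefix in route["addressPrefix"]:
            pairs.append((ipaddress.ip_network(prefix), route))
    return pairs


def select_route(pairs, destination):
    """Longest-prefix match, then source priority; None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, route in pairs:
        if dst not in net:
            continue
        # Higher rank wins: longer prefix first, then the better source.
        rank = (net.prefixlen, -SOURCE_PRIORITY.get(route["source"], 3))
        if best is None or rank > best[0]:
            best = (rank, net, route)
    if best is None:
        return None
    _, net, route = best
    return {
        "prefix": str(net),
        "source": route["source"],
        "nextHopType": route["nextHopType"],
        "nextHopIpAddress": route["nextHopIpAddress"][0] if route["nextHopIpAddress"] else None,
    }


if __name__ == "__main__":
    pairs = load_effective_routes(SAMPLE_EFFECTIVE_ROUTES)
    for dst in ("10.0.1.5", "8.8.8.8", "10.10.1.1", "10.20.1.1"):
        print(dst, "->", select_route(pairs, dst))
```

Running it shows the four cases the rule produces: intra-VNet traffic stays on VnetLocal because /16 beats every shorter prefix; 8.8.8.8 goes to the NVA because the user 0.0.0.0/0 route ties with the system one and wins on source; 10.10.1.1 goes to the NVA rather than the gateway for the same reason; and 10.20.1.1 is blackholed by the default 10.0.0.0/8 to None route, because the only user route covering it is Invalid and ignored.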
Important: route table association

User-defined routes live in a route table that you associate with a subnet; they are not attached to individual NICs, and every NIC in the subnet receives the same routes. A subnet can have at most one route table, and one route table can be associated with many subnets.

Quick example: create and apply a user-defined route

The following Azure CLI example creates a route table, adds a default route (0.0.0.0/0) that forwards internet-bound traffic to a virtual appliance (an NVA or firewall at 10.0.0.4), and associates the route table with a subnet. The appliance is assumed to sit in a different subnet from mySubnet: associating this table with the appliance's own subnet would send the appliance's outbound traffic back to itself. The appliance NIC also needs IP forwarding enabled (az network nic update --ip-forwarding true).
```bash
# Create a route table
az network route-table create \
  --resource-group MyResourceGroup \
  --name myRouteTable

# Create a route that sends all internet-bound traffic to a virtual appliance
az network route-table route create \
  --resource-group MyResourceGroup \
  --route-table-name myRouteTable \
  --name DefaultToNVA \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address 10.0.0.4

# Associate the route table with a subnet
az network vnet subnet update \
  --resource-group MyResourceGroup \
  --vnet-name myVNet \
  --name mySubnet \
  --route-table myRouteTable
```
Common next hop types

Below are the next-hop types you can specify when creating a user-defined route, with typical usage.

| Next hop type | Description | Use case |
|---|---|---|
| VirtualAppliance | Forward traffic to a private IP address in the VNet (typically an NVA or firewall); the appliance NIC must have IP forwarding enabled or Azure drops the forwarded packets | Centralized inspection, filtering, or logging |
| Internet | Send traffic to the internet via Azure's default egress | Direct internet egress |
| VirtualNetworkGateway | Forward to the VNet's virtual network gateway; in a UDR the gateway must be of type VPN, because ExpressRoute routes must be learned through BGP rather than defined by hand | Site-to-site VPN paths |
| VirtualNetwork | Keep traffic inside the VNet address space (shown as VnetLocal in Effective routes) | Overriding a broader custom route for intra-VNet destinations |
| None | Drop traffic | Blackhole traffic for specific prefixes |

Effective routes can additionally show next hops such as VNetPeering and VirtualNetworkServiceEndpoint. Azure creates those system routes itself when you enable the feature; they cannot be set in a UDR.
Troubleshooting tips
Verify route precedence: in Effective routes, confirm the winning route for the destination has the expected prefix and source (Default for system routes, User for UDRs, Virtual network gateway for BGP-learned routes) and that its state is Active. Network Watcher's next hop tool (az network watcher show-next-hop) answers the same question for a single source VM and destination IP.
For VirtualAppliance routes: ensure the appliance IP is reachable and that IP forwarding is enabled on the appliance NIC; Azure drops packets addressed to other destinations on a NIC that does not have it. The appliance operating system must also forward packets (for example net.ipv4.ip_forward on Linux), and the route table must not be associated with the appliance's own subnet.
Check Network Security Groups (NSGs) and Azure Firewall rules: routing only directs where packets go; access rules can still block traffic, including NSGs on the appliance NIC itself.
When using BGP, validate that BGP-learned prefixes appear in the effective routes. A UDR with the same prefix as a BGP route always wins, so remove the UDR if BGP is meant to decide; conversely, turning off gateway route propagation on the route table (disableBgpRoutePropagation) removes BGP routes from that subnet entirely.
Be careful when creating broad UDRs (for example, 0.0.0.0/0). They can unintentionally reroute all outbound traffic, including traffic to Azure public service endpoints that your workloads depend on, to an appliance that then has to allow it. Test changes in a staging environment before applying them to production.
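The checks above can be run against a planned route table before it is associated. The following added Python example (not part of this lesson or of any Azure tool) takes the route from the quick example, the subnets it will be associated with, and a NIC inventory, and reports the problems listed above: a VirtualAppliance next hop outside the VNet, a next hop with no NIC, an appliance NIC without IP forwarding, a table associated with the appliance's own subnet (which sends the appliance's traffic back to itself), and a 0.0.0.0/0 route that needs a deliberate decision. The VNet layout (10.0.0.0/16 with NvaSubnet 10.0.0.0/24 and mySubnet 10.0.1.0/24) and the NIC records are constructed for the example; the NIC dicts borrow the enableIpForwarding field name that az network nic show reports, but nothing here calls the CLI.

```python
"""Pre-flight checks for a planned Azure route table.

Added example, not code from the original lesson or from Azure. All inputs
below are constructed: the VNet layout, the NICs and the routes are
hand-written dicts, not output of any az command.
"""
import ipaddress

# Constructed VNet: the NVA lives in NvaSubnet, workloads in mySubnet.
VNET_PREFIX = "10.0.0.0/16"
SUBNETS = {"NvaSubnet": "10.0.0.0/24", "mySubnet": "10.0.1.0/24"}

# Constructed NIC inventory, using the field name az network nic show
# reports for IP forwarding (enableIpForwarding).
NICS_FORWARDING_OFF = [
    {"name": "nva-nic", "privateIp": "10.0.0.4", "enableIpForwarding": False},
    {"name": "web-nic", "privateIp": "10.0.1.10", "enableIpForwarding": False},
]
NICS_FORWARDING_ON = [dict(n, enableIpForwarding=True) if n["name"] == "nva-nic" else n
                      for n in NICS_FORWARDING_OFF]

# The route from the quick example: everything not matched elsewhere goes to the NVA.
PLANNED_ROUTES = [
    {"name": "DefaultToNVA", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.4"},
]


def validate_udr_plan(vnet_prefix, subnets, routes, associated_subnets, nics):
    """Return a list of findings (empty means no problems detected).

    Only VirtualAppliance routes are checked; the other next hop types carry
    no IP address and need no forwarding appliance.
    """
    findings = []
    vnet = ipaddress.ip_network(vnet_prefix)
    subnet_nets = {name: ipaddress.ip_network(prefix) for name, prefix in subnets.items()}
    nic_by_ip = {nic["privateIp"]: nic for nic in nics}

    for route in routes:
        if route["nextHopType"] != "VirtualAppliance":
            continue
        label = route["name"]
        hop = ipaddress.ip_address(route["nextHopIpAddress"])

        # Assumption for this example: a single VNet with no peering, so the
        # next hop must be inside this VNet's address space.
        if hop not in vnet:
            findings.append(f"{label}: next hop {hop} is outside VNet {vnet}")

        nic = nic_by_ip.get(str(hop))
        if nic is None:
            findings.append(f"{label}: no NIC in the inventory owns {hop}")
        elif not nic["enableIpForwarding"]:
            findings.append(f"{label}: IP forwarding is disabled on NIC {nic['name']}; "
                            "Azure drops forwarded packets unless it is enabled")

        # Associating the table with the appliance's own subnet makes the
        # appliance's outbound traffic match this route and come back to it.
        for subnet_name in associated_subnets:
            if hop in subnet_nets[subnet_name]:
                findings.append(f"{label}: table is associated with {subnet_name}, "
                                f"which contains the next hop {hop} (routing loop)")

        # A /0 route captures everything no longer prefix claims, so flag it.
        if ipaddress.ip_network(route["addressPrefix"]).prefixlen == 0:
            findings.append(f"{label}: default route sends all otherwise unmatched "
                            f"traffic to {hop}; confirm the appliance handles it")
    return findings


if __name__ == "__main__":
    for scenario, assoc, nics in (
        ("forwarding off", ["mySubnet"], NICS_FORWARDING_OFF),
        ("associated with NVA subnet", ["mySubnet", "NvaSubnet"], NICS_FORWARDING_ON),
        ("correct", ["mySubnet"], NICS_FORWARDING_ON),
    ):
        print(scenario)
        for finding in validate_udr_plan(VNET_PREFIX, SUBNETS, PLANNED_ROUTES, assoc, nics):
            print("  -", finding)
```

The three scenarios in the main block correspond to the two mistakes the tips warn about and the correct layout; in the correct case only the 0.0.0.0/0 reminder remains, which is intentional since a default route to an appliance is a design decision rather than an error.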
Summary

Azure uses layered routing to control traffic flow:
System routes provide baseline connectivity (intra-VNet, peering, and default internet/gateway paths).
Built-in/default behaviors give a working network out of the box.
User-defined routes (UDRs) let you take precise control over traffic paths for firewalls, NVAs, and custom topologies.
With this understanding, you can inspect the Effective routes blade, create route tables and UDRs, and direct traffic through your preferred network appliances or gateways to meet your network design and security requirements.