Routing Inside Virtual Networks

Intermediate · 20 min · 4 min read · Azure

AZ-104 notes: Routing Inside Virtual Networks. Covers key concepts for the Azure Administrator Associate exam.

This lesson explains how routing works inside an Azure Virtual Network (VNet): how Azure decides the path traffic takes between VMs, subnets, peered VNets, on-premises networks and the internet.

1️⃣ What Is Routing?

  • Routing = The path traffic takes between networks.

Think of routes like:

  • Roadways between cities
  • Without them, traffic has nowhere to go

In Azure, routing determines:

  • Private communication (VM ↔ VM)
  • Internet access
  • Hybrid connectivity (on-prem ↔ Azure)
  • VNet peering traffic

2️⃣ Types of Routes in Azure

Azure has three main route types: system routes, user-defined routes (UDRs) and BGP routes. Each is covered below.

3️⃣ System Routes (Default)

Created automatically when:

  • You create a VNet (every subnet in it gets the same system routes)
  • You enable VNet peering, add a virtual network gateway or enable a service endpoint (Azure adds further "optional default" routes)
  • No VM deployment is needed for them to exist, but you only see them on a VM's NIC (Effective Routes)

Examples:

  • VNet local route (VNet address space → next hop Virtual network)
  • Internet route (0.0.0.0/0 → Internet)
  • Reserved private prefixes (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10 → None), so RFC 1918 traffic with no better route is dropped instead of being sent to the internet
  • Peering route (peered VNet's address space → VNet peering)
  • Service endpoint route (the service's public prefixes → VirtualNetworkServiceEndpoint)

Important:

  • ✔ Immutable: you cannot create or delete system routes
  • ✔ Automatically applied to every subnet in the VNet
  • ✔ Can be overridden by a UDR or BGP route for the same prefix, or bypassed by a more specific one

4️⃣ User-Defined Routes (UDRs)

Created via:

  • Azure Route Table

Steps:

  • Create Route Table (in the same region as the VNet)
  • Add Route (prefix + next hop type, plus the next hop IP for a virtual appliance)
  • Associate Route Table to Subnet (a subnet can have at most one route table; one route table can be shared by many subnets)

UDRs allow you to:

  • Override system routes for the same or a more specific prefix
  • Force traffic through a firewall or other inspection point
  • Drop traffic (next hop None, a black-hole route)
  • Send traffic to the VPN or ExpressRoute gateway
  • Send traffic to an NVA (Network Virtual Appliance) by private IP

5️⃣ BGP Routes

Used when:

  • Hybrid connectivity exists (Azure VPN Gateway or Azure ExpressRoute)
  • BGP is enabled between the gateway and the on-premises router

BGP automatically exchanges:

  • On-prem routes (advertised into Azure)
  • Azure VNet routes (advertised to on-prem)

BGP routes override system routes but not UDRs. A route table also has a "Propagate gateway routes" setting (Virtual network gateway route propagation); turning it off keeps BGP-learned routes out of that subnet, which is what you want on subnets that must send everything to a firewall.

6️⃣ Route Precedence Order (VERY IMPORTANT FOR EXAM)

Priority order when several routes have exactly the same prefix:

  • 1️⃣ User-Defined Routes
  • 2️⃣ BGP Routes
  • 3️⃣ System Routes

Before that order is applied, Azure picks the route whose prefix matches the destination most specifically (longest prefix match); the source order above only breaks ties between routes with identical prefixes. So a 192.168.1.0/24 BGP route beats a 0.0.0.0/0 UDR for destinations in that /24, while a 0.0.0.0/0 UDR beats a 0.0.0.0/0 BGP route.

7️⃣ Demonstration Summary

Created:

  • Route table (rt-prod-01)

Route:

  • 0.0.0.0/0 → Virtual Appliance → 172.16.0.6
  • Associated route table to subnet

Result:

System default internet route:

  • 0.0.0.0/0 → Internet
  • Became: ❌ Invalid

User-defined route:

  • 0.0.0.0/0 → Virtual Appliance
  • Became: ✅ Active

This demonstrates:

  • UDR overrides system route for the same prefix.
  • Only 0.0.0.0/0 was overridden: traffic to the VNet's own address space and to peered VNets still follows the more specific system routes and never reaches the appliance unless you add UDRs for those prefixes too.

8️⃣ Next Hop Types Explained

When creating a route, the next hop options are:

  • Virtual appliance (an NVA such as a firewall, identified by its private IP; the NVA's NIC must have IP forwarding enabled or it will drop transit packets)
  • Virtual network gateway (VPN or ExpressRoute gateway)
  • Virtual network (send to the VNet's own address space, for example to restore local routing under a more specific override)
  • Internet
  • None (drop the traffic; a black-hole route)

Example Security Pattern:

Force all outbound internet traffic through firewall:

  • 0.0.0.0/0 → Virtual Appliance (Firewall private IP)

9️⃣ Subnet-Level Association

Important:

  • Route tables are associated at subnet level, not VNet level.

If you want routing applied to all subnets:

  • Associate the same route table to each subnet (there is no VNet-level association)
  • Leave the firewall's own subnet and the gateway subnet out, or the 0.0.0.0/0 route would send their traffic back into the appliance

🔟 Effective Routes

You can check:

  • NIC → Effective routes in the portal (the VM must be running), or the Azure CLI command az network nic show-effective-route-table

This shows, per NIC:

  • Active routes
  • Invalid routes (present, but overridden by a higher-precedence source for the same prefix)
  • Source of each route (Default, User, VirtualNetworkGateway)
  • Next hop type and next hop IP
  • This is key for troubleshooting: it is the only place you see system, BGP and user routes merged exactly as Azure applies them.
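
As an added example, not code from the original notes, here is a small Python model of the rules in sections 6, 7 and 10: longest prefix match first, then UDR > BGP > System for identical prefixes, producing the Active/Invalid state the NIC's Effective Routes view shows. The routes are constructed sample data for a spoke subnet in VNet 10.0.0.0/16, peered to a hub 172.16.0.0/16 that hosts the firewall NVA 172.16.0.6 from the section 7 demo; the on-prem prefix 192.168.0.0/16 and the BGP-advertised default route are assumptions for illustration, and the next hop labels follow the portal's wording rather than the exact API enum.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Source precedence for routes that share exactly the same prefix (section 6).
# Lower rank wins. The names match the Source column of Effective Routes:
# "Default" = system route, "User" = UDR, "VirtualNetworkGateway" = learned via BGP.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                       # CIDR, e.g. "0.0.0.0/0"
    source: str                       # Default | User | VirtualNetworkGateway
    next_hop_type: str                # portal-style label, e.g. "VirtualAppliance"
    next_hop_ip: Optional[str] = None
    state: str = "Active"             # filled in by effective_routes()


def effective_routes(routes: List[Route]) -> List[Route]:
    """Mark each route Active or Invalid the way the NIC Effective Routes view
    does: for every distinct prefix only the highest-precedence source stays
    Active, every other route with that prefix becomes Invalid."""
    best = {}
    for r in routes:
        net = ip_network(r.prefix)
        if net not in best or SOURCE_RANK[r.source] < SOURCE_RANK[best[net].source]:
            best[net] = r
    return [replace(r, state="Active" if best[ip_network(r.prefix)] is r else "Invalid")
            for r in routes]


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over Active routes only. Returns None when nothing
    covers the destination (only possible if no 0.0.0.0/0 route is present)."""
    dst = ip_address(destination)
    candidates = [r for r in routes
                  if r.state == "Active" and dst in ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ip_network(r.prefix).prefixlen)


# Constructed sample data (an assumption, not captured from a real subscription):
# spoke subnet in VNet 10.0.0.0/16, peered to hub 172.16.0.0/16 with the firewall
# NVA at 172.16.0.6; the hub gateway learns 192.168.0.0/16 and a default route
# from on-prem over BGP; route table rt-prod-01 is associated with the subnet.
SPOKE_ROUTES = [
    # system routes Azure adds on its own
    Route("10.0.0.0/16", "Default", "VirtualNetwork"),
    Route("172.16.0.0/16", "Default", "VNetPeering"),
    Route("0.0.0.0/0", "Default", "Internet"),
    Route("10.0.0.0/8", "Default", "None"),
    Route("172.16.0.0/12", "Default", "None"),
    Route("192.168.0.0/16", "Default", "None"),
    Route("100.64.0.0/10", "Default", "None"),
    # learned over BGP through the virtual network gateway
    Route("192.168.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway"),
    Route("0.0.0.0/0", "VirtualNetworkGateway", "VirtualNetworkGateway"),
    # rt-prod-01 user-defined routes
    Route("0.0.0.0/0", "User", "VirtualAppliance", "172.16.0.6"),
    Route("192.168.1.0/24", "User", "VirtualAppliance", "172.16.0.6"),
]


def print_effective_table(routes: List[Route]) -> None:
    """Print the merged view the way the portal's Effective routes blade lays it out."""
    print(f"{'Source':<22}{'State':<9}{'Prefix':<18}{'Next hop type':<24}{'Next hop IP'}")
    for r in effective_routes(routes):
        print(f"{r.source:<22}{r.state:<9}{r.prefix:<18}{r.next_hop_type:<24}{r.next_hop_ip or '-'}")


if __name__ == "__main__":
    print_effective_table(SPOKE_ROUTES)
    eff = effective_routes(SPOKE_ROUTES)
    for dst in ("8.8.8.8", "172.16.5.5", "10.0.2.4", "10.200.0.1", "192.168.1.10", "192.168.7.1"):
        r = lookup(eff, dst)
        print(f"{dst:<14} -> {r.prefix:<16} {r.source:<22} {r.next_hop_type} {r.next_hop_ip or ''}")
```

Running it shows the two things practitioners trip over: the 0.0.0.0/0 UDR invalidates both the system Internet route and the BGP default, yet traffic to the hub (172.16.5.5) still follows the more specific peering route and never touches the firewall, so a 172.16.0.0/16 → 172.16.0.6 UDR is needed to close that gap; and the BGP 192.168.0.0/16 route beats the system None route for the same prefix, while the /24 UDR takes just one on-prem subnet through the firewall.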

11️⃣ Security & Routing Relationship

  • Routing controls where traffic goes.
  • Security controls whether traffic is allowed.

Security is enforced by:

  • Azure Network Security Group

NSGs are:

  • Stateful packet filters working on the 5-tuple (source/destination IP, source/destination port, protocol); they do not inspect payload
  • Evaluated by priority: rules are checked from the lowest priority number upward and the first match wins, with Azure's default rules checked last (inbound: allow VirtualNetwork, allow AzureLoadBalancer, deny all; outbound: allow VirtualNetwork, allow Internet, deny all)
  • Applied at the subnet or the NIC; when both exist both are evaluated (subnet then NIC for inbound, NIC then subnet for outbound) and a deny at either stops the flow

Important:

  • Routing ≠ Security. A route only chooses the next hop: an NSG deny blocks the traffic even if an Active route exists, and an NSG allow creates no path where no route exists.
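
Added example, not from the original notes: a minimal Python model of NSG evaluation (rules sorted by priority, first match wins, Azure's default rules evaluated last) combined with the state of the covering route, to show that an Active route is necessary but not sufficient. The address spaces used to resolve the VirtualNetwork and Internet service tags, the NSG rule set and the flows are constructed for illustration; source-port matching, application security groups and multi-prefix rules are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed assumption: the address spaces the VirtualNetwork service tag
# expands to for this subnet (own VNet plus peered hub). In Azure the tag also
# covers on-prem prefixes known to the gateway.
VIRTUAL_NETWORK = [ip_network("10.0.0.0/16"), ip_network("172.16.0.0/16")]
AZURE_LB_PROBE_IP = ip_address("168.63.129.16")   # what the AzureLoadBalancer tag resolves to


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # custom rules 100-4096; lower number is evaluated first
    direction: str     # "Inbound" | "Outbound"
    access: str        # "Allow" | "Deny"
    protocol: str      # "Tcp" | "Udp" | "Icmp" | "*"
    source: str        # CIDR, single IP, service tag or "*"
    destination: str
    dest_ports: str    # "22", "80-443", "22,3389" or "*"


# Azure's built-in default rules: always present, evaluated after custom rules.
DEFAULT_RULES = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    NsgRule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    NsgRule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_matches(field: str, address: str) -> bool:
    """Match an address against a CIDR, a single IP, a service tag or '*'."""
    a = ip_address(address)
    if field == "*":
        return True
    if field == "VirtualNetwork":
        return any(a in n for n in VIRTUAL_NETWORK)
    if field == "Internet":
        return not any(a in n for n in VIRTUAL_NETWORK)
    if field == "AzureLoadBalancer":
        return a == AZURE_LB_PROBE_IP
    return a in ip_network(field, strict=False)


def _port_matches(field: str, port: int) -> bool:
    """Match a destination port against '*', a single port, a range or a list."""
    if field == "*":
        return True
    for part in field.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate_nsg(rules: List[NsgRule], direction: str, src: str, dst: str,
                 dport: int, proto: str) -> Tuple[str, str]:
    """Return (access, rule_name) of the first matching rule in ascending
    priority order. Default rules are appended, so any custom rule (priority
    below 65000) is always consulted before them."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda rule: rule.priority):
        if r.direction != direction or r.protocol not in ("*", proto):
            continue
        if (_addr_matches(r.source, src) and _addr_matches(r.destination, dst)
                and _port_matches(r.dest_ports, dport)):
            return r.access, r.name
    raise RuntimeError("unreachable: a DenyAll default rule always matches")


def flow_allowed(route_state: str, rules: List[NsgRule], direction: str,
                 src: str, dst: str, dport: int, proto: str) -> Tuple[bool, str]:
    """Routing decides the path, the NSG decides permission; both must pass.
    route_state is the State of the effective route that covers dst."""
    if route_state != "Active":
        return False, "no active route"
    access, name = evaluate_nsg(rules, direction, src, dst, dport, proto)
    return access == "Allow", name


# Constructed subnet NSG: a single custom rule that blocks outbound RDP.
SUBNET_NSG = [
    NsgRule("DenyRdpOutbound", 100, "Outbound", "Deny", "Tcp", "*", "*", "3389"),
]

if __name__ == "__main__":
    # The 0.0.0.0/0 -> firewall UDR is Active, yet RDP to the internet is denied by the NSG.
    print(flow_allowed("Active", SUBNET_NSG, "Outbound", "10.0.1.4", "203.0.113.9", 3389, "Tcp"))
    print(flow_allowed("Active", SUBNET_NSG, "Outbound", "10.0.1.4", "203.0.113.9", 443, "Tcp"))
    print(flow_allowed("Active", SUBNET_NSG, "Inbound", "203.0.113.9", "10.0.1.4", 22, "Tcp"))
    print(flow_allowed("Active", SUBNET_NSG, "Inbound", "10.0.2.4", "10.0.1.4", 22, "Tcp"))
```

The first call is the point of the section: the route to the firewall is Active, but the custom Deny at priority 100 is matched before AllowInternetOutBound, so the flow never leaves the NIC. The same rule set lets HTTPS out, denies unsolicited SSH from the internet through DenyAllInBound, and lets a peer VM in the VNet in through AllowVnetInBound, which is why "it has a route" is never a complete answer when traffic fails.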

12️⃣ Common Enterprise Routing Patterns

1️⃣ Forced Tunneling

Override the default internet route so internet-bound traffic is inspected (by a firewall NVA, or sent on-premises via the virtual network gateway) instead of leaving the VNet directly:

0.0.0.0/0 → Firewall

2️⃣ Hub-Spoke Architecture

Spoke subnets get a route table that sends everything to the hub firewall:

Route 0.0.0.0/0 → Hub Firewall (private IP of the NVA)

Two caveats: traffic to the hub, or to a directly peered spoke, still follows the more specific peering system routes and bypasses the firewall unless you add UDRs for those prefixes too; and the route table must not be associated with the firewall's own subnet, or the appliance would route its outbound traffic back to itself.

3️⃣ Hybrid Routing

If BGP is disabled (static routing over the gateway), create a UDR for the on-prem prefix:

  • OnPremSubnet → Virtual Network Gateway

13️⃣ Common Exam Scenarios (AZ-104 / AZ-700)

  • 🚩 Route table affects the whole VNet → False (subnet only)
  • 🚩 System routes can be deleted → False
  • 🚩 BGP overrides UDR → False
  • 🚩 UDR overrides system route → True
  • 🚩 Most specific prefix wins → True

14️⃣ Troubleshooting Checklist

If traffic fails:

  • Check effective routes on the VM's NIC: is the expected route Active, or was it overridden or out-ranked by a more specific prefix?
  • Confirm the route table is associated with the right subnet
  • Verify the next hop is reachable; for an NVA also confirm it is running, has IP forwarding enabled on its NIC and in the guest OS, and that its own NSG allows the transit traffic
  • Check NSG rules at both the subnet and the NIC
  • Confirm no conflicting UDR (another route table with a more specific prefix wins)

If internet stops working after adding a UDR:

  • Check the 0.0.0.0/0 override: the system Internet route now shows as Invalid and all egress depends on the new next hop
  • Confirm the firewall is reachable and actually forwards the traffic onward

15️⃣ Reference Documentation

  • Routing Overview
  • System Routes
  • Effective Routes
  • BGP Routing
  • Route Tables

Final Conceptual Summary

Azure Routing Model:

  • System routes = automatic
  • UDRs = override control
  • BGP = hybrid exchange
  • UDR > BGP > System
  • Subnet-level association
  • Effective routes show final result
  • Routing defines the path. NSGs define permission.
  • Both must work together.

