Routing Fundamentals: How Traffic Finds Its Way
Understand how Azure decides which path your network traffic takes β the GPS of your VNet
π’ Beginner
β± 15 Minutes
π AZ-104 Β· Module 04
Why This Matters
You've created a VNet with subnets and locked them down with NSGs. But how does traffic actually find its way from your web server to your database? Routing is the "GPS" of your network β it decides which path traffic takes. Understand routing, and you'll understand how your entire network communicates.
Before You Start
| Prerequisites | VNets & Subnets and Network Security Groups |
|---|
| Time to understand | 15 minutes |
|---|
| Difficulty | π’ Beginner (builds on NSGs, no advanced networking needed) |
|---|
| What you'll learn | How Azure routes traffic, system vs. custom routes, common routing patterns |
|---|
The Simple Idea
What Is Routing?
Routing = Deciding the path that network traffic takes from source to destination.
Think of it like GPS for data packets.
Your data packet: "I need to go from 10.0.1.5 to 10.0.3.20"
β
Azure routing table
β
"I know a route to 10.0.3.0/24
Go through subnet 10.0.3.0/24"
β
Data arrives at destination β
How Azure Decides Routes
Azure has a routing table (like a GPS navigation database) that says:
- "To reach 10.0.1.0/24, use local VNet"
- "To reach 10.0.2.0/24, use local VNet"
- "To reach 192.168.0.0/16, use VPN Gateway"
- "To reach anything else, use internet"
Two Types of Routes
| Route Type | What It Does | Examples |
|---|
| System Routes | Built-in, automatic, managed by Azure | Internal VNet traffic, internet |
| Custom Routes (UDR) | You create them for special cases | Send traffic through firewall, VPN |
How It Actually Works
Step 1: Traffic Arrives at Your Subnet
Data packet arrives:
From: 10.0.1.5 (WebServer)
To: 10.0.3.20 (Database)
Step 2: Subnet Looks at Its Routing Table
Destination Next Hop Purpose
ββββββββββββββββββββββββββββββββββββββββββββ
10.0.0.0/16 Local VNet Traffic within VNet stays local
10.0.1.0/24 Local Subnet Traffic to this subnet is direct
10.0.2.0/24 Local Subnet Traffic to app subnet is direct
10.0.3.0/24 Local Subnet Traffic to DB subnet is direct
0.0.0.0/0 Internet Everything else goes to internet
Step 3: Routing Lookup
Packet destination: 10.0.3.20
Azure checks routing table:
ββ Does it match 10.0.0.0/16? YES β
ββ Next hop: "Local VNet"
ββ Route: Send directly to destination within VNet
Result: Packet goes from 10.0.1.5 β 10.0.3.20 (direct path)
Step 4: NSG Check
Packet arrives at DB subnet:
ββ NSG checks inbound rule
"Is source 10.0.2.0/24 on port 1433?"
β YES β
ββ NSG allows traffic
Result: Database receives the packet β
Mental Model: Routing as GPS Navigation
You're driving from point A to point B.
Your GPS (routing table):
ββ Route 1: "If destination is nearby, drive directly" (system route)
ββ Route 2: "If destination is far, take the highway" (system route)
ββ Route 3: "If you need to go through a checkpoint, use Route 66" (custom route)
ββ Route 4: "If no route exists, go to the main road" (default route)
Your data packet follows the same logic:
ββ System routes handle normal traffic (within VNet, to internet)
ββ Custom routes handle special cases (through firewall, VPN, etc.)
System Routes vs. Custom Routes
System Routes (Created Automatically)
Every VNet automatically gets these routes:
Destination Next Hop Created Automatically?
ββββββββββββββββββββββββββββββββββββββββββββββββββββββ
10.0.0.0/16 Local VNet β Yes (VNet address space)
0.0.0.0/0 Internet β Yes (default internet route)
Examples of what each means:
| Route | Destination | Next Hop | When Used |
|---|
| Local VNet | 10.0.0.0/16 | Local | Traffic within your entire VNet |
| Internet | 0.0.0.0/0 | Internet | Traffic to anywhere not in your VNet |
Custom Routes (UDRs - User-Defined Routes)
You create these for special cases:
Example UDR:
Destination: 192.168.0.0/16 (on-premises)
Next Hop: VPN Gateway
Purpose: Send traffic to on-premises through VPN
Why you'd create custom routes:
| Use Case | Custom Route | Benefit |
|---|
| Send traffic through firewall | Destination: 0.0.0.0/0 β Next Hop: Firewall IP | All internet-bound traffic passes through firewall |
| Connect to on-premises | Destination: 192.168.0.0/16 β Next Hop: VPN Gateway | Corporate network access |
| Send to security appliance | Destination: 10.0.0.0/16 β Next Hop: NVA (network appliance) | All internal traffic inspected |
Worked Example: Real Scenario
The Scenario
TechCorp's network:
- 3 subnets within VNet: Web (10.0.1.0/24), App (10.0.2.0/24), DB (10.0.3.0/24)
- Azure Firewall in hub VNet protecting everything
- VPN connection to on-premises network (192.168.0.0/16)
Goal: Route traffic correctly through firewall and VPN.
Step 1: Default System Routes (Automatic)
App Subnet (10.0.2.0/24) Routing Table (Default):
βββββββββββββββββββββββββββββββββββββββββββββββββ
Destination Next Hop Priority
βββββββββββββββββββββββββββββββββββββββ
10.0.0.0/16 Local VNet 1 (All internal VNet traffic)
0.0.0.0/0 Internet 2 (Everything else to internet)
AppServer (10.0.2.10) wants to send data:
Case 1: To Database (10.0.3.20)
ββ Destination: 10.0.3.20
ββ Match: 10.0.0.0/16? YES β
ββ Route: Local VNet (direct path)
ββ Result: 10.0.2.10 β 10.0.3.20 directly β
Case 2: To Internet
ββ Destination: 8.8.8.8 (Google)
ββ Match: 10.0.0.0/16? NO
ββ Match: 0.0.0.0/0? YES β
ββ Route: Internet (default route)
ββ Result: 10.0.2.10 β Internet directly β (No firewall!)
Problem: Traffic to internet bypasses firewall. We need custom routes.
Step 2: Add Custom Routes (Force Through Firewall)
Admin creates custom route:
Destination: 0.0.0.0/0 (all internet traffic)
Next Hop: Azure Firewall (10.0.0.4)
Priority: Higher than default
App Subnet (10.0.2.0/24) Routing Table (Updated):
ββββββββββββββββββββββββββββββββββββββββββββββββββ
Destination Next Hop Priority
βββββββββββββββββββββββββββββββββββββββ
0.0.0.0/0 Firewall IP 1 (Custom route - checked first!)
10.0.0.0/16 Local VNet 2
0.0.0.0/0 Internet 3 (Default - not used now)
AppServer (10.0.2.10) wants to send data:
Case 1: To Database (10.0.3.20)
ββ Destination: 10.0.3.20
ββ Match: 0.0.0.0/0? YES, but next hop is 10.0.0.0/16
ββ No wait, check priority 2 first
ββ Match: 10.0.0.0/16? YES β
ββ Route: Local VNet (direct, bypass firewallβOK for internal)
ββ Result: 10.0.2.10 β 10.0.3.20 directly β
Case 2: To Internet
ββ Destination: 8.8.8.8 (Google)
ββ Match: 0.0.0.0/0? YES β (custom route, high priority)
ββ Route: Firewall IP (10.0.0.4)
ββ Result: 10.0.2.10 β Firewall β Internet β (Firewall inspects!)
Result: Custom route forces internet-bound traffic through firewall.
Step 3: Add VPN Route (For On-Premises Access)
Admin creates another custom route:
Destination: 192.168.0.0/16 (on-premises)
Next Hop: VPN Gateway
Priority: 1
App Subnet (10.0.2.0/24) Routing Table (Final):
ββββββββββββββββββββββββββββββββββββββββββββββββ
Destination Next Hop Priority
ββββββββββββββββββββββββββββββββββ
192.168.0.0/16 VPN Gateway 1 (On-prem traffic via VPN)
0.0.0.0/0 Firewall IP 2 (Internet via firewall)
10.0.0.0/16 Local VNet 3 (Internal via VNet)
0.0.0.0/0 Internet 4 (Default - not reached)
AppServer (10.0.2.10) wants to send data:
Case 1: To Database (10.0.3.20)
ββ Match: 192.168.0.0/16? NO
ββ Match: 0.0.0.0/0? YES, but check next priority
ββ Match: 10.0.0.0/16? YES β
ββ Route: Local VNet
ββ Result: Direct to database β
Case 2: To On-Premises Server (192.168.1.50)
ββ Match: 192.168.0.0/16? YES β
ββ Route: VPN Gateway
ββ Result: 10.0.2.10 β VPN Gateway β VPN Tunnel β On-premises β
Case 3: To Internet (8.8.8.8)
ββ Match: 192.168.0.0/16? NO
ββ Match: 0.0.0.0/0? YES β
ββ Route: Firewall IP
ββ Result: 10.0.2.10 β Firewall β Internet β
Common Mistakes (What NOT to Do)
β Mistake 1: Unexpected Default Route
Wrong
Admin creates custom route:
Destination: 0.0.0.0/0 β VPN Gateway
All traffic goes to VPN, including:
ββ Internal traffic (should stay local) β
ββ Internet traffic (should go to internet or firewall) β
ββ Database traffic (should be direct) β
Result: Everything bottlenecks through VPN
Fix
Be more specific:
ββ 192.168.0.0/16 β VPN Gateway (only on-prem traffic)
ββ 10.0.0.0/16 β Local VNet (internal traffic)
ββ 0.0.0.0/0 β Internet or Firewall (external traffic)
Each traffic type follows the correct path β
Why it fails: Too broad a route causes unnecessary traffic redirection.
β Mistake 2: Routing Loop
Wrong
Custom route 1: 0.0.0.0/0 β Firewall (10.0.0.4)
Custom route 2: 0.0.0.4/32 β Internet
Packet goes: App β Firewall β Internet
But what if firewall tries to reach internet?
ββ Matches 0.0.0.0/0 β Firewall again
ββ Infinite loop! β
Fix
Firewall routes to internet directly (exclude from custom route):
ββ Custom route: 0.0.0.0/0 β Firewall
ββ Except: Firewall's NIC route: 0.0.0.0/0 β Internet (direct)
Packet goes: App β Firewall β Internet (no loop) β
Why it fails: Packet gets stuck in a loop.
β Mistake 3: Too Many Custom Routes
Wrong
Create 100 custom routes for every possible destination
ββ 8.8.8.8/32 β Internet
ββ 1.1.1.1/32 β Internet
ββ ... (95 more individual IPs)
ββ 192.168.0.0/16 β VPN
Result:
ββ Difficult to maintain
ββ Error-prone
ββ Confusing for other admins
ββ Harder to troubleshoot
Fix
Use aggregate routes (CIDR notation):
ββ 0.0.0.0/0 β Firewall (one route handles everything)
ββ 192.168.0.0/16 β VPN (one route for all on-prem)
Much simpler and easier to manage β
Why it fails: Complexity = mistakes and maintenance headaches.
Routing Decision Order (Route Priority)
When traffic arrives, Azure checks routes in this order:
1. Most Specific Match (Longest Prefix)
Destination: 10.0.2.5
Routes available:
ββ 10.0.2.0/25 (specific)
ββ 10.0.2.0/24 (less specific)
ββ 10.0.0.0/16 (even less specific)
Azure picks: 10.0.2.0/25 (most specific) β
2. Custom Routes Before System Routes
If both custom and system routes exist for same destination:
ββ Custom route wins
3. Default Deny If No Match
If no route matches:
ββ Traffic is dropped (denied) β
Routing Decision Flowchart
Packet arrives at subnet
β
Check routing table
β
βββββββ΄βββββββ
β β
Custom route? | System route?
β β
v v
Found match? β Yes β Next hop identified
β β
βββ No β Check next route / Default (drop)
β
NSG checks permission
β
βββββββ΄βββββββ
β β
ALLOW DENY
β β
Forward Drop
packet packet
Summary: Three Layers of Network Control
| Layer | Tool | Controls | Example |
|---|
| 1. Routing | Routing Tables (System + UDR) | Which path traffic takes | Route all internet traffic through firewall |
| 2. Security | Network Security Groups (NSG) | Which traffic is allowed | Allow port 443 from web subnet to app subnet |
| 3. Access | RBAC | Who can change routing/NSGs | Only network admins can modify routing tables |
All three together provide complete network control.
How This Connects to Other Topics
Related to Module 01 (Identity & Governance)
- RBAC + Routing: Use RBAC to control who can modify routing tables
- Policy + Routing: Enforce routing policies (e.g., all traffic must go through firewall)
Related to Module 02 (Storage)
- Storage Firewall Routes: Combined with routing, restrict storage access to specific networks
- Service Endpoints: Routes direct traffic to storage without public internet
Related to Module 03 (Compute)
- VM to VM Communication: VMs in same VNet route directly (system route)
- VM to Database: Routing determines path through NSG and firewall
Related to Module 05 (Monitor)
- Route Metrics: Monitor traffic flow through different routes
- Network Watcher: Trace routing paths to diagnose connectivity issues
Key Takeaways
π‘ Summary
- Routing = GPS for data packets (decides which path traffic takes)
- System routes are automatic (internal traffic, internet access)
- Custom routes (UDRs) are for special cases (firewall, VPN, appliances)
- More specific route wins (longer CIDR prefix = higher priority)
- Custom routes override system routes (same destination priority)
- Traffic flows based on routing table then checked by NSG rules
- Routing + NSG = complete traffic control (routing decides path, NSG decides permission)