Azure Route Tables

Routing in Azure involves directing traffic between different Azure resources and networks using routing tables, network security groups, and routing protocols such as BGP, to optimize performance, security, and availability.

A route table in Azure is used to direct outgoing network traffic to a next hop based on the destination IP address or range. When a virtual machine or other resource in an Azure virtual network sends a packet, the route table is consulted to determine the next hop for the packet. The next hop could be an Azure Virtual Network Gateway, an Internet Gateway, or a virtual appliance, depending on how the route table is configured. Once the next hop is determined, the packet is forwarded to the appropriate destination.

It’s important to note that Azure Route Table is only used for outbound traffic routing. Inbound traffic routing is handled by Azure Load Balancer or Application Gateway, depending on the specific requirements of the application or workload.

Azure offers two services specific to network traffic routing: Azure Route Table and Azure Route Server.

Azure Route Table

Azure Route Table is designed to provide flexible and granular control over network traffic routing within an Azure virtual network. It allows you to create and manage custom routing tables and rules that direct traffic to specific destinations based on various factors, such as IP address, subnet, or service tag.

The service uses a routing table object that can be created and managed. Once you have created a routing table, you can define custom routes to specify the next hop for traffic destined for a particular IP address or range.

Routes can be configured to direct traffic to an Internet Gateway, Azure Virtual Network Gateway, or virtual appliance, giving you complete control over how traffic flows between resources within the virtual network or between on-premises networks and Azure.

Azure Route Table also allows associating a routing table with one or more subnets within a virtual network. This means traffic originating from a specific subnet can be directed through a particular routing table, allowing you to segment and manage traffic flows within the virtual network.

Azure Route Server

Azure Route Server is a service in the Azure cloud platform that provides a centralized routing hub for Azure virtual networks. It simplifies network configuration by providing dynamic routing between virtual networks, and between on-premises networks and Azure virtual networks.

With Azure Route Server, you can eliminate the need for manually configuring and managing multiple routing tables, which is time-consuming and error-prone. The route server automatically learns routes from all connected virtual networks and propagates them to all other virtual networks, making it easy to maintain consistent routing across your entire network infrastructure.

Azure Route Server is built on industry-standard routing protocols such as BGP (Border Gateway Protocol) and supports both IPv4 and IPv6. This makes it a highly scalable and flexible solution for managing complex network topologies in the cloud.

Example routing scenario

In this example, the Route Table has four routes defined.

The first route directs traffic destined for the 10.0.1.0/24 subnet to the virtual appliance with IP address 192.168.1.1.

The second route directs traffic destined for the 10.0.2.0/24 subnet to a VNet Peering connection.

The third route directs traffic destined for the 172.16.1.0/24 subnet to an ExpressRoute Circuit.

The fourth route is a default route that directs all other traffic to the Internet Gateway.

| Destination   | Next Hop Type         | Next Hop IP Address |
|---------------|-----------------------|---------------------|
| 10.0.1.0/24   | Virtual Appliance     | 192.168.1.1         |
| 10.0.2.0/24   | VNet Peering          |                     |
| 172.16.1.0/24 | Express Route Gateway |                     |
| 0.0.0.0/0     | Internet Gateway      |                     |

Virtual machines and other resources in the subnet to which this route table is attached consult the Azure Route Table to determine the next hop for each outbound packet.
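The lookup described above is a longest-prefix match: the route whose destination prefix is the most specific match for the packet's destination address wins, and when several routes carry exactly the same prefix, Azure prefers a user-defined route over a BGP route over a system route. The following Python script is an added example (not part of the original page) that models that selection over the four routes in the table. It also includes two system routes that Azure adds to every subnet, using an assumed VNet address space of 10.0.0.0/16, and a helper that swaps the custom default route to a virtual appliance so the firewall scenario from the next section can be checked against the same table. The next-hop type labels and the appliance address are taken from the table; everything else is constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                    # destination address prefix, e.g. "10.0.1.0/24"
    next_hop_type: str             # label for the next hop type (as in the article's table)
    next_hop_ip: Optional[str] = None  # only meaningful for a virtual appliance
    source: str = "User"           # "User" (custom route), "BGP", or "System"


# Tie-break Azure applies when several routes carry the same prefix:
# user-defined route first, then BGP-learned, then system route.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}

# Constructed sample table: the four custom routes from the article, plus the
# system routes Azure provides for every subnet. The VNet address space
# 10.0.0.0/16 is an assumption made for this example.
ROUTES: List[Route] = [
    Route("10.0.1.0/24", "VirtualAppliance", "192.168.1.1"),
    Route("10.0.2.0/24", "VnetPeering"),
    Route("172.16.1.0/24", "VirtualNetworkGateway"),   # ExpressRoute circuit
    Route("0.0.0.0/0", "Internet"),
    Route("10.0.0.0/16", "VirtualNetwork", source="System"),
    Route("0.0.0.0/0", "Internet", source="System"),
]


def select_route(destination: str, routes: List[Route]) -> Optional[Route]:
    """Return the winning route for a destination address, or None if nothing matches.

    Selection is longest-prefix match; equal prefixes fall back to SOURCE_PRIORITY.
    """
    addr = ipaddress.ip_address(destination)
    best_key = None
    best_route = None
    for route in routes:
        net = ipaddress.ip_network(route.prefix, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        # Larger prefix length wins; for equal length, lower priority number wins.
        key = (net.prefixlen, -SOURCE_PRIORITY[route.source])
        if best_key is None or key > best_key:
            best_key, best_route = key, route
    return best_route


def next_hop(destination: str, routes: List[Route]) -> str:
    """Human-readable next hop, e.g. 'VirtualAppliance (192.168.1.1)'."""
    route = select_route(destination, routes)
    if route is None:
        return "no route"
    if route.next_hop_ip:
        return f"{route.next_hop_type} ({route.next_hop_ip})"
    return route.next_hop_type


def with_default_via_appliance(routes: List[Route], appliance_ip: str) -> List[Route]:
    """Copy of the table whose custom 0.0.0.0/0 route sends Internet-bound
    traffic to a virtual appliance (for example a firewall) instead of directly
    to the Internet. The system default route stays, but is shadowed because a
    user-defined route with the same prefix takes precedence."""
    forced = []
    for route in routes:
        if route.source == "User" and route.prefix == "0.0.0.0/0":
            forced.append(Route("0.0.0.0/0", "VirtualAppliance", appliance_ip))
        else:
            forced.append(route)
    return forced


if __name__ == "__main__":
    samples = ["10.0.1.5", "10.0.2.7", "10.0.3.9", "172.16.1.10", "8.8.8.8", "2001:db8::1"]
    print("Route table from the article:")
    for dest in samples:
        print(f"  {dest:>12} -> {next_hop(dest, ROUTES)}")
    print("Same table with the default route forced through the appliance:")
    for dest in samples:
        print(f"  {dest:>12} -> {next_hop(dest, with_default_via_appliance(ROUTES, '192.168.1.1'))}")
```

Two things are worth noticing when running it: an address such as 10.0.3.9 is inside the assumed VNet space but matches none of the custom routes, so the /16 system route beats the custom 0.0.0.0/0 purely on prefix length, and the IPv6 address matches nothing because the table only carries IPv4 prefixes. In the forced variant, the 10.0.2.0/24 peering route still wins for 10.0.2.7 because it is more specific than the new default route, so only traffic that previously went straight to the Internet is redirected to the appliance.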

Virtual Appliance

Packets destined for an IP address within the 10.0.1.0/24 subnet are sent to the virtual appliance with IP address 192.168.1.1.

This route is useful when sending network traffic to a network security device, such as a firewall, intrusion detection system, or network monitoring tool. You can inspect and monitor traffic for potential security threats or network performance issues by directing traffic to a virtual appliance. This can help you identify and mitigate security vulnerabilities and optimize network performance by identifying and resolving network bottlenecks.

For example, suppose you have a virtual network that hosts multiple web servers. In that case, you may want to inspect and filter incoming traffic to the web servers using a virtual firewall appliance. By routing traffic through the virtual firewall appliance, you can inspect and filter traffic before it reaches the web servers, ensuring that only legitimate traffic can pass through.

Another example use case is when you have a virtual network that spans multiple regions or availability zones, and you want to monitor network traffic between the regions or zones. By routing traffic through a virtual monitoring appliance, you can monitor and analyze the network traffic flows, identifying potential issues or optimizing network performance.

VNet Peering

If the packet is destined for an IP address within the 10.0.2.0/24 subnet, it is sent through the VNet Peering connection.

The VNet Peering route does not have a next hop IP address because VNet Peering is a direct connection between two virtual networks in Azure that needs no separate network appliance or gateway. When two virtual networks are peered, each network's address space becomes reachable from the other, and traffic can flow between them without any additional routing configuration. Therefore, when traffic is destined for an IP address within the 10.0.2.0/24 subnet, the Azure Route Table forwards the traffic to the VNet Peering connection, which delivers it to the appropriate destination within the peered virtual network.

This direct communication between the peered virtual networks allows faster, more efficient communication between resources without additional network appliances or gateways.

Express Route Gateway

If the packet is destined for the 172.16.1.0/24 subnet, it is sent through the ExpressRoute Circuit.

This route helps establish a dedicated, private connection between your on-premises infrastructure and Azure virtual network.

An ExpressRoute Circuit provides a direct, private connection between your on-premises infrastructure and Azure data centers, bypassing the public Internet. This connection can provide higher bandwidth, lower latency, and higher security than a traditional VPN connection over the Internet.

You create a route in the Azure Route Table that directs traffic destined for the on-premises network address space to the ExpressRoute Circuit. This route ensures traffic between your on-premises infrastructure and your Azure virtual network is routed through the ExpressRoute Circuit, providing a secure and private connection between the two environments.

Internet Gateway

If the packet is destined for any other IP address, it is sent to the Internet Gateway for further routing.

This route is useful when you want to enable resources within your Azure virtual network to access resources on the Internet.

The Azure Internet Gateway provides a managed gateway for outbound Internet connectivity for resources within an Azure virtual network. It allows you to access resources on the Internet, such as websites, cloud services, or other resources outside of the Azure virtual network.

Azure provides a default Internet Gateway for each virtual network, which is automatically created when the virtual network is created.



Last modified July 21, 2024: update (e2ae86c)