Network Traffic Management – Key Concepts (Azure)

1. System Routes (Default Routing)

Azure automatically creates system routes to manage traffic flow without manual configuration.

System routes handle:

- VM ↔ VM traffic within the same subnet
- VM ↔ VM traffic across subnets in the same VNet
- VM ↔ Internet
- Site-to-Site VPN and ExpressRoute traffic via gateways

Important facts

- Stored in a route table
- Evaluated based on destination IP
- If no route matches → packet is dropped
- Associated at the subnet level
2. Route Tables

A route table contains routing rules that define how outbound packets from a subnet are handled.

Key rules

- One subnet → 0 or 1 route table
- One route table → multiple subnets
- No additional cost for route tables

Next hop options

- Virtual appliance (NVA)
- Virtual network gateway
- Virtual network
- Internet
- None (blackhole traffic)
3. User-Defined Routes (UDRs)

UDRs allow you to override system routes to control traffic flow.

When to use UDRs

- Force traffic through:
  - Firewalls
  - Routers
  - WAN optimizers
- Implement hub-and-spoke topologies
- Enforce forced tunneling

UDRs always take precedence over system routes.
4. Routing Example (Public → NVA → Private)

Scenario

- Subnets: Public, DMZ, Private
- NVA located in DMZ
- Requirement: All Public subnet traffic to Private must go via NVA

Steps

- Create a route table
- Add route:
  - Address prefix: 10.0.1.0/24
  - Next hop: Virtual appliance
  - Next hop IP: 10.0.2.4
- Associate route table with Public subnet

Important

- Enable IP forwarding on the NVA
- NVA should not have a public IP
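The route selection that sections 1 to 4 describe, as an added example that is not part of these notes or of any Azure SDK: a small Python model of a subnet's effective routes. It assumes a constructed topology (VNet 10.0.0.0/16 with Public 10.0.0.0/24, Private 10.0.1.0/24 and DMZ 10.0.2.0/24, NVA at 10.0.2.4, matching the scenario above) and applies the Azure selection rule of longest prefix match, with a user-defined route beating a system route when the prefixes tie. The default "None" routes for private and shared address space are the ones Azure documents; the topology and the forced-tunneling UDR are assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Tie-break order when several routes share the same prefix length
# (Azure: user-defined > BGP-learned > system).
SOURCE_PRIORITY = {"UDR": 3, "BGP": 2, "System": 1}


@dataclass(frozen=True)
class Route:
    prefix: str                        # destination address prefix, e.g. "10.0.1.0/24"
    next_hop: str                      # VirtualNetwork, Internet, VirtualAppliance,
                                       # VirtualNetworkGateway or None (blackhole)
    source: str                        # "System", "BGP" or "UDR"
    next_hop_ip: Optional[str] = None  # only used when next_hop == "VirtualAppliance"


def system_routes(vnet_address_space: str) -> list[Route]:
    """Default routes Azure attaches to every subnet without any configuration."""
    return [
        Route(vnet_address_space, "VirtualNetwork", "System"),
        Route("0.0.0.0/0", "Internet", "System"),
        # Private and shared address space is blackholed by default.
        Route("10.0.0.0/8", "None", "System"),
        Route("172.16.0.0/12", "None", "System"),
        Route("192.168.0.0/16", "None", "System"),
        Route("100.64.0.0/10", "None", "System"),
    ]


def select_route(routes: list[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over the effective routes; ties go to the
    higher-priority source. Returns None when nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, SOURCE_PRIORITY[r.source]),
    )


def forward(routes: list[Route], destination: str) -> str:
    """Human-readable forwarding decision for one destination."""
    route = select_route(routes, destination)
    if route is None:
        return "dropped (no matching route)"
    if route.next_hop == "None":
        return f"blackholed by {route.source} route {route.prefix}"
    if route.next_hop == "VirtualAppliance":
        return f"VirtualAppliance {route.next_hop_ip} via {route.source} route {route.prefix}"
    return f"{route.next_hop} via {route.source} route {route.prefix}"


# Constructed topology (assumed, not from any real deployment): VNet 10.0.0.0/16 with
# Public 10.0.0.0/24, Private 10.0.1.0/24 and DMZ 10.0.2.0/24; the NVA sits at 10.0.2.4.
VNET = "10.0.0.0/16"
PUBLIC_SUBNET_ROUTES = system_routes(VNET) + [
    # The UDR from the scenario: Public -> Private must traverse the NVA.
    Route("10.0.1.0/24", "VirtualAppliance", "UDR", next_hop_ip="10.0.2.4"),
    # Forced tunneling: same prefix as the system Internet route, but the UDR wins.
    Route("0.0.0.0/0", "VirtualNetworkGateway", "UDR"),
]

if __name__ == "__main__":
    for dst in ("10.0.1.5", "10.0.2.4", "10.1.7.7", "20.50.1.1"):
        print(f"{dst:>10} -> {forward(PUBLIC_SUBNET_ROUTES, dst)}")
```

Running it shows 10.0.1.5 (Private) going to the appliance because the /24 UDR is longer than the /16 VNet route, 10.0.2.4 (the NVA itself) staying on the VNet route, 10.1.7.7 hitting the default None route, and Internet-bound 20.50.1.1 being forced to the gateway because the UDR beats the equal-length system route. On a real NIC the same decision can be checked with the effective routes view in the portal or `az network nic show-effective-route-table`.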
5. Virtual Network Gateway Route Propagation

- Uses BGP
- Automatically propagates routes from:
  - VPN Gateway
  - ExpressRoute Gateway
- Usually enabled, especially for ExpressRoute scenarios
6. Service Endpoints

Service endpoints extend VNet identity to Azure PaaS services.

What changes

- Source IP changes from public IP → private VNet IP
- Traffic stays on the Azure backbone

Benefits

- Improved security (no public internet exposure)
- Works with forced tunneling
- No NAT, gateways, or public IPs required
- Simple subnet-level configuration

Important caution

- Existing firewall rules using public IPs may break
- Can cause brief service interruption during setup
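The caution above in concrete form, as an added example that is not part of these notes and not Azure's own firewall code: a simplified Python model of a PaaS service firewall (storage-account style network rules) evaluated before and after a service endpoint is enabled on the subnet. All IPs, VNet and subnet names are constructed; the model assumes, as Azure documents, that once the endpoint is on, the service sees the VM's private VNet address and matches it against virtual network rules rather than against the old NAT public IP.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subnet:
    name: str
    vnet_id: str
    storage_endpoint: bool  # Microsoft.Storage service endpoint enabled on the subnet?


@dataclass
class ServiceFirewall:
    """Simplified model of a PaaS service firewall such as a storage account's
    network rules: allowed public IP ranges plus allowed (vnet, subnet) pairs."""
    ip_rules: list[str] = field(default_factory=list)
    vnet_rules: set[tuple[str, str]] = field(default_factory=set)


def observed_source(subnet: Subnet, vm_private_ip: str, nat_public_ip: str) -> str:
    """Source address the service sees: the VM's private VNet IP once the
    endpoint is on, the outbound NAT public IP otherwise."""
    return vm_private_ip if subnet.storage_endpoint else nat_public_ip


def evaluate(fw: ServiceFirewall, subnet: Subnet,
             vm_private_ip: str, nat_public_ip: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a request from vm_private_ip in subnet."""
    src = ipaddress.ip_address(observed_source(subnet, vm_private_ip, nat_public_ip))
    if subnet.storage_endpoint:
        # With the endpoint on, the service matches on subnet identity; an IP rule
        # written for the old NAT address never sees this traffic again.
        if (subnet.vnet_id, subnet.name) in fw.vnet_rules:
            return True, f"virtual network rule for {subnet.vnet_id}/{subnet.name}"
        return False, f"source now {src}; no virtual network rule for the subnet"
    for rule in fw.ip_rules:
        if src in ipaddress.ip_network(rule):
            return True, f"IP rule {rule}"
    return False, f"source {src} matches no IP rule"


# Constructed example values (not from any real environment).
NAT_PUBLIC_IP = "52.0.0.10"
VM_PRIVATE_IP = "10.0.0.4"
BEFORE = Subnet("app", "vnet-a", storage_endpoint=False)
AFTER = Subnet("app", "vnet-a", storage_endpoint=True)


def migration_walkthrough() -> list[tuple[bool, str]]:
    """Three states: before the endpoint, endpoint enabled with only the old
    public-IP rule (broken), endpoint enabled after adding the subnet rule (fixed)."""
    fw = ServiceFirewall(ip_rules=["52.0.0.10/32"])
    before = evaluate(fw, BEFORE, VM_PRIVATE_IP, NAT_PUBLIC_IP)
    broken = evaluate(fw, AFTER, VM_PRIVATE_IP, NAT_PUBLIC_IP)
    fw.vnet_rules.add(("vnet-a", "app"))   # the rule to add before flipping the endpoint
    fixed = evaluate(fw, AFTER, VM_PRIVATE_IP, NAT_PUBLIC_IP)
    return [before, broken, fixed]


if __name__ == "__main__":
    for allowed, reason in migration_walkthrough():
        print("ALLOW" if allowed else "DENY ", "-", reason)
```

The middle state is the outage the notes warn about: the public-IP rule still exists but no longer matches anything. Adding the virtual network rule for the subnet before enabling the endpoint avoids the gap; the brief interruption while the endpoint switches on is separate and cannot be configured away.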
7. Common Services Supporting Endpoints

- Azure Storage
- Azure SQL Database / SQL DW
- Azure Cosmos DB
- Azure Key Vault
- Azure Service Bus & Event Hubs
- Azure Database for PostgreSQL/MySQL
8. Private Link

Private Link provides private access to Azure PaaS services via private endpoints.

Key benefits

- No public internet exposure
- No NAT, gateways, VPN, or ExpressRoute required
- Works across:
  - Regions
  - VNets
  - On-premises networks
- Prevents data exfiltration
- Supports cross-tenant access

How it works

- Maps a service to a private IP in your VNet
- All traffic stays on the Microsoft global network
9. Service Endpoints vs Private Link (Quick Comparison)

| Feature | Service Endpoint | Private Link |
|---|---|---|
| Public IP exposure | No | No |
| Private IP in VNet | No | Yes |
| Works across VNets | Limited | Yes |
| On-prem access | Limited | Yes |
| Granular control | Medium | High |
| Recommended for new designs | ❌ | ✅ |