Author : MD TAREQ HASSAN | Updated : 2021/12/27
When to apply UDR
- To override system default routes (Next hop type: Virtual network)
- Forcing outbound internet traffic to Firewall (Address prefix: 0.0.0.0/0, Next hop type: Virtual appliance)
- Forcing incoming traffic to VNet Gateway from on-premise to Firewall (Address prefix: Spoke VNet address prefix, Next hop type: Virtual appliance)
- Dropping traffic (Next hop type: none)
- Redirecting traffic to on-premise (Next hop type: Virtual network gateway)
GatewaySubnet
- User-defined routes with destination ‘0.0.0.0/0’ are not allowed (‘0.0.0.0/0’ represents all addresses that are not found in default routes, BGP routes & UDRs)
- Gateways created with this configuration will be blocked from creation (Gateways require access to the management controllers in order to function properly)
- If applied, VNet Gateway (ExpressRoute or VPN) would not function properly
- BGP Route Propagation should be set to “Enabled” on the GatewaySubnet to ensure availability of the gateway. If this is set to disabled, the gateway will not function
See “Forcing On-premise Traffic Through Firewall” described below.
AzureFirewallSubnet
- User-defined routes with destination ‘0.0.0.0/0’ are not allowed
- UDR with “Address prefix: 0.0.0.0/0, Next hop type: Internet” is not allowed
- Azure Firewall must have direct Internet connectivity (otherwise it would not work properly)
- No UDR is required on the AzureFirewallSubnet, as it learns routes from BGP
- If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity
ApplicationGatewaySubnet
- It is recommended that you don’t use UDRs on the Application Gateway subnet
- Ensure that all management/control plane traffic is sent directly to the Internet and not through a virtual appliance or Firewall
- An incorrect configuration of the route table could result in asymmetrical routing in Application Gateway v2
- UDR for Virtual Appliances: Any scenario where 0.0.0.0/0 needs to be redirected through any virtual appliance, a hub/spoke virtual network, or on-premises (forced tunneling) isn’t supported for V2
- https://docs.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#supported-user-defined-routes
SqlManagedInstanceSubnet
- Route table must be created and attached to SqlManagedInstanceSubnet before provisioning Managed Instance (Azure Portal does it for you, in case of IaC you need to do it manually)
- Managed Instance adds the necessary routes for management traffic automatically (service-managed configuration)
- 0.0.0.0/0 route can be overridden if needed (management traffic will be fine because of the automatically added routes for management traffic)
AKS Subnet
- It’s ok to override 0.0.0.0/0 route to force traffic through Firewall
- Make sure to add an application rule with the AKS FQDN tag to the firewall policy so that AKS management traffic is not affected
- Set “Propagate gateway routes” to No, so that traffic destined to on-premise will also go through Firewall
- Traffic destined to other subnets (same VNet and peered VNet) will still go directly (bypassing Firewall) because of system default routes
To route the spoke subnet traffic through the hub firewall, you can use a User Defined route (UDR) that points to the firewall with the Virtual network gateway route propagation option disabled. The Virtual network gateway route propagation disabled option prevents route distribution to the spoke subnets. This prevents learned routes from conflicting with your UDR. If you want to keep Virtual network gateway route propagation enabled, make sure to define specific routes to the firewall to override those that are published from on-premises over BGP.
https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-portal-policy#prerequisites
See “Forcing On-premise Traffic Through Firewall” described below.
PrivateEndpointSubnet
- As of January 2022, UDR for private endpoint is in preview
- Check general availability and attach a route table to PrivateEndpointSubnet if required
AzureBastionSubnet
- UDR isn’t supported on an Azure Bastion subnet
- See: https://learn.microsoft.com/en-us/azure/bastion/bastion-faq#udr
DmsSubnet
No need to add UDR
DatabricksSubnet
- Add UDR if required (Databricks-managed routes will be added automatically)
- See: https://docs.microsoft.com/en-us/azure/databricks/administration-guide/cloud-configurations/azure/udr
Overriding 0.0.0.0/0 route
- Do not override 0.0.0.0/0 route for the following subnets (because direct internet connection is required):
  - GatewaySubnet
  - AzureFirewallSubnet
  - ApplicationGatewaySubnet
- Normally when we need to override 0.0.0.0/0 route, we also set “Propagate gateway routes: No” in the route table to prevent asymmetric routing
- Consequences of “Propagate gateway routes: No” and overriding 0.0.0.0/0 route:
  - All unknown routes will go through the next hop, i.e. Firewall / NVA
  - The resources in the subnet will no longer be accessible directly (due to asymmetrical routing)
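The per-subnet rules above are easy to get wrong in IaC, where the portal does not stop you. The following is an added example (not from this page or from Azure) of a small linter that checks route-table definitions against those rules: no 0.0.0.0/0 override on GatewaySubnet, AzureFirewallSubnet or ApplicationGatewaySubnet, BGP propagation kept enabled on GatewaySubnet, no UDR on AzureBastionSubnet, and a warning when 0.0.0.0/0 is overridden on a spoke subnet without “Propagate gateway routes: No”. The tables use the field names of the ARM `Microsoft.Network/routeTables` resource; the table names, subnet names and firewall IP are constructed sample values.

```python
"""Lint Azure route-table definitions against the per-subnet UDR rules on this page.
Added example; the tables below are constructed sample data, not real resources."""

DEFAULT_ROUTE = "0.0.0.0/0"
# Next hop types accepted by Microsoft.Network/routeTables
VALID_NEXT_HOPS = {"VirtualNetworkGateway", "VnetLocal", "Internet", "VirtualAppliance", "None"}
# Subnets that must keep direct Internet connectivity, so 0.0.0.0/0 must not be overridden
KEEP_DEFAULT_ROUTE = {"GatewaySubnet", "AzureFirewallSubnet", "ApplicationGatewaySubnet"}


def lint_route_table(subnet_name, table):
    """Return a list of findings for `table` attached to `subnet_name`; [] means clean."""
    findings = []
    if subnet_name == "AzureBastionSubnet":
        findings.append("AzureBastionSubnet: UDR is not supported on this subnet")
        return findings

    props = table["properties"]
    # disableBgpRoutePropagation == True is "Propagate gateway routes: No" in the portal
    propagation_disabled = props.get("disableBgpRoutePropagation", False)
    routes = [r["properties"] for r in props.get("routes", [])]
    overrides_default = any(r["addressPrefix"] == DEFAULT_ROUTE for r in routes)

    for r in routes:
        if r["nextHopType"] not in VALID_NEXT_HOPS:
            findings.append(f"{r['addressPrefix']}: unknown next hop type {r['nextHopType']!r}")
        if r["nextHopType"] == "VirtualAppliance" and not r.get("nextHopIpAddress"):
            findings.append(f"{r['addressPrefix']}: VirtualAppliance next hop needs nextHopIpAddress")

    if subnet_name in KEEP_DEFAULT_ROUTE and overrides_default:
        findings.append(f"{subnet_name}: 0.0.0.0/0 UDR is not allowed, direct Internet connectivity is required")
    if subnet_name == "GatewaySubnet" and propagation_disabled:
        findings.append("GatewaySubnet: BGP route propagation must stay enabled or the gateway stops working")
    if subnet_name == "ApplicationGatewaySubnet" and routes:
        findings.append("ApplicationGatewaySubnet: UDRs are not recommended; control-plane traffic must reach the Internet directly")
    if overrides_default and subnet_name not in KEEP_DEFAULT_ROUTE and not propagation_disabled:
        findings.append(f"{subnet_name}: 0.0.0.0/0 overridden but gateway route propagation is still enabled; "
                        "BGP-learned on-premise routes can bypass the firewall (asymmetric routing)")
    return findings


def make_table(name, routes, disable_propagation):
    """Build a minimal Microsoft.Network/routeTables body from (name, properties) pairs."""
    return {
        "name": name,
        "properties": {
            "disableBgpRoutePropagation": disable_propagation,
            "routes": [{"name": n, "properties": p} for n, p in routes],
        },
    }


FIREWALL_IP = "10.0.1.4"  # constructed: private IP of the hub firewall
SPOKE_PREFIX = "10.1.0.0/16"  # constructed: address space of a spoke VNet
TO_FIREWALL = {"addressPrefix": DEFAULT_ROUTE, "nextHopType": "VirtualAppliance", "nextHopIpAddress": FIREWALL_IP}

# Spoke subnet done right: default route to the firewall, gateway propagation off
SPOKE_OK = make_table("rt-spoke", [("default-to-fw", TO_FIREWALL)], disable_propagation=True)
# Same table, but propagation still on: on-premise routes would bypass the firewall
SPOKE_PROPAGATING = make_table("rt-spoke-propagating", [("default-to-fw", TO_FIREWALL)], disable_propagation=False)
# GatewaySubnet with a 0.0.0.0/0 override and propagation off: both forbidden
GATEWAY_BAD = make_table("rt-gw-bad", [("default-to-fw", TO_FIREWALL)], disable_propagation=True)
# GatewaySubnet used to force on-premise -> spoke traffic through the firewall: fine
GATEWAY_OK = make_table("rt-gw", [("spoke-to-fw", {"addressPrefix": SPOKE_PREFIX, "nextHopType": "VirtualAppliance",
                                                   "nextHopIpAddress": FIREWALL_IP})], disable_propagation=False)

if __name__ == "__main__":
    for subnet, table in [("AksSubnet", SPOKE_OK), ("AksSubnet", SPOKE_PROPAGATING),
                          ("GatewaySubnet", GATEWAY_BAD), ("GatewaySubnet", GATEWAY_OK),
                          ("AzureBastionSubnet", SPOKE_OK)]:
        print(subnet, table["name"], lint_route_table(subnet, table) or "clean")
```

Run the checks in a pipeline step before `az deployment` or `terraform apply`; the GatewaySubnet sample shows that a UDR on that subnet is fine as long as it targets spoke prefixes rather than 0.0.0.0/0 and propagation stays enabled.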
Forcing On-premise Traffic Through Firewall
See: Force incoming traffic to Virtual Network Gateway (from on-premise) through Firewall
Forcing inter-subnet traffic through Firewall
Traffic between directly peered VNets is routed directly even if a UDR points to Azure Firewall as the default gateway. To send subnet to subnet traffic to the firewall in this scenario, a UDR must contain the target subnet network prefix explicitly on both subnets.
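As an added example (not from this page or from Azure), the function below builds the route table that the “Force traffic from spoke subnet to firewall” steps describe: gateway route propagation disabled, 0.0.0.0/0 pointed at the firewall’s private IP, plus one explicit route per directly peered prefix, since peered-VNet traffic keeps using the system route unless a more specific UDR exists. A second function checks the requirement above that both sides of a peering carry the other side’s prefix. Output uses the field names of the ARM `Microsoft.Network/routeTables` resource; the firewall IP, prefixes, names and location are constructed sample values.

```python
"""Build a spoke route table that sends default and peered-subnet traffic through
the hub Azure Firewall. Added example; all addresses and names are constructed."""
import ipaddress
import json


def udr(name, prefix, next_hop_type, next_hop_ip=None):
    """One route entry; ip_network() rejects prefixes with host bits set (ValueError)."""
    props = {"addressPrefix": str(ipaddress.ip_network(prefix)), "nextHopType": next_hop_type}
    if next_hop_type == "VirtualAppliance":
        if next_hop_ip is None:
            raise ValueError("VirtualAppliance next hop requires nextHopIpAddress")
        props["nextHopIpAddress"] = str(ipaddress.ip_address(next_hop_ip))
    return {"name": name, "properties": props}


def spoke_route_table(name, firewall_ip, peered_prefixes=(), location="eastus"):
    """Route table for a spoke subnet: 0.0.0.0/0 and every peered prefix go to the firewall."""
    routes = [udr("default-to-firewall", "0.0.0.0/0", "VirtualAppliance", firewall_ip)]
    # Traffic to directly peered VNets matches the system peering route, which is more
    # specific than 0.0.0.0/0, so each peered prefix needs its own explicit UDR.
    for i, prefix in enumerate(peered_prefixes, start=1):
        routes.append(udr(f"peer-{i}-to-firewall", prefix, "VirtualAppliance", firewall_ip))
    return {
        "type": "Microsoft.Network/routeTables",
        "name": name,
        "location": location,
        "properties": {
            # "Virtual network gateway route propagation: disabled" in the portal,
            # so BGP-learned on-premise routes cannot override the UDR
            "disableBgpRoutePropagation": True,
            "routes": routes,
        },
    }


def explicit_route_for(table, prefix):
    """True if the table carries a UDR whose prefix equals `prefix` (0.0.0.0/0 does not count)."""
    target = str(ipaddress.ip_network(prefix))
    return any(r["properties"]["addressPrefix"] == target for r in table["properties"]["routes"])


def peered_pair_is_symmetric(table_a, prefix_a, table_b, prefix_b):
    """Both peered subnets must point the other side's prefix at the firewall,
    otherwise one direction bypasses it and the firewall sees asymmetric flows."""
    return explicit_route_for(table_a, prefix_b) and explicit_route_for(table_b, prefix_a)


if __name__ == "__main__":
    firewall_ip = "10.0.1.4"      # constructed: hub firewall private IP
    spoke_a, spoke_b = "10.1.0.0/24", "10.2.0.0/24"  # constructed: two peered spoke subnets
    rt_a = spoke_route_table("rt-spoke-a", firewall_ip, [spoke_b])
    rt_b = spoke_route_table("rt-spoke-b", firewall_ip, [spoke_a])
    print(json.dumps(rt_a, indent=2))
    print("symmetric:", peered_pair_is_symmetric(rt_a, spoke_a, rt_b, spoke_b))
```

The returned dictionary can be dropped into an ARM template (with an `apiVersion` of your choice) or mirrored in Bicep or Terraform; the symmetry check is the one to keep in CI, because forgetting the return route on the second spoke is the usual cause of half-inspected east-west traffic.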
Force traffic from spoke subnet to firewall
- Create route table with “Virtual network gateway route propagation: disabled”
- Add UDR:
  - Address prefix: 0.0.0.0/0
  - Next hop type: Virtual appliance
  - Next hop address: x.x.x.x (private IP of Firewall)
- Address prefix: