AZ-500 Microsoft Azure Security Technologies Exam

Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!

Plan and implement user-defined routes

Configure and validate custom route tables

Default system routes in Azure let virtual machines within the same virtual network communicate and send traffic to the internet without extra steps. However, when you need deep packet inspection or strict security controls, you use user-defined routes (UDRs) to override these defaults. With UDRs, you force traffic through specific security appliances or gateways instead of letting Azure decide the path. This ensures all packets follow your organization’s security policies.

To build a custom route table, you start by defining address prefixes that match the traffic destinations you care about. When several routes match a destination, Azure uses the longest prefix; for the same prefix, a user-defined route takes precedence over a BGP-learned route, which in turn takes precedence over a system route. Next, you pick a NextHopType to tell Azure where to send matching traffic. Common options include:

  • VirtualAppliance: routes packets to a network virtual appliance for inspection (this type also requires a NextHopIpAddress, the private IP of the appliance)
  • VirtualNetworkGateway: sends traffic to a VPN or ExpressRoute gateway
  • Internet: sends matching traffic directly to the public internet
  • None: drops matching traffic, which is a simple way to black-hole prefixes that must never be reachable

By combining prefixes and next hops, you shape the path that your network traffic uses.

After creating routes, you associate the route table with one or more subnets; a subnet can have at most one route table, and a route table can serve many subnets. Once associated, every network interface in those subnets uses your custom routes wherever they override the default system routes. To implement forced tunneling, add a 0.0.0.0/0 route whose next hop is VirtualNetworkGateway (to send internet-bound traffic to an on-premises firewall over VPN or ExpressRoute) or VirtualAppliance (to send it to an NVA inside Azure). A 0.0.0.0/0 route with the Internet next hop does the opposite: it restores direct internet egress for that subnet, which is useful for a deliberate exception but not for enforcing inspection. When the next hop is a VPN gateway, the gateway also needs a default site configured (Set-AzVirtualNetworkGatewayDefaultSite), otherwise the route has no tunnel to carry the traffic.

To validate your configuration, you inspect the effective routes for a network interface using Azure CLI or PowerShell. The VM that owns the NIC must be running, because effective routes are resolved only for allocated interfaces. For example:

  • az network nic show-effective-route-table --name MyNic --resource-group MyRG
  • Get-AzEffectiveRouteTable -NetworkInterfaceName MyNic -ResourceGroupName MyRG

The output lists every route the NIC sees, together with its source (Default, User, or VirtualNetworkGateway) and its state. Confirm that each addressPrefix you defined is Active and points at the intended next hop, and that any system route you meant to override (for example the default 0.0.0.0/0 to Internet) now shows as Invalid rather than Active. A user route that is missing from the output usually means the route table is not associated with the NIC's subnet.

When directing traffic to a network virtual appliance, you must enable IP forwarding on the appliance's NIC. Without IP forwarding, Azure drops packets whose destination address is not the appliance's own IP, breaking your UDR path. The NIC setting only makes the Azure fabric deliver those packets; the appliance's operating system must also be configured to forward them (for example net.ipv4.ip_forward=1 on Linux), and any network security group on the appliance's subnet must allow the transit traffic. With all three in place, the appliance can receive and forward packets and your security chain remains intact.
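The whole procedure above (define routes, associate the table with a subnet, enable IP forwarding on the appliance, validate effective routes) as one worked example. This is an added example written for this page with the Az PowerShell module, not code from the course. It assumes a resource group MyRG in eastus, a virtual network MyVnet with a subnet named workload, a network virtual appliance whose NIC is nva-nic with private IP 10.0.1.4, and a running workload VM whose NIC is MyNic; every name and address is a placeholder to adapt.

```powershell
# Added example, not from the course page. Names and addresses below are assumptions.
$rg         = 'MyRG'
$location   = 'eastus'
$vnetName   = 'MyVnet'
$subnetName = 'workload'   # subnet whose egress must be inspected
$nvaNicName = 'nva-nic'    # NIC of the network virtual appliance
$nvaIp      = '10.0.1.4'   # private IP of the NVA (assumed)
$vmNicName  = 'MyNic'      # NIC of a running workload VM used for validation

# 1. Route table with two routes to the appliance:
#    0.0.0.0/0    -> NVA : forced tunneling of all internet-bound traffic
#    10.0.0.0/16  -> NVA : east-west traffic between subnets is inspected too
# BGP propagation is disabled so an on-premises-advertised default route
# cannot silently compete with the 0.0.0.0/0 entry.
$rt = New-AzRouteTable -Name 'rt-inspect' -ResourceGroupName $rg `
        -Location $location -DisableBgpRoutePropagation

Add-AzRouteConfig -RouteTable $rt -Name 'default-to-nva' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp | Out-Null
Add-AzRouteConfig -RouteTable $rt -Name 'vnet-to-nva' -AddressPrefix '10.0.0.0/16' `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt

# 2. Associate the route table with the workload subnet (one table per subnet).
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. The appliance must accept packets not addressed to itself.
$nvaNic = Get-AzNetworkInterface -Name $nvaNicName -ResourceGroupName $rg
$nvaNic.EnableIPForwarding = $true
$nvaNic | Set-AzNetworkInterface | Out-Null

# 4. Validate from a workload NIC: the Active default route must point at the NVA.
#    The overridden system route 0.0.0.0/0 -> Internet should now show State = Invalid.
$effective = Get-AzEffectiveRouteTable -NetworkInterfaceName $vmNicName -ResourceGroupName $rg
$effective | Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress

$default = $effective |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' -and $_.State -eq 'Active' } |
    Select-Object -First 1

if ($null -eq $default -or
    $default.NextHopType -ne 'VirtualAppliance' -or
    $default.NextHopIpAddress -notcontains $nvaIp) {
    throw "Default route is not forced through the NVA: $($default | ConvertTo-Json -Compress)"
}
Write-Host "OK: 0.0.0.0/0 on $vmNicName is active via VirtualAppliance $nvaIp"
```

The final check is the part worth keeping in a pipeline: run it after every network change and fail the deployment when the active default route for a protected subnet is anything other than the appliance, which catches both a missing subnet association and a stray Internet route added as an exception.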

Conclusion

In this section, you learned how to use user-defined routes to control traffic flow in Azure virtual networks. You saw how to define address prefixes, select the right NextHopType, and assign route tables to subnets for forced tunneling. You also explored methods to validate routes with Azure CLI and PowerShell and the importance of enabling IP forwarding on network virtual appliances. Together, these steps let you enforce consistent security inspection and meet compliance requirements across your Azure environment.