Although the default system routes in Azure handle traffic automatically, there are often cases where you prefer to control the routing of traffic on your own. Such cases are typical when you want to route traffic through a virtual appliance. To facilitate this capability, you can create user-defined routes (UDRs) that specify the next hop for packets that are bound for a specific subnet. With a UDR, you can direct such traffic to a virtual appliance instead, where the traffic can be filtered, captured, inspected, or whatever else you want done with it.
Configuring user-defined routes in Azure requires you to configure routing tables for your subnets as well as specific routes within those routing tables. You must then assign your routing tables to the correct subnets.
In this article, I am going to explain how to take traffic that flows from SubnetA directly to SubnetB and re-route it so that it flows from SubnetA to our pretend firewall (FW1) and then on to SubnetB. In this configuration, we could do any number of things with the traffic as it passes through FW1 (e.g., inspect it with an IDS).
To prepare my environment in Azure for this demonstration, I created a single Virtual Network (192.168.0.0/16) and three subnets: 192.168.0.0/24, 192.168.1.0/24, and 192.168.2.0/24. I spun up a Windows 2012 R2 box on each subnet and configured the server on the 192.168.0.0/24 subnet as an RRAS server.
For those who are more interested in diagrams (like me), this is how it looked:
As you can see in the diagram, ServerA resided on SubnetA, ServerB resided on SubnetB, and the FW1 server lived on the subnet labeled DMZ.
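The route table, route and subnet association described above, written out with the Az PowerShell module as an added example (this is not code from the original post). It assumes a resource group `udr-demo-rg`, a VNet `udr-vnet` with SubnetA = 192.168.1.0/24 and SubnetB = 192.168.2.0/24 (the post does not say which /24 is which), and that FW1's NIC `fw1-nic` holds 192.168.0.4; it goes one step beyond the post by also routing the return path through FW1, so the firewall sees both halves of each flow.

```powershell
# Added example, not code from the original post. Assumed names: resource
# group 'udr-demo-rg', VNet 'udr-vnet' (192.168.0.0/16), subnets SubnetA
# 192.168.1.0/24 and SubnetB 192.168.2.0/24, FW1 NIC 'fw1-nic' at 192.168.0.4,
# ServerA NIC 'servera-nic'. Adjust to match your own deployment.
$rg       = 'udr-demo-rg'
$location = 'eastus'
$fw1Ip    = '192.168.0.4'
$subnets  = @{ SubnetA = '192.168.1.0/24'; SubnetB = '192.168.2.0/24' }

# 1. FW1 must be allowed to receive packets that are not addressed to it;
#    without IP forwarding on the NIC, Azure drops them before the guest
#    (and RRAS) ever sees them. This is separate from enabling routing in RRAS.
$nic = Get-AzNetworkInterface -Name 'fw1-nic' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 2. One route table per subnet. SubnetA's table sends SubnetB-bound traffic
#    to FW1; SubnetB's table sends the replies back through FW1 too. Without
#    the second table the return traffic follows the default system route and
#    bypasses the firewall, which breaks any stateful inspection on FW1.
$vnet = Get-AzVirtualNetwork -Name 'udr-vnet' -ResourceGroupName $rg
foreach ($name in $subnets.Keys) {
    $peer = if ($name -eq 'SubnetA') { 'SubnetB' } else { 'SubnetA' }
    $rt = New-AzRouteTable -Name "rt-$name" -ResourceGroupName $rg `
          -Location $location -Force
    Add-AzRouteConfig -RouteTable $rt -Name "to-$peer-via-FW1" `
        -AddressPrefix $subnets[$peer] `
        -NextHopType VirtualAppliance `
        -NextHopIpAddress $fw1Ip | Out-Null
    $rt = Set-AzRouteTable -RouteTable $rt

    # 3. Attach the table to its subnet, keeping the subnet's existing prefix.
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name `
        -AddressPrefix $subnets[$name] -RouteTable $rt | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Verify from the data plane rather than trusting the portal: ServerA's
#    effective routes should list 192.168.2.0/24 with next hop
#    VirtualAppliance 192.168.0.4, overriding the VnetLocal system route.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'servera-nic' -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains $subnets['SubnetB'] } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress
```

If the effective-route check still shows NextHopType VnetLocal for 192.168.2.0/24, the table is not associated with ServerA's subnet; if the route is present but traffic stops, IP forwarding on FW1's NIC or routing inside RRAS is the usual culprit.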