Azure Routing

Azure routing can be effortless if you keep two simple rules in mind.

- The most specific (longest) prefix always wins.

  - The routing decision goes to the most specific prefix. So between 10.0.0.0/16, 10.0.0.0/24 and 10.0.0.0/27 in a route table, Azure will always choose the longest one, the /27, to make the routing decision.

- For the same prefix, the route source decides.

  - If there are multiple routes for the same prefix, Azure uses the route source to make the routing decision. A user-defined route (UDR) is chosen first; if there is no UDR, a route from a BGP source (ExpressRoute, a BGP-enabled VNG, Virtual WAN, Route Server) is chosen; and if there is no route for that prefix from a UDR or a BGP source, the default/system route (from the VNET address space and VNET peering) is chosen.

These two rules seem simple on paper, but they require you to visualize the route table every time (you can view effective routes, but only through the network interface of a deployed VM).

Imagine a fictional company with an on-premises network (10.0.0.0/16) connected to several landing zones (using 192.168.0.0/20) via a VPN or ExpressRoute.

Now the company wants to add a security layer by adding a firewall running in a VM (very old school, but this is an illustration, not a best-practice guide).

The firewall is connected to the Hub VNET (the one with the VNG) peered to all other VNETs.

To make sure that traffic from the Azure VNETs to on-premises goes through the firewall, you add a UDR to each subnet of each VNET.

It works because, in the route table, you have two entries for the prefix 10.0.0.0/16:

- The BGP one, with the VNG as the next hop

- The UDR one, with the firewall as the next hop

Both have the same prefix, so the second rule applies and the UDR wins.

Now, for traffic going from the on-premises network to Azure, a UDR is added to the gateway subnet for 192.168.0.0/20 (the generic prefix for Azure) with the firewall as the next hop.

Adding a UDR doesn't mean it will be used. Here each VNET peered to the HUB VNET uses a specific prefix (192.168.0.0/24, 192.168.1.0/24…), not the generic one. So the first rule applies: Azure uses the most specific prefix (192.168.0.0/24, learned from the peering) and not the UDR (the UDR will be used only for an IP in the generic prefix that doesn't belong to any VNET).

To make it work, a UDR is needed for each prefix used by a VNET, so that the UDR matches with the same length as the peering route and wins on route source.
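The two rules above (longest prefix first, then route source: UDR before BGP before system) and the hub-and-spoke scenario can be replayed offline with a small route resolver. This is an added example written for this article, not Azure's own implementation; it assumes a hub VNET of 192.168.0.0/24 with the firewall VM at 192.168.0.4, spokes at 192.168.1.0/24 and 192.168.2.0/24, and next-hop labels that only mirror what the portal's effective-routes view shows. All route tables are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Route-source precedence Azure applies when several routes share one prefix:
# user-defined route first, then BGP-learned routes, then system/default routes
# (VNET address space and VNET peering). Lower number = chosen first.
SOURCE_PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str    # e.g. "10.0.0.0/16"
    source: str    # "UDR", "BGP" or "System"
    next_hop: str  # e.g. "VirtualNetworkGateway", "VNetPeering", "VirtualAppliance 192.168.0.4"


def select_route(routes, destination):
    """Return the route Azure would pick for `destination`, or None if nothing matches.

    Rule 1: the longest (most specific) matching prefix wins.
    Rule 2: among routes with that same prefix, the highest-priority source wins.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_PRIORITY[r.source]),
    )


# Rule 1 illustration from the article: three overlapping prefixes, same source.
RULE1_ROUTES = [
    Route("10.0.0.0/16", "BGP", "VirtualNetworkGateway"),
    Route("10.0.0.0/24", "BGP", "VirtualNetworkGateway"),
    Route("10.0.0.0/27", "BGP", "VirtualNetworkGateway"),
]

# Constructed table for a spoke subnet (192.168.1.0/24) after the UDR towards
# on-premises was added. FIREWALL is an assumed address inside the hub VNET.
FIREWALL = "VirtualAppliance 192.168.0.4"
SPOKE_ROUTES = [
    Route("192.168.1.0/24", "System", "VNetLocal"),
    Route("192.168.0.0/24", "System", "VNetPeering"),
    Route("10.0.0.0/16", "BGP", "VirtualNetworkGateway"),
    Route("10.0.0.0/16", "UDR", FIREWALL),
]

# Constructed table for the hub's GatewaySubnet with only the generic /20 UDR.
GATEWAY_SUBNET_ROUTES = [
    Route("192.168.0.0/24", "System", "VNetLocal"),
    Route("192.168.1.0/24", "System", "VNetPeering"),
    Route("192.168.2.0/24", "System", "VNetPeering"),
    Route("192.168.0.0/20", "UDR", FIREWALL),
]

# Same table after the fix: one UDR per spoke prefix, matching the peering length.
GATEWAY_SUBNET_ROUTES_FIXED = GATEWAY_SUBNET_ROUTES + [
    Route("192.168.1.0/24", "UDR", FIREWALL),
    Route("192.168.2.0/24", "UDR", FIREWALL),
]


def chosen_next_hop(routes, destination):
    """Convenience wrapper: next hop Azure would use, or None."""
    route = select_route(routes, destination)
    return None if route is None else route.next_hop


if __name__ == "__main__":
    for table_name, table, dst in [
        ("spoke -> on-prem", SPOKE_ROUTES, "10.0.1.10"),
        ("gateway -> spoke (generic UDR only)", GATEWAY_SUBNET_ROUTES, "192.168.1.10"),
        ("gateway -> spoke (per-prefix UDRs)", GATEWAY_SUBNET_ROUTES_FIXED, "192.168.1.10"),
    ]:
        print(f"{table_name}: {dst} -> {select_route(table, dst)}")
```

The resolver reproduces both outcomes from the article: on the spoke, 10.0.1.10 matches two /16 routes and the UDR wins on source; on the gateway subnet, 192.168.1.10 matches the peering /24 before the /20 UDR, so traffic bypasses the firewall until a /24 UDR per spoke is added. To check the real thing rather than the model, list the effective routes of a VM's network interface (for example with `az network nic show-effective-route-table`) and compare prefix lengths and sources the same way.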

Routing in Azure is not easy: you need to visualize the route tables and ask yourself what Azure will do each time.


For more content follow me on Dev.to
