Tutorial: Route network traffic with a route table using the Azure portal

• 12/12/2018
• 9 minutes to read
• • 
  • 
  • 
  • 
  • 
  • +1

Azure routes traffic between all subnets within a virtual network, by default. You can create your own routes to override Azure's default routing. The ability to create custom routes is helpful if, for example, you want to route traffic between subnets through a network virtual appliance (NVA). In this tutorial, you learn how to:

If you prefer, you can finish this tutorial using the Azure CLI or Azure PowerShell.

If you don't have an Azure subscription, create a free account before you begin.

Sign in to Azure

Sign in to the Azure portal.

Create a route table

1. On the upper-left side of the screen, select Create a resource > Networking > Route table.

2. In Create route table, enter or select this information:

   Setting	Value
   Name	Enter myRouteTablePublic.
   Subscription	Select your subscription.
   Resource group	Select Create new, enter myResourceGroup, and select OK.
   Location	Leave the default East US.
   BGP route propagation	Leave the default Enabled.

3. Select Create.

Create a route

1. In the portal's search bar, enter myRouteTablePublic.

2. When myRouteTablePublic appears in the search results, select it.

3. In myRouteTablePublic under Settings, select Routes > + Add.

   

4. In Add route, enter or select this information:

   Setting	Value
   Route name	Enter ToPrivateSubnet.
   Address prefix	Enter 10.0.1.0/24.
   Next hop type	Select Virtual appliance.
   Next hop address	Enter 10.0.2.4.

5. Select OK.

Associate a route table to a subnet

Before you can associate a route table to a subnet, you have to create a virtual network and subnet.

Create a virtual network

1. On the upper-left side of the screen, select Create a resource > Networking > Virtual network.

2. In Create virtual network, enter or select this information:

   Setting	Value
   Name	Enter myVirtualNetwork.
   Address space	Enter 10.0.0.0/16.
   Subscription	Select your subscription.
   Resource group	Select Select existing > myResourceGroup.
   Location	Leave the default East US.
   Subnet - Name	Enter Public.
   Subnet - Address range	Enter 10.0.0.0/24.

3. Leave the rest of the defaults and select Create.

Add subnets to the virtual network

1. In the portal's search bar, enter myVirtualNetwork.

2. When myVirtualNetwork appears in the search results, select it.

3. In myVirtualNetwork, under Settings, select Subnets > + Subnet.

   

4. In Add subnet, enter this information:

   Setting	Value
   Name	Enter Private.
   Address space	Enter 10.0.1.0/24.

5. Leave the rest of the defaults and select OK.

6. Select + Subnet again. This time, enter this information:

   Setting	Value
   Name	Enter DMZ.
   Address space	Enter 10.0.2.0/24.

7. Like the last time, leave the rest of the defaults and select OK.

   Azure shows the three subnets: Public, Private, and DMZ.

Associate myRouteTablePublic to your Public subnet

1. Select Public.

2. In Public, select Route table > MyRouteTablePublic > Save.

   

Create an NVA

NVAs are VMs that help with network functions like routing and firewall optimization. You can select a different operating system if you want. This tutorial assumes you're using Windows Server 2016 Datacenter.

1. On the upper-left side of the screen, select Create a resource > Compute > Windows Server 2016 Datacenter.

2. In Create a virtual machine - Basics, enter or select this information:

   Setting	Value
   PROJECT DETAILS
   Subscription	Select your subscription.
   Resource group	Select myResourceGroup.
   INSTANCE DETAILS
   Virtual machine name	Enter myVmNva.
   Region	Select East US.
   Availability options	Leave the default No infrastructure redundancy required.
   Image	Leave the default Windows Server 2016 Datacenter.
   Size	Leave the default Standard DS1 v2.
   ADMINISTRATOR ACCOUNT
   Username	Enter a user name of your choosing.
   Password	Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
   Confirm Password	Reenter password.
   INBOUND PORT RULES
   Public inbound ports	Leave the default None.
   SAVE MONEY
   Already have a Windows license?	Leave the default No.

3. Select Next : Disks.

4. In Create a virtual machine - Disks, select the settings that are right for your needs.

5. Select Next : Networking.

6. In Create a virtual machine - Networking, select this information:

   Setting	Value
   Virtual network	Leave the default myVirtualNetwork.
   Subnet	Select DMZ (10.0.2.0/24).
   Public IP	Select None. You don't need a public IP address. The VM won't connect over the internet.

7. Leave the rest of the defaults and select Next : Management.

8. In Create a virtual machine - Management, for Diagnostics storage account, select Create New.

9. In Create storage account, enter or select this information:

   Setting	Value
   Name	Enter mynvastorageaccount.
   Account kind	Leave the default Storage (general purpose v1).
   Performance	Leave the default Standard.
   Replication	Leave the default Locally-redundant storage (LRS).

10. Select OK

11. Select Review + create. You're taken to the Review + create page and Azure validates your configuration.

12. When you see that Validation passed, select Create.

    The VM takes a few minutes to create. Don't keep going until Azure finishes creating the VM. The Your deployment is underway page will show you deployment details.

13. When your VM is ready, select Go to resource.

Turn on IP forwarding

Turn on IP forwarding for myVmNva. When Azure sends network traffic to myVmNva, if the traffic is destined for a different IP address, IP forwarding will send the traffic to the correct location.

1. On myVmNva, under Settings, select Networking.

2. Select myvmnva123. That's the network interface Azure created for your VM. It will have a string of numbers to make it unique for you.

   

3. Under Settings, select IP configurations.

4. On myvmnva123 - IP configurations, for IP forwarding, select Enabled and then select Save.

   

Create public and private virtual machines

Create a public VM and a private VM in the virtual network. Later, you'll use them to see that Azure routes the Public subnet traffic to the Private subnet through the NVA.

Complete steps 1-12 of Create an NVA. Use most of the same settings. These values are the ones that have to be different:

You can create the myVmPrivate VM while Azure creates the myVmPublic VM. Don't continue with the rest of the steps until Azure finishes creating both VMs.

Route traffic through an NVA

Sign in to myVmPrivate over remote desktop

1. In the portal's search bar, enter myVmPrivate.

2. When the myVmPrivate VM appears in the search results, select it.

3. Select Connect to create a remote desktop connection to the myVmPrivate VM.

4. In Connect to virtual machine, select Download RDP File. Azure creates a Remote Desktop Protocol (.rdp) file and downloads it to your computer.

5. Open the downloaded .rdp file.

   1. If prompted, select Connect.

   2. Enter the user name and password you specified when creating the Private VM.

   3. You may need to select More choices > Use a different account, to use the Private VM credentials.

6. Select OK.

   You may receive a certificate warning during the sign in process.

7. Select Yes to connect to the VM.

Enable ICMP through the Windows firewall

In a later step, you'll use the trace route tool to test routing. Trace route uses the Internet Control Message Protocol (ICMP), which the Windows Firewall denies by default. Enable ICMP through the Windows firewall.

1. In the Remote Desktop of myVmPrivate, open PowerShell.

2. Enter this command:

   New-NetFirewallRule –DisplayName “Allow ICMPv4-In” –Protocol ICMPv4
   

   You're using trace route to test routing in this tutorial. For production environments, we don't recommend allowing ICMP through the Windows Firewall.

Turn on IP forwarding within myVmNva

You turned on IP forwarding for the VM's network interface using Azure. The VM's operating system also has to forward network traffic. Turn on IP forwarding for myVmNva VM's operating system with these commands.

1. From a command prompt on the myVmPrivate VM, open a remote desktop to the myVmNva VM:

   mstsc /v:myvmnva
   

2. From PowerShell on the myVmNva, enter this command to turn on IP forwarding:

   Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter -Value 1
   

3. Restart the myVmNva VM. From the taskbar, select Start button > Power button, Other (Planned) > Continue.

   That also disconnects the remote desktop session.

4. After the myVmNva VM restarts, create a remote desktop session to the myVmPublic VM. While still connected to the myVmPrivate VM, open a command prompt and run this command:

   mstsc /v:myVmPublic
   

5. In the Remote Desktop of myVmPublic, open PowerShell.

6. Enable ICMP through the Windows firewall by entering this command:

   New-NetFirewallRule –DisplayName “Allow ICMPv4-In” –Protocol ICMPv4
   

Test the routing of network traffic

First, let's test routing of network traffic from the myVmPublic VM to the myVmPrivate VM.

1. From PowerShell on the myVmPublic VM, enter this command:

   tracert myVmPrivate
   

   The response is similar to this example:

   Tracing route to myVmPrivate.vpgub4nqnocezhjgurw44dnxrc.bx.internal.cloudapp.net [10.0.1.4]
   over a maximum of 30 hops:
   
   1    <1 ms     *        1 ms  10.0.2.4
   2     1 ms     1 ms     1 ms  10.0.1.4
   
   Trace complete.
   

   You can see the first hop is to 10.0.2.4. It's NVA's private IP address. The second hop is to the private IP address of the myVmPrivate VM: 10.0.1.4. Earlier, you added the route to the myRouteTablePublic route table and associated it to the Public subnet. As a result, Azure sent the traffic through the NVA and not directly to the Private subnet.

2. Close the remote desktop session to the myVmPublic VM, which leaves you still connected to the myVmPrivate VM.

3. From a command prompt on the myVmPrivate VM, enter this command:

   tracert myVmPublic
   

   It tests the routing of network traffic from the myVmPrivate VM to the myVmPublic VM. The response is similar to this example:

   Tracing route to myVmPublic.vpgub4nqnocezhjgurw44dnxrc.bx.internal.cloudapp.net [10.0.0.4]
   over a maximum of 30 hops:
   
   1     1 ms     1 ms     1 ms  10.0.0.4
   
   Trace complete.
   

   You can see Azure routes traffic directly from the myVmPrivate VM to the myVmPublic VM. By default, Azure routes traffic directly between subnets.

4. Close the remote desktop session to the myVmPrivate VM.

Clean up resources

When no longer needed, delete the resource group and all resources it has:

1. In the portal's search bar, enter myResourceGroup.

2. When you see myResourceGroup in the search results, select it.

3. Select Delete resource group.

4. Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this tutorial, you created a route table and associated it to a subnet. You created a simple NVA that routed traffic from a public subnet to a private subnet. Now that you know how to do that, you can deploy different pre-configured NVAs from the Azure Marketplace. They carry out many network functions you'll find useful. To learn more about routing, see Routing overview and Manage a route table.

While you can deploy many Azure resources within a virtual network, Azure can't deploy resources for some PaaS services into a virtual network. It's possible to restrict access to the resources of some Azure PaaS services. The restriction must only be traffic from a virtual network subnet though. To learn how to restrict network access to Azure PaaS resources, advance to the next tutorial.