Tutorial: Route network traffic with a route table using the Azure portal
Azure routes traffic between all subnets within a virtual network, by default. You can create your own routes to override Azure's default routing. Custom routes are helpful when, for example, you want to route traffic between subnets through a network virtual appliance (NVA). In this tutorial, you learn how to:
- Create an NVA that routes traffic
- Create a route table
- Create a route
- Associate a route table to a subnet
- Deploy virtual machines (VMs) into different subnets
- Route traffic from one subnet to another through an NVA
This tutorial uses the Azure portal. You can also use Azure CLI or Azure PowerShell.
Prerequisites
Before you begin, you need an Azure account with an active subscription. If you don't have one, you can create an account for free.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
Create a virtual network
From the Azure portal menu, select Create a resource. From the Azure Marketplace, select Networking > Virtual network, or search for Virtual Network in the search box.
Select Create.
In Create virtual network, enter or select this information:
- Subscription: Select your subscription.
- Resource group: Select Create new, enter myResourceGroup, then select OK.
- Name: Enter myVirtualNetwork.
- Location: Select (US) East US.
Select the IP Addresses tab, or select the Next: IP Addresses button at the bottom of the page.
In IPv4 address space, select the existing address space and change it to 10.0.0.0/16.
Select + Add subnet, then enter Public for Subnet name and 10.0.0.0/24 for Subnet address range.
Select Add.
Select + Add subnet, then enter Private for Subnet name and 10.0.1.0/24 for Subnet address range.
Select Add.
Select + Add subnet, then enter DMZ for Subnet name and 10.0.2.0/24 for Subnet address range.
Select Add.
Select the Security tab, or select the Next: Security button at the bottom of the page.
Under BastionHost, select Enable. Enter this information:
- Bastion name: Enter myBastionHost.
- AzureBastionSubnet address space: Enter 10.0.3.0/24.
- Public IP Address: Select Create new. For Name, enter myBastionIP, then select OK.
Select the Review + create tab, or select the Review + create button.
Select Create.
Create an NVA
Network virtual appliances (NVAs) are virtual machines that perform network functions such as routing, firewalling, or WAN optimization. This tutorial uses Windows Server 2019 Datacenter as a minimal NVA that only forwards packets; you can choose a different operating system if you prefer.
On the upper-left side of the portal, select Create a resource > Compute > Virtual machine.
In Create a virtual machine, type or select the values in the Basics tab:
Project details
- Subscription: Select your Azure subscription.
- Resource group: Select myResourceGroup.
Instance details
- Virtual machine name: Enter myVMNVA.
- Region: Select (US) East US.
- Availability options: Select No infrastructure redundancy required.
- Image: Select Windows Server 2019 Datacenter.
- Azure Spot instance: Select No.
- Size: Choose a VM size or keep the default.
Administrator account
- Username: Enter a username.
- Password: Enter a password.
- Confirm password: Reenter the password.
Inbound port rules
- Public inbound ports: Select None.
Select the Networking tab, or select Next: Disks, then Next: Networking.
In the Networking tab, select or enter:
Network interface
- Virtual network: Select myVirtualNetwork.
- Subnet: Select DMZ.
- Public IP: Select None.
- NIC network security group: Select Basic.
- Public inbound ports: Select None.
Select the Review + create tab, or select the blue Review + create button at the bottom of the page.
Review the settings, and then select Create.
Create a route table
On the Azure portal menu or from the Home page, select Create a resource.
In the search box, enter Route table. When Route table appears in the search results, select it.
In the Route table page, select Create.
In Create route table in the Basics tab, enter or select the following information:
Project details
- Subscription: Select your subscription.
- Resource group: Select myResourceGroup.
Instance details
- Region: Select East US.
- Name: Enter myRouteTablePublic.
- Propagate gateway routes: Select Yes.
Select the Review + create tab, or select the blue Review + create button at the bottom of the page. Review the settings, and then select Create.
Create a route
Go to the Azure portal to manage your route table. Search for and select Route tables.
Select the name of your route table myRouteTablePublic.
In the myRouteTablePublic page, in the Settings section, select Routes.
In the routes page, select the + Add button.
In Add route, enter or select this information:
- Route name: Enter ToPrivateSubnet.
- Address prefix: Enter 10.0.1.0/24 (the address range of the Private subnet created earlier).
- Next hop type: Select Virtual appliance.
- Next hop address: Enter 10.0.2.4 (the private IP address of myVMNVA in the DMZ subnet). Azure reserves the first four addresses of every subnet, so the first VM deployed into 10.0.2.0/24 receives 10.0.2.4; confirm the address on the myVMNVA overview page before you save the route, because a route pointing at the wrong next hop silently blackholes the traffic.
Select OK.
Associate a route table to a subnet
Go to the Azure portal to manage your virtual network. Search for and select Virtual networks.
Select the name of your virtual network myVirtualNetwork.
In the myVirtualNetwork page, in the Settings section, select Subnets.
In the virtual network's subnet list, select Public.
In Route table, choose the route table you created myRouteTablePublic.
Select Save to associate your route table to the Public subnet.
Turn on IP forwarding
Next, turn on IP forwarding on the network interface of your NVA virtual machine, myVMNVA. By default, Azure's network stack only delivers a packet to a network interface if the packet's destination IP address is one of that interface's own addresses; packets addressed to other hosts are dropped before they reach the VM. With IP forwarding enabled on the interface, Azure delivers those packets to myVMNVA so that its operating system can forward them on to their destination.
Go to the Azure portal to manage your VM. Search for and select Virtual machines.
Select the name of your virtual machine myVMNVA.
In the myVMNVA overview page, in Settings, select Networking.
In the Networking page of myVMNVA, select the network interface next to Network Interface. The name of the interface will begin with myvmnva.
In the network interface overview page, in Settings, select IP configurations.
In the IP configurations page, set IP forwarding to Enabled, then select Save.
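The same control-plane steps as the portal procedure above (create the route table, add the route, associate the table with the Public subnet, and enable IP forwarding on the NVA's network interface), as an added Azure PowerShell example that is not part of the original tutorial. It assumes the Az module is installed, that you've signed in with Connect-AzAccount, and that the resources carry the names used in this tutorial; rather than assuming 10.0.2.4, it reads the NVA's private IP from its NIC and uses that as the next hop.

```powershell
# Added example (not from the original tutorial): Azure PowerShell equivalent
# of the route table, route, subnet association and NIC IP forwarding steps.
# Assumes: Az module installed, Connect-AzAccount already run, tutorial names.
$rg  = 'myResourceGroup'
$loc = 'eastus'

# Resolve the NVA's actual private IP from its first NIC instead of hard-coding it.
$nvaVm  = Get-AzVM -ResourceGroupName $rg -Name 'myVMNVA'
$nvaNic = Get-AzNetworkInterface -ResourceId $nvaVm.NetworkProfile.NetworkInterfaces[0].Id
$nvaIp  = $nvaNic.IpConfigurations[0].PrivateIpAddress

# Route table with gateway route propagation left on (portal: Propagate gateway routes = Yes).
$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'myRouteTablePublic' -Location $loc

# User-defined route: Private subnet prefix, next hop = the NVA.
$rt | Add-AzRouteConfig -Name 'ToPrivateSubnet' -AddressPrefix '10.0.1.0/24' `
        -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp |
    Set-AzRouteTable | Out-Null

# Associate the route table with the Public subnet only; Private and DMZ keep system routes.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'myVirtualNetwork'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Public' `
        -AddressPrefix '10.0.0.0/24' -RouteTable $rt |
    Set-AzVirtualNetwork | Out-Null

# Without this, Azure drops packets that arrive at the NIC addressed to other hosts.
$nvaNic.EnableIPForwarding = $true
$nvaNic | Set-AzNetworkInterface | Out-Null

# Read back what was applied.
(Get-AzRouteTable -ResourceGroupName $rg -Name 'myRouteTablePublic').Routes |
    Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress
"NVA NIC IP forwarding: " + (Get-AzNetworkInterface -ResourceId $nvaNic.Id).EnableIPForwarding
```

The read-back at the end is the point to keep: the route table, the subnet association and the NIC flag are three separate resources, and forgetting any one of them produces the same symptom (traffic never arrives at the NVA), so check all three before looking inside the VM.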
Create public and private virtual machines
Create a public VM and a private VM in the virtual network. Later, you'll use them to see that Azure routes the Public subnet traffic to the Private subnet through the NVA.
Public VM
On the upper-left side of the portal, select Create a resource > Compute > Virtual machine.
In Create a virtual machine, type or select the values in the Basics tab:
Project details
- Subscription: Select your Azure subscription.
- Resource group: Select myResourceGroup.
Instance details
- Virtual machine name: Enter myVMPublic.
- Region: Select (US) East US.
- Availability options: Select No infrastructure redundancy required.
- Image: Select Windows Server 2019 Datacenter.
- Azure Spot instance: Select No.
- Size: Choose a VM size or keep the default.
Administrator account
- Username: Enter a username.
- Password: Enter a password.
- Confirm password: Reenter the password.
Inbound port rules
- Public inbound ports: Select None.
Select the Networking tab, or select Next: Disks, then Next: Networking.
In the Networking tab, select or enter:
Network interface
- Virtual network: Select myVirtualNetwork.
- Subnet: Select Public.
- Public IP: Select None.
- NIC network security group: Select Basic.
- Public inbound ports: Select None.
Select the Review + create tab, or select the blue Review + create button at the bottom of the page.
Review the settings, and then select Create.
Private VM
On the upper-left side of the portal, select Create a resource > Compute > Virtual machine.
In Create a virtual machine, type or select the values in the Basics tab:
Project details
- Subscription: Select your Azure subscription.
- Resource group: Select myResourceGroup.
Instance details
- Virtual machine name: Enter myVMPrivate.
- Region: Select (US) East US.
- Availability options: Select No infrastructure redundancy required.
- Image: Select Windows Server 2019 Datacenter.
- Azure Spot instance: Select No.
- Size: Choose a VM size or keep the default.
Administrator account
- Username: Enter a username.
- Password: Enter a password.
- Confirm password: Reenter the password.
Inbound port rules
- Public inbound ports: Select None.
Select the Networking tab, or select Next: Disks, then Next: Networking.
In the Networking tab, select or enter:
Network interface
- Virtual network: Select myVirtualNetwork.
- Subnet: Select Private.
- Public IP: Select None.
- NIC network security group: Select Basic.
- Public inbound ports: Select None.
Select the Review + create tab, or select the blue Review + create button at the bottom of the page.
Review the settings, and then select Create.
Route traffic through an NVA
Sign in to the private VM
Go to the Azure portal to manage your private VM. Search for and select Virtual machines.
Select the name of your private virtual machine, myVMPrivate.
In the VM menu bar, select Connect, then select Bastion.
In the Connect page, select the blue Use Bastion button.
In the Bastion page, enter the username and password you created for the virtual machine previously.
Select Connect.
Configure firewall
In a later step, you'll use the tracert tool to test routing. Tracert sends Internet Control Message Protocol (ICMP) echo requests, which Windows Defender Firewall blocks inbound by default, so the destination VM would never answer.
Enable ICMP through the Windows firewall.
In the bastion connection of myVMPrivate, open PowerShell with administrative privileges.
Enter this command:
New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Direction Inbound -Protocol ICMPv4 -Action Allow
You'll be using trace route to test routing in this tutorial. For production environments, we don't recommend allowing ICMP through the Windows Firewall.
Turn on IP forwarding within myVMNVA
You turned on IP forwarding for the VM's network interface using Azure. The virtual machine's operating system also has to forward network traffic.
Turn on IP forwarding for myVMNVA with these commands.
From PowerShell on the myVMPrivate VM, open a remote desktop to the myVMNVA VM:
mstsc /v:myvmnva
From PowerShell on the myVMNVA VM, enter this command to turn on IP forwarding:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter -Value 1
Restart myVMNVA.
Restart-Computer
After myVMNVA restarts, create a remote desktop session to myVMPublic.
While still connected to myVMPrivate, open PowerShell and run this command:
mstsc /v:myvmpublic
In the remote desktop of myVMPublic, open PowerShell.
Enable ICMP through the Windows firewall by entering this command:
New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Direction Inbound -Protocol ICMPv4 -Action Allow
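The two in-guest settings from the "Configure firewall" and "Turn on IP forwarding within myVMNVA" steps, gathered into idempotent functions with a read-back check, as an added example that is not part of the original tutorial. It uses the same firewall rule name and the same IpEnableRouter registry value the tutorial uses; the Enable-IcmpV4Inbound and Enable-IpForwarding function names are this example's own. Run each function from an elevated PowerShell session on the VM it is meant for.

```powershell
# Added example (not from the original tutorial). Function names are this
# example's own; the rule name and registry value match the tutorial's steps.

function Enable-IcmpV4Inbound {
    # Run on myVMPrivate and myVMPublic so tracert probes get an ICMP reply.
    # Lab only: do not leave inbound ICMP open on production hosts.
    $name = 'Allow ICMPv4-In'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound `
            -Protocol ICMPv4 -Action Allow | Out-Null
    }
    # Return the rule's state so the caller can see it is enabled, inbound and allowing.
    Get-NetFirewallRule -DisplayName $name |
        Select-Object DisplayName, Enabled, Direction, Action
}

function Enable-IpForwarding {
    # Run on myVMNVA. IpEnableRouter is read at boot, so a restart is still
    # required whenever the value actually changed.
    $path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $before = (Get-ItemProperty -Path $path -Name IpEnableRouter `
                   -ErrorAction SilentlyContinue).IpEnableRouter
    if ($before -ne 1) {
        Set-ItemProperty -Path $path -Name IpEnableRouter -Value 1 -Type DWord
    }
    $after = (Get-ItemProperty -Path $path -Name IpEnableRouter).IpEnableRouter

    # Live per-interface state. After the reboot, Forwarding should read
    # Enabled on the VM's Ethernet interface; before it, the registry value
    # alone tells you nothing about what the stack is doing right now.
    $live = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -notlike 'Loopback*' } |
        Select-Object InterfaceAlias, Forwarding

    [pscustomobject]@{
        IpEnableRouter = $after
        RestartNeeded  = ($before -ne 1)
        LiveForwarding = $live
    }
}

# Usage, on the VM in question:
#   Enable-IcmpV4Inbound
#   $r = Enable-IpForwarding; $r.LiveForwarding; if ($r.RestartNeeded) { Restart-Computer }
```

Keeping both the registry value and the Get-NetIPInterface state in the result separates "configured" from "active": a fresh NVA that reports IpEnableRouter = 1 but Forwarding = Disabled has simply not been restarted yet, which is the most common reason the first tracert from myVMPublic stops at the NVA hop.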
Test the routing of network traffic
First, let's test routing of network traffic from myVMPublic to myVMPrivate.
From PowerShell on myVMPublic, enter this command:
tracert myvmprivate
The response is similar to this example:
Tracing route to myvmprivate.q04q2hv50taerlrtdyjz5nza1f.bx.internal.cloudapp.net [10.0.1.4]
over a maximum of 30 hops:

  1     1 ms     *        2 ms  myvmnva.internal.cloudapp.net [10.0.2.4]
  2     2 ms     1 ms     1 ms  myvmprivate.internal.cloudapp.net [10.0.1.4]

Trace complete.
You can see the first hop is to 10.0.2.4, which is myVMNVA's private IP address.
The second hop is to the private IP address of myVMPrivate: 10.0.1.4.
Earlier, you added the ToPrivateSubnet route to the myRouteTablePublic route table and associated that table with the Public subnet. Azure selects routes by longest prefix match, so your 10.0.1.0/24 user-defined route takes precedence over the system route for the whole 10.0.0.0/16 virtual network, and Azure sent the traffic through the NVA instead of directly to the Private subnet.
Close the remote desktop session to myVMPublic, which leaves you still connected to myVMPrivate.
Open PowerShell on myVMPrivate, enter this command:
tracert myvmpublic
This command tests the routing of network traffic from myVMPrivate to myVMPublic. The response is similar to this example:
Tracing route to myvmpublic.q04q2hv50taerlrtdyjz5nza1f.bx.internal.cloudapp.net [10.0.0.4]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  myvmpublic.internal.cloudapp.net [10.0.0.4]

Trace complete.
You can see that Azure routes traffic directly from myVMPrivate to myVMPublic, with no intermediate hop. The Private subnet has no route table associated with it, so the only matching route is the default system route for the virtual network's address space (10.0.0.0/16, next hop type Virtual network), which delivers traffic between subnets directly. Note that this makes the path asymmetric: requests from Public to Private pass through the NVA, but replies from Private to Public bypass it. That is harmless for a plain forwarder, but an NVA that inspects or filters traffic needs a route table on the Private subnet as well, pointing 10.0.0.0/24 at the NVA, so that it sees both directions.
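The two tracert runs above observe routing from the data plane. The same fact can be read from the control plane, as an added Azure PowerShell example that is not part of the original tutorial: Get-AzEffectiveRouteTable returns the merged system, user-defined and propagated routes that Azure actually applies to a network interface. The example assumes the Az module, an existing Connect-AzAccount session, the tutorial's resource names, and that both VMs are running (effective routes are only available for a running VM).

```powershell
# Added example (not from the original tutorial): show the effective route
# Azure applies for the Private subnet's prefix from each test VM's NIC.
# Assumes: Az module, Connect-AzAccount already run, tutorial names, VMs running.
$rg = 'myResourceGroup'

foreach ($vmName in 'myVMPublic', 'myVMPrivate') {
    $vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
    $nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id

    # Effective routes merge Default (system), User (UDR) and VirtualNetworkGateway
    # (propagated) routes; AddressPrefix and NextHopIpAddress are lists.
    $routes = Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $nic.Name

    Write-Output "== $vmName ($($nic.Name)) =="
    $routes |
        Where-Object { $_.AddressPrefix -contains '10.0.1.0/24' -or
                       $_.AddressPrefix -contains '10.0.0.0/16' } |
        Select-Object Source, State,
            @{ n = 'Prefix';  e = { $_.AddressPrefix -join ',' } },
            NextHopType,
            @{ n = 'NextHop'; e = { $_.NextHopIpAddress -join ',' } }
}
```

For myVMPublic you should see a User route for 10.0.1.0/24 with next hop type VirtualAppliance and the NVA's address alongside the Default VnetLocal route for 10.0.0.0/16; for myVMPrivate only the Default VnetLocal route appears, which is exactly why its tracert reaches myVMPublic in one hop. This check catches a route table that was never associated with the subnet or a route with the wrong prefix; it does not tell you whether the NVA's NIC has IP forwarding enabled or whether the guest is forwarding, so a correct effective route with a failing tracert points at the NVA itself.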
Close the bastion session to myVMPrivate.
Clean up resources
When the resource group is no longer needed, delete myResourceGroup and all the resources it contains:
Go to the Azure portal to manage your resource group. Search for and select Resource groups.
Select the name of your resource group myResourceGroup.
Select Delete resource group.
In the confirmation dialog box, enter myResourceGroup for TYPE THE RESOURCE GROUP NAME, and then select Delete.
Next steps
In this tutorial, you:
- Created a route table and associated it to a subnet.
- Created a simple NVA that routed traffic from a public subnet to a private subnet.
You can deploy different pre-configured NVAs from the Azure Marketplace, which provide many useful network functions.
To learn more about routing, see Routing overview and Manage a route table.
To filter network traffic in a virtual network, see: