Tutorial: Route network traffic with a route table using the Azure portal
Azure routes traffic between all subnets within a virtual network, by default. You can create your own routes to override Azure's default routing. Custom routes are helpful when, for example, you want to route traffic between subnets through a network virtual appliance (NVA).
In this tutorial, you learn how to:
- Create a virtual network and subnets
- Create an NVA that routes traffic
- Create a route table
- Create a route
- Associate a route table to a subnet
- Deploy virtual machines (VMs) into different subnets
- Route traffic from one subnet to another through an NVA
This tutorial uses the Azure portal. You can also complete it using the Azure CLI or PowerShell.
If you don't have an Azure subscription, create a free account before you begin.
Overview
This diagram shows the resources created in this tutorial along with the expected network routes.
Prerequisites
- An Azure subscription
Sign in to Azure
Sign in to the Azure portal.
Create a virtual network
In this section, you'll create a virtual network, three subnets, and a bastion host. You'll use the bastion host to securely connect to the virtual machines.
From the Azure portal menu, select + Create a resource > Networking > Virtual network, or search for Virtual Network in the portal search box.
Select Create.
On the Basics tab of Create virtual network, enter or select this information:
Setting Value Subscription Select your subscription. Resource group Select Create new, enter myResourceGroup. Select OK. Name Enter myVirtualNetwork. Region Select East US. Select the IP Addresses tab, or select the Next: IP Addresses button at the bottom of the page.
In IPv4 address space, select the existing address space and change it to 10.0.0.0/16.
Select + Add subnet, then enter Public for Subnet name and 10.0.0.0/24 for Subnet address range.
Select Add.
Select + Add subnet, then enter Private for Subnet name and 10.0.1.0/24 for Subnet address range.
Select Add.
Select + Add subnet, then enter DMZ for Subnet name and 10.0.2.0/24 for Subnet address range.
Select Add.
Select the Security tab, or select the Next: Security button at the bottom of the page.
Under BastionHost, select Enable. Enter this information:
Setting Value Bastion name Enter myBastionHost. AzureBastionSubnet address space Enter 10.0.3.0/24. Public IP Address Select Create new. Enter myBastionIP for Name. Select OK. Select the Review + create tab or select the Review + create button.
Select Create.
Create an NVA virtual machine
Network virtual appliances (NVAs) are virtual machines that help with network functions, such as routing and firewall optimization. In this section, you'll create an NVA using a Windows Server 2019 Datacenter virtual machine. You can select a different operating system if you want.
From the Azure portal menu, select + Create a resource > Compute > Virtual machine, or search for Virtual machine in the portal search box.
Select Create.
On the Basics tab of Create a virtual machine, enter or select this information:
Setting Value Project Details Subscription Select your subscription. Resource Group Select myResourceGroup. Instance details Virtual machine name Enter myVMNVA. Region Select (US) East US. Availability Options Select No infrastructure redundancy required. Security type Select Standard. Image Select Windows Server 2019 Datacenter - Gen2. Azure Spot instance Select No. Size Choose VM size or take default setting. Administrator account Username Enter a username. Password Enter a password. The password must be at least 12 characters long and meet the defined complexity requirements. Confirm password Reenter password. Inbound port rules Public inbound ports Select None. Select the Networking tab, or select Next: Disks, then Next: Networking.
In the Networking tab, select or enter:
Setting Value Network interface Virtual network Select myVirtualNetwork. Subnet Select DMZ Public IP Select None NIC network security group Select Basic Public inbound ports network Select None. Select the Review + create tab, or select Review + create button at the bottom of the page.
Review the settings, and then select Create.
Create a route table
In this section, you'll create a route table.
From the Azure portal menu, select + Create a resource > Networking > Route table, or search for Route table in the portal search box.
Select Create.
On the Basics tab of Create route table, enter or select this information:
Setting Value Project details Subscription Select your subscription. Resource group Select myResourceGroup. Instance details Region Select East US. Name Enter myRouteTablePublic. Propagate gateway routes Select Yes. 
Select the Review + create tab, or select the blue Review + create button at the bottom of the page.
Create a route
In this section, you'll create a route in the route table that you created in the previous steps.
Select Go to resource or Search for myRouteTablePublic in the portal search box.
In the myRouteTablePublic page, select Routes from the Settings section.
In the Routes page, select the + Add button.
In Add route, enter or select this information:
Setting Value Route name Enter ToPrivateSubnet. Address prefix destination Select IP Addresses. Destination IP addresses/CIDR ranges Enter 10.0.1.0/24 (The address range of the Private subnet created earlier). Next hop type Select Virtual appliance. Next hop address Enter 10.0.2.4 (The address of myVMNVA VM created earlier in the DMZ subnet). 
Select Add.
Associate a route table to a subnet
In this section, you'll associate the route table that you created in the previous steps to a subnet.
Search for myVirtualNetwork in the portal search box.
In the myVirtualNetwork page, select Subnets from the Settings section.
In the virtual network's subnet list, select Public.
In Route table, select myRouteTablePublic that you created in the previous steps.
Select Save to associate your route table to the Public subnet.
Create public and private virtual machines
You'll create two virtual machines in myVirtualNetwork virtual network, then you'll allow Internet Control Message Protocol (ICMP) on them so you can use tracert tool to trace traffic.
Note
For production environments, we don't recommend allowing ICMP through the Windows Firewall.
Create public virtual machine
From the Azure portal menu, select Create a resource > Compute > Virtual machine.
In Create a virtual machine, enter or select this information in the Basics tab:
Setting Value Project Details Subscription Select your subscription. Resource Group Select myResourceGroup. Instance details Virtual machine name Enter myVMPublic. Region Select (US) East US. Availability Options Select No infrastructure redundancy required. Security type Select Standard. Image Select Windows Server 2019 Datacenter - Gen2. Azure Spot instance Select No. Size Choose VM size or take default setting. Administrator account Username Enter a username. Password Enter a password. The password must be at least 12 characters long and meet the defined complexity requirements. Confirm password Reenter password. Inbound port rules Public inbound ports Select None. Select the Networking tab, or select Next: Disks, then Next: Networking.
In the Networking tab, select or enter:
Setting Value Network interface Virtual network Select myVirtualNetwork. Subnet Select Public. Public IP Select None. NIC network security group Select Basic. Public inbound ports network Select None. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.
Review the settings, and then select Create.
Create private virtual machine
From the Azure portal menu, select Create a resource > Compute > Virtual machine.
In Create a virtual machine, enter or select this information in the Basics tab:
Setting Value Project Details Subscription Select your subscription. Resource Group Select myResourceGroup. Instance details Virtual machine name Enter myVMPrivate. Region Select (US) East US. Availability Options Select No infrastructure redundancy required. Security type Select Standard. Image Select Windows Server 2019 Datacenter - Gen2. Azure Spot instance Select No. Size Choose VM size or take default setting. Administrator account Username Enter a username. Password Enter a password. The password must be at least 12 characters long and meet the defined complexity requirements. Confirm password Reenter password. Inbound port rules Public inbound ports Select None. Select the Networking tab, or select Next: Disks, then Next: Networking.
In the Networking tab, select or enter:
Setting Value Network interface Virtual network Select myVirtualNetwork. Subnet Select Private. Public IP Select None. NIC network security group Select Basic. Public inbound ports network Select None. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.
Review the settings, and then select Create.
Allow ICMP in Windows firewall
Select Go to resource or Search for myVMPrivate in the portal search box.
In the Overview page of myVMPrivate, select Connect then Bastion.
Enter the username and password you created for myVMPrivate virtual machine previously.
Select Connect button.
Open Windows PowerShell after you connect.
Enter this command:
New-NetFirewallRule –DisplayName "Allow ICMPv4-In" –Protocol ICMPv4From PowerShell, open a remote desktop connection to the myVMPublic virtual machine:
mstsc /v:myvmpublicAfter you connect to myVMPublic VM, open Windows PowerShell and enter the same command from step 6.
Close the remote desktop connection to myVMPublic VM.
Turn on IP forwarding
To route traffic through the NVA, turn on IP forwarding in Azure and in the operating system of myVMNVA virtual machine. Once IP forwarding is enabled, any traffic received by myVMNVA VM that's destined for a different IP address, won't be dropped and will be forwarded to the correct destination.
Turn on IP forwarding in Azure
In this section, you'll turn on IP forwarding for the network interface of myVMNVA virtual machine in Azure.
Search for myVMNVA in the portal search box.
In the myVMNVA overview page, select Networking from the Settings section.
In the Networking page of myVMNVA, select the network interface next to Network Interface:. The name of the interface will begin with myvmnva.
In the network interface overview page, select IP configurations from the Settings section.
In the IP configurations page, set IP forwarding to Enabled, then select Save.
Turn on IP forwarding in the operating system
In this section, you'll turn on IP forwarding for the operating system of myVMNVA virtual machine to forward network traffic. You'll use the same bastion connection to myVMPrivate VM, that you started in the previous steps, to open a remote desktop connection to myVMNVA VM.
From PowerShell on myVMPrivate VM, open a remote desktop connection to the myVMNVA VM:
mstsc /v:myvmnvaAfter you connect to myVMNVA VM, open Windows PowerShell and enter this command to turn on IP forwarding:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter -Value 1Restart myVMNVA VM.
Restart-Computer
Test the routing of network traffic
You'll test routing of network traffic using tracert tool from myVMPublic VM to myVMPrivate VM, and then you'll test the routing in the opposite direction.
Test network traffic from myVMPublic VM to myVMPrivate VM
From PowerShell on myVMPrivate VM, open a remote desktop connection to the myVMPublic VM:
mstsc /v:myvmpublicAfter you connect to myVMPublic VM, open Windows PowerShell and enter this tracert command to trace the routing of network traffic from myVMPublic VM to myVMPrivate VM:
tracert myvmprivateThe response is similar to this example:
Tracing route to myvmprivate.q04q2hv50taerlrtdyjz5nza1f.bx.internal.cloudapp.net [10.0.1.4] over a maximum of 30 hops: 1 1 ms * 2 ms myvmnva.internal.cloudapp.net [10.0.2.4] 2 2 ms 1 ms 1 ms myvmprivate.internal.cloudapp.net [10.0.1.4] Trace complete.You can see that there are two hops in the above response for tracert ICMP traffic from myVMPublic VM to myVMPrivate VM. The first hop is myVMNVA VM, and the second hop is the destination myVMPrivate VM.
Azure sent the traffic from Public subnet through the NVA and not directly to Private subnet because you previously added ToPrivateSubnet route to myRouteTablePublic route table and associated it to Public subnet.
Close the remote desktop connection to myVMPublic VM.
Test network traffic from myVMPrivate VM to myVMPublic VM
From PowerShell on myVMPrivate VM, and enter this tracert command to trace the routing of network traffic from myVmPrivate VM to myVmPublic VM.
tracert myvmpublicThe response is similar to this example:
Tracing route to myvmpublic.q04q2hv50taerlrtdyjz5nza1f.bx.internal.cloudapp.net [10.0.0.4] over a maximum of 30 hops: 1 1 ms 1 ms 1 ms myvmpublic.internal.cloudapp.net [10.0.0.4] Trace complete.You can see that there's one hop in the above response, which is the destination myVMPublic virtual machine.
Azure sent the traffic directly from Private subnet to Public subnet. By default, Azure routes traffic directly between subnets.
Close the bastion session.
Clean up resources
When the resource group is no longer needed, delete myResourceGroup and all the resources it contains:
Enter myResourceGroup in the Search box at the top of the Azure portal. When you see myResourceGroup in the search results, select it.
Select Delete resource group.
Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.
Next steps
In this tutorial, you:
- Created a route table and associated it to a subnet.
- Created a simple NVA that routed traffic from a public subnet to a private subnet.
You can deploy different pre-configured NVAs from the Azure Marketplace, which provide many useful network functions.
To learn more about routing, see Routing overview and Manage a route table.
To learn how to restrict network access to PaaS resources with virtual network service endpoints, advance to the next tutorial.
Feedback
Submit and view feedback for