Control routing and use virtual appliances (classic) using PowerShell

Although the use of system routes facilitates traffic automatically for your deployment, there are cases in which you want to control the routing of packets through a virtual appliance. You can do so by creating user defined routes that specify the next hop for packets flowing to a specific subnet to go to your virtual appliance instead, and enabling IP forwarding for the VM running as the virtual appliance.

Some of the cases where virtual appliances can be used include:

  • Monitoring traffic with an intrusion detection system (IDS)
  • Controlling traffic with a firewall

For more information about UDR and IP forwarding, visit User Defined Routes and IP Forwarding.

Important

Before you work with Azure resources, it's important to understand that Azure currently has two deployment models: Azure Resource Manager and classic. Make sure you understand deployment models and tools before you work with any Azure resource. You can view the documentation for different tools by selecting an option at the top of this article. This article covers the classic deployment model.

Scenario

To better illustrate how to create UDRs, this document uses the following scenario:

IMAGE DESCRIPTION

In this scenario, you create one UDR for the Front-end subnet and another UDR for the Back-end subnet, as follows:

  • UDR-FrontEnd. The front-end UDR is applied to the FrontEnd subnet, and contain one route:
    • RouteToBackend. This route sends all traffic to the back-end subnet to the FW1 virtual machine.
  • UDR-BackEnd. The back-end UDR is applied to the BackEnd subnet, and contain one route:
    • RouteToFrontend. This route sends all traffic to the front-end subnet to the FW1 virtual machine.

The combination of these routes ensures that all traffic destined from one subnet to another is routed to the FW1 virtual machine, which is being used as a virtual appliance. You also need to turn on IP forwarding for the FW1 VM, to ensure it can receive traffic destined to other VMs.

The sample Azure PowerShell commands below expect a simple environment already created based on the scenario above. If you want to run the commands as they are displayed in this document, create the environment shown in create a VNet (classic) using PowerShell.

Prerequisite: Install the Azure PowerShell module

To perform the steps in this article, you need to install and configure the Azure PowerShell module. Be sure to complete all of the instructions. After the installation is finished, sign in to Azure and select your subscription.

Note

You need an Azure account to complete these steps. If you don't have an Azure account, you can sign up for a free trial.

Create the UDR for the front end subnet

To create the route table and route needed for the front end subnet based on the scenario above, follow the steps below.

  1. Run the following command to create a route table for the front-end subnet:

    New-AzureRouteTable -Name UDR-FrontEnd -Location uswest `
    -Label "Route table for front end subnet"
    
  2. Run the following command to create a route in the route table to send all traffic destined to the back-end subnet (192.168.2.0/24) to the FW1 VM (192.168.0.4):

    Get-AzureRouteTable UDR-FrontEnd `
    |Set-AzureRoute -RouteName RouteToBackEnd -AddressPrefix 192.168.2.0/24 `
    -NextHopType VirtualAppliance `
    -NextHopIpAddress 192.168.0.4
    
  3. Run the following command to associate the route table with the FrontEnd subnet:

    Set-AzureSubnetRouteTable -VirtualNetworkName TestVNet `
    -SubnetName FrontEnd `
    -RouteTableName UDR-FrontEnd
    

Create the UDR for the back-end subnet

To create the route table and route needed for the back end subnet based on the scenario, complete the following steps:

  1. Run the following command to create a route table for the back-end subnet:

    New-AzureRouteTable -Name UDR-BackEnd `
    -Location uswest `
    -Label "Route table for back end subnet"
    
  2. Run the following command to create a route in the route table to send all traffic destined to the front-end subnet (192.168.1.0/24) to the FW1 VM (192.168.0.4):

    Get-AzureRouteTable UDR-BackEnd
    | Set-AzureRoute `
    -RouteName RouteToFrontEnd `
    -AddressPrefix 192.168.1.0/24 `
    -NextHopType VirtualAppliance `
    -NextHopIpAddress 192.168.0.4
    
  3. Run the following command to associate the route table with the BackEnd subnet:

    Set-AzureSubnetRouteTable -VirtualNetworkName TestVNet `
    -SubnetName BackEnd `
    -RouteTableName UDR-BackEnd
    

Enable IP forwarding on the FW1 VM

To enable IP forwarding in the FW1 VM, complete the following steps:

  1. Run the following command to check the status of IP forwarding:

    Get-AzureVM -Name FW1 -ServiceName TestRGFW `
    | Get-AzureIPForwarding
    
  2. Run the following command to enable IP forwarding for the FW1 VM:

    Get-AzureVM -Name FW1 -ServiceName TestRGFW `
    | Set-AzureIPForwarding -Enable