Introduction
In any cloud deployment, network routing is a core component of security and traffic management. By default, Azure automatically handles routing within a virtual network. However, in scenarios where outbound traffic must be filtered and inspected by a firewall, custom routes are required.
This guide walks you through the process of configuring network routing in Azure by creating a route table, associating it with subnets, and directing outbound traffic through an Azure Firewall for inspection and policy enforcement.
Skilling Objectives
By completing this walkthrough, you will learn how to:
- Create and configure a custom route table.
- Associate the route table with frontend and backend subnets.
- Add a route that forces outbound traffic through a firewall’s private IP.
Architecture Overview
The architecture consists of a single application virtual network (app-vnet) with multiple subnets:
- A frontend subnet hosting the application’s frontend workloads.
- A backend subnet hosting the application’s backend workloads.
- An Azure Firewall deployed inside the virtual network to filter and inspect traffic.
- A route table that overrides Azure’s default system routes and sends all outbound traffic through the firewall.
This design ensures that every outbound request from your workloads is inspected by the firewall before leaving the virtual network.
Step 1: Record the Firewall’s Private IP Address
Before you configure the route table, you need the firewall’s private IP address.
In the Azure portal, search for Firewall, select your firewall instance (for example, app-vnet-firewall), and record its private IP address.
This private IP will be used as the next hop in your custom route.
Step 2: Create a Route Table
Now create a custom route table to override Azure’s system routes.
- In the Azure portal, search for Route tables and select + Create.
- Use your existing subscription and resource group (for example, RG1).
- Choose the region (such as East US).
- Name the route table (for example, app-vnet-firewall-rt).
Step 3: Associate the Route Table with Subnets
Next, you need to link the route table to the subnets where traffic should be filtered.
- Open the route table you just created.
- In the Settings blade, select Subnets and then choose + Associate.
- Associate the route table with the frontend subnet of app-vnet.
- Repeat the same process and associate it with the backend subnet.
Both frontend and backend workloads now route their traffic according to this route table.
Step 4: Create a Route in the Route Table
Finally, you’ll create a custom route that directs all outbound traffic to the firewall.
- Open the same route table and select Routes under the Settings blade.
- Choose + Add to create a new route.
- Enter a route name such as outbound-firewall.
- For destination type, select IP addresses.
- Enter 0.0.0.0/0 as the destination address range to capture all outbound traffic.
- For the next hop type, select Virtual appliance.
- Enter the private IP address of the firewall you recorded earlier.
- Select Add to save the route.
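The same four steps as an Az PowerShell script, added here as an example and not part of the original walkthrough. It assumes the Az module is installed, you are signed in with Connect-AzAccount, the firewall, virtual network and subnets already exist, and the subnets are literally named frontend and backend (the other names are the examples used above).

```powershell
# Added example: scripted equivalent of Steps 1-4 (not from the original walkthrough).
# Assumes Az module, an active Connect-AzAccount session, and existing firewall/VNet/subnets.
$rg       = 'RG1'                  # resource group from the walkthrough
$location = 'eastus'               # East US
$vnetName = 'app-vnet'
$fwName   = 'app-vnet-firewall'
$rtName   = 'app-vnet-firewall-rt'
$subnets  = @('frontend', 'backend')   # assumed subnet names

# Step 1: read the firewall's private IP from the resource instead of copying it from the portal.
$fw   = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress

# Step 4 first: build the default route 0.0.0.0/0 -> firewall (next hop type VirtualAppliance).
$route = New-AzRouteConfig -Name 'outbound-firewall' `
             -AddressPrefix '0.0.0.0/0' `
             -NextHopType VirtualAppliance `
             -NextHopIpAddress $fwIp

# Step 2: create the route table with that route already in it.
$rt = New-AzRouteTable -Name $rtName -ResourceGroupName $rg -Location $location -Route $route

# Step 3: associate the table with the workload subnets only.
# Do not associate it with AzureFirewallSubnet: the firewall's own subnet must keep
# Azure's default Internet route, otherwise the firewall's outbound path is broken.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
foreach ($name in $subnets) {
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $name -VirtualNetwork $vnet
    # AddressPrefix is mandatory on Set-; reuse the subnet's current prefix unchanged.
    Set-AzVirtualNetworkSubnetConfig -Name $name -VirtualNetwork $vnet `
        -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the table should show exactly one route pointing at the firewall's private IP.
Get-AzRouteTable -Name $rtName -ResourceGroupName $rg |
    Select-Object -ExpandProperty Routes |
    Format-Table Name, AddressPrefix, NextHopType, NextHopIpAddress
```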
Conclusion
In this walkthrough, you configured network routing in Azure to ensure all outbound traffic passes through a firewall for inspection. You created a route table, associated it with your application’s frontend and backend subnets, and defined a custom route that directs all traffic to the firewall.
With this setup, your workloads are protected by centralized routing rules, ensuring that security policies are consistently enforced across the environment.