IP forwarding
User-defined routes (UDR) change the default system routes that Azure creates for you in an Azure VNet. In the virtual appliance scenario, UDRs forward traffic to a virtual appliance such as a firewall, which is running as an Azure virtual machine.
By default, a virtual machine in Azure will not accept a network packet addressed to a different IP address. For that traffic to be allowed to pass into that virtual appliance, you must enable IP forwarding on the network interface of the virtual machine. This configuration doesn’t typically involve any changes to the Azure UDR or VNet, but depending on the scenario, you might need to make some configuration changes in the VM’s operating system to enable this to work correctly.
IP forwarding can be enabled on a network interface by using the Azure portal, PowerShell, or the Azure CLI. In Figure 4-14, Enable IP Forwarding is selected for the network interface of the NGFW1 VM. This VM is now able to accept and send packets that were not originally intended for this VM.
FIGURE 4-14 IP forwarding enabled on network interface
How routes are applied
A given network packet may match multiple route table rules. When designing and implementing custom routes, it’s important to understand the precedence rules that Azure applies.
If multiple routes contain the same address prefix, Azure selects the route type based on the following priorities:
- User-defined routes
- System routes for traffic in a virtual network, across a virtual network peering, or to a virtual network service endpoint
- BGP routes
- Other system routes
Within a single route table, a given network packet may match multiple routing rules. There is no explicit precedence order on the rules in a route table. Instead, precedence is given to the rule with the most specific match to the destination IP address. If an IP address matches two rules, the longest prefix match algorithm is used to select the route.
For example, if a route table contains one rule for prefix 10.10.0.0/16, and another rule for 10.10.30.0/28, then any traffic to IP address 10.10.30.4 will be matched against the second rule in preference to the first.
When troubleshooting networking issues, it can be useful to have deeper insight into exactly which routes are being applied to a given network interface. Using the Effective Routes feature of each network interface, you can see the full details of every network route applied to that network interface, giving you full insight into how each outbound connection will be routed based on the destination IP address.
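The following Python script is an added worked example, not code from the book or from Azure; it models the route selection rules described above (longest prefix match first, then the route-type priority order for routes with the same prefix) over a constructed route table. The route table, the next-hop values and the NVA address 10.10.1.4 are assumptions chosen to mirror the firewall scenario in this section; the `Route` dataclass and the function names are illustrative, not an Azure API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Route-type precedence from this section. Lower number wins when two matching
# routes have the same prefix length.
ROUTE_TYPE_PRIORITY = {
    "user": 0,              # user-defined route (UDR)
    "vnet": 1,              # system route for traffic within the VNet
    "vnet_peering": 1,      # system route across a VNet peering
    "service_endpoint": 1,  # system route to a VNet service endpoint
    "bgp": 2,               # BGP-learned route
    "system": 3,            # other system routes (e.g. default route to Internet)
}


@dataclass(frozen=True)
class Route:
    prefix: str       # address prefix, CIDR notation
    route_type: str   # key of ROUTE_TYPE_PRIORITY
    next_hop: str     # e.g. "VnetLocal", "Internet", "VirtualAppliance 10.10.1.4", "None"


# Constructed route table for a subnet whose outbound traffic should pass through
# the firewall VM (NGFW1) at 10.10.1.4. The two 0.0.0.0/0 entries share a prefix,
# so the type priority decides between them.
ROUTES = [
    Route("10.10.0.0/16", "vnet", "VnetLocal"),                       # system route for the VNet
    Route("0.0.0.0/0", "system", "Internet"),                         # default system route
    Route("0.0.0.0/0", "user", "VirtualAppliance 10.10.1.4"),         # UDR: Internet traffic via firewall
    Route("10.10.30.0/28", "user", "VirtualAppliance 10.10.1.4"),     # UDR: inspect one small subnet
]


def matching_routes(routes, destination):
    """Return every route whose prefix contains the destination address."""
    dst = ip_address(destination)
    return [r for r in routes if dst in ip_network(r.prefix)]


def ranked_routes(routes, destination):
    """Matching routes ordered as Azure would prefer them: longest prefix first,
    then route-type priority for equal prefix lengths."""
    return sorted(
        matching_routes(routes, destination),
        key=lambda r: (-ip_network(r.prefix).prefixlen, ROUTE_TYPE_PRIORITY[r.route_type]),
    )


def select_route(routes, destination):
    """Return the route Azure would apply, or None if nothing matches."""
    ranked = ranked_routes(routes, destination)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    # A quick "effective route" style dump for a few destinations.
    for dst in ("10.10.30.4", "10.10.5.7", "8.8.8.8"):
        chosen = select_route(ROUTES, dst)
        print(f"{dst:>12} -> {chosen.prefix:<16} {chosen.route_type:<8} {chosen.next_hop}")
```

Running the script shows the two rules from the text at work: 10.10.30.4 is sent to the firewall because the /28 UDR is more specific than the /16 system route, while an Internet address such as 8.8.8.8 also goes to the firewall because, between the two 0.0.0.0/0 entries, the user-defined route outranks the system default. The `ranked_routes` output is the same information the Effective Routes view presents for a network interface, which makes it a handy way to sanity-check a planned route table before deploying it.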