
How to Create Custom Routes in Azure

Sven Malvik · Dec 24, 2020 · 4 mins read

Custom routes, or user-defined routing (UDR), are part of the AZ-303 certification for becoming an Azure Solutions Architect. In this video I explain why you would want a custom route, and then demonstrate how to create one based on a use case.

Video: AZ-303: Azure Custom Routes (watch in preparation for the AZ-303 exam)

Pre-provisioned setup

I have provisioned a virtual network with the default IP address range 10.0.0.0/16. Within this range I created 4 subnets: subnetA, subnetB, subnetC, and AzureBastionSubnet. The workload subnets use a small IP address range of /29; Azure Bastion needs at least a /27, and we use it to log in to the virtual machines that I created inside the subnets. All VMs are of the same type, Windows Server 2016 Datacenter. On the virtual machine that I named c-vm, I installed Internet Information Services (IIS).

Figure: Pre setup of custom routes

Use Case

Here’s what we can do, but probably shouldn’t be allowed to: send a GET request from a-vm to c-vm and reach the IIS directly on port 80.

Figure: Connection from a-vm to c-vm

Imagine that we have to protect the workload or data running on c-vm. Every packet that goes into this virtual machine can potentially be harmful and damage what’s stored there. If we can’t trust a-vm, it may be better not to let it access c-vm directly.

Figure: a-vm sending harmful packets to c-vm

What we can do instead is send the traffic through another virtual machine, b-vm, that c-vm trusts, and inspect it there. This b-vm can run software that checks all incoming traffic before forwarding it to c-vm.

Figure: Using another VM to inspect packets

The virtual machine a-vm will still send its traffic to c-vm. To let b-vm inspect the traffic, we re-route the traffic coming from subnetA, where a-vm is running, to b-vm, which can do its work before forwarding all packets to c-vm. To keep it simple, we will let b-vm forward all traffic to c-vm without inspecting the packets first.

We will create a route table with a route that applies to the traffic within subnetA, subnetB, and subnetC. Bastion can’t be part of this route; otherwise we couldn’t use it as a jump host anymore.

Figure: Diagram for Azure Route Table

Demo

To demonstrate that we can (for now) access the IIS running on c-vm, I used Azure Bastion to log in to a-vm and sent a request to the private IP address of c-vm. This works as expected, since we haven’t changed anything yet.

Figure: Accessing IIS from a-vm

I will now re-route the traffic through b-vm, starting by creating an Azure route table.

Figure: Create Azure Route table

The only parameters we need to set here are the resource group, region, and a name. Then we click Create.

Figure: Configure Azure Route table

We can now create a route, which needs an Address prefix: the IP address range the route applies to. In our case we set 10.0.1.0/27, which includes all the subnets except the one for Bastion.

Figure: Configuring a route 1

As Next hop type we choose Virtual appliance (the only type that accepts an IP address as next hop), and as Next hop address we set the private IP address of b-vm.

Figure: Configuring a route 2

After we have created a route, we should see it in the route table.

Figure: Route table with one route

Right now we have created a route table and a route. What’s left is to associate the route table with subnetA, where a-vm is running.

Figure: Associate subnet to route

If we tested again now, we would not be able to reach c-vm from a-vm, because we haven’t told b-vm what to do yet. The VM b-vm must forward all traffic to the IP address that the client, in our case a-vm, originally requested. We do this by enabling IP forwarding in the IP configurations of b-vm’s network interface. Note that this Azure setting only allows the platform to deliver packets addressed to other IPs to b-vm; the guest operating system must also be configured to forward them.

Figure: Forward traffic in IP configurations

All is set now, and we can send a request again from a-vm to c-vm. The traffic now goes through b-vm.

Figure: Sending a request via b-vm
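To check which route Azure picks for a packet leaving subnetA once this route is in place, here is an added Python example (not from the post or the video) that models longest-prefix-match selection over subnetA's effective routes (the system routes plus our user-defined route) and confirms that the 10.0.1.0/27 prefix covers subnetA, subnetB and subnetC but not AzureBastionSubnet. The exact subnet addresses, the Bastion subnet range and the private IP of b-vm are assumptions.

```python
import ipaddress

# Constructed addressing for the lab described above. Only 10.0.0.0/16,
# the /29 workload subnets and the 10.0.1.0/27 prefix come from the post;
# the concrete subnet addresses, the Bastion range and b-vm's IP are assumed.
SUBNETS = {
    "subnetA": ipaddress.ip_network("10.0.1.0/29"),
    "subnetB": ipaddress.ip_network("10.0.1.8/29"),
    "subnetC": ipaddress.ip_network("10.0.1.16/29"),
    "AzureBastionSubnet": ipaddress.ip_network("10.0.2.0/27"),  # assumed
}
B_VM_IP = "10.0.1.12"  # assumed private IP of b-vm (inside subnetB)

# Effective routes on subnetA after associating the route table:
# (address prefix, next hop type, next hop address)
ROUTES_SUBNET_A = [
    ("10.0.0.0/16", "VnetLocal", None),           # system route for the VNet
    ("0.0.0.0/0", "Internet", None),              # system default route
    ("10.0.1.0/27", "VirtualAppliance", B_VM_IP),  # our user-defined route
]


def select_route(dst, routes):
    """Return (next_hop_type, next_hop_address) for a destination.

    Models only the longest-prefix-match step Azure applies when choosing
    among effective routes; a more specific prefix beats a wider one.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop_type, hop_addr in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_addr)
    return (best[1], best[2]) if best else (None, None)


def prefix_covers(prefix, subnets):
    """Names of the subnets that lie entirely inside the route's prefix,
    so we can confirm the route catches the workload subnets only."""
    net = ipaddress.ip_network(prefix)
    return sorted(name for name, sub in subnets.items() if sub.subnet_of(net))


if __name__ == "__main__":
    print("to c-vm (10.0.1.20):", select_route("10.0.1.20", ROUTES_SUBNET_A))
    print("to Bastion (10.0.2.5):", select_route("10.0.2.5", ROUTES_SUBNET_A))
    print("covered by 10.0.1.0/27:", prefix_covers("10.0.1.0/27", SUBNETS))
```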
