How to Create Custom Routes in Azure

Sven Malvik · Dec 24, 2020 · 4 mins read

Custom Routes, or user defined routing, is part of the az-303 certification for becoming an Azure Solution Architect. In this video I tell why you would want a custom route, and then demonstrate how to create one based on a use case.

Video: AZ-303: Azure Custom Routes (watch in preparation for the AZ-303 exam)

Pre-provisioned setup

I have provisioned a virtual network with the default IP address range. Within this range I created four subnets, subnetA, subnetB, subnetC, and AzureBastionSubnet, all with a small IP address range of /29. Azure Bastion needs a range of at least /27, and we use it to log in to the virtual machines that I created inside the subnets. All VMs are of the same type, Windows Server 2016 Datacenter. On the virtual machine that I named c-vm, I installed Internet Information Services (IIS).

Pre setup of custom routes

Use Case

Here’s what we can do, but probably shouldn’t be allowed to: we send a GET request from a-vm to c-vm and reach the IIS directly on port 80.

Connection from a-vm to c-vm

Imagine that we have to protect the workload or data running on c-vm. Every packet going into this virtual machine can potentially be harmful and damage what’s stored there. If we can’t trust a-vm, it may be better not to let it access c-vm directly.

a-vm sending harmful packets to c-vm

What we can do instead is to send the traffic through another virtual machine, b-vm, that c-vm trusts, and inspect it there. This b-vm can run software that checks all incoming traffic before forwarding it to c-vm.

Using another VM to inspect packets

The virtual machine a-vm will still address its traffic to c-vm. To let b-vm inspect that traffic, we will re-route the traffic coming from subnetA, where a-vm is running, to b-vm, which can do its work before forwarding all packets to c-vm. To keep it simple, we will let b-vm forward all traffic to c-vm without inspecting the packets first.

We will create a route table with a route that applies to traffic destined for subnetA, subnetB, and subnetC. The Bastion subnet must not be covered by this route; otherwise we couldn’t use Bastion as a jump host anymore.

Diagram for Azure Route Table


To demonstrate that we can (for now) access the IIS running on c-vm, I used Azure Bastion to log in to a-vm and sent a request to the private IP address of c-vm. This works as expected, since we haven’t changed anything yet.

Accessing IIS from a-vm

I will now re-route the traffic through b-vm, starting by creating an Azure route table.

Create Azure Route table

The only parameters we need to set here are the resource group, the region, and a name. Then we click Create.

Configure Azure Route table

We can now create a route, which needs an address prefix: the destination IP address range that the route will apply to. In our case we set a prefix that includes all the subnets except the one for Bastion.

Configuring a route 1

As Next hop address, we set the private IP address of b-vm.

Configuring a route 2

After we have created a route, we should see it in the route table.

Route table with one route

Right now we have created a route table and a route. What’s left is to associate the route table with subnetA, where the VM a-vm is running.

Associate subnet to route

If we tested again now, we wouldn’t be able to access c-vm from a-vm, because we haven’t told b-vm what to do yet. The VM b-vm shall forward all traffic to the IP address that the client, in our case a-vm, originally requested. We do this by enabling IP forwarding in the IP configurations of b-vm’s network interface.

Forward traffic in IP configurations

Everything is set now, and we can send a request again from a-vm to c-vm. The traffic now goes through b-vm.

Sending a request via b-vm
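The same setup (route table, route with b-vm as next hop, association with subnetA, and IP forwarding on b-vm's NIC) expressed as a Bicep template. This is an added example and not code from the post; all resource names, address ranges and the b-vm IP address are assumed placeholders, since the post does not state the VNet range or the VM addresses.

```bicep
// Added example (not from the post). Names, address ranges and the b-vm IP are assumed placeholders.
param location string = resourceGroup().location
param vnetName string = 'vnet-az303'
param subnetAPrefix string = '10.0.0.0/29'    // a-vm lives here
param bvmPrivateIp string = '10.0.0.12'       // static private IP of b-vm, inside subnetB
// Destination prefix the route applies to: 10.0.0.0/27 covers subnetA/B/C (10.0.0.0-10.0.0.31)
// but not an AzureBastionSubnet placed elsewhere (e.g. 10.0.1.0/27), so Bastion keeps working.
param routePrefix string = '10.0.0.0/27'

resource rt 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-subnetA'
  location: location
  properties: {
    routes: [
      {
        name: 'to-c-vm-via-b-vm'
        properties: {
          addressPrefix: routePrefix
          nextHopType: 'VirtualAppliance'   // next hop is a VM, identified by its private IP
          nextHopIpAddress: bvmPrivateIp
        }
      }
    ]
  }
}
// The VNet is pre-provisioned; only subnetA (where a-vm runs) gets the route table.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = { name: vnetName }
resource subnetA 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: vnet
  name: 'subnetA'
  properties: { addressPrefix: subnetAPrefix, routeTable: { id: rt.id } }
}
// b-vm's NIC: enableIPForwarding lets Azure hand this NIC packets addressed to c-vm.
resource bvmNic 'Microsoft.Network/networkInterfaces@2023-04-01' = {
  name: 'nic-b-vm'
  location: location
  properties: {
    enableIPForwarding: true
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          privateIPAllocationMethod: 'Static'
          privateIPAddress: bvmPrivateIp
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'subnetB') }
        }
      }
    ]
  }
}
```

Redeploying subnetA this way overwrites its other properties, so repeat any existing settings such as an attached NSG. The Azure-side flag only delivers the packets to the NIC; the guest OS on b-vm still has to route them on to c-vm.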
