## Routing Basics
Azure automatically creates system routes for each subnet in a VNet. User-Defined Routes (UDR) allow you to override these default system routes to steer traffic through virtual appliances or gateways.
```mermaid
flowchart TD
    A[Packet leaves subnet] --> B{Matching routes available?}
    B -->|Yes| C[Apply longest prefix match]
    B -->|No| G[Use default system route]
    C --> D{Same prefix length?}
    D -->|No| E[Select most specific route]
    D -->|Yes| F[Apply priority:<br/>UDR > BGP > system<br/>except preferred VNet/peering/service endpoint routes]
    E --> H[Forward to next hop]
    F --> H
    G --> H
```
| Next Hop Type | Description | Common Use Case |
|---|---|---|
| Virtual Network | Traffic stays within the VNet. | Standard VNet communication. |
| Internet | Traffic uses the Internet next hop when no more specific route matches. | Use an explicit outbound method (NAT Gateway, Standard LB outbound rules, public IP, or NVA/firewall); avoid default outbound access. |
| Virtual Appliance | Traffic is sent to a network virtual appliance (NVA), such as a firewall VM. | Centralized inspection. |
| VNet Gateway | Traffic is sent to the VPN or ExpressRoute gateway. | Hybrid connectivity. |
| None | Traffic is dropped. | Black-holing unwanted traffic. |
Note
Azure selects a route by longest prefix match across all applicable routes. If several routes share the same prefix, Azure prefers UDR over BGP over system routes, except that the system routes for the virtual network itself, VNet peerings, and service endpoints are preferred routes and win the tie.
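The selection rules in the diagram and the note above, worked through on a constructed route set. This is an added model written for this page, not Azure's own implementation: it applies longest prefix match, then the UDR > BGP > system tie-break with the preferred system routes (virtual network, peering, service endpoint) winning ties, and reports which next hop each sample destination would take. The route entries, addresses and the NVA IP 10.0.1.4 are all made up for the example.

```python
"""Model of how Azure picks the effective route for a destination.

Added example, not Azure code: it reproduces the selection rules described
on this page (longest prefix match, then UDR > BGP > system, with the
VNet / peering / service-endpoint system routes preferred on a tie) and
runs them over a constructed route table.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Route source priority used when prefixes are equally specific (higher wins).
SOURCE_PRIORITY = {"UDR": 3, "BGP": 2, "System": 1}

# System routes the page lists as preferred regardless of source priority.
PREFERRED_SYSTEM_HOPS = {"VirtualNetwork", "VNetPeering", "VirtualNetworkServiceEndpoint"}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop_type: str          # VirtualNetwork, Internet, VirtualAppliance, VirtualNetworkGateway, None, ...
    source: str                 # UDR, BGP or System
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance

    def is_preferred(self) -> bool:
        return self.source == "System" and self.next_hop_type in PREFERRED_SYSTEM_HOPS


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the effective route for one destination, or None if nothing matches."""
    dst = IPv4Address(destination)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None  # no route at all; in Azure the 0.0.0.0/0 system route always matches
    # Step 1: longest prefix match.
    longest = max(r.prefix.prefixlen for r in candidates)
    best = [r for r in candidates if r.prefix.prefixlen == longest]
    if len(best) == 1:
        return best[0]
    # Step 2: same prefix length; preferred system routes win the tie outright.
    preferred = [r for r in best if r.is_preferred()]
    if preferred:
        return preferred[0]
    # Step 3: otherwise UDR > BGP > system.
    return max(best, key=lambda r: SOURCE_PRIORITY[r.source])


def build_sample_routes() -> List[Route]:
    """Constructed route set: Azure system routes, two UDRs and two BGP-learned routes."""
    n = IPv4Network
    return [
        Route(n("10.0.0.0/16"), "VirtualNetwork", "System"),          # own VNet address space
        Route(n("10.1.0.0/16"), "VNetPeering", "System"),             # peered VNet
        Route(n("0.0.0.0/0"), "Internet", "System"),                  # default system route
        Route(n("0.0.0.0/0"), "VirtualAppliance", "UDR", "10.0.1.4"), # force-tunnel egress via NVA
        Route(n("10.99.0.0/16"), "None", "UDR"),                      # black-hole an unwanted range
        Route(n("10.0.0.0/16"), "VirtualNetworkGateway", "BGP"),      # BGP route that collides with the VNet route
        Route(n("192.168.0.0/16"), "VirtualNetworkGateway", "BGP"),   # on-premises range via gateway
    ]


def effective_routes_demo() -> Dict[str, Tuple[str, str]]:
    """Map sample destinations to (next_hop_type, source) of the selected route."""
    routes = build_sample_routes()
    destinations = ["10.0.5.10", "10.1.2.2", "8.8.8.8", "10.99.3.3", "192.168.7.7"]
    result = {}
    for d in destinations:
        r = select_route(routes, d)
        result[d] = (r.next_hop_type, r.source) if r else ("NoMatch", "-")
    return result


if __name__ == "__main__":
    for dst, (hop, src) in effective_routes_demo().items():
        print(f"{dst:>14} -> {hop} ({src})")
```

Running the block shows the three rules in action: 10.99.3.3 hits the /16 None route purely on prefix length; 8.8.8.8 matches two 0.0.0.0/0 routes and the UDR wins, which is why a default UDR to an NVA is the usual way to avoid unintended Internet egress; 10.0.5.10 matches both the system VNet route and a BGP route for the same /16, and the preferred system route wins the tie.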
Note
Use the "Effective Routes" tool in the Azure portal for any network interface to troubleshoot why traffic is taking a specific path.