Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.3. User-Defined Routes (UDRs)

💡 First Principle: Azure routes traffic automatically using system routes. UDRs override these defaults to force traffic through specific paths—commonly used to route all traffic through a firewall.

Scenario: In a hub-and-spoke architecture, you want all outbound traffic from spoke VNets to flow through an Azure Firewall in the hub VNet for inspection.

Creating UDRs for Firewall Routing

  1. Create a route table
  2. Add a route: Address prefix = 0.0.0.0/0 (all traffic)
  3. Next hop type = Virtual appliance
  4. Next hop address = Firewall private IP
  5. Associate route table with spoke subnets

Visual: Hub-and-Spoke with UDRs

⚠️ Common Pitfall: Creating a route to 0.0.0.0/0 without also routing Azure management traffic correctly. Some Azure services require direct communication—use service tags in routes or ensure the firewall allows Azure management traffic.
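
A check for the route-table steps and the pitfall above, as an added example that is not part of the original guide: it audits route tables for a missing or misdirected 0.0.0.0/0 route, a missing subnet association, and more specific routes that go around the firewall. The sample data, firewall IP, function names and finding codes are constructed, and the input shape is assumed to match what `az network route-table list -o json` prints.

```python
import ipaddress

FIREWALL_IP = "10.0.1.4"  # constructed: private IP of the hub Azure Firewall
# Constructed sample, assumed to match the shape of `az network route-table list -o json`.
ROUTE_TABLES = [
    {"name": "rt-spoke1", "subnets": [{"id": "spoke1-vnet/app"}], "routes": [
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": "10.0.1.4"},
        {"addressPrefix": "AzureMonitor", "nextHopType": "Internet"}]},
    {"name": "rt-spoke2", "subnets": [{"id": "spoke2-vnet/web"}], "routes": [
        {"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": "10.0.1.5"}]},
    {"name": "rt-spoke3", "subnets": None, "routes": []},
]

def is_service_tag(prefix):
    """Treat any prefix that does not parse as a CIDR block as a service tag."""
    try:
        ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return True
    return False

def audit(table, firewall_ip):
    """Return findings for one route table; bypass entries are items to review."""
    findings = []
    routes = table.get("routes") or []
    defaults = [r for r in routes if r["addressPrefix"] == "0.0.0.0/0"]
    if not defaults:
        findings.append("NO_DEFAULT_ROUTE")  # system default route still goes straight out
    for r in defaults:
        if r["nextHopType"] != "VirtualAppliance":
            findings.append("DEFAULT_NOT_VIA_APPLIANCE")
        elif r.get("nextHopIpAddress") != firewall_ip:
            findings.append("WRONG_NEXT_HOP_IP")
    for r in routes:
        # A more specific route wins over 0.0.0.0/0, so an Internet next hop skips the firewall.
        if r["nextHopType"] == "Internet" and r["addressPrefix"] != "0.0.0.0/0":
            kind = "SERVICE_TAG" if is_service_tag(r["addressPrefix"]) else "CIDR"
            findings.append(f"{kind}_BYPASS:{r['addressPrefix']}")
    if not table.get("subnets"):
        findings.append("NOT_ASSOCIATED")  # step 5 (subnet association) is missing
    return findings

def audit_all(tables, firewall_ip=FIREWALL_IP):
    return {t["name"]: audit(t, firewall_ip) for t in tables}

if __name__ == "__main__":
    print(audit_all(ROUTE_TABLES))
```

A `SERVICE_TAG_BYPASS` finding is not necessarily a misconfiguration: it marks a deliberate exception of the kind the pitfall describes, which should be reviewed rather than removed automatically.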