3.1.3. User-Defined Routes (UDRs)
💡 First Principle: Azure routes traffic automatically using system routes. UDRs override these defaults to force traffic through specific paths, most commonly to send all traffic through a firewall.
Scenario: In a hub-and-spoke architecture, you want all outbound traffic from spoke VNets to flow through an Azure Firewall in the hub VNet for inspection.
Creating UDRs for Firewall Routing
- Create a route table
- Add a route: Address prefix = 0.0.0.0/0 (all traffic)
- Next hop type = Virtual appliance
- Next hop address = Firewall private IP
- Associate route table with spoke subnets
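The same five steps expressed as infrastructure as code, as an added Bicep example that is not part of the original page. The firewall private IP, VNet name, subnet name and prefix are hypothetical parameters; the BGP-propagation setting and the service-tag route are additions beyond the listed steps and are marked as such in the comments.

```bicep
// Added example: route table that forces spoke traffic through the hub firewall.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'      // hypothetical: Azure Firewall private IP in the hub
param spokeVnetName string = 'spoke1-vnet'        // hypothetical existing spoke VNet
param spokeSubnetName string = 'workload'         // hypothetical spoke subnet
param spokeSubnetPrefix string = '10.1.0.0/24'    // hypothetical subnet prefix

// Step 1: create the route table.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-to-firewall'
  location: location
  properties: {
    // Not in the listed steps: stops routes learned from a hub VPN/ER gateway
    // from appearing in the spoke and bypassing the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        // Steps 2-4: 0.0.0.0/0 -> Virtual appliance -> firewall private IP.
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
      {
        // Exam-trap mitigation (one illustrative tag, chosen as an assumption):
        // a service-tag route is more specific than 0.0.0.0/0, so this traffic
        // goes direct instead of through the firewall. Pick tags per workload.
        name: 'aad-direct'
        properties: {
          addressPrefix: 'AzureActiveDirectory'
          nextHopType: 'Internet'
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: spokeVnetName
}

// Step 5: associate the route table with the spoke subnet.
resource spokeSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: spokeVnet
  name: spokeSubnetName
  properties: {
    addressPrefix: spokeSubnetPrefix
    routeTable: { id: spokeRouteTable.id }
  }
}
```

After deployment, the effective routes on a spoke VM's NIC should show 0.0.0.0/0 with next hop type VirtualAppliance and the firewall IP; if the system Internet route still wins, the table was not associated with the subnet.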
Visual: Hub-and-Spoke with UDRs
💡 Key Insight: The UDR forces ALL outbound traffic (0.0.0.0/0) through the firewall's private IP. Without this route, VMs would use Azure's default internet routing, bypassing inspection entirely.
⚠️ Exam Trap: Creating a 0.0.0.0/0 route without also handling Azure management traffic correctly. Some Azure services require direct communication: use service tags as the address prefix of more specific routes for that traffic, or ensure the firewall allows Azure management traffic.