Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Before I address your questions, you must understand how Azure routing works:
- In simple terms, it uses the longest prefix match algorithm.
When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. For example, a route table has two routes: One route specifies the 10.0.0.0/24 address prefix, while the other route specifies the 10.0.0.0/16 address prefix. Azure directs traffic destined for 10.0.0.5 to the next hop type specified in the route with the 10.0.0.0/24 address prefix. This process occurs because 10.0.0.0/24 is a longer prefix than 10.0.0.0/16, even though 10.0.0.5 falls within both address prefixes. Azure directs traffic destined for 10.0.1.5 to the next hop type specified in the route with the 10.0.0.0/16 address prefix. This process occurs because 10.0.1.5 isn't included in the 10.0.0.0/24 address prefix, making the route with the 10.0.0.0/16 address prefix the longest matching prefix.
- By default, every subnet learns the address ranges of the other subnets. This is possible using the default system routes.
- This means traffic from one subnet goes directly to another subnet within the VNet.
- You have to override the system routes with user-defined custom routes and the longest prefix match algorithm. Here, "and" is the important concept.
- So, you have to manually add the subnet address prefixes in the UDR for this to use the Azure Firewall (next hop defined in the route table).
Now, coming to your queries.
1.You mention 'subnet routes of equal or greater length'. Do you mean a subnet mask of equal or greater length? e.g. Could we put a single route 10.5.0.0/19 (being the address space in our entire network) or do we need to individually add the series of /24 subnets (or /25, /26...) to make UDR over-ride the Azure default routing?
- This should be a series of subnets, like /24 subnets (or /25, /26...).
2.We have no UDR in the Azure Firewall Subnet (e.g. 10.5.15.0/26, which contains 10.5.15.4). Could you confirm that would be correct?
- Correct
3.Also for added security... We have an Az Application Gateway (Internet <-> AG <-> Firewall <-> Subnets and have a route to a required internal subnet via the firewall. In order to ensure no traffic could go directly (e.g. to another subnet, if (mis)configured on the AG, I guess we should also include the list of subnets in the UDR for the AG subnet... otherwise traffic would flow directly from AG to subnet, wouldn't it..)
- I am confused here.
- Is this for "Internet to VM" or "East West Traffic"
- What exactly is the requirement here?
4.Is there any way to query the resultant routes (assembled from BGP, UDR & default Azure routing knowledge)? Output like 'route print' showing destination subnets, metrics, preferences etc... This would help me understand what is actually happening within the environment rather than it being something of a 'black-box' situation.
- Yes.
- This requires the VM to be in a turned-on state.
- See: Diagnose a virtual machine routing
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
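As an added worked example, not part of Kapil's answer and not Microsoft's code, the following Python models the route selection described above: longest prefix match on the destination, and, when two matching routes have the same prefix length, Azure's documented source precedence (user-defined route over BGP route over system route). The route tables, the 10.5.0.0/19 VNet, the firewall address 10.5.15.4 and the `audit_direct_subnets` helper are constructed sample data and an assumed way of checking UDR coverage, not anything taken from the thread.

```python
"""Model of how Azure picks a route for a packet leaving a subnet.

Added illustration, not code from the answer above. Two rules are modelled:
  1. longest prefix match on the destination address;
  2. on a tie in prefix length, Azure's documented source precedence
     (user-defined route beats BGP route beats system route).
All route tables and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence
import ipaddress

# Lower number wins when two matching routes have the same prefix length.
SOURCE_PRECEDENCE = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                 # e.g. "10.5.1.0/24"
    next_hop_type: str          # VnetLocal, Internet, VirtualAppliance, None, ...
    next_hop_ip: Optional[str]  # only meaningful for VirtualAppliance
    source: str                 # "System", "User" (UDR) or "BGP"


def select_route(routes: Sequence[Route], destination: str) -> Optional[Route]:
    """Return the route Azure would use for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes
                if dst in ipaddress.ip_network(r.prefix, strict=False)]
    if not matching:
        return None
    # Key: longest prefix first, then the more authoritative source on a tie.
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                       SOURCE_PRECEDENCE[r.source]),
    )


def next_hop(routes: Sequence[Route], destination: str) -> str:
    """Human-readable next hop: 'type' or 'type via ip'."""
    r = select_route(routes, destination)
    if r is None:
        return "no route"
    if r.next_hop_ip is None:
        return r.next_hop_type
    return f"{r.next_hop_type} via {r.next_hop_ip}"


def audit_direct_subnets(routes: Sequence[Route], vnet_cidr: str,
                         new_prefix: int = 24) -> List[str]:
    """Assumed coverage check: list the subnets of the VNet whose traffic does
    not go to a VirtualAppliance next hop, i.e. still flows directly."""
    direct = []
    for net in ipaddress.ip_network(vnet_cidr).subnets(new_prefix=new_prefix):
        probe = str(net.network_address + 4)  # first usable host in Azure
        chosen = select_route(routes, probe)
        if chosen is None or chosen.next_hop_type != "VirtualAppliance":
            direct.append(str(net))
    return direct


# The two routes from the longest-prefix-match explanation in the answer.
DOC_EXAMPLE = [
    Route("10.0.0.0/24", "VnetLocal", None, "System"),
    Route("10.0.0.0/16", "VnetLocal", None, "System"),
]

# Constructed table for a spoke subnet in a 10.5.0.0/19 VNet with a firewall
# at 10.5.15.4. Only one /24 has been added to the UDR, which is exactly the
# situation the answer warns about: every other subnet is still reached directly.
FIREWALL_IP = "10.5.15.4"
SPOKE_SUBNET_ROUTES = [
    # default system routes
    Route("10.5.0.0/19", "VnetLocal", None, "System"),
    Route("0.0.0.0/0", "Internet", None, "System"),
    # user-defined routes attached to the subnet
    Route("10.5.1.0/24", "VirtualAppliance", FIREWALL_IP, "User"),
    Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP, "User"),
]

if __name__ == "__main__":
    for dst in ("10.0.0.5", "10.0.1.5"):
        print(dst, "->", select_route(DOC_EXAMPLE, dst).prefix)
    for dst in ("10.5.1.7", "10.5.2.7", "8.8.8.8"):
        print(dst, "->", next_hop(SPOKE_SUBNET_ROUTES, dst))
    print("subnets bypassing the firewall:",
          audit_direct_subnets(SPOKE_SUBNET_ROUTES, "10.5.0.0/19"))
```

The 8.8.8.8 case shows the tie-break: both a system route and a UDR cover 0.0.0.0/0, and the UDR wins because source precedence, not prefix length, decides it. For the real effective routes asked about in question 4, Azure exposes the merged table per NIC (for example `az network nic show-effective-route-table`), which is what the linked diagnostic article walks through.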