Share via

How is traffic routed between subnets in same Azure VNet?

Justin Gawn 0 Reputation points
2024-01-03T10:39:53.3666667+00:00

Hello,

I have a Virtual Network with single address space of 10.0.0.0/16. Within this, there are two subnets:

  • SN-A: 10.0.1.0/24
  • SN-B: 10.0.2.0/24

Each subnet hosts a single virtual machine, addressed respectively:

  • VM-A: 10.0.1.4
  • VM-B: 10.0.2.4

Ipconfig from each of the VMs confirms their Default Gateway to be x.x.x.1 of their respective subnet.

Route print from each of the VMs shows no specific routes from SN-A to SN-B or vice versa - the only obvious route between them is the Default Gateway.

However when I tracert from VM-A to VM-B, there is no gateway hop:

Tracing route to 10.0.2.4 over a maximum of 30 hops

1 1 ms <1 ms 1 ms 10.0.2.4

Trace complete.

My questions are twofold:

  1. Why is there no initial hop of 10.0.1.1?
  2. If this is simply how VNets work, how is this functionality of exchanging packets between subnets with no obviously visible routing actually achieved?

Thanks in advance

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,777 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2024-01-03T13:08:51.1933333+00:00

    Hello @Justin Gawn ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how traffic is routed between subnets in same Azure VNet.

    Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table. Each route contains an address prefix and next hop type. When traffic leaving a subnet is sent to an IP address within the address prefix of a route, the route that contains the prefix is the route Azure uses.

    When traffic is routed within the Virtual Network, it uses the below default route:

    Virtual network: Routes traffic between address ranges within the address space of a virtual network. Azure creates a route with an address prefix that corresponds to each address range defined within the address space of a virtual network. If the virtual network address space has multiple address ranges defined, Azure creates an individual route for each address range. Azure automatically routes traffic between subnets using the routes created for each address range. You don't need to define gateways for Azure to route traffic between subnets. Though a virtual network contains subnets, and each subnet has a defined address range, Azure doesn't create default routes for subnet address ranges. Each subnet address range is within an address range of the address space of a virtual network.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

    The combination of routes you create, Azure's default routes, and any routes propagated from your on-premises network through an Azure VPN gateway (if your virtual network is connected to your on-premises network) via the border gateway protocol (BGP), are the effective routes for all network interfaces in a subnet. And you can view the effective routes for a network interface using the Azure portal, PowerShell, or the Azure CLI.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/diagnose-network-routing-problem

    https://learn.microsoft.com/en-us/azure/network-watcher/diagnose-vm-network-routing-problem#view-details-of-a-route

    Now, answering your questions below:

    Why is there no initial hop of 10.0.1.1?

    A default gateway makes it possible for devices in one network to communicate with devices in another network. When the source wants to reach a destination which is outside its network then, the source uses the default gateway to forward the data and locate the destination’s network so that data should reach its intended destination.

    Refer: https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/tcpip-addressing-and-subnetting#default-gateways

    In your case, VM-A and VM-B are both in the same network i.e. part of the same Virtual Network address space 10.0.0.0/16. So, you will not see a initial hop of default gateway address 10.0.1.1. You can see it when trying to access any other network or any Internet IP address.

    If this is simply how VNets work, how is this functionality of exchanging packets between subnets with no obviously visible routing actually achieved?

    This is how all networks work. When you do a route print on any machine or VM, you can see 2 types of next hops or gateway:

    • default gateway IP: this is used when the traffic is routed out of the local network and is destined for another network.
    • On-link: this is used when the traffic is routed locally within the same network. Used for direct connectivity.

    When you do a route print on an Azure VM, you can see both of the above next hop as below:

    User's image

    From the above screen shot you can see the 2 route types or next hops.

    0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.4 10 --> this route is used when you have to route traffic out of this Vnet and go to another network.

    10.0.0.0 255.255.255.0 On-link 10.0.0.4 266 --> this is the local route or used when subnets within the same Vnet wants to communicate with each other. And this will be a direct communication.

    Refer: https://www.rfc-editor.org/rfc/rfc2461#section-2.1

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

    2 people found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.