AZ-700 Study Guide

Domain 1: Core Networking Infrastructure

  • Virtual Networks: Your Cloud Foundation Free
  • IP Addressing: Public, Private & Prefixes Free
  • Name Resolution: Azure DNS Free
  • Routing: UDRs, Route Server & NAT Gateway Free
  • VNet Peering and Connectivity
  • Network Monitoring and Diagnostics
  • DDoS Protection and Security Posture

Domain 2: Connectivity Services

  • Site-to-Site VPN: Connecting On-Premises
  • Point-to-Site VPN: Remote Access
  • ExpressRoute Fundamentals
  • ExpressRoute: Advanced Features
  • Azure Virtual WAN
  • Choosing Your Hybrid Connection

Domain 3: Application Delivery Services

  • Azure Load Balancer: Layer 4
  • Traffic Manager: DNS-Based Routing
  • Application Gateway: Layer 7
  • Azure Front Door: Global Delivery
  • Choosing the Right Load Balancer

Domain 4: Private Access to Azure Services

  • Private Link and Private Endpoints
  • Private Endpoint DNS
  • Service Endpoints: When and How

Domain 5: Network Security Services

  • NSGs and Application Security Groups
  • Flow Logs, IP Flow Verify & Network Manager Security
  • Azure Firewall: SKUs and Deployment
  • Azure Firewall Manager and Policies
  • Web Application Firewall (WAF)

Domain 1: Core Networking Infrastructure Free ⏱ ~15 min read

Routing: UDRs, Route Server & NAT Gateway

Control traffic flow in Azure with user-defined routes, understand BGP route exchange via Route Server, and configure NAT Gateway for predictable outbound internet access.

Azure automatically routes traffic between subnets, to the internet, and to on-premises. But the real power — and what the exam tests — is overriding those defaults with custom routes. This module covers the full routing stack.

☕ Simple explanation

Routing is the GPS of your network — it decides which path every packet takes. Azure handles most routing automatically. But sometimes you need to override the GPS: send traffic through a firewall, force internet traffic through on-premises, or tell Azure about routes your NVA knows. That’s where user-defined routes (UDRs) come in.

Azure uses a routing table to forward traffic, evaluated in priority order: User-defined routes (UDRs) have highest priority, then BGP routes from on-premises, then system routes (Azure defaults). Within UDRs, longest prefix match wins. Key concepts include next hop types, forced tunneling, effective routes, and Azure Route Server for dynamic BGP exchange.

System Routes — The Defaults

Every VNet comes with system routes that Azure creates automatically:

| Destination | Next Hop | Purpose |
|---|---|---|
| VNet address space | VNet (direct) | Intra-VNet traffic between subnets |
| 0.0.0.0/0 | Internet | Default outbound internet access |
| 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | None (drop) | RFC 1918 ranges not in your VNet are dropped |
| VNet peering ranges | VNet peering | Added when peering is configured |
| VNG learned routes | Virtual network gateway | Added when a VPN/ER gateway with BGP is present |

System routes work fine for basic scenarios. But enterprise architectures need control — that’s where UDRs come in.

User-Defined Routes (UDRs)

UDRs override system routes. You create a route table, add routes, and associate it with one or more subnets.

Next hop types:

| Next Hop Type | What It Does | Common Use |
|---|---|---|
| Virtual appliance | Sends traffic to a specific IP (NVA or firewall) | Force traffic through Azure Firewall |
| Virtual network gateway | Sends traffic to VPN/ER gateway | Forced tunneling to on-premises |
| Virtual network | Keeps traffic in the VNet (overrides dropped routes) | Re-enable routes that system routes block |
| Internet | Sends traffic directly to internet | Bypass firewall for specific destinations |
| None | Drops the traffic (black hole) | Block specific ranges |

🔒 Aisha’s scenario: Sentinel Banking requires all traffic to flow through Azure Firewall for inspection. She creates UDRs on every workload subnet:

Route Table: rt-workload-subnets
  Route 1: 0.0.0.0/0 → Virtual appliance → 10.10.1.4 (Firewall private IP)
  Route 2: 10.20.0.0/16 → Virtual appliance → 10.10.1.4 (Spoke-to-spoke via firewall)

This overrides the default internet route and forces all outbound traffic through the firewall. Without these UDRs, traffic would go directly to the internet.

Route Priority

When multiple routes match a destination, Azure uses this priority order:

Exam Tip — Route Priority:

  1. User-defined routes (highest priority)
  2. BGP routes (from VPN/ER gateway)
  3. System routes (lowest priority)

Within the same priority level, longest prefix match wins. A /24 route beats a /16 route for the same destination because it’s more specific.

Example: If you have a system route for 0.0.0.0/0 to Internet and a UDR for 0.0.0.0/0 to Virtual appliance, the UDR wins. If you also have a UDR for 10.20.5.0/24 to a different appliance, that /24 beats the /0 for addresses in that range.
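
Added example, not code from the page or from Microsoft: a small Python model of the route selection described in this section, built from Aisha's route table above plus the 10.20.5.0/24 route in the example. The VNet address space 10.10.0.0/16 and the second appliance at 10.10.1.5 are assumptions; the page gives only the firewall at 10.10.1.4. The block follows the order Microsoft documents for route selection: longest prefix match is applied across every matching route first, and the UDR > BGP > system order decides only between routes whose prefixes are identical (the 0.0.0.0/0 case above). Running it also shows why the "Virtual network" next hop exists: a 0.0.0.0/0 UDR does not override the more specific RFC 1918 system routes that drop traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Tie-breaker between routes that have the *same* prefix:
# user-defined beats BGP, BGP beats the Azure system defaults.
TYPE_PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                         # destination in CIDR form, e.g. "10.20.5.0/24"
    next_hop_type: str                  # Azure next hop type: VirtualAppliance, Internet, None, VnetLocal...
    source: str                         # "UDR", "BGP" or "System"
    next_hop_ip: Optional[str] = None   # only meaningful for VirtualAppliance


def select_route(routes: list[Route], destination: str) -> Optional[Route]:
    """Return the route Azure would pick for one destination, or None if nothing matches.

    Every route whose prefix contains the destination is a candidate.  The longest
    prefix wins; TYPE_PRIORITY only separates candidates with identical prefix length.
    """
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ip_network(r.prefix, strict=False).prefixlen, TYPE_PRIORITY[r.source]),
    )


# Constructed effective route table for one of Aisha's workload subnets.
# Assumed: hub VNet 10.10.0.0/16 and a second appliance at 10.10.1.5.
SYSTEM_ROUTES = [
    Route("10.10.0.0/16", "VnetLocal", "System"),      # shown as "VNet (direct)" in the table above
    Route("0.0.0.0/0", "Internet", "System"),
    Route("10.0.0.0/8", "None", "System"),             # RFC 1918 ranges outside the VNet are dropped
    Route("172.16.0.0/12", "None", "System"),
    Route("192.168.0.0/16", "None", "System"),
]
USER_ROUTES = [
    Route("0.0.0.0/0", "VirtualAppliance", "UDR", "10.10.1.4"),     # Route 1: everything via the firewall
    Route("10.20.0.0/16", "VirtualAppliance", "UDR", "10.10.1.4"),  # Route 2: spoke-to-spoke via the firewall
    Route("10.20.5.0/24", "VirtualAppliance", "UDR", "10.10.1.5"),  # more specific, different appliance
]
EFFECTIVE = SYSTEM_ROUTES + USER_ROUTES


def describe(destination: str) -> str:
    """Human-readable line: which prefix/source won and where the packet goes."""
    r = select_route(EFFECTIVE, destination)
    if r is None:
        return f"{destination}: no route"
    hop = r.next_hop_type + (f" {r.next_hop_ip}" if r.next_hop_ip else "")
    return f"{destination}: {r.prefix} ({r.source}) -> {hop}"


if __name__ == "__main__":
    # 8.8.8.8      -> the 0.0.0.0/0 UDR beats the 0.0.0.0/0 system route (same prefix, UDR wins)
    # 10.20.5.10   -> the /24 UDR beats the /16 UDR and the /0 UDR (longest prefix)
    # 10.20.7.1    -> the /16 UDR (10.20.5.0/24 does not contain it)
    # 10.10.3.9    -> stays in the VNet (the /16 VnetLocal route beats the /8 drop route)
    # 172.16.0.5   -> dropped: the /12 system "None" route is more specific than the /0 UDR,
    #                 which is why a "Virtual network" UDR is needed to re-enable such ranges
    for d in ("8.8.8.8", "10.20.5.10", "10.20.7.1", "10.10.3.9", "172.16.0.5"):
        print(describe(d))
```

`select_route` takes any list of routes, so you can paste the prefixes from a real Effective Routes view into `EFFECTIVE` and ask which entry will carry a given destination before you change a route table.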

Forced Tunneling

🏢 Ravi’s scenario: Pinnacle Financial’s compliance team requires that all internet-bound traffic from Azure goes through the on-premises proxy for logging and inspection.

Ravi creates a UDR with 0.0.0.0/0 → Virtual network gateway. This forces all internet traffic from Azure through the VPN/ExpressRoute tunnel to on-premises, where the proxy inspects it before sending it to the internet.

Important caveat: Forced tunneling increases latency and can break Azure services that expect direct internet access. Platform services (like Azure Backup, Windows activation, Azure Monitor) may need service tags or specific route exceptions to function correctly.

Default Outbound Access — Going Away

ℹ️ Default Outbound Access Retirement

Historically, Azure VMs without an explicit outbound method (public IP, LB, NAT Gateway) could still reach the internet via default outbound access — a hidden SNAT that Azure provided automatically.

This is being retired:

  • 30 September 2025: New resources in new subscriptions no longer get default outbound internet access
  • 31 March 2026: New VNets have subnets that are private by default — no outbound unless you configure an explicit method

Existing VMs with default outbound access are not affected by these dates. However, Microsoft strongly recommends migrating to explicit outbound. Plan to use:

  • NAT Gateway (recommended — best practice)
  • Azure Firewall with SNAT rules
  • Standard Load Balancer outbound rules
  • Public IP on the NIC

The exam will test that you know default outbound is going away and what replaces it.

Azure Route Server

Route Server is a fully managed service that enables your Network Virtual Appliances (NVAs) to exchange routes with Azure’s network fabric via BGP.

Manual UDRs vs Azure Route Server
| Feature | Manual UDRs | Azure Route Server |
|---|---|---|
| Route management | Create/update manually for each subnet | Automatic BGP route exchange |
| Scalability | Complex at scale — each route needs manual entry | NVA advertises routes via BGP, Azure learns them |
| Dynamic updates | Static — you must update routes when topology changes | Dynamic — routes update automatically |
| NVA support | UDRs point to NVA IP | NVA peers with Route Server via BGP |
| Deployment | Route tables on subnets | RouteServerSubnet (/27 minimum) |
| Transit routing | Manual UDRs required | Enables transit between ER and VPN when configured |

Route Server as a BGP route reflector: When you enable branch-to-branch on Route Server, it reflects routes between your VPN/ER gateways and NVAs. This enables transit routing — for example, on-premises traffic arriving via ExpressRoute can transit through an NVA and reach a branch office connected via S2S VPN.

NAT Gateway

NAT Gateway provides outbound-only internet access for resources in a subnet using one or more static public IPs.

🏪 Sam’s scenario: Harbour Retail’s 50 stores each connect to Azure APIs. Sam needs consistent outbound IPs so his vendors can allowlist them, and he needs to avoid SNAT port exhaustion.

Outbound Internet Options
| Feature | Public IP on NIC | Load Balancer Outbound | NAT Gateway |
|---|---|---|---|
| Scope | Per-VM | Per-backend pool | Per-subnet |
| Static IPs | Yes (Standard SKU) | Yes | Yes |
| SNAT ports | 64,000 per IP | Shared across pool (configurable) | 64,000 per IP per destination |
| Port exhaustion risk | Low (single VM) | Medium-high (shared pool) | Very low (dynamic allocation) |
| Zone redundancy | Standard SKU only | Standard SKU only | Yes (with zone-redundant IPs) |
| Management | Per-VM config | LB outbound rules | Subnet association — automatic for all resources |
| Cost | Public IP cost | LB + IP cost | NAT Gateway + IP cost |

Exam Tip — NAT Gateway Priority: NAT Gateway takes precedence over all other outbound methods for a subnet. If a VM has a public IP on its NIC and is also in a subnet with NAT Gateway, the NAT Gateway wins for outbound traffic. This is a common exam question.

NAT Gateway key facts:

  • Supports up to 16 public IPs or public IP prefixes
  • Provides up to 50,000 concurrent connections per IP to the same destination
  • No inbound initiation — outbound only, return traffic allowed
  • Subnet-level association — all resources in the subnet use it automatically
  • Not compatible with Basic SKU resources in the same subnet

Diagnosing Routing Issues

When traffic isn’t flowing as expected, use these Network Watcher tools:

| Tool | What It Shows |
|---|---|
| Effective Routes | All routes applied to a NIC — system, UDR, and BGP combined |
| Next Hop | Which next hop Azure will use for a specific source/destination pair |
| Connection Troubleshoot | Tests end-to-end connectivity and shows where it breaks |

🔒 Aisha’s debugging: A workload VM can’t reach the internet. She checks Effective Routes and sees her UDR (0.0.0.0/0 to firewall) is active. She checks the firewall and finds the application rule for outbound HTTPS is missing. Problem solved — the route was correct, the firewall rule was the issue.
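
Added example, not from the page or from Microsoft: a Python check that reproduces Aisha's first debugging step over the Effective Routes output. The sample JSON is constructed in the shape `az network nic show-effective-route-table -g <rg> -n <nic> -o json` returns (the `value` list with `source`, `state`, `addressPrefix`, `nextHopType` and `nextHopIpAddress` per route); the route names and addresses are made up for her workload NIC, and the firewall IP 10.10.1.4 comes from her scenario above. The audit confirms that the active 0.0.0.0/0 route is a UDR pointing at the firewall, and otherwise reports the case the page warns about, where traffic goes straight to the internet because the route table is missing.

```python
import copy
import json
from typing import Dict, List

# Constructed sample of an Effective Routes export for Aisha's workload NIC.
# A system route that a UDR has overridden shows up with state "Invalid".
SAMPLE_EFFECTIVE_ROUTES = json.loads("""
{"value": [
  {"name": null, "source": "Default", "state": "Active", "addressPrefix": ["10.10.0.0/16"],
   "nextHopType": "VnetLocal", "nextHopIpAddress": [], "disableBgpRoutePropagation": false},
  {"name": null, "source": "Default", "state": "Invalid", "addressPrefix": ["0.0.0.0/0"],
   "nextHopType": "Internet", "nextHopIpAddress": [], "disableBgpRoutePropagation": false},
  {"name": "default-via-firewall", "source": "User", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.10.1.4"], "disableBgpRoutePropagation": false},
  {"name": null, "source": "VirtualNetworkGateway", "state": "Active", "addressPrefix": ["192.168.50.0/24"],
   "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.10.0.100"], "disableBgpRoutePropagation": false}
]}
""")


def audit_default_route(effective: Dict, expected_fw_ip: str) -> List[str]:
    """Findings for a NIC whose subnet is supposed to send 0.0.0.0/0 through a firewall.

    An empty list means the route table is doing its job, so the next thing to
    inspect is the firewall itself (as in Aisha's case: a missing application rule).
    """
    findings: List[str] = []
    active_default = [
        r for r in effective["value"]
        if r["state"] == "Active" and "0.0.0.0/0" in r["addressPrefix"]
    ]
    if not active_default:
        findings.append("no active 0.0.0.0/0 route: outbound traffic has nowhere to go")
        return findings
    if len(active_default) > 1:
        findings.append("more than one active 0.0.0.0/0 route; check which source is winning")
    r = active_default[0]
    if r["source"] != "User":
        findings.append(
            f"default route comes from {r['source']}, not a UDR: traffic bypasses the firewall "
            f"(next hop {r['nextHopType']})"
        )
    elif r["nextHopType"] != "VirtualAppliance" or expected_fw_ip not in r["nextHopIpAddress"]:
        findings.append(
            f"default UDR next hop is {r['nextHopType']} {r['nextHopIpAddress']}, "
            f"expected VirtualAppliance {expected_fw_ip}"
        )
    return findings


def without_udr(effective: Dict) -> Dict:
    """Constructed variant: the route table was never associated, so only system and BGP
    routes remain and the system 0.0.0.0/0 -> Internet route is active again."""
    out = copy.deepcopy(effective)
    out["value"] = [r for r in out["value"] if r["source"] != "User"]
    for r in out["value"]:
        if r["source"] == "Default" and "0.0.0.0/0" in r["addressPrefix"]:
            r["state"] = "Active"
    return out


def triage(effective: Dict, expected_fw_ip: str) -> str:
    """One-line verdict for the operator."""
    findings = audit_default_route(effective, expected_fw_ip)
    if not findings:
        return "route table is correct; check the firewall's network/application rules next"
    return "; ".join(findings)


if __name__ == "__main__":
    print(triage(SAMPLE_EFFECTIVE_ROUTES, "10.10.1.4"))   # route is fine, look at the firewall
    print(triage(without_udr(SAMPLE_EFFECTIVE_ROUTES), "10.10.1.4"))  # traffic bypasses the firewall
```

Feed the function the real export (`json.load` of the CLI output) and the expected firewall address for that subnet; it is cheap enough to run against every workload NIC after a route-table change.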

Key Takeaways

  • UDRs override system routes; longest prefix match resolves conflicts within the same priority
  • Forced tunneling sends all internet traffic through on-premises via 0.0.0.0/0 to gateway
  • Default outbound access is retiring — plan explicit outbound (NAT Gateway recommended)
  • Route Server enables dynamic BGP route exchange with NVAs
  • NAT Gateway takes priority over all other outbound methods on a subnet

Test Your Knowledge

Question

What is the route priority order in Azure?

Answer

1. User-defined routes (highest) 2. BGP routes (from gateways) 3. System routes (lowest). Within the same level, longest prefix match wins.

Question

What happens when a VM has a public IP and its subnet has a NAT Gateway?

Answer

NAT Gateway wins for outbound traffic. It takes precedence over public IPs on NICs, load balancer outbound rules, and default outbound access.

Question

What is forced tunneling?

Answer

A UDR that sets 0.0.0.0/0 to Virtual Network Gateway, forcing all internet-bound traffic through VPN or ExpressRoute to on-premises for inspection. Can break Azure services that need direct internet access.

Question

What does Azure Route Server do?

Answer

A fully managed service that enables BGP route exchange between NVAs and Azure. It replaces manual UDR management with dynamic route learning and can act as a route reflector for transit routing.

Question

When is default outbound access being retired?

Answer

30 September 2025: new resources in new subscriptions lose default outbound. 31 March 2026: new VNets have subnets that are private by default. Existing VMs are not affected, but Microsoft recommends migrating to explicit outbound (NAT Gateway, Firewall, LB outbound rules, or public IP).


Knowledge Check

Aisha wants all workload traffic to flow through Azure Firewall at 10.10.1.4. What UDR should she create?

Knowledge Check

A subnet has both a UDR for 10.20.0.0/16 pointing to a firewall and a BGP route for 10.20.5.0/24 from VPN. Which route wins for traffic to 10.20.5.10?

Knowledge Check

Which outbound method takes highest precedence when associated with a subnet?


Next up: VNet Peering and Connectivity — Connect VNets with peering, enable gateway transit, and explore Azure Virtual Network Manager.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.