
Controlling Azure Subnet Traffic with Route Tables


Network Traffic Control and Segmentation with Azure Route Tables

Implement network segmentation by controlling traffic flow between subnets

Azure Route Tables provide network-level traffic control by defining custom routing paths between subnets. Unlike Network Security Groups (NSGs) that filter traffic at the protocol/port level, route tables control traffic flow by directing packets to specific destinations or dropping them entirely.

Use Case Overview

This guide demonstrates creating traffic isolation between security and media workloads using route tables to prevent lateral movement between sensitive network segments.

Network Architecture

  • Security Subnet: 10.0.1.0/24 (VM1: 10.0.1.4)
  • Media Subnet: 10.0.2.0/24 (VM2: 10.0.2.4)
  • Objective: Block all traffic from Security subnet to Media subnet

Prerequisites

  • Azure Subscription with Contributor or higher permissions
  • Virtual Network with multiple subnets configured
  • Virtual Machines deployed in target subnets
  • Basic connectivity established between subnets (for testing)

Route Tables vs. Network Security Groups

Feature            Route Tables                 Network Security Groups
Control Level      Network routing (Layer 3)    Traffic filtering (Layer 4-7)
Application        Subnet-wide                  VM/subnet level
Granularity        IP ranges/subnets            Protocols, ports, IPs
Traffic Handling   Route or drop                Allow or deny

Step 1: Create Route Table

Navigate to Route Tables

1. In Azure Portal, search for "Route tables"
2. Click Create to begin configuration

Configure Basic Settings

# Project Details
Subscription: Select appropriate subscription
Resource Group: Choose same group as your VNet
Region: Must match your Virtual Network region

# Instance Details
Name: rt-security-deny-media
Propagate gateway routes: Yes (recommended for hybrid connectivity)

Step 2: Associate Route Table with Subnet

# Access Route Table Configuration
1. Navigate to your newly created route table
2. Select Subnets from the left menu
3. Click Associate

# Configure Subnet Association
Virtual Network: Select your target VNet
Subnet: Choose Security subnet (10.0.1.0/24)
Click OK to associate

Note: Route tables affect all traffic from the associated subnet, providing subnet-wide control.

Step 3: Create Traffic Blocking Route

Add Custom Route

# Add Custom Route
1. In the route table, select Routes from the left menu
2. Click Add to create a new route

# Configure Route Parameters
Route name: block-media-subnet
Address prefix: 10.0.2.0/24 (Media subnet CIDR)
Next hop type: None
Next hop address: N/A (automatically disabled)

Next Hop Types Explained

  • Virtual Network Gateway: Routes to on-premises via VPN/ExpressRoute
  • Virtual Network: Routes within the VNet (default behavior)
  • Internet: Routes to public internet
  • Virtual Appliance: Routes to Network Virtual Appliance (NVA)
  • None: Drops traffic (creates black hole route)
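Steps 1 through 3 as Azure CLI commands, an added example that is not part of the original guide: the route table and route names match the guide, while the resource group (rg-netseg), region (eastus), VNet (vnet-prod) and subnet (snet-security) names are assumptions. Setting AZ=echo prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): Azure CLI equivalent of Steps 1-3.
# Assumed names: rg-netseg, eastus, vnet-prod, snet-security. Override via environment.
set -eu

AZ="${AZ:-az}"                   # AZ=echo prints the commands instead of running them
RG="${RG:-rg-netseg}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-prod}"
SUBNET="${SUBNET:-snet-security}"
RT="rt-security-deny-media"      # name used in the guide

# Step 1: create the route table. "Propagate gateway routes: Yes" means BGP route
# propagation stays enabled, i.e. --disable-bgp-route-propagation false (the default).
create_route_table() {
  "$AZ" network route-table create --resource-group "$RG" --location "$LOCATION" \
    --name "$RT" --disable-bgp-route-propagation false
}

# Step 3: the black-hole route for the Media subnet (next hop None drops the packets).
add_blackhole_route() {
  "$AZ" network route-table route create --resource-group "$RG" --route-table-name "$RT" \
    --name block-media-subnet --address-prefix 10.0.2.0/24 --next-hop-type None
}

# Step 2: associate the table with the Security subnet; every packet leaving that
# subnet is then routed according to this table.
associate_subnet() {
  "$AZ" network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --route-table "$RT"
}

# Step 4 check: the effective routes of VM1's NIC should list 10.0.2.0/24 -> None.
show_effective_routes() {
  nic="$1"
  "$AZ" network nic show-effective-route-table --resource-group "$RG" --name "$nic" \
    --output table
}

# Guard: nothing touches Azure unless the script is run as "./script apply <vm1-nic-name>".
if [ "${1:-}" = "apply" ]; then
  create_route_table
  add_blackhole_route
  associate_subnet
  show_effective_routes "${2:?usage: $0 apply <vm1-nic-name>}"
fi
```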

Step 4: Verify Route Table Configuration

Check Route Table Status

# Verify Route Table Configuration
1. Navigate to Route tables > [Your Route Table]
2. Verify Associated subnets shows Security subnet
3. Confirm Routes contains your custom blocking route

# Review Effective Routes
1. Go to Virtual machines > VM1 > Networking
2. Select the network interface
3. Click Effective routes to view active routing table
4. Confirm custom route appears in the list

Step 5: Test Traffic Blocking

Establish Baseline Connectivity

Before applying the route table, verify connectivity works:

# Before Route Table Application
1. RDP to VM1 (10.0.1.4) using public IP
2. From VM1, attempt RDP to VM2 (10.0.2.4)
3. Verify successful connection

Test Route Table Effectiveness

# After Route Table Application
# From VM1 (10.0.1.4) - all should fail

# Test basic connectivity
ping 10.0.2.4

# Test RDP connectivity
telnet 10.0.2.4 3389

# Test HTTP connectivity (if web server running)
telnet 10.0.2.4 80

Expected Results

  • ❌ All connection attempts should fail
  • ❌ Ping requests receive no response (packets dropped)
  • ❌ RDP connections cannot establish

Verify Traffic Direction

Test that traffic flows in the opposite direction (route table only affects outbound from Security subnet):

# From VM2 (Media subnet) to VM1 (Security subnet)
1. RDP to VM2 using its public IP
2. Attempt connection to VM1 (10.0.1.4)
3. Connection should succeed ✅

Troubleshooting Common Issues

Route Table Not Applied

Symptoms: Traffic still flows between subnets

Solutions:

  • Verify route table association with correct subnet
  • Check route configuration for typos in address prefix
  • Confirm Next hop type is set to “None”

Unintended Traffic Blocking

Symptoms: Required services become unavailable

Solutions:

  • Review all routes for conflicts
  • Check route precedence (longest prefix match)
  • Verify subnet associations are correct
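To make the Effective routes view from Step 4 and the longest-prefix-match rule from the troubleshooting list concrete, here is an added example (not part of the original guide) that simulates the per-packet lookup Azure performs for a packet leaving VM1's NIC. The VNet address space 10.0.0.0/16 and the two system routes are assumptions; the guide only names the two subnets.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): simulate the effective-route lookup for
# packets leaving VM1. Routes are "prefix=nextHop" words; 10.0.0.0/16 is an assumed VNet range.
set -eu

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the next hop for destination $1 using longest-prefix match over the remaining
# arguments. The /24 custom route therefore beats the /16 VirtualNetwork system route,
# and a mistyped prefix such as 10.0.20.0/24 simply never matches 10.0.2.4.
lookup() {
  local dst best_len best_hop route prefix hop net len mask
  dst=$(ip2int "$1"); shift
  best_len=-1; best_hop=""
  for route in "$@"; do
    prefix=${route%%=*}; hop=${route#*=}
    net=${prefix%/*};    len=${prefix#*/}
    mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    if [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] && [ "$len" -gt "$best_len" ]; then
      best_len=$len; best_hop=$hop
    fi
  done
  echo "$best_hop"
}

# Effective routes of VM1 (Security subnet) after Step 3: the two default system routes
# plus the custom black-hole route. A next hop of None means the packet is dropped.
VM1_ROUTES="10.0.0.0/16=VirtualNetwork 0.0.0.0/0=Internet 10.0.2.0/24=None"

# The lookup is per packet and stateless: any packet VM1 sends to 10.0.2.4, whether it
# opens a connection or replies to one, resolves to the same None route.
for dst in 10.0.2.4 10.0.3.4 8.8.8.8; do
  printf '%-10s -> %s\n' "$dst" "$(lookup "$dst" $VM1_ROUTES)"
done
```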

Conclusion

Route tables provide powerful network segmentation capabilities in Azure, enabling administrators to implement zero-trust network architectures and prevent lateral movement between sensitive workloads. When combined with NSGs and other security controls, they form a comprehensive network security strategy.

Best Practice: Use route tables for network-level segmentation and NSGs for protocol/port-level filtering to create layered security controls.
