Azure Route Tables provide network-level traffic control by defining where packets leaving a subnet are sent next. Unlike Network Security Groups (NSGs), which filter traffic by source/destination IP, port and protocol and are stateful, a route table makes a Layer 3 forwarding decision: it directs packets to a chosen next hop or, with next hop type None, drops them entirely. This makes route tables a simple way to enforce coarse segmentation between subnets; finer, flow-level microsegmentation still belongs to NSGs and application security groups.
Use Case Overview
This guide demonstrates creating traffic isolation between security and media workloads using route tables to prevent lateral movement between sensitive network segments.
Network Architecture:
- Security Subnet: 10.0.1.0/24 (VM1: 10.0.1.4)
- Media Subnet: 10.0.2.0/24 (VM2: 10.0.2.4)
- Objective: Block all traffic from Security subnet to Media subnet
Prerequisites
- Azure subscription access: the Network Contributor role on the resource group is sufficient and is preferable to Contributor on the whole subscription (least privilege)
- Virtual Network with multiple subnets configured
- Virtual Machines deployed in target subnets
- Basic connectivity established between subnets (for testing)
Route Tables vs. Network Security Groups
| Feature | Route Tables | Network Security Groups |
|---|---|---|
| Control level | Routing decision (Layer 3) | Traffic filtering (Layer 3/4: IP, port, protocol) |
| Scope | Subnet | Network interface or subnet |
| Granularity | Destination IP prefixes | Source/destination IPs, ports, protocols, service tags |
| Traffic handling | Forward to a next hop or drop | Allow or deny |
| State | Stateless (replies are evaluated on their own) | Stateful (return traffic for an allowed flow is permitted automatically) |
Step 1: Create Route Table
Navigate to Route Tables
- In Azure Portal, search for “Route tables”
- Click Create to begin configuration
Configure Basic Settings
Project Details:
- Subscription: Select appropriate subscription
- Resource Group: Choose same group as your VNet
- Region: Must match your Virtual Network region
Instance Details:
- Name: rt-security-deny-media
- Propagate gateway routes: Yes (recommended for hybrid connectivity; set to No only when on-premises traffic must be forced through an NVA instead)
Click Review + create then Create.
Step 2: Associate Route Table with Subnet
Access Route Table Configuration
- Navigate to your newly created route table
- Select Subnets from the left menu
- Click Associate
Configure Subnet Association
Subnet Association:
- Virtual Network: Select your target VNet
- Subnet: Choose Security subnet (10.0.1.0/24)
Click OK to associate the route table.
Note: A route table applies to every packet leaving the associated subnet, including replies to connections that were initiated from elsewhere. It is not stateful like an NSG, so a drop route affects return traffic as well.
Step 3: Create Traffic Blocking Route
Add Custom Route
- In the route table, select Routes from the left menu
- Click Add to create a new route
Configure Route Parameters
Route Configuration:
- Route name: block-media-subnet
- Address prefix: 10.0.2.0/24 (Media subnet CIDR)
- Next hop type: None
- Next hop address: N/A (the field is disabled when the next hop type is None)
Click Add to save the route.
Route Behavior Explanation
Next Hop Types:
- Virtual Network Gateway: Routes to on-premises via VPN/ExpressRoute
- Virtual Network: Keeps traffic inside the VNet (the same behavior as the system VnetLocal route)
- Internet: Routes to the public internet
- Virtual Appliance: Routes to a Network Virtual Appliance (NVA) at the given next hop IP address; the NVA must have IP forwarding enabled
- None: Drops the packet silently (a black-hole route). No ICMP unreachable is returned, so clients see timeouts rather than refused connections
Step 4: Verify Route Table Configuration
Check Route Table Status
- Navigate to Route tables > [Your Route Table]
- Verify Associated subnets shows Security subnet
- Confirm Routes contains your custom blocking route
Review Effective Routes
- Go to Virtual machines > VM1 > Networking
- Select the network interface
- Click Effective routes to view active routing table
- Confirm the custom route appears with Source = User, State = Active and Next hop type = None; if the route is missing here, the fabric is not enforcing it, whatever the route table page shows
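The same procedure (Steps 1 through 4) as an Azure CLI script driven from Python, added here as a worked example; it is not code from the original page. The resource group, region, VNet, subnet and NIC names are placeholders you must replace. The script prints the commands without executing them unless apply=True, so the change can be reviewed first, and it creates the route before associating the subnet so that the association takes effect with the black-hole route already in place.

```python
import ipaddress
import subprocess
from typing import List

# Placeholder names (assumptions, replace with your own); the route table and
# route names are the ones used in Steps 1 and 3 of this guide.
RESOURCE_GROUP = "rg-network"
LOCATION = "eastus"
VNET = "vnet-prod"
SECURITY_SUBNET = "snet-security"
VM1_NIC = "vm1-nic"


def route_table_commands(rg: str, location: str, vnet: str, subnet: str, nic: str,
                         table: str = "rt-security-deny-media",
                         route: str = "block-media-subnet",
                         blocked_prefix: str = "10.0.2.0/24") -> List[List[str]]:
    """Return the az CLI invocations for Steps 1-4 as argv lists."""
    # Catch typos before anything reaches Azure: strict=True rejects a prefix
    # with host bits set (10.0.2.4/24) as well as an impossible mask (10.0.2.0/33).
    ipaddress.ip_network(blocked_prefix, strict=True)
    return [
        # Step 1: create the table; gateway route propagation stays enabled ("Yes").
        ["az", "network", "route-table", "create", "-g", rg, "-n", table,
         "-l", location, "--disable-bgp-route-propagation", "false"],
        # Step 3: black-hole route for the Media subnet (next hop None, no address).
        ["az", "network", "route-table", "route", "create", "-g", rg,
         "--route-table-name", table, "-n", route,
         "--address-prefix", blocked_prefix, "--next-hop-type", "None"],
        # Step 2: associate with the Security subnet, now that the route exists.
        ["az", "network", "vnet", "subnet", "update", "-g", rg, "--vnet-name", vnet,
         "-n", subnet, "--route-table", table],
        # Step 4: show what the fabric actually enforces on VM1's NIC.
        ["az", "network", "nic", "show-effective-route-table", "-g", rg,
         "-n", nic, "-o", "table"],
    ]


def run(commands: List[List[str]], apply: bool = False) -> int:
    """Print each command; execute it only when apply=True. Returns the count."""
    for cmd in commands:
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)  # stop at the first failed step
    return len(commands)


if __name__ == "__main__":
    # Dry run by default; call run(..., apply=True) after reviewing the output.
    run(route_table_commands(RESOURCE_GROUP, LOCATION, VNET, SECURITY_SUBNET, VM1_NIC))
```

Run it once in dry-run mode, check that the printed `route create` line carries `--next-hop-type None` and the intended prefix, then rerun with apply=True. The effective-route command in the last step is the authoritative check; the route table blade only shows configuration.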
Step 5: Test Traffic Blocking
Establish Baseline Connectivity
Before Route Table Application:
- RDP to VM1 (10.0.1.4) using its public IP (or, preferably, Azure Bastion; do not leave RDP exposed to the internet after testing)
- From VM1, attempt RDP to VM2 (10.0.2.4)
- Verify successful connection
Test Route Table Effectiveness
After Route Table Application:
- Maintain RDP session to VM1
- Attempt to connect to VM2 (10.0.2.4) from a command prompt on VM1 (the Telnet Client Windows feature must be enabled for telnet to work):

```cmd
:: Test basic connectivity (ICMP; only meaningful if ping worked in the baseline)
ping 10.0.2.4
:: Test RDP connectivity
telnet 10.0.2.4 3389
:: Test HTTP connectivity (if web server running)
telnet 10.0.2.4 80
```
Expected Results:
- ❌ All connection attempts from VM1 to 10.0.2.4 fail
- ❌ Ping reports "Request timed out": the packets are silently dropped and a black-hole route returns no ICMP unreachable. Compare with the baseline: if ping also failed before the route existed, VM2's host firewall is blocking ICMP echo and ping proves nothing
- ❌ RDP and HTTP attempts hang until the TCP timeout instead of being refused, because no SYN ever reaches VM2 and no RST comes back
Verify Traffic Direction
Important: the route table is associated only with the Security subnet, but it is stateless and applies to every packet that leaves that subnet, including replies. Test from the Media subnet to confirm this:
- RDP to VM2 using its public IP (or Azure Bastion)
- Attempt connection to VM1 (10.0.1.4)
- The SYN from VM2 reaches VM1, because the Media subnet has only the system routes, but VM1's SYN-ACK is addressed to 10.0.2.4, matches block-media-subnet in VM1's effective routes, and is dropped. The connection fails in this direction as well
- Conclusion: a next-hop None route severs connectivity between the two subnets in both directions. If you need one-way initiation (for example, Media may reach Security but not the reverse), use an NSG rule, which is stateful and permits return traffic for allowed flows, rather than a route
Troubleshooting Common Issues
Route Table Not Applied
Symptoms: Traffic still flows between subnets
Solutions:
- Verify the route table is associated with the subnet that contains the source NIC, and check Effective routes on that NIC, which is what the fabric actually enforces
- Check route configuration for typos in the address prefix
- Confirm Next hop type is set to "None"
- Allow a short time for the change to propagate, then re-check the effective routes
Unintended Traffic Blocking
Symptoms: Required services become unavailable
Solutions:
- Review all routes for overlap with prefixes that must remain reachable
- Check route precedence: the most specific (longest) prefix wins, and among routes with the same prefix a user route overrides BGP and system routes, so a broad None route can swallow reachability for every address inside it
- Verify subnet associations are correct
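To see why the route behaves as described under Route Behavior Explanation and Verify Traffic Direction, and how longest-prefix-match precedence decides which route wins, the following added example (not from the original page) evaluates destinations against a constructed effective-route list. The list imitates the field names of `az network nic show-effective-route-table -o json` (addressPrefix, nextHopType, source, state); that shape is an assumption and the entries are constructed sample data, not real output.

```python
import ipaddress
from typing import Any, Dict, List, Optional

Route = Dict[str, Any]

# Constructed sample: effective routes on VM1's NIC (10.0.1.4) after the
# rt-security-deny-media table is associated with the Security subnet.
VM1_EFFECTIVE_ROUTES: List[Route] = [
    {"source": "Default", "state": "Active", "addressPrefix": ["10.0.0.0/16"],
     "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    {"source": "Default", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet", "nextHopIpAddress": []},
    {"source": "User", "state": "Active", "name": "block-media-subnet",
     "addressPrefix": ["10.0.2.0/24"], "nextHopType": "None", "nextHopIpAddress": []},
]

# VM2 (10.0.2.4) is in the Media subnet, which has no route table: system routes only.
VM2_EFFECTIVE_ROUTES: List[Route] = [r for r in VM1_EFFECTIVE_ROUTES if r["source"] == "Default"]

# Tie-break for routes with an identical prefix: user > BGP (gateway) > system.
SOURCE_RANK = {"User": 2, "VirtualNetworkGateway": 1, "Default": 0}


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match over Active routes, as the Azure fabric does it."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_key = (-1, -1)
    for r in routes:
        if r.get("state") != "Active":  # overridden system routes show as Invalid
            continue
        for prefix in r["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if ip not in net:
                continue
            key = (net.prefixlen, SOURCE_RANK.get(str(r.get("source")), 0))
            if key > best_key:
                best, best_key = r, key
    return best


def is_dropped(routes: List[Route], dst: str) -> bool:
    """True when the winning route has next hop None (or nothing matches)."""
    r = select_route(routes, dst)
    return r is None or r["nextHopType"] == "None"


def tcp_connect_possible(client_routes: List[Route], server_routes: List[Route],
                         client_ip: str, server_ip: str) -> bool:
    """A handshake needs the SYN (client -> server) and the SYN-ACK (server -> client)
    to be forwarded. Route tables are stateless, so each leg is judged on its own."""
    return (not is_dropped(client_routes, server_ip)
            and not is_dropped(server_routes, client_ip))


def explain(routes: List[Route], src: str, dst: str) -> str:
    """Human-readable verdict for one direction, for use in a troubleshooting session."""
    r = select_route(routes, dst)
    if r is None:
        return f"{src} -> {dst}: no matching route"
    name = r.get("name") or "system route"
    return f"{src} -> {dst}: {name} {r['addressPrefix'][0]} next hop {r['nextHopType']}"


if __name__ == "__main__":
    print(explain(VM1_EFFECTIVE_ROUTES, "10.0.1.4", "10.0.2.4"))   # user route, next hop None
    print(explain(VM2_EFFECTIVE_ROUTES, "10.0.2.4", "10.0.1.4"))   # system route, VnetLocal
    print("Media -> Security TCP possible:",
          tcp_connect_possible(VM2_EFFECTIVE_ROUTES, VM1_EFFECTIVE_ROUTES, "10.0.2.4", "10.0.1.4"))
```

The /24 user route beats the /16 system route for 10.0.2.4 purely on prefix length, which is the precedence rule to keep in mind when a broad None route unexpectedly blocks a service. The last line prints False: the SYN from VM2 is forwarded, but VM1's reply is evaluated against VM1's own routes and black-holed, so the flow never completes even though the route table is attached to one subnet only.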
Performance Impact
Symptoms: Increased network latency after routes were added
Solutions:
- Routes with next hop None or Virtual network do not add measurable latency; the route lookup happens in the platform. Added latency almost always comes from routes whose next hop is a Virtual Appliance, which inserts an extra hop and inspection
- Confirm that only the prefixes that genuinely need inspection are sent to the NVA, using specific prefixes rather than broad ranges
- Consolidate adjacent prefixes where possible; Azure also caps the number of routes per route table, so fewer, well-chosen routes are easier to manage and audit
Monitoring and Maintenance
Route Table Monitoring
Azure Monitor Integration:
- Track route table changes via the Activity Log (write and delete operations under the Microsoft.Network/routeTables resource type, including individual routes under routeTables/routes)
- Monitor effective routes on network interfaces, since that is what the fabric enforces
- Create Activity Log alerts on route table and route modifications so that a change made outside the approved process is noticed quickly
Regular Maintenance:
- Review route tables quarterly
- Document route purposes and business justification
- Test network connectivity after changes
Compliance Considerations
Network Segmentation Requirements:
- Document route tables for compliance audits
- Implement change management processes
- Regular validation of traffic isolation
Security Best Practices
Defense in Depth
Layered Security Approach:
- Route Tables: Network-level traffic control
- NSGs: Protocol and port filtering
- Azure Firewall: Application-level inspection
- VM-level firewalls: Host-based protection
Access Control
Route Table Management:
- Limit administrative access using Azure RBAC (Network Contributor scoped to the networking resource group, rather than Contributor on the subscription)
- Implement approval workflows for route changes
- Monitor privileged operations
Documentation
Maintain Records:
- Network topology diagrams
- Route table purposes and business justification
- Change history and approval records
Route tables provide a simple, subnet-wide segmentation control in Azure, enabling administrators to cut off paths between sensitive workloads and limit lateral movement. Because they are stateless and operate on destination prefixes only, they are one layer rather than the whole design: combined with NSGs for stateful, port-level filtering and Azure Firewall or an NVA for inspection, they form a comprehensive network security strategy.