
Configure user-defined network routes


Routes determine how traffic flows between virtual machines, subnets, virtual networks and the internet.

System routes are created and managed by Azure and are automatically assigned to every subnet. By default they cover traffic within a virtual network, traffic between peered virtual networks and traffic to the internet. You cannot create, delete or modify system routes, but you can override them with user-defined routes.

User-defined (custom) routes, on the other hand, are created and managed by you. Where a custom route matches a destination prefix, it takes precedence over the system route for that prefix, so custom routes can override (but not delete) system routes. A route specifies a destination address prefix and the next hop for traffic that matches it. The next hop type can be Virtual network gateway, Virtual network, Internet, Virtual appliance (a network virtual appliance, which also requires a next-hop IP address) or None, which drops the traffic. Because a custom route silently redirects a subnet's traffic, anyone with write access to a route table can steer that traffic through a host of their choosing; treat route tables as security-sensitive resources and restrict who can modify them.

To configure a custom route for a subnet: first create a route table, then add one or more routes to it, and finally associate the route table with the subnet. A route table that is not associated with any subnet has no effect on traffic.

Azure CLI

# 1. Create the route table
az network route-table create \
  --name <route-table-name> \
  --resource-group <resource-group-name> \
  --location <location>

# 2. Add a route (--next-hop-ip-address is required only when --next-hop-type is VirtualAppliance)
az network route-table route create \
  --name <route-name> \
  --resource-group <resource-group-name> \
  --route-table-name <route-table-name> \
  --address-prefix <address-prefix> \
  --next-hop-type <next-hop-type> \
  --next-hop-ip-address <next-hop-ip-address>

# 3. Associate the route table with the subnet
az network vnet subnet update \
  --name <subnet-name> \
  --vnet-name <vnet-name> \
  --resource-group <resource-group-name> \
  --route-table <route-table-name>

 

PowerShell

# 1. Create the route table (PowerShell continues lines with a backtick, not a backslash)
$routeTable = New-AzRouteTable -Name <route-table-name> `
  -ResourceGroupName <resource-group-name> `
  -Location <location>

# 2. Add a route to the route table object, then write the object back to Azure.
#    -RouteTable expects the object, not the name; without Set-AzRouteTable nothing is saved.
Add-AzRouteConfig -Name <route-name> `
  -RouteTable $routeTable `
  -AddressPrefix <address-prefix> `
  -NextHopType <next-hop-type> `
  -NextHopIpAddress <next-hop-ip-address> | Set-AzRouteTable

# 3. Associate the route table with the subnet and save the virtual network
$vnet = Get-AzVirtualNetwork -Name <vnet-name> -ResourceGroupName <resource-group-name>
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name <subnet-name> `
  -AddressPrefix <subnet-address-prefix> -RouteTable $routeTable | Set-AzVirtualNetwork
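The three steps above carried through end to end, as an added example written for this page (it is not code from the original article or from Azure's documentation): it sends a workload subnet's default route through a network virtual appliance, adds a route that drops traffic to a prefix the subnet must never reach, associates the table with the subnet, and then reads back the effective routes on a NIC in that subnet to confirm the override took effect. The resource group, location, VNet, subnet, NIC name, NVA address and blackhole prefix are assumed placeholders; setting DRY_RUN=1 prints the az commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example for this page (not code from the original article or from Azure docs).
# Sends all internet-bound traffic from a workload subnet through a network virtual
# appliance (NVA) with a user-defined route, then verifies the effective routes.
# Every name and address below is an assumed placeholder; override via environment variables.
set -eu

RG="${RG:-rg-network-demo}"
LOCATION="${LOCATION:-northeurope}"
VNET="${VNET:-vnet-hub}"
WORKLOAD_SUBNET="${WORKLOAD_SUBNET:-snet-workload}"
RT_NAME="${RT_NAME:-rt-workload-egress}"
NVA_IP="${NVA_IP:-10.0.1.4}"                          # private IP of the NVA's NIC (assumed)
WORKLOAD_NIC="${WORKLOAD_NIC:-nic-vm-workload-01}"     # any NIC in the workload subnet (assumed)
BLACKHOLE_PREFIX="${BLACKHOLE_PREFIX:-10.250.0.0/16}"  # range this subnet must never reach (assumed)

# run: execute an az command, or only print it when DRY_RUN=1 (review the plan before applying)
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: the route table. BGP route propagation is disabled so that routes learned from an
# on-premises gateway cannot quietly take precedence over the path through the NVA.
create_route_table() {
  run az network route-table create --name "$RT_NAME" --resource-group "$RG" \
    --location "$LOCATION" --disable-bgp-route-propagation true
}

# Step 2: the routes. 0.0.0.0/0 -> VirtualAppliance overrides the system Internet route.
# Longest prefix match still wins, so the system VnetLocal route keeps intra-VNet traffic
# (including traffic to the NVA itself) local. A None next hop drops matching traffic outright.
add_routes() {
  run az network route-table route create --resource-group "$RG" --route-table-name "$RT_NAME" \
    --name default-via-nva --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$NVA_IP"
  run az network route-table route create --resource-group "$RG" --route-table-name "$RT_NAME" \
    --name blackhole --address-prefix "$BLACKHOLE_PREFIX" --next-hop-type None
}

# Step 3: association. Until this runs the route table affects no traffic at all.
associate_subnet() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$WORKLOAD_SUBNET" --route-table "$RT_NAME"
}

# Check: the effective route table of a NIC in the subnet merges system and user routes; the
# 0.0.0.0/0 line should now show VirtualAppliance with NVA_IP as next hop, the blackhole prefix None.
show_effective_routes() {
  run az network nic show-effective-route-table --resource-group "$RG" --name "$WORKLOAD_NIC" \
    --output table
}

deploy_udr() {
  create_route_table
  add_routes
  associate_subnet
  show_effective_routes
}

# Usage: DRY_RUN=1 ./udr.sh apply   (print the plan)      ./udr.sh apply   (execute)
if [ "${1:-}" = "apply" ]; then deploy_udr; fi
```

Run it once with DRY_RUN=1 and keep that output with the change record; then run it for real and compare the effective-route table against the plan. If the 0.0.0.0/0 line still says Internet, the association step did not land on the subnet you expected.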

 

Service Endpoints 

A service endpoint extends your virtual network's identity to an Azure service (Storage, SQL Database, Key Vault and others) over the Azure backbone. Traffic from the subnet still reaches the service's public endpoint, but it arrives with the virtual network and subnet as its source rather than a public IP address, so the service's firewall can admit that subnet and nothing else.

Service endpoints therefore let your virtual network connect to Azure services without traversing the public internet, and let you restrict access to those services with virtual network rules that name the subnets allowed to reach them. A service endpoint does not give the service a private IP address, and it does not by itself block other clients: you must also set the service's default network action to Deny, otherwise the rule only adds the subnet to an already open service.

To illustrate how this works, suppose a virtual machine in a subnet of your virtual network needs to reach an Azure Storage account, and you do not want the storage account reachable from the public internet. Enable the Microsoft.Storage service endpoint on that subnet, add a virtual network rule on the storage account that allows the subnet, and then set the account's default action to Deny. Traffic from the subnet still reaches the storage account, while requests from anywhere else are rejected.

Azure Private Link and private endpoint use cases

Azure Private Link and private endpoints enable connectivity to Azure services over private IP addresses, without exposing the services to the public internet.

Private Link provides a private connection from your Azure virtual network to Azure PaaS services such as Azure Storage, SQL Database and Cosmos DB, and to services that other customers or partners expose through a Private Link service, without exposing them to the public internet. Because a private endpoint is an ordinary network interface in your address space, peered virtual networks and on-premises networks connected over VPN or ExpressRoute can reach the service through it as well, provided their DNS resolves the service name to the private endpoint's address.

A private endpoint is a network interface in your virtual network that is assigned a private IP address from the subnet's address space and maps to one specific service instance (or to one sub-resource of it, such as the blob service of a single storage account). Clients reach the service through that private IP address, as if the service were part of the virtual network. The check that matters in practice is DNS: the service's public name must resolve to the private endpoint address, typically through a privatelink.* private DNS zone linked to the virtual network. If it does not, clients silently keep using the public endpoint and the private endpoint protects nothing.
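The storage account scenario from the service endpoint section and the private endpoint described above, side by side as an added example written for this page (not code from the original article or from Azure's documentation): option A locks one storage account down to one subnet with a service endpoint plus network rules, option B does it with a private endpoint plus a privatelink DNS zone, and a final check confirms from inside the VNet that the account name actually resolves to the private endpoint. The resource group, VNet, subnet, storage account name, subscription ID and VNet address range are assumed placeholders; DRY_RUN=1 prints the az commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example for this page (not code from the original article or from Azure docs).
# Restricts one storage account to one subnet two ways: (A) service endpoint + network rules,
# (B) private endpoint + private DNS zone, then checks that DNS really lands on the private
# endpoint. Every name, the subscription ID and the VNet range are assumed placeholders.
set -eu

RG="${RG:-rg-network-demo}"
VNET="${VNET:-vnet-hub}"
SUBNET="${SUBNET:-snet-workload}"
STORAGE="${STORAGE:-stdemosecure01}"                       # storage account name (assumed)
SUB_ID="${SUB_ID:-00000000-0000-0000-0000-000000000000}"   # subscription ID (placeholder)
PE_NAME="${PE_NAME:-pe-${STORAGE}-blob}"
ZONE="privatelink.blob.core.windows.net"                   # private DNS zone for blob endpoints
VNET_GLOB="${VNET_GLOB:-10.0.*}"                           # shell glob for the VNet range (assumed 10.0.0.0/16)
# ARM resource IDs are deterministic, so the account's ID can be built without a lookup.
STORAGE_ID="/subscriptions/$SUB_ID/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/$STORAGE"

# run: execute an az command, or only print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# (A) Service endpoint. Traffic still goes to the account's public IP, but over the Azure
# backbone carrying the subnet's identity, so the storage firewall can admit only that subnet.
# Order matters: set the default action to Deny last, or the subnet is locked out too until
# its rule exists.
service_endpoint_lockdown() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Storage
  run az storage account network-rule add --resource-group "$RG" --account-name "$STORAGE" \
    --vnet-name "$VNET" --subnet "$SUBNET"
  run az storage account update --resource-group "$RG" --name "$STORAGE" --default-action Deny
}

# (B) Private endpoint. A NIC in the subnet gets a private IP fronting the blob sub-resource.
# Without the privatelink zone and zone group, clients keep resolving the public IP and the
# private endpoint is silently bypassed, so the DNS steps are not optional.
private_endpoint_lockdown() {
  run az network private-endpoint create --resource-group "$RG" --name "$PE_NAME" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$STORAGE_ID" --group-id blob \
    --connection-name "${PE_NAME}-conn"
  run az network private-dns zone create --resource-group "$RG" --name "$ZONE"
  run az network private-dns link vnet create --resource-group "$RG" --zone-name "$ZONE" \
    --name "link-$VNET" --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create --resource-group "$RG" \
    --endpoint-name "$PE_NAME" --name default --private-dns-zone "$ZONE" --zone-name blob
  # With the private path in place, the public endpoint can be switched off completely.
  run az storage account update --resource-group "$RG" --name "$STORAGE" \
    --public-network-access Disabled
}

# addr_in_vnet IP: succeeds when IP falls inside the VNet range (glob match, no external tools)
addr_in_vnet() {
  case "$1" in
    $VNET_GLOB) return 0 ;;
    *) return 1 ;;
  esac
}

# check_resolution: run from a VM inside the VNet. Fails if the account name still resolves
# to a public address, which means the private endpoint is not actually being used.
check_resolution() {
  ip=$(dig +short "$STORAGE.blob.core.windows.net" | tail -n 1)
  if addr_in_vnet "$ip"; then
    printf 'OK: %s resolves to private endpoint %s\n' "$STORAGE" "$ip"
  else
    printf 'FAIL: %s resolves to %s (public path still in use)\n' "$STORAGE" "$ip" >&2
    return 1
  fi
}

# Usage: DRY_RUN=1 ./lockdown.sh service-endpoint | private-endpoint      ./lockdown.sh check
case "${1:-}" in
  service-endpoint) service_endpoint_lockdown ;;
  private-endpoint) private_endpoint_lockdown ;;
  check) check_resolution ;;
esac
```

The two options differ in what the client sees: with option A the account still answers on its public address and only the firewall decides who gets in, so `check_resolution` will report a public IP and that is expected; with option B it must report an address inside the VNet, and a public address there means the DNS zone is missing, not linked to the VNet, or the client is using a resolver that does not see it.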



 Ireland | Bobby Abuchi