Tutorial: Route network traffic with a route table

• An Azure account with an active subscription. You can create an account for free.

• An Azure account with an active subscription. You can create an account for free.

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option	Example/Link
Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.

To use Azure Cloud Shell:

1. Start Cloud Shell.

2. Select the Copy button on a code block (or command block) to copy the code or command.

3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

4. Select Enter to run the code or command.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

If you don't have an Azure subscription, create an Azure free account before you begin.

• Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.

  

• If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

  • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

• This article requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

The following procedure creates a virtual network with a resource subnet, an Azure Bastion subnet, and a Bastion host:

1. In the portal, search for and select Virtual networks.

2. On the Virtual networks page, select + Create.

3. On the Basics tab of Create virtual network, enter, or select the following information:

   Развернуть таблицу

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select Create new. Enter test-rg for the name. Select OK.
   Instance details
   Name	Enter vnet-1.
   Region	Select East US 2.

   

4. Select Next to proceed to the Security tab.

5. In the Azure Bastion section, select Enable Azure Bastion.

   Bastion uses your browser to connect to VMs in your virtual network over Secure Shell (SSH) or Remote Desktop Protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information, see What is Azure Bastion?.

   Примечание

   Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it.

6. In Azure Bastion, enter or select the following information:

   Развернуть таблицу

   Setting	Value
   Azure Bastion host name	Enter bastion.
   Azure Bastion public IP address	Select Create a public IP address. Enter public-ip-bastion in Name. Select OK.

   

7. Select Next to proceed to the IP Addresses tab.

8. In the address space box in Subnets, select the default subnet.

9. In Edit subnet, enter or select the following information:

   Развернуть таблицу

   Setting	Value
   Subnet purpose	Leave the default of Default.
   Name	Enter subnet-1.
   IPv4
   IPv4 address range	Leave the default of 10.0.0.0/16.
   Starting address	Leave the default of 10.0.0.0.
   Size	Leave the default of /24 (256 addresses).

   

10. Select Save.

11. Select Review + create at the bottom of the window. When validation passes, select Create.

1. In the search box at the top of the portal, enter Virtual network. Select Virtual networks in the search results.

2. In Virtual networks, select vnet-1.

3. In vnet-1, select Subnets from the Settings section.

4. In the virtual network's subnet list, select + Subnet.

5. In Add subnet, enter or select the following information:

   Развернуть таблицу

   Setting	Value
   Subnet purpose	Leave the default of Default.
   Name	Enter subnet-private.
   IPv4
   IPv4 address range	Leave the default of 10.0.0.0/16.
   Starting address	Enter 10.0.2.0.
   Size	Leave the default of /24 (256 addresses).

6. Select Add.

7. Select + Subnet.

8. In Add subnet, enter or select the following information:

   Развернуть таблицу

   Setting	Value
   Subnet purpose	Leave the default of Default.
   Name	Enter subnet-dmz.
   IPv4
   IPv4 address range	Leave the default of 10.0.0.0/16.
   Starting address	Enter 10.0.3.0.
   Size	Leave the default of /24 (256 addresses).

9. Select Add.

Create a resource group with New-AzResourceGroup. The following example creates a resource group named test-rg for all resources created in this article.

$rg = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS2"
}
New-AzResourceGroup @rg

Create a virtual network with New-AzVirtualNetwork. The following example creates a virtual network named vnet-1 with the address prefix 10.0.0.0/16.

$vnet = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS2"
    Name = "vnet-1"
    AddressPrefix = "10.0.0.0/16"
}

$virtualNetwork = New-AzVirtualNetwork @vnet

Create four subnets by creating four subnet configurations with New-AzVirtualNetworkSubnetConfig. The following example creates four subnet configurations for Public, Private, DMZ, and Azure Bastion subnets.

$subnetConfigPublicParams = @{
    Name = "subnet-1"
    AddressPrefix = "10.0.0.0/24"
    VirtualNetwork = $virtualNetwork
}

$subnetConfigBastionParams = @{
    Name = "AzureBastionSubnet"
    AddressPrefix = "10.0.1.0/24"
    VirtualNetwork = $virtualNetwork
}

$subnetConfigPrivateParams = @{
    Name = "subnet-private"
    AddressPrefix = "10.0.2.0/24"
    VirtualNetwork = $virtualNetwork
}

$subnetConfigDmzParams = @{
    Name = "subnet-dmz"
    AddressPrefix = "10.0.3.0/24"
    VirtualNetwork = $virtualNetwork
}

$subnetConfigPublic = Add-AzVirtualNetworkSubnetConfig @subnetConfigPublicParams
$subnetConfigBastion = Add-AzVirtualNetworkSubnetConfig @subnetConfigBastionParams
$subnetConfigPrivate = Add-AzVirtualNetworkSubnetConfig @subnetConfigPrivateParams
$subnetConfigDmz = Add-AzVirtualNetworkSubnetConfig @subnetConfigDmzParams

Write the subnet configurations to the virtual network with Set-AzVirtualNetwork, which creates the subnets in the virtual network:

$virtualNetwork | Set-AzVirtualNetwork

Create a public IP address for the Azure Bastion host with New-AzPublicIpAddress. The following example creates a public IP address named public-ip-bastion in the vnet-1 virtual network.

$publicIpParams = @{
    ResourceGroupName = "test-rg"
    Name = "public-ip-bastion"
    Location = "EastUS2"
    AllocationMethod = "Static"
    Sku = "Standard"
}
New-AzPublicIpAddress @publicIpParams

Create an Azure Bastion host with New-AzBastion. The following example creates an Azure Bastion host named bastion in the AzureBastionSubnet subnet of the vnet-1 virtual network. Azure Bastion is used to securely connect Azure virtual machines without exposing them to the public internet.

$bastionParams = @{
    ResourceGroupName = "test-rg"
    Name = "bastion"
    VirtualNetworkName = "vnet-1"
    PublicIpAddressName = "public-ip-bastion"
    PublicIpAddressRgName = "test-rg"
    VirtualNetworkRgName = "test-rg"
}
New-AzBastion @bastionParams -AsJob

Create a resource group with az group create for all resources created in this article.

# Create a resource group.
az group create \
    --name test-rg \
    --location eastus2

Create a virtual network with one subnet with az network vnet create.

az network vnet create \
    --name vnet-1 \
    --resource-group test-rg \
    --address-prefix 10.0.0.0/16 \
    --subnet-name subnet-1 \
    --subnet-prefix 10.0.0.0/24

Create two more subnets with az network vnet subnet create.

# Create a bastion subnet.
az network vnet subnet create \
    --vnet-name vnet-1 \
    --resource-group test-rg \
    --name AzureBastionSubnet \
    --address-prefix 10.0.1.0/24

# Create a private subnet.
az network vnet subnet create \
    --vnet-name vnet-1 \
    --resource-group test-rg \
    --name subnet-private \
    --address-prefix 10.0.2.0/24

# Create a DMZ subnet.
az network vnet subnet create \
    --vnet-name vnet-1 \
    --resource-group test-rg \
    --name subnet-dmz \
    --address-prefix 10.0.3.0/24

Create a public IP address for the Azure Bastion host with az network public-ip create. The following example creates a public IP address named public-ip-bastion in the vnet-1 virtual network.

az network public-ip create \
    --resource-group test-rg \
    --name public-ip-bastion \
    --location eastus2 \
    --allocation-method Static \
    --sku Standard

Create an Azure Bastion host with az network bastion create. The following example creates an Azure Bastion host named bastion in the AzureBastionSubnet subnet of the vnet-1 virtual network. Azure Bastion is used to securely connect Azure virtual machines without exposing them to the public internet.

az network bastion create \
    --resource-group test-rg \
    --name bastion \
    --vnet-name vnet-1 \
    --public-ip-address public-ip-bastion \
    --location eastus2
    --no-wait

1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

2. Select + Create then Azure virtual machine.

3. In Create a virtual machine enter or select the following information in the Basics tab:

   Развернуть таблицу

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Virtual machine name	Enter vm-nva.
   Region	Select (US) East US 2.
   Availability options	Select No infrastructure redundancy required.
   Security type	Select Standard.
   Image	Select Ubuntu Server 24.04 LTS - x64 Gen2.
   VM architecture	Leave the default of x64.
   Size	Select a size.
   Administrator account
   Authentication type	Select Password.
   Username	Enter a username.
   Password	Enter a password.
   Confirm password	Reenter password.
   Inbound port rules
   Public inbound ports	Select None.

4. Select Next: Disks then Next: Networking.

5. In the Networking tab, enter or select the following information:

   Развернуть таблицу

   Setting	Value
   Network interface
   Virtual network	Select vnet-1.
   Subnet	Select subnet-dmz (10.0.3.0/24).
   Public IP	Select None.
   NIC network security group	Select Advanced.
   Configure network security group	Select Create new. In Name enter nsg-nva. Select OK.

6. Leave the rest of the options at the defaults and select Review + create.

7. Select Create.

Create the VM with New-AzVM. The following example creates a VM named vm-nva.

# Create a credential object
$cred = Get-Credential

# Define the VM parameters
$vmParams = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS2"
    Name = "vm-nva"
    ImageName = "Canonical:ubuntu-24_04-lts:server-gen1:latest"
    Size = "Standard_DS1_v2"
    Credential = $cred
    VirtualNetworkName = "vnet-1"
    SubnetName = "subnet-dmz"
    PublicIpAddressName = $null  # No public IP address
}

# Create the VM
New-AzVM @vmParams

Create a VM to be used as the NVA in the subnet-dmz subnet with az vm create.

az vm create \
    --resource-group test-rg \
    --name vm-nva \
    --image Ubuntu2204 \
    --public-ip-address "" \
    --subnet subnet-dmz \
    --vnet-name vnet-1 \
    --admin-username azureuser \
    --authentication-type password

The VM takes a few minutes to create. Don't continue to the next step until Azure finishes creating the VM and returns output about the VM.

1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

2. Select + Create then Azure virtual machine.

3. In Create a virtual machine enter or select the following information in the Basics tab:

   Развернуть таблицу

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Virtual machine name	Enter vm-public.
   Region	Select (US) East US 2.
   Availability options	Select No infrastructure redundancy required.
   Security type	Select Standard.
   Image	Select Ubuntu Server 24.04 LTS - x64 Gen2.
   VM architecture	Leave the default of x64.
   Size	Select a size.
   Administrator account
   Authentication type	Select Password.
   Username	Enter a username.
   Password	Enter a password.
   Confirm password	Reenter password.
   Inbound port rules
   Public inbound ports	Select None.

4. Select Next: Disks then Next: Networking.

5. In the Networking tab, enter or select the following information:

   Развернуть таблицу

   Setting	Value
   Network interface
   Virtual network	Select vnet-1.
   Subnet	Select subnet-1 (10.0.0.0/24).
   Public IP	Select None.
   NIC network security group	Select None.

6. Leave the rest of the options at the defaults and select Review + create.

7. Select Create.

1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

2. Select + Create then Azure virtual machine.

3. In Create a virtual machine enter or select the following information in the Basics tab:

   Развернуть таблицу

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Virtual machine name	Enter vm-private.
   Region	Select (US) East US 2.
   Availability options	Select No infrastructure redundancy required.
   Security type	Select Standard.
   Image	Select Ubuntu Server 24.04 LTS - x64 Gen2.
   VM architecture	Leave the default of x64.
   Size	Select a size.
   Administrator account
   Authentication type	Select Password.
   Username	Enter a username.
   Password	Enter a password.
   Confirm password	Reenter password.
   Inbound port rules
   Public inbound ports	Select None.

4. Select Next: Disks then Next: Networking.

5. In the Networking tab, enter or select the following information:

   Развернуть таблицу

   Setting	Value
   Network interface
   Virtual network	Select vnet-1.
   Subnet	Select subnet-private (10.0.2.0/24).
   Public IP	Select None.
   NIC network security group	Select None.

6. Leave the rest of the options at the defaults and select Review + create.

7. Select Create.

Create a VM in the subnet-1 subnet with New-AzVM. The following example creates a VM named vm-public in the subnet-public subnet of the vnet-1 virtual network.

# Create a credential object
$cred = Get-Credential

# Define the VM parameters
$vmParams = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS2"
    Name = "vm-public"
    ImageName = "Canonical:ubuntu-24_04-lts:server-gen1:latest"
    Size = "Standard_DS1_v2"
    Credential = $cred
    VirtualNetworkName = "vnet-1"
    SubnetName = "subnet-1"
    PublicIpAddressName = $null  # No public IP address
}

# Create the VM
New-AzVM @vmParams

Create a VM in the subnet-private subnet.

# Create a credential object
$cred = Get-Credential

# Define the VM parameters
$vmParams = @{
    ResourceGroupName = "test-rg"
    Location = "EastUS2"
    Name = "vm-private"
    ImageName = "Canonical:ubuntu-24_04-lts:server-gen1:latest"
    Size = "Standard_DS1_v2"
    Credential = $cred
    VirtualNetworkName = "vnet-1"
    SubnetName = "subnet-private"
    PublicIpAddressName = $null  # No public IP address
}

# Create the VM
New-AzVM @vmParams

The VM takes a few minutes to create. Don't continue with the next step until the VM is created and Azure returns output to PowerShell.

Create a VM in the subnet-1 subnet with az vm create. The --no-wait parameter enables Azure to execute the command in the background so you can continue to the next command.

az vm create \
    --resource-group test-rg \
    --name vm-public \
    --image Ubuntu2204 \
    --vnet-name vnet-1 \
    --subnet subnet-1 \
    --public-ip-address "" \
    --admin-username azureuser \
    --authentication-type password \
    --no-wait

Create a VM in the subnet-private subnet.

az vm create \
    --resource-group test-rg \
    --name vm-private \
    --image Ubuntu2204 \
    --vnet-name vnet-1 \
    --subnet subnet-private \
    --public-ip-address "" \
    --admin-username azureuser \
    --authentication-type password

1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines in the search results.

2. In Virtual machines, select vm-nva.

3. In vm-nva, expand Networking then select Network settings.

4. Select the name of the interface next to Network Interface:. The name begins with vm-nva and has a random number assigned to the interface. The name of the interface in this example is vm-nva313.

   

5. In the network interface overview page, select IP configurations from the Settings section.

6. In IP configurations, select the box next to Enable IP forwarding.

   

7. Select Apply.

Enable IP forwarding for the network interface of the vm-nva virtual machine with Set-AzNetworkInterface. The following example enables IP forwarding for the network interface named vm-nva313.

$nicParams = @{
  Name = "vm-nva"
  ResourceGroupName = "test-rg"
}
$nic = Get-AzNetworkInterface @nicParams

$nic.EnableIPForwarding = $true

Set-AzNetworkInterface -NetworkInterface $nic

Enable IP forwarding for the network interface of the vm-nva virtual machine with az network nic update. The following example enables IP forwarding for the network interface named vm-nvaVMNic.

az network nic update \
    --name vm-nvaVMNic \
    --resource-group test-rg \
    --ip-forwarding true

1. In the search box at the top of the portal, enter Route table. Select Route tables in the search results.

2. Select + Create.

3. In Create Route table enter or select the following information:

   Развернуть таблицу

   Setting	Value
   Project details
   Subscription	Select your subscription.
   Resource group	Select test-rg.
   Instance details
   Region	Select East US 2.
   Name	Enter route-table-public.
   Propagate gateway routes	Leave the default of Yes.

4. Select Review + create.

5. Select Create.

In this section, create a route in the route table that you created in the previous steps.

1. In the search box at the top of the portal, enter Route table. Select Route tables in the search results.

2. Select route-table-public.

3. Expand Settings then select Routes.

4. Select + Add in Routes.

5. Enter or select the following information in Add route:

   Развернуть таблицу

   Setting	Value
   Route name	Enter to-private-subnet.
   Destination type	Select IP Addresses.
   Destination IP addresses/CIDR ranges	Enter 10.0.2.0/24.
   Next hop type	Select Virtual appliance.
   Next hop address	Enter 10.0.3.4. This is the IP address of the vm-nva you created in the earlier steps..

6. Select Add.

7. Select Subnets in Settings.

8. Select + Associate.

9. Enter or select the following information in Associate subnet:

   Развернуть таблицу

   Setting	Value
   Virtual network	Select vnet-1 (test-rg).
   Subnet	Select subnet-1.

10. Select OK.

Create a route table with New-AzRouteTable. The following example creates a route table named route-table-public.

$routeTableParams = @{
    Name = 'route-table-public'
    ResourceGroupName = 'test-rg'
    Location = 'eastus2'
}
$routeTablePublic = New-AzRouteTable @routeTableParams

Create a route by retrieving the route table object with Get-AzRouteTable, create a route with Add-AzRouteConfig, then write the route configuration to the route table with Set-AzRouteTable.

$routeTableParams = @{
    ResourceGroupName = "test-rg"
    Name = "route-table-public"
}

$routeConfigParams = @{
    Name = "to-private-subnet"
    AddressPrefix = "10.0.2.0/24"
    NextHopType = "VirtualAppliance"
    NextHopIpAddress = "10.0.3.4"
}

$routeTable = Get-AzRouteTable @routeTableParams
$routeTable | Add-AzRouteConfig @routeConfigParams | Set-AzRouteTable

Associate the route table with the subnet-1 subnet with Set-AzVirtualNetworkSubnetConfig. The following example associates the route-table-public route table with the subnet-1 subnet.

$vnetParams = @{
    Name = 'vnet-1'
    ResourceGroupName = 'test-rg'
}
$virtualNetwork = Get-AzVirtualNetwork @vnetParams

$subnetParams = @{
    VirtualNetwork = $virtualNetwork
    Name = 'subnet-1'
    AddressPrefix = '10.0.0.0/24'
    RouteTable = $routeTablePublic
}
Set-AzVirtualNetworkSubnetConfig @subnetParams | Set-AzVirtualNetwork

Create a route table with az network route-table create. The following example creates a route table named route-table-public.

# Create a route table
az network route-table create \
    --resource-group test-rg \
    --name route-table-public

Create a route in the route table with az network route-table route create.

az network route-table route create \
    --name to-private-subnet \
    --resource-group test-rg \
    --route-table-name route-table-public \
    --address-prefix 10.0.2.0/24 \
    --next-hop-type VirtualAppliance \
    --next-hop-ip-address 10.0.3.4

Associate the route-table-subnet-public route table to the subnet-1 subnet with az network vnet subnet update.

az network vnet subnet update \
    --vnet-name vnet-1 \
    --name subnet-1 \
    --resource-group test-rg \
    --route-table route-table-public

When you finish using the resources that you created, you can delete the resource group and all its resources.

1. In the Azure portal, search for and select Resource groups.

2. On the Resource groups page, select the test-rg resource group.

3. On the test-rg page, select Delete resource group.

4. Enter test-rg in Enter resource group name to confirm deletion, and then select Delete.

When no longer needed, use Remove-AzResourcegroup to remove the resource group and all of the resources it contains.

$rgParams = @{
    Name = "test-rg"
}
Remove-AzResourceGroup @rgParams -Force

When no longer needed, use az group delete to remove the resource group and all of the resources it contains.

az group delete \
    --name test-rg \
    --yes \
    --no-wait