Route tables and impact on service tag VirtualNetwork
jpjm opened this issue · 2 comments
Creating an issue
We prefer that you create documentation feedback issues using the Feedback link on the published article - the feedback control on the doc page creates an issue that contains all the article details so you can focus on the feedback part.
I did look for this option but it's not appearing any more inside Learn regardless of whether I am logged in, using an ad blocker etc.
This feedback is related to https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal and probably also relevant in https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
My test environment for this is a single vnet with address space 10.0.0.0/24. There are two subnets in this vnet, 10.0.0.8/29 for a client VM and 10.0.0.0/29 for a router VM. When I associate a route table to a subnet, it looks like the destinations within that table are added to the VirtualNetwork service tag and then used within the default NSG rules to permit outbound traffic to the virtual appliance. However, if the custom route is not to a destination already in the vnet IP space, it is necessary to add an inbound rule to the NSG managing traffic for the virtual appliance, as it doesn't have the route associated and therefore doesn't have the destination route in the VirtualNetwork service tag.
I can't see a reference in the route table documentation that VirtualNetwork is updated to contain the custom route destinations in this way (but it is in the service tag documentation https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#:~:text=and%20address%20prefixes%20used%20on%20user%2Ddefined%20routes), and it would be good to expand on the example in https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal to show that if the route is to a destination outside of the vnet, the NSG on the virtual appliance will need updating.
It also creates a situation where the VirtualNetwork tag values can be different within the same vnet. While that isn't a documentation feedback point, it might be worth discussing whether adding a feature to Network Watcher to show the networks associated with a service tag on a selected NIC might be a useful tool to have.
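The following is an added illustration, not code from the issue author or from Microsoft. It models the behaviour the issue describes, using the service-tag documentation's statement that VirtualNetwork includes "address prefixes used on user-defined routes": the tag is expanded per subnet from the vnet address space plus the destinations of the route table associated with that subnet, and the NSG default rules are then evaluated in priority order. The lab addresses are the issue's 10.0.0.0/24 vnet and its two /29 subnets; the external prefix 192.168.0.0/16, the NVA address 10.0.0.4, the client address 10.0.0.12 and the rule name AllowFromClientToExternal are constructed for the example. Peered vnets, gateway-learned prefixes and the Internet/AzureLoadBalancer tags are deliberately left out of the model.

```python
"""Model of per-subnet VirtualNetwork service tag expansion and NSG
default-rule evaluation. Added example, not Azure's implementation; the
sample addresses and rule names are constructed for this illustration."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "*"


@dataclass
class Route:
    address_prefix: str          # UDR destination prefix
    next_hop_type: str           # e.g. "VirtualAppliance"
    next_hop_ip: Optional[str] = None


@dataclass
class Rule:
    name: str
    priority: int                # lower number wins, as in an NSG
    direction: str               # "Inbound" or "Outbound"
    source: str                  # CIDR, service tag, or "*"
    destination: str
    access: str                  # "Allow" or "Deny"


@dataclass
class Subnet:
    name: str
    prefix: str
    routes: list = field(default_factory=list)      # routes of the associated route table
    nsg_rules: list = field(default_factory=list)   # custom rules on the subnet's NSG


# Azure's default NSG rules (priorities and tags as documented by Microsoft).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", ANY, "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", ANY, ANY, "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", ANY, "Internet", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", ANY, ANY, "Deny"),
]


def virtual_network_tag(vnet_prefixes, subnet):
    """Effective VirtualNetwork tag for NICs in `subnet`: the vnet address
    space plus the destination prefixes of UDRs on that subnet's route table.
    This is the per-subnet expansion the issue describes (assumption)."""
    prefixes = {ip_network(p) for p in vnet_prefixes}
    prefixes |= {ip_network(r.address_prefix) for r in subnet.routes}
    return prefixes


def effective_tag_strings(vnet_prefixes, subnet):
    """Same as virtual_network_tag, as sorted CIDR strings for display/tests."""
    return sorted(str(p) for p in virtual_network_tag(vnet_prefixes, subnet))


def _matches(spec, ip, tag_prefixes):
    if spec == ANY:
        return True
    if spec == "VirtualNetwork":
        return any(ip in p for p in tag_prefixes)
    if spec in ("Internet", "AzureLoadBalancer"):
        return False  # not modelled; this example only follows vnet traffic
    return ip in ip_network(spec)


def evaluate(vnet_prefixes, subnet, direction, src, dst):
    """Return (rule name, access) of the first matching rule in priority
    order, combining the subnet's custom rules with the default rules."""
    tag = virtual_network_tag(vnet_prefixes, subnet)
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in sorted(subnet.nsg_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if _matches(r.source, src_ip, tag) and _matches(r.destination, dst_ip, tag):
            return r.name, r.access
    return None, "Deny"


VNET = ["10.0.0.0/24"]           # the issue's vnet
EXTERNAL = "192.168.0.0/16"      # constructed destination outside the vnet


def build_lab(fix_nva_nsg):
    """Client subnet with a UDR to EXTERNAL via the NVA; router subnet with
    no route table. With fix_nva_nsg=True the NVA NSG gets the inbound
    rule the issue says is needed (rule name is constructed)."""
    router = Subnet("router", "10.0.0.0/29")
    client = Subnet("client", "10.0.0.8/29",
                    routes=[Route(EXTERNAL, "VirtualAppliance", "10.0.0.4")])
    if fix_nva_nsg:
        router.nsg_rules.append(
            Rule("AllowFromClientToExternal", 100, "Inbound", "10.0.0.8/29", EXTERNAL, "Allow"))
    return client, router


def check_flow(fix_nva_nsg=False, src="10.0.0.12", dst="192.168.1.5"):
    """Evaluate one client-to-external packet: outbound on the client NIC,
    then inbound on the NVA NIC (destination IP is unchanged by the UDR)."""
    client, router = build_lab(fix_nva_nsg)
    outbound = evaluate(VNET, client, "Outbound", src, dst)
    inbound = evaluate(VNET, router, "Inbound", src, dst)
    return outbound, inbound


if __name__ == "__main__":
    client, router = build_lab(False)
    print("client tag:", effective_tag_strings(VNET, client))
    print("router tag:", effective_tag_strings(VNET, router))
    print("without NVA rule:", check_flow(False))
    print("with NVA rule:   ", check_flow(True))
```

Without the extra rule the client's outbound is allowed by AllowVnetOutBound (its tag now contains 192.168.0.0/16), while the same packet is dropped by DenyAllInBound on the NVA NIC, whose tag does not; adding an inbound rule on the NVA subnet's NSG is what makes the flow complete, which is the point the issue asks the tutorial to spell out.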
@jpjm
Thanks for your feedback! We will investigate and update as appropriate.
@jpjm
Thanks for your feedback! I've assigned this issue to the author who will investigate and update as appropriate.