Route Network Traffic With a Route Table

Create a virtual network

In this section, you’ll create a virtual network, three subnets, and a bastion host. You’ll use the bastion host to securely connect to the virtual machines.

1. From the Azure portal menu, select + Create a resource > Networking > Virtual network, or search for Virtual Network in the portal search box.
2. Select Create.
3. On the Basics tab of Create virtual network, enter or select this information:
   1. Subscription: Select your subscription.
   2. Resource group: Select Create new, enter myResourceGroup.
   3. Name: Enter myVirtualNetwork.
   4. Region: Select East US.
4. Select the IP Addresses tab, or select the Next: IP Addresses button at the bottom of the page.
5. In IPv4 address space, select the existing address space and change it to 10.0.0.0/16.
6. Select + Add subnet, then enter Public for Subnet name and 10.0.0.0/24 for Subnet address range.
7. Select Add.
8. Select + Add subnet, then enter Private for Subnet name and 10.0.1.0/24 for Subnet address range.
9. Select Add.
10. Select + Add subnet, then enter DMZ for Subnet name and 10.0.2.0/24 for Subnet address range.
11. Select Add.
12. Select the Security tab, or select the Next: Security button at the bottom of the page.
13. Under BastionHost, select Enable. Enter this information:
    1. Bastion name: Enter myBastionHost.
    2. AzureBastionSubnet address space: Enter 10.0.3.0/24.
    3. Enter: myBastionIP for Name.
14. Select the Review + create tab or select the Review + create button.
15. Select Create.

Create an NVA virtual machine

1. From the Azure portal menu, select + Create a resource > Compute > Virtual machine, or search for Virtual machine in the portal search box.
2. Select Create.
3. On the Basics tab of Create a virtual machine, enter or select this information:
   1. Subscription: Select your subscription.
   2. Resource Group: Select myResourceGroup.
   3. Virtual machine name: Enter myVMNVA.
   4. Region: Select (US) East US.
   5. Availability Options: Select No infrastructure redundancy required.
   6. Security type: Select Standard.
   7. Image: Select Windows Server 2019 Datacenter - Gen2.
   8. Azure Spot instance: Select No.
   9. Size: Choose VM size or take default setting.
   10. Username: Enter a username.
   11. Password: Enter a password. The password must be at least 12 characters long and meet the defined complexity requirements.
   12. Confirm password: Reenter password.
4. Select the Networking tab, or select Next: Disks, then Next: Networking.
5. In the Networking tab, select or enter:
   1. Virtual network: Select myVirtualNetwork.
   2. Subnet: Select DMZ
   3. Public IP: Select None
   4. NIC network security group: Select Basic
   5. Public inbound ports network: Select None.
6. Select the Review + create tab, or select Review + create button at the bottom of the page.
7. Review the settings, and then select Create.

Create a route table

1. From the Azure portal menu, select + Create a resource > Networking > Route table, or search for Route table in the portal search box.
2. Select Create.
3. On the Basics tab of Create route table, enter or select this information:
   1. Subscription: Select your subscription.
   2. Resource group: Select myResourceGroup.
   3. Region: Select East US.
   4. Name: Enter myRouteTablePublic.
   5. Propagate gateway routes: Select Yes.
      
4. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

Create a route

1. Select Go to resource or Search for myRouteTablePublic in the portal search box.
2. In the myRouteTablePublic page, select Routes from the Settings section.
3. In the Routes page, select the + Add button.
4. In Add route, enter or select this information:
   
5. Select Add.

Associate a route table to a subnet

1. Search for myVirtualNetwork in the portal search box.
2. In the myVirtualNetwork page, select Subnets from the Settings section.
3. In the virtual network’s subnet list, select Public.
4. In Route table, select myRouteTablePublic that you created in the previous steps.
5. Select Save to associate your route table to the Public subnet.
   

Create public and private virtual machines

Create public virtual machine

1. From the Azure portal menu, select Create a resource > Compute > Virtual machine.
2. In Create a virtual machine, enter or select this information in the Basics tab:
   1. Subscription: Select your subscription.
   2. Resource Group: Select myResourceGroup.
   3. Virtual machine name: Enter myVMPublic.
   4. Region: Select (US) East US.
   5. Availability Options: Select No infrastructure redundancy required.
   6. Security type: Select Standard.
   7. Image: Select Windows Server 2019 Datacenter – Gen2.
   8. Azure Spot instance: Select No.
   9. Size: Choose VM size or take default setting.
   10. Username: Enter a username.
   11. Password: Enter a password. The password must be at least 12 characters long and meet the defined complexity requirements.
       Confirm password Reenter password.
   12. Public inbound ports: Select None.
3. Select the Networking tab, or select Next: Disks, then Next: Networking.
4. In the Networking tab, select or enter:
   1. Virtual network: Select myVirtualNetwork.
   2. Subnet: Select Public.
   3. Public IP: Select None.
   4. NIC network security group: Select Basic.
   5. Public inbound ports network: Select None.
5. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.
6. Review the settings, and then select Create.

Create private virtual machine

1. From the Azure portal menu, select Create a resource > Compute > Virtual machine.
2. In Create a virtual machine, enter or select this information in the Basics tab:
   1. Subscription: Select your subscription.
   2. Resource Group: Select myResourceGroup.
   3. Virtual machine name: Enter myVMPrivate.
   4. Region: Select (US) East US.
   5. Availability Options: Select No infrastructure redundancy required.
   6. Security type: Select Standard.
   7. Image: Select Windows Server 2019 Datacenter – Gen2.
   8. Azure Spot instance: Select No.
   9. Size: Choose VM size or take default setting.
3. Select the Networking tab, or select Next: Disks, then Next: Networking.
4. In the Networking tab, select or enter:
   1. Virtual network: Select myVirtualNetwork.
   2. Subnet: Select Private.
   3. Public IP: Select None.
   4. NIC network security group: Select Basic.
   5. Public inbound ports network: Select None.
5. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.
6. Review the settings, and then select Create.

Allow ICMP in Windows firewall

1. Select Go to resource or Search for myVMPrivate in the portal search box.
2. In the Overview page of myVMPrivate, select Connect then Bastion.
3. Enter the username and password you created for myVMPrivate virtual machine previously.
4. Select Connect button.
5. Open Windows PowerShell after you connect.
6. Enter this command:

   New-NetFirewallRule –DisplayName "Allow ICMPv4-In" –Protocol ICMPv4

7. From PowerShell, open a remote desktop connection to the myVMPublic virtual machine:

   mstsc /v:myvmpublic

8. After you connect to myVMPublic VM, open Windows PowerShell and enter the same command from step 6.
9. Close the remote desktop connection to myVMPublic VM.

Turn on IP forwarding

To route traffic through the NVA, turn on IP forwarding in Azure and in the operating system of myVMNVA virtual machine. Once IP forwarding is enabled, any traffic received by myVMNVA VM that’s destined for a different IP address, won’t be dropped and will be forwarded to the correct destination.

1. Search for myVMNVA in the portal search box.
2. In the myVMNVA overview page, select Networking from the Settings section.
3. In the Networking page of myVMNVA, select the network interface next to Network Interface:. The name of the interface will begin with myvmnva.
   
4. In the network interface overview page, select IP configurations from the Settings section.
5. In the IP configurations page, set IP forwarding to Enabled, then select Save.
   

Turn on IP forwarding in the operating system

1. From PowerShell on myVMPrivate VM, open a remote desktop connection to the myVMNVA VM:

   mstsc /v:myvmnva

2. After you connect to myVMNVA VM, open Windows PowerShell and enter this command to turn on IP forwarding:

   Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter -Value 1

3. Restart myVMNVA VM.

   Restart-Computer

Test network traffic from myVMPublic VM to myVMPrivate VM

1. From PowerShell on myVMPrivate VM, open a remote desktop connection to the myVMPublic VM:

   mstsc /v:myvmpublic

2. After you connect to myVMPublic VM, open Windows PowerShell and enter this tracert command to trace the routing of network traffic from myVMPublic VM to myVMPrivate VM:

   tracert myvmprivate

   You can see that there are two hops in the above response for tracert ICMP traffic from myVMPublic VM to myVMPrivate VM. The first hop is myVMNVA VM, and the second hop is the destination myVMPrivate VM.

   Azure sent the traffic from Public subnet through the NVA and not directly to Private subnet because you previously added ToPrivateSubnet route to myRouteTablePublic route table and associated it to Public subnet.

3. Close the remote desktop connection to myVMPublic VM.

Test network traffic from myVMPrivate VM to myVMPublic VM

1. From PowerShell on myVMPrivate VM, and enter this tracert command to trace the routing of network traffic from myVmPrivate VM to myVmPublic VM.

   tracert myvmpublic

   You can see that there’s one hop in the above response, which is the destination myVMPublic virtual machine.

   Azure sent the traffic directly from Private subnet to Public subnet. By default, Azure routes traffic directly between subnets.

2. Close the bastion session.