When you deploy infrastructure in a public cloud environment like Azure, AWS, or Google Cloud, one of the foundational pieces of networking you’ll encounter is the route table.
Route tables define how network traffic flows between different parts of your environment whether between subnets, virtual networks, the internet, or private resources like VPNs and firewalls. Done right, they enable controlled, efficient, and secure communication across cloud workloads. Done wrong, they can cause application failures, security risks, or service disruptions.
This post breaks down what route tables are, how they work in cloud environments, and what best practices businesses should follow.
What Is a Route Table?
A route table is a set of rules (routes) that determine where network traffic is sent based on the destination IP address.
Each rule in the table consists of:
- Destination: The IP address range the route applies to (e.g.,
10.1.0.0/16,0.0.0.0/0) - Next hop: Where traffic is forwarded (e.g., a virtual appliance, internet gateway, or another subnet)
In traditional networks, this logic exists in routers and firewalls. In the cloud, you define these routing behaviors directly at the subnet or network interface level using cloud-native route tables.
How Route Tables Work in Azure and AWS
Azure
In Microsoft Azure, route tables are called User-Defined Routes (UDRs) and are associated with subnets in a Virtual Network (VNet).
Default behavior:
- Azure automatically creates system routes that allow communication within the VNet.
- Internet traffic is routed through a default gateway.
- You can override or add routes using custom UDRs.
Common next hop types in Azure:
- Virtual network gateway (for VPNs)
- Internet
- Virtual appliance (e.g., firewall or NVA)
- None (drop the traffic)
AWS
In Amazon Web Services, each VPC (Virtual Private Cloud) has one or more route tables that you associate with subnets.
Default behavior:
- A main route table is automatically created for every VPC.
- Routes to other subnets in the VPC are included by default.
- You add custom routes for VPNs, NAT gateways, or peered VPCs.
Common next hops in AWS:
- Local (within the VPC)
- Internet Gateway
- NAT Gateway
- Virtual private gateway (for VPNs)
- VPC peering connection
Why Route Tables Matter in the Cloud
In cloud environments, routing is no longer something abstract that “just works.” You are expected to define your network architecture intentionally.
Use cases include:
- Controlling egress to the internet
- Prevent outbound internet access from specific subnets (e.g., backend servers)
- Directing traffic through a firewall or proxy
- Send all traffic from a subnet through a Network Virtual Appliance (NVA)
- Hybrid connectivity
- Route traffic destined for on prem networks through a VPN or ExpressRoute
- Spoke-to-spoke VNet communication
- In a hub-and-spoke design, you may need to add custom routes to allow communication between spoke VNets
Common Routing Scenarios
| Scenario | Destination | Next Hop |
|---|---|---|
| Internet access for users | 0.0.0.0/0 | Internet Gateway (AWS) / Internet (Azure) |
| Secure outbound via firewall | 0.0.0.0/0 | Virtual Appliance (NVA) |
| On-prem traffic via VPN | 10.0.0.0/8 | Virtual Network Gateway |
| East-West communication in hub-spoke | 10.2.0.0/16 | Hub NVA or Peering Gateway |
| Drop traffic to unwanted subnets | 10.99.0.0/16 | None |
Troubleshooting Tip
Route table misconfigurations are a common cause of cloud networking issues. If a VM or service can’t reach a destination:
- Check the route table associated with the subnet
- Ensure there’s a specific route to the destination
- Validate the next hop is reachable
- Confirm NSGs or security groups are not blocking traffic
Best Practices
- Keep route tables simple: Avoid unnecessary complexity unless your architecture requires it
- Use naming conventions: Identify route tables by purpose (e.g.,
RT-Web,RT-DB,RT-Spoke1) - Isolate sensitive traffic: Send certain subnets through firewalls or inspect outbound flows
- Audit changes: Use change tracking or automation to manage route modifications
- Test connectivity: Use
ping,tracert, or tools like Azure Network Watcher or AWS VPC Reachability Analyzer
How Exodata Helps
At Exodata, we help businesses design and manage secure, reliable cloud networks. Whether you’re migrating to Azure or AWS, or optimizing your existing environment, our experts ensure your routing is intentional, predictable, and compliant.
We offer:
- Cloud network architecture assessments
- Secure routing design for hub-and-spoke or hybrid networks
- Firewall and virtual appliance routing implementation
- Automated deployments using infrastructure as code
👉 Talk to us about how to streamline your cloud routing with confidence.
