NetworkingIntermediate45 min read

What Is User-defined route in Networking?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

A user-defined route is like a custom sign you put up on a network to tell traffic exactly where to go, instead of letting it follow the normal automatic paths. In cloud and traditional networks, these routes are used when you need traffic to go through a firewall, a virtual private network gateway, or a specific inspection appliance. They give you control over how data moves between subnets, virtual networks, and the internet.

Common Commands & Configuration

aws ec2 create-route --route-table-id rtb-12345678 --destination-cidr-block 0.0.0.0/0 --nat-gateway-id nat-0abcd

Creates a route in the specified route table that directs all traffic (0.0.0.0/0) to a NAT gateway for internet access from private subnets.

Commonly tested in AWS SAA: understanding when to use NAT gateway vs. internet gateway vs. virtual private gateway.

az network route-table route create --resource-group myGroup --route-table-name myRouteTable --name toFirewall --address-prefix 10.0.0.0/16 --next-hop-type VirtualAppliance --next-hop-ip-address 10.0.1.4

Creates a route in Azure that sends traffic destined for the 10.0.0.0/16 network to a virtual appliance firewall at IP 10.0.1.4.

Tested in AZ-104: you must know the next-hop-type values (VirtualAppliance, VirtualNetworkGateway, etc.) and their use cases.

gcloud compute routes create my-route --network=default --destination-range=192.168.0.0/16 --next-hop-vpn-tunnel=vpn-tunnel-1 --priority=200

Creates a route in Google Cloud that directs traffic to 192.168.0.0/16 through a VPN tunnel, with a priority of 200 (lower is higher preference).

Tested in Google ACE: understanding route priority and how it interacts with dynamic routing from Cloud Router.

aws ec2 enable-vgw-route-propagation --route-table-id rtb-12345678 --gateway-id vgw-98765432

Enables route propagation from a virtual private gateway into the specified route table, automatically adding BGP-learned routes from on-premises.

Critical for AWS SAA: route propagation must be enabled for hybrid connectivity; static routes take precedence over propagated routes.

New-AzRouteTable -ResourceGroupName 'RG1' -Name 'RouteTable1' -Location 'EastUS' $route = Get-AzRouteTable -ResourceGroupName 'RG1' -Name 'RouteTable1' Add-AzRouteConfig -RouteTable $route -Name 'ToOnPrem' -AddressPrefix '192.168.0.0/16' -NextHopType 'VirtualNetworkGateway' Set-AzRouteTable -RouteTable $route

PowerShell script to create a route table in Azure and add a route that sends traffic to the on-premises network via a virtual network gateway.

Tested in AZ-104: difference between using VirtualNetworkGateway for VPN/ExpressRoute and VirtualAppliance for third-party devices.

ip route 0.0.0.0 0.0.0.0 [next-hop-ip] (Cisco IOS command analog for static default route, often used in lab environments to emulate UDR concepts)

A static route in a traditional router that sets the default gateway, analogous to a cloud UDR for 0.0.0.0/0. Useful for understanding routing concepts.

Tested in CCNA and Network Plus: static routing basics, administrative distance, and why UDRs in the cloud differ from router static routes.

az network route-table update --resource-group myGroup --name myRouteTable --set disableBgpRoutePropagation=true

Disables BGP route propagation on an Azure route table, preventing dynamic routes from overriding custom UDRs.

Tested in AZ-104: when to disable propagation to maintain control over routing paths, especially in hub-and-spoke designs.

aws ec2 modify-subnet-attribute --subnet-id subnet-12345678 --map-public-ip-on-launch

Although not directly a route command, this modifies the subnet to assign a public IP to instances, which interacts with UDRs for internet access.

In AWS SAA exams, understanding how public IP assignment affects routing decisions (e.g., instances with public IPs ignore the default 0.0.0.0/0 route if it points to a NAT gateway).

User-defined route appears directly in 32exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →

Must Know for Exams

User-defined routes are a high-yield topic across multiple IT certification exams, particularly those focused on cloud networking and on-premises routing. The exam objectives for AWS Certified Solutions Architect Associate (SAA-C03) explicitly cover routing in VPCs, including user-defined routes, route tables, and how they interact with internet gateways, NAT gateways, and VPN connections. In the AWS SAA exam, you can expect scenario-based questions where you must design a VPC with public and private subnets, and you need to decide where a UDR is required (e.g., for forced tunneling all internet traffic through a VPN to a corporate data center).

For the CompTIA Network+ (N10-008) and CompTIA A+ exams, UDRs are covered in the context of routing fundamentals, static routes, and the difference between static and dynamic routing. Network+ exam objectives include routing table concepts, next-hop addresses, and administrative distance. Although Network+ does not focus deeply on cloud-specific UDRs, the core concept of a static route (which is essentially the on-premises equivalent of a UDR) is tested. You may see a question asking you to interpret a routing table and identify which route will be used for a given destination IP.

In the Cisco CCNA (200-301) exam, static routes and default routes are core topics. The CCNA curriculum covers configuring IPv4 and IPv6 static routes, including floating static routes (used as backup routes with a higher administrative distance). A static route in Cisco IOS is the classic example of a user-defined route. You must know how to configure it, verify it with show ip route, and understand prefix match logic. CCNA questions often present a network diagram and ask you to select the correct static route command to reach a remote network.

For Microsoft Azure (AZ-104), UDRs are a major topic under the network routing section. The exam covers Azure route tables, custom routes, system routes, and route propagation from virtual network gateways. You may be asked to troubleshoot a scenario where traffic is not flowing as expected between peered VNets, requiring you to add a UDR to the route table of a subnet. Azure also introduces the concept of forced tunneling by setting a default route (0.0.0.0/0) to a virtual appliance or VPN gateway.

For the CompTIA Security+ (SY0-601), UDRs are less central but appear in the context of network segmentation and traffic filtering. You might encounter a question about how to force traffic through a network firewall for inbound/outbound inspection, which is implemented using a UDR. For the Google Professional Cloud Architect (Google ACE), UDRs are covered as part of VPC networking, specifically custom static routes and dynamic routes via Cloud Router. Questions may involve designing a hybrid network with Cloud VPN or Direct Interconnect, and choosing between custom and dynamic routes.

In all these exams, the common thread is that UDRs are a way to implement policy-driven routing. Question types include multiple-choice questions that present a scenario and ask for the correct UDR configuration, as well as troubleshooting questions where you need to identify why traffic is not following the expected path. Be prepared to read route table entries and determine which route is most specific. Also, watch for traps related to route priority: a more specific UDR will override a less specific default route, even if the default route is a system route. Understanding the longest prefix match is crucial for exam success.

Simple Meaning

Imagine you live in a small town where there is one main road, and all traffic automatically follows that road to get from one place to another. That is the system-default route. Now imagine you build a new office on a side street, and you want all deliveries to go past a security checkpoint before arriving. You would put up custom road signs that say "Turn left for the office" and "All deliveries must go this way first." Those custom signs are like user-defined routes.

In networking, data travels in packets, kind of like individual letters traveling through a postal system. Normally, network devices like routers have a built-in map, called a routing table, that tells them where to send packets based on destination IP addresses. Without any manual changes, your network will send packets using these built-in default paths. However, sometimes you need packets to take a different route – for example, to be inspected by a security appliance, to go through a virtual private network (VPN) to another site, or to avoid a congested link.

User-defined routes let you insert your own rules into that routing table. You can tell the network: "If a packet is going to this specific destination, send it through this next-hop IP address instead of using the default path." This is a fundamental tool in cloud networking, especially in platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, as well as in traditional on-premises networks using routing protocols or static routes.

The beauty of user-defined routes is that they let you implement complex traffic policies without redesigning your entire network. For instance, you can force all outbound traffic to go through a centralized firewall for logging and filtering, or you can create a private path between two different cloud Virtual Private Clouds (VPCs) through a peering connection. They are the building blocks of network segmentation, security, and efficient data flow in modern IT environments.

Full Technical Definition

A user-defined route (UDR) is a manually configured route entry in a routing table, either in a cloud virtual network or on a physical router, that overrides or supplements the system-generated default routes. UDRs are essential for implementing custom traffic policies, such as forced tunneling, traffic inspection, or multi-homed connectivity, and are typically used when the default routing behavior of a network device or cloud service does not meet operational or security requirements.

In cloud networking, each Virtual Private Cloud (VPC) or virtual network (VNet) automatically gets a set of system routes. For example, in AWS, a VPC's main route table includes a local route for intra-VPC traffic (e.g., 10.0.0.0/16), a route to the internet via an internet gateway (0.0.0.0/0 -> igw-id), and a route to the virtual private gateway for VPN or Direct Connect. In Azure, a virtual network has default routes for internal traffic, internet-bound traffic (via a default route to the Azure backbone), and routes to peered networks using the Azure backbone. These default routes work for basic scenarios, but when you need to direct traffic through a network virtual appliance (NVA) like a firewall, intrusion detection system (IDS), or load balancer, you must create a UDR that overrides the default next hop.

A UDR consists of three key components: the destination prefix (CIDR block), the next hop type, and the next hop IP address (or instance ID). The destination prefix defines which traffic is affected, typically expressed in CIDR notation (e.g., 0.0.0.0/0 for all internet traffic, or 192.168.1.0/24 for a specific subnet). The next hop type specifies the kind of target – in AWS, options include internet gateway, NAT gateway, virtual private gateway, transit gateway, VPC peering connection, network interface, or instance ID. In Azure, next hop types include virtual appliance (with a private IP), virtual network gateway, internet, or none. The next hop IP address is the specific IP address of the target device, such as the private IP of an EC2 instance running firewall software or a virtual network gateway.

Routing precedence is critical in understanding UDR behavior. When a packet arrives at a router or cloud network edge, the system evaluates the routing table using the longest prefix match rule. The route with the most specific destination prefix (the longest subnet mask) wins over a less specific one. For example, a UDR with destination 10.0.1.0/24 will take precedence over the system's local route of 10.0.0.0/16 for traffic to 10.0.1.5. UDRs are typically placed at the subnet level in cloud environments, meaning each subnet in a VPC can have its own route table with a unique set of UDRs, allowing granular control per subnet.

Protocols and standards related to UDRs include Border Gateway Protocol (BGP), which is used in on-premises and some cloud environments to propagate routes dynamically. UDRs can coexist with BGP-learned routes, but administrative distance and route priority rules vary by platform. In AWS, BGP routes from Direct Connect or VPN have lower precedence than UDRs for the same destination, unless you use the longest prefix match. In Azure, BGP routes from ExpressRoute or VPN gateways can be overridden by UDRs, but you need to configure the route appropriately.

Real IT implementation aspects include forced tunneling (forcing all internet-bound traffic through an on-premises VPN or firewall for security auditing), multi-region and multi-VPC connectivity where UDRs direct traffic through transit gateways, and load balancing across multiple NVAs. UDRs can also be used for blackhole routing by setting a next hop to a non-existent or dropped interface, effectively blocking traffic to a specific destination. In traditional on-premises networks, UDRs are equivalent to static routes configured on routers or Layer 3 switches, which are used to reach networks not directly connected or to implement traffic engineering. Static routes are defined with a destination, mask, and next-hop IP, and are entered manually by network administrators.

Common standards like RFC 1918 for private IP addressing influence UDR design, as UDRs often involve private IP ranges. In cloud exam contexts (AWS SAA, Azure AZ-104, Google ACE), UDRs are tested as part of VPC/networking design, especially for hybrid connectivity, security group and NACL integration, and cost-optimized traffic flow. The implementation must consider route propagation, route table association, and propagation limits. In AWS, a VPC can have up to 200 route tables per VPC, and each route table can have up to 125 routes per table (though these limits are adjustable via service quotas).

Real-Life Example

Think of a large airport's baggage handling system. Every piece of luggage that comes off a plane has to go to the correct carousel. The airport has a default system: bags from domestic flights go to Carousel 1, and international bags go to Carousel 2. That is the default route. But now the airport decides that all bags from flights arriving from a specific high-security country must pass through an extra x-ray machine in a separate room before reaching the carousel. The airport cannot change the entire system, so they put up special signs for those specific bags: "All bags from Flight XY123: go to Room B for inspection first." That is your user-defined route.

In this analogy, the airport is your network, the planes are different sources of traffic (like subnets or the internet), the carousels are the final destinations (like a web server or a database). The default routing is the standard path that bags automatically follow. The special sign for bags from Flight XY123 is the UDR that sends those packets (bags) to a specific next hop (Room B) for processing (security inspection). After inspection, another UDR or default route takes the bag to its final carousel.

Now, imagine that a new airline starts operating and they want their bags to go to a completely different carousel because their ground crew is located there. The airport installs a special sign: "All bags from Airline Z: go to Carousel 6." This is another UDR. Over time, the airport has a mix of default routes for most flights and special custom routes for exceptions. Without UDRs, the airport would have to physically move all carousel assignments, which would be chaotic and inefficient. Similarly, in IT, UDRs allow you to apply custom traffic paths selectively without disrupting the entire network.

This analogy also helps explain a common mistake: if you put a UDR that points to Carousel 3 but that carousel is broken (the next-hop device is down), then bags will be lost. In networking, if a UDR points to an unreachable next hop, traffic is dropped, which can be a troubleshooting nightmare. Also, if you forget to remove a temporary UDR after the high-security flight leaves, it may continue to divert bags from other flights that were never meant to go to Room B. This is exactly why network administrators must carefully manage UDRs and remove them when no longer needed.

Why This Term Matters

User-defined routes matter because they give you the power to control network traffic in a way that default routes cannot. In modern IT infrastructure, especially in cloud environments, the ability to customize routing is critical for security, compliance, cost optimization, and performance. Without UDRs, you would be stuck with the built-in routing table that treats all outbound traffic the same, which is often insecure or inefficient.

Security is the primary driver. For example, in a corporate network that uses AWS, you might want to force all outbound traffic from a sensitive subnet (like a database subnet) to go through a centralized firewall or intrusion prevention system before reaching the internet. Without a UDR that sets the next hop to the firewall appliance, traffic would bypass inspection by using the default internet gateway route. Similarly, in a hybrid network connecting an on-premises data center to a cloud VPC, you might need all traffic between the two environments to traverse a dedicated VPN or Direct Connect circuit for encryption and monitoring. UDRs ensure that traffic does not accidentally leak over the public internet.

Cost optimization also comes into play. In a multi-region cloud deployment, you might have a NAT gateway or a transit gateway that is expensive to run. By using UDRs, you can direct only specific traffic through that expensive gateway while allowing other traffic to take the cheaper default route. For example, you could route traffic to a specific partner network through a private VPC peering connection (lower cost) instead of through a VPN (higher cost).

Performance is another factor. You might use a UDR to send traffic from one application tier to another through a more direct path, avoiding a congested interconnect. Or you might implement asymmetric routing intentionally to balance load across multiple firewalls. UDRs are the mechanism that makes such fine-grained traffic engineering possible.

Finally, in compliance-heavy industries like finance or healthcare, regulatory standards often mandate that all external traffic be inspected by a managed security appliance. UDRs are the tool used to enforce that requirement. Without them, auditors would see a gap between policy and actual traffic flow. For these reasons, understanding UDRs is not just an academic exercise – it is a practical skill that network engineers and cloud architects use daily.

How It Appears in Exam Questions

In IT certification exams, user-defined route questions typically fall into three categories: scenario-based design, configuration, and troubleshooting.

Scenario-based questions present a network architecture and ask you to determine where a UDR is required. For example, you might see a description of an AWS VPC with a public subnet (containing a web server) and a private subnet (containing a database). The question states that the database must not have direct internet access, but it must connect to an on-premises data center via a site-to-site VPN. The correct answer would involve adding a UDR to the private subnet's route table that directs all traffic destined for the on-premises network (e.g., 10.0.0.0/8) through the virtual private gateway. Another scenario might involve forcing all outbound internet traffic from a private subnet through a NAT gateway, which is actually a default route (0.0.0.0/0) pointing to the NAT gateway, but you need to ensure that route is in place.

Configuration questions ask you to identify the exact command or cloud console setting to create a UDR. In a Cisco CCNA context, you might be asked: "Which command adds a static route to network 192.168.2.0/24 with next-hop 10.0.0.1?" The answer is ip route 192.168.2.0 255.255.255.0 10.0.0.1. In AWS, you might be asked: "In the VPC route table, what next-hop option would you select to send traffic to a firewall instance?" The answer is the instance ID or the network interface of the firewall instance. In Azure, a question might present the portal interface for adding a route and ask which fields need to be filled: destination prefix, next hop type (virtual appliance), and next hop IP address.

Troubleshooting questions are common across all exams. A typical scenario: An organization has set up a VPN between their on-premises network and a cloud VPC. They can ping resources from on-premises to the cloud, but not from the cloud back to on-premises. The problem likely is that the VPC route table is missing a UDR for the on-premises IP range, and the default route (0.0.0.0/0) points to the internet gateway instead. The fix is to add a UDR for the on-premises prefix pointing to the VPN gateway. Another troubleshooting scenario: A user cannot access a web server behind a firewall NVA. You check the route tables: the public subnet has a default route to the internet gateway, and the private subnet has a default route to the NVA. But the NVA's own route table does not have a route back to the public subnet, so return traffic fails (asymmetric routing). The answer would be to add a UDR on the NVA's subnet pointing traffic for the public subnet to the internet gateway or directly to the subnet.

Questions may also combine UDRs with other concepts like VPC peering, transit gateways, or network ACLs. For instance: "A company has two VPCs peered together. They can communicate over the peering connection, but after adding a UDR to direct traffic through a firewall, communication breaks. What is the most likely cause?" The answer is that the return traffic is not matching the correct route because the peered VPC does not have a corresponding UDR pointing back. Correct design requires symmetric routes for such scenarios.

Finally, some exams test the priority of UDRs versus system routes. A typical question: "A VPC route table has a system local route for 10.0.0.0/16 and a UDR for 10.0.1.0/24 pointing to a VPN. A packet is sent to 10.0.1.5. Which route will be used?" The answer is the UDR because it is more specific. Learners must understand that a longer prefix (24) wins over a shorter prefix (16), regardless of whether it is system or custom.

Practise User-defined route Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You work for a company that uses Amazon Web Services (AWS). The company has a VPC with a public subnet and a private subnet. The public subnet contains a web server that needs to be accessible from the internet. The private subnet contains a backend database that should only be accessed by the web server. The company has a security policy that all outbound traffic from the database to the internet must be recorded for audit. There is a dedicated firewall appliance running on an EC2 instance in a third subnet (a management subnet).

Currently, the database can reach the internet using the VPC's default route (0.0.0.0/0) to the internet gateway. This violates the security policy. You must implement forced tunneling: any traffic originating from the private subnet and going to the internet must first pass through the firewall appliance.

To solve this, you create a custom route table for the private subnet. In that route table, you add a user-defined route: destination 0.0.0.0/0, next hop type: network interface of the firewall EC2 instance (or its instance ID). You also need to ensure that the firewall appliance itself can route traffic to the internet, so the firewall's own route table should have a default route (0.0.0.0/0) pointing to the internet gateway. After this configuration, when the database tries to reach an external website, the packet first goes to the firewall (due to the UDR), the firewall inspects and logs it, and then sends it to the internet gateway. This allows the company to meet its audit requirement.

Now, let us add complexity. The web server in the public subnet also needs to reach the database. The public subnet's route table currently has a local route (10.0.0.0/16) and a default route to the internet gateway. The database subnet has a local route (10.0.0.0/16) and the UDR for the firewall. For the web server to reach the database, the local route in both route tables covers intra-VPC traffic, so that works without any UDR. However, if the database tries to send a response to the web server, the response goes back via the local route because the destination (the web server's IP) is within the VPC CIDR. The UDR we added does not affect traffic within the VPC because it is more specific (0.0.0.0/0 vs 10.0.0.0/16). This is a common exam scenario that tests your understanding of route preference and the interplay between UDRs and system routes.

A mistake learners make here is to think that the UDR for 0.0.0.0/0 will also apply to traffic within the VPC. It does not, because the local route (10.0.0.0/16) is more specific. The UDR only applies to traffic whose destination does not match a more specific route. This scenario is excellent for demonstrating the concept of longest prefix match and the purpose of UDRs in enforcing security policy.

Common Mistakes

Assuming a user-defined route always overrides a system route regardless of specificity.

Route selection is based on the longest prefix match, not on whether the route is user-defined or system-generated. A system route with a more specific prefix (like a /24) will win over a UDR with a less specific prefix (like a /16).

Always compare the destination CIDR prefix length first. The route with the longest prefix wins, regardless of its source.

Forgetting to add a return route for symmetric traffic when using a Network Virtual Appliance.

When you force traffic through a firewall, the firewall must have a route that sends response traffic back to the source subnet. If the firewall's route table only has a default route to the internet, return traffic from the firewall to the original source will be sent to the internet instead, causing asymmetric routing and connection failure.

On the firewall, add a UDR that directs traffic destined for the source subnet back to the correct path, whether that is the internet gateway, a peering connection, or the VPC local route.

Placing a UDR for 0.0.0.0/0 in all subnets thinking it provides central control, without considering that it might break intra-VPC routing.

A 0.0.0.0/0 route only applies to traffic that does not match a more specific route. Intra-VPC traffic is covered by a local route (e.g., 10.0.0.0/16), so using 0.0.0.0/0 does not break it. However, if you accidentally delete the local system route (which is not possible in some platforms) or use a conflicting prefix, you can cause routing issues. Also, putting a 0.0.0.0/0 in a public subnet that goes to a firewall means internet-originated traffic to the public subnet would also go to the firewall first, which might not be intended.

Apply UDRs only to subnets where you need to override the default behavior. For public subnets, the default route to the internet gateway is usually correct. For private subnets, a default route to a NAT gateway or firewall is typical.

Thinking that UDRs can be applied globally to the entire VPC instead of per-subnet.

In AWS, Azure, and GCP, route tables are associated with individual subnets, not the entire VPC. A UDR placed in one route table affects only traffic originating from subnets associated with that route table. If you want the same rule for all subnets, you must associate each subnet with the custom route table, or modify the main route table, which then affects all subnets that do not have an explicit association.

Understand that route tables are subnet-level resources. Always specify which subnet the UDR applies to. Check the subnet association when troubleshooting.

Assuming that a UDR to a virtual appliance will work without changing the appliance's own routing.

When you send traffic to an NVA, the NVA must be configured to forward that traffic. In many OSes, IP forwarding must be enabled (e.g., sysctl net.ipv4.ip_forward=1 in Linux). Without it, the NVA will drop the packet even if the route table points to it. Also, the NVA's route table must have a route for the traffic's destination, or it cannot forward it further.

After creating the UDR, verify that the target instance has IP forwarding enabled and has its own routing table configured to route the traffic appropriately.

Confusing a UDR with a network ACL (NACL) or security group.

UDRs control the path traffic takes; NACLs and security groups control whether traffic is allowed or denied. A UDR does not filter traffic – it can only redirect it. A common misconception is that adding a UDR to a firewall will automatically block unwanted traffic; but without proper firewall rules on the appliance, the traffic may still pass.

Think of UDRs as signposts, not bouncers. They direct traffic, but they do not check credentials. Use NACLs and security groups for access control, and UDRs for path control.

Exam Trap — Don't Get Fooled

{"trap":"A question asks: 'You have a VPC with a public and a private subnet. You want all outbound internet traffic from the private subnet to go through a NAT gateway. You add a UDR in the private subnet's route table: destination 0.

0.0.0/0, target = NAT gateway. However, instances in the private subnet still cannot reach the internet. What is the problem?' Learners often answer that the NAT gateway is not in a public subnet or the route table is not associated."

,"why_learners_choose_it":"Learners assume the misconfiguration is about the NAT gateway's placement or route table association because those are common concepts. They also often forget the most basic requirement: the NAT gateway must have an Elastic IP and be in a public subnet with a route to the internet gateway.","how_to_avoid_it":"Always verify the NAT gateway's own setup.

The NAT gateway must be launched in a public subnet (one that has a 0.0.0.0/0 route to an internet gateway). The NAT gateway itself needs a public IP to translate the private IPs. The private subnet's UDR to the NAT gateway is correct, but if the NAT gateway cannot reach the internet due to missing EIP or incorrect routing, the traffic will fail.

Also, ensure the private subnet's route table includes a local route (VPC CIDR) or it will break internal communication. The trap is that many learners fixate on the UDR itself and ignore the underlying infrastructure requirements."

Commonly Confused With

User-defined routevsNetwork ACL (NACL)

A Network ACL is a stateless firewall that controls inbound and outbound traffic at the subnet level by allowing or denying packets based on rules. A user-defined route controls the path that traffic takes, not whether it is allowed. For example, a UDR might send traffic to a firewall, but the NACL on that subnet could still block the traffic before it reaches the firewall.

A UDR is like a road sign that directs traffic to a security checkpoint; a NACL is the checkpoint itself that can reject or let cars pass.

User-defined routevsSecurity Group

A security group acts as a stateful virtual firewall for instances, controlling inbound and outbound traffic at the instance level. It does not affect routing decisions. You can have a security group that allows all traffic, but if the UDR points to a dead next hop, the traffic will still be dropped. Conversely, a security group that blocks traffic will stop it even if the UDR is perfectly configured.

A security group is like a bouncer at a club entrance checking IDs; a UDR is the path the cab takes to get to the club.

User-defined routevsRoute Propagation (BGP)

Route propagation is a feature in cloud route tables that automatically adds routes learned via BGP from a VPN or Direct Connect (AWS) or ExpressRoute (Azure) to your route table. These are dynamic routes. User-defined routes are manually configured static routes. BGP-learned routes and UDRs coexist, but UDRs typically take precedence when there is a prefix conflict, unless the BGP route is more specific.

Route propagation is like having a GPS that updates your route in real time based on traffic; a UDR is like a printed map with a specific detour drawn in pen.

User-defined routevsDefault Route (0.0.0.0/0)

A default route is a catch-all route used when no other route matches the destination. It can be a system-generated route (like the default route in a VPC to an internet gateway) or a user-defined route (like a route to a NAT gateway). The term 'user-defined route' is broader – it includes any manually added route, not just the default route. A default route can be user-defined if you create it manually.

A default route is like a general delivery address for mail that does not have a specific street; a user-defined route can be that general address or a specific one you write yourself.

Step-by-Step Breakdown

1

Identify the traffic needing a custom path

First, determine which source subnets and destination IP ranges need a non-default route. For example, you may have a private subnet that must send all internet (0.0.0.0/0) traffic through a firewall, or you may need to route traffic to a specific on-premises network (10.10.0.0/16) through a VPN gateway. This step defines the destination prefix for your UDR.

2

Choose the next hop type and IP address

Decide what device will be the target for the traffic. In a cloud environment, next hop types include internet gateway, NAT gateway, virtual private gateway, transit gateway, network interface, or peering connection. The next hop IP must be reachable from the source subnet. For an NVA, you need the private IP of the appliance's network interface.

3

Create the custom route table (if needed) or locate the existing one

Cloud VPCs have a default route table (main route table) that applies to all subnets unless they have an explicit association. However, it is best practice to create a custom route table for each subnet that needs specific routing. This prevents affecting other subnets unintentionally. In AWS, you create a route table and then associate it with the desired subnet.

4

Add the UDR to the route table

In the cloud console (e.g., AWS VPC, Azure Route Tables), add a new route: specify the destination CIDR (e.g., 0.0.0.0/0 for all internet, or 192.168.1.0/24 for a specific network) and the target (next hop). In on-premises routers, you use a command like 'ip route 192.168.2.0 255.255.255.0 10.0.0.1'. Ensure you do not accidentally create duplicate routes that could cause routing loops.

5

Associate the route table with the subnet

After creating the route table with your UDR, associate it with the correct subnet. In cloud platforms, you navigate to the subnet properties and select the route table. If you skip this step, the subnet will still use the default (main) route table, and your UDR will not take effect.

6

Configure the next hop device properly

The target device (firewall, NVA, VPN gateway) must be configured to accept and forward the traffic. For an EC2 instance acting as a router, enable 'IP forwarding' in the instance's OS settings and in the AWS console (source/destination check must be disabled). For on-premises routers, ensure the interface is up and routing protocols are not conflicting. Also, the target device must have a route back to the source, or return traffic will fail.

7

Test the route and verify with trace tools

Use ping, traceroute, or cloud-specific diagnostics (like AWS Reachability Analyzer or Azure Network Watcher) to verify that traffic follows the intended path. For example, from an instance in the private subnet, run 'traceroute 8.8.8.8' and check that the first hop is the firewall's IP (your UDR target). Also, verify that response traffic returns correctly. If not, check routes on the target device and its network interfaces.

8

Monitor and maintain the UDR

UDRs are static, so they do not adapt to changes. If the target device fails or is replaced, the UDR will point to a dead next hop and traffic will be dropped. Regularly audit route tables for stale routes or misconfigurations. Consider using dynamic routing (BGP) for large environments to reduce manual maintenance. Document all UDRs with reason and date for future troubleshooting.

9

Remove or update the UDR when no longer needed

When the policy changes or a firewall is decommissioned, remove the associated UDR to avoid routing traffic into a black hole. In cloud platforms, delete the route from the route table. In on-premises routers, use 'no ip route' commands. Always test after removal to ensure connectivity is still functional via default routes or other paths.

User-Defined Route Fundamentals

A user-defined route (UDR) is a custom routing table entry in a virtual network that overrides the system default routes. In cloud environments like AWS, Azure, and Google Cloud, each subnet or virtual network interface is automatically assigned a system route table that handles basic traffic, such as directing traffic within the virtual network, routing internet-bound traffic through the internet gateway, and sending traffic to peered virtual networks. However, when network administrators need to enforce specific traffic paths, such as routing traffic through a network virtual appliance (NVA) for inspection, or sending traffic to a virtual private network (VPN) gateway or a private connection like AWS Direct Connect or Azure ExpressRoute, they must configure UDRs.

UDRs are crucial for implementing security policies, traffic steering, and network segmentation. For example, in AWS, you can create a custom route table and associate it with a subnet, then add a route that directs 0.0.0.0/0 traffic to a NAT gateway or a virtual private gateway. Similarly, in Azure, you can create a route table and associate it with a subnet, adding routes that direct traffic to a firewall or a virtual appliance. The fundamental principle is that UDRs have a higher priority than system routes, and the longest prefix match determines which route applies. Understanding the order of evaluation-first user-defined routes, then system routes, and then any Border Gateway Protocol (BGP) propagated routes-is essential for certification exams.

When configuring UDRs, administrators must consider route propagation settings. In Azure, you can enable BGP route propagation, which allows your virtual network gateway to automatically inject routes learned via BGP into the route table. In AWS, you can enable route propagation from a virtual private gateway to a route table. These features are often tested in exams like Azure AZ-104 and AWS SAA. Route table limits (e.g., maximum routes per route table) vary by provider and must be understood to avoid design errors. UDRs are also used in hub-and-spoke architectures where the hub contains shared services like a firewall, and spokes route all traffic through the hub using a UDR. This pattern is critical for the Security Plus and Network Plus exams, as it demonstrates implementation of network segmentation and least privilege.

UDRs can be statically defined or dynamically learned. Static UDRs are manually entered by the administrator and remain until removed. Dynamic routes come from BGP or other routing protocols. The combination of static and dynamic routes must be managed carefully because overlapping routes can cause asymmetric routing. For example, if a UDR sends traffic to a VPN gateway but the VPN gateway returns traffic through a different path, connectivity issues occur. This scenario is a common troubleshooting topic in CCNA and Network Plus. Finally, UDRs support routing policies like forcing all internet traffic through a security appliance for logging and inspection, which is a key requirement for compliance frameworks tested in Security Plus.

User-Defined Route Cost and Next Hop Types

The cost or metric associated with a user-defined route is not explicit in cloud routing tables like in traditional routing protocols (e.g., OSPF, EIGRP). Instead, the route selection is based on the longest prefix match. However, the 'next hop type' determines the actual destination and indirectly influences cost. For instance, in AWS, next hop types include: internet gateway, NAT gateway, virtual private gateway, transit gateway, network interface, egress-only internet gateway, VPC peering connection, and gateway endpoint. In Azure, next hop types include: virtual network, virtual network gateway, virtual appliance, internet, and none. Google Cloud uses a similar model with next hops like internet gateway, VPN tunnel, and Cloud NAT.

The cost of using a UDR can be thought of in terms of performance and monetary cost. For example, routing traffic through a NAT gateway incurs hourly charges and data processing fees, while using an internet gateway for public subnet traffic is free for the gateway itself but data transfer out to the internet costs money. Similarly, routing traffic through an Azure Firewall or third-party NVA adds both latency and cost. Exam questions often test the trade-offs: using a central firewall for all traffic increases security but adds cost and potential bottleneck; using a NAT gateway versus a NAT instance for outbound internet access-where the instance is a simple EC2 with a script but requires management overhead.

When multiple UDRs exist in a route table with the same destination prefix, the next hop type with the most specific prefix wins. There is no configurable metric like 'route preference' in cloud routing tables. However, in Azure, you can influence behavior using effective routes and route table priorities. For example, if you have a route for 0.0.0.0/0 pointing to a virtual appliance and another route for 10.0.0.0/16 via a VPN gateway, the more specific 10.0.0.0/16 takes precedence for traffic bound to that range. This logic is fundamental for exam scenarios in Azure AZ-104 and AWS SAA, where you must choose the correct next hop type based on the architecture.

UDRs can be used with service endpoints or private endpoints. For instance, in Azure, if you want to force traffic from a subnet to an Azure Storage account to always go through the Microsoft backbone instead of the internet, you can use a UDR with a next hop of VirtualNetworkServiceEndpoint. This does not incur extra cost like a firewall, but it ensures traffic stays within the Azure network. In AWS, Gateway Endpoints for S3 and DynamoDB provide a similar pattern without UDRs, but you still must add a route to the prefix list. Understanding these cost and performance implications is critical for architecting cost-optimized and secure solutions in certification exams.

Finally, migrating from default routes to UDRs often involves complex testing to avoid asymmetric routing. For example, if you add a UDR directing all traffic to an NVA, the NVA must have its own route table to send traffic back to the internet without looping back to the same NVA. This is a classic exam trap in Network Plus and Security Plus, testing understanding of routing loops. UDR cost is not a numeric metric but a combination of operational complexity, latency, and monetary expense associated with the chosen next hop type.

User-Defined Route Propagation and State Management

User-defined routes (UDRs) exist in specific states depending on how they are created and propagated. The most common state is 'Active', meaning the route is installed in the route table and is used for packet forwarding. When a UDR is created or modified, there is a brief propagation delay before it becomes effective. In AWS, this delay is typically a few seconds but can be longer if the route table is large. In Azure, the propagation is near-instant after the route table is saved and associated with the subnet. Google Cloud shows a similar behavior.

Another important state is 'Propagated' or 'BGP learned' routes. In Azure, you can enable 'Virtual network gateway route propagation' on a route table. When enabled, the route table automatically learns routes from the connected virtual network gateway, which may be a VPN gateway or ExpressRoute gateway. These propagated routes appear in the effective routes for the subnet. If you also have a static UDR with the same prefix, the static route takes precedence. This interaction is frequently tested in Azure AZ-104 exams, where you must understand how to prevent learned routes from overriding your custom paths.

In AWS, route propagation from a virtual private gateway is enabled at the route table level. Once enabled, the route table automatically receives routes from the on-premises network via BGP. These propagated routes are added alongside existing static routes. The effective route evaluation still uses longest prefix match. However, if a static UDR and a propagated route have the same prefix and length, the static UDR takes precedence. This is a critical point for AWS SAA exam questions that involve VPN connectivity and hybrid networking.

there is a state called 'Effective route' which is computed by the cloud provider. In AWS, you can view effective routes for a subnet by looking at the route table and checking 'Route Propagation'. In Azure, the 'Effective Routes' blade shows what routes are actually applied to a network interface, taking into account UDRs, BGP, and system routes. This tool is invaluable for troubleshooting. For example, if you create a UDR to force all traffic through a firewall but the effective routes still show the default internet path, the route table might not be associated with the correct subnet. This symptom is a common troubleshooting clue in Network Plus and CCNA exams.

Another state consideration is the order of operations when you disassociate a route table from a subnet. The subnet immediately reverts to the default (system) route table. If you delete a UDR, any subnet using it will revert to the default route for that prefix. If there is no effective route, traffic fails. This is tested in scenarios where a route to a VPN is deleted, causing on-premises connectivity to drop. Finally, understanding that UDRs are per-subnet (or per-network interface in some cases) is crucial. In AWS, each subnet must have a route table; if you do not create one, the main route table is used. In Azure, each subnet must be associated with a route table; if none is assigned, the system routes are used. These states are foundational for exam preparation.

User-Defined Route Security Implications and Compliance Patterns

User-defined routes (UDRs) are a cornerstone of network security in cloud environments because they allow administrators to control traffic flow through security appliances, enforce traffic inspection, and prevent data exfiltration. One of the primary security patterns using UDRs is forced tunneling, where all internet-bound traffic from a subnet is routed to a centralized firewall or VPN appliance before reaching the internet. In AWS, this is achieved by creating a route for 0.0.0.0/0 with a next hop of a network interface or a NAT gateway that is part of the security device. In Azure, you create a route for 0.0.0.0/0 with next hop 'Virtual appliance' and point it to the private IP of the firewall. This ensures that no traffic can leave the network without being inspected, meeting compliance requirements like PCI DSS or HIPAA.

UDRs also play a critical role in isolating resources. For example, in a multi-tier application, you can create separate subnets for web, application, and database tiers. By using UDRs, you can restrict the database subnet to only accept traffic from the application subnet through a firewall, while preventing direct internet access to the database. This pattern is tested in Security Plus, where understanding network segmentation and zone-based security is required. In AWS, you can also use a UDR with a prefix that matches a VPC endpoint to ensure traffic to AWS services stays within the Amazon network, reducing exposure to the internet.

Another security implication involves preventing asymmetric routing. When you deploy a UDR that sends all traffic through a network virtual appliance (NVA), the NVA must have a route back to the destination without going through itself. If the NVA has a default route of 0.0.0.0/0 also pointing to itself (a common misconfiguration), a routing loop occurs. This is a classic exam trap in Azure AZ-104 and AWS SAA, testing the candidate's ability to design proper return paths. The solution is to ensure the NVA's own network interface has route tables that send internet traffic to the internet gateway or a VPN gateway, not back to the same UDR.

UDRs also enhance security by enabling private connectivity to on-premises networks via VPN or Direct Connect. By adding a UDR for the on-premises IP range (e.g., 192.168.0.0/16) with next hop set to the virtual private gateway, you ensure that traffic to and from the cloud always goes through the encrypted VPN tunnel. If someone creates a static route that directs that traffic to the internet, security is breached. This scenario is used in AWS SAA exam questions about hybrid network security.

UDRs can be used to implement egress-only internet access for IPv6, which is a security best practice. In AWS, an egress-only internet gateway combined with a UDR ensures that instances in a private subnet can initiate outbound connections to the IPv6 internet but cannot be reached from the internet. This is tested in the AWS SAA exam. In Azure, similar functionality is achieved using a NAT64 translation or firewall rules.

Finally, compliance frameworks often require logging of all traffic going through firewalls. UDRs are essential for directing traffic to logging-capable devices. For instance, PCI DSS requires that all traffic from the cardholder data environment pass through an intrusion detection system. By implementing a UDR pointing to an IDS/IPS appliance, the requirement is satisfied. Security Plus exam questions often present a scenario requiring you to choose the correct UDR configuration to meet a compliance objective. Understanding these security implications is vital for both certification success and real-world network design.

Troubleshooting Clues

No internet access from private subnet

Symptom: Instances in private subnet cannot reach the internet (e.g., cannot download updates).

The subnet route table likely lacks a route for 0.0.0.0/0 to a NAT gateway or internet gateway. If the subnet is private, the route must point to a NAT gateway. If it points to an internet gateway (IGW), the IGW is not accessible because private subnets have no public IPs.

Exam clue: Exam question: 'You deploy a private subnet with a NAT gateway but instances still can't reach the internet. What is the most likely cause?' Answer: Missing route for 0.0.0.0/0 to the NAT gateway.

Asymmetric routing with network virtual appliance

Symptom: Traffic is sent to an NVA but never returns, or connections are one-way.

The UDR sends traffic to the NVA, but the NVA's own route table does not have a proper return path. For example, the NVA sends the traffic to the internet via its own default route, which points back to itself, causing a loop. Or the NVA sends traffic directly to the destination without going through the correct gateway.

Exam clue: Classic AWS SAA and AZ-104 question: 'You configure a firewall NVA with a UDR for 0.0.0.0/0 pointing to the NVA. Traffic stops working. What is the cause?'

Updates to UDRs not taking effect immediately

Symptom: After adding or modifying a route in the route table, traffic still uses the old path.

Route table updates may take a few seconds to propagate to all network interfaces. In rare cases, if the subnet is associated with a different route table than expected (e.g., the main route table is used instead of the custom one), changes won't apply.

Exam clue: Troubleshooting question: 'You add a route to a route table but subnet traffic still follows the old route. What should you check?' Answer: Ensure the correct route table is associated with the subnet and allow time for propagation.

Overlapping routes causing unexpected traffic path

Symptom: Traffic to a specific IP range goes through a different next hop than intended.

If you have two routes with overlapping prefixes, the most specific prefix (longest match) takes precedence. For example, a route for 10.0.1.0/24 pointing to a firewall will override a route for 10.0.0.0/16 pointing to a VPN gateway.

Exam clue: Exam scenario: 'You have a UDR for 0.0.0.0/0 to a NAT gateway and a more specific route for 10.0.0.0/8 to a VPN. Traffic to an on-premises 10.1.0.1 works, but traffic to 172.16.0.1 goes through the NAT. Why?' Answer: 172.16.0.0/12 is not covered by the 10.0.0.0/8 route.

BGP propagated routes overriding static UDRs

Symptom: After enabling route propagation, some static routes are no longer effective for certain destinations.

Although static UDRs take precedence over propagated routes for the same prefix, if the static route is more specific than the propagated route, it will be used. But if the static route is less specific (e.g., 0.0.0.0/0) and the propagated route covers the same prefix, the static route still wins because it is statically defined. However, if the propagated route is more specific (e.g., 10.0.0.0/8), it will override the static default route for that range.

Exam clue: Common in AWS SAA: 'Your on-premises routes learned via BGP are not being used. What is the likely cause?' Answer: A static route with a longer prefix exists in the route table.

Route table association lost

Symptom: Subnet loses Internet connectivity or custom routing, even though the route table exists.

The subnet may have been disassociated from the custom route table, perhaps by accident or during reconfiguration. When a subnet is disassociated, it reverts to the main (default) route table, which may not have the required UDRs.

Exam clue: Exam question: 'After a security audit, you remove a route table association from a subnet. The subnet loses connectivity. Why?' Answer: The subnet inherits the main route table which lacks necessary routes.

Unable to create a route with next hop type 'VirtualAppliance'

Symptom: Azure portal or CLI fails to create a UDR with next hop type 'VirtualAppliance' and the specified IP address.

The virtual appliance must be reachable from the subnet via a private IP. If the appliance's IP is not in a directly connected subnet or the appliance is not properly configured, the route creation may fail or the route will be inactive.

Exam clue: Troubleshooting in AZ-104: 'You attempt to add a route to a firewall appliance but get an error. What should you verify?' Answer: The firewall is deployed and its private IP is in the same VNet or directly peered.

Route to VPC endpoint not working

Symptom: Instances cannot reach S3 or DynamoDB via gateway endpoint even though the route exists.

The gateway endpoint route must point to the endpoint's prefix list (e.g., com.amazonaws.us-east-1.s3). If the route table does not have this specific route or the route is pointing to a different endpoint, traffic will try to go through the internet.

Exam clue: AWS SAA question: 'You create an S3 gateway endpoint and add a route to the prefix list. Instances still cannot access S3. What is the likely issue?' Answer: The route table is not associated with the subnet.

Learn This Topic Fully

This glossary page explains what User-defined route means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)
SY0-601SY0-701(current version)

Related Glossary Terms

Quick Knowledge Check

1.A company has a VPC with a public subnet and a private subnet. The private subnet needs outbound internet access. Which combination of resources is required?

2.In Azure, a network engineer creates a route table with a route for 0.0.0.0/0 next hop type 'VirtualAppliance' and IP 10.0.1.4. The subnet is associated with this route table. However, traffic destined for the internet still goes through the default internet path. What is the most likely cause?

3.An administrator configures a route table with a static route for 10.0.0.0/16 pointing to a VPN gateway. Route propagation is enabled from the virtual private gateway. The on-premises network announces 10.0.1.0/24 via BGP. Which path will traffic to 10.0.1.5 take?

4.A company uses a hub-and-spoke topology in Azure with the hub containing a firewall. All spokes must route internet traffic through the firewall. After configuring route tables in the spoke subnets with a UDR for 0.0.0.0/0 pointing to the firewall's private IP, internet traffic still goes directly to the internet. What should the administrator check first?

5.In Google Cloud, a network engineer creates a custom route for 10.0.0.0/8 with a next hop of a VPN tunnel and priority 500. The VPC also has a dynamic route learned via Cloud Router for 10.0.0.0/8 with priority 250. Which route will be used for traffic to 10.0.0.1?

6.A network administrator wants to force all traffic from an AWS VPC subnet to the on-premises network through a Direct Connect connection. Which action is required?