I'm trying to wrap my head around how the UDR works, especially when I set all my subnets to route all traffic through a firewall. It seems like having just one entry of 0.0.0.0/0 should cover all traffic. Can anyone explain why I need more specific routes instead of relying solely on 0.0.0.0/0?
5 Answers
You can actually disable BGP propagation on your route tables and manually define all your routes. I’ve set this up for certain VNets where those auto-routed paths are not desirable. Just keep in mind it can lead to more maintenance effort unless you have a strong automation setup.
In Azure, two key rules to remember: 1. Longer prefixes win, like 10.0.0.0/24 over 0.0.0.0/0, and 2. Azure automatically advertises routes for subnets within the same and peered VNets. If a VM in one subnet tries to reach another in a peered VNet, the default routes can bypass your firewall unless you add those specific entries in your UDR to override them. If you're interested, there's a detailed article on Azure's routing that dives deeper into this.
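To make the two rules in this answer concrete, here is a small Python model of Azure's route selection (added example, not code from the original thread or from Azure). It encodes the documented order: longest prefix wins first, and only when two routes share the same prefix does the source decide, with user-defined routes beating BGP routes, which beat system routes. The system routes and addresses below are constructed for the example; `10.0.0.0/16` stands in for the local VNet and `10.1.0.0/16` for a peered VNet.

```python
import ipaddress
from dataclasses import dataclass

# Tie-break used only between routes with the same prefix length
# (Azure: user-defined route > BGP route > system route).
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    prefix: str    # CIDR, e.g. "10.1.0.0/16"
    next_hop: str  # VnetLocal, VNetPeering, VirtualAppliance, Internet, ...
    source: str    # "Default" (system route), "User" (UDR) or "BGP"


def effective_route(routes, destination):
    """Return the route Azure would pick for `destination`, or None."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Most specific prefix first; same prefix -> lower SOURCE_PRIORITY wins.
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                       SOURCE_PRIORITY[r.source]),
    )


def next_hop_for(routes, destination):
    route = effective_route(routes, destination)
    return route.next_hop if route else None


# Constructed system routes: what Azure adds on its own to a subnet in a
# 10.0.0.0/16 VNet that is peered with a 10.1.0.0/16 VNet.
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal", "Default"),
    Route("10.1.0.0/16", "VNetPeering", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]

# Hypothetical firewall (NVA) address used as the UDR next hop.
FIREWALL_IP = "10.0.255.4"


def udr_default_only():
    """Route table with only a 0.0.0.0/0 override to the firewall."""
    return SYSTEM_ROUTES + [Route("0.0.0.0/0", "VirtualAppliance", "User")]


def udr_with_specifics():
    """Same table plus a UDR matching the peered VNet prefix exactly.

    Without the /16 entry the system VNetPeering route is more specific
    than 0.0.0.0/0 and wins, so peered traffic never reaches the firewall.
    """
    return udr_default_only() + [
        Route("10.1.0.0/16", "VirtualAppliance", "User"),
    ]


if __name__ == "__main__":
    for label, table in (("0.0.0.0/0 only", udr_default_only()),
                         ("with /16 UDR", udr_with_specifics())):
        print(f"{label}: to peered VM 10.1.0.5 -> "
              f"{next_hop_for(table, '10.1.0.5')}; to 8.8.8.8 -> "
              f"{next_hop_for(table, '8.8.8.8')} (via {FIREWALL_IP})")
```

Internet-bound traffic goes to the firewall in both tables because the UDR and the system route share the `0.0.0.0/0` prefix and the UDR wins the tie; traffic to the peered VNet only does so once a UDR with the same `/16` prefix exists. On a real VM the equivalent check is the NIC's effective routes (the portal tab mentioned later in this thread, or `az network nic show-effective-route-table`), where the winning entry for each prefix is the one you should verify points at the appliance.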
When you connect VNets, they share routes, so your UDR must have specifics to beat those shared routes. Just adding 0.0.0.0/0 won't suffice because that longer prefix rule applies here too, meaning you need to create extra routes to ensure traffic goes where you want it to.
You’re on the right track with the 0.0.0.0/0 idea, but Azure has built-in default routes that may interfere. You need to manually set up routes for other prefixes to disable the default ones and ensure your specific routes are used instead. Check the 'effective routes' tab to get a clearer picture of what’s going on.
Got it! So it's more about creating specific routes to really take control of the traffic.
The reason you can’t just use 0.0.0.0/0 and expect it to handle all traffic is due to the longer prefix rule. If you have any routes advertised via BGP or peering, those will take precedence over your UDR, even if 0.0.0.0/0 is there to guide traffic through the firewall.
So, does that mean the UDR isn't a solid override for those routes?

So, even with UDR, I need those specific prefixes to counter Azure's default routes? Makes more sense now!