User-defined routes

When you create a subnet, Azure automatically creates system routes so that the resources in it can reach each other and the outside world. Every subnet has a default system route table, which contains at minimum the following routes:

  • Local VNet: This route covers the address space of the VNet itself. It has no next hop address; if the destination IP address falls within the VNet prefix, traffic is delivered directly inside the VNet.
  • On-premises: This route covers the address prefixes you have defined as on-premises, and it is only present when the VNet has a VNet gateway. Its next hop is the VNet gateway; if the destination IP address falls within an on-premises prefix, traffic is sent to the gateway.
  • Internet: This route (0.0.0.0/0) covers all traffic bound for the public internet, and its next hop type is always Internet. If the destination IP address falls within neither the VNet prefix nor an on-premises prefix, traffic is routed to the internet using network address translation (NAT).

You can override these system routes by creating user-defined routes (UDRs), which force traffic to follow a route of your choosing. Suppose, for instance, that a network consists of two subnets and you add a VM that serves as a demilitarized zone (DMZ) and has a firewall installed on it. You want all traffic between the two subnets to pass through the firewall rather than flow directly from one subnet to the other. To do this, you create a route table in Azure, add a custom route whose next hop is the firewall VM (next hop type VirtualAppliance, with the VM's private IP as the next hop address), and associate the table with the subnet whose traffic should be redirected. IP forwarding is a separate setting: it is enabled on the firewall VM's network interface (not on the route table), and without it the VM is not allowed to forward packets that are not addressed to itself. Azure selects a route by longest prefix match; when a custom route and a system route share the same prefix, Azure prefers the custom route over the default system route.
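The following is an added example (not code from the original page or from Azure) that models Azure's documented route-selection rule, longest prefix match first and then route type (user-defined before BGP before system), and applies it to the two-subnets-plus-firewall scenario above. All addresses, the subnet layout and the firewall IP are constructed for the example; the `Route`, `system_routes`, `effective_route` and `next_hops_from` names are this example's own, not an Azure API.

```python
"""Model of how Azure picks the effective route for an outbound packet.

Added example, not Azure code. Selection rule: longest prefix match first;
if several routes share the same prefix, route type decides (user-defined
beats BGP beats system). Addresses below are constructed for the scenario.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Lower value wins when two routes have the same prefix length.
ROUTE_TYPE_PRIORITY = {"UserDefined": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                 # address prefix, e.g. "10.0.2.0/24"
    next_hop_type: str          # VirtualNetwork, VirtualNetworkGateway,
                                # Internet or VirtualAppliance
    next_hop_ip: Optional[str]  # only set for VirtualAppliance
    source: str                 # UserDefined, BGP or System


def system_routes(vnet_prefix, onprem_prefixes=()):
    """Default routes every subnet gets: local VNet, on-premises prefixes via
    the VNet gateway (when a gateway exists) and everything else to Internet."""
    routes = [
        Route(vnet_prefix, "VirtualNetwork", None, "System"),
        Route("0.0.0.0/0", "Internet", None, "System"),
    ]
    routes += [Route(p, "VirtualNetworkGateway", None, "System")
               for p in onprem_prefixes]
    return routes


def effective_route(destination, routes):
    """Return the route that wins for `destination`: the longest matching
    prefix, and on a tie the route type with the lowest priority value."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(
        matches,
        key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                       -ROUTE_TYPE_PRIORITY[r.source]),
    )


# Constructed scenario (assumed addresses): VNet 10.0.0.0/16, on-premises
# 192.168.0.0/16 behind a VNet gateway, a DMZ subnet 10.0.0.0/24 hosting a
# firewall VM at 10.0.0.4, and two workload subnets 10.0.1.0/24 (A) and
# 10.0.2.0/24 (B).
VNET = "10.0.0.0/16"
ONPREM = ("192.168.0.0/16",)
FIREWALL_IP = "10.0.0.4"

# UDRs in the route table associated with subnet A: traffic to subnet B and
# to the internet is sent to the firewall instead of following system routes.
SUBNET_A_UDRS = [
    Route("10.0.2.0/24", "VirtualAppliance", FIREWALL_IP, "UserDefined"),
    Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP, "UserDefined"),
]

DESTINATIONS = ["10.0.1.20", "10.0.2.10", "192.168.5.5", "8.8.8.8"]


def next_hops_from(udrs, destinations):
    """Effective (next_hop_type, next_hop_ip) per destination for a subnet
    whose route table holds `udrs` on top of the system routes."""
    routes = system_routes(VNET, ONPREM) + list(udrs)
    result = {}
    for d in destinations:
        r = effective_route(d, routes)
        result[d] = (r.next_hop_type, r.next_hop_ip)
    return result


if __name__ == "__main__":
    print("Subnet A (system routes + UDRs):")
    for d, hop in next_hops_from(SUBNET_A_UDRS, DESTINATIONS).items():
        print(f"  {d:>12} -> {hop}")
    # The firewall's own subnet must not get the same route table: packets
    # it forwards to 10.0.2.0/24 would be sent straight back to itself.
    print("DMZ subnet (system routes only):")
    for d, hop in next_hops_from([], DESTINATIONS).items():
        print(f"  {d:>12} -> {hop}")
```

Two things the output makes visible that the prose does not: the /24 UDR to subnet B wins over the /16 system VNet route by prefix length, while the 0.0.0.0/0 UDR only wins over the system Internet route because user-defined routes outrank system routes at equal prefix length; and the DMZ subnet, with no UDRs, still reaches subnet B directly, which is what you want, since associating the same table with the firewall's subnet would route the firewall's forwarded packets back to itself.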
