1.3 Design and Implement VNet Connectivity and Routing
📘Microsoft Azure Networking Solutions (AZ-700)
What Is Forced Tunneling?
Forced tunneling is an Azure networking configuration that forces all internet-bound traffic from Azure virtual machines (VMs) to go through an on-premises network or security device instead of going directly to the internet.
By default, Azure allows VMs to access the internet directly.
Forced tunneling changes this behavior so traffic must follow a specific, controlled path.
Why Forced Tunneling Is Used
Forced tunneling is mainly used to:
- Inspect traffic using on-premises firewalls or security appliances
- Apply security rules before traffic reaches the internet
- Meet compliance and audit requirements
- Centralize outbound traffic control
- Prevent direct internet access from Azure VMs
In enterprise IT environments, organizations often want full visibility and control over outbound traffic.
Default Azure Routing (Important for the Exam)
Before understanding forced tunneling, you must know how Azure routes traffic by default.
Default System Routes in Azure
Azure automatically creates system routes for every subnet:
| Destination | Next Hop |
|---|---|
| Virtual network address space | Virtual network |
| On-premises networks | Virtual network gateway |
| Internet (0.0.0.0/0) | Internet |
Key Point:
Without forced tunneling, internet traffic goes directly to the internet.
What Forced Tunneling Changes
Forced tunneling overrides the default internet route.
Instead of:
0.0.0.0/0 → Internet
Traffic is forced to:
0.0.0.0/0 → On-premises network or firewall
This ensures no VM can access the internet directly.
How Forced Tunneling Works (Concept)
- A VM sends traffic destined for the internet
- Azure checks the routing table
- A custom route overrides the default route
- Traffic is sent to:
- A VPN Gateway
- An ExpressRoute Gateway
- A Network Virtual Appliance (NVA) (firewall)
Two Ways to Configure Forced Tunneling
1️⃣ Using User-Defined Routes (UDRs) – Most Common
This is the recommended and exam-important method.
Steps:
- Create a route table
- Add a route:
- Address prefix:
0.0.0.0/0 - Next hop type: Virtual appliance or Virtual network gateway
- Address prefix:
- Associate the route table with a subnet
This forces all outbound traffic to follow that route.
2️⃣ Using VPN Gateway Forced Tunneling (Legacy Method)
This is an older method, less flexible, but still appears in exams.
- Forced tunneling is configured at the VPN gateway level
- Requires Azure VPN Gateway
- Traffic is routed through the on-premises VPN device
⚠️ Limitation:
This method applies to all connected VNets and is not subnet-specific.
User-Defined Routes (UDRs) in Forced Tunneling
What Is a UDR?
A User-Defined Route (UDR) is a custom routing rule created by an administrator to override Azure’s system routes.
Key UDR Settings for Forced Tunneling
| Setting | Value |
|---|---|
| Address prefix | 0.0.0.0/0 |
| Next hop type | Virtual appliance or Virtual network gateway |
| Associated to | Subnet |
Next Hop Options Used in Forced Tunneling
1️⃣ Virtual Network Gateway
- Used with VPN Gateway or ExpressRoute
- Sends traffic to on-premises networks
2️⃣ Virtual Appliance (NVA)
- Used for firewalls (Azure Firewall, third-party firewall)
- Traffic flows through the appliance first
Forced Tunneling with Azure Firewall
This is a very common exam scenario.
How It Works:
- Subnets use a UDR
- Default route (
0.0.0.0/0) points to Azure Firewall - Firewall controls and logs outbound traffic
- Firewall sends traffic to the internet or on-premises network
Benefits:
- Centralized security
- Traffic inspection
- Logging and monitoring
Important Exam Note: Where UDRs Are Applied
- UDRs are applied to subnets
- They are not applied directly to VMs
- All VMs in the subnet follow the same routing rules
Forced Tunneling and Internet Access
What Happens to Internet Access?
- VMs cannot access the internet directly
- Internet access only works if:
- On-premises firewall allows it
- NVA forwards traffic correctly
If Not Configured Properly:
- Internet connectivity breaks
- Azure services may become unreachable
Forced Tunneling and Azure Services
Some Azure services require direct internet access, such as:
- Azure platform services
- Software updates
- Management endpoints
Best Practice:
Use service tags or specific routes to allow required Azure services while forcing other traffic.
Forced Tunneling with ExpressRoute
- ExpressRoute supports forced tunneling
- Internet traffic is routed:
- From Azure → On-premises → Internet
- Common in high-security enterprise environments
Limitations and Considerations (Exam Important)
- Misconfigured forced tunneling can:
- Break internet access
- Block Azure service connectivity
- Requires careful planning
- Increases latency due to extra hops
- Needs proper firewall rules
When to Use Forced Tunneling (Exam Scenario)
Forced tunneling is used when:
- Direct internet access is not allowed
- Traffic inspection is mandatory
- Centralized security is required
- Compliance policies demand full control
Key Differences: Forced Tunneling vs Default Routing
| Feature | Default Routing | Forced Tunneling |
|---|---|---|
| Internet access | Direct | Controlled |
| Traffic inspection | No | Yes |
| Security control | Limited | High |
| Routing method | System routes | UDR / Gateway |
Exam Keywords to Remember
- Forced tunneling
- User-defined routes (UDRs)
- 0.0.0.0/0
- Virtual network gateway
- Network virtual appliance (NVA)
- Azure Firewall
- ExpressRoute
- VPN Gateway
- Subnet-level routing
Exam Tips ⭐
- Forced tunneling = override default internet route
- UDR with 0.0.0.0/0 is the key
- Applied at subnet level
- Used for security and compliance
- Often combined with Azure Firewall or VPN Gateway
