
Forced Tunneling and Internet Breakout with Express Route & NVA Scenario

Lukman Balunywa
5 min read · Aug 27, 2022


Forced tunneling lets you redirect or “force” all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN or Express Route for inspection and auditing.

This is a critical security requirement under most enterprise IT policies. If you don't configure forced tunneling, Internet-bound traffic from your VMs in Azure always leaves the Azure network infrastructure directly to the Internet, with no opportunity for you to inspect or audit it.

There are scenarios in which customers require both Internet breakout from Azure and forced tunneling at the same time.

With a Site-to-Site VPN, redirecting traffic is expressed by adding a UDR (User Defined Route) to a route table with the next hop set to the virtual network gateway, then associating that RTB (Routing Table) with your specific subnets.

However, with ExpressRoute gateways you must use BGP to advertise on-premises routes (including the default route) to the Microsoft Edge router. You can't create user-defined routes to force traffic to the ExpressRoute virtual network gateway if the virtual network gateway is deployed as type ExpressRoute.

You can, however, use user-defined routes to force traffic arriving from ExpressRoute to, for example, a Network Virtual Appliance.
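As an added example that is not part of the article, the following Python code models the route-selection and configuration rules described above: longest-prefix matching of a subnet's effective routes, and an audit that flags a default route pointing at an ExpressRoute gateway (unsupported) or at the Internet (no forced tunneling). The `Route` class and the sample route entries are constructed for illustration; the next-hop type strings are the values Azure uses for UDRs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Azure next-hop type values as they appear on user-defined routes.
VNET_GATEWAY = "VirtualNetworkGateway"
VIRTUAL_APPLIANCE = "VirtualAppliance"
INTERNET = "Internet"
VNET_LOCAL = "VnetLocal"


@dataclass(frozen=True)
class Route:
    """Constructed model of one route table entry (hypothetical helper)."""
    prefix: str
    next_hop_type: str
    next_hop_ip: Optional[str] = None  # required only for VirtualAppliance


def resolve_next_hop(routes: List[Route], destination: str) -> Optional[Route]:
    """Pick the effective route for a destination by longest prefix match."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if dst in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def audit_forced_tunneling(routes: List[Route], gateway_type: str) -> List[str]:
    """Return findings for a route table that is meant to force-tunnel 0.0.0.0/0.

    gateway_type is the virtual network gateway type: "Vpn" or "ExpressRoute".
    """
    findings = []
    default = [r for r in routes if r.prefix == "0.0.0.0/0"]
    if not default:
        findings.append("no 0.0.0.0/0 UDR: Internet-bound traffic leaves Azure directly, uninspected")
        return findings
    r = default[0]
    if r.next_hop_type == INTERNET:
        findings.append("0.0.0.0/0 next hop is Internet: forced tunneling is not in effect")
    if gateway_type == "ExpressRoute" and r.next_hop_type == VNET_GATEWAY:
        findings.append("ExpressRoute gateway cannot be a UDR next hop: advertise 0.0.0.0/0 via BGP or route to an NVA")
    if r.next_hop_type == VIRTUAL_APPLIANCE and not r.next_hop_ip:
        findings.append("VirtualAppliance next hop needs the NVA's private IP address")
    return findings
```

The VNet-local route wins for in-VNet destinations because of longest-prefix match, so a 0.0.0.0/0 UDR toward an NVA only captures traffic that would otherwise leave the VNet.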

This article looks at how to accomplish forced tunneling and Internet breakout via Azure at the same time in scenarios where ExpressRoute is being used…

Written by Lukman Balunywa

Senior Cloud Solutions Architect at Microsoft
