Forced Tunneling and Internet Breakout with ExpressRoute & NVA Scenario

Lukman Balunywa
5 min read · Aug 27, 2022

Forced tunneling lets you redirect or “force” all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN or ExpressRoute for inspection and auditing.

This is a critical security requirement for most enterprise IT policies. If you don’t configure forced tunneling, Internet-bound traffic from your VMs in Azure always goes from the Azure network infrastructure directly out to the Internet, with no opportunity for you to inspect or audit it.
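A way to audit for the direct-breakout condition described above, as an added example that is not part of the original article: it applies Azure's route selection (longest prefix first, then user-defined over BGP over system routes) to a subnet's effective routes and reports destinations that still leave via the `Internet` next hop. The route tables, probe addresses and the lowercase `source` labels are constructed assumptions.

```python
import ipaddress

# On equal prefixes Azure prefers user-defined, then BGP, then system routes.
SOURCE_PRIORITY = {"system": 0, "bgp": 1, "user": 2}

# Constructed effective routes: no forced tunneling configured.
DIRECT_BREAKOUT = [
    {"prefix": "10.0.0.0/16", "next_hop_type": "VnetLocal", "source": "system"},
    {"prefix": "0.0.0.0/0", "next_hop_type": "Internet", "source": "system"},
]

# Constructed effective routes: default route learned over the gateway,
# plus one user-defined route that still sends a range straight out.
FORCED_TUNNEL = [
    {"prefix": "10.0.0.0/16", "next_hop_type": "VnetLocal", "source": "system"},
    {"prefix": "0.0.0.0/0", "next_hop_type": "Internet", "source": "system"},
    {"prefix": "0.0.0.0/0", "next_hop_type": "VirtualNetworkGateway", "source": "bgp"},
    {"prefix": "203.0.113.0/24", "next_hop_type": "Internet", "source": "user"},
]

# Constructed Internet destinations (documentation address ranges).
PROBES = ["198.51.100.10", "203.0.113.7"]


def select_route(routes, destination):
    """Return the route that wins for destination, or None if nothing matches."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return max(
        matches,
        key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen,
                       SOURCE_PRIORITY[r["source"]]),
    )


def breakout_findings(routes, probes):
    """List (probe, winning prefix) pairs that exit directly to the Internet."""
    findings = []
    for probe in probes:
        route = select_route(routes, probe)
        if route is not None and route["next_hop_type"] == "Internet":
            findings.append((probe, route["prefix"]))
    return findings


if __name__ == "__main__":
    print("no forced tunnel:", breakout_findings(DIRECT_BREAKOUT, PROBES))
    print("forced tunnel:   ", breakout_findings(FORCED_TUNNEL, PROBES))
```
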
