Jorge Bernhardt

How to implement the Azure Forced Tunneling via S2S VPN

Tags: Add-AzRouteConfig, Azure PowerShell, Connect-AzAccount, Get-AzLocalNetworkGateway

Hi. As you know, by default, resources deployed to an Azure virtual network that need access to the Internet use the system-defined default route (0.0.0.0/0, next hop Internet) and leave through the Azure backbone. Forced tunneling lets you redirect all Internet-bound traffic to your on-premises location through a site-to-site VPN tunnel, so that outgoing traffic from your Azure network can be managed, inspected, and audited by your existing on-premises controls. Two pieces are needed: a user-defined route that sends 0.0.0.0/0 to the virtual network gateway, and a default site on that gateway so it knows which on-premises site the traffic belongs to.

Requirements:

  • This tutorial assumes that you already have a Microsoft Azure account configured.
  • You already have a site-to-site VPN created and properly configured. If you want to know how to create one, see this link.

The simplest way to get started is to sign in interactively at the command line.

Connect-AzAccount

This cmdlet brings up a dialog box prompting you for the email address and password associated with your Azure account. If more than one subscription is associated with that account, choose the one you want to work in as the default. To do that, use the following commands:

Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"

Once you set your default subscription, you’re ready to start.


Set the variables #

Here, we define the characteristics of our environment and the properties of the connection.

$resourceGroupName = 'RG-DEMO-NE'
$location = 'northeurope'
$vNet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroupName

In my case, I have a single virtual network with two subnets:

  • Default subnet.
  • Gateway subnet.

Resource Deployment #

In this section, we deploy the Azure resources. Once the route table has been created and populated, we assign it to the desired subnet and finally update the configuration of the Azure gateway.


Create the route table #

First, you need an Azure route table. To create one, use the New-AzRouteTable cmdlet with the following syntax.

$rt = New-AzRouteTable -Name "RT-DEMO-NE" `
                       -ResourceGroupName $resourceGroupName `
                       -Location $location

Add a route to a route table #

The next step is to add a route to the route table. To perform this task, use the Add-AzRouteConfig cmdlet. The following command adds a route named "DefaultRoute" to the route table stored in the $rt variable. With the prefix 0.0.0.0/0 this route overrides the system default route, so all traffic that does not match a more specific route (Internet-bound traffic included) is forwarded to the virtual network gateway. Add-AzRouteConfig only changes the in-memory object; Set-AzRouteTable writes it to Azure.

Add-AzRouteConfig `
    -name "DefaultRoute" `
    -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualNetworkGateway `
    -RouteTable $rt

Set-AzRouteTable -RouteTable $rt


Associate the route table with a subnet #

In this step, the subnet is configured with the route table created in the previous step. First, use the Set-AzVirtualNetworkSubnetConfig cmdlet to set the new subnet configuration, then use the Set-AzVirtualNetwork cmdlet to apply the changes. Associate the table only with the workload subnet(s) whose traffic you want to force through the tunnel; do not associate a 0.0.0.0/0 route with the GatewaySubnet itself, as that can break the gateway's own connectivity.

Set-AzVirtualNetworkSubnetConfig `
    -name 'Default' `
    -VirtualNetwork $vNet `
    -AddressPrefix '192.168.66.0/24' `
    -RouteTable $rt

Set-AzVirtualNetwork -VirtualNetwork $vNet


Assign a default site to the virtual network gateway #

And finally, to make forced tunneling work, set the local network gateway (your on-premises site) as the default site of the Azure virtual network gateway. The route table only delivers 0.0.0.0/0 traffic to the gateway; the default site tells the gateway which site-to-site connection should carry it.

$local = Get-AzLocalNetworkGateway -ResourceGroupName $resourceGroupName
$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $resourceGroupName

Set-AzVirtualNetworkGatewayDefaultSite `
    -GatewayDefaultSite $local `
    -VirtualNetworkGateway $gateway
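The steps above change three separate objects (the route table, the subnet, and the gateway), and a mistake in any one of them silently leaves Internet traffic on the Azure backbone. The following verification script is an added example, not code from the original post: it re-reads the configuration and the effective routes of a VM NIC and reports anything that would defeat forced tunneling. It assumes the names used in this post plus a hypothetical NIC name, VM-DEMO-NE-nic, attached to a running VM in the Default subnet; change these to match your environment.

```powershell
# Added verification script (not part of the original post).
# Assumes the resource group, route table and subnet names used above, and a
# hypothetical NIC 'VM-DEMO-NE-nic' of a running VM in the 'Default' subnet.
$resourceGroupName = 'RG-DEMO-NE'
$routeTableName    = 'RT-DEMO-NE'
$nicName           = 'VM-DEMO-NE-nic'   # assumption: adjust to a real NIC

$failures = @()

# 1. The route table must contain exactly one 0.0.0.0/0 route pointing at the gateway.
$rt = Get-AzRouteTable -ResourceGroupName $resourceGroupName -Name $routeTableName
$defaultRoutes = @($rt.Routes | Where-Object { $_.AddressPrefix -eq '0.0.0.0/0' })
if ($defaultRoutes.Count -ne 1 -or $defaultRoutes[0].NextHopType -ne 'VirtualNetworkGateway') {
    $failures += "Route table $routeTableName has no single 0.0.0.0/0 route with next hop VirtualNetworkGateway."
}

# 2. The table must be associated with the workload subnet(s) but never with the
#    GatewaySubnet: a 0.0.0.0/0 UDR there can break the gateway's own connectivity.
$vNet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroupName   # single VNet in this RG
foreach ($subnet in $vNet.Subnets) {
    $assigned = ($null -ne $subnet.RouteTable) -and ($subnet.RouteTable.Id -eq $rt.Id)
    if ($subnet.Name -eq 'GatewaySubnet' -and $assigned) {
        $failures += "GatewaySubnet has $routeTableName associated; remove that association."
    }
    elseif ($subnet.Name -ne 'GatewaySubnet' -and -not $assigned) {
        $failures += "Subnet $($subnet.Name) is not associated with $routeTableName; its Internet traffic bypasses the tunnel."
    }
}

# 3. The gateway must have a default site, otherwise 0.0.0.0/0 traffic has no destination.
$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $resourceGroupName
if (-not $gateway.GatewayDefaultSite -or -not $gateway.GatewayDefaultSite.Id) {
    $failures += "Gateway $($gateway.Name) has no default site configured."
}
else {
    Write-Output "Default site: $($gateway.GatewayDefaultSite.Id)"
}

# 4. Effective routes show what the platform actually programmed on the NIC
#    (the VM must be running for this call to succeed).
$effective = Get-AzEffectiveRouteTable -ResourceGroupName $resourceGroupName `
                                       -NetworkInterfaceName $nicName
$viaGateway = $effective | Where-Object {
    $_.AddressPrefix -contains '0.0.0.0/0' -and
    $_.State -eq 'Active' -and
    $_.NextHopType -eq 'VirtualNetworkGateway'
}
if (-not $viaGateway) {
    $failures += "NIC $nicName has no active 0.0.0.0/0 route via VirtualNetworkGateway."
}
# The system default route to the Internet must now be overridden (State = Invalid).
$systemInternet = $effective | Where-Object {
    $_.Source -eq 'Default' -and $_.NextHopType -eq 'Internet' -and $_.State -eq 'Active'
}
if ($systemInternet) {
    $failures += "System route 0.0.0.0/0 -> Internet is still active on $nicName."
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Forced tunneling verified: Internet-bound traffic from $nicName goes through the S2S VPN."
```

Run it from the same session used for the deployment. Step 4 is the check that matters most in practice, because Get-AzEffectiveRouteTable reports the routes the fabric actually applies to the NIC, including the system route that the UDR is supposed to override; the earlier steps only tell you what was configured.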

Keep in mind that it may be necessary to configure your on-premises firewall to allow the outbound Internet traffic that now arrives from the Azure address space through the tunnel; otherwise the Azure resources lose Internet access instead of gaining an inspected path.

Thanks for reading my post. I hope you find it useful.

If you want to know more about forced tunneling, check out this link.