Hi, As you know, by default, resources deployed to an Azure virtual network that need access to the Internet will use the system-defined default routes to use the Azure backbone. Forced tunneling allows you to redirect all Internet-bound traffic to your on-premise location through a site-to-site VPN tunnel, thus allowing you to manage, inspect, and audit outgoing traffic on your Azure network.


  • This tutorial assumes that you already have a Microsoft Azure account configured.
  • You already have a VPN Site-to-Site created and properly configured. If you want to know how to create it, see this link.

The simplest way to get started is to sign in interactively at the command line.

This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account.

If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:

Once you set your default subscription, you’re ready to start.

Set the variables

Here, we define the characteristics of our environment and the properties of the connection.

In my case, I have a single virtual network with two subnets:

  • Default subnet.
  • Gateway subnet.

Resource Deployment

In this section, we implement Azure resources. Once the routes table has been created, we can assign it to the desired subnet to finally update the configuration of our Azure Gateway.

Create the route table

First, you need to have an Azure route table. To create one, using the New-AzRouteTable cmdlet with the following syntax.

Adds a route to a route table

The next step is to add a route to the route table. To perform this task, you should use the Add-AzRouteConfig cmdlet. The following command adds a route named “DefaultRoute” to the route table stored in $rt variable. This route forwards Internet-bound traffic to the Virtual Network Gateway.


Associate the route table to a subnet.

In this step, the subnet is configured with the route table created in the previous step. To associate the route table to the desired subnet. First, use the Set-AzVirtualNetworkSubnetConfig cmdlet to set the new configuration and then the Set-AzVirtualNetwork cmdlet to apply the changes.


Assign a default site to the virtual network gateway

And finally, to make the forced tunneling work, setting the default site on the Azure gateway as the local network gateway.

forced tunneling

keep in mind that it may be necessary to configure your on-premise firewall to allow outbound traffic.

Thanks for reading my post. I hope you find it useful.

If you want to know more about forced tunneling, check out this link: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways