Welcome — this guide explains how to configure forced tunneling in Azure to route outbound internet traffic through an on-premises security stack over a site-to-site VPN. Forced tunneling is commonly used to inspect, filter, or apply corporate policies to internet-bound traffic for compliance and security reasons.

At a high level, forced tunneling redirects internet-bound traffic from selected Azure subnets to the Azure VPN Gateway, which forwards that traffic over the site-to-site VPN to your on-premises environment. There, firewalls, proxies, or IDS/IPS appliances can inspect or process the traffic before allowing it to the internet.

How forced tunneling works:
  • Create a user-defined route (UDR) that overrides Azure system routes for selected subnets.
  • Add a default route (0.0.0.0/0) in the UDR with next hop type VirtualNetworkGateway so traffic is sent to the VPN Gateway.
  • Associate that route table with the subnet(s) you want to force through the VPN (for example, backend and mid-tier).
  • Keep other subnets (e.g., frontend) without the UDR association so they use Azure system routes and can access the internet directly.
  • Ensure the VPN Gateway is route-based and that the site-to-site VPN and on-premises devices are prepared to handle both the tunneled outbound flows and the return traffic.
A network diagram showing forced tunneling for a virtual network: traffic from backend/mid-tier subnets is routed through a VPN gateway to on‑premises via a site‑to‑site VPN while the frontend subnet goes directly to the internet. A checklist of configuration steps (create route table, add default route to VPN gateway, associate with subnet, use route‑based VPN, set default site connection, use 0.0.0.0/0 on VPN device) is shown on the right.
Key concepts and configuration steps
  • Azure system routes include a default route to the internet. To intercept internet-bound traffic, you must create a user-defined route (UDR). See: User-defined routes (UDR) overview.
  • Add a 0.0.0.0/0 route in the UDR with --next-hop-type VirtualNetworkGateway. This causes internet-bound traffic from the subnet to be forwarded to the VPN Gateway rather than directly to the internet.
  • Associate the UDR with the subnet(s) that should use the forced tunnel (for example, backend and mid-tier). Any subnet without the association will continue to use Azure system routes (for example, frontend).
  • Use a route-based VPN Gateway for forced tunneling; policy-based VPN gateways do not support this scenario. See: Azure VPN Gateway types and limitations.
  • Ensure the site-to-site VPN connection is active and that your on-premises firewall/router is configured to accept the tunneled internet-bound flows — including NAT (SNAT), inspection, and forwarding to the internet.
  • If you use BGP, verify route propagation so on-premises devices know how to route return traffic back to Azure. See: BGP with Azure VPN Gateway.
Azure CLI examples
  • Create a route table:
az network route-table create \
  --name ForcedTunnelRT \
  --resource-group MyRG \
  --location eastus
  • Add a 0.0.0.0/0 route pointing to the virtual network gateway:
az network route-table route create \
  --resource-group MyRG \
  --route-table-name ForcedTunnelRT \
  --name DefaultRoute \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualNetworkGateway
  • Associate the route table with a subnet:
az network vnet subnet update \
  --resource-group MyRG \
  --vnet-name MyVNet \
  --name BackendSubnet \
  --route-table ForcedTunnelRT
  • Create a route-based VPN Gateway (example):
az network vnet-gateway create \
  --resource-group MyRG \
  --name MyVNetGateway \
  --vnet MyVNet \
  --public-ip-address MyGatewayIP \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw1
Operational checklist
Check | Why it matters | Action example
UDR association | Ensures chosen subnet traffic is routed to the VPN Gateway | Verify the route table is associated to the target subnet(s) and contains 0.0.0.0/0 → VirtualNetworkGateway
VPN connection state | VPN must be up to carry traffic | Confirm site-to-site connection status in the Azure portal or with az network vpn-connection show
On-prem routing | Return traffic must be routed back to Azure | Ensure the on-prem device has routes to the Azure subnets (via BGP or static routes)
NAT/SNAT and inspection | On-premises device must be able to NAT/inspect traffic | Verify the firewall/proxy is configured to SNAT and permit outbound connections
NSG rules | NSGs can block forwarded traffic | Review Network Security Groups applied to subnets and NICs for blocking rules
Service exceptions | Some services require direct outbound access | Validate Microsoft/third-party service requirements and create exceptions if needed
Validation and troubleshooting
  • From a VM in the forced-tunnel subnet, test outbound connectivity to a public IP and capture packet traces to confirm the path goes to the VPN Gateway.
  • Check the effective routes on the VM’s NIC/subnet in the Azure portal to confirm the UDR takes precedence over system routes.
  • Confirm the on-premises firewall logs to validate traffic is received, inspected, and forwarded.
  • Monitor latency and throughput once forced tunneling is enabled — added hops can affect performance.
  • If using BGP, inspect route advertisements and learned routes on both sides to ensure correct return paths.
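The effective-routes check described above can be automated. The following is an added example (not part of the original guide) that takes the JSON produced by `az network nic show-effective-route-table -o json` and reports whether a NIC's internet-bound traffic is actually being sent to the VPN Gateway; it assumes that command's field names (addressPrefix, nextHopType, source, state), and the sample input is constructed.

```python
"""Verify forced tunneling from a NIC's effective routes (added example, not from the guide).

Assumes the JSON shape of `az network nic show-effective-route-table -o json`
(fields addressPrefix, nextHopType, source, state); the sample below is constructed.
"""
import json

# Constructed sample: a NIC in the forced-tunnel subnet after the UDR is associated.
# The system Internet route is superseded (state Invalid); the user route wins.
SAMPLE_FORCED = json.dumps({"value": [
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
     "source": "Default", "state": "Active", "nextHopIpAddress": []},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "source": "Default", "state": "Invalid", "nextHopIpAddress": []},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualNetworkGateway",
     "source": "User", "state": "Active", "nextHopIpAddress": []},
]})


def check_forced_tunnel(effective_routes_json: str) -> dict:
    """Return {'forced': bool, 'via': 'UDR'|'BGP'|None, 'findings': [...]} for one NIC."""
    routes = json.loads(effective_routes_json).get("value", [])
    defaults = [r for r in routes if "0.0.0.0/0" in r.get("addressPrefix", [])]
    active = [r for r in defaults if r.get("state") == "Active"]
    findings, via = [], None

    if not active:
        findings.append("no Active 0.0.0.0/0 route: the subnet has no default path")
    else:
        winner = active[0]  # Azure marks exactly one default route Active
        hop, src = winner.get("nextHopType"), winner.get("source")
        if hop == "VirtualNetworkGateway":
            # source User = the UDR from this guide; anything else = BGP-learned default
            via = "UDR" if src == "User" else "BGP"
        elif src == "Default":
            # The system route is still winning, so the route table is not applied here.
            findings.append("system Internet route still Active: UDR not applied to this subnet")
        else:
            findings.append(f"Active default route uses nextHopType {hop} (source {src}); "
                            "internet traffic does not reach the VPN gateway")

    return {"forced": via is not None, "via": via, "findings": findings}
```

Run it against each NIC in the forced-tunnel subnets; a "via" of "BGP" means the default route came from on-premises advertisement rather than the UDR and will disappear if that advertisement stops.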
User-defined routes (UDRs) take precedence over Azure system routes. Adding a 0.0.0.0/0 UDR with next hop VirtualNetworkGateway ensures that a subnet’s internet-bound traffic is forwarded to the VPN Gateway instead of going directly to the internet.
Forced tunneling can add latency and incur bandwidth costs. It may also prevent direct access to some Azure or third-party services that expect direct outbound connectivity. Identify required service endpoints and plan exceptions or proxy rules before rolling out forced tunneling broadly.
Useful links and references
Resource | Purpose
Azure VPN Gateway overview | VPN types, SKUs, and capabilities
User-defined routes (UDR) overview | Controls routing for subnets
BGP with Azure VPN Gateway | Route propagation and BGP setup
Azure CLI documentation | General Azure CLI usage and reference
Network Security Groups (NSGs) overview | Filtering rules that may affect forwarded traffic
Summary
Configuring forced tunneling in Azure enables centralized inspection and enforcement of outbound traffic policies by sending internet-bound flows from selected subnets over your site-to-site VPN to on-premises security appliances. Use UDRs to override system routes, ensure a route-based VPN gateway, prepare on-prem devices for NAT/inspection/return routing, and validate the design with testing and monitoring before broad deployment.