Forced Tunneling Exceptions with ExpressRoute to Internet

Forced Tunneling Exceptions with ExpressRoute to Internet

Understand what forced tunneling means with ExpressRoute in Azure.

Q. I am using Azure forced tunneling with ExpressRoute but need to offer a service directly to the Internet. How can I do this?

A. This is not possible. Forced tunneling, by definition, sends all traffic via ExpressRoute to on-premises, including outbound Internet traffic from a service. Any virtual network that is connected to ExpressRoute, for example, will send all traffic via ExpressRoute if forced tunelling is enabled by a BGP-defined default route (https://msdn.microsoft.com/en-us/library/azure/dn835140.aspx) for the circuit. This is different from forced tunelling when using a site-to-site VPN, which enables the forced tunelling to be enabled on a per-virtual-subnet basis.

One solution would be to use Network Security Groups (NSG) instead of forced tunelling. With NSGs you can define specific rules for specific types of traffic to flow between different virtual subnets, and also to the Internet from specific virtual subnets.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish