Block Internet traffic in Azure with forced tunneling

Forced tunneling sends all traffic without a more specific route (that is, Internet-bound traffic) over the ExpressRoute connection instead of directly to the Internet, so that it can be inspected by on-premises appliances or services. This is done by advertising a 0.0.0.0/0 route over ExpressRoute. If ExpressRoute goes down, that route disappears and the traffic would go straight to the Internet. If you need to stop that happening, use a Network Security Group with the following two rules:

Priority  Name          Source  Destination     Service           Action
100       AllowLocal    Any     VirtualNetwork  Custom (Any/Any)  Allow
110       DenyInternet  Any     Internet        Custom (Any/Any)  Deny

This works because, while forced tunneling is configured, the 0.0.0.0/0 route is considered part of the VirtualNetwork service tag and is therefore allowed by the first rule. If ExpressRoute goes down, BGP stops advertising 0.0.0.0/0, so those destinations are no longer part of VirtualNetwork; they fall under the Internet service tag instead and are blocked by the second rule.
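As an added illustration (not part of the original post), the following Python models the rule evaluation described above: a constructed VNet prefix, the two rules from the table, and Azure's built-in default outbound rules, with the VirtualNetwork tag modelled per the post as covering 0.0.0.0/0 only while ExpressRoute advertises it. It shows Internet-bound traffic flipping from Allow to Deny when the route is withdrawn, and that without the custom DenyInternet rule the default AllowInternetOutBound rule would let it out.

```python
import ipaddress

# Constructed sample VNet address space; the post's rules do not depend on it.
VNET_PREFIXES = ["10.1.0.0/16"]

# Outbound rules from the post plus Azure's default outbound rules
# (priorities 65000-65500, evaluated after custom rules). Lowest number wins.
RULES = [
    (100,   "AllowLocal",            "VirtualNetwork", "Allow"),
    (110,   "DenyInternet",          "Internet",       "Deny"),
    (65000, "AllowVnetOutBound",     "VirtualNetwork", "Allow"),
    (65001, "AllowInternetOutBound", "Internet",       "Allow"),
    (65500, "DenyAllOutBound",       "Any",            "Deny"),
]
DEFAULT_RULES_ONLY = [r for r in RULES if r[0] >= 65000]


def virtual_network_prefixes(expressroute_up):
    """Prefixes covered by the VirtualNetwork tag in this model.

    Per the post: while BGP over ExpressRoute advertises 0.0.0.0/0, that
    route counts as VirtualNetwork; once withdrawn, only the VNet remains.
    """
    prefixes = [ipaddress.ip_network(p) for p in VNET_PREFIXES]
    if expressroute_up:
        prefixes.append(ipaddress.ip_network("0.0.0.0/0"))
    return prefixes


def destination_tag(dest_ip, expressroute_up):
    """Classify a destination as VirtualNetwork or Internet."""
    ip = ipaddress.ip_address(dest_ip)
    if any(ip in net for net in virtual_network_prefixes(expressroute_up)):
        return "VirtualNetwork"
    return "Internet"


def evaluate(dest_ip, expressroute_up, rules=RULES):
    """Return (action, rule_name) of the first matching rule by priority."""
    tag = destination_tag(dest_ip, expressroute_up)
    for _prio, name, destination, action in sorted(rules):
        if destination in (tag, "Any"):
            return action, name
    raise AssertionError("DenyAllOutBound should always match")


if __name__ == "__main__":
    for up in (True, False):
        for ip in ("10.1.2.3", "8.8.8.8"):
            print(f"ExpressRoute up={up!s:5} dest={ip:10} ->", *evaluate(ip, up))
```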
