Image from: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm
A hybrid cloud project I helped with a while ago required that all outbound traffic generated on Azure be routed back to the ground (the customer's local data center) for filtering. That is where Azure forced tunneling kicks in.
The idea of forced tunneling, and setting it up, is pretty simple. Basically you create a route table using the Azure route table service, attach the route table to the subnet whose traffic you want to force, and that's it!
Azure has a very detailed walkthrough here using PowerShell. I will show it in GUI form.
Scenario
Establish a site-to-site VPN connection between AWS and Azure. I have already done this part; please refer to:
Once established, force outbound traffic generated from Azure to the AWS FortiGate through the VPN connection. In other words, the Azure VM can only access the internet through the AWS FortiGate.
Let's get started!
Assuming you have all the resources already built, such as the VPC, subnets, a VM in a subnet, and the VPN connection established, the last thing left to do is to configure forced tunneling and verify the result.
Go to Route tables and create your route table.
Once done, click into the route table you just created, followed by creating a Route.
Here we are simply defining WHERE we want the traffic to route and WHAT the next hop is. In my configuration, I set ALL traffic to route to VNG, which is the VPN Gateway.
Next we associate a subnet with the route table we just created. This means that all traffic generated within the subnet we applied it to is sent to the VPN Gateway.
A finished view. Of course more subnets can be associated by repeating the association step above.
Lastly, a very CRUCIAL step must be done in PowerShell, not the GUI. You can refer here to Step 7.
# Local network gateway: represents the on-premises (here, AWS) side of the site-to-site VPN
$LocalGateway = Get-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "ForcedTunneling"
# Virtual network gateway: the Azure VPN gateway the route table points at
$VirtualGateway = Get-AzVirtualNetworkGateway -Name "Gateway1" -ResourceGroupName "ForcedTunneling"
# Make the local network gateway the default site, so 0.0.0.0/0 traffic is sent down the tunnel
Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway
What the script does is get your Virtual Network Gateway and Local Network Gateway information; together these two resources make up the VPN service. The last command then sets the gateway default site based on the information acquired previously. I don't know exactly how Set-AzVirtualNetworkGatewayDefaultSite works, but it is the thing that does the magic!
Lastly, verify the connection from the Azure VM. If everything is set up correctly, the Azure VM will be accessing the internet through the FortiGate at AWS!
We can see that the Azure VM has a private IP only, and by checking its outbound IP we find that it is the public IP of the AWS FortiGate.
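The whole procedure above (route table, default route, subnet association, default site) as one Az PowerShell script, with a control-plane check of the VM's effective routes at the end; this is an example added here, not code from the original post or from the Microsoft walkthrough. The resource group and gateway names are the post's; the location, VNet, subnet, route table and NIC names are assumed placeholders.

```powershell
# Added example (not from the original post). Resource group and gateway names come
# from the post; location, VNet, subnet, route table and NIC names are assumptions.
$rg       = "ForcedTunneling"
$location = "eastus"          # assumption
$vnetName = "VNet1"           # assumption
$subnet   = "Subnet1"         # assumption
$rtName   = "RT-ForceToVPN"   # assumption
$nicName  = "vm1-nic"         # assumption: NIC of the VM used for verification

# 1. Route table with a single default route whose next hop is the VPN gateway.
#    0.0.0.0/0 is the "ALL traffic" of the GUI step; VirtualNetworkGateway is "VNG".
$rt = New-AzRouteTable -Name $rtName -ResourceGroupName $rg -Location $location
$rt | Add-AzRouteConfig -Name "DefaultToOnPrem" -AddressPrefix "0.0.0.0/0" `
        -NextHopType VirtualNetworkGateway | Set-AzRouteTable | Out-Null

# 2. Associate the route table with the subnet (the "associate subnet" step).
$vnet      = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnetCfg = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $subnetCfg.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# 3. The CRUCIAL step: make the local network gateway the default site so the VPN
#    gateway actually forwards 0.0.0.0/0 down the site-to-site tunnel.
$LocalGateway   = Get-AzLocalNetworkGateway   -Name "DefaultSiteHQ" -ResourceGroupName $rg
$VirtualGateway = Get-AzVirtualNetworkGateway -Name "Gateway1"      -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway `
    -VirtualNetworkGateway $VirtualGateway | Out-Null

# 4. Verify from the control plane (VM must be running): the active 0.0.0.0/0 route on
#    the VM's NIC should have next hop VirtualNetworkGateway, not Internet.
$effective = Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg
$default   = $effective | Where-Object { $_.AddressPrefix -contains "0.0.0.0/0" }
$default | Format-Table Source, State, AddressPrefix, NextHopType -AutoSize
$active = $default | Where-Object { $_.State -eq "Active" }
if ($active.NextHopType -notcontains "VirtualNetworkGateway") {
    Write-Warning "Active default route does not point at the VPN gateway: forced tunneling is NOT in effect."
}
```

The effective-route check catches the common failure where the route table is created but never associated with the subnet, in which case the VM's active default route still shows NextHopType Internet.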