Block Internet traffic in Azure with forced tunneling
Block the internet if ExpressRoute is down with forced tunneling.
May 13, 2017
Q. I am using forced tunneling with ExpressRoute so all Internet traffic goes via on-premises; however, if ExpressRoute goes down, the traffic goes to the Internet. How can I stop that?
A. Forced tunneling causes all traffic with no more specific route (i.e. Internet-bound traffic) to be sent over the ExpressRoute connection instead of directly to the Internet, so that it can be inspected by on-premises appliances and services. This is done by advertising a 0.0.0.0/0 route. If ExpressRoute goes down, that route disappears and the traffic is sent straight to the Internet. To stop this from happening, use a Network Security Group with the following two rules:
| Priority | Name | Source | Destination | Service | Action |
|---|---|---|---|---|---|
| 100 | AllowLocal | Any | VirtualNetwork | Custom (Any/Any) | Allow |
| 110 | DenyInternet | Any | Internet | Custom (Any/Any) | Deny |
This works because, with forced tunneling configured, the advertised 0.0.0.0/0 route is considered part of the VirtualNetwork service tag, so Internet-bound traffic matches the AllowLocal rule and is allowed. If ExpressRoute goes down, BGP stops advertising 0.0.0.0/0; that traffic then no longer matches VirtualNetwork, matches the Internet tag instead, and is blocked by the DenyInternet rule.
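To make the failover behaviour concrete, here is an added simulation (not code from the original answer or from Azure) of how the outbound NSG rules above are evaluated as the VirtualNetwork tag grows and shrinks with the advertised 0.0.0.0/0 route. It assumes a constructed VNet address space of 10.1.0.0/16, treats the Internet tag simply as "anything not in VirtualNetwork", and includes Azure's default outbound rules (AllowVnetOutBound 65000, AllowInternetOutBound 65001, DenyAllOutBound 65500) so the leak without the custom DenyInternet rule is visible.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example VNet address space (assumption, not from the page).
VNET_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first
    name: str
    destination: str   # service tag: "VirtualNetwork", "Internet" or "Any"
    action: str        # "Allow" or "Deny"


# The two custom rules from the answer above (Source Any, Service Any/Any).
CUSTOM_RULES = [
    Rule(100, "AllowLocal", "VirtualNetwork", "Allow"),
    Rule(110, "DenyInternet", "Internet", "Deny"),
]

# Azure's built-in default outbound rules, evaluated after any custom rule.
DEFAULT_OUTBOUND = [
    Rule(65000, "AllowVnetOutBound", "VirtualNetwork", "Allow"),
    Rule(65001, "AllowInternetOutBound", "Internet", "Allow"),
    Rule(65500, "DenyAllOutBound", "Any", "Deny"),
]


def in_virtual_network(dest, learned_routes):
    """VirtualNetwork tag = VNet address space plus prefixes learned from
    ExpressRoute/BGP, which include 0.0.0.0/0 while forced tunneling is up."""
    prefixes = VNET_PREFIXES + [ipaddress.ip_network(r) for r in learned_routes]
    return any(dest in p for p in prefixes)


def matches(rule, dest, learned_routes):
    if rule.destination == "Any":
        return True
    vnet = in_virtual_network(dest, learned_routes)
    # Simplification: Internet tag is everything outside VirtualNetwork.
    return vnet if rule.destination == "VirtualNetwork" else not vnet


def evaluate(dest_ip, learned_routes, custom_rules=()):
    """Return the action of the first rule (by priority) matching dest_ip."""
    dest = ipaddress.ip_address(dest_ip)
    for rule in sorted(list(custom_rules) + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if matches(rule, dest, learned_routes):
            return rule.action
    return "Deny"  # unreachable: DenyAllOutBound always matches


if __name__ == "__main__":
    for routes in (["0.0.0.0/0"], []):  # ExpressRoute up, then down
        print(routes, "->", evaluate("8.8.8.8", routes, CUSTOM_RULES))
```

With the custom rules in place the public destination is allowed only while 0.0.0.0/0 is advertised; with only the default rules it is allowed in both states, which is the leak the question describes.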