title: 'About forced tunneling and split tunneling'
3
-
description: Learn about forced tunneling and split tunneling for VPN Gateway site-to-site connections
2
+
title: 'About forced tunneling for site-to-site'
3
+
description: Learn about forced tunneling and split tunneling via UDRs for VPN Gateway site-to-site connections
4
4
titleSuffix: Azure VPN Gateway
5
5
author: cherylmc
6
6
ms.service: vpn-gateway
7
7
ms.topic: conceptual
8
-
ms.date: 08/01/2023
8
+
ms.date: 08/04/2023
9
9
ms.author: cherylmc
10
10
---
11
11
12
-
# About split tunneling and forced tunneling for site-to-site configurations
12
+
# About forced tunneling for site-to-site configurations
13
13
14
-
This article helps you understand the difference between forced tunneling and split tunneling for VPN Gateway site-to-site (S2S) IPsec connections. By default, Internet-bound traffic from your workloads and VMs within a virtual network is sent directly to the Internet.
14
+
This article helps you understand how forced tunneling works for site-to-site (S2S) IPsec connections. By default, Internet-bound traffic from your workloads and VMs within a virtual network is sent directly to the Internet.
15
15
16
16
Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via S2S VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies. Unauthorized Internet access can potentially lead to information disclosure or other types of security breaches.
17
17
18
-
In some cases, you may want specific subnets to send and receive Internet traffic directly, without going through an on-premises location for inspection and auditing. You can specify this split tunneling behavior using [custom user-defined routes](../virtual-network/virtual-networks-udr-overview.md#user-defined) (UDRs). After configuring forced tunneling, specify a custom UDR for the subnet(s) for which you want to split tunnel Internet traffic. All other subnets continue to be force tunneled to the on-premises location.
18
+
In some cases, you may want specific subnets to send and receive Internet traffic directly, without going through an on-premises location for inspection and auditing. One way to achieve this is to specify routing behavior using [custom user-defined routes](../virtual-network/virtual-networks-udr-overview.md#user-defined) (UDRs). After configuring forced tunneling, specify a custom UDR for the subnet(s) for which you want to send Internet traffic directly to the Internet (not to the on-premises location). In this type of configuration, only the subnets that have a specified UDR send Internet traffic directly to the Internet. Other subnets continue to have Internet traffic force-tunneled to the on-premises location.
19
19
20
-
Split tunneling configurations can also be used when working with peered VNets. A custom UDR can be applied to a subnet of a peered VNet that traverses through the VNet containing the VPN Gateway S2S connection.
20
+
You can also create this type of configuration when working with peered VNets. A custom UDR can be applied to a subnet of a peered VNet that traverses through the VNet containing the VPN Gateway S2S connection.
21
21
22
22
## Considerations
23
23
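Review bot: the front-matter description line ("Learn about forced tunneling and split tunneling via UDRs for VPN Gateway site-to-site connections") still uses the "split tunneling" term that this change removes from the title, the H1 and the body, so the metadata now disagrees with the page; update it in the same change, for example "Learn about forced tunneling, and about routing Internet-bound traffic from selected subnets directly to the Internet via UDRs, for VPN Gateway site-to-site connections". In the rewritten paragraph about custom UDRs, "send Internet traffic directly to the Internet" appears twice in consecutive sentences; use it once and then say what the configuration means for the security posture the earlier paragraph describes, i.e. that a subnet given such a UDR is exempt from the on-premises inspection and auditing, so each of these UDRs is a policy exception worth reviewing.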
@@ -29,32 +29,32 @@ Forced tunneling is configured using Azure PowerShell. You can't configure force
29
29
***On-premises routes:** To the Azure VPN gateway.
30
30
***Default route:** Directly to the Internet. Packets destined to the private IP addresses not covered by the previous two routes are dropped.
31
31
32
-
*Forced tunneling must be associated with a VNet that has a route-based VPN gateway. Your forced tunneling configuration overrides the default route for any subnet in its VNet. You need to set a "default site" among the cross-premises local sites connected to the virtual network. Also, the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.
32
+
*In this scenario, forced tunneling must be associated with a VNet that has a route-based VPN gateway. Your forced tunneling configuration overrides the default route for any subnet in its VNet. You need to set a "default site" among the cross-premises local sites connected to the virtual network. Also, the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.
33
33
34
34
* ExpressRoute forced tunneling isn't configured via this mechanism, but instead, is enabled by advertising a default route via the ExpressRoute BGP peering sessions. For more information, see the [ExpressRoute Documentation](../expressroute/index.yml).
35
35
36
36
## Forced tunneling
37
37
38
-
The following example shows all traffic being forced through the VPN gateway back to the on-premises location for inspection and auditing. Configure [forced tunneling](site-to-site-tunneling.md) by specifying a default site.
38
+
The following example shows all Internet traffic being forced through the VPN gateway back to the on-premises location for inspection and auditing. Configure [forced tunneling](site-to-site-tunneling.md) by specifying a default site.
You may want Internet-bound traffic from certain subnets (but not all subnets) to traverse from the Azure network infrastructure directly out to the Internet. This scenario can be configured using a combination of forced tunneling and virtual network custom user-defined routes. For steps, see [Split tunneling](site-to-site-tunneling.md).
46
+
You may want Internet-bound traffic from certain subnets (but not all subnets) to traverse from the Azure network infrastructure directly out to the Internet. This scenario can be configured using a combination of forced tunneling and virtual network custom user-defined routes. For steps, see [Forced tunneling and UDRs](site-to-site-tunneling.md).
***Frontend subnet**: Internet-bound traffic is split tunneled directly to the Internet using a custom UDR that specifies this setting. The workloads in the Frontend subnet can accept and respond to customer requests from the Internet directly.
52
+
***Frontend subnet**: Internet-bound traffic is tunneled directly to the Internet using a custom UDR that specifies this setting. The workloads in the Frontend subnet can accept and respond to customer requests from the Internet directly.
53
53
54
54
***Mid-tier and Backend subnets**: These subnets continue to be force tunneled because a default site has been specified for the VPN gateway. Any outbound connections from these two subnets to the Internet are forced or redirected back to an on-premises site via S2S VPN tunnels through the VPN gateway.
55
55
56
56
## Next steps
57
57
58
-
* See [How to configure split tunneling and forced tunneling for VPN Gateway S2S connections](site-to-site-tunneling.md).
58
+
* See [How to configure forced tunneling for VPN Gateway S2S connections](site-to-site-tunneling.md).
59
59
60
60
* For more information about virtual network traffic routing, see [VNet traffic routing](../virtual-network/virtual-networks-udr-overview.md).
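Review bot: in the Frontend subnet bullet, "Internet-bound traffic is tunneled directly to the Internet using a custom UDR" is misleading, because a UDR with an Internet next hop does not tunnel anything; it sends the traffic out through the Azure network edge instead of through the VPN tunnel. Suggest "Internet-bound traffic is routed directly to the Internet using a custom UDR", which also matches "route Internet-bound traffic directly to the Internet" as used in the how-to article in this same change. Smaller point: "In this scenario, forced tunneling must be associated with a VNet that has a route-based VPN gateway" leaves "this scenario" undefined inside a Considerations list; "For site-to-site forced tunneling, ..." says what is meant.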
articles/vpn-gateway/site-to-site-tunneling.md (11 additions & 11 deletions)
@@ -1,27 +1,27 @@
1
1
---
2
-
title: 'Configure split or forced tunneling for site-to-site connections: PowerShell'
2
+
title: 'Configure forced tunneling for site-to-site connections: PowerShell'
3
3
description: Learn how to split or force tunnel traffic for VPN Gateway site-to-site connections using PowerShell.
4
4
titleSuffix: Azure VPN Gateway
5
5
author: cherylmc
6
6
ms.service: vpn-gateway
7
7
ms.topic: how-to
8
-
ms.date: 08/01/2023
8
+
ms.date: 08/04/2023
9
9
ms.author: cherylmc
10
10
---
11
-
# Configure forced tunneling and split tunneling for site-to-site connections
11
+
# Configure forced tunneling for site-to-site connections
12
12
13
-
The steps in this article help you configure forced tunneling and split tunneling for site-to-site (S2S) IPsec connections. For more information, see [About forced tunneling and split tunneling for VPN Gateway](about-site-to-site-tunneling.md).
13
+
The steps in this article help you configure forced tunneling for site-to-site (S2S) IPsec connections. For more information, see [About forced tunneling for VPN Gateway](about-site-to-site-tunneling.md).
14
14
15
-
By default, Internet-bound traffic from your VMs goes directly to the Internet via the VPN gateway S2S connection. If you want to force all Internet-bound traffic through the VPN gateway to an on-premises site for inspection and auditing, you can do so by configuring **forced tunneling**. After you configure forced tunneling, if desired, you can split tunnel Internet-bound traffic for specified subnets using custom user-defined routes (UDRs).
15
+
By default, Internet-bound traffic from your VMs goes directly to the Internet. If you want to force all Internet-bound traffic through the VPN gateway to an on-premises site for inspection and auditing, you can do so by configuring **forced tunneling**. After you configure forced tunneling, if desired, you can route Internet-bound traffic directly to the Internet for specified subnets using custom user-defined routes (UDRs).
The following steps help you configure a forced tunneling scenario by specifying a default site. Optionally, using custom UDR, you can then split tunnel traffic by specifying that Internet-bound traffic from the Frontend subnet goes directly to the Internet, instead of to the on-premises site.
19
+
The following steps help you configure a forced tunneling scenario by specifying a default site. Optionally, using custom UDR, you can route traffic by specifying that Internet-bound traffic from the Frontend subnet goes directly to the Internet, rather than to the on-premises site.
20
20
21
21
* The VNet you create has three subnets: Frontend, Mid-tier, and Backend with four cross-premises connections: DefaultSiteHQ, and three branches.
22
-
* You specify the default site for your VPN gateway using PowerShell, which forces all traffic back to the on-premises location. The default site can't be configured using the Azure portal.
23
-
* The Frontend subnet is assigned a UDR to send traffic directly to the Internet, bypassing the VPN gateway.
24
-
* The Mid-tier and Backend subnets continue to have traffic force tunneled back to the on-premises site via the VPN gateway because a default site is specified.
22
+
* You specify the default site for your VPN gateway using PowerShell, which forces all Internet traffic back to the on-premises location. The default site can't be configured using the Azure portal.
23
+
* The Frontend subnet is assigned a UDR to send Internet traffic directly to the Internet, bypassing the VPN gateway. Other traffic is routed normally.
24
+
* The Mid-tier and Backend subnets continue to have Internet traffic force tunneled back to the on-premises site via the VPN gateway because a default site is specified.
25
25
26
26
## Create a VNet and subnets
27
27
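Review bot: the description line "Learn how to split or force tunnel traffic for VPN Gateway site-to-site connections using PowerShell." is left as unchanged context, but the title directly above it and the H1 both drop "split", so the page metadata now contradicts its own heading; update it here, e.g. "Learn how to configure forced tunneling for VPN Gateway site-to-site connections using PowerShell." Also, "Other traffic is routed normally." in the Frontend subnet bullet is vague about which traffic and which routes; something like "Traffic to the VNet and on-premises address prefixes still follows the existing VNet and gateway routes" tells the reader that only the default route is overridden for that subnet.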
@@ -134,7 +134,7 @@ To assign a default site for the gateway, you use the **-GatewayDefaultSite** pa
134
134
135
135
At this point, all Internet-bound traffic is now configured to be force tunneled to *DefaultSiteHQ*. Note that the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.
136
136
137
-
* If you want to only configure forced tunneling, and not split tunnel Internet traffic for specific subnets, you can skip to the [Establish Connections](#establish-s2s-vpn-connections) section of this article to create your connections.
137
+
* If you want to only configure forced tunneling, and not route Internet traffic directly to the Internet for specific subnets, you can skip to the [Establish Connections](#establish-s2s-vpn-connections) section of this article to create your connections.
138
138
* If you want specific subnets to send Internet-bound traffic directly to the Internet, continue with the next sections to configure custom UDRs and assign routes.
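Review bot: "and not route Internet traffic directly to the Internet for specific subnets" is a long way of saying that no subnet is exempted; "If you want to configure forced tunneling only, without exempting any subnets via UDR, ..." is shorter and keeps the terminology this change introduces. Also, the link text "Establish Connections" does not match its anchor "#establish-s2s-vpn-connections", which implies a heading titled "Establish S2S VPN connections"; make the link text match the heading so the cross-reference is easy to find.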