
Commit 7fa45a4

Author: Jill Grant
Merge pull request #252639 from cherylmc/vpn-forced-tunnel
Add BGP
2 parents 1f3527d + 4f9bf34 commit 7fa45a4

2 files changed: 37 additions and 46 deletions

Lines changed: 16 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,11 @@
11
---
22
title: 'About forced tunneling for site-to-site'
3-
description: Learn about forced tunneling and split tunneling via UDRs for VPN Gateway site-to-site connections
3+
description: Learn about forced tunneling methods for VPN Gateway site-to-site connections.
44
titleSuffix: Azure VPN Gateway
55
author: cherylmc
66
ms.service: vpn-gateway
77
ms.topic: conceptual
8-
ms.date: 08/04/2023
8+
ms.date: 09/22/2023
99
ms.author: cherylmc
1010
---
1111

@@ -15,46 +15,33 @@ This article helps you understand how forced tunneling works for site-to-site (S
1515

1616
Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via S2S VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies. Unauthorized Internet access can potentially lead to information disclosure or other types of security breaches.
1717

18-
In some cases, you may want specific subnets to send and receive Internet traffic directly, without going through an on-premises location for inspection and auditing. One way to achieve this is to specify routing behavior using [custom user-defined routes](../virtual-network/virtual-networks-udr-overview.md#user-defined) (UDRs). After configuring forced tunneling, specify a custom UDR for the subnet(s) for which you want to send Internet traffic directly to the Internet (not to the on-premises location). In this type of configuration, only the subnets that have a specified UDR send Internet traffic directly to the Internet. Other subnets continue to have Internet traffic force-tunneled to the on-premises location.
18+
The following example shows all Internet traffic being forced through the VPN gateway back to the on-premises location for inspection and auditing.
1919

20-
You can also create this type of configuration when working with peered VNets. A custom UDR can be applied to a subnet of a peered VNet that traverses through the VNet containing the VPN Gateway S2S connection.
21-
22-
## Considerations
23-
24-
Forced tunneling is configured using Azure PowerShell. You can't configure forced tunneling using the Azure portal.
25-
26-
* Each virtual network subnet has a built-in, system routing table. The system routing table has the following three groups of routes:
27-
28-
* **Local VNet routes:** Directly to the destination VMs in the same virtual network.
29-
* **On-premises routes:** To the Azure VPN gateway.
30-
* **Default route:** Directly to the Internet. Packets destined to the private IP addresses not covered by the previous two routes are dropped.
31-
32-
* In this scenario, forced tunneling must be associated with a VNet that has a route-based VPN gateway. Your forced tunneling configuration overrides the default route for any subnet in its VNet. You need to set a "default site" among the cross-premises local sites connected to the virtual network. Also, the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.
33-
34-
* ExpressRoute forced tunneling isn't configured via this mechanism, but instead, is enabled by advertising a default route via the ExpressRoute BGP peering sessions. For more information, see the [ExpressRoute Documentation](../expressroute/index.yml).
20+
:::image type="content" source="./media/about-site-to-site-tunneling/forced-tunnel.png" alt-text="Diagram shows forced tunneling." lightbox="./media/about-site-to-site-tunneling/forced-tunnel-high-res.png":::
3521

36-
## Forced tunneling
22+
## Configuration methods for forced tunneling
3723

38-
The following example shows all Internet traffic being forced through the VPN gateway back to the on-premises location for inspection and auditing. Configure [forced tunneling](site-to-site-tunneling.md) by specifying a default site.
24+
There are a few different ways that you can configure forced tunneling.
3925

40-
**Forced tunneling example**
26+
### Configure using BGP
4127

42-
:::image type="content" source="./media/about-site-to-site-tunneling/forced-tunnel.png" alt-text="Diagram shows forced tunneling." lightbox="./media/about-site-to-site-tunneling/forced-tunnel-high-res.png":::
28+
You can configure forced tunneling for VPN Gateway via BGP. You need to advertise a default rout of 0.0.0.0/0 via BGP from your on-premises location to Azure so that all your Azure traffic is sent via the VPN Gateway S2S tunnel.
4329

44-
## Forced tunneling and UDRs
30+
### Configure using Default Site
4531

46-
You may want Internet-bound traffic from certain subnets (but not all subnets) to traverse from the Azure network infrastructure directly out to the Internet. This scenario can be configured using a combination of forced tunneling and virtual network custom user-defined routes. For steps, see [Forced tunneling and UDRs](site-to-site-tunneling.md).
32+
You can configure forced tunneling by setting the Default Site for your route-based VPN gateway. For steps, see [Forced tunneling via Default Site](site-to-site-tunneling.md).
4733

48-
**Forced tunneling and UDRs example**
34+
* You assign a Default Site for the virtual network gateway using PowerShell.
35+
* The on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.
4936

50-
:::image type="content" source="./media/about-site-to-site-tunneling/tunnel-user-defined-routing.png" alt-text="Diagram shows split tunneling." lightbox="./media/about-site-to-site-tunneling/tunnel-user-defined-routing-high-res.png":::
37+
## Routing Internet-bound traffic for specific subnets
5138

52-
* **Frontend subnet**: Internet-bound traffic is tunneled directly to the Internet using a custom UDR that specifies this setting. The workloads in the Frontend subnet can accept and respond to customer requests from the Internet directly.
39+
By default, all Internet-bound traffic goes directly to the Internet if you don't have forced tunneling configured. When forced tunneling is configured, all Internet-bound traffic is sent to your on-premises location.
5340

54-
* **Mid-tier and Backend subnets**: These subnets continue to be force tunneled because a default site has been specified for the VPN gateway. Any outbound connections from these two subnets to the Internet are forced or redirected back to an on-premises site via S2S VPN tunnels through the VPN gateway.
41+
In some cases, you may want Internet-bound traffic only from certain subnets (but not all subnets) to traverse from the Azure network infrastructure directly out to the Internet, rather than to your on-premises location. This scenario can be configured using a combination of forced tunneling and virtual network custom user-defined routes (UDRs). For steps, see [Route Internet-bound traffic for specific subnets](site-to-site-tunneling.md#udr).
5542

5643
## Next steps
5744

58-
* See [How to configure forced tunneling for VPN Gateway S2S connections](site-to-site-tunneling.md).
45+
* See [How to configure forced tunneling via Default Site for VPN Gateway S2S connections](site-to-site-tunneling.md).
5946

6047
* For more information about virtual network traffic routing, see [VNet traffic routing](../virtual-network/virtual-networks-udr-overview.md).

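Review bot: line 28+ has a typo, "default rout of 0.0.0.0/0" should be "default route of 0.0.0.0/0", and the same sentence overstates the effect: advertising 0.0.0.0/0 over BGP pulls Internet-bound traffic into the S2S tunnel, while traffic to the VNet's own address space and to any more-specific route still follows the system and learned routes, so "all your Azure traffic" should read "all Internet-bound traffic", which is how line 39+ already phrases it. The new BGP subsection also loses two facts that the deleted Considerations block carried: the requirement that the on-premises VPN device use 0.0.0.0/0 as traffic selectors now appears only under Default Site (line 35+), so say whether it applies to the BGP method too, and the pointer that ExpressRoute forced tunneling is done through its own BGP peering rather than this mechanism has no replacement; with a section now named "Configure using BGP", a reader is likely to conflate the two, so keep a one-line pointer to the ExpressRoute documentation. The deleted line 20 note that a UDR can be applied to a subnet in a peered VNet that transits the gateway VNet is dropped without replacement as well.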
articles/vpn-gateway/site-to-site-tunneling.md

Lines changed: 21 additions & 17 deletions
@@ -1,28 +1,28 @@
11
---
2-
title: 'Configure forced tunneling for site-to-site connections: PowerShell'
3-
description: Learn how to split or force tunnel traffic for VPN Gateway site-to-site connections using PowerShell.
2+
title: 'Configure forced tunneling for S2S connections - Default Site: PowerShell'
3+
description: Learn how to force tunnel traffic for VPN Gateway site-to-site connections by specifying the Default Site setting - PowerShell. Also learn how to specify Internet-bound traffic routing for specific subnets.
44
titleSuffix: Azure VPN Gateway
55
author: cherylmc
66
ms.service: vpn-gateway
77
ms.custom: devx-track-azurepowershell
88
ms.topic: how-to
9-
ms.date: 08/04/2023
9+
ms.date: 09/22/2023
1010
ms.author: cherylmc
1111
---
12-
# Configure forced tunneling for site-to-site connections
12+
# Configure forced tunneling using Default Site for site-to-site connections
1313

14-
The steps in this article help you configure forced tunneling for site-to-site (S2S) IPsec connections. For more information, see [About forced tunneling for VPN Gateway](about-site-to-site-tunneling.md).
14+
The steps in this article help you configure forced tunneling for site-to-site (S2S) IPsec connections by specifying a Default Site. For information about configuration methods for forced tunneling, including configuring forced tunneling via BGP, see [About forced tunneling for VPN Gateway](about-site-to-site-tunneling.md).
1515

1616
By default, Internet-bound traffic from your VMs goes directly to the Internet. If you want to force all Internet-bound traffic through the VPN gateway to an on-premises site for inspection and auditing, you can do so by configuring **forced tunneling**. After you configure forced tunneling, if desired, you can route Internet-bound traffic directly to the Internet for specified subnets using custom user-defined routes (UDRs).
1717

1818
:::image type="content" source="./media/about-site-to-site-tunneling/tunnel-user-defined-routing.png" alt-text="Diagram shows split tunneling." lightbox="./media/about-site-to-site-tunneling/tunnel-user-defined-routing-high-res.png":::
1919

20-
The following steps help you configure a forced tunneling scenario by specifying a default site. Optionally, using custom UDR, you can route traffic by specifying that Internet-bound traffic from the Frontend subnet goes directly to the Internet, rather than to the on-premises site.
20+
The following steps help you configure a forced tunneling scenario by specifying a Default Site. Optionally, using custom UDR, you can route traffic by specifying that Internet-bound traffic from the Frontend subnet goes directly to the Internet, rather than to the on-premises site.
2121

2222
* The VNet you create has three subnets: Frontend, Mid-tier, and Backend with four cross-premises connections: DefaultSiteHQ, and three branches.
23-
* You specify the default site for your VPN gateway using PowerShell, which forces all Internet traffic back to the on-premises location. The default site can't be configured using the Azure portal.
23+
* You specify the Default Site for your VPN gateway using PowerShell, which forces all Internet traffic back to the on-premises location. The Default Site can't be configured using the Azure portal.
2424
* The Frontend subnet is assigned a UDR to send Internet traffic directly to the Internet, bypassing the VPN gateway. Other traffic is routed normally.
25-
* The Mid-tier and Backend subnets continue to have Internet traffic force tunneled back to the on-premises site via the VPN gateway because a default site is specified.
25+
* The Mid-tier and Backend subnets continue to have Internet traffic force tunneled back to the on-premises site via the VPN gateway because a Default Site is specified.
2626

2727
## Create a VNet and subnets
2828

@@ -114,31 +114,35 @@ In this section, you request a public IP address and create a VPN gateway that's
114114
New-AzVirtualNetworkGateway -Name "VNet1GW" -ResourceGroupName "TestRG1" -Location "EastUS" -IpConfigurations $gwipconfig -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku VpnGw2 -VpnGatewayGeneration "Generation2"
115115
```
116116

117-
## Configure forced tunneling
117+
## Configure forced tunneling - Default Site
118118

119-
Configure forced tunneling by assigning a default site to the virtual network gateway. If you don't specify a default site, Internet traffic isn't forced through the VPN gateway and will, instead, traverse directly out to the Internet for all subnets (by default).
119+
Configure forced tunneling by assigning a Default Site to the virtual network gateway. If you don't specify a Default Site, Internet traffic isn't forced through the VPN gateway and will, instead, traverse directly out to the Internet for all subnets (by default).
120120

121-
To assign a default site for the gateway, you use the **-GatewayDefaultSite** parameter. Be sure to assign this properly.
121+
To assign a Default Site for the gateway, you use the **-GatewayDefaultSite** parameter. Be sure to assign this properly.
122122

123-
1. First, declare the variables that specify the virtual network gateway information and the local network gateway for the default site, in this case, DefaultSiteHQ.
123+
1. First, declare the variables that specify the virtual network gateway information and the local network gateway for the Default Site, in this case, DefaultSiteHQ.
124124

125125
```azurepowershell-interactive
126126
$LocalGateway = Get-AzLocalNetworkGateway -Name "DefaultSiteHQ" -ResourceGroupName "TestRG1"
127127
$VirtualGateway = Get-AzVirtualNetworkGateway -Name "VNet1GW" -ResourceGroupName "TestRG1"
128128
```
129129

130-
1. Next, set the virtual network gateway default site using [Set-AzVirtualNetworkGatewayDefaultSite](/powershell/module/az.network/set-azvirtualnetworkgatewaydefaultsite).
130+
1. Next, set the virtual network gateway Default Site using [Set-AzVirtualNetworkGatewayDefaultSite](/powershell/module/az.network/set-azvirtualnetworkgatewaydefaultsite).
131131

132132
```azure-powershell-interactive
133133
Set-AzVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway
134134
```
135135

136-
At this point, all Internet-bound traffic is now configured to be force tunneled to *DefaultSiteHQ*. Note that the on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.
136+
At this point, all Internet-bound traffic is now configured to be force tunneled to *DefaultSiteHQ*. The on-premises VPN device must be configured using 0.0.0.0/0 as traffic selectors.
137137

138138
* If you want to only configure forced tunneling, and not route Internet traffic directly to the Internet for specific subnets, you can skip to the [Establish Connections](#establish-s2s-vpn-connections) section of this article to create your connections.
139139
* If you want specific subnets to send Internet-bound traffic directly to the Internet, continue with the next sections to configure custom UDRs and assign routes.
140140

141-
## Create route tables and routes
141+
## <a name="udr"></a>Route Internet-bound traffic for specific subnets
142+
143+
As an option, if you want Internet-bound traffic to be sent directly to the Internet for specific subnets (rather than to your on-premises network), use the following steps. These steps apply to forced tunneling that has been configured either by specifying a Default Site, or that has been configured via BGP.
144+
145+
### Create route tables and routes
142146

143147
To specify that Internet-bound traffic should go directly to the Internet, create the necessary route table and route. You'll later assign the route table to the Frontend subnet.
144148

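Review bot: the code fence at line 132 is tagged `azure-powershell-interactive` while the one at line 125 is tagged `azurepowershell-interactive`; the hyphenated form is a different identifier, so the second block will not render or run inline like the first, and it should be made to match. Line 121+ still ends with "Be sure to assign this properly.", which tells the reader nothing; state what a wrong value does, namely that -GatewayDefaultSite must reference the local network gateway of the site that is meant to receive the 0.0.0.0/0 traffic, and that pointing it at one of the branch local network gateways sends every subnet's Internet-bound traffic to that branch instead. Line 143+ says the UDR steps also apply to BGP-configured forced tunneling; since line 24 describes the Frontend route as bypassing the VPN gateway, add a sentence here that a route table carrying 0.0.0.0/0 with next hop Internet is an exception to the inspection path and should be attached only to the subnets that need it. Finally, line 138 tells readers who want forced tunneling alone to skip to the Establish Connections section, but the new `## <a name="udr"></a>` heading at line 141+ together with the `###` demotion in the last hunk turns that section into a child of the optional UDR section, so the skip link lands inside material the reader was told to skip.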
@@ -164,7 +168,7 @@ To specify that Internet-bound traffic should go directly to the Internet, creat
164168
| Set-AzRouteTable
165169
```
166170

167-
## Assign routes
171+
### Assign routes
168172

169173
In this section, you assign the route table and routes to the Frontend subnet using the following PowerShell commands: [GetAzRouteTable](/powershell/module/az.network/get-azroutetable), [Set-AzRouteConfig](/powershell/module/az.network/set-azrouteconfig), and [Set-AzVirtualNetwork](/powershell/module/az.network/set-azvirtualnetwork).
170174

@@ -183,7 +187,7 @@ In this section, you assign the route table and routes to the Frontend subnet us
183187
Set-AzVirtualNetwork
184188
```
185189

186-
## Establish S2S VPN connections
190+
### Establish S2S VPN connections
187191

188192
Use [New-AzVirtualNetworkGatewayConnection](/powershell/module/az.network/new-azvirtualnetworkgatewayconnection) to establish the S2S connections.
189193

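Review bot: demoting `## Establish S2S VPN connections` to `###` at line 190 nests it under the optional `## Route Internet-bound traffic for specific subnets` heading added in the earlier hunk, but creating the connections is required whether or not UDRs are used, and line 138 of this file directs UDR-free readers straight to it. Keep this heading at `##` so the optional UDR material ends with `### Assign routes` and the connection step stands on its own.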