
Technical Lab: Configure Forced Tunneling

Questions

Question 1 - Multiple Choice

A company requires that all outbound traffic from VMs in a VNet be inspected by an on-premises corporate firewall before reaching the internet. The network engineer configures forced tunneling via a custom route with prefix 0.0.0.0/0 pointing to the VPN gateway.

What is the correct next hop type to be defined in this User Defined Route (UDR) to direct traffic to the VPN gateway?

A) Internet
B) VirtualNetworkGateway
C) VirtualAppliance
D) VnetLocal


Question 2 - Technical Scenario

An administrator configures forced tunneling in a VNet with two subnets: AppSubnet and GatewaySubnet. He associates a route table with the route 0.0.0.0/0 → VirtualNetworkGateway directly to the GatewaySubnet.

After the configuration, the VPN tunnel to on-premises stops working and connectivity to the VNet is lost.

What is the most likely cause of this behavior?

A) The prefix 0.0.0.0/0 is not supported in UDRs associated with any subnet.
B) The VPN gateway does not support traffic routing with forced tunneling active.
C) Route tables with custom routes should not be associated with GatewaySubnet, as this can break gateway behavior.
D) The route should use the Internet next hop instead of VirtualNetworkGateway for return traffic.


Question 3 - Multiple Choice

An organization uses Azure Virtual WAN with branches connected via Site-to-Site VPN. The security team requests that all internet traffic from branches be routed through the central hub before exiting to the internet, using forced tunneling.

Which configuration enables this behavior in the Virtual WAN context?

A) Create UDRs with 0.0.0.0/0 in each spoke VNet and associate them with the default subnet.
B) Enable the "Enable internet security" option on the branch VPN connection and configure a static route 0.0.0.0/0 in the hub pointing to an NVA or Azure Firewall.
C) Configure BGP to advertise the prefix 0.0.0.0/0 from the hub to branches via route policy.
D) Associate a route table to the Virtual WAN hub with next hop VirtualNetworkGateway.


Question 4 - Technical Scenario

An engineer needs to implement forced tunneling in a VNet that doesn't yet have a provisioned VPN gateway. He executes the following steps:

# Step 1: Create gateway subnet
az network vnet subnet create \
--name GatewaySubnet \
--vnet-name MyVNet \
--resource-group MyRG \
--address-prefix 10.0.255.0/27

# Step 2: Create route table and associate with AppSubnet
az network route-table create --name ForcedTunnelRT --resource-group MyRG
az network route-table route create \
--route-table-name ForcedTunnelRT \
--name DefaultRoute \
--address-prefix 0.0.0.0/0 \
--next-hop-type VirtualNetworkGateway \
--resource-group MyRG

# Step 3: Associate route table with AppSubnet (not GatewaySubnet)
az network vnet subnet update \
--name AppSubnet \
--vnet-name MyVNet \
--resource-group MyRG \
--route-table ForcedTunnelRT

After execution, no traffic is redirected to on-premises. What is the root cause?

A) The prefix 0.0.0.0/0 in UDRs only works when the next hop is VirtualAppliance.
B) The route table was associated with AppSubnet instead of GatewaySubnet, which is mandatory for forced tunneling.
C) The VPN gateway has not yet been provisioned, therefore the next hop VirtualNetworkGateway has no resolvable destination to forward traffic to.
D) The /27 size of GatewaySubnet is insufficient and prevents gateway provisioning, blocking routing.


Question 5 - True or False

When enabling forced tunneling in a VNet, all traffic from configured subnets, including traffic destined for Azure PaaS services accessed through their public IP addresses, will be redirected through the VPN tunnel to on-premises, unless Private Endpoints or Service Endpoints are configured for those services.

Is this statement true or false?


Answer Key and Explanations

Answer Key - Question 1

Answer: B

The VirtualNetworkGateway next hop is the correct type in a UDR when you want to redirect traffic through the VNet's VPN gateway. This next hop instructs Azure to forward matching packets to the gateway provisioned in the GatewaySubnet.

The distractor VirtualAppliance would be used if the forced tunneling destination were an NVA (Network Virtual Appliance), such as a third-party firewall or Azure Firewall itself, and would require specifying the appliance's private IP. The distractor Internet instructs Azure to route directly to the internet, nullifying any forced tunneling intention. VnetLocal represents internal VNet routing, without gateway or internet exit.


Answer Key - Question 2

Answer: C

The GatewaySubnet is a subnet managed internally by Azure and has explicit configuration restrictions. Associating a custom route table with it, especially with routes that alter default next hop behavior, can interfere with the VPN gateway's control plane, causing tunnel maintenance failures and connectivity loss.

Microsoft documentation is clear in stating that route tables should not be associated with GatewaySubnet. This is one of the most common traps in forced tunneling scenarios, because the route table ends up attached to the wrong subnet. Forced tunneling UDRs should be applied to workload subnets, such as AppSubnet, WebSubnet, etc.


Answer Key - Question 3

Answer: B

In the Azure Virtual WAN context, the forced tunneling mechanism for branches differs from the classic VNet model with UDRs. The Enable internet security option on the branch VPN connection is the control that instructs the hub to inspect and redirect the branch's internet traffic. Combined with a 0.0.0.0/0 route in the hub pointing to Azure Firewall or NVA, this configuration implements behavior equivalent to forced tunneling.

Associating UDRs directly to the Virtual WAN hub is not the correct mechanism; Virtual WAN hubs use hub route tables with a different model from classic VNets. BGP propagation of 0.0.0.0/0 can be part of advanced solutions, but is not the primary and managed mechanism for this scenario in Virtual WAN.


Answer Key - Question 4

Answer: C

The VirtualNetworkGateway next hop type in a UDR requires that a VPN gateway be provisioned and in operational state in the VNet. Without the gateway, Azure has nowhere to forward traffic matching that route, and redirection simply doesn't occur. The route table configuration is correct in terms of structure and association (applied to AppSubnet, not GatewaySubnet).

The distractor about /27 is plausible because this size is the minimum recommended for gateways with advanced features like high-availability VPN Gateway, but a /27 is valid and doesn't prevent provisioning. The distractor about VirtualAppliance represents confusion between the two forced tunneling models (via VPN gateway versus via NVA).
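The three classic-VNet pitfalls covered in Questions 1, 2 and 4 (wrong next hop type, route table attached to GatewaySubnet, no gateway behind a VirtualNetworkGateway route) can be checked mechanically against CLI output. The following audit script is an added example, not part of the lab; the subnet and route data are constructed to resemble trimmed `az network vnet subnet list` / `az network route-table route list` JSON, with a placeholder subscription id, and `gateway_present` stands in for the result of checking `az network vnet-gateway list`.

```python
import json
from typing import Dict, List

# Constructed sample modelled on trimmed `az network vnet subnet list -o json` output;
# "<sub>" is a placeholder subscription id, not real tenant data.
SUBNETS = json.loads("""[
  {"name": "GatewaySubnet", "addressPrefix": "10.0.255.0/27", "routeTable": null},
  {"name": "AppSubnet", "addressPrefix": "10.0.1.0/24",
   "routeTable": {"id": "/subscriptions/<sub>/resourceGroups/MyRG/providers/Microsoft.Network/routeTables/ForcedTunnelRT"}}
]""")

# Constructed: route table name -> its routes, as `az network route-table route list` returns them.
ROUTE_TABLES = {
    "ForcedTunnelRT": [
        {"name": "DefaultRoute", "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualNetworkGateway"}
    ]
}


def audit_forced_tunneling(subnets: List[dict], route_tables: Dict[str, List[dict]],
                           gateway_present: bool) -> List[str]:
    """Return findings for the forced-tunneling layout; an empty list means it is sound."""
    findings = []
    for subnet in subnets:
        rt = subnet.get("routeTable")
        rt_name = rt["id"].rsplit("/", 1)[-1] if rt else None
        if subnet["name"] == "GatewaySubnet":
            # Q2 trap: GatewaySubnet is Azure-managed and must not carry a custom route table.
            if rt_name:
                findings.append("GatewaySubnet has route table %s attached; remove it" % rt_name)
            continue
        routes = route_tables.get(rt_name, []) if rt_name else []
        default = [r for r in routes if r["addressPrefix"] == "0.0.0.0/0"]
        if not default:
            findings.append("%s: no 0.0.0.0/0 route, egress goes straight to the internet" % subnet["name"])
            continue
        hop = default[0]["nextHopType"]
        if hop == "VirtualNetworkGateway" and not gateway_present:
            # Q4 trap: the route is structurally fine but has no gateway to deliver to.
            findings.append("%s: default route targets VirtualNetworkGateway but no VPN gateway is provisioned" % subnet["name"])
        elif hop == "VirtualAppliance" and not default[0].get("nextHopIpAddress"):
            # NVA model (Q1 distractor) needs the appliance's private IP on the route.
            findings.append("%s: VirtualAppliance next hop needs nextHopIpAddress" % subnet["name"])
        elif hop not in ("VirtualNetworkGateway", "VirtualAppliance"):
            findings.append("%s: next hop %s does not force tunnel" % (subnet["name"], hop))
    return findings


if __name__ == "__main__":
    for finding in audit_forced_tunneling(SUBNETS, ROUTE_TABLES, gateway_present=False) or ["OK"]:
        print(finding)
```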


Answer Key - Question 5

Answer: True

When forced tunneling is implemented with a route 0.0.0.0/0 → VirtualNetworkGateway, all outbound traffic from configured subnets is affected, including requests to public endpoints of Azure PaaS services like Storage Accounts, SQL Database, and Key Vault accessed through their public IPs. This traffic will be forwarded to on-premises, which can cause high latency, VPN link bandwidth consumption, and even blocking if the on-premises firewall doesn't allow return traffic.

The statement is non-obvious precisely because many assume that "Azure-to-Azure traffic" would stay outside the tunnel. The mechanisms that avoid this behavior are Service Endpoints (which keep traffic within Azure's network, without passing through the gateway) and Private Endpoints (which replace the service's public IP with a private IP in the VNet, making the 0.0.0.0/0 route irrelevant for that service).