|
1 | 1 | --- |
2 | 2 | title: Azure Firewall forced tunneling |
3 | 3 | description: You can configure forced tunneling to route Internet-bound traffic to another firewall or network virtual appliance for further processing. |
4 | | -services: firewall |
5 | 4 | author: duongau |
| 5 | +ms.author: duau |
6 | 6 | ms.service: azure-firewall |
7 | 7 | ms.topic: concept-article |
8 | | -ms.date: 09/10/2024 |
9 | | -ms.author: duau |
| 8 | +ms.date: 03/28/2026 |
10 | 9 | ms.custom: sfi-image-nochange |
11 | 10 | # Customer intent: As a network administrator, I want to route Internet-bound traffic through an on-premises firewall using forced tunneling, so that I can enhance security and control over outbound traffic processing before it reaches the Internet. |
12 | 11 | --- |
13 | 12 |
|
14 | 13 | # Azure Firewall forced tunneling |
15 | 14 |
|
16 | | -When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, you could have a default route advertised via BGP or using User Defined Routes (UDRs) to force traffic to an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it's passed to the Internet. To support this configuration, you must create an Azure Firewall with the Firewall Management NIC enabled. |
| 15 | +When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, you could have a default route advertised through BGP or by using user-defined routes (UDRs) to force traffic to an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it goes to the Internet. To support this configuration, you must create an Azure Firewall with the Firewall Management network interface enabled. |
17 | 16 |
|
18 | | -:::image type="content" source="media/forced-tunneling/forced-tunneling-configuration.png" lightbox="media/forced-tunneling/forced-tunneling-configuration.png" alt-text="Screenshot showing configure forced tunneling."::: |
| 17 | +:::image type="content" source="media/forced-tunneling/forced-tunneling-configuration.png" lightbox="media/forced-tunneling/forced-tunneling-configuration.png" alt-text="Screenshot showing forced tunneling configuration."::: |
19 | 18 |
|
20 | | -You might prefer not to expose a public IP address directly to the Internet. In this case, you can deploy Azure Firewall with the Management NIC enabled without a public IP address. When the Management NIC is enabled, it creates a management interface with a public IP address that is used by Azure Firewall for its operations. The public IP address is used exclusively by the Azure platform and can't be used for any other purpose. The tenant data path network can be configured without a public IP address, and Internet traffic can be forced tunneled to another firewall or blocked. |
| 19 | +You might prefer not to expose a public IP address directly to the Internet. In this case, you can deploy Azure Firewall with the Management network interface enabled without a public IP address. When you enable the Management network interface, it creates a management interface with a public IP address that Azure Firewall uses for its operations. The public IP address is used exclusively by the Azure platform and can't be used for any other purpose. You can configure the tenant data path network without a public IP address, and you can force tunnel or block Internet traffic. |
21 | 20 |
|
22 | | -Azure Firewall provides automatic SNAT for all outbound traffic to public IP addresses. Azure Firewall doesn’t SNAT when the destination IP address is a private IP address range per IANA RFC 1918. This logic works perfectly when you egress directly to the Internet. However, with forced tunneling configured, Internet-bound traffic might be SNATed to one of the firewall private IP addresses in the AzureFirewallSubnet. This hides the source address from your on-premises firewall. You can configure Azure Firewall to not SNAT regardless of the destination IP address by adding *0.0.0.0/0* as your private IP address range. With this configuration, Azure Firewall can never egress directly to the Internet. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md). |
| 21 | +Azure Firewall provides automatic SNAT for all outbound traffic to public IP addresses. Azure Firewall doesn’t SNAT when the destination IP address is a private IP address range per IANA RFC 1918. This logic works perfectly when you egress directly to the Internet. However, with forced tunneling configured, Internet-bound traffic might be SNATed to one of the firewall private IP addresses in the AzureFirewallSubnet. This SNAT hides the source address from your on-premises firewall. You can configure Azure Firewall to not SNAT regardless of the destination IP address by adding *0.0.0.0/0* as your private IP address range. With this configuration, Azure Firewall can never egress directly to the Internet. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md). |
23 | 22 |
|
24 | | -Azure Firewall also supports split tunneling, which is the ability to selectively route traffic. For example, you can configure Azure Firewall to direct all traffic to your on-premises network while routing traffic to the Internet for KMS activation, ensuring the KMS server is activated. You can do this using route tables on the AzureFirewallSubnet. For more information, see [Configuring Azure Firewall in Forced Tunneling mode - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/azure-network-security-blog/configuring-azure-firewall-in-forced-tunneling-mode/ba-p/3581955). |
| 23 | +Azure Firewall also supports split tunneling, which is the ability to selectively route traffic. For example, you can configure Azure Firewall to direct all traffic to your on-premises network while routing traffic to the Internet for KMS activation, ensuring the KMS server is activated. You can do this by using route tables on the AzureFirewallSubnet. For more information, see [Configuring Azure Firewall in Forced Tunneling mode - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/azure-network-security-blog/configuring-azure-firewall-in-forced-tunneling-mode/ba-p/3581955). |
25 | 24 |
|
26 | 25 | > [!IMPORTANT] |
27 | | -> Forced tunnel is available for Azure Firewall deployments in the Virtual WAN hub (secured Virtual hub) that utilize routing intent. See [internet access patterns in Virtual WAN](../virtual-wan/about-internet-routing.md) for more information. |
| 26 | +> Forced tunnel is available for Azure Firewall deployments in the Virtual WAN hub (secured Virtual hub) that utilize routing intent. See [internet access patterns in Virtual WAN](../virtual-wan/about-internet-routing.md) for more information. |
28 | 27 |
|
29 | 28 | > [!IMPORTANT] |
30 | | -> DNAT isn't supported with forced tunneling enabled. Firewalls deployed with Forced Tunneling enabled can't support inbound access from the Internet because of asymmetric routing. However, firewalls with a Management NIC still support DNAT. |
| 29 | +> DNAT isn't supported with forced tunneling enabled. Firewalls deployed with forced tunneling enabled can't support inbound access from the Internet because of asymmetric routing. However, firewalls with a Management network interface still support DNAT. |
31 | 30 |
|
32 | 31 | ## Forced tunneling configuration |
33 | 32 |
|
34 | | -When the Firewall Management NIC is enabled, the *AzureFirewallSubnet* can now include routes to any on-premises firewall or NVA to process traffic before it's passed to the Internet. You can also publish these routes via BGP to *AzureFirewallSubnet* if **Propagate gateway routes** is enabled on this subnet. |
| 33 | +When you enable the Firewall Management network interface, you can add routes to any on-premises firewall or NVA in the *AzureFirewallSubnet* to process traffic before it goes to the Internet. If you enable **Propagate gateway routes** on this subnet, you can also publish these routes through BGP to *AzureFirewallSubnet*. |
35 | 34 |
|
36 | 35 | For example, you can create a default route on the *AzureFirewallSubnet* with your VPN gateway as the next hop to get to your on-premises device. Or you can enable **Propagate gateway routes** to get the appropriate routes to the on-premises network. |
37 | 36 |
|
38 | | -If you configure forced tunneling, Internet-bound traffic is SNATed to one of the firewall private IP addresses in AzureFirewallSubnet, hiding the source from your on-premises firewall. |
| 37 | +If you configure forced tunneling, Azure Firewall SNATs Internet-bound traffic to one of the firewall private IP addresses in AzureFirewallSubnet, which hides the source from your on-premises firewall. |
39 | 38 |
|
40 | 39 | If your organization uses a public IP address range for private networks, Azure Firewall SNATs the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. However, you can configure Azure Firewall to **not** SNAT your public IP address range. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md). |
41 | 40 |
|
42 | 41 | ## Related content |
43 | 42 |
|
44 | | -- [Azure Firewall Management NIC](management-nic.md) |
| 43 | +- [Azure Firewall Management network interface](management-nic.md) |
45 | 44 |
|
0 commit comments