Forced tunneling in Azure requires routing all internet-bound traffic through Azure Firewall — but the default Terraform setup hits a cycle error and breaks Windows activation and Azure AD authentication.
This template solves the ordering problem and includes the required bypass routes.
What’s included
- Cycle-error-free resource ordering for forced tunneling deployment
- KMS bypass route — Windows VMs activate correctly
- Azure AD bypass route — Managed Identities and auth flows work
- Basic FQDN rules for Windows Updates and core Microsoft services
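As an added example (not the template's own code), a minimal forced-tunneling route table in Terraform: a default route to the firewall's private IP plus narrow bypass routes for KMS and Azure AD, with the subnet association kept as a separate resource so the dependency graph stays acyclic. It assumes `azurerm_resource_group.rg`, `azurerm_subnet.workload` and `azurerm_firewall.fw` are defined elsewhere in the configuration, and that Azure accepts the `AzureActiveDirectory` service tag as a UDR address prefix.

```hcl
# Added example, not the template's code. Assumes azurerm_resource_group.rg,
# azurerm_subnet.workload and azurerm_firewall.fw (with its AzureFirewallSubnet
# and AzureFirewallManagementSubnet) are declared elsewhere.

variable "kms_address_prefix" {
  description = "Azure KMS activation endpoint (kms.core.windows.net); verify against current Microsoft docs"
  type        = string
  default     = "23.102.135.246/32" # keep the bypass as narrow as a single /32
}

# The route table itself has no reference to the firewall, so it can be created
# and associated independently of the firewall's own subnets.
resource "azurerm_route_table" "workload" {
  name                = "rt-workload-forced-tunnel"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# Only this route depends on the firewall; nothing the firewall depends on
# references the route table, which is what keeps the graph cycle-free.
resource "azurerm_route" "default_to_firewall" {
  name                   = "default-via-firewall"
  resource_group_name    = azurerm_resource_group.rg.name
  route_table_name       = azurerm_route_table.workload.name
  address_prefix         = "0.0.0.0/0"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address
}

# Windows activation must reach KMS directly; a more specific route wins over 0.0.0.0/0.
resource "azurerm_route" "kms_bypass" {
  name                = "kms-bypass"
  resource_group_name = azurerm_resource_group.rg.name
  route_table_name    = azurerm_route_table.workload.name
  address_prefix      = var.kms_address_prefix
  next_hop_type       = "Internet"
}

# Azure AD / Managed Identity token flows: service tag used as the prefix (assumed supported).
resource "azurerm_route" "aad_bypass" {
  name                = "aad-bypass"
  resource_group_name = azurerm_resource_group.rg.name
  route_table_name    = azurerm_route_table.workload.name
  address_prefix      = "AzureActiveDirectory"
  next_hop_type       = "Internet"
}

resource "azurerm_subnet_route_table_association" "workload" {
  subnet_id      = azurerm_subnet.workload.id
  route_table_id = azurerm_route_table.workload.id
}
```

Each bypass route sends its traffic around the firewall, so keep the prefixes as narrow as the service allows and log or alert on any change to these routes.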
Limitations (Base Edition)
Static subnet binding and hardcoded IP addresses in rules. The Enterprise Edition adds dynamic for_each subnet binding, IP Group-based policies, and full FQDN baseline rulesets.