Q. I am using forced tunneling with ExpressRoute so all Internet traffic goes via on-premises. However, if ExpressRoute goes down, the traffic goes to the Internet. How can I stop that?

A. Forced tunneling sends all traffic with no more specific route (i.e. Internet-bound traffic) over the ExpressRoute connection instead of directly to the Internet, so that the Internet traffic can be inspected by on-premises appliances/services. This is done by advertising a 0.0.0.0/0 route over BGP. If ExpressRoute is down, that advertisement disappears and the traffic would be sent straight to the Internet. If you need to stop this happening, use a Network Security Group with two rules:

Priority  Name          Source  Destination     Service           Action
100       AllowLocal    Any     VirtualNetwork  Custom (Any/Any)  Allow
110       DenyInternet  Any     Internet        Custom (Any/Any)  Deny

This works because with forced tunneling configured (0/0 advertised), that route is considered part of the VirtualNetwork service tag and is therefore allowed by rule 100. If ExpressRoute goes down, BGP stops advertising 0/0, which means it's no longer part of VirtualNetwork and instead falls under the Internet service tag, so it is blocked by rule 110.
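The two rules above as outbound NSG rules created with the Az PowerShell module, added here as an example rather than taken from the original answer; the resource group, location and NSG name are placeholder assumptions, and the rules are applied in the outbound direction since the page concerns Internet-bound traffic:

```powershell
# Added example (not from the original answer): create the AllowLocal / DenyInternet
# pair with the Az PowerShell module. Resource group, location and NSG name are assumptions.
$rg       = 'rg-hub-example'      # assumption
$location = 'westeurope'          # assumption
$nsgName  = 'nsg-no-internet-fallback'  # assumption

# Rule 100: allow any outbound traffic whose destination is covered by the VirtualNetwork
# service tag. While ExpressRoute advertises 0.0.0.0/0 over BGP, Internet-bound traffic
# matches this tag and is therefore allowed (and forced through the tunnel).
$allowLocal = New-AzNetworkSecurityRuleConfig -Name 'AllowLocal' -Priority 100 `
    -Direction Outbound -Access Allow -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '*'

# Rule 110: deny any outbound traffic whose destination matches the Internet service tag.
# Once the 0/0 advertisement disappears, Internet-bound traffic no longer matches rule 100
# and falls through to this deny, instead of leaving directly via Azure's Internet egress.
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'DenyInternet' -Priority 110 `
    -Direction Outbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowLocal, $denyInternet

# Verify the ordering: AllowLocal (100) must evaluate before DenyInternet (110).
$nsg.SecurityRules |
    Sort-Object Priority |
    Select-Object Name, Priority, Direction, Access, DestinationAddressPrefix
```

Associate the resulting NSG with the subnets (or NICs) whose Internet traffic must never bypass the tunnel; the rules only take effect once attached.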