Hello @Ghulam Abbas,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to change your existing setup with Azure Firewall from Force Tunneling to use the Azure Firewall for Internet traffic.
As mentioned, and confirmed by you in the Azure Firewall documentation, the following limitation applies to the Azure firewall forced tunneling mode:
Once you configure Azure Firewall to support forced tunneling, you can't undo the configuration. If you remove all other IP configurations on your firewall, the management IP configuration is removed as well, and the firewall is deallocated. The public IP address assigned to the management IP configuration can't be removed, but you can assign a different public IP address.
Also, you cannot deploy more than one Azure Firewall to the same VNet.
So, the only option in this case would be to delete the existing Azure Firewall with forced tunneling mode and recreate a new Azure Firewall without the forced tunneling mode.
I would suggest you make this change during a dedicated downtime window for minimal impact to your existing setup.
- You can remove the existing UDR from all your subnets to make sure that the traffic is routed directly to the Internet.
- Then delete the Azure Firewall with forced tunneling mode.
- Recreate Azure Firewall without the forced tunneling mode.
- Add UDRs to all subnets with a 0.0.0.0/0 route whose next hop is the Azure Firewall.
- Add the required network rules in the Azure Firewall.
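The five steps above, scripted with Azure CLI as an added example (this is not code from the answer, the question, or Microsoft's documentation). It assumes the `azure-firewall` CLI extension is installed, that the hub VNet already contains an `AzureFirewallSubnet`, and that the public IP named in `FW_PIP` already exists; every resource name, subnet name and address prefix is a constructed placeholder. By default the script only prints the commands it would run, so the plan can be reviewed before the downtime window; `--apply` executes them.

```shell
#!/bin/sh
# Added example: rebuild an Azure Firewall without forced tunneling.
# Dry run by default (prints each az command); pass --apply to execute.
set -eu

RG="rg-hub"                                  # constructed: resource group
VNET="vnet-hub"                              # constructed: hub VNet with AzureFirewallSubnet
FW="fw-hub"                                  # constructed: firewall name (reused for the new one)
FW_PIP="pip-fw-hub"                          # constructed: existing public IP for the data-plane ip-config
RT="rt-egress-via-fw"                        # constructed: route table carrying the 0.0.0.0/0 UDR
WORKLOAD_SUBNETS="snet-app snet-db"          # constructed: subnets whose egress goes through the firewall
WORKLOAD_PREFIXES="10.0.1.0/24 10.0.2.0/24"  # constructed: their address ranges

DRY_RUN=1
[ "${1:-}" = "--apply" ] && DRY_RUN=0

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" -eq 1 ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# Step 1: detach the current route table so the subnets route directly
# to the Internet while the firewall is rebuilt.
detach_udrs() {
  for s in $WORKLOAD_SUBNETS; do
    run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$s" --remove routeTable
  done
}

# Step 2: delete the forced-tunneling firewall; the setting cannot be undone in place.
delete_firewall() {
  run az network firewall delete -g "$RG" -n "$FW"
}

# Step 3: recreate the firewall with a single data-plane ip-config and no
# management ip-config, which is what "without forced tunneling" means here.
create_firewall() {
  run az network firewall create -g "$RG" -n "$FW" --sku AZFW_VNet --tier Standard
  run az network firewall ip-config create -g "$RG" -f "$FW" -n ipconfig-data \
      --public-ip-address "$FW_PIP" --vnet-name "$VNET"
}

# The next-hop address is only known once the new firewall exists, so it is
# queried at apply time and shown as a placeholder in a dry run.
firewall_private_ip() {
  if [ "$DRY_RUN" -eq 1 ]; then
    echo "<fw-private-ip>"
  else
    az network firewall show -g "$RG" -n "$FW" \
      --query "ipConfigurations[0].privateIpAddress" -o tsv
  fi
}

# Step 4: one route table with a 0.0.0.0/0 route to the firewall's private IP,
# associated with every workload subnet.
attach_udrs() {
  next_hop="$(firewall_private_ip)"
  run az network route-table create -g "$RG" -n "$RT"
  run az network route-table route create -g "$RG" --route-table-name "$RT" -n default-via-firewall \
      --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$next_hop"
  for s in $WORKLOAD_SUBNETS; do
    run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$s" --route-table "$RT"
  done
}

# Step 5: network rules. Start with only what the workloads need; here a
# single allow rule for outbound HTTPS from the workload prefixes.
add_network_rules() {
  run az network firewall network-rule create -g "$RG" -f "$FW" \
      --collection-name egress-allow --name allow-https-out --priority 100 --action Allow \
      --protocols TCP --source-addresses $WORKLOAD_PREFIXES --destination-addresses '*' \
      --destination-ports 443
}

# Run the steps in the order given in the answer.
migrate() {
  detach_udrs
  delete_firewall
  create_firewall
  attach_udrs
  add_network_rules
}

migrate
```

Between step 1 and step 4 the workload subnets have no UDR and egress directly, so the window is also the time to confirm that NSG outbound rules on those subnets are as restrictive as expected.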
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.