You use traffic forwarding profiles in Global Secure Access to apply policies to the network traffic that your organization wants to secure and manage. Network traffic is evaluated against the traffic forwarding policies you configure. The profiles are applied and the traffic goes through the service to the appropriate apps and resources.
This article describes the traffic forwarding profiles and how they work.
Traffic forwarding
Traffic forwarding enables you to configure the type of network traffic to tunnel through the Microsoft Entra Private Access and Microsoft Entra Internet Access services. You set up profiles to control how specific types of traffic are handled.
When traffic comes through Global Secure Access, the service evaluates the type of traffic first through the Microsoft access profile, then through the Private access profile, and finally through the Internet access profile. Any traffic that doesn't match these three profiles isn't forwarded to Global Secure Access.
For each traffic forwarding profile, you can configure three main details:
Which users and which traffic to forward to the service
What Conditional Access policies to apply
How your end-users connect to the service
Microsoft traffic
The Microsoft traffic forwarding profile includes Microsoft Entra ID/Microsoft Graph, SharePoint Online, Exchange Online, and other Microsoft apps. Traffic forwarding policies are grouped by workload, and for each group you can choose either to forward its traffic to Global Secure Access or to bypass it.
Private access
With the Private Access profile, you can route traffic to your private resources. This traffic forwarding profile requires configuring Quick Access, which includes the fully qualified domain names (FQDNs) and IP addresses of the private apps and resources you want to forward to the service.
Internet access
With the Internet access profile, you can route traffic to the public internet, including traffic to SaaS apps. This traffic forwarding profile consists of a pre-populated list of regular expressions for fully qualified domain names (FQDNs) and IP addresses representing the public internet.
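The evaluation order described above (Microsoft, then Private, then Internet, with unmatched traffic not forwarded) can be modeled to check which destinations each profile acquires and which ones escape the service. This is an added conceptual example, not Microsoft's code or rule set: the function names, the glob-style FQDN patterns, and every rule and destination in it are constructed assumptions.

```python
import fnmatch
import ipaddress

# Evaluation order stated in the article: Microsoft, then Private, then Internet.
# All rules below are constructed samples, not Microsoft's published rule set.
# Glob-style patterns are an assumption made to keep the model short.
PROFILES = [
    ("Microsoft", ["*.sharepoint.com", "graph.microsoft.com"], []),
    ("Private", ["*.corp.example"], ["10.20.0.0/16"]),
    ("Internet", ["*.example", "*.com"], ["203.0.113.0/24"]),
]


def _matches(dest, fqdn_patterns, cidrs):
    """True if dest (FQDN or IP literal) matches any rule of one profile."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        # Not an IP literal: compare as a normalized FQDN.
        name = dest.lower().rstrip(".")
        return any(fnmatch.fnmatchcase(name, p) for p in fqdn_patterns)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def classify(dest, profiles=PROFILES):
    """Return the name of the first matching profile, or None (not forwarded)."""
    for name, fqdns, cidrs in profiles:
        if _matches(dest, fqdns, cidrs):
            return name
    return None


def unforwarded(destinations, profiles=PROFILES):
    """Destinations that no profile acquires, so they never reach the service."""
    return [d for d in destinations if classify(d, profiles) is None]


if __name__ == "__main__":
    # Constructed destinations; two of them match more than one profile.
    sample = ["contoso.sharepoint.com", "hr.corp.example", "10.20.4.7",
              "www.shop.example", "198.51.100.9", "printer.lan"]
    for d in sample:
        print(f"{d:26} -> {classify(d) or 'not forwarded'}")
```

In this model, hr.corp.example matches both the Private and the Internet rules and is acquired by Private because that profile is evaluated first, while 198.51.100.9 and printer.lan match nothing and are left outside the policies applied by the service.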
The modern workforce transitioned from traditional office settings to working from nearly anywhere. This change in working location necessitates an identity-aware, cloud-delivered network perimeter. This identity-aware perimeter is known as Security Service Edge (SSE). The Microsoft SSE solution includes Microsoft Entra Internet Access and Microsoft Entra Private Access, collectively referred to as Global Secure Access. This solution is founded on Zero Trust principles, emphasizing least privilege, explicit