as far as I know you can’t force the R7 Insight Agent to take a specific route, It’ll always check the possibilities e.g. direct route or via the collector and if there are multiple collectors, which one of those.
However, you can block the direct communication blocking the specific IP-Addresses for your Data Region, see here: Networking | Insight Agent Documentation if thats what you need.
But I wouldn’t recommend it unless you have at least two collectors set up for redundancy. I use the direct connection for redundancy purposes as well. All of my clients which can reach the collector, use the collector. Only remote/roaming computers that are not directly connected to our network go right into the Cloud.
In our environment (~ 750 Assets) we use the token-based deployment and are very happy with it (mass-deploying the Client with PDQ).