Forum Discussion

Lechu
Copper Contributor
Feb 22, 2026

Traffic processing BGP Azure VPN gateway A/A

Hello,

Can someone explain how Azure processes traffic when a VPN gateway is implemented in Active-Active mode?

Azure Firewall Premium is also configured. BGP is configured without preferences.

The user-defined route (UDR) is set up with Azure Firewall as the next hop.

Is it possible that asymmetric routing occurs in this scenario, with traffic dropped by Azure Firewall?

My understanding is that we need to configure a user-defined route on the GatewaySubnet to inspect traffic to the peered subnet; otherwise the firewall doesn't see traffic passing through the VPN gateway. Traffic going through the IPsec tunnels can take different paths, and the firewall does not interfere because everything is routed to it by the user-defined route.

5 Replies

  • Yes, I agree asymmetric routing can occur in this scenario:

    • Each VPN gateway instance may send outbound packets through a different tunnel interface.
    • If your UDRs force inbound traffic through the firewall but outbound traffic bypasses it (or vice versa), the firewall sees only one direction of the flow.
    • Azure Firewall drops asymmetric flows by design (stateful inspection requires both directions).

    Suggestions below:

    • Avoid UDRs on GatewaySubnet. It won't affect VPN gateway routing and can cause confusion.
    • Inspect traffic at spoke level. Apply UDRs on spoke subnets to route traffic through the firewall before reaching the gateway.
    • Use BGP-based route propagation control. Disable propagation on subnets where you apply UDRs to prevent conflicting routes.
    • Consider Azure Route Server or NVA. For complex inspection and symmetric routing, Route Server can maintain consistent BGP paths.
    • Monitor with Network Watcher. Use Connection Monitor and Effective Routes to verify path symmetry.
  • jaqsicoder
    Tin Contributor

    This discussion gives a better understanding of how Azure VPN Gateway and Azure Firewall work together. The shared explanations are very helpful.

  • With an active-active VPN gateway, both gateway instances and tunnels can participate in routing, so you should plan for traffic to use either path unless your BGP policy makes one path preferred. The big thing with Azure Firewall or an NVA in the middle is symmetric routing. I would compare effective routes on the VM subnet with the BGP routes learned and advertised by the gateway, then check the on-prem local preference or AS path choices.

  • Yes, asymmetric routing can happen with active-active VPN Gateway and BGP. That matters if Azure Firewall or another stateful NVA is in the traffic path, because the firewall needs to see both directions of the flow.

    Things to check:

    1. Effective routes on the workload subnets.

    2. BGP advertised routes from on-premises to Azure.

    3. UDRs forcing spoke-to-on-prem traffic through Azure Firewall.

    4. Return routing from on-premises back to the same Azure path.

    5. Whether both active-active tunnels are advertising equivalent prefixes and causing ECMP/asymmetric return.

    If the goal is inspection through Azure Firewall, use UDRs for the relevant on-premises prefixes toward the firewall and make sure the return route from on-premises also comes back through the firewall path. Otherwise, the firewall may see only one side of the session and drop the traffic.

  • In the active-active mode, Azure runs two active instances of the gateway. Symmetry is not guaranteed, so a packet can enter from one instance and return from the other one.

    If you don’t put that UDR on GatewaySubnet, then traffic coming from the VPN gateway into Azure can follow Azure system routes directly to spokes/peering without ever hitting the firewall—so the firewall won’t “see” that direction.

    Finally, yes, it can happen. Azure Firewall is stateful. If only one direction is inspected (or return goes a different path), you can see drops or odd behavior depending on which direction is being inspected and where state is expected.
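The following is an added example, not code posted by anyone in this thread. It turns the checklist above (effective routes on the workload subnet, the UDR toward the firewall, and the return path from the gateway side) and the "no UDR on GatewaySubnet" case from the last reply into a small check: it resolves the spoke subnet's active next hop for an on-premises address and the gateway side's active next hop for the spoke address, and flags a flow that would pass Azure Firewall in only one direction. Route records use the field names of the `value` list that `az network nic show-effective-route-table` returns; because a gateway has no NIC to query, the gateway side is modelled from the routes you would attach to GatewaySubnet (the shape `az network route-table route list` gives). The prefixes, the firewall IP 10.0.1.4, the gateway instance IP and the UDR are assumptions, and all the data is constructed. The tie-break (UDR over BGP-learned over system route for the same prefix) is Azure's documented precedence.

```python
"""Spot firewall-bypassing asymmetry between a spoke subnet and the GatewaySubnet.

Added example, not code from the thread.  Route records use the field names of
the `value` list returned by `az network nic show-effective-route-table` (and of
`az network route-table route list` for the GatewaySubnet UDR).  All data here is
constructed; the firewall IP and prefixes are assumptions.
"""
import ipaddress

FIREWALL_IP = "10.0.1.4"  # assumed private IP of Azure Firewall in the hub

# When prefixes tie, Azure prefers UDR over BGP-learned over system routes.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def route(prefix, hop_type, hop_ip=None, source="Default", state="Active"):
    """Build one effective-route record (constructed, az-shaped)."""
    return {"addressPrefix": [prefix], "nextHopType": hop_type,
            "nextHopIpAddress": [hop_ip] if hop_ip else [],
            "source": source, "state": state}


# Effective routes on the spoke workload NIC: the UDR sends the on-prem prefix to
# the firewall, and the BGP route the gateway injected is shadowed ("Invalid").
SPOKE_EFFECTIVE_ROUTES = [
    route("10.1.0.0/16", "VnetLocal"),
    route("10.0.0.0/16", "VNetPeering"),
    route("192.168.0.0/16", "VirtualNetworkGateway", "10.0.255.4",   # assumed gateway instance IP
          source="VirtualNetworkGateway", state="Invalid"),
    route("192.168.0.0/16", "VirtualAppliance", FIREWALL_IP, source="User"),
    route("0.0.0.0/0", "Internet"),
]

# What the gateway follows toward the spoke with no UDR on GatewaySubnet: only
# system routes, so return traffic rides the peering and never meets the firewall.
GATEWAY_SUBNET_SYSTEM_ROUTES = [
    route("10.0.0.0/16", "VnetLocal"),
    route("10.1.0.0/16", "VNetPeering"),
]

# Candidate fix: a UDR on GatewaySubnet steering the spoke prefix to the firewall.
GATEWAY_SUBNET_UDR = [
    route("10.1.0.0/16", "VirtualAppliance", FIREWALL_IP, source="User"),
]


def active_next_hop(routes, dst_ip):
    """Longest-prefix match over Active routes; ties broken by SOURCE_PRIORITY.

    Returns (nextHopType, nextHopIp) or None when nothing matches.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_key, best = None, None
    for r in routes:
        if r["state"] != "Active":
            continue
        for prefix in r["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if dst not in net:
                continue
            key = (net.prefixlen, -SOURCE_PRIORITY.get(r["source"], 9))
            if best_key is None or key > best_key:
                best_key, best = key, r
    if best is None:
        return None
    hop_ip = best["nextHopIpAddress"][0] if best["nextHopIpAddress"] else None
    return best["nextHopType"], hop_ip


def inspected_by_firewall(hop, firewall_ip=FIREWALL_IP):
    """True when the chosen next hop is the firewall itself."""
    return hop is not None and hop == ("VirtualAppliance", firewall_ip)


def check_symmetry(spoke_routes, gateway_routes, spoke_ip, onprem_ip,
                   firewall_ip=FIREWALL_IP):
    """Compare the spoke->on-prem hop with the gateway->spoke hop for one flow."""
    forward = active_next_hop(spoke_routes, onprem_ip)
    back = active_next_hop(gateway_routes, spoke_ip)
    fwd_insp = inspected_by_firewall(forward, firewall_ip)
    back_insp = inspected_by_firewall(back, firewall_ip)
    return {"forward_next_hop": forward, "return_next_hop": back,
            "forward_inspected": fwd_insp, "return_inspected": back_insp,
            "symmetric": fwd_insp == back_insp}


def shadowed_bgp_prefixes(routes):
    """BGP-learned prefixes a UDR has overridden (shown as state Invalid)."""
    return [r["addressPrefix"][0] for r in routes
            if r["source"] == "VirtualNetworkGateway" and r["state"] == "Invalid"]


if __name__ == "__main__":
    spoke_vm, onprem_host = "10.1.0.10", "192.168.10.5"
    cases = (("no UDR on GatewaySubnet", GATEWAY_SUBNET_SYSTEM_ROUTES),
             ("UDR on GatewaySubnet", GATEWAY_SUBNET_SYSTEM_ROUTES + GATEWAY_SUBNET_UDR))
    for label, gw_routes in cases:
        print(label, check_symmetry(SPOKE_EFFECTIVE_ROUTES, gw_routes, spoke_vm, onprem_host))
    print("BGP prefixes overridden by UDR:", shadowed_bgp_prefixes(SPOKE_EFFECTIVE_ROUTES))
```

In a real tenant, feed `active_next_hop` the `value` list from `az network nic show-effective-route-table -g <rg> -n <nic> -o json` for the spoke VM, and build the gateway-side list from `az network route-table route list` for the table attached to GatewaySubnet. For the BGP part of the checklist, `az network vnet-gateway list-learned-routes -g <rg> -n <gw>` and `az network vnet-gateway list-advertised-routes -g <rg> -n <gw> --peer <peer-ip>` show what each gateway instance learns and advertises, which is where to confirm both tunnels carry the same prefixes and whether on-premises prefers one of them.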