Traffic processing BGP Azure VPN gateway A/A
Yes, asymmetric routing can happen with active-active VPN Gateway and BGP. That matters if Azure Firewall or another stateful NVA is in the traffic path, because the firewall needs to see both directions of the flow.
Things to check:
1. Effective routes on the workload subnets.
2. BGP advertised routes from on-premises to Azure.
3. UDRs forcing spoke-to-on-prem traffic through Azure Firewall.
4. Return routing from on-premises back to the same Azure path.
5. Whether both active-active tunnels are advertising equivalent prefixes and causing ECMP/asymmetric return.
If the goal is inspection through Azure Firewall, use UDRs for the relevant on-premises prefixes toward the firewall and make sure the return route from on-premises also comes back through the firewall path. Otherwise, the firewall may see only one side of the session and drop the traffic.
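The effective-route and UDR checks from the reply above, as an added example that is not part of the original post: it applies longest-prefix match to a workload NIC's effective routes and reports on-premises prefixes that would still go straight to the VPN gateway instead of the firewall, such as a more specific BGP route sitting under a broader UDR. The route entries are constructed in the shape of `az network nic show-effective-route-table` output, and every address, prefix and function name is an assumption.

```python
import ipaddress

# Constructed sample shaped like the "value" list of
# `az network nic show-effective-route-table`; all addresses are placeholders.
ROUTES = [
    {"source": "Default", "state": "Active", "addressPrefix": ["10.0.0.0/16"],
     "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    {"source": "User", "state": "Active", "addressPrefix": ["192.168.0.0/16"],
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.0.1.4"]},
    # BGP route for the same prefix, overridden by the UDR above.
    {"source": "VirtualNetworkGateway", "state": "Invalid", "addressPrefix": ["192.168.0.0/16"],
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.0.0.4", "10.0.0.5"]},
    # More specific BGP route: wins over the /16 UDR for this /24.
    {"source": "VirtualNetworkGateway", "state": "Active", "addressPrefix": ["192.168.10.0/24"],
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.0.0.4", "10.0.0.5"]},
]

# On equal prefix length Azure prefers user routes, then BGP, then system routes.
PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

def winning_route(routes, prefix):
    """Return the active route selected for `prefix`, or None."""
    target, best = ipaddress.ip_network(prefix), None
    for r in routes:
        if r["state"] != "Active":
            continue
        for p in r["addressPrefix"]:
            net = ipaddress.ip_network(p)
            if net.version == target.version and target.subnet_of(net):
                key = (-net.prefixlen, PRIORITY.get(r["source"], 3))
                if best is None or key < best[0]:
                    best = (key, r)
    return best[1] if best else None

def firewall_bypasses(routes, onprem_prefix, firewall_ip):
    """List (prefix, next hop type) inside onprem_prefix not sent to the firewall."""
    onprem = ipaddress.ip_network(onprem_prefix)
    to_check = {onprem}
    for r in routes:
        for p in r["addressPrefix"] if r["state"] == "Active" else []:
            net = ipaddress.ip_network(p)
            if net.version == onprem.version and net.subnet_of(onprem):
                to_check.add(net)
    findings = []
    for net in sorted(to_check):
        r = winning_route(routes, str(net))
        if r is None or r["nextHopType"] != "VirtualAppliance" or firewall_ip not in r["nextHopIpAddress"]:
            findings.append((str(net), r["nextHopType"] if r else "no route"))
    return findings
```

A non-empty result for a workload subnet means the firewall would not see the outbound half of those flows; the return path from on-premises has to be checked separately on the on-premises side.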