Forum Discussion
Lechu
Feb 22, 2026 | Copper Contributor
Traffic processing BGP Azure VPN gateway A/A
Hello, can someone explain how Azure processes the traffic with a VPN gateway implemented in Active-Active mode? Azure Firewall Premium is also configured. BGP is without preferences. The use...
Kidd_Ip
Jun 27, 2026 | MVP
Yes, I agree asymmetric routing can occur in this scenario:
- Each VPN gateway instance may send outbound packets through a different tunnel interface.
- If your UDRs force inbound traffic through the firewall but outbound traffic bypasses it (or vice versa), the firewall sees only one direction of the flow.
- Azure Firewall drops asymmetric flows by design (stateful inspection requires both directions).
Suggestions below:
- Avoid UDRs on GatewaySubnet. It won't affect VPN gateway routing and can cause confusion.
- Inspect traffic at spoke level. Apply UDRs on spoke subnets to route traffic through the firewall before reaching the gateway.
- Use BGP‑based route propagation control. Disable propagation on subnets where you apply UDRs to prevent conflicting routes.
- Consider Azure Route Server or NVA. For complex inspection and symmetric routing, Route Server can maintain consistent BGP paths.
- Monitor with Network Watcher. Use Connection Monitor and Effective Routes to verify path symmetry.
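
The path-symmetry check described above, as an added example that is not part of the original posts: it applies Azure's route selection (longest prefix first, then user-defined route over BGP over system route) to two route tables and reports whether both directions of a flow cross the firewall. The route tables, IP addresses and dictionary field names are constructed and simplified from what an Effective Routes view shows; `RETURN_ROUTES` stands for whichever hop forwards on-premises traffic back toward the spoke.

```python
import ipaddress

# On equal prefix length Azure prefers a UDR, then BGP, then system routes.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}
FIREWALL_IP = "10.0.1.4"  # constructed firewall private IP (assumption)

def route(prefix, source, hop_type, hop_ip=None):
    return {"prefix": ipaddress.ip_network(prefix), "source": source,
            "next_hop_type": hop_type, "next_hop_ip": hop_ip}

# Constructed sample tables, simplified from an Effective Routes view.
SPOKE_ROUTES = [
    route("10.10.0.0/16", "Default", "VnetLocal"),
    route("10.50.0.0/16", "User", "VirtualAppliance", FIREWALL_IP),
    # A more specific BGP-propagated prefix beats the /16 UDR above.
    route("10.50.1.0/24", "VirtualNetworkGateway", "VirtualNetworkGateway", "10.0.0.4"),
]
RETURN_ROUTES = [route("10.10.0.0/16", "Default", "VNetPeering")]
RETURN_ROUTES_FIXED = RETURN_ROUTES + [
    route("10.10.0.0/16", "User", "VirtualAppliance", FIREWALL_IP)]

def select_route(routes, dst_ip):
    """Longest-prefix match, ties broken by route source priority."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if dst in r["prefix"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["prefix"].prefixlen,
                                       SOURCE_PRIORITY[r["source"]]))

def via_firewall(routes, dst_ip):
    r = select_route(routes, dst_ip)
    return (r is not None and r["next_hop_type"] == "VirtualAppliance"
            and r["next_hop_ip"] == FIREWALL_IP)

def check_symmetry(forward_routes, return_routes, remote_ip, spoke_ip):
    """Compare firewall traversal for spoke->remote and remote->spoke."""
    out = via_firewall(forward_routes, remote_ip)
    back = via_firewall(return_routes, spoke_ip)
    return {"outbound_via_fw": out, "return_via_fw": back,
            "symmetric": out == back}

if __name__ == "__main__":
    for name, ret in (("current", RETURN_ROUTES), ("fixed", RETURN_ROUTES_FIXED)):
        print(name, check_symmetry(SPOKE_ROUTES, ret, "10.50.2.10", "10.10.1.5"))
```

The `10.50.1.0/24` entry shows the conflicting-route case: a propagated BGP prefix that is more specific than the UDR takes that traffic past the firewall even though a UDR exists.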