Forum Discussion
Traffic processing BGP Azure VPN gateway A/A
Hello,
Can someone explain how Azure processes traffic with a VPN gateway deployed in Active-Active mode?
Azure Firewall Premium is also configured. BGP is configured without preferences.
The user route definition is set up with Azure Firewall as the next hop.
Is it possible in this scenario that asymmetric routing occurs, with traffic dropped by Azure Firewall?
In my understanding, if we need to configure a user route definition on the Gateway subnet to inspect traffic to the peered subnet, the firewall does not see traffic passing through the VPN gateway. Traffic going through the IPsec tunnels can take different paths, and the firewall does not interfere because everything is routed to it by the user route definition.
1 Reply
- rgarofalo
Microsoft
In active-active mode, Azure runs two active instances of the gateway. Symmetry is not guaranteed, so a packet can enter through one instance and return through the other.
If you don’t put that UDR on GatewaySubnet, then traffic coming from the VPN gateway into Azure can follow Azure system routes directly to spokes/peering without ever hitting the firewall—so the firewall won’t “see” that direction.
Finally, yes, it can happen. Azure Firewall is stateful. If only one direction is inspected (or the return traffic takes a different path), you can see drops or odd behavior depending on which direction is being inspected and where state is expected.
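To make the reply's point concrete, here is a small added model (not code from the thread or from Microsoft) of how Azure resolves the next hop for each leg of an on-prem-to-spoke flow. The subnet names, prefixes and the firewall private IP are constructed placeholders; the model assumes longest-prefix match with a UDR overriding a system route of the same prefix, and shows that without the GatewaySubnet UDR the inbound leg bypasses the firewall while the return leg is steered to it.

```python
"""Route-resolution model for the hub/spoke + VPN gateway + Azure Firewall scenario.

Added example, not from the original post. All addresses are constructed placeholders.
"""
from ipaddress import ip_address, ip_network

FW_IP = "10.0.1.4"          # placeholder: Azure Firewall private IP in the hub
SPOKE = "10.1.0.0/16"       # placeholder: peered spoke VNet prefix
ONPREM = "192.168.0.0/16"   # placeholder: on-prem prefix learned over BGP via the VPN

# Simplified system routes Azure programs on its own: peering makes the spoke
# reachable directly from GatewaySubnet, and the BGP-learned on-prem prefix
# points at the VPN gateway from the spoke.
SYSTEM_ROUTES = {
    "GatewaySubnet": [(SPOKE, "VNetPeering"), (ONPREM, "VirtualNetworkGateway")],
    "spoke-subnet": [(SPOKE, "VnetLocal"), (ONPREM, "VirtualNetworkGateway")],
}


def resolve(subnet, dst, udrs):
    """Return the next hop for dst from subnet: longest prefix wins, and a UDR
    (listed after the system routes) overrides a system route of equal length."""
    best = None
    for prefix, hop in SYSTEM_ROUTES[subnet] + udrs.get(subnet, []):
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen >= best[0].prefixlen):
            best = (net, hop)
    return best[1]


def path_symmetric(udrs):
    """Evaluate one on-prem -> spoke flow.

    Inbound leg: the packet leaves whichever gateway instance received it and is
    routed from GatewaySubnet towards the spoke. Return leg: the spoke replies
    towards on-prem. The firewall only keeps consistent state if both legs are
    steered to it (or neither is)."""
    inbound = resolve("GatewaySubnet", "10.1.0.10", udrs)
    return_hop = resolve("spoke-subnet", "192.168.0.10", udrs)
    return inbound, return_hop, (inbound == FW_IP) == (return_hop == FW_IP)


# Spoke sends everything to the firewall, but GatewaySubnet has no route table:
ASYMMETRIC = {"spoke-subnet": [("0.0.0.0/0", FW_IP), (ONPREM, FW_IP)]}
# Adding a GatewaySubnet UDR for the spoke prefix (not 0.0.0.0/0) closes the gap:
SYMMETRIC = {**ASYMMETRIC, "GatewaySubnet": [(SPOKE, FW_IP)]}

if __name__ == "__main__":
    print("without GatewaySubnet UDR:", path_symmetric(ASYMMETRIC))
    print("with GatewaySubnet UDR:   ", path_symmetric(SYMMETRIC))
```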