Azure Load Balancer
An Azure service that delivers high availability and network performance to applications.
421 questions
Internal Load Balancer is doing asymmetric routing.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 78%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPG%3C/text%3E%3C/svg%3E)
Prashant Gaur
0
Reputation points
We are facing an asymmetric routing issue with the Azure Private (Internal) loadbalancer.
Our Deployment topology is HUB and spoke which are peered together.
Inbound Traffic :
HUB [Public LB -> Firewall/VM] -> Spoke [Application Server/VM]
Path : 1 -> 2 -> 3 in the above image
Outbound Traffic :
Spoke [App Server -> Internal Loadbalancer -> Hub [Firewall/VM -> Public Load Balancer]
Path : 4 -> 5 in the above image
Issue :
=====
When the outbound traffic from the spoke (App Server), going to the Internal load balancer and finally to Firewall, we observe that the session stickiness is not maintained, due to which we see the asymmetric routing and the packets are getting dropped.
We have configured the ILB to use "Client IP", to maintain the session persistency/stickiness.
Is there any issue/bug with the Azure internal load balancer in terms of session stickiness when Client IP is configured for session persistency ?
Surprisingly, if we enable the option: "Client IP + Protocol" for session persistency, this asymmetric routing issue is not observed.
What is the exact difference between these 2 options for session persistency (CLient IP Vs Client IP + Protocol) ?
What is the recommendation from Azure team ?
Thanks,
Prashant
{count} votes
-
GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee2023-02-28T17:00:17.1566667+00:00 Hello @Prashant Gaur ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you have a hub and spoke topology with 2 load balancers (one public and one internal) which is integrated with Azure Firewall for inbound & outbound traffic, but you are facing asymmetric routing issue with the Azure Private (Internal) load balancer.
Integration of an Azure Standard Load Balancer (either public or internal) with your Azure firewall scenarios are explained in the below doc:
https://video2.skills-academy.com/en-us/azure/firewall/integrate-lb
Asymmetric routing issue only happens with the public load balancer scenario.
Refer: https://video2.skills-academy.com/en-us/azure/firewall/integrate-lb#asymmetric-routing
There's no asymmetric routing issue with an internal load balancer scenario.
Refer: https://video2.skills-academy.com/en-us/azure/firewall/integrate-lb#internal-load-balancer
However, the above scenarios assumes that you are using either a public load balancer or an internal load balancer and routing all traffic to Azure Firewall via UDR.
Your setup is explained in the below doc:
Here, you can see the cause of asymmetric routing:
For traffic between Azure and the public Internet, each direction of the traffic flow will cross a different Azure Load Balancer (the ingress packet through the public ALB, and the egress packet through the internal ALB). As a consequence, if traffic symmetry is required, Source Network Address Translation (SNAT) needs to be performed by the NVA instances (Azure Firewall instances in your case) to attract the return traffic and avoid traffic asymmetry.
I'm not sure how your Azure Firewall has been configured but coming back to your question, I see you've mentioned that your setup works fine when you enable the option: "Client IP + Protocol" for session persistence in your internal load balancer but doesn't work when you configure "Client IP" for session persistence.
More information on Azure load balancer session persistence:
I checked internally and couldn't find any issue/bug with the Azure internal load balancer in terms of session stickiness when Client IP is configured for session persistency.
I also found that you've created a support request for this issue. It would be better to troubleshoot this issue over a remote session as the support engineer can look into your environment and collect required logs. So, I'll track the support request from my end and will add an answer once the root cause of the issue is found.
Regards,
Gita
-
GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee
2023-03-10T10:04:14.9666667+00:00 @Prashant Gaur , on checking the support case, I found that you were able to resolve the issue by configuring SNAT for symmetric routing. Do let us know if you need further assistance on this issue. Thanks!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 67%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
James White 5 Reputation points2023-06-12T18:57:14.6233333+00:00 Hi Prashant,
Can I just ask what you did to fix this please? I am having the exact same issue where traffic is routing through one firewall but due to using two route table, it can route back out of the other.
Cheers
James
Sign in to comment