Enforcing All Traffic Through Azure Firewall with Site-to-Site VPN Between Azure Tenants – Asymmetric Routing and RDP Failure

Question

Enforcing All Traffic Through Azure Firewall with Site-to-Site VPN Between Azure Tenants – Asymmetric Routing and RDP Failure

Paul 0

Problem Statement

Scenario:

We have two Azure tenants (Tenant1 and Tenant2) connected via Site-to-Site VPN.

In Tenant1, we have deployed Azure Firewall in a hub virtual network.

All traffic must be forced through Azure Firewall for inspection, including any communication from VMs in Tenant1 to VMs in Tenant2.

To achieve this, we have applied a User-Defined Route (UDR) in the Tenant1 VM subnet:
```
  0.0.0.0/0 → Next hop: Azure Firewall
```
We created appropriate Firewall Network Rules allowing the necessary traffic flows.

Observed Behavior:

When this UDR is in place, RDP connections initiated from Tenant1 VMs to Tenant2 VMs fail (RDP hangs on connecting).

If we remove the UDR (allowing default system routing) or set the Next Hop to Virtual Network Gateway instead of Firewall, RDP works as expected.

Diagnosis:

The failure appears to be caused by asymmetric routing:

Outbound traffic from Tenant1 VMs to Tenant2 VMs flows through the Firewall and over the VPN.

  **Return traffic from Tenant2 VMs bypasses the Firewall** and flows directly back over the VPN tunnel to the Tenant1 VMs.

  
     Because Azure Firewall is stateful, it expects the return packets to come back through itself to maintain connection state. When this does not happen, the connection breaks.
```---

---
**Specific Question:**

What is the recommended, supported approach to **enforce all traffic inspection through Azure Firewall while maintaining symmetric routing for inter-tenant VPN traffic**?

Should Azure Firewall **automatically SNAT** outbound traffic to private IP ranges (e.g., 172.16.0.0/12), or is there an explicit configuration required to force SNAT for these flows to avoid asymmetric return paths?

If the default SNAT behavior is insufficient, what best practices or design patterns are recommended to accomplish this scenario without compromising connectivity?

---
---

Paul 0 Reputation points

2025-07-12T04:35:20.0533333+00:00
Thanks for your detailed inputs on the Azure Firewall SNAT behavior and the guidance provided.

I wanted to share a summary of the testing performed and the remaining challenge:

Actions Taken So Far:

Configured Azure Firewall Policy to perform SNAT “Always.”

Added UDRs in Tenant1 VM subnet to force all traffic (0.0.0.0/0 and 172.18.0.0/16) through the Firewall.

Verified that outbound flows (Tenant1 VM initiating connections to Tenant2 VM) are now working successfully.

Firewall SNATs the flows.

Remaining Issue:

Inbound connections initiated from Tenant2 VMs to Tenant1 VMs still fail.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-14T18:33:23.9233333+00:00
Hey Paul

Thanks for the update and detailed testing summary. It's great to hear that outbound traffic from Tenant1 to Tenant2 is now working as expected via Azure Firewall with SNAT applied.

To fix the Inbound Traffic from Tenant2 to Tenant1, please follow

Add UDR on Tenant1 VM Subnet:

Route 172.18.0.0/16 via Azure Firewall private IP.

Enable SNAT for Return Traffic:

In Firewall Policy, add 172.18.0.0/16 under Private IP ranges (SNAT).

Check NSG Rules Allow inbound/outbound traffic to/from 172.18.0.0/16.

Verify Firewall Rules and ensure rules allow traffic from Tenant2 to Tenant1 and back.

Use Logs to Confirm

Check Azure Firewall logs or Network Watcher for flow validation like: Inbound packets reach the firewall, or Firewall forwards them to the VM.

Return packets are SNAT’d and routed correctly

I hope this helps! Do let me know if you have further questions.

If the above is unclear or you are unsure about something, please add a comment below.
Paul 0 Reputation points

2025-07-14T18:49:20.7133333+00:00

Enable SNAT for Return Traffic:

In Firewall Policy, add 172.18.0.0/16 under Private IP ranges (SNAT) Kindly elaborate this steps as I marked as Always.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-14T21:03:28.5133333+00:00

Hi Paul

Even with SNAT mode set to "Always", Azure Firewall still uses the Private IP ranges (SNAT) list to:

Identify which IP ranges are considered private.

Apply consistent SNAT behavior for traffic to/from those ranges.

Ensure session tracking and symmetric routing work correctly, especially in multi-tenant or hybrid environments.

So, adding 172.18.0.0/16 ensures that return traffic to Tenant2 is SNATed properly and avoids asymmetric routing issues.

Do let me know if you have further questions!
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-15T19:30:16.6866667+00:00

Hi Paul

I am following up to see if you have checked the above information, please let me know if you need further assistance.

I hope this has been helpful!
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-21T22:29:40.2533333+00:00

Hello PaulPlease don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.

If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

1 answer

Your answer

Paul 0 Reputation points

2025-07-12T04:35:20.0533333+00:00

Thanks for your detailed inputs on the Azure Firewall SNAT behavior and the guidance provided.

I wanted to share a summary of the testing performed and the remaining challenge:

Actions Taken So Far:

Configured Azure Firewall Policy to perform SNAT “Always.”

Added UDRs in Tenant1 VM subnet to force all traffic (0.0.0.0/0 and 172.18.0.0/16) through the Firewall.

Verified that outbound flows (Tenant1 VM initiating connections to Tenant2 VM) are now working successfully.

Firewall SNATs the flows.

Remaining Issue:

Inbound connections initiated from Tenant2 VMs to Tenant1 VMs still fail.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-14T18:33:23.9233333+00:00

Hey Paul

Thanks for the update and detailed testing summary. It's great to hear that outbound traffic from Tenant1 to Tenant2 is now working as expected via Azure Firewall with SNAT applied.

To fix the Inbound Traffic from Tenant2 to Tenant1, please follow

Add UDR on Tenant1 VM Subnet:

Route 172.18.0.0/16 via Azure Firewall private IP.

Enable SNAT for Return Traffic:

In Firewall Policy, add 172.18.0.0/16 under Private IP ranges (SNAT).

Check NSG Rules Allow inbound/outbound traffic to/from 172.18.0.0/16.

Verify Firewall Rules and ensure rules allow traffic from Tenant2 to Tenant1 and back.

Use Logs to Confirm

Check Azure Firewall logs or Network Watcher for flow validation like: Inbound packets reach the firewall, or Firewall forwards them to the VM.

Return packets are SNAT’d and routed correctly

I hope this helps! Do let me know if you have further questions.

If the above is unclear or you are unsure about something, please add a comment below.
Paul 0 Reputation points

2025-07-14T18:49:20.7133333+00:00

Enable SNAT for Return Traffic:

In Firewall Policy, add 172.18.0.0/16 under Private IP ranges (SNAT) Kindly elaborate this steps as I marked as Always.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-14T21:03:28.5133333+00:00

Hi Paul

Even with SNAT mode set to "Always", Azure Firewall still uses the Private IP ranges (SNAT) list to:

Identify which IP ranges are considered private.

Apply consistent SNAT behavior for traffic to/from those ranges.

Ensure session tracking and symmetric routing work correctly, especially in multi-tenant or hybrid environments.

So, adding 172.18.0.0/16 ensures that return traffic to Tenant2 is SNATed properly and avoids asymmetric routing issues.

Do let me know if you have further questions!
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-15T19:30:16.6866667+00:00

Hi Paul

I am following up to see if you have checked the above information, please let me know if you need further assistance.

I hope this has been helpful!
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-21T22:29:40.2533333+00:00

Hello PaulPlease don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.

If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Answer 1

Hello Paul

It looks like you're facing a challenge with enforcing traffic through Azure Firewall while maintaining symmetric routing for your VPN traffic between two Azure tenants.

Here's an approach you might consider:

By Default, Azure Firewall does not SNAT outbound traffic to private IP ranges (e.g., 172.16.0.0/12) per IANA RFC 1918 unless the organization uses a public IP range for private networks. For your scenario, since Tenant2 uses a private IP range, SNAT is not applied by default, leading to asymmetric routing.
Refer Doc 1: https://learn.microsoft.com/en-us/azure/firewall/firewall-faq
Refer Doc 2: https://learn.microsoft.com/en-us/azure/firewall/features
To avoid asymmetric routing, you must explicitly configure the Azure Firewall Policy to SNAT traffic destined for Tenant2’s address space (e.g., 172.16.0.0/12).
This is done by modifying the “Private IP ranges (SNAT)” settings in the Firewall Policy to include Tenant2’s address space for SNAT, as described above.
After applying the SNAT configuration, verify that the source IP of outbound packets to Tenant2 is the Azure Firewall’s private IP (e.g., 10.0.1.4) using Azure Firewall logs or Network Watcher.

I hope this helps! If these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.

If the above is unclear or you are unsure about something, please add a comment below.

G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-16T20:02:37.8866667+00:00

Hi Paul

please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.

Share via

Enforcing All Traffic Through Azure Firewall with Site-to-Site VPN Between Azure Tenants – Asymmetric Routing and RDP Failure

Problem Statement

1 answer

Your answer