Date: 2021-09-21

I have a use case: there are 2 VM-Series Palo Alto firewalls deployed in Azure behind an Internal Load Balancer. Each firewall has 3 private zone interfaces, and the Internal LB has 3 Frontend IPs, one for each firewall interface subnet.

The request traffic from one private Azure subnet lands on Internal LB Frontend-IP1 and is distributed to firewall1 interface1 for processing. The response traffic, as part of the same session, lands on Internal LB Frontend-IP2 and is distributed to firewall2 on interface2. This is causing asymmetry, and hence the communication is getting dropped on firewall2. This is happening in Azure internal communication as well as Azure to on-premise communication.

I was expecting the Internal LB to distribute the same session's traffic to just firewall1 and not to firewall2, as I have read in the Azure docs that the Internal Load Balancer always maintains a 5-tuple hash to maintain the session. Does the Internal LB maintain the session hash if the communication is between different Frontend IPs? I'm using original IPs (without Source NAT) to communicate between private zones.

I have attached an architecture diagram for reference. Please advise.
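The following is an added model, not code from the poster's deployment and not Azure's real load-balancer algorithm: it shows that a 5-tuple hash taken per packet treats the request (A->B) and the reply (B->A) of one session as two different tuples, so the two directions are steered to the two firewalls independently unless the hash is made direction-independent. The addresses, ports and firewall names are constructed for the illustration.

```python
import hashlib
from typing import NamedTuple

# Constructed backend pool: the two firewalls behind the load balancer (assumed names).
FIREWALLS = ["firewall1", "firewall2"]


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def reply_of(flow: Flow) -> Flow:
    """The reply packet of the same session as the load balancer sees it: endpoints swapped."""
    return Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port, flow.proto)


def _digest(*parts) -> int:
    # Stand-in hash function (assumption): any stable hash shows the same effect.
    key = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def hash_5tuple(flow: Flow) -> int:
    """Direction-sensitive 5-tuple hash: request and reply hash to unrelated values."""
    return _digest(flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.proto)


def hash_symmetric(flow: Flow) -> int:
    """Direction-independent hash: sort the two endpoints so A->B and B->A collide."""
    lo, hi = sorted([(flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)])
    return _digest(lo, hi, flow.proto)


def choose(flow: Flow, hash_fn=hash_5tuple) -> str:
    """Pick the firewall for one packet by hash modulo pool size."""
    return FIREWALLS[hash_fn(flow) % len(FIREWALLS)]


def session_is_symmetric(flow: Flow, hash_fn=hash_5tuple) -> bool:
    """True when request and reply of one session reach the same firewall."""
    return choose(flow, hash_fn) == choose(reply_of(flow), hash_fn)


def asymmetric_fraction(n: int, hash_fn=hash_5tuple) -> float:
    """Share of n constructed sessions (one client, varying source port) split across firewalls."""
    flows = [Flow("10.1.0.4", 40000 + i, "10.2.0.5", 443, "tcp") for i in range(n)]
    return sum(not session_is_symmetric(f, hash_fn) for f in flows) / n
```

With the per-packet hash roughly half of the sessions come back through the other firewall, which is the drop the question describes; with the endpoint-sorted hash every session stays on one firewall.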
