Taffic flow through public Load balancer

Question

Taffic flow through public Load balancer

Manni Negi 0

I have below traffic flow Internet Users (2.2.2.2) -> WAF(3.3.3.3) --> Azure Publc LB(10.10.10.10) ----> VM1 (192.168.1.1)

Forward Path User -> Src (2.2.2.2) Des (10.10.10.10) WAF -> Src (3.3.3.3) Des (10.10.10.10) Azure LB -> Src (3.3.3.3) Des (192.168.1.1)

Retrun Path VM1 -> Src (192.168.1.1) Des (3.3.3.3)

Can someone please explain that with below UDR in VM route table, now traffic will go directly to Public internet or Azure LB front end IP

0.0.0.0 Internet

Ganesh Patapati 10,460 Reputation points Microsoft External Staff Moderator

2025-10-13T18:35:14.1166667+00:00
Hello Manni Negi

With that UDR in Route table

Forward path remains the same (Internet → WAF → LB → VM1).

Return path changes (VM1 → Internet directly), breaking WAF session and possibly LB health probes. Outbound traffic from VM1 will bypass the Azure Load Balancer and WAF and go directly to the Internet. Azure LB only handles inbound traffic; outbound routing is controlled by system routes unless overridden by UDR.

By forcing 0.0.0.0/0 → Internet, you override Azure’s default system route (which normally sends outbound traffic via Azure’s default SNAT through the LB if needed).

NOTE: UDR overrides the system route for internet-bound traffic.

With this route, all outbound traffic from VM1 (including to 3.3.3.3) will be sent directly to the internet, bypassing the Azure Load Balancer and WAF.

This breaks the symmetric routing required for stateful connections, causing asymmetric routing

If you need all outbound traffic inspected, use:

Azure Firewall or NVA as next hop in UDR (0.0.0.0/0 → VirtualAppliance).

Or NAT Gateway for predictable outbound IP without breaking symmetry

Reference Links:

What is Azure Load Balancer?

Insights into VMs not connected to Load Balancer

Configure Azure Load Balancer

https://v4.hkg1.meaqua.org/en-us/answers/questions/2287668/azure-public-lb-traffic-flow

I hope this was helpful!

If the above is unclear or you are unsure about something, please add a comment below.
Manni Negi 0 Reputation points

2025-10-14T02:02:13.81+00:00
1.I am wondering in below secnario, who will do SNAT for the VM1 private IP (192.168.1.1) before going to Internet

{Return path changes (VM1 → Internet directly), breaking WAF session and possibly LB health probes. Outbound traffic from VM1 will bypass the Azure Load Balancer and WAF and go directly to the Internet. }

Whether this design create any issue ? ( Apart from Assymetric routing as I think it will not create any issue to access the application)
Ganesh Patapati 10,460 Reputation points Microsoft External Staff Moderator

2025-10-14T18:51:14.05+00:00

Hello Manni Negi

Thanks for the reply!

I have Initiated a private message with you. Kindly provide the necessary details in the private chat for further troubleshooting.

1 answer

Your answer

Ganesh Patapati 10,460 Reputation points Microsoft External Staff Moderator

2025-10-13T18:35:14.1166667+00:00

Hello Manni Negi

With that UDR in Route table

Forward path remains the same (Internet → WAF → LB → VM1).

Return path changes (VM1 → Internet directly), breaking WAF session and possibly LB health probes. Outbound traffic from VM1 will bypass the Azure Load Balancer and WAF and go directly to the Internet. Azure LB only handles inbound traffic; outbound routing is controlled by system routes unless overridden by UDR.

By forcing 0.0.0.0/0 → Internet, you override Azure’s default system route (which normally sends outbound traffic via Azure’s default SNAT through the LB if needed).

NOTE: UDR overrides the system route for internet-bound traffic.

With this route, all outbound traffic from VM1 (including to 3.3.3.3) will be sent directly to the internet, bypassing the Azure Load Balancer and WAF.

This breaks the symmetric routing required for stateful connections, causing asymmetric routing

If you need all outbound traffic inspected, use:

Azure Firewall or NVA as next hop in UDR (0.0.0.0/0 → VirtualAppliance).

Or NAT Gateway for predictable outbound IP without breaking symmetry

Reference Links:

What is Azure Load Balancer?

Insights into VMs not connected to Load Balancer

Configure Azure Load Balancer

https://v4.hkg1.meaqua.org/en-us/answers/questions/2287668/azure-public-lb-traffic-flow

I hope this was helpful!

If the above is unclear or you are unsure about something, please add a comment below.
Manni Negi 0 Reputation points

2025-10-14T02:02:13.81+00:00

1.I am wondering in below secnario, who will do SNAT for the VM1 private IP (192.168.1.1) before going to Internet

{Return path changes (VM1 → Internet directly), breaking WAF session and possibly LB health probes. Outbound traffic from VM1 will bypass the Azure Load Balancer and WAF and go directly to the Internet. }

Whether this design create any issue ? ( Apart from Assymetric routing as I think it will not create any issue to access the application)
Ganesh Patapati 10,460 Reputation points Microsoft External Staff Moderator

2025-10-14T18:51:14.05+00:00

Hello Manni Negi

Thanks for the reply!

I have Initiated a private message with you. Kindly provide the necessary details in the private chat for further troubleshooting.

Answer 1

Hello Manni Negi

Current Traffic Flow

Forward Path:
- Internet User → WAF → Azure Public Load Balancer → VM1
- The source and destination change as expected since the WAF acts as a reverse proxy.
Return Path:
- VM1 → WAF → Internet User This works because the WAF expects return traffic at its IP address (3.3.3.3).

What Does the UDR Do?

You mentioned the VM’s route table has 0.0.0.0/0 → Internet.

This means all outbound traffic from VM1 bypasses Azure’s default system routes and goes directly to the Internet via the default gateway, such as the Azure fabric or a specified next hop like a firewall/NVA.

Impact on Return Path

Normally, VM1 would send return traffic to the Azure LB frontend IP (10.10.10.10) due to SNAT and session persistence.
With the UDR set to Internet, VM1 will not send traffic through the Azure LB or WAF. Instead:
- It attempts to route directly to 3.3.3.3 (WAF public IP) over the Internet.

This disrupts the expected flow because:

The source IP is VM1’s private IP (192.168.1.1), which isn’t routable on the Internet.
The WAF will drop the packet since it expects return traffic from the LB, not directly from VM1.

Result

Traffic will not go to the Azure LB frontend IP.
It will attempt to go out to the Internet, causing asymmetric routing and session issues.
RDP/HTTP sessions may break due to the inconsistent return path.

Best Practice

Do not set 0.0.0.0/0 → Internet on the VM unless a NAT gateway or firewall is handling SNAT.
If outbound Internet access is needed, use:
- Azure NAT Gateway or
  - Keep the default system route so return traffic flows through the LB/WAF as expected.

Reference Article:

Would you like me to create a diagram illustrating the correct routing for forward and return paths with and without UDR?

Or should I also add a recommended UDR configuration for WAF and LB scenarios?

I hope this has been helpful!

If the above is unclear or you are unsure about something, please add a comment below.

Share via

Taffic flow through public Load balancer

1 answer

Your answer