To clarify, persistence is not related to the symmetry of the return traffic, but determines which firewall the packets will be sent to. In theory the return packets can bypass the firewall regardless of the persistence setting.

You are asking a valid question though, and this is how it was previously with the “Basic” Azure load balancer. There used to be a requirement to always configure source NAT behind the firewall’s internal interface for East-West traffic, otherwise the return packets were sent directly to the originating server, bypassing the firewall and creating an asymmetric traffic flow. However, sometime last year Azure introduced the “Standard” Load Balancer SKU, which fixed a lot of the issues with the Basic SKU. One of them is that you no longer need to configure source NAT; the load balancer takes care of the correct routing of packets, so they are sent to the correct firewall.

Also, previously we had to configure “session persistence” on the LB, otherwise different packets of the same session could have been sent to different firewalls, which would have broken the session. Then again, in the Standard SKU they introduced a concept of “HA Ports”, designed exactly for high availability. One of its attributes is that load balancing is done per flow and not per packet, ensuring that all packets for a session will be sent to a single firewall:

“The load-balancing decision is made per flow. This action is based on the following five-tuple connection: source IP address, source port, destination IP address, destination port, and protocol.”
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview

Hope it makes sense. I did not explain it very well, but these are the reasons for no longer configuring persistence and source NAT.
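For readers who want to see what the HA Ports rule described in the reply above looks like when deployed, here is an added Bicep example (not part of the original post or of any vendor’s reference template) for an internal Standard Load Balancer in front of two firewall NVAs. The resource names, the frontend IP, the subnet parameter and the probe port are assumptions chosen for illustration; the firewall NICs are assumed to be attached to the backend pool separately.

```bicep
// Added example, not from the original post: internal Standard LB with one
// HA Ports rule (protocol All, frontend/backend port 0) for a pair of firewalls.
// Names, addresses and the probe port below are assumptions for illustration.
param location string = resourceGroup().location
param subnetId string                  // assumed: existing subnet holding the firewalls' internal NICs
param frontendIp string = '10.0.1.10'  // assumed: private IP that the route tables use as next hop
param probePort int = 22               // assumed: a TCP port the firewall management plane answers on

var lbName = 'fw-internal-lb'

resource lb 'Microsoft.Network/loadBalancers@2023-05-01' = {
  name: lbName
  location: location
  sku: {
    name: 'Standard' // HA Ports rules are only available on the Standard SKU
  }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'fw-frontend'
        properties: {
          subnet: {
            id: subnetId
          }
          privateIPAddress: frontendIp
          privateIPAllocationMethod: 'Static'
        }
      }
    ]
    backendAddressPools: [
      {
        name: 'fw-pool' // firewall NIC ipConfigurations reference this pool
      }
    ]
    probes: [
      {
        name: 'fw-probe'
        properties: {
          protocol: 'Tcp'
          port: probePort
          intervalInSeconds: 5
          numberOfProbes: 2
        }
      }
    ]
    loadBalancingRules: [
      {
        name: 'ha-ports'
        properties: {
          frontendIPConfiguration: {
            id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'fw-frontend')
          }
          backendAddressPool: {
            id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'fw-pool')
          }
          probe: {
            id: resourceId('Microsoft.Network/loadBalancers/probes', lbName, 'fw-probe')
          }
          protocol: 'All'   // HA Ports: every protocol ...
          frontendPort: 0   // ... on every port is load balanced by this single rule
          backendPort: 0
          // 'Default' is the five-tuple hash (src IP, src port, dst IP, dst port, protocol),
          // so all packets of one flow land on the same firewall. 'SourceIP' and
          // 'SourceIPProtocol' are the stickier "session persistence" modes.
          loadDistribution: 'Default'
          enableFloatingIP: false
          idleTimeoutInMinutes: 4
        }
      }
    ]
  }
}
```

The three settings that make this an HA Ports rule are `protocol: 'All'`, `frontendPort: 0` and `backendPort: 0`; the portal shows the same combination as “HA Ports”. After deployment, `az network lb rule show --lb-name fw-internal-lb --name ha-ports` can be used to confirm the rule and its distribution mode.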