Thanks for the guidance Scott, I had been chasing Microsoft for this for many days but didn't get any concrete reply so far regarding how the Internal LB works. Appreciate your big help. I understand it as follows: because I have multiple front-end IPs on the Internal LB with traffic crossing the zones on the firewall, I have to source NAT the traffic, as the Internal LB cannot maintain symmetry in this case. In another case, where the traffic communication would have been on the same front-end IP in the same zone on the firewall, source NAT wouldn't be required, as the symmetry would be maintained by the Internal LB.
I have a use-case: there are 2 VM-Series Palo Alto firewalls deployed in Azure behind an Internal Load Balancer. Each firewall has 3 private zone interfaces and the Internal LB has 3 Frontend-IPs, one for each firewall interface subnet. The request traffic from one private Azure subnet lands on Internal LB Frontend-IP1 and is distributed to firewall1 interface1 for processing; the response traffic, as part of the same session, lands on the same Internal LB's Frontend-IP2 and is distributed to firewall2 on interface2. This is causing asymmetry and hence the communication is getting dropped on firewall2. This is happening in Azure internal communication as well as Azure to on-premise communication. I was expecting the Internal LB to distribute the same session's traffic to just firewall1 and not to firewall2, as I have read in the Azure docs that the Internal Load Balancer always maintains a 5-tuple hash to maintain the session. Does the Internal LB maintain the session hash if the communication is between different Frontend IPs? I'm using original IPs (without Source NAT) to communicate between private zones. I have attached an architecture diagram for reference. Please advise.
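The asymmetry described in the question and the explanation given in the reply above, as an added toy model that is not Azure's, Palo Alto's or the poster's own code: the backend pick is modelled as a hash that ignores packet direction within one frontend IP but includes the frontend IP itself (an assumption chosen to reproduce the behaviour the thread states, not Microsoft's real algorithm), and all addresses are constructed.

```python
import hashlib
from collections import namedtuple

# TCP packet as the load balancer sees it (the protocol field is fixed here)
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port")

FIREWALLS = ("fw1", "fw2")
# Constructed addresses: one ILB frontend per firewall zone subnet, plus each
# firewall's own interface address in that subnet.
FRONTEND = {"zone1": "10.1.0.4", "zone2": "10.2.0.4"}
FW_IF = {("fw1", "zone1"): "10.1.0.5", ("fw1", "zone2"): "10.2.0.5",
         ("fw2", "zone1"): "10.1.0.6", ("fw2", "zone2"): "10.2.0.6"}

def ilb_backend(pkt, frontend_ip):
    """Modelled backend pick (not Azure's real algorithm). Assumption: the key
    ignores direction, so request and reply through the same frontend agree,
    but the frontend address itself is part of the key."""
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    h = hashlib.sha256(f"{frontend_ip}|tcp|{ends}".encode()).digest()
    return FIREWALLS[int.from_bytes(h[:4], "big") % len(FIREWALLS)]

def deliver(pkt, next_hop):
    """Firewall that receives pkt when the route's next hop is next_hop."""
    if next_hop in FRONTEND.values():
        return ilb_backend(pkt, next_hop)
    for (fw, _zone), ip in FW_IF.items():   # a firewall's own IP: no hashing
        if ip == next_hop:
            return fw
    raise ValueError(f"unknown next hop {next_hop}")

def same_frontend_symmetric(sport):
    """Request and its reply, both hashed at zone1's frontend, agree."""
    req = Packet("10.1.1.10", "10.2.1.10", sport, 443)
    rev = Packet(req.dst_ip, req.src_ip, req.dst_port, req.src_port)
    return ilb_backend(req, FRONTEND["zone1"]) == ilb_backend(rev, FRONTEND["zone1"])

def session_symmetric(vm_a, vm_b, sport, snat):
    """vm_a (zone1 subnet) opens TCP/443 to vm_b (zone2 subnet); the request
    is routed to zone1's frontend and the reply to zone2's frontend, unless
    the firewall SNATed the request to its own zone2 interface."""
    req = Packet(vm_a, vm_b, sport, 443)
    fw_in = deliver(req, FRONTEND["zone1"])
    if snat:
        snat_ip = FW_IF[(fw_in, "zone2")]          # reply is addressed to fw_in
        reply = Packet(vm_b, snat_ip, 443, 30000 + sport % 1000)
        fw_out = deliver(reply, snat_ip)
    else:
        reply = Packet(vm_b, vm_a, 443, sport)
        fw_out = deliver(reply, FRONTEND["zone2"])
    return fw_in == fw_out
```

Running `session_symmetric` over a range of source ports without SNAT shows some sessions landing on the other firewall, while with SNAT every reply reaches the firewall that saw the request.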