
Asymmetric Routing Issue with ExpressRoute – Return Traffic via Internet Instead of ER (Selective Routing Required)

Sagar Sapkota 0 Reputation points
2026-03-17T11:56:39.4466667+00:00

I am working on a hybrid Azure environment with ExpressRoute connectivity to on-premises (Palo Alto firewall), and I am facing an asymmetric routing issue impacting SIP-based applications (IPFX softphone / mobility clients).

Current Setup:

  • Azure VNet connected to on-prem via ExpressRoute (BGP enabled)
  • Palo Alto firewall on-prem (stateful inspection)
  • SIP provider (2Talk) over public internet
  • IPFX server hosted on Azure VM
  • Internal desk phones (on-prem) working as expected
  • Issue occurs only for off-network/mobile clients

Observed Behavior:

  • Traffic from on-prem to Azure flows correctly via ExpressRoute
  • However, return traffic from Azure is going via Azure Internet/DC path instead of ExpressRoute
  • This causes asymmetric routing, and the Palo Alto firewall drops the sessions (state mismatch)

As per Microsoft documentation, asymmetric routing can occur when multiple paths (Internet + ExpressRoute) exist, and return traffic may take a different path than the original flow.

Key Requirement:

  • I want to ensure symmetric routing (both directions via ExpressRoute) for specific application flows (SIP/IPFX)
  • At the same time, I do NOT want to force all traffic (0.0.0.0/0) via ExpressRoute or firewall, as I have other servers in the VNet that should continue using direct Internet breakout

What I am trying to achieve:

  • Selective routing for specific workloads/subnets
  • Avoid full forced tunneling for the entire VNet
  • Maintain proper return path consistency for stateful firewall inspection

Questions:

  1. What is the recommended approach to enforce symmetric routing for specific subnets or workloads without using a global 0.0.0.0/0 route?
  2. Can BGP attributes (Local Preference / AS Path prepending / more specific routes) reliably influence Azure return traffic in such scenarios?
  3. How does Azure decide return path selection when both ExpressRoute and Internet routes are available (destination-based routing vs BGP preference)?
  4. Would advertising more specific prefixes over ExpressRoute help ensure return traffic symmetry for selected IP ranges?
  5. Is SNAT (via Azure Firewall or NVA) the only reliable approach when selective routing is required?
  6. Are there any best practices for handling SIP/media traffic in hybrid environments without introducing asymmetric routing?

Any guidance, best practices, or real-world experience would be highly appreciated.

Thanks in advance!

Azure ExpressRoute

An Azure service that provides private connections between Azure datacenters and infrastructure, either on premises or in a colocation environment.

3 answers

  1. Ganesh Patapati 11,915 Reputation points Microsoft External Staff Moderator
    2026-03-25T17:35:32.3933333+00:00

    Hello Sagar Sapkota

    Azure routing is destination‑based, stateless, and asymmetric by design:

    • Azure does not track flow state when choosing a return path.
    • Return traffic is selected purely on best route to the destination IP, not “same path the packet arrived on”.
    • When both ExpressRoute and Internet paths exist, Azure may choose either depending on:
      • Longest Prefix Match (LPM)
      • Route origin (UDR > BGP > System)
      • Microsoft internal egress selection (nearest exit)

    Microsoft explicitly states this behavior and does not recommend architectures that rely on symmetric routing with multiple paths.

    Refer to this doc: Asymmetric routing with multiple network paths

    “When an internet path and a private path exist to the same destination, traffic can go out one path and return on another. Stateful devices may drop this traffic.”


    In hybrid Azure environments with ExpressRoute and Internet coexistence, Azure does not guarantee symmetric routing. BGP attributes cannot reliably influence Azure return traffic selection. When stateful firewalls are involved, symmetric routing must be enforced either through subnet‑scoped forced tunneling or SNAT. For SIP‑based workloads, these are the only supported and reliable approaches.


    Can you please update us if the action plan provided was helpful?

    Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

    If these answer your question, click "Upvote" and click "Accept Answer" which may be beneficial to other community members reading this thread.


  2. Vallepu Venkateswarlu 9,655 Reputation points Microsoft External Staff Moderator
    2026-03-17T14:00:02.1566667+00:00

    Hi @Sagar Sapkota,

    Welcome to Microsoft Q&A Platform.

    Azure returns traffic based on its routing table, and by default, Internet-destined traffic is routed through Internet egress, not through the ExpressRoute (ER) circuit.

    Since you want symmetry only for SIP/IPFX flows (and not full force tunneling 0.0.0.0/0), here are the two practical approaches:

    Advertise a More Specific Route over ExpressRoute:

    • Azure follows the longest prefix match (LPM) rule.
    • If you advertise your mobile/P2S VPN client pool (or a fixed NAT pool) as an on-premises BGP prefix, return traffic will prefer the ExpressRoute path.

    Drawback:

    • You typically cannot advertise arbitrary public Internet prefixes for off-network softphones.

    Use Source NAT (SNAT) for SIP Traffic (Recommended):

    Deploy an Azure Firewall or Network Virtual Appliance (NVA) in front of your IPFX subnet (alternatively: NAT Gateway + UDR)

    Configure SNAT:

    • Translate all SIP client traffic into a small, routable on-premises prefix
    • Ensure this prefix is advertised over ExpressRoute

    Configure a User Defined Route (UDR) on the IPFX subnet:

      0.0.0.0/0 → Next hop = Firewall/NVA
    

    Result:

    • All outbound traffic passes through the SNAT device
    • Azure sees the destination as on-prem (advertised prefix)
    • Return traffic flows through ExpressRoute
    • Other subnets (without UDR/SNAT) continue using direct Internet breakout

    Why BGP Tweaks Alone Won’t Help: Local Preference / AS Path prepending only affect route advertisement into ER; they do not override Azure’s LPM routing decision for outbound VM traffic.

    You cannot selectively force Internet traffic via ER without either SNAT or full 0.0.0.0/0 force tunneling.

    Recommended Architecture for SIP Workloads

    • Place an SBC (Session Border Controller) or Azure Firewall/NVA in front of IPFX
    • Perform SNAT for SIP traffic into a known on-prem prefix
    • Advertise that prefix over ExpressRoute
    • Apply a UDR on the IPFX subnet to route traffic via the NAT device

    Benefits:

    • Ensures symmetric routing for SIP flows
    • Keeps other workloads on direct Internet breakout
    • Maintains stateful firewall consistency (e.g., Palo Alto)

    Please “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

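The route-selection logic the two answers above describe (longest prefix match first, then UDR > BGP > System on a tie, with a 0.0.0.0/0 UDR bound only to the IPFX subnet) as a small Python model. This is an added illustration, not Azure's code or anything from the answers; the VNet address space, the NVA address 10.10.1.4, the on-prem NAT pool 203.0.113.0/24 and the SIP provider address 198.51.100.10 are constructed.

```python
import ipaddress

# Constructed model of Azure VNet route selection (not Azure code): the route
# with the longest matching prefix wins; on a prefix-length tie the origin
# decides, User Defined Route > BGP (ExpressRoute) > System default.
ORIGIN_RANK = {"UDR": 0, "BGP": 1, "System": 2}

# System routes every subnet gets (constructed VNet address space).
SYSTEM_ROUTES = [
    {"prefix": "10.10.0.0/16", "origin": "System", "next_hop": "VnetLocal"},
    {"prefix": "0.0.0.0/0", "origin": "System", "next_hop": "Internet"},
]

# Prefixes learned over ExpressRoute via BGP: the on-prem LAN plus a small
# public NAT pool the on-prem firewall announces only over the circuit (constructed).
BGP_ROUTES = [
    {"prefix": "192.168.0.0/16", "origin": "BGP", "next_hop": "VirtualNetworkGateway"},
    {"prefix": "203.0.113.0/24", "origin": "BGP", "next_hop": "VirtualNetworkGateway"},
]

# UDR associated with the IPFX subnet only: default route to the SNAT NVA (constructed).
IPFX_UDR = [
    {"prefix": "0.0.0.0/0", "origin": "UDR", "next_hop": "VirtualAppliance 10.10.1.4"},
]

def effective_routes(subnet_udr):
    """Routes a NIC sees: system routes, BGP routes, plus its subnet's UDR (if any)."""
    return SYSTEM_ROUTES + BGP_ROUTES + list(subnet_udr)

def select_route(routes, dst):
    """Route Azure would pick for dst: longest prefix first, then origin rank."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in ipaddress.ip_network(r["prefix"])]
    return min(matches, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                       ORIGIN_RANK[r["origin"]]))

def next_hop(subnet_udr, dst):
    """Next hop for traffic leaving a subnet with the given UDR (empty list = no UDR)."""
    return select_route(effective_routes(subnet_udr), dst)["next_hop"]

if __name__ == "__main__":
    sip_provider = "198.51.100.10"  # constructed public address of the SIP provider
    print(next_hop([], sip_provider))        # Internet: other subnets keep direct breakout
    print(next_hop(IPFX_UDR, sip_provider))  # VirtualAppliance 10.10.1.4: only the IPFX subnet
    print(next_hop([], "203.0.113.5"))       # VirtualNetworkGateway: /24 over ER beats /0
```

The real counterpart of effective_routes() is the NIC's effective route table (`az network nic show-effective-route-table`), which is the first thing to inspect when a return path is not the one you expect.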

  3. AI answer

    2026-03-17T11:57:13.46+00:00

    Azure uses destination-based routing and standard BGP best-path logic. When both Internet and ExpressRoute paths exist to the same public IP, Microsoft will generally prefer the ExpressRoute path if:

    • The same prefix is seen via Internet and ExpressRoute, and
    • The prefix length is equal, or the ExpressRoute prefix is more specific.

    This is exactly what causes asymmetric routing when a stateful device (like Palo Alto) sees only one side of the flow.

    Below are the options that are supported and documented for avoiding asymmetric routing while keeping selective routing.

    1. Recommended approach for symmetric routing without 0.0.0.0/0

    Use distinct NAT IP ranges and careful route advertisement so that:

    • The public IPs used for SIP/IPFX flows that must return via ExpressRoute are only advertised over ExpressRoute, not to the Internet.
    • The public IPs used for workloads that should use direct Internet breakout are only advertised to the Internet, not over ExpressRoute.

    Key points from the guidance:

    • Do not advertise the same public IP route to the Internet and over ExpressRoute. Use a NAT IP range for ExpressRoute that is not advertised to the Internet at all.
    • If that is not possible, advertise a more specific range over ExpressRoute than the one advertised to the Internet, so ExpressRoute is the preferred path for those flows.

    This lets specific workloads/subnets use symmetric ExpressRoute paths without forcing a global 0.0.0.0/0 default route over ExpressRoute.

    2. Use of BGP attributes vs prefix specificity

    Within Microsoft, the decisive factor is prefix specificity, not customer-controlled attributes like Local Preference:

    • If Microsoft receives multiple advertisements for the same IP, the path with the longer subnet mask (more specific route) is selected.
    • Documentation explicitly calls out that more specific prefixes advertised over ExpressRoute will be preferred.

    Therefore:

    • Rely on more specific prefixes over ExpressRoute to influence return path.
    • Do not rely on Local Preference or AS-path prepending to control Microsoft’s choice; those are not the primary knobs in this scenario.

    3. How Azure/Microsoft chooses the return path

    When both Internet and ExpressRoute paths exist:

    • Routing between external networks is based on BGP best path.
    • If the same IP is reachable via both, the more specific prefix wins.
    • If Microsoft receives the same prefix with the same mask from Internet and ExpressRoute, the ExpressRoute path is preferred.

    This is why:

    • If the same NAT pool is advertised to both Internet and ExpressRoute, requests that arrive via Internet can have replies sent via ExpressRoute, creating asymmetric routing.

    4. Advertising more specific prefixes over ExpressRoute

    Yes, advertising more specific prefixes over ExpressRoute is a supported way to ensure return traffic symmetry for selected IP ranges, with constraints:

    • For IPs that must return via ExpressRoute, advertise those public IPs (or a more specific block containing them) over ExpressRoute.
    • Do not advertise that same block to the Internet, or advertise a less specific block to the Internet.

    This ensures:

    • Requests from Microsoft to those IPs go via ExpressRoute.
    • Replies from those IPs to Microsoft also prefer ExpressRoute.

    5. Role of SNAT for selective routing

    SNAT is a primary tool for fixing asymmetric routing when selective routing is required:

    • For flows that must stay on the Internet (for example, SMTP or SIP flows that should not use ExpressRoute), SNAT at the Internet edge to an internal IP or to a public IP that is not advertised over ExpressRoute.
    • For inbound flows from Microsoft over the Internet, SNAT them at the Internet edge before they enter segments that have visibility into ExpressRoute. This forces the return path back to the same edge and avoids asymmetric routing.

    Microsoft explicitly recommends SNAT at the Internet edge for Microsoft traffic to prevent asymmetric routing when ExpressRoute is present.

    6. Best practices for SIP/media traffic in hybrid environments

    From the ExpressRoute/asymmetric routing guidance, the following patterns apply well to SIP/media:

    • Avoid advertising the same NAT pool to both Internet and ExpressRoute.
    • Use separate NAT pools for:
      • ExpressRoute-facing traffic (advertised only over ExpressRoute), and
      • Internet-facing SIP/media traffic (advertised only to the Internet).
    • For inbound SIP/media flows that must remain on the Internet, perform source NAT at the Internet edge before those flows enter any segment that has ExpressRoute routes.
    • Ensure that any on-prem SIP/media servers that should use ExpressRoute have their public IPs advertised over ExpressRoute without NAT, so that both directions use ExpressRoute.

    In summary:

    • Enforce symmetry by controlling which public IPs are advertised where and by using distinct NAT pools for Internet vs ExpressRoute.
    • Use more specific prefixes over ExpressRoute to bias return traffic for selected ranges.
    • Use SNAT at the Internet edge to keep Internet-only flows symmetric and avoid ExpressRoute on the return path.
