Please enable out-of-order UDP fragment reassembly for our subscription in westus2.

Question

Please enable out-of-order UDP fragment reassembly for our subscription in westus2.

Arsen Abayan 0

Hello,

We have an Azure Linux VM in West US 2 that receives UDP traffic from the public Internet.

When incoming UDP packets require IPv4 fragmentation because the resulting packet is larger than the standard 1500-byte MTU, a significant portion of the fragmented packets is lost. In repeated tests, more than half of such packets can be lost.

The application works normally when we avoid outer UDP/IP fragmentation by lowering the tunnel MTU. The issue appears only when the Azure VM needs to receive and reassemble fragmented UDP/IP packets from the Internet.

This looks consistent with Azure dropping out-of-order UDP/IP fragments before the VM can reassemble them.

According to related Microsoft Q&A answers, Azure Support can enable a platform-side feature usually referred to as out-of-order UDP fragment reassembly / UDP fragment reordering.

Could an Azure support engineer confirm whether this feature can be enabled for a VM/VNet in West US 2, and how we should request it under a Developer support plan where the Azure Support API rejects ticket creation with InvalidSupportPlan?

I can provide subscription ID, resource IDs, public IP and packet-capture details privately if a Microsoft engineer needs them.

Thank you.

Praveen Bandaru 11,635 Reputation points Microsoft External Staff Moderator

2026-05-02T17:36:34.1866667+00:00
Hello **Arsen Abayan
**It looks like you’re running into Azure’s default behavior of dropping out-of-order UDP fragments when they arrive at the VM’s public IP in West US 2. Azure can enable a platform-side “UDP fragment reordering” flag for your subscription so your Linux VM can reassemble those fragments, but it has to be turned on by the networking team. Here’s what you can do:

Make sure the UDP traffic is coming in over a public IP directly attached to your VM. (ExpressRoute or VPN Gateway paths aren’t supported for UDP reordering.)

Confirm your VM is deployed on one of the supported hardware clusters.

Verify there’s no NAT Gateway, load-balancer or Azure Firewall in front of your VM IP.
Arsen Abayan 0 Reputation points

2026-05-02T19:16:47.7366667+00:00
Hello,

Thanks for the confirmation.

I checked the requested prerequisites:

The UDP traffic is coming in over a public IP directly attached to the VM NIC. This is not ExpressRoute or VPN Gateway traffic. The VM has a Standard static Public IP associated directly with the primary IP configuration of its NIC.

I cannot confirm the "supported hardware cluster" requirement from the customer side. Azure CLI and IMDS expose the VM region/size and fault/update domain, but not a hardware cluster identifier. The VM is in West US 2 and uses Standard_B2pts_v2. Please confirm from the Azure networking side whether the current host/cluster supports UDP fragment reordering.

There is no NAT Gateway, public Load Balancer, or Azure Firewall in front of this VM public IP. The subnet has no NAT Gateway and no route table, the effective default route is Internet, and the NIC is not attached to any Load Balancer backend pool or inbound NAT rule.

We also tried enabling IP forwarding on the VM NIC, but it did not change the behavior.

Please let us know the secure way to provide the subscription/resource details, because we do not want to post subscription IDs or exact resource identifiers publicly on Q&A.

If possible, it would be very helpful to enable this UDP fragment reordering capability at the tenant or subscription level rather than only for this single VM/resource. We may deploy similar UDP/WireGuard workloads in other Azure regions, and we would prefer not to open a separate request for each individual VM if this can be enabled more broadly.
Praveen Bandaru 11,635 Reputation points Microsoft External Staff Moderator

2026-05-22T21:07:29.02+00:00

Hello Arsen Abayan

I just wanted to follow up and see if you had a chance to review my answer to your question. Please let us know if you found it useful, and don't hesitate to contact us if you have any further questions.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

2 answers

Your answer

Praveen Bandaru 11,635 Reputation points Microsoft External Staff Moderator

2026-05-02T17:36:34.1866667+00:00

Hello **Arsen Abayan
**It looks like you’re running into Azure’s default behavior of dropping out-of-order UDP fragments when they arrive at the VM’s public IP in West US 2. Azure can enable a platform-side “UDP fragment reordering” flag for your subscription so your Linux VM can reassemble those fragments, but it has to be turned on by the networking team. Here’s what you can do:

Make sure the UDP traffic is coming in over a public IP directly attached to your VM. (ExpressRoute or VPN Gateway paths aren’t supported for UDP reordering.)

Confirm your VM is deployed on one of the supported hardware clusters.

Verify there’s no NAT Gateway, load-balancer or Azure Firewall in front of your VM IP.
Arsen Abayan 0 Reputation points

2026-05-02T19:16:47.7366667+00:00

Hello,

Thanks for the confirmation.

I checked the requested prerequisites:

The UDP traffic is coming in over a public IP directly attached to the VM NIC. This is not ExpressRoute or VPN Gateway traffic. The VM has a Standard static Public IP associated directly with the primary IP configuration of its NIC.

I cannot confirm the "supported hardware cluster" requirement from the customer side. Azure CLI and IMDS expose the VM region/size and fault/update domain, but not a hardware cluster identifier. The VM is in West US 2 and uses Standard_B2pts_v2. Please confirm from the Azure networking side whether the current host/cluster supports UDP fragment reordering.

There is no NAT Gateway, public Load Balancer, or Azure Firewall in front of this VM public IP. The subnet has no NAT Gateway and no route table, the effective default route is Internet, and the NIC is not attached to any Load Balancer backend pool or inbound NAT rule.

We also tried enabling IP forwarding on the VM NIC, but it did not change the behavior.

Please let us know the secure way to provide the subscription/resource details, because we do not want to post subscription IDs or exact resource identifiers publicly on Q&A.

If possible, it would be very helpful to enable this UDP fragment reordering capability at the tenant or subscription level rather than only for this single VM/resource. We may deploy similar UDP/WireGuard workloads in other Azure regions, and we would prefer not to open a separate request for each individual VM if this can be enabled more broadly.
Praveen Bandaru 11,635 Reputation points Microsoft External Staff Moderator

2026-05-22T21:07:29.02+00:00

Hello Arsen Abayan

I just wanted to follow up and see if you had a chance to review my answer to your question. Please let us know if you found it useful, and don't hesitate to contact us if you have any further questions.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 1

Arsen Abayan hi & thanks for join me here at Q&A portal,

yes, this is a known Azure networking behavior with fragmented UDP traffic, and the practical fix is either avoid IP fragmentation by lowering MTU, or ask Microsoft support to enable UDP fragment reordering for the affected subscription or VM path. This is not a Linux setting if fragments are dropped before reaching the VM.

Your test already points in the right direction. If the app works when u lower tunnel MTU and fails only when public Internet UDP packets arrive fragmented, then the issue is the Azure fabric handling of out-of-order IP fragments. There are Microsoft Q&A cases describing the same request as “UDP packet re-ordering” or “out-of-order UDP fragment reassembly”, and support involvement is required. https://learn.microsoft.com/en-us/answers/questions/5536544/need-udp-fragmentation-packet-reorder-applied-to-a

Do not rely on the VM OS to fix this. The VM can only reassemble fragments it actually receives. If Azure drops out-of-order fragments before delivery, Linux never sees the full datagram. Cisco even documents this Azure-specific workaround for similar fragmented UDP cases and calls out the enable-udp-fragment-reordering option. https://www.cisco.com/c/en/us/support/docs/troubleshooting/222339-troubleshoot-fragmentation-issues-affec.html

Send support a focused request like enable UDP fragment reordering for subscription <sub-id> in westus2, affected public IP, NIC, VM resource ID, and VNet. Include packet captures from sender and VM showing first fragments arrive but later out-of-order fragments are missing, plus the MTU workaround proving the app works without outer fragmentation.

if Azure Support API returns InvalidSupportPlan, create the case from Azure Portal instead of API, category Virtual Network or Virtual Machines networking, problem type Connectivity, and put “enable UDP fragment reordering” in the title. If the portal still blocks technical case creation, use billing or subscription support only to fix the support-plan entitlement issue first, then open the networking case. Actually Q&A moderators cannot safely collect subscription IDs or enable the flag publicly. Long term, the cleaner fix is still to avoid public Internet UDP fragmentation lower tunnel MTU, enable path MTU discovery where possible, reduce encapsulated packet size, or move the UDP service behind a design that does not depend on fragmented UDP over the Internet.

rgds,

Alex

&

If my answer was helpful pls mark it and additional thx if u follow me at Q&A portal

Answer 2

Hello Arsen Abayan

Based on the details you provided, your configuration—UDP traffic coming directly from the internet to a VM using a Standard Public IP attached to the NIC, without a Load Balancer, NAT Gateway, Azure Firewall, or VPN/ExpressRoute—matches a supported scenario where Azure can consider enabling UDP fragment reordering at the platform level.

However, whether out-of-order UDP fragment reassembly is supported depends on certain backend factors that are not visible or accessible to customers. This capability is linked to the Azure host networking stack and the hardware cluster hosting the VM. Although you can view VM size, region, and fault/update domains with CLI or IMDS, there is currently no way to identify the hardware cluster or verify its support for UDP fragment reordering. Only the Azure networking or host engineering teams can perform this validation internally.

Additionally, UDP fragment reordering is not enabled by default in Azure. This is by design, as dropping out-of-order fragments helps mitigate security risks and maintains consistent platform performance. If enabled, the platform can buffer and reassemble out-of-order fragments, but this introduces extra processing and may affect how traffic is handled by the host networking stack.

Regarding broader enablement, this feature is scoped at the subscription and region level. It cannot be enabled globally at the tenant level, and it does not apply automatically across all regions or subscriptions. Even when enabled for a subscription, it only works for workloads on compatible backend clusters. If existing VMs are not on supported hardware, enabling the feature may require redeployment or moving to compatible infrastructure.

Share via

Please enable out-of-order UDP fragment reassembly for our subscription in westus2.

2 answers

Your answer