Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
How to configure AZFWFlowTrace logs on Azure Firewall (Basic SKU) to debug Asymmetric routing
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 25%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECW%3C/text%3E%3C/svg%3E)
Charith W
0
Reputation points
Hi, I have created a azure firewall on a VNET and i am trying to debug an issue related to asymmetric routing,
The scenario is a P2SVPN trying to communicate with a SQL Server (via private endpoint), the P2SVPN is in a hub vnet and the SQL Server is in a spoke vnet (hub vnet is peered to this spoke vnet), i believe best practice would be to route P2SVPN traffic via the firewall which i managed to do with the use of route tables however when i tried to add a route table in the private endpoint subnet (of my sql server), i was then unable to connect to my sql server at all (connection times out).
I assumed this is because of asymmetric routing ? where the response from my private endpoint is not being routed via the firewall to my P2SVPN resulting in the connection being dropped possibly and the goal is to try use AZFWFlowTrace logs to see if that is the case but unfortunately i cannot see any logs in this table even after i have configured diagnostic settings to send flow trace logs to my log analytics workspace.
Logs for other tables however, such as AZFWDnsFlowTrace and AZFWNetworkRule are displaying fine, would anyone be able to assist me with why the AZFWFlowTrace table is not filling up and also possibly a cause as to why i am unable to route a private endpoint return response via a firewall back to my P2SVPN Client ?
Azure Firewall
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 22%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETG%3C/text%3E%3C/svg%3E)
Thanmayi Godithi 8,310 Reputation points Microsoft External Staff Moderator2026-01-28T00:38:25.9933333+00:00 Hi @Charith W,
Thank you for reaching out on Microsoft Q&A forum.
Azure Private Endpoints do not support user-defined routes or forced tunneling through Azure Firewall or NVAs. Traffic to Private Endpoints uses platform-managed routing and bypasses network virtual appliances by design.
Associating a UDR to a Private Endpoint subnet results in connection timeouts, which explains why connectivity to the SQL Private Endpoint breaks when a route table is applied. Because this traffic never traverses Azure Firewall, it will not appear in AZFWFlowTrace logs.
Enabling
PrivateEndpointNetworkPolicieson a subnet allows UDRs only for the limited purpose of overriding the auto-injected /32 routes that Azure creates for traffic destined to Private Endpoints. This does not apply to return traffic from the Private Endpoint, which always follows the platform-defined path and cannot be redirected using UDRs.In this scenario, routing P2S VPN traffic through Azure Firewall while the return traffic from the Private Endpoint bypasses the firewall results in asymmetric routing. Since Private Endpoint return traffic cannot be forced through a firewall, Microsoft recommends using SNAT on the firewall when inspection is required.
With SNAT, the Private Endpoint responds to the firewall IP, restoring symmetric traffic flow. Without SNAT, return traffic from Private Endpoints will always bypass the firewall, and attempting to override this behavior using UDRs is unsupported.
AZFWFlowTrace logs remain empty because Private Endpoint traffic does not traverse Azure Firewall by design, so there is no data plane flow for the firewall to log.
References:
- Private Endpoint traffic flow and routing behavior https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-traffic-flow
- Azure Firewall SNAT behavior https://learn.microsoft.com/azure/firewall/snat-private-range
Kindly let us know if the above helps or you need further assistance on this issue.
If the answer is helpful, kindly upvote it. If you have extra questions about this answer, please click "Comment".
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 4%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Sina Salam 28,361 Reputation points Volunteer Moderator2026-01-29T11:17:17.6533333+00:00 Hello Charith W,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you would like to know how you can configure AZFWFlowTrace logs on Azure Firewall (Basic SKU) to debug Asymmetric routing.
Below are the fact and what you can do, kindly follow the steps accordingly:
- AZFWFlowTrace does not populate because Azure Firewall Basic does not support Flow Trace logs. this capability exists only in Standard and Premium SKUs. No PowerShell switch or diagnostic tweak can enable it on Basic. For validation on Basic, rely on
AZFWNetworkRule,AZFWApplicationRule, and DNS logs instead. Reference: https://learn.microsoft.com/azure/azure-monitor/reference/supported-logs/microsoft-network-azurefirewalls-logs - The SQL connection times out due to asymmetric routing introduced when a UDR is applied to the Private Endpoint subnet. Private Endpoints use system /32 routes and do not honor UDRs by default, causing return traffic to bypass the firewall. A stateful firewall drops such flows because it never sees both directions. - https://learn.microsoft.com/azure/private-link/private-endpoint-network-policies
- Do not place UDRs on the Private Endpoint subnet. Instead, force symmetry by ensuring the firewall performs SNAT so the SQL Private Endpoint replies to the firewall’s IP. This guarantees the return path traverses the firewall and preserves session state. - https://learn.microsoft.com/azure/firewall/firewall-snat
- Apply a UDR only on the P2S gateway or hub subnet to send traffic to the firewall, then allow TCP 1433 with a Network Rule; SNAT occurs by default on firewall egress. Validate routing using Effective Routes to confirm the path is P2S > Firewall > SQL PE > Firewall > P2S. - https://learn.microsoft.com/azure/virtual-network/effective-routes
- Confirm connectivity and inspection using supported logs on Basic with a simple KQL query:
AZFWNetworkRule | where DestinationPort == "1433" | order by TimeGenerated descYou should see allowed decisions with the firewall as the translated source, confirming symmetric flow and stable connectivity.
I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
- AZFWFlowTrace does not populate because Azure Firewall Basic does not support Flow Trace logs. this capability exists only in Standard and Premium SKUs. No PowerShell switch or diagnostic tweak can enable it on Basic. For validation on Basic, rely on
-
Charith W 0 Reputation points
2026-01-30T04:25:15.6633333+00:00 Hi,
Thanks for your response, noted on SNAT, would this need to be done via the page in the screenshot ive attached ?
Additionally, i tried step 4 but even with a UDR applied to the GatewaySubnet that routes to the firewall (when the destination requested is the private endpoint subnet of the sql server) i now dont see logs in the AZFWNetworkRule table which im assuming means the traffic is not going through the firewall ?
-
Charith W 0 Reputation points
2026-04-03T03:39:29.41+00:00 Hi @Thanmayi Godithi ,
Hope you're well, it has been quite some time since we last synced on this topic but do you have any updates for me regarding what the cause of this issue is ?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 83%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Ravi Varma Mudduluru 9,285 Reputation points Microsoft External Staff Moderator2026-04-03T09:12:24.2766667+00:00 Hello @**Charith W,
We are still trying to identify the root cause of the issue. We are attempting to reproduce it, but the flow is missing. We are working on this and will provide you with an update.**
Sign in to comment
Sign in to answer