You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/firewall/long-running-sessions.md
+8-6Lines changed: 8 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ This article explains the TCP idle timeout settings and the behavior of long-run
15
15
16
16
## Idle timeout settings
17
17
18
-
The TCP (Transmission Control Protocol) idle timeout specifies the duration a connection can stay inactive before being terminated by the Azure Firewall. This setting helps optimize the Azure Firewall by closing inactive connections and maintaining overall network performance.
18
+
The TCP (Transmission Control Protocol) idle timeout specifies the duration a connection can stay inactive before the Azure Firewall terminates the connection. This setting helps optimize the Azure Firewall by closing inactive connections and maintaining overall network performance.
In the aspect of the Azure Firewall, **north-south** traffic refers to the traffic that flows between the Azure Firewall and the Internet, while **east-west** traffic refers to the traffic that flows between Azure resources within the same region or across regions. This also includes traffic between Azure resources and on-premises resources connected through Azure VPN, Azure ExpressRoute, and Virtual network peering. The TCP idle timeout behavior in Azure Firewall is different for north-south and east-west traffic.
29
29
30
30
-**North-south**: The default TCP idle timeout is set to **4 minutes** to maintain active connections. You can increase the timeout to a maximum of **15 minutes** by submitting a support request through the Azure portal.
31
-
-**East-west**: There is a **5 minutes** TCP idle timeout on the Azure Firewall. This timeout isn't configurable.
31
+
-**East-west**: There's a **5 minutes** TCP idle timeout on the Azure Firewall. This timeout isn't configurable.
32
32
33
33
## Long-running TCP sessions
34
34
@@ -39,17 +39,19 @@ The following scenarios can potentially drop long-running TCP sessions:
39
39
-**Scale-in**: When Azure Firewall scales in, it puts the instance in drain mode for 90 seconds before recycling. Any long-running connections still active after this period are disconnected.
40
40
-**Firewall maintenance**: During maintenance updates, the firewall enters drain mode to allow short-lived sessions to complete. Long-running sessions that remain after the drain period are dropped during the restart.
41
41
-**Idle timeout**: Idle sessions are recycled based on the TCP idle timeout settings. For north-south traffic, you can request an increase in the timeout. For east-west traffic, the timeout is fixed at 5 minutes.
42
-
-**Autorecovery**: If an Azure Firewall instance becomes unresponsive, it is automatically recovered. This process can result in the disconnection of long-running sessions.
42
+
-**Autorecovery**: If an Azure Firewall instance becomes unresponsive, it's automatically recovered. This process can result in the disconnection of long-running sessions.
43
43
44
44
> [!IMPORTANT]
45
-
> To avoid connectivity issues, configure a keep-alive mechanism within your application that communicates through the Azure Firewall for east-west traffic. This ensures that long-running sessions remain active and are not affected by the idle timeout settings.
45
+
> To avoid connectivity issues, configure a keep-alive mechanism within your application that communicates through the Azure Firewall for east-west traffic. This ensures that long-running sessions remain active and aren't affected by the idle timeout settings.
46
46
47
47
## Applications sensitive to TCP session reset
48
48
49
-
Some applications, such as traditional SAP GUI and SAP RFC (Remote Function Call) based apps, are sensitive to TCP session resets and may not handle them gracefully. To protect these sensitive applications, use network security groups (NSGs). For more information, see [How to secure a virtual network](../virtual-network/virtual-network-vnet-plan-design-arm.md#security) and [Network security groups](../virtual-network/network-security-groups-overview.md).
49
+
Some applications, such as traditional SAP GUI and SAP RFC (Remote Function Call) based apps, are sensitive to TCP session resets and may not handle them gracefully. To protect these sensitive applications, use network security groups (NSGs).
50
+
51
+
For more information, see [How to secure a virtual network](../virtual-network/virtual-network-vnet-plan-design-arm.md#security) and [Network security groups](../virtual-network/network-security-groups-overview.md).
50
52
51
53
> [!NOTE]
52
-
> For north-south traffic, an idle timeout results in a RST (reset) packet being sent in both directions. In contrast, for east-west traffic, no RST packet is sent when an idle timeout occurs.
54
+
> For north-south traffic, an idle timeout results in a reset packet (RST) getting sent to both the source and destination. In contrast, for east-west traffic, a reset **isn't** sent when an idle timeout occurs.
0 commit comments