I like your thinking! There is only one case I can think of where it won't work - and that is if AutoVPN firewall rules are defined. The firewall rules are stateful. If a connection is initiated for a resource via the first VMX, the reply traffic has to come back via the same VMX. If the reply traffic comes back via the second VMX, it won't have an entry in its stateful firewall table to allow that traffic, and it will get blocked. You may not be able to horizontally scale either. If you use this approach, you would have to commit to never being able to add an AutoVPN firewall rule to control traffic in and out of Azure. I'm going to take a look into it further, especially the BGP approach. Using BGP it should be possible to guarantee symmetric traffic flows (by always making one VMX the primary). I also need to determine if the extra complexity added is worth it compared to the simplicity of a function. But great thinking! Thanks for posting this.
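As an added illustration of the stateful-firewall point made in the reply above (this is a constructed simulation, not Meraki code or anything from the original post), the model below has two vMX-like gateways with independent connection tables and a single outbound rule. A flow that is opened through the first gateway and whose reply returns via the second is dropped, because the second gateway has no state entry for it; the same flow is accepted when both directions take the one gateway, which is what pinning a primary vMX via BGP is meant to guarantee. The gateway names, subnets and rule format are assumptions made for the example.

```python
"""Why asymmetric paths through two stateful vMX gateways break AutoVPN firewall
rules. Constructed illustration, not Meraki code: two gateways with independent
state tables, an outbound-only rule, and a flow whose reply returns via the
other gateway. Addresses, names and the rule format are made up for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reply(self) -> "Packet":
        """Reply packet of this flow: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass
class StatefulGateway:
    """One vMX-like gateway. Its state table is local and not shared."""
    name: str
    # (src_prefix, dst_prefix, allow), evaluated for new flows only
    rules: List[Tuple[str, str, bool]]
    healthy: bool = True
    state: Dict[FlowKey, str] = field(default_factory=dict)

    def _rule_allows(self, pkt: Packet) -> bool:
        for src_prefix, dst_prefix, allow in self.rules:
            if pkt.src.startswith(src_prefix) and pkt.dst.startswith(dst_prefix):
                return allow
        return False  # implicit deny when no rule matches

    def process(self, pkt: Packet) -> str:
        # Return traffic of a flow this gateway opened: permitted by state lookup.
        if pkt.reply().key() in self.state:
            return "allow (established)"
        if self._rule_allows(pkt):
            self.state[pkt.key()] = "ESTABLISHED"
            return "allow (new flow)"
        return "drop"


def run_flow(forward_gw: StatefulGateway, return_gw: StatefulGateway,
             pkt: Packet) -> Tuple[str, str]:
    """Send pkt through forward_gw and its reply through return_gw."""
    return forward_gw.process(pkt), return_gw.process(pkt.reply())


def bgp_primary(gateways: List[StatefulGateway]) -> StatefulGateway:
    """Model of 'always make one vMX the primary': the first healthy gateway is
    the preferred path for both directions, so the flow stays symmetric."""
    for gw in gateways:
        if gw.healthy:
            return gw
    raise RuntimeError("no healthy gateway")


def make_gateways() -> Tuple[StatefulGateway, StatefulGateway]:
    # Constructed rule: Azure subnet 10.1.0.0/16 may initiate to on-prem 192.168.0.0/16.
    rules = [("10.1.", "192.168.", True)]
    return StatefulGateway("vMX1", list(rules)), StatefulGateway("vMX2", list(rules))


if __name__ == "__main__":
    vmx1, vmx2 = make_gateways()
    flow = Packet("10.1.4.10", "192.168.20.5", 40001, 443)
    print("asymmetric:", run_flow(vmx1, vmx2, flow))        # reply dropped on vMX2
    vmx1, vmx2 = make_gateways()
    primary = bgp_primary([vmx1, vmx2])
    print("symmetric via primary:", run_flow(primary, primary, flow))
```

The `healthy` flag only models failover of the preferred path; real BGP preference (local preference, AS-path prepending and so on) is outside this toy, and with a single active primary the horizontal-scaling limitation the reply mentions still applies.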