Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
Configuring IPsec Tunnel between Azure and AWS
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 85%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGA%3C/text%3E%3C/svg%3E)
George Aubin
0
Reputation points
I am trying to configure a VPN tunnel between a Virtual Network in Azure and a Network in AWS. I have configured this without BGP, and this is connecting and getting ingress but no egress.
From a troubleshoot the packets are getting dropped due to a mismatch in the Selectors however we have triple checked these selectors and they seem to be fine.
This is connecting to customer environment so do not have access to adjust AWS without looping them in but need to confirm what can be reviewed/changed further on our side to confirm why traffic is being dropped.
I have updated from Route to Policy based and manually input policies but this is still not resolving.
Any potential assistance in reviewing this further would be greatly appreciated
Azure VPN Gateway
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 48%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Jeevan Shanigarapu 3,355 Reputation points Microsoft External Staff Moderator2025-11-19T18:56:33.62+00:00 Hello @George Aubin,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand your question. You are trying to configure a VPN tunnel between an Azure Virtual Network and an AWS Network. The tunnel is established without BGP, and while ingress traffic is working, egress traffic is not flowing.When a VPN tunnel shows as connected but only incoming traffic is seen, with drops due to a traffic selector mismatch, it usually means one or more of the following:
- The IPsec policies’ local and remote address ranges do not exactly match the actual subnets sending traffic.
- Additional subnets are being routed but not included in the configured selectors.
- A mismatch exists in gateway type (route-based vs policy-based) or IPsec/IKE parameters causing Phase 1 but not Phase 2 to complete properly.
On the Azure side, you can review:
- Local Network Gateway address spaces exactly match the AWS networks.
- Azure VNet and peered subnet ranges using the tunnel are correct without overlap.
- IPsec policies for a policy-based gateway align with AWS expectations; route-based gateways are preferred.
- VM NIC routes send AWS traffic to the VPN gateway and no NSGs/firewalls block traffic.
- Azure VPN diagnostic logs for details on which traffic selectors cause drops, to help validate with the AWS team.
References:
- Troubleshooting Azure VPN traffic selector mismatch: https://www.bluematador.com/docs/troubleshooting/azure-vpn-connection-dropped-packets
- Azure VPN Gateway troubleshooting guide: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-site-to-site-error-codes
- Azure-to-AWS VPN configuration considerations: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp
Capture a sample traffic flow from Azure VPN diagnostics showing selector mismatch drops and share this with AWS. This helps AWS verify their tunnel policies, selectors, and settings match the traffic.
Kindly let us know if the above helps or you need further assistance on this issue.
-
George Aubin 0 Reputation points
2025-11-25T16:29:29.65+00:00 Thanks Jeevan,
Thanks for the information with regards to this. I am almost certain that the traffic selector mismatch is happening due to the difference between AWS and Azure. Unfortunately we are running into difficulty identifying where the issue lies within both portals as these are managed by two different companies!
From the Azure side, I am trying to run diagnostics that might identify where this is falling down however all the logs seem to just point to traffic selector mismatch without any further information. For example, this is what the Connection Stats show following the VPN Troubleshoot:
Connectivity State : Connected
Remote Tunnel Endpoint : ...
Ingress Bytes (since last connected) : 0 B
Egress Bytes (since last connected) : 0 B
Ingress Packets (since last connected) : 0 Packets
Egress Packets (since last connected) : 0 Packets
Ingress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 0 Packets
Egress Packets Dropped due to Traffic Selector Mismatch (since last connected) : 260 Packets
Bandwidth : 0 b/s
Peak Bandwidth : 0 b/s
Connected Since : 11/25/2025 3:30:59 PM
PeakPackets : 0
TotalFlowCount : 0
Throttle : False
DeviceId :
We have also completed a packet capture from Azure to confirm that traffic is arriving to our Virtual Machine over the tunnel but our VM cannot reach anything AWS side.
Thanks,
George
-
Jeevan Shanigarapu 3,355 Reputation points Microsoft External Staff Moderator
2025-11-25T19:26:46.6866667+00:00 Hello George,
Thank you for your detailed info. The issue with “Egress Packets Dropped due to Traffic Selector Mismatch” means Azure is sending traffic through the tunnel, but AWS isn’t accepting it because the subnets or policies don’t match perfectly.
Here’s what you can check from your side:
- Make sure the Azure Local Network Gateway IP ranges exactly match the AWS network ranges, and that your Azure VNet (and any peered VNets) have no extra or overlapping subnets.
- Confirm the exact subnet your VM uses is included in the Azure VPN connection’s configured address spaces or custom traffic selectors. If AWS expects a different range, it will drop packets.
- If using a route-based VPN with PolicyBasedTrafficSelector enabled, ensure the local and remote prefixes exactly match AWS settings. Where possible, prefer a pure route-based setup on both sides.
- Double-check IPsec/IKE settings (encryption, DH groups, lifetimes) to avoid Phase 2 negotiation issues that cause similar drops.
- Verify routes on your VM’s NIC send AWS traffic through the VPN gateway, and check if network security groups or firewalls allow outbound traffic.
- Enable Azure VPN diagnostics and check logs for negotiated traffic selector pairs. Share these exact pairs with the AWS admins to verify their policies.
If the issue still persists, kindly share the requested details in the private message, so we assist you further.
References for more help:Azure-to-AWS VPN setup and troubleshooting: Tutorial - Configure a BGP-enabled connection between Azure and Amazon Web Services (AWS) using the portal - Azure VPN Gateway | Microsoft Learn
Azure VPN troubleshooting error codes and logs: Troubleshoot Azure site-to-site issues using error codes - Azure VPN Gateway | Microsoft Learn
Sign in to comment
Sign in to answer