Virtual Machines (VMs) replicated to an Azure VMware Solution (AVS) SDDC using HCX lose outbound internet connectivity if VMware Tools is installed.
The suspected cause is a known conflict when HCX Mobility Optimized Networking (MON) is enabled on L2 extended segments, coupled with the presence of VMware Tools on the VM.
The issue stems from a missing Local Egress (LE) flag in the network configuration, which prevents proper communication for VMs in certain HCX/NSX deployments when VMware Tools is installed. This behavior is documented in the Broadcom KB article "VM's on L2 extended segments unable to communicate when MON enabled due to missing Local Egress (LE) flag".
The primary solution is to contact Broadcom/Azure support to address the underlying configuration issue related to the missing Local Egress (LE) flag in the HCX/NSX environment.
Workaround 1: Route to On-Premises Router. Configure the affected VMs to route their internet traffic back to the on-premises router/firewall. This utilizes the L2 extension for the LAN but forces the egress path through the known-functional on-premises gateway, bypassing the faulty local AVS egress path.
Workaround 2: Use a Cloud-Only Segment. Create a new segment natively within the AVS cloud that does not use HCX L2 extension or MON. Move the affected VMs to this new segment and apply a new IP address specific to that segment to restore connectivity. This isolates the issue to the HCX/MON layer.