AVS VMs on new NSX-T segment fail to route return traffic due to missing Azure UDR
Article ID: 419477

Products

VMware vSphere ESXi

Issue/Introduction

  • Virtual Machines (VMs) replicated to an Azure VMware Solution (AVS) SDDC using HCX lose outbound internet connectivity if VMware Tools is installed.
  • VMs on L2 extended segments cannot reach external internet destinations.
  • The connectivity issue is immediately resolved by uninstalling VMware Tools and rebooting the VM.
  • Traceflow analysis within NSX-T confirms that traffic from the affected VM successfully leaves the Tier-0 gateway (T0), indicating the problem occurs after T0 egress or at the segment/host level.

Environment

  • Azure VMware Solution (AVS) Private Cloud
  • VMware NSX-T Data Center
  • Azure Virtual Network (VNet) utilizing a Gateway Subnet and Azure Route Table

Cause

The root cause is a missing or incorrect route configuration on the Azure side of the AVS network integration.

  • Specific Cause: When a new NSX-T segment is created, its subnet is propagated up to the NSX T0 router and the AVS ExpressRoute circuit. However, Azure does not automatically learn and propagate the route for this new subnet back into the VNet's default route table.

  • Mechanism: Traffic returning from the Azure VNet to the new NSX segment requires an explicit route—a User Defined Route (UDR)—in the VNet's route table that points the segment's subnet back to the AVS ExpressRoute circuit via the Virtual Network Gateway IP. The absence of this UDR causes the return packets to be dropped.

Resolution

The issue is resolved by manually adding a User Defined Route (UDR) to the Azure Route Table associated with the Gateway Subnet of the Azure VNet connecting to AVS.

  1. Identify the CIDR block of the new NSX segment that is experiencing the routing failure (e.g., 10.#.1.0/24).

  2. Determine the Next Hop IP, which is the AVS ExpressRoute Gateway IP (typically the private cloud's gateway IP used for the ExpressRoute connection).

  3. Navigate to the Azure Route Table attached to the VNet's Gateway Subnet in the Azure portal.

  4. Add a new route with the following parameters:

    • Route Name: Use a descriptive name (e.g., ROUTE-NSX-SEGMENT-NEW).
    • Address prefix: The CIDR block of the new NSX segment (e.g., 10.#.1.0/24).
    • Next hop type: Select Virtual network gateway.

Adding this UDR explicitly tells the Azure VNet to send traffic destined for the new segment's subnet to the Virtual network gateway, thereby establishing the required return path and resolving the asymmetric routing failure.
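The following is an added example, not part of this article or any VMware tooling: it checks whether a Gateway Subnet route table already carries a route for a new NSX segment (using the same longest-prefix selection Azure applies) and, when it does not, builds the Azure CLI equivalent of step 4 above. The route list JSON, the resource group name and the route table name are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample in the shape returned by
# `az network route-table route list -o json`; not from a real environment.
SAMPLE_ROUTES_JSON = """[
  {"name": "ROUTE-NSX-SEGMENT-APP", "addressPrefix": "10.10.1.0/24",
   "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": null}
]"""


def longest_match(routes, segment_cidr):
    """Return the route with the most specific prefix covering segment_cidr, or None.
    Azure selects routes by longest-prefix match, so this is the route that return
    traffic towards the segment would actually follow."""
    segment = ipaddress.ip_network(segment_cidr, strict=True)
    best, best_len = None, -1
    for route in routes:
        prefix = ipaddress.ip_network(route["addressPrefix"], strict=False)
        if prefix.version != segment.version or not segment.subnet_of(prefix):
            continue
        if prefix.prefixlen > best_len:
            best, best_len = route, prefix.prefixlen
    return best


def udr_status(routes_json, segment_cidr):
    """Classify the return path for a new NSX segment:
    'ok'             the governing route already points at the virtual network gateway
    'wrong-next-hop' a covering route exists but steers traffic elsewhere
    'missing'        nothing in the table covers the segment (the case in this article)"""
    route = longest_match(json.loads(routes_json), segment_cidr)
    if route is None:
        return "missing"
    return "ok" if route["nextHopType"] == "VirtualNetworkGateway" else "wrong-next-hop"


def az_add_udr_command(resource_group, route_table, route_name, segment_cidr):
    """CLI equivalent of the portal steps in the Resolution section. The next hop type
    is the virtual network gateway, so no next-hop IP address is supplied."""
    ipaddress.ip_network(segment_cidr, strict=True)  # reject a CIDR with host bits set
    return (
        "az network route-table route create"
        f" --resource-group {resource_group} --route-table-name {route_table}"
        f" --name {route_name} --address-prefix {segment_cidr}"
        " --next-hop-type VirtualNetworkGateway"
    )


if __name__ == "__main__":
    for cidr in ("10.10.1.0/24", "10.10.2.0/24"):
        status = udr_status(SAMPLE_ROUTES_JSON, cidr)
        print(cidr, status)
        if status != "ok":  # placeholder resource group and route table names
            print("  ", az_add_udr_command("rg-avs", "rt-gw-subnet", "ROUTE-NSX-SEGMENT-NEW", cidr))
```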