We have an Azure VMSS scale set deployed with an internal and external load balancer. We are having issues getting internal hosts to access the internet. I created a HIDE NAT as follows:

Original src=10.40.1.5, Original dest=ANY, Original service=ANY

Translated src=VMSS firewall object (HIDE)

I also have a policy rule permitting both the original src and the scale set access to ANY dest on ANY port

When I try to go to the Internet form host 10.40.1.5 I see the traffic come into the vmss on eth1 and leave on eth0 (translated) but I get no return traffic from the Internet.

Is there something additional (besides the HIDE NAT) that we need to configure on the VMSS? Or is the issue outside the VMSS (in Azure).