United States | Azure Load Balancer Breaks the Internet

Neil Hoffman - 10.12.2021

Azure Load Balancer Breaks the Internet


This blog discusses a very specific situation which many people come across when using Azure Standard Load Balancers for the first time. It is not meant to be an exhaustive discussion on how load balancers work or other loosely related topics. My assumption is you have stumbled upon this blog in researching this specific situation and are looking for answers 🙂

THE SCENARIO

Consider the following: you are building an application in Azure to run on redundant, highly available server VMs. The first tool you will become familiar with is the Azure Load Balancer, a native Azure service which lets you build this type of design quite easily. Here is a basic diagram illustrating both a public-facing and an internal load balancer, on ports 80 and 443 respectively:


Let’s say the application you are building is going to use an Internal load balancer. Now, in an effort to squeeze every ounce of resiliency into the design, you decide to take advantage of Azure Availability Zones, which are defined as “unique physical locations within a region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking”.

What a fantastic idea! Here is a graphical depiction of Availability Zones within an Azure Region:


BUILDING THE DESIGN

Ok, so now you are cooking with gas, right? You have your application which can support multiple VM nodes, you’ve placed them in separate Availability Zones, and now you are getting ready to put a load balancer in front of them!

As you begin building the solution, you are suddenly made aware that supporting this design will require you to deploy a Standard Load Balancer instead of the good old-fashioned Basic Load Balancer. I won’t get into a full comparison of the two; suffice to say the Standard SKU can span Availability Zones and the Basic, well, can’t. Here is a full feature comparison of Azure Standard versus Basic Load Balancer SKUs.

This is what a Zone Redundant configuration would look like:


THE PROBLEM

Ok, so now you’ve built this application with highly available Zonal VMs front-ended by a Zone Redundant Standard Internal Load Balancer, and you’ve gone ahead and configured all the other components an Azure Load Balancer needs, such as a Probe, Backend Pool and Load Balancing Rule. What you will soon discover, however, is that although the application is accessible from the Load Balancer Frontend IP, your VM has lost outbound Internet access!

The good news is you have not broken anything, and in fact, this is expected. Unlike Basic Internal Load Balancers, which just allow VMs in Backend Pools to get outbound Internet access with some sneaky networking trickery, Standard Internal Load Balancers by design do not. 

THE SOLUTION

Assuming your VMs need Internet access, which is likely why you’ve made it to this point in the blog, here are your options:

  1. Add a Public IP address directly to the VM.  This will allow outbound Internet access using the Public IP you’ve added. This is ugly, however, and most will not like this solution. I mean who wants to put public IP addresses on each server behind an internal load balancer!?? And on top of this, it is just plain wasteful! There are only so many IPv4 addresses left in the world and here you are wasting them just to grant Internet access to a VM on a private network. Reduce-Reuse-Recycle… NEXT!
  2. Attach a NAT Gateway to the Subnet the Azure VM lives on. This is an elegant solution; the NAT Gateway will manage all outbound Internet access from all VMs on whatever subnet it’s connected to. Clean and nice. There are some use cases, however, where this may not be possible or desired.
  3. Use a new or existing Standard External Load Balancer and create an Outbound rule to give the same VMs that sit in the Backend Pool of the Internal Load Balancer outbound Internet access. Any VM can be a member of two Load Balancer Backend Pools, one Internal and one External. You will need to create a new Standard Public IP address (or optionally a Public IP Prefix if many VMs will use it) for outbound access and associate that Frontend IP Address or Prefix when creating the Outbound rule.
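As an added example (not code from the original post), here is option 3 expressed as a Bicep template: a Standard External Load Balancer that carries only an Outbound rule, and a VM NIC that is a member of both the existing Internal Load Balancer’s backend pool and the new outbound pool. The resource names, the subnet, the internal LB and its pool, and the pre-created Standard-SKU static public IP are all assumptions.

```bicep
param location string = resourceGroup().location
param subnetId string                 // subnet the app VMs live on (assumed to exist)
param outPipId string                 // Standard-SKU static Public IP for outbound (assumed created)
param ilbName string = 'lbi-app'      // existing Standard Internal LB (assumed name)
param ilbPoolName string = 'bep-app'  // its backend pool (assumed name)

// External Standard LB with no load balancing rule: it exists only to hold the Outbound rule.
resource lbe 'Microsoft.Network/loadBalancers@2021-05-01' = {
  name: 'lbe-outbound'
  location: location
  sku: { name: 'Standard' }          // must match the Standard SKU of the Public IP
  properties: {
    frontendIPConfigurations: [ { name: 'fe-out', properties: { publicIPAddress: { id: outPipId } } } ]
    backendAddressPools: [ { name: 'bep-out' } ]
    outboundRules: [
      {
        name: 'out-all'
        properties: {
          protocol: 'All'
          allocatedOutboundPorts: 8000  // SNAT ports per backend VM; must be a multiple of 8
          frontendIPConfigurations: [ { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', 'lbe-outbound', 'fe-out') } ]
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'lbe-outbound', 'bep-out') }
        }
      }
    ]
  }
}

// The VM NIC joins both pools: the internal LB pool (inbound on 443) and the external pool (outbound only).
resource nic 'Microsoft.Network/networkInterfaces@2021-05-01' = {
  name: 'nic-app-vm1'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: subnetId }
          loadBalancerBackendAddressPools: [
            { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', ilbName, ilbPoolName) }
            { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbe.name, 'bep-out') }
          ]
        }
      }
    ]
  }
}
```

Once the NIC is in the outbound pool, the VM’s Internet-bound traffic is SNATed to the public IP referenced by outPipId; with a single IP (64,000 SNAT ports) and 8000 ports per VM, that pool can hold at most 8 VMs before you need a Public IP Prefix.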

To summarize, when using a Standard Internal Load Balancer in Azure, your Backend Pool VMs will lose Internet access once you define a load balancing rule. These are the 3 options available to quickly get this resolved.

Truth be told, there are even more options such as:

  4. Using an NVA (Network Virtual Appliance) Firewall appliance to provide Internet access to those internal VMs
  5. Using Azure Firewall to provide Internet access to those internal VMs

I won’t go deep into these last two since they would require significantly more effort to implement and are certainly beyond the scope of this blog.

I know some will run into this issue and quickly settle on the first option they see in an online forum; however, if you take a deeper look, there are better options in #2 and #3 above, or possibly even #4 and #5 if those make sense for your deployment.

I hope this helps and happy Load Balancing! If you are interested in engaging with us to help architect your Azure design, please reach out!

For more from yours truly, all my blogs can be accessed here.
