Azure Load Balancer (Part-1)


Load balancing involves the efficient distribution of incoming network traffic across multiple backend servers or resources.

Azure Load Balancer operates at Layer 4 of the OSI model and is the single point of contact for clients. It routes inbound traffic arriving at its frontend to backend pool instances, such as Azure Virtual Machines or Virtual Machine Scale Sets, according to the load-balancing rules and health probes you define.

A public load balancer has a public frontend and distributes internet traffic to VMs in your virtual network. It can also provide outbound connectivity for those VMs by translating their private IP addresses to its public IP address (SNAT).

An internal (or private) load balancer is used when only private IP addresses are required at the frontend. It distributes traffic within a virtual network and supports hybrid scenarios, so clients on on-premises networks can reach it over VPN or ExpressRoute without any public exposure.

Why Use Azure Load Balancer?

Azure Load Balancer allows you to scale your applications and build highly available services by supporting both inbound and outbound traffic scenarios. It delivers low latency, high throughput, and can handle millions of TCP and UDP flows.

Here are some key use cases for Azure Standard Load Balancer:

  • Internal and External Traffic Balancing: Distribute traffic to Azure Virtual Machines, whether for internal networks or public-facing services.
  • Ultra-Low Latency: Pass-through load balancing adds no proxy hop, keeping latency minimal for high-performance applications.
  • Increased Availability: Distribute resources across multiple availability zones to improve redundancy and uptime.
  • Outbound Connectivity: Provide outbound internet access for Azure Virtual Machines through outbound rules.
  • Health Monitoring: Use health probes to continuously monitor the status of load-balanced resources.
  • Port Forwarding: Reach individual VMs in a virtual network through a public IP address and port, using inbound NAT rules.
  • IPv6 Support: Load balance traffic for IPv6 applications.
  • Comprehensive Metrics: Azure Monitor provides multi-dimensional metrics that track the performance and health of your services. Insights for Azure Load Balancer include a pre-built dashboard for easier monitoring.
  • Multi-Port/Multiple IP Load Balancing: Balance services across different ports and frontend IP addresses on a single load balancer.
  • Cross-Region Load Balancing: Place a global load balancer in front of regional load balancers, so traffic fails over between Azure regions for disaster recovery or is routed to the closest healthy region for performance.
  • HA Ports: Load balance all TCP and UDP flows on all ports simultaneously with a single High Availability (HA) ports rule.
  • Gateway Load Balancer Integration: Chain Standard Load Balancer with Gateway Load Balancer to insert third-party network virtual appliances into the traffic path.

Security

Azure Standard Load Balancer follows the zero-trust model and is secure by default: it sits inside your virtual network, which is private and isolated, and a Standard Load Balancer with a public IP address accepts no inbound connections until a Network Security Group (NSG) on the backend subnet or NICs explicitly allows them. Because the load balancer is pass-through, the NSG evaluates the original client source address and the backend port, so it is the NSG, not the load balancer, that decides which traffic reaches your virtual machines.

The Basic Load Balancer, by contrast, is open to the internet by default and carries no SLA; it is scheduled for retirement on 30 September 2025, so new deployments should use Standard. Azure Load Balancer does not store customer data.

Azure Load Balancer Components

Azure Load Balancer includes a few key components. These components can be configured in your subscription through the Azure portal, Azure CLI, Azure PowerShell, Resource Manager Templates, or appropriate alternatives.

Frontend IP Configuration

The IP address assigned to your Azure Load Balancer is the contact point for clients. It can be one of two types:

  • Public IP Address
  • Private IP Address

The type of IP address you select determines the type of load balancer created. Choosing a private IP address configures an internal load balancer, while a public IP address sets up a public load balancer.

Backend Pool

The backend pool consists of the virtual machines, or virtual machine scale set instances, that handle incoming requests. To handle higher traffic volumes, scale out by adding more instances to the backend pool.

The load balancer reconfigures itself automatically when instances are added or removed; no additional steps are needed. The backend pool can include any virtual machine within the same virtual network.

Health Probes

Health probes monitor the status of instances in the backend pool to ensure they can receive traffic. When creating a load balancer, you configure a health probe that checks each instance, either a TCP connect or an HTTP/HTTPS request that must return status 200.

Probes originate from the platform address 168.63.129.16, which is covered by the AzureLoadBalancer service tag, and the default NSG rules admit it (AllowAzureLoadBalancerInBound, priority 65001). A custom deny rule with a lower priority number than that default overrides it, and every instance is then reported unhealthy, so a locked-down NSG needs an explicit allow for the probe port.

You set the probe interval and the unhealthy threshold. If an instance fails the probe, the load balancer stops sending new flows to that instance. Existing connections are unaffected and continue until one of the following occurs:

  • The application completes the session
  • An idle timeout is reached
  • The virtual machine shuts down
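The interaction between NSG rules and the probe is easy to get wrong, so here is an added example (not from the original post) in Azure PowerShell that builds an NSG admitting only the probe and the service port, with an explicit deny-all, and a matching HTTP probe. The resource group, names, ports and the /healthz path are assumptions.

```powershell
# Added example (not from the original post): an NSG that keeps the health
# probe path open while everything else inbound is denied. The resource group,
# names, ports and the /healthz path are assumptions for illustration.
$rgName   = 'lb-demo-rg'          # assumed
$location = 'westus2'             # assumed

# Rule 1: probe traffic arrives from the AzureLoadBalancer service tag (the
# 168.63.129.16 platform address). A custom deny with a lower priority number
# than the default AllowAzureLoadBalancerInBound rule (65001) would silently
# block probes and take every backend out of rotation, so allow it explicitly.
$allowProbe = New-AzNetworkSecurityRuleConfig -Name 'AllowLBProbe' `
    -Description 'Health probes from the platform' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix 'AzureLoadBalancer' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 8080

# Rule 2: the service itself, from the Internet, on its published port only.
# The load balancer is pass-through, so the NSG sees the real client address.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'AllowHTTPS' `
    -Description 'Client traffic' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443

# Rule 3: explicit deny for everything else inbound. Without rule 1 this
# would also win over the default probe allow rule.
$denyAll = New-AzNetworkSecurityRuleConfig -Name 'DenyAllInbound' `
    -Description 'Default deny' `
    -Access Deny -Protocol '*' -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -Name 'lb-backend-nsg' -ResourceGroupName $rgName `
    -Location $location -SecurityRules $allowProbe, $allowHttps, $denyAll

# The probe itself: an HTTP probe against a dedicated health endpoint (path
# assumed) rather than a bare TCP connect, so an instance whose listener is up
# but whose application is failing is still taken out of rotation. 15 s x 2
# failures means a dead instance stops receiving new flows after about 30 s.
$probe = New-AzLoadBalancerProbeConfig -Name 'app-probe' -Protocol Http `
    -Port 8080 -RequestPath '/healthz' -IntervalInSeconds 15 -ProbeCount 2
```

Attach $nsg to the backend subnet or NICs and pass $probe to New-AzLoadBalancer as in the script later in this post. The probe port (8080) is deliberately different from the service port (443): the health endpoint can then stay plaintext and unauthenticated on a port that only the platform address may reach.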

Load Balancer Rules

Load balancer rules determine how incoming traffic is distributed across instances in the backend pool. These rules map a specific frontend IP configuration and port to multiple backend IP addresses and ports. Load balancer rules apply exclusively to inbound traffic.

For example, a load balancer rule for port 80 routes traffic from the frontend IP to port 80 on the backend instances.

[Screenshot: load balancing rules]
High Availability Ports

A load balancer rule configured with protocol "All" and port 0 is referred to as a High Availability (HA) ports rule. With a single rule, it load-balances all TCP and UDP flows on all ports of an internal Standard Load Balancer; HA ports rules are not available on public load balancers.

Load-balancing decisions are made on a per-flow basis, using the following five-tuple information:

  • Source IP address
  • Source port
  • Destination IP address
  • Destination port
  • Protocol

HA port rules are especially useful in scenarios requiring high availability and scalability, such as for network virtual appliances (NVAs) within virtual networks, or when load-balancing traffic across a large number of ports.

[Screenshot: HA ports rule]
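An added example (not from the original post) of the NVA scenario: an internal Standard Load Balancer with one HA ports rule in front of an appliance pool, and the user-defined route that sends a spoke subnet's traffic to it. The resource group, VNet, subnet and address values are assumptions, and the NVAs' NICs must be added to nva-pool separately for traffic to flow.

```powershell
# Added example (not from the original post): an internal Standard Load
# Balancer in front of two NVAs with a single HA ports rule, plus the route
# that sends a spoke subnet's traffic through it. All names, the resource
# group, subnets and addresses are assumptions for illustration.
$rgName   = 'nva-rg'      # assumed
$location = 'westus2'     # assumed

# The frontend needs only a private address in the NVA subnet.
$vnet      = Get-AzVirtualNetwork -Name 'hub-vnet' -ResourceGroupName $rgName
$nvaSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'nva-subnet' -VirtualNetwork $vnet

$feip = New-AzLoadBalancerFrontendIpConfig -Name 'nva-frontend' `
    -PrivateIpAddress '10.0.1.4' -Subnet $nvaSubnet

$bepool = New-AzLoadBalancerBackendAddressPoolConfig -Name 'nva-pool'

# Probe a port the appliance only answers when it is actually forwarding
# (SSH here is an assumption). A failed NVA must drop out of the pool, or the
# flows hashed to it are black-holed.
$probe = New-AzLoadBalancerProbeConfig -Name 'nva-probe' -Protocol Tcp `
    -Port 22 -IntervalInSeconds 5 -ProbeCount 2

# HA ports: Protocol All, FrontendPort 0, BackendPort 0. Every TCP and UDP
# flow on every port is hashed on the 5-tuple and pinned to one NVA for its
# lifetime, so the appliances need no per-port rules.
$haRule = New-AzLoadBalancerRuleConfig -Name 'ha-ports' -Protocol All `
    -FrontendPort 0 -BackendPort 0 `
    -FrontendIpConfiguration $feip -BackendAddressPool $bepool -Probe $probe `
    -IdleTimeoutInMinutes 15 -EnableTcpReset

# No public IP in the frontend config makes this an internal load balancer.
$ilb = New-AzLoadBalancer -Name 'nva-ilb' -ResourceGroupName $rgName `
    -Location $location -Sku Standard `
    -FrontendIpConfiguration $feip -BackendAddressPool $bepool `
    -Probe $probe -LoadBalancingRule $haRule

# Spoke workloads reach the NVAs through the frontend: a user-defined route
# with next hop VirtualAppliance pointing at the ILB's private IP. Associate
# $rt with the spoke subnet (Set-AzVirtualNetworkSubnetConfig -RouteTable).
$route = New-AzRouteConfig -Name 'default-via-nva' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $feip.PrivateIpAddress
$rt = New-AzRouteTable -Name 'spoke-rt' -ResourceGroupName $rgName `
    -Location $location -Route $route
```

Because distribution is per flow, return traffic for a given connection always comes back through the same appliance, which is what stateful NVAs (firewalls, IDS) need; the price is that a probe failure moves only new flows, so the probe interval should be short.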
Inbound NAT Rules

An inbound NAT rule forwards traffic that arrives at a specific frontend IP address and port to one designated virtual machine or instance in the backend pool, on a backend port you choose. Unlike a load-balancing rule, which hashes each flow across the whole pool, an inbound NAT rule is port forwarding: every frontend port in the rule maps to exactly one backend instance.

[Screenshot: inbound NAT rules]
Outbound Rules

An outbound rule configures outbound Network Address Translation (SNAT) for all virtual machines or instances in the backend pool, so they can initiate connections to the internet or other external endpoints through the load balancer's public frontend. Outbound rules exist only on public Standard Load Balancers; an internal load balancer has no public address to translate to, so its backends need a NAT gateway or another public path for outbound traffic.

[Screenshot: outbound rules]
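Inbound NAT rules and outbound rules are usually added to a load balancer that already exists, so the following added example (not from the original post) does both against quickstart-style names: an SSH NAT rule for one VM, an outbound rule with a fixed SNAT port allocation, and the NSG rule that keeps the NAT hole reachable only from an admin range. The load balancer, NIC and NSG names and the 203.0.113.0/24 admin range are assumptions. An outbound rule cannot share a frontend with a load-balancing rule that still has default outbound SNAT enabled, which is why the PowerShell script later in this post creates its rule with -DisableOutboundSNAT.

```powershell
# Added example (not from the original post): add an inbound NAT rule for
# SSH to one VM and an explicit outbound rule to an existing public Standard
# Load Balancer. The load balancer, NIC, pool, NSG and address names and the
# admin CIDR (203.0.113.0/24, a documentation range) are assumptions.
$rgName = 'lb-demo-rg'                                                          # assumed
$lb     = Get-AzLoadBalancer -Name 'app-lb' -ResourceGroupName $rgName          # assumed
$feip   = Get-AzLoadBalancerFrontendIpConfig -Name 'lb-frontend' -LoadBalancer $lb
$bepool = Get-AzLoadBalancerBackendAddressPoolConfig -Name 'lb-backend-pool' -LoadBalancer $lb

# Inbound NAT: frontend TCP/50001 -> port 22 on exactly one instance. A NAT
# rule is still a hole in the public IP, so the NSG rule below limits who can
# use it rather than leaving the source as 'Internet'.
$lb = $lb | Add-AzLoadBalancerInboundNatRuleConfig -Name 'ssh-vm1' `
    -FrontendIpConfiguration $feip -Protocol Tcp `
    -FrontendPort 50001 -BackendPort 22 -IdleTimeoutInMinutes 4 -EnableTcpReset

# Outbound rule: explicit SNAT through the frontend for the whole pool.
# AllocatedOutboundPort fixes the SNAT ports per instance instead of the
# automatic allocation, so exhaustion is predictable: one frontend IP has
# roughly 64,000 usable ports, so 8,000 each caps the pool at 8 instances.
$lb = $lb | Add-AzLoadBalancerOutboundRuleConfig -Name 'outbound-all' `
    -FrontendIpConfiguration $feip -BackendAddressPool $bepool `
    -Protocol All -AllocatedOutboundPort 8000 -IdleTimeoutInMinutes 4 -EnableTcpReset

# Nothing is applied until the object is written back.
$lb = $lb | Set-AzLoadBalancer

# Bind the NAT rule to VM1's NIC; the frontend port is reachable only after this.
$natRule = Get-AzLoadBalancerInboundNatRuleConfig -Name 'ssh-vm1' -LoadBalancer $lb
$nic = Get-AzNetworkInterface -Name 'myNicVM1' -ResourceGroupName $rgName      # assumed
$nic.IpConfigurations[0].LoadBalancerInboundNatRules.Add($natRule)
$nic | Set-AzNetworkInterface

# NSG rule on the backend: the load balancer is pass-through, so the NSG
# evaluates the client's real source address and the backend port (22),
# not the frontend port 50001.
$nsg = Get-AzNetworkSecurityGroup -Name 'myNSG' -ResourceGroupName $rgName    # assumed
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowSSHFromAdmin' `
    -Description 'SSH via inbound NAT, admin range only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix '203.0.113.0/24' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 22 | Set-AzNetworkSecurityGroup
```

For interactive administration, Azure Bastion (used in the walkthrough below) avoids the public port entirely; an inbound NAT rule is the right tool when a non-interactive client outside Azure must reach one specific instance.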
Limitations

  • Supported Protocols: Load-balancing rules and inbound NAT rules support only TCP and UDP. Other IP protocols, such as ICMP, are not forwarded.
  • Private Endpoints: A Load Balancer backend pool cannot contain a Private Endpoint.
  • Outbound Flow: Outbound traffic from a backend VM to the frontend of the internal Load Balancer it sits behind fails; hairpinning through the frontend is not supported.
  • Virtual Network Scope: Load balancer rules cannot span multiple virtual networks. All frontends and backend instances must reside within the same virtual network.
  • IP Fragmentation: Load-balancing rules do not forward IP fragments, so fragmented UDP and TCP packets are not supported.
  • Load Balancers Per Availability Set: You can have only one public and one internal NIC-based load balancer per availability set. This limitation does not apply to IP-based load balancers.

Setting Up a Public Load Balancer to Load Balance using the Azure Portal        

Get started with Azure Load Balancer by using the Azure portal to create a public load balancer for a backend pool with two virtual machines. Other resources include Azure Bastion, NAT Gateway, a virtual network, and the required subnets.

Prerequisites

  • An Azure account with an active subscription. You can create a free account.
  • Sign in to Azure by accessing the Azure portal.

Create a NAT Gateway          

In this section, you will create a NAT gateway to enable outbound internet access for resources within your virtual network. For alternative options regarding outbound rules, refer to Network Address Translation (SNAT) for outbound connections.

1. Sign in to the Azure portal.

2. In the search bar at the top of the portal, type NAT gateway. Click on NAT gateways from the search results.

3. Select + Create.

4. In the Basics tab of the Create network address translation (NAT) gateway page, provide the required information.

[Screenshot: NAT gateway Basics tab]

5. Then, click on the Outbound IP tab or select the Next: Outbound IP at the bottom of the page.

6. Under Public IP addresses, choose Create a new public IP address.

7. In the Add a Public IP address section, enter nat-gw-public-ip as the name.

8. Click OK.

9. At the bottom of the page, click the blue Review + Create button, or navigate to the Review + Create tab.

10. Finally, click Create.

Create a Virtual Network and Bastion Host        

In this section, you will create a virtual network that includes a resource subnet, an Azure Bastion subnet, and an Azure Bastion host.

1. In the portal, search for and select Virtual networks.

2. On the Virtual Networks page, click + Create.

3. In the Basics tab of the Create Virtual Network page, enter or select the required information.

[Screenshot: Create virtual network, Basics tab]

4. Then, proceed by selecting the Security tab or click the Next button at the bottom of the page.

5. Under Azure Bastion, enter or select the necessary details.

6. Then, navigate to the IP addresses tab or click Next at the bottom of the page.

7. On the IP addresses tab, enter or select the address space and subnet information and click Save.

8. Click Review + Create at the bottom of the screen. Once validation passes, click Create.

Create Load Balancer        

In this section, you will create a zone-redundant load balancer to distribute traffic among virtual machines (VMs). With zone redundancy, the load balancer remains operational even if one or more availability zones fail, as long as at least one zone in the region is healthy.

During the load balancer setup, you will configure the following components:

  • Frontend IP address
  • Backend pool
  • Inbound load-balancing rules
  • Health probe

1. In the search box at the top of the portal, enter Load balancer. Select Load balancers from the search results.

2. On the Load balancer page, click + Create.

3. In the Basics tab of the Create load balancer page, provide the necessary information and then select Next: Frontend IP configuration at the bottom of the page.

4. In the Frontend IP configuration tab, select + Add a frontend IP configuration.

5. Enter lb-frontend in Name.

6. Select IPv4 for IP version.

7. Select IP address for IP type.

8. Under Public IP address, select Create new.

9. In Add a public IP address, enter lb-frontend-ip for Name.

10. Select Zone-redundant for Availability zone.

11. Leave Microsoft network as the default for Routing preference.

12. Click Save to close Add a public IP address.

13. Click Save on Add a frontend IP configuration.

14. Select Next: Backend pools at the bottom of the page.

15. In the Backend pools tab, select + Add a backend pool.

16. Enter lb-backend-pool for Name.

17. Select lb-vnet for Virtual network.

18. Select IP Address for Backend Pool Configuration.

19. Click Save.

20. Select Next: Inbound rules at the bottom of the page.

21. In the Inbound rules tab, under Load balancing rule, select + Add a load balancing rule.

22. In Add load balancing rule, enter or select the required information. At minimum this is the frontend lb-frontend, the backend pool lb-backend-pool, protocol TCP, port 80 to backend port 80, and a new TCP health probe on port 80, which is what the IIS test later in this post expects.

23. Select Save.

24. Click the blue Review + create button at the bottom of the page.

25. Finally, click Create.

Create Virtual Machines        

In this section, you will create two VMs (lb-vm1 and lb-vm2) in different zones (Zone 1 and Zone 2). These VMs will be added to the backend pool of the previously created load balancer.

1. In the search box at the top of the portal, enter Virtual Machine. Select Virtual machines from the search results.

2. In the Virtual Machines section, click + Create Azure virtual machine.

3. In the Basics tab of the Create a virtual machine page, provide or select the required values: the name lb-vm1, availability zone 1, and the image, size and administrator credentials you want.

4. Select the Networking tab, or select Next: Disks, then Next: Networking.

5. In the Networking tab, select the virtual network lb-vnet, and under Load balancing attach the VM to the load balancer and backend pool created above (lb-backend-pool). Because the VM is reached through Azure Bastion and the load balancer, it needs no public IP address of its own.

6. Click Review + create.

7. Review the settings, then click Create.

8. Repeat steps 1 through 7 to create lb-vm2 in availability zone 2, keeping all other settings the same as lb-vm1.

Install IIS        

1. In the search box at the top of the portal, enter Virtual machine. Select Virtual machines from the search results.

2. Select lb-vm1.

3. On the Overview page, click Connect, then select Bastion.

4. Enter the username and password you set during the VM creation.

5. Click Connect.

6. On the server desktop, open Start > Windows PowerShell > Windows PowerShell.

7. In the PowerShell window, run the following commands to:

  • Install the IIS server.
  • Remove the default iisstart.htm file.
  • Add a new iisstart.htm file that displays the name of the VM.
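The commands the Bastion session runs on each VM, as an added example (not from the original post, where they appeared only as a screenshot); the local verification request at the end is an addition.

```powershell
# Added example (not from the original post): run inside the Bastion session
# on each VM. Installs IIS and replaces the default page with one that names
# the VM, so the load balancer test shows which backend answered.
Install-WindowsFeature -Name Web-Server -IncludeManagementTools

# Replace the default landing page with the VM's hostname.
Remove-Item -Path 'C:\inetpub\wwwroot\iisstart.htm' -Force
Add-Content -Path 'C:\inetpub\wwwroot\iisstart.htm' `
    -Value ("Hello World from " + $env:COMPUTERNAME)

# Added check: confirm the site answers locally before relying on the
# load balancer's probe to tell you whether the instance is healthy.
(Invoke-WebRequest -Uri 'http://localhost/iisstart.htm' -UseBasicParsing).Content
```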

8. Close the Bastion session for lb-vm1.

9. Repeat steps 1 to 8 to install IIS and the updated iisstart.htm file on lb-vm2.

Test the Load Balancer        

1. In the search box at the top of the portal, enter "Public IP." Select "Public IP addresses" from the search results.

2. In the Public IP addresses section, select lb-frontend-ip.

3. Copy the IP address and paste it into the address bar of your browser. You should see the custom VM page of the IIS web server. Refresh a few times: each new connection is hashed independently, so over time you should see pages from both lb-vm1 and lb-vm2.

Clean Up Resources        

When the resources are no longer needed, delete the resource group, load balancer, and all related resources. To do this, select the resource group load-balancer-rg that contains the resources, then click Delete.

Create a Public Load Balancer to Load Balance VMs Using Azure PowerShell        
Create a Resource Group

$rg = @{
    Name     = 'CreatePubLBQS-rg'
    Location = 'westus2'
}
New-AzResourceGroup @rg

Create a Public IP Address

$publicip = @{
    Name              = 'myPublicIP'
    ResourceGroupName = $rg.Name
    Location          = 'westus2'
    Sku               = 'Standard'
    AllocationMethod  = 'Static'
    Zone              = 1, 2, 3
}
New-AzPublicIpAddress @publicip

Create a Load Balancer

Place the public IP created in the previous step into a variable.

$pip = @{
    Name              = 'myPublicIP'
    ResourceGroupName = $rg.Name
}
$publicIp = Get-AzPublicIpAddress @pip

Create a load balancer frontend configuration and place it in a variable.

$fip = @{
    Name            = 'myFrontEnd'
    PublicIpAddress = $publicIp
}
$feip = New-AzLoadBalancerFrontendIpConfig @fip

Create a backend address pool configuration and place it in a variable.

$bepool = New-AzLoadBalancerBackendAddressPoolConfig -Name 'myBackEndPool'

Create the health probe and place it in a variable. The quickstart this post follows uses IntervalInSeconds = 360 with ProbeCount = 5, which lets a dead instance keep receiving new flows for up to 30 minutes; a 15-second interval with two consecutive failures is used here instead.

$probe = @{
    Name              = 'myHealthProbe'
    Protocol          = 'Tcp'
    Port              = 80
    IntervalInSeconds = 15
    ProbeCount        = 2
}
$healthprobe = New-AzLoadBalancerProbeConfig @probe

Create the load balancer rule and place it in a variable. Outbound SNAT is disabled on the rule because outbound connectivity is provided by the NAT gateway created later.

$lbrule = @{
    Name                    = 'myHTTPRule'
    Protocol                = 'Tcp'
    FrontendPort            = 80
    BackendPort             = 80
    IdleTimeoutInMinutes    = 15
    FrontendIpConfiguration = $feip
    BackendAddressPool      = $bepool
}
$rule = New-AzLoadBalancerRuleConfig @lbrule -EnableTcpReset -DisableOutboundSNAT

Create the load balancer resource.

$loadbalancer = @{
    ResourceGroupName       = $rg.Name
    Name                    = 'myLoadBalancer'
    Location                = 'westus2'
    Sku                     = 'Standard'
    FrontendIpConfiguration = $feip
    BackendAddressPool      = $bepool
    LoadBalancingRule       = $rule
    Probe                   = $healthprobe
}
New-AzLoadBalancer @loadbalancer

Create Virtual Network, Network Security Group, Bastion Host, and NAT Gateway

Create a public IP address for the NAT gateway.

$natIpCfg = @{
    Name              = 'myNATgatewayIP'
    ResourceGroupName = $rg.Name
    Location          = 'westus2'
    Sku               = 'Standard'
    AllocationMethod  = 'Static'
}
$natIp = New-AzPublicIpAddress @natIpCfg

Create the NAT gateway resource.

$nat = @{
    ResourceGroupName    = $rg.Name
    Name                 = 'myNATgateway'
    IdleTimeoutInMinutes = 10
    Sku                  = 'Standard'
    Location             = 'westus2'
    PublicIpAddress      = $natIp
}
$natGateway = New-AzNatGateway @nat

Create the backend subnet configuration, associated with the NAT gateway so the VMs get outbound access without public IPs of their own.

$subnet = @{
    Name          = 'myBackendSubnet'
    AddressPrefix = '10.1.0.0/24'
    NatGateway    = $natGateway
}
$subnetConfig = New-AzVirtualNetworkSubnetConfig @subnet

Create the Azure Bastion subnet (the name AzureBastionSubnet is mandatory).

$bastsubnet = @{
    Name          = 'AzureBastionSubnet'
    AddressPrefix = '10.1.1.0/24'
}
$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig @bastsubnet

Create the virtual network.

$net = @{
    Name              = 'myVNet'
    ResourceGroupName = $rg.Name
    Location          = 'westus2'
    AddressPrefix     = '10.1.0.0/16'
    Subnet            = $subnetConfig, $bastsubnetConfig
}
$vnet = New-AzVirtualNetwork @net

Create a public IP address for the Bastion host.

$bastionIpCfg = @{
    Name              = 'myBastionIP'
    ResourceGroupName = $rg.Name
    Location          = 'westus2'
    Sku               = 'Standard'
    AllocationMethod  = 'Static'
}
$bastionIp = New-AzPublicIpAddress @bastionIpCfg

Create the Bastion host. It is submitted as a background job because deployment takes several minutes.

$bastion = @{
    ResourceGroupName = $rg.Name
    Name              = 'myBastion'
    PublicIpAddress   = $bastionIp
    VirtualNetwork    = $vnet
}
New-AzBastion @bastion -AsJob

Create a rule for the network security group and place it in a variable. The rule admits only TCP on port 80 from the Internet; the quickstart this post follows uses Protocol '*', which would also open UDP 80.

$nsgrule = @{
    Name                     = 'myNSGRuleHTTP'
    Description              = 'Allow HTTP'
    Protocol                 = 'Tcp'
    SourcePortRange          = '*'
    DestinationPortRange     = '80'
    SourceAddressPrefix      = 'Internet'
    DestinationAddressPrefix = '*'
    Access                   = 'Allow'
    Priority                 = 2000
    Direction                = 'Inbound'
}
$rule1 = New-AzNetworkSecurityRuleConfig @nsgrule

Create the network security group.

$nsg = @{
    Name              = 'myNSG'
    ResourceGroupName = $rg.Name
    Location          = 'westus2'
    SecurityRules     = $rule1
}
New-AzNetworkSecurityGroup @nsg

Create Virtual Machines

Set the administrator credentials for the VMs. Get-Credential prompts interactively, so the password never lands in the script or the shell history.

$cred = Get-Credential

Place the virtual network into a variable.

$net = @{
    Name              = 'myVNet'
    ResourceGroupName = $rg.Name
}
$vnet = Get-AzVirtualNetwork @net

Place the load balancer's backend pool into a variable.

$lb = @{
    Name              = 'myLoadBalancer'
    ResourceGroupName = $rg.Name
}
$bepool = Get-AzLoadBalancer @lb | Get-AzLoadBalancerBackendAddressPoolConfig

Place the network security group into a variable.

$ns = @{
    Name              = 'myNSG'
    ResourceGroupName = $rg.Name
}
$nsg = Get-AzNetworkSecurityGroup @ns

Loop to create the two virtual machines for the load balancer backend pool. Each VM goes into a different availability zone and gets a NIC attached to the NSG and the backend pool; no public IP is assigned to the NICs, since access is through Bastion and the load balancer.

for ($i = 1; $i -le 2; $i++) {

    ## Network interface for the VM (Subnets[0] is myBackendSubnet) ##
    $nic = @{
        Name                           = "myNicVM$i"
        ResourceGroupName              = $rg.Name
        Location                       = 'westus2'
        Subnet                         = $vnet.Subnets[0]
        NetworkSecurityGroup           = $nsg
        LoadBalancerBackendAddressPool = $bepool
    }
    $nicVM = New-AzNetworkInterface @nic

    ## Virtual machine configuration ##
    $vmsz = @{
        VMName = "myVM$i"
        VMSize = 'Standard_DS1_v2'
    }
    $vmos = @{
        ComputerName = "myVM$i"
        Credential   = $cred
    }
    $vmimage = @{
        PublisherName = 'MicrosoftWindowsServer'
        Offer         = 'WindowsServer'
        Skus          = '2019-Datacenter'
        Version       = 'latest'
    }
    $vmConfig = New-AzVMConfig @vmsz |
        Set-AzVMOperatingSystem @vmos -Windows |
        Set-AzVMSourceImage @vmimage |
        Add-AzVMNetworkInterface -Id $nicVM.Id

    ## Create the virtual machine in zone $i ##
    $vm = @{
        ResourceGroupName = $rg.Name
        Location          = 'westus2'
        VM                = $vmConfig
        Zone              = "$i"
    }
    New-AzVM @vm -AsJob
}

The deployments of the virtual machines and Bastion host are submitted as PowerShell jobs. To view the status of the jobs, use Get-Job:

Get-Job

Id  Name              PSJobTypeName    State      HasMoreData  Location   Command
--  ----              -------------    -----      -----------  --------   -------
1   Long Running O…   AzureLongRunni…  Completed  True         localhost  New-AzBastion
2   Long Running O…   AzureLongRunni…  Completed  True         localhost  New-AzVM
3   Long Running O…   AzureLongRunni…  Completed  True         localhost  New-AzVM

Install IIS

Loop to install the Custom Script Extension on each VM. The extension installs IIS and writes the VM's computer name into Default.htm, so the test below shows which backend answered. SettingString is single-quoted on purpose: $($env:computername) must be expanded on the VM, not on the machine running this script.

for ($i = 1; $i -le 2; $i++) {
    $ext = @{
        Publisher          = 'Microsoft.Compute'
        ExtensionType      = 'CustomScriptExtension'
        ExtensionName      = 'IIS'
        ResourceGroupName  = $rg.Name
        VMName             = "myVM$i"
        Location           = 'westus2'
        TypeHandlerVersion = '1.8'
        SettingString      = '{"commandToExecute":"powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path \"C:\\inetpub\\wwwroot\\Default.htm\" -Value $($env:computername)"}'
    }
    Set-AzVMExtension @ext -AsJob
}

The extensions are deployed as PowerShell jobs. To view the status of the installation jobs, use Get-Job:

Get-Job

Id  Name              PSJobTypeName    State    HasMoreData  Location   Command
--  ----              -------------    -----    -----------  --------   -------
8   Long Running O…   AzureLongRunni…  Running  True         localhost  Set-AzVMExtension
9   Long Running O…   AzureLongRunni…  Running  True         localhost  Set-AzVMExtension

Test the Load Balancer

Get the public IP address of the load balancer frontend, then open it in a browser.

$ip = @{
    ResourceGroupName = $rg.Name
    Name              = 'myPublicIP'
}
Get-AzPublicIpAddress @ip | Select-Object IpAddress
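An added example (not from the original post) that goes one step beyond the browser check: from the same PowerShell session, request the page repeatedly to see both backends answer, then read the probe and data-path metrics. Names match the script above; DipAvailability and VipAvailability are the Azure Monitor metric names for health probe status and data path availability.

```powershell
# Added example (not from the original post): exercise the load balancer
# from the session that built it and read its health metrics. Uses the
# resource names from the script above.
$rgName = 'CreatePubLBQS-rg'
$ip = (Get-AzPublicIpAddress -Name 'myPublicIP' -ResourceGroupName $rgName).IpAddress

# Each request opens a new connection with a new source port, so the 5-tuple
# differs and the hash spreads flows across both VMs. Within one TCP
# connection every packet stays on the same backend.
$hits = 1..20 | ForEach-Object {
    (Invoke-WebRequest -Uri "http://$ip/Default.htm" -UseBasicParsing).Content.Trim()
} | Group-Object | Select-Object Name, Count
$hits    # expect both myVM1 and myVM2 to appear

# DipAvailability is the per-backend health probe status (100 = healthy);
# VipAvailability is the data path. A backend stuck at 0 usually means an NSG
# is blocking the probe source (AzureLoadBalancer tag) or IIS is not listening.
$lb = Get-AzLoadBalancer -Name 'myLoadBalancer' -ResourceGroupName $rgName
Get-AzMetric -ResourceId $lb.Id -MetricName 'DipAvailability', 'VipAvailability' `
    -TimeGrain 00:01:00 -StartTime (Get-Date).AddMinutes(-15) -EndTime (Get-Date) `
    -AggregationType Average
```

If only one VM name ever appears, check the other VM's probe status first; the load balancer never sends new flows to an instance whose DipAvailability is 0, and a browser test alone does not tell you why.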

Clean UP the Resources

Remove-AzResourceGroup -Name $rg.name

Quickstart: Deploy a Public Load Balancer to Balance VMs Using Terraform        

This guide walks you through deploying a standard load balancer to distribute traffic across virtual machines using Terraform.

Terraform is a powerful tool for defining, previewing, and deploying cloud infrastructure. With Terraform, you create configuration files using HCL (HashiCorp Configuration Language) syntax. HCL allows you to define your cloud provider (e.g., Azure) and specify the resources that make up your infrastructure. After creating your configuration files, you can generate an execution plan to preview the proposed changes. Once satisfied, you apply the plan to provision the infrastructure. In this article:

  • Prerequisites
  • Implement the Terraform code
  • Initialize Terraform
  • Create a Terraform execution plan
  • Apply the execution plan

Implementing the Terraform Code

1. Create a new directory for testing the sample Terraform code and set it as the current working directory.

2. Create the following files and insert the corresponding code

  • providers.tf: Define the cloud provider settings.

[Screenshot: providers.tf]

  • main.tf: Specify the infrastructure resources (like VMs and Load Balancer).

[Screenshot: main.tf]

  • variables.tf: Define input variables to make your code reusable and configurable.

[Screenshot: variables.tf]

  • outputs.tf: Output important resource details after deployment.

[Screenshot: outputs.tf]
Initialize Terraform

Execute the terraform init command to initialize your Terraform deployment. This step ensures that the necessary Azure provider is downloaded, allowing Terraform to manage your Azure resources.

terraform init -upgrade        

Key Points:

- The -upgrade option updates provider plugins to the latest version that meets the version constraints specified in the configuration.

Terraform execution plan

This command helps preview the infrastructure changes before applying them.

terraform plan -out main.tfplan

Apply the Terraform Execution Plan

This command provisions the specified resources in your cloud infrastructure according to the execution plan.

terraform apply main.tfplan        
Verify the Results

After applying the execution plan, Terraform will show the frontend public IP address. If you've cleared the terminal, you can retrieve the IP address with the following command:

echo $(terraform output -raw public_ip_address)        

Copy the public IP address and paste it into your web browser's address bar. This will display the custom VM page hosted by the Nginx web server.

Clean Up Resources

1. When the resources created by Terraform are no longer needed, run terraform plan with the -destroy flag to review the resources that will be removed:

terraform plan -destroy -out main.destroy.tfplan

2. Run terraform apply with the destroy plan to remove them:

terraform apply main.destroy.tfplan

In our next post, we'll walk through creating an Internal Load Balancer using both the Azure Portal and Terraform. We'll also cover NAT rules, cross-region load balancing, scaling, availability, and other key aspects of Azure Load Balancer. Stay tuned for insights that will deepen your understanding of Azure's networking capabilities!






More articles by Ankit Ranjan (DevOps Engineer)
