Connectivity and Load Balancing Flashcards

1
Q

Azure Load Balancer

A

Is a Layer 4 (TCP, UDP) load balancing service provided by Microsoft Azure. It distributes incoming network traffic across multiple virtual machines (VMs), virtual machine scale sets, or Azure services, ensuring high availability, scalability, and reliability for applications hosted in the Azure cloud environment.

-If a back-end resource goes offline, it is removed from the available pool of resources

Implementation

  1. Frontend: One or more central public/private addresses through which a solution is reached
    -Public LB uses public IP addressing
    -Private LB uses private IP address from the VNet/Subnet range
  2. Backend: VMs or VM Scale Set resources that host an instance of the solution
  3. Probe: HTTP/HTTPS/TCP probes that check if an instance is healthy
    -When you create an NSG, make sure its rules do not block your probe traffic
  4. Rules: Load Balances a frontend to a healthy backend via a port (can persist/float)
    -What port do we want to listen on our frontend?
    -What port do we want to send to on our backend?
    -What probe will we use?

-You can also create special rules called inbound NAT rules

2
Q

Azure Load Balancer Considerations

A

Implementation Considerations

  1. Sticky Sessions (Persistence): Rules can be configured to ensure sessions stick
  2. Matching SKUs: Public IP addressing must match the SKU of the load balancer (Basic or Standard)
  3. Floating IPs: Allow load balancing to the same backend port on a backend instance (you can’t reuse ports)
    -Your VMs will have to be configured with loopback addresses; this means each VM gets assigned the IP address of the load balancer (while keeping its own IP)
    -If you have a multi tenant solution
  4. HA Ports: Load balance all protocols on all ports simultaneously
    -This is the only LB rule you’ll be able to configure
    -If you need to configure other rules alongside this HA port rule, you’ll have to use floating IPs

Load Balancer SKUs

  1. Basic (Up to 300 instances) (Discontinued in 2025)
    -Supports VMs in Availability Set or in a VMSS
    -Only HTTP/TCP health probes are supported
    -Region deployment only
    -Open by default. Requires NSG for security
    -Doesn’t support HA ports
    -No SLA
  2. Standard (Up to 1000 instances)
    -Supports any VM or VMSS from the same VNet
    -Supports HTTPS/HTTP/TCP health probes
    -Region and AZs deployment
    -All traffic blocked by default
    -Supports HA Ports
    -99.99% SLA
3
Q

Application Gateway

A

Is a Layer 7 (HTTP/HTTPS) load balancer and web traffic manager service. It enables you to optimize and secure web traffic to your applications.

Key Features

-Path-based routing: Allows you to route incoming requests to different backend pools based on the request URL path.
-Multi-Site routing: Enables you to host multiple applications or services behind a single Application Gateway and route traffic accordingly.
-End to End Encryption: The application gateway can act as an encryption termination point for your website
-Web Application Firewall (SKU)
-SSL Termination: Application Gateway can terminate SSL/TLS connections from clients, offloading the encryption and decryption workload from backend servers
-Session Affinity: Provides session affinity (sticky sessions) to ensure that subsequent requests from the same client are directed to the same backend server.
-Web Application Firewall (WAF): Is a built-in WAF that provides protection against common web-based attacks. The WAF can be configured with custom rulesets and threat intelligence feeds to enhance security.
-Autoscaling: Allows it to dynamically scale up or down based on changes in traffic load.
-Health Probes: Continuously monitors the health and availability of backend servers

Implementation

  1. Frontend: Supports the use of a Public IP, Private IP, or both
    -We might have a DNS hooked up to it
  2. Backend: Supports various Azure services that are either public or private
    -You can make up your backend pool of a range of different resources (VMs, VMSS, AppService, VM on-premise, VMs on another cloud provider)
  3. Listeners and Settings
    -Front: port, SSL, multi-site, etc.
    -Back: port, cookie affinity, draining
    -We could use different listening ports for the frontend and backend
  4. Rules: Prioritized rules to tie all settings together. Supports path-based rules
4
Q

Azure Traffic Manager

A

Azure Traffic Manager is a DNS-based traffic load balancer provided by Microsoft Azure. It is designed to distribute traffic across different Azure regions, endpoints, or even external resources to ensure optimal performance, availability, and responsiveness for users.

Traffic Flow

Users:
Perform a DNS lookup for the domain (e.g., www.aus-e-mart.com).

Traffic Manager:
Resolves the DNS request using the CNAME record.
Provides a query response with the Web App IP address.

Endpoints:
The user connects to the resolved Web App IP.
The endpoints receive the request and send back a response.

Flow Summary:
Lookup DNS → Receive Web App IP → Connect to Web App → Communicating (Request and Response).

Architecture

-Profile: Top-level resource for configuration. Determines URL for frontend.
-Endpoints: Internet-facing services over any protocol (Azure, external, or nested).
-Monitoring: Health check and failover mechanism for endpoints (must be HTTP/S).
-Routing: Method to determine which endpoint to respond to the client with.

5
Q

Azure Traffic Manager - Routing Methods

A

Routing Methods - Traffic Manager

  • Priority: Send traffic to the highest priority endpoint (if it is healthy).
  • Weighted: Distributes traffic to available endpoints based on weights.
  • Performance: Routes users to the closest endpoint for minimal network latency.
  • Geographic: Directs users based on DNS query origins for data sovereignty.
  • Multivalue: Returns all healthy endpoints in a single DNS query response.
  • Subnet: Maps end-user IP ranges to specific endpoints for requests.
6
Q

Azure Front Door

A

Azure Front Door is a global, scalable, and secure entry point for delivering fast, reliable, and secure web applications to users. It operates at Layer 7 (HTTP/HTTPS) of the OSI model and provides features such as load balancing, routing, acceleration, and protection for web applications.

Key Features

  • Global Load Balancing: Provides accelerated access to global applications (HTTP) using Microsoft’s global network.
  • Accelerated Delivery: Static and dynamic content acceleration. Uses caching, compression, and more.
  • Secure Connectivity: Includes Web Application Firewall (WAF), bot protection, threat intelligence, and more.

Pricing Tiers

Standard:
* Provides core routing functionality.
* Supports Web Application Firewall (WAF).

Premium:
* Provides core routing functionality.
* Supports WAF with managed rules.
* Adds bot protection, private link, and more.

Architecture

  • Frontdoor Profile: Parent-level resource. Defines pricing tier, domains, security, and more.
  • Endpoint: Unique URL entry point for your web application / API (…azurefd.net).
  • Origin Group: Publicly accessible endpoints. Can be Azure services or external services.
  • Routes: Map an endpoint to an origin group with protocol, path, domain, cache, etc.
7
Q

Azure Front Door - Routing Flow

A

1. Available Backends:
* Only healthy and enabled backends are considered for selection.
* These backends are continuously monitored for availability and performance.

2. Priority:
* Backends are assigned priorities to configure routing strategies like active/active or active/passive.
* Traffic is routed to the highest-priority backend unless it becomes unavailable.

3. Latency:
* Routes traffic to the backend that is geographically closest to the user to minimize latency and improve performance.

4. Weighted:
* Distributes traffic among backends based on a weight value assigned to each backend.
* Weight values range from 1 to 1,000, allowing proportional traffic distribution.

5. Session Affinity:
* Ensures that user traffic is consistently routed to the same backend during a session.
* Achieved using cookies to maintain a persistent connection to a specific backend.
