Load Balancing and Connectivity Flashcards
Azure Load Balancer
Is a Layer 4 (TCP, UDP) load balancing service provided by Microsoft Azure. It distributes incoming network traffic across multiple virtual machines (VMs), virtual machine scale sets, or Azure services, ensuring high availability, scalability, and reliability for applications hosted in the Azure cloud environment.
-If anything goes offline in the back-end resources, that is removed from the available pool of resources
Implementation
- Frontend: One or more central public/private addresses to reach a solution by
-Public LB uses public IP addressing
-Private LB uses a private IP address from the VNet/Subnet range
- Backend: VMs or VM Scale Set resources that host an instance of the solution
- Probe: HTTP/HTTPS/TCP probes that check if an instance is healthy
-When you create an NSG, make sure its rules do not block the probe from reaching the backend
- Rules: Load balance a frontend to a healthy backend via a port (can persist/float)
-What port do we want to listen on our frontend?
-What port do we want to send to on our backend?
-What probe will we use?
-You can also create special rules called inbound NAT rules
Azure Load Balancer Considerations
Implementation Considerations
- Sticky Sessions (Persistence): Rules can be configured to ensure sessions stick
- Matching SKUs: Public IP addressing must match the SKU of the load balancer (Basic or Standard)
- Floating IPs: Allow load balancing to the same backend port on a backend instance (otherwise you can’t reuse ports)
-Your VMs will have to be configured with loopback addresses, meaning each VM is assigned the IP address of the load balancer (while keeping its own IP)
-Useful if you have a multi-tenant solution
- HA Ports: Load balance all protocols on all ports simultaneously
-This is the only LB rule you’ll be able to configure
-If you need to configure other rules alongside this HA port rule, you’ll have to use floating IPs
Load Balancer SKUs
- Basic (Up to 300 instances) (Discontinued in 2025)
-Supports VMs in Availability Set or in a VMSS
-Only HTTP/TCP health probes are supported
-Region deployment only
-Open by default. Requires NSG for security
-Doesn’t support HA ports
-No SLA
- Standard (Up to 1000 instances)
-Supports any VM or VMSS from the same VNet
-Supports HTTPS/HTTP/TCP health probes
-Region and AZs deployment
-All traffic blocked by default
-Supports HA Ports
-99.99% SLA
Application Gateway
Is a Layer 7 (HTTP/HTTPS) load balancer and web traffic manager service. It enables you to optimize and secure web traffic to your applications
Key Features
-Path-based routing: Allows you to route incoming requests to different backend pools based on the request URL path.
-Multi-Site routing: Enables you to host multiple applications or services behind a single Application Gateway and route traffic accordingly.
-End to End Encryption: The application gateway can act as an encryption termination point for your website.
-Web Application Firewall (SKU)
-SSL Termination: Application Gateway can terminate SSL/TLS connections from clients, offloading the encryption and decryption workload from backend servers.
-Session Affinity: Provides session affinity (sticky sessions) to ensure that subsequent requests from the same client are directed to the same backend server.
-Web Application Firewall (WAF): A built-in WAF that provides protection against common web-based attacks. The WAF can be configured with custom rulesets and threat intelligence feeds to enhance security.
-Autoscaling: Allows it to dynamically scale up or down based on changes in traffic load.
-Health Probes: Continuously monitors the health and availability of backend servers.
Implementation
- Frontend: Supports the use of a Public IP, Private IP, or both
-We might have DNS hooked up to it
- Backend: Supports various Azure services that are either public or private
-You can make up your backend pool from a range of different resources (VMs, VMSS, App Service, on-premises VMs, VMs on another cloud provider)
- Listeners and Settings
-Front: port, SSL, multi-site, etc.
-Back: port, cookie affinity, draining
-We could use different listening ports for the frontend and backend
- Rules: Prioritized rules to tie all settings together. Supports path-based rules
Azure Bastion
Is a fully managed Platform-as-a-Service (PaaS) offering, designed to provide secure and seamless RDP (Remote Desktop Protocol) and SSH (Secure Shell) access to virtual machines (VMs) within an Azure Virtual Network (VNet) without the need for public IP addresses or VPN connections.
-Secure entry point to VMs in a secured VNet
Implementation
- Azure Bastion: Basic or Standard SKU. Must be deployed to special subnet (at least a /26)
-To provide connectivity to the Bastion, you’ll need a public IP
-If you choose the Standard SKU, you get additional features: custom inbound ports, connecting to VMs by IP, not strictly having to use the Azure Portal, and the ability to create a TLS tunnel from your computer and use a native RDP client
- Connectivity: Manage machines on connected networks. Secure with NSG
-Make sure you are securing that Bastion subnet
- Client: Management connectivity is over TLS using the Azure Portal as a client
Azure Firewall
Is a managed, cloud-based network security service. It acts as a centralized firewall-as-a-service (FWaaS) solution for securing traffic flowing between Azure Virtual Networks (VNets) and the internet, as well as traffic between VNets within the same Azure region.
-Helps protect your Azure resources from unauthorized access, threats, and attacks by enforcing network-level access controls and security policies.
-Support for Fully Qualified Domain Names (FQDN)
Key Features
-L3 to L7 Connectivity Policies: offers comprehensive connectivity policies that operate at multiple layers of the OSI model. This enables organizations to define granular rules and controls based on IP addresses, ports, protocols, and even application-level traffic.
-Fully Managed and Scalable
-Integrated Threat Intelligence: It leverages up-to-date threat intelligence information to identify and block malicious traffic, known threats, and suspicious activities in real-time.
-Intrusion Detection and Prevention System
-TLS Inspection: Allows it to decrypt and inspect encrypted HTTPS traffic passing through the firewall.
-URL Filtering and Web Categories: Supports filtering based on Fully Qualified Domain Names (FQDNs), allowing you to control access to specific websites or services hosted on the internet. This enables you to implement URL filtering and content inspection for outbound internet-bound traffic.
-Inbound and Outbound NAT: Azure Firewall supports inbound and outbound Network Address Translation (NAT), allowing you to hide the internal IP addresses of your Azure resources and provide internet connectivity for resources hosted within private subnets.
Which of these features are available depends on the SKU of the Firewall
Implementation
- Azure Firewall: Enforce rules. Deploy to “AzureFirewallSubnet” (At least a /26)
- Networking: Supports VNet to VNet filtering/routing. Requires route table to be configured
-Thanks to the Firewall, you can allow connections between VNets connected through the firewall (Spoke to Spoke)
- Firewall Policy: Configuration can be captured as a global resource with hierarchy
-Allow RDP In? Allow VNet to VNet connectivity?
-You can reuse this policy across multiple firewall instances
-You can enforce hierarchy. You can have “Parent Policies” that enforce global policies and have “Child Policies” with individual policies (in different firewalls)
-Make sure that these firewall policies are created in the same region
-You can have a global policy that is used across India, Australia, Europe. The policies can be used across firewalls in different regions, but the policies themselves need to be stored in the same region
-A child policy can only have a parent that is in the same region but those policies can be used anywhere across the globe