At this moment I am doing a PoC for a client in Azure with two VM-300s in the so-called "Sandwich" mode. So for traffic coming from the internet I have the following path: ELB > VM-300 (x2) > ILB > Webserver (x2). The VM-300s and the webservers are each in a separate availability set.
I managed to load balance the traffic from the internet on the ELB, over both VM-300s and the via the ILB to both Webservers. So far so good!
Now I ask myself the question, how do I load balance the traffic that initiates from the webservers to the internet? On the UDR I can only point to one VM-300, not both. I cannot use an ILB for any kind of SNAT or put it in routed mode.
As far as I can see, the only thing I can do is change the UDR via a script (e.g. zookeeper) in case one of the VM-300s goes down. How do you guys handle this? How do you achieve load balance/HA for outbound server traffic to the internet or other zones in the case of two VM-300s?
Michel van Kessel
You have two choices here:
One is to deploy another Azure load balancer just for outbound traffic and point your outbound UDR (default route) to the outbound load balancer. Azure allows such a configuration. The problem is, the healthcheck from the load balancer is always from the same IP address. So if you have one load balancer for inbound traffic and one load balancer for outbound traffic pointing to the same set of VM-Series firewalls, the firewalls will receive healthchecks from two different load balancers on two different interfaces but coming from the same IP address. This can be solved using two virtual routers on the firewall - one for each interface.
The other option is to split inbound and outbound traffic to two different sets of firewalls. Then each set of firewalls will only receive healthchecks from one load balancer. This adds VM-Series cost to the solution but it simplifies the routing and also has the advantage of having policy separation (inbound versus outbound). Also, the outbound firewalls can be used for multiple applications/resource groups in a hub and spoke model.
Thanks for the quick response! I am going to try the multiple router approach and will return with the outcome.
Quick question. Why doesn't it work with one virtual router? I mean, from a deeper technical point of view.
Michel van Kessel
It's a basic routing problem. Each subnet (even a /32) must be mapped in the route table to/from a unique interface. The Azure load balancer always sources the probe from 220.127.116.11. If we have a default route for the external interface (say ethernet1/1), all responses to the healthcheck will go out ethernet1/1 even if the healthcheck came from the internal load balancer (on say ethernet1/2). This results in an asymmetric path and the health probe fails.
If we then created a specific 18.104.22.168/32 route to use ethernet1/2, then the probes from the external load balancer would become asymmetric and those healthchecks would fail.
With multiple route tables, we could have one route table with a 22.214.171.124/32 static route that points to ethernet1/1 and another route table with a static entry for the same 126.96.36.199/32 for ethernet1/2.
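The routing problem described in the answer above, as an added example that is not from the thread or from Palo Alto Networks: a small longest-prefix-match model that shows which interface a probe reply leaves on under one shared virtual router (with and without the single /32 fix) and under one virtual router per interface. PROBE_SRC_IP is a placeholder for the Azure probe source address, and the interface names are assumptions.

```python
# Added example (not from the thread): a minimal longest-prefix-match model of
# the probe-reply routing problem. PROBE_SRC_IP is a placeholder, not the real
# Azure probe address; the interface names are illustrative assumptions.
import ipaddress

PROBE_SRC_IP = "192.0.2.10"  # placeholder for the load balancer probe source

class RouteTable:
    """One PAN-OS-style virtual router: a list of (prefix, egress interface)."""
    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]

    def lookup(self, dst):
        """Longest-prefix match: return the egress interface for dst."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

def reply_interface(ingress_iface, binding, src_ip):
    """Interface used to answer a probe that arrived on ingress_iface, given the
    interface -> virtual router binding (each interface belongs to exactly one)."""
    return binding[ingress_iface].lookup(src_ip)

def is_symmetric(ingress_iface, binding, src_ip):
    """True when the reply leaves the same interface the probe arrived on."""
    return reply_interface(ingress_iface, binding, src_ip) == ingress_iface

# Case 1: one virtual router shared by both interfaces; default route is external.
single = RouteTable("default", [("0.0.0.0/0", "ethernet1/1"),
                                ("10.0.0.0/8", "ethernet1/2")])
single_binding = {"ethernet1/1": single, "ethernet1/2": single}

# Case 2: same single router plus a /32 for the probe source via the internal side.
single_fixed = RouteTable("default-with-32", single.routes and [
    ("0.0.0.0/0", "ethernet1/1"), ("10.0.0.0/8", "ethernet1/2"),
    (PROBE_SRC_IP + "/32", "ethernet1/2")])
fixed_binding = {"ethernet1/1": single_fixed, "ethernet1/2": single_fixed}

# Case 3: one virtual router per interface, each with its own /32 for the probe.
vr_ext = RouteTable("vr-external", [("0.0.0.0/0", "ethernet1/1"),
                                    (PROBE_SRC_IP + "/32", "ethernet1/1")])
vr_int = RouteTable("vr-internal", [("10.0.0.0/8", "ethernet1/2"),
                                    (PROBE_SRC_IP + "/32", "ethernet1/2")])
dual_binding = {"ethernet1/1": vr_ext, "ethernet1/2": vr_int}
```

Running `is_symmetric` for both interfaces under each binding reproduces the thread: the shared router fails the internal probe, the /32 fix fails the external probe, and only the two-router layout answers both probes on the interface they arrived on.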
Hello Warby. I was completely looking in the wrong direction! Sometimes there is a simple solution and it makes complete sense!
I've got it all running now.
One question: do we need Floating IP (direct server return) enabled on the rules for the outbound LB?
Michel van Kessel
There are a few options when it comes to setting up the outbound probe, but the most common that I have seen is to probe to port 22 on the firewall and enable the related interface management profile (for SSH) on the interface that will receive the traffic first. You may need to add the route to support return traffic to the probe source IP address: 188.8.131.52.
Alternatively, you can probe to port 80 or 443 and write a NAT rule that sends traffic from 184.108.40.206 on the appropriate zone out to 220.127.116.11 on the Internet, or some other website that you wish to verify connectivity against. Leverage destination NAT to accomplish this.
Quick question: with this setup, how does the LB know to keep the traffic symmetric for a TCP flow?
Web Server -> LB -> PAN FW1 / PAN FW2 -> Internet