For details on cookie usage on our site, read our Privacy Policy
Looking for a recommendation for Azure "internal Load balancer" when using PA redundant Firewalls
- LIVEcommunity
- Discussions
- Network Security
- VM-Series in the Public Cloud
- Looking for a recommendation for Azure "internal Load balancer" when using PA redundant Firewalls
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Looking for a recommendation for Azure "internal Load balancer" when using PA redundant Firewalls
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-23-2017 08:01 AM
Hi, I have deployed redundant PA Firewalls with the internal Azure load balancer to provide resiliance - thos is working however the "internal load balancer has significant limitations.
I am looking to see if anyone has any recommendations for 3rd party load balancer (taking into account cost and operation in this environment)
The limitations of the free Azure load balancer are as far as I can see
a. a limitation of a maximum 250 ports
b. no support for port ranges - therefore each port to be foirwarded bust be statically defined
Any pointers/recommendations would be greatly appreciated
Thanks
Andrew
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-31-2017 05:48 AM - edited 08-31-2017 05:48 AM
Due to the nature of Azure networking, another loadbalancer won't probably fix this problem.
When using another LB solution and making this HA, you probably going to need a Azure Internal LB.
See this reference documentation: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/nva-ha
I created a feature request at MS, you can upvote.
https://feedback.azure.com/forums/217313-networking/suggestions/31116808-loadbalancer-multiple-ports...
A (dirty) work-around can be using multiple internal loadbalancer, as far as the client doesn't use over 150 ports (the limit is actually 150).
Unfortunately no (real) solution, but hopefully it will clear things up.
- If it is broken, fix it. If it ain't broken, make it better.
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-31-2017 06:22 AM
Thanks Rob! Just upvoted it several times 😉 Let's hope M$ is going to listen this time. This has been a feature request since 2013 and isput on the feature backlog since november 2016
Regards
Michel van Kessel
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-28-2017 07:33 AM - edited 09-28-2017 07:36 AM
As of September 2017 Azure Load Balancer HA Ports capability is in preview. Allows the use of 0 for port number and All for protocol type which is shorthand for all ports, all protocols -- very useful for forwarding all traffic hitting the load balancer VIP to the back-end VM-series pool members (for both inbound and outbound use cases) -- in a single load balancer rule.
- https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview
- https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-configure-ha-ports
Before HA Ports capability hits GA, request access to it (link above) and mind the regions where it is available.
-John
- Create policies from flows in file excel/csv to a Panorama particular - Device Group in Panorama Discussions
- Demo Videos of some of the new AIOps 2.5 features in AIOps for NGFW Discussions
- Announcing AIOps for NGFW 2.5 in AIOps for NGFW Discussions
- SSL Decrytpion not working consistently on MAC's in Next-Generation Firewall Discussions
- Slow throughput issue over IPSec VPN tunnel configured between Fortigate 100F and Palo Alto in Next-Generation Firewall Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
