Azure Load Balancing Network Design and Deep Dive

“You must unlearn what you have learned” – Master Yoda

Business and technology leaders are facing new challenges and a changing landscape when it comes to operating and hosting their business. At Navisite, we have been working for quite some time with clients moving from simple co-location and managed hosting to multi-cloud environments.

The challenges are not just technical in nature. They require a holistic business strategy to embark on a journey from managing your own stack – servers, network, data and pipe – to a cloud environment where your traditional methods of operation do not always apply.

In many cases, our clients are not in a position to do a forklift replacement from managed hosting or co-location to the cloud. As a result, the typical question that comes up is: “is there a hybrid world that we can live in?”

The challenges start with the people who are on the front-line, keeping your business services running 24x7x365. They have to unlearn much of what they have learned because the philosophy of operating in the new environment is fundamentally different.

As a business leader, you will need to arm the team with new skills, and put in place new best practices on security, data stewardship and governance. In this post, we will peel the onion to the core on moving to a hybrid cloud, along with the challenges and best practices on how to do it methodically because not doing it right is not an option for your business service availability.

Topic 1: Azure Load Balancing Network Design and Deep Dive

“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” – Abraham Lincoln

Microsoft documentation is very thorough and vast; this article bridges the gap between documentation and real-world implementation. The contents should enable you to implement Azure load balancing technologies. This article also walks you through an example of a multi-region Azure Traffic Manager design and various verification steps.

Before we start, let’s test drive…

Test Drive (click the links for a real-time experience)
Azure Load Balancer (L4 Load Balancing)

Azure Application Gateway (L7 Load Balancing with Round Robin)
Region: US East
Region: SE Asia

Azure Traffic Manager (Geo load balancing)

Check out the DNS Load balancing across the globe

Current Azure Load Balancing Limitations:

  • Load balanced VMs need to be in the same availability set.
  • Azure Traffic Manager Geo load balancing is based on the closest DNS server that made the request and not the client proximity. This could skew the results.
  • Application Gateway does not support static public IP addresses, but it does support static internal IP.

Azure Load Balancing Methods

There are different options to distribute network traffic using Microsoft Azure. These options work differently from each other; each has a different feature set and supports different scenarios. They can be used in isolation or combined.

  • Azure Load Balancer works at the transport layer (Layer 4 in the OSI network reference stack). It provides network-level distribution of traffic across instances of an application running in the same Azure data center.
  • Application Gateway works at the application layer (Layer 7 in the OSI network reference stack). It acts as a reverse-proxy service, terminating the client connection and forwarding requests to back-end endpoints.
  • Traffic Manager works at the DNS level. It uses DNS responses to direct end-user traffic to globally distributed endpoints. Clients then connect to those endpoints directly.
Source: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview


Preparing the Network Configuration for Azure Load Balancing

Create a Resource Group

Create Virtual Networks for each region 

Create Network Security Groups

Create Availability Sets

Create Management and Web Virtual Machines 

Azure Load Balancer (layer 4)

Azure Load Balancer works at layer 4 and is configured with a hash-based distribution method. The default load distribution method is based on a 5-tuple (Source IP, Source Port, Protocol, Dest IP, Dest Port). This method can be changed via PowerShell; the other options are Source IP and Source IP Protocol.

There are three types of Azure load balancing configurations:

  • External load balancing: Load balance incoming Internet traffic to virtual machines.
  • Internal load balancing: Load balance traffic between virtual machines in a virtual network, between virtual machines in cloud services, or between on-premises computers and virtual machines in a cross-premises virtual network.
  • Port Forwarding/NAT: Forward external traffic to a specific virtual machine.

To create a new load balancer from the Azure Portal, configure the following:

  1. Review the frontend IP configuration.
  2. Create a backend server pool. Associate it with the availability set and add the target web servers – Red, Green and Blue.
  3. Add a health probe on tcp/80.
  4. Create a load balancing rule for tcp/80.
  5. Optionally, add NAT rules.
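The same five steps, plus the distribution-mode change the paragraph above mentions, as an added example scripted with the Az PowerShell module. This is not code from the original post; it assumes the resource group, availability set and the three web-server NICs already exist, and every name (rg-colors, lb-colors, nic-red and so on) is a placeholder.

```powershell
# Added example, not from the original post. Assumes the Az module and an
# existing resource group, VNet/subnet and NICs nic-red, nic-green, nic-blue
# whose VMs sit in one availability set (a Basic SKU load balancer requires it).
$rg  = "rg-colors"      # placeholder resource group
$loc = "eastus"         # placeholder region

# 1. Frontend: a public IP for the external load balancer (SKU left at default)
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-lb-colors" `
    -Location $loc -AllocationMethod Static
$fe  = New-AzLoadBalancerFrontendIpConfig -Name "fe-web" -PublicIpAddress $pip

# 2. Backend pool that the Red, Green and Blue NICs will join
$bePool = New-AzLoadBalancerBackendAddressPoolConfig -Name "be-web"

# 3. Health probe on tcp/80: two missed probes 15 s apart pull a server out
$probe = New-AzLoadBalancerProbeConfig -Name "probe-tcp80" -Protocol Tcp `
    -Port 80 -IntervalInSeconds 15 -ProbeCount 2

# 4. Load-balancing rule for tcp/80. -LoadDistribution is the setting the post
#    says is changed via PowerShell: Default (5-tuple), SourceIP, SourceIPProtocol
$rule = New-AzLoadBalancerRuleConfig -Name "rule-tcp80" `
    -FrontendIpConfiguration $fe -BackendAddressPool $bePool -Probe $probe `
    -Protocol Tcp -FrontendPort 80 -BackendPort 80 -LoadDistribution Default

# 5. Optional NAT: management SSH to the Red server only, via frontend port 2201
$nat = New-AzLoadBalancerInboundNatRuleConfig -Name "nat-ssh-red" `
    -FrontendIpConfiguration $fe -Protocol Tcp -FrontendPort 2201 -BackendPort 22

$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name "lb-colors" -Location $loc `
    -FrontendIpConfiguration $fe -BackendAddressPool $bePool -Probe $probe `
    -LoadBalancingRule $rule -InboundNatRule $nat

# Attach each web server's NIC to the backend pool; only Red gets the NAT rule
foreach ($name in "red", "green", "blue") {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "nic-$name"
    $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
    if ($name -eq "red") {
        $nic.IpConfigurations[0].LoadBalancerInboundNatRules.Add($lb.InboundNatRules[0])
    }
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
}

# Verify what is exposed and which distribution mode each rule runs with
(Get-AzLoadBalancer -ResourceGroupName $rg -Name "lb-colors").LoadBalancingRules |
    Select-Object Name, FrontendPort, BackendPort, LoadDistribution
```

Re-running step 4 with `-LoadDistribution SourceIP` and `Set-AzLoadBalancer` switches the rule to source-IP affinity; the final query confirms the mode actually in effect.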

A Closer Look at Packet Flow on the Red Web Server


Distribution Method

Source: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode


Azure Application Gateway (layer 7)

Application Gateway is a layer 7 load balancer, which means it works with web traffic only (HTTP/HTTPS/WebSocket). It supports capabilities such as SSL termination, cookie-based session affinity, and round robin for load balancing traffic. See the Application Gateway Frequently Asked Questions (FAQs).

To configure Application Gateway:
  1. Create the Application Gateway. A static public IP cannot be used.
  2. Update appGatewayBackendPool with the target web servers – Red, Green and Blue.
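Step 2, the backend pool update, together with the health check a practitioner would run afterwards, as an added example using the Az PowerShell module. It is not code from the original post; it assumes the gateway has already been created (step 1), and the gateway and NIC names are placeholders, except appGatewayBackendPool, which is the pool name used in the post.

```powershell
# Added example, not from the original post. Assumes the Az module and an
# Application Gateway "agw-eastus" (placeholder) already deployed with the
# default pool name appGatewayBackendPool.
$rg = "rg-colors"   # placeholder resource group
$gw = Get-AzApplicationGateway -ResourceGroupName $rg -Name "agw-eastus"

# Collect the private IPs of the Red, Green and Blue web servers from their NICs
$targets = foreach ($name in "red", "green", "blue") {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "nic-$name"
    $nic.IpConfigurations[0].PrivateIpAddress
}

# Point the pool at those servers; Set-AzApplicationGateway commits the change
$gw = Set-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw `
    -Name "appGatewayBackendPool" -BackendIPAddresses $targets
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Verify from the gateway's side: each server should report Healthy before the
# gateway is added as a Traffic Manager endpoint; an Unhealthy server is skipped
$health = Get-AzApplicationGatewayBackendHealth -ResourceGroupName $rg -Name "agw-eastus"
$health.BackendAddressPools |
    ForEach-Object { $_.BackendHttpSettingsCollection.Servers } |
    Select-Object Address, Health
```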

Azure Traffic Manager (DNS Based)

Azure Traffic Manager provides a DNS-based distribution service to load balance applications across multiple regions based on geographic proximity.

There are three types of endpoints supported by Traffic Manager:

  • Azure endpoints are used for services hosted in Azure – PaaS cloud services, Web Apps or PublicIPAddress resources (which can be connected to VMs either directly or via an Azure Load Balancer). The PublicIPAddress must have a DNS name assigned to be used in a Traffic Manager profile.
  • External endpoints are used for services hosted outside Azure, either on-premises or with a different hosting provider.
  • Nested endpoints are used to combine Traffic Manager profiles to create more flexible traffic-routing schemes to support the needs of larger, more complex deployments.

To configure Azure Traffic Manager:

  1. Create a Traffic Manager profile. Pick a unique DNS name and set the routing method to “Performance”, which directs clients to the closest endpoint based on network latency.
  2. Go to Settings -> Endpoints and add Azure endpoints. Add the two Azure Application Gateways as endpoints.
  3. Test the URL: http://nncolors.trafficmanager.net
  4. Verify geo load balancing from DNS servers across the globe. DNS servers on the US East Coast resolve to the Application Gateway in the East US region, and those in Southeast Asia resolve to the Application Gateway in the Southeast Asia region.
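The four steps above scripted with the Az PowerShell module, as an added example that is not code from the original post. It assumes the two Application Gateways already exist with public IPs that carry a DNS label; the profile, gateway and public IP names are placeholders (the DNS label nncolors is the one used in the post), and the verification uses `Resolve-DnsName`, which needs the Windows DnsClient module.

```powershell
# Added example, not from the original post. Assumes the Az module and two
# Application Gateways whose public IPs (placeholders below) have a DNS label.
$rg = "rg-colors"   # placeholder resource group

# 1. Profile: nncolors.trafficmanager.net, Performance routing, HTTP monitor on
#    port 80 so that an unhealthy gateway is dropped from DNS answers
$profile = New-AzTrafficManagerProfile -Name "tm-colors" -ResourceGroupName $rg `
    -TrafficRoutingMethod Performance -RelativeDnsName "nncolors" -Ttl 30 `
    -MonitorProtocol HTTP -MonitorPort 80 -MonitorPath "/"

# 2. Endpoints: the public IP resource of each Application Gateway
$gateways = @{ "agw-eastus" = "pip-agw-eastus"; "agw-seasia" = "pip-agw-seasia" }
foreach ($ep in $gateways.GetEnumerator()) {
    $pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $ep.Value
    New-AzTrafficManagerEndpoint -Name $ep.Key -ProfileName "tm-colors" `
        -ResourceGroupName $rg -Type AzureEndpoints -TargetResourceId $pip.Id `
        -EndpointStatus Enabled | Out-Null
}

# 3/4. Performance routing answers according to the resolver that asks, not the
#      client (the limitation noted earlier), so query several public resolvers.
#      Resolver list is constructed for the example; add ones in other regions.
$resolvers = @{ "Google" = "8.8.8.8"; "Cloudflare" = "1.1.1.1" }
foreach ($r in $resolvers.GetEnumerator()) {
    $a = Resolve-DnsName -Name "nncolors.trafficmanager.net" -Type A -Server $r.Value |
        Where-Object { $_.QueryType -eq "A" } | Select-Object -First 1
    "{0,-12} {1,-10} -> {2}" -f $r.Key, $r.Value, $a.IPAddress
}

# Monitor state per endpoint: only Online endpoints are ever returned in DNS
(Get-AzTrafficManagerProfile -Name "tm-colors" -ResourceGroupName $rg).Endpoints |
    Select-Object Name, Target, EndpointMonitorStatus
```

The resolver loop shows the CNAME chain collapsed to the A record each resolver receives, which is the quickest way to confirm that step 4's East US versus Southeast Asia split is really happening.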

Check out the DNS load balancing across the globe

Source: https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods#weighted-traffic-routing-method

Stay tuned for more posts in this series. Special thanks to my esteemed leaders John Rudenauer and Dave Grimes for their help on this post about Azure load balancing.

Questions or Comments? Reach out to Nehali Neogi ( nneogi [at] navisite.com ).


Nehali Neogi

Principal Network Engineer at Navisite
Nehali Neogi is a Principal Engineer at Navisite, leading many of their global initiatives on building the next generation of hybrid cloud services. She enjoys designing and architecting reliable and highly available solutions for Navisite’s clients. She is the resident expert on all things networking and beyond for VMware NSX, Cisco, and Azure based Hybrid Cloud offerings. Her interests are cloud technologies, Software Defined Networking, full stack engineering, and realizing the transition to DevOps and system automation. Nehali holds an Expert Level Certification in VMware NSX (VCIX-NV) and a Masters in Computer Engineering from UMass, Lowell.