Monday, November 28, 2022
HomeCloud ComputingGateway Load Balancer now usually accessible in all areas | Azure Weblog...

Gateway Load Balancer now usually accessible in all areas | Azure Weblog and Updates


Beforehand, we introduced the general public preview launch of Gateway Load Balancer (GWLB), a brand new SKU of Azure Load Balancer focused for clear NVA (community digital equipment) insertion supported by a rising listing of NVA suppliers. Immediately, putting NVAs within the path of site visitors is a rising want for purchasers as their workloads scale. Frequent use instances of NVAs we’ve seen are:

  • Permitting or blocking particular IPs utilizing digital firewalls.
  • Defending functions from DDoS assaults.
  • Analyzing or visualizing site visitors patterns.

And GWLB now affords the next advantages for NVA situations:

  • Supply IP preservation.
  • Circulate symmetry.
  • Light-weight NVA administration at scale.
  • Auto-scaling with Azure Digital Machines Scale Units (VMSS).

With GWLB, bump-in-the-wire service chaining turns into simple so as to add on to new or present architectures in Azure. This implies prospects can simply “chain” a brand new GWLB useful resource to each Normal Public Load Balancers and particular person digital machines with Normal Public IPs, protecting situations involving each extremely accessible, zonally resilient deployments and less complicated workloads.

Gateway Load Balancer datapath diagram. Traffic originating from the Internet will traverse the Gateway Load Balancer first before reaching the Standard Load Balancer or Virtual Machine.

Determine 1: GWLB may be related to a number of shopper assets, together with each Normal Public Load Balancers and Digital Machines with Normal Public IPs. When GWLB is chained to the front-end configuration or VM NIC IP configuration, unfiltered site visitors from the web will first be directed to the GWLB after which attain the configured NVAs. The NVAs will then examine the site visitors and ship the filtered site visitors to the ultimate vacation spot, the buyer utility hosted on both the load balancer or digital machine.

What’s new with Gateway Load Balancer

GWLB borrows a majority of the identical ideas because the Normal Load Balancers that prospects are acquainted with as we speak. You’ll have a lot of the identical parts reminiscent of frontend IPs, load balancing guidelines, backend swimming pools, well being probes, and metrics, however you’ll additionally see a brand new part distinctive to GWLB—VXLAN tunnel interfaces.

VXLAN is an encapsulation protocol utilized by GWLB. This enables site visitors packets to be encapsulated and decapsulated with VXLAN headers as they traverse the suitable knowledge path, all whereas sustaining their authentic supply IP and stream symmetry with out requiring Supply Community Handle Translation (SNAT) or different advanced configurations like user-defined routes (UDRs).

The VXLAN tunnel interfaces are configured as a part of the GWLB’s back-end pool and allow the NVAs to isolate “untrusted” site visitors from “trusted” site visitors. Tunnel interfaces can both be inside or exterior and every backend pool can have as much as two tunnel interfaces. Usually, the exterior interface is used for “untrusted” site visitors—site visitors coming from the web and headed to the equipment. Correspondingly, the interior interface is used for “trusted” site visitors—site visitors going out of your home equipment to your utility.

Contoso case examine

To raised perceive the use case of GWLB, let’s dive deeper into instance retail firm Contoso’s use case.

Who’s Contoso?

Contoso is a retail firm that makes use of Azure Load Balancer as we speak to make their net servers supporting their retail platform regionally resilient. Up to now few years, they’ve skilled exponential development and now serve over 20 million guests per thirty days. When confronted with the necessity to scale their retail platform, they selected Azure Load Balancer due to its excessive efficiency coupled with ultra-low latency. Because of their success, they’ve begun to undertake stricter safety practices to guard buyer transactions and scale back the danger of dangerous site visitors reaching their platforms.

What does Contoso’s structure appear like as we speak?

Certainly one of their load balancers supporting the eastus area known as contoso-eastus and has a front-end IP configuration with the general public IP 101.22.462. Immediately, site visitors headed to 101.22.462 on port 80 is distributed to the backend cases on port 80 as nicely.

What’s the issue?

The safety group just lately recognized some probably malicious IP addresses which were making an attempt to entry their retail platform. Because of this, they’re trying to place a network-layer digital firewall to guard their functions from IP addresses with poor reputations.

What’s the plan?

Contoso has determined to go together with a third-party NVA vendor whose home equipment the group has utilized in different contexts reminiscent of smaller scale functions or different internal-facing instruments. The safety group desires to maintain the creation of extra assets to a minimal to simplify their NVA administration structure, in order that they resolve map one GWLB with an auto-scaling backend pool of NVAs utilizing Azure VMSS to every group of load balancers deployed in the identical area.

Deploying Gateway Load Balancer

The cloud infrastructure group at Contoso creates a GWLB with their NVAs deployed utilizing Azure VMSS. Then, they chain this GWLB to their 5 Normal Public LBs for the eastus area. After verifying that their Information Path Availability and Well being Probe Standing metrics are 100% on each their GWLB and on every chained Normal Public LB, they run a fast packet seize to make sure every part is working as anticipated.

What occurs now?

Now, site visitors packets whose vacation spot are any of the frontend IPs of the Normal Public LBs for eastus shall be encapsulated utilizing VXLAN and despatched to the GWLB first. At this level, the firewall NVAs will decapsulate the site visitors, examine the supply IP, and decide whether or not this site visitors is protected to proceed on in the direction of the top utility. The NVA will then re-encapsulate site visitors packets that meet the firewall’s standards and ship it again to the Normal LB. When the site visitors reaches the Normal LB, the packets shall be decapsulated, that means that the site visitors will seem as if it got here straight from the web, with its authentic supply IP intact. That is what we imply by clear NVA insertion, as Contoso’s retail platform functions will behave precisely as they did earlier than, with out ever figuring out that the packet was inspected or filtered by a firewall equipment previous to reaching the appliance server.

Gateway Load Balancer companions

Gateway Load Balancer helps a wide range of NVA suppliers, you may be taught extra about every of our companions on our companions web page.

Digital firewalls

  • Test Level
  • Cisco
  • F5
  • Fortinet
  • Palo Alto Networks

Site visitors observability

  • cPacket Networks
  • Glasnostic

Community safety

  • Citrix
  • Development Micro
  • Valtix

DDoS safety

Be taught extra

Check out Gateway Load Balancer as we speak with the assistance of our quickstart tutorials, or learn extra about Gateway Load Balancer on our public documentation.

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments