Configure load balancing rules
Load-balancing rules are used to connect the frontend IP configuration to the back-end server pool, and to a health probe. With Azure Load Balancer, there are no separate back-end HTTP settings configuration; any additional HTTP settings are defined directly within the load- balancing rule itself. These include frontend and back-end ports, idle timeout, protocol (TCP or UDP), and IP version (IPv4 or IPv6).
With the load-balancing rule, you can also configure how inbound connections are distrib- uted between back-end instances. There are three options:
- None Traffic is distributed based on a 5-tuple hash of source IP, destination IP, source port, destination port, and protocol. This is the default option.
- Source IP Traffic is distributed based on a 2-tuple hash of source and destination IP only.
- Source IP And Protocol Traffic is distributed based on a 3-tuple hash of source IP, destination IP, and protocol.
Under the default option, new TCP sessions from a given client might be routed to a differ- ent back-end endpoint because the source port will have changed. By excluding the source port from the load-balancing algorithm, the Source IP and Source IP Protocol options provide consistent mappings between client and individual back-end servers across separate connec- tions. This is useful in applications where traffic between the client and server uses more than one connection or protocol. Examples are media uploads that use both a TCP session to control and monitor the upload, as well as UDP packets to upload the media data.
INBOUND NAT RULES
Azure Load Balancer can be configured to distribute inbound traffic across a pool of back-end servers. Another common scenario is where a connection must be made to a specific back-end server via the load balancer frontend. This is useful for gaining access to a specific server, such as when diagnosing a problem without exposing a new endpoint on that server.
Direct connectivity to individual servers is achieved by creating a port mapping from the frontend to a specific back-end server. This mapping is also known as an inbound NAT rule. Each inbound NAT rule specifies a frontend IP address, frontend port, protocol (TCP or UDP), back-end server, and back-end port. Once enabled, traffic received by the front-end IP on the designated frontend port is directed to the specified back-end server and port.
NETWORK SECURITY GROUP CONFIGURATION
The final step in configuring the Azure Load Balancer is to ensure that network security groups (NSGs) are correctly configured. These NSGs can be associated with the subnet containing the back-end virtual machines or with their network interfaces. Two inbound security rules are required.
First, an inbound rule must permit traffic from the end users to the back-end servers. Even though traffic passes through the load balancer, this does not change the source IP of the inbound traffic, hence the rule must reference the end user source IP address and port range.
A second inbound rule must permit traffic originating from the load balancer health probe. The IP addresses from which the health probes originate are defined in the AzureLoadBalancer service tag, which should be used to define the source IP address range for this rule.
