Internal Load Balancing

We are very excited to announce support for ‘Internal Load Balancing’ (ILB) in Azure. Internal load balancing enables you to run highly available services behind a private IP address that is reachable only from within a cloud service or a Virtual Network (VNet), which adds a layer of security to that endpoint. When used within a Virtual Network, the ILB endpoint is also reachable from on-premises networks and from other inter-connected VNets, which enables some powerful hybrid scenarios.

ILB can be used in two flavors:

  1. Within a Cloud service, where the load balanced IP is acquired from Azure’s private IP address space
  2. Within a Virtual network, where the load balanced IP is acquired from a virtual subnet or a static VNet IP address specified by the customer.

Key Scenarios

ILB is a security enhancement over the public load balancing that Azure offers today. It restricts reachability by scoping the load-balanced virtual IP address to a single Cloud Service or Virtual Network, so that clients never need to traverse the public Internet to reach it. This lets internal line-of-business applications run in Azure and be accessed from within the cloud or from on-premises. The following section lists some common use cases:

  • The application tier and backend databases can run behind an ILB so that they are not exposed to the public Internet but still gain high availability through load balancing. This is a significant security enhancement.

[Figure ILBpic3: application tier and backend databases placed behind an ILB]

  • The ILB VIP is reachable from the entire virtual network as well as from on-premises networks and inter-connected VNets over the IPsec tunnel. This lets you run intranet-facing (CorpNet only) SharePoint farms by placing the front-end VIPs behind the ILB, as shown in the picture below:

[Figure ILBPic2: intranet-facing SharePoint farm with its front-end VIPs behind an ILB]

Usage Instructions

Internal Load Balancing is currently in Preview; it will become Generally Available (GA) in the near future. Detailed documentation on ILB can be found here

Internal load balancing cannot yet be configured through the portal; portal support will come in the future. It can, however, be configured using PowerShell cmdlets. ILB can be used in a deployment inside a Regional Virtual Network as well as in a new deployment that is outside any Virtual Network. The sections below outline both types of usage.

ILB in a Regional Virtual Network

  • An ILB endpoint created in a Cloud Service in a Regional Virtual Network is reachable from the entire Virtual Network as well as from inter-connected VNets and on-premises sites.
  • Use the snippet below as a sample to configure an Internal Load Balancer in a Cloud Service that is deployed inside the Regional Virtual Network ‘VNetUSWest’. Read more about Regional Virtual Networks here
  • When using ILB inside a VNet you can also specify the subnet, and even more precisely the IP address, of the internal load balancer from the VNet address space.

# VM Configuration
$web1 = New-AzureVMConfig -Name "web1" -InstanceSize Small -ImageName <imagename> | Add-AzureProvisioningConfig -Windows -AdminUsername <username> -Password <password> | Set-AzureSubnet FrontEndSubnet

$web2 = New-AzureVMConfig -Name "web2" -InstanceSize Small -ImageName <imagename> | Add-AzureProvisioningConfig -Windows -AdminUsername <username> -Password <password> | Set-AzureSubnet FrontEndSubnet

# Create the Deployments
# The first call creates the cloud service inside the VNet; -Location and -VNetName apply to that call only
New-AzureVM -ServiceName "MyWebsite1" -VMs $web1 -Location "West US" -VNetName VNetUSWest

# The service now exists, so the second VM is added to it without -Location (specifying a location for an existing service is rejected)
New-AzureVM -ServiceName "MyWebsite1" -VMs $web2

# Add Internal Load Balancer to the service
Add-AzureInternalLoadBalancer -InternalLoadBalancerName MyILB -SubnetName FrontEndSubnet -ServiceName MyWebsite1

# Add load balanced endpoints to ILB
Get-AzureVM -ServiceName MyWebsite1 -Name web1 | Add-AzureEndpoint -Name "intwebep" -LBSetName "intwebeplb" -Protocol tcp -LocalPort 100 -PublicPort 100 -ProbePort 100 -ProbeProtocol tcp -ProbeIntervalInSeconds 10 -InternalLoadBalancerName MyILB | Update-AzureVM

Get-AzureVM -ServiceName MyWebsite1 -Name web2 | Add-AzureEndpoint -Name "intwebep" -LBSetName "intwebeplb" -Protocol tcp -LocalPort 100 -PublicPort 100 -ProbePort 100 -ProbeProtocol tcp -ProbeIntervalInSeconds 10 -InternalLoadBalancerName MyILB | Update-AzureVM

  • In this sample, the ILB will get an IP address from the subnet ‘FrontEndSubnet’.
  • You can retrieve information about the ILB using the cmdlets shown below:

# Get Internal Load balancer information
Get-AzureService -ServiceName MyWebsite1 | Get-AzureInternalLoadBalancer 

# Get the ILB information on an endpoint
Get-AzureVM -ServiceName MyWebsite1 -Name web1 | Get-AzureEndpoint
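The post's sample lets Azure pick the ILB address from the subnet. The following is an added example, not code from the original post, that pins the ILB to a chosen address inside ‘FrontEndSubnet’ (the "even more precisely the IP address" case mentioned above) and then verifies with the Get cmdlets that the ILB carries that address and that each endpoint is bound to the ILB rather than to the service's public VIP. It assumes that `-StaticVNetIPAddress` is the `Add-AzureInternalLoadBalancer` parameter that pins the address, that the returned objects expose `.IPAddress` and `.InternalLoadBalancerName`, and that 10.0.1.10 is a placeholder inside the subnet's range; `<imagename>`, `<username>` and `<password>` are placeholders exactly as in the post's sample.

```powershell
# Added example (not from the original post): deploy two front-end VMs in the
# regional VNet "VNetUSWest", pin the internal load balancer to a chosen address
# inside "FrontEndSubnet", and verify the result with the Get cmdlets.
# Assumptions (not stated in the post): -StaticVNetIPAddress is the
# Add-AzureInternalLoadBalancer parameter that pins the address; the returned
# objects expose .IPAddress and .InternalLoadBalancerName; 10.0.1.10 is a
# placeholder that must lie inside FrontEndSubnet's address range.

$serviceName  = "MyWebsite1"
$vnetName     = "VNetUSWest"
$subnetName   = "FrontEndSubnet"
$ilbName      = "MyILB"
$ilbAddress   = "10.0.1.10"       # placeholder address inside FrontEndSubnet
$imageName    = "<imagename>"     # placeholder, as in the post's sample
$adminUser    = "<username>"      # placeholder
$adminPass    = "<password>"      # placeholder
$endpointName = "intwebep"

# One VM configuration per front-end instance, both placed in the front-end subnet
$vmConfigs = foreach ($name in "web1", "web2") {
    New-AzureVMConfig -Name $name -InstanceSize Small -ImageName $imageName |
        Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $adminPass |
        Set-AzureSubnet $subnetName
}

# A single call creates the cloud service inside the VNet and deploys both VMs;
# -Location and -VNetName are only valid while the service does not exist yet
New-AzureVM -ServiceName $serviceName -VMs $vmConfigs -Location "West US" -VNetName $vnetName

# Attach the ILB to the service, pinned to a static address taken from the subnet
Add-AzureInternalLoadBalancer -InternalLoadBalancerName $ilbName -ServiceName $serviceName `
    -SubnetName $subnetName -StaticVNetIPAddress $ilbAddress

# Put the same load-balanced endpoint (with a TCP health probe) on every VM
foreach ($name in "web1", "web2") {
    Get-AzureVM -ServiceName $serviceName -Name $name |
        Add-AzureEndpoint -Name $endpointName -LBSetName "${endpointName}lb" -Protocol tcp `
            -LocalPort 443 -PublicPort 443 -ProbePort 443 -ProbeProtocol tcp `
            -ProbeIntervalInSeconds 10 -InternalLoadBalancerName $ilbName |
        Update-AzureVM
}

# Verification: the ILB carries the pinned address, and each endpoint references
# the ILB (so no traffic for it arrives via the service's public VIP)
$ilb = Get-AzureService -ServiceName $serviceName | Get-AzureInternalLoadBalancer
if ($ilb.IPAddress -ne $ilbAddress) {
    throw "ILB address is $($ilb.IPAddress); expected $ilbAddress"
}
foreach ($name in "web1", "web2") {
    $ep = Get-AzureVM -ServiceName $serviceName -Name $name |
          Get-AzureEndpoint -Name $endpointName
    if ($ep.InternalLoadBalancerName -ne $ilbName) {
        throw "Endpoint $endpointName on $name is not bound to $ilbName"
    }
}
"ILB $ilbName answers on $($ilb.IPAddress), reachable only from inside $vnetName and its connected networks"
```

Pinning the address is what makes the ILB usable from on-premises: firewall rules and DNS records on the corporate side can reference a stable private IP instead of whatever the subnet hands out, and the verification step catches a deployment where the endpoint was accidentally created without `-InternalLoadBalancerName` and therefore ended up on the public VIP.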

ILB in a Cloud Service

  • An ILB endpoint created in a Cloud Service that is outside a Regional Virtual Network is reachable only from within that Cloud Service.
  • The ILB configuration has to be set during the creation of the first deployment in the Cloud Service, as shown in the cmdlet sample below.

# Create a local ILB configuration object
$myilbconfig = New-AzureInternalLoadBalancerConfig -InternalLoadBalancerName "MyILB"

# Create the new service with the Internal Load Balancer attached from the start
New-AzureVMConfig -Name "Instance1" -InstanceSize Small -ImageName <imagename> | Add-AzureProvisioningConfig -Windows -AdminUsername <username> -Password <password> | New-AzureVM -ServiceName "Website2" -InternalLoadBalancerConfig $myilbconfig -Location "West US"

Frequently asked questions

1. Can I add ILB to my existing deployment in a Virtual Network?

You can do this only if the Virtual Network is a Regional Virtual Network. All Virtual Networks will be converted to Regional Virtual Networks in the near future; once that happens, this will be possible for every deployment.

2. Can I use ILB for ‘SQL Always On’ scenarios?

Not at this moment. This support will be released in the near future.

3. I already have a load balanced endpoint in a deployment in a Regional Virtual Network, can I attach this endpoint to an ILB?

No. The ILB must be referenced when the endpoint is created; it is not possible to convert a regular endpoint into an ILB endpoint or vice versa. This will be supported in the near future.

4. Can ILB be used with endpoint ACLs?

Yes, ILB can be used with endpoint ACLs. When used in a Regional Virtual Network, ACLs can be expressed in the customer’s own IP address space, thereby restricting access even within the Virtual Network.
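As an added example, not code from the original post, the snippet below applies an endpoint ACL to the ILB endpoint ‘intwebep’ from the Regional Virtual Network sample so that only the application tier's subnet can reach the front ends, even from other subnets in the same VNet. It assumes the application tier occupies 10.0.2.0/24 (a placeholder) and that the ILB endpoint already exists on web1 and web2; the `New-AzureAclConfig`, `Set-AzureAclConfig`, `Set-AzureEndpoint -ACL` and `Get-AzureAclConfig` cmdlets are the Azure Service Management cmdlets for endpoint ACLs.

```powershell
# Added example (not from the original post): restrict the ILB endpoint
# "intwebep" on web1/web2 to callers from the application tier's subnet.
# Assumptions (not stated in the post): the app tier occupies 10.0.2.0/24
# (placeholder); the ILB endpoint already exists on both VMs.

$serviceName  = "MyWebsite1"
$endpointName = "intwebep"
$appTierCidr  = "10.0.2.0/24"     # placeholder: the only subnet allowed to reach the front ends

# Build the ACL with a single Permit rule. Endpoint ACLs deny every source that
# matches no rule once at least one Permit rule exists, so no explicit Deny is needed.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $appTierCidr `
    -Order 100 -Description "App tier only"

# Attach the ACL to the ILB endpoint on every load-balanced VM; an ACL applied to
# only one instance would leave the other reachable through the same ILB VIP
foreach ($name in "web1", "web2") {
    Get-AzureVM -ServiceName $serviceName -Name $name |
        Set-AzureEndpoint -Name $endpointName -ACL $acl |
        Update-AzureVM
}

# Review the effective rules on each VM before relying on them
foreach ($name in "web1", "web2") {
    $vm = Get-AzureVM -ServiceName $serviceName -Name $name
    "ACL rules on $name/$endpointName:"
    Get-AzureAclConfig -VM $vm -EndpointName $endpointName |
        Format-Table Order, Action, RemoteSubnet, Description
}
```

Because the ACL is evaluated per endpoint, apply it to every VM in the load-balanced set and re-run the review loop whenever an instance is added; a new instance that joins the set without the ACL silently widens the trust boundary the ILB was meant to draw.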

5. If I set up an ILB on my Virtual Machines, will “loopback” from those same machines work on the load-balanced VIP?

No. You cannot access the ILB VIP from the same Virtual Machines that are being load-balanced.

6. Can I use ILB on PaaS services (Web/Worker roles)?

ILB is designed to work with web/worker roles as well, but it is not exposed in the services model (cscfg/csdef) at this moment. This will be supported in the near future.