Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,986 questions
How to put multiple VMs behind a single private IP address on Azure?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 24%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Leonardo Tavares
20
Reputation points
I'm working on creating a Blue/Green deployment for a product in Azure but I'm running into a problem regarding outbound traffic to an on-premisses database.
Our initial idea can be seen in this diagram:
We have three main "moving parts":
A spoke subscription with a VNET and the VMs running different versions of our product
A hub subscription and network with a VPN Gateway
An on-premisses network with a DB and a client
Our production VMs need to be accessible to the on-premisses client at a fixed IP, but also be able to access the DB (which the on-premisses Firewall allows only a single IP).
This worked very nicely with a single VM, but now that we want to do a Blue/Green deployment, things are getting a bit complicated.
The inbound part is very easy with a Load Balancer, but the outbound part (from the server to the on-premisses VM at a fixed private IP) is proving to be way harder than expected. It is specially necessary that the on-premisses network sees a single private IP as the on-premisses firewall only allows this single IP to access the DB.
I saw a lot of similar questions, but all of them focused on public IP, instead of private IP, which is what I really need.
My initial idea was to use NAT Gateway or Internal Load Balancer with outbound traffic, but they both use public IPs, and we need it to be fully private.
Using Azure Firewall and "forcing" SNAT does translate the IP address to another internal IP, but it uses a pool of internal IPs instead of a fixed one, so that doesn't work either.
Any suggestions?
Azure Virtual Machines
Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,555 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,500 questions
Azure Load Balancer
Azure Load Balancer
An Azure service that delivers high availability and network performance to applications.
450 questions
Azure Startups
Azure Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.Startups: Companies that are in their initial stages of business and typically developing a business model and seeking financing.
379 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee2024-04-19T01:44:34.6533333+00:00 Thank you for reaching out and posting a detailed question here.
I think the best suited solution here will be to implement the connection using Azure Application Gateway. Just FYI both the features here are in public preview.
Bellow will be the implementation I will suggest.
- Use Application Gateway TCP/TLS proxy overview (Preview) feature allows the connectivity to a VM running a non-HTTP application like SQL client. You can follow the tutorial here to create an Azure Application Gateway with a SQL Server virtual machine as the backend server.
- Along with the feature above use Private Application Gateway deployment (preview) so that App Gateway with only private frontend IP address. This way when deployed with private-only gateway. With TLS and TCP proxy support for private Application Gateway deployments, you can support HTTP and non-HTTP clients in an isolated environment for enhanced security.
Hope this helps! Please let me know if you have any questions. Thank you!
-
Leonardo Tavares 20 Reputation points
2024-04-23T09:52:45.1433333+00:00 Hi @ChaitanyaNaykodi-MSFT , thanks for your response.
In this case, the "outbound" connectivity is still missing, right?
Access inbound works as expected, but I couldn't find a way to route outbound traffic through this.
-
ChaitanyaNaykodi-MSFT 26,216 Reputation points Microsoft Employee
2024-04-25T00:12:42.9466667+00:00 Thank you for getting back.
By outbound do mean the connection originating from the Azure production VMs?
Then in this case it will not use the Application gateway's frontend private IP.
Sign in to comment
Sign in to answer