Basic networking question with Azure Firewall and load balancer
I have an Azure Firewall and a public load balancer in the same VNet.
I have a basic question on how the traffic gets into the VNet in this scenario.
If I have an external source that has been given the public IP address of the load balancer, does this mean that any traffic using this public IP to get to the backend VMs set up in the load balancer will have to go through the Azure Firewall, and hence will need an incoming rule set up? Or does the fact that it's a public load balancer with its own public IP mean that the traffic will flow through and not touch the Azure Firewall, and instead use the NSG set up on the subnet only?
Thanks
-
Sam Cogan 10,747 Reputation points MVP
2020-07-08T11:28:29.497+00:00 If the external user uses the IP of the load balancer, then their traffic will go through the load balancer and will not go to the firewall.
However, this may cause you an issue. If you have a route in place that directs outbound traffic in your network through the firewall (which is the recommended approach), then traffic will come in over the LB IP but go out via the firewall IP, which will cause asymmetric routing issues. Given that, you may want to route your inbound traffic through the firewall using a DNAT rule, and use an internal load balancer.
2 additional answers
-
mij2020 376 Reputation points
2020-07-08T12:44:51.337+00:00 Thanks for the response. I'll look into your suggestion as this makes sense.
-
Sebastian-Daniel Negoescu 1 Reputation point
2020-07-17T06:59:19.09+00:00 Hi Sam,
If it is not too much to ask, how exactly would you have your NAT rule? Can you give an example?
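The request above asks what the NAT rule would look like. The Az PowerShell script below is an added example, not code from the original thread or from Sam Cogan, that builds the three pieces his answer describes: an internal Standard load balancer in front of the backend VMs, a DNAT rule on the existing Azure Firewall that forwards the firewall's public IP on port 443 to the internal load balancer's frontend, and a route table on the backend subnet that sends 0.0.0.0/0 to the firewall's private IP so return traffic leaves through the same path it arrived on. Every resource group, resource, subnet name and address in it (rg-hub, vnet-hub, fw-hub, pip-fw-hub, snet-backend, 10.0.2.10, the region, and port 443 as the published service) is an assumed placeholder for illustration.

```powershell
# Added example: inbound DNAT through Azure Firewall to an internal load balancer,
# plus a default route that sends the backend subnet's outbound traffic back through
# the firewall so both directions of a flow traverse it (no asymmetric routing).
# All names, IPs and the region below are assumptions; adjust to your environment.
# Requires: Az.Network module and an authenticated session (Connect-AzAccount).

$rg        = 'rg-hub'          # assumed resource group
$location  = 'westeurope'      # assumed region
$vnetName  = 'vnet-hub'        # assumed VNet that holds AzureFirewallSubnet and snet-backend
$fwName    = 'fw-hub'          # assumed existing Azure Firewall
$fwPipName = 'pip-fw-hub'      # assumed public IP already attached to the firewall
$ilbName   = 'ilb-backend'     # new internal load balancer
$ilbIp     = '10.0.2.10'       # assumed free static address inside snet-backend
$port      = 443               # assumed published service port

$vnet        = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet      = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-backend'
$fw          = Get-AzFirewall -ResourceGroupName $rg -Name $fwName
$fwPip       = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $fwPipName
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# 1. Internal Standard load balancer with a private frontend in the backend subnet.
#    This replaces the public LB frontend, so the only public entry point is the firewall.
$fe    = New-AzLoadBalancerFrontendIpConfig -Name 'fe-internal' -PrivateIpAddress $ilbIp -Subnet $subnet
$pool  = New-AzLoadBalancerBackendAddressPoolConfig -Name 'be-pool'
$probe = New-AzLoadBalancerProbeConfig -Name 'probe-tcp' -Protocol Tcp -Port $port `
           -IntervalInSeconds 15 -ProbeCount 2
$rule  = New-AzLoadBalancerRuleConfig -Name 'lb-rule' -Protocol Tcp `
           -FrontendPort $port -BackendPort $port `
           -FrontendIpConfiguration $fe -BackendAddressPool $pool -Probe $probe
$ilb   = New-AzLoadBalancer -ResourceGroupName $rg -Name $ilbName -Location $location -Sku Standard `
           -FrontendIpConfiguration $fe -BackendAddressPool $pool -Probe $probe -LoadBalancingRule $rule
# Backend VM NICs join $pool as with any load balancer:
#   Set-AzNetworkInterfaceIpConfig ... -LoadBalancerBackendAddressPool $ilb.BackendAddressPools[0]

# 2. DNAT rule on the firewall: <firewall public IP>:$port -> <internal LB frontend>:$port.
#    Azure Firewall adds the matching allow for translated traffic implicitly.
$nat = New-AzFirewallNatRule -Name 'inbound-to-ilb' -Protocol TCP -SourceAddress '*' `
         -DestinationAddress $fwPip.IpAddress -DestinationPort $port `
         -TranslatedAddress $ilbIp -TranslatedPort $port
$natColl = New-AzFirewallNatRuleCollection -Name 'inbound-dnat' -Priority 100 -Rule $nat
$fw.AddNatRuleCollection($natColl)
$fw | Set-AzFirewall

# 3. User-defined route on the backend subnet only (never on AzureFirewallSubnet itself):
#    default route to the firewall's private IP, so replies and VM-initiated egress exit via the firewall.
$route = New-AzRouteConfig -Name 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
           -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'rt-backend' -Location $location -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-backend' `
  -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork
```

Two things to check after applying this: the public load balancer's frontend should be removed (or its NSG closed) so no path into the VMs bypasses the firewall, and the backend subnet's NSG still applies after DNAT. Because Azure Firewall source-NATs DNAT'd traffic to its own private IP, the VMs see connections from the firewall's address rather than from the Internet client, so the NSG inbound rule should allow the AzureFirewallSubnet range on the published port rather than any Internet source; the original client address is only visible in the firewall's logs.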