Tutorial: Create a gateway load balancer using the Azure portal

Azure Load Balancer consists of Standard, Basic, and Gateway SKUs. Gateway Load Balancer is used for transparent insertion of Network Virtual Appliances (NVA). Use Gateway Load Balancer for scenarios that require high performance and high scalability of NVAs.

In this tutorial, you learn how to:

  • Create a virtual network.
  • Create a network security group.
  • Create a gateway load balancer.
  • Chain a load balancer frontend to gateway load balancer.

Prerequisites

Sign in to Azure

Sign in to the Azure portal.

Create a virtual network and bastion host

The following procedure creates a virtual network with a resource subnet, an Azure Bastion subnet, and an Azure Bastion host.

Important

Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it.

  1. In the portal, search for and select Virtual networks.

  2. On the Virtual networks page, select + Create.

  3. On the Basics tab of Create virtual network, enter or select the following information:

    Setting           Value
    Project details
    Subscription      Select your subscription.
    Resource group    Select Create new.
                      Enter load-balancer-rg in Name.
                      Select OK.
    Instance details
    Name              Enter lb-vnet.
    Region            Select East US.

    Screenshot of Basics tab of Create virtual network in the Azure portal.

  4. Select the Security tab or Next button at the bottom of the page.

  5. Under Azure Bastion, enter or select the following information:

    Setting                            Value
    Azure Bastion
    Enable Azure Bastion               Select checkbox.
    Azure Bastion host name            Enter lb-bastion.
    Azure Bastion public IP address    Select Create new.
                                       Enter lb-bastion-ip in Name.
                                       Select OK.

  6. Select the IP addresses tab, or Next at the bottom of the page.

  7. On the Create virtual network page, enter or select the following information:

    Setting               Value
    Add IPv4 address space
    IPv4 address space    Enter 10.0.0.0/16 (65,536 addresses).
    Subnets               Select the default subnet link to edit.
    Subnet template       Leave the default Default.
    Name                  Enter backend-subnet.
    Starting address      Enter 10.0.0.0.
    Subnet size           Enter /24 (256 addresses).
    Security
    NAT Gateway           Select lb-nat-gateway.

    Screenshot of default subnet rename and configuration.

  8. Select Save.

  9. Select Review + create at the bottom of the screen, and when validation passes, select Create.

Create NSG

Use the following example to create a network security group. You configure the NSG rules needed for network traffic in the virtual network created previously.

  1. In the search box at the top of the portal, enter Network Security. Select Network security groups in the search results.

  2. Select + Create.

  3. In the Basics tab of Create network security group, enter or select the following information:

    Setting           Value
    Project details
    Subscription      Select your subscription.
    Resource group    Select load-balancer-rg.
    Instance details
    Name              Enter lb-nsg-R.
    Region            Select East US.

  4. Select the Review + create tab or select the Review + create button.

  5. Select Create.

  6. In the search box at the top of the portal, enter Network Security. Select Network security groups in the search results.

  7. Select lb-nsg-R.

  8. Select Inbound security rules in Settings in lb-nsg-R.

  9. Select + Add.

  10. In Add inbound security rule, enter or select the following information.

    Setting                    Value
    Source                     Leave the default of Any.
    Source port ranges         Leave the default of '*'.
    Destination                Leave the default of Any.
    Service                    Leave the default of Custom.
    Destination port ranges    Enter '*'.
    Protocol                   Select Any.
    Action                     Leave the default of Allow.
    Priority                   Enter 100.
    Name                       Enter lb-nsg-Rule-AllowAll-All

  11. Select Add.

  12. Select Outbound security rules in Settings.

  13. Select + Add.

  14. In Add outbound security rule, enter or select the following information.

    Setting                    Value
    Source                     Leave the default of Any.
    Source port ranges         Leave the default of '*'.
    Destination                Leave the default of Any.
    Service                    Leave the default of Custom.
    Destination port ranges    Enter '*'.
    Protocol                   Select TCP.
    Action                     Leave the default of Allow.
    Priority                   Enter 100.
    Name                       Enter lb-nsg-Rule-AllowAll-TCP-Out

  15. Select Add.

Select this NSG when creating the NVAs for your deployment.
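
The inbound rule created above allows any source to any destination on every port and protocol, and the outbound rule does the same for TCP. The following Python is an added example, not part of the original tutorial: it checks an exported rule list for Allow rules of that breadth so they can be reviewed before the NSG is attached to NVAs. The sample JSON is constructed, and the field names are assumed to follow the securityRules properties as `az network nsg rule list` prints them.

```python
import json

# Constructed sample: the two rules from this section, written with the
# securityRules property names (assumed shape of `az network nsg rule list`).
SAMPLE_RULES = json.loads("""[
  {"name": "lb-nsg-Rule-AllowAll-All", "direction": "Inbound",
   "access": "Allow", "priority": 100, "protocol": "*",
   "sourceAddressPrefix": "*", "sourcePortRange": "*",
   "destinationAddressPrefix": "*", "destinationPortRange": "*"},
  {"name": "lb-nsg-Rule-AllowAll-TCP-Out", "direction": "Outbound",
   "access": "Allow", "priority": 100, "protocol": "Tcp",
   "sourceAddressPrefix": "*", "sourcePortRange": "*",
   "destinationAddressPrefix": "*", "destinationPortRange": "*"}
]""")

ANY_ADDRESS = {"*", "0.0.0.0/0"}
ANY_PORT = {"*", "0-65535"}

def field_values(rule, single):
    """A rule stores each field as a scalar or, in the plural key, as a list."""
    plural = single + ("es" if single.endswith("Prefix") else "s")
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return {str(v) for v in values}

def audit(rules):
    """Return (priority, direction, name, protocol) for every Allow rule
    whose source, destination and destination ports are all unrestricted."""
    findings = []
    for rule in rules:
        if str(rule.get("access", "")).lower() != "allow":
            continue
        unrestricted = (
            field_values(rule, "sourceAddressPrefix") & ANY_ADDRESS
            and field_values(rule, "destinationAddressPrefix") & ANY_ADDRESS
            and field_values(rule, "destinationPortRange") & ANY_PORT
        )
        if unrestricted:
            findings.append((rule["priority"], rule["direction"],
                             rule["name"], rule.get("protocol", "*")))
    return sorted(findings)

if __name__ == "__main__":
    for priority, direction, name, protocol in audit(SAMPLE_RULES):
        print(f"{priority:5} {direction:8} protocol={protocol:4} {name}")
```

Both tutorial rules are reported; a rule scoped to a service tag, an address range or specific ports is not.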

Create Gateway Load Balancer

In this section, you create the configuration and deploy the gateway load balancer.

  1. In the search box at the top of the portal, enter Load balancer. Select Load balancers in the search results.

  2. In the Load balancer page, select Create.

  3. In the Basics tab of the Create load balancer page, enter or select the following information:

    Setting           Value
    Project details
    Subscription      Select your subscription.
    Resource group    Select load-balancer-rg.
    Instance details
    Name              Enter gateway-load-balancer
    Region            Select (US) East US.
    Type              Select Internal.
    SKU               Select Gateway.

    Screenshot of create standard load balancer basics tab.

  4. Select Next: Frontend IP configuration at the bottom of the page.

  5. In Frontend IP configuration, select + Add a frontend IP.

  6. In Add frontend IP configuration, enter or select the following information:

    Setting            Value
    Name               Enter lb-frontend-IP.
    Virtual network    Select lb-vnet.
    Subnet             Select backend-subnet.
    Assignment         Select Dynamic

  7. Select Add.

  8. Select Next: Backend pools at the bottom of the page.

  9. In the Backend pools tab, select + Add a backend pool.

  10. In Add backend pool, enter or select the following information.

    Setting                       Value
    Name                          Enter lb-backend-pool.
    Backend Pool Configuration    Select NIC.
    IP Version                    Select IPv4.
    Gateway load balancer configuration
    Type                          Select Internal and External.
    Internal port                 Leave the default of 10800.
    Internal identifier           Leave the default of 800.
    External port                 Leave the default of 10801.
    External identifier           Leave the default of 801.

  11. Select Add.

  12. Select the Next: Inbound rules button at the bottom of the page.

  13. In Load balancing rule in the Inbound rules tab, select + Add a load balancing rule.

  14. In Add load balancing rule, enter or select the following information:

    Setting                Value
    Name                   Enter lb-rule
    IP Version             Select IPv4 or IPv6 depending on your requirements.
    Frontend IP address    Select lb-frontend-IP.
    Backend pool           Select lb-backend-pool.
    Health probe           Select Create new.
                           In Name, enter lb-health-probe.
                           Select TCP in Protocol.
                           Leave the rest of the defaults, and select Save.
    Session persistence    Select None.
    Enable TCP reset       Leave the default of unchecked.
    Enable floating IP     Leave the default of unchecked.

    Screenshot of create load-balancing rule.

  15. Select Save.

  16. Select the blue Review + create button at the bottom of the page.

  17. Select Create.

Add network virtual appliances to the gateway load balancer backend pool

Deploy NVAs through the Azure Marketplace. Once deployed, add the NVA virtual machines to the backend pool of the gateway load balancer. To add the virtual machines, go to the backend pools tab of your gateway load balancer.

Chain load balancer frontend to the gateway load balancer

In this example, you'll chain the frontend of a standard load balancer to the gateway load balancer.

You add the frontend to the frontend IP of an existing load balancer in your subscription.

  1. In the search box in the Azure portal, enter Load balancer. In the search results, select Load balancers.

  2. In Load balancers, select load-balancer or your existing load balancer name.

  3. In the load balancer page, select Frontend IP configuration in Settings.

  4. Select the frontend IP of the load balancer. In this example, the name of the frontend is lb-frontend-IP.

    Screenshot of frontend IP configuration.

  5. Select lb-frontend-IP (10.1.0.4) in the pull-down box next to Gateway load balancer.

  6. Select Save.

    Screenshot of addition of gateway load balancer to frontend IP.

Chain virtual machine to Gateway Load Balancer

Alternatively, you can chain a VM's NIC IP configuration to the gateway load balancer.

You add the gateway load balancer's frontend to an existing VM's NIC IP configuration.

Important

A virtual machine must have a public IP address assigned before attempting to chain the NIC configuration to the frontend of the gateway load balancer.

  1. In the search box in the Azure portal, enter Virtual machine. In the search results, select Virtual machines.

  2. In Virtual machines, select the virtual machine that you want to add to the gateway load balancer. In this example, the virtual machine is named myVM1.

  3. In the overview of the virtual machine, select Networking in Settings.

  4. In Networking, select the name of the network interface attached to the virtual machine. In this example, it's myvm1229.

    Screenshot of virtual machine networking overview.

  5. In the network interface page, select IP configurations in Settings.

  6. Select lb-frontend-IP in Gateway Load balancer.

    Screenshot of nic IP configuration.

  7. Select Save.

Clean up resources

When no longer needed, delete the resource group, load balancer, and all related resources. To do so, select the resource group load-balancer-rg that contains the resources and then select Delete.

Next steps

Create Network Virtual Appliances in Azure.

When creating the NVAs, choose the resources created in this tutorial:

  • Virtual network

  • Subnet

  • Network security group

  • Gateway load balancer

Advance to the next article to learn how to create a cross-region Azure Load Balancer.