Gateway LB with iLB as a passthrough forcing all packets in/out through NVA

ChrisSander3327 1 Reputation point
2022-12-02T05:25:39.317+00:00

Is the following possible?

Azure/On-Prem via ExpressRoute with Azure-side Palo NVAs, iLB & GWLB, with the iLB only being used as a pass-through to chain to a Gateway LB front-ending the NVAs.

All traffic north/south & east/west in/out of Azure must pass through the Azure-side NVA Palo firewalls.

Question:
Can I place an internal LB to be the next hop when originating/returning from on-prem to Azure via ExpressRoute, as well as when originating/returning from Azure Vnets to on-prem and have the internal LB chained to a Gateway load balancer to force all traffic in/out of Azure pass through the NVA Palo firewalls behind the Gateway LB?

Not sure if this is a viable design option or how routing for that might work, since the internal LB is not actually front-ending any applications, just potentially being used as a pass-through to chain to the Gateway LB to force all traffic in/out of Azure through the firewalls.

Want to utilize the newer Gateway LB option for front-ending NVAs in this design requirement, as opposed to the legacy design of front-end and back-end LBs sandwiching the NVAs.


1 answer

    GitaraniSharma-MSFT 49,646 Reputation points Microsoft Employee
    2022-12-02T12:15:30.203+00:00

    Hello @ChrisSander3327 ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if it is possible to chain an internal Load Balancer to a Gateway Load Balancer front-ending NVAs.

    As mentioned in our official documentation,


    A Gateway Load Balancer can be referenced by a Standard Public Load Balancer frontend or a Standard Public IP configuration on a virtual machine.


    As of today, it is not possible to chain an Internal Load Balancer to a Gateway Load Balancer.


    I've checked with the Azure Load Balancer Product Group team and they have confirmed that the ability to chain an internal LB to a Gateway LB in order to achieve east/west traffic support is on our roadmap (No confirmed ETA as of yet).

    Kindly let us know if the above helps or you need further assistance on this issue.

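The supported chaining path the answer describes (a Standard Public Load Balancer frontend, or a VM NIC's public IP configuration, referencing the Gateway Load Balancer frontend) in Azure CLI form, as an added example that is not part of the original question or answer. All resource and group names (myResourceGroup, myLoadBalancer-gw, myPublicLB, myNvaNic, and so on) are placeholders assumed for illustration; the VXLAN tunnel identifiers and ports are the ones an NVA expects by convention and must match the firewall's own configuration. Note that the only frontends that accept the `--gateway-lb` reference are a public LB frontend and a public IP configuration on a NIC; there is no equivalent step for an internal LB frontend, which is the gap the answer describes.

```azurecli
# 1. Create the Gateway Load Balancer (SKU "Gateway") in the NVA subnet.
az network lb create \
    --resource-group myResourceGroup \
    --name myLoadBalancer-gw \
    --sku Gateway \
    --vnet-name myVNet \
    --subnet myNvaSubnet \
    --backend-pool-name myNvaPool \
    --frontend-ip-name myGwFrontEnd

# 2. Health probe so an unhealthy firewall is taken out of rotation
#    (the port/path must match what the NVA actually exposes).
az network lb probe create \
    --resource-group myResourceGroup \
    --lb-name myLoadBalancer-gw \
    --name myNvaProbe \
    --protocol http \
    --port 80 \
    --path /

# 3. A single "All ports / all protocols" rule: every packet that hits the
#    gateway frontend is forwarded to the NVA pool.
az network lb rule create \
    --resource-group myResourceGroup \
    --lb-name myLoadBalancer-gw \
    --name myNvaRule \
    --protocol All \
    --frontend-port 0 \
    --backend-port 0 \
    --frontend-ip-name myGwFrontEnd \
    --backend-pool-name myNvaPool \
    --probe-name myNvaProbe

# 4. VXLAN tunnel interfaces on the backend pool: one internal, one external.
#    Traffic is encapsulated to the NVA on these and returned the same way.
az network lb address-pool tunnel-interface add \
    --resource-group myResourceGroup \
    --lb-name myLoadBalancer-gw \
    --address-pool myNvaPool \
    --identifier 801 \
    --port 10801 \
    --protocol VXLAN \
    --type Internal
az network lb address-pool tunnel-interface add \
    --resource-group myResourceGroup \
    --lb-name myLoadBalancer-gw \
    --address-pool myNvaPool \
    --identifier 802 \
    --port 10802 \
    --protocol VXLAN \
    --type External

# 5. Capture the gateway frontend's resource ID; this is what consumers reference.
feid=$(az network lb frontend-ip show \
    --resource-group myResourceGroup \
    --lb-name myLoadBalancer-gw \
    --name myGwFrontEnd \
    --query id \
    --output tsv)

# 6a. Supported: chain a Standard *Public* Load Balancer frontend to the gateway LB.
az network lb frontend-ip update \
    --resource-group myResourceGroup \
    --lb-name myPublicLB \
    --name myPublicFrontEnd \
    --public-ip-address myPublicIP \
    --gateway-lb "$feid"

# 6b. Supported: chain a VM NIC's public IP configuration to the gateway LB.
az network nic ip-config update \
    --resource-group myResourceGroup \
    --nic-name myAppNic \
    --name ipconfig1 \
    --gateway-lb "$feid"

# There is no internal-LB counterpart of step 6: an internal (private IP) frontend
# cannot be given a --gateway-lb reference, per the answer above.
```

Run the steps in order from a shell with a logged-in Azure CLI; step 5 must succeed before 6a or 6b, since both take the gateway frontend ID as input. For the east/west and ExpressRoute flows in the question, this chaining does not apply, so those paths still need a route table (UDR) next hop pointing at the firewall's internal load balancer, i.e. the "sandwich" design the question was hoping to replace.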
