Hi @Ramakrishnan Venkataraman,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to configure Inbound and Outbound via NVA and Azure LB.
Looking at your architecture, yeah, the traffic flow seems correct.
InBound SAP EC Payroll (Green)
- SAP EC Payroll -------- EXTLB (Azure ELB) --------- Firewall(External) Untrust -------- Firewall Trust -------- SAP Router
- In the diagram I can see the traffic is going to ILB (not named in the diagram) after Trust NIC, but I believe that is not the case in your architecture
- Azure ILB cannot do Outbound, so traffic has to go straight from Trust NIC to the SAP Router
OutBound SAP EC Payroll (Red)
- SAP Router --------- ILB(unnamed) -------- Firewall(External) Trust -------- Firewall Untrust -------- SAP EC Payroll
OutBound to Internet (Purple)
- App VNet/ SAP VMs --------- IntFWLB --------- Firewall(Internal) Trust --------- Firewall(Internal) Untrust --------- Internet
InBound to External Host Apps (Blue)
- Internet -------- EXTLB (Azure ELB) --------- Firewall(External) Untrust -------- Firewall Trust -------- SAP VMs
Question 1: From the NVA perspective I will perform Source NAT (on the untrust interface of the NVA, which will forward the traffic via EXT LB). Is that correct?
- This depends on your architecture and NVA
- You can forward the traffic with or without NATing, just make sure the appropriate source IPs are allowed in SAP
Question 2: As we have quite a few load balancing rules (for inbound connections), if we place the outbound rule, would that impact the inbound connections? Only expected traffic (SAP EC payroll system) should arrive at ext-lb for making outbound connections using the extlb front end (PIP). In fact we have control in UDRs at the spoke VNets: only the SAP payroll system will communicate with the ext fw lb (trust side), just to confirm.
- This entirely depends on the routing you configure at the source
- From the firewalls, yeah, only configured OutBound rules will take effect.
Question 3: From the design perspective: as long as we have EXT-LB/AppGW in a standard architecture (hub & spoke), outbound traffic will take a different path, since by default EXT LB will not allow outbound (outbound rules explicitly need to be placed) and AppGW will not allow establishing outbound connections.
- Correct
Thanks,
Kapil
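The two pieces the answer above relies on (an explicit outbound rule on the Standard external LB so the firewall's untrust NICs can SNAT out through the LB's public IP, and a spoke UDR that sends only the SAP Payroll subnet's traffic to the external firewall's trust-side ILB) as an added Bicep example; this is not code from the thread, and every resource name, address and API version is an assumption or placeholder:

```bicep
// Added example, not from the original thread. All names/addresses are assumed.
param location string = resourceGroup().location
param extFwTrustIlbIp string = '10.0.1.4'          // assumed frontend IP of the trust-side ILB
param sapPayrollPrefix string = '203.0.113.0/24'   // assumed SAP EC Payroll range (TEST-NET-3 placeholder)

resource extPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-extlb'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Standard public LB: inbound load-balancing rules are defined separately and are
// unaffected by the outbound rule; without an outbound rule the backend has no outbound path.
resource extLb 'Microsoft.Network/loadBalancers@2023-05-01' = {
  name: 'extlb'
  location: location
  sku: { name: 'Standard' }
  properties: {
    frontendIPConfigurations: [
      { name: 'fe-pip', properties: { publicIPAddress: { id: extPip.id } } }
    ]
    backendAddressPools: [ { name: 'bep-fw-untrust' } ]   // external firewall untrust NICs join this pool
    outboundRules: [
      {
        name: 'outbound-sap-payroll'
        properties: {
          frontendIPConfigurations: [ { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', 'extlb', 'fe-pip') } ]
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'extlb', 'bep-fw-untrust') }
          protocol: 'All'
          allocatedOutboundPorts: 1024   // fixed SNAT port allocation per backend instance
          idleTimeoutInMinutes: 4
          enableTcpReset: true
        }
      }
    ]
  }
}

// Route table to associate ONLY with the SAP Router / Payroll spoke subnet, so no other
// spoke can reach the external firewall's trust side for this destination.
resource spokeRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-sap-payroll'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'to-sap-payroll-via-ext-fw'
        properties: {
          addressPrefix: sapPayrollPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: extFwTrustIlbIp
        }
      }
    ]
  }
}
```

When an outbound rule is present, set `disableOutboundSnat: true` on the inbound load-balancing rules of the same LB so the two do not compete for SNAT ports.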