two firewalls, two regions, internal load balancer and traffic flow for spokes using UDR. How to protect for region outage?

Mark A. Rawson 21 Reputation points
2022-12-30T11:53:17.613+00:00

So we have two firewalls in each region. Two regions (East US 2 and Central US). Each set of firewalls has a trusted-side (inside) internal Azure load balancer. These firewalls are in each region in the hub, and then we have spokes that connect to each hub in each region. We use UDR to route all network traffic to the internal Azure load balancer for the two firewalls in the same region. This works great for any issues where we need to work on one firewall while the second one takes the region's load.

The issue we have is that if both prod firewalls in the same region (East US 2) are down, we want all prod UDRs to point to the DR internal Azure load balancer for the two DR firewalls in Central US.

The easy way to do this is to switch the UDR to one that sends all traffic to the second region, but this is a process that will cause an outage.

I did see that there is an Azure load balancer in preview that can do two regions, but it is an external, public-facing Azure load balancer, and I do not want any of my internal traffic to go to the outside and come back in to do this.

Here are two solutions that I know do not work:
Azure load balancer being able to move all traffic to a second region if the first region's probes are down.
An Azure UDR that has two routes with different weights.

Let me know what ideas you have. Not sure if I am missing an easy Azure solution to take care of this.

thanks
mark
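As an added illustration (not code from the thread), here is what the spoke route table described above looks like, and how the "switch the UDR" cutover changes it. A user-defined route carries exactly one next hop per prefix; there is no weight field, which is why the two-routes-with-weights idea cannot be expressed. All names and IP addresses are hypothetical; the assumption is that each hub's internal load balancer fronts the firewall pair on a single private frontend IP.

```bicep
// Added example; not from the original question. Names and IPs are hypothetical.
// Assumption: each hub ILB exposes the firewall pair on one private frontend IP.
@allowed([ 'primary', 'dr' ])
param activeHub string = 'primary'   // flip to 'dr' and redeploy for the manual cutover

var firewallIlbFrontend = {
  primary: '10.1.0.68'   // East US 2 hub: ILB frontend in front of the two prod firewalls
  dr: '10.2.0.68'        // Central US hub: ILB frontend in front of the two DR firewalls
}

resource spokeRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-prod-spoke'
  location: 'eastus2'
  properties: {
    disableBgpRoutePropagation: true   // keep learned routes from bypassing the firewall
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          // Only this value changes between the prod and DR configurations.
          nextHopIpAddress: firewallIlbFrontend[activeHub]
        }
      }
    ]
  }
}

output activeNextHop string = firewallIlbFrontend[activeHub]
```

Redeploying with `activeHub=dr` rewrites the next hop on every subnet the table is associated with; because the prefix, next-hop type and route name are unchanged, the update is an in-place edit of one route rather than a delete-and-recreate. The cutover is still manual and still the outage the question describes; the template only makes it a one-parameter change.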


Accepted answer
  1. GitaraniSharma-MSFT 47,316 Reputation points Microsoft Employee
    2022-12-30T13:23:28.04+00:00

    Hello @Mark A. Rawson ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to achieve automatic failover for Internal applications (not exposed to Internet) in two different Regions and would like to know which service can serve the purpose.

    You can use Azure Front Door Premium in your case, as it supports Private Link and traffic-routing methods to origins, which fits your scenario.
    Refer : https://learn.microsoft.com/en-us/azure/frontdoor/front-door-overview
    https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/tier-comparison#feature-comparison-between-tiers

    Azure Front Door Premium can connect to your origin using Private Link. Your origin can be hosted in a virtual network or hosted as a PaaS service. Internal load balancers with Azure Private Link service aren't publicly routable. You can also configure network security groups to ensure that you disallow access to your virtual network from the internet.
    Refer : https://learn.microsoft.com/en-us/azure/frontdoor/private-link
    https://learn.microsoft.com/en-us/azure/frontdoor/origin-security?tabs=app-service-functions&pivots=front-door-standard-premium

    You can connect Azure Front Door Premium to an internal load balancer origin with Private Link.
    Refer : https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-internal-load-balancer

    Azure Front Door supports four different traffic routing methods to determine how your HTTP/HTTPS traffic is distributed between different origins. Using priority routing, Front Door automatically fails over if the primary region becomes unavailable. The Priority traffic-routing method allows you to easily implement this failover pattern.
    The default Azure Front Door contains an equal priority list of origins. By default, Azure Front Door sends traffic only to the top priority origins (lowest value in priority) as the primary set of origins. If the primary origins aren't available, Azure Front Door routes the traffic to the secondary set of origins (second lowest value for priority).
    Refer: https://learn.microsoft.com/en-us/azure/frontdoor/routing-methods

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
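As an added example (not code from the answer above or from Microsoft's documentation), this Bicep template wires up the pattern the answer describes: a Front Door Premium profile, one origin group with the East US 2 internal load balancer at priority 1 and the Central US one at priority 2, each reached over Private Link, and health probes whose failures trigger the move to the lower-priority origin. It covers the HTTP/HTTPS path the answer talks about; the UDR-routed spoke traffic in the question is not carried by Front Door. Assumed and hypothetical: a Private Link service already exists in front of each ILB, the application answers HTTPS probes on /healthz, and all names, IP addresses and host headers.

```bicep
// Added example; not from the Q&A thread or from Microsoft's docs.
// Assumptions: a Private Link service fronts each hub ILB; the app serves
// HTTPS and answers GET /healthz. Names, IPs and IDs are hypothetical.
param primaryPrivateLinkServiceId string   // Private Link service for the East US 2 ILB
param drPrivateLinkServiceId string        // Private Link service for the Central US ILB
param appHostHeader string = 'app.internal.contoso.example'

var origins = [
  { name: 'eastus2-ilb', hostName: '10.1.0.68', region: 'eastus2', plsId: primaryPrivateLinkServiceId, priority: 1 }
  { name: 'centralus-ilb', hostName: '10.2.0.68', region: 'centralus', plsId: drPrivateLinkServiceId, priority: 2 }
]

resource profile 'Microsoft.Cdn/profiles@2023-05-01' = {
  name: 'afd-internal-app'
  location: 'global'
  sku: { name: 'Premium_AzureFrontDoor' }   // Private Link origins require the Premium tier
}

resource endpoint 'Microsoft.Cdn/profiles/afdEndpoints@2023-05-01' = {
  parent: profile
  name: 'app'
  location: 'global'
  properties: { enabledState: 'Enabled' }
}

resource originGroup 'Microsoft.Cdn/profiles/originGroups@2023-05-01' = {
  parent: profile
  name: 'app-origins'
  properties: {
    // Probe failures against the priority-1 origin are what move traffic to priority 2.
    healthProbeSettings: {
      probePath: '/healthz'
      probeRequestType: 'GET'
      probeProtocol: 'Https'
      probeIntervalInSeconds: 30
    }
    loadBalancingSettings: {
      sampleSize: 4
      successfulSamplesRequired: 3
      additionalLatencyInMilliseconds: 50
    }
  }
}

resource originResources 'Microsoft.Cdn/profiles/originGroups/origins@2023-05-01' = [for o in origins: {
  parent: originGroup
  name: o.name
  properties: {
    hostName: o.hostName           // ILB frontend private IP, reachable only over the Private Link connection (assumption)
    originHostHeader: appHostHeader
    httpPort: 80
    httpsPort: 443
    priority: o.priority           // 1 = East US 2 (prod), 2 = Central US (DR); lowest healthy value receives traffic
    weight: 1000
    enabledState: 'Enabled'
    enforceCertificateNameCheck: true
    sharedPrivateLinkResource: {
      privateLink: { id: o.plsId }
      privateLinkLocation: o.region
      groupId: ''                  // a Private Link service has no sub-resource group id (assumption)
      requestMessage: 'Front Door Premium to ${o.name}'
    }
  }
}]

resource route 'Microsoft.Cdn/profiles/afdEndpoints/routes@2023-05-01' = {
  parent: endpoint
  name: 'app-route'
  dependsOn: [ originResources ]
  properties: {
    originGroup: { id: originGroup.id }
    supportedProtocols: [ 'Https' ]
    patternsToMatch: [ '/*' ]
    forwardingProtocol: 'HttpsOnly'
    httpsRedirect: 'Enabled'
    linkToDefaultDomain: 'Enabled'
  }
}
```

Two checks after deployment: each origin creates a pending private endpoint connection on its Private Link service that must be approved before its probes can succeed, and the ILB subnets should allow only the Front Door private endpoint traffic (the answer's NSG point), so the internal application is never reachable from the internet except through the profile.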

