Should we delete the public IPs from VMs in the backend pool of an internal LB

David Kim 66 Reputation points
2023-04-01T20:00:26.6533333+00:00

Should we delete the public IPs from VMs in the backend pool of an internal LB?

Azure Load Balancer

2 answers

  1. GitaraniSharma-MSFT 47,696 Reputation points Microsoft Employee
    2023-04-02T07:55:19.43+00:00

    Hello @David Kim ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if you should delete the public IPs from VMs in the backend pool of an internal LB.

    Let us first understand what an Internal load balancer is.

    A load balancer with a Private IP address selection creates an internal load balancer. An internal load balancer distributes traffic to resources that are inside a virtual network. Azure restricts access to the frontend IP addresses of a virtual network that are load balanced. Front-end IP addresses and virtual networks are never directly exposed to an internet endpoint, meaning an internal load balancer cannot accept incoming traffic from the internet. Internal line-of-business applications run in Azure and are accessed from within Azure or from on-premises resources.

    Refer: https://learn.microsoft.com/en-us/azure/load-balancer/components#frontend-ip-configuration-

    Since an internal load balancer is used to make sure that the backend virtual networks/VMs are never directly exposed to an internet endpoint, the Public IPs on the VMs defeat this purpose, as the Public IPs on the VMs expose the VMs to the Internet.

    Now, let us consider why you would need to keep Public IPs on the VMs. Public IPs on the VMs are generally used for both inbound and outbound connectivity. But if you are using an internal load balancer in front of them, then I assume you do not want direct inbound connectivity to the VMs from the Internet. But you may still have a requirement where the VMs require outbound Internet connectivity.

    Outbound connectivity for a VM without a Public IP is provided by the default outbound access IP. This IP is a dynamic IP assigned by Azure that you can't control. It also allocates a minimal number of ports for outbound connections. But this only works for Basic load balancers. Standard ILBs are secure by default and do not allow default outbound connectivity.

    Refer: https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#4-default-outbound-access

    https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-troubleshoot#no-outbound-connectivity-from-standard-internal-load-balancers-ilb

    In such a case, you may want to add Public IPs to the VMs for a dedicated Public IP which you can control for outbound connections.

    However, using a NAT gateway is the best method for outbound connectivity.

    NOTE: Basic load balancers and basic public IP addresses aren't compatible with NAT. Use standard SKU load balancers and public IPs instead.

    Depending upon your requirement, you may delete or keep the Public IPs associated to the VMs in the backend pool of your Internal load balancer.

    So, you have 2 options here:

    1. If your backend VMs do not require dedicated outbound connectivity, then you can disassociate and delete the Public IPs from the VMs.
    2. If your backend VMs require dedicated outbound connectivity, then you can either keep the Public IPs on the VMs and restrict inbound connectivity from the Internet via NSGs, or remove the Public IPs from the VMs and create a NAT gateway and assign it to the subnet of your virtual network for outbound connectivity.

    Virtual Network NAT simplifies outbound Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses the Virtual Network NAT's static public IP addresses.

    NAT gateway allows flows to be created from the virtual network to the services outside your virtual network. Return traffic from the internet is only allowed in response to an active flow. Services outside your virtual network can’t initiate an inbound connection through NAT gateway.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview

    You can integrate your internal load balancer with a NAT gateway if you are using a Standard SKU Azure Load Balancer.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-network/nat-gateway/tutorial-nat-gateway-load-balancer-internal-portal

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

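As an added example (not part of the answer above and not Microsoft's own code), the Bicep template below wires up option 2 as the answer describes it: a NAT gateway with a static Standard public IP attached to the backend subnet so VMs get controlled outbound connectivity, an NSG on the same subnet that explicitly denies inbound traffic from the Internet while still allowing the Azure load balancer (so health probes and internal LB traffic keep working), and a NIC placed in that subnet with no public IP at all. The resource names, address ranges and location default are constructed for the example; the NSG rule is what you would also apply if you chose to keep public IPs on the VMs and restrict inbound instead.

```bicep
// Added example: backend subnet with NAT gateway outbound and no public IPs on VMs.
// Names and address ranges below are assumptions chosen for illustration.
param location string = resourceGroup().location

// Static Standard-SKU public IP owned by the NAT gateway, not by any VM.
// This is the single egress address you control (and can allow-list elsewhere).
resource natPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-natgw-backend'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// NAT gateway: outbound-only. Inbound flows from the Internet cannot be
// initiated through it, only return traffic for active outbound flows.
resource natGw 'Microsoft.Network/natGateways@2023-05-01' = {
  name: 'natgw-backend'
  location: location
  sku: { name: 'Standard' }
  properties: {
    idleTimeoutInMinutes: 4
    publicIpAddresses: [ { id: natPip.id } ]
  }
}

// NSG for the backend subnet. Default rules already block Internet inbound,
// but the explicit deny makes the intent auditable; the allow keeps
// load balancer health probes and ILB-forwarded traffic working.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-backend'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowAzureLoadBalancerInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        name: 'DenyInternetInbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// VNet whose backend subnet is associated with both the NAT gateway and the NSG.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-backend'
        properties: {
          addressPrefix: '10.0.1.0/24'
          natGateway: { id: natGw.id }
          networkSecurityGroup: { id: nsg.id }
        }
      }
    ]
  }
}

// NIC for a backend VM: private IP only. There is deliberately no
// publicIPAddress property, so the VM is reachable only via the internal
// load balancer or from inside the network, and egresses via the NAT gateway.
resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-backend-01'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-backend')
          }
        }
      }
    ]
  }
}
```

Deploy it into a resource group with `az deployment group create --resource-group <rg> --template-file main.bicep`, then attach the NIC to a Standard-SKU VM in the internal load balancer's backend pool. Because the subnet carries the NAT gateway, the Standard ILB's lack of default outbound access (noted in the answer) no longer matters, and the only public address in the design is the NAT gateway's.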

  2. msrini-MSFT 9,261 Reputation points Microsoft Employee
    2023-04-03T06:31:57.8166667+00:00

    Sure, you can certainly delete the public IPs from the backend pool VMs. Since it's an internal load balancer, if you want to SSH or RDP to the backend pool VMs over the public Internet, you can create a Standard public Load Balancer and then create a NAT rule to connect to the backend pool VMs. Or you can use Bastion to SSH or RDP.
