Hi We have moved from Az Ext.LB to Az AGW.

Samar Masood Khan 20 Reputation points
2023-05-17T10:30:28.78+00:00

Hi MS!

We have moved from Az LB to Az AGW, and the backend server is now a backend pool member of both the Az LB and the Az AGW. We do not face any connectivity issues, but is this a potential risk? When I go into the virtual machine configuration under Networking, I see two public IPs: one for the AGW and the other for the ext. LB.


1 answer

    GitaraniSharma-MSFT 49,371 Reputation points Microsoft Employee
    2023-05-17T15:11:28.5166667+00:00

    Hello @Samar Masood Khan ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you moved from Azure Load Balancer to Azure Application Gateway and the backend server is now a backend pool member of both the Azure Load Balancer and the Azure Application Gateway. You are not facing any connectivity issues but would like to know if this is a potential risk.

    It is not recommended to have a backend server as a backend pool member of both Azure Load Balancer and Azure Application Gateway. This can cause potential issues and conflicts in the traffic routing.

    When a backend server is a member of both Azure Load Balancer and Azure Application Gateway, it can receive traffic from both the load balancer and the application gateway. This can cause conflicts in the traffic routing and can lead to unexpected behavior.

    Below are some of the potential risks and considerations:

    • Network Complexity: Having multiple load balancing solutions in place can increase the complexity of your network architecture. It may require careful configuration and monitoring to ensure proper traffic flow and avoid potential conflicts or misconfigurations.
    • Increased Attack Surface: By exposing multiple public IP addresses associated with different load balancers, you potentially increase the attack surface for your backend server. Each public IP represents a potential entry point for attackers, so it's crucial to ensure that proper security measures are in place to protect your server from potential threats.
    • Load Balancing Behavior: Both Azure Application Gateway and Azure Load Balancer have their own load balancing algorithms and behavior. Having a backend server as a member of both load balancers can result in unpredictable load balancing and potential performance issues.
    • Monitoring and Troubleshooting: Having multiple load balancing solutions can complicate monitoring and troubleshooting processes. You may need to analyze logs, metrics, and traffic patterns from both load balancers to diagnose and resolve issues effectively.

    To address these concerns, it's generally recommended to choose either Azure Application Gateway or Azure Load Balancer as the primary load balancing solution based on your specific requirements. Assess your load balancing needs, consider factors such as traffic patterns, SSL termination, and application-specific requirements to determine which solution best fits your use case. Then, reconfigure your network to rely on a single load balancer.

    Additionally, it's essential to regularly review and update your network security measures, such as firewall rules, network access controls, and monitoring, to mitigate potential risks and ensure a secure environment for your backend servers.

    I would recommend you go through the article below, which contains a decision tree for load balancing in Azure, so you can determine which load balancing solution is better for your setup:

    https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview

    Regarding the two public IPs, it is normal to see two public IPs in the virtual machine configuration under Networking when the virtual machine is a backend pool member of both Azure Load Balancer and Azure Application Gateway. One public IP is for the Azure Load Balancer and the other is for the Azure Application Gateway.

    If you are not facing any connectivity issues, it is possible that the traffic is being routed correctly. However, it is still recommended to remove the backend server from one of the load balancers to avoid any potential issues.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

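An added audit check, not part of the thread or of any Microsoft tooling: given the JSON that `az network nic show -o json` returns for a VM's NIC (a trimmed sample is constructed inline with placeholder names), it flags IP configurations that sit in both a Load Balancer backend pool and an Application Gateway backend pool, the dual membership the answer advises removing. It reads the real NIC fields `ipConfigurations[].loadBalancerBackendAddressPools` and `applicationGatewayBackendAddressPools`.

```python
import json

# Constructed sample of `az network nic show` output, trimmed to the fields this
# check reads. Subscription, resource group and resource names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"
SAMPLE_NIC_JSON = json.dumps({
    "name": "web01-nic",
    "ipConfigurations": [
        {   # still in the old external LB pool AND the new AGW pool
            "name": "ipconfig1",
            "privateIPAddress": "10.0.1.4",
            "loadBalancerBackendAddressPools": [
                {"id": SUB + "/providers/Microsoft.Network/loadBalancers/ext-lb/backendAddressPools/web-pool"}
            ],
            "applicationGatewayBackendAddressPools": [
                {"id": SUB + "/providers/Microsoft.Network/applicationGateways/agw-web/backendAddressPools/web-pool"}
            ],
        },
        {   # clean: AGW only (the CLI emits null, not [], for absent pools)
            "name": "ipconfig2",
            "privateIPAddress": "10.0.1.5",
            "loadBalancerBackendAddressPools": None,
            "applicationGatewayBackendAddressPools": [
                {"id": SUB + "/providers/Microsoft.Network/applicationGateways/agw-web/backendAddressPools/web-pool"}
            ],
        },
    ],
})

def resource_name(pool_id):
    """Return '<type>/<name>' of the LB or AGW that owns a backend pool resource ID."""
    parts = pool_id.strip("/").split("/")
    i = parts.index("providers")          # .../providers/Microsoft.Network/<type>/<name>/...
    return f"{parts[i + 2]}/{parts[i + 3]}"

def dual_membership(nic_json):
    """List (ipconfig name, LB owners, AGW owners) for every ipconfig in both pool kinds."""
    nic = json.loads(nic_json)
    findings = []
    for cfg in nic.get("ipConfigurations", []):
        lbs = sorted({resource_name(p["id"]) for p in cfg.get("loadBalancerBackendAddressPools") or []})
        agws = sorted({resource_name(p["id"]) for p in cfg.get("applicationGatewayBackendAddressPools") or []})
        if lbs and agws:
            findings.append((cfg["name"], lbs, agws))
    return findings

if __name__ == "__main__":
    for name, lbs, agws in dual_membership(SAMPLE_NIC_JSON):
        print(f"{name}: member of {lbs} and {agws}; remove one so the VM has a single entry point")
```

Pipe the live output of `az network nic show` into `dual_membership` to audit real NICs; an empty list means the VM answers to only one load balancing front end.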