Virtual Servers are unreachable if associated Gateway Load Balancer backend has no healthy NVAs

Josh Knight 40 Reputation points
2024-03-11T16:52:44.0866667+00:00

Hello, We are setting up a Gateway Load balancer using a backend pool of NVAs to inspect incoming/outgoing Internet requests for virtual server resources. It was noticed that if there are no NVAs available in the backend pool (for example all of the NVAs are offline for some reason) then all Internet traffic for the protected virtual server resource is dropped, and the virtual server becomes unreachable from the Internet.

  1. Is this the expected behavior of the GWLB?
  2. Are there alternative ways to configure the GWLB to work around this? For example, could we configure it so that if there are no backend NVAs available, the GWLB is bypassed?

I did find that I can go to the protected virtual server resource and disassociate its Public IP from the GWLB, but I was hoping there was a way in GWLB configuration itself to do this.

Azure Load Balancer
Azure Load Balancer
An Azure service that delivers high availability and network performance to applications.
401 questions
0 comments No comments
{count} votes

Accepted answer
  1. ChaitanyaNaykodi-MSFT 22,701 Reputation points Microsoft Employee
    2024-03-11T21:17:54.77+00:00

    @Josh Knight

    Thank you for reaching out.

    I understand you are setting up an GWLB with NVA's as backend pool and when the NVA's are offline the traffic is dropped.

    Is this the expected behavior of the GWLB?

    Yes, this is expected behavior as when NVA's are offline the GWLB health probes fail, and this leads to traffic getting dropped.

    Are there alternative ways to configure the GWLB to work around this? For example, could we configure it so that if there are no backend NVAs available, the GWLB is bypassed?

    Currently such configuration is not supported for GWLB. Although I think this will not be a best practice to bypass the GWLB as the internet traffic will directly reach the protected server in this case without being vetted by the NVA.

    If you wish to have such configuration option for GWLB, it will help if you could file a feature request for this on our feedback portal.

    I think it will also help if you could go through this article for deploying highly available NVA's . Azure GWLB supports active/active, active/standby and scale-out NVAs.

    Additional references:

    https://learn.microsoft.com/en-us/azure/architecture/networking/guide/nva-ha#gateway-load-balancer

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful