Internal Load Balancer: maintain session hash between multiple front-end IPs

Sahota, Harcharan Singh 1 Reputation point
2021-09-20T08:37:05.783+00:00

I have a use case: there are 2 NVAs (Palo Alto firewalls) deployed behind an Internal Load Balancer. Each NVA has 3 private-zone NICs and the Internal LB has 3 frontend IPs, one for each NVA NIC subnet. The request traffic from one private subnet lands on Frontend IP1 and is distributed to NVA1 NIC1 for processing; the response traffic of the same session lands on Frontend IP2 on the same Internal LB and is distributed to NVA2 on NIC2. This causes asymmetry and hence the communication is dropped on NVA2. I was expecting the Internal LB to distribute the same session's traffic to just NVA1 and not to NVA2, as I have read that the Internal Load Balancer maintains a 5-tuple hash to maintain sessions. Does the Internal LB maintain the session hash if the communication is between different frontend IPs? I have attached an architecture diagram for reference. Please advise.

[Attached image: 133496-architecture-design.png]

Azure Load Balancer

1 answer

Sort by: Most helpful
  1. GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2021-09-20T16:53:25.807+00:00

    Hello @Anonymous,

    Azure Load Balancer supports two distribution modes for routing connections to your load-balanced application:

    • Hash based
    • Source IP affinity

    The default distribution mode for Azure Load Balancer is a five-tuple hash.

    Hash-based mode has one configuration type:

    • None (hash-based) - Specifies that successive requests from the same client may be handled by any virtual machine.

    Source IP affinity mode has two configuration types:

    • Client IP (source IP affinity 2-tuple) - Specifies that successive requests from the same client IP address will be handled by the same virtual machine.
    • Client IP and protocol (source IP affinity 3-tuple) - Specifies that successive requests from the same client IP address and protocol combination will be handled by the same virtual machine.

    If you want your load balancer to distribute the same session traffic to just NVA1, then you may need to configure Source IP affinity mode with one of the available configuration types (2-tuple or 3-tuple, depending upon your setup & requirement).

    Please refer to the articles below for more information:
    https://learn.microsoft.com/en-us/azure/load-balancer/distribution-mode-concepts
    https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode?tabs=azure-portal

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

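The following is an added worked example, not code from the question, the answer, or Azure itself. It models the three distribution modes described in the answer as the set of packet fields each one hashes, so you can check for any two flows whether a mode *guarantees* they reach the same backend (identical hash inputs) or merely might (different inputs that happen to collide). The mode names follow the `--load-distribution` values of `az network lb rule` (`Default`, `SourceIP`, `SourceIPProtocol`); the exact field sets for the 2- and 3-tuple modes and the SHA-256 based backend selection are simplifying assumptions, not Azure's real hashing algorithm. All flows, addresses and backend names are constructed sample data.

```python
"""Simplified model of Azure Load Balancer distribution modes (added example, not Azure code)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str    # client address as seen by the load balancer
    dst_ip: str    # the frontend IP the packet arrived on
    proto: str     # "TCP" or "UDP"
    src_port: int
    dst_port: int


# Fields each mode feeds into its hash. The 5-tuple for "Default" is from the
# answer above; the 2-/3-tuple field sets are an assumption of this model.
MODE_FIELDS = {
    "Default": ("src_ip", "src_port", "dst_ip", "dst_port", "proto"),  # hash based, 5-tuple
    "SourceIP": ("src_ip", "dst_ip"),                                   # source IP affinity, 2-tuple
    "SourceIPProtocol": ("src_ip", "dst_ip", "proto"),                  # source IP affinity, 3-tuple
}


def affinity_key(flow: Flow, mode: str) -> tuple:
    """The subset of the flow that a given mode hashes."""
    return tuple(getattr(flow, field) for field in MODE_FIELDS[mode])


def pick_backend(flow: Flow, backends: list, mode: str) -> str:
    """Stable choice: equal affinity keys always land on the same backend.
    SHA-256 stands in for the real (undocumented) hash; only stability matters here."""
    material = "|".join(str(v) for v in affinity_key(flow, mode)).encode()
    digest = hashlib.sha256(material).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def affinity_guaranteed(a: Flow, b: Flow, mode: str) -> bool:
    """True when the mode *guarantees* flows a and b reach the same backend.
    False means the hash inputs differ, so they may or may not coincide."""
    return affinity_key(a, mode) == affinity_key(b, mode)


def report(a: Flow, b: Flow, backends: list) -> dict:
    """Per mode: (guaranteed same backend?, same backend in this model's hash?)."""
    return {
        mode: (
            affinity_guaranteed(a, b, mode),
            pick_backend(a, backends, mode) == pick_backend(b, backends, mode),
        )
        for mode in MODE_FIELDS
    }


# Constructed sample data: two backend NVAs behind one frontend IP.
BACKENDS = ["NVA1", "NVA2"]
FLOW_A = Flow("10.0.1.4", "10.0.0.10", "TCP", 40001, 443)  # first connection from a client
FLOW_B = Flow("10.0.1.4", "10.0.0.10", "TCP", 40002, 443)  # same client, new source port
FLOW_C = Flow("10.0.1.4", "10.0.0.10", "UDP", 40001, 514)  # same client, different protocol

if __name__ == "__main__":
    print("same client, new source port:", report(FLOW_A, FLOW_B, BACKENDS))
    print("same client, other protocol: ", report(FLOW_A, FLOW_C, BACKENDS))
```

Reading the output: under `Default` a new source port changes the 5-tuple, so the second connection is not guaranteed to reach the same NVA even when the sample hash happens to agree; under `SourceIP` and `SourceIPProtocol` the same client IP and frontend IP pin it. Switching to UDP keeps the `SourceIP` guarantee but breaks the `SourceIPProtocol` one. When you evaluate your own design, feed `affinity_guaranteed` the two flows you need to land on the same NVA and check that the fields the chosen mode hashes are identical on both; that is the condition the answer's definitions describe.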
