Create a cross-subscription internal load balancer
In this how-to guide, you learn how to create a cross-subscription internal load balancer by connecting a virtual network in a subscription to a load balancer in a different subscription.
A cross-subscription internal load balancer (ILB) can reference a virtual network that resides in a different subscription than the load balancer's. This feature allows you to deploy a load balancer in one subscription and reference a virtual network in another subscription.
An existing virtual network deployed in one of the subscriptions. For this example, the virtual network is in Azure Subscription A.
Azure PowerShell installed locally or Azure Cloud Shell.
If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.
Important
All of the code samples will use example names and placeholders. Be sure to replace these with the values from your environment.
The values needing replacement will be enclosed in angle brackets, like this: <example value>.
Two Azure subscriptions. One subscription for the virtual network (Azure Subscription A) and another subscription for the load balancer (Azure Subscription B).
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
If you choose to install and use the CLI locally, this quickstart requires Azure CLI version 2.60 or later. To find the version, run az --version. If you need to install or upgrade, see Install the Azure CLI.
With Azure PowerShell, you sign into Azure with Connect-AzAccount, and change your subscription context with Set-AzContext to Azure Subscription A. Then get the virtual network information with Get-AzVirtualNetwork. You need the Azure subscription ID, resource group name, and virtual network name from your environment.
```azurepowershell
# Sign in to Azure
Connect-AzAccount

# Set the subscription context to Azure Subscription A
Set-AzContext -Subscription '<Azure Subscription A>'

# Get the Virtual Network information with Get-AzVirtualNetwork
$net = @{
    Name = '<vnet name>'
    ResourceGroupName = '<Resource Group Subscription A>'
}
$vnet = Get-AzVirtualNetwork @net
```
With Azure CLI, you sign in to Azure with az login, and change your subscription context with az account set to Azure Subscription A.
```azurecli
# Sign in to Azure CLI and change subscription to Azure Subscription A
az login
az account set --subscription '<Azure Subscription A>'
```
Create a resource group
In this section, you create a resource group in Azure Subscription B. This resource group is for all of the resources associated with your load balancer.
With Azure PowerShell, you switch the subscription context with Set-AzContext and create a resource group with New-AzResourceGroup.
```azurepowershell
# Set the subscription context to Azure Subscription B
Set-AzContext -Subscription '<Azure Subscription B>'

# Create a resource group
$rg = @{
    Name = 'myResourceGroupLB'
    Location = 'westus'
}
New-AzResourceGroup @rg
```
Note
When you create the resource group for your load balancer, use the same Azure region as the virtual network in Azure Subscription A.
With Azure CLI, you switch the subscription context with az account set and create a resource group with az group create.
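```azurecli
# Switch the subscription context to Azure Subscription B
az account set --subscription '<Azure Subscription B>'

# Create a resource group in Azure Subscription B
az group create --name 'myResourceGroupLB' --location westus
```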
Create a load balancer
In this section, you create a load balancer in Azure Subscription B that is connected to a virtual network in Azure Subscription A. You create a load balancer with a frontend IP address.
```azurepowershell
# Create a load balancer
$tags = @{
    'IsRemoteFrontend' = 'true'
}
$loadbalancer = @{
    ResourceGroupName = 'myResourceGroupLB'
    Name = 'myLoadBalancer'
    Location = 'westus'
    Sku = 'Standard'
    Tags = $tags
}
$LB = New-AzLoadBalancer @loadbalancer

$LBinfo = @{
    ResourceGroupName = 'myResourceGroupLB'
    Name = 'myLoadBalancer'
}

## Add load balancer frontend configuration and apply to load balancer.
$fip = @{
    Name = 'myFrontEnd'
    SubnetId = $vnet.subnets[0].Id
}
$LB = $LB | Add-AzLoadBalancerFrontendIpConfig @fip
$LB = $LB | Set-AzLoadBalancer

## Create backend address pool configuration and place in variable.
$be = @{
    ResourceGroupName = "myResourceGroupLB"
    Name = "myBackEndPool"
    LoadBalancerName = "myLoadBalancer"
    VirtualNetwork = $vnet.id
    SyncMode = "Automatic"
}

# Create the backend pool
$backend = New-AzLoadBalancerBackendAddressPool @be
$LB = Get-AzLoadBalancer @LBinfo
```
With Azure CLI, you create a load balancer with az network lb create and update the backend pool. This example configures the following:
A frontend IP address that receives the incoming network traffic on the load balancer.
The private IP address is pulled from the cross-subscription virtual network.
The IsRemoteFrontend:True tag is added since the IP address is cross-subscription.
A backend address pool where the frontend IP sends the load balanced network traffic.
```azurecli
# Create a load balancer with a frontend IP address and backend address pool
az network lb create \
    --resource-group myResourceGroupLB \
    --name myLoadBalancer \
    --sku Standard \
    --subnet '/subscriptions/<subscription A ID>/resourceGroups/{resource group name}/providers/Microsoft.Network/virtualNetworks/{VNet name}/subnets/{subnet name}' \
    --frontend-ip-name myFrontEnd \
    --backend-pool-name MyBackendPool \
    --tags 'IsRemoteFrontend=true'
```
In order to utilize the cross-subscription feature of Azure load balancer, backend pools need to have the syncMode property enabled and a virtual network reference. This section updates the backend pool created prior by attaching the cross-subscription virtual network and enabling the syncMode property.
```azurecli
## Configure the backend address pool (MyBackendPool, created above) and the syncMode property
az network lb address-pool update \
    --lb-name myLoadBalancer \
    --resource-group myResourceGroupLB \
    --name MyBackendPool \
    --vnet '/subscriptions/<subscription A ID>/resourceGroups/{resource group name}/providers/Microsoft.Network/virtualNetworks/{VNet name}' \
    --sync-mode Automatic
```
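The --subnet and --vnet values above are full resource IDs that point into Azure Subscription A, so a stray space, a leftover placeholder, or a singular virtualNetwork type segment in one of them is worth catching before you deploy. The following shell check is an added example, not part of the original article: arm_field and check_remote_id are hypothetical helper names, and the subscription IDs and resource names are constructed sample values.

```sh
#!/bin/sh
# Added example: pre-flight check for the resource IDs passed to --subnet and
# --vnet. Function names and the sample IDs below are constructed.

# arm_field ID KEY: print the path segment that follows KEY (case-insensitive).
arm_field() {
  printf '%s\n' "$1" | tr '/' '\n' | awk -v k="$2" '
    tolower(prev) == tolower(k) { print; found = 1; exit }
    { prev = $0 }
    END { exit !found }'
}

# check_remote_id ID LB_SUBSCRIPTION_ID
# Prints ok, whitespace, placeholder, malformed or same-subscription.
check_remote_id() {
  id=$1
  lb_sub=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case $id in
    *[[:space:]]*) echo whitespace; return 1 ;;
    *'<'*|*'>'*|*'{'*|*'}'*) echo placeholder; return 1 ;;
  esac
  lower=$(printf '%s' "$id" | tr '[:upper:]' '[:lower:]')
  # The resource type is plural: virtualNetworks, not virtualNetwork.
  case $lower in
    /subscriptions/?*/resourcegroups/?*/providers/microsoft.network/virtualnetworks/?*) ;;
    *) echo malformed; return 1 ;;
  esac
  # The referenced VNet must live outside the load balancer's subscription.
  if [ "$(arm_field "$lower" subscriptions)" = "$lb_sub" ]; then
    echo same-subscription; return 1
  fi
  echo ok
}

# Constructed sample values: Subscription A owns the VNet, B the load balancer.
SUB_A=11111111-1111-1111-1111-111111111111
SUB_B=22222222-2222-2222-2222-222222222222
VNET="/subscriptions/$SUB_A/resourceGroups/rg-a/providers/Microsoft.Network/virtualNetworks/vnet-a"

for candidate in \
  "$VNET/subnets/default" \
  "/subscriptions/$SUB_A/resourceGroups/rg-a/providers/Microsoft.Network/virtualNetwork/vnet-a" \
  "/subscriptions/$SUB_A/resourceGroups/rg-a /providers/Microsoft.Network/virtualNetworks/vnet-a" \
  "/subscriptions/$SUB_B/resourceGroups/rg-a/providers/Microsoft.Network/virtualNetworks/vnet-a"
do
  verdict=$(check_remote_id "$candidate" "$SUB_B") || true
  printf '%-18s %s\n' "$verdict" "$candidate"
done
```

A same-subscription verdict means the ID points at the load balancer's own subscription, which is not the cross-subscription case this guide configures.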
Create a health probe and load balancer rule
Create a health probe that determines the health of the backend VM instances and a load balancer rule that defines the frontend IP configuration for the incoming traffic, the backend IP pool to receive the traffic, and the required source and destination port.
With Azure PowerShell, create a health probe with Add-AzLoadBalancerProbeConfig that determines the health of the backend VM instances. Then create a load balancer rule with Add-AzLoadBalancerRuleConfig that defines the frontend IP configuration for the incoming traffic, the backend IP pool to receive the traffic, and the required source and destination port.
```azurepowershell
## Create the health probe and place in variable. ##
$probe = @{
    Name = 'myHealthProbe2'
    Protocol = 'tcp'
    Port = '80'
    IntervalInSeconds = '360'
    ProbeCount = '5'
}

## Create the load balancer rule and place in variable. ##
$lbrule = @{
    Name = 'myHTTPRule2'
    Protocol = 'tcp'
    FrontendPort = '80'
    BackendPort = '80'
    IdleTimeoutInMinutes = '15'
    FrontendIpConfiguration = $LB.FrontendIpConfigurations[0]
    BackendAddressPool = $backend
}

## Set the load balancer resource. ##
$LB | Add-AzLoadBalancerProbeConfig @probe
$LB | Add-AzLoadBalancerRuleConfig @lbrule
$LB | Set-AzLoadBalancer
```
With Azure CLI, create a health probe with az network lb probe create that determines the health of the backend VM instances. Then create a load balancer rule with az network lb rule create that defines the frontend IP configuration for the incoming traffic, the backend IP pool to receive the traffic, and the required source and destination port.
In this section, you attach the network interface card (NIC) in Azure Subscription A to the load balancer in Azure Subscription B. You create a network interface with New-AzNetworkInterface and then create an IP configuration for the network interface card with New-AzNetworkInterfaceIpConfig.
Note
The network interface card (NIC) must be in the same VNet as the load balancer’s backend pool.
```azurepowershell
# Set the subscription context to Azure Subscription A
Set-AzContext -Subscription '<Azure Subscription A>'

# Create the IP configuration for the network interface card.
# $backend is the backend pool object created earlier in Azure Subscription B.
$IP1 = @{
    Name = 'MyIpConfig'
    SubnetId = $vnet.subnets[0].Id
    PrivateIpAddressVersion = 'IPv4'
    LoadBalancerBackendAddressPool = $backend
}
$IP1Config = New-AzNetworkInterfaceIpConfig @IP1 -Primary

# Create the network interface card.
# Use the same region as the virtual network and the load balancer.
$nic = @{
    Name = 'MyNic'
    ResourceGroupName = '<Resource Group Subscription A>'
    Location = 'westus'
    IpConfiguration = $IP1Config
}
New-AzNetworkInterface @nic
```
In this section, you attach the network interface card (NIC) in Azure Subscription A to the load balancer in Azure Subscription B with az network nic create.
```azurecli
# Set the subscription context to Azure Subscription A
az account set --subscription '<Azure Subscription A>'

# Attach the network interface card to the load balancer.
# MyBackendPool is the backend pool created with the load balancer above.
az network nic create \
    --name NIC \
    --resource-group NIC-rg \
    --vnet-name VNET-name \
    --subnet '<subnet name>' \
    --lb-address-pools "/subscriptions/<Subscription B ID>/resourceGroups/myResourceGroupLB/providers/Microsoft.Network/loadBalancers/myLoadBalancer/backendAddressPools/MyBackendPool"
```
Clean up resources
When no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group you created along with the load balancer, and the remaining resources.