articles/load-balancer/load-balancer-floating-ip.md
Lines changed: 2 additions & 1 deletion
@@ -145,10 +145,11 @@ sudo ufw allow 80/tcp
145
145
```
146
146
</details>
147
147
148
-
## <aname = "limitations"></a>Limitations
148
+
## <aname = "limitations"></a>Limitations
149
149
150
150
- With Floating IP enabled on a load balancing rule, your application must use the primary IP configuration of the network interface for outbound.
151
151
- If your application binds to the frontend IP address configured on the loopback interface in the guest OS, Azure's outbound won't rewrite the outbound flow, and the flow fails. Review [outbound scenarios](load-balancer-outbound-connections.md).
152
+
- You can't use Floating IP on secondary IP configurations for Load Balancing scenarios. This limitation doesn't apply to Public load balancers where the secondary IP configuration is IPv6 an part of a dual-stack configuration or to architectures that utilize a NAT Gateway for outbound connectivity.
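Review bot: The added secondary-IP bullet has a typo and an ambiguous exception clause: "IPv6 an part of a dual-stack configuration" should read "IPv6 and part of a dual-stack configuration", and as written it is unclear whether the NAT Gateway exception applies only to Public load balancers or to any load balancer. Suggest splitting the second sentence into two explicit exceptions (one for Public load balancers with an IPv6 secondary IP configuration in a dual-stack setup, one for architectures that use a NAT Gateway for outbound connectivity). "Load Balancing scenarios" is also capitalized differently from "load balancing rule" in the first bullet of the same list.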
articles/virtual-network/ip-services/default-outbound-access.md
Lines changed: 5 additions & 13 deletions
@@ -71,33 +71,27 @@ There are multiple ways to turn off default outbound access. The following secti
71
71
72
72
* Creating a subnet to be Private prevents any virtual machines on the subnet from utilizing default outbound access to connect to public endpoints.
73
73
74
-
* The parameter to create a Private subnet can only be set during the creation of a subnet.
75
-
76
74
* VMs on a Private subnet can still access the Internet using explicit outbound connectivity.
77
75
78
76
> [!NOTE]
79
77
> Certain services won't function on a virtual machine in a Private Subnet without an explicit method of egress (examples are Windows Activation and Windows Updates).
80
78
81
79
#### Add the Private subnet feature
82
80
83
-
* From the Azure portal, ensure the option to enable Private subnet is selected when creating a subnet as part of the Virtual Network create experience as shown below:
81
+
* From the Azure portal, ensure the option to enable Private subnet is selected as part of the Virtual Network subnet create/modify experience as shown below:
* Using PowerShell, when creating a subnet with [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig), use the `DefaultOutboundAccess` option and choose "$false"
85
+
* Using PowerShell, when creating a subnet with [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig), use the `DefaultOutboundAccess` option and choose "$false". After creation, a subnet can be set using [Set-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/set-azvirtualnetworksubnetconfig).
88
86
89
-
* Using CLI, when creating a subnet with [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create), use the `--default-outbound` option and choose "false"
87
+
* Using CLI, when creating a subnet with [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create), use the `--default-outbound` option and choose "false". After creation, a subnet can be set using [az network vnet subnet update](/cli/azure/network/vnet/subnet?view=azure-cli-latest#az-network-vnet-subnet-update).
90
88
91
-
* Using an Azure Resource Manager template, set the value of `defaultOutboundAccess` parameter to be "false"
89
+
* Using an Azure Resource Manager template, set the value of `defaultOutboundAccess` parameter to be "false".
92
90
93
91
#### Private subnet limitations
94
92
95
93
* In order to utilize to activate/update virtual machine operation systems, including Windows, it's a requirement to have an explicit outbound connectivity method.
96
94
97
-
* Delegated subnets can't be marked as Private.
98
-
99
-
* Existing subnets can't currently be converted to Private.
100
-
101
95
* In configurations using a User Defined Route (UDR) with a default route (0/0) that sends traffic to an upstream firewall/network virtual appliance, any traffic that bypasses this route (for example, to Service Tagged destinations) breaks in a Private subnet.
102
96
103
97
### Add an explicit outbound connectivity method
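Review bot: In the added PowerShell and CLI bullets, "After creation, a subnet can be set using ..." does not say what is being set, so a reader cannot tell that this is how an existing subnet is switched to Private. Suggest wording such as "To make an existing subnet Private, use Set-AzVirtualNetworkSubnetConfig with `DefaultOutboundAccess` set to $false" and the equivalent for `az network vnet subnet update` with `--default-outbound false`. The ARM template bullet gets only a trailing period and no matching statement about existing subnets, which leaves the three methods inconsistent. The new CLI link carries `?view=azure-cli-latest` while the `az network vnet subnet create` link on the same line does not; drop the query string for consistency. The hunk also deletes "Delegated subnets can't be marked as Private." without any replacement text; if that restriction was lifted along with the conversion restriction, the commit should say so, otherwise the bullet should stay. While touching this list, the unchanged bullet "In order to utilize to activate/update virtual machine operation systems" is garbled and could be fixed in the same change.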
@@ -115,14 +109,12 @@ There are multiple ways to turn off default outbound access. The following secti
115
109
>[!Important]
116
110
> When a load balancer backend pool is configured by IP address, it will use default outbound access due to an ongoing known issue. For secure by default configuration and applications with demanding outbound needs, associate a NAT gateway to the VMs in your load balancer's backend pool to secure traffic. See more on existing [known issues](../../load-balancer/whats-new.md#known-issues).
117
111
118
-
## If I need outbound access, what is the recommended way?
112
+
## If I need outbound access, what is the recommended way?
119
113
120
114
NAT gateway is the recommended approach to have explicit outbound connectivity. A firewall can also be used to provide this access.
121
115
122
116
## Constraints
123
117
124
-
* Public connectivity is required for Windows Activation and Windows Updates. It's recommended to set up an explicit form of public outbound connectivity.
125
-
126
118
* Default outbound access IP doesn't support fragmented packets.
127
119
128
120
* Default outbound access IP doesn't support ICMP pings.
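Review bot: Removing the Constraints bullet "Public connectivity is required for Windows Activation and Windows Updates" leaves that requirement documented only in the Private subnet NOTE and the Private subnet limitations list, so readers who land on Constraints no longer see the recommendation to set up explicit public outbound connectivity. If the removal is meant to deduplicate, consider keeping a one-line pointer in Constraints to the Private subnet section; if it is unintentional, restore the bullet. The heading line "## If I need outbound access, what is the recommended way?" shows as changed with identical visible text, so that edit appears to be whitespace only and could be dropped from the change to keep the diff focused.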