|
| 1 | +--- |
| 2 | +title: 'Tutorial: Configure outbound connectivity with a gateway load balancer' |
| 3 | +titleSuffix: Azure Load Balancer |
| 4 | +description: Learn how to deploy Azure Gateway Load Balancer for higher scalability and performance on outbound connections when using network virtual appliances. |
| 5 | +author: mbender-ms |
| 6 | +ms.author: mbender |
| 7 | +ms.service: load-balancer |
| 8 | +ms.topic: tutorial |
| 9 | +ms.date: 10/24/2023 |
| 10 | +ms.custom: template-tutorial |
| 11 | +--- |
| 12 | + |
| 13 | +# Tutorial: Configure outbound connectivity with a gateway load balancer |
| 14 | + |
| 15 | +Azure Load Balancer consists of Standard, Basic, and Gateway SKUs. Gateway Load Balancer (GWLB) is used for transparent insertion of Network Virtual Appliances (NVA). Use Gateway Load Balancer for scenarios that require high performance and high scalability of NVAs. |
| 16 | + |
| 17 | +In this tutorial, you learn how to: |
| 18 | +> [!div class="checklist"] |
| 19 | +> - Chain a virtual machine’s IP or to a Gateway Load Balancer. |
| 20 | +> - Create a new load balancer frontend IP configuration. |
| 21 | +> - Create an outbound rule for virtual machine traffic. |
| 22 | +
|
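Review bot: The first checklist item (new-file line 19) reads "Chain a virtual machine’s IP or to a Gateway Load Balancer", with a stray "or" where a word has been dropped. The summary at line 125 says "IP address to a Gateway Load Balancer", so line 19 should use the same wording. Capitalization also drifts between "gateway load balancer" in the title and H1 and "Gateway Load Balancer" in the intro and checklist; pick one form for the generic term.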
| 23 | +## Prerequisites |
| 24 | + |
| 25 | +- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). |
| 26 | +- An existing public standard SKU Azure Load Balancer. For more information on creating a load balancer, see [Create a public load balancer using the Azure portal](quickstart-load-balancer-standard-public-portal.md). |
| 27 | + - For the purposes of this tutorial, the standard load balancer is named **myLoadBalancer** and is located in a resource group called **myResourceGroup**. |
| 28 | +- An existing Gateway SKU Azure Load Balancer. For more information on creating a gateway load balancer, see [Create a gateway load balancer using the Azure portal](tutorial-gateway-portal.md). |
| 29 | + - For the purposes of this tutorial, the gateway load balancer in the examples is name **myGatewayLoadBalancer**. |
| 30 | +- A virtual machine or network virtual appliance deployed in the same region and resource group as the load balancers. For more information on deploying a virtual machine, see [Create a Windows VM in the Azure portal](../virtual-machines/windows/quick-create-portal.md). |
| 31 | + - For the purposes of this tutorial, the virtual machine is named **myVM1**. |
| 32 | + |
| 33 | +## Chain a virtual machine to a gateway load balancer |
| 34 | + |
| 35 | +In this section, you chain an existing virtual machine’s public IP to a gateway load balancer. A gateway load balancer can be inserted in the path of outbound traffic by chaining to virtual machine instance level public IPs. This method secures both inbound and outbound traffic reaching or originating from this virtual machine’s public IP. |
| 36 | + |
| 37 | +1. Navigate to your existing virtual machine. This example uses a virtual machine named **myVM1**. |
| 38 | + |
| 39 | +1. To verify your virtual machine has a standard SKU public IP associated with it, select **Public IP address > Overview** and confirm that the SKU is **Standard**. |
| 40 | +1. Return to your virtual machine. |
| 41 | +1. In **Overview** of the virtual machine, select **Networking** under **Settings**. |
| 42 | +1. Select the network interface attached to the virtual machine. This example uses **myvm1185_z1**. |
| 43 | + |
| 44 | + :::image type="content" source="media/tutorial-gateway-outbound-connectivity/select-network-interface.png" alt-text="Screenshot of network interface attached to virtual machine."::: |
| 45 | + |
| 46 | +1. In **Network interface**, select **IP configurations** under **Settings**. |
| 47 | +6. Select **myFrontend** in **Gateway Load balancer**. |
| 48 | + |
| 49 | + :::image type="content" source="media/tutorial-gateway-outbound-connectivity/select-gateway-load-balancer.png" alt-text="Screenshot of gateway load balancer selection in IP configuration settings."::: |
| 50 | + |
| 51 | +1. Select **Save**. |
| 52 | + |
| 53 | +## Create a load balancer frontend |
| 54 | + |
| 55 | +In this section, you create a new frontend IP configuration for outbound traffic in our existing standard public load balancer. Using separate public IPs for inbound and outbound traffic is a recommend best practice. Reusing the same public IP for inbound and outbound traffic can increase the risk of SNAT exhaustion, as load balancing and inbound NAT rules decrease the number of available SNAT ports. |
| 56 | + |
| 57 | +1. Navigate to **myLoadBalancer** or your existing standard public load balancer and go to the **Frontend IP configuration** under **Settings**. |
| 58 | + |
| 59 | + :::image type="content" source="media/tutorial-gateway-outbound-connectivity/frontend-settings.png" alt-text="Screenshot of frontend IP configuration."::: |
| 60 | + |
| 61 | +1. Select **+ Add** to create a new frontend IP configuration |
| 62 | +1. In the **Add frontend IP configuration** page, enter or select the following information: |
| 63 | + |
| 64 | + | Setting | Value | |
| 65 | + | --- | --- | |
| 66 | + | Name | Enter **myOutboundFrontend**. | |
| 67 | + | IP version | Select **IPv4**. | |
| 68 | + | IP type | Select **IP address**. | |
| 69 | + | Public IP address | <br> Select **Create new**.</br> <br/> In **Add a public IP address**, enter **myOutboundPublicIP** for name, and select **Ok**.<br/>| |
| 70 | + | Gateway Load balancer | Select **myGatewayLoadBalancerFrontEnd**. | |
| 71 | + |
| 72 | + |
| 73 | + :::image type="content" source="media/tutorial-gateway-outbound-connectivity/add-frontend-ip-configuration.png" alt-text="Screenshot of Add frontend ip configuration screen."::: |
| 74 | + |
| 75 | +1. Select **Add**. |
| 76 | + |
| 77 | +> [!NOTE] |
| 78 | +> This step will *chain* your frontend to the gateway load balancer frontend specified. |
| 79 | +> Any inbound or outbound traffic served by this frontend is redirected to the gateway load balancer for inspection by the configured NVAs before being distributed to this load balancer’s backend instances. |
| 80 | +
|
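Review bot: Line 35 says chaining "secures both inbound and outbound traffic", which overstates what this step does. Chaining only steers traffic on that public IP through the gateway load balancer; any protection comes from the NVAs behind it, and line 111 states that a NAT Gateway takes precedence over instance-level public IPs for outbound traffic. Suggest "This method routes both inbound and outbound traffic on this public IP through the gateway load balancer for inspection" and pointing to the NAT Gateway caveat here, so readers see it before they rely on the chain. The gateway frontend is called **myFrontend** at line 47 but **myGatewayLoadBalancerFrontEnd** at line 70, and the prerequisites never name it; use one name and state it in the prerequisites. Smaller items: line 47 hard-codes "6." in a list that otherwise uses "1.", line 29 has "is name" for "is named", line 55 has "recommend best practice", line 61 lacks a closing period, and line 69 mixes `<br>`, `</br>` and `<br/>`.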
| 81 | +## Create outbound rule |
| 82 | + |
| 83 | +1. In **Load balancer**, select **Outbound rules** under **Settings**. |
| 84 | +2. Select **+ Add** in **Outbound rules** to add a rule. |
| 85 | + |
| 86 | + :::image type="content" source="media/tutorial-gateway-outbound-connectivity/outbound-rules.png" alt-text="Screenshot of Load Balancer Outbound rules settings."::: |
| 87 | + |
| 88 | +1. In **Add outbound rule** window, Enter or select the following information in: |
| 89 | + |
| 90 | + | Setting | Value | |
| 91 | + | --- | --- | |
| 92 | + | Name | Enter **myOutboundRule**. | |
| 93 | + | IP version | Select **IPv4**. | |
| 94 | + | Frontend IP address | Select the frontend IP address of the load balancer. This example uses **myOutboundFrontend**. | |
| 95 | + | Protocol | Leave the default of **All**. | |
| 96 | + | Idle timeout (minutes) | Enter **4** or your desired value. | |
| 97 | + | TCP Reset | Leave the default of **Enabled**. | |
| 98 | + | Backend pool | Select the backend pool of the load balancer. This example uses **myBackendPool**. | |
| 99 | + | **Port allocation** | | |
| 100 | + | Port allocation | Select **Manually choose number of outbound ports** | |
| 101 | + | **Outbound ports** | | |
| 102 | + | Choose by | Select **Maximum number of backend instances**. | |
| 103 | + | Ports per instance | Enter the anticipated maximum number of backend instances. This example uses **2** backend instances. |
| 104 | + |
| 105 | + |
| 106 | + :::image type="content" source="media/tutorial-gateway-outbound-connectivity/add-outbound-rule.png" alt-text="Screenshot of Add Outbound Rule screen."::: |
| 107 | + |
| 108 | +1. Select **Add**. |
| 109 | + |
| 110 | + > [!IMPORTANT] |
| 111 | + >Gateway load balancer doesn't currently support chaining with NAT Gateway. Outbound traffic originating from Azure virtual machines, served through NAT Gateway, goes directly to the Internet. And that NAT Gateway takes precedence over any instance-level public IPs or load balancers for outbound traffic. |
| 112 | + > |
| 113 | + > NAT Gateway can be configured for outbound connectivity together with a Standard Public Load Balancer and Gateway Load Balancer architecture for inbound connectivity. In this scenario, all inbound traffic flows as expected through the gateway load balancer to the Standard load balancer, while outbound traffic goes to the Internet directly. |
| 114 | + > |
| 115 | + > If NVAs need to be inserted for outbound traffic, apply the methods described in this article. For example, chaining an instance-level public IP or outbound rules load balancer frontend to a gateway load balancer. |
| 116 | +
|
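Review bot: In the outbound rule table, lines 102-103 do not agree with each other: "Choose by" is set to **Maximum number of backend instances**, yet the next row is labeled "Ports per instance" while its value describes an instance count ("This example uses **2** backend instances"). Relabel the row to match the field that option exposes, or change "Choose by" to match; as written a reader could enter 2 as a port count and end up with almost no SNAT ports per instance. The same row is missing the space before its closing pipe. The IMPORTANT block at lines 110-115 is indented under the final step, although it applies to the whole article and describes a path where outbound traffic skips the NVAs entirely; move it out of the list, ideally near the top, and merge the fragment "And that NAT Gateway takes precedence..." into the previous sentence. Line 88 ends with a dangling "in:" and capitalizes "Enter" mid-sentence, line 84 uses "2." where the rest of the list uses "1.", and the section has no intro sentence saying the rule is created on **myLoadBalancer**.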
| 117 | +## Clean up resources |
| 118 | + |
| 119 | +When no longer needed, delete the resource group, load balancer, and all related resources. To do so, select the resource group **myResourceGroup** that contains the resources and then select **Delete**. |
| 120 | + |
| 121 | +## Next steps |
| 122 | + |
| 123 | +In this tutorial, you learned how to: |
| 124 | + |
| 125 | +- Chained a virtual machine’s IP address to a Gateway Load Balancer. |
| 126 | +- Created a new load balancer frontend IP configuration. |
| 127 | +- Created an outbound rule for virtual machine traffic. |
| 128 | + |
| 129 | +> [!div class="nextstepaction"] |
| 130 | +> Learn how to [deploy highly available NVAs](/azure/architecture/reference-architectures/dmz/nva-ha) with Azure Load Balancer. |
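Review bot: The clean-up step at line 119 tells the reader to delete **myResourceGroup**, but the prerequisites (lines 26-30) describe the standard load balancer, the gateway load balancer and the VM as existing resources in that group, so following this step removes infrastructure the reader brought to the tutorial. Suggest listing only what the tutorial created (**myOutboundRule**, **myOutboundFrontend**, **myOutboundPublicIP**, and the gateway load balancer association on the NIC IP configuration), or stating clearly that deleting the group removes the pre-existing resources too. In Next steps, line 123 says "you learned how to:" and is followed by past-tense items ("Chained", "Created"); use either "you:" with the past tense or "you learned how to:" with "Chain", "Create".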