articles/firewall/integrate-lb.md
7 additions & 8 deletions
@@ -28,11 +28,10 @@ Asymmetric routing is where a packet takes one path to the destination and takes
28
28
### Fix the routing issue
29
29
30
30
#### Scenario 1: Azure Firewall without NAT Gateway
31
+
When deploying an Azure Firewall into a subnet, you need to create a default route for the subnet. This route directs packets through the firewall's private IP address located on the AzureFirewallSubnet. For detailed steps, see [Deploy and configure Azure Firewall using the Azure portal](tutorial-firewall-deploy-portal.md#create-a-default-route).
32
+
When integrating the firewall into your load balancer scenario, ensure that your Internet traffic enters through the firewall's public IP address. The firewall applies its rules and NAT the packets to the load balancer's public IP address. The issue arises when packets arrive at the firewall's public IP address but return via the private IP address (using the default route).
31
33
32
-
When you deploy an Azure Firewall into a subnet, one step is to create a default route for the subnet directing packets through the firewall's private IP address located on the AzureFirewallSubnet. For more information, see [Tutorial: Deploy and configure Azure Firewall using the Azure portal](tutorial-firewall-deploy-portal.md#create-a-default-route).
33
-
34
-
When you introduce the firewall into your load balancer scenario, you want your Internet traffic to come in through your firewall's public IP address. From there, the firewall applies its firewall rules and NATs the packets to your load balancer's public IP address. This is where the problem occurs. Packets arrive on the firewall's public IP address, but return to the firewall via the private IP address (using the default route).
35
-
To avoid this problem, create another host route for the firewall's public IP address. Packets going to the firewall's public IP address are routed via the Internet. This avoids taking the default route to the firewall's private IP address.
34
+
To prevent asymmetric routing, add a specific route for the firewall's public IP address. Packets intended for the firewall's public IP address are directed through the Internet, bypassing the default route to the firewall's private IP address.
36
35
37
36
:::image type="content" source="media/integrate-lb/Firewall-LB-asymmetric.png" alt-text="Diagram of asymmetric routing and the workaround solution." lightbox="media/integrate-lb/Firewall-LB-asymmetric.png":::
38
37
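Review bot: the rewritten second paragraph of Scenario 1 introduces a grammar regression and drops a precise term. "The firewall applies its rules and NAT the packets" should read "The firewall applies its rules and NATs the packets" (the removed line had it right). In the last rewritten paragraph, "add a specific route for the firewall's public IP address" replaces "create another host route"; "host route" is the accurate term for a route to a single address and the unchanged internal load balancer text in this same file still says "without needing the firewall public IP address host route", so keep "host route" here for consistency, for example "add a host route for the firewall's public IP address".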
@@ -44,7 +43,7 @@ For example, the following route table shows routes for a firewall with a public
44
43
45
44
#### Scenario 2: Azure Firewall with NAT Gateway
46
45
47
-
In some scenarios, you may configure a NAT Gateway on the Azure Firewall subnet to overcome SNAT port limitations for outbound connectivity. In these cases, the route configuration in Scenario 1 won't work because the NAT Gateway's public IP address will take precedence over the Azure Firewall's public IP address.
46
+
In some scenarios, you might configure a NAT Gateway on the Azure Firewall subnet to overcome SNAT (Source Network Address Translation) port limitations for outbound connectivity. In these cases, the route configuration in Scenario 1 doesn't work because the NAT Gateway's public IP address takes precedence over the Azure Firewall's public IP address.
48
47
49
48
For more information, see [Integration of NAT Gateway with Azure Firewall](../nat-gateway/tutorial-hub-spoke-nat-firewall.md).
50
49
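Review bot: the rewritten Scenario 2 paragraph tells the reader the Scenario 1 route configuration does not work but stops there; the fix is only implied by the unchanged "For more information" link that follows. Consider ending the sentence by pointing at that article explicitly, for example "...takes precedence over the Azure Firewall's public IP address. Use the route configuration described in the NAT Gateway integration article instead." Expanding SNAT on first use is fine; the wording change from "won't work" to "doesn't work" matches the present-tense style used elsewhere in the diff.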
@@ -67,19 +66,19 @@ For example, the following route table shows routes for a NAT Gateway with a pub
67
66
68
67
### NAT rule example
69
68
70
-
In both scenarios, a NAT rule translates RDP traffic from the firewall's public IP address (203.0.113.136) to the load balancer's public IP address (203.0.113.220):
69
+
In both scenarios, a NAT rule translates RDP (Remote Desktop Protocol) traffic from the firewall's public IP address (203.0.113.136) to the load balancer's public IP address (203.0.113.220):
71
70
72
71
:::image type="content" source="media/integrate-lb/nat-rule-02.png" lightbox="media/integrate-lb/nat-rule-02.png" alt-text="Screenshot of NAT rule.":::
73
72
74
73
### Health probes
75
74
76
-
Remember to have a web service running on the hosts in the load balancer pool if you use TCP health probes on port 80, or HTTP/HTTPS probes.
75
+
Remember to have a web service running on the hosts in the load balancer pool if you use TCP (Transport Control Protocol) health probes on port 80, or HTTP/HTTPS probes.
77
76
78
77
## Internal load balancer
79
78
80
79
An internal load balancer is deployed with a private frontend IP address.
81
80
82
-
This scenario does not have asymmetric routing issues. Incoming packets arrive at the firewall's public IP address, are translated to the load balancer's private IP address, and return to the firewall's private IP address using the same path.
81
+
This scenario doesn't have asymmetric routing issues. Incoming packets arrive at the firewall's public IP address, are translated to the load balancer's private IP address, and return to the firewall's private IP address using the same path.
83
82
84
83
Deploy this scenario similarly to the public load balancer scenario, but without needing the firewall public IP address host route.
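Review bot: the acronym expansion added in the Health probes paragraph is wrong. TCP stands for Transmission Control Protocol, not "Transport Control Protocol"; change "TCP (Transport Control Protocol) health probes" to "TCP (Transmission Control Protocol) health probes". The RDP expansion in the NAT rule paragraph and the "does not" to "doesn't" change in the internal load balancer paragraph are fine.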