Troubleshoot load balancing

Configure name resolution and load balancing

📘Microsoft Certified: Azure Administrator Associate (AZ-104)

Troubleshooting load balancing in Azure means identifying why traffic is not being distributed correctly, why a backend virtual machine (VM) is not receiving traffic, or why the load balancer is not functioning as expected. Azure load balancing issues usually fall into a few categories: configuration errors, health probe failures, network security settings, or backend resource issues.

In the AZ-104 exam, you must be able to diagnose and resolve problems for:

  • Azure Load Balancer (Layer 4)
  • Application Gateway (Layer 7)
  • Traffic Manager (DNS-based load balancing)
  • Front Door (global HTTP/HTTPS load balancing)

This section focuses mainly on Azure Load Balancer troubleshooting, but also includes troubleshooting for Application Gateway, Traffic Manager, and Front Door where needed.

1. Troubleshooting Azure Load Balancer

Azure Load Balancer distributes incoming TCP/UDP traffic to backend VMs.
If something goes wrong, the most common reasons are:

  • Incorrect backend pool configuration
  • Failing health probes
  • Misconfigured network security groups (NSGs) or firewalls
  • Wrong load balancing rules
  • Incorrect IP forwarding or NIC settings
  • Subnet or routing issues

Let’s break everything down for easy understanding.

2. Troubleshooting Backend Pool Issues

Common Problems

  1. VM is not added to the backend pool
  2. VM has multiple NICs and the wrong NIC is associated
  3. VM is in a different region or VNet
  4. VM is stopped or unhealthy

How to Troubleshoot

  • Go to Load Balancer → Backend pools and check:
    • Is the correct NIC added?
    • Is the VM running?
    • Is the VM in the same region as the load balancer (for Standard SKU)?
    • Is the VM in the same VNet/subnet (for Internal Load Balancers)?

Exam Tip

Standard Load Balancer requires VMs to be in the same virtual network.
If a VM is not in the same VNet, traffic will not work.

3. Troubleshooting Health Probe Issues

Health probes check whether a VM is healthy.
If the health probe fails, the load balancer removes the VM from rotation.

Symptoms

  • No traffic reaches the VM
  • VM works internally but not through the load balancer
  • Health probe status = Unhealthy

Common Causes

  1. Wrong probe port (e.g., probe is checking port 80 but the app listens on port 8080)
  2. App/Service not running
  3. VM firewall blocking probe traffic
  4. NSG or NVA (firewall appliance) blocking the probe
  5. Application not responding properly (timeouts)

How to Troubleshoot

  • Verify the correct probe port is open on the VM
  • Check NSG rules:
    • Allow AzureLoadBalancer service tag
  • Ensure VM firewall allows incoming probe traffic
  • Check application logs for startup or service failures

Exam Tip

Azure Load Balancers send probe traffic from the Azure infrastructure, not from the client.
Therefore, NSGs must allow:

Source: AzureLoadBalancer
Destination: Backend VM
Action: Allow

4. Troubleshooting Load Balancing Rules

Load Balancing Rules define how traffic is distributed.

Problems That Cause Failures

  • Wrong frontend IP (public vs internal)
  • Wrong backend pool selected
  • Wrong protocol (TCP vs UDP)
  • Incorrect port mapping
  • HA Ports incorrectly configured
  • Floating IP incorrectly set

Troubleshooting Steps

Verify the following:

  1. Frontend IP configuration
    • Public LB → must use public frontend
    • Internal LB → must use internal private IP
  2. Port
    • If you want port 80 traffic, ensure:
      • Frontend port = 80
      • Backend port = 80
      • VMs are listening on port 80
  3. Protocol
    • TCP only if your application uses TCP
    • UDP rules must match UDP applications, like DNS or VoIP
  4. Session persistence
    • Required for apps needing “sticky sessions”
  5. Floating IP
    • Must be ON for SQL Always On
    • Must be OFF for normal web applications

Exam Tip

If the question mentions SQL Always On availability group issues → check floating IP.

5. Troubleshooting NSG & Firewall Issues

NSG rules and firewalls commonly block traffic to/from the load balancer.

Common Issues

  • NSG denies inbound traffic from the Internet
  • NSG denies traffic from Azure Load Balancer (health probes)
  • Firewall/NVA denies traffic between subnets
  • Outbound SNAT port exhaustion (rare but exam-relevant)

Troubleshoot by Checking

  • NSG inbound rules:
    • Must allow traffic to the backend port
    • Must allow AzureLoadBalancer source for probes
  • If using a firewall NVA:
    • Ensure routing paths are correct
    • Ensure firewall rules allow probe and data traffic

SNAT Exhaustion

A problem that occurs when too many outbound connections use the same public IP.

Fix:

  • Upgrade to Standard Load Balancer
  • Add more frontend IPs
  • Use Outbound Rules to increase SNAT ports

This is exam-relevant!

6. Troubleshooting Application Gateway

Application Gateway (Layer 7) problems involve web-based issues.

Typical Problems

  1. Backend health = Unhealthy
  2. HTTP listener misconfiguration
  3. NSG or firewall blocking traffic
  4. Wrong custom probe path
  5. SSL certificate errors
  6. Application timeout

How to Troubleshoot

  • Check Backend health → tells you exactly what is wrong
  • Confirm:
    • Correct HTTP settings (port, protocol)
    • Correct backend pool VMs
    • SSL certificate validity (for HTTPS connections)
    • Probe path is reachable (e.g., /index.html)

Exam Tip

Application Gateway Layer 7 probes can use a URL path, not just a port.
If the wrong path is configured, the backend shows “Unhealthy”.

7. Troubleshooting Azure Traffic Manager

Traffic Manager relies on DNS routing.
Common problems involve DNS or endpoint health.

Typical Issues

  1. Endpoint monitoring fails
  2. DNS not updated yet (TTL delay)
  3. Wrong routing method selected
  4. Endpoint disabled by mistake
  5. Health probe path is incorrect (for HTTP/HTTPS probes)

Troubleshooting

  • Check Traffic Manager → Endpoint status
  • Lower the TTL for quicker DNS changes
  • Ensure endpoints respond to probe URLs
  • Ensure routing method matches requirements (Priority, Weighted, Geographic, etc.)

Exam Tip

If an endpoint is marked “Degraded”, the probe is failing.

8. Troubleshooting Azure Front Door

Front Door is global Layer 7 load balancing.

Common Problems

  • Incorrect backend host header
  • Backend not reachable from Front Door
  • Wrong health probe path
  • SSL certificate missing for custom domain
  • Caching or routing rules incorrectly configured

Troubleshooting

Check Backend health:

  • Ensure backend host header matches the actual app hostname
  • Verify custom domain DNS is correctly mapped
  • Ensure firewall or NSG doesn’t block Front Door IP ranges

9. Tools for Load Balancer Troubleshooting

Azure Portal

  • Backend health monitoring
  • Activity logs
  • Effective NSG rules
  • Network watcher

Network Watcher Tools

  1. Connection Troubleshoot
    Checks if traffic can reach a VM.
  2. IP Flow Verify
    Shows if NSG rules block or allow traffic.
  3. Next Hop
    Shows routing path (important when using NVAs/firewalls).
  4. Packet Capture
    Captures live packets on a VM NIC.

Logs

  • Load Balancer resource logs
  • Activity logs
  • Application Gateway access logs
  • Traffic Manager monitoring logs

Exam Tip:
To find NSG issues quickly → Use IP Flow Verify.

10. Common Exam Scenarios and Solutions

Scenario 1: Load Balancer shows VM “Unhealthy”

Cause: Health probe failing
Fix:

  • Open port for probe
  • Allow AzureLoadBalancer in NSG
  • Ensure service is running

Scenario 2: Application Gateway Backend = “Unhealthy”

Cause: Wrong HTTP settings or probe path
Fix:

  • Correct URL path
  • Correct backend ports
  • Fix SSL certificate issues

Scenario 3: Traffic Manager not routing to the secondary site

Cause: Endpoint health probe fails
Fix:

  • Fix probe path
  • Ensure endpoint is reachable on probe port

Scenario 4: Internal Load Balancer not working

Cause: Wrong subnet or wrong VNet
Fix:

  • Ensure frontend IP is inside the correct subnet
  • Ensure VMs are in same VNet

Scenario 5: Public Load Balancer not responding

Cause: NSG blocking inbound traffic
Fix:

  • Allow inbound traffic on correct port
  • Allow AzureLoadBalancer for health probe

Conclusion

Troubleshooting Azure load balancing requires understanding how backend pools, health probes, NSGs, routing, certificates, and probe paths work together. For the AZ-104 exam, focus on:

  • Health probe behavior
  • NSG rules and AzureLoadBalancer service tag
  • Backend pool and NIC association
  • Load balancing rules
  • Application Gateway probe paths and SSL issues
  • Traffic Manager endpoint health
  • Tools like Network Watcher (IP Flow Verify, Connection Troubleshoot)

If you understand the causes and solutions above, you will be well prepared to solve real-world Azure load balancing issues and answer AZ-104 exam questions with confidence.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by