3.1 Azure Load Balancer and Traffic Manager
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is a Gateway Load Balancer?
A Gateway Load Balancer (GLB) is a type of Azure load balancer designed specifically to distribute traffic to virtual appliances, such as firewalls, intrusion detection systems, or other network virtual appliances (NVAs). It allows you to scale and manage these appliances easily while keeping the network highly available.
- Key Use Case: If you have multiple firewall appliances in Azure, GLB ensures incoming traffic is automatically balanced among them.
- Type of traffic: GLB operates at Layer 3 (Network Layer), which means it deals with IP traffic rather than web-specific traffic like HTTP/HTTPS.
2. Components of Gateway Load Balancer
- Gateway Load Balancer Frontend IP (GLB Frontend)
- This is the public or private IP address where the incoming traffic arrives.
- It’s the entry point for all network traffic that needs inspection or processing by the appliances.
- Backend Pool
- This is a collection of virtual appliances (NVAs) that will process the traffic.
- Each appliance in the pool must have Gateway Load Balancer IP configurations enabled.
- Health Probes
- GLB uses health probes to check the status of each appliance.
- If an appliance fails, GLB automatically stops sending traffic to it.
- Probes typically use ICMP, TCP, or HTTP checks depending on the appliance type.
- Load Balancing Rules
- These rules define how incoming traffic is distributed across the backend appliances.
- You can set hash-based distribution (5-tuple hashing using source IP, destination IP, ports, and protocol) to keep traffic flows consistent.
- Gateway Load Balancer NAT (Optional)
- GLB can perform Network Address Translation (NAT) to redirect traffic to the backend appliances.
- This helps in ensuring traffic returns to the GLB instead of directly to clients.
3. How It Works
Here’s the traffic flow in technical terms:
- Client sends traffic to the GLB Frontend IP.
- Gateway Load Balancer receives the traffic.
- GLB uses hash-based distribution to select an appliance from the backend pool.
- GLB encapsulates the traffic using GENEVE tunneling (Generic Network Virtualization Encapsulation).
- The selected appliance processes the traffic (e.g., firewall inspection).
- The processed traffic returns to GLB (decapsulated) and is sent back to the client.
Important exam point: GLB uses GENEVE encapsulation to maintain a seamless transparent flow without breaking the source IP.
4. Key Features to Remember for Exam
| Feature | Explanation |
|---|---|
| Transparent Traffic Flow | Client IP and destination IP are preserved, even through multiple appliances. |
| Scalability | Add or remove appliances from the backend pool without downtime. |
| High Availability | If an appliance fails, GLB automatically stops sending traffic to it. |
| GENEVE Encapsulation | Ensures traffic is routed properly without modifying IP addresses. |
| Integration with NVAs | Works with third-party firewalls like Palo Alto, Fortinet, or Check Point. |
5. Deployment Steps (Exam-Oriented)
To implement a Gateway Load Balancer in Azure, follow these steps:
Step 1: Create a Virtual Network
- Ensure you have a subnet for your GLB and appliances.
- Example: Subnet named
GatewaySubnet.
Step 2: Deploy Network Virtual Appliances (NVAs)
- Deploy multiple firewall appliances in the backend pool.
- Each NVA must have GLB IP configuration enabled.
Step 3: Create the Gateway Load Balancer
- Go to Azure Portal → Create a Gateway Load Balancer.
- Configure:
- Frontend IP (public or private)
- Backend Pool (add all NVAs)
- Health Probes (to monitor appliance availability)
- Load Balancing Rules (choose distribution method)
Step 4: Configure NAT Rules (Optional)
- If traffic needs to be redirected or returned via GLB, configure NAT rules.
Step 5: Test Traffic Flow
- Send traffic to the GLB Frontend IP.
- Check that traffic is distributed among appliances.
- Simulate a failed appliance to ensure GLB reroutes traffic.
6. Important Exam Tips
- GLB is different from Azure Standard Load Balancer:
- Standard Load Balancer balances regular workloads (VMs, apps).
- Gateway Load Balancer balances network appliances and keeps traffic transparent.
- Remember the GENEVE encapsulation mechanism—this is an exam keyword.
- Know that GLB doesn’t inspect traffic itself; it only distributes it.
- You can combine GLB with Azure Firewall or third-party NVAs for a complete secure network design.
7. Real IT Use Case (without non-IT analogies)
- An enterprise runs a Fortinet firewall cluster in Azure.
- Incoming traffic from on-premises VPN or ExpressRoute is routed to GLB.
- GLB distributes this traffic to the firewall appliances for inspection.
- If one firewall fails, GLB automatically sends traffic to the remaining healthy appliances, maintaining uptime.
This is exactly how a production IT network achieves scalability and high availability with virtual appliances.
✅ Summary for Exam:
- GLB is for NVAs, not for regular app traffic.
- Uses GENEVE encapsulation.
- Maintains transparent traffic.
- Scales appliances automatically and ensures high availability.
- Key components: Frontend IP, Backend Pool, Health Probes, Load Balancing Rules.
- Optional NAT rules for traffic return.
- Integrates with Azure Firewall and third-party NVAs.
