3.1 Azure Load Balancer and Traffic Manager
📘Microsoft Azure Networking Solutions (AZ-700)
1. What are Outbound Connections?
- An outbound connection is when a virtual machine (VM) or service inside your Azure network initiates a connection to an external resource, like:
- Downloading updates from Microsoft servers
- Accessing a database or API outside Azure
- Calling a SaaS application
- Azure Load Balancer controls how these outbound connections go through the public IP (or frontend) of the Load Balancer.
2. Why Outbound Rules Are Important
Without proper outbound rules:
- Your VM might not be able to connect to the internet.
- SNAT (Source Network Address Translation) might run out of ports, causing new outbound connections to fail.
Outbound rules let you control how your VM’s private IP is translated to a public IP, ensuring connections succeed and scale properly.
3. SNAT – Source Network Address Translation
SNAT allows multiple internal VMs to share a single public IP for outbound connections.
- Example IT scenario:
- You have 50 VMs in a subnet, all needing to call an external API.
- Private IPs: 10.0.0.4 – 10.0.0.53
- Public IP of Load Balancer: 40.112.0.5
- Without SNAT, only 1-to-1 mapping is possible. With SNAT, all 50 VMs can share 40.112.0.5, and Azure tracks the connections.
Key concept:
- SNAT maps private IP + port → public IP + port.
- Each public IP has 64,000+ ports for SNAT by default, so scaling is easy.
4. Creating an Outbound Rule
Outbound rules define how traffic flows from your backend pool to the internet. They specify:
- Which backend pool of VMs uses this rule
- Which frontend IP configuration (public IP or load balancer IP) is used
- Which ports are allowed for SNAT
- Protocol: TCP, UDP, or Both
Steps to configure (Portal or CLI):
Using Azure Portal:
- Go to your Azure Load Balancer → Outbound rules → Add.
- Configure the following:
- Name: Give your rule a name.
- Backend Pool: Select the VMs or VM scale set.
- Frontend IP configuration: Select public IP to use for outbound connections.
- Protocol: TCP/UDP/Both.
- Port range: Default is all ephemeral ports; you can limit if needed.
- Save and the outbound rule is applied.
Important Options:
- Idle timeout: Default 4 minutes. After this, idle connections are dropped.
- Floating IP: Only needed for inbound-to-outbound scenarios, usually for SQL Always On.
5. Practical IT Scenarios
- VMs in a subnet without public IPs:
- Outbound rules allow these VMs to access external resources through the Load Balancer.
- SNAT port exhaustion scenario:
- Many VMs or containers making outbound connections at once.
- Solution: Add additional public IPs to the Load Balancer and configure outbound rules with multiple frontends.
- Restrict outbound traffic through specific IPs:
- You may want all outbound traffic to go via a specific firewall or NAT gateway.
- Outbound rules let you enforce which public IPs are used.
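To size the port exhaustion scenario above, here is an added capacity-planning example (not part of the original notes). It works from the 64,000 SNAT ports per public IP that the notes quote; the multiple-of-8 allocation granularity is an assumption taken from Azure's outbound rule settings, and the workload figures are constructed.

```python
"""SNAT capacity planning for Azure Load Balancer outbound rules."""
from math import ceil

# Usable SNAT ports per frontend public IP (the figure quoted in the notes).
SNAT_PORTS_PER_FRONTEND = 64_000
# Outbound rules hand out ports per instance in multiples of 8 (assumed from Azure docs).
PORT_GRANULARITY = 8


def max_ports_per_instance(backend_instances: int, frontend_ips: int = 1) -> int:
    """Largest per-VM SNAT port allocation a manual outbound rule can give."""
    if backend_instances < 1 or frontend_ips < 1:
        raise ValueError("need at least one backend instance and one frontend IP")
    raw = (SNAT_PORTS_PER_FRONTEND * frontend_ips) // backend_instances
    return raw - (raw % PORT_GRANULARITY)


def frontends_needed(backend_instances: int, ports_per_instance: int) -> int:
    """Frontend public IPs required so every VM can get ports_per_instance ports."""
    return ceil(backend_instances * ports_per_instance / SNAT_PORTS_PER_FRONTEND)


def plan(backend_instances: int, frontend_ips: int, peak_flows_per_vm: int) -> dict:
    """Check whether peak concurrent outbound flows per VM fit the allocation.

    Each concurrent outbound flow holds one SNAT port, so a peak above the
    per-VM allocation means SNAT exhaustion: new outbound connections fail
    until existing ports are released (e.g. after the idle timeout).
    """
    per_vm = max_ports_per_instance(backend_instances, frontend_ips)
    needed = frontends_needed(backend_instances, peak_flows_per_vm)
    return {
        "ports_per_vm": per_vm,
        "exhaustion_risk": peak_flows_per_vm > per_vm,
        "frontend_ips_needed": needed,
        "additional_ips": max(0, needed - frontend_ips),
    }


if __name__ == "__main__":
    # Constructed scenario matching the notes: 50 VMs behind one public IP.
    for peak in (1000, 2000):
        print(f"50 VMs, 1 frontend, {peak} peak flows/VM:", plan(50, 1, peak))
```

Run the script to see that 50 VMs on one frontend get 1,280 ports each, and that a peak of 2,000 flows per VM needs a second public IP on the outbound rule.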
6. Key Exam Points for AZ-700
- Outbound rules are required when VMs do not have public IPs.
- SNAT is automatic for outbound rules; Azure maps private IP to public IP.
- You can have multiple frontend IPs in a Load Balancer to scale SNAT.
- Default Azure Load Balancer behavior:
- If a VM has no outbound rule and no public IP → Limited outbound via default SNAT.
- Explicit outbound rule → Controlled and scalable outbound connectivity.
Remember: Exam questions may ask about:
- Configuring outbound rules to allow internet access for VMs without public IP.
- Preventing SNAT port exhaustion by adding additional public IPs.
- Which frontend IP a backend pool uses for outbound connections.
7. Visual Summary
| Feature | Description |
|---|---|
| Outbound rule | Defines how backend VMs access external network |
| SNAT | Maps private IPs to public IP for multiple outbound connections |
| Frontend IP | Public IP used for outbound traffic |
| Backend pool | Group of VMs using this rule |
| Idle timeout | Connection drops if idle for set time |
✅ Tip for non-IT learners:
Think of it as a gateway: your internal VMs have private addresses, and outbound rules tell Azure, “Hey, use this public IP to talk outside, and remember which VM is talking so replies come back to the correct VM.”
