Forum Discussion
MattAlex1
Altocumulus
AltocumulusLoad Balancing between On-Prem server and Azure Cloud server
We are planning to add CyberArk PSM and PVWA servers in Azure cloud on top of on-prem servers. Is it possible to load balance between them?
Any Challenges expected?
- Paulius
MVP
MattAlex1 Typically I wouldn't recommend load balancing over the internet from your site to Azure or any cloud provider and would instead have a VPN between your site and the cloud provide and then load balance across the VPN link. Second, you will be required to configure SNAT on your virtual server and you should use a SNAT pool list with the IP of the virtual server instead of using automap. Lastly, you will most likely have increased delay when load balancing to a cloud from another physical location but it is completely dependent on how your VPN tunnel performs.
MattAlex1Dear Paulius,
Thank you for the reply. Can you please let me know why wouldn't you recommend it without VPN?
CyberArk can work on purely cloud without VPN. IF that is the case couldn;t this be used?
- Paulius
MattAlex1 The reason I would not recommend you load balancing directly over the internet is because not you have introduced a new possible attack vector between your load balancer and the destination over the internet. If you had a VPN between the F5 environment and the Azure environment then you know both networks are trusted so for the most part you don't have to worry about someone between you and Azure spoofing the connection. I would like to note that AubreyKingF5 does bring up a great option that will remove the F5 from the Azure side of the connections allowing for DNS load balancing and then LTM load balancing on the site that has it when the DNS request lands on that side. You will remove a bit of load balancing capability because instead of say you have a pool of 3 PVWA and 3 PSM which would include the 3rd as the Azure side you now have 2 PVWA and 2 PSM with the GSLB setup with one of those hosts actually having 2 hosts behind it. This is a simple option that would work well and can most likely be tuned to add more weight to the DNS response for the LTM to help balance the connections evenly.
- AubreyKingF5
Moderator
I would most certainly do this with F5 DNS (the artist formerly known as GTM) or F5 Distributed Cloud DNS, even better. WAY cheaper.
The great thing about the Distributed Cloud option is that it uses Anycast from 22+ PoPs globally to drive traffic to the single IP address. From there, you can easily LB between your DC front door VS and your EIP. It took me 20 minutes to do this on my first attempt after taking a 1 hour training on it.
- LiefZimmerman
Admin
MattAlex1 - If your post was solved it would be helpful to the community to select *Accept As Solution*.
This helps future readers find answers more quickly and confirms the efforts of those who helped.
Thanks for being part of our community.
Lief
