Practical considerations for using Azure internal load balancer and BIG-IP
Hi raviraj
If I follow your question correctly, you are worried about causing asymmetric routing, is that correct? The normal rules of TCP/IP still apply: your request traffic should traverse the same path as your response traffic. If you have firewalls or other devices that inspect traffic at Layer 4, they will drop traffic if your routing is asymmetric. So I think the answers to your questions are:
1. You can only have 1 default route (0.0.0.0/0) per subnet in Azure. So if you have that pointed at a firewall, then it cannot point at F5 BIG-IP. Which means you will have to SNAT inbound traffic at the BIG-IP if you want it to traverse the BIG-IP on the return path. The same thing applies for any route (whether it's 0.0.0.0 or some other subnet in your environment).
2. I don't know anything about AVS, but if you cannot add a static route, then you will have to SNAT. I believe your understanding is correct.
You can shoot me a message via this DevCentral website if you want to move this chat to email or a phone call. Thanks for reading!
Mike
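
The return-path reasoning in the reply above, as an added example that is not part of the original post: a simplified model of a backend subnet's route table that shows where the server's reply goes with and without SNAT at the BIG-IP. All addresses, the route table contents and the function names are constructed assumptions, and the model ignores Azure system routes other than the local subnet.

```python
import ipaddress

# Constructed addresses (assumptions, not taken from the original post).
BIGIP_SELF_IP = "10.0.1.4"     # BIG-IP interface on the backend subnet
FIREWALL_IP = "10.0.9.4"       # firewall used as the subnet's default next hop
CLIENT_IP = "203.0.113.50"     # external client

# Backend subnet route table: one next hop per prefix, so there is only
# one 0.0.0.0/0 entry and it cannot point at both firewall and BIG-IP.
SERVER_ROUTES = {
    "0.0.0.0/0": FIREWALL_IP,  # the single default route goes to the firewall
    "10.0.1.0/24": "local",    # the BIG-IP self IP is directly reachable
}

def next_hop(routes, dest_ip):
    """Longest-prefix match: the most specific route containing dest_ip wins."""
    dest = ipaddress.ip_address(dest_ip)
    nets = [ipaddress.ip_network(p) for p in routes]
    matches = [n for n in nets if dest in n]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return routes[str(best)]

def return_path(routes, client_ip, snat):
    """Return the device that receives the server's reply.

    With SNAT the server sees the BIG-IP self IP as the source, so the
    reply is addressed to the BIG-IP. Without SNAT the reply is addressed
    to the client and follows whichever route matches the client address.
    """
    reply_dest = BIGIP_SELF_IP if snat else client_ip
    hop = next_hop(routes, reply_dest)
    return reply_dest if hop == "local" else hop

def is_symmetric(routes, client_ip, snat):
    """The request came in through the BIG-IP; the reply must return through it."""
    return return_path(routes, client_ip, snat) == BIGIP_SELF_IP

if __name__ == "__main__":
    for snat in (False, True):
        hop = return_path(SERVER_ROUTES, CLIENT_IP, snat)
        print(f"snat={snat}: reply goes to {hop}, "
              f"symmetric={is_symmetric(SERVER_ROUTES, CLIENT_IP, snat)}")
```
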