Practical considerations for using Azure internal load balancer and BIG-IP
Background
I recently had a scenario that required me to do some testing and I thought it would be a good opportunity to share. A user told me that he wants to put BIG-IP in Azure, but he has a few requirements:
- He wants to use an Azure Load Balancer (ALB) to ensure HA for his BIG-IP pair. This makes failover times faster in Azure, compared to other options.
- He does not want to use an external Load Balancer. He has internet-facing firewalls that will proxy inbound traffic to BIG-IP, so there is no need to expose BIG-IP to the internet. He needs internal-only BIG-IP's to provide the required app services.
- He does not want his traffic SNAT'd. He wants app servers to see the true client IP.
- Ideally he does not want to automate an update of Azure routes at time of failover.
- He would like to run his BIG-IP pair Active/Active, but could also run Active/Standby.
Quick side note: Why would we use ALB's when deploying BIG-IP? Isn't that like putting a load balancer in front of a load balancer? In this case we're using the ALB as a basic Layer 3/4 traffic disaggregator to simply send traffic to multiple BIG-IP appliances and provide failover in the case of a VM-level failure. However, we want our traffic to traverse the BIG-IP's when we need advanced app services: TLS handling, authentication, advanced health monitoring, sophisticated load balancing methods, etc.
Let's analyze this!
Firstly, I put together a quick demo to easily show him how to deploy BIG-IP behind an ALB. My demo uses an external (internet-facing) ALB and an internal ALB. It is based on the official template provided by F5, but additionally deploys an app server and configures the BIG-IP's with a route and an AS3 declaration. If it weren't for the internal-only requirement, this setup would have met all of his requirements.
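For reference, here is a minimal sketch of the kind of AS3 declaration such a demo might push to a BIG-IP. The tenant, pool member, virtual address, and credentials are hypothetical placeholders, not values from the actual demo:

```python
import requests

# Hypothetical management address and credentials for one BIG-IP.
BIGIP_MGMT = "https://192.0.2.10"
AUTH = ("admin", "<password>")

# A minimal AS3 declaration: one HTTP virtual service load balancing to one app server.
declaration = {
    "class": "AS3",
    "action": "deploy",
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "demo_tenant": {
            "class": "Tenant",
            "demo_app": {
                "class": "Application",
                "template": "http",
                "serviceMain": {
                    "class": "Service_HTTP",
                    "virtualAddresses": ["10.0.2.100"],  # VIP on the BIG-IP data plane
                    "pool": "web_pool"
                },
                "web_pool": {
                    "class": "Pool",
                    "monitors": ["http"],
                    "members": [{"servicePort": 80, "serverAddresses": ["10.0.3.10"]}]
                }
            }
        }
    }
}

# AS3 declarations are POSTed to this endpoint on the BIG-IP management plane.
resp = requests.post(f"{BIGIP_MGMT}/mgmt/shared/appsvcs/declare",
                     json=declaration, auth=AUTH, verify=False)
resp.raise_for_status()
```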
Constraints
However, this user's case requires no internet-facing BIG-IP. And now we hit 2 problems:
- Azure will not allow 2x internal LB's in the same Availability Set, or you'll get a conflict with the error NetworkInterfacesInAvailabilitySetUseMultipleLoadBalancersOfSameType. So the diagram above cannot be re-created with 2x internal Azure LB's.
- When using only 1x internal LB, you "should only have one inbound rule if that rule loadbalances across all ports and protocols." Since we want at least 1 rule for all ports (for outbound traffic from servers), we cannot also have individual LB rules for our apps. Trying to do so will fail with the error message quoted above.
Alternatives
This leaves us with a few options. We can meet most of his requirements, but one constraint I have not been able to overcome is this: if your cluster of BIG-IP's is Active/Active, you will need to SourceNAT traffic to ensure the response traffic traverses the same BIG-IP. I'll discuss three options (A, B, and C) and how they meet the requirements.
- Option A: Use a single Azure internal LB. At the BIG-IP, SNAT the traffic to the web server, and send an XFF header in place of the true client IP. The default route can be the firewall, so server-initiated traffic like patch updates can still reach the internet. Can be Active/Active or Active/Standby, but you must SNAT if you do not want to be updating a UDR at time of failover.
- Option B: Don't SNAT traffic, so the web server sees the true source IP. You will need a UDR (User Defined Route) to point the default route and any client subnets at the Active BIG-IP, and you will need to automatically update this UDR at time of failover (automated via F5's Cloud Failover Extension, or CFE). Can be Active/Standby only, as traffic will return following the default route.
- Option C: Use a single Azure internal LB, but with multiple LB rules. In our example we'll have 2x Front End IP's configured on the Azure LB, and these will be in different internal subnets. Then we'll have 2x back end pools: the external SelfIP's for one rule, and the internal SelfIP's for the other. Finally we'll have 2x LB rules. The rule for the "internal" side of the LB may listen on ALL ports (for outbound traffic) and the "external" side of the LB might listen on 80 and 443 only (see the sketch after this list).
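To make Option C concrete, below is a minimal sketch using the azure-mgmt-network Python SDK (the Azure CLI or an ARM template would work equally well). The resource group, VNET and subnet names, IP addresses, and probe settings are hypothetical, and error handling is omitted; treat it as an illustration of the two-frontend, two-pool, two-rule layout rather than a production script:

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

SUB, RG, LOC, LB = "<subscription-id>", "my-rg", "eastus", "bigip-internal-lb"
LB_ID = (f"/subscriptions/{SUB}/resourceGroups/{RG}"
         f"/providers/Microsoft.Network/loadBalancers/{LB}")
VNET_ID = (f"/subscriptions/{SUB}/resourceGroups/{RG}"
           f"/providers/Microsoft.Network/virtualNetworks/my-vnet")

net = NetworkManagementClient(DefaultAzureCredential(), SUB)

net.load_balancers.begin_create_or_update(RG, LB, {
    "location": LOC,
    "sku": {"name": "Standard"},  # HA Ports requires a Standard internal LB
    # Two frontend IPs in different subnets: one faces the firewall ("external"),
    # one faces the servers ("internal").
    "frontend_ip_configurations": [
        {"name": "fe-external",
         "subnet": {"id": f"{VNET_ID}/subnets/external"},
         "private_ip_address": "10.0.2.50",
         "private_ip_allocation_method": "Static"},
        {"name": "fe-internal",
         "subnet": {"id": f"{VNET_ID}/subnets/internal"},
         "private_ip_address": "10.0.3.50",
         "private_ip_allocation_method": "Static"},
    ],
    # Two backend pools: the BIG-IP external self IPs and internal self IPs.
    "backend_address_pools": [{"name": "bigip-external-selfips"},
                              {"name": "bigip-internal-selfips"}],
    "probes": [{"name": "tcp-probe", "protocol": "Tcp", "port": 443,
                "interval_in_seconds": 5, "number_of_probes": 2}],
    "load_balancing_rules": [
        # "External" side: individual rules per app port (80 shown; add 443 similarly).
        {"name": "app-80",
         "frontend_ip_configuration": {"id": f"{LB_ID}/frontendIPConfigurations/fe-external"},
         "backend_address_pool": {"id": f"{LB_ID}/backendAddressPools/bigip-external-selfips"},
         "probe": {"id": f"{LB_ID}/probes/tcp-probe"},
         "protocol": "Tcp", "frontend_port": 80, "backend_port": 80},
        # "Internal" side: one HA Ports rule (protocol All, port 0) for outbound traffic.
        {"name": "ha-ports",
         "frontend_ip_configuration": {"id": f"{LB_ID}/frontendIPConfigurations/fe-internal"},
         "backend_address_pool": {"id": f"{LB_ID}/backendAddressPools/bigip-internal-selfips"},
         "probe": {"id": f"{LB_ID}/probes/tcp-probe"},
         "protocol": "All", "frontend_port": 0, "backend_port": 0},
    ],
}).result()
```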
Advanced use cases (not pictured)
- Single NIC. If you did not want a 3-NIC BIG-IP, it would be possible to achieve Option C above with a single-NIC or dual-NIC VM: use a 2-NIC BIG-IP (1 NIC for mgmt, 1 for dataplane). Put your F5 pair behind a single internal Azure LB with only 1 LB rule, which has "HA Ports" checked (all ports). We can then have the default route of the server subnet point to the Azure LB, which will be served by a 0.0.0.0/0 VIP on the F5. Because this only allows you 1 LB rule on the Azure LB, enable DSR on the Azure LB rule. Designate an "alien subnet range" that doesn't exist in the VNET, but only on the BIG-IP. Create a route to this range, and point the next hop at the frontend IP on the only LB rule. Then have your FW send traffic to the actual VIP on the F5 that's within the alien range (not the frontend IP), which will get forwarded to the Azure LB, and then to the F5. I have tested this but see no real advantage, and prefer multi-NIC VM's.
- Alien range. As mentioned above, an "alien IP range" - a subnet not within the VNET but configured only on the BIG-IP for VIP's - can be used (a minimal route sketch follows this list). You can then create a UDR that points this "alien range" toward the FrontEnd IP on the Azure LB. An alien range may help you overcome the limit of internal IP's on Azure NIC's, but with a limit of 256 private IP's per NIC, I have not seen a case requiring this. An alien range might also allow app teams to manage their own network without bothering network admins. I would not advise going "around" network teams, however - cooperation is key. So I cannot find a great use for this in Azure, but I have written about how an alien range may help in AWS.
- DSR. Direct Server Return in Azure LB means that Azure LB will not perform Destination NAT on the traffic, and it will arrive at the backend pool member with the true destination IP address. This can be handy when you want to create 1 VIP per application in your BIG-IP cluster, and not worry about multiple VIP's per application, or VIP's with /30 masks, or VIP's that use Shared Address lists. However, given that we have multiple options to configure VIP's when Destination NAT is performed by Azure LB (as it is, by default), I generally don't recommend DSR on Azure LB unless it's truly desired.
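As a sketch of the alien-range routing described above, here is how a UDR entry might point a range that exists only on the BIG-IP's at the ILB frontend IP. The route table name, the alien prefix 192.0.2.0/24, and the frontend IP are hypothetical:

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

net = NetworkManagementClient(DefaultAzureCredential(), "<subscription-id>")

# A route table attached to the firewall-facing subnet. The "alien" prefix is
# not part of the VNET address space; it exists only as VIPs on the BIG-IPs.
net.route_tables.begin_create_or_update("my-rg", "fw-subnet-rt", {
    "location": "eastus",
    "routes": [{
        "name": "alien-vip-range",
        "address_prefix": "192.0.2.0/24",    # hypothetical alien range
        "next_hop_type": "VirtualAppliance",
        "next_hop_ip_address": "10.0.2.50",  # Azure ILB frontend IP
    }],
}).result()
```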
Personally, in this case I'd recommend proceeding with Option C above. I'd also point out:
- I believe operating in the cloud requires automation, so you should not shy away from automated updates to UDR's when required (a minimal sketch of such an update follows this list). Given these can be configured by tools like F5's Cloud Failover Extension (CFE), they are a part of mature cloud operations.
- I personally try to architect to allow for changes later. Making SNAT a requirement may be a limitation for app owners later on, so I try not to end up in a scenario where we enforce SNAT.
- I personally like to see outbound traffic traverse BIG-IP, and not just because it allows apps to see true source IP. Outbound traffic can be analyzed, optimized, secured, etc - and a sophisticated device like BIG-IP is the place to do it.
- Lastly, I recommend best practices we all should know:
- Use template-based deployments for production so that you have Infrastructure as Code
- Ideally keep your BIG-IP config off-box and deploy with AS3 templates
- Get your app and dev teams configuring BIG-IP using declarative deployments to speed your deployment times
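As an illustration of the UDR automation mentioned in the first bullet above (this is, in effect, what CFE does at failover), here is a minimal sketch that repoints the default route at the newly active BIG-IP. The route table name and IPs are hypothetical:

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

net = NetworkManagementClient(DefaultAzureCredential(), "<subscription-id>")

# On failover, the default route of the server subnet must point at the
# self IP of the now-active BIG-IP (CFE automates this update).
rt = net.route_tables.get("my-rg", "server-subnet-rt")
for route in rt.routes:
    if route.address_prefix == "0.0.0.0/0":
        route.next_hop_ip_address = "10.0.2.12"  # new active BIG-IP self IP
net.route_tables.begin_create_or_update("my-rg", "server-subnet-rt", rt).result()
```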
Conclusion
There are multiple ways to deploy BIG-IP when your requirements dictate an architecture that is not deployed by default. By keeping in mind my priorities of application services, operational support and high availability, you can decide on the best architecture for a given scenario.
Thanks for reading, and let me know if you have any questions.
- Sajid_Gul_Ambe1 (Nimbostratus)
In my case I have to deploy BYOL in a hub VNET.
- MichaelOLeary (Employee)
Hi Sajid,
If you have an existing VNET, I recommend you start with a template from F5 Networks' official repo. This does deploy an External Azure Load Balancer, but you could edit the template to deploy an internal load balancer. Assuming you want an HA pair of 3-NIC devices licensed via BYOL into an existing VNET, this is the template I recommend starting with:
You might deploy this template and then delete the external Load Balancer and deploy an internal Load Balancer instead, if you are uncomfortable with editing a template yourself. I am unable to customize a template specifically for your individual situation.
Does that make sense? You could also ask your F5 account team about professional services if you need.
- Sajid_Gul_Ambe1 (Nimbostratus)
Dear Michael,
Thanks a lot for your kind support. I will try this and update you accordingly.
- Sajid_Gul_Ambe1 (Nimbostratus)
Dear Michael,
I have tested the template and it deployed successfully in my lab environment. Currently, for testing purposes, I have used the PAYG template. Also, I have deleted the external Load Balancer; after deleting it, I was still able to access both BIG-IPs via the management public IP.
As I have deleted the external Load Balancer, it will now look like Option A, right?
For Option A you mentioned Source NAT is required. I am confused about where to Source NAT: on the F5 BIG-IP or the Azure LB?
- MichaelOLeary (Employee)
Hi Sajid,
Fair question. Now that you've deleted the external LB, you'll want to replace it with an internal LB. Also, if this is in your existing network, you may want to remove the public IP addresses from the mgmt interfaces. You'll have to SourceNAT on the F5 BIG-IP if you don't want to dynamically update routes on failover.
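To make that concrete: SNAT is configured on the BIG-IP virtual server itself, e.g. in AS3 it is a one-line property on the service. A minimal hypothetical fragment:

```python
# Fragment of an AS3 Application: "snat": "auto" makes the BIG-IP source-NAT
# client traffic to its own self IP (SNAT automap), so return traffic comes
# back to the same BIG-IP without any Azure route changes.
service = {
    "class": "Service_HTTP",
    "virtualAddresses": ["10.0.2.100"],  # hypothetical VIP
    "snat": "auto",
    "pool": "web_pool",
}
```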
- raviraj (Altostratus)
Hello MichaelOLeary
Thank you very much for this scenario and explanation. Option C with the Azure internal LB and two rules seems the most relevant.
Do you have an illustrative config example for Option C?
I have the following queries.
1. In the case of Option C (F5 VE Active/Standby with Azure ILB and two rules): what destination address ranges do we need to add in the UDR with next hop as the Azure ILB's second frontend IP (for example, 10.0.3.50)? Are those the end-user client subnets or on-prem IP address ranges (from where traffic is initiated)? And can we still have the default route pointing toward the firewall for other internet-bound traffic such as patch updates?
One more doubt I have: if those routes in the UDR are end-user client subnets or on-prem IP address ranges, and not all traffic from end users goes through the F5 (for example, some traffic going directly to app servers that are not behind any LBs), will that cause any issues?
2. If the backend servers (actual application VMs) reside in AVS (Azure VMware Solution), can we still leverage Option C with either an Active/Active or Active/Standby configuration? As per my understanding, we would need to do Source NAT for the Active/Standby config as well, since in AVS I am not sure how to point a static route toward the Azure ILB. Please correct my understanding if it is wrong.
- MichaelOLeary (Employee)
Hi raviraj
If I follow your question correctly, you are worried about causing asymmetric routing, is that correct? The normal rules of TCP/IP still apply: your request traffic should traverse the same path as your response traffic. If you have firewalls or other devices that inspect traffic at Layer 4, they will drop traffic if your routing is asymmetric. So I think the answers to your questions are:
1. You can only have 1 default route (0.0.0.0/0) per subnet in Azure. So if you have that pointed at a firewall, then it cannot also point at the F5 BIG-IP. Which means you will have to SNAT inbound traffic at the BIG-IP if you want it to traverse the BIG-IP on the return path. The same thing applies for any route (whether it's 0.0.0.0/0 or some other subnet in your environment).
2. I don't know anything about AVS, but if you cannot add a static route, then you will have to SNAT. I believe your understanding is correct.
You can shoot me a message via this DevCentral website if you want to move this chat to email or a phone call. Thanks for reading!
Mike
- MichaelOLeary (Employee)
Hi ChrisGordon
I'm just seeing your comment now; I'm sorry I have not replied sooner. If you still need help, shoot me a message via this website. Otherwise, if you have 0 statistics on your F5 BIG-IP statistics tab, double-check that the "Enable IP Forwarding" checkbox is enabled on your NIC in Azure. If you have enabled "Floating IP" on the Azure LB, then it does not perform destination NAT. Because of this, you must configure Azure to allow traffic to the BIG-IP where the Layer 3 destination IP address does not match the IP configuration on the NIC.
Thanks for reading!
Mike
- MichaelOLeary (Employee)
Hi raviraj
No problem, don't apologize. I'll do my best to answer, but I think it would be better to speak in person. Shoot me a private message over the DevCentral website if you like and we can set up a Zoom call.
- If the VIPs are different from the external interfaces of the F5, it doesn't really matter what the frontend IP is on your Azure ILB.
- If the frontend IP of the Azure ILB is 10.0.2.50, the external interfaces of the F5 are within the subnet 10.0.2.0/24, and the VIPs are different, I would do 2 things:
- a) I would set your Azure LB rule to have the "Floating IP" checkbox enabled. This is on the rule in Azure LB. This will forward the traffic without changing the destination IP at the Azure LB.
- b) I would enable the checkbox called "IP forwarding", which is on the network interface. Do this on both external interfaces of the F5 (a minimal sketch follows this list).
- Usually for inbound traffic you have a different rule for each port. That is true. But with internal Load Balancers in Azure (not with public-facing load balancers), you can check the box called "Enable HA Ports" on the Load Balancing rule. This will mean the rule is for all ports.
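A minimal sketch of step (b), flipping the IP forwarding setting on a NIC with the azure-mgmt-network Python SDK. The NIC and resource group names are hypothetical:

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient

net = NetworkManagementClient(DefaultAzureCredential(), "<subscription-id>")

# Read-modify-write: enable IP forwarding on the BIG-IP external data NIC so
# Azure delivers packets whose destination IP is not the NIC's own IP config.
nic = net.network_interfaces.get("my-rg", "bigip1-ext-nic")
nic.enable_ip_forwarding = True
net.network_interfaces.begin_create_or_update("my-rg", "bigip1-ext-nic", nic).result()
```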
- ranjith242 (Nimbostratus)
Hi MichaelOLeary
We have a Palo Alto firewall and a complex architecture implementing BIG-IP F5 HA in Azure, and we have a few queries about the routing options in Options A and C.