• Latest
  • Trending
  • All
  • News
  • Business
  • Politics
  • Science
  • World
  • Lifestyle
  • Tech
Windows Defender ATP Support for Windows 7 and Windows 8.1 Reaches ‘General Availability’

Deploy & Configure Azure ARM Load Balancer

January 15, 2021
How to use Microsoft Sysmon, Azure Sentinel to log security events

Microsoft Cloud Announces Three New Vertical Cloud Solutions

February 26, 2021
Innovative solutions for IT workers at home

Privacera Announces Partnership with Talend for Rapid Cloud Data Integration and Governance with Automated Privacy and Compliance

February 26, 2021
Innovative solutions for IT workers at home

What is database encryption?

February 26, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Microsoft Releases Azure Firewall Premium in Public Preview

February 26, 2021
Telecom Provider Migrates Confidently to Microsoft Azure with Fortinet’s Dynamic Cloud Security Solutions

Veeam Backup & Replication 11: Enhanced data management for a multi-cloud environment

February 25, 2021
8×8 makes raft of updates to platform

Advancing the Orchestration of Distributed Edge Applications, ZEDEDA Integrates with Microsoft Azure IoT

February 25, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Cloud Security in Banking Market to Witness Huge Growth by 2026 | Microsoft Azure, Trend Micro, Salesforce

February 25, 2021
Innovative solutions for IT workers at home

ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

February 24, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

ZEDEDA integrates with Microsoft Azure IoT to provide full lifecycle management capabilities

February 24, 2021
Innovative solutions for IT workers at home

SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

February 23, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Microsoft Affirms Solorigate Attackers Saw Azure, Intune and Exchange Source Code

February 23, 2021
How to use Microsoft Sysmon, Azure Sentinel to log security events

OPS101 – Securing your Hybrid environment – Part 1 – Azure Security Center

February 22, 2021
  • About
  • Advertise
  • Privacy & Policy
  • Contact
Monday, March 1, 2021
  • Login
Azure Security News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
    • Home – Layout 4
    • Home – Layout 5
  • News
    • All
    • Business
    • Politics
    • Science
    • World
    How to use Microsoft Sysmon, Azure Sentinel to log security events

    Microsoft Cloud Announces Three New Vertical Cloud Solutions

    Innovative solutions for IT workers at home

    Privacera Announces Partnership with Talend for Rapid Cloud Data Integration and Governance with Automated Privacy and Compliance

    Innovative solutions for IT workers at home

    What is database encryption?

    A moment of reckoning: the need for a strong and global cybersecurity response

    Cloud Security in Banking Market to Witness Huge Growth by 2026 | Microsoft Azure, Trend Micro, Salesforce

    Innovative solutions for IT workers at home

    ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

    A moment of reckoning: the need for a strong and global cybersecurity response

    ZEDEDA integrates with Microsoft Azure IoT to provide full lifecycle management capabilities

    Innovative solutions for IT workers at home

    SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

    A moment of reckoning: the need for a strong and global cybersecurity response

    Microsoft Affirms Solorigate Attackers Saw Azure, Intune and Exchange Source Code

    8×8 makes raft of updates to platform

    Indonesian Mobile Operator Selects NTT for Microsoft Security Project

    Microsoft To Build New Azure Cloud Data Centers In Greece

    NTT completes Microsoft security project for Indonesian mobile operator

    Trending Tags

    • Donald Trump
    • Future of News
    • Climate Change
    • Market Stories
    • Election Results
    • Flat Earth
  • Tech
    • All
    • Apps
    • Gear
    • Mobile
    • Startup
    A moment of reckoning: the need for a strong and global cybersecurity response

    Microsoft Releases Azure Firewall Premium in Public Preview

    Telecom Provider Migrates Confidently to Microsoft Azure with Fortinet’s Dynamic Cloud Security Solutions

    Veeam Backup & Replication 11: Enhanced data management for a multi-cloud environment

    8×8 makes raft of updates to platform

    Advancing the Orchestration of Distributed Edge Applications, ZEDEDA Integrates with Microsoft Azure IoT

    How to use Microsoft Sysmon, Azure Sentinel to log security events

    OPS101 – Securing your Hybrid environment – Part 1 – Azure Security Center

    A moment of reckoning: the need for a strong and global cybersecurity response

    Microsoft Ending Azure Information Protection Connections to Microsoft Defender for Endpoint

    Microsoft To Open Azure Cloud Data Center Region In Spain

    EMC Corporation Townsend security Hewlett-Packard Enterprise Gemalto N.V. Microsoft Azure Google Thales e-security International Business Machines (IBM) Broadcom

    A moment of reckoning: the need for a strong and global cybersecurity response

    Azure Engineer at VillageMD

    Innovative solutions for IT workers at home

    How to Sync On-Premise Active Directory Passwords with Office 365 and Google Apps in Real-Time

    Microsoft Azure Forms Collaboration to Enhance AI in Healthcare

    Azure Defender is now available for all IoT and OT devices

    Telecom Provider Migrates Confidently to Microsoft Azure with Fortinet’s Dynamic Cloud Security Solutions

    Google and Microsoft ID Group Targeting Security Researchers

    Trending Tags

    • Flat Earth
    • Sillicon Valley
    • Mr. Robot
    • MotoGP 2017
    • Golden Globes
    • Future of News
  • Entertainment
    • All
    • Gaming
    • Movie
    • Music
    • Sports
    Microsoft Flight Simulator Continues to Look Stunning in New Snow Video

    Microsoft Flight Simulator Continues to Look Stunning in New Snow Video

    Meet the woman who’s making consumer boycotts great again

    New campaign wants you to raise funds for abuse victims by ditching the razor

    Twitter tweaks video again, adding view counts for some users

    A beginner’s guide to the legendary Tim Tam biscuit, now available in America

    People are handing out badges at Tube stations to tackle loneliness

    Trump’s H-1B Visa Bill spooks India’s IT companies

    Magical fish basically has the power to conjure its own Patronus

    This Filipino guy channels his inner Miss Universe by strutting in six-inch heels and speedos

    Oil spill off India’s southern coast leaves fisherman stranded, marine life impacted

  • Lifestyle
    • All
    • Fashion
    • Food
    • Health
    • Travel
    Microsoft Seriously Beefs Up Security in Windows Server 2019

    Microsoft Offers More ‘Solorigate’ Advice Using Microsoft 365 Defender Tools

    A moment of reckoning: the need for a strong and global cybersecurity response

    Solar Winds, Office 365 & Shipbuilding…

    Aruba ClearPass Policy Manager Integrates with Microsoft

    Imprivata Expands Collaboration with Microsoft on New Digital Identity Innovations

    Microsoft Seriously Beefs Up Security in Windows Server 2019

    Microsoft Canada’s 10 biggest stories of 2020

    FAA issues new proposed Boeing 737 MAX pilot training procedures

    FAA issues new proposed Boeing 737 MAX pilot training procedures

    AMD breaks revenue records for 2019 and 4Q

    AMD breaks revenue records for 2019 and 4Q

    Microsoft and Analog Devices pair on 3D imaging tech

    Microsoft and Analog Devices pair on 3D imaging tech

    Microsoft is killing off insecure Cloud App Security cipher suites

    Microsoft is killing off insecure Cloud App Security cipher suites

    Rap group call out publication for using their image in place of ‘gang’

    Meet the woman who’s making consumer boycotts great again

    Trending Tags

    • Golden Globes
    • Mr. Robot
    • MotoGP 2017
    • Climate Change
    • Flat Earth
No Result
View All Result
Azure Security News
No Result
View All Result
Home News

Deploy & Configure Azure ARM Load Balancer

by AZURE SECURITY NEWS EDITOR
January 15, 2021
in News
0
Windows Defender ATP Support for Windows 7 and Windows 8.1 Reaches ‘General Availability’
491
SHARES
1.4k
VIEWS
Share on FacebookShare on Twitter

Deploy & Configure Azure ARM Load Balancer

In this post I will show you how to deploy and configure the Azure Resource Manager (ARM and CSP) network load balancer. The post will cover load balancing Azure virtual machines and creating NAT rules.

Background

As I explained in Understanding the Azure Resource Manager Load Balancer, Microsoft has made significant changes to how virtual machines are networked in a Resource Manager or ARM deployment. The concepts of cloud services and endpoints are dead. Instead, there are two options for making a virtual machine available on the Internet:

  • Public IP (PIP) Address: This is also known as an instance-level address. You assign a public IP address resource, with an optional Microsoft-owned domain name, to the virtual NIC of an individual virtual machine. This is a simple approach, but it isn’t very scalable or manageable, and it will waste public IPv4 addresses and increase costs.
  • Load Balancer: You create a single point of entry to your service that will have a single IP address. You can use the load balancer to create NAT rules, for example to enable remote desktop access to individual virtual machines with port remapping (TCP 50051 to TCP 3389 on VM01). You can also use the load balancer to create load balancing rules to spread traffic across a number of virtual machines.

The load balancer, which is a function of the network fabric in Azure and not Windows Network Load Balancing (NLB), can be used to provide external or internal load balancing, as was explained in my previous post.

The Scenario

I have deployed two new web servers as virtual machine in an Azure virtual network subnet, called web-vm01 and web-vm02. I want to deploy a load balancer in the Azure fabric that will load balancer HTTP traffic to both of these machines, and will allow me to create NAT rules that will allow remote desktop access to both virtual machines.

There are two things to note about the default virtual machine deployment:

  • The wizard to create a new Windows Server 2012 R2 virtual machine in ARM will deploy an instance-level public IP address that is associated with the virtual NIC; I made sure that a public IP address was not created for the virtual machines.
  • I have made sure that there is a single network security group (NSG), that is associated with the virtual network subnet; the default deployment creates one NSG that is associated with the NIC of the virtual machine so I removed this option during the machine deployment.
  • Both of my virtual machines were created in a common availability set – you cannot add existing machines to a new availability set!

Note, I cannot connect to my virtual machines via remote desktop without a VPN connection with this design. I will resolve this issue (which might not be an issue for some) using NAT rules.

New Load Balancer

In the Azure Portal, click New and search for Load Balancer; the first result should be the Load Balancer published by Microsoft in Networking. Click this option and click Create.

Give the load balancer a name; my resource group is called web-rg so I have named the load balancer web-lb.

The scheme option allows you to choose between an internal-facing or an external-facing load balancer – this allows you to either create the load balancer with a virtual network configuration (private) or with a publicly accessible IP address. I chose the latter option for my web server deployment.

Under public IP address, I am creating a new IP address with a static IP address. This will allow me to reliably point a DNS A record at the load balancer.

Finally, I selected my subscription, my web server resource group, and ensured that the region matched my resource group deployment.

A new load balancer will be running after a few minutes. You can see the public IP address of the load balancer in the resource’s blade, and this view also summarizes the rules that you have deployed (none at this point).

New NAT Rule

I want to enable RDP to each virtual machine in my deployment, whether it is load balanced or not. Open the settings of the new load balancer and select Inbound NAT Rules > Add. Fill in the details of the new NAT rule. Remote Desktop will use TCP 3389 but I will have multiple machines. So to make this work, I will use port mapping:

  • TCP 50001 will be redirected to TCP 3389 on web-vm01
  • TCP 50002 will be redirected to TCP 3389 on web-vm02

So I will connect to TCP 50002 on the load balancer’s public IP address if I want to connect to web-vm02 via remote desktop.

Most of the configuration is identical to creating a NAT rule on your broadband router or office firewall. One thing to note is Floating IP; this is used in scenarios such as SQL AlwaysOn so that the Azure virtual machine can receive traffic using the original destination IP address.

Azure will update the network configuration and the job will be completed within a few minutes. Now you should be able to open up the blade of the virtual machine, click Connect, and be able to remote desktop into the virtual machine using the new NAT rule.

I created two NAT rules, one for each virtual machine.

Now I try to remote into my virtual machines. The Connect button is no longer disabled but the connection times out. What is wrong?

Network Security Group

Although my security group appears blank, if I enable visibility of Default Rules, I will see a rule called DenyAllInbound with a priority of 65500. This rule prevents traffic routed by my NAT rule from reaching the virtual machines.

Browse to the settings of the network security group and click Add. Create a rule to allow traffic to reach TCP 3389. You can further restrict this to only allow traffic from a particular source, but be careful not to allow mobile administration.

This NSG is associated with the virtual network’s subnet so it will apply to all virtual machines in the subnet. It is possible to further restrict this with CIDR block, Tag, or by creating per-machine NSGs (best practice is per subnet).

Now I can successfully log into both of my virtual machines and enable the IIS role.

Create a Load Balancing Rule

Now I want to create a rule to allow HTTP traffic (TCP 80) in to my web servers, and be load balanced across the entire availability set; this gives me fault tolerance and can be later combined with auto-scaling for dynamic load capacity.

There are two prerequisites:

  • A probe
  • A backend pool based on the availability set

Open the settings of the load balancer and select Backend Pools > Add. Enter the name of the new backend pool. Then click Add A Virtual Machine and select a machine to add. Add all of the virtual machines from your availability set and save the results.

Return to the settings of the load balancer, open Probes and click Add. Here you will create a probe to query the availability of the machines in your availability set. You can get pretty fancy with this capability; make sure that you test the availability of the service that you are load balancing, e.g., HTTP.

Now we are ready to create a load balancing rule. Return to the settings of the load balancer, enter Load Balancing Rules and click Add. Here you will:

  1. Give the rule a name
  2. Choose a protocol and a port
  3. Select the backend pool
  4. Select the probe
  5. Choose if you want session persistent (None, Client IP, or Client IP and Protocol)
  6. Configure a session timeout (4-30 minutes)
  7. Choose if you want a floating IP – only recommended for a SQL AlwaysOn Availability Group Listener.

After the rule is created I can try to browse the load balanced website, using the public IP address of the load balancer … and it fails! That’s because we didn’t create a rule in the network security group!

Return to the settings of the NSG, enter Inbound Security Rules and create a rule to allow traffic to TCP 80. Once again, you can get very specific by using CIDR blocks or Tags. However, best practice is to have one NSG per subnet, and to put different tiers of applications into different subnets.

After the rule saves, I can browse the site using the public IP address of the load balancer.

Reference: https://petri.com/deploy-configure-azure-arm-load-balancer

Share196Tweet123Share49
AZURE SECURITY NEWS EDITOR

AZURE SECURITY NEWS EDITOR

Related Posts

How to use Microsoft Sysmon, Azure Sentinel to log security events

Microsoft Cloud Announces Three New Vertical Cloud Solutions

by AZURE SECURITY NEWS EDITOR
February 26, 2021
0

Microsoft is boosting its industry-cloud solutions with the announcement of three new programs. To help get these new Azure offerings...

Innovative solutions for IT workers at home

Privacera Announces Partnership with Talend for Rapid Cloud Data Integration and Governance with Automated Privacy and Compliance

by AZURE SECURITY NEWS EDITOR
February 26, 2021
0

 Privacera, the cloud data governance and security leader founded by the creators of Apache Ranger™, today announced a technology partnership...

Innovative solutions for IT workers at home

What is database encryption?

by AZURE SECURITY NEWS EDITOR
February 26, 2021
0

Database encryption protects sensitive information by scrambling the data when it’s stored, or, as it has become popular to say,...

A moment of reckoning: the need for a strong and global cybersecurity response

Cloud Security in Banking Market to Witness Huge Growth by 2026 | Microsoft Azure, Trend Micro, Salesforce

by AZURE SECURITY NEWS EDITOR
February 25, 2021
0

Latest launched research document on Global Cloud Security in Banking Market study of 111 Pages provides detailed analysis with presentable...

  • Trending
  • Comments
  • Latest
Microsoft’s CyberX Acquisition Boosts Security of Azure IoT Lineup

AZURE DEFAULT RESOURCE GROUP AND DEFAULT WORKSPACE: WHAT ARE THEY?

December 14, 2020
Microsoft Seriously Beefs Up Security in Windows Server 2019

TCS Launches Cloud Exponence on Microsoft Azure

January 21, 2021
Microsoft Launches Host of Security Products in Time for RSA

Microsoft to add two new Microsoft 365 security, compliance bundles to its line-up

November 26, 2020

Lady Gaga Pulled Off One of the Best Halftime Shows Ever

0

Barack Obama’s Now Mainly Focusing on Wearing This Casual Backwards Hat

0

Watch Justin Timberlake’s ‘Cry Me a River’ Come to Life in Mesmerizing Dance

0
How to use Microsoft Sysmon, Azure Sentinel to log security events

Microsoft Cloud Announces Three New Vertical Cloud Solutions

February 26, 2021
Innovative solutions for IT workers at home

Privacera Announces Partnership with Talend for Rapid Cloud Data Integration and Governance with Automated Privacy and Compliance

February 26, 2021
Innovative solutions for IT workers at home

What is database encryption?

February 26, 2021
Azure Security News

Copyright © 2020 - Azure Security

Navigate Site

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Follow Us

No Result
View All Result
  • Home
  • News
    • Politics
    • Business
    • World
    • Science
  • Entertainment
    • Gaming
    • Music
    • Movie
    • Sports
  • Tech
    • Apps
    • Gear
    • Mobile
    • Startup
  • Lifestyle
    • Food
    • Fashion
    • Health
    • Travel

Copyright © 2020 - Azure Security

Welcome Back!

Login to your account below

Forgotten Password?

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In