0
votes

I didn't find any information about these issues regarding the Azure internal load balancer:

  1. Adding another InputEndpoint leads to the ILB being created but not being accessible or functional
  2. Using “only” the ILB definition leads to the public default InputEndpoint vanishing
  3. Not transparent how long it takes until the ILB is available. However, it is visible by viewing the available port for the cloud services web role. If the public port is available, the ILB is not, and vice versa.

So these are my questions:

  1. Is it expected behavior that an internal load balancer replaces the public one?
  2. Is a public load balancer supported beside an internal one / can I have public access to web roles that are controlled by an internal load balancer?
  3. Are multiple ports supported (e.g. https beside http or private/public access)?

Some details: The internal load balancer is connected via fixed IP to a VPN for a cloud service. Configuration looks like this:

<?xml version="1.0"?>
<ServiceDefinition name="MyCloudTest" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2014-06.2.4">
  <WebRole name="MyWebRole" vmsize="Standard_D1">
    <Runtime executionContext="elevated" />
    <Sites>
      <Site name="Web">
        <Bindings>
          <Binding name="ILB-Endpoint-Http" endpointName="ilb-endpoint-http" />
          <!--<Binding name="ILB-Endpoint-Https" endpointName="ilb-endpoint-https" />-->
          <!--<Binding name="public-http-binding" endpointName="public-http-endpoint" />-->
        </Bindings>
      </Site>
    </Sites>
    <Endpoints>
      <!--<InputEndpoint name="public-http-endpoint" protocol="http" port="81" />-->
      <InputEndpoint name="ilb-endpoint-http" protocol="http" localPort="8080" port="8080" loadBalancer="my-ilb" />
      <!--<InputEndpoint name="ilb-endpoint-https" protocol="https" localPort="*" port="8443" loadBalancer="my-ilb" />-->
    </Endpoints>
  </WebRole>
</ServiceDefinition>

This is part of the ServiceConfiguration defining the ILB pointing to the VPN with fixed IP.

<NetworkConfiguration>
  <VirtualNetworkSite name="myvpn" />
  <AddressAssignments>
    <InstanceAddress roleName="MyWebRole">
      <Subnets>
        <Subnet name="intra" />
      </Subnets>
    </InstanceAddress>
  </AddressAssignments>
  <LoadBalancers>
    <LoadBalancer name="my-ilb">
      <FrontendIPConfiguration type="private" subnet="intra" staticVirtualNetworkIPAddress="172.28.0.27" />
    </LoadBalancer>
  </LoadBalancers>
</NetworkConfiguration>

Every hint is highly appreciated.

1
What was the InputEndpoint that you added which made things nonfunctional like? - Tim Lovell-Smith
What do you mean by using 'only the ILB definition' - you mean you never put loadBalancer="" in the csdef in that scenario? - Tim Lovell-Smith
Re Question 1: "1. Is it expected behavior that an internal load balancer replaces the public one?" I thought the point of internal load balancer is to restrict access to a resource such that it can only be accessed internally from the same Virtual Network or Cloud Service - Otherwise why not just use regular public load balancing with InputEndpoint? Why do you want a mixed access model? - Tim Lovell-Smith
@TimLovell-Smith The internal load balancer shall balance the traffic for calls coming from the intranet of the customer, restricting the access wasn't intentional. The public port is necessary for automatic testing purposes, the internal one is used by customer. Actually we solved the problem by pushing the automatic tests to the cloud. - Holger Leichsenring
@TimLovell-Smith You can see the InputEndpoint above <InputEndpoint name="public-http-endpoint" protocol="http" port="81" />. "only the ILB definition" means just one endpoint for the ILB, no second for public access. I guess the problem here is that two load balancers (one public, one internal) do not work and are not sensible from a technical point of view. As said before, we solved the issue by putting automatic tests in cloud. - Holger Leichsenring

1 Answer

1
votes

1. Is it expected behavior that an internal load balancer replaces the public one?

It is the same implementation, but ILB is restricted to your own private space (your VNET). See https://azure.microsoft.com/en-us/documentation/articles/load-balancer-overview/

2. Is a public load balancer supported beside an internal one/ can I have public access to web roles that are controlled by an internal load balancer?

Yes, you can have both in the same deployment.

3. Are multiple ports supported (e.g. https beside http or private/ public access)?

You can add multiple endpoints. An endpoint has a public port and a private port. Multiple public ports cannot share the same private port.
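An added example, not part of the answer above and not Azure tooling: a Python check over a service definition that lists which InputEndpoints are public and which are bound to an internal load balancer through `loadBalancer`, and flags endpoints in one role that share a `localPort`, the constraint the answer states. The sample csdef is constructed from the question's configuration; `audit_csdef` and the `ilb-endpoint-alt` endpoint are hypothetical names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"sd": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"}

# Constructed sample: the question's csdef with its commented-out public
# endpoint enabled, plus a hypothetical second ILB endpoint that reuses
# localPort 8080 so the conflict check has something to report.
SAMPLE_CSDEF = """<?xml version="1.0"?>
<ServiceDefinition name="MyCloudTest" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="MyWebRole" vmsize="Standard_D1">
    <Endpoints>
      <InputEndpoint name="public-http-endpoint" protocol="http" port="81" />
      <InputEndpoint name="ilb-endpoint-http" protocol="http" localPort="8080" port="8080" loadBalancer="my-ilb" />
      <InputEndpoint name="ilb-endpoint-alt" protocol="http" localPort="8080" port="8081" loadBalancer="my-ilb" />
    </Endpoints>
  </WebRole>
</ServiceDefinition>"""


def audit_csdef(csdef_xml):
    """Return (exposure, conflicts) for all roles in a service definition.

    exposure:  (role, endpoint, port, "public" | "internal:<lb name>")
    conflicts: (role, localPort, [endpoint names sharing that localPort])
    """
    root = ET.fromstring(csdef_xml)
    exposure, conflicts = [], []
    for role in root.findall("sd:WebRole", NS) + root.findall("sd:WorkerRole", NS):
        by_local = defaultdict(list)
        for ep in role.findall("sd:Endpoints/sd:InputEndpoint", NS):
            lb = ep.get("loadBalancer")
            scope = f"internal:{lb}" if lb else "public"
            exposure.append((role.get("name"), ep.get("name"), ep.get("port"), scope))
            # Only explicit localPort values are compared; "*" means a
            # dynamically assigned port and cannot collide by declaration.
            local = ep.get("localPort")
            if local and local != "*":
                by_local[local].append(ep.get("name"))
        for local, names in by_local.items():
            if len(names) > 1:
                conflicts.append((role.get("name"), local, names))
    return exposure, conflicts


if __name__ == "__main__":
    exposure, conflicts = audit_csdef(SAMPLE_CSDEF)
    for row in exposure:
        print("endpoint", row)
    for row in conflicts:
        print("shared localPort", row)
```

Running it against the csdef before each deployment makes an endpoint that lost its `loadBalancer` attribute, and is therefore public, visible in review.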