Posts

Azure Internal Load Balancer (ILB) hairpin

1. Introduction

As per Azure documentation - https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#limitations - the Azure Internal Load Balancer default behaviour is as follows:

"...if an outbound flow from a VM in the backend pool attempts a flow to frontend of the internal Load Balancer in which pool it resides and is mapped back to itself, both legs of the flow don't match and the flow will fail."

So, what happens if your application design requires backend pool members to make calls to the private frontend of the same load balancer they are associated with?

ILB hairpin - single backend

In the above example, if VM-WE-02-Web01 initiates a connection to 10.2.1.100:80 (the ILB VIP), there is a 100% chance this connection will fail. If the backend pool happened to contain other VMs (e.g. a backend pool with 2 instances), then there is a chance (50/50) that the frontend request would be mapped, successfully, to another backend member. As shown below:

Integrate On-Prem Apps with KeyVault over Private Connectivity

The Challenge - Private Endpoints for Azure Key Vault

Currently, Azure Key Vault offers only public IP endpoints for device, client, and app connectivity. While all communication with Azure Key Vault requires an encrypted TLS/SSL channel, there are customers who prefer device communication with Key Vault to occur over a private connection.

There are several important use cases where Azure Key Vault would benefit from offering a private endpoint to devices, clients, and apps:

· Private traffic through ExpressRoute (e.g., factory devices with secure private IPs that use MPLS for Cloud connectivity)
· You are using Key Vault to store encryption keys, application secrets, and certificates, and you want to block access to your key vault from the public internet
· You have an application running in your Azure virtual network, and this virtual network is locked down for all inbound and outbound traffic. Your application still needs to connect to