Azure Firewall and Standard Load Balancer
Overview
In this article, you will explore inbound NAT rules on an Azure external Standard Load Balancer and NAT (DNAT) rules on Azure Firewall.
Through this exercise, the following resources will be configured.
- Azure virtual network with three subnets: web server, client and Azure Firewall
- Azure external Standard Load Balancer
- Two Azure Windows virtual machines as the load balancer backend pool
- Azure Firewall
- One Azure Ubuntu virtual machine (no public IP)
- User-defined route table for the client subnet
You will be able to ssh to the Ubuntu VM using three different configurations. When you use an Azure Firewall DNAT rule, you generate inbound traffic through the firewall.
From this Ubuntu VM, you will access the web site hosted in the external load balancer backend pool via Azure Firewall, which generates outbound traffic through the firewall.
System Diagram
Under ronniepersonal-vnet, there are three subnets.
The web subnet hosts the load balancer and two Azure VMs. A web site runs on each VM, and users browse the site via the load balancer.
AzureFirewallSubnet is dedicated to Azure Firewall.
The client subnet hosts one Azure Ubuntu VM; this is the Linux VM you will ssh to.
Network Configuration for SSH
There are three options for remoting to a private Azure VM (one without a public IP) from your local/home PC.
- Load balancer inbound NAT rule
In this case the external load balancer has a public IP, x.x.219.91. From your local ssh client you reach the load balancer, and the LB inbound NAT rule translates the request and forwards it to the target VM on port 22.
Meanwhile, client-subnet-nsg also needs an inbound rule that allows traffic to destination port 22. Because the inbound NAT rule does not change the source IP, that NSG rule sees your client's public IP as the source, not the load balancer.
- SSH via Azure Firewall NAT rule (SSH-NAT-to-VM)
- SSH via Azure Firewall NAT rule and load balancer inbound NAT rule (SSH-NAT-to-LB)
The screenshot below shows the two DNAT rules; you could further narrow them down by restricting the source IP as well. The destination, x.x.176.61, is the Azure Firewall public IP.
Rule SSH-NAT-to-LB forwards the traffic to the load balancer public IP on port 33893, and the load balancer inbound NAT rule then forwards it to the destination VM. This two-hop configuration is for exploration; in a real use case it is not necessarily done this way.
Rule SSH-NAT-to-VM forwards the traffic directly to the Azure VM private IP on port 22.
- Testing Connectivity
Load balancer public IP address is x.x.219.91
Azure firewall public IP address is x.x.176.61
From the ssh client, you log on successfully using x.x.219.91:33893, x.x.176.61:22389 and x.x.176.61:22390.
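The three SSH paths above, expressed as Azure CLI commands. This is an added example, not a script from the original article. The resource group, resource names, the NIC name and the client public IP are assumptions, the x.x. prefixes keep the article's redacted addresses, and the mapping of firewall port 22389 to SSH-NAT-to-VM and 22390 to SSH-NAT-to-LB is assumed (the article lists both ports without saying which rule owns which). By default the script prints the commands instead of running them; set DRY_RUN=0 to execute.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): Azure CLI commands for the
# three SSH paths. Resource group, resource names, NIC name and the client
# public IP are assumptions; x.x. prefixes mirror the article's redaction.
set -euo pipefail

RG="${RG:-rq-lab-rg}"                 # assumed resource group
LB="${LB:-rq-external-lb}"            # assumed load balancer name
FW="${FW:-rq-azfw}"                   # assumed firewall name
NIC="${NIC:-rqclientvm1-nic}"         # assumed NIC of rqclientvm1
LB_PIP="x.x.219.91"                   # load balancer public IP (redacted as in the article)
FW_PIP="x.x.176.61"                   # firewall public IP (redacted as in the article)
VM_IP="10.2.1.4"                      # rqclientvm1 private IP
CLIENT_PIP="${CLIENT_PIP:-x.x.x.13}"  # public IP of the machine you ssh from
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the az commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi; }

# Option 1: LB inbound NAT rule, frontend port 33893 -> rqclientvm1:22.
# Inbound NAT does not rewrite the source address, so the NSG on the client
# subnet must admit port 22 from the real client public IP, not from the LB.
lb_inbound_nat() {
  run az network lb inbound-nat-rule create -g "$RG" --lb-name "$LB" -n SSH-to-rqclientvm1 \
      --protocol Tcp --frontend-port 33893 --backend-port 22 --frontend-ip-name LoadBalancerFrontEnd
  # The rule only takes effect once it is bound to the VM NIC's ip-config.
  run az network nic ip-config inbound-nat-rule add -g "$RG" --nic-name "$NIC" \
      --ip-config-name ipconfig1 --lb-name "$LB" --inbound-nat-rule SSH-to-rqclientvm1
  run az network nsg rule create -g "$RG" --nsg-name client-subnet-nsg -n Allow-SSH-from-client \
      --priority 100 --direction Inbound --access Allow --protocol Tcp \
      --source-address-prefixes "$CLIENT_PIP/32" --destination-port-ranges 22
}

# Options 2 and 3: Azure Firewall DNAT rules on the firewall public IP.
# Pinning --source-addresses to your own public IP is the "narrow down" the
# article mentions; without it any Internet host can reach the DNAT port.
fw_dnat() {
  # Assumed port: 22389 -> directly to the VM private IP on port 22.
  run az network firewall nat-rule create -g "$RG" -f "$FW" --collection-name SSH-DNAT \
      --priority 100 --action Dnat -n SSH-NAT-to-VM --protocols TCP \
      --source-addresses "$CLIENT_PIP" --destination-addresses "$FW_PIP" --destination-ports 22389 \
      --translated-address "$VM_IP" --translated-port 22
  # Assumed port: 22390 -> LB public IP:33893 -> inbound NAT rule -> rqclientvm1:22 (two hops).
  run az network firewall nat-rule create -g "$RG" -f "$FW" --collection-name SSH-DNAT \
      -n SSH-NAT-to-LB --protocols TCP \
      --source-addresses "$CLIENT_PIP" --destination-addresses "$FW_PIP" --destination-ports 22390 \
      --translated-address "$LB_PIP" --translated-port 33893
}

lb_inbound_nat
fw_dnat
```

The NSG rule is the piece most often forgotten: the DNAT rules live on the firewall, but option 1 never touches the firewall, so only the NSG protects port 22 on that path.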
Understanding Asymmetric Routing Issue
Integrate Azure Firewall with Azure Standard Load Balancer | Microsoft Docs
Asymmetric routing is where a packet takes one path to the destination and another path when returning to the source. This issue occurs when a subnet has a default route (0.0.0.0/0) going to the firewall's private IP address (the route named "azfw" in the screenshot): the SSH request arrives via the load balancer or the firewall public IP, but the reply follows the default route to the firewall instead of the path the request came in on, so the connection fails.
To fix the asymmetric routing issue, add a more specific route so that reply packets go back to the source public IP via the Internet. Azure selects the longest matching prefix, so a /32 route with next hop type Internet takes precedence over the default route to the firewall's private IP.
When you ssh via the load balancer public IP, add the Allow-SSH-LB route to the UDR; its address prefix is the client machine's public IP, in this case x.x.x.13/32 (your local machine's public IP, because the load balancer inbound NAT rule does not change the source IP).
When you ssh via the Azure Firewall public IP, add the Allow-SSH route to the UDR; its address prefix is the Azure Firewall public IP, x.x.176.61/32.
Access Web Site Via Azure Firewall
The Ubuntu VM rqclientvm1 is in the client subnet; its private IP, 10.2.1.4, is the first available address in that subnet. The subnet is associated with a user-defined route table whose default route points to the Azure Firewall private IP, 10.2.1.68.
The web site hosted in the load balancer backend pool is a public endpoint, so traffic to it from rqclientvm1 follows the default route to the Azure Firewall private IP, and Azure Firewall denies all traffic by default.
To access the web site from rqclientvm1, add an Azure Firewall application rule that allows the traffic: the source is the client subnet IP space, 10.2.1.0/26, and the target is the load balancer public IP, x.x.219.91.
Now log on to rqclientvm1; you should be able to open the web site home page with the following command.
xxser@rqclientvm1:~$ curl http://x.x.219.91
Hello World from rqprivate-vm1
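The client-subnet route table from the asymmetric routing section and the firewall application rule from this section, as Azure CLI commands. This is an added example, not a script from the original article. The resource group, the route table and firewall names, the NIC name and the client public IP are assumptions; the x.x. prefixes keep the article's redacted addresses. By default it prints the commands; set DRY_RUN=0 to execute them against a subscription.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): the client-subnet UDR that
# keeps the SSH return path symmetric, plus the firewall rule that lets
# rqclientvm1 reach the web site behind the load balancer. Resource group,
# route table, firewall and NIC names and the client public IP are assumptions.
set -euo pipefail

RG="${RG:-rq-lab-rg}"                 # assumed resource group
FW="${FW:-rq-azfw}"                   # assumed firewall name
RT="${RT:-client-subnet-rt}"          # assumed route table on the client subnet
NIC="${NIC:-rqclientvm1-nic}"         # assumed NIC of rqclientvm1
FW_PRIVATE_IP="10.2.1.68"             # firewall private IP (from the article)
FW_PIP="x.x.176.61"                   # firewall public IP (redacted as in the article)
LB_PIP="x.x.219.91"                   # load balancer public IP (redacted as in the article)
CLIENT_PIP="${CLIENT_PIP:-x.x.x.13}"  # public IP of the machine you ssh from
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the az commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi; }

# route NAME PREFIX NEXT-HOP-TYPE [NEXT-HOP-IP]; Internet routes take no next-hop IP.
route() {
  local name=$1 prefix=$2 hop=$3 ip=${4:-}
  if [ -n "$ip" ]; then
    run az network route-table route create -g "$RG" --route-table-name "$RT" -n "$name" \
        --address-prefix "$prefix" --next-hop-type "$hop" --next-hop-ip-address "$ip"
  else
    run az network route-table route create -g "$RG" --route-table-name "$RT" -n "$name" \
        --address-prefix "$prefix" --next-hop-type "$hop"
  fi
}

client_subnet_udr() {
  # Default route: everything leaving the subnet goes to the firewall's private IP.
  route azfw 0.0.0.0/0 VirtualAppliance "$FW_PRIVATE_IP"
  # Host routes to Internet. Azure picks the longest matching prefix, so these
  # /32 routes beat 0.0.0.0/0 and SSH replies return the way the request came:
  #  - Allow-SSH-LB: LB inbound NAT keeps the original source, so the reply is
  #    addressed to the client's public IP
  #  - Allow-SSH: replies addressed to the firewall's public IP
  route Allow-SSH-LB "$CLIENT_PIP/32" Internet
  route Allow-SSH "$FW_PIP/32" Internet
}

allow_web_via_firewall() {
  # Azure Firewall denies by default; allow HTTP from the client subnet to the LB public IP.
  run az network firewall application-rule create -g "$RG" -f "$FW" \
      --collection-name Client-Web --priority 200 --action Allow -n Allow-LB-Web \
      --source-addresses 10.2.1.0/26 --protocols Http=80 --target-fqdns "$LB_PIP"
}

verify() {
  # Effective routes as the VM NIC sees them: the two /32 Internet routes must be present
  # alongside 0.0.0.0/0 -> 10.2.1.68, otherwise the SSH replies still enter the firewall.
  run az network nic show-effective-route-table -g "$RG" -n "$NIC" -o table
  # From rqclientvm1: the request leaves via the firewall and is matched by the application rule.
  run curl -sS "http://$LB_PIP"
}

client_subnet_udr
allow_web_via_firewall
verify
```

Keep the Internet host routes as narrow as the /32s shown: a broader prefix would let traffic to that range bypass the firewall entirely, which is exactly what the default route to 10.2.1.68 is there to prevent.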
Deployment Script
Here is the ARM template for all the resources in this exercise.