---
title: 'Tutorial: Create a gateway load balancer - Azure CLI'
titleSuffix: Azure Load Balancer
description: Use this tutorial to learn how to create a gateway load balancer using the Azure CLI.
author: greg-lindsay
ms.author: greglin
ms.service: load-balancer
ms.topic: tutorial
ms.date: 11/02/2021
ms.custom: template-tutorial, ignite-fall-2021, devx-track-azurecli
ms.devlang: azurecli
---
Azure Load Balancer consists of Standard, Basic, and Gateway SKUs. Gateway Load Balancer is used for transparent insertion of Network Virtual Appliances (NVAs). Use Gateway Load Balancer for scenarios that require high performance and high scalability of NVAs.

In this tutorial, you learn how to:

> [!div class="checklist"]
> - Create a virtual network.
> - Create a network security group.
> - Create a gateway load balancer.
> - Chain a load balancer frontend to the gateway load balancer.

> [!IMPORTANT]
> Azure Gateway Load Balancer is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
[!INCLUDE azure-cli-prepare-your-environment.md]

- This tutorial requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
- An Azure account with an active subscription. Create an account for free.
- An existing public standard SKU Azure Load Balancer. For more information on creating a load balancer, see Create a public load balancer using the Azure CLI.
  - For the purposes of this tutorial, the existing load balancer in the examples is named myLoadBalancer.
An Azure resource group is a logical container into which Azure resources are deployed and managed.

Create a resource group with `az group create`:

```azurecli-interactive
az group create \
    --name TutorGwLB-rg \
    --location eastus
```
A virtual network is needed for the resources that are in the backend pool of the gateway load balancer.

Use `az network vnet create` to create the virtual network.

```azurecli-interactive
az network vnet create \
    --resource-group TutorGwLB-rg \
    --location eastus \
    --name myVNet \
    --address-prefixes 10.1.0.0/16 \
    --subnet-name myBackendSubnet \
    --subnet-prefixes 10.1.0.0/24
```
Use `az network public-ip create` to create a public IP address for the Azure Bastion host.

```azurecli-interactive
az network public-ip create \
    --resource-group TutorGwLB-rg \
    --name myBastionIP \
    --sku Standard \
    --zone 1 2 3
```
Use `az network vnet subnet create` to create the bastion subnet.

```azurecli-interactive
az network vnet subnet create \
    --resource-group TutorGwLB-rg \
    --name AzureBastionSubnet \
    --vnet-name myVNet \
    --address-prefixes 10.1.1.0/27
```
Use `az network bastion create` to deploy a bastion host for secure management of resources in the virtual network.

```azurecli-interactive
az network bastion create \
    --resource-group TutorGwLB-rg \
    --name myBastionHost \
    --public-ip-address myBastionIP \
    --vnet-name myVNet \
    --location eastus
```

It can take a few minutes for the Azure Bastion host to deploy.
Use the following example to create a network security group. You'll configure the NSG rules needed for network traffic in the virtual network created previously.

Use `az network nsg create` to create the NSG.

```azurecli-interactive
az network nsg create \
    --resource-group TutorGwLB-rg \
    --name myNSG
```

Use `az network nsg rule create` to create rules for the NSG.

```azurecli-interactive
az network nsg rule create \
    --resource-group TutorGwLB-rg \
    --nsg-name myNSG \
    --name myNSGRule-AllowAll \
    --protocol '*' \
    --direction inbound \
    --source-address-prefix '0.0.0.0/0' \
    --source-port-range '*' \
    --destination-address-prefix '0.0.0.0/0' \
    --destination-port-range '*' \
    --access allow \
    --priority 100

az network nsg rule create \
    --resource-group TutorGwLB-rg \
    --nsg-name myNSG \
    --name myNSGRule-AllowAll-TCP-Out \
    --protocol 'TCP' \
    --direction outbound \
    --source-address-prefix '0.0.0.0/0' \
    --source-port-range '*' \
    --destination-address-prefix '0.0.0.0/0' \
    --destination-port-range '*' \
    --access allow \
    --priority 100
```
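The inbound rule just created admits every protocol and port from any source, which is convenient for a lab and broader than most NVA deployments need. The Python script below is an added example, not part of this tutorial or of the Azure CLI. It reproduces how an NSG decides a flow (rules checked in ascending priority number, first match wins, Azure's built-in default rules at priority 65000 and above as the floor) and lists custom inbound allow rules of the shape created above so they can be narrowed to what the appliances actually need. The rule JSON is a constructed sample in the shape `az network nsg rule list --resource-group TutorGwLB-rg --nsg-name myNSG --output json` would return (the camelCase field names are an assumption), and the VirtualNetwork, AzureLoadBalancer and Internet service tags are approximated with the tutorial's 10.1.0.0/16 address space and the platform's 168.63.129.16 probe address.

```python
import ipaddress
import json

# Constructed sample in the shape `az network nsg rule list --nsg-name myNSG
# --output json` returns for the two rules this tutorial creates (the camelCase
# field names are an assumption, not captured output).
SAMPLE_RULES_JSON = """[
  {"name": "myNSGRule-AllowAll", "priority": 100, "direction": "Inbound",
   "access": "Allow", "protocol": "*",
   "sourceAddressPrefix": "0.0.0.0/0", "sourcePortRange": "*",
   "destinationAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"},
  {"name": "myNSGRule-AllowAll-TCP-Out", "priority": 100, "direction": "Outbound",
   "access": "Allow", "protocol": "Tcp",
   "sourceAddressPrefix": "0.0.0.0/0", "sourcePortRange": "*",
   "destinationAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"}
]"""


def _rule(name, prio, direction, access, src, dst, proto="*"):
    return {"name": name, "priority": prio, "direction": direction, "access": access,
            "protocol": proto, "sourceAddressPrefix": src, "sourcePortRange": "*",
            "destinationAddressPrefix": dst, "destinationPortRange": "*"}


# Azure's built-in default rules; they sit below every custom rule.
DEFAULT_RULES = [
    _rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork"),
    _rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*"),
    _rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*"),
    _rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork"),
    _rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet"),
    _rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*"),
]

# Service-tag approximations (assumptions for this example): VirtualNetwork is
# the tutorial's myVNet space, AzureLoadBalancer is the platform probe address,
# Internet is anything outside the VNet.
VNET = ipaddress.ip_network("10.1.0.0/16")
AZURE_LB_SOURCE = ipaddress.ip_address("168.63.129.16")


def _prefix_matches(prefix, ip):
    addr = ipaddress.ip_address(ip)
    if prefix in ("*", "0.0.0.0/0"):
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET
    if prefix == "Internet":
        return addr not in VNET
    if prefix == "AzureLoadBalancer":
        return addr == AZURE_LB_SOURCE
    return addr in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")  # "22" or "1000-2000"
    return int(lo) <= port <= int(hi or lo)


def sample_rules():
    return json.loads(SAMPLE_RULES_JSON)


def evaluate(rules, direction, proto, src_ip, src_port, dst_ip, dst_port):
    """Decide one flow: lowest priority number first, first match wins.
    Returns (access, rule name)."""
    candidates = [r for r in list(rules) + DEFAULT_RULES if r["direction"] == direction]
    for r in sorted(candidates, key=lambda r: r["priority"]):
        if ((r["protocol"] == "*" or r["protocol"].lower() == proto.lower())
                and _prefix_matches(r["sourceAddressPrefix"], src_ip)
                and _port_matches(r["sourcePortRange"], src_port)
                and _prefix_matches(r["destinationAddressPrefix"], dst_ip)
                and _port_matches(r["destinationPortRange"], dst_port)):
            return r["access"], r["name"]
    raise ValueError("no rule matched; the default Deny rules should always match")


def find_open_inbound_rules(rules):
    """Custom inbound Allow rules that accept any source on any destination port,
    the shape of myNSGRule-AllowAll; candidates for narrowing to the NVAs' needs."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["sourceAddressPrefix"] in ("*", "0.0.0.0/0", "Internet")
            and r["destinationPortRange"] == "*"]


if __name__ == "__main__":
    rules = sample_rules()
    # Internet host reaching SSH on a backend VM: allowed by myNSGRule-AllowAll.
    print(evaluate(rules, "Inbound", "Tcp", "203.0.113.7", 51000, "10.1.0.4", 22))
    # Same flow with the custom rule removed: falls through to DenyAllInBound.
    print(evaluate([], "Inbound", "Tcp", "203.0.113.7", 51000, "10.1.0.4", 22))
    print(find_open_inbound_rules(rules))
```

To run it against a real NSG, replace `SAMPLE_RULES_JSON` with the output of `az network nsg rule list ... --output json`; rules that use `sourceAddressPrefixes` or `destinationPortRanges` lists rather than the singular fields would need the matcher extended to iterate those lists.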
In this section, you'll create the configuration and deploy the gateway load balancer.

To create the load balancer, use `az network lb create`.

```azurecli-interactive
az network lb create \
    --resource-group TutorGwLB-rg \
    --name myLoadBalancer-gw \
    --sku Gateway \
    --vnet-name myVNet \
    --subnet myBackendSubnet \
    --backend-pool-name myBackendPool \
    --frontend-ip-name myFrontEnd
```
An internal tunnel interface is automatically created by the Azure CLI with `--identifier` 900 and `--port` 10800.

You'll use `az network lb address-pool tunnel-interface add` to create the external tunnel interface for the load balancer.

```azurecli-interactive
az network lb address-pool tunnel-interface add \
    --address-pool myBackendPool \
    --identifier '901' \
    --lb-name myLoadBalancer-gw \
    --protocol VXLAN \
    --resource-group TutorGwLB-rg \
    --type External \
    --port '10801'
```
A health probe is required to monitor the health of the backend instances in the load balancer. Use `az network lb probe create` to create the health probe.

```azurecli-interactive
az network lb probe create \
    --resource-group TutorGwLB-rg \
    --lb-name myLoadBalancer-gw \
    --name myHealthProbe \
    --protocol http \
    --port 80 \
    --path '/' \
    --interval '5' \
    --threshold '2'
```
Traffic destined for the backend instances is routed with a load-balancing rule. Use `az network lb rule create` to create the load-balancing rule.

```azurecli-interactive
az network lb rule create \
    --resource-group TutorGwLB-rg \
    --lb-name myLoadBalancer-gw \
    --name myLBRule \
    --protocol All \
    --frontend-port 0 \
    --backend-port 0 \
    --frontend-ip-name myFrontEnd \
    --backend-pool-name myBackendPool \
    --probe-name myHealthProbe
```
Deploy NVAs through the Azure Marketplace. Once deployed, add the virtual machines to the backend pool with `az network nic ip-config address-pool add`.

In this example, you'll chain the frontend of a standard load balancer to the gateway load balancer.

You'll add the frontend to the frontend IP of an existing load balancer in your subscription.

Use `az network lb frontend-ip show` to place the resource ID of your gateway load balancer frontend into a variable.

Use `az network lb frontend-ip update` to chain the gateway load balancer frontend to your existing load balancer.

```azurecli-interactive
feid=$(az network lb frontend-ip show \
    --resource-group TutorGwLB-rg \
    --lb-name myLoadBalancer-gw \
    --name myFrontEnd \
    --query id \
    --output tsv)

az network lb frontend-ip update \
    --resource-group CreatePubLBQS-rg \
    --name myFrontendIP \
    --lb-name myLoadBalancer \
    --public-ip-address myPublicIP \
    --gateway-lb $feid
```
Alternatively, you can chain a VM's NIC IP configuration to the gateway load balancer.

You'll add the gateway load balancer's frontend to an existing VM's NIC IP configuration.

Use `az network lb frontend-ip show` to place the resource ID of your gateway load balancer frontend into a variable.

Use `az network nic ip-config update` to chain the gateway load balancer frontend to your existing VM's NIC IP configuration.

```azurecli-interactive
feid=$(az network lb frontend-ip show \
    --resource-group TutorGwLB-rg \
    --lb-name myLoadBalancer-gw \
    --name myFrontEnd \
    --query id \
    --output tsv)

az network nic ip-config update \
    --resource-group MyResourceGroup \
    --nic-name MyNIC \
    --name MyIPconfig \
    --gateway-lb $feid
```
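Once the gateway load balancer is built and chained, the JSON the CLI returns for it can be checked for the properties the tunnel-interface, rule and chaining steps above rely on: Gateway SKU; one Internal and one External VXLAN tunnel interface with distinct identifiers and ports (900/10800 and 901/10801 here); a load-balancing rule using protocol All with frontend and backend port 0 that references an existing probe; and a chained frontend whose `gatewayLoadBalancer.id` is this gateway load balancer's frontend. The Python below is an added example, not part of this tutorial or of the Azure CLI. Its inputs are constructed samples in the shape `az network lb show --resource-group TutorGwLB-rg --name myLoadBalancer-gw --output json` and `az network lb frontend-ip show ... --output json` would return (the camelCase field names are an assumption, and the subscription id is a placeholder); the same check applies to the NIC IP configuration variant, since it carries the same `gatewayLoadBalancer` reference.

```python
import json

# Constructed samples in the shape the Azure CLI's JSON output takes for
# `az network lb show` on myLoadBalancer-gw and for `az network lb frontend-ip
# show` on the chained standard load balancer (camelCase field names are an
# assumption; the subscription id is a placeholder).
GW_LB_ID = ("/subscriptions/<subscription-id>/resourceGroups/TutorGwLB-rg"
            "/providers/Microsoft.Network/loadBalancers/myLoadBalancer-gw")
GW_FRONTEND_ID = GW_LB_ID + "/frontendIPConfigurations/myFrontEnd"

SAMPLE_GATEWAY_LB_JSON = json.dumps({
    "name": "myLoadBalancer-gw",
    "sku": {"name": "Gateway"},
    "frontendIPConfigurations": [{"name": "myFrontEnd", "id": GW_FRONTEND_ID}],
    "backendAddressPools": [{"name": "myBackendPool", "tunnelInterfaces": [
        {"identifier": 900, "port": 10800, "protocol": "VXLAN", "type": "Internal"},
        {"identifier": 901, "port": 10801, "protocol": "VXLAN", "type": "External"}]}],
    "probes": [{"name": "myHealthProbe", "protocol": "Http", "port": 80, "requestPath": "/"}],
    "loadBalancingRules": [{"name": "myLBRule", "protocol": "All",
                            "frontendPort": 0, "backendPort": 0,
                            "probe": {"id": GW_LB_ID + "/probes/myHealthProbe"}}],
})

SAMPLE_CHAINED_FRONTEND_JSON = json.dumps({
    "name": "myFrontendIP",
    "gatewayLoadBalancer": {"id": GW_FRONTEND_ID},
})


def sample_gateway_lb():
    return json.loads(SAMPLE_GATEWAY_LB_JSON)


def sample_chained_frontend():
    return json.loads(SAMPLE_CHAINED_FRONTEND_JSON)


def check_gateway_lb(lb):
    """Return a list of findings; an empty list means the gateway load balancer
    has the shape this tutorial builds."""
    findings = []
    if lb.get("sku", {}).get("name") != "Gateway":
        findings.append("sku is not Gateway")
    for pool in lb.get("backendAddressPools", []):
        ifaces = pool.get("tunnelInterfaces") or []
        types = sorted(i["type"] for i in ifaces)
        if types != ["External", "Internal"]:
            findings.append(f"pool {pool['name']}: expected one Internal and one External "
                            f"tunnel interface, got {types}")
        # Each tunnel interface must have its own VXLAN identifier and UDP port.
        if (len({i["identifier"] for i in ifaces}) != len(ifaces)
                or len({i["port"] for i in ifaces}) != len(ifaces)):
            findings.append(f"pool {pool['name']}: tunnel identifiers and ports must be distinct")
        for i in ifaces:
            if i["protocol"].upper() != "VXLAN":
                findings.append(f"pool {pool['name']}: interface {i['identifier']} uses "
                                f"{i['protocol']}, not VXLAN")
    probe_names = {p["name"] for p in lb.get("probes", [])}
    rules = lb.get("loadBalancingRules", [])
    if not rules:
        findings.append("no load-balancing rule: nothing routes traffic to the backend pool")
    for rule in rules:
        if (rule.get("protocol"), rule.get("frontendPort"), rule.get("backendPort")) != ("All", 0, 0):
            findings.append(f"rule {rule['name']}: gateway rules use protocol All with ports 0")
        probe = (rule.get("probe") or {}).get("id", "").rsplit("/", 1)[-1]
        if probe not in probe_names:
            findings.append(f"rule {rule['name']}: references missing probe {probe!r}")
    return findings


def is_chained_to(frontend, lb):
    """True when the frontend (or NIC IP configuration) JSON's gatewayLoadBalancer.id
    names one of this gateway load balancer's frontends. Resource ids are compared
    case-insensitively, as Azure treats them."""
    gw_id = (frontend.get("gatewayLoadBalancer") or {}).get("id")
    frontends = {f["id"].lower() for f in lb.get("frontendIPConfigurations", [])}
    return gw_id is not None and gw_id.lower() in frontends


if __name__ == "__main__":
    lb = sample_gateway_lb()
    print("findings:", check_gateway_lb(lb))
    print("chained:", is_chained_to(sample_chained_frontend(), lb))
```

Feed it real output by replacing the two sample documents with what `az network lb show` and `az network lb frontend-ip show` (or `az network nic ip-config show` for the NIC variant) return; an unchained resource shows `gatewayLoadBalancer` as `null`, which `is_chained_to` reports as false.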
When no longer needed, you can use the `az group delete` command to remove the resource group, load balancer, and the remaining resources.

```azurecli-interactive
az group delete \
    --name TutorGwLB-rg
```
Create Network Virtual Appliances in Azure.

When creating the NVAs, choose the resources created in this tutorial:

- Virtual network
- Subnet
- Network security group
- Gateway Load Balancer

Advance to the next article to learn how to create a cross-region Azure Load Balancer.

> [!div class="nextstepaction"]
> Cross-region load balancer