
How to solve the asymmetric routing problem of Azure Firewall

2025-03-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Azure Firewall is a managed, cloud-based network security service that protects Azure virtual network resources. It is a fully stateful firewall delivered as a service, with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, so external firewalls can identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

Consider the following architecture. The web server's default route points to the Azure Firewall (FW). In front of the web server sits a public Standard Load Balancer (LB) with the web server in its backend pool, and a rule for port 80 is configured on the LB. The web server itself has no public IP. With this architecture there are two questions.

1. Can the web server reach the Internet?

2. Can nginx on the web server be reached from the Internet through the Standard LB?

Let's take them one at a time. By default, a server behind a Standard LB with no outbound rule cannot reach the Internet; what happens when its default route points to the firewall?

Testing shows that outbound access works without any problem.

Now the second question. First, look at the LB configuration, which is very simple.

As you can see, only a single rule for port 80 is configured.

But testing shows that the LB's public IP cannot be pinged at all.

However, after removing the default route to the FW, the ping succeeds.

Why is that? Microsoft's documentation already explains it.

This phenomenon is called asymmetric routing, and it is easy to understand: inbound traffic enters through the LB, but the return traffic has to leave through the FW because of the default route. The FW has no session for that flow, so it drops the packet.

Asymmetric routing

Asymmetric routing means that packets take one path to the destination and another path back to the source. Asymmetric routing problems can occur if the default route for the subnet goes to the private IP address of the firewall and a public load balancer is used. In this case, incoming load balancer traffic will be received through the public IP address of the load balancer, but the return path will pass through the private IP address of the firewall. Because the firewall is stateful and does not recognize such established sessions, returned packets are discarded.

There is a way to solve this problem. The official documentation explains that when a public LB sits behind the firewall, you need to create a UDR whose destination is the firewall's public IP with next hop Internet; otherwise Azure sends that traffic to the firewall's private IP via the default route. At the same time, the entry point for the traffic must be the FW, not the LB.

Let's try it. The whole traffic path becomes FW -> public Standard LB -> web server.

First, configure a DNAT rule on the FW that forwards to the LB.

But testing shows that the port still cannot be reached.

Next, add the route for the FW's public IP with next hop Internet.

This time the access finally succeeds.
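To make the route lookups concrete, here is an added Python model of the three scenarios above (my illustration, not code from this post or from Azure): a longest-prefix lookup over the UDR plus a minimal stateful firewall. All addresses are constructed placeholders, and it assumes, as the fix implies, that in the DNAT setup the web server's replies are addressed to the firewall's public IP.

```python
import ipaddress

# Constructed lab addresses; placeholders, not values from the page.
FW_PRIVATE_IP = "10.0.1.4"      # firewall private IP, next hop of the default route
FW_PUBLIC_IP = "203.0.113.10"   # firewall public IP
CLIENT_IP = "198.51.100.7"      # Internet client of the web server
INTERNET_HOST = "192.0.2.1"     # an Internet host the web server connects to

# UDR entries as (address prefix, next hop type, next hop IP).
DEFAULT_ONLY = [("0.0.0.0/0", "VirtualAppliance", FW_PRIVATE_IP)]
WITH_FW_PIP_ROUTE = DEFAULT_ONLY + [(FW_PUBLIC_IP + "/32", "Internet", None)]

def next_hop(route_table, dst):
    """Longest-prefix match over the UDR, the way Azure picks a route."""
    best = None
    for prefix, hop_type, _hop_ip in route_table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, hop_type)
    # No UDR match: Azure's system route 0.0.0.0/0 -> Internet applies.
    return best[1] if best else "Internet"

def reply_delivered(route_table, reply_dst, fw_sessions):
    """True if a reply the web server sends to reply_dst gets through.
    fw_sessions: peers the firewall already holds a session for on its
    private side, i.e. flows that went out through the firewall itself."""
    if next_hop(route_table, reply_dst) == "Internet":
        return True  # handed straight to the public address, no firewall in the path
    # VirtualAppliance: the packet lands on the firewall's private IP; being
    # stateful, the firewall forwards only replies of sessions it knows.
    return reply_dst in fw_sessions

def outbound_ok(route_table):
    """Question 1: web server -> Internet; the firewall opened the session itself."""
    via_fw = next_hop(route_table, INTERNET_HOST) == "VirtualAppliance"
    return reply_delivered(route_table, INTERNET_HOST, {INTERNET_HOST} if via_fw else set())

def inbound_via_lb_ok(route_table):
    """Question 2, first try: client -> LB -> web; the firewall never saw the request."""
    return reply_delivered(route_table, CLIENT_IP, set())

def inbound_via_fw_dnat_ok(route_table):
    """Fix: client -> firewall DNAT -> LB -> web. The reply is addressed to the
    firewall's public IP, so only the /32 route keeps it off the private-IP path."""
    return reply_delivered(route_table, FW_PUBLIC_IP, {CLIENT_IP})
```

Running the three checks against DEFAULT_ONLY reproduces the post's findings (outbound works, LB inbound and DNAT-only inbound fail), and only WITH_FW_PIP_ROUTE makes the DNAT path succeed.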
