Windows Azure announces support for internal load balancing (ILB)


We are very pleased to announce Azure support for internal load balancing (ILB). With ILB, highly available services can run behind private IP addresses that are reachable only from within a cloud service or virtual network (VNet), providing additional security for the endpoint. When used within a virtual network, ILB endpoints can also be accessed from on-premises sites and other interconnected VNets, which enables some powerful hybrid scenarios.

ILB can be used in two ways:

In cloud services, the load-balanced IP is obtained from the Azure private IP address space.

Within a virtual network, the load-balanced IP is obtained from a customer-specified virtual subnet or a static VNet IP address.

Key Scenarios

ILB enhances security compared to Azure's existing public load balancing. It restricts accessibility and creates a trust boundary around the load-balanced virtual IP address (VIP), which is scoped to a cloud service or virtual network and does not require exposure to the public Internet. This allows internal line-of-business applications to run within Azure and to be accessed from the cloud or from on-premises. Some common use cases are listed below:

The application and back-end database tiers run behind ILB, so they are not exposed to the public Internet, but high availability can still be achieved through load balancing. This is a huge leap in security.

The ILB VIP can be accessed across the entire virtual network, from on-premises sites, and from interconnected VNets over secure IPsec tunnels. In this way, you can run an intranet-facing SharePoint server farm (corporate network only) by placing the front-end VIP behind ILB, as shown in the following illustration:

Instructions for use

Internal load balancing is currently in preview and will reach general availability (GA) in the near future. You can find detailed documentation on ILB here.

Internal load balancing cannot be configured through the portal at this time; portal support will come in the future. However, you can configure it with PowerShell cmdlets. ILB can be used for deployments within a regional virtual network or for new deployments outside a virtual network. The following sections outline the two types of usage.

ILB in regional virtual network

An ILB endpoint created in a cloud service inside a regional virtual network can be accessed throughout the virtual network, from interconnected VNets, and from on-premises sites. The following code snippet illustrates how the internal load balancer is configured for cloud services deployed within the regional virtual network "Vnetuswest". Learn more about regional virtual networks. When you use ILB within a VNet, you can also specify a subnet for the internal load balancer from the VNet address space or, more precisely, a specific IP address.

# Create the VM configurations
$web1 = New-AzureVMConfig -Name "Web1" -InstanceSize Small -ImageName <imagename> | Add-AzureProvisioningConfig -Windows -AdminUsername <username> -Password <password> | Set-AzureSubnet Frontendsubnet

$web2 = New-AzureVMConfig -Name "Web2" -InstanceSize Small -ImageName <imagename> | Add-AzureProvisioningConfig -Windows -AdminUsername <username> -Password <password> | Set-AzureSubnet Frontendsubnet

# Create the deployments
New-AzureVM -ServiceName "MyWebsite1" -VMs $web1 -Location "West US" -VNetName Vnetuswest

New-AzureVM -ServiceName "MyWebsite1" -VMs $web2 -Location "West US"

# Add the internal load balancer to the service
Add-AzureInternalLoadBalancer -InternalLoadBalancerName Myilb -SubnetName Frontendsubnet -ServiceName MyWebsite1

# Add load-balanced endpoints to the ILB
Get-AzureVM -ServiceName MyWebsite1 -Name Web1 | Add-AzureEndpoint -Name "INTWEBEP" -LBSetName "INTWEBEPLB" -Protocol tcp -LocalPort 100 -PublicPort 100 -ProbePort 100 -ProbeProtocol tcp -ProbeIntervalInSeconds 10 -InternalLoadBalancerName Myilb | Update-AzureVM

Get-AzureVM -ServiceName MyWebsite1 -Name Web2 | Add-AzureEndpoint -Name "INTWEBEP" -LBSetName "INTWEBEPLB" -Protocol tcp -LocalPort 100 -PublicPort 100 -ProbePort 100 -ProbeProtocol tcp -ProbeIntervalInSeconds 10 -InternalLoadBalancerName Myilb | Update-AzureVM

In this example, the ILB gets its IP address from the subnet "Frontendsubnet". You can use the following cmdlets to retrieve ILB information:

# Get the internal load balancer information
Get-AzureService -ServiceName MyWebsite1 | Get-AzureInternalLoadBalancer

# Get the ILB information on an endpoint
Get-AzureVM -ServiceName MyWebsite1 -Name Web1 | Get-AzureEndpoint

ILB in cloud services

ILB endpoints created in cloud services outside of a regional virtual network can only be accessed from within that cloud service. You must set the ILB configuration when the first deployment in the cloud service is created, as shown in the following cmdlet example.

# Create a local ILB configuration object
$myilbconfig = New-AzureInternalLoadBalancerConfig -InternalLoadBalancerName "Myilb"

# Add the internal load balancer to a new service
New-AzureVMConfig -Name "Instance1" -InstanceSize Small -ImageName <imagename> | Add-AzureProvisioningConfig -Windows -AdminUsername <username> -Password <password> | New-AzureVM -ServiceName "Website2" -InternalLoadBalancerConfig $myilbconfig -Location "West US"

Frequently asked questions

1. Can I add ILB to my existing deployment on a virtual network?

This can only be done if the virtual network is a regional virtual network. In the near future, all virtual networks will be converted to regional virtual networks, at which point this will be possible.

2. Can I use ILB with SQL AlwaysOn?

Not yet. This support will be released soon.

3. I already have a load-balanced endpoint in a regional virtual network deployment. Can I attach this endpoint to ILB?

No. You must reference the ILB when you create the endpoint. Regular endpoints cannot be converted to ILB endpoints, and vice versa. This feature will soon be supported.

4. Can ILB be used with endpoint ACLs?

Yes, ILB can be used with endpoint ACLs. In regional virtual networks, ACLs can be applied to the customer IP address space, restricting access even within the virtual network.

5. If ILB is set up on my virtual machine, does loopback to the load-balanced VIP work from that same virtual machine?

No. You cannot access the ILB VIP from the same virtual machine that is being load balanced.

6. Can I use ILB with PaaS services (web role/worker role)?

ILB is designed to be available for web/worker roles as well, but it is not currently exposed in the service model (CSCFG/CSDEF). This feature will soon be supported.
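
The following is an added example, not part of the original article. It combines the static ILB address mentioned in the regional virtual network section with the endpoint ACL from question 4, then audits the service for endpoints that are still public. It assumes the classic Azure PowerShell module and that Web1 and Web2 are already deployed in MyWebsite1 without an ILB; the address 10.0.0.10 and the range 10.0.1.0/24 are constructed values.

```powershell
# Added example; classic (Service Management) Azure PowerShell module assumed.
# Constructed values: the static ILB address and the permitted client range.
$service = "MyWebsite1"
$ilbName = "Myilb"
$ilbIp   = "10.0.0.10"     # assumed free address inside Frontendsubnet
$clients = "10.0.1.0/24"   # assumed app-tier subnet allowed to reach the VIP

# 1. Pin the ILB VIP to a fixed private address so firewall rules and DNS stay stable.
Add-AzureInternalLoadBalancer -ServiceName $service -InternalLoadBalancerName $ilbName -SubnetName "Frontendsubnet" -StaticVNetIPAddress $ilbIp

# 2. Build an endpoint ACL with a single permit rule. Once a permit rule exists,
#    traffic from any other source range is denied.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Order 100 -Action Permit -RemoteSubnet $clients -Description "App tier only" | Out-Null

# 3. Create the load-balanced endpoint on each VM, bound to the ILB and carrying the ACL.
#    The ILB must be referenced at creation time (see question 3).
foreach ($vmName in "Web1", "Web2") {
    Get-AzureVM -ServiceName $service -Name $vmName |
        Add-AzureEndpoint -Name "INTWEBEP" -LBSetName "INTWEBEPLB" -Protocol tcp -LocalPort 100 -PublicPort 100 -ProbePort 100 -ProbeProtocol tcp -ProbeIntervalInSeconds 10 -InternalLoadBalancerName $ilbName -ACL $acl |
        Update-AzureVM
}

# 4. Audit: list every endpoint in the service that is NOT bound to an ILB,
#    that is, still published on the public VIP.
$public = Get-AzureVM -ServiceName $service | ForEach-Object {
    $vm = $_
    $vm | Get-AzureEndpoint |
        Where-Object { -not $_.InternalLoadBalancerName } |
        Select-Object @{n = "VM"; e = { $vm.Name }}, Name, Protocol, Port, LocalPort
}
if ($public) { $public | Format-Table -AutoSize } else { "No public endpoints in $service" }
```

Windows VMs provisioned with Add-AzureProvisioningConfig receive public remote-management endpoints by default unless switches such as -NoRDPEndpoint and -NoWinRMEndpoint are used, so the audit in step 4 is expected to list those until they are removed or restricted with ACLs.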
