thank you Roelf for your explanation of flow symmetry
Summarized feedback
- This section titled VNets use the same backend (virtual) routers deserves further clarification because it's valuable to any firewall or F5 administrator. I use the dot-points below to explain it to myself and customers.
- Similarly deserving of its own article, this architecture titled Impact on reverse proxy services assumes you would not have a similar internal Azure LB for the reverse proxy servers - but why not (since not all proxies must SNAT)? I would recommend doing the same internal Azure LB configuration for the proxies as you did for the firewalls. No? That way you could remove this sentence: "In this scenario, SNAT will be required on the reverse proxy's as well..."
More feedback
Love this article. I work at F5 and am often asked by customers how this works. I've published a few articles and architectures that reference this idea. I think what I get from this article is that with Azure LB you can have all of these at the same time:
- active/active firewalls
- no SNAT required
- flow symmetry maintained
As long as you obey these rules:
- "Floating IP" checked on LB Rule so that DNAT is not performed by Azure LB
- single NIC on firewall behind Azure LB that (at least for this traffic flow) is the only NIC in use
- UDRs configured so that all client->server and server->client traffic traverses the same Azure LB frontendipconfig
One of my customers even has his entire stack Active/Active, where he's used 2x NICs on his firewalls, sitting in 2x subnets and backend pools in Azure LB with 2x frontendipconfigs (all on the same internal Azure LB). His Palo Alto firewalls have 2x Virtual Routers so that, effectively, he has 2x backend pools with the same 2x firewalls configured between them. Then, he has 2x standalone F5 SSLo devices (edge devices for TLS decryption), both pointing to different Azure LB frontend IP configs for their next hop to the Palo Altos. The result is that his entire stack is Active/Active across Availability Zones and fully meshed between F5 and PA. (The 2x NICs are needed for the 2x UDRs needed to route back to 2x standalone F5 appliances, which are not behind internal Azure LBs because he's not using a single dataplane NIC on those devices).
Long story short: great article and I would love to see more clarification / use cases documented and would be happy to help.
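The three rules from the post above as a configuration check, added here as an example (not code from the Architecture Center article or from the post's author). The field names follow the Azure CLI JSON shape (`enableFloatingIP`, `nextHopType`, `nextHopIpAddress`) and every value below is constructed sample data.

```python
# Validator for the three flow-symmetry rules: Floating IP on the LB rule,
# one dataplane NIC per firewall, and all UDRs pointing at the same LB frontend.
# All inputs are constructed samples, not real resources.

LB_FRONTEND_IP = "10.0.1.4"  # constructed: private IP of the internal LB frontendipconfig

# Constructed LB rule as it would appear in Azure CLI JSON output.
LB_RULES = [{"name": "fw-rule", "enableFloatingIP": True}]

# Constructed UDRs: one route table on the client subnet, one on the server subnet.
ROUTE_TABLES = {
    "client-rt": [{"name": "to-servers", "addressPrefix": "10.0.2.0/24",
                   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}],
    "server-rt": [{"name": "to-clients", "addressPrefix": "10.0.3.0/24",
                   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}],
}

# Constructed: the NICs each firewall VM contributes to the LB backend pool.
FIREWALL_NICS = {"fw-1": ["fw-1-nic0"], "fw-2": ["fw-2-nic0"]}


def check_symmetry(frontend_ip, lb_rules, route_tables, firewall_nics):
    """Return a list of findings that break flow symmetry; empty means all rules hold."""
    findings = []
    # Rule 1: Floating IP on the LB rule, so the LB does not DNAT and the
    # firewall receives the packet with its original destination.
    for rule in lb_rules:
        if not rule.get("enableFloatingIP"):
            findings.append(f"LB rule '{rule['name']}': Floating IP off, LB will perform DNAT")
    # Rule 2: a single dataplane NIC per firewall behind this LB.
    for fw, nics in firewall_nics.items():
        if len(nics) != 1:
            findings.append(f"{fw}: {len(nics)} NICs in the pool, return path may use another NIC")
    # Rule 3: every UDR, client side and server side, must next-hop to the same
    # LB frontend IP so that both directions of a flow traverse the same LB.
    for table, routes in route_tables.items():
        for r in routes:
            if r.get("nextHopType") != "VirtualAppliance" or r.get("nextHopIpAddress") != frontend_ip:
                findings.append(f"{table}/{r['name']}: next hop {r.get('nextHopIpAddress')} "
                                f"is not LB frontend {frontend_ip}")
    return findings


if __name__ == "__main__":
    result = check_symmetry(LB_FRONTEND_IP, LB_RULES, ROUTE_TABLES, FIREWALL_NICS)
    for line in result or ["OK: all three flow-symmetry rules hold"]:
        print(line)
```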
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 2c9f2509-a3f9-d8bf-e0bf-a9c970d5a423
- Version Independent ID: 62cbc02f-3a6a-2966-380d-af66737f8711
- Content: Azure Network Virtual Appliances Firewall architecture overview - Azure Architecture Center
- Content Source: docs/example-scenario/firewalls/index.yml
- Service: architecture-center
- Sub-service: example-scenario
- GitHub Login: @RZomerman
- Microsoft Alias: rozome
@mikeoleary Thanks for your feedback! We will investigate and update as appropriate.