Load Balancer configuration for Azure VMs with HA configuration

Note: Microsoft may retire or change Azure features frequently, so always refer to the official Microsoft documentation for the latest working components. Use this document as a reference, not as a final step-by-step procedure.

Overview

Azure by design doesn't support NLB configuration. For high availability, history nodes deployed in Azure need to be load balanced using Azure Application Gateway. This guide explains how to configure an Azure Application Gateway to accept HTTPS traffic on port 443, terminate SSL at the gateway, and forward requests over HTTP (port 80) to two backend virtual machines using private IP addresses. The setup includes WAF protection, a custom health probe, and cookie-based affinity.


Architecture Summary

  • Frontend: Public IP with HTTPS (443)
  • SSL Termination: At Application Gateway
  • Backend Pool: Two virtual machines (private IPs)
  • Backend Protocol: HTTP (80)
  • Routing: Layer 7 (Application Gateway)
  • Security: Web Application Firewall (WAF)

Prerequisites

Before starting, ensure the following resources already exist:

  • A virtual network with a dedicated subnet for the Application Gateway
  • An Application Gateway subnet with sufficient IP address space
  • Two backend virtual machines reachable over HTTP (port 80)
  • Network Security Groups allowing required traffic
  • A valid SSL certificate in PFX format and its password

Create the Application Gateway

  1. Sign in to the Azure Portal
  2. Select Create a resource
  3. Search for Application Gateway
  4. Click Create

Configure Basic Settings

Provide the following details:

  • Subscription: Select your subscription
  • Resource group: Existing resource group
  • Name: Meaningful name for the Application Gateway
  • Region: Same region as the virtual network
  • Tier: Web Application Firewall (WAF)
  • SKU: WAF_V2
  • Autoscaling: Enabled
  • Minimum instances: 1
  • Maximum instances: According to traffic needs

Click Next: Frontends.


Configure Networking

  1. Select the Virtual Network
  2. Choose the dedicated Application Gateway subnet
  3. Ensure the subnet is empty and reserved only for Application Gateway

Configure Frontend IP

  1. Choose Public frontend IP
  2. Create a new public IP address
  3. Use Static IP allocation
  4. Assign a recognizable name

Click Next: Backends.


Define the Backend Pool

  1. Add a new backend pool
  2. Select IP address as the target type
  3. Add both backend VM private IP addresses
  4. Save the backend pool

Click Next: Configuration.


Upload SSL Certificate

  1. Navigate to the Certificates section
  2. Add a new certificate
  3. Upload the PFX certificate
  4. Enter the certificate password
  5. Save the certificate

Configure Backend HTTP Settings

  1. Create a new backend HTTP setting
  2. Set:
    • Protocol: HTTP
    • Port: 80
    • Cookie-based affinity: Enabled
    • Affinity cookie name: ApplicationGatewayAffinity
    • Request timeout: 30 seconds
  3. Save the backend settings

Create a Health Probe

  1. Add a new health probe
  2. Configure:
    • Protocol: HTTP
    • Host: 127.0.0.1
    • Path: /history/login/
    • Interval: 30 seconds
    • Timeout: 30 seconds
    • Unhealthy threshold: 3
  3. Accept HTTP status codes:
    • 200–399
    • 401
  4. Save the probe
  5. Attach this probe to the backend HTTP settings

Configure HTTPS Listener

  1. Create a new listener
  2. Set:
    • Protocol: HTTPS
    • Port: 443
    • Frontend IP: Public
    • SSL certificate: Previously uploaded certificate
  3. Save the listener

Create Routing Rule

  1. Add a routing rule
  2. Choose Basic rule type
  3. Associate:
    • HTTPS listener
    • Backend pool
    • Backend HTTP settings
  4. Save the rule

Enable Web Application Firewall (WAF)

  1. Navigate to Web Application Firewall settings
  2. Set:
    • WAF mode: Prevention
    • Rule set: OWASP 3.0
    • Request body inspection: Disabled
    • Max request body size: 128 KB
    • File upload limit: 100 MB

Review and Create

  1. Review configuration
  2. Validate settings
  3. Click Create

Deployment may take several minutes.


Validation Steps

  • Verify backend health shows both servers as Healthy
  • Access the Application Gateway public IP over HTTPS
  • Confirm requests are served correctly by backend VMs

Outcome

You now have an Azure Application Gateway that securely handles HTTPS traffic, applies WAF protection, and load-balances requests across multiple backend virtual machines using private IP addresses.


Best Practices

  • Use static private IPs for backend VMs
  • Monitor backend health regularly
  • Rotate SSL certificates before expiration
  • Restrict backend NSG rules to Application Gateway subnet only
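
Because the gateway forwards plain HTTP to the backends, the last best practice is what keeps port 80 from being reachable by anything other than the gateway. The following is an added example, not part of the original guide: a Python check that flags inbound Allow rules on a backend NSG that expose port 80 to sources outside the Application Gateway subnet. It assumes the NSG is supplied in the field layout of `az network nsg show` output; the subnet `10.0.1.0/24`, the rule names and the sample NSG are constructed for illustration.

```python
import ipaddress

APPGW_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # constructed gateway subnet
BACKEND_PORT = 80  # backend HTTP port from this guide

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule field into one list."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _covers_port(rule, port):
    """True if any destination port entry ('80', '80-443', '*') includes port."""
    for entry in _values(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = entry.partition("-")
        if entry == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _inside(prefix, subnet):
    """True only for an IP or CIDR contained in subnet; '*' and service tags fail."""
    try:
        return ipaddress.ip_network(prefix, strict=False).subnet_of(subnet)
    except (ValueError, TypeError):
        return False

def audit_backend_nsg(nsg, subnet=APPGW_SUBNET, port=BACKEND_PORT):
    """Return names of inbound Allow rules that expose port beyond subnet."""
    findings = []
    for rule in nsg.get("securityRules", []):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if not _covers_port(rule, port):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        # No address prefix (e.g. an ASG source) is flagged for manual review.
        if not sources or not all(_inside(s, subnet) for s in sources):
            findings.append(rule["name"])
    return findings

# Constructed sample in the field layout of `az network nsg show` output.
SAMPLE_NSG = {"securityRules": [
    {"name": "allow-appgw-http", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "80"},
    {"name": "allow-any-web", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "80-443"},
    {"name": "allow-vnet-all", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.0.0/16", "destinationPortRanges": ["22", "80"]},
]}
if __name__ == "__main__":
    print(audit_backend_nsg(SAMPLE_NSG))
```

The check looks only at custom rules; it does not evaluate rule priority, Deny rules, or the NSG's default rules, so an empty result still needs to be read alongside the effective security rules on the backend NICs.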