Can I use Azure GWLB solution with NVA for the Internet Outbound Traffic?
Hello Team,
In Azure VNET, I have w365 Virtual Desktops running, and I want to use GWLB + NVA (Palo Alto Firewall behind GWLB) for the Internet Outbound traffic monitoring solution.
I know that Azure reference architectures talk about the usage of GWLB for Internet Inbound Application Architecture using ALB Service Chaining.
Can I use GWLB solution for the Internet Outbound traffic from Virtual Desktop Environment? So that I can use all the firewalls in active/active mode.
Thanks,
Raj
-
Sai Prasanna Sinde • 3,920 Reputation points • Microsoft Vendor
2025-02-06T01:54:42.7166667+00:00 Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
- You need an SLB with outbound rules configured. These rules specify which outbound traffic from your W365 VMs should be directed to the GWLB. You can set outbound rules to send all internet-bound traffic to the GWLB or define more specific rules.
- The GWLB distributes the outbound traffic across your pool of NVAs. This distribution is based on the GWLB configuration. This allows you to use your firewalls in an active/active configuration, maximizing throughput and redundancy.
- For your reference: https://learn.microsoft.com/en-us/azure/load-balancer/gateway-overview#:~:text=Gateway%20Load%20Balancer%20supports%20both%20inbound%20and%20outbound%20traffic%20inspection.%20For%20inserting%20NVAs%20in%20the%20path%20of%20outbound%20traffic%20with%20Standard%20Load%20Balancer%2C%20Gateway%20Load%20Balancer%20must%20be%20chained%20to%20the%20frontend%20IP%20configurations%20selected%20in%20the%20configured%20outbound%20rules.
- The NVAs inspect the traffic, apply security policies, and perform any other required functions. For your reference: https://learn.microsoft.com/en-us/azure/architecture/networking/guide/nva-ha
- After inspection, the NVAs forward the traffic to the internet. This typically happens via a default route on the NVA pointing to the internet or an Azure NAT Gateway/Public IP.
- Return traffic from the internet follows the reverse path, being inspected by the same NVA that handled the outbound request. GWLB ensures session stickiness to maintain flow affinity.
- Your Palo Alto firewalls need to be configured to accept and process traffic from the GWLB. They also need to have a route to the internet, and they must not perform NAT unless specifically required. The GWLB preserves the original source IP, which is essential for proper return traffic handling. The firewalls should focus on security functions, not NAT.
- You'll need to create a GWLB and configure a backend pool containing your NVAs. The health probes for the backend pool are essential to ensure that the GWLB only sends traffic to healthy firewalls. A TCP health probe on a port that the firewall actively listens on is recommended.
- The GWLB automatically scales to handle increased traffic. Make sure that your NVAs are also configured to scale appropriately to meet demand.
- For your reference: https://learn.microsoft.com/en-us/azure/load-balancer/gateway-overview#:~:text=You%20can%20insert,Custom%20appliances
- Deploy your NVAs in an Availability Set or across Availability Zones for high availability. Cross verify again all your routing tables (UDRs, NVA routing) to make sure that the traffic flows as expected.
I hope this has been helpful!
Your feedback is important so please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
If you still have questions, please let us know what is needed in the comments below so the question can be answered.
Thanks,
Sai.
-
Sai Prasanna Sinde • 3,920 Reputation points • Microsoft Vendor
2025-02-06T23:03:26.42+00:00 Just checking in to see if you have got a chance to see my response to your question in resolving the issue.
If you are still facing any further issues, please let us know in the comments below so that we can address them.
-
Sai Prasanna Sinde • 3,920 Reputation points • Microsoft Vendor
2025-02-07T17:41:08.98+00:00 Just checking in to see if you have got a chance to see my response to your question in resolving the issue.
If you are still facing any further issues, please let us know in the comments below so that we can address them.
-
Kevin C • 0 Reputation points
2025-02-15T06:46:28.91+00:00 Sai,
I don't think your answer is correct.
The way GWLB works is that it needs to be plugged into either the frontend IP of a public Standard LB, or the public NIC of a VM. Check this document: https://learn.microsoft.com/en-us/azure/load-balancer/gateway-overview
see the paragraph below:
Gateway Load Balancer supports both inbound and outbound traffic inspection. For inserting NVAs in the path of outbound traffic with Standard Load Balancer, Gateway Load Balancer must be chained to the frontend IP configurations selected in the configured outbound rules.
See, you still need a Standard LB. A GWLB alone is not going to work.
-
Sai Prasanna Sinde • 3,920 Reputation points • Microsoft Vendor
2025-02-17T09:17:37.0033333+00:00 We apologize for not providing an answer up to your expectations and for any inconvenience this may have caused.
Yes, a GWLB cannot directly handle outbound internet traffic from VMs (including W365 VMs) without being chained to a SLB.
You need a SLB with outbound rules configured. These rules define which outbound traffic from your W365 VMs should be sent to the GWLB. You can configure outbound rules to send all internet-bound traffic to the GWLB, or you can define more specific rules.
The GWLB is then chained to the frontend IP of the SLB. This is the key connection. The SLB sends traffic that matches its outbound rules to the GWLB's frontend IP.
The GWLB has a backend pool consisting of your Palo Alto NVAs. The GWLB distributes the traffic it receives from the SLB across these NVAs for inspection. Please refer to the document.
W365 VMs to SLB: Your W365 VMs need a UDR that directs internet-bound traffic to the frontend IP address of the Standard Load Balancer.
SLB to GWLB: This is the automatic chaining and no UDR is needed here. Traffic matching the SLB outbound rules is automatically forwarded to the GWLB.
GWLB to NVAs: The GWLB handles this distribution.
The return traffic from the internet follows the reverse path. The GWLB maintains session affinity, ensuring that return traffic is sent to the same NVA that handled the outbound request.
Kindly let us know if the above helps or you need further assistance on this issue.
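Added example (not from any post in this thread, and not Palo Alto or Microsoft sample code): the SLB-plus-GWLB chain described in the answers above, written as a Bicep template so the moving parts the two answers list (Standard LB frontend, outbound rule, chaining to the GWLB frontend, GWLB backend pool with tunnel interfaces, health probe) can be checked in one place. Resource names, the NVA subnet ID, the probe port and the outbound port allocation are assumptions; the W365 NICs and the firewall NICs are joined to their respective backend pools separately, on each NIC's IP configuration. The outbound rule selects VMs by membership of the SLB backend pool.

```bicep
// Added example, not code from the Q&A thread. Names and parameter values are assumptions.
param location string = resourceGroup().location
param nvaSubnetId string            // assumption: subnet that holds the firewall NICs
param gwlbName string = 'gwlb-nva'
param slbName string = 'slb-w365-egress'
param probePort int = 22            // assumption: a TCP port the NVA actually listens on

var gwlbFeName = 'fe-gwlb'
var gwlbBpName = 'bp-nva'
var slbFeName = 'fe-egress'
var slbBpName = 'bp-w365'

// Gateway LB: private frontend in the NVA subnet, VXLAN tunnel interfaces to the NVAs.
resource gwlb 'Microsoft.Network/loadBalancers@2023-09-01' = {
  name: gwlbName
  location: location
  sku: { name: 'Gateway' }
  properties: {
    frontendIPConfigurations: [
      {
        name: gwlbFeName
        properties: {
          subnet: { id: nvaSubnetId }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
    backendAddressPools: [
      {
        name: gwlbBpName
        properties: {
          // One pool, two tunnels: traffic reaches the NVA on 'Internal' and comes back on 'External'.
          tunnelInterfaces: [
            { port: 10800, identifier: 900, protocol: 'VXLAN', type: 'Internal' }
            { port: 10801, identifier: 901, protocol: 'VXLAN', type: 'External' }
          ]
        }
      }
    ]
    // Only healthy firewalls receive flows; probe a port the appliance really serves.
    probes: [
      {
        name: 'hp-nva'
        properties: { protocol: 'Tcp', port: probePort, intervalInSeconds: 5, numberOfProbes: 2 }
      }
    ]
    loadBalancingRules: [
      {
        name: 'lbr-all-traffic'
        properties: {
          protocol: 'All'      // Gateway LB rules are protocol All, port 0: every flow goes through the NVAs
          frontendPort: 0
          backendPort: 0
          frontendIPConfiguration: { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', gwlbName, gwlbFeName) }
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', gwlbName, gwlbBpName) }
          probe: { id: resourceId('Microsoft.Network/loadBalancers/probes', gwlbName, 'hp-nva') }
        }
      }
    ]
  }
}

// Static Standard public IP: the egress address the internet sees after the SLB SNATs the flow.
resource egressPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-w365-egress'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Standard LB with no inbound rules; its only job is the outbound rule.
// The frontend is chained to the GWLB, so flows matched by the outbound rule
// are handed to the firewalls and returned before they leave for the internet.
resource slb 'Microsoft.Network/loadBalancers@2023-09-01' = {
  name: slbName
  location: location
  sku: { name: 'Standard' }
  properties: {
    frontendIPConfigurations: [
      {
        name: slbFeName
        properties: {
          publicIPAddress: { id: egressPip.id }
          // This property is the "chaining" step: it points at the GWLB frontend, not the GWLB itself.
          gatewayLoadBalancer: {
            id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', gwlb.name, gwlbFeName)
          }
        }
      }
    ]
    backendAddressPools: [ { name: slbBpName } ]   // W365 NICs are added to this pool on their ipconfig
    outboundRules: [
      {
        name: 'obr-internet'
        properties: {
          protocol: 'All'
          allocatedOutboundPorts: 10000   // assumption: size this for the number of desktops per frontend IP
          idleTimeoutInMinutes: 4
          enableTcpReset: true
          frontendIPConfigurations: [
            { id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', slbName, slbFeName) }
          ]
          backendAddressPool: { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', slbName, slbBpName) }
        }
      }
    ]
  }
}
```

Two things to check after deployment that the template itself cannot enforce: the firewall NICs must be members of the GWLB backend pool and terminate VXLAN on UDP 10800/10801 (the NSG on the NVA subnet has to allow that from the GWLB frontend), and, as the answer above notes, the appliance should pass the flow back untranslated so the SLB's SNAT and the GWLB's flow affinity line up on the return path. If the health probe port is not something the firewall really serves, the pool goes unhealthy and all egress stops, so pick the port deliberately rather than defaulting to the management interface.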
-
Sai Prasanna Sinde • 3,920 Reputation points • Microsoft Vendor
2025-02-18T08:00:56.5833333+00:00 Just checking in to see if you have got a chance to see my response to your question in resolving the issue.
If you are still facing any further issues, please let us know in the comments below so that we can address them.