Load Balance Secure Internal Traffic

In this lab, you will configure an Internal Load Balancer, Service Endpoints, and NSGs to distribute traffic across multiple back-end VMs, restrict connectivity between tiers, and enable secure Azure SQL Database access. You will validate connectivity from a front-end VM, which you reach over SSH via its public IP, using curl.


Pre-Provisioned Resources

The following resources are already deployed for you:

  • Virtual Networks:
    • FrontEndVNet (10.0.0.0/16) with FrontEndSubnet (10.0.1.0/24)
    • BackEndVNet (10.1.0.0/16) with BackEndSubnet (10.1.1.0/24)
  • Virtual Machines:
    • FrontEndVM in FrontEndSubnet (Ubuntu with curl installed)
    • BackEndVM1 and BackEndVM2 in BackEndSubnet (Ubuntu with Apache or Nginx installed)
  • NSGs: Attached to subnets with default rules.
  • Public IPs: Assigned to front-end VM for SSH access.
  • Azure SQL Database: Pre-created in the same region (you will secure it with Service Endpoints).

Connection Details

  • Use SSH to connect to VMs:
      ssh labuser@<public-ip>
  • Credentials will be provided by your instructor.

Your Tasks


Task 1: Configure Internal Load Balancer

  1. Create an Internal Load Balancer in BackEndSubnet.
  2. Assign a static private IP (e.g., 10.1.1.100).
  3. Create a backend pool with BackEndVM1 and BackEndVM2.
  4. Add a health probe (TCP 80).
  5. Create a load balancing rule for HTTP (port 80).

[Image: lab with load balancer]


Task 2: Update NSGs

  1. On BackEndSubnet NSG:
    • Add an Allow inbound rule for traffic from FrontEndSubnet on port 80.
    • Ensure no other inbound traffic is allowed.
  2. On FrontEndSubnet NSG:
    • Allow outbound traffic to BackEndSubnet on port 80.

[Image: lab with nsg rule added]
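
The "no other inbound traffic" requirement in Task 2 interacts with Azure's built-in NSG rules, which allow all VirtualNetwork traffic and the load balancer's health probe by default. The following model is an added example, not part of the original lab: it evaluates the BackEndSubnet NSG in priority order. The rule names, priorities and sample source addresses are hypothetical, and it assumes the VirtualNetwork tag covers both VNets.

```python
import ipaddress

# Service tags resolved for this lab. Assumption: the VNets are connected,
# so VirtualNetwork covers both address spaces.
TAGS = {
    "VirtualNetwork": ["10.0.0.0/16", "10.1.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],  # health probe source address
    "*": ["0.0.0.0/0"],
}

# Azure's built-in inbound rules: (priority, name, source, port, access)
DEFAULTS = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "Deny"),
]

# Custom BackEndSubnet rules (names and priorities are hypothetical).
TASK2 = [
    (100, "Allow-FrontEnd-HTTP", "10.0.1.0/24", 80, "Allow"),
    (110, "Allow-LB-Probe", "AzureLoadBalancer", 80, "Allow"),
    (4096, "Deny-Other-Inbound", "*", "*", "Deny"),
]

def evaluate(rules, src_ip, dst_port):
    """First match wins, lowest priority number first: (access, rule name)."""
    src = ipaddress.ip_address(src_ip)
    for _prio, name, source, port, access in sorted(rules, key=lambda r: r[0]):
        prefixes = TAGS.get(source, [source])
        in_source = any(src in ipaddress.ip_network(p) for p in prefixes)
        if in_source and port in ("*", dst_port):
            return access, name
    return "Deny", "no-match"

# Constructed sample flows toward a back-end VM: (description, source, port)
FLOWS = [
    ("FrontEndVM -> HTTP", "10.0.1.4", 80),
    ("FrontEndVM -> SSH", "10.0.1.4", 22),
    ("other FrontEndVNet host -> HTTP", "10.0.2.4", 80),
    ("ILB health probe", "168.63.129.16", 80),
]

if __name__ == "__main__":
    for label, rules in (("defaults only", DEFAULTS), ("with Task 2 rules", DEFAULTS + TASK2)):
        print(label)
        for desc, ip, port in FLOWS:
            print(f"  {desc:32} {evaluate(rules, ip, port)}")
```

With only the default rules, SSH from the front-end tier is allowed by AllowVnetInBound, so an explicit deny is needed. Removing the Allow-LB-Probe rule while keeping the deny blocks the TCP 80 health probe from Task 1.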


Task 3: Enable Service Endpoints

  1. On BackEndSubnet, enable Service Endpoint for Microsoft.Sql.
  2. In Azure SQL Database firewall settings:
    • Allow access from the BackEndSubnet.

[Image: lab with private link]


Task 4: Validate

  1. SSH into FrontEndVM using its public IP.
  2. Run:
      curl http://10.1.1.100
    • Repeat the command multiple times to confirm traffic alternates between BackEndVM1 and BackEndVM2.
  3. Test SQL connectivity (optional):
      sqlcmd -S <sql-server-name>.database.windows.net -U <username> -P <password>
    • If you omit -P, sqlcmd prompts for the password, which keeps it out of your shell history.

Success Criteria

  • Internal Load Balancer distributes traffic between back-end VMs.
  • NSG rules enforce tier isolation.
  • Service Endpoint secures SQL access from BackEndSubnet only.

Optional Challenge

  • Add a second load balancing rule for HTTPS.
  • Configure session persistence on the ILB.