Traffic Manager with a Static IP Address

  • Question

  • First off, a static IP is an absolute must have...

    We've been using Azure's default system of what I think is called instance level PIP. One day, the public IP address changed and it took about 4 days for the DNS settings around the world to catch on. Meanwhile, our customers couldn't hit our website through our domain name. That's simply unacceptable.

    At the same time, we need to set up a Traffic Manager (load balancer). But, from what I can grasp, it's not possible to set up a Traffic Manager with a reserved IP address in order for the public IP address to remain static. Is this correct?

    If it's impossible to get a static IP address for a traffic manager, what are we supposed to do? How can we ensure that a sudden changed public IP address won't take days to update around the globe?

    Friday, September 4, 2015 5:34 AM

Answers

  • Thread Summary

    I feel that this thread, although basically unanswered should be informative for people trying to use the Azure platform, or considering using the Azure platform.

    I've asked several questions again, and again, and essentially there is no answer. The answers seem to flip flop all over the place. I can't actually answer the question as to whether or not it is possible to use a Traffic Manager with a static IP address.

    My basic impression is that if you are going to use Azure's Traffic Manager, and probably Azure in general, you are going to be using a CNAME. My further guess is that the external IP address associated with the CNAME will change from time to time which will probably cause issues for people using your service. But, until Microsoft clears this up, we really just don't know what the alternatives are.

    Tuesday, September 29, 2015 2:17 AM

All replies

  • Hi Christian,

    Azure Traffic Manager works at the DNS level, not the network traffic level.  Thus there's no such thing as an 'IP address for Traffic Manager'.  Traffic Manager provides a DNS CNAME, for example contoso.trafficmanager.net, which points to one of your endpoints (as determined by the Traffic Manager traffic-routing method and endpoint health monitoring).  Customers then typically CNAME their vanity domain (e.g. www.contoso.com) to point to the Traffic Manager DNS name.

    It sounds like the root cause of your concern is the long delay you saw between a public IP address change and the corresponding DNS update.  This should not happen, and I suggest you follow this up with Azure Support.

    Note that you can use Traffic Manager with services with reserved IPs.  Simply create your services with reserved IPs, then point Traffic Manager at the DNS names associated with those reserved IPs.

    Regards,

    Jonathan Tuliani

    Program Manager

    Azure Networking - DNS and Traffic Manager

    Friday, September 4, 2015 10:53 AM
  • Jonathan,

    Thanks so much for addressing my concerns. 

    It sounds like the root cause of your concern is the long delay you saw between a public IP address change and the corresponding DNS update.  This should not happen, and I suggest you follow this up with Azure Support.

    This is my concern exactly! This happened once, and it caused widespread panic. That can't happen again. So, we can't continue the migration to Azure servers until we can be guaranteed that it will not happen again. Just to clarify, yes, I am using a CNAME to point my existing VM.

    I'm curious that you recommend contacting Azure Support though. I contacted a network engineer about this, and from what he explained, this has nothing to do with Microsoft. It is completely out of Microsoft's control. A DNS update can take days because each ISP can cache the IP address for as long as they like.

    Is this understanding incorrect? Are you saying that Microsoft actually has some control over this?

    -----------------------------

    Mahendranath,

    could you please reserve an IP to cloud service and assign static private IP to DNS VM. Please do also add DNS server IP in networks DNS tab and configuration tab of your network.

    I can possibly do this. What is the purpose of this? Will this help me with my issue?


    Saturday, September 5, 2015 12:23 AM
  • Hi Christian,

    As per the wording below, I understand that you have installed DNS on an Azure VM and assigned a public IP to it. You have pointed other clients to this server as their DNS server. Please correct me if I have misunderstood.

    We've been using Azure's default system of what I think is called instance level PIP. One day, the public IP address changed and it took about 4 days for the DNS settings around the world to catch on. Meanwhile, our customers couldn't hit our website through our domain name. That's simply unacceptable.

    Regards,

    Mahendranath Miryala

    Sunday, September 6, 2015 1:29 PM
  • To be honest, I'm not really sure if there is a DNS server or not... Do I need to set one of these up? What's the purpose? As I mentioned before, we're using the cloud service's CNAME.

    Anyway, my question really is this:

    Can we rely on CNAMEs?

    I think that the answer is a resounding NO!

    A quick Google search will show that the standard for CNAME caching is 1 hour. That, in and of itself is unacceptable. That means that after a reboot, it could take up to 1 hour for the IP address attached to CNAME to be refreshed. Upon further reading, I found that the TTL should be adjustable - the time it takes to refresh the IP address, but apparently, reducing this puts strain on the DNS. Does Azure allow us to adjust this setting?

    Here is an article on this.

    http://www.techrepublic.com/blog/data-center/dns-time-to-live-settings-for-cname-records/

    But, even though 1 hour doesn't sound too bad, as I mentioned, we had a case where this took 3 or more days to refresh. This is possible because it's up to the discretion of the ISPs to decide how long they hold on to cache for.

    Here's an article on the issue:

    https://iwantmyname.com/blog/2014/01/why-alias-type-records-break-the-internet.html

    So, what I'm wondering here, is why Microsoft forces its customers to use alias DNS records (CNAME) for propagating an IP address. There are clearly issues around this as we've experienced first hand.

    If Azure doesn't support setting a static IP address, then what is Microsoft doing to address the issues I've mentioned above? Or, are my concerns misplaced?

    Sunday, September 6, 2015 11:29 PM
  • However, I did find this.

    https://azure.microsoft.com/en-us/documentation/articles/dns-operations-recordsets/

    Would someone please explain to me the significance of setting TTL time on a CNAME for Azure? Does that mean that other servers and ISP etc. will drop cache at this interval? Is this an opt in only thing?  

    Sunday, September 6, 2015 11:33 PM
  • Could someone from Microsoft please address these concerns before this thread is closed?

    Basically, are my concerns about the combination of changing public IP addresses and CNAMEs founded or not?

    Is there some way to use Azure without using CNAMEs?

    Does Microsoft have a plan to allow alternatives to CNAMEs in future? Like for example a static IP address.


    Tuesday, September 8, 2015 10:37 PM
  • Am I barking up the wrong tree with an "Azure Traffic Manager"?

    This article keeps referring to an "Azure Load Balancer".

    https://azure.microsoft.com/en-us/documentation/articles/load-balancer-overview/

    Is this a completely different thing? Can we use an "Azure Load Balancer", instead of an "Azure Traffic Manager"?


    Tuesday, September 8, 2015 11:13 PM
  • Hi,

    Azure load balancer delivers high availability and network performance to your applications. It is a Layer-4 (TCP, UDP) type load balancer that distributes incoming traffic among healthy service instances in cloud services or virtual machines defined in a load balancer set.

    It can be configured to:

    • Load balance incoming Internet traffic to virtual machines. We refer to it as Internet-facing load balancing.
    • Load balance traffic between virtual machines in a Virtual Network, between virtual machines in cloud services or between on-premises computers and virtual machines in a cross-premises virtual network. We refer to it as internal load balancing (ILB).
    • Forward external traffic to a specific Virtual Machine instance

    It depends upon your scenario whether to use "Azure Load Balancer" or "Azure Traffic Manager". I would request you to raise a support ticket with Azure so that our support team will address your issue.

    Regards,

    Mahendranath Miryala

    Wednesday, September 9, 2015 8:52 AM
  • Mahendranath,

    I would very much appreciate it if you would take the time to read the questions before blindly answering, and then marking your own post as an answer.

    -------------------------------------------------------------------

    This is a serious issue that needs answers. How can people be confident of using Azure if there are unresolved issues that they may face? So, in the absence of static IP addresses for Traffic Managers, I ask these questions:

    1) Are my concerns about the combination of changing public IP addresses and CNAMEs founded or not?

    2) Is there any way to link a static IP address to an Azure Traffic Manager, or Azure Load Balancer in such a way that the public IP address does not change?

    3) Does Microsoft have any plans to allow alternatives to CNAMES in future?

    Thursday, September 10, 2015 10:46 PM
  • Hi,

    Apologies for the delayed response.

    I am working on this thread, and I will address your question ASAP.

    Regards,

    Mahendranath Miryala 

     

    Sunday, September 13, 2015 1:24 PM
  • Hi,

    Could you please check the information below and provide us an update if it helps you.

    Regarding DNS caching:

    • TTLs on DNS records indicate how long the records should be cached for.  The vast majority of DNS servers and clients obey the TTL values, and thus DNS caches will be cleared when the TTLs expire.  There can be a handful of exceptions where local settings define a higher minimum TTL, but this is rare.
    • When an IP address changes for a service deployed in Azure, the DNS record associated with it should be updated automatically.  If calling the authoritative name server shows the old DNS entry, that is an Azure issue that should be referred to Azure Support.  You can test the authoritative name server using a tool such as http://digwebinterface.com

     

    Regarding static IP addresses

    • Yes, you can use a static IP address for services associated with Azure Traffic Manager.  Simply deploy the service using a static IP address.  There is no change to how you configure Traffic Manager—this will still use DNS CNAMEs.  However, since the IP address is static, any concern regarding DNS caching is mitigated, since none of the DNS records in the name resolution path should ever need to change.

     

    Regarding Azure Traffic Manager vs Azure Load Balancer:

    • Azure Load-balancer is a network-level (Level 4) load balancer.  It is for sharing traffic at the network level between VMs or role instances within an Azure deployment (not between deployments), within a single Azure region.
    • Azure Traffic Manager is a DNS-level traffic routing service.  It is for routing traffic between Azure deployments (not within a deployment), typically across Azure regions.

     

    Regarding alternative to CNAMEs

    • Yes, this is part of our long-term roadmap.  However, your concerns about the use of CNAMEs and the propagation time for DNS changes can be mitigated using static IP addresses as explained above.

    Regards,

    Mahendranath Miryala

    Tuesday, September 15, 2015 1:09 PM
  • Regarding static IP addresses

    • Yes, you can use a static IP address for services associated with Azure Traffic Manager.  Simply deploy the service using a static IP address.  There is no change to how you configure Traffic Manager—this will still use DNS CNAMEs.  However, since the IP address is static, any concern regarding DNS caching is mitigated, since none of the DNS records in the name resolution path should ever need to change.

    ---------------------------------------------

    This conflicts with answers at the top of this thread. This was at the top of the thread:

    "Azure Traffic Manager works at the DNS level, not the network traffic level.  Thus there's no such thing as an 'IP address for Traffic Manager."

    So, how do we use "use a static IP address for services associated with Azure Traffic Manager"?

    You said:

    "Simply deploy the service using a static IP address. "

    How? How do we deploy the service using a static IP address?

    Please stop giving us conflicting information. I feel like this topic is just going around in circles.



    Tuesday, September 15, 2015 10:53 PM
  • Please clear up what you are saying.

    Can we use a static, public IP address with an Azure Traffic Manager or not?

    If so, how?

    Note: we are talking about the public IP address here.



    Tuesday, September 15, 2015 10:54 PM
  • Hi,

    Traffic Manager does not care whether the IP address is reserved or not, as it uses the DNS name.

    You can use a reserved IP address, which never changes as long as you retain it and can be assigned to the cloud service for your virtual machines at creation time.

    A reserved IP address is basically an IP address that you create with a name.

    So, yes, you can use Traffic Manager with services with reserved IPs. Create your services with reserved IPs, then point Traffic Manager at the DNS names associated with those reserved IPs.


    Best Regards
    Prasandhi Kumar

    Wednesday, September 16, 2015 1:48 PM
  • OK, great.

    How do we do this?

    Wednesday, September 16, 2015 11:03 PM
  • You mentioned your customers connect to your site via your custom domain. The whole point of using Traffic Manager (for load balancing, failover, etc...) is that your custom domain resolves to a Traffic Manager endpoint first, which then decides which particular cloud service/website endpoint should be returned to the client. This means your client doesn't really have to care about the static/reserved IP of the corresponding cloud service/website endpoint.

    Traffic Manager also regularly does an endpoint health check to the corresponding endpoints so it knows if an endpoint cannot be reached so it doesn't resolve clients to an endpoint that's down and resolve them instead to the failover or other endpoints. 

    The short Traffic Manager TTL means the client's DNS cache of the resolved endpoint is frequently refreshed with newer endpoints.

    To answer your other question, there's nothing in Traffic Manager for you to point it to specific IP addresses.

    Thursday, September 17, 2015 1:24 AM
  • What you've said is probably correct - more or less.

    The short Traffic Manager TTL means the clients DNS cache of resolved endpoint is frequently refreshed with newer endpoints.

    The problem that we have experienced in the past is that it took 3-4 in one country for a domain name to be resolved to a public IP address after the IP address for Azure service changed. I'm not trying to say that having a static IP address is the only possible solution for this problem, but what I am saying is that CNAMEs seem to have caused this problem because authorities around the globe can ignore the TTL. Of course this is a very naïve understanding because I'm not a networking engineer, I'm merely piecing together what I have been told and what I have read.

    What I need to ensure is that this does not happen again. I'm happy to use CNAMEs if I can be sure that it won't happen again. If it was a freak occurrence that has nothing to do with CNAMES, then this thread is irrelevant.

    In response to my questions so far, this is what I have been told:

    Yes, this is part of our long-term roadmap.  However, your concerns about the use of CNAMEs and the propagation time for DNS changes can be mitigated using static IP addresses as explained above.

    So, I interpret that to mean "yes", there are problems with CNAMES, and this can be mitigated by using a static IP address attached to the traffic manager. So, really I can only repeat the same questions:

    1) Are my concerns about the combination of changing public IP addresses and CNAMEs founded or not?

    2) Is there any way to link a static IP address to an Azure Traffic Manager, or Azure Load Balancer in such a way that the public IP address does not change? If so, how?

    3) Does Microsoft have any plans to allow alternatives to CNAMES in future? What are those plans, and when will we be told more about these plans?

    Sunday, September 20, 2015 10:31 PM
  • I'm sorry that we've not been able to answer your questions to your satisfaction on this thread.

    Let me try again.  To avoid building on any previous misunderstandings, I'll try to provide a self-contained answer.  Please ignore previous responses.

    • A service endpoint in Azure is assigned an IP address.  To ensure this IP address does not change in future, you can use a static IP address.
    • If/when IP addresses change, their DNS entries need to be updated.  DNS entries managed by Azure will be updated automatically.  However, DNS is cached by other servers around the world, and it may take some time for these caches to expire so that clients can see the updated DNS entries.  In principle, the cache duration is governed by the TTL on the DNS entries, which Azure keeps short enough to minimize any impact.  However, in the 'Wild West' that is the Internet, there are occasions where DNS caches do not obey the TTL.  This is outside both Azure's and your control.
    • A static IP address avoids any possible issue with DNS caching.  Because the IP address is static, it never changes.  Thus the DNS entry never needs to change.  Thus it doesn't matter how long it is cached for.
    • Traffic Manager provides DNS-level traffic routing.  It works using 'CNAME' records.  A 'CNAME' record is like an 'alias', it maps one DNS name to another.  It does not map names to IP addresses (that is done by DNS 'A' records).  Therefore, when using Traffic Manager with Azure services, the name resolution path is typically configured like this:
    1. Your service domain name in your vanity domain, e.g. www.contoso.com, CNAME to:
    2. The Traffic Manager domain name, e.g. contoso.trafficmanager.net, CNAME to
    3. The 'A' record for each service endpoint, e.g. contoso-eu.cloudapp.net and contoso-us.cloudapp.net, which are A records pointing to their respective service IP addresses
    • Traffic Manager doesn't directly consume the IP address (static or not).  It is only configured with the DNS name of the A record which points to the service IP address.  From a Traffic Manager viewpoint, it makes no difference whether the IP address behind that A record is static or not.

    I hope this makes clear that use of static IP addresses, via CNAMEs, is supported in Traffic Manager.

    We do intend to provide the ability to avoid the CNAME hops described above, by allowing you to create a traffic-managed 'A' record directly within a vanity domain, hosted within Azure DNS.  However, this is not supported today.

    Regards,

    Jonathan Tuliani

    Program Manager

    Azure Networking - DNS and Traffic Manager

    Friday, October 2, 2015 1:02 PM
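The name resolution path and caching behaviour described in the reply above can be simulated offline. This is an added example, not part of the original thread and not Azure code: the TTL values, the 203.0.113.x addresses, and the `min_ttl` parameter (a cache that overrides short TTLs) are assumptions, and it measures how long a cached client keeps a stale answer after a change at the authoritative side.

```python
# Added example: a simulation on constructed data, no network access.
QNAME = "www.contoso.com"

def make_zone():
    # Authoritative data: name -> (type, value, TTL in seconds).
    # The TTLs and the 203.0.113.x addresses are assumed values.
    return {
        "www.contoso.com": ("CNAME", "contoso.trafficmanager.net", 3600),
        "contoso.trafficmanager.net": ("CNAME", "contoso-eu.cloudapp.net", 300),
        "contoso-eu.cloudapp.net": ("A", "203.0.113.10", 60),
        "contoso-us.cloudapp.net": ("A", "203.0.113.20", 60),
    }

class CachingResolver:
    """Recursive resolver with a per-record cache.

    min_ttl models a cache that overrides short TTLs (0 means it obeys them).
    """
    def __init__(self, zone, min_ttl=0):
        self.zone, self.min_ttl, self.cache = zone, min_ttl, {}

    def _lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[2]:              # cached and not yet expired
            return hit[0], hit[1]
        rtype, value, ttl = self.zone[name]   # ask the authoritative zone
        self.cache[name] = (rtype, value, now + max(ttl, self.min_ttl))
        return rtype, value

    def resolve(self, name, now):
        for _ in range(8):                    # bound the CNAME chain length
            rtype, value = self._lookup(name, now)
            if rtype == "A":
                return value
            name = value
        raise RuntimeError("CNAME chain too long")

def stale_seconds(min_ttl, changed_name, new_value, step=30, horizon=90000):
    """Seconds until a warmed cache returns the post-change answer (None if never)."""
    zone = make_zone()
    cached = CachingResolver(zone, min_ttl)
    cached.resolve(QNAME, now=0)                          # warm the cache at t=0
    rtype, _, ttl = zone[changed_name]
    zone[changed_name] = (rtype, new_value, ttl)          # change made right after
    fresh = CachingResolver(zone).resolve(QNAME, now=0)   # an uncached client's view
    for t in range(0, horizon + 1, step):
        if cached.resolve(QNAME, now=t) == fresh:
            return t
    return None

if __name__ == "__main__":
    eu = "contoso-eu.cloudapp.net"
    print("dynamic IP, TTL-obeying cache:", stale_seconds(0, eu, "203.0.113.99"))
    print("dynamic IP, cache forcing 1 day:", stale_seconds(86400, eu, "203.0.113.99"))
    print("reserved IP (no change), 1-day cache:", stale_seconds(86400, eu, "203.0.113.10"))
    print("Traffic Manager failover, TTL-obeying cache:",
          stale_seconds(0, "contoso.trafficmanager.net", "contoso-us.cloudapp.net"))
```

The stale window is set by the TTL of the record that actually changed, not by the longer TTL on the vanity CNAME, and it is zero when the endpoint address never changes.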
    • A service endpoint in Azure is assigned an IP address.  To ensure this IP address does not change in future, you can use a static IP address.

    OK great. How?

    Please provide explicit instructions on how to do this.


    Sunday, October 4, 2015 2:26 AM
  • How do we set up a service endpoint in Azure with a Traffic Manager that is assigned a static IP address?
    Wednesday, October 7, 2015 4:35 AM
  • Hi,

    I suspect there is a misunderstanding over how Traffic Manager works.

    Traffic Manager works at the DNS level.  It uses 'smart' DNS responses to direct traffic to your service IP addresses.  Clients then connect to your service IP addresses *directly*.

    Traffic Manager itself does not receive connections, only DNS queries.  It does not provide an IP address for your service.  Thus it is your service that must be configured with a static IP address, not Traffic Manager.

    Guidance for setting up a static IP for your service (or a 'reserved IP', as we call them) can be found here.

    Regards,

    Jonathan Tuliani

    Program Manager

    Azure Networking - DNS and Traffic Manager

    Monday, October 12, 2015 12:36 PM
  • Jonathan,

    Thanks for this reply. While this may or may not be THE answer to my question, you certainly have ADDRESSED my original question with this link (https://azure.microsoft.com/en-gb/documentation/articles/virtual-networks-reserved-public-ip/). I can't help but wonder why this link wasn't posted earlier...

    Anyway, on the face of it, this does LOOK like AN answer. However, I remain skeptical because we've already wasted countless days playing around with PowerShell scripts in order to associate a reserved IP with a cloud service. I was successful once, but was never able to recreate that success. We had been told in the past (by Microsoft forum members, and other networking engineers) that it was impossible to associate a reserved IP with an existing cloud account. This article seems to contradict that.

    I will wait for a good time to test this on our server and then post the results.

    Thanks

    Wednesday, October 14, 2015 9:39 PM