Multiple VMSS single public IP

    Question

  • Hi, 

    I have a Service Fabric cluster that is made up of 3 VMSS. I need to provide a single static IP address for all VMs in the scale sets. This is needed because the application makes calls to APIs that need to be locked down using source IP.

    It seems you can't add multiple VMSS to a single external load balancer, so how can I do this?

    Thanks

    Monday, April 15, 2019 2:30 PM

All replies

  • Hi, 

    If your VMSS has a Public IP address then you can use that IP address to lock down. Every instance will use the VMSS IP to reach out to the Internet if an LB rule exists.

    Regards, 

    Msrini

    Monday, April 15, 2019 2:39 PM
    Moderator
  • Yeah, but you can only assign 1 VMSS to an external load balancer, so only one VMSS will have a public IP.

    How do I assign a public IP to the other 2 VMSS?

    Monday, April 15, 2019 2:43 PM
  • Do your other VMSS not have an LB attached?

    I was thinking you can use 3 LBs and lock down with 3 IP addresses if that fits your requirement.

    Regards, 

    Msrini

    Monday, April 15, 2019 2:46 PM
    Moderator
  • No, they don't have LBs attached; it's one external load balancer for the frontend VMSS and then internal LBs for the other 2 VMSS as internal only.

    Monday, April 15, 2019 2:52 PM
  • Hello,

    I do see two options here:

    Option 1: Use a unique public LB that has all your VMSS nodes as backend; SNAT will guarantee that your nodes go out to the Internet through the LB public IP.

    Option 2: If your VMSS subnet has a default route (0.0.0.0/0) that points to an Azure Firewall, all your nodes will go out to the Internet through the Azure Firewall public IP.

    James

    Monday, April 15, 2019 2:53 PM
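
An added example, not part of the thread: a small audit for Option 2 that checks every node-type subnet sends Internet-bound traffic to the same firewall, since source-IP allowlisting only holds if no subnet egresses another way. The route-table JSON shape (modelled on `az network route-table list`), the subnet names, and the firewall IP `10.0.100.4` are assumptions, and prefixes are assumed to be CIDR strings.

```python
import ipaddress

# Constructed sample; field names assumed to follow `az network route-table list`,
# subnet ids shortened to hypothetical names.
ROUTE_TABLES = [
    {"name": "rt-frontend",
     "routes": [{"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
                 "nextHopIpAddress": "10.0.100.4"}],
     "subnets": [{"id": "snet-frontend"}]},
    {"name": "rt-backend",
     "routes": [{"addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
                 "nextHopIpAddress": "10.0.100.4"},
                {"addressPrefix": "203.0.113.0/24", "nextHopType": "Internet"}],
     "subnets": [{"id": "snet-backend"}]},
]
NODE_SUBNETS = ["snet-frontend", "snet-backend", "snet-data"]  # one per VMSS


def audit_egress(route_tables, node_subnets, firewall_ip):
    """Return {subnet: [findings]}; an empty list means all Internet-bound
    traffic from that subnet is routed to firewall_ip."""
    by_subnet = {s["id"]: rt for rt in route_tables for s in rt.get("subnets") or []}
    report = {}
    for subnet in node_subnets:
        rt = by_subnet.get(subnet)
        if rt is None:
            report[subnet] = ["no route table: egress does not use the firewall"]
            continue
        findings = []
        default = [r for r in rt["routes"] if r["addressPrefix"] == "0.0.0.0/0"]
        if not default:
            findings.append("no 0.0.0.0/0 route")
        for r in default:
            if r["nextHopType"] != "VirtualAppliance" or r.get("nextHopIpAddress") != firewall_ip:
                findings.append(f"default route goes to {r['nextHopType']} {r.get('nextHopIpAddress')}")
        # A more specific prefix wins over 0.0.0.0/0, so an Internet next hop skips the firewall.
        for r in rt["routes"]:
            net = ipaddress.ip_network(r["addressPrefix"])
            if net.prefixlen > 0 and r["nextHopType"] == "Internet":
                findings.append(f"{net} bypasses firewall (next hop Internet)")
        report[subnet] = findings
    return report


if __name__ == "__main__":
    for subnet, findings in audit_egress(ROUTE_TABLES, NODE_SUBNETS, "10.0.100.4").items():
        print(subnet, "OK" if not findings else findings)
```
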
  • Thanks James, I'm not using an Azure Firewall; it was something I was looking to do to get round the issue, but it adds further design to the application.

    Service Fabric by default assigns a VMSS to each of the NodeTypes, so I can't combine each VM in the VMSS into a single scale set.

    Monday, April 15, 2019 2:55 PM
  • As James suggested, you can use an NVA or Azure Firewall, as option 1 will not help because the IP address it is going to take cannot be predicted. It might change, and hence you will not be able to whitelist the IP.

    Regards, 

    Msrini

    Monday, April 15, 2019 3:03 PM
    Moderator
  • Hi, 

    Just checking in if you have had a chance to see the previous response. If this answers your query, do click “Mark as Answer” and Up-Vote for the same.

    Regards, 

    Msrini

    Tuesday, April 16, 2019 8:22 PM
    Moderator