SSL offloading considerations for basic (sku) LB versus standard (sku) LB versus other 3rd party LB (F5, NGINX) for Azure cloud.

  • Question

  • We have a couple of application/web servers for which we are currently using a single F5 with a certificate for these app/web servers.

    The app/web servers are for internal users only (no public access). Would the web functionality require a public IP or an internal IP? These servers are also receiving information from an external vendor; how would we configure this as well? Maybe we could separate out the web and app functions into separate VMs, but this seems an inefficient use of resources.

    If we want to replace the F5 with a basic (sku) LB, which does not allow certificates to be attached, how do we work around this inability to have a web certificate on this LB? Do we have to create a web certificate on each server? However, the basic LB has a single IP point for ingress/egress, and a certificate usually has just one IP on it with other associated names. How is a certificate configured for this?

    When I examined the standard (sku) LB, a certificate can be added; however, it does not allow *.cert to be configured on the LB? I created a standard LB and did not see a place to configure a web cert (SSL). Is the Standard LB able to offload SSL traffic to the web server end points?

    I am confused by the terminology of "API gateway" versus standard load balancer. They seem to refer to both as the same? If the standard LB is at layer 7 (SSL), do you have steps on how to configure this? I recall from a long time ago that it wanted to configure something other than *.cert, or maybe I am just unclear how to configure this?

    Do we need to use F5 or NGINX for SSL offloading?


    Wednesday, October 23, 2019 9:26 PM

All replies

  • Hi, 

    For configuration of F5, you would need to be redirected to the F5 forums for a better response.

    Azure basic/Standard LB works at L4. You will not be able to do SSL offloading or upload a cert in the LB. You need to have this cert on all of your backend VMs, and the LB is just going to forward the request to the backend pool by load balancing the request.

    Also, I would suggest you go with Azure Application Gateway, where you can upload a cert and do SSL offloading. That fits with your requirement as well.

    Reference: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl



    Thursday, October 24, 2019 4:49 AM
  • https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl

    (Standard (sku) LB uses PFX format)

    Just conceptually outlining the below steps for my understanding:

    STEP 1: https://www.openssl.org/source/ (download SSL conversion tool)


    STEP 2: Convert CER and Private Key to PFX

    openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer

    Next upload PFX cert into standard (sku) LB.

    However, if we have been provided CER certificate(s) and are using a basic LB, we would require a different certificate for each VM? And a basic (sku) LB cannot be used with availability zones?

    Only a standard (sku) LB can be used with Availability Zones? This would require a PFX cert to be converted from a CER certificate for use in a standard (sku) LB. (Our organization provides only CER certificates.)

    I see no reason to use a basic (sku) LB. We had used the basic LB for fail-over traffic for a SQL AG since both of the replicas (nodes) were located in the same AZ zone (at the time there was only one AZ zone). Can we use a standard (sku) LB with different AZ zones for a SQL AG (IaaS) with two replicas (nodes)? (Note: my understanding is that a basic (sku) LB can only be used in the same AZ zone. Please confirm.)

    Why do they refer to a Standard (sku) LB as an "API gateway"? We want users to browse an internal website (web console); the https traffic would go from the user(s) >> Standard (sku) LB with PFX cert >> Web server (web console).


    • Edited by kimdav111 Thursday, October 24, 2019 3:06 PM
    Thursday, October 24, 2019 2:56 PM
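The conversion step outlined in the post, carried through as an added shell example (not from the thread or from Microsoft/OpenSSL documentation): it builds the PFX from a CER plus private key exactly as the `openssl pkcs12 -export` line does, then verifies that the bundle opens with its password and that the key inside actually belongs to the leaf certificate before the file is uploaded to an Application Gateway HTTPS listener (which, per the replies, is where a cert can be uploaded; the L4 load balancer SKUs take none). The file names, the export password and the self-signed test pair are constructed for the demo; in real use the CER and key come from the organization's CA.

```shell
#!/bin/sh
# Added example: CER + key -> PFX conversion with a pre-upload sanity check.
# All names, the password "changeit" and the self-signed test material are
# constructed for this demo, not taken from the thread.
set -eu

# Stand-in for the organization-issued CER and its private key: a
# throwaway self-signed pair (constructed; never use it in production).
make_test_material() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=webconsole.internal.example" \
    -keyout "$dir/privateKey.key" -out "$dir/certificatename.cer" \
    >/dev/null 2>&1
}

# Convert CER + key into a password-protected PFX (PKCS#12).
# Optional 5th argument: CA chain file, passed as -certfile like the post.
convert_to_pfx() {
  cer="$1"; key="$2"; out="$3"; pass="$4"; ca="${5:-}"
  if [ -n "$ca" ]; then
    openssl pkcs12 -export -in "$cer" -inkey "$key" -certfile "$ca" \
      -out "$out" -passout "pass:$pass"
  else
    openssl pkcs12 -export -in "$cer" -inkey "$key" \
      -out "$out" -passout "pass:$pass"
  fi
}

# Check that the PFX unlocks with the password and that the private key in
# it matches the leaf certificate (RSA modulus comparison).
# Returns 0 on success, 1 on wrong password or key/cert mismatch.
verify_pfx() {
  pfx="$1"; pass="$2"
  cert_mod=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
             | openssl x509 -noout -modulus 2>/dev/null) || return 1
  key_mod=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
            | openssl rsa -noout -modulus 2>/dev/null) || return 1
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Print the subject and expiry that the gateway listener would present.
describe_pfx() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}

# Usage: sh pfx_check.sh demo   (builds the demo material in a temp dir)
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_test_material "$work"
  convert_to_pfx "$work/certificatename.cer" "$work/privateKey.key" \
    "$work/certificatename.pfx" "changeit"
  verify_pfx "$work/certificatename.pfx" "changeit" && echo "PFX OK"
  describe_pfx "$work/certificatename.pfx" "changeit"
  rm -rf "$work"
fi
```

The verification matters because `openssl pkcs12 -export` will happily bundle a key with the wrong certificate chain order or an expired leaf; checking subject, expiry and key/cert agreement locally is cheaper than discovering the problem after the gateway listener rejects or misserves the certificate.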
  • Hi, 

    You cannot upload a certificate to the Azure Standard Load Balancer.

    Load balancer has 2 SKUs, Basic and Standard. Both work at L4, and you will not get an option to upload a cert. Only in Application Gateway, which is an L7 load balancer, can you upload a certificate and do SSL offloading.

    AppGW reference: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl

    Standard Load balancer reference: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-standard-overview

    In Application Gateway you have 2 SKUs: Application Gateway V1 and V2.

    Only in Application Gateway V2 can you leverage the Availability Zones feature.



    Thursday, October 24, 2019 3:22 PM
  • Can you clarify the difference between an application gateway and a LB? Even the diagrams of API gateways look similar to a LB?


    Friday, October 25, 2019 12:45 PM
  • Load balancer is a product which is given by Microsoft in two SKUs, Basic and Standard. It is a layer 4 load balancer, which means you can use it for HTTP, HTTPS and SQL applications, and also to load balance on any ports on which your application is listening.

    Application Gateway is a product which is given by Microsoft in two SKUs, V1 and V2. It is a layer 7 load balancer which is only used for web traffic. It has lots of features that you can use to load balance web servers.

    I am not sure what you mean by API gateways. There is a product called API Management gateway which is used for different purposes.

    If the above response helped, please mark the response as answer. 



    Friday, October 25, 2019 3:25 PM
  • Hi, 

    Just checking in if you have had a chance to see the previous response. If this answers your query, do click “Mark as Answer” and Up-Vote for the same.



    Friday, November 1, 2019 1:22 PM