Why is it not recommended to use Traffic Manager to load balance traffic to my NGFW firewall?

  • Question

  • Hi All,

    We would like to deploy an NGFW for Azure, like FortiGate or Palo Alto. When we check reference architectures with Azure native services for HA, most of the recommendations are to use LB or App Gateway.

    My questions are,

    • Why is it not recommended to use Traffic Manager to load balance traffic to my firewalls? What are the main challenges with that?
    • How can I utilise Traffic Manager effectively along with NGFW to load balance traffic to my internal servers that are behind my firewall?

    Regards,

    Sivakumar 

    Tuesday, September 17, 2019 12:26 AM

All replies

  • Hi Shiva, 

    Traffic Manager is a DNS based Load balancer. You can only add Public endpoints to the backend pool of Traffic Manager. 

    Traffic Manager is only public/external. You cannot use this for internal/private use. Also, if probes fail for both endpoints, then TM will still resolve the IP address which is unhealthy.

    If your scenario includes, Internet Clients --> TM --> NGFW --> Internal Servers, then it should be fine. 

    Also, if you are planning to implement an Active-Passive setup, then how will the NGFW maintain the state/session?

    Regards, 

    Msrini 

    Tuesday, September 17, 2019 3:34 AM
    Moderator
  • Hi Msrini,

    Please consider the above diagram where we have marked the public load balancer. Instead of using a public load balancer to distribute the traffic to my firewalls, will it be possible to use Azure Traffic Manager to route traffic between them? Adding one more point: if it is possible, then suppose we have deployed multiple web servers behind FortiGate, will it be possible to route traffic to them?

    Tuesday, September 17, 2019 4:01 AM
  • Hi, 

    The key point that you need to consider when you are using Traffic Manager is that the actual traffic will be sent/received between the client and the NVA. No traffic will flow via Traffic Manager. 

    Traffic Manager is a DNS-based load balancer and it just responds to the DNS query that your client has sent with one of the NVAs' IP addresses so that the client can directly reach the respective NVA. Since it is DNS-based load balancing, based on the TTL that the client has, they will always end up reaching one server rather than the other.

    Traffic Manager is an ideal solution for web sites, not for other scenarios.

    But you can still use it; it does work. But as I mentioned earlier, keep in mind the way TM works.

    Regards, 

    Msrini

    Tuesday, September 17, 2019 4:44 PM
    Moderator
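The two behaviours Msrini describes (a client sticks to whichever NVA its cached DNS answer points at until the TTL expires, and an all-endpoints-unhealthy profile still answers with an endpoint IP) are easy to lose in a diagram. The following is an added illustration, not code from the thread or from Azure: a small model of a DNS-based load balancer in front of two firewall NVAs, with a client that caches the answer for the TTL. The endpoint names, the 203.0.113.x addresses (RFC 5737 documentation range), the TTL and the failure timings are all constructed for the example.

```python
"""Added example (not from the thread): a minimal model of DNS-based load
balancing, Traffic Manager style, in front of two NGFW NVAs.

The DNS layer never forwards packets; it only hands out ONE endpoint IP plus a
TTL, and the client then talks to that NVA directly for as long as it caches
the answer. All names, IPs and timings below are constructed."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    ip: str              # constructed public IP of the NVA
    healthy: bool = True  # result of the last health probe


class DnsLoadBalancer:
    """Round-robin DNS answerer: returns (ip, ttl) for one endpoint per query."""

    def __init__(self, endpoints, ttl):
        self.endpoints = list(endpoints)
        self.ttl = ttl
        self._next = 0

    def resolve(self):
        healthy = [e for e in self.endpoints if e.healthy]
        # Degraded mode: when every probe has failed, an endpoint is still
        # returned (the thread's "TM will still resolve the IP which is unhealthy").
        pool = healthy or self.endpoints
        chosen = pool[self._next % len(pool)]
        self._next += 1
        return chosen.ip, self.ttl


class Client:
    """Caches the DNS answer for its TTL; all traffic goes straight to that NVA."""

    def __init__(self, dns):
        self.dns = dns
        self.cached_ip = None
        self.expires_at = -1

    def connect(self, now):
        if self.cached_ip is None or now >= self.expires_at:
            self.cached_ip, ttl = self.dns.resolve()
            self.expires_at = now + ttl
        return self.cached_ip


def make_pair():
    """Two constructed NVA endpoints."""
    return Endpoint("fw-a", "203.0.113.10"), Endpoint("fw-b", "203.0.113.20")


def stickiness_demo(ttl=30, seconds=60):
    """One client connecting every second: returns the NVA IP it used each second.
    With ttl=30 the first 30 connections land on one NVA and the next 30 on the other,
    so per-client traffic is not spread across the firewalls at all."""
    dns = DnsLoadBalancer(make_pair(), ttl)
    client = Client(dns)
    return [client.connect(t) for t in range(seconds)]


def failover_lag_demo(ttl=30, fail_at=10, seconds=60):
    """fw-a fails its probe at `fail_at`; returns how many seconds the client keeps
    sending to the dead NVA because its cached answer has not expired."""
    a, b = make_pair()
    dns = DnsLoadBalancer([a, b], ttl)
    client = Client(dns)
    stale = 0
    for t in range(seconds):
        if t == fail_at:
            a.healthy = False   # health probe marks fw-a down
        if client.connect(t) == a.ip and not a.healthy:
            stale += 1
    return stale


def all_down_demo():
    """Both NVAs unhealthy: the DNS answer is still one of their IPs."""
    a, b = make_pair()
    a.healthy = b.healthy = False
    return DnsLoadBalancer([a, b], ttl=30).resolve()[0]


if __name__ == "__main__":
    seq = stickiness_demo()
    print("client used", seq[0], "for", seq.count(seq[0]), "s, then", seq[30])
    print("seconds spent on the dead NVA after it failed:", failover_lag_demo())
    print("answer with every endpoint unhealthy:", all_down_demo())
```

The model shows why the replies steer toward a Standard Load Balancer for NVA HA: the DNS layer cannot redirect an existing flow, it cannot share session state between the firewalls, and the failover lag equals whatever TTL the client (or an intermediate resolver) is honouring. Lowering `ttl` in `failover_lag_demo` shortens the lag at the cost of more DNS queries, which is the only knob a DNS-based scheme offers.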
  • Do you have any update on this issue?

    Regards, 

    Msrini

    Thursday, September 19, 2019 12:51 PM
    Moderator
  • Hi, 


    Just checking in if you have had a chance to see the previous response. If this answers your query, do click “Mark as Answer” and Up-Vote for the same.

    Regards, 

    Msrini

    Monday, September 23, 2019 11:33 AM
    Moderator
  • Hi, 

    Do you have any update on this issue?

    Regards, 

    Msrini

    Thursday, September 26, 2019 8:30 PM
    Moderator