Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,137 questions
How to put multiple VMs behind a single private IP address on Azure?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 24%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Leonardo Tavares
20
Reputation points
I'm working on creating a Blue/Green deployment for a product in Azure but I'm running into a problem regarding outbound traffic to an on-premisses database.
Our initial idea can be seen in this diagram:
We have three main "moving parts":
A spoke subscription with a VNET and the VMs running different versions of our product
A hub subscription and network with a VPN Gateway
An on-premisses network with a DB and a client
Our production VMs need to be accessible to the on-premisses client at a fixed IP, but also be able to access the DB (which the on-premisses Firewall allows only a single IP).
This worked very nicely with a single VM, but now that we want to do a Blue/Green deployment, things are getting a bit complicated.
The inbound part is very easy with a Load Balancer, but the outbound part (from the server to the on-premisses VM at a fixed private IP) is proving to be way harder than expected. It is specially necessary that the on-premisses network sees a single private IP as the on-premisses firewall only allows this single IP to access the DB.
I saw a lot of similar questions, but all of them focused on public IP, instead of private IP, which is what I really need.
My initial idea was to use NAT Gateway or Internal Load Balancer with outbound traffic, but they both use public IPs, and we need it to be fully private.
Using Azure Firewall and "forcing" SNAT does translate the IP address to another internal IP, but it uses a pool of internal IPs instead of a fixed one, so that doesn't work either.
Any suggestions?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 22,941 Reputation points Microsoft Employee2024-04-19T01:44:34.6533333+00:00 Thank you for reaching out and posting a detailed question here.
I think the best suited solution here will be to implement the connection using Azure Application Gateway. Just FYI both the features here are in public preview.
Bellow will be the implementation I will suggest.
- Use Application Gateway TCP/TLS proxy overview (Preview) feature allows the connectivity to a VM running a non-HTTP application like SQL client. You can follow the tutorial here to create an Azure Application Gateway with a SQL Server virtual machine as the backend server.
- Along with the feature above use Private Application Gateway deployment (preview) so that App Gateway with only private frontend IP address. This way when deployed with private-only gateway. With TLS and TCP proxy support for private Application Gateway deployments, you can support HTTP and non-HTTP clients in an isolated environment for enhanced security.
Hope this helps! Please let me know if you have any questions. Thank you!
-
Leonardo Tavares 20 Reputation points
2024-04-23T09:52:45.1433333+00:00 Hi @ChaitanyaNaykodi-MSFT , thanks for your response.
In this case, the "outbound" connectivity is still missing, right?
Access inbound works as expected, but I couldn't find a way to route outbound traffic through this.
-
ChaitanyaNaykodi-MSFT 22,941 Reputation points Microsoft Employee
2024-04-25T00:12:42.9466667+00:00 Thank you for getting back.
By outbound do mean the connection originating from the Azure production VMs?
Then in this case it will not use the Application gateway's frontend private IP.
Sign in to comment