question

AlmudenaCuencaSalas-0870 asked

Front Door + backend pool VMs on-prem and in Azure

I have a customer wanting to use an IP address for a Front Door backend pool entry located on an on-premises machine via a VPN.

They would like to be able to run some virtual machines on premises as part of a backend pool for an Azure Front Door. These machines will be running the same application software as the Azure virtual machines that are also part of the same backend pool, but as part of a software migration they would like to have them be part of the Front Door backend pool. They will be connected to a virtual network in Azure via an IPsec IKE S2S VPN tunnel.

I understand that AFD supports both Azure and non-Azure resources in the backend pool and this can be done only using public IP addresses via custom host: https://docs.microsoft.com/en-us/azure/frontdoor/front-door-backend-pool#backends

But I cannot find information regarding backend pool VMs being split between on-prem and Azure. Is this combination possible? If so, how can it be achieved?

Thanks in advance,
Almudena

azure-front-door

1 Answer

TravisCragg-MSFT answered

This is possible in theory, but will have several limitations.

First, regarding Azure Front Door:

You can put any public IP here, which means you cannot directly point to the internal IP of your on-prem servers and have it direct over your VPN.

You can put another device in between, such as a Load Balancer, Application Gateway, or other NVA which can direct the traffic on-prem.

Before you start down that path, Azure Front Door is designed to be a global entry point. Even if you did have traffic go to Front Door -> Datacenter -> VPN -> On-Prem, it would have a LOT of unnecessary latency.

You can have on-prem backends exposed via an IP on-prem, and have Azure Front Door direct traffic to both Azure via the public IP and your on-prem via your ISP IP. This results in the lowest latency for each server.

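An added example, not from the thread or from Microsoft's documentation: a Bicep template for the layout the answer describes, one Front Door (classic) backend pool holding an Azure VM reached over its public IP and an on-prem server reached over the customer's ISP-assigned public IP. The profile name, both IP addresses, the health-probe path and the backend host header are placeholders.

```bicep
// Added example (not from the thread). All IPs, names and the host header are placeholders.
param frontDoorName string = 'contoso-migration-fd'
param azureVmPublicIp string = '203.0.113.10'      // placeholder: Azure VM public IP (TEST-NET-3)
param onPremIspPublicIp string = '198.51.100.20'   // placeholder: on-prem public IP from the ISP
param appHostHeader string = 'app.contoso.example' // placeholder: host header the app expects

var fdRes = 'Microsoft.Network/frontDoors'
// Same priority on both backends: each client is sent to whichever healthy backend has the lowest latency.
var backend = { httpPort: 80, httpsPort: 443, priority: 1, weight: 50, enabledState: 'Enabled', backendHostHeader: appHostHeader }

resource fd 'Microsoft.Network/frontDoors@2020-05-01' = {
  name: frontDoorName
  location: 'global'
  properties: {
    frontendEndpoints: [
      { name: 'fe', properties: { hostName: '${frontDoorName}.azurefd.net', sessionAffinityEnabledState: 'Disabled' } }
    ]
    loadBalancingSettings: [
      { name: 'lb', properties: { sampleSize: 4, successfulSamplesRequired: 2, additionalLatencyMilliseconds: 0 } }
    ]
    healthProbeSettings: [
      { name: 'probe', properties: { path: '/healthz', protocol: 'Https', intervalInSeconds: 30, healthProbeMethod: 'HEAD', enabledState: 'Enabled' } }
    ]
    backendPools: [
      {
        name: 'app-pool'
        properties: {
          backends: [
            union(backend, { address: azureVmPublicIp })   // Azure VM, reached via its public IP
            union(backend, { address: onPremIspPublicIp }) // on-prem server, reached via the ISP IP
          ]
          loadBalancingSettings: { id: resourceId('${fdRes}/loadBalancingSettings', frontDoorName, 'lb') }
          healthProbeSettings: { id: resourceId('${fdRes}/healthProbeSettings', frontDoorName, 'probe') }
        }
      }
    ]
    routingRules: [
      {
        name: 'forward-all'
        properties: {
          frontendEndpoints: [ { id: resourceId('${fdRes}/frontendEndpoints', frontDoorName, 'fe') } ]
          acceptedProtocols: [ 'Https' ]
          patternsToMatch: [ '/*' ]
          enabledState: 'Enabled'
          routeConfiguration: { '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration', forwardingProtocol: 'HttpsOnly', backendPool: { id: resourceId('${fdRes}/backendPools', frontDoorName, 'app-pool') } }
        }
      }
    ]
  }
}
```

Since the on-prem server is now reachable on a public IP, the on-prem firewall should admit only Front Door's source ranges (the AzureFrontDoor.Backend service tag) and the application should verify the X-Azure-FDID header against this profile's ID, so the backend cannot be reached directly while bypassing Front Door.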

Hi Travis,

Thanks for your response.

Regarding any of the in-between devices you mentioned (ex. AG, LB), would these allow for private communication with on-prem backends? My understanding is that they also use public connection, correct? My client is looking for integration with their local private IPs, so not sure how this could be achieved other than using VPN connection...


TravisCragg-MSFT commented

This is possible using Application Gateways, but not Azure Load Balancer.

Azure Application Gateways can use internal IPs that are connected via a VPN or ExpressRoute.
