Azure Standard Load Balancer with HA ports - what it means for your network and security stack
You may have had the chance to configure a networking cluster of firewalls, proxies, WAFs or load balancers in Azure in the past, and may have come across with the dilemma of making the cluster highly available, as you would do within an on-premises environment, where you would place your load balancers and firewalls in active/active or active/standby
Before the HA ports feature of the Azure Standard Load Balancer was made GA, this was not a simple and straight forward journey. A networking engineer would need to configure routing policies (UDR in Azure) to send traffic to one or the other instance of your cluster, making sure that whoever becomes 'active' in the cluster receives the traffic accordingly. The route tables could only identify a single primary route and would need to be re-written to point from on device to another in case of failure or maintenance. Most of the times, you would find that this process is not automated by the networking/security vendor and a manual process needed to be in place. That led to the use of scripts or powershell commands to update the UDR configs on demand, which is not a simple and easy way of setting up your network in Azure
While this manual re-write process willwork, it takes time to get updated but also and more importantly it was facing the problem of 'one single rule per TCP/UDP port' on the Azure Load Balancer rule configuration.
The solution came with the release of HA ports within Standard Load Balancer! What it means for you is that Azure would support instant failover from one firewall/proxy/loadblancer to the other. For instance, if your firewall needs to inspect a large number of TCP/UDP ports, you don't need a single load balancing rule in Azure LB per port, one single Load Balancing rule would do it for all!
This is a great feature to reduce complexity when configuring your networking and security stack within Azure. It will simplify the deployment of Palo Alto firewalls, F5 Load Balancers (and WAFs), Barracuda firewalls (to name the most popular NVA we see in Azure) within your Azure subscription
Now, you could just have a single UDR policy to send all your traffic to the Fronted IP address of your Standard Load Balancer, and it will distribute the traffic intelligently to one member of your cluster
Remember this feature is available for the internal Azure Load Balancer (not external)
You can find more information about Azure Standard LB and HA ports here: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-ha-ports-overview