Quickstart: Create a public load balancer using Azure PowerShell

This quickstart shows you how to create Basic Load Balancer using Azure PowerShell. To test the load balancer, you deploy two virtual machines (VMs) running Windows server and load balance a web app between the VMs.


This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell. Example of Try It for Azure Cloud Shell
Go to https://shell.azure.com or select the Launch Cloud Shell button to open Cloud Shell in your browser. Launch Cloud Shell in a new window
Select the Cloud Shell button on the top-right menu bar in the Azure portal. Cloud Shell button in the Azure portal

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

Create a resource group

Before you can create your load balancer, you must create a resource group with New-AzResourceGroup. The following example creates a resource group named myResourceGroupLB in the EastUS location:

New-AzResourceGroup `
  -ResourceGroupName "myResourceGroupLB" `
  -Location "EastUS"

Create a public IP address

To access your app on the Internet, you need a public IP address for the load balancer. Create a public IP address with New-AzPublicIpAddress. The following example creates a public IP address named myPublicIP in the myResourceGroupLB resource group:

$publicIP = New-AzPublicIpAddress `
  -ResourceGroupName "myResourceGroupLB" `
  -Location "EastUS" `
  -AllocationMethod "Static" `
  -Name "myPublicIP"

Create Basic Load Balancer

In this section, you configure the frontend IP and the back-end address pool for the load balancer and then create the Basic Load Balancer.

Create front-end IP

Create a front-end IP with New-AzLoadBalancerFrontendIpConfig. The following example creates a frontend IP configuration named myFrontEnd and attaches the myPublicIP address:

$frontendIP = New-AzLoadBalancerFrontendIpConfig `
  -Name "myFrontEnd" `
  -PublicIpAddress $publicIP

Configure back-end address pool

Create a back-end address pool with New-AzLoadBalancerBackendAddressPoolConfig. The VMs attach to this back-end pool in the remaining steps. The following example creates a back-end address pool named myBackEndPool:

$backendPool = New-AzLoadBalancerBackendAddressPoolConfig -Name "myBackEndPool"

Create a health probe

To allow the load balancer to monitor the status of your app, you use a health probe. The health probe dynamically adds or removes VMs from the load balancer rotation based on their response to health checks. By default, a VM is removed from the load balancer distribution after two consecutive failures at 15-second intervals. You create a health probe based on a protocol or a specific health check page for your app.

The following example creates a TCP probe. You can also create custom HTTP probes for more fine grained health checks. When using a custom HTTP probe, you must create the health check page, such as healthcheck.aspx. The probe must return an HTTP 200 OK response for the load balancer to keep the host in rotation.

To create a TCP health probe, you use Add-AzLoadBalancerProbeConfig. The following example creates a health probe named myHealthProbe that monitors each VM on HTTP port 80:

$probe = New-AzLoadBalancerProbeConfig `
  -Name "myHealthProbe" `
  -RequestPath healthcheck2.aspx `
  -Protocol http `
  -Port 80 `
  -IntervalInSeconds 16 `
  -ProbeCount 2

Create a load balancer rule

A load balancer rule is used to define how traffic is distributed to the VMs. You define the frontend IP configuration for the incoming traffic and the backend IP pool to receive the traffic, along with the required source and destination port. To make sure only healthy VMs receive traffic, you also define the health probe to use.

Create a load balancer rule with Add-AzLoadBalancerRuleConfig. The following example creates a load balancer rule named myLoadBalancerRule and balances traffic on TCP port 80:

$lbrule = New-AzLoadBalancerRuleConfig `
  -Name "myLoadBalancerRule" `
  -FrontendIpConfiguration $frontendIP `
  -BackendAddressPool $backendPool `
  -Protocol Tcp `
  -FrontendPort 80 `
  -BackendPort 80 `
  -Probe $probe

Create the NAT rules

Create NAT rules with Add-AzLoadBalancerRuleConfig. The following example creates NAT rules named myLoadBalancerRDP1 and myLoadBalancerRDP2 to allow RDP connections to the backend servers with port 4221 and 4222:

$natrule1 = New-AzLoadBalancerInboundNatRuleConfig `
-Name 'myLoadBalancerRDP1' `
-FrontendIpConfiguration $frontendIP `
-Protocol tcp `
-FrontendPort 4221 `
-BackendPort 3389

$natrule2 = New-AzLoadBalancerInboundNatRuleConfig `
-Name 'myLoadBalancerRDP2' `
-FrontendIpConfiguration $frontendIP `
-Protocol tcp `
-FrontendPort 4222 `
-BackendPort 3389

Create load balancer

Create the Basic Load Balancer with New-AzLoadBalancer. The following example creates a public Basic Load Balancer named myLoadBalancer using the frontend IP configuration, backend pool, health probe, load balancing rule, and NAT rules that you created in the preceding steps:

$lb = New-AzLoadBalancer `
-ResourceGroupName 'myResourceGroupLB' `
-Name 'MyLoadBalancer' `
-Location 'eastus' `
-FrontendIpConfiguration $frontendIP `
-BackendAddressPool $backendPool `
-Probe $probe `
-LoadBalancingRule $lbrule `
-InboundNatRule $natrule1,$natrule2

Create network resources

Before you deploy some VMs and can test your balancer, you must create supporting network resources - virtual network and virtual NICs.

Create a virtual network

Create a virtual network with New-AzVirtualNetwork. The following example creates a virtual network named myVnet with mySubnet:

# Create subnet config
$subnetConfig = New-AzVirtualNetworkSubnetConfig `
  -Name "mySubnet" `

# Create the virtual network
$vnet = New-AzVirtualNetwork `
  -ResourceGroupName "myResourceGroupLB" `
  -Location "EastUS" `
  -Name "myVnet" `
  -AddressPrefix `
  -Subnet $subnetConfig

Create network security group

Create network security group to define inbound connections to your virtual network.

Create a network security group rule for port 3389

Create a network security group rule to allow RDP connections through port 3389 with New-AzNetworkSecurityRuleConfig.

$rule1 = New-AzNetworkSecurityRuleConfig `
-Name 'myNetworkSecurityGroupRuleRDP' `
-Description 'Allow RDP' `
-Access Allow `
-Protocol Tcp `
-Direction Inbound `
-Priority 1000 `
-SourceAddressPrefix Internet `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 3389

Create a network security group rule for port 80

Create a network security group rule to allow inbound connections through port 80 with New-AzNetworkSecurityRuleConfig.

$rule2 = New-AzNetworkSecurityRuleConfig `
-Name 'myNetworkSecurityGroupRuleHTTP' `
-Description 'Allow HTTP' `
-Access Allow `
-Protocol Tcp `
-Direction Inbound `
-Priority 2000 `
-SourceAddressPrefix Internet `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 80

Create a network security group

Create a network security group with New-AzNetworkSecurityGroup.

$nsg = New-AzNetworkSecurityGroup `
-ResourceGroupName 'myResourceGroupLB' `
-Location 'EastUS' `
-Name 'myNetworkSecurityGroup' `
-SecurityRules $rule1,$rule2

Create NICs

Create virtual NICs created with New-AzNetworkInterface. The following example creates two virtual NICs. (One virtual NIC for each VM you create for your app in the following steps). You can create additional virtual NICs and VMs at any time and add them to the load balancer:

# Create NIC for VM1
$nicVM1 = New-AzNetworkInterface `
-ResourceGroupName 'myResourceGroupLB' `
-Location 'EastUS' `
-Name 'MyVM1' `
-LoadBalancerBackendAddressPool $backendPool `
-NetworkSecurityGroup $nsg `
-LoadBalancerInboundNatRule $natrule1 `
-Subnet $vnet.Subnets[0]

# Create NIC for VM2
$nicVM2 = New-AzNetworkInterface `
-ResourceGroupName 'myResourceGroupLB' `
-Location 'EastUS' `
-Name 'MyVM2' `
-LoadBalancerBackendAddressPool $backendPool `
-NetworkSecurityGroup $nsg `
-LoadBalancerInboundNatRule $natrule2 `
-Subnet $vnet.Subnets[0]

Create virtual machines

To improve the high availability of your app, place your VMs in an availability set.

Create an availability set with New-AzAvailabilitySet. The following example creates an availability set named myAvailabilitySet:

$availabilitySet = New-AzAvailabilitySet `
  -ResourceGroupName "myResourceGroupLB" `
  -Name "myAvailabilitySet" `
  -Location "EastUS" `
  -Sku aligned `
  -PlatformFaultDomainCount 2 `
  -PlatformUpdateDomainCount 2

Set an administrator username and password for the VMs with Get-Credential:

$cred = Get-Credential

Now you can create the VMs with New-AzVM. The following example creates two VMs and the required virtual network components if they do not already exist. In this example, the NICs (VM1 and VM2) created in the preceding step are automatically assigned to virtual machines VM1 and VM2 since they have identical names and are assigned the same virtual network (myVnet) and subnet (mySubnet). In addition, since the NICs are associated to the load balancer's backend pool, the VMs are automatically added to the backend pool.

for ($i=1; $i -le 2; $i++)
    New-AzVm `
        -ResourceGroupName "myResourceGroupLB" `
        -Name "myVM$i" `
        -Location "East US" `
        -VirtualNetworkName "myVnet" `
        -SubnetName "mySubnet" `
        -SecurityGroupName "myNetworkSecurityGroup" `
        -OpenPorts 80 `
        -AvailabilitySetName "myAvailabilitySet" `
        -Credential $cred `

The -AsJob parameter creates the VM as a background task, so the PowerShell prompts return to you. You can view details of background jobs with the Job cmdlet. It takes a few minutes to create and configure the two VMs.

Install IIS with Custom web page

Install IIS with a custom web page on both backend VMs as follows:

  1. Get the Public IP address of the Load Balancer. Using Get-AzPublicIPAddress, obtain the Public IP address of the Load Balancer.

    Get-AzPublicIPAddress -ResourceGroupName "myResourceGroupLB" -Name "myPublicIP" | select IpAddress
  2. On your local machine, open a command prompt or PowerShell window for this step. Create a remote desktop connection to VM1 using the Public Ip address that you obtained from the previous step.

    mstsc /v:PublicIpAddress:4221  
  3. Enter the credentials for VM1 to start the RDP session.

  4. Launch Windows PowerShell on VM1 and using the following commands to install IIS server and update the default htm file.

        # Install IIS
          Install-WindowsFeature -name Web-Server -IncludeManagementTools
        # Remove default htm file
          remove-item  C:\inetpub\wwwroot\iisstart.htm
        # Add custom htm file
          Add-Content -Path "C:\inetpub\wwwroot\iisstart.htm" -Value $("Hello from" + $env:computername)
  5. Close the RDP connection with myVM1.

  6. Create a RDP connection on your local machine with myVM2 by running mstsc /v:PublicIpAddress:4222 command, and repeat step 4 for VM2.

Test load balancer

Obtain the public IP address of your load balancer with Get-AzPublicIPAddress. The following example obtains the IP address for myPublicIP created earlier:

Get-AzPublicIPAddress -ResourceGroupName "myResourceGroupLB" -Name "myPublicIP" | select IpAddress

You can then enter the public IP address in to a web browser. The website is displayed, including the hostname of the VM that the load balancer distributed traffic to as in the following example:

Test load balancer

To see the load balancer distribute traffic across both VMs running your app, you can force-refresh your web browser.

Clean up resources

When no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group, VM, and all related resources.

Remove-AzResourceGroup -Name myResourceGroupLB

Next steps

In this quickstart, you created a Basic Load Balancer, attached VMs to it, configured the load balancer traffic rule, health probe, and then tested the load balancer. To learn more about Azure Load Balancer, continue to the tutorials for Azure Load Balancer.