Recently, a partner needed guidance on adding an additional VIP to an Azure Load Balancer. This is a typical scenario where multiple SSL-based websites are running on a pair of servers and clients may not have SNI support, necessitating a dedicated public IP for each website. Azure Load Balancer in Azure Resource Manager does support multiple VIPs, just not via the portal. Not to worry, PowerShell to the rescue. The Azure documentation site has a great article describing the process of deploying a two-node web farm and internet-facing load balancer. These commands assume you’ve already deployed the load balancer and are just adding a second VIP:
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId 00000000-0000-0000-0000-000000000000

#Get the Resource Group
$rg = Get-AzureRmResourceGroup -Name "MultiVIPLBRG"

#Get the Load Balancer
$slb = Get-AzureRmLoadBalancer -Name "MultiVIPLB" -ResourceGroupName $rg.ResourceGroupName

#Create new public VIP
$vip2 = New-AzureRmPublicIpAddress -Name "PublicVIP2" -ResourceGroupName $rg.ResourceGroupName -Location $rg.Location -AllocationMethod Dynamic

#Create new Frontend IP Configuration using new VIP
$feipconfig2 = New-AzureRmLoadBalancerFrontendIpConfig -Name "MultiVIPLB-FE2" -PublicIpAddress $vip2
$slb | Add-AzureRmLoadBalancerFrontendIpConfig -Name "MultiVIPLB-FE2" -PublicIpAddress $vip2

#Get Backend Pool
$bepool = $slb | Get-AzureRmLoadBalancerBackendAddressPoolConfig

#Create new Probe
$probe2 = New-AzureRmLoadBalancerProbeConfig -Name "Probe2" -RequestPath "/" -Protocol http -Port 81 -IntervalInSeconds 5 -ProbeCount 2
$slb | Add-AzureRmLoadBalancerProbeConfig -Name "Probe2" -RequestPath "/" -Protocol http -Port 81 -IntervalInSeconds 5 -ProbeCount 2

#Create Load Balancing Rule
$slb | Add-AzureRmLoadBalancerRuleConfig -Name Rule2 -FrontendIpConfiguration $feipconfig2 -BackendAddressPool $bepool -Probe $probe2 -Protocol TCP -FrontendPort 80 -BackendPort 81

#Save the configuration
$slb | Set-AzureRmLoadBalancer
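One way to review what each public VIP publishes once the configuration is saved, as an added example that is not part of the original post. Get-LbExposure is a hypothetical helper name, and the sample objects are constructed to mimic the shape of Get-AzureRmLoadBalancer and Get-AzureRmPublicIpAddress output so the block runs without an Azure session.

```powershell
# Added example. Get-LbExposure is a hypothetical helper name, not an Azure cmdlet.
function Get-LbExposure {
    param(
        [Parameter(Mandatory)] $LoadBalancer,  # shaped like Get-AzureRmLoadBalancer output
        [Parameter(Mandatory)] $PublicIps      # shaped like Get-AzureRmPublicIpAddress output
    )
    foreach ($fe in $LoadBalancer.FrontendIpConfigurations) {
        # Resolve the frontend's public IP resource and the rules bound to this frontend
        $pip   = $PublicIps | Where-Object { $_.Id -eq $fe.PublicIpAddress.Id }
        $rules = @($LoadBalancer.LoadBalancingRules |
                   Where-Object { $_.FrontendIPConfiguration.Id -eq $fe.Id })
        # A frontend with no rule still holds a public IP; report it with empty ports
        if ($rules.Count -eq 0) { $rules = @([pscustomobject]@{ Name = '(no rule)' }) }
        foreach ($r in $rules) {
            [pscustomobject]@{
                Frontend     = $fe.Name
                PublicIp     = $pip.IpAddress
                Allocation   = $pip.PublicIpAllocationMethod
                Rule         = $r.Name
                Protocol     = $r.Protocol
                FrontendPort = $r.FrontendPort
                BackendPort  = $r.BackendPort
            }
        }
    }
}

# Constructed sample data: FE1/PublicVIP1/Rule1 and all IDs and addresses are made up;
# the FE2 entries mirror the names used in the script above.
$pips = @(
    [pscustomobject]@{ Id = '/pip/PublicVIP1'; IpAddress = '203.0.113.10'; PublicIpAllocationMethod = 'Static' }
    [pscustomobject]@{ Id = '/pip/PublicVIP2'; IpAddress = '203.0.113.11'; PublicIpAllocationMethod = 'Dynamic' }
)
$lb = [pscustomobject]@{
    FrontendIpConfigurations = @(
        [pscustomobject]@{ Name = 'MultiVIPLB-FE1'; Id = '/fe/1'; PublicIpAddress = @{ Id = '/pip/PublicVIP1' } }
        [pscustomobject]@{ Name = 'MultiVIPLB-FE2'; Id = '/fe/2'; PublicIpAddress = @{ Id = '/pip/PublicVIP2' } }
    )
    LoadBalancingRules = @(
        [pscustomobject]@{ Name = 'Rule1'; Protocol = 'Tcp'; FrontendPort = 80; BackendPort = 80
                           FrontendIPConfiguration = @{ Id = '/fe/1' } }
        [pscustomobject]@{ Name = 'Rule2'; Protocol = 'Tcp'; FrontendPort = 80; BackendPort = 81
                           FrontendIPConfiguration = @{ Id = '/fe/2' } }
    )
}
Get-LbExposure -LoadBalancer $lb -PublicIps $pips | Format-Table -AutoSize
# Against the deployed load balancer (AzureRM module, logged-in session):
#   Get-LbExposure -LoadBalancer (Get-AzureRmLoadBalancer -Name "MultiVIPLB" -ResourceGroupName "MultiVIPLBRG") `
#                  -PublicIps (Get-AzureRmPublicIpAddress -ResourceGroupName "MultiVIPLBRG")
```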
Thanks, just what I needed.
Hi Jeff,
This article is great, thank you for posting this. Is there a limit on the number of VIPs that can be on one load balancer? Can this be used for multiple VIPs?
Lastly (and I think/hope this is my last question), for this command in your script “$vip2 = New-AzureRmPublicIpAddress -Name "PublicVIP2" -ResourceGroupName $rg.ResourceGroupName -Location $rg.Location -AllocationMethod Dynamic”, can the allocation method flag be set to static?
Hi Jeff,
This script worked great! However, I think I have run into a small snag. When I try to access the site via the public IP inside my office, it works perfectly. But when I try from elsewhere (home, etc.), it doesn’t work. Did I miss some sort of network configuration to allow access to the world?
Thanks,
Sheel
Check the network security group to make sure you’re allowing traffic from appropriate sources. I suspect you have a VPN from your office location to your Azure vNet and the rules only permit traffic from that source subnet.
ARM has a default limit of 5 public VIPs:
https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/#networking-limits
Yes – you can set the AllocationMethod to Dynamic or Static.
Thanks Jeff. One final question. If I set up load balancer rules for ports 80 and 443, is the load balancer smart enough to be able to send the traffic to the correct site in IIS when using host headers?
Hi Jeff,
Thanks for the post, it has been really useful.
After adding the 2nd IP, should this appear in the Overview pane in the Azure portal, as it's only showing 1 public IP address?
Thanks
Hi Ashley,
Unfortunately, it does not show in the overview pane for the load balancer. But if you go to the public IP addresses and click each one, it will show which load balancer it is allocated to, if allocated.
Good luck!
Hi Jeff,
Just what I need, for creating a VIP in Azure.
One question: could we share the VIP to multiple VMs?
Thanks
Nagaraju
Hi Jeff,
I have implemented the same solution with a 2-firewall scenario, so we single load balancer on both ends to load balance it, as both sides of the firewall in Azure are internal.
We are noticing that the traffic is going from one firewall and returning to another firewall.
Need help and advice.