Ananta

Azure Load Balancer is based on the Ananta design.

Fastpath

Most intra-DC traffic through internal load balancers is offloaded to the end systems: packets are delivered directly to the DIP, bypassing the Mux in both directions, so the two endpoints can communicate at full network capacity.

Direct Server Return (DSR)

See Direct Server Return for comparison with other cloud providers.

Fairness

If a flow attempts to steal more than its fair share of bandwidth, Mux starts to drop its packets with a probability directly proportional to the excess bandwidth it’s using.

If packets are being dropped because of overload, the Mux black-holes the offending VIP by withdrawing its BGP advertisements, and traffic for that VIP may be routed to DoS protection services within several minutes.

Multiple frontends

Azure Load Balancer does not allow reusing backend ports by default. Each rule must produce flows with an exclusive combination of destination IP address and destination port. Multiple load balancing rules can deliver flows to the same backend instance IP on different ports by varying the destination port of the flow.

If you want to reuse a backend port across multiple rules, you must enable Floating IP in the load balancing rule definition. Floating IP is Azure’s terminology for a portion of what is known as Direct Server Return (DSR). Note that Floating IP for IPv6 doesn’t work for Internal Load Balancers. Floating IP also relies on the weak host model.
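The two rule constraints above (exclusive frontend tuples, and backend port reuse only with Floating IP) can be checked mechanically before a rule set is deployed. The following checker is an added example, not code from these notes or from Azure; the LbRule model, the field names, the constructed addresses, and the assumption that every rule sharing a backend port must enable Floating IP are mine.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class LbRule:                   # hypothetical model of one rule, not Azure's schema
    name: str
    frontend_ip: str
    frontend_port: int
    backend_ips: tuple          # instance (DIP) addresses in the backend pool
    backend_port: int
    floating_ip: bool = False   # Floating IP (DSR) enabled on this rule?
    protocol: str = "tcp"

def validate_rules(rules):
    """Return conflict descriptions; an empty list means the rule set is consistent.
    1. Each rule needs its own frontend (IP, port, protocol) tuple.
    2. Without Floating IP the Mux rewrites the destination to DIP:backend_port, so a
       backend (DIP, port, protocol) tuple may belong to one rule only; sharing it is
       accepted only when every sharing rule enables Floating IP (assumption)."""
    problems = []
    frontends = {}                   # frontend tuple -> owning rule name
    backends = defaultdict(list)     # backend tuple  -> rules that target it
    for r in rules:
        fe = (r.frontend_ip, r.frontend_port, r.protocol)
        if fe in frontends:
            problems.append(f"{r.name}: frontend {fe} already used by {frontends[fe]}")
        else:
            frontends[fe] = r.name
        for dip in r.backend_ips:
            backends[(dip, r.backend_port, r.protocol)].append(r)
    for key, owners in backends.items():
        if len(owners) > 1 and not all(o.floating_ip for o in owners):
            names = ", ".join(o.name for o in owners)
            problems.append(f"backend {key} reused by {names} without Floating IP on every rule")
    return problems

# Constructed sample rules; all addresses are made up for illustration.
POOL = ("10.0.1.4", "10.0.1.5")
CONFLICTING = [
    LbRule("web-a", "10.0.0.4", 80, POOL, 80),
    LbRule("web-b", "10.0.0.5", 80, POOL, 80),    # reuses backend port 80, no Floating IP
    LbRule("web-c", "10.0.0.4", 80, POOL, 8080),  # duplicate frontend tuple
]
FLOATING_OK = [
    LbRule("sql-a", "10.0.0.6", 1433, POOL, 1433, floating_ip=True),
    LbRule("sql-b", "10.0.0.7", 1433, POOL, 1433, floating_ip=True),
]
if __name__ == "__main__":
    print("\n".join(validate_rules(CONFLICTING)) or "no conflicts")
```

Rules that pass this check with Floating IP enabled still need the backend instance configured to accept the frontend IP locally, which is where the weak host model comes in.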

Limitations

  • Load Balancer backend pool can’t consist of a Private Endpoint.
  • Outbound flow from a backend VM to a frontend of an internal Load Balancer fails silently.
  • A load balancer rule can’t span two virtual networks. All load balancer frontends and their backend instances must be in a single virtual network.
  • You can only have one NIC-based Public Load Balancer and one NIC-based internal Load Balancer per availability set. Note that this constraint doesn’t apply to IP-based load balancers.
    • An availability set is a feature for fault-domain placement and provides fault isolation to some degree.

Outbound rules (SNAT)

Besides processing inbound connections, Ananta also implements a distributed NAT for outbound connections. This allows backend instances to use the public IPs of a load balancer for outbound internet connectivity.

AM (the Ananta Manager) allocates an externally routable tuple and configures each Mux in the associated Mux Pool with this allocation. This ensures that return packets arriving at any Mux can be routed back to the DIP.

References