Click-by-click - Creating load balanced VMs using Azure Resource Manager in the Azure portal

The Discussion

  • Viron Papadopoulos

    A more secure way would have been to delete the public IP addresses from VM0 and VM2 at the end, and to add Inbound NAT rules on the Load Balancer for the RDP connections.
    This way there is no direct exposure of the VM machines to the outside world.

  • Planky

    Well, kind of, yes. It's security by obscurity because you still have a public endpoint with a public IP address, it's just that it's attached to a load-balancer. Having NAT rules for the RDP endpoints on each VM would allow you to map high ports on to 3389 (RDP). So an attacker would have to know which port to use to get to a login prompt on the VM. They'd obviously know the URL because it's the URL of your website. They could just do a port scan at that DNS name.

    Having additional IP addresses for each VM increases the attack surface by adding extra IP addresses, which I think is your point. But your attacker would have a more difficult time finding those IP addresses than scanning the ports at a known DNS name.

    But then again, there are limitations on the numbers of IP addresses you can expose. Also you could put NSGs to allow only certain external IP addresses through. But you can also do that, for the RDP protocol, on the load balanced endpoint as well.

    At the end of the day you have to make some decision on how you protect it, one way or the other - with each having their own advantages and disadvantages.

    Perhaps the best way to achieve this is to have no directly attached IP address (i.e. have all traffic coming from the load balancer) but have NSGs to forbid all traffic except HTTP (and possibly SSL). If you want to RDP in to the machines, you have a site-to-site VPN from your on-prem infrastructure. That way you'd use an "internal" IP address to get to RDP for those times you need to configure something or perform troubleshooting.

    But thanks Viron - it's a good point you make. I made the video to show how to configure these things, rather than give security guidance on which method to choose. Until recently, the Public IP address, Load Balancer, NSG etc. didn't appear in the Azure portal and you were forced to use PowerShell/CLI/REST/Resource Group Templates. It's probably easier to test and experiment while things are in the portal's UI.

    Thanks for your observations.
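The two options discussed above (an inbound NAT rule on the load balancer mapping a high port to 3389, plus an NSG that admits RDP only from a known source range and web traffic from anywhere) expressed as a Resource Manager template fragment. This is an added example, not part of the video or the thread; the resource names (`web-nsg`, `web-lb`, `web-lb-pip`), the admin source range `203.0.113.0/24` and the front-end port `50001` are placeholders, and the public IP, probe, load-balancing rule and NIC association from the video are omitted for brevity.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2015-06-15",
      "name": "web-nsg",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          { "name": "allow-http-from-internet",
            "properties": { "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
              "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "80" } },
          { "name": "allow-https-from-internet",
            "properties": { "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
              "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "443" } },
          { "name": "allow-rdp-from-admin-range",
            "properties": { "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
              "sourceAddressPrefix": "203.0.113.0/24", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "3389" } },
          { "name": "deny-rdp-from-internet",
            "properties": { "priority": 200, "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
              "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "3389" } }
        ]
      }
    },
    {
      "type": "Microsoft.Network/loadBalancers",
      "apiVersion": "2015-06-15",
      "name": "web-lb",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "Microsoft.Network/publicIPAddresses/web-lb-pip" ],
      "properties": {
        "frontendIPConfigurations": [ { "name": "lb-frontend",
          "properties": { "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'web-lb-pip')]" } } } ],
        "backendAddressPools": [ { "name": "lb-backend" } ],
        "inboundNatRules": [
          { "name": "rdp-vm0-via-nat",
            "properties": { "protocol": "Tcp", "frontendPort": 50001, "backendPort": 3389,
              "frontendIPConfiguration": { "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', 'web-lb', 'lb-frontend')]" } } }
        ]
      }
    }
  ]
}
```

The NSG is evaluated on the VM's NIC after the NAT translation, so it sees destination port 3389 and the original client address, which is why the deny rule still applies to RDP arriving through the load balancer; the site-to-site VPN path Planky prefers is already covered by the NSG's default AllowVnetInBound rule, since the VirtualNetwork tag includes gateway-connected on-prem ranges.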

  • Karanmeet Singh

    Awesome explanation. You are really a good teacher Planky. Loved it.

  • musmanayub

    Great Tutorial indeed!

    One thing that I would like to ask is how we can use a custom domain for the website? Where is it going to be configured?

  • KevinOh2

    Very helpful!

    Thank you

  • Dinesh Fernando

    Hi Planky, thank you for the great video.
    Question:
    If one VM dies, let's say VM0, will the load-balancer detect that and send traffic only to VM1?
    Thank you in advance.

    Dinesh

  • ananth

    Hi Planky,

    Thank you so much for the video, it really explained load balancing with VMs step by step.

    Ananth

  • deepsaha

    Awesome guidance. Can you share a video on how I can synchronize the application data between VM0 and VM1? I want to say that when I upload or change any file on VM0, the changes are automatically reflected on VM1.
