loadBalancers
Summary
Details
Use Standard Load Balancer SKU
Impact: High Category: High Availability PG Verified: Verified
Description:
Selecting Standard SKU Load Balancer enhances reliability through availability zones and zone resiliency, ensuring deployments withstand zone and region failures. Unlike Basic, it supports global load balancing and offers an SLA.
Potential Benefits:
Enhanced reliability and SLA support
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all LoadBalancers using Basic SKU
resources
| where type =~ 'Microsoft.Network/loadBalancers'
| where sku.name == 'Basic'
| project recommendationId = "38c3bca1-97a1-eb42-8cd3-838b243f35ba", name, id, tags, Param1=strcat("sku-tier: basic")
Ensure the Backend Pool contains at least two instances
Impact: High Category: High Availability PG Verified: Verified
Description:
Deploying Azure Load Balancers with at least two instances in the backend prevents a single point of failure and supports scalability. Pairing with Virtual Machine Scale Sets is advised for optimal scale building.
Potential Benefits:
Enhances reliability and scalability
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all LoadBalancers which only have 1 backend pool defined or only 1 VM in the backend pool
resources
| where type =~ 'Microsoft.Network/loadBalancers'
| extend bep = properties.backendAddressPools
| extend BackEndPools = array_length(bep)
| where BackEndPools == 0
| project recommendationId = "6d82d042-6d61-ad49-86f0-6a5455398081", name, id, Param1=BackEndPools, Param2=0, tags
| union (resources
| where type =~ 'Microsoft.Network/loadBalancers'
| extend bep = properties.backendAddressPools
| extend BackEndPools = array_length(bep)
| mv-expand bip = properties.backendAddressPools
| extend BackendAddresses = array_length(bip.properties.loadBalancerBackendAddresses)
| where BackendAddresses <= 1
| project recommendationId = "6d82d042-6d61-ad49-86f0-6a5455398081", name, id, tags, Param1=BackEndPools, Param2=BackendAddresses)
Use NAT Gateway instead of Outbound Rules for Production Workloads
Impact: Medium Category: High Availability PG Verified: Verified
Description:
Outbound rules for Standard Public Load Balancer involve manual port allocation for backend pools, limiting scalability and risk of SNAT port exhaustion. NAT Gateway is recommended for its dynamic scaling and secure internet connectivity.
Potential Benefits:
Enhanced scalability and reliability
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all LoadBalancers with Outbound rules configured
resources
| where type =~ 'Microsoft.Network/loadBalancers'
| extend outboundRules = array_length(properties.outboundRules)
| where outboundRules > 0
| project recommendationId = "8d319a05-677b-944f-b9b4-ca0fb42e883c", name, id, tags, Param1 = "outboundRules: >=1"
Ensure Standard Load Balancer is zone-redundant
Impact: High Category: High Availability PG Verified: Verified
Description:
In regions with Availability Zones, assigning a zone-redundant frontend IP to a Standard Load Balancer ensures continuous traffic distribution even if one availability zone fails, provided other healthy zones and backend instances are available to receive the traffic.
Potential Benefits:
Enhances uptime and resilience
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// Find all LoadBalancers with with regional or zonal public IP Addresses
resources
| where type == "microsoft.network/loadbalancers"
| where tolower(sku.name) != 'basic'
| mv-expand feIPconfigs = properties.frontendIPConfigurations
| extend
feConfigName = (feIPconfigs.name),
PrivateSubnetId = toupper(feIPconfigs.properties.subnet.id),
PrivateIPZones = feIPconfigs.zones,
PIPid = toupper(feIPconfigs.properties.publicIPAddress.id),
JoinID = toupper(id)
| where isnotempty(PrivateSubnetId)
| where isnull(PrivateIPZones) or array_length(PrivateIPZones) < 2
| project name, feConfigName, id
| union (resources
| where type == "microsoft.network/loadbalancers"
| where tolower(sku.name) != 'basic'
| mv-expand feIPconfigs = properties.frontendIPConfigurations
| extend
feConfigName = (feIPconfigs.name),
PIPid = toupper(feIPconfigs.properties.publicIPAddress.id),
JoinID = toupper(id)
| where isnotempty(PIPid)
| join kind=innerunique (
resources
| where type == "microsoft.network/publicipaddresses"
| where isnull(zones) or array_length(zones) < 2
| extend
LBid = toupper(substring(properties.ipConfiguration.id, 0, indexof(properties.ipConfiguration.id, '/frontendIPConfigurations'))),
InnerID = toupper(id)
) on $left.PIPid == $right.InnerID)
| project recommendationId = "621dbc78-3745-4d32-8eac-9e65b27b7512", name, id, tags, param1="Zones: No Zone or Zonal", param2=strcat("Frontend IP Configuration:", " ", feConfigName)
Use Health Probes to detect backend instances availability
Impact: High Category: Monitoring and Alerting PG Verified: Verified
Description:
Health probes are used by Azure Load Balancers to determine the status of backend endpoints. Using custom health probes enhances understanding of backend availability and facilitates monitoring of backend services for any impact.
Potential Benefits:
Ensures backend uptime monitoring.
Learn More:
ARG Query:
Click the Azure Resource Graph tab to view the query
// Azure Resource Graph Query
// List the load balancers which don't have health probe configured
resources
| where type =~ "microsoft.network/loadbalancers"
| where array_length(properties.probes) == 0
| project recommendationId="e5f5fcea-f925-4578-8599-9a391e888a60", name, id, tags, param1="customHealthProbeUsed: false"