
Use a specific load balancer probe

Reliability · Load Balancer · Rule · 2020_06 · Important

Use a specific probe for web protocols.

Description

A load balancer is an Azure service that distributes traffic among instances of a service in a backend pool (such as VMs). Load balancers route traffic to instances in the backend pool based on configured rules.

In addition to routing traffic, load balancers can also monitor the health of backend instances with a health probe. Monitoring the health of backend instances allows the load balancer to route traffic towards healthy instances. For example, if one instance is unavailable, the load balancer can route traffic to another instance that is available.

To monitor the health of backend instances, the load balancer sends periodic requests and checks the response from the backend. Azure Load Balancer supports health probes for TCP, HTTP, and HTTPS.

If your backend is communicating over HTTP or HTTPS, you should:

  • Use HTTP/HTTPS probes — instead of a TCP port. For example, if a web server process is running, it may still be able to respond to a TCP probe. However, that does not indicate that the application is working correctly, as it could be returning a 5XX error. Using HTTP/HTTPS probes allows you to check for an HTTP 200 status code.
  • Use a dedicated health check endpoint — such as /health or /healthz for health probes. Commonly, the main landing page of an application, /, is not a good health check endpoint. By design, it may only serve static content, such as a login page, and not execute any application logic.
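A sketch of such a dedicated endpoint, added here as an illustration and not taken from the rule's documentation or any Azure sample. The dependency checks `check_database` and `check_cache` and the listening address are hypothetical; the point is that /health executes application logic and returns 200 only when it succeeds, while / answers 200 regardless.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical dependency checks: replace with a real database ping, cache ping, etc.
def check_database():
    return True

def check_cache():
    return True

CHECKS = {"database": check_database, "cache": check_cache}

def evaluate_health(checks):
    """Run every check. Return (status_code, failed_names); any failure or exception gives 503."""
    failed = []
    for name, check in checks.items():
        try:
            if not check():
                failed.append(name)
        except Exception:
            failed.append(name)
    return (503 if failed else 200), failed

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/health":
            code, failed = evaluate_health(CHECKS)
            # Keep the body minimal: the probe only needs the status code, and
            # details about failing dependencies belong in the server log.
            payload = b"ok" if code == 200 else b"unavailable"
            if failed:
                self.log_message("health check failed: %s", ",".join(failed))
        elif self.path == "/":
            # Static landing page: returns 200 even if every dependency is down.
            code, payload = 200, b"<html>login</html>"
        else:
            code, payload = 404, b"not found"
        self.send_response(code)
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    # Assumed local address for testing only.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```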

Recommendation

Consider using a dedicated health check endpoint for HTTP or HTTPS health probes.

Examples

Configure with Azure template

To deploy load balancers that pass this rule:

  • Configure HTTP or HTTPS based probes on ports that commonly use HTTP or HTTPS protocols.
    • Set the properties.probes[*] property to include a probe with the following properties:
      • properties.probes[*].properties.protocol set to HTTPS.
      • properties.probes[*].properties.requestPath set to /health.

For example:

Azure Template snippet
{
  "type": "Microsoft.Network/loadBalancers",
  "apiVersion": "2023-09-01",
  "name": "[parameters('lbName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard"
  },
  "properties": {
    "frontendIPConfigurations": [
      {
        "name": "frontend1",
        "properties": {
          "privateIPAddressVersion": "IPv4",
          "privateIPAllocationMethod": "Dynamic",
          "subnet": {
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('name'), 'GatewaySubnet')]"
          }
        },
        "zones": [
          "2",
          "3",
          "1"
        ]
      }
    ],
    "backendAddressPools": [
      {
        "name": "backend1"
      }
    ],
    "probes": [
      {
        "name": "https",
        "properties": {
          "protocol": "HTTPS",
          "port": 443,
          "requestPath": "/health",
          "intervalInSeconds": 5,
          "numberOfProbes": 1
        }
      }
    ],
    "loadBalancingRules": [
      {
        "name": "https",
        "properties": {
          "frontendIPConfiguration": {
            "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('lbName'), 'frontend1')]"
          },
          "frontendPort": 443,
          "backendPort": 443,
          "enableFloatingIP": false,
          "idleTimeoutInMinutes": 4,
          "protocol": "TCP",
          "loadDistribution": "Default",
          "probe": {
            "id": "[resourceId('Microsoft.Network/loadBalancers/probes', parameters('lbName'), 'https')]"
          },
          "disableOutboundSnat": true,
          "enableTcpReset": false,
          "backendAddressPools": [
            {
              "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', parameters('lbName'), 'backend1')]"
            }
          ]
        }
      }
    ],
    "inboundNatRules": [],
    "outboundRules": []
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('name'), 'GatewaySubnet')]"
  ]
}

Configure with Bicep

To deploy load balancers that pass this rule:

  • Configure HTTP or HTTPS based probes on ports that commonly use HTTP or HTTPS protocols.
    • Set the properties.probes[*] property to include a probe with the following properties:
      • properties.probes[*].properties.protocol set to HTTPS.
      • properties.probes[*].properties.requestPath set to /health.

For example:

Azure Bicep snippet
resource https_lb 'Microsoft.Network/loadBalancers@2023-09-01' = {
  name: lbName
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'frontend1'
        properties: {
          privateIPAddressVersion: 'IPv4'
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: subnet01.id
          }
        }
        zones: [
          '2'
          '3'
          '1'
        ]
      }
    ]
    backendAddressPools: [
      {
        name: 'backend1'
      }
    ]
    probes: [
      {
        name: 'https'
        properties: {
          protocol: 'HTTPS'
          port: 443
          requestPath: '/health'
          intervalInSeconds: 5
          numberOfProbes: 1
        }
      }
    ]
    loadBalancingRules: [
      {
        name: 'https'
        properties: {
          frontendIPConfiguration: {
            id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'frontend1')
          }
          frontendPort: 443
          backendPort: 443
          enableFloatingIP: false
          idleTimeoutInMinutes: 4
          protocol: 'TCP'
          loadDistribution: 'Default'
          probe: {
            id: resourceId('Microsoft.Network/loadBalancers/probes', lbName, 'https')
          }
          disableOutboundSnat: true
          enableTcpReset: false
          backendAddressPools: [
            {
              id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lbName, 'backend1')
            }
          ]
        }
      }
    ]
    inboundNatRules: []
    outboundRules: []
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/network/load-balancer:<version>

To use the latest version:

br/public:avm/res/network/load-balancer:0.4.0

Notes

This rule only applies to probes for ports that commonly use HTTP or HTTPS protocols.
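To review an exported template against this guidance before deployment, the following added example (not the rule's own implementation) scans a load balancer resource and reports probes on web ports that use TCP or request the landing page. The port set `WEB_PORTS`, the function name and the sample resource are assumptions made for the illustration.

```python
import json

# Assumption: ports treated as "commonly HTTP/HTTPS" for this example.
WEB_PORTS = {80, 443, 8080}

def find_weak_probes(resource, web_ports=WEB_PORTS):
    """Return (probe name, reason) for each web-port probe that is not specific."""
    findings = []
    if resource.get("type", "").lower() != "microsoft.network/loadbalancers":
        return findings
    for probe in resource.get("properties", {}).get("probes", []):
        props = probe.get("properties", {})
        port = props.get("port")
        if port not in web_ports:
            continue  # the guidance only covers ports that commonly use HTTP/HTTPS
        protocol = str(props.get("protocol", "")).upper()
        path = props.get("requestPath") or ""
        if protocol not in ("HTTP", "HTTPS"):
            findings.append((probe.get("name"), f"{protocol or 'no'} probe on web port {port}"))
        elif path.strip() in ("", "/"):
            findings.append((probe.get("name"), "probe requests the landing page, not a health endpoint"))
    return findings

# Constructed sample resource, reduced to the fields the check reads.
SAMPLE = json.loads("""
{"type": "Microsoft.Network/loadBalancers", "properties": {"probes": [
  {"name": "tcp-443", "properties": {"protocol": "TCP", "port": 443}},
  {"name": "http-root", "properties": {"protocol": "HTTP", "port": 80, "requestPath": "/"}},
  {"name": "https-health", "properties": {"protocol": "HTTPS", "port": 443, "requestPath": "/health"}},
  {"name": "ssh", "properties": {"protocol": "TCP", "port": 22}}
]}}
""")

if __name__ == "__main__":
    for name, reason in find_weak_probes(SAMPLE):
        print(f"{name}: {reason}")
```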
