articles/firewall/integrate-lb.md
7 additions & 8 deletions
@@ -1,12 +1,11 @@
1
1
---
2
2
title: Integrate Azure Firewall with Azure Standard Load Balancer
3
3
description: You can integrate an Azure Firewall into a virtual network with an Azure Standard Load Balancer (either public or internal).
4
-
services: firewall
5
4
author: varunkalyana
5
+
ms.author: duau
6
6
ms.service: azure-firewall
7
7
ms.topic: how-to
8
-
ms.date: 03/04/2025
9
-
ms.author: duau
8
+
ms.date: 03/28/2026
10
9
ms.custom: sfi-image-nochange
11
10
# Customer intent: As a network engineer, I want to integrate Azure Firewall with an Azure Standard Load Balancer, so that I can optimize traffic routing and enhance security in my virtual network setup.
12
11
---
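Review bot: the removal of `services: firewall` from the front matter is the one change in this hunk that is not a reorder or a date bump, and nothing visible here explains it. Please confirm that `ms.service: azure-firewall` alone is enough for whatever consumes this metadata, and say so in the commit description. Moving `ms.author: duau` directly under `author:` is fine. The `ms.date` change to 03/28/2026 should match the date the article was actually re-reviewed, since the body edits in this commit are wording only.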
@@ -15,23 +14,23 @@ ms.custom: sfi-image-nochange
15
14
16
15
You can integrate an Azure Firewall into a virtual network with either a public or internal Azure Standard Load Balancer.
17
16
18
-
The preferred design is to use an internal load balancer with your Azure Firewall, as it simplifies the setup. If you already have a public load balancer deployed and wish to continue using it, be aware of potential asymmetric routing issues that could disrupt functionality.
17
+
The preferred design is to use an internal load balancer with your Azure Firewall, as it simplifies the setup. If you already have a public load balancer deployed and want to continue using it, be aware of potential asymmetric routing problems that could disrupt functionality.
19
18
20
19
For more information about Azure Load Balancer, see [What is Azure Load Balancer?](../load-balancer/load-balancer-overview.md)
21
20
22
21
## Public load balancer
23
22
24
-
With a public load balancer, the load balancer is deployed with a public frontend IP address.
23
+
When you use a public load balancer, you deploy the load balancer with a public frontend IP address.
25
24
26
25
### Asymmetric routing
27
26
28
-
Asymmetric routing is where a packet takes one path to the destination and takes another path when returning to the source. This issue occurs when a subnet has a default route going to the firewall's private IP address and you're using a public load balancer. In this case, the incoming load balancer traffic is received via its public IP address, but the return path goes through the firewall's private IP address. Since the firewall is stateful, it drops the returning packet because the firewall isn't aware of such an established session.
27
+
Asymmetric routing occurs when a packet takes one path to the destination and takes another path when returning to the source. This problem occurs when a subnet has a default route going to the firewall's private IP address and you're using a public load balancer. In this case, the incoming load balancer traffic comes through its public IP address, but the return path goes through the firewall's private IP address. Since the firewall is stateful, it drops the returning packet because the firewall isn't aware of such an established session.
29
28
30
29
### Fix the routing issue
31
30
32
31
#### Scenario 1: Azure Firewall without NAT Gateway
33
-
When deploying an Azure Firewall into a subnet, you need to create a default route for the subnet. This route directs packets through the firewall's private IP address located on the AzureFirewallSubnet. For detailed steps, see [Deploy and configure Azure Firewall using the Azure portal](tutorial-firewall-deploy-portal.md#create-a-default-route).
34
-
When integrating the firewall into your load balancer scenario, ensure that your Internet traffic enters through the firewall's public IP address. The firewall applies its rules and NAT the packets to the load balancer's public IP address. The issue arises when packets arrive at the firewall's public IP address but return via the private IP address (using the default route).
32
+
When you deploy an Azure Firewall into a subnet, you need to create a default route for the subnet. This route directs packets through the firewall's private IP address located on the AzureFirewallSubnet. For detailed steps, see [Deploy and configure Azure Firewall using the Azure portal](tutorial-firewall-deploy-portal.md#create-a-default-route).
33
+
When you integrate the firewall into your load balancer scenario, ensure that your Internet traffic enters through the firewall's public IP address. The firewall applies its rules and NATs the packets to the load balancer's public IP address. The problem arises when packets arrive at the firewall's public IP address but return via the private IP address (using the default route).
35
34
36
35
To prevent asymmetric routing, add a specific route for the firewall's public IP address. Packets intended for the firewall's public IP address are directed through the Internet, bypassing the default route to the firewall's private IP address.
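Review bot: the unchanged heading `### Fix the routing issue` now disagrees with the body, which this hunk moves from "issue(s)" to "problem(s)" in the intro, the asymmetric routing paragraph and Scenario 1. Either leave the heading as is and note that it was kept deliberately (renaming it changes the anchor that other articles may link to), or rename it and check for inbound links. In the rewritten asymmetric routing paragraph, "Asymmetric routing occurs when ... This problem occurs when ..." repeats the verb in consecutive sentences; something like "This problem happens when a subnet has a default route ..." reads better. The "NAT the packets" to "NATs the packets" fix is correct.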