AFAIK, when a client outside Azure connects to the Public IP of an Azure Load Balancer (PLB):
- The PLB receives the packet on its public IP.
- It performs DNAT (destination NAT) to the private IP of one of its backend pool members, usually an Azure VM or a Virtual Machine Scale Set (VMSS) instance.
- The selected backend VM receives the packet directly, responds, and Azure SNATs the response if needed (depending on backend configuration). Effectively, there is no routing via a UDR or an NVA. The PLB does not support being used as a next hop in UDRs.
If your goal is to force traffic through an NVA (e.g., for inspection, firewalling, etc.) before it reaches the app server VM, a different design pattern is needed, because Azure PLBs do not support UDRs or NVA redirection directly.
There are two common patterns for this:
Pattern 1: SNAT the incoming traffic through the NVA
Architecture:
- Public Load Balancer frontend → NVA VM in backend pool
- NVA performs Layer 4 forwarding or proxying to internal app servers
- UDRs on app server subnet ensure return traffic goes back through the NVA
Flow:
- Client connects to the PLB frontend IP.
- The NVA is in the PLB backend pool, so it receives the traffic.
- NVA then forwards (or proxies) traffic to the actual app VM (in another subnet).
- App VM sends return traffic to NVA (enforced via UDR).
- NVA forwards response to the original client.
Pros:
- Centralized control and inspection.
- Works with PLB because the NVA is a backend.
Cons:
- Requires the NVA to handle the full connection (can be performance-intensive).
- Slightly more complex to configure.
Pattern 2: NAT + Internal Load Balancer + UDR
In more advanced scenarios, you can separate roles:
Architecture:
- PLB DNATs traffic to Internal Load Balancer (ILB)
- ILB forwards to NVA or app VMs
- UDRs are used in the internal network, not at the PLB level
Note that a Public Load Balancer itself cannot be a next hop in a UDR. UDRs apply after the DNAT by the PLB is complete, and they control outbound traffic from VMs, not the PLB behavior.
- A next hop in a UDR must be:
  - A virtual appliance (like an NVA),
  - A Virtual Network Gateway,
  - An internet or Virtual Network default,
  - Or a none/default hop.
- A Public Load Balancer is a PaaS construct that cannot act as a next hop. It handles incoming NAT and distribution, not routing.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
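The route-table half of Pattern 1, as an added Bicep example that is not from the original answer: a UDR on the app server subnet whose default route uses the NVA as a virtual appliance next hop (a Public Load Balancer is not a valid next hop type), so replies leave through the NVA instead of asymmetrically via Azure's system route. The resource names, IP addresses, subnet prefix and API version are assumptions; the NVA's own NIC must additionally have IP forwarding enabled, which this fragment does not create.

```bicep
// Added example (not from the original answer). Assumed names and addresses:
// NVA NIC at 10.0.1.4, app subnet 10.0.2.0/24 ('snet-app') in VNet 'vnet-hub'.
param nvaPrivateIp string = '10.0.1.4'       // private IP of the NVA NIC in the PLB backend pool
param appSubnetPrefix string = '10.0.2.0/24' // address prefix of the app server subnet
param location string = resourceGroup().location

// Route table for the app server subnet (Pattern 1). Everything leaving the
// subnet, including replies to clients that arrived through the NVA, is sent
// to the NVA instead of Azure's system default route, keeping the path symmetric.
resource appReturnRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-app-return'
  location: location
  properties: {
    // Stop BGP-learned routes (e.g. from a VPN/ExpressRoute gateway) overriding the NVA route
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-nva'
        properties: {
          addressPrefix: '0.0.0.0/0'
          // 'VirtualAppliance' is the next hop type that reaches an NVA;
          // a Public Load Balancer is not a valid nextHopType.
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaPrivateIp
        }
      }
    ]
  }
}

// Existing hub VNet that contains the app subnet (assumed name).
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: 'vnet-hub'
}

// Attach the route table to the app server subnet; this is the UDR that
// ensures return traffic goes back through the NVA.
resource appSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-app'
  properties: {
    addressPrefix: appSubnetPrefix
    routeTable: {
      id: appReturnRoutes.id
    }
  }
}
```

Deploy it into the resource group that holds the VNet; after deployment, the effective routes on an app VM's NIC should show 0.0.0.0/0 with next hop VirtualAppliance and the NVA's IP, which is the quickest check that the return path is actually forced.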