Firewall and Load Balancer using a GWLB (2 NVAs)

Glenn Fetalvero 25 Reputation points
2025-07-21T20:14:25.8366667+00:00

From other documentation I can see that we can integrate an NVA with the Azure Gateway Load Balancer (GWLB) via VXLAN. The traffic will then be pointed directly to the end nodes. However, I would like to point it to a load balancer (another NVA) before it goes to the end nodes.

(diagram omitted)

Not sure if it's possible to route the traffic to another GWLB, or just to the GWLB firewall again before it goes to the 3rd-party load balancer and then to the end nodes.

Or is it possible to integrate the FW and 3rd-party LB via VXLAN? Then the 3rd-party LB will be the one to direct the traffic to the GWLB via the inside interface going to the servers:

(diagram omitted)


Accepted answer
Suwarna S Kale 3,951 Reputation points
2025-07-22T02:17:11.36+00:00

Hello Glenn Fetalvero,

Thank you for posting your question in the Microsoft Q&A forum.

Direct Traffic Flow (GWLB -> NVA LB -> End Nodes)

1. GWLB can forward traffic via VXLAN to your third-party LB (another NVA) instead of end nodes.
2. Configure the GWLB's backend pool to target the LB's VXLAN tunnel endpoint (VTEP).
3. The LB then distributes traffic to servers (via its own backend pool).

Chaining GWLB -> FW -> Third-Party LB

1. Route traffic from GWLB to a firewall (e.g., Palo Alto, Check Point) first for inspection.
2. The FW forwards clean traffic to the third-party LB via VXLAN or internal IP.
3. Limitation: Azure GWLB itself cannot be chained to another GWLB.

VXLAN Integration for FW + LB

1. Deploy both FW and LB as NVAs with VXLAN support.
2. GWLB sends traffic to the FW's VTEP, which then routes to the LB's VTEP (over VXLAN or internal network).
3. LB directs traffic to servers via its backend interface.

Some of the key considerations are:

• Azure Constraints: GWLB cannot target another GWLB but can point to NVAs (FW/LB).
• VXLAN Requirements: Ensure all NVAs (FW, LB) support VXLAN encapsulation.
• Routing: Use UDRs (User-Defined Routes) to steer traffic between GWLB -> FW -> LB -> servers.

If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer to the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated.

1 person found this answer helpful.
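As an added example (not part of the accepted answer or the original post), the Azure CLI steps below build the chain the answer describes: a public Standard LB frontend chained to a Gateway LB, the Gateway LB handing the VXLAN tunnel to the firewall NVA only (so it does not split load across the two NVAs), and a UDR that sends the servers' return traffic back to the LB NVA. Every resource name, subnet, IP address, tunnel identifier, probe port and the subscription id are assumed placeholders, and the UDR reflects an assumed topology; the script prints the commands by default and only executes them against an authenticated `az` CLI when `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: Azure CLI plan for public LB -> Gateway LB -> firewall NVA ->
# third-party LB NVA -> servers. All names/IPs below are assumed placeholders.
set -eu

RG="${RG:-rg-gwlb-demo}"                   # assumed resource group
VNET="${VNET:-vnet-nva}"                   # assumed VNet holding the NVAs
NVA_SUBNET="${NVA_SUBNET:-snet-nva}"       # assumed subnet for the GWLB frontend/NVAs
GWLB="${GWLB:-gwlb-chain}"                 # Gateway-SKU load balancer
POOL="${POOL:-pool-nva}"                   # GWLB backend pool (tunnel interfaces)
FE="${FE:-fe-gwlb}"                        # GWLB internal frontend
FW_IP="${FW_IP:-10.10.1.4}"                # assumed firewall NVA data NIC
LB_NVA_IP="${LB_NVA_IP:-10.10.1.5}"        # assumed third-party LB NVA data NIC
PUBLIC_LB="${PUBLIC_LB:-lb-public}"        # existing public Standard LB
PUBLIC_FE="${PUBLIC_FE:-fe-public}"        # its frontend to be chained to the GWLB
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription id
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Resource id of the GWLB frontend; this is what the public LB frontend chains to.
gwlb_frontend_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/loadBalancers/%s/frontendIPConfigurations/%s\n' \
    "$SUB" "$RG" "$GWLB" "$FE"
}

deploy_chain() {
  # 1. Gateway-SKU load balancer with an internal frontend in the NVA subnet.
  run az network lb create --resource-group "$RG" --name "$GWLB" --sku Gateway \
    --vnet-name "$VNET" --subnet "$NVA_SUBNET" \
    --frontend-ip-name "$FE" --backend-pool-name "$POOL"

  # 2. The Gateway pool is created with an Internal VXLAN tunnel interface
  #    (identifier 800, port 10800); add the External one so the NVA has the
  #    encap/decap pair. 801/10801 are assumed values.
  run az network lb address-pool tunnel-interface add --resource-group "$RG" \
    --lb-name "$GWLB" --address-pool "$POOL" \
    --type External --protocol VXLAN --identifier 801 --port 10801

  # 3. Only the firewall NVA goes into the GWLB pool: the GWLB delivers the
  #    tunnel to the firewall, which forwards inspected traffic to the LB NVA
  #    over the VNet (the answer's GWLB -> FW -> LB chain, not a second GWLB).
  run az network lb address-pool address add --resource-group "$RG" \
    --lb-name "$GWLB" --pool-name "$POOL" --name fw-nva \
    --vnet "$VNET" --ip-address "$FW_IP"

  # 4. Health-probe the NVA (assumed TCP/443) and forward every port and
  #    protocol with an HA-ports rule.
  run az network lb probe create --resource-group "$RG" --lb-name "$GWLB" \
    --name probe-nva --protocol tcp --port 443
  run az network lb rule create --resource-group "$RG" --lb-name "$GWLB" \
    --name rule-haports --protocol All --frontend-port 0 --backend-port 0 \
    --frontend-ip-name "$FE" --backend-pool-name "$POOL" --probe-name probe-nva

  # 5. Chain the public Standard LB frontend to the GWLB so ingress is diverted
  #    through the NVA chain before it reaches the public LB's pool.
  run az network lb frontend-ip update --resource-group "$RG" \
    --lb-name "$PUBLIC_LB" --name "$PUBLIC_FE" --gateway-lb "$(gwlb_frontend_id)"

  # 6. UDR on the server subnet (assumed topology): default route back to the
  #    LB NVA so return traffic retraces the chain instead of leaving directly.
  run az network route-table create --resource-group "$RG" --name rt-servers
  run az network route-table route create --resource-group "$RG" \
    --route-table-name rt-servers --name to-lb-nva \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
    --next-hop-ip-address "$LB_NVA_IP"
}

deploy_chain
```

Run it once in dry-run mode to review the plan, then with `DRY_RUN=0` after `az login`; the route table still has to be associated with the server subnet, and the two NVAs must be configured for the VXLAN identifiers and ports chosen above.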
