Share via

Outbound traffic via GWLB

Glenn 20 Reputation points
2025-08-06T21:33:22.23+00:00

I have a VM that I needs to have both inbound and outbound connection. For inbound, it is already working, by using the public IP I put in the standard LB. However for outbound, I needed a public IP in the NIC card of Server D, to service chain the GWLB. However it will utilize only 2 Public IP; which is a waste since I only needed 1.

User's image

I tried to do without a public IP on the NIC card of Server D, and just put outbound policy on the public load balancer. With this setup, I only needed 1 public IP address, however it does not go to the firewall anymore; it goes straight to the Public LB and into the Internet.

User's image

I could install a ILB, then a UDR in subnet of Server D. Then the ILB will be the one to daisy-chain to the GWLB. However if I use the UDR to go to the ILB, the inbound gets affected. Since the "reply" from the serverD goes thru a different path already which breaks the session mapping in the FW and in the public LB.

So basically I needed to have an outbound connection where I only have 1 public IP address and traffic will go to the firewall for both inbound and outbound flows.

Azure Load Balancer
Azure Load Balancer
An Azure service that delivers high availability and network performance to applications.
Accepted answer
  1. G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator
    2025-08-07T00:31:02.3633333+00:00

    Hi Glenn

    To achieve firewall inspection for both inbound and outbound flows using only one public IP, you can follow this architecture:

    Configure a Standard Public Load Balancer with a Single Public IP for Inbound and Outbound Traffic.

    1.Create Standard Public Load Balancer (LB) and assign a single public IP to the LB frontend then configure inbound rules to route traffic to Server D.

    Set disableOutboundSnat = true on the inbound rule to preserve session symmetry.

    2.Deploy Gateway Load Balancer (GWLB) with your firewall as the backend. Chain traffic from the LB to the GWLB for inspection.

    3.Apply a UDR on Server D’s subnet, route 0.0.0.0/0 to the private IP of the GWLB.

    This ensures outbound traffic from server D goes through the firewall.

    4.Configure an outbound rule using the same frontend public IP as this allows SNAT for outbound traffic while maintaining inspection via GWLB.

    5.This setup ensures that the firewall inspection for both inbound and outbound traffic and the session symmetry is maintained with only one public IP is used.

    Refer this Microsoft documents for more information https://learn.microsoft.com/en-us/azure/load-balancer/outbound-rules

    https://learn.microsoft.com/en-us/azure/load-balancer/tutorial-gateway-outbound-connectivity

    I hope this helps! If these answers your query, do click the "Upvote" of which might be beneficial to other community members reading this thread.

    If the above is unclear or you are unsure about something, please add a comment below.

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.