Traffic Flows in Cloud Firewall for Azure VMSS GWLB

Traffic flow explanation

Inbound:

  1. The External Load Balancer redirects all packets to the Gateway Load Balancer.

    The VXLAN tunnel preserves the original source and destination addresses.

  2. The Gateway Load Balancer sends the packet to the next healthy Cloud Firewall Gateway.

  3. The Cloud Firewall Gateway decides whether to forward or drop the packet.

  4. The External Gateway Load Balancer sends the inspected packet to the next VM in the Backend Pool.

  5. The External Load Balancer redirects reply packets to the Gateway Load Balancer.

  6. Symmetrical hashing returns the packet to the original Cloud Firewall Gateway to keep state.

  7. The External Load Balancer sends the return packet to the original source address.

When inbound traffic arrives, the Cloud Firewall Gateway receives it as follows:

  1. VXLAN tunneled traffic with:

    1. Source: The Gateway Load Balancer frontend IP.

    2. Service: UDP services on the VXLAN tunnel interfaces' port numbers (internal and external).

    3. Destination: The VMSS instance.

  2. Encapsulated traffic with:

    1. Source: Original source.

    2. Service: Original service.

    3. Destination: Original (the Frontend IP address of the External Load Balancer).

Note - The traffic flow is the same for the Load Balancing rule and Inbound NAT rules.

Outbound:

  1. The External Load Balancer receives traffic from a Backend Pool VM.

    The External Load Balancer redirects all packets to the Gateway Load Balancer.

    The VXLAN tunnel preserves the original source and destination addresses.

  2. The Gateway Load Balancer sends the packet to the next healthy Cloud Firewall Gateway.

  3. The Cloud Firewall Gateway decides whether to forward or drop the packet.

  4. The External Load Balancer sends the request packet to the original destination address.

  5. The External Load Balancer redirects the reply packet to the Gateway Load Balancer.

  6. Symmetrical hashing returns the packet to the original Cloud Firewall Gateway to keep state.

  7. The External Gateway Load Balancer sends the inspected reply packet to the original source address, a Backend Pool VM.

When outbound traffic arrives, the Cloud Firewall Gateway receives it as follows:

  1. VXLAN tunneled traffic with:

    1. Source: The Gateway Load Balancer frontend IP address.

    2. Service: UDP services on the VXLAN tunnel interfaces' port numbers (internal and external).

    3. Destination: The VMSS instance.

  2. Encapsulated traffic with:

    1. Source: Original source (The Frontend IP address of the External Load Balancer).

    2. Service: Original service.

    3. Destination: Original destination.
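The two "receives it as follows" lists above (inbound and outbound) describe one packet with two layers: an outer Gateway Load Balancer tunnel (IPv4 + UDP + VXLAN) and, inside it, the untouched original packet. The following is an added example, not code from this page or from the Cloud Firewall product: it builds such a packet with constructed sample addresses, parses it back into the outer and inner 5-tuples the gateway sees, and models the symmetric-hash property from step 6 (a request and its reply must land on the same gateway for state to be kept). The VXLAN port, VNI, IP addresses and the hash function itself are assumptions for illustration, not Azure's actual tunnel ports or hashing algorithm.

```python
"""Added example, not code from the page or the product: a toy model of the two
encapsulation layers the Cloud Firewall Gateway sees and of symmetric flow hashing.
Every address, port and VNI below is a constructed sample value."""
import hashlib
import socket
import struct
from typing import NamedTuple, Tuple

# Assumption: the IANA VXLAN port. A real GWLB tunnel interface has its own
# configured internal/external port numbers; pass them via tunnel_port.
VXLAN_PORT = 4789
VXLAN_FLAG_VNI_VALID = 0x08
ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at 0 (not what we inspect here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_inner(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """The original packet: Ethernet + IPv4 + TCP SYN header, no payload."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    ip = ipv4_header(src_ip, dst_ip, IPPROTO_TCP, len(tcp)) + tcp
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETH_P_IP)
    return eth + ip


def vxlan_encapsulate(inner_frame: bytes, outer_src: str, outer_dst: str, vni: int,
                      tunnel_port: int = VXLAN_PORT) -> bytes:
    """Wrap the original frame as the tunnel does: outer IPv4 + UDP + 8-byte VXLAN header.
    The inner frame is copied unchanged, which is why the gateway still sees the
    original source and destination addresses."""
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)   # flags, 3 reserved, VNI<<8
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", tunnel_port, tunnel_port, udp_len, 0)
    return ipv4_header(outer_src, outer_dst, IPPROTO_UDP, udp_len) + udp + vxlan + inner_frame


def _ipv4_fields(ip: bytes) -> Tuple[int, int, str, str]:
    """Return (header_len, proto, src, dst) of an IPv4 header, rejecting anything else."""
    if ip[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ip[0] & 0x0F) * 4
    return ihl, ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])


def vxlan_decapsulate(packet: bytes) -> Tuple[Flow, int, Flow]:
    """Parse what arrives at the gateway. Returns (outer_flow, vni, inner_flow)."""
    ihl, proto, osrc, odst = _ipv4_fields(packet)
    if proto != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP, so not a VXLAN tunnel")
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if ulen != len(packet) - ihl:
        raise ValueError("UDP length does not match packet length")
    flags, vni_raw = struct.unpack("!B3xI", packet[ihl + 8:ihl + 16])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without a valid VNI")
    inner = packet[ihl + 16:]
    if struct.unpack("!H", inner[12:14])[0] != ETH_P_IP:
        raise ValueError("inner frame is not IPv4")
    ip = inner[14:]
    iihl, iproto, isrc, idst = _ipv4_fields(ip)
    isport, idport = struct.unpack("!HH", ip[iihl:iihl + 4])   # same offsets for TCP and UDP
    return (Flow(osrc, sport, odst, dport, IPPROTO_UDP), vni_raw >> 8,
            Flow(isrc, isport, idst, idport, iproto))


def symmetric_hash(flow: Flow, gateway_count: int) -> int:
    """Model of symmetric hashing (assumption, not Azure's algorithm): order the two
    endpoints before hashing so A->B and B->A select the same gateway index."""
    lo, hi = sorted([(flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)])
    key = f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}|{flow.proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % gateway_count


if __name__ == "__main__":
    # Constructed values: client -> External LB frontend, tunnelled GWLB frontend -> VMSS instance.
    req = vxlan_encapsulate(build_inner("203.0.113.10", 51000, "198.51.100.20", 443),
                            "10.10.1.4", "10.10.2.7", 800)
    rep = vxlan_encapsulate(build_inner("198.51.100.20", 443, "203.0.113.10", 51000),
                            "10.10.1.4", "10.10.2.7", 800)
    for pkt in (req, rep):
        outer, vni, inner = vxlan_decapsulate(pkt)
        print("outer", outer, "vni", vni, "inner", inner, "gateway", symmetric_hash(inner, 3))
```

The parser deliberately refuses anything that is not IPv4/UDP/VXLAN with the VNI flag set, so a frame handed to it un-tunnelled raises rather than being misread as a flow; the `symmetric_hash` function is only there to make the step-6 property concrete, and a real deployment relies on the Gateway Load Balancer's own hashing.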

Gateway Load Balancer Frontend Routing Table - User Defined Routes (UDR):

Name          Destination                              Nexthop

Local-Subnet  Gateway Load Balancer Frontend subnet    Virtual network

To-VNet       Gateway Load Balancer VNet               None (drop)
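The two routes above only work together because Azure picks the most specific matching route: the To-VNet row drops everything addressed to the VNet, and the narrower Local-Subnet row carves the frontend subnet itself back out so the tunnel endpoints can still talk. The following is an added example, not code from this page, that models that longest-prefix evaluation with constructed placeholder prefixes standing in for the real subnet and VNet ranges; it does not call Azure and does not include Azure's system routes.

```python
"""Added example, not from the page: longest-prefix match over the two User
Defined Routes of the Gateway Load Balancer frontend subnet. The prefixes are
constructed placeholders; Azure route evaluation is modelled, not invoked."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str, str]   # (name, destination prefix, next hop)

# Placeholder ranges: 10.10.1.0/24 plays the GWLB frontend subnet, 10.10.0.0/16 the GWLB VNet.
UDR: List[Route] = [
    ("Local-Subnet", "10.10.1.0/24", "Virtual network"),
    ("To-VNet",      "10.10.0.0/16", "None (drop)"),
]


def select_route(dst_ip: str, routes: List[Route] = UDR) -> Optional[Route]:
    """Return the matching route with the longest prefix, or None when no UDR matches
    (in Azure the packet would then fall through to the system routes)."""
    addr = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    best_len = -1
    for route in routes:
        net = ipaddress.ip_network(route[1])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def is_dropped(dst_ip: str, routes: List[Route] = UDR) -> bool:
    """True when the selected route's next hop is the None (drop) hop."""
    route = select_route(dst_ip, routes)
    return route is not None and route[2] == "None (drop)"


if __name__ == "__main__":
    for ip in ("10.10.1.9", "10.10.2.7", "203.0.113.5"):
        print(ip, select_route(ip), "dropped" if is_dropped(ip) else "forwarded")
    # Without the Local-Subnet row the frontend subnet's own traffic would be dropped too:
    print("frontend subnet, To-VNet only:", is_dropped("10.10.1.9", UDR[1:]))
```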