Loading...

Using Admin State to Control Your Azure Load Balancer Backend Instances

Using Admin State to Control Your Azure Load Balancer Backend Instances

Today, Azure Load Balancer distributes incoming traffic across healthy backend pool instances. It accomplishes this by using health probes to send periodic requests to the instances and check for valid responses. Results from the health probe then determine which instances can receive new or continued connections and which ones cannot.

 

You might want to override the health probe behavior for some of the virtual machines in your Load Balancer backend pool. For example, you might want to take an instance out of rotation for maintenance or testing, or you might even want to force an instance to accept new connections even if the health probe marks it as unhealthy. In these cases, you can use our newly introduced Azure Load Balancer feature called administrative state (admin state). With admin state, you can set a value of UP, DOWN, or NONE on each backend pool instance. This value will affect how the load balancer handles new and existing connections to the instance, regardless of the health probe results.

 

What is Admin State?

 

admin-state-highres.png

 

Admin State is an Azure Load Balancer feature that lets you set the state of each individual backend pool instance to a value of UP, DOWN, or NONE. This value overrides the health probe behavior for the respective instance and determines how the load balancer treats the instance for being allowed to accept new and existing connections. Below are the definitions of each state and its effect on connections to the backend instance:

 

Admin State 

New Connections  

Existing Connections 

UP

Load Balancer will disregard the configured health probe’s response and will always consider the backend instance as eligible for new connections.

 

Load Balancer will disregard the configured health probe’s response and will always allow existing connections to persist to the backend instance. 

 

DOWN

Load Balancer will disregard the configured health probe’s response and will not allow new connections to the backend instance.

Load Balancer will disregard the configured health probe’s response and existing connections will be determined according to the protocol below:

TCP: Established TCP connections to the backend instance persists.

UDP: Existing UDP flows move to another healthy instance in the backend pool.

Note: This is similar to a Probe Down behavior.  

NONE (Blank) 

Load Balancer will default to the health probe’s response.

Load Balancer will default to the health probe’s response.

 

Note: Admin state only works when you have a health probe configured on the load balancer rules. Admin state also does not work with inbound NAT rules.

 

How to use Admin State?

You can use admin state in different ways depending on your scenario and preference. You can set admin state when you:

  1. Create a new backend pool
  2. Add a new instance to a backend pool
  3. Or updating an existing instance in a backend pool

You can also remove the admin state from an existing instance in a backend pool by setting the value to NONE. This can be done via Azure portal, PowerShell, or CLI.

 

Why use Admin State?

Previously, to take a backend instance (i.e. Virtual Machine) out of rotation, customers were using Network Security Groups (NSGs) to block traffic from Azure Load Balancer’s health probe or the client’s IPs and ports; or closing the ports on the Virtual Machines (VMs) in the load balancer’s backend pool. This process was complex and added management overhead. Now with admin state, customers can just easily set the state value on the backend pool instance; reducing the overhead and complexity needed for usual maintenance, patching, or simply applying fixes.

 

Let’s see how one of our customers, Contoso, uses admin state with their web servers.

 

Contoso’s use cases of admin state

 

Context

One of our customers, Contoso, leverages Azure Load Balancer to distribute traffic to their web servers hosted on Azure VMs. They have a custom configured health probe that checks the availability of the web servers by sending HTTP requests to a specific defined URL and expecting a 200 OK response to allow connections to the servers.

 

Issue

However, they notice that the health probe sometimes marks a web server as unhealthy because of transient network issues or application errors, even though the web server is still functional (i.e. “healthy”). This prompts their load balancer to stop sending new connections to that web server, which reduces the capacity, availability and performance of their web application.

 

Solution

To fix this issue, Contoso makes use of the Azure Load Balancer’s admin state feature to force the load balancer to send new connections to the web servers regardless of what the health probe results are. They accomplished this by setting the admin state value of each backend pool instance (i.e. VMs) to UP, which means that the load balancer always considers the web server healthy and eligible for new connections. It also allows existing connections to persist. Now Contoso can avoid losing traffic because of false positives of the health probe and make sure that their web application can handle the expected load.

 

Maintenance & Testing

Contoso also wanted to do maintenance and testing on their active web servers to ensure their servers are up to date with the latest software. They decide to use the admin state feature to accomplish this without affecting the traffic flow. They set the admin state value of the web server that they wanted to take out of rotation to DOWN, which means that the load balancer does not allow new connections to that web server and terminates existing connections based on the protocol. Thus, they were able to safely update and troubleshoot the web server without impacting the availability and performance of their web application.

 

Get Started

We are truly excited to bring to you Azure Load Balancer admin state feature in public preview. With this feature, you would be able to override the health probe behavior on your backend pool instance, giving you more control over your load balancer. This is useful for maintenance, testing and even guaranteeing high availability when transient networking issues arise.

To learn more about the admin state feature, visit the following links:

We hope you can take advantage of this feature and we welcome your feedback. Please feel free to leave a comment below.

Published on:

Learn more
Azure Networking Blog articles
Azure Networking Blog articles

Azure Networking Blog articles

Share post:

Related posts

Send emails via SMTP relay with Azure Communication Service

We’ve come across multiple cases where customers want to send emails from Applications migrated to Azure through some kind of SMTP service. Th...

3 hours ago

Five Key Updates on WS2012 ESUs enabled by Azure Arc

We have a myriad of key updates for customers enrolled in WS2012/R2 ESUs enabled by Azure Arc! As we continue to refine and expand the offer, ...

20 hours ago

Improve security posture in Azure service connections with AzurePipelinesCredential

Learn about the new AzurePipelinesCredential, designed to support federated identity credential authentication through Azure Service Connectio...

22 hours ago

Join us in July for Securing AI Apps on Azure!

Join us in July for a series of free live-streams sharing best practices for securing your AI apps on Azure. You'll learn about managed id...

1 day ago

Announcing Azure Monitoring Agent support in Azure Landing Zones

Introduction   Hello and welcome to another blog post about Azure Landing Zones, the best practice framework for accelerating your cloud...

4 days ago

Out-of-band updates to address Azure Synapse SQL issue caused by Windows updates

Microsoft has issued an out-of-band update to resolve an issue with Azure Synapse SQL Serverless Pool databases entering a "Recovery pending" ...

4 days ago

[Mitigated] Azure Lab Services - Lab Plan Outage

Azure Lab Service is experiencing an outage that is affecting Lab Plans, but not Lab Accounts. This outage intermittently impacts all operatio...

4 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy