How can we improve Azure Networking?

HA Port feature should support stateless load balancing.

The objective is to support two types of scenarios:
1. Active-Passive firewalls.
Currently, if the active firewall fails, the LB keeps sending the data to the dead firewall and the existing TCP sessions time out, causing disruption/outage to the user traffic. However, if the LB simply diverts the traffic to the newly active firewall without worrying about state, the user will not have to experience any disruption or termination, because normally in most Active-Passive firewall implementations session states are shared between the pair. This will mean that there is no outage during Azure maintenance windows. This means no outage between Azure maintenance windows.

2. Layer 3 routing by a pair of routers
In this scenario too, the objective is to avoid outage during Azure maintenance windows. It is required that the load balancer simply forwards the traffic to any one of the available routers. If one of the routers dies, simply send that traffic to the other or one of the other routers.

The benefit of this feature would be to achieve a practical zero outage, assuming the back-end appliances have no capacity issues and can handle protocol state or are oblivious to it.

45 votes
Devender Singh shared this idea
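To make the distinction in this request concrete, here is an added toy model (not code from the original post, and not Azure Load Balancer's actual algorithm) of the two behaviours: a load balancer that pins each flow to the backend chosen on its first packet, and one that keeps no flow table and hashes every packet over the backends that are healthy right now. Backend names, the sample 5-tuples and the use of rendezvous hashing are all constructed for the example; rendezvous hashing is chosen here because removing one backend then only moves the flows that were on it, which is the property the routing scenario (and a state-synchronised firewall pair) wants.

```python
"""Toy model of flow-pinned vs. stateless (hash-only) backend selection for an
HA-ports style load balancer. Added example: backends, flows and the hashing
scheme are constructed; this is not Azure's implementation."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A 5-tuple identifying one TCP/UDP flow (constructed sample data)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


def _score(flow: Flow, backend: str) -> int:
    """Rendezvous (highest-random-weight) score of a backend for a flow.

    Hashing flow and backend together means removing one backend only moves
    the flows that were on that backend; flows on surviving backends keep
    their target, which matters for appliances holding per-flow state.
    """
    key = f"{flow.proto}|{flow.src_ip}:{flow.src_port}->{flow.dst_ip}:{flow.dst_port}|{backend}"
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def hash_pick(flow: Flow, healthy: list[str]) -> str:
    """Pick the healthy backend with the highest score for this flow."""
    if not healthy:
        raise RuntimeError("no healthy backends")
    return max(healthy, key=lambda b: _score(flow, b))


class FlowPinnedLB:
    """Behaviour the post describes: the first packet of a flow creates a
    flow-table entry, and later packets follow that entry even after the probe
    has marked the backend unhealthy, until the entry ages out."""

    def __init__(self, backends):
        self.healthy = set(backends)
        self.flow_table: dict[Flow, str] = {}

    def mark_unhealthy(self, backend: str) -> None:
        self.healthy.discard(backend)

    def forward(self, flow: Flow) -> str:
        target = self.flow_table.get(flow)
        if target is None:  # new flow: distribute over healthy backends only
            target = hash_pick(flow, sorted(self.healthy))
            self.flow_table[flow] = target
        return target  # existing flow stays pinned, even to a dead backend


class StatelessLB:
    """Requested behaviour: no flow table. Every packet is hashed over the
    backends that are healthy right now, so a failed node stops receiving
    traffic as soon as the probe marks it down. Mid-flow redirection is only
    transparent if the appliances share session state, as the post assumes."""

    def __init__(self, backends):
        self.healthy = set(backends)

    def mark_unhealthy(self, backend: str) -> None:
        self.healthy.discard(backend)

    def forward(self, flow: Flow) -> str:
        return hash_pick(flow, sorted(self.healthy))


# Constructed client flows to one service behind the appliances.
SAMPLE_FLOWS = [Flow("10.1.0.4", "10.2.0.10", 40000 + i, 443, "tcp") for i in range(50)]
FIREWALL_PAIR = ["fw-a", "fw-b"]          # scenario 1: Active-Passive firewalls
ROUTERS = ["rtr-a", "rtr-b", "rtr-c"]     # scenario 2: a set of L3 routers


def flows_blackholed_after_failure(lb_cls, flows=SAMPLE_FLOWS, backends=FIREWALL_PAIR) -> int:
    """Establish all flows, fail the backend carrying the first flow, then
    count how many flows are still steered to the dead backend."""
    lb = lb_cls(backends)
    first_target = lb.forward(flows[0])
    for f in flows:
        lb.forward(f)
    lb.mark_unhealthy(first_target)
    return sum(1 for f in flows if lb.forward(f) == first_target)


def surviving_flows_unmoved(flows=SAMPLE_FLOWS, backends=ROUTERS) -> bool:
    """With rendezvous hashing, flows that were not on the failed backend keep
    their target after the failure under the stateless LB."""
    lb = StatelessLB(backends)
    before = {f: lb.forward(f) for f in flows}
    dead = before[flows[0]]
    lb.mark_unhealthy(dead)
    return all(lb.forward(f) == before[f] for f in flows if before[f] != dead)


if __name__ == "__main__":
    print("flow-pinned LB, flows still sent to the dead node:",
          flows_blackholed_after_failure(FlowPinnedLB))
    print("stateless LB, flows still sent to the dead node:",
          flows_blackholed_after_failure(StatelessLB))
    print("surviving flows unmoved under the stateless LB:", surviving_flows_unmoved())
```

The flow-pinned model keeps forwarding established sessions into the dead node until its table entries expire, which is the hang the comments below describe; the stateless model drops to zero immediately, at the cost of depending on the backends to accept mid-stream packets for flows they did not see the handshake of.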

3 comments

  • Marc Hébrard commented

    After further testing, active flows in non-HA ports to an unhealthy node are not redirected to a healthy node.

  • Yoni commented

    In the context of HA ports, we want to use it to load balance traffic through a state-synchronized cluster of firewalls. But today the LB itself does not fail over active TCP sessions. This makes state synchronization on the firewall side useless, and results in hanging TCP sessions when a node fails.
