Resource Group: ME_databasin-env_databasin-rg_centralus

Overview

This resource group contains an internal load balancer named capp-svc-lb. Its frontend is a static private address (10.237.3.15) in the subnet ACASubnet, so it is reachable only from inside the virtual network and from networks peered or routed to it, not from the internet. The load balancer forwards TCP traffic arriving on ports 80 and 443 to NodePorts 31080 and 31443 on two AKS system-pool nodes, where the Envoy proxy that fronts the application services listens. Traffic distribution, health checking and the backend membership are defined by the load balancing rules, health probes and backend pool described below.

Resources

  1. Load Balancer

    • Type: Microsoft.Network/loadBalancers
    • Name: capp-svc-lb
    • Location: centralus
    • Properties:
      • Frontend IP Configuration:
        • Name: capp-svc-lbfe
        • Private IP Address: 10.237.3.15 (Static allocation)
        • Subnet: Attached to the subnet ACASubnet within the specified virtual network.
      • Backend Address Pools:
        • Pool Name: capp-svc-lbbepool
        • Backend Addresses:
          • Instance: aks-systempool-30816968-vmss000002 with IP: 10.237.3.20
          • Instance: aks-systempool-30816968-vmss000000 with IP: 10.237.3.26
      • Load Balancing Rules:
        • Rule Name: envoy-http
          • Frontend Port: 80, Backend Port: 31080, Protocol: Tcp
          • Idle Timeout: 4 minutes
        • Rule Name: envoy-https
          • Frontend Port: 443, Backend Port: 31443, Protocol: Tcp
      • Health Probes:
        • Probes to ensure the health of backend instances for both HTTP and HTTPS.
  2. Backend Address Pool

    • Type: Microsoft.Network/loadBalancers/backendAddressPools
    • Name: capp-svc-lbbepool
    • Depends On: the parent load balancer (capp-svc-lb), which must exist before the pool is created.
    • Properties:
      • Holds definitions for backend instances associated with the load balancer.
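To make the properties listed above checkable rather than just readable, the following added example (not part of the generated page or of any Azure tooling) expresses the load balancer as it would appear in the ARM template and runs a small lint over it: frontend private and static, every rule backed by a probe, backend ports inside the Kubernetes NodePort range, idle timeout set, backend addresses private. The resource dictionary is constructed from the values on the page; the probe names and ports and the abbreviated resource ids ("...") are assumptions, and envoy-https deliberately carries no idle timeout because the page lists none for it.

```python
# Added example, not part of the generated page or of any Azure tooling: a lint over
# the load-balancer resource as it appears in the ARM template summarised above.
# LB below is constructed from the values listed on the page. Property names follow the
# Microsoft.Network/loadBalancers ARM schema; the probe names/ports and the resource
# id prefixes ("...") are assumptions, and envoy-https deliberately has no idle timeout
# because the page lists none for it.
import ipaddress

NODEPORT_RANGE = range(30000, 32768)  # default Kubernetes NodePort range

LB = {
    "type": "Microsoft.Network/loadBalancers",
    "name": "capp-svc-lb",
    "location": "centralus",
    "sku": {"name": "Standard"},
    "properties": {
        "frontendIPConfigurations": [{
            "name": "capp-svc-lbfe",
            "properties": {"privateIPAddress": "10.237.3.15",
                           "privateIPAllocationMethod": "Static",
                           "subnet": {"id": ".../subnets/acasubnet"}},
        }],
        "backendAddressPools": [{
            "name": "capp-svc-lbbepool",
            "properties": {"loadBalancerBackendAddresses": [
                {"name": "aks-systempool-30816968-vmss000002", "properties": {"ipAddress": "10.237.3.20"}},
                {"name": "aks-systempool-30816968-vmss000000", "properties": {"ipAddress": "10.237.3.26"}},
            ]},
        }],
        "loadBalancingRules": [
            {"name": "envoy-http", "properties": {
                "protocol": "Tcp", "frontendPort": 80, "backendPort": 31080,
                "idleTimeoutInMinutes": 4, "probe": {"id": ".../probes/envoy-http-probe"}}},
            {"name": "envoy-https", "properties": {
                "protocol": "Tcp", "frontendPort": 443, "backendPort": 31443,
                "probe": {"id": ".../probes/envoy-https-probe"}}},
        ],
        "probes": [  # assumed: one TCP probe per rule on the backend port
            {"name": "envoy-http-probe", "properties": {"protocol": "Tcp", "port": 31080}},
            {"name": "envoy-https-probe", "properties": {"protocol": "Tcp", "port": 31443}},
        ],
    },
}


def lint_load_balancer(lb):
    """Return (check, passed, detail) triples for the security-relevant properties."""
    p = lb["properties"]
    out = []
    # 1. Frontend: must be a static private address; a publicIPAddress here would put
    #    ports 80/443 on the internet instead of inside the VNet.
    for fe in p["frontendIPConfigurations"]:
        fp = fe["properties"]
        ip = fp.get("privateIPAddress")
        private = "publicIPAddress" not in fp and ip is not None and ipaddress.ip_address(ip).is_private
        out.append(("frontend_private", private, f"{fe['name']} {ip}"))
        out.append(("frontend_static", fp.get("privateIPAllocationMethod") == "Static", fe["name"]))
    # 2. Rules: each must reference an existing probe (otherwise dead nodes stay in
    #    rotation), target a NodePort when the backends are AKS nodes, and set an idle timeout.
    probe_names = {pr["name"] for pr in p.get("probes", [])}
    for rule in p["loadBalancingRules"]:
        rp = rule["properties"]
        probe_ref = rp.get("probe", {}).get("id", "").rsplit("/", 1)[-1]
        out.append(("rule_has_probe", probe_ref in probe_names, rule["name"]))
        out.append(("backend_is_nodeport", rp["backendPort"] in NODEPORT_RANGE,
                    f"{rule['name']} -> {rp['backendPort']}"))
        out.append(("idle_timeout_set", "idleTimeoutInMinutes" in rp, rule["name"]))
    # 3. Backend addresses: private only.
    for pool in p["backendAddressPools"]:
        for addr in pool["properties"]["loadBalancerBackendAddresses"]:
            ip = addr["properties"]["ipAddress"]
            out.append(("backend_private", ipaddress.ip_address(ip).is_private, f"{addr['name']} {ip}"))
    return out


def failures(lb):
    """Names and details of the checks that did not pass."""
    return [(c, d) for c, ok, d in lint_load_balancer(lb) if not ok]


if __name__ == "__main__":
    for check, ok, detail in lint_load_balancer(LB):
        print(f"{'PASS' if ok else 'FAIL'}  {check:20} {detail}")
```

Run against the constructed resource, the only failure is the missing idle timeout on envoy-https, which mirrors what the page lists; feeding the same function the real template's loadBalancers resource (for example from `az deployment group export` output) is the intended use.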

Relationships

The load balancer accepts traffic on its frontend IP configuration and forwards it, according to the load balancing rules, to the healthy instances in the backend address pool. Both rules are layer-4 TCP passthrough: the load balancer does not terminate TLS and does not inspect or rewrite the payload, so the HTTPS handshake completes on the Envoy listener behind NodePort 31443, and the backend nodes see the original client source address rather than the frontend address.

Data Storage

The ARM template does not define any specific storage accounts or databases within this resource group. It primarily focuses on the load balancer and its backend pool configurations. Additional data storage services such as Azure Storage accounts or SQL databases may be provisioned in this resource group independently, depending on application requirements.

Networking

Virtual Network

  • Virtual Network: Reference to existing VNet: /subscriptions/de62d23b-2ad9-4262-9fbe-d735cb07e9df/resourceGroups/wusm-prod-rg-main/providers/Microsoft.Network/virtualNetworks/wusm-prod-vnet-main
  • Subnet: acasubnet
    • IP Address Configuration:
      • The load balancer assigns its private IP (10.237.3.15) within the subnet (ACASubnet), allowing for internal communication with the backend VMs.
      • Backend VMs have IPs 10.237.3.20 and 10.237.3.26.

Virtual Network Peering

No virtual network peerings are defined in this template. Clients outside wusm-prod-vnet-main can reach the private frontend only if peering or other routing (for example VPN or ExpressRoute) is configured separately; note that any such peering also widens the set of networks able to reach ports 80 and 443 on the load balancer and the NodePorts on the nodes.

Security Overview

Potential Security Risks:

  • Static Frontend IP: A fixed private address is appropriate here, since clients and DNS records depend on a stable endpoint. The risk is not address conflicts (Azure rejects a static address that is already in use) but hard-coded coupling: 10.237.3.15 must be recorded in IP address management, and the deployment fails if the subnet is later re-addressed.
  • Exposed Ports: The frontend is private, so ports 80 and 443 are reachable from the virtual network and from anything peered or routed to it, not from the internet. Port 80 carries cleartext; confirm that Envoy only redirects it to HTTPS or serves nothing sensitive on it. Because the rules are TCP passthrough, TLS configuration (certificates, protocol versions, cipher suites) lives on Envoy, not on the load balancer.
  • Backend NodePorts: The node addresses are private, but any host in the virtual network can connect directly to 10.237.3.20 or 10.237.3.26 on 31080/31443 and bypass the load balancer, and the nodes also expose whatever else listens on them. An NSG on the node subnet should allow 31080 and 31443 only from the AzureLoadBalancer service tag (required for health probes) and from the client ranges that are meant to reach Envoy. The load balancer does not rewrite the source address of inbound flows, so the nodes see the original client address; a rule that allows only the frontend address 10.237.3.15 would block legitimate traffic and the probes alike.

Recommendations:

  • Use Network Security Groups (NSGs): Attach an NSG to the node subnet that allows the NodePort range only from the AzureLoadBalancer service tag and the expected client ranges, denies the rest of the NodePort range from the wider virtual network, and does not rely on the default AllowVnetInBound rule, which otherwise leaves every listening port on the nodes open to the whole VNet.
  • Terminate TLS on Envoy: The load balancer forwards port 443 as opaque TCP, so encryption is only as good as the Envoy listener behind NodePort 31443. Ensure it presents a valid certificate, accepts TLS 1.2 or later only, and that the port 80 listener does nothing but redirect to HTTPS.
  • Keep Health Probes Effective: Probe the actual backend ports (31080 and 31443) so that a node whose Envoy has stopped is removed from rotation. Any NSG change must keep 168.63.129.16 (the AzureLoadBalancer tag) allowed to those ports; blocking it marks every backend unhealthy and takes the service down.
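The NSG recommendation and the probe caveat above are easy to get wrong in the same way, so the following added example (not code from the page or from Azure) models how an NSG on the AKS node subnet decides inbound flows and compares three rule sets: the default rules alone, a naive set that allows only the load-balancer frontend 10.237.3.15 as source, and a hardened set that allows the NodePorts from the AzureLoadBalancer service tag and a known client range. The frontend address and NodePorts come from the page; the subnet prefixes, the client range, the rule names and the priorities below 65000 are assumptions. The three default rules and the 168.63.129.16 probe source are Azure's documented values.

```python
# Added example, not code from the page or from Azure: a minimal model of how an NSG on
# the AKS node subnet decides inbound flows, used to compare the default-only NSG, a
# naive rule set keyed on the load-balancer frontend, and a hardened rule set for the
# NodePorts behind capp-svc-lb. 10.237.3.15 and the NodePorts come from the page; the
# subnet prefixes, client range, rule names and priorities below 65000 are assumptions.
# The default rules and the 168.63.129.16 probe source are Azure's documented values.
import ipaddress

LB_FRONTEND = "10.237.3.15"      # from the page
NODE_SUBNET = "10.237.3.0/24"    # assumed prefix holding the frontend and node addresses
VNET = "10.237.0.0/16"           # assumed expansion of the VirtualNetwork tag
CLIENT_SUBNET = "10.237.4.0/24"  # assumed: where legitimate callers of Envoy live

SERVICE_TAGS = {"VirtualNetwork": VNET,
                "AzureLoadBalancer": "168.63.129.16/32",  # health-probe source
                "*": "0.0.0.0/0"}


def rule(name, priority, access, src, dst, dport):
    return {"name": name, "priority": priority, "access": access,
            "src": src, "dst": dst, "dport": dport}


# Inbound default rules present in every NSG; they sit below any custom rule.
DEFAULT_RULES = [
    rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Wrong: the load balancer does not SNAT inbound flows, so nodes see the client's
# address, never the frontend. This blocks clients and health probes alike.
NAIVE_RULES = [
    rule("AllowOnlyFromLBFrontend", 100, "Allow", LB_FRONTEND + "/32", NODE_SUBNET, "31080,31443"),
    rule("DenyOtherNodePorts", 120, "Deny", "*", NODE_SUBNET, "30000-32767"),
] + DEFAULT_RULES

# Hardened: probes and the known client range may reach the NodePorts; nobody else may.
HARDENED_RULES = [
    rule("AllowProbeToNodePorts", 100, "Allow", "AzureLoadBalancer", NODE_SUBNET, "30000-32767"),
    rule("AllowClientsToEnvoy", 110, "Allow", CLIENT_SUBNET, NODE_SUBNET, "31080,31443"),
    rule("DenyOtherNodePorts", 120, "Deny", "*", NODE_SUBNET, "30000-32767"),
] + DEFAULT_RULES


def _addr_match(spec, addr):
    net = ipaddress.ip_network(SERVICE_TAGS.get(spec, spec), strict=False)
    return ipaddress.ip_address(addr) in net


def _port_match(spec, port):
    for part in spec.split(","):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(rules, src, dst, dport):
    """NSG semantics: rules are tried in ascending priority and the first match decides."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if _addr_match(r["src"], src) and _addr_match(r["dst"], dst) and _port_match(r["dport"], dport):
            return r["access"], r["name"]
    return "Deny", "implicit"  # not reached: DenyAllInBound matches everything


def compare(node="10.237.3.20"):
    """Verdict of each rule set (default, naive, hardened) for a few representative flows."""
    flows = {
        "probe->31080": ("168.63.129.16", node, 31080),
        "client->31080": ("10.237.4.10", node, 31080),
        "other_vnet_host->31080": ("10.237.8.50", node, 31080),
        "other_vnet_host->22": ("10.237.8.50", node, 22),
    }
    return {name: tuple(evaluate_inbound(rs, *f)[0] for rs in (DEFAULT_RULES, NAIVE_RULES, HARDENED_RULES))
            for name, f in flows.items()}


if __name__ == "__main__":
    for flow, verdicts in compare().items():
        print(f"{flow:24} default={verdicts[0]:5} naive={verdicts[1]:5} hardened={verdicts[2]}")
```

Two rows carry the lesson. With only the default rules, any host in the VNet reaches the NodePorts directly. The naive set denies the probe source along with every client, which would mark both backends unhealthy. The hardened set admits probes and the client range and denies the rest of the NodePort range, but the last row shows that port 22 on the nodes is still open to the whole VNet through AllowVnetInBound; management ports need their own deny rule or a tighter source.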

Other Information

  • Cost Management: The Standard SKU of the load balancer can incur additional costs compared to basic configurations due to features and levels of support. Monitoring usage and optimizing resources can assist in cost management.
  • Scalability: The load balancer itself scales with traffic, but throughput is bounded by the two nodes currently in the backend pool; adding instances to capp-svc-lbbepool is the scaling lever, and each added node must be covered by the same NSG rules as the existing ones.
  • Additional Configuration: Ensure a plan for geographic redundancy and failover if applicable, particularly if hosting critical applications where downtime could result in significant impact.

This documentation serves as both a guide to understanding the configuration presented in the ARM template and a checklist for ensuring adherence to best practices in terms of security and management.

Note: This document was generated using the Azure Assistants script and an LLM


Updated on October 29, 2024