Use of SSL in Azure internal load balancer scenario

Question

We have a internal load balancer deployed in Azure, with 4 VM currently in the same load balancer set. We have a software deployed as IaaS, they essentially running a windows service taking traffic from a pre-configured port (not 443)

I am trying to figure out how this will work, to my understanding, internal load balancer does not offload SSL, so my call will be end to end from client to the VM (could be any of the 4), I can configure the software to listen for a secure socket on same load balancer ports, but how should I configure my client to call 4 servers, which certificate to use in this case?

And, what if we have more VM adding to the picture?

Answer 1

Azure Load Balancer (including the Internal one) operates at the network layer, so it does not do SSL offloading or things like cookie-based affinity. If that's what you need, you may look into something like Azure Application Gateway or third-party layer 7 load balancers ( Nginx Plus , Barracuda WAF , etc).

In your case, with the standard ILB, all requests will be routed to one of the 4 VMs, and all of them will need to have the SSL certificate installed (the same one in all VMs). SSL certificates, indeed, are bound to a specific hostname, but not a specific machine: if you need to load balance, you're free to re-use the same certificate (and private key) on every instance, as long as they all respond to the same hostname publicly.

Answer 2

Azure Load balancer does not provide SSL offloading. You could leverage KEMP LoadMaster-for-Azure and configure SSL offloading, by uploading certificate on the loadMaster and allow non ssl or SSL traffic to the 4 internal VMs. You could find the details in the below link

https://kemptechnologies.com/solutions/microsoft-load-balancing/loadmaster-azure/

Regards, Krishna