Inspect inbound and outbound traffic with Azure Gateway Load Balancer

This option describes how to deploy a scale set of virtual appliances with Gateway Load Balancer. Deploying with Gateway Load Balancer is simpler and requires very few changes to your existing network environment. Gateway Load Balancer also adds layers of availability, so if a virtual appliance experiences an outage the disruption is minimal.

Scale set traffic flow

The image below shows an example of the traffic flow for this deployment using Gateway Load Balancer.



IMPORTANT: Internet connectivity notice

During the Deploy the Network Security virtual appliance step, the Network Security virtual appliance is configured behind a standard internal load balancer. Because of this placement, outbound internet connectivity is blocked by default unless it has been explicitly configured. For this deployment, we recommend that you add a NAT gateway to the management subnet to allow outbound connectivity. This option is configured before the Network Security virtual appliance is deployed.


Set up network environment

To set up your environment you will complete these tasks:

  1. Deploy the Network Security virtual appliance scale set
  2. Copy the frontend ID of the Gateway Load Balancer
  3. Connect the Gateway Load Balancer to the public load balancer

Before you begin

Set up Azure Monitor before you begin this deployment. Write down the Log Monitor Workspace ID and Log Monitor Primary Key.

Generate and write down a Cloud One API key and review Azure's naming conventions.

Deploy the virtual network and the Network Security virtual appliance

The Network Security virtual appliance is available from the Azure Marketplace as a public offer. To deploy the Network Security virtual appliance, navigate to Azure Portal → Marketplace → Trend Micro Cloud One™ – Network Security.

Manually add virtual appliances if the Azure Marketplace deployment does not properly register the virtual appliance(s) to Network Security.

Gather the following information before you begin the deployment:

  • Cloud One API key
  • Log Analytics workspace ID and Primary Key - Register your Log Analytics workspace during the deployment process so that your logs will be sent to the Network Security management interface.

  1. Log in to Azure and select Create a resource (this directs you to the Marketplace).
  2. Search for Trend Micro Network Security.
  3. Next to Select a plan, choose Scale Set VM with Gateway Load Balancer in the dropdown menu.
  4. Click Create.
  5. Enter the following information in the Basics tab:
  6. Select the following information in the Networking tab:
     • Select New Inspection VNet
     • Select the subnets for the new Inspection VNet
     • For NAT Gateway, choose Create new to automatically create a new NAT gateway when you deploy the virtual appliance, choose Select existing if you already manually created a NAT gateway, or choose Ignore if your Management subnet already has internet connectivity.
  7. Enter or select the following information in the Advanced tab:
     • (Suggested) Keep the Boot diagnostics setting enabled
     • Select your boot diagnostic account, or create a new one
     • Enter the Log Analytics workspace ID and Primary Key in order to upload your logs to the Network Security management portal
  8. Click Review + Create, then Deploy.

Copy the Gateway Load Balancer frontend ID

The Gateway Load Balancer frontend ID is needed to connect the Gateway Load Balancer to your public load balancer. Follow these steps to locate and copy the frontend ID in the Azure UI.

  1. From the Azure portal, navigate to the Load balancers resource page.
  2. Select your Gateway Load Balancer that was created when you deployed the Scale Set VM with Gateway Load Balancer template.
  3. On the Overview tab, click JSON View.
  4. Use Ctrl+F to search for frontendIPConfigurations. You should see the name and ID of the Gateway Load Balancer frontend IP configuration beneath the frontendIPConfigurations line.
  5. Copy and paste the name and ID to use when you connect the Gateway Load Balancer to your public load balancer.

Connect the Gateway Load Balancer to the public load balancer

Use one of the following configuration options to connect your existing public load balancer to the Gateway Load Balancer that was created when you deployed the Network Security virtual appliance from the Marketplace.


NOTE

Your public load balancer must have a Standard SKU to connect to the GWLB.


Using the Azure CLI

If you have an existing public load balancer, SSH into the machine you use to log in to Azure and run CLI commands, then enter the following command to chain the public load balancer's frontend to the Gateway Load Balancer.


NOTE

Fill in the required parameters in the command text, such as the name of the resource group and the name of the public load balancer, before you run the command. The --gateway-lb value is the frontend ID that you copied in the section above.


$ az network lb frontend-ip update \
    -g <resource group where the PLB is located> \
    --lb-name <name of the PLB> \
    -n <name of the PLB frontend to chain to the GWLB> \
    --public-ip-address <name of the PIP of the PLB frontend> \
    --gateway-lb "/subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Network/loadBalancers/<gateway LB name>/frontendIPConfigurations/<frontend IP name>"

Using an ARM template

Use the following information to create an ARM template.

For the Microsoft.Network/loadBalancers resource, locate the frontendIPConfigurations entry for the public load balancer frontend you want to connect to the Gateway Load Balancer. In that entry, set the publicIPAddress id to that frontend's public IP address ID, and set the gatewayLoadBalancer id to the Gateway Load Balancer frontend ID you copied.


NOTE

Make sure that the gatewayLoadBalancer property is supported by the apiVersion.


{
    "apiVersion": "2020-08-01",
    "name": "myPLB",
    "type": "Microsoft.Network/loadBalancers",
    "location": "eastus",
    "sku": {
        "name": "Standard"
    },
    "properties": {
        "frontendIPConfigurations": [
            {
                "name": "LoadBalancerFrontEnd",
                "properties": {
                    "publicIPAddress": {
                        "id": "enter your public IP address ID"
                    },
                    "gatewayLoadBalancer": {
                        "id": "enter the Gateway Load Balancer ID"
                    }
                }
            }
        ]
    }
}
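The copy-the-frontend-ID step and both connection options above share one failure mode: a wrong or incomplete ID (the load balancer's own ID instead of its frontend, or a placeholder left in the template) leaves the public frontend unchained and its traffic uninspected. The following added example (not Trend Micro's or Azure's code; the subscription, resource group and load balancer names are constructed) validates a copied frontend ID, builds the CLI call from it, and reports which frontends of a public load balancer, from the portal's JSON View or the ARM resource above, are actually chained:

```python
import json
import re

# Constructed sample value (not a real Azure resource).
SAMPLE_GWLB_ID = ("/subscriptions/11111111-2222-3333-4444-555555555555"
                  "/resourceGroups/rg-inspection/providers/Microsoft.Network"
                  "/loadBalancers/gwlb-netsec/frontendIPConfigurations/fe-gwlb")

# Resource-ID shape of a load balancer frontend IP configuration (the value
# found beneath "frontendIPConfigurations" in the portal's JSON View).
_FRONTEND_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/loadBalancers/(?P<lb>[^/]+)"
    r"/frontendIPConfigurations/(?P<fe>[^/]+)$",
    re.IGNORECASE,
)

def parse_frontend_id(resource_id: str) -> dict:
    """Split a GWLB frontend ID into its parts, or raise if it is not one.
    Pasting the load balancer's own ID (no /frontendIPConfigurations/...
    suffix) or leaving a template placeholder in place is rejected here."""
    match = _FRONTEND_ID.match(resource_id.strip())
    if not match:
        raise ValueError(f"not a frontendIPConfigurations ID: {resource_id!r}")
    return match.groupdict()

def az_update_args(rg, plb, frontend, pip, gwlb_id):
    """argv for `az network lb frontend-ip update` (the page's CLI option)."""
    parse_frontend_id(gwlb_id)  # fail before touching the live load balancer
    return ["az", "network", "lb", "frontend-ip", "update", "-g", rg,
            "--lb-name", plb, "-n", frontend, "--public-ip-address", pip,
            "--gateway-lb", gwlb_id.strip()]

def chained_frontends(lb_json: str) -> dict:
    """Map each frontend name to the GWLB frontend ID it is chained to.
    Accepts the portal JSON View of the public load balancer and the ARM
    resource shown on this page (both nest under "properties"). A frontend
    mapped to None is not chained, so its traffic bypasses inspection."""
    lb = json.loads(lb_json)
    result = {}
    for fe in lb.get("properties", {}).get("frontendIPConfigurations", []):
        gw_id = (fe.get("properties", {}).get("gatewayLoadBalancer") or {}).get("id")
        if gw_id is not None:
            parse_frontend_id(gw_id)  # a malformed or placeholder ID is a finding
        result[fe["name"]] = gw_id.strip() if gw_id else None
    return result
```

Run chained_frontends against the JSON View after the CLI or ARM step; every public frontend that should be inspected must map to the Gateway Load Balancer frontend ID rather than None.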