Glasnostic for Azure Gateway Load Balancer Setup Guide

This guide shows you how to run Glasnostic as a network virtual appliance (NVA) for Azure Gateway Load Balancer (GWLB) so you can gain immediate visibility into and control over how your Azure applications interact with each other as well as the wider network.

The steps are:

  1. Deploy a Gateway Load Balancer.
  2. Deploy Glasnostic as an NVA for GWLB.
  3. Chain the GWLB to the existing standard load balancer frontend IP address.

Prerequisites

To use Azure GWLB, you need one or more applications deployed in Azure that are fronted by a load balancer that manages the application’s public IP address.

Step 1. Provision a GWLB

  1. Create the GWLB.

    az network lb create \
      --resource-group myGatewayLoadBalancerGroup \
      --name myGatewayLoadBalancer \
      --sku Gateway \
      --vnet-name myGatewayLoadBalancerVNET \
      --subnet myGatewayLoadBalancerSubnet \
      --frontend-ip-name myGatewayLoadBalancerFrontendIPName \
      --backend-pool-name myGatewayLoadBalancerBackendPool
  2. Configure the tunnel interfaces to its backend pool.

    az network lb address-pool tunnel-interface add \
      --resource-group myGatewayLoadBalancerGroup \
      --lb-name myGatewayLoadBalancer \
      --address-pool myGatewayLoadBalancerBackendPool \
      --type external --protocol vxlan --identifier 801 --port 2000

    az network lb address-pool tunnel-interface update \
      --resource-group myGatewayLoadBalancerGroup \
      --lb-name myGatewayLoadBalancer \
      --address-pool myGatewayLoadBalancerBackendPool \
      --type internal --protocol vxlan --identifier 800 --port 2001
  3. Configure a health probe for the backend NVAs and a load-balancing rule that uses it.

    az network lb probe create \
      --resource-group myGatewayLoadBalancerGroup \
      --lb-name myGatewayLoadBalancer \
      --name myGatewayLoadBalancerHealthProbe \
      --protocol tcp \
      --port 80

    az network lb rule create \
      --resource-group myGatewayLoadBalancerGroup \
      --lb-name myGatewayLoadBalancer \
      --name myHTTPRule \
      --protocol all \
      --backend-port 0 \
      --frontend-ip-name myGatewayLoadBalancerFrontendIPName \
      --backend-pool-name myGatewayLoadBalancerBackendPool \
      --probe-name myGatewayLoadBalancerHealthProbe \
      --disable-outbound-snat true

Step 2. Use Glasnostic as an NVA for GWLB

  1. Create two network interfaces.

    az network nic create \
      --resource-group myGatewayLoadBalancerGroup \
      --name glasnostic-control-nic \
      --vnet-name myGatewayLoadBalancerVNET \
      --subnet myGatewayLoadBalancerSubnet \
      --network-security-group myGatewayLoadBalancerNSG

    az network nic create \
      --resource-group myGatewayLoadBalancerGroup \
      --name glasnostic-data-nic \
      --vnet-name myGatewayLoadBalancerVNET \
      --subnet myGatewayLoadBalancerSubnet \
      --network-security-group myGatewayLoadBalancerNSG
  2. Create a Glasnostic VM with the two interfaces.

    az vm create \
      --resource-group myGatewayLoadBalancerGroup \
      --name GlasnosticAppliance \
      --image glasnostic-router \
      --authentication-type ssh \
      --admin-username glasnostic \
      --ssh-key-value ~/.ssh/id_rsa.pub \
      --size Standard_D4s_v3 \
      --nics glasnostic-control-nic glasnostic-data-nic
  3. Add the Glasnostic VM as an appliance to the GWLB backend pool.

    az network nic ip-config address-pool add \
      --resource-group myGatewayLoadBalancerGroup \
      --lb-name myGatewayLoadBalancer \
      --address-pool myGatewayLoadBalancerBackendPool \
      --ip-config-name ipconfig1 \
      --nic-name glasnostic-data-nic

Step 3. Chain the existing standard load balancer frontend to GWLB

  1. Find the GWLB Frontend IP.

    MY_GATEWAY_LOAD_BALANCER_FRONTEND=$(az network lb show \
      --resource-group myGatewayLoadBalancerGroup \
      --name myGatewayLoadBalancer \
      | jq -r '.frontendIpConfigurations[0].id')
  2. Chain the GWLB Frontend IP to the existing standard load balancer.

    az network lb frontend-ip update \
      --resource-group myLoadBalancerGroup \
      --lb-name myLoadBalancer \
      --name myLoadBalancerFrontendIPName \
      --public-ip-address myLoadBalancerFrontendIP \
      --gateway-lb "$MY_GATEWAY_LOAD_BALANCER_FRONTEND"

Verify the result

If your application(s) receive traffic and you have already set up an environment for the NVA (see Creating an Environment), then browse to https://app.glasnostic.com and, after selecting your environment, you should see an automatically generated topology map of your application landscape:

Screenshot of Glasnostic console

The topology graph shows all exposed services in your application, how they interact with each other, what ingress/egress they have, etc.
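
A CLI-side check to complement the console view, as an added example that is not part of the original guide or Glasnostic's tooling: it validates saved JSON output of `az network lb address-pool show` (GWLB backend pool) and `az network lb frontend-ip show` (standard load balancer frontend). The field names `tunnelInterfaces` and `gatewayLoadBalancer` are assumed from the Azure resource schema, and the sample data and resource ID are constructed placeholders.

```python
import json

# Constructed sample in the assumed shape of `az network lb address-pool show -o json`.
SAMPLE_POOL = json.loads("""{"tunnelInterfaces": [
  {"type": "External", "protocol": "VXLAN", "identifier": 801, "port": 2000},
  {"type": "Internal", "protocol": "VXLAN", "identifier": 800, "port": 2001}]}""")
# Constructed placeholder ID and sample in the assumed shape of
# `az network lb frontend-ip show -o json` for the standard load balancer.
GWLB_FRONTEND_ID = "/subscriptions/<sub-id>/placeholder/myGatewayLoadBalancerFrontendIPName"
SAMPLE_FRONTEND = {"gatewayLoadBalancer": {"id": GWLB_FRONTEND_ID}}


def check_tunnels(pool):
    """Return problems found in the GWLB backend pool's tunnel interfaces."""
    tunnels = pool.get("tunnelInterfaces") or []
    problems = []
    for kind in ("internal", "external"):
        count = sum(1 for t in tunnels if str(t.get("type", "")).lower() == kind)
        if count != 1:
            problems.append(f"expected exactly one {kind} tunnel interface, found {count}")
    for field in ("identifier", "port"):
        values = [t.get(field) for t in tunnels]
        if len(set(values)) != len(values):
            problems.append(f"tunnel interfaces share the same {field}")
    for t in tunnels:
        if str(t.get("protocol", "")).lower() != "vxlan":
            problems.append(f"{t.get('type')} tunnel interface is not VXLAN")
    return problems


def check_chain(frontend, expected_gwlb_id):
    """Return problems with the standard LB frontend's reference to the GWLB."""
    ref = (frontend.get("gatewayLoadBalancer") or {}).get("id")
    if not ref:
        return ["frontend is not chained to a GWLB, so traffic bypasses the appliance"]
    # Resource IDs compare case-insensitively; strip JSON quotes left by jq without -r.
    if ref.lower() != expected_gwlb_id.strip('"').lower():
        return [f"frontend is chained to a different GWLB frontend: {ref}"]
    return []


if __name__ == "__main__":
    for problem in check_tunnels(SAMPLE_POOL) + check_chain(SAMPLE_FRONTEND, GWLB_FRONTEND_ID):
        print("PROBLEM:", problem)
```

An empty result from both functions means the tunnel interfaces are consistent and the frontend points at the expected GWLB frontend.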

Next steps

  1. Check out the Glasnostic Overview to learn more about Glasnostic and how we help DevOps, SRE, and platform teams see what is going on, maximize reliability and enforce essential security.
  2. See the Quick Start tutorial to get started with Glasnostic in your own Kubernetes cluster.