Glasnostic for Azure Gateway Load Balancer Setup Guide

This guide shows you how to run Glasnostic as a network virtual appliance (NVA) for Azure Gateway Load Balancer (GWLB) so you can gain immediate visibility into and control over how your Azure applications interact with each other as well as the wider network.

The steps are:

  1. Deploy a Gateway Load Balancer.
  2. Deploy Glasnostic as an NVA for GWLB.
  3. Chain the GWLB to the existing standard load balancer frontend IP address.

Prerequisites

To use Azure GWLB, you need one or more applications deployed in Azure that are fronted by a load balancer that manages the application’s public IP address.

1. Provision a GWLB

  1. Create the GWLB.
$ az network lb create \
     --resource-group myGatewayLoadBalancerGroup \
     --name myGatewayLoadBalancer \
     --sku Gateway \
     --vnet-name myGatewayLoadBalancerVNET \
     --subnet myGatewayLoadBalancerSubnet \
     --frontend-ip-name myGatewayLoadBalancerFrontendIPName \
     --backend-pool-name myGatewayLoadBalancerBackendPool
  2. Configure the tunnel interfaces on its backend pool.
$ az network lb address-pool tunnel-interface add \
     --resource-group myGatewayLoadBalancerGroup \
     --lb-name myGatewayLoadBalancer \
     --address-pool myGatewayLoadBalancerBackendPool \
     --type external --protocol vxlan --identifier 801 --port 2000
$ az network lb address-pool tunnel-interface update \
     --resource-group myGatewayLoadBalancerGroup \
     --lb-name myGatewayLoadBalancer \
     --address-pool myGatewayLoadBalancerBackendPool \
     --type internal --protocol vxlan --identifier 800 --port 2001
  3. Configure a health probe for the backend NVAs and a load-balancing rule that uses it.
$ az network lb probe create \
     --resource-group myGatewayLoadBalancerGroup \
     --lb-name myGatewayLoadBalancer \
     --name myGatewayLoadBalancerHealthProbe \
     --protocol tcp \
     --port 80
$ az network lb rule create \
      --resource-group myGatewayLoadBalancerGroup \
      --lb-name myGatewayLoadBalancer \
      --name myHTTPRule \
      --protocol all \
      --backend-port 0 \
      --frontend-ip-name myGatewayLoadBalancerFrontendIPName \
      --backend-pool-name myGatewayLoadBalancerBackendPool \
      --probe-name myGatewayLoadBalancerHealthProbe \
      --disable-outbound-snat true

2. Use Glasnostic as an NVA for GWLB

  1. Create two network interfaces.
$ az network nic create \
     --resource-group myGatewayLoadBalancerGroup \
     --name glasnostic-control-nic \
     --vnet-name myGatewayLoadBalancerVNET \
     --subnet myGatewayLoadBalancerSubnet \
     --network-security-group myGatewayLoadBalancerNSG
    
$ az network nic create \
     --resource-group myGatewayLoadBalancerGroup \
     --name glasnostic-data-nic \
     --vnet-name myGatewayLoadBalancerVNET \
     --subnet myGatewayLoadBalancerSubnet \
     --network-security-group myGatewayLoadBalancerNSG
  2. Create a Glasnostic VM with the two interfaces.
$ az vm create \
     --resource-group myGatewayLoadBalancerGroup \
     --name GlasnosticAppliance \
     --image glasnostic-router \
     --authentication-type ssh \
     --admin-username glasnostic \
     --ssh-key-value ~/.ssh/id_rsa.pub \
     --size Standard_D4s_v3 \
     --nics glasnostic-control-nic glasnostic-data-nic
  3. Add the Glasnostic VM as an appliance to the GWLB backend pool.
$ az network nic ip-config address-pool add \
     --resource-group myGatewayLoadBalancerGroup \
     --lb-name myGatewayLoadBalancer \
     --address-pool myGatewayLoadBalancerBackendPool \
     --ip-config-name ipconfig1 \
     --nic-name glasnostic-data-nic

3. Chain the Existing Standard Load Balancer Frontend to GWLB

  1. Find the ID of the GWLB frontend IP configuration.
$ MY_GATEWAY_LOAD_BALANCER_FRONTEND=$(az network lb show \
     --resource-group myGatewayLoadBalancerGroup \
     --name myGatewayLoadBalancer |
     jq -r '.frontendIpConfigurations[0].id')
  2. Chain the GWLB Frontend IP to the existing standard load balancer.
$ az network lb frontend-ip update \
     --resource-group myLoadBalancerGroup \
     --lb-name myLoadBalancer \
     --name myLoadBalancerFrontendIPName \
     --public-ip-address myLoadBalancerFrontendIP \
     --gateway-lb "$MY_GATEWAY_LOAD_BALANCER_FRONTEND"

Verify the Result

If your applications receive traffic and you have already set up an environment for the NVA (see Creating an Environment), browse to https://app.glasnostic.com and select your environment. You should see an automatically generated topology map of your application landscape:

Screenshot of Glasnostic console

On the topology graph, you can see all exposed services in your application, how they interact with each other, what ingress and egress they have, and so on.
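
Whether traffic actually passes through the NVA comes down to the tunnel interfaces from step 1 and the chain from step 3. The script below is an added example (not part of the original guide or of Glasnostic's tooling) that checks both against values pulled with the Azure CLI; the `--query` field names and the sample values are assumptions.

```sh
#!/bin/sh
# Added example, not Glasnostic's or Microsoft's code.
# Tunnel interfaces from step 1, as "type protocol identifier port".
EXPECTED_TUNNELS='external vxlan 801 2000
internal vxlan 800 2001'

# check_tunnels: reads tab-separated rows (type, protocol, identifier, port)
# on stdin, e.g. from `az network lb address-pool show ... -o tsv` with
#   --query 'tunnelInterfaces[].[type,protocol,identifier,port]'
# (field names are an assumption about the CLI's JSON output).
# Prints one line per mismatch; returns 0 only on an exact match.
check_tunnels() {
  ct_actual=$(tr '[:upper:]' '[:lower:]' | tr '\t' ' ' | sed '/^ *$/d')
  ct_bad=0
  while IFS= read -r ct_line; do
    printf '%s\n' "$ct_actual" | grep -qxF -- "$ct_line" ||
      { echo "MISSING: $ct_line"; ct_bad=1; }
  done <<EOF
$EXPECTED_TUNNELS
EOF
  while IFS= read -r ct_line; do
    [ -n "$ct_line" ] || continue
    printf '%s\n' "$EXPECTED_TUNNELS" | grep -qxF -- "$ct_line" ||
      { echo "UNEXPECTED: $ct_line"; ct_bad=1; }
  done <<EOF
$ct_actual
EOF
  [ "$ct_bad" -eq 0 ]
}

# check_chain GWLB_FRONTEND_ID ACTUAL_ID: ACTUAL_ID is what the standard load
# balancer's frontend reports, e.g. from `az network lb frontend-ip show ...
# --query gatewayLoadBalancer.id -o tsv` (field name assumed, as above).
# Azure resource IDs are compared case-insensitively.
check_chain() {
  cc_want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  cc_got=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$cc_got" in
    ''|none|null) echo "NOT CHAINED: traffic bypasses the NVA"; return 1 ;;
  esac
  [ "$cc_got" = "$cc_want" ] || { echo "CHAINED ELSEWHERE: $2"; return 1; }
}

# Constructed sample values standing in for real `az` output.
SAMPLE_ID='/subscriptions/<subscription-id>/.../frontendIPConfigurations/myGatewayLoadBalancerFrontendIPName'
printf 'Internal\tVXLAN\t800\t2001\nExternal\tVXLAN\t801\t2000\n' | check_tunnels &&
  check_chain "$SAMPLE_ID" "$SAMPLE_ID" &&
  echo "OK: tunnel interfaces and chain match the guide"
```

In a real run, pipe the `az` query output into `check_tunnels` and pass `$MY_GATEWAY_LOAD_BALANCER_FRONTEND` as the first argument to `check_chain`.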

Next Steps

Visit https://glasnostic.com/ to learn more about Glasnostic and how we help DevOps, SRE, and platform teams see what is going on, maximize reliability and enforce essential security.