How To Use Azure Internal Load Balancing

Hi thanks for visiting.  This post will show how to set up internal load balancing which is now available in Azure virtual machines.

Why do we need internal load balancing in Azure ?

Internal load balancing (ILB) in Azure is a really useful feature which can be used to load balance service inside an Azure virtual network without exposing the endpoints to the internet.   This is very important for back end services such as web services that are accessed by other web services but not directly by users over the internet.  An example of this could be the WAC / OWA (Office Web Apps) services for SharePoint 2013.   Previously endpoints needed to be opened up over the internet for other SharePoint services to access OWA if it was load balanced across servers.  Now those services can call OWA internally when needed using internal DNS A records without having to go out to the internet and back in.   This helps to secure your environments further as there are now less entry points into your services.

An example of ILB used by front end services to call back end application AND database roles is shown here.


Environment and Requirements

Currently Azure ILB will not work on networks that are assigned to affinity groups.

My environment is an Azure subscription which has a regional network defined with subnets for each VM.  It also has a storage account to store the virtual machine VHD files and an affinity group which tells Azure which region I want to store my computer and storage objects.  Scripts are provided below.

You will also need to download and install the latest Azure PowerShell Module from here :-

to connect to your Azure subscription you could follow the guide here :-

Part one of this tutorial which includes building the domain controllers is also available here :-


In our demo we install IIS remotely and the script to do this is here :-

Install-WindowsFeature -Name Web-Server –IncludeManagementTools

This must be placed in a file on your local machine and called from the script.


Video Tutorial for creating Azure ILB

How do you create and configure Azure Internal Load Balancing ?

The way to create an NLB service internally in Azure is to use PowerShell only as it is not currently configurable using the GUI via the Azure portal.  Some scripts are provided below as shown in the video tutorial.

# Created by Mitesh Chauhan – July 2014.# Purpose – Use this script to create new virtual machines with static IP Addresses# Note – Currently this only works on regional networks and not networks created within an affinity group# VMs and storage CAN be in affinity groups for static IP addressing to work, just not networks atm.# To UPDATE EXISTING VMS. Example# Get-AzureVM -ServiceName StaticDemo -Name VM2 | Set-AzureStaticVNetIP -IPAddress | Update-AzureVM# You must remove the static IP before replacing with a new static IP.# REMOVE STATIC IP – $Get-AzureVM -ServiceName StaticDemo -Name VM2 | Remove-AzureStaticVNetIP | Update-AzureVM


#Import-AzurePublishSettingsFile “D:\mysettingsfile.publishsettings”

#Set Subscription Name

$subscriptionname = ‘My Demos’

#Set VM and Network Variables

$Adminusername = “DemoAdmin”

$Adminpassword = “Changeme9000”

$owa1name = “OWA1”

$owa2name = “OWA2”

$vmcloudservice = “owaCloudService”

$vnetname = “mcstaticvnet”

Set-AzureSubscription $subscriptionname -CurrentStorageAccountName “mcdemostore”

Select-AzureSubscription $subscriptionname

# If you have updated the Azure powershell modules or if there are connectivity issues

Import-Module Azure

# Set ImageName – Get latest Windows 2012 R2 Build.

$ws2012r2 = (Get-AzureVMImage | where ImageFamily -eq ‘Windows Server 2012 R2 Datacenter’ | select -last 1).ImageName

# Test for static IP registration

# Test-AzureStaticVNetIP –VNetName MCStaticVnet –IPAddress

# Configure VM Settings for a New Static IP VM server1 –

# We are using the second IP address in the available pool ( for this subnet to prove the VM is getting the correct IP by choice not default.

$myVM = New-AzureVMConfig -Name $owa1name -ImageName $ws2012r2 –InstanceSize “Small” | Set-AzureSubnet –SubnetNames “OWA1” | Set-AzureStaticVNetIP -IPAddress |

Add-AzureProvisioningConfig -adminusername $Adminusername -WindowsDomain -Password $Adminpassword -Domain “demo” -DomainUserName $Adminusername -DomainPassword $AdminPassword -JoinDomain “demo.local” |

Add-AzureDataDisk -CreateNew -DiskSizeInGB 128 -DiskLabel “FDrive” -LUN 0

New-AzureVM –ServiceName $vmcloudservice -VMs $myvm –AffinityGroup “NEAffinityGroup” -VNetName $vnetname -WaitForBoot;

# Configure VM Settings for a New Static IP VM server2

$myVM2 = New-AzureVMConfig -Name $owa2name -ImageName $ws2012r2 –InstanceSize “Small” | Set-AzureSubnet –SubnetNames “OWA2” | Set-AzureStaticVNetIP -IPAddress |

Add-AzureProvisioningConfig -adminusername $Adminusername -WindowsDomain -Password $Adminpassword -Domain “demo” -DomainUserName $Adminusername -DomainPassword $AdminPassword -JoinDomain “demo.local” |

Add-AzureDataDisk -CreateNew -DiskSizeInGB 128 -DiskLabel “FDrive” -LUN 0

#Provision VM – Remove VNET Name for VM in an existing cloud service (created above in this example)

New-AzureVM –ServiceName $vmcloudservice -VMs $myvm2 -WaitForBoot;


### Enable Remote PowerShell ###


# Get Certificate OWA1

Set-ExecutionPolicy Unrestricted -force

C:\Scripts\InstallWinRMCertAzureVM.ps1 -SubscriptionName $subscriptionName -ServiceName $vmcloudservice -Name $owa1name

### Install Scripts to run in the VMS ###

# Return back the correct URI for Remote PowerShell

$uri = Get-AzureWinRMUri -ServiceName $vmcloudservice -Name $owa1name

# Credentials for the VM

$cred = Get-Credential

#Run this to install the Web-Server feature

invoke-command -connectionuri $uri -Credential $cred -filepath “c:\scripts\Install IIS.ps1”

# Get Certificate OWA2

Set-ExecutionPolicy Unrestricted -force

C:\Scripts\InstallWinRMCertAzureVM.ps1 -SubscriptionName $subscriptionName -ServiceName $vmcloudservice -Name $owa2name

# Credentials for the VM

$cred = Get-Credential

#Run this to install the Web-Server feature

invoke-command -connectionuri $uri -Credential $cred -filepath “c:\scripts\Install IIS.ps1”




# Add Internal Load Balancer to the service

Add-AzureInternalLoadBalancer -InternalLoadBalancerName OWAILB -SubnetName owa1 -ServiceName $vmcloudservice

# Add load balanced endpoints to ILB

Get-AzureVM -ServiceName $vmcloudservice -Name $owa1name | Add-AzureEndpoint -Name “intowalb” -LBSetName “intowalb” -Protocol tcp -LocalPort 80 -PublicPort 80 -ProbePort 80 -ProbeProtocol tcp -ProbeIntervalInSeconds 10 -InternalLoadBalancerName OWAILB | Update-AzureVM

Get-AzureVM -ServiceName $vmcloudservice -Name $owa2name | Add-AzureEndpoint -Name “intowalb” -LBSetName “intowalb” -Protocol tcp -LocalPort 80 -PublicPort 80 -ProbePort 80 -ProbeProtocol tcp -ProbeIntervalInSeconds 10 -InternalLoadBalancerName OWAILB | Update-AzureVM

Get-AzureService -ServiceName $vmcloudservice | Get-AzureInternalLoadBalancer

## check Load Balancers for the VMs

Get-AzureVM -ServiceName $vmcloudservice -Name $owa1name | Get-AzureEndpoint

Get-AzureVM -ServiceName $vmcloudservice -Name $owa2name | Get-AzureEndpoint

Other load balancing options for Azure

If the basic (I believe it is actually Round Robin) load balancing provided by Azure is suitable for your application check out the links provided before for more sophisticated third party Microsoft partner options.

Some applications may require session persistence, SSL offloading, compression and other more complex load balancing features so check out the appliances offered by Kemp and Barracuda. The Barracuda device also provides firewall protection.


See for yourself at :-


I may do a comparison at some point once I have properly evaluated the two options above.

Azure ILB Technet Reference


About Mitesh Chauhan
Mitesh Chauhan, Azure Cloud Solutions Architect. This is my blog where I share articles and thoughts on IT Infrastructure and architecture. The topics I am most passionate about are Implementation and architecture of rock solid Cloud Infrastructure based around SQL Server and Windows Server mainly using Microsoft Azure. MCTS - Azure Architecture MCTS - Azure Implementation MCSE Server Infrastructure (Windows Server 2012) , MCITP SQL Server 2008, Togaf Certified, Prince 2 Practitioner.

15 Responses to How To Use Azure Internal Load Balancing

  1. Ben says:

    Awesome blog. This will help me solve a challenge I have at the moment 🙂

  2. Jeff Fisher says:

    Thanks, Mitesh – this is great. I would just add that if someone has the need for capabilities that go beyond Azure ILB, they should definitely checkout KEMP:

  3. ivan says:

    Hi Mitesh,
    I’ve added two VMs to my subnet :

    $myVM = New-AzureVMConfig -Name $web1 -ImageName $ws2012r2 –InstanceSize “Small” | Set-AzureSubnet –SubnetNames “sub2” | Set-AzureStaticVNetIP -IPAddress | Add-AzureProvisioningConfig -adminusername “user” -Password “@password” -Windows
    $myVM2 = New-AzureVMConfig -Name $web2 -ImageName $ws2012r2 –InstanceSize “Small” | Set-AzureSubnet –SubnetNames “sub2” | Set-AzureStaticVNetIP -IPAddress | Add-AzureProvisioningConfig -adminusername “user” -Password “@password” -Windows

    and configured LB as follows:

    Add-AzureInternalLoadBalancer -ServiceName $vmcloudservice -InternalLoadBalancerName myLoadbalancer -StaticVNetIPAddress -SubnetName “sub2”
    Get-AzureVM -ServiceName $vmcloudservice -Name $web1 | Add-AzureEndpoint -Name “intowalb” -LBSetName “intowalb” -Protocol tcp -LocalPort 80 -PublicPort 80 -ProbePort 80 -ProbeProtocol tcp -ProbeIntervalInSeconds 10 -InternalLoadBalancerName myLoadbalancer | Update-AzureVM

    Here is the output from Get-AzureInternalLoadBalancer:
    InternalLoadBalancerName : myLoadbalancer
    ServiceName : xxxxxxxxxxxxxxxxxxxx
    DeploymentName :xxxxxxxxxxxxxxxxxxxx
    SubnetName : sub2
    IPAddress :

    However, when I type it does not respond (with it works fine). Please note that my VMs are NOT domain joined.
    Did I missed something ? Thanks a lot.

    • Hi there, thanks for visiting. Did you also try the address directly ? If that does not work then the load balancer may be pointing here. you will also need to test it from a VM NOT in the same cloud service as the ILB “myLoadbalancer”. Regards

      • ivan says:

        Thanks Mitesh,
        It works when it is accessed from VM belonging different cloud service. I was not aware of that limitation.

  4. Mahesh says:

    Hi Mitesh,

    I have cloud service hosted App, SQL and Web servers. Created ILB for cloud service with IP (10.1.13). Now I have created subsets for SQL(1433 port) and Webserver(80 port).
    Here my question is does SQL and web servers both will use same ILB IP when the users want to connect? or any way to assign different IPs for SQL and Web server apart from ILB IP?


    • Hi to do this, properly you need to have the SQL in one cloud service and web in another. Then they can each have an ILB. Web and app should not be in the same cloud service as SQL.

      Cheers and thanks for visiting and posting..


      • Mahesh says:

        Thanks for quick response. This deployment happened using LCS portal. we don’t have control over this to change the cloud services for Apps and SQL during deployment.
        is there any way to get this sorted without affecting existing setup?


      • Hi there is no way to add another internal load balancer. Only thing you might be able to try is adding an external load balancer and locking it down to the respective VIP. This will give you two load balancers. ILB would be better but the architecture is not right here and this would need to be redone to fix.


      • Mahesh says:

        Thank you Mitesh..

  5. stephen says:

    HI mitesh,

    I have created a internal load balancer and internet facing load balancer.

    So i have checked that internet facing load balancer is working fine.

    And so i want test whether the internal load balancer is working.

    Please give the steps to test internal load balancer.

    • Hi sorry for the delay, the way to test the internal load balancer is to use an internal DNS record if your VMs use an AD Domain. If not then a host file entry on the server/s you wish to connect from. Hope that helps. Regards and thanks for reading and posting.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: