1

I am planning to access an application hosted on two servers using azure load balancer which will be accessed using private end point and private link server from on-prem network for private access. while i try to execute the code, getting the below error. If i don't use back end pool, i am able to create the load balancer with private link service and private end point, what could be an issue?

Error: creating Private Link Service: (Name "privatelink" / Resource Group "XXXXXXXX"): network.PrivateLinkServicesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PrivateLinkServiceIsNotSupportedForIPBasedLoadBalancer" Message="Private link service is not supported for load balancer /subscriptions/XXXXXXXX/providers/Microsoft.Network/privateLinkServices/privatelink with backend addresses set by (virtualNetwork, ipAddress) or (subnet, ipAddress)." Details=[]


resource "azurerm_subnet" "lbsubnet" {
  name                 = "lbsubnet"
  resource_group_name  = local.resource_group
  virtual_network_name = azurerm_virtual_network.devvm_net.name
  address_prefixes     = ["10.20.1.0/24"]

  enforce_private_link_service_network_policies = true
  depends_on = [
    azurerm_virtual_network.devvm_net
  ]

}

resource "azurerm_lb" "app_balancer" {
  name                = "app-balancer"
  location            = local.location
  resource_group_name = local.resource_group
  sku="Standard"
  sku_tier = "Regional"
  frontend_ip_configuration {
    name                 = "frontend-ip"
    subnet_id                     = azurerm_subnet.lbsubnet.id
   # private_ip_address_allocation = "Dynamic"
  }
}


// the backend pool
resource "azurerm_lb_backend_address_pool" "PoolA" {
  loadbalancer_id = azurerm_lb.app_balancer.id
  name            = "PoolA"
  depends_on=[
    azurerm_lb.app_balancer
  ]
}

resource "azurerm_lb_backend_address_pool_address" "vm1" {
  name                    = "vm1"
  backend_address_pool_id = azurerm_lb_backend_address_pool.PoolA.id
  virtual_network_id      = azurerm_virtual_network.devvm_net.id
  ip_address              = azurerm_network_interface.devvm1_interface1.private_ip_address
  #ip_address= "10.20.0.10"
}

resource "azurerm_lb_backend_address_pool_address" "appvm2_address" {
  name                    = "appvm2"
  backend_address_pool_id = azurerm_lb_backend_address_pool.PoolA.id
  virtual_network_id      = azurerm_virtual_network.devvm_net.id
  #ip_address              = azurerm_network_interface.devvm2_interface2.private_ip_address
  ip_address              = "10.20.0.5"
  depends_on=[
    azurerm_lb_backend_address_pool.PoolA
  ]
}


// Health Probe

resource "azurerm_lb_probe" "ProbeA" {
  resource_group_name = local.resource_group
  loadbalancer_id     = azurerm_lb.app_balancer.id
  name                = "probeA"
  port                = 80
  protocol            =  "Tcp"
  depends_on=[
    azurerm_lb.app_balancer
  ]
}

//  Load Balancing Rule
resource "azurerm_lb_rule" "RuleA" {
  resource_group_name            = local.resource_group
  loadbalancer_id                = azurerm_lb.app_balancer.id
  name                           = "RuleA"
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 80
  frontend_ip_configuration_name = "frontend-ip"
  backend_address_pool_ids = [ azurerm_lb_backend_address_pool.PoolA.id ]
  depends_on=[
    azurerm_lb.app_balancer
  ]
}

//  the NAT Rules

resource "azurerm_lb_nat_rule" "NATRuleA" {
  resource_group_name            = local.resource_group
  loadbalancer_id                = azurerm_lb.app_balancer.id
  name                           = "RDPAccess"
  protocol                       = "Tcp"
  frontend_port                  = 3389
  backend_port                   = 3389
  frontend_ip_configuration_name = "frontend-ip"
  depends_on=[
    azurerm_lb.app_balancer
  ]
}

resource "azurerm_virtual_network" "pvt-endpoint-vnet" {
  name                = "pvtendpoint-network"
  location            = local.location
  resource_group_name = local.resource_group
  address_space       = ["10.50.0.0/16"]  
}

resource "azurerm_subnet" "endpoint-subnet" {
  name                 = "endpoint-subnet"
  resource_group_name  = local.resource_group
  virtual_network_name = azurerm_virtual_network.pvt-endpoint-vnet.name
  address_prefixes     = ["10.50.0.0/24"]

  enforce_private_link_endpoint_network_policies = true
}


resource "azurerm_private_link_service" "privatelink-service" {
  name                = "privatelink"
  location            = local.location
  resource_group_name = local.resource_group
  load_balancer_frontend_ip_configuration_ids = [azurerm_lb.app_balancer.frontend_ip_configuration.0.id]

  nat_ip_configuration {
    name      = "pls-ip"
    primary   = true
    subnet_id = azurerm_subnet.lbsubnet.id
  }
}

resource "azurerm_private_endpoint" "private_endpoint" {
  name                = "private-endpoint"
  location            = local.location
  resource_group_name = local.resource_group
  subnet_id           = azurerm_subnet.endpoint-subnet.id

  private_service_connection {
    name                           = "privateserviceconnection"
    private_connection_resource_id = azurerm_private_link_service.privatelink-service.id
    is_manual_connection           = false
  }
}
Bala K
  • 11
  • 1

1 Answers1

0

It isn't supported by this configuration, see: https://learn.microsoft.com/en-us/azure/load-balancer/backend-pool-management#limitations

David Karlsen
  • 138
  • 2
  • 7