Home Azure Networking Azure Load Balancer
Last updated: May 2026
Azure Networking Intermediate AZ-104 ⏱ 13 min read

Azure Load Balancer

Azure Load Balancer is a high-performance, low-latency Layer 4 (TCP/UDP) load balancer that distributes incoming traffic across multiple healthy backend VMs. It operates at the transport layer — it doesn't look at HTTP headers or URLs, just IP addresses and ports. It's the right choice for load balancing any TCP or UDP traffic, not just HTTP, and for internal load balancing between application tiers.

What you'll learn What Load Balancer does and when to use it · Basic vs Standard SKU · Public vs Internal Load Balancer · Key components — frontend IP, backend pool, health probe, load balancing rules · Distribution algorithms · NAT rules · Creating a Load Balancer via CLI · Load Balancer vs Application Gateway
Table of Contents
  1. What is Azure Load Balancer?
  2. Basic vs Standard SKU
  3. Public vs Internal Load Balancer
  4. Key Components
  5. Health Probes
  6. Distribution Algorithms
  7. NAT Rules
  8. Creating a Load Balancer
  9. Load Balancer vs Application Gateway
  10. Practice Questions

What is Azure Load Balancer?

Azure Load Balancer distributes inbound traffic across multiple backend VM instances. When a client connects, the Load Balancer picks one backend VM (based on the distribution algorithm) and forwards all packets for that connection to that VM. The client sees a single IP — the frontend IP of the Load Balancer.

ℹ️
Layer 4 = Transport Layer Load Balancer operates at Layer 4 (TCP/UDP). It doesn't understand HTTP — it sees only IP addresses and ports. This means it can load balance any TCP or UDP service: web servers, database clusters, game servers, custom protocols. For HTTP-specific features (URL routing, cookie-based affinity, SSL termination), use Application Gateway.

Basic vs Standard SKU

FeatureBasic SKUStandard SKU
Backend pool sizeUp to 300Up to 1,000
Availability ZonesNoYes — zone-redundant
SLANo SLA99.99%
Outbound rulesNoYes
Secure by defaultNo — openYes — NSG required
HA PortsNoYes
CostFreeCharged per rule hour + data
Recommended?Legacy — avoidYes — always use Standard
⚠️
Always Use Standard SKU Basic Load Balancer has no SLA and is being retired. All new load balancers should use Standard SKU. Also, you cannot mix Basic and Standard public IPs — your frontend IP must match the LB SKU.

Public vs Internal Load Balancer

Public Load BalancerInternal Load Balancer
Frontend IPPublic IP addressPrivate IP from your VNet subnet
Traffic fromInternetWithin VNet or connected networks
Use caseWeb servers facing the internetApplication tier, databases, internal services
ExampleLoad balance web servers serving public usersLoad balance app servers accessed only by web servers

Key Components

Frontend IP Configuration

The IP address that clients connect to. For public LB: a public IP. For internal LB: a private IP from a subnet. You can have multiple frontend IPs on one Load Balancer.

Backend Pool

The group of VMs that receive the traffic. You add VMs (via their NICs) to the backend pool. The Load Balancer distributes traffic among healthy VMs in the pool.

Load Balancing Rules

Define how frontend traffic maps to the backend pool. A rule specifies: frontend IP + port → backend pool + port. Example: Frontend port 80 → Backend pool port 80.

Health Probe

Determines which backend VMs are healthy and should receive traffic. If a VM fails the health probe, it's removed from rotation automatically.

Health Probes

Health probes check if backend VMs are responsive. Three types:

TypeHow It WorksBest For
HTTPGET request to a specified path — expects HTTP 200Web apps — most informative
HTTPSSame as HTTP but encryptedSecure web apps
TCPTCP connection attempt — success if port is openNon-HTTP services
💡
Use HTTP Probes When Possible An HTTP probe checks that your application is actually responding correctly — not just that the VM's TCP port is open. A VM could have an open port 80 but serve errors. HTTP probes catch this; TCP probes don't.

Key health probe settings:

  • Interval — How often to probe (default: 15 seconds)
  • Unhealthy threshold — How many failures before removing from rotation (default: 2)

Distribution Algorithms

Load Balancer uses a 5-tuple hash by default to determine which backend VM receives each connection:

  • Source IP
  • Source port
  • Destination IP
  • Destination port
  • Protocol

This ensures all packets from the same client connection go to the same backend VM (session persistence). You can also configure:

  • 2-tuple (Source IP) — Same source IP always goes to same backend VM (for protocols that need persistent sessions)
  • 3-tuple (Source IP + Protocol) — Source IP and protocol determine destination

NAT Rules

Inbound NAT rules allow you to forward traffic from a specific frontend port to a specific backend VM and port. Useful for accessing individual VMs behind the Load Balancer (e.g., SSH to each VM on a different port).

Example NAT rules for SSH access to individual VMs 
Frontend port 5001 → VM1 port 22 (SSH to VM1)
Frontend port 5002 → VM2 port 22 (SSH to VM2)
Frontend port 5003 → VM3 port 22 (SSH to VM3)

# Connect to VM1: ssh user@public-ip -p 5001
# Connect to VM2: ssh user@public-ip -p 5002

Creating a Load Balancer

Azure CLI Create a Standard public Load Balancer 
# Create public IP for the LB
az network public-ip create \
  --resource-group myRG \
  --name lb-public-ip \
  --sku Standard \
  --allocation-method Static

# Create Load Balancer
az network lb create \
  --resource-group myRG \
  --name myLoadBalancer \
  --sku Standard \
  --frontend-ip-name myFrontend \
  --public-ip-address lb-public-ip \
  --backend-pool-name myBackendPool

# Create health probe
az network lb probe create \
  --resource-group myRG \
  --lb-name myLoadBalancer \
  --name myHealthProbe \
  --protocol Http \
  --port 80 \
  --path /health \
  --interval 15 \
  --threshold 2

# Create load balancing rule (port 80 → port 80)
az network lb rule create \
  --resource-group myRG \
  --lb-name myLoadBalancer \
  --name myHTTPRule \
  --protocol Tcp \
  --frontend-port 80 \
  --backend-port 80 \
  --frontend-ip-name myFrontend \
  --backend-pool-name myBackendPool \
  --probe-name myHealthProbe

Load Balancer vs Application Gateway

FactorLoad BalancerApplication Gateway
OSI LayerLayer 4 (TCP/UDP)Layer 7 (HTTP/HTTPS)
Protocol awarenessNo — any TCP/UDPYes — HTTP headers, URLs, cookies
URL-based routingNoYes — route /api to one pool, /images to another
SSL terminationNoYes
Web Application FirewallNoYes (WAF SKU)
Cookie-based session affinityNo (IP-based only)Yes
CostCheaperMore expensive
Best forAny TCP/UDP, internal LBWeb applications, API routing
💡
AZ-104 Exam Tip Know that Load Balancer is Layer 4 (any TCP/UDP), has no SLA on Basic SKU (Standard has 99.99%), requires health probes to detect unhealthy backends, supports public and internal configurations, and cannot do URL-based routing (use Application Gateway for that).
📝 Practice Questions
Click an option to check your answer. AZ-104 style questions.
Q1. At which OSI layer does Azure Load Balancer operate?
A Layer 3 (Network)
B Layer 4 (Transport)
C Layer 7 (Application)
D Layer 2 (Data Link)
Q2. What is the purpose of a health probe in Azure Load Balancer?
A To encrypt traffic between the Load Balancer and backend VMs
B To check if backend VMs are healthy — unhealthy VMs are removed from rotation
C To monitor CPU and memory usage of backend VMs
D To apply NSG rules to backend pool traffic
Q3. A company needs an internal Load Balancer to distribute traffic between application servers. What type of frontend IP does an internal Load Balancer use?
A A public IP address
B A private IP address from a VNet subnet
C The Load Balancer's hostname
D An NSG rule as the frontend
Q4. What SLA does the Standard Azure Load Balancer provide?
A 99.9%
B 99.99%
C 99.95%
D No SLA
Q5. A web application needs to route traffic to different backend pools based on the URL path — /api to API servers and /images to image servers. Which Azure service should be used?
A Azure Load Balancer
B Azure Application Gateway
C Azure Traffic Manager
D Network Security Groups
Related Topics
Azure Networking Azure Application Gateway Azure Networking Network Security Groups Azure Networking Azure Front Door
← Previous Network Security Groups
Comments
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with Microsoft Corporation.