Attach a cross-subscription backend to an Azure Load Balancer

In this article, you learn how to attach a cross-subscription backend to an Azure Load Balancer by creating a cross-subscription backend pool and attaching cross-subscription network interfaces to the backend pool of the load balancer.

A cross-subscription load balancer can reference a virtual network that resides in a different subscription than the load balancer itself. This feature allows you to deploy a load balancer in one subscription and reference a virtual network in another subscription.

Prerequisites

  • Two Azure subscriptions.
  • An Azure account with active subscriptions. Create an account for free.
  • An existing virtual network deployed in one of the subscriptions. For this example, the virtual network is in Azure Subscription A.
  • Azure PowerShell installed locally or Azure Cloud Shell.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

Important

All of the code samples will use example names and placeholders. Be sure to replace these with the values from your environment. The values needing replacement will be enclosed in angle brackets, like this: <example value>.

Sign in to Azure

With Azure PowerShell, you sign into Azure with Connect-AzAccount, and change your subscription context with Set-AzContext to Azure Subscription A. Then get the virtual network information with Get-AzVirtualNetwork. You need the Azure subscription ID, resource group name, and virtual network name from your environment.


# Sign in to Azure
Connect-AzAccount

# Set the subscription context to Azure Subscription A
Set-AzContext -Subscription '<Azure Subscription A>'     

# Get the Virtual Network information with Get-AzVirtualNetwork
$net = @{
    Name = '<vnet name>'
    ResourceGroupName = '<Resource Group Subscription A>'
}
$vnet = Get-AzVirtualNetwork @net

Create a resource group

In this section, you create a resource group in Azure Subscription B. This resource group is for all of the resources associated with your load balancer.

With Azure PowerShell, you switch the subscription context with Set-AzContext and create a resource group with New-AzResourceGroup.


# Set the subscription context to Azure Subscription B
Set-AzContext -Subscription '<Azure Subscription B>'  

# Create a resource group  
$rg = @{
    Name = 'myResourceGroupLB'
    Location = 'westus'
}
New-AzResourceGroup @rg

Note

When you create the resource group for your load balancer, use the same Azure region as the virtual network in Azure Subscription A.

Create a load balancer

In this section, you create a load balancer in Azure Subscription B. You create a load balancer with a frontend IP address.

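With Azure PowerShell, you create the load balancer with New-AzLoadBalancer, create a public IP address with New-AzPublicIpAddress, add a frontend IP configuration with Add-AzLoadBalancerFrontendIpConfig, and create the backend address pool with New-AzLoadBalancerBackendAddressPool.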

# Create a load balancer in the resource group created in Azure Subscription B
$loadbalancer = @{
    ResourceGroupName = 'myResourceGroupLB'
    Name = '<LB Name>'
    Location = 'eastus'
    Sku = 'Standard'
}
$LB = New-AzLoadBalancer @loadbalancer

# Lookup parameters used later to refresh $LB; the name must match the load balancer created above
$LBinfo = @{
    ResourceGroupName = 'myResourceGroupLB'
    Name = '<LB Name>'
}

# Create a public IP address
$publicip = @{
    Name = '<IP Address Name>'
    ResourceGroupName = 'myResourceGroupLB'
    Location = 'eastus'
    Sku = 'Standard'
    AllocationMethod = 'static'
    Zone = 1,2,3
}
New-AzPublicIpAddress @publicip

# Place public IP created in previous steps into variable
# (PowerShell variable names are case-insensitive, so this replaces the $publicip hashtable above)
$pip = @{
    Name = '<IP Address Name>'
    ResourceGroupName = 'myResourceGroupLB'
}
$publicIp = Get-AzPublicIpAddress @pip

# Create load balancer frontend configuration and place in variable
$fip = @{
    Name = '<Frontend Name>'
    PublicIpAddress = $publicIp
}
$LB = $LB | Add-AzLoadBalancerFrontendIpConfig @fip
$LB = $LB | Set-AzLoadBalancer

# Create backend address pool configuration and place in variable
# $vnet is the virtual network retrieved from Azure Subscription A during sign-in
$be = @{
    ResourceGroupName = 'myResourceGroupLB'
    Name = 'myBackEndPool'
    LoadBalancerName = '<LB Name>'
    VirtualNetwork = $vnet.id
    SyncMode = 'Automatic'
}

# Create the backend pool, then refresh $LB so it includes the new pool
$backend = New-AzLoadBalancerBackendAddressPool @be
$LB = Get-AzLoadBalancer @LBinfo

Create a health probe and load balancer rule

Create a health probe that determines the health of the backend VM instances and a load balancer rule that defines the frontend IP configuration for the incoming traffic, the backend IP pool to receive the traffic, and the required source and destination port.

With Azure PowerShell, create a health probe with Add-AzLoadBalancerProbeConfig that determines the health of the backend VM instances. Then create a load balancer rule with Add-AzLoadBalancerRuleConfig that defines the frontend IP configuration for the incoming traffic, the backend IP pool to receive the traffic, and the required source and destination port.

## Create the health probe and place in variable. ##
$probe = @{
    Name = 'myHealthProbe2'
    Protocol = 'tcp'
    Port = '80'
    IntervalInSeconds = '360'
    ProbeCount = '5'
}

## Create the load balancer rule and place in variable. ##
$lbrule = @{
    Name = 'myHTTPRule2'
    Protocol = 'tcp'
    FrontendPort = '80'
    BackendPort = '80'
    IdleTimeoutInMinutes = '15'
    FrontendIpConfiguration = $LB.FrontendIpConfigurations[0]
    BackendAddressPool = $backend
}
## Set the load balancer resource. ##
$LB | Add-AzLoadBalancerProbeConfig @probe
$LB | Add-AzLoadBalancerRuleConfig  @lbrule
$LB | Set-AzLoadBalancer

Attach network interface cards to the load balancer

In this section, you attach the network interface card (NIC) in Azure Subscription A to the load balancer in Azure Subscription B. You create a network interface with New-AzNetworkInterface and then create an IP configuration for the network interface card with New-AzNetworkInterfaceIpConfig.

Note

The network interface card (NIC) must be in the same VNet as the load balancer’s backend pool.


# Set the subscription context to Azure Subscription A
Set-AzContext -Subscription '<Azure Subscription A>'

# Create the IP configuration for the network interface card
# $backend is the backend pool created in Azure Subscription B earlier in this session
$IP1 = @{
    Name = 'MyIpConfig'
    SubnetId = $vnet.subnets[0].Id
    PrivateIpAddressVersion = 'IPv4'
    LoadBalancerBackendAddressPoolId = $backend.Id
}
$IP1Config = New-AzNetworkInterfaceIpConfig @IP1 -Primary

# Create the network interface card with that IP configuration
$nic = @{
    Name = 'MyNic'
    ResourceGroupName = '<Resource Group Subscription A>'
    Location = 'eastus'
    IpConfiguration = $IP1Config
}
New-AzNetworkInterface @nic
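
The two notes in this article (same region as the virtual network, and a NIC in the same VNet as the backend pool) can be checked before you attach anything by comparing resource IDs. The following is an added example, not part of the original article: Get-ArmIdPart and Test-CrossSubscriptionBackend are hypothetical helper names, and the subscription IDs and resource names are constructed sample values.

```powershell
# Added example: offline pre-flight check for a cross-subscription backend.
# Helper names are hypothetical; all IDs below are constructed samples.
function Get-ArmIdPart {
    param([string]$ResourceId, [string]$Segment)
    # Resource IDs alternate key/value: /subscriptions/<id>/resourceGroups/<rg>/...
    $parts = $ResourceId.Trim('/') -split '/'
    for ($i = 0; $i -lt $parts.Count - 1; $i += 2) {
        if ($parts[$i] -ieq $Segment) { return $parts[$i + 1] }
    }
    return $null
}

function Test-CrossSubscriptionBackend {
    param(
        [string]$VnetId, [string]$VnetLocation,
        [string]$LoadBalancerId, [string]$LoadBalancerLocation,
        [string]$NicSubnetId
    )
    $vnetSub = Get-ArmIdPart $VnetId 'subscriptions'
    $lbSub   = Get-ArmIdPart $LoadBalancerId 'subscriptions'
    if ($vnetSub -ieq $lbSub) {
        'Load balancer and virtual network are in the same subscription.'
    }
    if ($VnetLocation -ine $LoadBalancerLocation) {
        "Region mismatch: vnet '$VnetLocation', load balancer '$LoadBalancerLocation'."
    }
    # A subnet ID is <vnet ID>/subnets/<name>, so the NIC's subnet must sit under the pool's VNet.
    $prefix = "$VnetId/subnets/"
    if (-not $NicSubnetId.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        'NIC subnet is not in the virtual network referenced by the backend pool.'
    }
}

# Constructed sample input: VNet in Subscription A, load balancer in Subscription B
$subA   = '00000000-0000-0000-0000-00000000000a'
$subB   = '00000000-0000-0000-0000-00000000000b'
$vnetId = "/subscriptions/$subA/resourceGroups/rg-a/providers/Microsoft.Network/virtualNetworks/vnet-a"
$lbId   = "/subscriptions/$subB/resourceGroups/myResourceGroupLB/providers/Microsoft.Network/loadBalancers/lb-b"
$check = @{
    VnetId               = $vnetId
    VnetLocation         = 'eastus'
    LoadBalancerId       = $lbId
    LoadBalancerLocation = 'westus'
    NicSubnetId          = "$vnetId/subnets/default"
}
# An empty result means all three checks passed
$findings = @(Test-CrossSubscriptionBackend @check)
$findings
```

Against a live deployment, pass $vnet.Id, $vnet.Location, $LB.Id, $LB.Location, and $vnet.Subnets[0].Id from the objects created in the earlier sections.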

Clean up resources

When no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group you created along with the load balancer, and the remaining resources.

Remove-AzResourceGroup -Name 'myResourceGroupLB'
