Hello,

I'd appreciate help with setting up Azure Load Balancer with one FreeBSD VM in the backend pool for authoritative DNS.

I'm using dedicated VNET called VNET-PRIVATE-DMZ which is peered with Azure Local Network Gateway so I can access Azure resources via IPSec tunnel. The default gateway for VNET-PRIVATE-DMZ is the VPN gateway -- everything is working fine and I can access FreeBSD VM from on-premise.

The FreeBSD box has NSD installed, it's up and running and I can query it from the on-premise network. The Network Security Group assigned to the interface has a rule allowing 53/TCP from any.

$ ifconfig
hn0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=7eef07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,NV,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,HWRXTSTMP,MEXTPG,TXTLS4,TXTLS6,VXLAN_HWCSUM,VXLAN_HWTSO>
ether 00:22:48:ca:4d:69
inet 10.94.0.6 netmask 0xfffffe00 broadcast 10.94.1.255
media: Ethernet 100GBase-CR4 <full-duplex,rxpause,txpause>
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

$ sockstat -4 | grep 53
nsd nsd 801 6 udp4 *:53 *:*
nsd nsd 801 7 tcp4 *:53 *:*

The Azure NLB has a public IP assigned in the Frontend configuration and the backend pool consists of my FreeBSD VM. There is one health probe configured over 53/TCP, and one load balancing rule for the same 53/TCP.

The issue is that I can't seem to access 53/TCP over frontend public IP. I run tcpdump on FreeBSD box and I see nothing coming. It's almost like the Load Balancer doesn't know how to reach FreeBSD, but the health probe is all green.

Any tips would be greatly appreciated.