Need help with Azure Load Balancer

Copper Contributor



I'd appreciate help with setting up Azure Load Balancer with one FreeBSD VM in the backend pool for authoritative DNS.


I'm using dedicated VNET called VNET-PRIVATE-DMZ which is peered with Azure Local Network Gateway so I can access Azure resources via IPSec tunnel. The default gateway for VNET-PRIVATE-DMZ is the VPN gateway -- everything is working fine and I can access FreeBSD VM from on-premise.


The FreeBSD box has NSD installed, it's up and running and I can query it from the on-premise network. The Network Security Group assigned to the interface has a rule allowing 53/TCP from any.


$ ifconfig
hn0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
ether 00:22:48:ca:4d:69
inet netmask 0xfffffe00 broadcast
media: Ethernet 100GBase-CR4 <full-duplex,rxpause,txpause>
status: active


$ sockstat -4 | grep 53
nsd nsd 801 6 udp4 *:53 *:*
nsd nsd 801 7 tcp4 *:53 *:*


The Azure NLB has a public IP assigned in the Frontend configuration and the backend pool consists of my FreeBSD VM. There is one health probe configured over 53/TCP, and one load balancing rule for the same 53/TCP.


The issue is that I can't seem to access 53/TCP over frontend public IP. I run tcpdump on FreeBSD box and I see nothing coming. It's almost like the Load Balancer doesn't know how to reach FreeBSD, but the health probe is all green.


Any tips would be greatly appreciated.

2 Replies



How's the health check on load balancer

It appears that your setup is generally correct, but you're facing issues with traffic not reaching your FreeBSD VM via the Azure Load Balancer (NLB) on port 53/TCP.

Double-check the NSG rules associated with your FreeBSD VM's network interface and the subnet it resides in.
On the FreeBSD VM, ensure that IP forwarding is enabled
Verify that the firewall on your FreeBSD VM (if any, such as ipfw or pf) is configured to allow inbound and outbound traffic on port 53/TCP. Even if Azure's NSG rules are correctly set, the VM's local firewall could still block the traffic?