Because Azure DNS private zones do not support traffic management, a global load balancing policy to spread the traffic over multiple instances cannot be created. Furthermore, these instances have private IP addresses and traditional Azure load balancers aren’t able to load balance traffic to these instances.
The Infoblox Solution: DNS Traffic Control
This blog outlines how customers can leverage Infoblox’s DNS Traffic Control (“DTC”) solution to load balance traffic to multiple instances of a running application that are hosted within a private zone in Azure. Infoblox DTC can be used to load balance the internal traffic within an Azure virtual network, traffic across multiple Azure virtual networks, and on-prem traffic directed to Azure.
DTC provides a number of health monitors and load balancing methods that help run a diverse set of use cases. You can learn more about the health monitors and load balancing methods here.
Scenario: Load balance application traffic across Azure instances
Consider that you have an Azure virtual network which is linked to a private zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone.
An Infoblox virtual appliance running the DTC service is deployed within this virtual network. The DTC service acts as a global load balancer to the application instances running within this virtual network.
Note that the Infoblox DTC service works only on authoritative zones (i.e. the primary domain must be served by DTC). You therefore need to first create the primary domain in Infoblox and then delegate a sub-domain to the Azure resolver. This delegated sub-domain hosts the records of the multiple instances of your application, which DTC will load balance across.
NOTE: For this scenario to function properly, clients trying to reach the application internal.contoso.com MUST use Infoblox as their DNS server, not the Azure Resolver.
Let’s assume you have an application internal.contoso.com which is served by two instances (say vm1.gslb.contoso.com and vm2.gslb.contoso.com), both hosted in a private zone, for example gslb.contoso.com in Azure. Your goal is to load balance the application traffic to these two instances. For this, you need to host the primary domain contoso.com in Infoblox and delegate the sub-domain gslb.contoso.com to Azure. This sub-domain has the A records of these two application instances.
1) The private zone gslb.contoso.com is already created in Azure and linked to an Azure virtual network.
2) The application internal.contoso.com is distributed across two instances in Azure, and the DNS records for those instances (vm1.gslb.contoso.com and vm2.gslb.contoso.com) are already created in gslb.contoso.com.
In order to load balance traffic for internal.contoso.com to these two instances, perform the following steps:
1) Create an Authoritative Zone in Infoblox
a. Log on to the Infoblox Grid Manager, go to Data Management -> DNS -> Zones and create an authoritative zone called contoso.com and assign it to the proper Infoblox members that need to host the zone.
2) Create a delegated sub-zone in Azure
a. Next, still within the Infoblox Grid Manager, open the authoritative zone contoso.com, switch to the Subzones tab, add a delegated sub-zone gslb.contoso.com and assign its authority to the Azure resolver (the Azure Resolver’s IP is 220.127.116.11 and is static).
3) Create DTC Servers and Pool in DTC
a. Now go to Data Management -> DNS -> Traffic Control and create two DTC Servers, for example DTCServ1 and DTCServ2. These two servers point to the two application instances that you want to load balance between (in this case vm1.gslb.contoso.com and vm2.gslb.contoso.com). While configuring these DTC Servers, enter the FQDNs of the instances as the domain names, as in the example shown below.
b. Create a pool DTCPool and add both DTC Servers DTCServ1 and DTCServ2 to it.
4) Add a DTC LBDN Record
a. While still within Data Management -> DNS -> Traffic Control, add a DTC LBDN record and set the matching pattern to internal.contoso.com as shown below.
b. Now, choose the load balancing method and select the pool (DTCPool) that you created in the last step. Press the “Next” button.
c. In Step 2, click the plus (+) button under “Associated Zones” and in the dialog box that opens up, select contoso.com.
Note: This DTC LBDN record with matching pattern internal.contoso.com, together with the association of the LBDN to the contoso.com zone, ensures that whenever Infoblox receives a DNS query for internal.contoso.com, the query is handed to DTC for load balancing. Based on the server health checks and the selected load balancing method, DTC responds with a CNAME record pointing to the best available DTC Server; that name lives in the delegated sub-zone, so it is then resolved by the Azure resolver.
Here are two sample dig commands that show how DTC is load balancing the DNS queries:
Virtual Network: 172.29.140.0/23
Infoblox appliance running DTC: 172.29.140.21
Application Instance 1 (vm1.gslb.contoso.com): 172.29.141.7
Application Instance 2 (vm2.gslb.contoso.com): 172.29.141.9
Load Balancing Method: Round Robin
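As an added example (not code from the original post or from Infoblox), the following Python checks that answers returned by the appliance follow the design above: the LBDN internal.contoso.com resolves to a CNAME inside the delegated zone gslb.contoso.com, that name resolves to an A record inside the 172.29.140.0/23 virtual network, and a run of queries is tallied to confirm how Round Robin spread them. The dig ANSWER sections are constructed for the example, not captured output.

```python
import ipaddress
from collections import Counter

# Values taken from the scenario on this page
VNET = ipaddress.ip_network("172.29.140.0/23")
DELEGATED_ZONE = "gslb.contoso.com."
LBDN = "internal.contoso.com."

# Constructed dig ANSWER sections (not captured): what a client pointed at the
# Infoblox appliance (172.29.140.21) would see for four queries under Round Robin.
SAMPLE_ANSWERS = [
    "internal.contoso.com. 30 IN CNAME vm1.gslb.contoso.com.\nvm1.gslb.contoso.com. 10 IN A 172.29.141.7",
    "internal.contoso.com. 30 IN CNAME vm2.gslb.contoso.com.\nvm2.gslb.contoso.com. 10 IN A 172.29.141.9",
    "internal.contoso.com. 30 IN CNAME vm1.gslb.contoso.com.\nvm1.gslb.contoso.com. 10 IN A 172.29.141.7",
    "internal.contoso.com. 30 IN CNAME vm2.gslb.contoso.com.\nvm2.gslb.contoso.com. 10 IN A 172.29.141.9",
]


def parse_answer(section):
    """Return {owner: (rrtype, rdata)} for each RR line of a dig ANSWER section."""
    rrs = {}
    for line in section.strip().splitlines():
        owner, _ttl, _cls, rrtype, rdata = line.split()
        rrs[owner] = (rrtype, rdata)
    return rrs


def check_answer(section):
    """Validate one DTC response: LBDN -> CNAME in the delegated zone -> A inside the VNet.

    Returns the selected instance FQDN, or raises ValueError describing the defect.
    """
    rrs = parse_answer(section)
    rrtype, target = rrs.get(LBDN, (None, None))
    if rrtype != "CNAME":
        raise ValueError(f"{LBDN} did not resolve to a CNAME (got {rrtype})")
    if not target.endswith("." + DELEGATED_ZONE):
        raise ValueError(f"CNAME target {target} is outside delegated zone {DELEGATED_ZONE}")
    atype, addr = rrs.get(target, (None, None))
    if atype != "A" or ipaddress.ip_address(addr) not in VNET:
        raise ValueError(f"{target} has no A record inside {VNET}")
    return target


def distribution(sections):
    """Count how often each instance was selected across a run of queries."""
    return Counter(check_answer(s) for s in sections)


if __name__ == "__main__":
    print(distribution(SAMPLE_ANSWERS))
```

To run it against the real appliance, feed it the ANSWER section of `dig @172.29.140.21 internal.contoso.com` captured a few times in a row.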