Internal load balancers should be zone-redundant

March 21, 2025

SYNOPSIS

Load balancers deployed with Standard SKU should be zone-redundant for high availability.

DESCRIPTION

A load balancer is an Azure service that distributes traffic among instances of a service in a backend pool (such as VMs). Load balancers route traffic to healthy instances in the backend pool based on configured rules. However, if the load balancer itself becomes unavailable, traffic sent through the load balancer may be disrupted.

In a region that supports availability zones, Standard Load Balancers can be deployed across multiple zones (zone-redundant). A zone-redundant Load Balancer allows traffic to be served by a single frontend IP address that can survive zone failure.

Also consider the data path to the backend pool, and ensure that the backend pool is deployed with zone-redundancy in mind.

In a region that supports availability zones, Standard Load Balancers should be deployed with zone-redundancy.

RECOMMENDATION

Consider using load balancers deployed across at least two availability zones.

EXAMPLES

Configure with Azure template

To configure zone-redundancy for a load balancer:

  • Set the sku.name property to Standard.
  • Set the properties.frontendIPConfigurations[*].zones property to at least two availability zones, for example 1, 2, 3.

For example:

{
  "type": "Microsoft.Network/loadBalancers",
  "apiVersion": "2023-09-01",
  "name": "[parameters('lbName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard",
    "tier": "Regional"
  },
  "properties": {
    "frontendIPConfigurations": [
      {
        "name": "frontendIPConfig",
        "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "subnet": {
            "id": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2023-09-01').subnets[1].id]"
          }
        },
        "zones": [
          "1",
          "2",
          "3"
        ]
      }
    ]
  }
}

Configure with Bicep

To configure zone-redundancy for a load balancer:

  • Set the sku.name property to Standard.
  • Set the properties.frontendIPConfigurations[*].zones property to at least two availability zones, for example 1, 2, 3.

For example:

resource internal_lb 'Microsoft.Network/loadBalancers@2023-09-01' = {
  name: lbName
  location: location
  sku: {
    name: 'Standard'
    tier: 'Regional'
  }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'frontendIPConfig'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: vnet.properties.subnets[1].id
          }
        }
        zones: [
          '1'
          '2'
          '3'
        ]
      }
    ]
  }
}

NOTES

This rule applies to internal load balancers deployed with Standard SKU. Internal load balancers do not have a public IP address and are used to load balance traffic inside a virtual network.

The zones property is not supported with:

  • Public load balancers, which are load balancers with a public IP address. To address availability zones for public load balancers, use a Standard tier zone-redundant public IP address.
  • Load balancers deployed with Basic SKU, which are not zone-redundant.

For regions that support availability zones, the zones property should be set to at least two zones.
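
The scope described in these notes can be checked against an ARM template before deployment. The following is an added example, not code from this rule or its project: the function and sample names are hypothetical, the sample template is constructed, and treating a frontend with a publicIPAddress reference as public is an assumption.

```python
# Added example: flag internal Standard load balancer frontends with fewer than two zones.
LB_TYPE = "microsoft.network/loadbalancers"

def non_zone_redundant_frontends(template, min_zones=2):
    """Return (load balancer, frontend, zones) for each failing frontend."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates use an object
        resources = list(resources.values())
    findings = []
    for res in resources:
        if res.get("type", "").lower() != LB_TYPE:
            continue
        # Out of scope: Basic SKU (a missing sku is treated as not Standard).
        if (res.get("sku") or {}).get("name", "").lower() != "standard":
            continue
        props = res.get("properties") or {}
        for fe in props.get("frontendIPConfigurations", []):
            # Assumption: a frontend that references a public IP address is
            # public, so zones are handled on the public IP, not here.
            if "publicIPAddress" in (fe.get("properties") or {}):
                continue
            zones = fe.get("zones")
            # Template expressions are not evaluated; only literal lists count.
            zones = sorted(set(zones)) if isinstance(zones, list) else []
            if len(zones) < min_zones:
                findings.append((res.get("name"), fe.get("name"), zones))
    return findings

def sample_lb(name, sku, fe_props, zones=None):
    """Build a constructed sample load balancer resource."""
    fe = {"name": "frontendIPConfig", "properties": fe_props}
    if zones is not None:
        fe["zones"] = zones
    return {"type": "Microsoft.Network/loadBalancers", "name": name,
            "sku": {"name": sku},
            "properties": {"frontendIPConfigurations": [fe]}}

SUBNET = {"subnet": {"id": "<subnet-resource-id>"}}  # placeholder value
SAMPLE_TEMPLATE = {"resources": [  # constructed sample, not from a real deployment
    sample_lb("lb-zr", "Standard", SUBNET, ["1", "2", "3"]),
    sample_lb("lb-one-zone", "Standard", SUBNET, ["1"]),
    sample_lb("lb-no-zones", "Standard", SUBNET),
    sample_lb("lb-public", "Standard", {"publicIPAddress": {"id": "<public-ip-id>"}}),
    sample_lb("lb-basic", "Basic", SUBNET),
]}

if __name__ == "__main__":
    for lb, frontend, zones in non_zone_redundant_frontends(SAMPLE_TEMPLATE):
        print(f"{lb}/{frontend}: zones={zones or 'none'}")
```

A frontend whose zones value is a template expression is reported with an empty zone list, because expressions are not resolved here.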