Before we create the MOVEit WAF Virtual Machine (VM) in Azure, it is important to understand the traffic flow so that the VMs in Microsoft Azure can be configured appropriately.

Microsoft Azure Infrastructure as a Service (IaaS) deployments accept traffic only on published endpoints. Any request to access Microsoft Azure workloads passes through the default load balancing layer of the Microsoft Azure platform. The figure below depicts the default deployment without the use of MOVEit WAF in Azure.

Any workload being published consists of an availability set, which represents a single VM or multiple VMs. When a VM is created, if an availability set already exists, you have the option to connect the new VM to that existing availability set. As more VMs are connected to an existing VM (and thus to the existing availability set), the built-in Microsoft Azure load balancer distributes connections across them when a load-balanced endpoint is created.

If you wish to use MOVEit WAF for Azure for your deployment, the following steps must be completed:

  1. The MOVEit WAF for Azure must be deployed first.
  2. All the VMs that need to be load balanced using MOVEit WAF can then be created and must be connected to the existing MOVEit WAF VM to create the required grouping.
  3. Finally, when creating endpoints, we cannot use the "Load-Balance traffic on an existing endpoint" option in Azure, because we do not want the Microsoft Azure Load Balancer to load balance incoming connections.

The figure below depicts the flow when MOVEit WAF for Azure is deployed:

Notice that VM1, VM2 and VM3 in this example are grouped into a single availability set and the endpoint for the published Virtual Services is created only on the MOVEit WAF VM. By doing this, all load-balanced traffic is received on the MOVEit WAF VM, and the load-balancing logic for incoming connections is applied according to the Virtual Service configured on MOVEit WAF for a given workload.

Also, notice that VM1, VM2 and VM3 will not have any endpoints as they are not going to be published directly to the internet.

Note: There may be exceptions to this rule for connections that require direct connectivity to the VM such as Remote Desktop Connections to Windows Server OS.
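The following is an added example, not part of the MOVEit WAF documentation or product: a small audit script that checks a described deployment against the rules above (backend VMs in the WAF's availability set, public endpoints only on the WAF VM, no Azure load-balanced endpoint sets), treating RDP as the one permitted direct-access exception. The VM records, the `MOVEit-WAF` name and the field layout are constructed for this illustration and do not reflect any Azure export format.

```python
# Added example (not from the MOVEit WAF documentation): audit a described
# classic-Azure deployment against the "publish only on the WAF VM" pattern.
# All VM/endpoint records below are constructed sample data; the field names
# are an assumption for this illustration, not an Azure export format.
from dataclasses import dataclass, field
from typing import List, Optional

# RDP to Windows Server is the direct-connectivity exception the note allows.
DIRECT_ACCESS_OK = {("tcp", 3389)}

@dataclass
class Endpoint:
    name: str
    protocol: str
    public_port: int
    lb_set: Optional[str] = None  # set when "Load-Balance traffic on an existing endpoint" was used

@dataclass
class VM:
    name: str
    availability_set: str
    endpoints: List[Endpoint] = field(default_factory=list)

def audit(vms: List[VM], waf_name: str) -> List[str]:
    """Return one finding per deviation from the WAF-only publishing pattern."""
    findings = []
    waf = next((v for v in vms if v.name == waf_name), None)
    if waf is None:  # step 1: the WAF VM must exist before the workload VMs
        return [f"{waf_name}: WAF VM missing; deploy it before the workload VMs"]
    for vm in vms:
        if vm.availability_set != waf.availability_set:  # step 2: same grouping
            findings.append(f"{vm.name}: not in WAF availability set {waf.availability_set!r}")
        for ep in vm.endpoints:
            if ep.lb_set:  # step 3: Azure's own load balancer must not be used
                findings.append(f"{vm.name}/{ep.name}: uses Azure load-balanced set {ep.lb_set!r}")
            if vm is not waf and (ep.protocol.lower(), ep.public_port) not in DIRECT_ACCESS_OK:
                findings.append(f"{vm.name}/{ep.name}: backend VM published directly on "
                                f"{ep.protocol}/{ep.public_port}")
    return findings

# Constructed sample: VM2 is published directly via an LB set; VM3 is in the wrong set.
SAMPLE = [
    VM("MOVEit-WAF", "moveit-as", [Endpoint("HTTPS", "tcp", 443), Endpoint("RDP", "tcp", 3389)]),
    VM("VM1", "moveit-as", [Endpoint("RDP", "tcp", 3389)]),
    VM("VM2", "moveit-as", [Endpoint("HTTPS", "tcp", 443, lb_set="web-lb")]),
    VM("VM3", "other-as", []),
]

if __name__ == "__main__":
    for line in audit(SAMPLE, "MOVEit-WAF"):
        print(line)
```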