Choosing a Load Balancer Type

Public vs Internal load balancers
Gateway Load Balancer (GWLB)
Load Balancer SKUs: Basic vs Standard
Design checklist
Links and references

Choosing the right Azure load balancer is a critical decision for network design. This guide explains the available load balancer types, when to use each, and how SKU differences affect scale, availability, security, and outbound behavior. Use this to align your design with application exposure, resiliency, and inspection requirements.

Public vs Internal load balancers

Public load balancer: receives traffic from the internet using a public IP and distributes it to backend virtual machines. Use when a workload requires external access (for example, public-facing web apps or APIs).
Internal load balancer: balances traffic privately inside a virtual network. Use for services that must remain internal (for example, backend APIs, databases, or microservices not exposed to the internet).

Load Balancer Type	Typical Use Cases	How it Appears on the Network
Public Load Balancer	External web apps, public APIs, CDN front-ends	Exposes a public IP; internet consumers connect directly
Internal Load Balancer	Backend tiers, internal APIs, database access	Uses private IPs within a VNet; only reachable from within the VNet or via peering/VPN/ExpressRoute

A network diagram titled "Choosing a Load Balancer Type" showing a public load balancer (from the internet on TCP port 80) distributing traffic to VMs in a Web Tier subnet, and an internal load balancer distributing traffic (port 443) to VMs in a Business Tier subnet inside a virtual network.

A common, secure pattern is a tiered application: a public load balancer handles incoming internet traffic at the web tier, while an internal load balancer distributes traffic among internal tiers (business logic, caching, or databases). This separation helps you:

Limit external exposure and reduce attack surface
Apply security controls (NSGs, firewalls) per tier
Optimize routing, scaling, and performance for each layer

Gateway Load Balancer (GWLB)

Gateway Load Balancer is designed to insert third-party Network Virtual Appliances (NVAs) — such as virtual firewalls, IDS/IPS, or other security appliances — into your traffic path. It preserves flow affinity, supports transparent inspection, and enables chaining multiple NVAs while providing high availability and throughput. In typical GWLB deployments, unfiltered traffic from the internet (or between networks) is routed through the gateway load balancer to provider NVAs for inspection. NVAs apply filtering and policies, then forward the filtered traffic to application endpoints.

A network diagram titled "Gateway Load Balancer" showing how unfiltered web traffic from customer virtual networks is routed through a gateway load balancer to provider Network Virtual Appliances (NVAs) for inspection. Filtered application traffic is then returned to the customer applications, illustrating high availability and throughput.

Gateway Load Balancer adds operational complexity and cost: you must deploy, manage, and license NVAs. Ensure routing, encapsulation (tunnels), and health checks are tested end-to-end. GWLB is ideal when you require inline inspection, third‑party security features, or service chaining.

Key Gateway Load Balancer components:

Front-end IP: receives incoming traffic from consumers.
Load-balancing rules: define packet distribution to backend pools.
Backend pools (backend resources): the NVAs or instances that inspect traffic.
Tunnel interfaces: encapsulate traffic to deliver it directly to NVAs.
Chaining: route traffic through multiple NVAs in sequence for layered inspection.

These components allow you to route traffic from virtual networks through GWLB to one or more NVAs, then return filtered traffic to application endpoints.

Load Balancer SKUs: Basic vs Standard

Azure Load Balancer comes in two SKUs: Basic and Standard. Each SKU differs in scale, features, availability, and default security posture. Choose the SKU that matches your workload requirements for throughput, resiliency, and security.

Capability	Basic SKU	Standard SKU
Backend pool size	Up to 300 IP configurations	Up to 5,000 backend instances
Health probes	TCP, HTTP	TCP, HTTP, HTTPS
Availability	No zone redundancy / limited availability guarantees	Zonal and zone‑redundant deployments supported
Multiple frontends	No	Yes — multiple front-end IP configurations
Security defaults	Less restrictive; NSGs optional	Secure by default: inbound flows blocked unless NSG allows; internal VNet flows allowed
SLA	None	99.99% SLA for supported configurations

A slide titled "Determining Load Balancer SKUs" showing a side-by-side table comparing Basic and Standard SKUs. The table lists differences for Backend Pool Size, Health Probes, Availability Zones, Multiple Frontends, security defaults, and SLA (e.g., Basic: up to 300 IPs, no SLA; Standard: up to 5,000 instances, 99.99% SLA).

For production workloads requiring scale, zone resiliency, and a supported SLA, the Standard SKU is strongly recommended. Use Basic only for small-scale, non-production, or legacy scenarios where limited features are acceptable.

When creating a load balancer, you will be prompted to choose:

SKU (Basic or Standard)
Region and availability options (zonal vs zone‑redundant)
Type (Public or Internal)
Front-end IP configuration(s)
Backend pools and health probes
Load‑balancing rules and optional NAT rules

The SKU and type you choose directly affect scalability, security posture, availability, and outbound connectivity behavior. Align these choices with application requirements (exposure, throughput, resiliency, inspection).

Design checklist

Use Public load balancer for internet-facing front ends; Internal load balancer for private backend tiers.
Prefer Standard SKU for production for SLA and zone resilience.
Use Gateway Load Balancer when you need inline NVAs for inspection or service chaining.
Plan NSGs and route tables explicitly when using Standard SKU (default inbound flows are blocked).
Validate health probes and failover behavior across zones in zone-redundant setups.

Links and references

With these guidelines, you can select the appropriate Azure load balancer type and SKU to meet your application’s exposure, availability, and security requirements.

Watch Video

Introduction

Deploying a Load Balancer in Azure

Introduction

Configure Internet Access with Azure Virtual NAT

Configure Peering for an Express Route Deployment

Configure Public IP Addresses

Connect Devices to Networks with Point to Site VPN Connections

Connect Networks with Site to Site VPN Connections

Connect Remote Resources by using Azure Virtual WA Ns

Create a Network Virtual Appliance NVA in a Virtual Hub

Deploy Azure D Do S Protection

Deploy and configure Network Security Groups

Design Azure Application Gateway

Design Azure Front Door

Design Name Resolution for Azure Virtual Network

Design an Express Route deployment

Design and Implement Azure Firewall

Design and Implement Azure Load Balancer

Design and Implement Azure VPN Gateway

Design and implement Azure Bastion

Enable Cross V Net Connectivity

Explain Virtual Network Service Endpoints

Explore Azure Express Route

Explore Azure Traffic Manager

Explore Azure Virtual Networks

Explore Load Balancing Options in the Azure

Express Route Advanced Features

Get Network Security Recommendations with Microsoft Defender for Cloud

Implement Virtual Network Traffic Routing

Implement a Web Application Firewall

Monitor your networks using Azure Monitor

Monitor your networks using Azure Network Watcher

Private Link Services and Private Endpoints

Troubleshooting Express Route Connections

Working with Azure Firewall Manager

Choosing a Load Balancer Type

Public vs Internal load balancers

Gateway Load Balancer (GWLB)

Load Balancer SKUs: Basic vs Standard

Design checklist

Links and references

Watch Video

Introduction

Configure Internet Access with Azure Virtual NAT

Configure Peering for an Express Route Deployment

Configure Public IP Addresses

Connect Devices to Networks with Point to Site VPN Connections

Connect Networks with Site to Site VPN Connections

Connect Remote Resources by using Azure Virtual WA Ns

Create a Network Virtual Appliance NVA in a Virtual Hub

Deploy Azure D Do S Protection

Deploy and configure Network Security Groups

Design Azure Application Gateway

Design Azure Front Door

Design Name Resolution for Azure Virtual Network

Design an Express Route deployment

Design and Implement Azure Firewall

Design and Implement Azure Load Balancer

Design and Implement Azure VPN Gateway

Design and implement Azure Bastion

Enable Cross V Net Connectivity

Explain Virtual Network Service Endpoints

Explore Azure Express Route

Explore Azure Traffic Manager

Explore Azure Virtual Networks

Explore Load Balancing Options in the Azure

Express Route Advanced Features

Get Network Security Recommendations with Microsoft Defender for Cloud

Implement Virtual Network Traffic Routing

Implement a Web Application Firewall

Monitor your networks using Azure Monitor

Monitor your networks using Azure Network Watcher

Private Link Services and Private Endpoints

Troubleshooting Express Route Connections

Working with Azure Firewall Manager

​Public vs Internal load balancers

​Gateway Load Balancer (GWLB)

​Load Balancer SKUs: Basic vs Standard

​Design checklist

​Links and references

Watch Video

Public vs Internal load balancers

Gateway Load Balancer (GWLB)

Load Balancer SKUs: Basic vs Standard

Design checklist

Links and references