Azure Network Balancer Terraform Module

This module is designed to create and manage Azure Load Balancers (NLBs), which distribute incoming network traffic across multiple virtual machines (VMs) to ensure high availability and reliability. The module supports configuring frontend IP configurations, backend address pools, load balancing rules, and probes.

Features

• Load Balancer Management: Creates and manages Azure Load Balancers within a specified resource group.
• Frontend IP Configuration: Supports both public and private frontend IP configurations for the load balancer.
• Backend Address Pools: Defines pools of virtual machines that will receive traffic from the load balancer.
• Load Balancing Rules: Configures rules for distributing traffic across backend VMs, including protocol, port, and session persistence settings.
• Health Probes: Enables the creation of custom health probes to monitor the status of backend VMs and ensure only healthy instances receive traffic.
• Outbound Rules: Configures outbound rules to define how traffic leaving the Azure network is handled.

Example Usage

There are two example that demonstrates how to create a Public and Internal NetowrkLoad Balancer with a backend address pool, a load balancing rule, and a health probe.

resource "azurerm_resource_group" "this" {
  name     = "rg-lb-example"
  location = "germanywestcentral"
}

module "vnet" {
  source = "CloudAstro/virtual-network/azurerm"

  name                = "vnet-example"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  address_space       = ["10.20.0.0/24"]
}

module "subnet" {
  source = "CloudAstro/subnet/azurerm"

  name                 = "snet-example"
  resource_group_name  = azurerm_resource_group.this.name
  virtual_network_name = module.vnet.virtual_network.name
  address_prefixes     = ["10.20.0.0/25"]
}

module "network_interface" {
  source = "CloudAstro/network-interface/azurerm"

  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name

  interfaces = {
    nic-example = {
      name = "nic-example"
      ip_configuration = [
        {
          name                          = "ipconfig1"
          private_ip_address_allocation = "Dynamic"
          subnet_id                     = module.subnet.subnet.id
        }
      ]
    }
  }
}

module "public_ip" {
  source = "CloudAstro/public-ip/azurerm"

  name                = "pip-example"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
  allocation_method   = "Static"
}

module "load_balancer_public" {
  source = "../../"

  name                = "lb-example-public"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
  sku                 = "Standard"
  sku_tier            = "Regional"

  frontend_ip_configuration = {
    ipconfig_1 = {
      name                 = "publicFrontend"
      public_ip_address_id = module.public_ip.publicip.id
    }
  }

  # Backend Address Pool(s)
  backend_address_pool = {
    pool_1 = {
      name = "backendPool1"

      network_interface_association = {
        nic1 = {
          network_interface_id  = module.network_interface.interface.nic-example.id
          ip_configuration_name = module.network_interface.interface.nic-example.ip_configuration[0].name
        }
      }
    }

    pool_2 = {
      name               = "backendPool2"
      synchronous_mode   = "Manual"
      virtual_network_id = module.vnet.virtual_network.id

      address = {
        addr1 = {
          ip_address = module.network_interface.interface.nic-example.private_ip_address
          name       = "example"
        }
      }
    }
  }

  rule = {
    lb_port_80 = {
      name                              = "httpRule"
      frontend_ip_configuration_name    = "publicFrontend"
      protocol                          = "Tcp"
      frontend_port                     = 80
      backend_port                      = 80
      backend_address_pool_object_names = ["pool_1"]
      probe_object_name                 = "probe_1"
      enable_floating_ip                = false
      idle_timeout_in_minutes           = 4
      load_distribution                 = "Default"
      enable_tcp_reset                  = false
    }
  }

  probe = {
    probe_1 = {
      name                            = "httpProbe"
      protocol                        = "Http"
      port                            = 80
      request_path                    = "/healthcheck"
      interval_in_seconds             = 5
      number_of_probes_before_removal = 2
    }
  }

  tags = {
    Environment = "Production"
    Owner       = "Your Name"
  }
}

Requirements

Name	Version
terraform	~> 1.9.0
azurerm	>= 4.0.0

Providers

Name	Version
azurerm	>= 4.0.0

Resources

Name	Type
azurerm_lb.this	resource
azurerm_lb_backend_address_pool.this	resource
azurerm_lb_backend_address_pool_address.this	resource
azurerm_lb_nat_pool.this	resource
azurerm_lb_nat_rule.this	resource
azurerm_lb_outbound_rule.this	resource
azurerm_lb_probe.this	resource
azurerm_lb_rule.this	resource
azurerm_management_lock.this	resource
azurerm_monitor_diagnostic_setting.this	resource
azurerm_network_interface_backend_address_pool_association.this	resource
azurerm_role_assignment.this	resource

Inputs

Name	Description	Type	Default	Required
backend_address_pool	* backend_address_pool - (Optional) A map of objects that creates one or more backend pools with nested network interfaces * name- (Required) Specifies the name of the Backend Address Pool. Changing this forces a new resource to be created. * synchronous_mode - (Optional) The backend address synchronous mode for the Backend Address Pool. Possible values are Automatic and Manual. This is required with virtual_network_id. Changing this forces a new resource to be created. -> NOTE: The synchronous_mode can set only for Load Balancer with Standard SKU. * virtual_network_id - (Optional) The ID of the virtual network that the backend pool should be associated with. Sets pool to use only backend addresses via private IP. Leave empty if using network interfaces or mix of network interfaces and backend addresses. * tunnel_interfaces - (Optional) A map of objects that creates one or more tunnel interfaces for the backend pool * identifier - (Required) The identifier of the tunnel interface * type - (Required) The traffic type of this Gateway Load Balancer Tunnel Interface. Possible values are None, Internal and External. * protocol - (Required) The protocol used for this Gateway Load Balancer Tunnel Interface. Possible values are None, Native and VXLAN. * port - (Required) The port number that this Gateway Load Balancer Tunnel Interface listens to. * network_interface_association - (Optional) A map of objects that associates one or more backend address pool network interfaces * ip_configuration_name - (Optional) The name of the IP configuration that this network interface should be associated with * network_interface_id - (Optional) The ID of the network interface that should be associated with the backend address pool * address - (Optional) A map of objects. -> Note: Backend Addresses can only be added to a Standard SKU Load Balancer. Cross region load balancer is for Load Balancer with Global SKU. The address block supports the following: * ip_address- (Optional) The static IP address which should be allocated to the backend address pool. * name- (Optional) The name of the backend address pool address, if adding an address. Changing this forces a new backend address pool address to be created. * virtual_network_resource_id: (Optional) The ID of the virtual network that the backend address pool address should be associated with. Helps with mapping to correct backend pool. * backend_address_ip_configuration_id - (Optional) The ip config ID of the regional load balancer that's added to the global load balancer's backend address pool. -> Note: For cross-region load balancer, please append the name of the load balancers, virtual machines, and other resources in each region with a -R1 and -R2. Example Input: backend_address_pool = { pool_1 = { name = "backendPool1" network_interface_association = { nic1 = { network_interface_id = "network_interface_id" ip_configuration_name = "ip_configuration_name" } } } pool_2 = { name = "backendPool2" synchronous_mode = "Manual" virtual_network_id = "virtual_network_id" address = { addr1 = { ip_address = "ip_address" name = "example" } } } }	map(object({ name = string synchronous_mode = optional(string) virtual_network_id = optional(string) tunnel_interfaces = optional(map(object({ identifier = number type = string protocol = string port = number })), {}) network_interface_association = optional(map(object({ network_interface_id = string ip_configuration_name = string })), {}) address = optional(map(object({ ip_address = optional(string) name = string virtual_network_id = optional(string) backend_address_ip_configuration_id = optional(string) })), {}) timeouts = optional(object({ create = optional(string, "30") read = optional(string, "5") update = optional(string, "30") delete = optional(string, "30") })) }))	n/a	yes
frontend_ip_configuration	* frontend_ip_configuration - (Required) A map of objects. The frontend_ip_configuration block supports the following: * name - (Required) Specifies the name of the frontend IP configuration. * zones - (Optional) Specifies a list of Availability Zones in which the IP Address for this Load Balancer should be located. -> NOTE: Availability Zones are only supported with a Standard SKU and in select regions at this time. * subnet_id - (Optional) The ID of the Subnet which should be associated with the IP Configuration. * gateway_load_balancer_frontend_ip_configuration_id - (Optional) The Frontend IP Configuration ID of a Gateway SKU Load Balancer. * private_ip_address - (Optional) Private IP Address to assign to the Load Balancer. The last one and first four IPs in any range are reserved and cannot be manually assigned. * private_ip_address_allocation - (Optional) The allocation method for the Private IP Address used by this Load Balancer. Possible values as Dynamic and Static. * private_ip_address_version - (Optional) The version of IP that the Private IP Address is. Possible values are IPv4 or IPv6. * public_ip_address_id - (Optional) The ID of a Public IP Address which should be associated with the Load Balancer. * public_ip_prefix_id - (Optional) The ID of a Public IP Prefix which should be associated with the Load Balancer. Public IP Prefix can only be used with outbound rules. Example Input: frontend_ip_configuration = { ipconfig = { name = "frontend-ipconfig" subnet_id = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/mySubnet" private_ip_address = 10.0.0.5/28 private_ip_address_allocation = "Static" private_ip_address_version = "IPv4" zones = ["None"] } }	map(object({ name = string zones = optional(list(string)) subnet_id = optional(string) gateway_load_balancer_frontend_ip_configuration_id = optional(string) private_ip_address = optional(string) private_ip_address_allocation = optional(string, "Dynamic") private_ip_address_version = optional(string) public_ip_address_id = optional(string) public_ip_prefix_id = optional(string) }))	n/a	yes
location	* location - (Required) Specifies the supported Azure Region where the Load Balancer should be created. Changing this forces a new resource to be created. The full list of Azure regions can be found at: https://azure.microsoft.com/regions Example Input: location = "ger-west-central"	string	n/a	yes
name	* name - (Required) Specifies the name of the Load Balancer. Changing this forces a new resource to be created. Example Input: name = "lb-example"	string	n/a	yes
resource_group_name	* resource_group_name - (Required) The name of the Resource Group in which to create the Load Balancer. Changing this forces a new resource to be created. Example Input: resource_group_name = "rg-lb-example"	string	n/a	yes
diagnostic_settings	* diagnostic_settings - (Optional) A map of objects that specify Diagnostic settings for azure resources. The following arguments are supported: * name - (Required) Specifies the name of the Diagnostic Setting. Changing this forces a new resource to be created. -> NOTE: If the name is set to 'service' it will not be possible to fully delete the diagnostic setting. This is due to legacy API support. * target_resource_id - (Optional) The ID of an existing Resource on which to configure Diagnostic Settings. Changing this forces a new resource to be created. * eventhub_name - (Optional) Specifies the name of the Event Hub where Diagnostics Data should be sent. -> NOTE: If this isn't specified then the default Event Hub will be used. * eventhub_authorization_rule_id - (Optional) Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data. -> NOTE: This can be sourced from the azurerm_eventhub_namespace_authorization_rule resource and is different from a azurerm_eventhub_authorization_rule resource. -> NOTE: At least one of eventhub_authorization_rule_id, log_analytics_workspace_id, partner_solution_id and storage_account_id must be specified. * log_analytics_workspace_id - (Optional) Specifies the ID of a Log Analytics Workspace where Diagnostics Data should be sent. -> NOTE: At least one of eventhub_authorization_rule_id, log_analytics_workspace_id, partner_solution_id and storage_account_id must be specified. * storage_account_id - (Optional) The ID of the Storage Account where logs should be sent. -> NOTE: At least one of eventhub_authorization_rule_id, log_analytics_workspace_id, partner_solution_id and storage_account_id must be specified. * log_analytics_destination_type - (Optional) Possible values are AzureDiagnostics and Dedicated. When set to Dedicated, logs sent to a Log Analytics workspace will go into resource specific tables, instead of the legacy AzureDiagnostics table. -> NOTE: This setting will only have an effect if a log_analytics_workspace_id is provided. For some target resource type (e.g., Key Vault), this field is unconfigurable. Please see resource types for services that use each method. Please see the documentation for details on the differences between destination types. * partner_solution_id - (Optional) The ID of the market partner solution where Diagnostics Data should be sent. For potential partner integrations, click to learn more about partner integration. -> NOTE: At least one of eventhub_authorization_rule_id, log_analytics_workspace_id, partner_solution_id and storage_account_id must be specified. An enabled_log block supports the following: * category - (Optional) The name of a Diagnostic Log Category for this Resource. -> NOTE: The Log Categories available vary depending on the Resource being used. You may wish to use the azurerm_monitor_diagnostic_categories Data Source or list of service specific schemas to identify which categories are available for a given Resource. * category_group - (Optional) The name of a Diagnostic Log Category Group for this Resource. -> NOTE: Not all resources have category groups available. -> NOTE: Exactly one of category or category_group must be specified. A metric block supports the following: * category - (Required) The name of a Diagnostic Metric Category for this Resource. * -> NOTE: The Metric Categories available vary depending on the Resource being used. You may wish to use the azurerm_monitor_diagnostic_categories Data Source to identify which categories are available for a given Resource. * enabled - (Optional) Is this Diagnostic Metric enabled? Defaults to true. The timeouts block allows you to specify timeouts for certain actions: * create - (Defaults to 30 minutes) Used when creating the Diagnostics Setting. * update - (Defaults to 30 minutes) Used when updating the Diagnostics Setting. * read - (Defaults to 5 minutes) Used when retrieving the Diagnostics Setting. * delete - (Defaults to 60 minutes) Used when deleting the Diagnostics Setting. Example Input: diagnostic_settings = { "load_balancer_1" = { name = "diagnostic_settings" target_resource_id = null eventhub_name = null eventhub_authorization_rule_id = null log_analytics_workspace_id = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/myLogAnalyticsWorkspace" storage_account_id = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/loadBalancers/my_load_balancer_1" log_analytics_destination_type = null partner_solution_id = null enabled_log = [ { category = "LoadBalancerHealthEvent" category_group = null }, { category = null category_group = allLogs } ] metric = { category = "AllMetrics" enabled = true } } }	map(object({ name = string target_resource_id = optional(string) eventhub_name = optional(string) eventhub_authorization_rule_id = optional(string) log_analytics_workspace_id = optional(string) storage_account_id = optional(string) log_analytics_destination_type = optional(string) partner_solution_id = optional(string) enabled_log = optional(list(object({ category = optional(string) category_group = optional(string) }))) metric = optional(object({ category = optional(string, "AllMetrics") enabled = optional(bool) })) timeouts = optional(object({ create = optional(string, "30") update = optional(string, "30") read = optional(string, "5") delete = optional(string, "60") })) }))	null	no
edge_zone	* edge_zone - (Optional) Specifies the Edge Zone within the Azure Region where this Load Balancer should exist. Changing this forces a new Load Balancer to be created. The Microsoft.Network/AllowGatewayLoadBalancer feature is required to be registered in order to use the Gateway SKU. The feature can only be registered by the Azure service team, please submit an Azure support ticket for that. Example Input: edge_zone = "my-edge-zone"	string	null	no
management_lock	* management_lock - (Optional) The management_lock block resource as defined below. * name - (Required) Specifies the name of the Management Lock. Changing this forces a new resource to be created. * scope - (Required) Specifies the scope at which the Management Lock should be created. Changing this forces a new resource to be created. * lock_level - (Required) Specifies the Level to be used for this Lock. Possible values are CanNotDelete and ReadOnly. Changing this forces a new resource to be created. ~> Note: CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. * notes - (Optional) Specifies some notes about the lock. Maximum of 512 characters. Changing this forces a new resource to be created. The timeouts block allows you to specify timeouts for certain actions: * create - (Defaults to 30 minutes) Used when creating the Management Lock. * read - (Defaults to 5 minutes) Used when retrieving the Management Lock. * delete - (Defaults to 30 minutes) Used when deleting the Management Lock. Example Input: management_lock = { lock1 = { name = "lock1" lock_level = "ReadOnly" notes = "This is a test lock" } }	map(object({ name = string scope = optional(string) lock_level = string notes = optional(string) timeouts = optional(object({ create = optional(string, "30") read = optional(string, "5") delete = optional(string, "30") })) }))	null	no
nat_pool	* nat_pool - (Optional) A map of objects that define the inbound NAT rules for a Load Balancer. Each object has the following * name - (Required) The name of the Load Balancer rule. Changing this forces a new resource to be created. * resource_group_name - (Optional) The name of the resource group in which to create the resource. Changing this forces a new resource to be created. * frontend_ip_configuration_name - (Required) The name of the frontend IP configuration to which the rule is associated with * protocol - (Required) The transport protocol for the external endpoint. Possible values are All, Tcp, or Udp. * frontend_port_start - (Required) The first port number in the range of external ports that will be used to provide Inbound NAT to NICs associated with this Load Balancer. Possible values range between 1 and 65534, inclusive. * frontend_port_end - (Required) The last port number in the range of external ports that will be used to provide Inbound NAT to NICs associated with this Load Balancer. Possible values range between 1 and 65534, inclusive. * backend_port - (Required) The port used for the internal endpoint. Possible values range between 1 and 65535, inclusive. * idle_timeout_in_minutes - (Optional) Specifies the idle timeout in minutes for TCP connections. Valid values are between 4 and 30 minutes. Defaults to 4 minutes. * enable_floating_ip - (Optional) A boolean parameter to determine if there are floating IPs enabled for this Load Balancer NAT rule. A "floating” IP is reassigned to a secondary server in case the primary server fails. Required to configure a SQL AlwaysOn Availability Group. Defaults to false. * enable_tcp_reset - (Optional) A boolean to determine if TCP Reset is enabled for this Load Balancer rule. Defaults to false. Example Input: nat_pool = { nat_pool_1 = { name = "SampleApplicationPool" frontend_ip_configuration_name = "PublicIPAddress" protocol = "Tcp" frontend_port_start = 80 frontend_port_end = 81 backend_port = 8080 } }	map(object({ name = string frontend_ip_configuration_name = string protocol = string frontend_port_start = number frontend_port_end = number backend_port = number idle_timeout_in_minutes = optional(number, 4) enable_floating_ip = optional(bool, false) enable_tcp_reset = optional(bool, false) }))	null	no
nat_rule	* nat_rule - (Optional) A map of objects that specifies the creation of NAT rules. * name - (Required) Specifies the name of the NAT Rule. Changing this forces a new resource to be created. * resource_group_name - (Optional) The name of the resource group in which to create the resource. Changing this forces a new resource to be created. * frontend_ip_configuration_name - (Required) The name of the frontend IP configuration exposing this rule. * protocol - (Required) The transport protocol for the external endpoint. Possible values are Udp, Tcp or All. * frontend_port - (Optional) The port for the external endpoint. Port numbers for each Rule must be unique within the Load Balancer. Possible values range between 1 and 65534, inclusive. * backend_port - (Required) The port used for internal connections on the endpoint. Possible values range between 1 and 65535, inclusive. * frontend_port_start - (Optional) The port range start for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeEnd. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. Acceptable values range from 1 to 65534, inclusive. * frontend_port_end - (Optional) The port range end for the external endpoint. This property is used together with BackendAddressPool and FrontendPortRangeStart. Individual inbound NAT rule port mappings will be created for each backend address from BackendAddressPool. Acceptable values range from 1 to 65534, inclusive. * backend_address_pool_object_name - (Optional) Specifies a reference to backendAddressPool resource. * idle_timeout_in_minutes - (Optional) Specifies the idle timeout in minutes for TCP connections. Valid values are between 4 and 30 minutes. Defaults to 4 minutes. * enable_floating_ip - (Optional) Are the Floating IPs enabled for this Load Balancer Rule? A "floating” IP is reassigned to a secondary server in case the primary server fails. Required to configure a SQL AlwaysOn Availability Group. Defaults to false. * enable_tcp_reset - (Optional) Is TCP Reset enabled for this Load Balancer Rule? Example Input: nat_rule { nat_rule1 { name = "RDPAccess" frontend_ip_configuration_name = "PublicIPAddress" protocol = "Tcp" backend_port = 3389 frontend_port_start = 3000 frontend_port_end = 3389 } }	map(object({ name = string resource_group_name = optional(string) frontend_ip_configuration_name = string protocol = string frontend_port = optional(number) backend_port = string frontend_port_start = optional(number) frontend_port_end = optional(number) backend_address_pool_object_name = optional(string) idle_timeout_in_minutes = optional(number, 4) enable_floating_ip = optional(bool, false) enable_tcp_reset = optional(bool, false) }))	null	no
outbound_rule	* outbound_rule - (Optional) A map of objects that define the outbound rules for a Load Balancer. Each object is identified by a unique key in the map and has the following properties: * name - (Required) Specifies the name of the Outbound Rule. Changing this forces a new resource to be created. * backend_address_pool_object_name - (Required) refers to the names of backend address pools in the load balancer, used to retrieve their associated resource IDs. * protocol - (Required The transport protocol for the external endpoint. Possible values are Udp, Tcp or All. * enable_tcp_reset - (Optional) Receive bidirectional TCP Reset on TCP flow idle timeout or unexpected connection termination. This element is only used when the protocol is set to TCP. * allocated_outbound_ports - (Optional) The number of outbound ports to be used for NAT. Defaults to 1024. * idle_timeout_in_minutes - (Optional) The timeout for the TCP idle connection Defaults to 4. * frontend_ip_configuration - (Optional) One or more frontend_ip_configuration blocks as defined below. * name - (Required) The name of the Frontend IP Configuration. Example Input: outbound_rule { outbound_rule1 { name = "OutboundRule" protocol = "Tcp" backend_address_pool_object_name = "pool_1" frontend_ip_configuration { name = "PublicIPAddress" } } }	map(object({ name = string backend_address_pool_object_name = string protocol = string enable_tcp_reset = optional(bool, false) allocated_outbound_ports = optional(number, 1024) idle_timeout_in_minutes = optional(number, 4) frontend_ip_configurations = optional(list(object({ name = string }))) }))	null	no
probe	* probe - (Optional) A map of objects that specify the Load Balancer probes to be created. * name - (Required) Specifies the name of the Probe. Changing this forces a new resource to be created. * protocol - (Optional) Specifies the protocol of the end point. Possible values are Http, Https or Tcp. If TCP is specified, a received ACK is required for the probe to be successful. If HTTP is specified, a 200 OK response from the specified URI is required for the probe to be successful. Defaults to Tcp. * port - (Required) Port on which the Probe queries the backend endpoint. Possible values range from 1 to 65535, inclusive. * probe_threshold - (Optional) The number of consecutive successful or failed probes that allow or deny traffic to this endpoint. Possible values range from 1 to 100. The default value is 1. * request_path - (Optional) The URI used for requesting health status from the backend endpoint. Required if protocol is set to Http or Https. Otherwise, it is not allowed. * interval_in_seconds - (Optional) The interval, in seconds between probes to the backend endpoint for health status. The default value is 15, the minimum value is 5. * number_of_probes - (Optional) The number of failed probe attempts after which the backend endpoint is removed from rotation. Default to 2. NumberOfProbes multiplied by intervalInSeconds value must be greater or equal to 10.Endpoints are returned to rotation when at least one probe is successful. Example Input: # Each type of probe probe = { probe1 = { name = "probe_1" protocol = "Tcp" port = 80 interval_in_seconds = 5 probe_threshold = 3 }, probe2 = { name = "probe_2" protocol = "Http" port = 80 request_path = "/" interval_in_seconds = 5 probe_threshold = 3 }, probe3 = { name = "probe_3" protocol = "Https" port = 443 request_path = "/" interval_in_seconds = 5 probe_threshold = 3 } }	map(object({ name = string protocol = optional(string, "Tcp") port = number probe_threshold = optional(number, 1) request_path = optional(string) interval_in_seconds = optional(number, 15) number_of_probes_before_removal = optional(number, 2) timeouts = optional(object({ create = optional(string, "30") read = optional(string, "5") update = optional(string, "30") delete = optional(string, "30") })) }))	null	no
role_assignments	* role assignments - (Optional) A map of objects that assigns a given principal (user or group) to a given role. * role_definition_id_or_name - The ID or name of the role definition to assign to the principal. * principal_id - The ID of the principal to assign the role to. * description - (Optional) A description of the role assignment. * skip_service_principal_aad_check - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. This should only be set to true if using a service principal. Defaults to false. * condition - (Optional) A condition that will be used to scope the role assignment. * condition_version - (Optional) The version of the condition syntax. Valid values are 2.0. Defaults to null. * delegated_managed_identity_resource_id - (Optional) The resource ID of the delegated managed identity. Example Input: role_assignments = { role_assignment_1 = { role_definition_id_or_name = "Contributor" principal_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" skip_service_principal_aad_check = true }, role_assignment_2 = { role_definition_id_or_name = "Storage Blob Data Reader" principal_id = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy" description = "Example role assignment 2 of reader role" skip_service_principal_aad_check = false condition = "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase foo_storage_container" condition_version = "2.0" } }	map(object({ role_definition_id_or_name = string principal_id = string description = optional(string) skip_service_principal_aad_check = optional(bool, false) # only set to true IF using service principal condition = optional(string) condition_version = optional(string) # Valid values are 2.0 delegated_managed_identity_resource_id = optional(string) }))	null	no
rule	* rule - (Optional) A list of objects that specifies the Load Balancer rules for the Load Balancer. * name - (Required) Specifies the name of the LB Rule. Changing this forces a new resource to be created. * frontend_ip_configuration_name - (Required) The name of the frontend IP configuration to which the rule is associated. * protocol - (Required) The transport protocol for the external endpoint. Possible values are Tcp, Udp or All. * frontend_port - (Required) The port for the external endpoint. Port numbers for each Rule must be unique within the Load Balancer. Possible values range between 0 and 65534, inclusive. A port of 0 means "Any Port". * backend_port - (Required) The port used for internal connections on the endpoint. Possible values range between 0 and 65535, inclusive. A port of 0 means "Any Port". * backend_address_pool_object_names - (Required) A refernce to the names of backend address pools in the load balancer, used to retrieve their associated resource IDs. * probe_resource_id - (Optional) A reference to a Probe used by this Load Balancing Rule. * enable_floating_ip - (Optional) Are the Floating IPs enabled for this Load Balancer Rule? A "floating” IP is reassigned to a secondary server in case the primary server fails. Required to configure a SQL AlwaysOn Availability Group. Defaults to false. * idle_timeout_in_minutes - (Optional) Specifies the idle timeout in minutes for TCP connections. Valid values are between 4 and 100 minutes. Defaults to 4 minutes. * load_distribution - (Optional) Specifies the load balancing distribution type to be used by the Load Balancer. Possible values are: Default – The load balancer is configured to use a 5 tuple hash to map traffic to available servers. SourceIP – The load balancer is configured to use a 2 tuple hash to map traffic to available servers. SourceIPProtocol – The load balancer is configured to use a 3 tuple hash to map traffic to available servers. Also known as Session Persistence, where in the Azure portal the options are called None, Client IP and Client IP and Protocol respectively. Defaults to Default. * disable_outbound_snat - (Optional) Is snat enabled for this Load Balancer Rule? Default false. * enable_tcp_reset - (Optional) Is TCP Reset enabled for this Load Balancer Rule? Example Input: rule = { rule_1 = { name = "myHTTPRule" frontend_ip_configuration_name = "myFrontend" protocol = "Tcp" # default frontend_port = 80 backend_port = 80 backend_address_pool_object_names = ["myBackendPool"] probe_object_name = "tcp1" idle_timeout_in_minutes = 15 enable_tcp_reset = true } }	map(object({ name = string frontend_ip_configuration_name = string protocol = string frontend_port = number backend_port = number backend_address_pool_object_names = list(string) # multiple back end pools ONLY IF gateway sku load balancer probe_resource_id = optional(string) probe_object_name = optional(string) enable_floating_ip = optional(bool, false) idle_timeout_in_minutes = optional(number, 4) load_distribution = optional(string, "Default") disable_outbound_snat = optional(bool, false) # set diasble_outbound_snat to true when same frontend ip configuration is referenced by outbout rule and lb rule enable_tcp_reset = optional(bool, false) }))	null	no
sku	* sku - (Optional) The SKU of the Azure Load Balancer. Accepted values are Basic, Standard and Gateway. Defaults to Standard. Changing this forces a new resource to be created. -> NOTE: The Microsoft.Network/AllowGatewayLoadBalancer feature is required to be registered in order to use the Gateway SKU. The feature can only be registered by the Azure service team, please submit an Azure support ticket for that. Example Input: sku = "Standard"	string	"Standard"	no
sku_tier	* sku_tier - (Optional) The SKU tier of this Load Balancer. Possible values are Global and Regional. Defaults to Regional. Changing this forces a new resource to be created. Example Input: sku_tier = "Regional"	string	"Regional"	no
tags	* tags - The tags to apply to the Load Balancer. Example Input: tags = { environment = "production" owner = "team-a" }	map(string)	null	no
timeouts	The timeouts block allows you to specify timeouts for certain actions: * create - (Defaults to 30 minutes) Used when creating the Public IP. * read - (Defaults to 5 minutes) Used when retrieving the Public IP. * update - (Defaults to 30 minutes) Used when updating the Public IP. * delete - (Defaults to 30 minutes) Used when deleting the Public IP.	object({ create = optional(string, "30") read = optional(string, "5") update = optional(string, "30") delete = optional(string, "30") })	null	no

Outputs

Name

Description

lb

* name - Specifies the name of the Load Balancer. * resource_group_name - The name of the Resource Group in which to create the Load Balancer. * location - Specifies the supported Azure Region where the Load Balancer should be created. * edge zone - Specifies the Edge Zone within the Azure Region where this Load Balancer should exist. * sku - The SKU of the Azure Load Balancer. * sku_tier - The SKU tier of this Load Balancer. * frontend_ip_configuration - A map of objects frontend ip configuration objects. * backend_address_pool - A map of objects that creates one or more backend pools * probe - A map of objects that specify the Load Balancer probes to be created. * rule - A list of objects that specifies the Load Balancer rules for the Load Balancer. The frontend_ip_configuration block supports the following: * name - Specifies the name of the frontend IP configuration. * zones - Specifies a list of Availability Zones in which the IP Address for this Load Balancer should be located. * subnet_id - The ID of the Subnet which should be associated with the IP Configuration. * gateway_load_balancer_frontend_ip_configuration_id - The Frontend IP Configuration ID of a Gateway SKU Load Balancer. * private_ip_address - Private IP Address to assign to the Load Balancer. The last one and first four IPs in any range are reserved and cannot be manually assigned. * private_ip_address_allocation - The allocation method for the Private IP Address used by this Load Balancer. * private_ip_address_version - The version of IP that the Private IP Address is * public_ip_address_id - The ID of a Public IP Address which should be associated with the Load Balancer. * public_ip_prefix_id - The ID of a Public IP Prefix which should be associated with the Load Balancer. * backend_address_pool - A map of objects that creates one or more backend pools * name- Specifies the name of the Backend Address Pool. * synchronous_mode - The backend address synchronous mode for the Backend Address Pool. * virtual_network_resource_id - The ID of the virtual network that the backend pool should be associated with. * tunnel_interfaces - A map of objects that creates one or more tunnel interfaces for the backend pool * identifier - The identifier of the tunnel interface * type - The traffic type of this Gateway Load Balancer Tunnel Interface. * protocol - The protocol used for this Gateway Load Balancer Tunnel Interface. * port - The port number that this Gateway Load Balancer Tunnel Interface listens to. * probe - A map of objects that specify the Load Balancer probes to be created. * name - Specifies the name of the Probe. * protocol - Specifies the protocol of the end point. * port - Port on which the Probe queries the backend endpoint. * probe_threshold - The number of consecutive successful or failed probes that allow or deny traffic to this endpoint. * request_path - The URI used for requesting health status from the backend endpoint. * interval_in_seconds - The interval, in seconds between probes to the backend endpoint for health status. * number_of_probes - The number of failed probe attempts after which the backend endpoint is removed from rotation. * rule - A list of objects that specifies the Load Balancer rules for the Load Balancer. * name - Specifies the name of the LB Rule. Changing this forces a new resource to be created. * frontend_ip_configuration_name - The name of the frontend IP configuration to which the rule is associated. * protocol - The transport protocol for the external endpoint. * frontend_port - The port for the external endpoint. * backend_port - The port used for internal connections on the endpoint. * backend_address_pool_object_names - A refernce to the names of backend address pools in the load balancer, used to retrieve their associated resource IDs. * probe_resource_id - A reference to a Probe used by this Load Balancing Rule. * enable_floating_ip - Are the Floating IPs enabled for this Load Balancer Rule? * idle_timeout_in_minutes - Specifies the idle timeout in minutes for TCP connections. * load_distribution - Specifies the load balancing distribution type to be used by the Load Balancer. * disable_outbound_snat - Is snat enabled for this Load Balancer Rule. * enable_tcp_reset - Is TCP Reset enabled for this Load Balancer Rule? Example output: output "name" { value = module.module_name.lb.name }

Modules

No modules.

🌐 Additional Information

For more information about Azure Load Balancer and its configurations, refer to the Azure Load Balancer documentation. This module helps you define load balancing rules and manage traffic distribution across your Azure resources.

📚 Resources

• AzureRM Terraform Provider Documentation
• Azure Load Balancer Overview

⚠️ Notes

• Ensure that the backend pool and health probes are properly configured to maintain high availability and performance of your services.
• Review the Azure Load Balancer pricing and features to optimize your configuration based on your specific needs.
• Validate your Terraform configuration to ensure that the load balancing rules are applied correctly and meet your traffic management requirements.

🧾 License

This module is licensed under the MIT License. See the LICENSE file for more details.