Networking Application delivery and API edge premium

Load balancer frontend IP

A load balancer frontend IP is the address users, services, or internal systems connect to before Azure distributes traffic to backend resources. It might be a public IP for internet-facing traffic or a private IP inside a virtual network. The frontend IP does not run the application itself. It is the stable network entry point that connects client traffic to load-balancing rules, ports, health probes, and the backend pool that actually serves requests. The key is knowing which Azure component owns the behavior before changing production configuration.

Back to glossary browser Open Microsoft Learn source
Aliases
No aliases mapped yet
Difficulty
intermediate
CLI mappings
4
Last verified
2026-05-16

Microsoft Learn

Microsoft Learn describes a Load Balancer frontend IP configuration as the address-facing entry point that receives client traffic for a load balancer. It can use a public or private IP address and is connected to rules, probes, and backend pools.

Microsoft Learn: Azure Load Balancer components2026-05-16

Technical context

Technically, a frontend IP configuration is part of an Azure Load Balancer resource. It binds a public IP address, private IP address, or subnet-based private address to the load balancer so rules can listen on specific frontend ports. Standard Load Balancer designs may use multiple frontend IPs, separate inbound and outbound flows, and zone-aware public IPs. Operators inspect the frontend IP together with rules, backend pools, probes, NAT rules, NSGs, and route paths. That context helps operators separate resource configuration, runtime behavior, and dependency troubleshooting during reviews.

Why it matters

The frontend IP matters because it is the address clients depend on and the anchor for most load balancer troubleshooting. If the wrong public IP is attached, the private IP changes unexpectedly, or a rule references the wrong frontend, traffic may never reach healthy backend VMs. It also affects DNS records, firewall allowlists, certificates, monitoring, and change windows. Teams often think of the load balancer as one object, but the frontend IP is where exposure, routing intent, and user experience become visible. Treat it as production-facing infrastructure, not a casual setting. Clear ownership also makes incident triage faster because teams know which setting changed and why.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In network diagrams, the frontend IP is the public or private address clients reach before load-balancing rules map traffic to backend pools during release review, incident triage, and ownership checks.

Signal 02

In portal and CLI output, it appears under frontend IP configurations with public IP, subnet, private address, zone, and resource references during release review, incident triage, and ownership checks.

Signal 03

During incidents, it appears when DNS resolves correctly but frontend rules, NSGs, probes, or backend pool membership prevent successful traffic flow while operators compare evidence against the approved runbook.

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Publishing a stable frontend address while backend VMs scale, patch, or change.
  • Separating internal and public traffic paths for the same application family.
  • Troubleshooting why healthy-looking infrastructure is not receiving client connections.
  • Documenting routing dependencies for security review, cutover, and incident response.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Patient portal stable entry point

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

Cedar Ridge Health, a regional healthcare network, needed to move its patient portal behind Azure Load Balancer without changing the public DNS name used by clinics and patients.

Business/Technical Objectives
  • Keep the public endpoint stable during backend replacement
  • Reduce cutover time to under 30 minutes
  • Preserve firewall allowlists used by partner clinics
  • Provide clear rollback evidence for the clinical operations team
Solution Using Load balancer frontend IP

The architects created a Standard public load balancer with a dedicated frontend IP configuration, then attached the existing DNS name to that address through a controlled cutover. Backend VMs were added to a new backend pool, and HTTPS traffic was mapped through a rule tied to an application readiness probe. Network Security Groups allowed only approved client paths, and Azure Monitor metrics were captured before, during, and after the change. The team treated the frontend IP as the production entry point rather than a disposable setting, so DNS, certificates, firewall exceptions, and incident runbooks all referenced the same address.

Results & Business Impact
  • Cutover completed in 18 minutes with no DNS rollback required
  • Clinic partner allowlist changes were reduced from 24 entries to one stable IP
  • Portal availability stayed above 99.95% during the migration window
  • Incident responders gained a single documented address for future triage
Key Takeaway for Glossary Readers

A load balancer frontend IP gives production traffic a stable, inspectable entry point when backend infrastructure changes.

Case study 02

Factory control network segmentation

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

Northline Components, a manufacturing company, needed an internal address for plant-floor applications so supervisors could reach redundant controllers without exposing them to the internet.

Business/Technical Objectives
  • Create an internal-only service endpoint for controller traffic
  • Keep backend VM replacements invisible to factory clients
  • Separate test controllers from production controllers
  • Pass network security review before the next maintenance shift
Solution Using Load balancer frontend IP

The Azure team deployed an internal Standard Load Balancer with a private frontend IP in the manufacturing subnet. They connected the frontend to a production backend pool, created a TCP rule for the controller protocol, and tied it to a lightweight health probe. Route tables and NSGs allowed only supervisor workstations and approved integration servers. The private frontend IP was recorded in network diagrams and DNS, while a separate test frontend served the engineering lab. This kept the plant application reachable by one predictable address while backend controller VMs could be patched or replaced safely.

Results & Business Impact
  • Backend maintenance no longer required client configuration changes
  • Unauthorized internet exposure was eliminated for the controller tier
  • Two maintenance windows were completed without production routing changes
  • Network review time dropped by 40% because ownership and path were documented
Key Takeaway for Glossary Readers

A private frontend IP makes internal load balancing practical when the business needs stable access without public exposure.

Case study 03

Public sector permit system modernization

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

Harbor County Digital Services was modernizing a permit application that had several hard-coded client integrations pointing at one public address.

Business/Technical Objectives
  • Avoid breaking integrations used by city offices
  • Route traffic to upgraded backend VMs gradually
  • Keep a separate emergency rollback target
  • Give the service desk a clear traffic ownership map
Solution Using Load balancer frontend IP

Engineers assigned a new public frontend IP to a Standard Load Balancer and mapped it to the modernized backend pool. They staged DNS changes with a low time-to-live, then used a second frontend and rule for rollback testing. Health probes verified application readiness before the updated VMs received traffic. The team exported frontend, rule, probe, and backend pool configuration with Azure CLI and attached it to the change request. This made the public address, rule dependencies, and rollback route visible to both infrastructure and application teams. The implementation team documented owners, expected signals, rollback steps, and post-change evidence so operations could support the design after handoff.

Results & Business Impact
  • Legacy integration endpoints stayed available through the migration
  • Rollback testing completed twice without touching backend VM addresses
  • Average triage time for traffic questions fell from 45 minutes to 12 minutes
  • The final architecture passed the county change board on first review
Key Takeaway for Glossary Readers

Frontend IP planning prevents network cutovers from becoming application outages.

Why use Azure CLI for this?

Azure CLI is useful for a load balancer frontend IP because traffic issues usually span several linked resources. Commands expose the frontend, rule, probe, backend pool, public IP, NSG, and route state without clicking through many portal blades.

CLI use cases

  • List frontend IP configurations, rules, probes, and backend pools for a load balancer during incident triage.
  • Export load balancer configuration before a change so reviewers can compare intended and actual routing behavior.
  • Check public IP, private IP, and backend pool references when DNS resolves but traffic still fails.
  • Automate repeatable reviews of exposed ports, probe settings, and backend membership across environments.

Before you run CLI

  • Confirm the subscription, resource group, load balancer name, and whether the design is public or internal.
  • Verify you have Network Contributor or equivalent read permissions for load balancer, IP, NSG, and NIC resources.
  • Know whether you are inspecting only, or making changes that can immediately affect production traffic.
  • Choose table or JSON output before sharing evidence with responders, reviewers, or automation.

What output tells you

  • Frontend IP output shows which public or private address receives client traffic and which resource owns it.
  • Rule output shows frontend port, backend port, protocol, backend pool, probe, idle timeout, and persistence behavior.
  • Probe and backend pool output helps explain whether Azure considers instances healthy enough for new flows.
  • Linked resource IDs reveal whether the configuration points to the expected environment and workload.

Mapped Azure CLI commands

Loadbalancer operations

Direct
Az network lb list --resource-group <resource-group>
az network lbdiscoverNetworking
Read-only Microsoft docs
Az network lb show --name <lb-name> --resource-group <resource-group>
az network lbdiscoverNetworking
Read-only Microsoft docs
Az network lb create --name <lb-name> --resource-group <resource-group>
az network lbprovisionNetworking
Cost-impacting Microsoft docs
Az network lb probe list --lb-name <lb-name> --resource-group <resource-group>
az network lb probediscoverNetworking
Read-only Microsoft docs

Architecture context

Technically, a frontend IP configuration is part of an Azure Load Balancer resource. It binds a public IP address, private IP address, or subnet-based private address to the load balancer so rules can listen on specific frontend ports. Standard Load Balancer designs may use multiple frontend IPs, separate inbound and outbound flows, and zone-aware public IPs. Operators inspect the frontend IP together with rules, backend pools, probes, NAT rules, NSGs, and route paths. That context helps operators separate resource configuration, runtime behavior, and dependency troubleshooting during reviews.

Security

Security for a load balancer frontend IP starts with exposure. A public frontend can receive traffic from the internet, so NSGs, firewall policy, allowed ports, and backend hardening must match the business need. A private frontend reduces public exposure but still needs subnet segmentation and trusted source control. Operators should confirm whether backend VMs have unnecessary public IPs, whether rules publish only intended ports, and whether diagnostics can prove who changed the configuration. The frontend IP should also be reviewed against DNS, certificate, and perimeter controls. Mislabeling a public entry point as internal creates real attack surface. Reviewers should record the approved boundary and verify alerts after any configuration change.

Cost

Cost is usually indirect but still important. A frontend IP may require a public IP resource, and Standard Load Balancer designs can involve data processing, outbound behavior, zone choices, and supporting monitoring. The bigger cost risk is operational waste: unused frontends, orphaned public IPs, duplicated load balancers, or emergency troubleshooting caused by undocumented addresses. FinOps reviews should map each frontend IP to an owning workload, environment, DNS record, and business purpose. Private frontend designs may avoid public IP charges, but they can require additional private connectivity, routing, and network governance work. Tagging and ownership evidence make it easier to challenge waste without breaking useful safeguards.

Reliability

Reliability depends on keeping the frontend IP stable, correctly zoned, and tied to healthy backend rules. If DNS points to the wrong address, if an IP is deleted during redeployment, or if a frontend is reused without understanding rule behavior, users can experience an outage while the backends remain healthy. Zone-redundant public IPs and clear infrastructure-as-code ownership reduce accidental drift. Operators should document which application owns each frontend, which rules depend on it, and what rollback means. A reliable frontend design also separates test, staging, and production addresses so experiments do not disturb live traffic. Testing this path before release prevents avoidable surprises during scale, failover, or recovery.

Performance

Performance is affected because the frontend IP is the entry point for Layer 4 flows, but it is not the only factor. Throughput and latency depend on Load Balancer SKU, backend capacity, probe health, rule configuration, SNAT behavior, TCP settings, and network path. A frontend can look healthy while the wrong backend port, overloaded instances, or asymmetric routing slows traffic. Operators should compare Data Path Availability, health probe status, backend metrics, and application response times. Multiple frontends can help separate services or ports, but they do not replace correct backend sizing and routing design. Measurements should be taken from the application path, not only from control-plane configuration.

Operations

Operations teams manage frontend IPs through inventory, rule review, DNS coordination, change approval, and incident triage. The frontend is usually the first thing checked when users say an application is unreachable: does the IP exist, is it public or private, is DNS correct, and does a rule listen on the expected port? CLI and Resource Graph help find orphaned public IPs, mismatched frontends, and load balancers with unexpected exposure. Good runbooks include the frontend IP, backend pool, probe, NSG, and route table in one checklist because failures often hide between those layers. Documentation should capture the expected state, owner, validation command, and rollback decision.

Common mistakes

  • Checking only the frontend IP and missing that the rule references the wrong backend pool or probe.
  • Opening a public frontend port while assuming backend VMs without public IPs are not exposed.
  • Changing a probe, rule, or frontend during a release without documenting DNS, NSG, and rollback impact.
  • Treating Load Balancer as an application-layer router instead of a Layer 4 traffic distribution service.