Apps on Azure Blog

Load test private endpoints deployed in another Azure region or subscription

Nagarjuna_V
Microsoft
Dec 09, 2022

Running load tests against private endpoints is a common scenario. The endpoints may be sitting behind a firewall, or they may be only accessible from within a virtual network, or they may not have been made public yet as they are under development. Microsoft Azure Load Testing supports private endpoint load testing using VNet injection. This injects the load generating virtual machines into the same virtual network as your private endpoint.

Azure Load Testing support for private endpoint load testing is currently available in seven regions with expansion on the horizon. What if you want to initiate a load test from a different region than where your application is? What if the virtual network sits in a different subscription? Or if private endpoint load testing is not supported yet in your region? You don’t have to worry. Virtual network peering is a simple workaround to unblock your load tests against private endpoints. Virtual network peering enables you to seamlessly connect two or more virtual networks in Azure. The peered virtual networks appear as one for connectivity purposes.

Let’s see how to go about it.

 

Set up a sample private endpoint

 

To demonstrate this scenario, we’ll use a simple web application that shows a welcome message, deployed to an Azure Kubernetes Service (AKS) cluster.

 

Let’s set up this private endpoint in the ‘North Central US’ region.

  1. Create a virtual network in ‘North Central US’.
  2. Create an AKS cluster as described here.
    1. On the Networking tab, select Azure CNI for Network Configuration and then choose the virtual network that we created above.
  3. Deploy the sample application to this cluster using the YAML file (in the attachments).
  4. Open an Azure Cloud Shell and run the command ‘kubectl get service’. Make a note of the external IP address. We will need this later while configuring the load test.


We’ve now deployed an app that is accessible only from the ‘demo_vnet’ virtual network.

Set up virtual network peering

 

We'll now create a virtual network in a different region, South Central US, and peer the virtual network with the demo_vnet virtual network that hosts our application.

  1. Create a virtual network in the ‘South Central US’ region. Ensure that its IP address range does not overlap with that of the virtual network that we created in the previous section.

  2. Under Settings, select Peerings and add a peering link to the demo_vnet virtual network.

 

Now that the two virtual networks are peered and appear as one for connectivity purposes, we can run a load test against our private endpoint.
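A pre-flight check for the address plan behind the peering step, as an added example that is not part of the original post: it reports overlapping prefixes, a load-test subnet that falls outside its VNet, and a target IP that is not inside the application VNet (and so would not be reached over the peering). All prefixes, the subnet and the IP are constructed sample values, and the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network


def overlapping_prefixes(space_a, space_b):
    """Return each (a, b) prefix pair that overlaps; peering needs none."""
    pairs = []
    for a in map(ip_network, space_a):
        for b in map(ip_network, space_b):
            if a.version == b.version and a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def preflight(app_space, test_space, test_subnet, target_ip):
    """Return a list of problems with the peering plan (empty list = OK)."""
    problems = [f"address overlap: {a} and {b}"
                for a, b in overlapping_prefixes(app_space, test_space)]

    # The subnet used for VNet injection must sit inside the load-test VNet.
    subnet = ip_network(test_subnet)
    if not any(subnet.version == n.version and subnet.subnet_of(n)
               for n in map(ip_network, test_space)):
        problems.append(f"subnet {subnet} is outside the load-test VNet")

    # The IP noted from 'kubectl get service' must be in the application VNet.
    target = ip_address(target_ip)
    if not any(target in n for n in map(ip_network, app_space)):
        problems.append(f"target {target} is outside the application VNet")
    return problems


# Constructed sample values; the post does not give its address ranges.
APP_VNET = ["10.1.0.0/16"]    # demo_vnet, North Central US
TEST_VNET = ["10.2.0.0/16"]   # load-test VNet, South Central US
TEST_SUBNET = "10.2.1.0/24"   # subnet the load generators are injected into
TARGET_IP = "10.1.0.35"       # address noted from 'kubectl get service'

if __name__ == "__main__":
    for line in preflight(APP_VNET, TEST_VNET, TEST_SUBNET, TARGET_IP) or ["plan OK"]:
        print(line)
```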

 

Create and run a load test

 

Let’s test this private endpoint for performance using Azure Load Testing.

  1. While setting up your test script (JMX file), use the external IP from the earlier section as the ‘Server Name or IP’ in your HTTP Sampler.
  2. Create a Load Testing resource in ‘South Central US’.
  3. On the Overview page, under Get Started, choose the option to create a test by uploading a JMeter script.
  4. On the Test Plan tab, upload the JMX script that we created above.
  5. On the Load tab, configure the test traffic mode as Private and select the peered virtual network that we created above.
  6. You can add the AKS cluster on which the app is hosted to monitor it during the load test.
  7. Once the test is created, run it and view the test results.

Because virtual network peering had been set up, the test traffic was sent successfully to the web app. The load test ran successfully, and we could view and analyze how the app responded to the load by using the dashboard. Without the peering, we would have seen errors and wouldn’t have been able to run the load test.

Using virtual network peering, we were able to generate load against a private endpoint deployed in a different region from the Load Testing resource and to obtain load test results.

What else are you waiting for? The YAML file for the sample app and the JMX file are added in the attachments. Try it out and leave us a comment below if leveraging virtual network peering with Azure Load Testing worked for you.

If you have any feedback on Azure Load Testing, let us know through our feedback forum.

Happy Load Testing…!

Resources

 

To learn more about Azure Load Testing, here are a few links to get you started:

Updated Dec 09, 2022
Version 5.0
  • AndrewCitera

    Nitin_Joy thank you for the reply! That makes sense - do you know specifically what those outbound services are? If there wasn't a NAT gateway would setting up private endpoints for the applicable services work as a mechanism to route outbound traffic? Or would we need to reference the IP ranges of those applicable Azure services? Alternatively, is there a guide MSFT could publish to show how to do that firewall configuration? In the docs it doesn't really go into any useful level of detail for performing this configuration. See below:

    I assume a NAT gateway would be easiest in terms of configuration, but if we had a restriction for only private connectivity it'd be ideal to keep it all on Azure rather than public internet.

  • AndrewCitera The blog post was written before we supported disabling public IP in the private load test scenario, hence the disable public IP option and NAT Gateway are not called out here.

    The VMs injected in your network do require outbound connectivity to the internet in the private load test scenario as of today. However, traffic does not leave the Azure boundary; all outbound calls made by the VMs are for other Azure services in the same region. It's not required to use NAT Gateway if you are able to provide an alternate mechanism for outbound connectivity, such as using an Azure or on-prem firewall and routing traffic through it for more access control.

  • AndrewCitera

    Nitin_Joy quick question. In the Azure docs linked here https://learn.microsoft.com/en-us/azure/load-testing/how-to-test-private-endpoint#:~:text=(Optional)%20Check%20Disable%20Public%20IP%20deployment%20if%20you%20don%27t%20want%20to%20deploy%20a%20public%20IP%20address%2C%20load%20balancer%2C%20and%20network%20security%20group%20in%20your%20subnet. it makes reference that an Azure NAT gateway is required if public IP is disabled. I noticed in your blog post you aren't calling out creating a NAT gateway. Would you be able to clarify that even in an Azure Load Test using private connectivity is outbound public internet connectivity required? Or is all traffic contained within Azure's network during the test?

  • Thanks for sharing. I have a question. In many AKS-based environments, we configured an ingress controller like nginx. So in this case, accessing AKS's internal load balancer using an IP address is not enough, since we configured a domain (or hostname) name in the nginx ingress, like contoso.com. In this case, do I need a private DNS zone for the load testing to recognize contoso.com as the IP of AKS's internal load balancer? Thanks.