Azure Load Balancing Solution for OnPrem
F5 to Azure Migration Feasibility guide
Transitioning On-Premises F5 Load Balancers to Azure-Based Load Balancing Services
Executive Summary
Contoso is evaluating the transition from on-premises F5 BIG-IP load balancers to Azure-based load balancing services. This document provides a comprehensive assessment of Azure’s capabilities to fulfill
the current F5 requirements, including:
- Core Load Balancing (Traffic distribution, SSL offloading, L7 routing)
- APM (Access Policy Manager - Authentication & SSO)
- WAF (Web Application Firewall)
- IP Intelligence & Bot Protection
- iRules (Traffic manipulation & custom logic)
Key Findings
| Capability Area |
Azure Fulfillment |
Recommendation |
| Core Load Balancing |
Almost Supported |
Migrate to Azure Application Gateway + Front Door |
| APM (SSO/Auth) |
Almost Supported |
Use Azure Entra ID; evaluate legacy app requirements |
| WAF |
Fully Supported |
Azure WAF with OWASP CRS 3.2 + Bot Manager |
| IP Intelligence |
Fully Supported |
Azure WAF Threat Intelligence + Geo-IP |
| Bot Protection |
Fully Supported |
Microsoft Bot Manager Ruleset |
| iRules |
Partially Supported |
Use Application Gateway Rewrite Rules; refactor complex scripts |
| On-Premises Backend Support |
Fully Supported |
Via ExpressRoute (Preferred) or Site-to-Site VPN |
Overall Assessment: Azure can fulfill approximately 85-90% of Contoso’s current F5 requirements.
The remaining gaps are primarily in advanced APM scenarios (legacy LDAP/Kerberos SSO) and complex iRules scripting.
High-Level Architecture
Recommended Azure Architecture for Hybrid On-Premises Support
┌────────────────────────────────────┐
│ INTERNET / USERS │
└───────────────────┬────────────────┘
│
▼
┌────────────────────────────────────────────────────────────┐
│ AZURE FRONT DOOR │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ • Global HTTP/HTTPS Load Balancing (Layer 7) │ │
│ │ • Web Application Firewall (WAF) with OWASP CRS 3.2 │ │
│ │ • Bot Protection (Microsoft Bot Manager Ruleset) │ │
│ │ • Geo-IP Filtering & IP Reputation Blocking │ │
│ │ • SSL/TLS Termination & Certificate Management │ │
│ │ • CDN & Edge Caching │ │
│ │ • DDoS Protection (Layer 7) │ │
│ └──────────────────────────────────────────────────────┘ │
└────────────────────────────┬───────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────────┐
│ AZURE APPLICATION GATEWAY │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ • Regional Layer 7 Load Balancing │ │
│ │ • URL/Host/Header/Cookie-Based Routing │ │
│ │ • SSL Offloading & Cipher Policy Enforcement │ │
│ │ • Header Rewrite & Manipulation │ │
│ │ • Web Application Firewall (WAF) - Regional │ │
│ │ • Health Probes & Automatic Failover │ │
│ │ • Session Affinity (Cookie-Based) │ │
│ │ • Autoscaling │ │
│ └──────────────────────────────────────────────────────┘ │
└───────┬─────────────────────┬─────────────────────┬────────┘
│ │ │
▼ ▼ ▼
┌─────────────────────┐ ┌─────────────────────┐ ┌─────────────────────┐
│ AZURE BACKEND │ │ AZURE BACKEND │ │ ON-PREMISES │
│ POOL 1 │ │ POOL 2 │ │ BACKEND POOL │
│ ┌───────────────┐ │ │ ┌───────────────┐ │ │ ┌───────────────┐ │
│ │ Azure VMs │ │ │ │ Azure VMs │ │ │ │ On-Prem │ │
│ │ App Services │ │ │ │ AKS Pods │ │ │ │ Servers │ │
│ │ Containers │ │ │ │ Functions │ │ │ │ Applications │ │
│ └───────────────┘ │ │ └───────────────┘ │ │ └───────────────┘ │
└─────────────────────┘ └─────────────────────┘ └──────────┬──────────┘
│
│
┌────────────────────────────────────────────────────┼────────┐
│ CONNECTIVITY │ │
│ ┌─────────────────────────────────────────────────┴─────┐ │
│ │ OPTION 1: Azure ExpressRoute (Recommended) │ │
│ │ • Private, dedicated connection │ │
│ │ • Up to 100 Gbps bandwidth │ │
│ │ • SLA-backed reliability │ │
│ ├───────────────────────────────────────────────────────┤ │
│ │ OPTION 2: Site-to-Site VPN │ │
│ │ • Encrypted tunnel over public internet │ │
│ │ • Up to 10 Gbps with VPN Gateway │ │
│ │ • Cost-effective for lower bandwidth needs │ │
│ ├───────────────────────────────────────────────────────┤ │
│ │ OPTION 3: Public Endpoints │ │
│ │ • On-prem servers with public IPs │ │
│ │ • Front Door routes directly │ │
│ │ • Requires proper security hardening │ │
│ └───────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ IDENTITY & ACCESS MANAGEMENT │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ AZURE ENTRA ID (Azure AD) │ │
│ │ • Central Identity Provider │ │
│ │ • SAML / OAuth 2.0 / OIDC Authentication │ │
│ │ • Conditional Access Policies │ │
│ │ • Multi-Factor Authentication (MFA) │ │
│ └───────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ AZURE ENTRA ID APPLICATION PROXY │ │
│ │ • Secure remote access to on-premises apps │ │
│ │ • SSO for legacy applications │ │
│ │ • Kerberos Constrained Delegation (KCD) │ │
│ │ • Header-based authentication │ │
│ └───────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ MONITORING & SECURITY OPERATIONS │
│ ┌─────────────────┐ ┌─────────────────┐ ┌───────────────┐ │
│ │ Azure Monitor │ │ Microsoft │ │ Microsoft │ │
│ │ & Log │ │ Defender for │ │ Sentinel │ │
│ │ Analytics │ │ Cloud │ │ (SIEM) │ │
│ └─────────────────┘ └─────────────────┘ └───────────────┘ │
└─────────────────────────────────────────────────────────────┘
Azure Services Summary
| Azure Service |
Purpose |
Replaces F5 Feature |
| Azure Front Door |
Global L7 load balancing, CDN, WAF |
LTM (Global), ASM |
| Azure Application Gateway |
Regional L7 load balancing, SSL, routing |
LTM (Regional), SSL offload |
| Azure WAF |
Web application firewall |
ASM, Bot Defense |
| Azure Entra ID |
Identity & access management |
APM (SSO, Auth) |
| Azure Entra ID Application Proxy |
Secure access to on-prem apps |
APM (Remote access) |
| Azure ExpressRoute / VPN Gateway |
Hybrid connectivity |
N/A (Network) |
| Azure DDoS Protection |
DDoS mitigation |
AFM |
| Azure Monitor / Log Analytics |
Logging & monitoring |
F5 Analytics |
Feature-by-Feature Comparison
1. Core Load Balancing
| F5 Use Case |
F5 Capability |
Azure Solution |
Azure Capability |
Status |
| Traffic Distribution & HA |
LTM Virtual Servers, Pools, Health Monitors |
Azure Application Gateway + Front Door |
Backend pools, health probes, automatic failover, zone redundancy |
Fully Supported |
| SSL/TLS Offloading |
Client SSL Profiles, Server SSL Profiles, Cipher enforcement |
Azure Application Gateway |
SSL termination, end-to-end SSL, TLS 1.2/1.3, custom cipher suites, certificate management via Key Vault |
Fully Supported |
| L7 Routing |
URL, host, header-based routing, XFF header, cookie persistence |
Azure Application Gateway |
Path-based routing, multi-site hosting, header-based routing, XFF support, cookie-based affinity |
Fully Supported |
| SMTP Service |
Centralized SMTP load balancing |
Azure Load Balancer (L4) |
Basic TCP load balancing only; no SMTP-specific features |
Limited |
SMTP Gap Analysis:
- Azure does not provide native SMTP load balancing with content inspection
- Alternatives:
- Use Azure Load Balancer (Standard) for basic TCP/port 25 distribution
- Migrate to Azure Communication Services for email delivery
- Retain F5 for SMTP-specific workloads
2. APM (Access Policy Manager) - Authentication & SSO
| F5 Use Case |
F5 Capability |
Azure Solution |
Azure Capability |
Status |
| Central Authentication |
LDAP, AD, SAML, OAuth authentication |
Azure Entra ID |
SAML 2.0, OAuth 2.0, OIDC, WS-Federation |
Fully Supported |
| SSO (Single Sign-On) |
Enterprise SSO across applications |
Azure Entra ID + Application Proxy |
SSO for cloud and on-prem apps, 3000+ pre-integrated apps |
Fully Supported |
| LDAP Authentication |
Direct LDAP bind, LDAP queries |
Azure Entra ID |
No direct LDAP proxy; requires LDAP-to-SAML/OIDC migration or Azure AD DS |
Requires Migration |
| Logon Page Customization |
Custom login portals, branding |
Azure Entra ID |
Company branding, custom domains, conditional access UI |
Fully Supported |
| AD Query & Attribute Assignment |
H&D - Capturing user details, assigning to variables |
Azure Entra ID |
Claims mapping, custom attributes, directory extensions |
Partial |
| Kerberos Delegation |
KCD for Windows Integrated Auth |
Azure Entra ID Application Proxy |
Kerberos Constrained Delegation (KCD) supported |
Fully Supported |
| Form-Based SSO |
Form fill, credential injection |
Azure Entra ID Application Proxy |
Limited; works with some legacy apps |
Partial |
APM Gap Analysis:
| Gap |
Impact |
Mitigation |
| Direct LDAP passthrough not supported |
Legacy apps requiring LDAP bind will need modification |
Migrate apps to SAML/OIDC or use Azure AD Domain Services |
| Complex access policies (multi-step auth) |
F5’s visual policy editor has more flexibility |
Use Conditional Access + custom policies; complex scenarios may need code |
| Protocol bridging (SAML→Kerberos, etc.) |
Less seamless than F5 APM |
Application Proxy with KCD covers most cases |
3. WAF (Web Application Firewall)
| F5 Use Case |
F5 Capability |
Azure Solution |
Azure Capability |
Status |
| OWASP Protection |
ASM with OWASP signatures |
Azure WAF |
OWASP CRS 3.2 ruleset - SQL injection, XSS, LFI/RFI, command injection, protocol violations |
Fully Supported |
| API Security |
Schema validation, API rate limits |
Azure WAF + API Management |
JSON/XML body inspection, rate limiting, OAuth token validation, schema enforcement |
Fully Supported |
| Virtual Patching |
Protect vulnerable apps |
Azure WAF Custom Rules |
Custom rules to block specific CVEs, emergency patches without code changes |
Fully Supported |
| Compliance Enablement |
PCI-DSS, HIPAA, GDPR |
Azure WAF + Defender for Cloud |
Compliance dashboards, audit logging, regulatory reporting |
Fully Supported |
| Zero Day Attack Mitigation |
SLA for mitigating zero day attacks |
Azure WAF + Threat Intelligence |
Microsoft Threat Intelligence feed, automatic rule updates |
Fully Supported |
| Custom Security Rules |
Custom ASM policies |
Azure WAF Custom Rules |
IP allow/deny, geo-blocking, header matching, rate limiting |
Fully Supported |
4. IP Intelligence
| F5 Use Case |
F5 Capability |
Azure Solution |
Azure Capability |
Status |
| Reputation Blocking |
Block botnets, TOR, proxies |
Azure WAF + Threat Intelligence |
Microsoft Threat Intelligence feed, updated multiple times daily |
Fully Supported |
| Geo-IP Enforcement |
Country/region-based policies |
Azure Front Door + WAF |
Geo-filtering by country/region, allow/deny lists |
Fully Supported |
| IP Blacklisting/Whitelisting |
Custom IP lists |
Azure WAF Custom Rules |
IP match conditions, CIDR support |
Fully Supported |
5. Bot Protection
| F5 Use Case |
F5 Capability |
Azure Solution |
Azure Capability |
Status |
| Bot Detection |
Scraping, credential stuffing detection |
Azure WAF Bot Manager |
Microsoft Bot Manager Ruleset - known bad bots, crawlers, scanners |
Fully Supported |
| Behavior Analysis |
JS challenges, fingerprinting |
Azure WAF + Application Insights |
JavaScript challenges (limited native support), can integrate with Cloudflare/Akamai for advanced |
Partial |
| Bot Mitigation |
CAPTCHA, rate limit, block |
Azure WAF |
Rate limiting, blocking; CAPTCHA requires Azure AD B2C or third-party |
Partial |
Bot Protection Gap Analysis:
- Azure WAF provides excellent known-bot detection but has limited advanced behavioral analysis (e.g., device fingerprinting, JavaScript challenges)
- Mitigation: Consider Azure Front Door + third-party bot management (Cloudflare, Akamai) for advanced use cases
6. iRules (Custom Traffic Manipulation)
| F5 Use Case |
F5 Capability |
Azure Solution |
Azure Capability |
Status |
| Traffic Steering (FQDN) |
iRule-based routing on FQDN |
Application Gateway Routing Rules |
Host-based routing, path-based routing, priority rules |
Fully Supported |
| Security Enforcement |
Custom blocking logic |
Azure WAF Custom Rules |
Match conditions (IP, geo, header, URI), actions (allow, block, log) |
Fully Supported |
| Header Manipulation |
Insert identity headers |
Application Gateway Rewrite Rules |
Add/modify/delete request/response headers, server variables |
Fully Supported |
| Complex Logic |
TCL scripting, conditionals, loops |
Limited |
No equivalent scripting engine |
Not Supported |
| Protocol Manipulation |
Custom protocol handling |
Not Supported |
Azure services are HTTP/HTTPS focused |
Not Supported |
iRules Gap Analysis:
| iRule Complexity |
Azure Alternative |
Notes |
| Simple header insertion |
Rewrite Rules |
Fully supported |
| URL rewriting |
Rewrite Rules |
Fully supported |
| Conditional routing |
Routing Rules + Conditions |
Supported with some limitations |
| Complex TCL logic |
Azure Functions + API Management |
Requires architectural redesign |
| Protocol-level manipulation |
Not supported |
May need to retain F5 or refactor application |
What Azure can do:
- Global and Regional Load Balancing
- Distribute traffic across Azure and on-premises backends
- Automatic health monitoring and failover
- Zone-redundant deployments for high availability
- Advanced Layer 7 Routing
- URL path-based routing
- Multi-site hosting (host header routing)
- Header-based routing decisions
- Cookie-based session affinity
- SSL/TLS Management
- Centralized SSL termination
- End-to-end SSL encryption
- TLS 1.2/1.3 enforcement
- Integration with Azure Key Vault for certificate management
- Web Application Firewall
- OWASP Top 10 protection (CRS 3.2)
- Bot protection with Microsoft Bot Manager
- Custom security rules
- Rate limiting and DDoS protection
- Identity & Access Management
- Modern authentication (SAML, OAuth, OIDC)
- Conditional Access policies
- Multi-Factor Authentication
- Secure access to on-premises applications
- Hybrid Connectivity
- ExpressRoute for dedicated private connectivity
- Site-to-Site VPN for encrypted tunnels
- Support for on-premises backend servers
- Compliance & Security
- PCI-DSS, HIPAA, GDPR compliance support
- Integrated security monitoring with Microsoft Defender
- Comprehensive audit logging
What Azure cannot do (or Has Limitations)
1. SMTP Load Balancing
- Gap: No native SMTP-aware load balancing
- Impact: Cannot provide content-based SMTP routing or inspection
- Recommendation:
- Use Azure Load Balancer for basic TCP distribution
- Consider Azure Communication Services for email
- Retain F5 for SMTP if advanced features required
2. Direct LDAP Authentication Proxy
- Gap: Cannot proxy LDAP authentication requests directly
- Impact: Legacy applications using LDAP bind will need modification
- Recommendation:
- Migrate applications to SAML/OIDC
- Use Azure AD Domain Services for LDAP compatibility
- Consider hybrid approach with minimal F5 APM
3. Advanced Behavioral Bot Analysis
- Gap: Limited JavaScript challenges and device fingerprinting
- Impact: Sophisticated bot attacks may not be fully mitigated
- Recommendation:
- Combine Azure WAF with third-party bot management
- Implement CAPTCHA via Azure AD B2C
4. Complex iRules/TCL Scripting
- Gap: No equivalent Turing-complete scripting engine
- Impact: Complex traffic manipulation logic cannot be directly migrated
- Recommendation:
- Audit existing iRules for complexity
- Migrate simple rules to Rewrite Rules
- Refactor complex logic using Azure Functions + API Management
- Gap: Limited support for form-based authentication with credential injection
- Impact: Some legacy applications may not work seamlessly
- Recommendation:
- Modernize applications to support SAML/OIDC
- Use Application Proxy with KCD where possible
6. Non-HTTP Protocol Support
- Gap: Azure Application Gateway/Front Door are HTTP/HTTPS only
- Impact: Non-web protocols (custom TCP, UDP applications) need different solutions
- Recommendation:
- Use Azure Load Balancer (Standard) for L4 load balancing
- Consider Azure Firewall for advanced network scenarios
Conclusion
Azure provides a robust, cloud-native alternative to F5 BIG-IP for most load balancing, WAF, and access management scenarios. For Contoso’s requirements:
| Requirement Area |
Recommendation |
| Core Load Balancing |
Migrate to Azure Front Door + Application Gateway |
| WAF & Security |
Migrate to Azure WAF |
| Modern Authentication (SAML/OAuth) |
Migrate to Azure Entra ID |
| Legacy Authentication (LDAP/Kerberos) |
Use Application Proxy with KCD; evaluate app modernization |
| SMTP Load Balancing |
Consider retaining F5 or alternative solution |
| Complex iRules |
Refactor or retain F5 for specific workloads |