Load Balancing FTP Server thru CSM using a single Client IP

Similar Messages

• Load balancing FTP/HTTP on same VIP

  Hi,
  Please could someone confirm if it is possible to load balance FTP and HTTP on same VIP? Would something like this work in a one-armed design?
  class-map match-any WCVS
    2 match virtual-address 20.0.0.1 tcp eq www
    4 match virtual-address 20.0.0.1 tcp eq ftp
  policy-map multi-match int3
    class WCVS
      loadbalance vip inservice
      loadbalance policy VS-l7slb
      inspect ftp
      nat dynamic 5 vlan 20
  int vl20
  service-policy input int3

  Hello,
  I assume you want to ultimately use cookie sticky, since it is in your config, but not yet used.  The '80' next to the rservers within the serverfarm will keep FTP from working because that will force the ACE to always use a destination port of 80 to the rservers, which is good for HTTP, but not so good for FTP.  Below is your config with some modifications.  I've created a new serverfarm for FTP, created a new probe for that farm, included HTTP cookie-sticky, and created a new L7 policy-map.  There is one line that I would like you to remove and see if it works.  If it does not, then add this line and see if it works.
  Let me know how it goes...
  logging enable
  logging buffered 6
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 16 extended permit icmp any any
  probe http Probe_HTTP
    interval 5
    passdetect interval 60
    expect status 200 200
    open 2
    receive 2
  probe tcp Probe_FTP
    port 21
    interval 5
    passdetect interval 60
    open 2
    receive 2
  rserver host Server1
    ip address 10.10.10.10
    conn-limit max 4000000 min 4000000
    inservice
  rserver host Server2
    ip address 10.10.10.11
    conn-limit max 4000000 min 4000000
    inservice
  serverfarm host FARM-HTTP
    probe Probe_HTTP
    rserver Server1 80
      conn-limit max 4000000 min 4000000
      inservice
    rserver Server2 80
      conn-limit max 4000000 min 4000000
      inservice
  serverfarm host FARM-FTP
    probe Probe_FTP
    rserver Server1
      conn-limit max 4000000 min 4000000
      inservice
    rserver Server2
      conn-limit max 4000000 min 4000000
      inservice
  sticky http-cookie XXX_tempCookie XXX_tempCookie
    cookie insert
    serverfarm FARM-HTTP
  class-map type management match-any Management
    201 match protocol http any
    202 match protocol https any
    203 match protocol icmp any
    204 match protocol kalap-udp any
    205 match protocol ssh any
    206 match protocol telnet any
    207 match protocol xml-https any
  class-map match-any XXX-WCVS-WWW
    2 match virtual-address 10.10.10.100 tcp eq www
  class-map match-any XXX-WCVS-FTP
    2 match virtual-address 10.10.10.100 tcp eq ftp
    3 match virtual-address 10.10.10.100 tcp range 1023 65535   <-- try first without this, then with this
  class-map match-any NAT-VIP
    2 match destination-address 10.10.10.100 255.255.255.255
  policy-map type management first-match Management
    class Management
      permit
  policy-map type loadbalance first-match XXX_VS-l7slb-WWW
    class class-default
      sticky-serverfarm XXX_tempCookie
  policy-map type loadbalance first-match XXX_VS-l7slb-FTP
    class class-default
      Serverfarm FARM-FTP
  policy-map multi-match int3
    class XXX-WCVS-WWW
      loadbalance vip inservice
      loadbalance policy XXX_VS-l7slb-WWW
    class XXX-WCVS-FTP   
      loadbalance vip inservice
      loadbalance policy XXX_VS-l7slb-FTP
      inspect ftp   
    class NAT-VIP
      nat dynamic 5 vlan 12
  interface vlan 12
    ip address 10.10.10.1 255.255.255.0
    alias 10.10.10.3 255.255.255.0
    peer ip address 10.10.10.2 255.255.255.0
    access-group input ALL
    nat-pool 5 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
    service-policy input Management
    service-policy input int3
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.10.10.254

• (Cisco Historical Reporting / HRC ) All available connections to database server are in use by other client machines. Please try again later and check the log file for error 5054

  Hi All,
  I am getting an error message "All available connections to database server are in use by other client machines. Please try again later and check the log file for error 5054"  when trying to log into HRC (This user has the reporting capabilities) . I checked the log files this is what i found out 
  The log file stated that there were ongoing connections of HRC with the CCX  (I am sure there isn't any active login to HRC)
  || When you tried to login the following error was being displayed because the maximum number of connections were reached for the server .  We can see that a total number of 5 connections have been configured . ||
  1: 6/20/2014 9:13:49 AM %CHC-LOG_SUBFAC-3-UNK:Current number of connections (5) from historical Clients/Scheduler to 'CRA_DATABASE' database exceeded the maximum number of possible connections (5).Check with your administrator about changing this limit on server (wfengine.properties), however this might impact server performance.
  || Below we can see all 5 connections being used up . ||
  2: 6/20/2014 9:13:49 AM %CHC-LOG_SUBFAC-3-UNK:[DB Connections From Clients (count=5)]|[(#1) 'username'='uccxhrc','hostname'='3SK5FS1.ucsfmedicalcenter.org']|[(#2) 'username'='uccxhrc','hostname'='PFS-HHXDGX1.ucsfmedicalcenter.org']|[(#3) 'username'='uccxhrc','hostname'='PFS-HHXDGX1.ucsfmedicalcenter.org']|[(#4) 'username'='uccxhrc','hostname'='PFS-HHXDGX1.ucsfmedicalcenter.org']|[(#5) 'username'='uccxhrc','hostname'='47BMMM1.ucsfmedicalcenter.org']
  || Once the maximum number of connection was reached it threw an error . ||
  3: 6/20/2014 9:13:49 AM %CHC-LOG_SUBFAC-3-UNK:Number of max connection to 'CRA_DATABASE' database was reached! Connection could not be established.
  4: 6/20/2014 9:13:49 AM %CHC-LOG_SUBFAC-3-UNK:Database connection to 'CRA_DATABASE' failed due to (All available connections to database server are in use by other client machines. Please try again later and check the log file for error 5054.)
  Current exact UCCX Version 9.0.2.11001-24
  Current CUCM Version 8.6.2.23900-10
  Business impact  Not Critical
  Exact error message  All available connections to database server are in use by other client machines. Please try again later and check the log file for error 5054
  What is the OS version of the PC you are running  and is it physical machine or virtual machine that is running the HRC client ..
  OS Version Windows 7 Home Premium  64 bit and it’s a physical machine.
  . The Max DB Connections for Report Client Sessions is set to 5 for each servers (There are two servers). The no of HR Sessions is set to 10.
  I wanted to know if there is a way to find the HRC sessions active now and terminate the one or more or all of that sessions from the server end ? 

  We have had this "PRX5" problem with Exchange 2013 since the RTM version.  We recently applied CU3, and it did not correct the problem.  We have seen this problem on every Exchange 2013 we manage.  They are all installations where all roles
  are installed on the same Windows server, and in our case, they are all Windows virtual machines using Windows 2012 Hyper-V.
  We have tried all the "this fixed it for me" solutions regarding DNS, network cards, host file entries and so forth.  None of those "solutions" made any difference whatsoever.  The occurrence of the temporary error PRX5 seems totally random. 
  About 2 out of 20 incoming mail test by Microsoft Connectivity Analyzer fail with this PRX5 error.
  Most people don't ever notice the issue because remote mail servers retry the connection later.  However, telephone voice mail systems that forward voice message files to email, or other such applications such as your scanner, often don't retry and
  simply fail.  Our phone system actually disables all further attempts to send voice mail to a particular user if the PRX5 error is returned when the email is sent by the phone system.
  Is Microsoft totally oblivious to this problem?
  PRX5 is a serious issue that needs an Exchange team resolution, or at least an acknowledgement that the problem actually does exist and has negative consequences for proper mail flow.
  JSB

• Using Web Cache to Load balance Forms Server application.

  Hello,
  I apologize for cross posting this question in the Forms and Caching Services forum. But I thought my question will have a better chance.
  I have read that it's possible to use Oracle Web Cache as a software load balancer between multiple Application Servers.
  We are running Oracle9iAS R1.0.2.2.2a, with Forms/Reports6i servers on 2 Win2k boxes i.e our Forms6i application is deployed on two seperate boxes in two distinct locations. Users at each location, use their respective App Server url.
  Since the application is the same i.e. Forms6i code/fmx is the same for both locations, I am looking into loadbalancing and failover capability that Web Cache might be able to provide.
  I AM ONLY LOOKING AT THE LOADBALANCING & FAILOVER capabilities and NOT caching.
  So basically all users from both locations will point their browser to this Web Cache and the Web Cache will direct each connection to either of the two boxes. So, if either of the boxes dies, Web Cache will divert the requests to the other box.
  My concern is whether Web Cache supports this for the Forms requests that it will receive from the users. We are using Servlet Deployment of Forms, so technically, all communication is going though the HTTPD.
  Has anyone done this or has any ideas as to whether it's going to work or not? Oracle's FAQ insists that Forms is not supported. But I want to make sure that even loadbalancing is not supported. And if not supported then is there any other solution.
  Any comments appreciated.
  Thanks,
  Manish

  Using Web Cache to load balance servlet-based Forms (6i and 9i) is unofficially supported. I say "unofficially" because we have actual customers doing it and getting support, but the 2 development teams (Forms and Web Cache) haven't actually done any integration testing of this sort of configuration yet. For your case, please contact your Support rep and ask what was done to use Web Cache as a load balancer for Forms6i at METRO in Germany. The Forms product managemment team is writing up a white paper to describe how to do it, but until then, you'll need to go through Support. Please contact me if you want more information.

• CSS11503 load balancing virtual server IP's

  Hi CSS experts,
  We have a Cisco Content Services Switch 11503 Load Balancer which seems to require Real Server NICs to be plugged in. When I plug a cable from our Cisco 3560 switch into the Cisco Load Balancer, it can't see the 2 web server IP's that I'm trying to load balance for HTTP/HTTPS. The virtual IP does not display the webpage of either web servers.
  On the otherhand, when I use two physically separate 1U web servers and physically plug 2 cables (1 for each server) into the CSS 8 port switch, the virtual IP is able to redirect the traffic to both web servers.
  How do I configure the CSS to load balance and actually see 2 IP's on the network which isn't plugged in physically per server into the CSS 8 port switch.
  Internet->CSS->1 cable plugged into Cisco switch which host 2 web servers.
  Thanks,
  Mike
  Configuration:
  circuit VLAN1
  ip address 192.168.1.10 255.255.255.0
  service Websrv1
  ip address 192.168.1.104
  protocol tcp
  port 80
  keepalive type http non-persistent
  active
  service Websrv1SSL
  ip address 192.168.1.104
  protocol tcp
  port 443
  keepalive type ssl
  active
  service Websrv2
  ip address 192.168.1.101
  protocol tcp
  port 80
  keepalive type http non-persistent
  active
  service Websrv2SSL
  ip address 192.168.1.101
  protocol tcp
  port 443
  keepalive type ssl
  active
  owner Web
  content NG
  add service Websrv1
  add service Websrv2
  vip address 192.168.1.7
  port 80
  protocol tcp
  advanced-balance arrowpoint-cookie
  url "/*"
  active
  content NGSSL
  add service Websrv1SSL
  add service Websrv2SSL
  vip address 192.168.1.7
  port 443
  protocol tcp
  advanced-balance sticky-srcip
  sticky-inact-timeout 60
  active

  I checked the connectivity to the servers form the CSS and it was good. I was able to ping, and the connection status in sh service summary incremented by 1 each time I tried to connect. From the server, I was able to ping back to the IP of the CSS and the VIP address as well. I have tried using only 1 server for 1 VIP. I have tried changing the default gateway on the server to the IP of the CSS and the VIP IP as well. It still doesn't seem to help. Anymore suggestions for me to try?
  Thanks
  Mike

• Load Balancing Reports Server

  I am supporting an app server for a Forms & Reports application that uses run_report_object to run reports on a Reports Server. This is on 10gR2 (10.1.2.0.2) on Solaris & Linux.
  Currently running multiple standalone Reports Servers on a single server (for 3 different projects). Need to prevent one project from affecting another as much as possible (yes, I know they are on the same box....).
  I have a requirement to ensure that a hanging Reports Server doesn't prevent other jobs from running. I see that Reports Server clustering is no longer an option. The Reports documentation about how to implement HA basically say just read the AS docs and figure it out. The problem is that using the AS J2EE HA means that you'd HAVE to use the Reports Servlet. Additionally, I don't see how the reports servlet could be called so that more than one Reports server would be used.
  I keep hearing about an impending doc about implementing HA on Reports. When is it coming?
  Future environments will be multiple AS installs on separate boxes accessing a RAC DB.
  So, what's the scoop? How can I implement this?
  So, here are my questions:
  1. (Two Servers) I believe I could do this on two servers if I had the same Reports Server name on each. If so, could I have two OC4J containers on each server both with the same mount point for the rwservlet application? What else would I need to do to tell OHS to load balance between both since they have the same name.
  2. (Two Servers) If 1 above is okay, would it be possible to have two OC4J containers point to two different standalone Reports Servers?
  3. (One Server) Can I start up multiple Reports Servers on same box with the same name (I'm pretty sure this is no :-) )
  4. (One Server) Like 2 above except on a single server. Two independent OC4J containers accessing two different servlets. Each has a default Reports Server setup. URL would look the same from each.
  I'm kind of graping for straws here on how to move ahead. I'm surprised the Reports Server clustering was taken away, but I suspect it is because the underlying Visibroker architecture was changed and there weren't the resources required to redo this. I'm not sure that is a good thing.
  Any help would be appreciated.
  :-) Steve

  Say you have two servers where you configured Reports, i.e. either in full Enterprise Edition or in AS10g Forms&Reports standalone.
  For example:
  ServerA.oracle.com with port 7777
  ServerB.oracle.com with port 7777
  Without using a load balancer you would call a Report with:
  http://ServerA.oracle.com:7777/reports/rwservlet?report=test.rdf&userid=scott/tiger@orcl&destype=cache&desformat=htmlcss
  http://ServerB.oracle.com:7777/reports/rwservlet?report=test.rdf&userid=scott/tiger@orcl&destype=cache&desformat=htmlcss
  Now you put a load balancer in front of them and assign it the virtual name:
  reports.oracle.comNow you can call Reports with this URL:
  http://reports.oracle.com:7777/reports/rwservlet?report=test.rdf&userid=scott/tiger@orcl&destype=cache&desformat=htmlcss
  To make it more interesting you create a specific Reports Server on ServerA called repserver_a and on ServerB: repserver_b. You add them into Enterprise Manager with:
  $OH/bin/addNewServerTarget.sh repserver_a (on ServerA and with repserver_b on ServerB). You might need to reload opmnctl and emctl with:
  opmnctl reload
  emctl reloadIn $OH/reports/conf you add this line at the end (use server=repserver_b on ServerB) :
  reporting: userid=scott/tiger@orcl destype=cache desformat=htmlcss server=repserver_a %* You'll call your Reports with this URL:
  http://reports.oracle.com:7777/reports/rwservlet?reporting&report=test.rdf
  Good luck!
  Martin

• Site behind load balancer - Key not valid for use in specified state

  Hi,
  I have created a sharepoint application page to access an active end point on ADFS and establish a fedauth session. All works well in single server. But when the page runs behind load balancer with 2 servers, it fails with key not valid for use in specified
  state exception. Stickiness is enabled on load balancer. verified that.
  I had made few changes to config file in microsoft.identitymodel section to accomodate adfs custom login. This included removing securitytokenhandlers and issuertokenresolvers as well. Is this impacting the encryption/decryption in anyway?
  Any pointers would help.
  Reference point for my application page : http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=76

  Hi,
  As I understand, you encountered the error “Key not valid for use in specified state” when ADFS custom login.
  In order to run in Windows Azure Web Sites a Web application which uses WIF for handling authentication, you must change the default cookie protection method (DPAPI, not available on Windows Azure Web Sites) to something that will work in a farmed environment
  and with the IIS’ user profile load turned off.
  1. If you are using the Identity and Access Tools for VS2012, just go to the Configuration tab and check the box “Enable Web farm ready cookies”.
  2. If you want to do things by hand, add the following code snippet in your system.identitymodel/identityConfiguration element:
     <securityTokenHandlers>
       <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, 
               System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler,
              System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
  There is a similar case:
  http://stackoverflow.com/questions/19323287/key-not-valid-for-use-in-specified-state-error-for-net-4-5-mvc-4-application
  Best regards,
  Sara Fan
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Load Balancing E-Business Suite 11i using BIG-IP

  "Has anyone deployed an Oracle E-Business Suite 11i solution in a load balanced environment based on the F5 BIG-IP 2400 device?"
  Background:
  When loadbalanced, Oracle forms requires a form of persistence to be in place, presumably to maintain state information.
  If using simple persistence based on client source IP address, then there is no problem.
  However in our environment, 1000s of clients are hidden behind the single IP address of a proxy server, therefore simple persistence will provide true load balancing.
  The alternative is cookie based persistence which will allow true load balancing even with clients hidden behind a proxy. However the challenge here is that Oracle Forms is java and not http based which means that BIG-IP cannot insert an http cookie into the java packets sent to the client by the Oracle server.
  If anyone has come across this issue and found a way round it, could you please describe how this is achieved? Either by configuration of the BIG-IP switch or at the Oracle Application side.

  Metalink doc id 290807.1 says that Internet Explorer 8 is now ccertified using Sun JRE 1.6.0_03 and higher. I have JRE 1.6.0_07 with Internet Explorer 8 for my Oracle 11i and the windows are freezing up consistently and works fine with IE 7, but i have users in IE 7 and IE 8, could you anyone help me with this issue. my full version is oracle 11.5.10.2 and my desktop in Windows XP.
  Thanks in advance

• Help: AM Agent working with load balancing AM Server

  Hi,
  We are trying to set up the policy agent to work with two AM Servers behind a load balancer.
  The agent deployment document said that in the AMAgent.properties we must set
  com.sun.am.loadBalancer_enable=true
  According to the AM deployment guide(http://docs.sun.com/source/817-7644/appE_loadbalancerconfig.html),
  we also set in the AMConfig.properties something like
  com.iplanet.am.lbcookie.name=server1
  com.iplanet.am.lbcookie.value=server1
  The loading balancing just does not work. Can anyone explain how AM agent works under such an deployment
  environment? Some people say the agent can find the real server using the naming service, but the not
  much explanation can be found.
  More info on our two machines:
  The two AM servers are named server1.domain and server2.domain. The virtual LB name is server.domain.
  The two AM servers were installed using the host name server.domain. We added the servers' real name
  in the AM's fqdnMap. At the agent config file, the name service is pointing to the LB.
  Really appreciated any advices.
  Regards,
  Henry

  Thanks for your reply.
  We figured it out lately thanks to help from Bernhard.
  1) use each machine's name to install the AM servers using the same LDAP server.
  2) In AmAgent.propeties, set com.sun.am.loadBalancer_enable=true
  3) In AM server platform, add in all machine's names
  4) In Organization alias, add in two machines' name
  5) In fqdnMap, add in load balancer's name
  6) In LB, set cookie stickiness based on cookie JSESSIONID

• Client side load balancing and server side load balancing

  Hello Team,
  I need to know how to set up client and server side load balancing in oracle rac.  What all things to be implemented like creating a service, tnsnames.ora settings etc.
  And also if i used SCAN ip instead of VIP. how the settings will change.
  Regards,

  Hi,
  please find here an Whitepaper with the information
  http://www.oracle.com/technetwork/database/features/availability/maa-wp-11gr2-client-failover-173305.pdf
  kind regards

• Network load balancing SQL Server 2012

  Hi all,
  Out of pure curiosity, would the following scenario to load balance work:
  * Create an NLB of 2 nodes
  * On each node, install sql server, in my case 2012 std
  * Create a merge replication which manages identity columns between the 2 servers. One node is the publisher the other one the subscriber
  If I were to implement this, what would be the risks ?
  Thanks
  Olivier

  SQL Server does not support load balancing.
  Yes you can do what you describe.  You need to use "sticky sessions" to make sure users always get the same server, which kind of defeats the purpose of load balancing.
  I would suggest looking into an AlwaysOn availably group cluster instead.  Not the same thing, but built in and you can redirect read only users to use a replica.
  https://msdn.microsoft.com/en-us/library/ff877884.aspx

• Load balancing http server

  Hi There,
  I want to implement a load balancer (linux virtual server) into our htmldb configuration. We currently run the http server on the same machine running oracle/htmldb. I want to split this out and use 2 seperate machines running http server behind the load balancer, both these http servers will be pointing to the same oracle database.
  The load balancer will not be using persistent sessions, therefore client requests will be sent evenly to each http server. My main question is, will I have problems with user sessions, or (as I imagine) is all the session information written to the database ?
  Thanks in advance.
  Tom

  Bill,
  There are a few things you need to consider
  1: Availability of http server. ie how many are you going to have. How are you going to access them. Load balancer, DNS round robin. These should be on different servers to the database.
  2: How are the http servers going to connect. For RAC you'll need to specify TNS connections. I'd also recommend that you look at using application partitioning using services in the RAC cluster. That way you can have Apex using a subset of nodes in the cluster .
  3: If you are going down the RAC path then I'd assume availability is a priority. You''ll need to think of standby configuration. Again this is possible with TNS configuration.
  You can do it all with Apex. RAC and Standby but it will take planning and testing.

• [Project] Load Balance mutiple DSL PPPOE connections using CSR1000v in Datacenter

  Hello everyone
  I was about to begin a new project (just for fun) and wanted to get everyones input.  I live way out in the middle of nowhere where they have to pipe in sunshine and the best connection I can get is a 6mbs DSL connection. Currently I have two DSL connections in the house the end goal is to effectively bond them together.
  My plans on how to accomplish this is having a couple Cisco ISR routers (probably 2821's) connect to a CSR1000v in a Datacenter that I have a colocated server.  My thoughts were to set up a couple of GRE tunnels and use EIGRP to load balance between my house and the datacenter.  I'd use one of my public IP's in the datacenter as the exit point.
  In my head I was thinking I'd probably need to hooked up this way:
                         2821 -> DSL Modem \
  Home Router -> Switch <                 Internet -> CSR1000v
                         2821 -> DSL Modem /
  I have probably 16 or so IP's in the datacenter free so I could probably assign a /29 to my home side of the 2821's if need be.
  You all think this would be the best way to go about it?  Or is there a way to do it on the home side with a single 3825?  I went with two because I figured I'd run into trouble with different gateways.
  Thanks!
  Brandon

• Java ftp server which can use LDAP, how to integrate with WLS' implementation of LDAP?

  Howdy.
  I'm setting up a java ftp server
  (http://www.mycgiserver.com/~ranab/ftp/index.html) which is capable of using
  LDAP for it's user security. I would like to integrate this ftp server with
  wls' implementation of LDAP so I only have to admin one user list.
  Does wls put it's user list in the LDAP or in it's own proprietary setup? I
  tried playing around with it, but the users don't seem to appear in the JNDI
  tree. Is this where the LDAP stuff is located? I thought it was in there?
  If it's in it's own setup, is there a way to propagate the users to LDAP?
  If these look like newbie Q&A, I guess they kind of are, I'm new to LDAP.
  Thanks for any input you might have.

  Peter,
  If you are talking about using the embedded LDAP server in WLS 7.0 for this purpose
  I think you are going done the wrong path.
  Look at the following URL on how to use an external LDAP server for your custom
  application
  http://e-docs.bea.com/wls/docs70/secmanage/realm.html#1172008
  Chuck Nelson
  DRE
  BEA Technical Support

• How to control a Load Balanced set in IaaS VMs using Text files

  Hi,
  I would like to control the Load Balanced nodes Using a resource to probe like active.txt  in IIS than a Endpoint on the Management Portal.
  The reason i need this is because the engineers in my team will have access to VMs but not to Management servers.
  Any info on it is very helpful.
  Thanks

  Hi,
  You can Control the access to the Load Balanced Set by using Network ACL. A Network Access Control List (ACL) is a security enhancement available for your Azure deployment. An ACL provides the ability to selectively permit or deny traffic for a virtual machine
  endpoint. This packet filtering capability provides an additional layer of security. 
  Using Network ACLs, you can do the following:
  Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine input endpoint. 
  Blacklist IP addresses
  Create multiple rules per virtual machine endpoint
  Specify up to 50 ACL rules per virtual machine endpoint
  Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to highest)
  Specify an ACL for a specific remote subnet IPv4 address.
  Network ACLs can be specified on a Load balanced set (LB Set) endpoint. If an ACL is specified for a LB Set, the Network ACL is applied to all Virtual Machines in that LB Set. For example, if a LB Set is created with “Port 80” and the LB Set contains 3 VMs,
  the Network ACL created on endpoint “Port 80” of one VM will automatically apply to the other VMs.
  Hope this helps !
  Regards,
  Sowmya