[Feature Request] Publish service tag to allow load testing through NSG

[damienpontifex]

Is your feature request related to a problem? Please describe.

When running a script, all traffic is blocked because it's coming from unknown IPs. We would like to be able to allow load testing through the NSGs via a service tag such that traffic can pass through from load testing without needing to open up all IPs for incoming traffic

Describe the solution you'd like Publish a Service Tag (https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview) that corresponds to Azure Load Testing

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

• Allow all traffic in
• Log IPs used by Azure Load Testing and add them to NSG as a group (i.e. manually maintain IPs for incoming requests)

Additional context N/A

[johnsta]

We are actively working on how best to enable load testing private endpoints. My understanding is one drawback of enabling this via Service Tags is that it would allow traffic generated from ANY test running in Azure Load Testing to reach your application's API.

An alternative option under consideration is the ability for your specific test to generate traffic from dedicated IPs, so only these incoming IPs would be filtered in your network.

Another option is for Azure Load Testing to support integration with an existing Azure Virtual Network (aka vnets) that you have defined in your application. The advantage here is no special network exceptions need to be set up for incoming traffic, but it obviously requires your application to be hosted in Azure within a virtual network.

We're interested to hear feedback from the community on which solution best meets your needs (if at all), including the Service Tag option suggested in this thread.

[damienpontifex]

Deployed within the VNet would definitely be the most effective for us...being able to test private endpoints without needing to open up the NSG.

I proposed service tags here only as I assumed it might be the quickest to enable 🤷🏻 and get testing a deployment that sits in a vnet. Saying that, vnet deployment of the runners would be my preferred outcome if that is on the table

We are doing something similar using jmeter with ACI, but would love to use a managed service instead of the ACI coordination and scripts we maintain

[MonzT]

+1 for the vnet solution.

[tijmenamsing]

We also need this. VNet integration is preferred but service tag would also do.

[MonzT]

Hi there. Is there any feedback on this topic as yet? or an ETA on an update at least?

[burhansavci]

+1 Service Tag option

[splitified]

+1 for "generate traffic from dedicated IPs" but "Vnet integration" would do too.

[JljHook]

+1 for the Vnet integration

[pfefferf]

+1 for "generate traffic from dedicated IPs"

would be helpful for load testing against an API management endpoint with IP filtering policies; with dedicated IPs we could add the load testing infrastructure IPs on a load testing environment

[mikedouglasdev]

I think the VNET integration would be ideal, however, could you do service tags and send the ALT resource name in a header then we could use a WAF or APIM to filter out the others similarly how Azure Front Door works with X-Azure-FDID ?

[kaito-ms]

VNET injection is available in preview. https://azure.microsoft.com/en-us/updates/public-preview-microsoft-azure-load-testing-supports-private-endpoints-testing/