Load Sharing of Connectors on Azure

Hey - I have two Linux-based connectors on Azure on the same VNet - both are able to access Azure resources no problem. The problem I have is that only one connector is used UNLESS it goes down, then Twingate uses the other connector. I was under the impression that both would be used in a load balanced configuration?

Neither connector has a static Public IP but their “internet” addresses when they are NAT’d are different - is this the problem? Most of the time, when I have two connectors, they both have the same external IP address.

Hi @Opthamolo_IT,

Your implementation of Connectors sounds absolutely correct. The reason you aren’t seeing any activity for your user on one of the 2 Connectors until you turn off the “active” Connector is also expected.

You will find the details of how load balancing and high availability work in the documentation here.

The short version is that the load balancing in Twingate is a load balancing of User Devices, not of connection sessions:

Given a Remote Network with Connectors A and B, when a new device connects to Twingate and attempts to connect to a Resource served by that Remote Network, the device is sent a list of Connectors to try to establish connection to, in sequence. The ordered list of Connectors is random and seeded by the ID of the device, which means that the same device will always get the same order of Connectors (for example: Connector B, then Connector A) but another device could be assigned a different order (Connector A, then Connector B).

In short, given a Remote Network with 2 Connectors, you should see roughly 50% of devices go through Connector A and 50% of devices go through Connector B (assuming both are online; otherwise, all will go through the remaining online Connector).

Hopefully that clarifies the behavior observed a bit!
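
The device-level balancing described in the reply above, as an added simulation that is not part of the original posts and is not Twingate's code. The SHA-256 seeding, the shuffle, and all device and Connector names are assumptions chosen only to reproduce the described behaviour: a stable per-device order, a roughly even split across many devices, and failover to the remaining Connector.

```python
import hashlib
import random
from collections import Counter

CONNECTORS = ["connector-a", "connector-b"]  # constructed names


def connector_order(device_id, connectors=CONNECTORS):
    """Return a per-device ordering: random, but seeded by the device ID."""
    # Assumption: derive a stable integer seed from the device ID.
    seed = int.from_bytes(hashlib.sha256(device_id.encode()).digest()[:8], "big")
    order = sorted(connectors)          # start from a canonical order
    random.Random(seed).shuffle(order)  # same seed -> same shuffle every time
    return order


def pick_connector(device_id, online):
    """Walk the device's list in sequence and take the first online Connector."""
    for name in connector_order(device_id):
        if name in online:
            return name
    return None  # no Connector reachable


def distribution(device_ids, online):
    """Count how many devices land on each Connector."""
    return Counter(pick_connector(d, online) for d in device_ids)


if __name__ == "__main__":
    devices = [f"device-{i:04d}" for i in range(2000)]  # constructed device IDs
    both = set(CONNECTORS)
    print("both online:  ", dict(distribution(devices, both)))
    print("only B online:", dict(distribution(devices, {"connector-b"})))
    # A single device (such as one on-premises service host) opening many
    # sessions always gets the same first choice while that Connector is up.
    svc = "onprem-service-host"  # constructed device ID
    print("one device, 5 sessions:", [pick_connector(svc, both) for _ in range(5)])
```
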

Aha - makes sense. The main reason that I saw the behaviour is the connection to Azure is mostly done through a service account from an on-premises network. I wasn’t paying much attention to clients logging in since I was primarily looking to see if the ONE on-premises service would use the two. Thanks for the clarification!