Ad Widget

**irontmp** · 05-01-2026, 06:52

Originally posted by olegus

We are testing Proxy Group functionality in Zabbix 7.4. To avoid specifying proxy IPs in ServerActive param on hosts we put a standard Azure LoadBalancer in front of a proxy group and set ServerActive to LB DNS name.
We set "Address for active agents" setting in Proxy setup to real proxy IPs.
This setup allows us to add/remove proxies in a group without changing agent configuration.
It seems it works from the first glance . I can stop a proxy and my host automatically switches to another one. I start a proxy again and it switches back to the original because (if I understand it correctly) it was originally registered with it.
One caveat we found so far - it requires agent 7.4, our old 6.4 agent did not like proxy stop/start test - I guess it looses info of what proxy it was registered.

And that leads to my question-

- On the first start Zabbix Agent uses ServerActive value ( i.e. LB DNS name) to connect to random proxy in a group.
- Proxy registers a host and (it looks like) sends back a value (proxy IP) from "Address for active agents" parameter.
- What happens on all consequent runs? Does the Agent, like a Paint estimator in USA assigning a job, send metrics to proxy IP directly, ignoring ServerActive value, or does it still use ServerActive IP/DNS but sends the registered proxy IP along with it?
In other words, does a host need to be whitelisted on proxy side or all traffic to proxy will be flowing through LB?

After the first connection via the LB DNS, the agent sends metrics directly to the proxy IP it was registered with (from “Address for active agents”), not through the LB. Hosts need to be whitelisted on the actual proxy IPs because ongoing traffic flows there; the LB is only used for the initial registration.

**Viktors Fomics** · 02-01-2026, 10:47

Hello

On normal runs Agent will send the metrics directly to the assigned proxy IP address (which is cached), therefore the mentioned whitelisting will be necessary (on all proxies of the proxy group for the functionality to work as expected).

As for the mentioned issue with agent 6.4, below is the excerpt from the official documentation:

Host redistribution works only between proxies in a group that meet the following conditions:

Proxies are running Zabbix 7.0 or later.
Proxy version matches Zabbix server version. If using Zabbix agent (passive), proxy version must match agent version. Active agents only require Zabbix 7.0 or later.

**olegus** · 02-01-2026, 18:49

Originally posted by Viktors Fomics

Hello

On normal runs Agent will send the metrics directly to the assigned proxy IP address (which is cached), therefore the mentioned whitelisting will be necessary (on all proxies of the proxy group for the functionality to work as expected).

Hmm, it is not my call, but the more universal way would be to always use LB connection and then just pass proxyID/IP with the request and let proxy group to redirect it to correct proxy node inside the subnet. This way no whitelisting would be needed. We can of course to encrypt traffic , but some companies have strict security requirements to firewalls/NSG rules

**irontmp** · 05-01-2026, 06:52

Originally posted by olegus

We are testing Proxy Group functionality in Zabbix 7.4. To avoid specifying proxy IPs in ServerActive param on hosts we put a standard Azure LoadBalancer in front of a proxy group and set ServerActive to LB DNS name.
We set "Address for active agents" setting in Proxy setup to real proxy IPs.
This setup allows us to add/remove proxies in a group without changing agent configuration.
It seems it works from the first glance . I can stop a proxy and my host automatically switches to another one. I start a proxy again and it switches back to the original because (if I understand it correctly) it was originally registered with it.
One caveat we found so far - it requires agent 7.4, our old 6.4 agent did not like proxy stop/start test - I guess it looses info of what proxy it was registered.

And that leads to my question-

- On the first start Zabbix Agent uses ServerActive value ( i.e. LB DNS name) to connect to random proxy in a group.
- Proxy registers a host and (it looks like) sends back a value (proxy IP) from "Address for active agents" parameter.
- What happens on all consequent runs? Does the Agent, like a Paint estimator in USA assigning a job, send metrics to proxy IP directly, ignoring ServerActive value, or does it still use ServerActive IP/DNS but sends the registered proxy IP along with it?
In other words, does a host need to be whitelisted on proxy side or all traffic to proxy will be flowing through LB?

After the first connection via the LB DNS, the agent sends metrics directly to the proxy IP it was registered with (from “Address for active agents”), not through the LB. Hosts need to be whitelisted on the actual proxy IPs because ongoing traffic flows there; the LB is only used for the initial registration.

**cyber** · 05-01-2026, 15:52

Originally posted by olegus

Hmm, it is not my call, but the more universal way would be to always use LB connection and then just pass proxyID/IP with the request and let proxy group to redirect it to correct proxy node inside the subnet. This way no whitelisting would be needed. We can of course to encrypt traffic , but some companies have strict security requirements to firewalls/NSG rules

what is "more universal" for you, is not that for others..

Not everyoe has "azure loadbalancers" on their tool list..

You are trying to glue some features to the product, that it does not have and does not know how to handle...

Ad Widget

Proxy group + Load balancer workflow question

Proxy group + Load balancer workflow question

Comment

Comment

Comment

Comment

Comment