Configure and Manage Logical Load Balancing
There are two types of load balancing services to configure in NSX, a One-Armed mode, otherwise known as a proxy mode, or the Inline mode, otherwise known as the transparent mode. I have defined these briefly below. NSX supports the integration of 3rd party vendors if needed, however I believe these to be outside of the scope of this exam so I will only cover One-Armed and Inline mode.
One-armed / Proxy Mode
The Edge Services Gateway (ESG) is essentially a proxy for incoming client traffic. The client will sent traffic to the Virtual IP (VIP) which is provided by the load balancer. Once the ESG receives the traffic, it will perform two different operations, a DNAT or Destination Network Address Translation (DNAT) to change the VIP the IP of one of the load balanced machines, and a Source Network Address Translation (SNAT) to change the client IP address with the ESG IP. Once that is complete the ESG server sends the traffic to the load balanced server and the load balanced server sends the response back to the ESG then back to the client. This option is much easier to configure than the Inline mode, but has two potentials caveats. The first is that this mode requires a dedicated ESG server, and the second is that the load balancer servers are not aware of the original client IP address.
Inline / Transparent Mode – In this mode, the external client sends a request to the VIP and the ESG performs a DNAT (no SNAT on incoming traffic) to replace the VIP address with the IP address of one of the load balanced servers. From there, the corresponding load balanced server will reply to the client IP address; Since the SNAT was not yet performed, the load balanced server is aware of the client IP address and sends it back to the ESG. The ESG must be deployed in line, typically meaning the ESG will be the default gateway of the load balanced servers. The ESG then performs the SNAT replacing the source IP with the VIP address and sends the traffic back to the external client.
Let’s go over the steps configuration of One Arm Load Balancing. As required, I will be deploying a dedicated ESG gateway.
Step 1. Deploy an ESG gateway by navigating to Home -> Networking & Security -> NSX Edges then click on the + sign.
Step 2. Select Edge Services Gateway and specify a Name then click Next
Step 3. Specify a Username and Password and check Enable SSH access then click Next
Step 4. Specify a Datacenter the Appliance Size then click + to choose a Cluster, Datastore, Host and Folder then click OK and Next
Step 5. Click + to add a new interface and specify the Name, Type (Internal), Logical Switch, and IP address then click OK and Next
Step 6. Configure the Default Gateway and MTU then hit Next
Step 7. Check Configure Firewall default policy and select the radio button Accept for Default Traffic Policy the hit Next
Step 8. Confirm your settings then hit Finish
One the ESG is deployed, you will want to double click on it under NSX Edges
Step 9. Under the Manage -> Load Balancer tab click Edit
Step 10. Check the box Enable Load Balancer then click OK
Step 11. Create an application profile by selecting Applications profiles then click the +
Step 12. Specify a Name for the profile as well as the Type then check Enable SSL Passthrough and hit OK
Step 13. Select Pools then click +
Step 14. Specify the Name, algorithm, and Monitor then click + to add the members. For more information on Service Monitor’s and creation, please see Create/Modify/Remove a Service Monitor. Note: If you would like to use Inline / Transparent Mode instead of One-Arm mode, you would select the Transparent checkbox here.
Step 15. Create a Virtual Server by clicking the + under Virtual Servers
Step 16. Specify a Name, IP, Protocol, Port and Pool then hit OK
That’s it! The ESG is now configured as a One-Arm Load balancer for both of my Web Servers.