Configure and Manage Logical Load Balancing

 
There are two types of load balancing services to configure in NSX, a One-Armed mode, otherwise known as a proxy mode, or the Inline mode, otherwise known as the transparent mode. I have defined these briefly below. NSX supports the integration of 3rd party vendors if needed, however I believe these to be outside of the scope of this exam so I will only cover One-Armed and Inline mode.
 

One-armed / Proxy Mode

The Edge Services Gateway (ESG) is essentially a proxy for incoming client traffic. The client will sent traffic to the Virtual IP (VIP) which is provided by the load balancer. Once the ESG receives the traffic, it will perform two different operations, a DNAT or Destination Network Address Translation (DNAT) to change the VIP the IP of one of the load balanced machines, and a Source Network Address Translation (SNAT) to change the client IP address with the ESG IP. Once that is complete the ESG server sends the traffic to the load balanced server and the load balanced server sends the response back to the ESG then back to the client. This option is much easier to configure than the Inline mode, but has two potentials caveats. The first is that this mode requires a dedicated ESG server, and the second is that the load balancer servers are not aware of the original client IP address.
 
Inline / Transparent Mode – In this mode, the external client sends a request to the VIP and the ESG performs a DNAT (no SNAT on incoming traffic) to replace the VIP address with the IP address of one of the load balanced servers. From there, the corresponding load balanced server will reply to the client IP address; Since the SNAT was not yet performed, the load balanced server is aware of the client IP address and sends it back to the ESG. The ESG must be deployed in line, typically meaning the ESG will be the default gateway of the load balanced servers. The ESG then performs the SNAT replacing the source IP with the VIP address and sends the traffic back to the external client.
 
Let’s go over the steps configuration of One Arm Load Balancing. As required, I will be deploying a dedicated ESG gateway.
 
Step 1. Deploy an ESG gateway by navigating to Home -> Networking & Security -> NSX Edges then click on the + sign.
 
1
 
Step 2. Select Edge Services Gateway and specify a Name then click Next
 
2
 
Step 3. Specify a Username and Password and check Enable SSH access then click Next
 
3
 
Step 4. Specify a Datacenter the Appliance Size then click + to choose a Cluster, Datastore, Host and Folder then click OK and Next
 
4
 
Step 5. Click + to add a new interface and specify the Name, Type (Internal), Logical Switch, and IP address then click OK and Next
 
5
 
Step 6. Configure the Default Gateway and MTU then hit Next
 
6
 
 
Step 7. Check Configure Firewall default policy and select the radio button Accept for Default Traffic Policy the hit Next
 
7
 
Step 8. Confirm your settings then hit Finish
 
8
 
One the ESG is deployed, you will want to double click on it under NSX Edges
 
9
 
Step 9. Under the Manage -> Load Balancer tab click Edit
 
10
 
Step 10. Check the box Enable Load Balancer then click OK
 
11
 
Step 11. Create an application profile by selecting Applications profiles then click the +
 
12
 
Step 12. Specify a Name for the profile as well as the Type then check Enable SSL Passthrough and hit OK
 
13
 
Step 13. Select Pools then click +
 
14
 
Step 14. Specify the Name, algorithm, and Monitor then click + to add the members. For more information on Service Monitor’s and creation, please see Create/Modify/Remove a Service Monitor. Note: If you would like to use Inline / Transparent Mode instead of One-Arm mode, you would select the Transparent checkbox here.
 
15
 
Step 15. Create a Virtual Server by clicking the + under Virtual Servers
 
17
 
Step 16. Specify a Name, IP, Protocol, Port and Pool then hit OK
 
18
 
That’s it! The ESG is now configured as a One-Arm Load balancer for both of my Web Servers.
 

2 Comments

  1. Rajeev -  May 16, 2016 - 12:13 am 471

    Hi Sean

    In transparent/inline mode the default G/W for the VM will be the IP Address of the NSX Edge GW.
    In normal scenario all the VM’s DG will be of the DLR (its LIF’s IP Address)
    Would like to know , for the VMs which needs to be load balanced is it required to the DG as Edge GW.

    Reply
    • KVR -  December 15, 2016 - 10:47 am 545

      Hi Rajeev,

      AFAIK, it’s not mandatory that the DG of pool members should be LB VIP. But if the pool server wants to see the source-ip, then the DG of those pool servers should be LB VIP

      Reply

Leave A Comment

Your email address will not be published. Required fields are marked (required):

Back to Top