NSX Edge Load Balancer – One Arm Mode

In the topology above, NSX edge load balancer is deployed in one arm mode.
NSX edge load balancer has a single layer 3 interface which is connected to Distributed Logical Router via a logical switch.
This logical switch is dedicated for Load Balancing Tier.
There is also a Web Tier hosting web servers and these web servers are connected to Distributed Logical Router via Web Tier logical switch.
Pool members corresponding to the virtual server are both residing on this Web Tier Logical switch.
The routing topology of this whole setup has already been covered in this post here.

 

The single vnic of NSX Edge Load Balancer has primary IP address as 172.16.20.100 / 24
The single vnic of NSX Edge Load Balancer also has secondary IP addresses assigned to it as below
Secondary IP 1 – 172.16.20.101
Secondary IP 2 – 172.16.20.102
We will be using one of these secondary IP addresses to create a virtual server.

=========================================

Configuration:

We will first enable the load balancer service on NSX Edge Services Gateway.

Enable Load Balancer Service
Application Profile
Application profile is created then and the details are as below
Application profile name – HTTPS
Application profile type – HTTPS
Certificate – For this lab setup, we have used a self-signed certificate.
Server Pool
Server pool is created as below
Pool name – pool
Algorithm – Round robin
Members – Virtual Machine web-01a, tcp/80
Members – Virtual Machine web-02a, tcp/80
Virtual Server
Virtual server is created using the secondary IP address and the virtual server details are as below
Virtual Server IP – 172.16.20.101
Virtual Server port – 443
Application Profile – HTTPS
Server pool name – pool
====================================

 

A management station is residing on the physical network with IP address as 192.168.110.10
We have also taken packet captures on the NSX Edge Load Balancer interface for below communications
  • Communication between the management station and the virtual server 172.16.20.101, tcp port 443
  • Communication between NSX Edge Load Balancer and the pool members.

     

    Comm. between Mgmt. Station & Virtual Server
    Comm. between load balancer & pool members

It is worth noting that in the case when a secondary IP address 172.16.20.101 is assigned to single vnic of NSX Edge Load Balancer & the secondary IP address is used to create virtual server, the load balancer uses the primary IP address 172.16.20.100 to establish a connection between itself and the pool members.

Both the above packet captures are done at the same time while trying to access the web page at https://172.16.20.101
NSX Edge Load Balancer is working as a reverse proxy and from the packet captures, it is evident that there are two different TCP connections –

  1. One between initiator and load balancer
  2. The other between load balancer and pool member

============================================================

NSX Edge Load Balancer supports below features:

1. SSL Offload
2. SSL Bridging
3. HTTP Profile with ‘insert X-Forwarded-For’
4. Cookie based persistence as well as source IP based persistence is supported.
5. Redirection from http to https
6. Multiple ciphers can be used.
7. Load balancing algorithms which are supported are:

  • Round robin
  • IP Hash
  • Least connection
  • URI
  • HTTPHEADER
  • URL

=============================================================

Some very useful resources:

NSX Admin Guide
https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/nsx_64_admin.pdf

NSX Reference Design Guide
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmw-nsx-network-virtualization-design-guide.pdf

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s