Faatech

Security & Networking

Basic example of L4-TCP Load-Balancing with NSX-T

On

In

,

Update: The NSX-T load balancer has been deprecated starting from NSX-T 3.2 in favor of NSX Advanced Load Balancer. Please see my guide for NSX ALB here.

NSX-T’s load balancer can be used in front of your web-servers to share the load evenly. Various algorithms such as IP Hash, Round Robin, Weighted Round Robin etc. can be used to control the balance of the load. There are two types of load balancers available and for this demonstration we’ll be using the inline load balancer. Furthermore we’re only using the L4-TCP method which is quite limited in comparison to what L7-HTTP can do. That makes sense because the transport layer isn’t taking TLS certificates or domain names in consideration.

On the physical router we’ve translated our public address to the load balancer’s Virtual IP address (VIP). It goes through an algorithm before determining which web-server (VM) to use.

Prerequisites

  • NSX-T Manager
  • Host transport nodes (such as an ESXI host)
  • Edge transport nodes
  • Two or more web-servers e.g. Nginx/Apache
  • BGP/OSPF configured to advertise routes to the upstream router
  • Destination NAT Policy configured on the upstream router (translating the public address to the VIP address)

Route advertisement

Under our T1 gateway we have to enable ‘All LB VIP Routes’ and ‘All LB SNAT IP Routes’, so that these addresses are advertised to our T0 gateway.

Then we also want our T0 gateway to advertise these addresses to our physical router. Under T0 GW > Route Redistribution > Select ‘LB VIP’ and ‘LB SNAT IP’

Server Pools

I have added both of my web-servers in a group on a per-VM basis and then it was used in a server pool. Feel free to change the algorithm. Alternatively you can make the group first before configuring a server pool and this should be done under Inventory > Groups

Load Balancer

Add a new load balancer and select the T1 gateway.

Virtual Server

Add a new Virtual Server. Select the load balancer profile and the server pool we made earlier. The IP address here will be a VIP address. Port should be 80 and/or 443 depending on whether TLS is being used or not.

Testing

By browsing to http://192.168.0.194 it will redirect me to 172.16.10.100 or 172.16.10.101. It’s a good idea to include the IP address in the index.html file of that particular web-server so that you get an idea of which web-server is responding. Keep in mind that browsers tend to be stubborn and keep presenting the same page. So just launch a new private window to check if the other web-server is responding or not.

Leave a Reply

Your email address will not be published. Required fields are marked *