In Part 1 we looked at the deployment of the NSX Edge load balancer in One-Armed/Proxy mode. As detailed, this flavour of NSX Edge load balancer requires nothing from its back-end server pool members, and enables us to quickly and easily add a load balancer to an existing network segment which houses a number of proposed back-end servers.

In-Line/Transparent Mode

In this second post we take a look at the alternative load balancer mode – In-Line/Transparent mode. First of all, unlike the One-Armed/Proxy mode, In-Line load balancers require two logical interfaces (LIFs); one Uplink LIF (connected to either a DLR or upstream Edge) and one Internal LIF. The Internal LIF is directly connected to the network segment housing the back-end servers requiring load-balancing. In addition to this (and unlike the One-Armed/Proxy load balancer), In-Line load balancers are required to act as the default gateway for all back-end servers.

Secondly, an NSX Edge in Transparent mode will only perform DNAT on user traffic, with client IP addresses visible to all the back-end servers. As the NSX Edge will be acting as the default gateway for all back-end servers, it will be on the path of the server response.

Topology

In this post, I utilise the below topology. The NSX Edge load balancer (LB-101) has two LIFs; an Uplink LIF (10.101.1.1) which will act as the VIP (Virtual Server), and an Internal LIF (10.101.10.254) which is directly connected to the Logical Switch, LS-101-10-WEB (10.101.10.0/24). Both back-end servers (101-10-WEB01 and 101-10-WEB02) have been configured to utilise the load balancer’s Internal LIF as their default gateway.

NSX Edge Load Balancers: Part 2 – In-Line/Transparent Mode – Topology

Note, this article assumes your Logical Switches are already in place, and you have created the necessary NSX Distributed Firewall rules. In this example, I will configure the NSX Edge load balancer to pass HTTP Traffic to the back-end Member servers.

NSX Edge – Deployment

1. Create a new NSX Edge Services Gateway. Note, for my lab environment I will not enable High Availability. When ready, click Next.

2. Configure CLI credentials, and click Next.

3. Configure the Appliance Size and Resources. Again, for lab purposes, the Compact appliance size is more than appropriate. When ready, click Next.

4. Next, we will configure two interfaces; one Uplink LIF, and one Internal LIF. Click the + button to begin.

5. First of all, create one Uplink LIF, assign it a Name, and connect it to the upstream Logical Switch (or to a VLAN by selecting the appropriate VDS). As per the topology diagram, the Uplink LIF will connect to the Logical Switch, LS-101-TRANSIT. Assign a Primary IP Address (this will be used as the load balancer’s virtual IP address) and, when ready, click OK.

Note – 10.101.1.1 has been assigned to the Uplink LIF and will be utilised in a future step as the virtual IP address of our new application pool. Additional/secondary IP addresses can be added and mapped to additional application pools (more on this in a later step), meaning one load balancer is capable of load balancing multiple applications.

6. Repeat the previous step to create an Internal LIF, assign it a Name, and connect it to the downstream Logical Switch (LS-101-10-WEB) which houses our back-end servers. Assign a Primary IP Address (this will be used as the default gateway for all back-end servers) and, when ready, click OK.

7. Confirm the configuration and click Next.

8. As per the topology diagram, the default gateway of this NSX Edge will be a perimeter NSX Edge (10.101.1.254). Configure accordingly and click Next.

9. For lab purposes, I will not configure any firewall policies. Also, as we are not deploying the appliance in HA mode, all HA parameters will be greyed-out. Click Next.

10. Confirm the NSX Edge configuration, and click Finish to deploy.

NSX Edge – Load Balancer Readiness Tasks

Firstly, let us review the interfaces of our new NSX Edge, of which, there are two:

  • Uplink LIF (10.101.1.1) – This will act as our load balancer’s virtual IP address.
  • Internal LIF (10.101.10.254) – This will be directly connected to the Logical Switch, LS-101-10-WEB, which houses our two back-end servers. The IP address of the Internal LIF will act as the default gateway to all back-end servers.
NSX Edge Services Gateway, shown here with two Logical Interfaces, in readiness for Load Balancer configuration.

Secondly, as mentioned above, ensure the default gateway of all back-end servers is set to the Internal LIF (10.101.10.254) of the NSX Edge.

Ensure to set the default gateway of all back-end servers to target the Internal LIF of the NSX Edge.

Lastly, ensure connectivity to each step of the topology is successful.

NSX Edge – In-Line Load Balancer Configuration

1. Browse to Manage > Load Balancer > Global Configuration and click Edit.

2. Ensure Enable Load Balancer is ticked, and click OK.

3. Browse to Manage > Load Balancer > Application Profiles and click +.

Application Profiles – An Application Profile is used to define the behaviour of a particular type of network traffic, and is associated with a virtual server (virtual IP address). The virtual server then processes traffic according to the values specified in the Application Profile. This allows us to perform traffic management tasks with greater ease and efficiency.

4. As mentioned previously, we are only interested in load balancing for resilience at the moment (we’ll expand on this as we progress with this series of NSX Edge Load Balancer posts). As such (and as detailed below), we will set the Application Profile Type to TCP.

5. Confirm creation of the new Application Profile.

6. Browse to Manage > Load Balancer > Pools and click +.

Pools – A Pool is simply a group of back-end servers (aka, Members), and is configured with a load-balancing distribution method/algorithm. A service monitor (optional) can also be configured and, as this suggests, is used to perform health checks on its Members.

7. Give your new Pool a Name and Description, then choose its distribution method/Algorithm and Monitors.

8. When ready, click + to add your back-end/member servers. For this, either click Select to choose a vSphere object, or simply type the destination IP address.

9. Define the Port (in this instance I am load-balancing HTTP/80 traffic) and Monitor Port (also port 80). When done, click OK.

10. Tick Transparent and click OK.

Note, as mentioned above, NSX Edges configured in Transparent mode will only perform DNAT on user traffic, with client IP addresses visible to all the back-end servers. As the NSX Edge will be acting as the default gateway for all back-end servers, it will be on the path of the server response.

11. Confirm creation of the new Pool.

12. Check your newly created Pool’s health status by clicking Show Pool Statistics. The Status of both Pool and its Members should show UP.

13. Browse to Virtual Servers and click +.

14. From the Application Profile drop-down menu, select the recently created Application Profile, give the Virtual Server a Name and Description, and click Select IP Address to select the IP address which we allocated to the Uplink LIF in an earlier step (10.101.1.1).

15. Lastly, set the Protocol to TCP, Port/Port Range to 80, and set the Default Pool to the pool we created in steps 6-11.

16. Confirm creation of the new Virtual Server.

17. Finally, browse to the Virtual Server IP address (http://10.101.1.1) to confirm load-balancing to each of the Pool Members is successful. In the below screenshot, traffic is routed to the VM, 101-10-WEB01.

18. After a refresh, I am directed to 101-10-WEB02.
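
Steps 17 and 18 confirm distribution by refreshing a browser. The check below, an added example that is not part of the original post, does the same from the pool members' access logs and also confirms the Transparent-mode property noted in step 10: back-ends log the real client address rather than the load balancer's. It assumes common-log-format access logs; the log lines and the 192.168.50.x client addresses are constructed, and treating 10.101.10.254 as the source of health-monitor or non-transparent traffic is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Internal LIF from the topology. Assumption: non-transparent (SNATed) and
# HTTP health-monitor requests would arrive from this address.
LB_INTERNAL_LIF = ipaddress.ip_address("10.101.10.254")

# Constructed sample access-log lines, keyed by pool member.
SAMPLE_LOGS = {
    "101-10-WEB01": [
        '192.168.50.20 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
        '10.101.10.254 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.0" 200 512',
        '192.168.50.21 - - [01/Jan/2024:10:00:09 +0000] "GET / HTTP/1.1" 200 512',
    ],
    "101-10-WEB02": [
        '192.168.50.20 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 498',
        'truncated line without a source address field',
    ],
}

SOURCE_RE = re.compile(r"^(\S+) \S+ \S+ \[")  # first field of common log format

def summarise(logs, lb_ip=LB_INTERNAL_LIF):
    """Per member: request count, distinct client sources, hits from the LB."""
    report = {}
    for member, lines in logs.items():
        sources = Counter()
        for line in lines:
            match = SOURCE_RE.match(line)
            if not match:
                continue  # malformed or truncated line
            try:
                sources[ipaddress.ip_address(match.group(1))] += 1
            except ValueError:
                continue  # first field is a hostname, not an address
        clients = sorted(str(ip) for ip in sources if ip != lb_ip)
        report[member] = {"requests": sum(sources.values()), "client_sources": clients,
                          "from_lb": sources.get(lb_ip, 0)}
    return report

def findings(report):
    """Flag members that get no traffic or never see a real client address."""
    out = []
    for member, r in report.items():
        if r["requests"] == 0:
            out.append(f"{member}: no requests logged, member is not receiving traffic")
        elif not r["client_sources"]:
            out.append(f"{member}: all requests sourced from the load balancer, client IPs hidden")
    return out

if __name__ == "__main__":
    print(summarise(SAMPLE_LOGS), findings(summarise(SAMPLE_LOGS)))
```

A member that only ever logs 10.101.10.254 as the source is either receiving monitor traffic alone or is being reached through SNAT, which means per-client logging and any source-based access rules on the back-end will not work as intended.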

Conclusion

Having now covered both One-Armed (Proxy) and In-Line (Transparent) modes, we will look to cover further use cases and troubleshooting in future posts.
