This post is part of my VMware VCIX-NV Study Guide and covers the Logical Load Balancers inside the NSX suite.


Load Balancing inside NSX
VMware NSX supplies a basic form of load balancing, which can be enabled and configured inside the NSX Edge Services Gateway (ESG). It covers the basic load balancing tasks and is mostly used to scale out web applications over multiple web virtual machines.

If the basic form of the NSX Load Balancer does not fit your requirements because you need advanced rulesets, health check scripting, GSLB and other features, the VMware NSX Partner Ecosystem will be able to help you out. Among others, F5, Citrix and Radware have an integration between NSX and their products, so you can take advantage of their products and closely tie them in to NSX.

http://roie9876.wordpress.com/

The Load Balancing feature in the ESG can be deployed using a few methods:

One-armed mode (or proxy mode)
The ESG lives inside the virtual machine network and proxies the traffic to the web virtual machines from its own IP address, so the web virtual machines reply directly to the ESG. The ESG then forwards the response to the client. The traffic flow goes as follows:

  • User connects to an IP address that lives in the ESG (virtual-IP or VIP).
  • The ESG performs a destination NAT to replace the VIP with the address of one of the web servers in the configured pool. It also performs a source NAT to replace the user's IP address with its own IP address.
  • The ESG forwards the request to the web server.
  • The web server replies to the ESG, because the ESG replaced the user's IP address with its own.
  • The ESG relays the web server's response to the user.

This configuration is possibly the fastest to deploy, but it has a few drawbacks. The first is that the web server does not see the original user as the incoming IP address, which has an impact on traffic analysis. To be fair, it is a widely used configuration and the user IP is not entirely lost: you can enable an option called “Insert X-Forwarded-For HTTP Header”, which makes the ESG send the user IP along in the HTTP headers, where the web server can pick it up for analysis. Keep in mind that any client can send an X-Forwarded-For header of its own, so the web server should only trust that header on requests that actually arrive from the ESG.
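The way a web server behind a one-armed ESG should read that X-Forwarded-For header, as an added example written for this guide (not NSX code): the header is only honoured when the TCP peer is the ESG, and then only the right-most hop that is not an internal proxy is used, because that is the value the ESG appended and anything further left came from the client. The ESG address range and the sample requests are constructed for the example.

```python
# Added example for this guide (not NSX code): deriving the real client
# address from X-Forwarded-For behind a one-armed ESG.
import ipaddress
from typing import Optional

# The ESG address(es) as seen by the web server; an assumption for the example.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to log or act on for one request.

    remote_addr is the TCP peer (the ESG in one-armed mode); xff_header is
    the raw X-Forwarded-For value, or None when the ESG does not insert it.
    The header is trusted only when the peer is a trusted proxy, and then
    only the right-most untrusted hop is used: that is the one the ESG
    appended, while hops further left were supplied by the client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # garbage in the header: fall back to the peer
        if _is_trusted(addr):
            continue  # an internal hop, keep walking left
        return str(addr)
    return str(peer)


# Constructed sample requests as (peer address, X-Forwarded-For header).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "203.0.113.7"),                # via the ESG: the real client
    ("192.0.2.9", "203.0.113.7"),               # direct hit with a forged header
    ("10.0.0.5", "198.51.100.1, 203.0.113.7"),  # client forged the first hop
    ("10.0.0.5", None),                         # header insertion disabled
]


def resolve_all():
    """Resolve every sample request; the ESG-appended hop wins each time."""
    return [client_ip(peer, xff) for peer, xff in SAMPLE_REQUESTS]
```

Taking the left-most value instead, which many log parsers do by default, would turn the third request into a request from 198.51.100.1, an address the client chose.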

Another drawback (or benefit, depending on how you look at it) is that you need a dedicated ESG that does only load balancing. An existing ESG that serves as the default gateway of your web virtual machines cannot be configured in this mode. If you want the ESG that serves as the default gateway to handle load balancing too, pick the next option:

Inline mode (or transparent mode)
With inline mode, the ESG performing the load balancing is literally in the path of the network traffic to the web servers. The web servers must have the inline ESG configured as their default gateway, so the most logical choice is the ESG that already is the default gateway of the web servers. Inline mode works as follows:

  • User connects to an IP address that lives in the ESG (virtual-IP or VIP).
  • The ESG performs a destination NAT to replace the VIP with an IP address of the web servers in the configured pool.
  • The ESG forwards the request to the web server.
  • The web server receives the request with the user's IP address as the source and replies directly to the user.
  • Because the ESG is the web server's default gateway, the response passes through the ESG on its way out.
  • The ESG updates the load balancing service and forwards the response to the uplinks.

This method leaves the user (origin) IP address intact, which allows the web servers to act on the origin (block/allow or analyse). The drawback is that the ESG has to be in the path of the web servers, which makes the design less flexible.

 

Configure the Load Balancer service

Requirements:

  • Existing NSX Edge Services Gateway.

VMware Documentation: Configure Load Balancer Service

Before you can configure anything related to load balancing, you need to enable the load balancing service on the ESG you're working with.

Enable the Load Balancer service

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Edges” menu.
  • Choose the NSX Edge you want to modify and select the “Manage” tab.
  • Then select the “Load Balancer” sub-tab and select the “Global Configuration” sub-menu.
  • Once there, click the “Edit” button on the right side of the “Load balancer global configuration” table.
  • Tick “Enable Load Balancer”, tick “Logging” and set a “Log Level” if you want it to log.
  • If you’re not going to use any Layer-7 features, tick “Enable Acceleration”. This makes the ESG use the faster Layer-4 only load balancing engine and disables any Layer-7 features.
  • “Enable Service Insertion” is for third party load balancer vendors. When you’re deploying such vendors product, enable this option, select the service definition and configuration and any required configuration needed (the window will tell you what is required) to complete the wizard.

 

Create/Modify/Remove a service monitor

Requirements:

  • Existing NSX Edge Services Gateway with Load Balancing Service enabled.

VMware Documentation: Create a Service Monitor

Service Monitors define how a server that is being load balanced (a loadbalancee?) is checked to decide whether it is alive and should receive user requests. You can check several things: an HTTP or HTTPS request, a TCP or UDP port and an ICMP ping.

When using an HTTP(S) request, you can define the interval at which it is checked, the type of HTTP request (GET, OPTIONS or POST), the URL to test and, most importantly, a string that should be received back. If the response is not what you expect, the server is taken out of the pool so it does not receive any new requests. Using this, you can serve a page that simply spells out “OK” when all services are fine (the database connection works, the scheduled tasks are running, etc.) and perform a granular health check. Since such a page reveals the state of your backend, restrict it to the ESG's address rather than exposing it to everyone.
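What the monitor does with those settings, as an added example written for this guide (not NSX or HAProxy code): a probe passes only when the status line starts with the “Expected” value and the body contains the “Receive” string, a timeout counts as a failure, and the member leaves the pool after the configured number of consecutive failures. The responses are constructed for the example and the single-good-probe recovery rule is an assumption of this model.

```python
# Added example for this guide (not NSX code): the service-monitor decision
# logic run over constructed HTTP responses from a /health page.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServiceMonitor:
    expected: str = "HTTP/1.1 200"  # "Expected": the status line must start with this
    receive: str = "OK"             # "Receive": this text must appear in the body
    max_retries: int = 3            # consecutive failures before the member is pulled


@dataclass
class PoolMember:
    name: str
    up: bool = True
    failures: int = 0


def response_is_healthy(raw: Optional[bytes], monitor: ServiceMonitor) -> bool:
    """raw is a complete HTTP response; None models a probe that timed out."""
    if raw is None:
        return False
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if not status_line.startswith(monitor.expected):
        return False
    return monitor.receive.encode() in body


def apply_probe(member: PoolMember, raw: Optional[bytes], monitor: ServiceMonitor) -> bool:
    """Update the member after one probe and return whether it stays in rotation.

    One good probe puts the member back into the pool (an assumption here;
    a production monitor may require several).
    """
    if response_is_healthy(raw, monitor):
        member.failures = 0
        member.up = True
    else:
        member.failures += 1
        if member.failures >= monitor.max_retries:
            member.up = False
    return member.up


# Constructed responses from a /health page as the text describes it.
HEALTHY = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nOK\n"
DB_BROKEN = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nDB CONNECTION FAILED\n"
ERROR_PAGE = b"HTTP/1.1 500 Internal Server Error\r\n\r\nOK\n"  # 'OK' in body, wrong status


def simulate(probes: List[Optional[bytes]], monitor: ServiceMonitor = ServiceMonitor()) -> List[bool]:
    """Feed a probe sequence to one member and return its state after each probe."""
    member = PoolMember("web-01")
    return [apply_probe(member, raw, monitor) for raw in probes]
```

Note that a 200 response whose body says the database is broken fails the check just like a 500 does, which is exactly why the “Receive” string is the important setting.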

Adding a Service Monitor

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Edges” menu.
  • Choose the NSX Edge you want to modify and select the “Manage” tab.
  • Then select the “Load Balancer” sub-tab and select the “Service Monitoring” sub-menu.
  • Click the “+” icon to add a service monitor.
  • Enter a name, the interval it should be checked, the timeout and maximal retries.
  • Then select the monitor type; as mentioned, you can pick between HTTP, HTTPS, TCP, ICMP and UDP.
  • Configure the specific monitor type parameters.
    • HTTP(s): Pick the HTTP method (GET, OPTIONS or POST), expected HTTP header (i.e. HTTP/1.1), the URL to check, “Send” can be POST values to send and “Receive” is the response text that we’re looking for.
    • TCP/UDP: You can send specific text (“Send”) over the port and check the reply (“Receive”).
    • ICMP: Has no settings. What do you want, it’s a ping. 😉
  • The “Extension” textfield can be used to extend the check with a bunch of settings, which are defined in the manual.
  • Click “OK” when you’re done.

To edit or remove a Service Monitor, simply select it and use the pencil or cross icon to do what you need to do.

 

Create/Modify/Remove a server pool

Requirements:

  • Existing NSX Edge Services Gateway with Load Balancing Service enabled.
  • Already added a Service Monitor.

VMware Documentation: Add a Server Pool

Server Pools are where the servers that do the work live: a collection of worker servers that will be attached to a virtual IP address later on. A few settings are important here, mainly the algorithm:

ROUND-ROBIN
Each server has a weight assigned to it. The requests are assigned to the servers in the pool according to that weight. If you have a pool of 2 servers with a weight of 50 each, they will both get 50% of the requests. If you have a pool of 2 servers where one has a weight of 25 and the other a weight of 75, they will respectively get 25% and 75% of the requests.

IP-HASH
The balancing is determined by a hash of the source and destination IP address of the requests. This basically means the same user will get the same server each request (unless that server dies).

LEAST-CONN
This mode keeps an eye on the active connections to the servers in the pool. When a new request comes in, it is assigned to the server with the least amount of active connections.

URI
This mode takes the URI (the /this/is/the/URI part of http://lostdomain.org/this/is/the/URI), hashes it and assigns it to a server. This basically means that requests for a specific URI will be handled by the same server (until it dies).
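The four algorithms side by side, as an added toy model written for this guide (not the ESG's implementation): weighted round-robin uses the smooth weighted scheme found in HAProxy and nginx so a 25/75 split is spread out rather than sent in runs, the two hash modes bucket onto the members that are currently up, and LEAST-CONN picks by open connections. The hash function and the sample addresses are assumptions of the example.

```python
# Added example for this guide (not NSX code): a toy model of the four
# pool algorithms so their behaviour can be compared on constructed traffic.
import hashlib
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit


def _bucket(key: str, members: List[str]) -> str:
    """Stable hash of key onto the member list (SHA-256 is an assumption)."""
    digest = hashlib.sha256(key.encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


class Pool:
    def __init__(self, weights: Dict[str, int]):
        self.weights = dict(weights)   # member name -> weight
        self.up = sorted(weights)      # members currently passing the monitor
        self.active = Counter()        # open connections per member (LEAST-CONN)
        self._credit = Counter()       # smooth weighted round-robin state

    def mark_down(self, name: str) -> None:
        """The monitor failed this member: hash modes re-bucket onto the rest."""
        self.up = [m for m in self.up if m != name]

    def round_robin(self) -> str:
        # Smooth weighted round-robin: every up member gains its weight, the
        # richest one serves and pays back the total, so 25/75 comes out as
        # b,a,b,b repeating instead of a followed by three b's.
        total = sum(self.weights[m] for m in self.up)
        for m in self.up:
            self._credit[m] += self.weights[m]
        chosen = max(self.up, key=lambda m: self._credit[m])
        self._credit[chosen] -= total
        return chosen

    def ip_hash(self, src_ip: str, dst_ip: str) -> str:
        return _bucket(f"{src_ip}->{dst_ip}", self.up)

    def least_conn(self) -> str:
        return min(self.up, key=lambda m: self.active[m])

    def uri(self, url: str) -> str:
        return _bucket(urlsplit(url).path or "/", self.up)


def round_robin_split(weights: Dict[str, int], requests: int = 100) -> Counter:
    """How many of `requests` each member gets under weighted round-robin."""
    pool = Pool(weights)
    return Counter(pool.round_robin() for _ in range(requests))


def sticky_client(pool: Pool, src_ip: str, dst_ip: str, requests: int = 10) -> bool:
    """True when every request from src_ip lands on the same member (IP-HASH)."""
    first = pool.ip_hash(src_ip, dst_ip)
    return all(pool.ip_hash(src_ip, dst_ip) == first for _ in range(requests))
```

Marking a member down changes the modulus, so with a plain hash like this every client is re-bucketed, not only the ones that were on the failed server; that is the price of the “unless that server dies” clause in the text.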

Let’s move on to actually creating a Server Pool.

Create a Server Pool

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Edges” menu.
  • Choose the NSX Edge you want to modify and select the “Manage” tab.
  • Then select the “Load Balancer” sub-tab and select the “Pools” sub-menu.
  • Click the “+” icon to add a server pool.
  • Give the new pool a name and optional description. Select the algorithm and the service monitor you want to use.
  • Add the member servers to the pool by clicking the “+” icon in the “Members:” table.
  • In the popup screen, give the member a name, enter its IP address and port where it will receive the requests and optionally give the server a weight and limit the connections. Click “OK” when you’re done.
  • Repeat this for all member servers.
  • Tick the “Transparent” check for Inline mode. Leaving that disabled will enable One-armed mode for this server pool.
  • Click “OK” when you’re done.

To edit or remove a Server Pool, simply select it and use the pencil or cross icon to do what you need to do.

 

Create/Modify/Remove an application profile and rules

Requirements:

  • Existing NSX Edge Services Gateway with Load Balancing Service enabled.

VMware Documentation: Create an Application Profile, Add an Application Rule

Application profiles are rules and settings on how the NSX Load Balancer treats an application and what information it inserts into the request towards the server handling the request. It specifies the persistence of a request (based on a cookie or source IP address), configures SSL offloading (and the used SSL certificate) or passthrough and does an optional HTTP redirect. For TCP

How you configure these profiles depends on the requirements of your application and therefore differs per application. Work out the settings together with your developer colleagues.

Create an Application Profile

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Edges” menu.
  • Choose the NSX Edge you want to modify and select the “Manage” tab.
  • Then select the “Load Balancer” sub-tab and select the “Application Profiles” sub-menu.
  • Click the “+” icon to add an application profile.
  • Give the profile a name and select its type. Based on the type, select the application specific settings.
  • Click “OK” when you’re done.

To edit or remove an Application Profile, simply select it and use the pencil or cross icon to do what you need to do.

 

Application Rules

Application rules are a way to manipulate application traffic based on certain triggers. An example would be to redirect a user when a certain cookie is set (or not set), or to redirect to a secure (https) login page when the user requests an insecure one. These rules are written in the HAProxy configuration language; a redirect of plain HTTP requests to HTTPS, for instance, reads “redirect scheme https if !{ ssl_fc }”. For more examples, have a look at the manual.

Adding an Application Rule

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Edges” menu.
  • Choose the NSX Edge you want to modify and select the “Manage” tab.
  • Then select the “Load Balancer” sub-tab and select the “Application Rules” sub-menu.
  • Click the “+” icon to add a rule.
  • Give the rule a name and enter the rule script into the “Script” text field.

To edit or remove an Application Rule, simply select it and use the pencil or cross icon to do what you need to do.

 

Create/Modify/Remove virtual servers

Requirements:

  • Existing NSX Edge Services Gateway with Load Balancing Service enabled.
  • You’ve created an Application Profile, Service Monitor and Server Pool.

VMware Documentation: Add Virtual Servers

The virtual server is what it all is about. This is what ties it all together and activates all your previous settings. Inside the virtual server you will find the virtual IP address (VIP) and references to an application profile and a server pool. When you’ve created a virtual server, you should be able to connect to the virtual IP address and enjoy the magic of being load balanced.

Creating a Virtual Server

  • Login to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “NSX Edges” menu.
  • Choose the NSX Edge you want to modify and select the “Manage” tab.
  • Then select the “Load Balancer” sub-tab and select the “Virtual Servers” sub-menu.
  • Click the “+” icon to add a virtual server.
  • In the popup window, select the application profile, give the VIP a name and optional description. Then select the IP address you want to use as VIP. This IP should be already attached to the ESG.
  • Select the protocol you want to load balance (HTTP, HTTPS, TCP or UDP). Enter the port number for the virtual server to listen on and select the server pool.
  • Optionally give a total Connection Limit and/or a Connection Rate Limit (per second) and click “OK” when you’re done.

Congratulations, you now have a functioning load balancer! Connect to the virtual IP address to try it out.
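Everything clicked through above (global configuration, service monitor, server pool, application profile and virtual server) can also be pushed in one go as the XML body of a PUT to the NSX for vSphere API. The builder below is an added example written for this guide, not VMware code: the element names follow the loadBalancer config object of the NSX 6.x API guide (verify against your version), and the addresses, object IDs and names are assumptions. It only builds and reads back the body; sending it is left to your HTTP client of choice.

```python
# Added example for this guide (not VMware code): the load balancer objects
# from this post as one NSX-v API body for
#   PUT https://<nsx-manager>/api/4.0/edges/<edgeId>/loadbalancer/config
# Element names per the NSX 6.x API guide; IDs and addresses are assumptions.
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple


def _child(parent: ET.Element, tag: str, text=None) -> ET.Element:
    el = ET.SubElement(parent, tag)
    if text is not None:
        el.text = str(text).lower() if isinstance(text, bool) else str(text)
    return el


def endpoint(manager: str, edge_id: str) -> str:
    """URL the body is PUT to (manager address and edge ID are assumptions)."""
    return f"https://{manager}/api/4.0/edges/{edge_id}/loadbalancer/config"


def build_lb_config(vip: str, port: int, members: List[Tuple[str, str, int, int]],
                    transparent: bool = False, insert_xff: bool = True) -> bytes:
    """members: (name, ip, port, weight). transparent=True is Inline mode."""
    root = ET.Element("loadBalancer")
    _child(root, "enabled", True)
    _child(root, "accelerationEnabled", False)  # keep the Layer-7 engine
    logging = _child(root, "logging")
    _child(logging, "enable", True)
    _child(logging, "logLevel", "info")

    mon = _child(root, "monitor")                # Service Monitor
    _child(mon, "monitorId", "monitor-1")
    _child(mon, "name", "http-health")
    _child(mon, "type", "http")
    _child(mon, "interval", 5)
    _child(mon, "timeout", 15)
    _child(mon, "maxRetries", 3)
    _child(mon, "method", "GET")
    _child(mon, "url", "/health")
    _child(mon, "expected", "HTTP/1.1 200")
    _child(mon, "receive", "OK")

    pool = _child(root, "pool")                  # Server Pool
    _child(pool, "poolId", "pool-1")
    _child(pool, "name", "web-pool")
    _child(pool, "algorithm", "round-robin")
    _child(pool, "transparent", transparent)
    _child(pool, "monitorId", "monitor-1")
    for i, (name, ip, mport, weight) in enumerate(members, 1):
        m = _child(pool, "member")
        _child(m, "memberId", f"member-{i}")
        _child(m, "name", name)
        _child(m, "ipAddress", ip)
        _child(m, "port", mport)
        _child(m, "monitorPort", mport)
        _child(m, "weight", weight)
        _child(m, "condition", "enabled")

    prof = _child(root, "applicationProfile")    # Application Profile
    _child(prof, "applicationProfileId", "applicationProfile-1")
    _child(prof, "name", "web-http")
    _child(prof, "template", "HTTP")
    _child(prof, "insertXForwardedFor", insert_xff)
    _child(prof, "sslPassthrough", False)

    vs = _child(root, "virtualServer")           # Virtual Server
    _child(vs, "name", "web-vip")
    _child(vs, "enabled", True)
    _child(vs, "ipAddress", vip)                 # must already be an ESG address
    _child(vs, "protocol", "http")
    _child(vs, "port", port)
    _child(vs, "applicationProfileId", "applicationProfile-1")
    _child(vs, "defaultPoolId", "pool-1")
    return ET.tostring(root, encoding="utf-8")


def summarize(body: bytes) -> Dict[str, object]:
    """Read back the essentials to sanity-check the body before sending it."""
    root = ET.fromstring(body)
    return {
        "vip": root.findtext("virtualServer/ipAddress"),
        "pool": root.findtext("virtualServer/defaultPoolId"),
        "members": [m.findtext("ipAddress") for m in root.findall("pool/member")],
        "transparent": root.findtext("pool/transparent") == "true",
        "xff": root.findtext("applicationProfile/insertXForwardedFor") == "true",
    }


# Constructed example: two web servers behind VIP 192.0.2.10 in One-armed mode.
EXAMPLE_MEMBERS = [("web-01", "10.0.1.11", 80, 1), ("web-02", "10.0.1.12", 80, 1)]
```

Because a PUT replaces the whole load balancer configuration of that edge, fetch the current config with a GET first and merge, or you will silently drop virtual servers someone else configured through the UI.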
