The source IP address used by Avi Load Balancer SEs for server back end connections can be overridden through an explicit user-specified address (Source NAT (SNAT) IP address).
The SNAT IP address can be specified as part of the virtual service configuration.
Uses for SE SNAT
In some deployments, it is required to identify traffic based on source IP address, to provide differential treatment based on the application. For instance, in DMZ deployments there can be firewall, security, visibility, and other types of solutions that might need to validate clients before passing their traffic on to an application. Such deployments use the source IP to validate the client.
A single SE can host multiple VIPs, so a firewall sitting between the SE and back end servers would normally see all traffic coming from the same SE interface IPs, no matter what virtual service the traffic belongs to. In contrast, with per-VS SNAT, the firewall will see a source IP it can use to filter traffic based on what application it is coming from (since the firewall knows the VS-SNAT-IP mapping established by the admin).
In the following example, SNAT is used to identify the application type for a VIP’s traffic. Traffic destined for email servers must pass through a SPAM filter and anti-virus checks, while traffic destined for DocShare servers needs to undergo anti-virus and malware filter checks.
(The topology representation is logical rather than physical. For instance, email and DocShare servers can both be running on the same host and be in the same pool. For instance, the set of email or DocShare servers does not need to be physically connected to the rest of the network through a single segment, and so on.)
One SNAT Address per SE
If a virtual service uses SNAT, the virtual service's configuration must include a unique SNAT address for each SE that the virtual service can use. For instance, if the SE group for the virtual service’s pool can be scaled out to a maximum of four SEs, the SNAT list within the virtual service configuration must contain four unique SNAT addresses.
Unlike some other load balancing systems, Avi Load Balancer does not require an entire pool of SNAT IP addresses per virtual service, even for a single load balancing appliance. Avi Load Balancer does not have the limitation of 64k port numbers for a single device. Avi Load Balancer is designed to allow a single source IP to have more than 64k connections across an application’s back end servers. Up to 48k open connections can be established to each back end server.
Server requires Original Client Source IP Address
By default, the Avi Load Balancer Service Engines (SE) perform Source Network Address Translation (SNAT) of the client source address. This means application servers will see the Avi Load Balancer SE’s IP address as the source IP of the traffic.
For HTTP traffic, consider enabling the X-Forwarded-For header, which inserts the original client IP into the HTTP header of client requests.
For the stateless UDP protocols, such as DNS or Syslog, the TCP/ UDP network profile can be set to deactivate Source NAT.
Apart from SNAT, the application servers can be configured with a default gateway that points to the Service Engine IP address, so that all traffic is routed back through the SEs to the clients. For more information on this, see Default Gateway (IP Routing on NSX Advanced Load Balancer SE).