This topic discusses the pre-requisites and steps to configure Preserve Client IP for NSX-T overlay deployments.

Load balancing solutions for some applications (particularly in Layer 4 mode) require the client IP address to be presented as the source IP address when the packet lands on the backend pool server member. Avi Load Balancer supports this functionality; see the Preserve Client IP section in the VMware Avi Load Balancer Configuration guide.

This solution is generally deployed by making the default gateway of the backend server point to a floating IP. The floating IP is hosted on the active Service Engine's backend interface. However, in this mode, the servers' default gateway has to be modified or updated to point to the floating IP. The NSX-T overlay deployment model, being in layer three mode, has complications for preserving the client IP.

Service Insertion Framework

VMware NSX-T provides the service insertion framework, which has the ability to redirect traffic. The NSX-T service insertion framework is used to steer the return traffic from the backend server to the floating IP of the active SE without needing to change the default gateway of the backend server. Avi Load Balancer automatically creates and manages the required redirection rules for each virtual service configured for Preserve Client IP.

Figure 1. Service Insertion Framework
Note:
  • Preserve Client IP/Service Insertion will not work on NSX-T overlay with port translation disabled (in the Avi Load Balancer UI, the Disable Port Translation option under Pool > Advanced Setting), because the redirect rule that attracts return traffic from the server is based on the configured server IP:server port.

  • The Service Insertion rule redirects return traffic from the server to the SE based on server IP and server port. If there are multiple ports on the front end and there is no matching server port entry in the pool, the redirect rule will not work unless the port is translated, because the rules are specific to server IP:server port only.

  • Set Use_service_port to false (that is, enable port translation) if Preserve Client IP/Service Insertion is used with NSX-T overlay.
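
The port-matching behaviour described in the note above, as an added example (not taken from Avi Load Balancer or NSX-T code): a simplified model that keys redirect rules on server IP:server port and lists the front-end ports whose return traffic would match no rule. The dict layout, addresses, ports and function names are constructed for illustration; only the use_service_port setting comes from the note.

```python
# Simplified, constructed model of the note above; not an Avi or NSX-T export.

def server_port(server, pool):
    """Configured port for a pool member (falls back to the pool default)."""
    return server.get("port", pool["default_server_port"])

def redirect_rules(pool):
    """(server IP, server port) pairs the redirect rules are keyed on."""
    return {(s["ip"], server_port(s, pool)) for s in pool["servers"]}

def return_flows(vs_ports, pool):
    """(front-end port, server IP, source port) of each server reply."""
    flows = []
    for vs_port in vs_ports:
        for s in pool["servers"]:
            # With use_service_port true (port translation disabled) the server
            # is reached on the front-end port and replies from that port.
            src = vs_port if pool["use_service_port"] else server_port(s, pool)
            flows.append((vs_port, s["ip"], src))
    return flows

def unredirected_flows(vs_ports, pool):
    """Replies that match no redirect rule and so never return to the SE."""
    rules = redirect_rules(pool)
    return [f for f in return_flows(vs_ports, pool) if (f[1], f[2]) not in rules]

# Constructed sample: one virtual service with two front-end ports, two servers.
VS_PORTS = [80, 8080]
SERVERS = [{"ip": "10.0.1.10", "port": 80}, {"ip": "10.0.1.11"}]
POOL_NO_TRANSLATION = {"use_service_port": True, "default_server_port": 80,
                       "servers": SERVERS}
POOL_TRANSLATION = dict(POOL_NO_TRANSLATION, use_service_port=False)

if __name__ == "__main__":
    for name, pool in (("use_service_port=true", POOL_NO_TRANSLATION),
                       ("use_service_port=false", POOL_TRANSLATION)):
        missed = unredirected_flows(VS_PORTS, pool)
        print(name, "->", missed if missed else "all return traffic redirected")
```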

For NSX-T overlay deployments, the Preserve Client IP configuration at the virtual service, SE group, and network service remains the same as for other supported clouds. There are additional pre-requisites and limitations, which are discussed in this section.