The source IP address that NSX Advanced Load Balancer SEs use for connections to back-end servers can be overridden with an explicit, user-specified Source NAT (SNAT) IP address.

The SNAT IP address can be specified as part of the virtual service configuration.

Note:

This feature is not supported for IPv6.

Uses for SE SNAT

In some deployments, traffic must be identifiable by source IP address so that it can be treated differently per application. For instance, in DMZ deployments a firewall, security, visibility, or similar solution may need to validate clients before passing their traffic on to an application, and such solutions use the source IP to do so. A single SE can host multiple VIPs, so a firewall sitting between the SE and the back-end servers would normally see all traffic arriving from the same SE interface IPs, no matter which virtual service it belongs to. With per-VS SNAT, the firewall instead sees a source IP that identifies the application, because the admin has told it the VS-to-SNAT-IP mapping, and it can filter on that address.

In the following example, SNAT is used to identify the application type for a VIP’s traffic. Traffic destined for email servers must pass through a spam filter and anti-virus checks, while traffic destined for DocShare servers must undergo anti-virus and malware filter checks.



(The topology shown is logical rather than physical. For instance, email and DocShare servers can run on the same host and be in the same pool, and the set of email or DocShare servers does not need to be connected to the rest of the network through a single physical segment.)

One SNAT Address per SE

If a virtual service uses SNAT, the virtual service's configuration must include a unique SNAT address for each SE that the virtual service can use. For instance, if the SE group for the virtual service’s pool can be scaled out to a maximum of four SEs, the SNAT list within the virtual service configuration must contain four unique SNAT addresses.
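The per-SE rule above and the firewall use case under "Uses for SE SNAT" are both easy to get wrong by hand, so the following script checks them against exported configuration objects. It is an added example, not code from the product or its documentation. The field names it reads (a VirtualService `snat_ip` list of `{"addr": ..., "type": ...}` entries, a ServiceEngineGroup `max_scaleout_per_vs`) are assumptions about the REST object model, and the sample objects are constructed for illustration; the check for SNAT addresses shared between virtual services is an inference from the firewall use case, not a restriction the page states.

```python
"""Check the SNAT lists of NSX Advanced Load Balancer virtual services and
derive the per-application firewall allowlist that per-VS SNAT enables.

Added example, not code from the product or its documentation. The object
fields used here (VirtualService.snat_ip as a list of {"addr", "type"},
ServiceEngineGroup.max_scaleout_per_vs) are assumptions about the REST
object model; adapt them to the release you run.
"""
import ipaddress
from collections import defaultdict

# Constructed sample configuration, trimmed to the fields the checks need.
SE_GROUPS = {"dmz-seg": {"max_scaleout_per_vs": 4}}

VIRTUAL_SERVICES = [
    {   # correct: one unique IPv4 SNAT address per SE the VS can scale to
        "name": "vs-email",
        "se_group": "dmz-seg",
        "snat_ip": [{"addr": f"10.10.1.{n}", "type": "V4"} for n in (11, 12, 13, 14)],
        "pool": {"servers": ["10.20.0.10", "10.20.0.11"], "port": 25},
    },
    {   # wrong: a duplicate entry, too few addresses, and one shared with vs-email
        "name": "vs-docshare",
        "se_group": "dmz-seg",
        "snat_ip": [{"addr": a, "type": "V4"} for a in ("10.10.1.11", "10.10.1.22", "10.10.1.22")],
        "pool": {"servers": ["10.20.1.10"], "port": 443},
    },
    {   # wrong: SNAT is not supported for IPv6
        "name": "vs-legacy",
        "se_group": "dmz-seg",
        "snat_ip": [{"addr": "2001:db8::1", "type": "V6"}],
        "pool": {"servers": ["10.20.2.10"], "port": 8080},
    },
]


def check_snat(vs, se_groups):
    """Return the problems with one virtual service's SNAT list (empty = OK)."""
    addrs = [e["addr"] for e in vs.get("snat_ip", [])]
    if not addrs:
        return []  # no SNAT configured: the SE interface IP is used, nothing to check
    problems = []
    for a in addrs:
        if ipaddress.ip_address(a).version == 6:
            problems.append(f"{a}: SNAT is not supported for IPv6")
    for a in sorted({a for a in addrs if addrs.count(a) > 1}):
        problems.append(f"{a}: listed more than once; each SE that can host the VS needs its own address")
    max_se = se_groups[vs["se_group"]]["max_scaleout_per_vs"]
    unique = len(set(addrs))
    if unique < max_se:
        problems.append(f"only {unique} unique SNAT address(es) for an SE group that can scale to {max_se} SEs")
    return problems


def shared_snat(vss):
    """SNAT addresses used by more than one VS. A firewall keyed on source IP
    could not tell those applications apart (inference from the use case,
    not a documented restriction)."""
    owners = defaultdict(list)
    for vs in vss:
        for a in sorted({e["addr"] for e in vs.get("snat_ip", [])}):
            owners[a].append(vs["name"])
    return {a: names for a, names in owners.items() if len(names) > 1}


def firewall_allowlist(vss):
    """(snat_ip, server, port, vs_name) tuples: the only SE-to-server flows a
    firewall between the SEs and the pools needs to permit."""
    rules = []
    for vs in vss:
        pool = vs["pool"]
        for a in sorted({e["addr"] for e in vs.get("snat_ip", [])}):
            for server in pool["servers"]:
                rules.append((a, server, pool["port"], vs["name"]))
    return rules


def as_iptables(rules):
    """Render the allowlist as iptables FORWARD rules, one common firewall syntax."""
    lines = [f"iptables -A FORWARD -s {s} -d {d} -p tcp --dport {p} -m comment --comment {n} -j ACCEPT"
             for s, d, p, n in rules]
    lines.append("iptables -A FORWARD -j DROP  # anything from the SEs not matched above")
    return lines


if __name__ == "__main__":
    for vs in VIRTUAL_SERVICES:
        for problem in check_snat(vs, SE_GROUPS) or ["OK"]:
            print(f"{vs['name']}: {problem}")
    for a, names in shared_snat(VIRTUAL_SERVICES).items():
        print(f"{a} is shared by {', '.join(names)}")
    print("\n".join(as_iptables(firewall_allowlist(VIRTUAL_SERVICES[:1]))))
```

Run it against an export of your virtual services and SE groups before enabling SNAT: the count check must use the SE group's maximum scale-out, not the number of SEs currently deployed, because the virtual service may later be placed on an SE for which no address was reserved.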

Note:

Unlike some other load balancing systems, NSX Advanced Load Balancer does not require an entire pool of SNAT IP addresses per virtual service, even for a single load balancing appliance. It does not have the limitation of 64k port numbers per device: because a connection is identified by the full source and destination address and port tuple rather than by the source port alone, a single source IP can have more than 64k connections spread across an application's back-end servers. Up to 48k open connections can be established to each back-end server.