This section explains the configuration, common deployment, and use case scenarios of the wildcard VIP.

In NSX Advanced Load Balancer, a virtual service is configured with an IP address as VIP and ports as services to load balance the client traffic from the external world. NSX Advanced Load Balancer processes the client connection or request against a list of settings, policies, and profiles, then load balances valid client traffic to a back-end application server listed as a pool member of the virtual service.

In addition to load balancing the client traffic to the application servers, NSX Advanced Load Balancer also provides supportability, manageability, and scalability to the application servers.

You can upgrade application servers with zero downtime when deployed with the NSX Advanced Load Balancer.

Wildcard VIP extends the capability of a virtual service to provide advanced load balancing services to network elements like firewalls and firewall devices.

Wildcard VIP allows the network match configuration in a virtual service. The application virtual service accepts the connections destined to a VIP, whereas the wildcard VIP accepts the connections destined to a subnet, which is configured in CIDR notation.

Features Supported

The following profiles support wildcard virtual services:

  • Network Profile: TCP fast path and UDP fast path

  • Application Profile: System L4 application profile

Supported Environments

The following environments support wildcard VIP:

  • Active/Standby SE group, in DPDK-based environments

  • No access mode and LSC cloud

Network Address Match

Network address match is configured to handle a large range of incoming traffic. In a corporate network, it can be a subnet/prefix configuration.

For example, it could be a prefix of 10.0.0.0/8 (to accept traffic destined to 10.0.0.0 - 10.255.255.255) or 0.0.0.0/0 (to accept every incoming packet).

The following is a demonstration of wildcard VIP in deployment:

Figure 1. Wildcard VIP

In this deployment mode, the wildcard virtual service is in the frontend, facing the client traffic. Three firewalls: FW1, FW2, and FW3 are configured as pool members. The wildcard virtual service load balances the traffic across the firewalls FW1, FW2, and FW3.

Firewalls are rarely the destination for the client traffic, and the traffic is expected to be transparently forwarded to the firewall. Hence, the traffic from the client must be sent as is to the pool member without any source address or destination address translation (SNAT or DNAT). In such a deployment, the network address match is configured in the traffic selection criteria of the VIP. The wildcard VIP of the virtual service will only load balance the traffic to these firewalls without changing the client traffic.

Traffic Selection Criteria

With the introduction of network address match as part of the virtual service, the following combinations can be configured as the traffic selectors for the VIP:

| Destination     | Service Port | Virtual Service Configuration           |
|-----------------|--------------|-----------------------------------------|
| IP Address      | Port         |                                         |
| IP Address      | Any          | Service Port is in the range 1 - 65535  |
| Network Address | Port         | Prefix in ip_address (VIP)              |
| Network Address | Any          | Prefix in ip_address, Service Port: 0   |
| Any             | Port         | Prefix 0 in ip_address                  |
| Any             | Any          | Prefix 0 in ip_address, Service Port 0  |

Note:

Currently, only TCP/UDP fast path network profiles support wildcard VIP.

With the network address match feature, in addition to the service port match already supported, you can configure all the variants of the wildcard virtual service listed in the table. If you configure multiple virtual services with varying combinations as specified in the table, the virtual service with the most specific match is selected, in the same order of preference as listed in the table.
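The following added example (not taken from the product or its documentation) models the selection order described above, so that you can check which virtual service receives a given flow and which selectors accept every destination. It is a simplified model: the names, the sample configuration, the use of port 0 for "any port" in every row, and the longest-prefix ordering between two network prefixes are assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class VirtualService(NamedTuple):
    name: str    # hypothetical label
    prefix: str  # VIP in CIDR notation: /32 = single IP, /0 = any destination
    port: int    # service port; 0 models "any port" (simplification)


# Constructed sample configuration: one virtual service per row of the table.
SERVICES = [
    VirtualService("vs-any-any", "0.0.0.0/0", 0),
    VirtualService("vs-any-443", "0.0.0.0/0", 443),
    VirtualService("vs-net-any", "10.0.0.0/8", 0),
    VirtualService("vs-net-443", "10.0.0.0/8", 443),
    VirtualService("vs-ip-any", "10.1.1.10/32", 0),
    VirtualService("vs-ip-443", "10.1.1.10/32", 443),
]


def matches(vs: VirtualService, dst_ip: str, dst_port: int) -> bool:
    """True if the flow's destination falls inside the traffic selector."""
    in_prefix = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(vs.prefix)
    return in_prefix and vs.port in (0, dst_port)


def select(services: List[VirtualService], dst_ip: str,
           dst_port: int) -> Optional[VirtualService]:
    """Return the most specific matching virtual service, or None."""
    candidates = [vs for vs in services if matches(vs, dst_ip, dst_port)]
    if not candidates:
        return None
    # Table order: destination specificity first, then explicit port over any.
    # Longest prefix winning between two networks is an assumption.
    return max(candidates, key=lambda vs: (
        ipaddress.ip_network(vs.prefix).prefixlen, vs.port != 0))


def catch_all(services: List[VirtualService]) -> List[str]:
    """Names of virtual services whose selector accepts every destination."""
    return [vs.name for vs in services
            if ipaddress.ip_network(vs.prefix).prefixlen == 0]


if __name__ == "__main__":
    for ip, port in [("10.1.1.10", 443), ("10.2.3.4", 22), ("192.0.2.1", 22)]:
        print(ip, port, "->", select(SERVICES, ip, port).name)
    print("accept every destination:", catch_all(SERVICES))
```

Running `catch_all` over an exported configuration is a quick way to review which virtual services use a 0.0.0.0/0 selector and therefore accept every incoming packet.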