NSX Advanced Load Balancer supports the termination of SSL- and TLS-encrypted HTTPS traffic. The SSL and TLS names are used interchangeably throughout the documentation unless otherwise noted.

Using NSX Advanced Load Balancer as the endpoint for SSL enables it to maintain full visibility into the traffic and also to apply advanced traffic steering, security, and acceleration features. The following deployment architectures are supported for SSL:

  • None: SSL traffic is handled as pass-through (layer 4), flowing through NSX Advanced Load Balancer without terminating the encrypted traffic.

  • Client-side: Traffic from the client to NSX Advanced Load Balancer is encrypted, with unencrypted HTTP to the back-end servers.

  • Server-side: Traffic from the client to NSX Advanced Load Balancer is unencrypted HTTP, with encrypted HTTPS to the back-end servers.

  • Both: Traffic from the client to NSX Advanced Load Balancer is encrypted and terminated at NSX Advanced Load Balancer, which then re-encrypts traffic to the back-end server.

  • Intercept: Terminate client SSL traffic, send it unencrypted over the wire for taps to intercept, then encrypt to the destination server.

Configuring SSL/TLS Termination

NSX Advanced Load Balancer supports multiple architectures for terminating SSL traffic. For client-to-NSX Advanced Load BalancerSSL, the configuration is done on the virtual service page. For NSX Advanced Load Balancer-to-server SSL encryption, the configuration is performed by editing the pool. For either, a virtual service or pool must be configured with an SSL profile and an SSL certificate, as described in the following section

Virtual Service Configuration

SSL Profile

The profile contains the settings for the SSL-terminated connections. This includes the list of supported ciphers and their priority, the supported versions of SSL/TLS, and a few other options.

SSL Certificate

An SSL certificate is presented to a client to authenticate the application. A virtual service may be configured with two certificates at the same time, one each of RSA and elliptic curve cryptography (ECC). A certificate may also be used for authenticating NSX Advanced Load Balancer to back-end servers.

SSL Performance

SSL-terminated traffic performance depends on the underlying hardware allocated to the NSX Advanced Load Balancer SE, the number of SEs available to handle the virtual service, and the certificate and cipher settings negotiated. Generally, each vCPU core can handle about 1000 RSA 2k transactions per second (TPS) or 2500 ECC SSL TPS. A vCPU core can push about 1gb/s SSL throughput. SSL-terminated concurrent connections are more expensive than straight HTTP or layer 4 connections and may necessitate more memory to sustain high concurrency.