Virtual Services

Virtual services are the core of the load balancing and proxy functionality. A virtual service advertises an IP address and one or more ports to the client-facing network, and listens for traffic. When a virtual service receives traffic, it can be configured to:

Proxy the client’s network connection.
Perform security, acceleration, load balancing, gather traffic statistics, and other tasks.
Forward the client’s request data to the destination pool for load balancing.

A virtual service can be thought of as an IP address that the NSX Advanced Load Balancer is listening to, ready to receive requests. In a normal TCP/ HTTP configuration, when a client connects to the virtual service address, NSX Advanced Load Balancer will process the client connection or request against a list of settings, policies, and profiles, then send valid client traffic to a back-end server that is listed as a member of the virtual service’s pool.

Typically, the connection between the client and NSX Advanced Load Balancer is terminated or proxied at the SE, which opens a new TCP connection between itself and the server. The server will respond directly to the NSX Advanced Load Balancer IP address, not to the original client address. NSX Advanced Load Balancer forwards the response to the client through the TCP connection between itself and the client.

A typical virtual service consists of a single IP address and service port that uses a single network protocol. NSX Advanced Load Balancer allows a virtual service to listen to multiple service ports or network protocols.

For instance, a virtual service could be created for both service port 80 (HTTP) and 443 SSL (HTTPS). In this example, clients can connect to the site with a non-secure connection and later be redirected to the encrypted version of the site. This allows administrators to manage a single virtual service instead of two. Similarly, protocols such as DNS, RADIUS and Syslog can be accessed using both UDP and TCP protocols.

It is possible to create two unique virtual services, where one is listening on port 80 and the other is on port 443; however, they will have separate statistics, logs, and reporting. They will still be owned by the same Service Engines (SEs) because they share the same underlying virtual service IP address.

To send traffic to destination servers, the virtual service internally passes the traffic to the pool corresponding to that virtual service. A virtual service normally uses a single pool, though an advanced configuration using policies or DataScripts can perform content switching across multiple pools. A script also can be used instead of a pool, such as a virtual service that only performs an HTTP redirect.

A pool can be associated with multiple virtual services if they have the same Layer 4 or 7 application profile.

When creating a virtual service, that virtual service listens to the client-facing network, which is most likely the upstream network where the default gateway exists. The pool connects to the server network.

Normally, the combined virtual service and pool are required before NSX Advanced Load Balancer can place either object on an SE. When making an SE placement decision, NSX Advanced Load Balancer must choose the SE that has the best reachability or network access to both client and server networks. Alternatively, both the clients and servers may be on the same IP network.

A virtual service will be available and accept client traffic if one of the following conditions is met:

At least one of the pools associated to the virtual service is up.
A policy (for example, a redirect policy) associated with the virtual service that does not need a pool.
A DataScript attached to the policy.
The virtual service is associated to a policy that sends a local response.

Viewing Virtual Services

From the NSX Advanced Load Balancer UI, navigate to Application > Virtual Services, to view all the virtual services created. From this screen, you can create a new virtual service, search for existing virtual services, edit or delete virtual services.


Field	Description
Name	Lists the name of each virtual service. Clicking the name of a virtual service opens the Analytics tab of the respective virtual service.
Health	Displays a numeric, color-coded health status of the virtual service. A red exclamation mark (!) indicates that the virtual service is down. A dash appears if the virtual service is disabled, not deployed, or in error state. Hover the mouse pointer over the health score to view the Health Score popup for the virtual service. Click the View Health button at the bottom of the popup screen to view more insights on the health status.
Address	Displays the IP address advertised by the virtual service.
Service Ports	Lists the service ports configured for the virtual service. Ports that are configured for terminating SSL/TLS connections are denoted in parenthesis. A virtual service may have multiple ports configured. For example: 80 (HTTP) 443 (SSL)
Pools	Lists the pools assigned to each virtual service. Clicking a pool name opens the Analytics tab of the respective pool.
Service Engine Group	Displays the group from which Service Engines may be assigned to the virtual service.
Service Engines	Lists the Service Engines to which the virtual service is assigned. Clicking a Service Engine name opens the Analytics tab of the respective Service Engine.
Total Service Engines	Shows the number of SEs assigned to the virtual service as a time series. This is useful to see if a virtual service scales up or down the number of SEs.
Throughput	Displays a thumbnail chart of the throughput for each virtual service for the time frame selected. Hovering the mouse pointer over this graph shows the throughput for the highlighted time. Clicking a graph opens the Analytics tab of the virtual service.
Open Conns	Displays the average number of open connections.
Client RTT	Displays the average TCP latency between clients of the virtual service and the respective SEs.
Server RTT	Displays the average TCP latency between backend servers of the virtual service and its SEs.
Conns	Displays the rate of total connections per second.
Bad Connections	Displays the rate of connection errors per second.
RX Packets	Displays the average rate of packets received per second.
TX Packets	Displays the average rate of packets transmitted per second.
Policy Drops	Displays the rate of total connections dropped due to virtual service policies (per second). It includes drops due to rate limits, security policy drops, connection limits, etc.
DoS Attacks	Displays the number of DoS attacks occurring per second.
Alerts	Displays the number of alerts related to the virtual service, pool, or Service Engines.

To customize the columns in the table, click the settings icon. Add or remove columns by using the arrows in the screen.

Virtual Service Details

The Virtual Services screen shows extensive information about the virtual service selected.

To view the details of a specific virtual service, navigate to Applications > Virtual Services. Click the required virtual service.

Alternatively, you can also navigate to Applications > Dashboard. Click the required virtual service.

The Virtual Service screen has the following tabs for the virtual service selected.

Virtual Service Analytics
Virtual Service Application Logs
Virtual Service Health
View Security Insights
Virtual Service Events Page
Virtual Service Alerts Page
Virtual Service DNS Records

Virtual Service Quick Info Popup

You can view the Virtual Service quick info pop up from any tab of the Virtual Service screen. Hover over or click the virtual service name.

The Virtual Service quick info popup has the following buttons:

Scale-Out distributes connections for the virtual service to one additional SE per click, up to the maximum number of SEs defined in the SE group properties.
Scale In removes the VIP address from the selected Service Engine. If primary is selected, one of the existing secondaries will become the new Primary.
Migrate moves the virtual service from the SE it is currently on to a different SE within the same SE group.

Note:

For information related to the SE group settings min_scaleout_per_vs and max_scaleout_per_vs, see Impact of Changes to Min-Max Scaleout Per Virtual Service.

This popup also displays the following information (if applicable) for the virtual service:


Field	Description
Service Engine	Names or IP addresses of the SEs this virtual service is deployed on. Clicking on an SE name opens the Service Engine Details page for that SE.
Uptime / Downtime	The duration for which the virtual service has been in the current state up or down.
Address	IP address of the virtual service.
Application Profile	The application profile applied to the virtual service.
Service Port	Service ports on which the virtual service is listening for client traffic.
TCP/UDP Profile	The profile is applied to the virtual service.
SSL Certificates	The certificates applied to the virtual service.
Non-Significant Logs	When disabled, the virtual service defaults to logging significant events or errors. When enabled, all connections or requests are logged.
Real-Time Metrics	When this option is disabled, metrics are collected every five minutes, regardless of whether the Display Time is set to Real-Time. When the option is enabled, metrics is collected every 15 seconds.
Client Log Filters	Number of custom log filters applied to the virtual service. Log filters can selectively generate non-significant logs.
Client Insights	Type of client insights gathered by the virtual service: Active, Passive, or None.