NCP will create a layer 4 load balancer virtual server and pool for each service port.

Details about this feature:
  • Both TCP and UDP are supported.
  • Each service will have a unique IP address.
  • The service is allocated an IP address from an external IP pool based on the loadBalancerIP field in the LoadBalancer definition. The loadBalancerIP field can be empty, contain an IP address, or contain the name or ID of an IP pool. If the loadBalancerIP field is empty, the IP is allocated from the external IP pool specified by the external_ip_pools_lb option in the [nsx_v3] section of ncp.ini. If the external_ip_pools_lb option does not exist, the pool specified by external_ip_pools is used. The LoadBalancer service is exposed on this IP address and the service port.
  • You can change to a different IP pool by changing the configuration and restarting NCP.
  • The IP pool specified by loadBalancerIP must have the tag scope: ncp/owner, tag: cluster:<cluster_name>.
  • In Policy mode, a service of type LoadBalancer without a selector is supported. For such a service, the NSX load balancer's SNAT IP will be the IP of the service of type LoadBalancer. The NSX load balancer's SNAT IP will be updated if you update the IP of the service of type LoadBalancer. Note that a service without a selector cannot be configured as the endpoint of another service without a selector.
  • In Policy mode, you can set the annotation ncp/transparent-lb to true to disable SNAT on the load balancer pool. This feature is only supported in a single-tier topology.
  • NSX by default has limits on the number of virtual servers, server pools and pool members for a load balancer. You can bypass these limits by setting [nsx_v3] relax_scale_validation to true.
  • By default, NCP does not enforce the limit for the number of pool members for any load balancer. You can change this behavior with the [nsx_v3] ncp_enforced_pool_member_limit parameter. This feature is only supported in Policy mode and requires that [nsx_v3] l4_lb_auto_scaling be set to false. For ncp_enforced_pool_member_limit the options are:
    • DEACTIVATE - NCP does not enforce the pool member limit.
    • ACTIVATE - NCP enforces the pool member limit to prevent any load balancer from using too much CPU or memory. Note that if relax_scale_validation is set to false, and members_per_small_lbs or members_per_medium_lbs is set to a value higher than the NSX scale limit, the NSX scale limit is enforced anyway, making this configuration unnecessary.
  • Errors are annotated on the service. The annotation key is ncp/error.loadbalancer. The possible errors are:
    • ncp/error.loadbalancer: IP_POOL_NOT_FOUND

      This error indicates that you specified loadBalancerIP: <nsx-ip-pool> but <nsx-ip-pool> does not exist. The service will be inactive. To fix the error, specify a valid IP pool, then delete and recreate the service.

    • ncp/error.loadbalancer: IP_POOL_EXHAUSTED

      This error indicates that you specified loadBalancerIP: <nsx-ip-pool> but the IP pool has exhausted its IP addresses. The service will be inactive. To fix the error, specify an IP pool that has available IP addresses, then delete and recreate the service.

    • ncp/error.loadbalancer: IP_POOL_NOT_UNIQUE

      This error indicates that multiple IP pools have the name specified by loadBalancerIP: <nsx-ip-pool>, so the reference is ambiguous. The service will be inactive.

    • ncp/error.loadbalancer: POOL_ACCESS_DENIED

      This error indicates that the IP pool specified by loadBalancerIP does not have the tag scope: ncp/owner, tag: cluster:<cluster_name>, or that the cluster named in the tag does not match the name of the Kubernetes cluster.

    • ncp/error.loadbalancer: LB_VIP_CONFLICT

      This error indicates that the IP in the loadBalancerIP field is the same as the IP of an active service. The service will be inactive.

  • The layer 4 load balancer supports automatic scaling. If a Kubernetes LoadBalancer service is created or modified so that it requires additional virtual servers and the existing layer 4 load balancer does not have the capacity, a new layer 4 load balancer will be created. NCP will also delete a layer 4 load balancer that no longer has virtual servers attached. This feature is enabled by default. If you want to disable this feature, you must set l4_lb_auto_scaling to false in the NCP ConfigMap.
  • When you create a service of type LoadBalancer, you can specify the parameter loadBalancerSourceRanges. This feature is only supported in Policy mode. For example:
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-service-lb
      labels:
        app: nginx
    spec:
      type: LoadBalancer
      # Only clients from these source CIDRs may reach the virtual server
      loadBalancerSourceRanges:
        - "10.30.88.116/24"
      ports:
        - port: 80
          targetPort: 80
          protocol: TCP
          name: tcp
    ...

    The NSX load balancer that is created will only allow traffic from the specified source IP addresses. You can verify this in NSX Manager by looking at the virtual server's Access List Control: it allows access to a specific group, and this group contains the IP addresses specified in loadBalancerSourceRanges. You can inspect this group by navigating to Inventory > Groups.
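    The IP pool resolution and the ncp/error.loadbalancer annotations described above, modelled as an added Python illustration (this is not NCP's code). The pool inventory, cluster name, check order, and treating each external_ip_pools option as a single pool ID are assumptions made for the example.

```python
"""Model of NCP's documented LoadBalancer IP-pool resolution and error annotations.
Added illustration only, not NCP code: pool inventory, cluster name, the order of
the checks and single-pool-ID config options are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field

ERROR_KEY = "ncp/error.loadbalancer"  # annotation key named in the documentation


@dataclass
class IpPool:
    pool_id: str
    name: str
    free_ips: int
    tags: dict = field(default_factory=dict)  # NSX tag scope -> tag value


def resolve_lb_ip(load_balancer_ip, pools, cluster, active_vips,
                  external_ip_pools_lb=None, external_ip_pools=None):
    """Return (allocated_ip_or_pool_id, annotations). An empty loadBalancerIP falls
    back to [nsx_v3] external_ip_pools_lb, then external_ip_pools (each modelled
    as one pool ID). Any error leaves the service inactive and sets the annotation."""
    ref = (load_balancer_ip or "").strip() or external_ip_pools_lb or external_ip_pools or ""
    # A literal IP address is a requested VIP rather than a pool reference.
    try:
        ipaddress.ip_address(ref)
        if ref in active_vips:
            return None, {ERROR_KEY: "LB_VIP_CONFLICT"}
        return ref, {}
    except ValueError:
        pass
    matches = [p for p in pools if ref in (p.pool_id, p.name)]
    if not matches:
        return None, {ERROR_KEY: "IP_POOL_NOT_FOUND"}
    if len(matches) > 1:
        return None, {ERROR_KEY: "IP_POOL_NOT_UNIQUE"}
    pool = matches[0]
    # The pool must carry tag scope ncp/owner with tag cluster:<cluster_name>.
    if pool.tags.get("ncp/owner") != f"cluster:{cluster}":
        return None, {ERROR_KEY: "POOL_ACCESS_DENIED"}
    if pool.free_ips == 0:
        return None, {ERROR_KEY: "IP_POOL_EXHAUSTED"}
    return pool.pool_id, {}


# Constructed inventory: two pools share the name "shared", one belongs to another cluster.
POOLS = [
    IpPool("pool-1", "lb-pool", 5, {"ncp/owner": "cluster:k8s-prod"}),
    IpPool("pool-2", "shared", 5, {"ncp/owner": "cluster:k8s-prod"}),
    IpPool("pool-3", "shared", 5, {"ncp/owner": "cluster:k8s-prod"}),
    IpPool("pool-4", "other-pool", 5, {"ncp/owner": "cluster:k8s-dev"}),
    IpPool("pool-5", "empty-pool", 0, {"ncp/owner": "cluster:k8s-prod"}),
]
```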