You can configure an external load balancer to distribute traffic to the NSX Managers in a manager cluster.
An NSX Manager cluster does not require an external load balancer. The NSX Manager virtual IP (VIP) provides resiliency in the event of a Manager node failure but has the following limitations:
- VIP does not perform load balancing across the NSX Managers.
- VIP requires all the NSX Managers to be in the same subnet.
- VIP recovery takes about 1 - 3 minutes in the event of a Manager node failure.
An external load balancer can provide the following benefits:
- Load balance across the NSX Managers.
- The NSX Managers can be in different subnets.
- Fast recovery time in the event of a Manager node failure.
Note that an external load balancer will not work with the NSX Manager VIP. Do not configure an NSX Manager VIP if you use an external load balancer.
When accessing NSX Manager from a browser through an external load balancer, session persistence must be enabled on the load balancer.
When accessing NSX Manager from an API client through an external load balancer, four authentication methods are available (see the NSX-T Data Center API Guide for more information):
- HTTP Basic Authentication - Load balancer session persistence is not required.
- Client Certificate Authentication - Load balancer session persistence is not required.
- Authenticating to vIDM - Load balancer session persistence is not required.
- Session-Based Authentication - Load balancer session persistence is required.
Recommendation:
- Configure a single IP on the external load balancer for both browser and API access. The load balancer must have session persistence enabled.
Steps to set up an external load balancer:
- Configure the external load balancer to control traffic to the NSX Manager nodes.
- Configure the external load balancer to use the round robin method and configure source persistence for the load balancer's virtual IP.
- Create or import a signed certificate and apply the same certificate to all the NSX Manager nodes. The certificate must have the FQDN of the virtual IP and each of the nodes in the SAN.
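One way to check the certificate step above before putting the load balancer into service, as an added example that is not part of the original documentation: it confirms that every endpoint presents the same certificate and that the SAN lists the virtual IP FQDN and each node FQDN. The host names, function names and sample data are hypothetical, and the load balancer is assumed to present the managers' certificate unchanged.

```python
import hashlib
import socket
import ssl

# Constructed sample data (hypothetical FQDNs), shaped like ssl.getpeercert() output.
REQUIRED = ["nsx-vip.example.test", "nsx-mgr-01.example.test",
            "nsx-mgr-02.example.test", "nsx-mgr-03.example.test"]
FULL_SAN = {"subjectAltName": tuple(("DNS", n) for n in REQUIRED)}
NO_VIP_SAN = {"subjectAltName": tuple(("DNS", n) for n in REQUIRED[1:])}

def fetch_cert(host, port=443, cafile=None, timeout=5.0):
    """Return (SHA-256 of the DER certificate, decoded certificate) served by host."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return hashlib.sha256(der).hexdigest(), tls.getpeercert()

def missing_from_san(cert, required):
    """FQDNs in `required` with no exact dNSName match (wildcards not expanded)."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return sorted(f for f in required if f.lower() not in names)

def audit(observations, required):
    """observations maps endpoint -> (fingerprint, cert); returns a list of findings."""
    findings = []
    if len({fp for fp, _ in observations.values()}) > 1:
        findings.append("endpoints serve different certificates")
    for endpoint, (_, cert) in sorted(observations.items()):
        findings += [f"{endpoint}: SAN lacks {n}" for n in missing_from_san(cert, required)]
    return findings

if __name__ == "__main__":
    # Offline run on constructed data; live use: {h: fetch_cert(h) for h in REQUIRED}
    sample = {"nsx-mgr-01.example.test": ("aa11", FULL_SAN),
              "nsx-mgr-02.example.test": ("bb22", NO_VIP_SAN)}
    for finding in audit(sample, REQUIRED):
        print(finding)
```

If the certificate is signed by an internal CA, pass that CA bundle as `cafile` so that chain and host name validation stay enabled during the check.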