The Edge Services Gateway (ESG) can be thought of as a proxy for incoming client traffic.
About this task
In proxy mode, the load balancer uses its own IP address as the source address to send requests to a backend server. The backend server views all traffic as being sent from the load balancer and responds to the load balancer directly. This mode is also called SNAT mode or non-transparent mode. For more information, refer to NSX Administration Guide.
A typical NSX one-armed load balancer is deployed on the same subnet with its backend servers, apart from the logical router. The NSX load balancer virtual server listens on a virtual IP for incoming requests from client and dispatches the requests to backend servers. For the return traffic, reverse NAT is required to change the source IP address from the backend server to a virtual IP (VIP) address and then send the virtual IP address to the client. Without this operation, the connection to the client would break.
After the ESG receives the traffic, it performs two operations: Destination Network Address Translation (DNAT) to change the VIP address to the IP address of one of the load balanced machines, and Source Network Address Translation (SNAT) to exchange the client IP address with the ESG IP address.
Then the ESG server sends the traffic to the load balanced server and the load balanced server sends the response back to the ESG then back to the client. This option is much easier to configure than the Inline mode, but has two potentials caveats. The first is that this mode requires a dedicated ESG server, and the second is that the load balancer servers are not aware of the original client IP address. One workaround for HTTP/HTTPS applications is to enable Insert X-Forwarded-For in the HTTP application profile so that the client IP address will be carried in the X-Forwarded-For HTTP header in the request sent to the backend server.
If client IP address visibility is required on the backend server for applications other than HTTP/HTTPS, you can configure the IP pool to be transparent. In case clients are not on the same subnet as the backend server, inline mode is recommended. Otherwise, you must use the load balancer IP address as the default gateway of the backend server.
Usually, there are three methods to guarantee connection integrity:
SNAT/proxy/non-transparent mode (discussed above)
Direct server return (DSR) - Currently, this is unsupported
In DSR mode, the backend server responds directly to the client. Currently, NSX load balancer does not support DSR.
- As an example, lets configure a one-armed virtual server with SSL offload. Create a certificate by double-clicking the Edge and then selecting Manage > Settings > Certificate.
- Enable the load balancer service by selecting Manage > Load Balancer > Global Configuration > Edit.
- Create an HTTPS application profile by selecting Manage > Load Balancer > Application Profiles.
The screenshot above uses self-signed certificates for documentation-purposes only.
- Optionally, click Manage > Load Balancer > Service Monitoring and edit the default service monitoring to change it from basic HTTP/HTTPS to specific URL/URIs, as required.
- Create server pools by selecting Manage > Load Balancer > Pools.
To use SNAT mode, leave the Transparent check box unchecked in the pool configuration.
Ensure that the VMs are listed and enabled.
- Optionally, click Manage > Load Balancer > Pools > Show Pool Statistics to check the status.
Make sure that the member status is UP.
- Create a virtual server by selecting Manage > Load Balancer > Virtual Servers.
If you would like to use the L4 load balancer for UDP or higher-performance TCP, check Enable Acceleration. If you check Enable Acceleration, make sure that the firewall status is Enabled on the load balancer NSX Edge, because a firewall is required for L4 SNAT.
Ensure that the IP address is tied to the server pool.
- Optionally, if using an application rule, check the configuration in Manage > Load Balancer > Application Rules.
- If using an application rule, ensure that the application rule is associated with the virtual server in Manage > Load Balancer > Virtual Servers > Advanced.
For supported examples, see: https://communities.vmware.com/docs/DOC-31772.
In non-transparent mode, the backend server cannot see the client IP, but can see the load balancer internal IP address. As a workaround for HTTP/HTTPS traffic, check Insert X-Forwarded-For HTTP header. With this option checked, the Edge load balancer adds the header "X-Forwarded-For" with the value of the client source IP address.