Understand how traffic flows between VMs that are connected to an instance of a distributed load balancer (DLB).
As an administrator ensure:
- Virtual IP addresses and pool members connected to a DLB instance must have unique IP address for traffic to be routed correctly.
- When Web VM1 sends out a packet to APP VM2 it is received by the VIP-APP.
The DLB APP is attached to the policy group consisting of Web tier VMs. Similarly, DLB-APP hosting VIP-DB must be attached to the policy group consisting of App tier VMs.
- The VIP-APP hosted on DLB APP receives the request from Web VM1.
- Before reaching the destination VM group, the packet is filtered by distributed firewall rules.
- After the packets are filtered based on the firewall rules, it is sent to the Tier-1 router.
- It is further routed to the the physical router.
- The route is completed when the packet is delivered to the destination App VM2 group.
A DLB instance can co-exist with an instance of DFW. With DLB and DFW enabled on a virtual interface of a hypervisor, first the traffic is load balanced based on the configuration in DLB and then DFW rules are applied on traffic flowing from a VM to the hypervisor. DLB rules are applied on traffic originating from downlinks of a Tier-0 or Tier-1 logical routers going to the destination hypervisor. DLB rules cannot be applied on traffic flowing in the reverse direction - originating from outside the host going to a destination VM.
For example, if the DLB instance is load balancing traffic from Web-VMs to App-VMs, then to allow such traffic to pass through DFW, ensure that the DFW rule is set to value "Source=Web-VMs, Destination=App-VMs, Action=Allow".