NSX Edge Network Service & Gateway
Network Address Translation:
NAT is a method of changing the source IP or the destination IP of a packet. The router that performs the translation is called a NAT router.
Changing the source IP is called Source NAT (SNAT) and changing the destination IP is called Destination NAT (DNAT).
If a packet arrives at the router with a source IP that matches an SNAT rule, the source IP is replaced with the predetermined translated address and the packet is sent on its way. The same logic applies to the destination IP with DNAT. The NSX Edge supports both SNAT and DNAT.
NAT is configured on the Edge through NAT rules. Every rule is applied on an interface, and the direction of the packet flow is taken relative to that interface: packets arriving at the interface are ingress packets, packets leaving through it are egress packets. An SNAT rule applied on an interface rewrites the source IP of packets leaving through that interface (typically the uplink, so that internal hosts appear as the Edge's uplink address); a DNAT rule applied on an interface rewrites the destination IP of packets arriving on that interface (again typically the uplink, so that a published address is mapped to an internal server). The Edge keeps a NAT table of every translated flow so that the translation can be reversed on the return traffic. That return traffic must come back through the interface on which the NAT rule for the flow was applied; if it takes another path there is no NAT state to match it and it is not translated back.
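The following is an added example, not NSX code, that models the rule semantics described above: SNAT and DNAT rules bound to an interface, first match wins, a NAT table keyed by the reply flow, and reversal that only succeeds when the reply enters on the interface the translated packet left on. The interface names ("internal", "uplink", "dmz"), the rule set and the addresses are constructed for the example.

```python
"""Toy NAT rule engine with a NAT table and symmetric-path check (added example, not NSX code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    action: str       # "snat" or "dnat"
    applied_on: str   # interface the rule is applied on (constructed names below)
    original: str     # CIDR the original src (snat) or dst (dnat) must fall in
    translated: str   # address written into the packet


Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


def flow_key(p: Packet) -> Flow:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reply_key(p: Packet) -> Flow:
    """Flow key that the far end's reply to p will carry."""
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class NatRouter:
    def __init__(self, rules: List[NatRule]):
        self.rules = rules
        # NAT table: reply flow key -> (untranslated packet, interface the flow left on)
        self.table: Dict[Flow, Tuple[Packet, str]] = {}

    def forward(self, pkt: Packet, in_if: str, out_if: str) -> Packet:
        """First packet of a flow: DNAT rules bound to the ingress interface, then
        SNAT rules bound to the egress interface (first match wins); record the reversal."""
        original = pkt
        for r in self.rules:
            if (r.action == "dnat" and r.applied_on == in_if
                    and ip_address(pkt.dst) in ip_network(r.original)):
                pkt = replace(pkt, dst=r.translated)
                break
        for r in self.rules:
            if (r.action == "snat" and r.applied_on == out_if
                    and ip_address(pkt.src) in ip_network(r.original)):
                pkt = replace(pkt, src=r.translated)
                break
        if pkt != original:
            self.table[reply_key(pkt)] = (original, out_if)
        return pkt

    def reply(self, pkt: Packet, in_if: str) -> Optional[Packet]:
        """Return traffic: undo the translation. None means there is no matching NAT
        state on this interface (unknown flow, or an asymmetric return path)."""
        entry = self.table.get(flow_key(pkt))
        if entry is None or entry[1] != in_if:
            return None
        orig = entry[0]
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport, proto=orig.proto)


# Constructed rule set: an Edge with an "internal" vNIC on 192.168.10.0/24 and an
# "uplink" vNIC owning 203.0.113.1 (its own address) and 203.0.113.5 (a published address).
RULES = [
    NatRule("snat", "uplink", "192.168.10.0/24", "203.0.113.1"),   # hide internal hosts behind the uplink IP
    NatRule("dnat", "uplink", "203.0.113.5/32", "192.168.10.50"),  # publish an internal web server
]


def outbound_demo() -> Tuple[Packet, Optional[Packet]]:
    """Internal host goes out the uplink: SNAT applied, reply on the uplink reversed."""
    edge = NatRouter(RULES)
    sent = edge.forward(Packet("192.168.10.20", "198.51.100.7", 40000, 443), "internal", "uplink")
    back = edge.reply(Packet("198.51.100.7", sent.src, 443, sent.sport), "uplink")
    return sent, back


def inbound_demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """External client hits the published address: DNAT applied; the server's reply is
    reversed when it arrives on "internal" but not when it arrives on another interface."""
    edge = NatRouter(RULES)
    sent = edge.forward(Packet("198.51.100.9", "203.0.113.5", 51000, 80), "uplink", "internal")
    server_reply = Packet(sent.dst, sent.src, 80, 51000)
    return sent, edge.reply(server_reply, "internal"), edge.reply(server_reply, "dmz")


if __name__ == "__main__":
    print("outbound:", *outbound_demo(), sep="\n  ")
    print("inbound:", *inbound_demo(), sep="\n  ")
```

The last value returned by inbound_demo() is the practical point of the paragraph: a reply that takes a different path back finds no NAT state and is left untranslated, which on a real Edge shows up as a connection that opens but never gets its answer.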
NSX Edge Load Balancer:
The NSX Edge load balancer distributes the traffic that arrives at a virtual IP (VIP) across a set of internal servers.
The VIP is mapped in the load balancer to an application profile, which represents the service (the protocol and ports the service answers on and how its traffic is handled). The application profile is load balanced to a list of servers running the workload, called the server pool. The IPs in the server pool play the role of the translated destination IPs in a DNAT rule. Ingress traffic that matches the criteria in the application profile is load balanced.
Once a VIP is tied to an application profile and a server pool, the combination is called a virtual server. Virtual servers on the NSX Edge can load balance on Layer 4 information (TCP and UDP) or on Layer 7 information (HTTP and HTTPS). The table below shows the maximum number of VIPs, server pools and servers the Edge supports.
The figure below shows an example of an NSX Edge load balancer. The Edge has a VIP of 10.10.10.3, a server pool containing 10.10.11.3, 10.10.11.4 and 10.10.11.5, and an application profile that matches destination TCP ports 80 or 8080. Any user who wants to reach a web page on port 80 or 8080 at 10.10.10.3 is redirected to one of the three servers in the server pool. The redirection is done by DNAT on the user's packets; the source IP of the packets is not altered.
The configuration in the figure above is called In-Line or Transparent Mode. In Transparent Mode the Edge must have an interface directly connected to the segment where the server pool members are located, and the Edge must be the default gateway of those servers; otherwise the servers' replies would bypass the Edge and the DNAT could not be reversed.
The alternative to Transparent Mode is One-Arm or Proxy Mode. In this configuration the NSX Edge load balancer uses a single interface, and the logical router can remain the default gateway of the server pool members, as shown in the figure below. The VIP is in the same subnet as the server pool members.
In Proxy Mode a user sends application requests to the VIP, and the Edge does DNAT to redirect the traffic to one of the members in the server pool. However, since the members' default gateway is not the Edge, the Edge must also SNAT the user traffic so that the members' return traffic goes back through the Edge. The translated source IP the NSX Edge uses is the VIP.
The figure below shows how traffic flows in this mode.
Step 1: User X opens a browser to http://dclessons.com. The DNS server resolves the name to the VIP, 10.10.11.2.
Step 2: The load balancer receives the browser traffic, matches the request to an application profile, and forwards the traffic to the next available server in the server pool.
- The Edge does SNAT on User X's IP, replacing it with the VIP.
- The Edge does DNAT on the VIP, replacing it with the IP of the selected web server.
Which server is selected depends on the load balancing algorithm configured on the server pool. The NSX Edge can use six load balancing algorithms:
- Round Robin: New flows are sent to the servers in the server pool in sequential order.
- Least Connections: The server with the fewest open connections is selected.
- IP Hash: A hash is computed on the user's IP (the source IP of the packet) and used to select a server, so a given client keeps landing on the same server while the set of running members is unchanged.
- Uniform Resource Identifier (URI): A hash is computed on the left part of the URI (everything to the left of the question mark), taken modulo the total weight of the running members in the server pool, and used to select a server. URI hashing is supported only for Layer 7 load balancing.
- Uniform Resource Locator (URL): A hash is computed on the left part of the URL, taken modulo the total weight of the running members in the server pool, and used to select a server. URL hashing is supported only for Layer 7 load balancing.
- HTTP Header: A hash is computed on a configured HTTP header of the request. HTTP header hashing is supported only for Layer 7 load balancing.
Step 3: The selected web server receives the traffic and responds.
- The web server sees the traffic as coming from the VIP.
- The load balancer can insert the X-Forwarded-For HTTP header so that the web server learns the real client IP. This only works on Layer 7 (HTTP/HTTPS) virtual servers, where the Edge can modify the request headers.
Step 4: The Edge receives the return traffic, undoes the SNAT and DNAT, and forwards the traffic to User X.
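The walkthrough above (steps 1 to 4) and the algorithm list, as an added example that is not NSX code: a server pool implementing round robin, least connections, IP hash, URI hash and HTTP header hash (URL hash is left out because the text does not pin down its input), and a proxy-mode virtual server that matches the VIP and ports, SNATs the client to the VIP, DNATs the VIP to the chosen member, inserts X-Forwarded-For, and reverses both translations on the reply. The VIP 10.10.11.2 and ports 80/8080 come from the text; the member IPs, client addresses and hashing function (SHA-256, chosen for determinism) are assumptions of the example.

```python
"""Proxy Mode load balancer walkthrough (added example, not NSX code)."""
from dataclasses import dataclass, replace
from hashlib import sha256
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    ip: str
    weight: int = 1
    up: bool = True           # set by the health check; down members are never selected
    connections: int = 0


@dataclass(frozen=True)
class Request:
    src: str                  # client IP
    dst: str                  # address the client sent to (the VIP)
    dport: int
    uri: str = "/"
    headers: Tuple[Tuple[str, str], ...] = ()


def _hash(text: str) -> int:
    # SHA-256 prefix as a stable hash (assumption of the example; the real hash is not specified here)
    return int.from_bytes(sha256(text.encode()).digest()[:8], "big")


class Pool:
    """Server pool with the selection algorithms listed above."""

    def __init__(self, members: List[Member], algorithm: str, header: str = "Host"):
        self.members, self.algorithm, self.header = members, algorithm, header
        self._next = 0

    def running(self) -> List[Member]:
        return [m for m in self.members if m.up]

    def _by_weight(self, h: int) -> Member:
        # hash modulo the total weight of running members, then walk the weight slots
        running = self.running()
        slot = h % sum(m.weight for m in running)
        for m in running:
            if slot < m.weight:
                return m
            slot -= m.weight
        raise AssertionError("unreachable")

    def select(self, req: Request) -> Member:
        running = self.running()
        if not running:
            raise RuntimeError("no running members in pool")
        if self.algorithm == "round-robin":
            m = running[self._next % len(running)]
            self._next += 1
            return m
        if self.algorithm == "least-connections":
            return min(running, key=lambda m: m.connections)
        if self.algorithm == "ip-hash":
            return self._by_weight(_hash(req.src))
        if self.algorithm == "uri":
            return self._by_weight(_hash(req.uri.split("?", 1)[0]))   # left of the '?'
        if self.algorithm == "http-header":
            return self._by_weight(_hash(dict(req.headers).get(self.header, "")))
        raise ValueError(f"unknown algorithm {self.algorithm}")


class ProxyModeLB:
    """Virtual server in One-Arm (Proxy) Mode: VIP + ports (application profile) + pool."""

    def __init__(self, vip: str, ports: List[int], pool: Pool):
        self.vip, self.ports, self.pool = vip, set(ports), pool
        self.sessions: Dict[int, Tuple[str, Member]] = {}   # session id -> (client IP, member)
        self._sid = 0

    def inbound(self, req: Request) -> Tuple[Optional[int], Optional[Request]]:
        """Step 2: match the application profile, pick a member, SNAT to the VIP, DNAT to the member."""
        if req.dst != self.vip or req.dport not in self.ports:
            return None, None          # not a virtual server hit: routed normally, not load balanced
        member = self.pool.select(req)
        member.connections += 1
        self._sid += 1
        self.sessions[self._sid] = (req.src, member)
        forwarded = replace(req, src=self.vip, dst=member.ip,
                            headers=req.headers + (("X-Forwarded-For", req.src),))
        return self._sid, forwarded

    def outbound(self, sid: int, reply_src: str) -> Tuple[str, str]:
        """Step 4: the member replies to the VIP; undo DNAT (src) and SNAT (dst) and close the session."""
        client, member = self.sessions.pop(sid)
        if reply_src != member.ip:
            raise ValueError("reply did not come from the member this session was sent to")
        member.connections -= 1
        return (self.vip, client)      # (src, dst) as User X sees the reply


if __name__ == "__main__":
    pool = Pool([Member("10.10.11.3"), Member("10.10.11.4"), Member("10.10.11.5")], "round-robin")
    lb = ProxyModeLB("10.10.11.2", [80, 8080], pool)
    sid, fwd = lb.inbound(Request("192.0.2.10", "10.10.11.2", 80, "/index.html", (("Host", "dclessons.com"),)))
    print("to member:", fwd)                       # src is the VIP, dst is 10.10.11.3, XFF carries 192.0.2.10
    print("to client:", lb.outbound(sid, fwd.dst))  # ('10.10.11.2', '192.0.2.10')
```

Note what the member sees in the forwarded request: the source is the VIP, and the only trace of the client is the X-Forwarded-For header, which is exactly why the header exists and why a Layer 4 virtual server, which cannot insert it, loses the client address in Proxy Mode.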
If the NSX Edge is configured with firewall rules and a Layer 4 virtual server, the Layer 4 VIP is processed before the firewall rules, so no Allow rule for the VIP is needed. Layer 7 virtual servers are not processed ahead of the firewall, so traffic to a Layer 7 VIP must be permitted by the firewall rules.
Pool members can also be monitored with health checks, and a member that fails its check is taken out of the selection. The table below lists some of the health check methods.
If the NSX Edge is deployed with Edge HA, the state of the load balancing table (persistence) is synchronized between the Active Edge and the Standby Edge when load balancing is done at Layer 7. When the Active Edge goes down and the Standby Edge becomes Active, it keeps the users' session persistence by sending their traffic to the same server(s). Table 14 below shows the persistence states that are synced between the Active and Standby Edges.