(Updated for NSX-T 3.1)
August 2022
Dimitri Desmidt - Senior TPM NSX
ddesmidt@vmware.com
Agenda
1 LB Deployment Modes
2 Monitors
3 Server Pools
4 Layer4 VIP
8 Troubleshooting
Agenda 1. LB Deployment Modes
• Load Balancing Supported Topologies
• LB InLine Deployment
• LB OneArm Deployment
• IPv4 LB and IPv6 LB
• Configuration Steps
• Specific step for LB OneArm Deployment
• InLine and LB OneArm Deployment
• Miscellaneous
• Service Chaining (LB + NAT + FW)
• LB High-Availability
Load Balancing Supported Topologies (1/2)
LB InLine Deployment
[Diagram: Physical Router above Tier-0; Tier-1 with LB attached (T1+LB); Server Pools on Overlay or VLAN segments.]
LB-SNAT always required
Note: VIP can be placed in any subnet:
• Service Interface (CSP)
• A new dedicated network as a loopback interface (requires manual routing advertisement)
Configuration Steps (1/3)
Specific step for LB OneArm Deployment using T1 Service Interface
[Screenshot: Tier-1 Service Interface configuration; callout: Default Route]
Configuration Steps (2/3)
Specific step for LB OneArm Deployment using T1 Uplink Interface
[Screenshot: Tier-1 configuration; callout: Select T0 to attach it to]
Configuration Steps (3/3)
InLine and LB OneArm Deployment
Configure:
• Load Balancer (see section below "Load Balancer Deployment")
• Virtual Servers (see sections "Layer4 VIP", "Layer7 HTTP VIP", and "Layer7 HTTPS VIP")
IPv4 LB and IPv6 LB
Dual Stack Load Balancing
[Diagram: IPv4 VIP load balancing to an IPv4 Server Pool; IPv6 VIP load balancing to an IPv6 Server Pool.]
Load Balancer Deployment
Configuration
Size of LB (Small/Medium/Large/XLarge).
See the NSX-T LB Admin Guide for the scale of each LB size (# of VIPs, Pools, etc.).
Load Balancer Deployment
Scale Design (1/2)
https://configmax.vmware.com/
The Edge Node hosts the LB service (active/standby) based on its Tier-1 (active/standby) with LB attached.
Both the LB active and the LB standby consume resources in the Edge Node.
So for instance in "1 Edge VM - Large", in NSX-T 2.4 you can have up to: "40 LB-Active", or "40 LB-Standby", or "20 LB-Active + 20 LB-Standby", etc.
LB Large has a factor of 40, LB Medium has a factor of 10, LB Small has a factor of 1.
So 1 Edge VM – Large can host for instance: "40 LB Small" or "2 LB Medium + 20 LB Small" but not "3 LB Medium and 11 LB Small".
Load Balancer Deployment
Scale Design (2/2)
Dev:
Either design is fine: many LBs per Edge Node and/or many VIPs per LB.
Prod – Performance:
Dedicated LB on dedicated Edge Node.
Prod – High LB config churn:
Multiple LBs per Edge Node, and limited # of VIPs per LB.
Prod – None of them (no Perf nor churn):
Many VIPs on limited LBs per Edge Node.
Miscellaneous
Service Chaining (LB + NAT + FW)
Miscellaneous
LB High-Availability (1/3)
[Diagram: Edge Cluster with Edge Node 1 (Hot-Standby) and Edge Node 2 (Active); LB HA messages per LB are exchanged between them.]
Very limited data plane impact thanks to synch of LB State:
• Healthcheck State
• Source-IP Persistence State
• L4 Flow State

Miscellaneous
LB High-Availability (2/3)
LB HA messages per LB:
• every 0.3 sec on EN-BM
• every 1 sec on EN-VM
Miscellaneous
LB High-Availability (3/3)
UI
Information on Edge Node running LB
Select Tier-1 hosting LB and click on "Auto Allocated" service:
• UI/API
• CLI
Agenda 2. Monitors
• Type of Monitors
• Active Monitor
• Passive Monitor
Type of Monitors (1/3)
Monitoring server health status
• Active Monitor: LB periodically sends a health monitor message to pool members.
• Passive Monitor: LB passively observes server responses to detect pool member failures.
Type of Monitors (2/3)
Active Monitor - Detect Pool Member status (based on LB probe)
In case of heavy traffic with thousands of connections per second, detection can be very fast (milliseconds).
Active Monitor Configuration
ICMP
Active Monitor Configuration
TCP
Optional:
TCP Pool Member port tested.
If not specified, Pool member port is used by Monitor.
Active Monitor Configuration
UDP
All below pool member responses will put the UDP pool member in DOWN state:
. No response
. ICMP not reachable
. Any other response than the "UDP Data Expected"
Create UDP Monitor
• Under Networking – Load Balancing – Monitors
– Add Active Monitor – UDP
Callouts: LB Monitor Interval; how long the LB Monitor waits for the Pool Member response.
Optional:
UDP Pool Member port tested.
If not specified, Pool member port is used by Monitor.
Active Monitor Configuration
HTTP (1/2)
Optional:
TCP Pool Member port tested.
If not specified, Pool member port is used by Monitor.
Active Monitor Configuration
HTTP (2/2)
HTTP Method
(Get, Head, Options, Post, Put)
HTTP URL
Active Monitor Configuration
HTTPS (1/3)
Optional:
TCP Pool Member port tested.
If not specified, Pool member port is used by Monitor.
Active Monitor Configuration
HTTPS (2/3)
HTTP Method
HTTP URL
Active Monitor Configuration
HTTPS (3/3)
Passive Monitor Configuration
Callouts:
• How many consecutive connection failures before the LB Monitor considers the Pool Member down.
• Once the Pool Member is marked down by the Passive Monitor, how long it remains unused by the LB engine.
Note: If the Active Monitor marked it down too, it will not be used by the LB engine even after that timeout period.
Agenda 3. Server Pools
• Server Pool Packet Flow
• Transparent (No SNAT)
• LB-SNAT (Automap or IP Pool)
Server Pool Packet Flow (1/2)
Transparent (No SNAT)
[Diagram: Client – LB (InLine) – Server Pool]
1. Client → VIP:         Client-IP:5000 → VIP:80
2. LB → Pool Member:     Client-IP:5000 → Pool-IP:80
3. Pool Member → LB:     Pool-IP:80 → Client-IP:5000
4. LB → Client:          VIP:80 → Client-IP:5000
LB InLine
Server Pool Packet Flow (2/2)
LB-SNAT (Automap or IP Pool)
[Diagram: Client – LB – Server Pool]
1. Client → VIP:         Client-IP:5000 → VIP:80
2. LB → Pool Member:     LB-SNAT:6000 → Pool-IP:80
3. Pool Member → LB:     Pool-IP:80 → LB-SNAT:6000
4. LB → Client:          VIP:80 → Client-IP:5000
Automap: for LB-Pools with small/medium load (below 1k new connections per minute).
IP Pool: for LB-Pools with large load.
Server Pool Configuration
Minimum Configuration (1/4)
Callouts:
• LB algorithm: how the Pool Member is selected.
• Optional: Active Monitor used on Pool Members.
• Optional: Passive Monitor used on Pool Members.
Server Pool Configuration
Minimum Configuration (2/4)
• LB-SNAT
– Transparent (No SNAT) or LB-SNAT (Automap or IP Pool)
Algorithms:
Round Robin, Weighted Round Robin, Least Connection, Weighted Least Connection, IP Hash.
Comment about Slow Start for the Least Connection and Weighted Least Connection algorithms in the Notes.
LB-SNAT configuration:
. Disabled: No LB-SNAT
. Automap: T1-uplink IP@ (100.64.x.x) or T1-ServiceInterface IP@
. IP Pool: List of IP@ used for SNAT (VIP IP@ can be used too)
Comment about scale in the Notes.
Server Pool Configuration
Minimum Configuration (3/4)
• Pool Members
– Static Membership
Static Members: Pool Member Name, IP@.
Optional: Port. If not configured:
. Pool must use an Active Monitor with Monitoring Port specified
Server Pool Configuration
Minimum Configuration (4/4)
• Pool Members
– Group Membership
Group Members: Select Group.
Max IP used from the Group to populate the Pool Members list. If not specified, all members are used up to the max Pool Member capacity of the LB.
Optional: Port for Pool Members. If not configured, "Default Pool Member Ports" must be configured in the Virtual Servers using that Pool.
Server Pool Configuration
Other configuration - Backup Members (1/3)
[Diagram: Server Pool with a backup server]
Server Pool Configuration
Other configuration - Backup Members (2/3)
• Backup Servers
– Configure Pool Members backup
Server Pool Configuration
Other configuration - Backup Members (3/3)
• Backup Servers
– Configure Minimum Active Members
Server Pool Configuration
Other configuration - Pool Member Max Concurrent Connections (1/2)
Server Pool Configuration
Other configuration - Pool Member Max Concurrent Connections (2/2)
• Pool Member Max Concurrent Connections
– Configure Pool Members Max Concurrent Connections
Server Pool Configuration
Other configuration – Acceleration with TCP Multiplexing (1/2)
[Diagram: Client – LB (L7 VIP only) – Server Pool. All Clients' TCP connections are terminated on the LB; persistent TCP connections between the LB and the Pool Members.]
Example: Client1:2000 => VIP1:80 (GET /page1.php) is forwarded as LB-SNAT:6000 => S1:80 (GET /page1.php).
TCP Multiplexing is activated only if the Pool is used in a L7 VIP.
With TCP Multiplexing, LB keeps TCP connections persistent to Pool Members.
Different clients' requests will be forwarded to the same persistent Pool Member connection.
Server Pool Configuration
Other configuration – Acceleration with TCP Multiplexing (2/2)
• TCP Multiplexing
– Configure TCP Multiplexing
Highly recommended: LB-SNAT (Automap or IP Pool). See Note.

Server Pool Monitoring/Statistics (1/2)
For LB to run Active Monitor on Pool Members, make sure you have the Monitor associated to the Pool + Pool attached to a VIP + VIP attached to LB + LB attached to T1.

Server Pool Monitoring/Statistics (2/2)
Statistics
Agenda 4. Layer4 VIP
• Layer4 VIP Packet Flow
• Transparent (No SNAT)
• LB-SNAT (Automap or IP Pool)
Layer4 VIP Packet Flow (1/2)
Transparent (No SNAT)
Layer4 VIP Packet Flow (2/2)
LB-SNAT (Automap or IP Pool)
[Diagram: Client – LB – Server Pool packet flow with LB-SNAT (steps 1 to 4)]
Layer4 VIP Configuration
Minimum Configuration (1/3)
[Diagram: VIP L4 TCP:80 in front of a Server Pool; Connection2 to VIP:80 is sent to a Pool Member.]
Layer4 VIP Configuration
Minimum Configuration (2/3)
Layer4 VIP Configuration
Minimum Configuration (3/3)
L4 TCP Profile
Optional:
Only required if Pool Members are NOT configured with Port information (for instance using Pool with Group Membership) AND if the Pool Members TCP Port is different from the VIP Port.
Layer4 VIP Configuration
Persistence - Source-IP Persistence (1/3)
Same configuration as "L4 VIP Minimum Configuration", with the extra configuration
• Under Networking – Load Balancing – Virtual Servers
– Add Virtual Server – L4 TCP
Source IP Persistence
Layer4 VIP Configuration
Other configuration - Port Range (1/2)
[Diagram: VIP L4 TCP:Port-Range (for instance 80-90) in front of a Server Pool; Connection2 to VIP:81 is sent to Pool2:81.]
Layer4 VIP Configuration
Other configuration - Port Range (2/2)
Same configuration as "L4 VIP Minimum Configuration", with the extra configuration
• Under Networking – Load Balancing – Virtual Servers
– Add Virtual Server – L4 TCP
Layer4 VIP Configuration
Other configuration - Sorry Server Pool (1/2)
Layer4 VIP Configuration
Other configuration - Sorry Server Pool (2/2)
Layer4 VIP Configuration
Other configuration - Connection Throttling/Rating (1/2)
[Diagram: VIP L4 TCP:80 in front of a Server Pool]
Note: VIP L4 Persistence (Source IP) does not override this option.
If a former client that is load balanced to a Pool Member sends a new connection when the VIP L4 has reached its limit, this former client's new connection will be discarded.
Layer4 VIP Configuration
Other configuration – Connection Throttling/Rating (2/2)
Same configuration as "L4 VIP Minimum Configuration", with the extra configuration
• Under Networking – Load Balancing – Virtual Servers
– Add Virtual Server – L4 TCP
Callout: Maximum Concurrent Connections on the VIP
Layer4 VIP Configuration
Other configuration - Access Log (1/2)
Layer4 VIP Configuration
Other configuration - Access Log (2/2)
Access Log

LB NSX Groups auto-created (1/2)
[Diagram: VIP L4 TCP:80 in front of a Server Pool]
NSX-T Manager automatically creates Groups for:
• Server Pool
• VIP
LB NSX Groups auto-created (2/2)
Visualization
Layer4 VIP Monitoring/Statistics (1/3)
Monitoring
Agenda 5. Layer7 HTTP VIP
• Layer7 HTTP VIP Packet Flow
• Transparent (No SNAT)
• LB-SNAT (Automap or IP Pool)
Layer7 HTTP VIP Packet Flow (2/2)
LB-SNAT (Automap or IP Pool)
[Diagram: Client – LB – Server Pool packet flow with LB-SNAT (steps 1 to 4)]
Layer7 HTTP VIP Configuration
Minimum Configuration (1/3)
Layer7 HTTP VIP Configuration
Minimum Configuration (2/3)
Layer7 HTTP VIP Configuration
Minimum Configuration (3/3)
Callouts: VIP IP address; VIP TCP Port; Load Balancer hosting the VIP; Pool load balanced; L7 HTTP Profile.
Optional:
Only required if Pool Members are NOT configured with Port information (for instance using Pool with Group Membership) AND if the Pool Members TCP Port is different from the VIP Port.
Layer7 HTTP VIP Configuration
Persistence - Source-IP Persistence (1/3)
Same configuration as "L7 HTTP VIP Minimum Configuration", with the extra configuration
• Under Networking – Load Balancing – Virtual Servers
– Add Virtual Server – L7 HTTP
Source IP Persistence
Layer7 HTTP VIP Configuration
Persistence - Cookie Persistence (1/3)
Cookie Persistence
Layer7 HTTP VIP Configuration
Persistence - Generic Persistence (1/4)
Layer7 HTTP VIP Configuration
Persistence - Generic Persistence (2/4)
• Under Networking – Load Balancing – Profiles
– Add Persistence Profile – Generic
[Diagram: HTTP Request2 + Cookie JSESSIONID = xxx is sent to S1 of the Server Pool.]
Callouts: Same Source IP Persistence Table is shared among different L7 VIPs; How long an idle client entry remains in the Source IP Persistence Table.
Layer7 HTTP VIP Configuration
Persistence - Generic Persistence (3/4)
• Under Networking – Load Balancing – Virtual Servers
– Add Response Rewrite Phase
Example for Generic Persistence based on Cookie JSESSION
[Diagram: HTTP Request2 + Cookie JSESSIONID = xxx is sent to S1 of the Server Pool.]
Layer7 HTTP VIP Configuration
Persistence - Generic Persistence (4/4)
• Under Networking – Load Balancing – Virtual Servers
– Add Request Forwarding Phase
Example for Generic Persistence based on Cookie JSESSION
[Diagram: HTTP Request2 + Cookie JSESSIONID = xxx is sent to S1 of the Server Pool.]

Layer7 HTTP VIP Configuration
Other configuration - X-Forwarded-For (1/2)
[Diagram: Client HTTP Request1 is forwarded to the Server Pool as HTTP Request1 + X-Forwarded-For = xxx.]
HTTP Request forwarded with the added headers:
+ X-Forwarded-For: Client-IP@
+ X-Forwarded-Proto: http
+ X-Forwarded-Port: 80
Note:
Web servers may need information, such as client IP@, for logging or other purposes.
In case of LB-NAT configuration on the Pool, Web servers will see the LB-NAT IP address in the source IP. However, by configuring the web servers to look at those HTTP headers, they can still retrieve the real Client IP information.
Layer7 HTTP VIP Configuration
Other configuration - X-Forwarded-For (2/2)
• Under Networking – Load Balancing – Profiles
– Add Application Profile – HTTP
X-Forwarded-For options:
. Insert: If the XFF HTTP header is not present in the incoming request, then the LB inserts a new XFF header with the client IP@. If the XFF HTTP header is present in the incoming request, then the LB appends the client IP@ to the XFF header.
. Replace: If the XFF HTTP header is already present in the incoming request, then the LB replaces the header.
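The two XFF modes as an added example (not from the deck, not NSX code): a small emulation of the Insert and Replace behaviour described above, plus the reading rule a backend should apply when Insert mode is used. Header values and IP addresses are constructed sample data.

```python
# Added example: emulate the "Insert" and "Replace" X-Forwarded-For options
# of the HTTP Application Profile, and show what a pool member should trust.
from typing import Dict, Optional

XFF = "X-Forwarded-For"


def apply_xff(headers: Dict[str, str], client_ip: str, mode: str) -> Dict[str, str]:
    """Return a copy of the request headers after the LB applied the XFF option.

    mode == "insert":  add XFF with the client IP if absent; if present, append
                       the client IP to the existing value (comma separated).
    mode == "replace": always overwrite XFF with the client IP.
    """
    if mode not in ("insert", "replace"):
        raise ValueError(f"unknown XFF mode: {mode}")
    out = dict(headers)
    if mode == "replace" or XFF not in out:
        out[XFF] = client_ip
    else:
        out[XFF] = f"{out[XFF]}, {client_ip}"
    # The deck also shows X-Forwarded-Proto and X-Forwarded-Port being added
    # for an HTTP:80 VIP; they are set here only if the request lacks them.
    out.setdefault("X-Forwarded-Proto", "http")
    out.setdefault("X-Forwarded-Port", "80")
    return out


def trusted_client_ip(headers: Dict[str, str]) -> Optional[str]:
    """In Insert mode the LB appends, so only the LAST XFF entry was written by
    the LB; earlier entries were supplied by the client and must not be logged
    or used for access decisions as if they were authoritative."""
    value = headers.get(XFF)
    if not value:
        return None
    return value.split(",")[-1].strip()


def demo():
    # Constructed request: the client already sent its own XFF header.
    req = {"Host": "www.xyz.com", XFF: "203.0.113.9"}
    inserted = apply_xff(req, "198.51.100.7", "insert")
    replaced = apply_xff(req, "198.51.100.7", "replace")
    return inserted[XFF], replaced[XFF], trusted_client_ip(inserted)
```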
Layer7 HTTP VIP Configuration
Other configuration - Redirect Clients to HTTPS (1/3)
[Diagram: VIP L7 HTTP:80]
2 Options:
• HTTP Redirect 301
Redirect all clients to the same page.
1. GET http://www.xyz.com/page1.html
2. Redirect https://maintenance.xyz.com/sorry.html
• HTTP to HTTPS Redirect 301
Redirect all HTTP Clients requests to the same site/page on HTTPS.
1. GET http://www.xyz.com/page1.html
2. Redirect https://www.xyz.com/page1.html
Layer7 HTTP VIP Configuration
Other configuration - Redirect Clients to HTTPS (2/3)
[Diagram: VIP L7 HTTP:80; GET http://www.xyz.com/page1.html]
Redirection:
In this mode specify the "HTTP Redirect:"
Layer7 HTTP VIP Configuration
Other configuration - Redirect Clients to HTTPS (3/3)
Redirection:
In this mode specify the "HTTP to HTTPS Redirect:"
Layer7 HTTP VIP Configuration
Other configuration – NTLM Authentication / Server Keep-Alive (1/2)
[Diagram: VIP L7 HTTP:80 in front of a Server Pool]
Client accesses an application on HTTP to Web Servers configured with NTLM authentication.
NTLM Authentication authenticates the TCP connection. And once authenticated, all HTTP requests in that TCP connection are replied.
Flow (client side and server side carry the same exchange on TCP1):
1. TCP1: GET 1.html + NTLM Negotiate
2. TCP1: Status Code: 401 + NTLM Challenge
3. TCP1: GET 1.html + NTLM Authenticate
4. TCP1: Status Code: 200
5. TCP1: GET 2.html
6. TCP1: Status Code: 200
When NTLM configuration / Server Keep-Alive is enabled, as soon as a Client request contains NTLM authentication (NTLM Negotiate) this Client TCP connection is stuck to one dedicated Server TCP connection.
Note: "NTLM + Src-IP Persistence":
If "Client/Server traffic does NOT always use NTLM Authentication", then the NSX configuration requires "Pool-SNAT".
Layer7 HTTP VIP Configuration
Other configuration – NTLM Authentication / Server Keep-Alive (2/2)
[Diagram: same NTLM flow as on the previous slide (VIP L7 HTTP:80 in front of the Server Pool).]
Create new HTTP Profile and use it
• Under Networking – Load Balancing – Profiles
Layer7 HTTP VIP Configuration
Other configuration - Sorry Server Pool (2/2)
Layer7 HTTP VIP Configuration
Other configuration - Connection Throttling/Rating (1/2)
Layer7 HTTP VIP Configuration
Other configuration – Connection Throttling/Rating (2/2)
Same configuration as "L7 HTTP VIP Minimum Configuration", with the extra configuration
• Under Networking – Load Balancing – Virtual Servers
– Add Virtual Server – L7 HTTP
Callout: Maximum Concurrent Connections on the VIP
Layer7 HTTP VIP Configuration
Other configuration - Increase Response Header Size (1/2)
[Diagram: 1. HTTP Response with http headers > 4k]
Layer7 HTTP VIP Configuration
Other configuration – Increase Response Header Size (2/2)
Update LB Profile "response_header_size" (API only)
Layer7 HTTP VIP Configuration
Other configuration - Response Buffering (1/2)
Layer7 HTTP VIP Configuration
Other configuration - Response Buffering (2/2)
[Diagram: Server Pool]
Response Buffering
Layer7 HTTP VIP Configuration
Other configuration - Access Log (1/2)
Access Log

LB NSX Groups auto-created (1/2)
[Diagram: VIP L7 HTTP:80 in front of a Server Pool]
NSX-T Manager automatically creates Groups for:
• Server Pool
• VIP
LB NSX Groups auto-created (2/2)
Visualization
Layer7 HTTP VIP Monitoring/Statistics (1/3)
Monitoring
Agenda 6. Layer7 HTTPS VIP
• Layer7 HTTPS Modes
• HTTPS Off-Load
• HTTPS End-to-End
• SSL Passthrough
Note: The Use Cases described in section "Layer7 HTTP VIP" also apply to Layer7 HTTPS VIP. Refer to that section to do such configuration.
Layer7 HTTPS Modes
3 modes (1/2)
• HTTPS Off-Load
[Diagram: VIP L7 HTTPS:443 in front of the Server Pool]
• Security: Traffic is fully encrypted from the Client up to the LB.
• Performance: Traffic is decrypted / encrypted only once.
• HTTPS End-to-End SSL
[Diagram: VIP L7 HTTPS:443; LB decrypts and re-encrypts before forwarding HTTPS to the Server Pool]
Best security, and LB flexibility.
• Security: Traffic end to end encrypted.
• Performance: This mode has lower performance with traffic decrypted/encrypted twice.
Layer7 HTTPS Modes
3 modes (2/2)
Layer7 HTTPS VIP Configuration
HTTPS Off-Load Configuration (1/5)
Layer7 HTTPS VIP Configuration
HTTPS Off-Load Configuration (2/5)
Server Key
(See Notes of example)
Layer7 HTTPS VIP Configuration
HTTPS Off-Load Configuration (3/5)
Layer7 HTTPS VIP Configuration
HTTPS Off-Load Configuration (4/5)
Callouts: VIP IP address; VIP TCP Port; Load Balancer hosting the VIP; Pool load balanced; SSL Configuration (see next slide); L7 HTTP Profile.
Optional:
Only required if Pool Members are NOT configured with Port information (for instance using Pool with Group Membership) AND if the Pool Members TCP Port is different from the VIP Port.
Layer7 HTTPS VIP Configuration
HTTPS Off-Load Configuration (5/5)
Layer7 HTTPS VIP Configuration
HTTPS End-to-End Configuration (1/5)
[Diagram: VIP L7 HTTPS:443; LB decrypts and re-encrypts before forwarding HTTPS to the Server Pool.]
1. Client side: TCP handshake + SSL handshake, then HTTP Request.
2. Server side: TCP handshake + SSL handshake, then HTTP Request.
Layer7 HTTPS Load Balancing is done after Client TCP handshake + SSL Handshake + HTTP request.
In HTTPS End-to-End mode, LB forwards Clients' requests in new HTTPS connections (encrypted).
Note: This diagram does not represent Transparent Mode or LB-SNAT modes. They are both supported.
Layer7 HTTPS VIP Configuration
HTTPS End-to-End Configuration (2/5)
Server Certificate
Screenshot shows RSA certificate. (See Notes of example)
ECC certificates are also supported.
Server Key
(See Notes of example)
Layer7 HTTPS VIP Configuration
HTTPS End-to-End Configuration (3/5)
Layer7 HTTPS VIP Configuration
HTTPS End-to-End Configuration (4/5)
Callouts: VIP IP address; VIP TCP Port; Load Balancer hosting the VIP; Pool load balanced; SSL Configuration (see next slide); L7 HTTP Profile.
Optional:
Only required if Pool Members are NOT configured with Port information (for instance using Pool with Group Membership) AND if the Pool Members TCP Port is different from the VIP Port.
Layer7 HTTPS VIP Configuration
HTTPS End-to-End Configuration (5/5)
Callouts: Enable HTTPS on the Client side; Enable HTTPS on the Server side.
Layer7 HTTPS VIP Configuration
Other Configuration (for HTTPS Off-Load and HTTPS End-to-End) - HTTPS Selection of Protocol and Ciphers (1/2)
Callouts: Select built-in list of SSL Ciphers and Protocol, or create a Custom one; Performance optimization when Clients open multiple TCP connections (SSL re-use option).
Layer7 HTTPS VIP Configuration
Other Configuration (for HTTPS Off-Load and HTTPS End-to-End) - HTTPS Client Authentication (1/3)
[Diagram: Client Authentication flow; step 3: Request to Server]
Layer7 HTTPS VIP Configuration
Other Configuration (for HTTPS Off-Load and HTTPS End-to-End) -
HTTPS Client Authentication (2/3)
Import Domain CA Certificate
• Under System – Certificates
– Import CA Certificate
Server Certificate
(See Notes of example)
Layer7 HTTPS VIP Configuration
Other Configuration (for HTTPS Off-Load and HTTPS End-to-End) -
HTTPS Client Authentication (3/3)
Create Virtual Server
• Under Networking – Load Balancing – Virtual Servers
– And Configure SSL
Layer7 HTTPS VIP Configuration
Other Configuration (for HTTPS Off-Load and HTTPS End-to-End) -
Auto Certificate Selection based on SNI (1/3)
https://www.xyz.com
Layer7 HTTPS VIP Configuration
Other Configuration (for HTTPS Off-Load and HTTPS End-to-End) -
Auto Certificate Selection based on SNI (2/3)
Import Server Certificate
• Under System – Certificates
– Import Certificate
Server Certificate
(See Notes of example)
Server Key
(See Notes of example)
Layer7 HTTPS VIP Configuration
Other Configuration (for HTTPS Off-Load and HTTPS End-to-End) -
Auto Certificate Selection based on SNI (3/3)
Create Virtual Server
• Under Networking – Load Balancing – Virtual Servers
– Configure SSL
Layer7 HTTPS VIP Configuration
SSL Passthrough Configuration (1/5)
Layer7 HTTPS VIP Configuration
SSL Passthrough Configuration (3/5)
[Diagram: Server Pool]
Callouts: VIP IP address; VIP TCP Port; Load Balancer hosting the VIP; Pool load balanced; SSL Configuration (see next slide + Note for more information); L7 HTTP Profile; LB Rule SSL Passthrough (see next slide).
Optional:
Only required if Pool Members are NOT configured with Port information (for instance using Pool with Group Membership) AND if the Pool Members TCP Port is different from the VIP Port.
Layer7 HTTPS VIP Configuration
SSL Passthrough Configuration (4/5)
Layer7 HTTPS VIP Monitoring/Statistics (1/3)
Monitoring
Agenda 7. LB Rules (HTTP or HTTPS)
• LB Rules Packet Flow
• LB Rules examples
• Block Specific URLs
• Redirect Specific URL/Host to Specific Pools (based on url, query, host)
• Redirect Specific Host requests to HTTPS
• Redirect Non-Authenticated Clients
• Replace Response Header ”Server”
• Rewrite Server Redirect
• Inject header with character ' (single quote)
• Advanced Rewrite of Host + URL
• Inject Client Certificate in HTTP header (for “HTTPS VIP + Client Authentication”)
• Access control based on claims in JWT (+ selection of specific Pool)
LB Rules Packet Flow
Modifying or acting upon HTTP request or response
[Diagram: VIP L7 (HTTP or HTTPS) in front of a Server Pool]
Client requests:
http://www.xyz.com/public/page1.html
http://www.xyz.com/finance/page1.html
http://www.xyz.com/private/page1.html
Forwarded to the Server Pool: http://www.xyz.com/public/page1.html
LB Rules examples
Block Specific URLs (2/2)
LB Rules examples
Redirect Specific URL/Host to Specific Pools (1/4)
[Diagram: VIP L7 in front of a Server Pool and a "Finance and Private" Server Pool]
http://www.xyz.com/public/page1.html
http://www.xyz.com/finance/page1.html
http://www.xyz.com/private/page1.html
LB Rules examples
Redirect Specific URL/Host to Specific Pools (2/4)
LB Rules examples
Redirect Specific URL/Host to Specific Pools (3/4)
[Diagram: VIP L7 (HTTP or HTTPS) in front of a Server Pool and a "Finance and Private" Server Pool]
http://www.xyz.com/page1.html
http://finance.xyz.com/page1.html
http://private.xyz.com/page1.html
LB Rules examples
Redirect Specific URL/Host to Specific Pools (4/4)
LB Rules examples
Redirect Specific Host requests to HTTPS (1/3)
VIP L7 S
HTTP or HTTPS
GET http://finance.xyz.com/page1.html
Redirect https://finance.xyz.com/page1.html
LB Rules examples
Redirect Specific Host requests to HTTPS (2/3)
LB Rules examples
Redirect Specific Host requests to HTTPS (3/3)
Rule values shown: finance.xyz.com (host to match); https://$_host$_request_uri (redirect URL)
LB Rules examples
Redirect Non-Authenticated Clients (1/2)
GET http://www.xyz.com/page1.html
No Cookie Authent
Redirect http://www.xyz.com/authent.php
LB Rules examples
Redirect Non-Authenticated Clients (2/2)
Rule values shown: .* (match pattern); https://$_host/authent.php (redirect URL)
LB Rules examples
Replace Response Header "Server" (1/2)
[Diagram: VIP L7 (HTTP or HTTPS) in front of a Server Pool]
Response from the Pool Member:        Response sent to the Client:
200 OK                                200 OK
Server: Microsoft-IIS/7.5             Server: Apache/2.4.18 (Ubuntu)
<body Response>                       <body Response>
LB Rules examples
Replace Response Header "Server" (2/2)
Rule values shown: .* (match pattern); Apache/2.4.18(Ubuntu) (replacement value)
LB Rules examples
Rewrite Server Redirect (1/2)
[Diagram: VIP L7 (HTTP or HTTPS) in front of a Server Pool]
Client side:                                        Server side:
GET http://www.xyz.com:8080/page1.html              GET http://www.xyz.com/page1.html
301 Redirect                                        301 Redirect
Location: http://www.xyz.com:8080/login.php         Location: http://www.xyz.com/login.php
Note:
This use case also requires another LB Rule to rewrite the request:
GET http://www.xyz.com:8080/page1.html
to
GET http://www.xyz.com/page1.html
This Request Rewrite LB Rule is not documented on the next slide.
LB Rules examples
Rewrite Server Redirect (2/2)
Rule values shown: http://(?<hostname>.[^/]*)/(?<redirect>.*) (match pattern); http://$hostname:8080/$redirect (rewritten value)
LB Rules examples
Inject header with character ' (single quote) (1/2)
[Diagram: VIP L7 (HTTP or HTTPS) in front of a Server Pool]
Response from the Pool Member:        Response sent to the Client:
200 OK                                200 OK
Server: Microsoft-IIS/7.5             Server: Microsoft-IIS/7.5
<body Response>                       Content-Security-Policy: blob: 'unsafe-inline'
                                      <body Response>
LB Rules examples
Inject header with character ' (single quote) (2/2)
Rule value shown: blob: \39unsafe-inline\39

LB Rules examples
Advanced Rewrite of Host + URL (1/2)
[Diagram: VIP L7 (HTTP or HTTPS) in front of a Server Pool]
Client request http://www.xyz.com/news/news1.html is rewritten to http://www.xyz.com/news.py?story=news1.html&client=10.16.116.47
LB Rules examples
Advanced Rewrite of Host + URL (2/2)
Rule values shown: /news/(?<article>.*\..*) (URI match pattern); /news.py (rewritten URI); story=$article&client=$_remote_addr (rewritten URI arguments)
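The LB Rule match/rewrite values from the slides above (Redirect Specific Host to HTTPS, Replace Response Header "Server", Rewrite Server Redirect, Advanced Rewrite of Host + URL), worked through in an added example that is not from the deck and not NSX code. Assumptions, labelled in the code: NSX-style named captures are written (?<name>...), a pattern matches anywhere in the value (re.search), and the built-in variables are the ones the slides show ($_host, $_request_uri, $_remote_addr). All inputs are constructed sample values.

```python
# Added example: a small emulator for the LB Rule regex/variable syntax shown on
# these slides, so rule values can be dry-run before they are pushed to the Edge.
import re
from typing import Dict, Optional

# Assumption: NSX rules use (?<name>...) named groups; Python wants (?P<name>...).
_NAMED_GROUP = re.compile(r"\(\?<([A-Za-z_]\w*)>")
# $name = named capture; $_name = built-in variable (names taken from the deck).
_VARIABLE = re.compile(r"\$(_?[A-Za-z]\w*)")


def to_python_regex(nsx_pattern: str) -> str:
    """Translate NSX-style named captures into Python's (?P<name>...) form."""
    return _NAMED_GROUP.sub(r"(?P<\1>", nsx_pattern)


def expand(template: str, captures: Dict[str, str], builtins: Dict[str, str]) -> str:
    """Expand $name and $_name in a rewrite template.

    Unknown names expand to the empty string. That is the failure mode worth
    testing for: a typo such as $hostnme silently yields a broken Location.
    """
    def one(m):
        name = m.group(1)
        source = builtins if name.startswith("_") else captures
        return source.get(name, "")
    return _VARIABLE.sub(one, template)


def rewrite(value: str, nsx_pattern: str, template: str,
            builtins: Optional[Dict[str, str]] = None) -> str:
    """Apply one match/rewrite action: the expanded template if the pattern
    matches (assumption: search semantics), otherwise the value unchanged."""
    m = re.search(to_python_regex(nsx_pattern), value)
    return expand(template, m.groupdict(), builtins or {}) if m else value


# --- the deck's rule values, one function per slide -------------------------

def rewrite_server_redirect(location: str) -> str:
    """'Rewrite Server Redirect': put the client-facing port :8080 back into the
    Location header that the pool member returned without it."""
    return rewrite(location,
                   r"http://(?<hostname>.[^/]*)/(?<redirect>.*)",
                   r"http://$hostname:8080/$redirect")


def advanced_rewrite(uri: str, remote_addr: str) -> str:
    """'Advanced Rewrite of Host + URL': /news/<article> becomes
    /news.py?story=<article>&client=<client ip>; other URIs pass through."""
    m = re.search(to_python_regex(r"/news/(?<article>.*\..*)"), uri)
    if not m:
        return uri
    args = expand("story=$article&client=$_remote_addr", m.groupdict(),
                  {"_remote_addr": remote_addr})
    return "/news.py?" + args


def redirect_host_to_https(host: str, request_uri: str) -> Optional[str]:
    """'Redirect Specific Host requests to HTTPS': only finance.xyz.com is
    redirected; None means the rule did not match and no redirect is sent."""
    if host != "finance.xyz.com":
        return None
    return expand("https://$_host$_request_uri", {},
                  {"_host": host, "_request_uri": request_uri})


def replace_server_header(server_value: str) -> str:
    """'Replace Response Header Server': whatever the pool member sent is
    replaced by the fixed value from the slide, so the software is not leaked."""
    return rewrite(server_value, r".*", "Apache/2.4.18(Ubuntu)")
```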
LB Rules examples
Inject Client Certificate in HTTP header (for "HTTPS VIP + Client Authentication") (1/2)
[Diagram: step 3: Request to Server with client certificate in HTTP header]
LB Rules examples
Inject Client Certificate in HTTP header (for "HTTPS VIP + Client Authentication") (2/2)
[Diagram: Server Pool; step 3: Request to Server with client certificate in HTTP header]
Rule values shown: / (URI match, to catch all requests); Client-cert (header name); $_ssl_client_escaped_cert (header value)
LB Rules examples
Access control based on claims in JWT (+ selection of specific Pool) (1/4)
LB Rules examples
Access control based on claims in JWT (+ selection of specific Pool) (2/4 and 3/4)
[Diagram: Client – LB-VIP – Server Pool; step 4: Forward request to Specific Pool (optionally)]
Configuration callouts (all optional):
• Enter "Secret"
• Specify the specific URL path you want with JWT access control: "/jwt"
• Specify a Realm for Clients' invalid requests (this information will be sent in the "WWW-Authenticate" Response Header)
• For the use case where the JWT is not in the Authorization header. See Notes for more info.
• Enter JWT secret. See Notes for more information + examples
• Forward the JWT to the Pool Member
LB Rules examples
Access control based on claims in JWT (+ selection of specific Pool) (4/4)
[Diagram: Client – LB-VIP – Server Pool. Step 2: If the LB-VIP can't decode the token, the LB-VIP rejects the Request (401 Response). Step 4: Forward request to Specific Pool (optionally).]
(Optional) Selection of specific Pool (LB Rule):
• Select specific JWT header field (_jwt_header_<header-name>)
• Select specific JWT payload (claim) field (_jwt_claim_<payload-name>)
• Select the LB Pool
This LB rule is optional. That's only if you want to send specific JWT Users to a special LB Pool.
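What the JWT stage on these slides has to do, as an added example (not from the deck, not NSX code): verify an HS256 token with the configured secret, reject undecodable or expired tokens with a 401 carrying the configured Realm in WWW-Authenticate, and optionally route on a claim the way the _jwt_claim_<payload-name> rule does. Assumed and constructed: the secret, the "/jwt" protected path, the claim name "group", the pool names, and the tokens built by make_hs256_token (only to produce test input; the LB itself never issues tokens).

```python
# Added example: an HS256 JWT check plus claim-based pool selection, written in
# stdlib Python so the accept/reject decisions can be reasoned about.
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple


def b64url_decode(part: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: Dict[str, object], secret: bytes) -> str:
    """Issue a token. Only here to build test input; the LB never issues tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_hs256_token(token: str, secret: bytes,
                       now: Optional[int] = None) -> Optional[Dict[str, object]]:
    """Return the claims if the token is well-formed, says alg HS256, verifies
    against `secret` and is not expired; otherwise None. None is the deck's
    "LB-VIP can't decode token" case."""
    current = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # The algorithm is pinned to what is configured: a token that says
        # "none" or anything else is rejected before any signature check.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        exp = claims.get("exp")
        if exp is not None and current >= int(exp):
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    return claims


def handle_request(headers: Dict[str, str], path: str, secret: bytes, realm: str,
                   protected_prefix: str = "/jwt",
                   now: Optional[int] = None) -> Tuple[int, Dict[str, str], str]:
    """Emulate the VIP for one request: (status, extra response headers, pool).
    Only the configured URL path is protected; everything else is forwarded to
    the default pool untouched, matching the deck's optional "/jwt" path."""
    if not path.startswith(protected_prefix):
        return 200, {}, "pool-default"
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    claims = decode_hs256_token(token, secret, now) if token else None
    if claims is None:
        # Deck: reject with 401 and announce the configured Realm.
        return 401, {"WWW-Authenticate": f'Bearer realm="{realm}"'}, ""
    # Optional LB Rule (_jwt_claim_<payload-name>): route on a claim value.
    # The claim name "group" and both pool names are constructed for this example.
    pool = "pool-finance" if claims.get("group") == "finance" else "pool-default"
    return 200, {}, pool
```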
Agenda 8. Troubleshooting
• Why Pool Member down
• Why Clients receive a “502 Bad Gateway” response
• Show LB Session Table
• Advanced Statistics
• Packet Capture
• LB Syslog Messages
• Edge Node and LB Monitoring (Capacity & Performance)
• LB Diagnosis
• Error Messages
• Miscellaneous
• Cascade of VIP
Troubleshooting
Why Pool Member down
Member
Display-Name : S1
Type : primary
IP : 10.1.1.11
Port : 443
Status : down
Last-Check-Time : 2019-04-08 20:04:00
Last-State-Change-Time : 2019-04-08 18:55:23
Failure-Reason : Connect to Peer Failure          <- Reason of the Pool Status Down

Member
Display-Name : S2
Type : primary
IP : 10.1.1.12
Port : 443
Status : up
Last-Check-Time : 2019-04-08 20:03:58
Last-State-Change-Time : 2019-04-08 18:52:00
Troubleshooting
Why Clients receive a "502 Bad Gateway" response
[Diagram: VIP L7]
• When all the Pool Members are down, the NSX-T L7-VIP cannot forward the clients' requests to a pool member.
• In that case the NSX-T L7-VIP replies with a "502 Bad Gateway" response to the clients.
Troubleshooting
Show LB Session Table (1/2)
Troubleshooting
Show LB Session Table (2/2)
Troubleshooting
Advanced statistics
• Clear stats
nsx-edgebm3> clear load-balancer <lb-uuid> virtual-server <vs-uuid> stats
nsx-edgebm3> clear load-balancer <lb-uuid> virtual-servers stats
nsx-edgebm3> clear load-balancer <lb-uuid> pool <pool-uuid> stats
Troubleshooting
Packet Capture (1/4)
Troubleshooting
Packet Capture (2/4)
Go to the section "Logical Router" where you have the name of your router prepended with "SR-".
Troubleshooting
Packet Capture (3/4)
Client IP@: 10.114.218.199
VIP: 21.21.21.6:80
• Start packet capture on Edge Node T1 "uplink" interface (facing the T0)
lab1-edge1> start capture interface f6ab8bad-a4b2-4bef-9502-994124b50e18 [expression port 80]
16:16:26.392694 02:50:56:56:44:52 > 02:50:56:56:44:55, ethertype 802.1Q (0x8100), length 78: vlan 0, p 0,
ethertype IPv4, 10.114.218.199.53192 > 21.21.21.6.80: Flags [S], seq 3483355859, win 29200, options [mss
1460,sackOK,TS val 494725924 ecr 0,nop,wscale 7], length 0
16:16:26.393147 02:50:56:56:44:55 > 02:50:56:56:44:52, ethertype IPv4 (0x0800), length 74: 21.21.21.6.80 >
10.114.218.199.53192: Flags [S.], seq 4261070536, ack 3483355860, win 28960, options [mss 1460,sackOK,TS val
2391628344 ecr 494725924,nop,wscale 8], length 0
16:16:26.393496 02:50:56:56:44:52 > 02:50:56:56:44:55, ethertype 802.1Q (0x8100), length 70: vlan 0, p 0,
ethertype IPv4, 10.114.218.199.53192 > 21.21.21.6.80: Flags [.], ack 1, win 229, options [nop,nop,TS val
494725926 ecr 2391628344], length 0
16:16:26.393613 02:50:56:56:44:52 > 02:50:56:56:44:55, ethertype 802.1Q (0x8100), length 152: vlan 0, p 0,
ethertype IPv4, 10.114.218.199.53192 > 21.21.21.6.80: Flags [P.], seq 1:83, ack 1, win 229, options [nop,nop,TS
val 494725926 ecr 2391628344], length 82: HTTP: GET /test.php HTTP/1.1
Troubleshooting
Packet Capture (4/4)
Pool-Member IP@: 10.1.1.12:80
LB-SNAT-Automap: 100.64.144.1
16:10:14.784366 02:50:56:56:44:52 > 02:50:56:56:53:00, ethertype IPv4 (0x0800), length 66: 10.1.1.12.80 >
100.64.144.1.4134: Flags [.], ack 102, win 227, options [nop,nop,TS val 405916912 ecr 1630120992], length 0
Troubleshooting
LB Syslog Messages (1/5)
Troubleshooting
LB Syslog Message – Summary of LB/VIP/Pool (2/5)
Important:
You need to run the nsx-exporter service at the debug level:
lab1-edge1> set service nsx-exporter logging-level debug
To check the nsx-exporter logging-level (on Edge as root user):
root@lab1-edge1:~# cat /etc/vmware/nsx-edge-exporter/config.json
LOGGING_LEVEL_MAP =
{
"off":"0",
"fatal":"1",
"error":"2",
"warn":"3",
"info":"4",
"debug":"5",
"trace":"6"
}
Summary syslog of LB/VIP/Pool
• LB information
– CPU, Memory
– Enabled, Status, HA_State
– # of Pools, # Pools up
– # of Virtual Servers, # Virtual Servers Up
• Virtual Server(s) information
– Name, IP, Port
– Status
• Pool(s) information
– Name
– Individual Members IP, Port, Status
– Pool Backup usage
– Status
Troubleshooting
LB Syslog Messages – When LB / VIP / Pool status change (4/5)
Troubleshooting
LB Syslog Messages – When LB generates an error (5/5)
Troubleshooting
Edge Node and LB Monitoring – Capacity (1/4)
https://configmax.vmware.com/
The Edge Node hosts the LB service (active/standby) based on its Tier-1 (active/standby) with LB attached.
Both the active and the standby LB consume resources in the Edge Node.
So for instance in "1 Edge VM - Large", in NSX-T 2.4 you can have up to: "40 LB-Active", or "40 LB-Standby", or "20 LB-Active + 20 LB-Standby", etc.
LB Large has a factor of 40, LB Medium has a factor of 10, LB Small has a factor of 1.
So 1 Edge VM – Large can host for instance: "40 LB Small" or "2 LB Medium + 20 LB Small" but not "3 LB Medium and 11 LB Small".
Troubleshooting
Edge Node and LB Monitoring – Capacity of Edge Nodes (2/4)
• Based on Edge Node form factor, a fixed number of LB instances can be configured
• Monitor All Edge Nodes LB usage
https://<NSX-Mgr>/policy/api/v1/infra/lb-node-usage-summary
{
  "results": [
    {
      "current_load_balancer_credits": 8,
      "load_balancer_credit_capacity": 20,
      "current_pool_member_count": 20,
      "pool_member_capacity": 4000,
      "usage_percentage": 40.0,
      "severity": "GREEN",
      "node_counts": [
        {
          "severity": "GREEN",
          "node_count": 2
        },
        {
          "severity": "ORANGE",
          "node_count": 0
        },
        {
          "severity": "RED",
          "node_count": 0
        }
      ],
      "enforcement_point_path": "/infra/sites/default/enforcement-points/default"
    }
  ],
  "intent_path": "/infra/lb-node-usage-summary"
}
Notes on the output:
• LB credits: LB_Small = 1 credit, LB_Medium = 10 credits, LB_Large = 40 credits
• The credit counters give the # of LB credits used in the NSX-T Platform and the # of LB credits remaining in the NSX-T Platform (based on the # of Edge Nodes)
• node_counts gives the # of Edge Nodes with:
– Plenty of LB capacity (GREEN)
– Minor LB capacity (ORANGE)
– No more LB capacity (RED)
Troubleshooting
Edge Node and LB Monitoring – Capacity of Specific Edge Node (3/4)
• Based on Edge Node form factor, a fixed number of LB instances can be configured
• Monitor a Specific Edge Node LB usage
https://<NSX-Mgr>/policy/api/v1/infra/lb-node-usage?node_path=/infra/sites/default/enforcement-points/default/edge-clusters/<edgecluster-uuid>/edge-nodes/<edgenode-uuid>
{
  "form_factor": "MEDIUM_VIRTUAL_MACHINE",
  "edge_cluster_path": "/infra/sites/default/enforcement-points/default/edge-clusters/f62c83e6-7adc-4704-81bb-42d03c9e4f46",
  "current_load_balancer_credits": 4,
  "load_balancer_credit_capacity": 10,
  "usage_percentage": 40.0,
  "severity": "GREEN",
  "current_pool_member_count": 10,
  "current_virtual_server_count": 7,
  "current_pool_count": 6,
  "pool_member_capacity": 2000,
  "current_small_load_balancer_count": 4,
  "current_medium_load_balancer_count": 0,
  "current_large_load_balancer_count": 0,
  "current_xlarge_load_balancer_count": 0,
  "remaining_small_load_balancer_count": 6,
  "remaining_medium_load_balancer_count": 0,
  "remaining_large_load_balancer_count": 0,
  "remaining_xlarge_load_balancer_count": 0,
  "resource_type": "LBEdgeNodeUsage",
  "node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/f62c83e6-7adc-4704-81bb-42d03c9e4f46/edge-nodes/2ea190d2-b6df-11e9-9296-0050568463ea"
}
Notes on the output:
• LB credits: LB_Small = 1 credit, LB_Medium = 10 credits, LB_Large = 40 credits
• The credit counters give the # of LB credits used in the NSX-T Platform and the # of LB credits remaining in the NSX-T Platform (based on the # of Edge Nodes)
• The remaining_*_load_balancer_count fields give the specific LB capacity (how many more LBs of each size this Edge Node can host)
Troubleshooting
Edge Node and LB Monitoring – Capacity of LB Services (4/4)
• Based on Edge Node form factor, a fixed number of LB instances can be configured
• Monitor All LB Service usage
https://<NSX-Mgr>/policy/api/v1/infra/lb-service-usage-summary
{
  "pool_usage_percentage": 2.5,
  "pool_severity": "GREEN",
  "pool_capacity": 240,
  "current_pool_count": 6,
  "virtual_server_usage_percentage": 8.75,
  "virtual_server_severity": "GREEN",
  "virtual_server_capacity": 80,
  "current_virtual_server_count": 7,
  "pool_member_usage_percentage": 0.83,
  "pool_member_severity": "GREEN",
  "pool_member_capacity": 1200,
  "current_pool_member_count": 10,
  "service_counts": [
    {
      "severity": "RED",
      "service_count": 0
    },
    {
      "severity": "ORANGE",
      "service_count": 0
    },
    {
      "severity": "GREEN",
      "service_count": 4
    }
  ]
}
Notes on the output:
• The pool, virtual server and pool member fields give Pool + Pool Member + Virtual Server usage
• service_counts gives the # of LB Services with:
– Plenty of LB Service capacity (GREEN)
– Minor LB Service capacity (ORANGE)
– No more LB Service capacity (RED)
• LB Service usage information for a specific LB Service is also available:
GET /policy/api/v1/infra/lb-services/<lb-service-id>/service-usage
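Added example (not from the original deck and not VMware code), covering the capacity slides (1/4) to (4/4) above: a Python model of the LB credit arithmetic that checks whether a mix of LB sizes fits in an Edge Node, cross-checks the counters of a lb-node-usage document, and recomputes the usage percentages of the lb-service-usage-summary output. The credit weights (Small 1, Medium 10, Large 40), the 40-credit capacity of "1 Edge VM - Large" and the sample counter values are taken from the page; the function names are my own, and XLarge is deliberately left out of the arithmetic because the page gives no credit weight for it.

```python
# Credit weights for each LB size as given on the page. The API also reports an
# XLarge counter, but the page gives no credit weight for it, so XLarge is not part
# of the arithmetic here (see the check in summarize_node_usage).
LB_CREDITS = {"small": 1, "medium": 10, "large": 40}

# From the page: "1 Edge VM - Large" offers 40 LB credits.
EDGE_VM_LARGE_CREDITS = 40


def credits_used(counts):
    """Credits consumed by a mix of LB instances, e.g. {"medium": 2, "small": 20}."""
    unknown = set(counts) - set(LB_CREDITS)
    if unknown:
        raise ValueError(f"no credit weight known for {sorted(unknown)}")
    return sum(LB_CREDITS[size] * n for size, n in counts.items())


def fits(counts, capacity):
    """True if the mix can be hosted within the given credit capacity."""
    return credits_used(counts) <= capacity


def usage_percentage(current, capacity):
    """usage_percentage as the API reports it (two decimals)."""
    return round(100.0 * current / capacity, 2)


def remaining_counts(used, capacity):
    """How many more LBs of each size still fit (mirrors remaining_*_load_balancer_count)."""
    left = capacity - used
    return {size: left // weight for size, weight in LB_CREDITS.items()}


def summarize_node_usage(doc):
    """Cross-check a lb-node-usage document and derive the remaining capacity."""
    counts = {size: doc[f"current_{size}_load_balancer_count"] for size in LB_CREDITS}
    if doc.get("current_xlarge_load_balancer_count", 0):
        raise ValueError("XLarge credit weight is not given on the page")
    used = credits_used(counts)
    if used != doc["current_load_balancer_credits"]:
        raise ValueError(f"credit counter {doc['current_load_balancer_credits']} != per-size total {used}")
    capacity = doc["load_balancer_credit_capacity"]
    return {
        "used": used,
        "capacity": capacity,
        "usage_percentage": usage_percentage(used, capacity),
        "remaining": remaining_counts(used, capacity),
    }


# Trimmed to the fields used here; values are the ones shown on the page for a
# MEDIUM_VIRTUAL_MACHINE Edge Node (slide 3/4).
NODE_USAGE_SAMPLE = {
    "form_factor": "MEDIUM_VIRTUAL_MACHINE",
    "current_load_balancer_credits": 4,
    "load_balancer_credit_capacity": 10,
    "current_small_load_balancer_count": 4,
    "current_medium_load_balancer_count": 0,
    "current_large_load_balancer_count": 0,
    "current_xlarge_load_balancer_count": 0,
}

# (current, capacity) pairs from the page's lb-service-usage-summary output (slide 4/4).
SERVICE_USAGE_SAMPLE = {
    "pool": (6, 240),
    "virtual_server": (7, 80),
    "pool_member": (10, 1200),
}


def service_usage_percentages(sample):
    """Recompute the *_usage_percentage fields from the raw counts."""
    return {name: usage_percentage(cur, cap) for name, (cur, cap) in sample.items()}


if __name__ == "__main__":
    for mix in ({"small": 40}, {"medium": 2, "small": 20}, {"medium": 3, "small": 11}):
        verdict = "fits" if fits(mix, EDGE_VM_LARGE_CREDITS) else "does not fit"
        print(f"{mix} {verdict} in 1 Edge VM - Large")
    print(summarize_node_usage(NODE_USAGE_SAMPLE))
    print(service_usage_percentages(SERVICE_USAGE_SAMPLE))
```

Running it reproduces the page's own statements: 40 Small or 2 Medium + 20 Small fit in 40 credits, 3 Medium + 11 Small (41 credits) does not, and the sample Edge Node with 4 Small LBs out of 10 credits is at 40.0% with room for 6 more Small LBs and no Medium or Large ones, matching the remaining_*_load_balancer_count values in the API output.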
Troubleshooting
Edge Node and LB Monitoring – Performance of Edge Node (1/3)
Troubleshooting
Edge Node and LB Monitoring – Performance of Edge Node (2/3)
• Based on Load Balancer form factor, one or more Edge Node CPUs will be consumed
Note: LB oversubscription is allowed by the NSX-T platform.
LB Diagnosis (1/1)
Troubleshooting
Error Messages (1/1)
This LB is attached to a Tier-1, and that Tier-1 is active/standby in 2 Edge nodes.
Edge Nodes can host a specific number of LB (See "LB Service Scale").
The Edge Nodes hosting the Tier-1 active or Tier-1 standby don't have resources to add that LB.
Troubleshooting
Miscellaneous - Cascade of VIP
[Diagram: VIP1 (L4 or L7) → VIP2 (L4 or L7) → S; VIP1 has its own Server Pool and VIP2 has its own Server Pool, so one VIP can cascade to another VIP before reaching the servers]