Slide 1: NSX-T Load Balancer ToI (Update NSX-T 3.1)
Dimitri Desmidt - Senior TPM NSX (ddesmidt@vmware.com)
Slide 2: Agenda
1. NSX-T 3.1 LB enhancements
2. NSX-T LB Technical Overview
3. NSX-T LB Technical Deep Dive
4. Demo
5. Key Takeaways
6. Q&A
Slide 3: Increase application security
Feature: NSX-T Insert Cookie Security - cookie "httponly" and "secure" options.
Benefit: cookie protection
- against scripts on clients stealing cookie information (the "httponly" option)
- against the cookie being sent over plain HTTP (the "secure" option)
[Figure: L7 VIP (HTTP/HTTPS) in front of a server pool (S1, S2, S3). HTTP Request 1 is forwarded to S1; HTTP Response 1 returned to the client carries the inserted persistence cookie "Set-Cookie: NSX-Cookie=S1; Secure; HttpOnly".]
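A defender-side check for the feature above, as an added example that is not code from the presentation or from NSX-T: it parses the Set-Cookie headers of a response and reports which cookies lack the Secure and HttpOnly attributes. The cookie name NSX-Cookie is taken from the slide; the two responses are constructed samples.

```python
# Added example, not code from the presentation or from NSX-T: parse the
# Set-Cookie headers of an HTTP response and report which cookies lack the
# Secure / HttpOnly attributes that the "Insert Cookie Security" options add.
# The cookie name NSX-Cookie is taken from the slide; both responses are
# constructed samples.

def parse_set_cookies(raw_response: str) -> dict:
    """Return {cookie_name: set of lower-cased attribute names} for every
    Set-Cookie header in a raw HTTP/1.1 response (status line + headers)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        hname, _, value = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        # attribute names only; values such as Path=/ or Max-Age=300 are dropped
        cookies[name] = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return cookies

def missing_cookie_flags(raw_response: str) -> dict:
    """Map each cookie name to the list of required flags it does not carry."""
    required = ("secure", "httponly")
    return {name: [f for f in required if f not in attrs]
            for name, attrs in parse_set_cookies(raw_response).items()}

# Constructed sample: persistence cookie inserted with both options enabled.
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: NSX-Cookie=S1; Secure; HttpOnly\r\n"
            "Content-Length: 0\r\n\r\n")
# Constructed sample: the same cookie inserted with neither option, plus an
# application cookie that is HttpOnly but not Secure.
WEAK = ("HTTP/1.1 200 OK\r\n"
        "Set-Cookie: NSX-Cookie=S1; Path=/\r\n"
        "Set-Cookie: session=abc; HttpOnly\r\n"
        "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, missing_cookie_flags(resp))
```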
Slide 4: More generic option
Feature: Load Balancing NTLM Applications.
Updated UI/API: configuration option "Server Keep-Alive" (previously called "NTLM Authentication").
Benefit: enable Server Keep-Alive.
Slide 5: New simple monitoring CLI command
Feature: Load Balancing Diagnosis - new CLI command.
Benefit: LB Diagnosis.

lab1-edge1> get load-balancer 3554fa76-2b3b-4690-ba65-3675706155dc diagnosis
Fri Dec 18 2020 UTC 03:07:16.017
Checking
Action : checking system
Result : passed
Action : checking crash
Result : passed
Action : checking daemon status
Result : passed
Action : checking configuration
Result : passed
Action : checking runtime
Result : passed
Action : checking stats
Result : passed
Slide 7: Main LB benefits
- Scale out
- High Availability
[Figure: a VIP in front of a Server Pool, shown for both the scale-out and the high-availability case.]
Slide 8: Layer 4 and Layer 7 Load Balancing
Layer 4 Load Balancing: connection-based (TCP or UDP). Selection: Round Robin, Least Connections, etc.
Layer 7 Load Balancing: content-based (HTTP / HTTPS). Selection based on URI, domain name, etc.; URL manipulation (redirect specific pages, add headers, etc.); SSL Offload; etc.
[Figure: L4 example - Virtual Server 20.20.20.20:80 in front of one Server Pool. L7 example - Virtual Server 30.30.30.30:80 dispatching www.mysite.com to pool "www" and blog.mysite.com to pool "blog".]
Slide 9: Load Balancer
Load Balancer (LB): a logical entity you create, similar to physical or virtual load balancers.
Shareable LB objects can be used in multiple LBs (e.g. Monitors, SSL Profiles).
The LB is realized when attached to a LR. Only Tier-1 LR supported; 1:1 between LR and LB.
[Figure: an Edge Node (VM or BM) hosting two Tier-1 LRs, with LB1 and LB2 each attached to its own Tier-1; the LBs hold virtual servers VS1, VS2, VS5, VS6 and pools Pool1, Pool2, Pool3, Pool5, and share Monitor1 and Monitor2.]
Slide 10: Load Balancing Supported Topologies (1/2) - LB Inline Deployment
Enable LB on an existing Tier-1 GW. Note: LB not available on Tier-0 GW.
LB-SNAT can be required depending on traffic flows:
- LB-SNAT required: clients and servers are connected to the same T1 Downlink (Overlay).
- LB-SNAT not required: other use cases.
Note: the VIP can be placed in any subnet: linked segment (Downlink), Service Interface (CSP), a new dedicated network as a loopback interface, or the T0 uplink subnet.
[Figure: two inline deployment diagrams (Tier-0 / Tier-1+LB / Server Pool) with clients (C) and servers (S) on overlay or VLAN segments; flows 1 and 2 illustrate the cases with and without LB-SNAT.]
Slide 11: Deployment Modes (2/2) - LB One-Arm Deployments
Deploy a dedicated One-Arm Tier-1 GW for the Load Balancer. Note: LB not available on Tier-0 GW.
Can be deployed on Overlay or VLAN.
LB-SNAT always required.
Note: the VIP can be placed in any subnet: Service Interface (CSP), or a new dedicated network as a loopback interface (requires manual routing advertisement).
[Figure: three one-arm diagrams - LB One-Arm using a T1 Service Interface (overlay or VLAN) behind Tier-0; T1+LB on a VLAN behind a physical router; and LB One-Arm using a T1 uplink interface behind Tier-0. In each, the Server Pool (S, S) is reached through the one-arm T1+LB.]
Slide 12: Add Load Balancing into an existing NSX-T - Basic Load Balancer Workflow
0. Network topology and app (Tier-0 / Tier-1 / clients C / servers S)
1. Create a Load Balancer attached to the Tier-1 GW
2. Create Virtual Server and Pool
3. Create Pool with members for the VIP
[Figure: Virtual Server "VIP-Paris" (http://vip1/finance/page.html) pointing to Pool "Pool-Finance" with the "Finance-Web" members.]
Slide 13: Features (1/3)
[Figure: LB object model - the Load Balancer Service (LBS) contains Virtual Servers (Fast-TCP, Fast-UDP, HTTP, HTTPS) and Pools (Pool Members, SNAT); attached objects: Active Monitor / Passive Monitor (HTTP, HTTPS, TCP, UDP, ICMP), Persistence Profile (Source-IP, Cookie), Client-SSL Profile, Server-SSL Profile, Application Profile, LB Rules.]
Protocols: what application types can be load balanced.
- IPv4 and IPv6
- TCP, UDP with multiple port range support
- HTTP, HTTPS (note: WebSocket also supported)
LB Method: how end-user connections are split across back-end servers.
- Round-Robin, Weighted_RR, Least-Connection, Weighted_LC, IP-Hash
Pools: how backend servers are configured.
- Static
- Dynamic (NSGroup)
Persistence: how the LB guarantees that a specific user sticks to the same pool member.
- Source-IP
- Cookie (Insert, Prefix, Rewrite)
- Generic
Monitors: how the LB validates application health on each pool member.
- Active (LB generates HTTP/S, TCP, UDP, ICMP probes)
- Passive (LB monitors client connections)
LB-SNAT: how the LB provides LB-SNAT.
- Transparent (no LB-SNAT)
- Automap (LB-SNAT using the LB IP address)
- IP List (LB-SNAT using an IP list)
Slide 14: Features (2/3)
[Figure: LB object model, as on slide 13.]
L7 LB Rules: option to allow the LB to manipulate client requests and/or server responses.
- Rules with Regex support (for instance: host load balancing, URL block, URL rewrite, response header rewrite, etc.)
L7 Acceleration: how the LB offloads pool members.
- TCP multiplexing (the LB gathers the web requests of different clients into the same persistent TCP connections to the pool members; works for HTTP and HTTPS)
SSL: how HTTPS traffic is load balanced.
- SSL Offload (LB terminates HTTPS and talks HTTP to the server)
- SSL End-to-End (LB terminates HTTPS and talks HTTPS to the server)
- SSL Passthrough (LB does not terminate HTTPS and talks HTTPS to the server)
- SNI support (LB presents different certificates to the client based on the host name presented by the client)
- Client Certificate authentication (LB asks for and validates the client cert)
- FIPS compliance, pre-defined cipher lists, SSLv3 support
Slide 15: Features (3/3)
[Figure: LB object model, as on slide 13.]
Connection Throttling: how the LB protects VIPs and pool members against excessive load.
- Client side: max concurrent connections; max new connections / sec
- Server side: max concurrent connections
High Availability: what the active LB synchronizes to the standby LB.
- L4 Flow State
- Source-IP Persistence State
- Healthcheck State
Monitoring: what LB status and statistics are offered.
- VIP/Pool status
- VIP/Pool Sessions (Current/Max/Total/Rate)
- VIP/Pool Bytes (In/In-Rate/Out/Out-Rate)
- VIP/Pool HTTP requests (Total/Rate)
Miscellaneous:
- Sorry Server
- TCP Profile
- Download all LB configuration (API)
Slide 17: HTTPS Load Balancing (1/5) - 3 modes (1/2)
A Layer 7 HTTPS VIP offers 3 modes:
HTTPS Off-Load: best balance between security, performance, and LB flexibility.
- Security: traffic is fully encrypted from the client up to the LB.
- Performance: traffic is decrypted / encrypted only once.
HTTPS End-to-End SSL: best security, and LB flexibility.
- Security: traffic is encrypted end to end.
- Performance: this mode has lower performance, with traffic decrypted / encrypted twice.
[Figure: HTTPS Off-Load - client HTTPS to VIP L7 HTTPS:443, the LB decrypts and forwards in clear (HTTP) to the server pool. HTTPS End-to-End SSL - client HTTPS to VIP L7 HTTPS:443, the LB decrypts and re-encrypts before forwarding (HTTPS) to the server pool.]
Slide 18: HTTPS Load Balancing (2/5) - 3 modes (2/2)
SSL Passthrough: best security, limited LB flexibility.
- Security: end-to-end encryption.
- Performance: highest performance because the LB does not terminate SSL traffic.
[Figure: client HTTPS to VIP L7 HTTPS:443; the LB does not decrypt, and the SSL connection is terminated on the pool members.]
Slide 19: HTTPS Load Balancing (3/5) - HTTPS Client Authentication
Option to request and validate the client HTTPS certificate. After the SSL handshake, the LB asks for the client certificate; once it is validated, the LB load balances the request to the pool members.
[Figure: 1. Client SSL Hello (with the SSL ciphers + protocol supported) to VIP L7 HTTPS:443; 2. the LB requests the client certificate and the client sends its certificate to the LB; 3. request to a server (HTTPS or HTTP) in the server pool.]
Slide 20: HTTPS Load Balancing (4/5) - Auto Certificate Selection based on SNI
A single VIP can host multiple HTTPS web sites. Based on the client's request, the specific site certificate is presented.
[Figure: single VIP L7 HTTPS:443 holding site certificate "blog" (blog.xyz.com) and site certificate "www" (www.xyz.com); https://blog.xyz.com and https://www.xyz.com each receive their own certificate and are forwarded (HTTPS or HTTP) to the server pool.]
Slide 21: HTTPS Load Balancing (5/5) - Built-in SSL Profile
NSX-T offers built-in SSL Profiles:
- Balanced (recommended): best balance between performance / security / variety of client support
- High Compatibility: best variety of client support
- High Security: highest secured SSL ciphers + protocols
Note: custom profiles can be configured too.
[Figure: 1. Client SSL Hello (with the SSL ciphers + protocol supported) to VIP L7 HTTPS:443; 2. the LB selects one of the client-proposed SSL ciphers + protocol which is part of its supported list; traffic is then forwarded (HTTPS or HTTP) to the server pool.]
Slide 22: LB Rules Packet Flow - modifying or acting upon HTTP request or response
Modify or act upon HTTP phases:
- Transport Phase: SSL mode + pool selection based on the client HTTPS request
- HTTP Access Phase: JSON Web Token validation
- Request Rewrite Phase: request header, path rewriting
- Request Forwarding Phase: pool selection, HTTP redirect, reject / drop request
- Response Rewrite Phase: response header rewriting / deletion
[Figure: Clients -> LB -> Server Pool (HTTP or HTTPS); a request passes through the Transport, HTTP Access, Request Rewrite and Request Forward phases, and the response through the Response Rewrite phase.]
Example rules (Rule / Match Conditions / Match Strategy / Actions):
Rule 1 - Match conditions: if host header is "www.xyz.com"; if URI is "/index.html". Match strategy: All. Actions: rewrite header to "app1.xyz.com"; rewrite URI to "/default.php".
Rule 2 - Match conditions: if host header is "blog.xyz.com"; if host header is "new.xyz.com". Match strategy: Or. Action: select pool "Pool2".
Rule 3 - Match condition: if response header "Server = Microsoft-IIS/7.5". Match strategy: All. Action: rewrite response header to "Server = Apache/2.4.18 (Ubuntu)".
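The three example rules above, run through a small rule-evaluation model as an added example that is not code from the presentation or from NSX-T; the rule format, the action names and the request/response dictionaries are this example's own assumptions.

```python
# Added example, not code from the presentation or from NSX-T: a small model of
# the L7 rule evaluation shown on slide 22. Each rule belongs to a phase, has
# match conditions, a match strategy ("All" or "Or") and actions. The rule
# format, the action names and the request/response dicts are this example's own.
from dataclasses import dataclass

@dataclass
class Rule:
    phase: str        # "request" (rewrite/forwarding phases) or "response" (response rewrite)
    conditions: list  # (field, expected value) pairs, e.g. ("host", "www.xyz.com")
    strategy: str     # "All": every condition must match; "Or": any condition is enough
    actions: list     # (action, *args) tuples, see apply_rules()

def rule_matches(rule: Rule, msg: dict) -> bool:
    hits = [msg.get(fld) == expected for fld, expected in rule.conditions]
    return all(hits) if rule.strategy == "All" else any(hits)

def apply_rules(rules, phase: str, msg: dict):
    """Evaluate, in order, the rules of one phase against a message (a dict of
    header fields plus "uri"), mutating it in place. Later rules see the result
    of earlier rewrites. Returns the selected pool name, or None."""
    pool = None
    for rule in rules:
        if rule.phase != phase or not rule_matches(rule, msg):
            continue
        for action, *args in rule.actions:
            if action == "rewrite_header":      # request or response header rewrite
                msg[args[0]] = args[1]
            elif action == "rewrite_uri":
                msg["uri"] = args[0]
            elif action == "select_pool":
                pool = args[0]
    return pool

# The three rules of the slide, expressed in this example's format.
RULES = [
    Rule("request", [("host", "www.xyz.com"), ("uri", "/index.html")], "All",
         [("rewrite_header", "host", "app1.xyz.com"), ("rewrite_uri", "/default.php")]),
    Rule("request", [("host", "blog.xyz.com"), ("host", "new.xyz.com")], "Or",
         [("select_pool", "Pool2")]),
    Rule("response", [("Server", "Microsoft-IIS/7.5")], "All",
         [("rewrite_header", "Server", "Apache/2.4.18 (Ubuntu)")]),
]

if __name__ == "__main__":
    req = {"host": "new.xyz.com", "uri": "/"}
    print(apply_rules(RULES, "request", req), req)
    resp = {"Server": "Microsoft-IIS/7.5"}
    apply_rules(RULES, "response", resp)
    print(resp)
```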
Slide 23: Flexibility in Deployments (1/4) - Sorry Server Pool
The Sorry Server Pool is used when the default VIP pool is down.
[Figure: connections to a VIP (L4 or L7) normally go to Server Pool "Pool1" (S, S, S); when it is down they are sent to the Sorry Server Pool "Pool2" (S, S).]
Slide 24: Flexibility in Deployments (2/4) - Backup Members
Backup members are used when the number of non-backup pool members goes below a threshold (default = 1).
[Figure: connections to a VIP (L4 or L7) go to a Server Pool of three members plus two members flagged "backup", with Min Active Members = 2.]
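The member selection described on slides 23 and 24 (sorry server pool, backup members with a minimum of active members), as an added example that is not code from the presentation or from NSX-T; member names, health flags and the round-robin bookkeeping are this example's own assumptions about how such a pool is modelled.

```python
# Added example, not code from the presentation or from NSX-T: a model of the
# member selection on slides 23 and 24. Healthy non-backup members receive
# connections; when fewer than min_active_members of them are up, the backup
# members are brought in as well; when no member at all is up, the sorry server
# pool answers instead. Member names, health flags and the round-robin
# bookkeeping are this example's own assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Member:
    name: str
    healthy: bool = True   # result of the active/passive monitor
    backup: bool = False   # member flagged "backup" on slide 24

@dataclass
class Pool:
    name: str
    members: list
    min_active_members: int = 1           # NSX-T default stated on slide 24
    sorry_pool: Optional["Pool"] = None   # slide 23: used when this pool is down

def eligible_members(pool: Pool) -> list:
    """Members allowed to receive new connections under the slide's rules."""
    active = [m for m in pool.members if m.healthy and not m.backup]
    if len(active) >= pool.min_active_members:
        return active
    backups = [m for m in pool.members if m.healthy and m.backup]
    return active + backups

def select_target(pool: Pool, rr_state: dict):
    """Round-robin over the eligible members; fall back to the sorry pool when
    nothing is up. Returns (pool_name, member_name), or (None, None)."""
    candidates = eligible_members(pool)
    if not candidates and pool.sorry_pool is not None:
        pool, candidates = pool.sorry_pool, eligible_members(pool.sorry_pool)
    if not candidates:
        return None, None
    idx = rr_state.get(pool.name, 0) % len(candidates)
    rr_state[pool.name] = idx + 1
    return pool.name, candidates[idx].name

# Constructed sample matching the figures: Pool1 with three members, two
# backup members and Min Active Members = 2; Pool2 is the sorry server pool.
SORRY = Pool("Pool2", [Member("sorry1"), Member("sorry2")])
POOL1 = Pool("Pool1", [Member("web1"), Member("web2"), Member("web3"),
                       Member("bkp1", backup=True), Member("bkp2", backup=True)],
             min_active_members=2, sorry_pool=SORRY)
```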
Slide 25: Flexibility in Deployments (3/4) - Connection Throttling / Connection Rating
Protect the pool against excessive load: number of connections.
[Figure: connections to a VIP (L4 or L7) in front of a Server Pool (S, S, S).]
Slide 26: Flexibility in Deployments (4/4) - Connection Throttling / Connection Rating
Protect the pool against excessive load: number of connections and connection rate.
[Figure: as on slide 25.]
Slide 27: High-Availability (1/2) - High-Availability of Applications
Active Monitor: the LB periodically sends a health monitor message to the pool members.
- Supported health monitor types: ICMP, TCP/UDP, HTTP, HTTPS
Passive Monitor: the LB passively observes server responses to detect failures.
- Failure detection methods: TCP connection errors, ICMP unreachable messages, SSL connection errors
[Figure: active monitoring - 1. LB monitor probe from the VIP (L4 or L7) to each pool member, 2. pool member response. Passive monitoring - a client SYN forwarded to a pool member that answers with RST is observed as a failure.]
Slide 28: High-Availability (2/2) - High-Availability of Load Balancers
- Active / Hot-Standby per LB
- LB HA heartbeat per LB done by the Edge Node
- Very limited data plane impact thanks to synchronization of LB state: Healthcheck State, Source-IP Persistence State, L4 Flow State
[Figure: an Edge Cluster with Edge Node 1 and Edge Node 2; each LB is Active on one node and Hot-Standby on the other. LB HA messages are exchanged per LB every 0.3 sec on EN-BM and every 1 sec on EN-VM; on failure the Hot-Standby becomes Active 0.9 sec later on EN-BM and 3 sec later on EN-VM.]
Slide 30: Demo 1 - Full creation of LB + Services via UI
[Figure: Tier-0 LR above a Tier-1 LR with servers Web1 and Web2; the Load Balancer (an instance or logical entity similar to a virtual load balancer) is attached to the Tier-1 LR; the Virtual Server is VIP + Port.]
1. Create a Load Balancer
2. Attach to a Tier-1 LR
3. Create a Pool with Healthcheck
4. Create a Virtual Server
5. Attach to the Load Balancer
Slide 31: Demo 1 - Full creation of LB + Services via UI
Slide 32: Demo 2 - Full creation of LB + Services via API
[Figure: Tier-0 LR above a Tier-1 LR with servers Web1 and Web2; the Load Balancer (an instance or logical entity similar to a virtual load balancer) is attached to the Tier-1 LR; the Virtual Server is VIP + Port.]
1. Create a Load Balancer
2. Attach to a Tier-1 LR
3. Create a Pool with Healthcheck
4. Create a Virtual Server
5. Attach to the Load Balancer
Slide 33: Demo 2 - Full creation of LB + Services via API
Slide 35: NSX Load Balancer
Deployment: software-defined Load Balancer
- Centralized management: API / GUI / CLI
- Full life cycle management: deploy LB instances on demand
Features: comprehensive load balancing feature set
- Layer 4 and Layer 7 LB: TCP/UDP/HTTP/HTTPS
- L7 LB Rules
- Persistence: Source IP and cookie
- SSL termination: offload and proxy
- TLS mutual authentication
- Health monitoring
Integration: integral part of the NSX platform
- Cloud management platform: vRealize Automation (vRA), OpenStack (VIO)
- Cloud-native integration: Pivotal Container Service (PKS), OpenShift
Slide 36: Key Takeaways - NSX Logical Load Balancer
- Covers the majority of enterprise LB needs (feature set and performance)
- Quick deployment: no installation task
- Single point of management
- Included as part of NSX licenses
- Deploy as many instances as needed without licensing restrictions
Key takeaways: Comprehensive LB; Simple and Quick; CAPEX Savings.
Slide 38: Q & A
Slide 39: Backup
Slide 40: Backup topics
- LB Scale / Performance
- NSX-T LB for specific applications: PSC load balancing, NSX-T Manager load balancing
- Troubleshooting
Slide 41: LB service scale - LB scale for LB Service + Edge Node
The Edge Node hosts the LB service (active/standby) based on its Tier-1 (active/standby) with the LB attached. Both the active and the standby LB consume resources in the Edge Node.
So for instance in "1 Edge VM - Large", in NSX-T 2.4 you can have up to "40 LB-Active", or "40 LB-Standby", or "20 LB-Active + 20 LB-Standby", etc.
LB Large has a factor of 40, LB Medium has a factor of 10, LB Small has a factor of 1. So 1 Edge VM - Large can host for instance "40 LB Small" or "2 LB Medium + 20 LB Small", but not "3 LB Medium and 11 LB Small".
Load Balancer scale/provisioning is NOT affected by other services hosted on Edge Nodes (i.e. Tier-0, VPN, etc.). See https://configmax.vmware.com/
Max number of rules per VIP = 512. Note: this value is the same whatever the Edge Node or LB form factor.
Slide 42: PSC load balancing
- PSC 6.7 HA configuration for Resource vCenter Server with NSX-T LB: https://kb.vmware.com/s/article/56575
- PSC 6.7 HA configuration for Management vCenter Server with NSX-T LB: https://kb.vmware.com/s/article/56584
Important note: since NSX-T 2.3 a simpler NSX-T configuration is possible, because a Tier-1 can be connected directly to a VLAN (with Standalone-SR), so no "NSX-T L2 bridging" configuration is required any more.
Slide 43: NSX-T Manager load balancing
The NSX-T Manager Cluster does NOT require an external LB.
Using an external LB offers the following benefits:
- Load spread across all NSX-T Managers
- NSX-T Managers in different subnets
- Faster failover (a couple of seconds instead of 1-3 minutes)
See "NSX-T Manager Cluster External LB by NSX-T" on NSX Community: https://communities.vmware.com/docs/DOC-39390
Slide 44: Troubleshooting
See the NSX-T Encyclopedia: https://communities.vmware.com/docs/DOC-40434