I see a confusion between two options for source IP visibility. Can someone explain the difference?
"Insert X-forwarded-for HTTP header" in application profile -> Maybe this is only for proxy-mode (one-armed)?
"Transparent" in pool -> Maybe this is in-line mode?
Then depending on the topology, I have to choose the right option?
To be a bit more precise:
• The Edge LB is configured in Proxy Mode (Source NAT) and the servers need the client IP@ information
• Update the Application Profile
• Under "Edge – Manage / Load Balancer / Applications Profiles"
• Select the option "Insert X-Forwarded-For HTTP header"
• The Sce-IP@ = Edge IP@: 192.168.11.41
• The server IP@: 192.168.11.3
• The real client-IP@ in the X-Forwarded-For header: 10.0.1.12
Reference available @ NSX-v 6.3 - Load Balancing capabilities + configuration examples (and more...)
For one-arm mode we need to configure the ESG with the load balancer by checking Manage > Load Balancer > Global Configuration > Edit, followed by Server Pool creation with Transparent mode unchecked. Since the load balancer uses its own IP address as the source address to send requests to a backend server, we need X-forwarding only if there is a requirement for the backend server to view the originating source IP, and it is limited to HTTP traffic (X-forwarding is not mandatory).
Oh, I see. Basically, checking transparent option is not working when LB is one-armed (one interface) - Am I correct?
"X-Forwarded-For HTTP traffic" is only working when LB is one-armed. - Am I correct?
When I researched source IP for backend servers, there are two options (X-Forwarded-For and Transparent). The term transparent does not refer to in-line mode, but to providing visibility to the backend servers.
I am curious
1. if checking "transparent" in the pool makes every source traffic such as tcp/udp visible to backend? For example UDP/53 and UDP/5161
2. if checking "transparent" in the pool works for certain mode (in-line mode), not one-armed mode.
I am sorry for more questions..
Hi VMgwbaby
For a one-arm (proxy) load balancer, you have source NATing, which means the client IP address will not be preserved and visible at the backend server. There is a feature called "X-Forwarded-For" which can be used here to enable visibility of the client IP address to the backend server, but this is only limited to HTTP traffic.
To enable load balancer in proxy mode, you leave the "transparent" checkbox unchecked.
For an inline (transparent) load balancer, we don't have source NATing, which means the client IP address will be visible to the backend server by default without any extra configuration.
In this case, you enable the "transparent" checkbox.
Hope it is clear now,
Best Regards,
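
An added example (not part of the original thread) of how a backend server behind the Edge could consume the header: it accepts X-Forwarded-For only when the TCP peer is the Edge address from the posts above (192.168.11.41) and otherwise uses the peer address, as with a transparent pool. The function name `client_ip`, the trusted-proxy set, and the assumption that the load balancer appends the client address as the right-most entry are illustrative assumptions.

```python
import ipaddress

# Assumption: the only proxy allowed to assert a client address is the Edge LB
# from the thread (192.168.11.41). Replace with your own load balancer address(es).
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.11.41")}


def client_ip(peer_addr, xff_header):
    """Return the address the server should log or apply ACLs to.

    peer_addr  -- source IP of the TCP connection as seen by the server
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # Transparent pool or direct connection: no source NAT took place, so the
    # peer is the client. Any X-Forwarded-For here is client-supplied; ignore it.
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    # Proxy mode without the application profile option: only the LB IP is known.
    if not xff_header:
        return str(peer)
    # Assumption: the LB appends the real client as the right-most entry.
    # Entries further left came with the request and are untrusted.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            break  # malformed entry: fall back to the last trusted hop
        if hop not in TRUSTED_PROXIES:
            return str(hop)
        peer = hop
    return str(peer)


if __name__ == "__main__":
    # Constructed sample requests using the addresses from the thread.
    samples = [
        ("192.168.11.41", "10.0.1.12"),               # proxy mode, header inserted
        ("192.168.11.41", None),                      # proxy mode, option not enabled
        ("10.0.1.12", "198.51.100.9"),                # transparent mode, forged header
        ("192.168.11.41", "203.0.113.7, 10.0.1.12"),  # client pre-seeded the header
    ]
    for peer, xff in samples:
        print(f"peer={peer:<15} xff={xff!s:<24} -> {client_ip(peer, xff)}")
```

Because the header only exists for HTTP, non-HTTP pools (the UDP services asked about above) still need the peer address, which is the client only when no source NAT is applied.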
It is clear. Thanks.