Scenario 1: Configured inline LB with web server 1 and 2 as pool member and the pool is configured as transparent.
Question: Does NSX also auto-create the SNAT rule (even with pool as transparent) like in the one-arm mode? If yes, then how can the web 1&2 see the real client IP? If not, I guess I can disable the firewall service on the ESG providing the LB, right?
Scenario 2: Configured LB with web server 1 and 2 as pool member for HTTP or HTTPS. It could be either one-arm or inline LB mode.
Question: Will the "Insert X-Forwarded-For HTTP header" work for HTTPS, so the backend server 1&2 can log the real client IP address.
Thanks,
/S
Regarding scenario 1, when you select "Transparent" on the underlying pool, the LB will not perform SNAT on the traffic so the packet received by the pool member will still have the original source IP as depicted in this snip from the admin guide:
For scenario 2, as long as the LB actually terminates the TLS session (so as long as "Enable SSL Passthrough" is not selected in the application profile, which prevents the LB from decrypting the payload and getting visibility into the underlying HTTP header) then yes, the "Insert X-Forwarded-For" option will still work.
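Added example (not from this thread and not NSX's own code): once the LB inserts X-Forwarded-For, the backend web servers still have to decide when to believe that header. A header from a non-transparent pool arrives on a connection whose TCP peer is the ESG's internal address, so the backend should only honour X-Forwarded-For when the peer is the LB, and should take the rightmost value the LB appended rather than whatever the client may have sent first. For a transparent pool (scenario 1) there is no header to consult and the TCP peer already is the client. The LB address 10.10.20.5 and all request samples below are constructed placeholders, not values from the thread.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed placeholder: the ESG interface the pool members see as the TCP
# peer when the pool is NOT transparent. Replace with your own LB address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.20.5/32")]


def _is_trusted(addr: str, trusted: Iterable) -> bool:
    """True if addr parses as an IP and falls inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def real_client_ip(peer_ip: str, xff_header: Optional[str],
                   trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the address a backend should log as the client.

    - Peer is not a trusted LB (transparent pool, or a direct hit on the
      server): the TCP peer is the client, and any XFF header is ignored
      because nothing trustworthy set it.
    - Peer is the LB and XFF is present: walk the comma-separated list from
      the right; the rightmost entry was appended by the nearest proxy, so the
      first non-trusted address seen from the right is the real client.
    - Peer is the LB but no XFF (e.g. SSL passthrough, so the LB could not
      insert it): fall back to the peer, which is all the server can know.
    """
    if not _is_trusted(peer_ip, trusted):
        return peer_ip
    if not xff_header:
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue  # an intermediate trusted proxy, keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed value: never log attacker-controlled text
        return hop
    return peer_ip  # every hop was a trusted proxy; nothing better than the peer


def access_log_line(method: str, path: str, peer_ip: str,
                    xff_header: Optional[str]) -> str:
    """Common-log-style line using the derived client address."""
    return f'{real_client_ip(peer_ip, xff_header)} "{method} {path}"'


# Constructed sample requests as the pool members would see them.
SAMPLES = [
    # non-transparent pool, LB terminated TLS and inserted XFF (scenario 2)
    ("GET", "/", "10.10.20.5", "203.0.113.7"),
    # transparent pool: peer is the client itself, no header (scenario 1)
    ("GET", "/", "203.0.113.7", None),
    # client supplied its own XFF; LB appended the true source on the right
    ("GET", "/", "10.10.20.5", "198.51.100.9, 203.0.113.7"),
    # direct connection bypassing the LB carrying a forged XFF: ignore it
    ("GET", "/", "192.0.2.44", "203.0.113.7"),
]

if __name__ == "__main__":
    for method, path, peer, xff in SAMPLES:
        print(access_log_line(method, path, peer, xff))
```

If SSL passthrough is enabled, the third branch is the one that fires: the LB never decrypted the stream, so no header was inserted and the log will show the LB's own address, which matches the limitation described in the answer above.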
Thanks for the info. The reference picture is not visible...
So under scenario 1, I actually do not need to enable firewall/NAT on ESG, right? Assuming I do not want to filter traffic on ESG.
Never mind, I still need NAT even with transparent pool, for translation of backend server IP to the VIP...
Sorry about the pic, you can see it in the admin guide at Logical Load Balancer as well where it describes the topologies.
As far as the firewall, it still needs to be enabled on the ESG either way as even in inline mode it still has to perform DNAT on the traffic to send it to the underlying pool members.