VMware Networking Community
m1xed0s
Enthusiast

Questions about NSX LB

Scenario 1: Configured inline LB with web server 1 and 2 as pool member and the pool is configured as transparent.

Question: Does NSX also auto-create the SNAT rule (even with pool as transparent) like in the one-arm mode? If yes, then how can the web 1&2 see the real client IP? If not, I guess I can disable the firewall service on the ESG providing the LB, right?

Scenario 2: Configured LB with web server 1 and 2 as pool member for HTTP or HTTPS. It could be either one-arm or inline LB mode.

Question: Will the "Insert X-Forwarded-For HTTP header" work for HTTPS, so the backend server 1&2 can log the real client IP address.

Thanks,

/S


Accepted Solutions
lhoffer
VMware Employee

Regarding scenario 1, when you select "Transparent" on the underlying pool, the LB will not perform SNAT on the traffic so the packet received by the pool member will still have the original source IP as depicted in this snip from the admin guide:

For scenario 2, as long as the LB actually terminates the TLS session (so as long as "Enable SSL Passthrough" is not selected in the application profile, which prevents the LB from decrypting the payload and getting visibility into the underlying HTTP header) then yes, the "Insert X-Forwarded-For" option will still work.

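The accepted answer covers both sides of the client-IP question: with a transparent pool the backend sees the real source address on the TCP connection itself, and with SNAT plus TLS termination it has to read X-Forwarded-For instead. What neither case should do is trust that header from an arbitrary peer, because any client can send its own X-Forwarded-For. The following is an added example (not from the thread or from VMware) of how a backend web server can decide which address to log: it accepts the header only when the TCP peer is one of the load balancer's inside addresses, and otherwise falls back to the socket peer. The address 10.10.10.5 stands in for the NSX Edge's inside interface and all other addresses are constructed sample values.

```python
import ipaddress
from typing import Optional

# Assumed for this example: the inside interface(s) of the NSX Edge that
# performs SNAT and inserts X-Forwarded-For. Only these peers are trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.5/32")]


def _is_trusted(addr: str) -> bool:
    """True if addr is a valid IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address the web server should log as the client.

    peer_addr:  the TCP peer the server actually accepted the connection from
                (with a transparent pool this is already the real client).
    xff_header: the raw X-Forwarded-For value, or None when absent.

    If the peer is not a trusted proxy, the header is ignored outright: it was
    not inserted by the LB and could say anything. Otherwise the chain is
    walked from the right, skipping trusted hops, and the first untrusted
    address is taken as the client.
    """
    if not _is_trusted(peer_addr) or not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr  # malformed value in the header; do not log it
    return peer_addr


if __name__ == "__main__":
    # Constructed samples covering the two scenarios from the thread.
    samples = [
        ("203.0.113.7", None, "transparent pool: peer is the real client"),
        ("10.10.10.5", "203.0.113.7", "SNAT + TLS termination: LB inserted XFF"),
        ("10.10.10.5", "203.0.113.7, 10.10.10.5", "XFF chain with LB hop on the right"),
        ("198.51.100.9", "1.2.3.4", "direct client supplying its own XFF: ignored"),
    ]
    for peer, xff, note in samples:
        print(f"{client_ip(peer, xff):<15} <- {note}")
```

One caveat that follows directly from the answer: with "Enable SSL Passthrough" selected, the LB cannot insert or overwrite the header, so a client-supplied X-Forwarded-For would reach the backend unchanged from a trusted peer address and this check would accept it. In that mode, only a transparent pool gives the backend a client address it can rely on.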
3 Replies
m1xed0s
Enthusiast

Thanks for the info. The reference picture is not visible...

So under scenario 1, I actually do not need to enable firewall/NAT on ESG, right? Assuming I do not want to filter traffic on ESG.

Never mind, I still need NAT even with transparent pool, for translation of backend server ip to the VIP...

lhoffer
VMware Employee

Sorry about the pic, you can see it in the admin guide at Logical Load Balancer as well, where it describes the topologies.

As far as the firewall, it still needs to be enabled on the ESG either way as even in inline mode it still has to perform DNAT on the traffic to send it to the underlying pool members.
