VMware Networking Community
HassanAlKak88
Expert
Expert

Horizon 7 with NSX Edge Load Balancer

Hello,

We are planning to implement Horizon 7 on top of NSX environment and using the NSX load balancer from an ESG.

What is recommended to use ? One arm or Inline ?

Please advise,


If my reply was helpful, I kindly ask you to like it and mark it as a solution

Regards,
Hassan Alkak
5 Replies
lhoffer
VMware Employee
VMware Employee

Either option can work, however, inline mode is recommended for production deployments according to the VMware® NSX for vSphere End-User Computing Design Guide 1.2  This is discussed in more detail starting at the bottom of page 58.

Reply
0 Kudos
HassanAlKak88
Expert
Expert

as i know in Inline mode we have to change the Default Gateway of load balanced servers ? correct ?

thanks for the Guide.


If my reply was helpful, I kindly ask you to like it and mark it as a solution

Regards,
Hassan Alkak
Reply
0 Kudos
lhoffer
VMware Employee
VMware Employee

Correct.  Since the LB doesn't perform SNAT in inline mode, VMs in the pool(s) behind it must have it set as their default gateway to ensure that return traffic goes back through the load balancer.

HassanAlKak88
Expert
Expert

As I see, VIEW has internal variables that make the SNAT mode insufficient for production deployments.(p 59)

P 60: Horizon has internal variables that make the inline mode the recommended topology for production deployments

Do you know what are the weak points for One armed ? and if it is sufficient for production environments with 200 user ?


If my reply was helpful, I kindly ask you to like it and mark it as a solution

Regards,
Hassan Alkak
Reply
0 Kudos
lhoffer
VMware Employee
VMware Employee

I'm not sure what the specific issue with regards to Horizon is, however, if I had to guess I'd say that the most likely scenario is scale.  Since the ESG load balancer can only do SNAT to a single IP address and there are only about 16,000 ephemeral ports to use for client sessions, one wouldn't be able to reach the published maximum of 20,000 active connections per pod in that scenario because you'd run out of ports to SNAT sessions to.

The only other potential issue might be some sort of reliance on seeing the real source IP, however, I expect that if that were the case they'd just call one-armed mode unsupported.