I am looking for best practices and guidelines to configure a UDP/514 syslog Load Balancer (LB) VIP on NSX-T.
Guidance along the lines of whether an 'in-line' or 'one-arm' topology is preferred for it? I am leaning towards one-arm (its own T1, not directly connected with Tier 0, and able to communicate within the same segment/network; no need for SNAT etc.).
High Level Topology would look like:
Client-Sending-Syslog ---> Tier 0 --> Tier 1 --> Tier1-LB-VIP ==> a few syslog servers or "site collectors", which will push all logs to our SIEM. (Logs would include firewall, switches, Windows event collector etc.) So tons of traffic 24/7.
Since it will be UDP traffic, with no need for stateful or reply traffic, are there any benefits of in-line vs. one-arm? Are there traffic congestion or increased latency concerns if we go with 'in-line' rather than 'one-arm'?
Currently on our Tier 0 and Tier 1 only one service is enabled: 'Gateway firewall rules'. Can I configure an LB service for UDP on the same Tier 1, and would it have any impact on current production? Is it better to keep it "clean" and have a new Tier1-LB as a one-arm config of the LB?
Hope it's a fairly popular use-case and someone can assist in guiding me through this!
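For readers with the same use case, here is what the topology described above looks like as NSX-T Policy API objects. This is an added example, not the poster's configuration or any vendor sample: it builds the hierarchical PATCH body for `/policy/api/v1/infra` that creates a dedicated LB service on its own tier-1 (one-arm), a UDP/514 virtual server, and a pool of collectors with SNAT disabled so the collectors still see the real sender address. Object and field names follow the NSX-T 3.x Policy API as I know it (`LBService`, `LBVirtualServer`, `LBPool`, `LBFastUdpProfile`, `LBIcmpMonitorProfile` and the `Child*` wrappers); the tier-1 path, VIP, collector IPs, object IDs and manager address are made-up lab values, and the field names should be checked against the API guide for your NSX-T version before use.

```python
"""One-arm UDP/514 syslog VIP as an NSX-T Policy hierarchical-API PATCH body.

Added illustration, not the original poster's config. Field names follow the
NSX-T 3.x Policy API; IDs, IPs and the tier-1 path are assumed lab values.
"""
import base64
import json
import os
import ssl
import urllib.request

# Assumed lab values: a dedicated tier-1 for the LB, three collectors on one segment.
TIER1_PATH = "/infra/tier-1s/t1-syslog-lb"
VIP = "10.10.20.10"
COLLECTORS = ["10.10.20.11", "10.10.20.12", "10.10.20.13"]
SYSLOG_PORT = "514"


def build_infra_patch(tier1_path=TIER1_PATH, vip=VIP, collectors=COLLECTORS):
    """Return the body for PATCH /policy/api/v1/infra creating the whole LB stack."""
    # Syslog over UDP never answers the sender, so a UDP monitor (which waits for a
    # reply payload) would mark every member down; ICMP is the usable health check.
    monitor = {"resource_type": "LBIcmpMonitorProfile", "id": "icmp-syslog-collectors",
               "interval": 5, "timeout": 5, "rise_count": 3, "fall_count": 3}
    # Fast UDP profile: per-flow entries are aged out after idle_timeout seconds.
    app_profile = {"resource_type": "LBFastUdpProfile", "id": "fast-udp-syslog",
                   "idle_timeout": 60, "flow_mirroring_enabled": False}
    pool = {
        "resource_type": "LBPool", "id": "pool-syslog-collectors",
        "algorithm": "ROUND_ROBIN",
        # No SNAT: collectors and the SIEM keep the real source IP of each event.
        # Safe here because there is no return traffic that would bypass the LB.
        "snat_translation": {"type": "LBSnatDisabled"},
        "active_monitor_paths": ["/infra/lb-monitor-profiles/icmp-syslog-collectors"],
        "members": [{"display_name": f"collector-{i}", "ip_address": ip,
                     "port": SYSLOG_PORT, "weight": 1}
                    for i, ip in enumerate(collectors, 1)],
    }
    # connectivity_path is the dedicated tier-1, which is what makes this one-arm.
    lb_service = {"resource_type": "LBService", "id": "lb-syslog", "enabled": True,
                  "size": "SMALL", "connectivity_path": tier1_path}
    vserver = {
        "resource_type": "LBVirtualServer", "id": "vs-syslog-udp-514", "enabled": True,
        "ip_address": vip, "ports": [SYSLOG_PORT],
        "application_profile_path": "/infra/lb-app-profiles/fast-udp-syslog",
        "pool_path": "/infra/lb-pools/pool-syslog-collectors",
        "lb_service_path": "/infra/lb-services/lb-syslog",
    }
    return {"resource_type": "Infra", "children": [
        {"resource_type": "ChildLBMonitorProfile", "LBMonitorProfile": monitor},
        {"resource_type": "ChildLBAppProfile", "LBAppProfile": app_profile},
        {"resource_type": "ChildLBPool", "LBPool": pool},
        {"resource_type": "ChildLBService", "LBService": lb_service},
        {"resource_type": "ChildLBVirtualServer", "LBVirtualServer": vserver},
    ]}


def check_patch(body):
    """Pre-flight checks for a reply-less UDP syslog VIP; returns a list of problems."""
    by_type = {c["resource_type"]: c for c in body["children"]}
    vs = by_type["ChildLBVirtualServer"]["LBVirtualServer"]
    pool = by_type["ChildLBPool"]["LBPool"]
    app = by_type["ChildLBAppProfile"]["LBAppProfile"]
    mon = by_type["ChildLBMonitorProfile"]["LBMonitorProfile"]
    problems = []
    if app["resource_type"] != "LBFastUdpProfile":
        problems.append("virtual server must use a fast UDP profile for syslog/UDP")
    if SYSLOG_PORT not in vs["ports"]:
        problems.append("virtual server does not listen on UDP/514")
    if pool.get("snat_translation", {}).get("type") != "LBSnatDisabled":
        problems.append("SNAT enabled: collectors would log the LB address as sender")
    if mon["resource_type"] == "LBUdpMonitorProfile":
        problems.append("UDP monitor expects a reply; syslog collectors never send one")
    if not pool["members"]:
        problems.append("pool has no members")
    return problems


def push_to_nsx(manager, user, password, body, verify_tls=True):
    """PATCH the body to the NSX manager (assumed lab manager; basic auth)."""
    req = urllib.request.Request(f"https://{manager}/policy/api/v1/infra",
                                 data=json.dumps(body).encode(), method="PATCH")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    patch = build_infra_patch()
    issues = check_patch(patch)
    print(json.dumps(patch, indent=2))
    if issues:
        raise SystemExit("refusing to push: " + "; ".join(issues))
    if os.environ.get("NSX_MANAGER"):  # only push when a lab manager is configured
        print(push_to_nsx(os.environ["NSX_MANAGER"], os.environ.get("NSX_USER", "admin"),
                          os.environ["NSX_PASSWORD"], patch))
```

The check function is the part worth keeping around: the two mistakes that turn a syslog VIP into a silent log gap are leaving SNAT on (every event then arrives from the LB address) and attaching a UDP monitor to collectors that by design never reply, so the whole pool flaps down.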
Have you considered NSX ALB (ex-Avi Networks) as the LB solution for your environment? With existing NSX licenses you have the right to use the basic LB features you're mentioning (there is a ratio for how many SE licenses you get from existing NSX keys). Also, it's much more scalable than the integrated LB in NSX and the definitive direction for this kind of requirement in NSX environments.
Later you can add more advanced features like WAF, GSLB, etc. if needed.