When deploying a one-arm LB on a given logical switch, there are no steps to configure the NAT part (SNAT & DNAT). Does that mean that NATing is configured and happening behind the scenes? And if so, how can I check those NAT configurations?
Thanks!
When you configure a load balancing pool you can select the Transparent option, which controls whether the address is translated or not as the traffic passes through the ESG. Selecting Transparent will retain the original IP address, and leaving it unselected will cause the ESG to use the primary IP address of the interface used to get to the backend server. The NAT is dynamic; it is not displayed in the NAT configuration since it is a runtime state, but it can be viewed in the logs by enabling logging on the LB and then, at the CLI, typing: # show log follow | include <backend server IP>
In the pool configuration, if Transparent is not selected (the default) = SNAT
See this documentation for your reference: VMware NSX for vSphere 6.2 Documentation Center
Thanks for your response. Just to be clear: when selecting Transparent (aka two-arm mode), only DNAT is done. When Transparent is not selected, then both SNAT & DNAT are done, since the LB is configured in one-arm mode. Is my understanding correct?
Also, when running in Transparent mode, the Default Gateway is the LB. Does it mean that the VMs are not using the DLR as the DG?
Yes.
For one-arm, the Edge LB will do both SNAT & DNAT.
When running in transparent mode, you are right: the default gateway is normally the Edge LB and the VMs are not using the DLR as the default gateway.
If you don't want the VM to have its gateway at the Edge, you can also explore Distributed Load Balancing (DLB),
but DLB is still a tech preview feature and not for production: NSX Distributed Load Balancing - Getting Started Guide
DLB still has an official status of "Tech Preview" and is not supported by the Global Support team; it is fine to deploy in a non-production environment prior to a GA announcement.
Adding some scenarios using a non-transparent LB in one-arm and two-arm mode:
1. One-Arm
- You have an Edge Router directly connected to the ISP PE, and have a /29 IP block.
- This deployment uses DNAT for the LB at ER-LB-1, with LB VIP 192.168.0.123 and DNAT address 101.102.103.3 (or SNAT too if you want the Web Servers accessing the internet).
- ER-LB-1 uses DLR-1 at 192.168.0.1 as its default gateway.
- Both Web Servers use DLR-1 at 192.168.0.1 as their default gateway.
- Packet flow from outside (client) = Client > Internet > ER-1 LB VIP (101.102.103.3) > DLR-1 > ER-LB-1 (192.168.0.123) > Web A or Web B
- The Web Servers only see request packets from ER-LB-1 (192.168.0.123).
2. Two-Arm
- You have an Edge Router directly connected to the ISP PE, and have a /29 IP block.
- This deployment does not use any NAT because the client is "directly accessing" the Edge Router LB VIP 101.102.103.3.
- Both Web Servers use DLR-1 at 192.168.0.1 as their default gateway.
- Packet flow from outside (client) = Client > Internet > ER-1 LB VIP (101.102.103.3) (Dest Web A or Web B) > DLR-1 > Web A or Web B
- The Web Servers only see request packets from ER-1 (172.16.0.1).
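To make the difference between the two pool settings concrete, here is an added Python model (not NSX code and not from any poster in this thread) of how the ESG rewrites addresses and why the VM default gateway matters once Transparent is selected. It assumes 101.102.103.3 as the VIP the client reaches, 192.168.0.123 as the LB's address on the logical switch and 192.168.0.1 as the DLR gateway, all taken from the scenario above; the client and pool member addresses are constructed.

```python
"""Added model of NSX ESG load-balancer address translation; not NSX code.

Assumed addresses: VIP 101.102.103.3 and LB address 192.168.0.123 from the
thread's scenario, DLR gateway 192.168.0.1; client and pool members are
constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


VIP = "101.102.103.3"          # address the client connects to
LB_IP = "192.168.0.123"        # ESG interface facing the pool (one-arm)
DLR_GW = "192.168.0.1"         # DLR-1, the usual VM default gateway
CLIENT = "203.0.113.10"        # constructed client (RFC 5737 range)
POOL = ("192.168.0.11", "192.168.0.12")  # constructed pool members


def lb_forward(pkt: Packet, member: str, transparent: bool) -> Packet:
    """Packet the ESG hands to the chosen pool member.

    DNAT to the member always happens. SNAT to the ESG's own address only
    happens when the pool's Transparent option is NOT selected (the default).
    """
    if pkt.dst != VIP:
        raise ValueError("not a VIP flow")
    return Packet(src=pkt.src if transparent else LB_IP, dst=member)


def backend_reply(pkt: Packet) -> Packet:
    """A server answers whatever source address it saw."""
    return Packet(src=pkt.dst, dst=pkt.src)


def client_view(transparent: bool, vm_gateway: str) -> Packet:
    """Packet the client finally receives for a request to the VIP."""
    to_member = lb_forward(Packet(CLIENT, VIP), POOL[0], transparent)
    reply = backend_reply(to_member)
    # The reply reaches the ESG if it is addressed to the ESG (SNAT case)
    # or if the VM's default gateway is the ESG (transparent case).
    if reply.dst == LB_IP or vm_gateway == LB_IP:
        return Packet(src=VIP, dst=CLIENT)  # ESG reverses its translation
    # Transparent pool + DLR as gateway: the reply bypasses the LB and arrives
    # from the member's real address, so the client's connection breaks.
    return reply
```

Running client_view(True, DLR_GW) returns a packet sourced from the pool member rather than the VIP, which is the asymmetric-routing failure the earlier replies warn about when the VMs keep the DLR as their gateway in transparent mode.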