luv_nsx
Contributor

One Arm LB Question

When deploying a one arm LB on a given Logical switch, there are no steps to configure the NAT part (SNAT & DNAT). Does that mean that NATing is configured and happening behind the scenes? And if yes, how can I check those NAT configurations?

Thanks!

6 Replies
admin
Immortal

When you configure a Load Balancing pool you can select the Transparent option; this controls whether the address is translated or not as the traffic passes through the ESG. Selecting Transparent will retain the original IP address, and leaving it unselected will cause the ESG to use the primary IP address of the interface used to get to the backend server. The NAT is dynamic; it is not displayed in the NAT configuration since it is a runtime state, but it can be viewed in the logs by enabling logging on the LB and then at the CLI typing #show log follow | include BACKENDSERVER IP.

bayupw
Leadership

In the Pool configuration, if Transparent is not selected (default) = SNAT

See this documentation for your reference: VMware NSX for vSphere 6.2 Documentation Center

Bayu Wibowo | VCIX6-DCV/NV Author of VMware NSX Cookbook http://bit.ly/NSXCookbook https://github.com/bayupw/PowerNSX-Scripts https://nz.linkedin.com/in/bayupw | twitter @bayupw
luv_nsx
Contributor

Thanks for your response. Just to be clear, when selecting Transparent (aka Two Arm mode), only DNAT is done. When Transparent is not selected, then both SNAT & DNAT are done, since the LB is configured in one arm mode. Is my understanding correct?

Also, when running in Transparent mode, the Default Gateway is the LB. Does it mean that the VMs are not using the DLR as the DG?

bayupw
Leadership

Yes.

For one arm the Edge LB will do both SNAT & DNAT.

(attached image: one-arm.png)

When running in transparent mode, you are right: the default gateway is normally the Edge LB and the VMs are not using the DLR as default gateway.

(attached image: inline.png)

If you don't want the VM to have its gateway at the Edge, you can also explore Distributed Load Balancing (DLB).

But DLB is still a tech preview feature and not for production: NSX Distributed Load Balancing - Getting Started Guide

Bayu Wibowo | VCIX6-DCV/NV Author of VMware NSX Cookbook http://bit.ly/NSXCookbook https://github.com/bayupw/PowerNSX-Scripts https://nz.linkedin.com/in/bayupw | twitter @bayupw
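The thread's rule of thumb (Transparent unselected = SNAT + DNAT, so backends only ever see the Edge IP; Transparent selected = DNAT only, so the real client IP reaches the backend) can be audited from the Edge load balancer configuration. The following is an added example, not code from the thread or from VMware: it parses a constructed XML sample shaped like the loadBalancer config body of the NSX-v Edge API (the element names pool, transparent, member, logging are assumed to match that API) and reports, per pool, which NAT behaviour to expect and whether LB logging is on, since with SNAT the Edge LB log is the only place the original client address is recorded.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling GET /api/4.0/edges/{edgeId}/loadbalancer/config
# on an NSX-v Edge; IDs and addresses are made up for this example.
SAMPLE_LB_CONFIG = """<loadBalancer>
  <enabled>true</enabled>
  <logging><enable>true</enable><logLevel>info</logLevel></logging>
  <pool>
    <poolId>pool-1</poolId><name>web-one-arm</name>
    <algorithm>round-robin</algorithm>
    <transparent>false</transparent>
    <member><memberId>m-1</memberId><ipAddress>192.168.0.11</ipAddress><port>80</port></member>
    <member><memberId>m-2</memberId><ipAddress>192.168.0.12</ipAddress><port>80</port></member>
  </pool>
  <pool>
    <poolId>pool-2</poolId><name>web-inline</name>
    <algorithm>round-robin</algorithm>
    <transparent>true</transparent>
    <member><memberId>m-3</memberId><ipAddress>172.16.0.11</ipAddress><port>443</port></member>
  </pool>
</loadBalancer>"""


def nat_mode(transparent):
    """Map the pool's Transparent flag to the NAT the Edge applies at runtime."""
    if transparent:
        # Client source address is preserved, so the backends must route their
        # replies back through the Edge (Edge as default gateway, inline mode).
        return "DNAT only (transparent): backends see the real client IP"
    return "SNAT + DNAT (one-arm): backends see the Edge interface IP"


def audit_pools(lb_xml):
    """Return one dict per pool: NAT behaviour, members and client-IP visibility."""
    root = ET.fromstring(lb_xml)
    logging_on = root.findtext("./logging/enable", "false").lower() == "true"
    report = []
    for pool in root.findall("pool"):
        transparent = pool.findtext("transparent", "false").lower() == "true"
        # With SNAT and no LB logging, the client address is recorded nowhere.
        client_ip_recoverable = transparent or logging_on
        report.append({
            "name": pool.findtext("name"),
            "transparent": transparent,
            "nat": nat_mode(transparent),
            "members": [m.findtext("ipAddress") for m in pool.findall("member")],
            "client_ip_recoverable": client_ip_recoverable,
        })
    return report


if __name__ == "__main__":
    for entry in audit_pools(SAMPLE_LB_CONFIG):
        print(entry)
```

Run against a real Edge by substituting the XML returned by the API for the sample; a pool flagged with client_ip_recoverable False is one where neither the backend logs nor the Edge will tell you who connected.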
admin
Immortal

DLB still has an official status of "Tech Preview" and is not supported by the Global Support team; it is fine to deploy in a non-production environment prior to a GA announcement.

Javel1n
Enthusiast

Adding some scenarios using a non-transparent LB in one-arm and two-arm mode.

1. One-Arm

(attached image: VMware-1 Arm Mode.png)

- You have an Edge Router directly connected to the ISP PE, and have a /29 IP range.

- This deployment uses DNAT for the LB at ER-LB-1, with LB VIP 192.168.0.123 and DNAT address 101.102.103.3 (or SNAT too if you want the Web Servers accessing the internet).

- ER-LB-1 uses DLR-1 at 192.168.0.1 as its default gateway.

- Both Web Servers use DLR-1 at 192.168.0.1 as their default gateway.

- Packet flow from outside (client) = Client > Internet > ER-1 LB VIP (101.102.103.3) > DLR-1 > ER-LB-1 (192.168.0.123) > Web A or Web B

- Web only sees request packets from ER-LB-1 (192.168.0.123).

2. Two-Arm

(attached image: VMware-2 Arm Mode.png)

- You have an Edge Router directly connected to the ISP PE, and have a /29 IP range.

- This deployment does not use any NAT because the client is "directly accessing" the Edge Router LB VIP 101.102.103.3.

- Both Web Servers use DLR-1 at 192.168.0.1 as their default gateway.

- Packet flow from outside (client) = Client > Internet > ER-1 LB VIP (101.102.103.3) (Dest Web A or Web B) > DLR-1 > Web A or Web B

- Web only sees request packets from ER-1 (172.16.0.1).
