We are trialing the load balancer for some web servers.
The web servers on the internal port group are 192.168.10.10 and 192.168.10.11 (192.168.10.0/24)
We have configured the edge to have an IP on the Internal port group (192.168.10.9) and an external port group (192.168.9.9). External port group subnet is 192.168.9.0/24
We have configured the external IP for the load balancer to be 192.168.9.12 - and the two internal IPs balanced as 192.168.10.10 and 192.168.10.11
So the edge has two external IPs (192.168.9.12 - LB port and 192.168.9.9) and one internal 192.168.10.9
We have configured no NAT or Firewall rules. I understand that the LB handles destination NAT for you; and we have left the Firewall rules as default ALLOW.
Here is the interesting part -> I can access the load balanced HTTP service on 192.168.9.12 only when I am on a server on that subnet 192.168.9.0/24
If I am on another subnet which has a route to the 192.168.9.0/24 (have checked by accessing another HTTP service running on say 192.168.9.13) then I cannot access... Not sure what is going on, but this 192.168.9.12 is NAT'ed out to the Internet, and it will also not work on that NAT public address.
Are we sure we do not have to configure any firewall rules here?
Could this be, because I have not installed Port Group Isolation on the hosts and then enabled on the vDS?
Do you need to run Port Group Isolation with vShield Edge? My understanding was no, you just don't get the benefits of overlapping IPs. But you do not have to worry about NATs. With the Load Balancer it takes care of destination NATs anyhow.
PGI is optional in this case. If the PG you are protecting has its own dedicated VLAN then you don't need to flag the PGI option. You'd flag it just if you wanted to have multiple PortGroups isolated but yet sharing the same VLAN (to avoid VLAN sprawl or if you are running short of VLANs).
It looks like a routing issue. As if the external IP port of the Edge (192.168.9.9) doesn't have the proper default gateway configured. You don't mention this in your post (and I am sure you have already tried it) ... can you ping the 9.9 address from another network that is supposed to route to the 192.168.9.0/24?
Just thinking loudly. Weird.
Massimo.
Massimo Re Ferre'
VMware vCloud Architect
twitter.com/mreferre
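One way to make the routing hypothesis above concrete, as an added example that is not part of this thread or of VMware's code: a small Python model of the Edge's forwarding table. With only the two connected subnets, a reply to a client on 192.168.9.0/24 (such as 192.168.9.13) has a route, while a reply to a client on any other subnet has none and is dropped until a default gateway is added (192.168.9.1 is an assumed upstream router address, not from the thread).

```python
import ipaddress

# Constructed model of the topology described in the thread: the Edge is
# directly connected to 192.168.9.0/24 (external, where the LB VIP 192.168.9.12
# lives) and 192.168.10.0/24 (internal web servers). Routes are (prefix, next_hop);
# next_hop None means "directly connected".
CONNECTED = [("192.168.9.0/24", None), ("192.168.10.0/24", None)]
DEFAULT_GATEWAY = "192.168.9.1"  # assumed upstream router, not given in the thread


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs.
    Returns (network, next_hop) for the best match, or None if no route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def reply_path(client, with_default_gateway):
    """Describe how the Edge would forward the LB's reply back to `client`.
    Clients on a connected subnet always have a path; anyone else needs
    the default route, which is exactly what the missing-gateway theory predicts."""
    routes = list(CONNECTED)
    if with_default_gateway:
        routes.append(("0.0.0.0/0", DEFAULT_GATEWAY))
    hit = lookup(routes, client)
    if hit is None:
        return "unreachable: no route, reply is dropped"
    net, nh = hit
    return "directly connected" if nh is None else f"via {nh}"


def diagnose(clients):
    """For each client, show the reply path without and with a default gateway."""
    return {c: (reply_path(c, False), reply_path(c, True)) for c in clients}


if __name__ == "__main__":
    # 192.168.9.13 is the same-subnet client from the thread; 10.20.30.40 is a
    # constructed address standing in for "another subnet that routes to 192.168.9.0/24".
    for client, (without, with_gw) in diagnose(["192.168.9.13", "10.20.30.40"]).items():
        print(f"{client}: no default gw -> {without}; with default gw -> {with_gw}")
```

The asymmetry matches the symptom reported: the request reaches the VIP from anywhere that routes to 192.168.9.0/24, but the Edge can only return the reply to hosts it has a route for.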
Let us know if you managed to resolve this.
I had not managed to resolve the issue. I had also contacted support and no luck there.
Due to customer deadlines I therefore implemented Microsoft ARR (+ other components) to achieve the functionality.