3 Replies Latest reply on Aug 9, 2018 8:43 AM by lhoffer

    Questions about NSX LB

    m1xed0s Novice

      Scenario 1: Configured inline LB with web server 1 and 2 as pool member and the pool is configured as transparent.

      Question: Does NSX also auto-create the SNAT rule (even with pool as transparent) like in the one-arm mode? If yes, then how can the web 1&2 see the real client IP? If not, I guess I can disable the firewall service on the ESG providing the LB, right?


      Scenario 2: Configured LB with web server 1 and 2 as pool member for HTTP or HTTPS. It could be either one-arm or inline LB mode.

      Question: Will the "Insert X-Forwarded-For HTTP header" work for HTTPS, so the backend server 1&2 can log the real client IP address.




        • 1. Re: Questions about NSX LB
          lhoffer Hot Shot
          VMware Employees, vExpert

          Regarding scenario 1, when you select "Transparent" on the underlying pool, the LB will not perform SNAT on the traffic so the packet received by the pool member will still have the original source IP as depicted in this snip from the admin guide:



          For scenario 2, as long as the LB actually terminates the TLS session (so as long as "Enable SSL Passthrough" is not selected in the application profile, which prevents the LB from decrypting the payload and getting visibility into the underlying HTTP header) then yes, the "Insert X-Forwarded-For" option will still work.

          • 2. Re: Questions about NSX LB
            m1xed0s Novice

            Thanks for the info. The reference picture is not visible...


            So under scenario 1, I actually do not need to enable firewall/NAT on ESG, right? Assuming I do not want to filter traffic on ESG.

            Never mind, I still need NAT even with transparent pool, for translation of backend server ip to the VIP...

            • 3. Re: Questions about NSX LB
              lhoffer Hot Shot
              vExpert, VMware Employees

              Sorry about the pic, you can see it in the admin guide at Logical Load Balancer as well where it describes the topologies.


              As far as the firewall, it still needs to be enabled on the ESG either way, as even in inline mode it still has to perform DNAT on the traffic to send it to the underlying pool members.
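The two scenarios above, worked through as an added example (this is not code from the thread or from VMware). It builds the NSX-v REST XML for an application profile and a transparent pool, encodes the two rules the replies state (a transparent pool means no SNAT, so the packet source IP is the client; X-Forwarded-For is only inserted when the LB can see HTTP, i.e. SSL passthrough is off), and shows the backend-side check a practitioner wants: only trust X-Forwarded-For on connections that actually come from the LB, since anyone else can send that header. Assumptions: the element names `sslPassthrough`, `insertXForwardedFor` and `transparent` are taken from the NSX-v 6.x API guide and should be verified against your version; the edge id, pool names and addresses are constructed; that the LB appends the client IP as the last X-Forwarded-For entry is an assumption, so check it against your LB's actual behaviour before relying on it.

```python
"""Worked example for the thread's two scenarios (added example, not VMware code).
Assumptions: NSX-v 6.x REST XML element names (applicationProfile/sslPassthrough,
applicationProfile/insertXForwardedFor, pool/transparent) from the NSX API guide;
all ids, names and IP addresses below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

EDGE_ID = "edge-1"  # constructed; the real id comes from GET /api/4.0/edges


def application_profile_xml(name, template, ssl_passthrough, insert_xff):
    """XML body for .../edges/{edgeId}/loadbalancer/config/applicationprofiles.
    template is HTTP or HTTPS here; sslPassthrough=false means the LB terminates
    TLS and can therefore insert X-Forwarded-For (scenario 2)."""
    root = ET.Element("applicationProfile")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "template").text = template
    ET.SubElement(root, "sslPassthrough").text = str(ssl_passthrough).lower()
    ET.SubElement(root, "insertXForwardedFor").text = str(insert_xff).lower()
    return ET.tostring(root, encoding="unicode")


def pool_xml(name, transparent, members):
    """XML body for .../edges/{edgeId}/loadbalancer/config/pools.
    transparent=true means no SNAT, so web1/web2 see the client source IP
    (scenario 1); their default route must then point back through the ESG."""
    root = ET.Element("pool")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "algorithm").text = "round-robin"
    ET.SubElement(root, "transparent").text = str(transparent).lower()
    for i, (ip, port) in enumerate(members, 1):
        m = ET.SubElement(root, "member")
        ET.SubElement(m, "name").text = f"web{i}"
        ET.SubElement(m, "ipAddress").text = ip
        ET.SubElement(m, "port").text = str(port)
    return ET.tostring(root, encoding="unicode")


def client_ip_visibility(transparent, template, ssl_passthrough, insert_xff):
    """Return the set of ways the pool members can learn the real client IP.
    'source-ip'        : transparent pool, LB does not SNAT.
    'x-forwarded-for'  : header inserted, and the LB can see HTTP, which for
                         HTTPS requires SSL passthrough to be disabled.
    An empty set means the members only ever see the LB's own address."""
    ways = set()
    if transparent:
        ways.add("source-ip")
    http_visible = template == "HTTP" or (template == "HTTPS" and not ssl_passthrough)
    if insert_xff and http_visible:
        ways.add("x-forwarded-for")
    return ways


def real_client_ip(peer_ip, xff_header, lb_ips):
    """Backend-side logging helper: X-Forwarded-For is attacker-controlled on any
    connection that did not come from the LB, so only honour it when the TCP peer
    is one of the LB's addresses. Assumption: the LB appends the client IP as the
    last entry, so the last entry is the one the LB itself added."""
    if peer_ip in lb_ips and xff_header:
        return xff_header.split(",")[-1].strip()
    return peer_ip


if __name__ == "__main__":
    # Scenario 1: inline LB, transparent pool -> members see the client source IP.
    print(pool_xml("web-pool", True, [("10.0.1.11", 80), ("10.0.1.12", 80)]))
    print(client_ip_visibility(True, "HTTP", False, False))
    # Scenario 2: HTTPS terminated on the LB with XFF insertion.
    print(application_profile_xml("https-xff", "HTTPS", False, True))
    print(client_ip_visibility(False, "HTTPS", False, True))
    # Same profile with SSL passthrough: the LB cannot touch the HTTP header.
    print(client_ip_visibility(False, "HTTPS", True, True))
```

The payloads are what you would PUT or POST to the edge's loadbalancer config endpoints; the firewall service on the ESG stays enabled in both scenarios, as the last reply notes, because the DNAT from VIP to member is performed by it regardless of the transparent setting.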