Wednesday, 13 May 2015

NSX Deepdive Part 9 - Configuring Load Balancing with NSX Edge Gateway


1. Add an IP Address to the Uplink Interface
To use an IP address for network address translation (NAT) rules or a load balancer virtual server
that is not the primary IP address of an NSX Edge interface, the address must be explicitly added to
that interface. Until it is, the NSX Edge appliance does not accept packets for it from the upstream
device, so a virtual server or NAT rule on that address never sees any traffic.
1. In the left navigation pane, select NSX Edges.
2. In the edge list, double-click the Perimeter Gateway entry to manage that object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces.
5. In the interfaces list, select the vNIC# 0 interface and click the pencil icon.
6. In the Edit NSX Edge Interface dialog box, select the existing 192.168.100.3*,... subnet entry
and click the pencil icon to open the Edit Subnet dialog box.
This entry already has three IP addresses: 192.168.100.3, 192.168.100.7, and 192.168.100.8.
7. In the Edit Subnet dialog box, perform the following actions.
a. Click the green plus sign to create an address entry.
b. Enter 192.168.100.9 in the IP address text box and click OK to confirm the entry.
c. Click OK to close the Edit Subnet dialog box.
8. Click OK to commit the interface changes.
9. In the interfaces list, find the vNIC# 0 entry, click the Show All link in the IP address column,
and verify that the following addresses appear in the list.
• 192.168.100.3*
Primary address of the interface
• 192.168.100.7
NAT address for web-sv-01a
• 192.168.100.8
NAT address for web-sv-02a
• 192.168.100.9
New address for the load balancer virtual server
10. Click OK to close the Assigned IP Addresses dialog box.




2. Enable the Load Balancer Service and Configure an Application Profile
You enable the load balancer service and configure an application profile for HTTPS with SSL
pass-through. With SSL pass-through the edge forwards the TLS session untouched: the Web servers'
own certificates are presented to clients, and the edge cannot inspect the payload or apply layer 7
rules to it.
1. Under the Manage tab, click Load Balancer.
2. In the load balancer category panel, select Global Configuration.
3. Click Edit on the right side of the global configuration page.
4. In the Edit load balancer global configuration page, select the Enable Load balancer check
box and click OK, leaving all other fields at their default values.
5. In the load balancer category panel, select Application Profiles.
6. Above the top panel, click the green plus sign to open the New Profile dialog box, and perform
the following actions.
a. Enter App-Profile in the Name text box.
b. Click HTTPS.
c. Select the Enable SSL Passthrough check box.
d. Leave all other fields at their default values and click OK.


3. Create a Server Pool
You create a round-robin server pool that contains the two Web server virtual machines as members
providing HTTPS.
1. In the load balancer category panel, select Pools.
2. Above the top panel, click the green plus sign to open the New Pool dialog box, and perform
the following actions.
a. Enter Server-Pool in the Name text box.
b. Verify that the Algorithm selection is ROUND-ROBIN.
c. Verify that the Monitors selection is NONE.
With no monitor attached, the load balancer has no health information and keeps sending
connections to a member that is down; this is acceptable for the exercise, not for production.
d. Below Members, click the green plus sign to open the New Member dialog box, and add
the first Web server (172.16.10.11, port 443).
e. Click OK to close the New Member dialog box.
f. Under Members, click the green plus sign to open the New Member dialog box, and add the
second Web server (172.16.10.12, port 443).
g. Click OK to close the New Member dialog box.
h. Click OK to close the New Pool dialog box.


4. Create a Virtual Server
The virtual server is positioned on the external network attached to the uplink interface of the
perimeter gateway, in a two-arm configuration: clients reach the VIP on the uplink side, and the pool
members sit behind the edge on the Web-Tier logical switch.
1. In the load balancer category panel, select Virtual Servers.
2. Above the top panel, click the green plus sign to open the New Virtual Server dialog box, and
perform the following actions.
a. Verify that the Enabled check box is selected.
b. Enter VIP in the Name text box.
c. Enter 192.168.100.9 in the IP Address text box.
d. Select HTTPS from the Protocol drop-down menu.
e. Verify that the Port setting has changed to 443.
f. Select Server-Pool from the Default Pool drop-down menu.
g. Verify that the Application Profile selection is App-Profile.
h. Leave all other settings at their default values and click OK.
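The four GUI sections above amount to one load balancer configuration document on the edge, and the same result can be produced by the NSX Manager REST API. The script below is an added example, not code from the original post or from VMware: it builds the document (load balancer enabled, HTTPS profile with SSL pass-through, round-robin pool of the two Web servers, virtual server on 192.168.100.9:443) and optionally PUTs it. The element names and the endpoint `PUT /api/4.0/edges/{edgeId}/loadbalancer/config` follow the NSX-v 6.x API guide as I recall it, and the IDs `applicationProfile-1` and `pool-1` are the IDs I assume NSX Manager gives the first profile and pool of an edge; verify both against the API guide for your version. The edge ID, NSX Manager hostname, CA file and member names are assumptions.

```python
"""Build (and optionally push) the NSX Edge load balancer configuration that
sections 2-4 create by hand. Added example; the XML schema is an assumption
taken from the NSX-v 6.x API guide, to be checked against your version."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# IDs assumed for the first profile/pool of an edge (the post itself refers to
# the pool as pool-1 in the Pools list).
PROFILE_ID = "applicationProfile-1"
POOL_ID = "pool-1"


def _leaf(parent, tag, text):
    el = ET.SubElement(parent, tag)
    el.text = str(text)
    return el


def build_lb_config(vip_ip, members, transparent=False, profile_name="App-Profile",
                    pool_name="Server-Pool", vs_name="VIP"):
    """Return the <loadBalancer> document as bytes.

    members: list of (name, ip) tuples; every member listens on 443.
    transparent: False = edge SNATs to its own server-facing address,
                 True  = the original client source IP is preserved.
    """
    lb = ET.Element("loadBalancer")
    _leaf(lb, "enabled", "true")
    _leaf(lb, "accelerationEnabled", "false")

    prof = ET.SubElement(lb, "applicationProfile")
    _leaf(prof, "name", profile_name)
    _leaf(prof, "template", "HTTPS")
    # SSL pass-through: TLS is not terminated on the edge, so the Web servers'
    # own certificates reach the client and the edge sees only ciphertext.
    _leaf(prof, "sslPassthrough", "true")
    _leaf(prof, "insertXForwardedFor", "false")
    _leaf(prof, "serverSslEnabled", "false")

    pool = ET.SubElement(lb, "pool")
    _leaf(pool, "name", pool_name)
    _leaf(pool, "algorithm", "round-robin")
    _leaf(pool, "transparent", "true" if transparent else "false")
    # No <monitorId>: the post leaves Monitors at NONE, so a dead member still
    # receives connections until a monitor is attached.
    for name, ip in members:
        m = ET.SubElement(pool, "member")
        _leaf(m, "name", name)
        _leaf(m, "ipAddress", ip)
        _leaf(m, "port", 443)
        _leaf(m, "monitorPort", 443)
        _leaf(m, "weight", 1)
        _leaf(m, "condition", "enabled")

    vs = ET.SubElement(lb, "virtualServer")
    _leaf(vs, "name", vs_name)
    _leaf(vs, "enabled", "true")
    _leaf(vs, "ipAddress", vip_ip)
    _leaf(vs, "protocol", "https")
    _leaf(vs, "port", 443)
    _leaf(vs, "defaultPoolId", POOL_ID)
    _leaf(vs, "applicationProfileId", PROFILE_ID)
    return ET.tostring(lb, encoding="utf-8")


def summarize(config_xml):
    """Parse a config document back into a small dict for verification."""
    root = ET.fromstring(config_xml)
    return {
        "vip": root.findtext("virtualServer/ipAddress"),
        "passthrough": root.findtext("applicationProfile/sslPassthrough") == "true",
        "transparent": root.findtext("pool/transparent") == "true",
        "members": [m.findtext("ipAddress") for m in root.findall("pool/member")],
    }


def push_config(nsx_manager, edge_id, config_xml, username, password, ca_file):
    """PUT the document to NSX Manager over verified TLS. ca_file is the CA that
    issued the NSX Manager certificate; do not switch verification off for an
    API that carries admin credentials (hostname and edge ID are assumptions)."""
    url = f"https://{nsx_manager}/api/4.0/edges/{edge_id}/loadbalancer/config"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=config_xml, method="PUT", headers={
        "Content-Type": "application/xml",
        "Authorization": "Basic " + token,
    })
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Two-arm layout of section 4: VIP on the uplink, pool on the Web-Tier switch.
    doc = build_lb_config("192.168.100.9",
                          [("web-sv-01a", "172.16.10.11"), ("web-sv-02a", "172.16.10.12")])
    print(doc.decode())
    # push_config("nsxmgr.example.internal", "edge-1", doc, "admin", password, "/etc/ssl/nsx-ca.pem")
```

Passing `transparent=True` produces the pool variant used later in the packet-capture check, and changing `vip_ip` to the Web-Tier interface address is the one-armed repositioning; everything else in the document stays the same.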


5. Use the Packet Capture Capabilities of NSX Edge to Verify Round-Robin Load Balancing
You monitor HTTPS traffic that traverses the transit network to verify round-robin distribution as
perimeter gateway assigns sessions to servers in the pool.
1. Minimize the Firefox window.
2. In the PuTTY window, run the following command to begin capturing SSL packets on the
transit interface. In the edge CLI the capture filter is written with underscores in place of
spaces, so port_443 is passed to the capture as the filter port 443.
debug packet display interface vNic_1 port_443
3. Leave the packet capture running and restore the Firefox window.
4. In the Firefox window, open a new browser tab and go to https://192.168.100.9.
5. If Firefox reports that the connection is untrusted, perform the following actions.
a. Click the I Understand the Risks link.
b. Click the Add Exception link
c. In the Add Security Exception dialog box, click Confirm Security Exception.
6. Minimize the Firefox window.
7. In the PuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP
addresses. Only one of the two Web server addresses is used.
• 192.168.10.1
This address is the Transit network interface of the perimeter gateway edge.
• 172.16.10.11 or 172.16.10.12
These are the addresses of the Web servers on the Web-Tier logical switch network.
8. Leave the packet capture running.
9. Restore the Firefox window and click the vSphere Web Client tab.
10. In the load balancer category panel, select Pools.
11. In the pool list, select the Server-Pool entry (pool ID pool-1) and click the pencil icon.
12. In the Edit Pool dialog box, select the Transparent check box at the bottom and click OK.
13. After the configuration update completes, click the NSX for vSphere Training tab in Firefox.
14. Click the Firefox page refresh button to the right of the URL bar.
15. Minimize the Firefox window.
16. In the PuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP
addresses. Only one of the two Web server addresses is used.
• 192.168.110.10
This address is the address of the Control Center system. With transparent mode enabled,
the original source address has been maintained in packets forwarded to the Web server.
Sessions are still proxied by perimeter gateway, using a different source port than the
source port that is used by the original client.
• 172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web-Tier logical switch
network.
17. On the Control Center desktop, double-click the Internet Explorer shortcut.
18. In Internet Explorer, go to https://192.168.100.9.
19. When Internet Explorer reports a problem with the Web site security certificate, click the
Continue to this website (not recommended) link.
20. Wait for the Web page to be displayed, which might take a few moments, and minimize the
Internet Explorer window.
21. In the PuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP
addresses. Only one of the Web server addresses appears.
• 192.168.110.10
This address is the IP address of the Control Center system.
• 172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web logical switch network.
The address that appears in the most recent capture should be the Web server not seen in
the previous capture.
22. Press Ctrl+C to stop the packet capture.
23. Restore the Firefox window and click the vSphere Web Client tab.
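Reading the three captures by eye works for two page loads; for anything longer it helps to reduce the capture to one line per new connection. The script below is an added example, not part of the original post: it parses tcpdump-style lines as printed by debug packet display, keeps only the client SYNs, drops retransmitted SYNs so a slow handshake is not counted twice, reports which pool member each connection went to and whether they were used in round-robin order, and classifies the capture as proxy (source is the edge's transit address 192.168.10.1) or transparent (source is the Control Center's 192.168.110.10). The line format is an assumption about the edge output, and the two sample captures are constructed to mirror the addresses in this section.

```python
"""Summarise an NSX Edge 'debug packet display' capture: pool member per new
connection, round-robin order, and proxy vs transparent source addressing.
Added example; assumes tcpdump-style 'IP a.b.c.d.port > w.x.y.z.port: Flags [S]'
lines, and the sample captures below are constructed."""
import re
from collections import Counter

POOL = ["172.16.10.11", "172.16.10.12"]   # Server-Pool members, in pool order
CLIENT_IP = "192.168.110.10"              # Control Center (original client)
EDGE_TRANSIT_IP = "192.168.10.1"          # perimeter gateway, transit side

# Constructed sample, pool in proxy mode: two page loads, second one lands on
# the other member. Line 4 is a retransmitted SYN of the first connection.
CAPTURE_PROXY = """\
14:02:11.104532 IP 192.168.10.1.49152 > 172.16.10.11.443: Flags [S], seq 1001, win 29200, length 0
14:02:11.104900 IP 172.16.10.11.443 > 192.168.10.1.49152: Flags [S.], seq 2001, ack 1002, win 28960, length 0
14:02:11.105100 IP 192.168.10.1.49152 > 172.16.10.11.443: Flags [.], ack 1, win 229, length 0
14:02:12.110000 IP 192.168.10.1.49152 > 172.16.10.11.443: Flags [S], seq 1001, win 29200, length 0
14:02:19.330001 IP 192.168.10.1.49153 > 172.16.10.12.443: Flags [S], seq 3001, win 29200, length 0
14:02:19.330400 IP 172.16.10.12.443 > 192.168.10.1.49153: Flags [S.], seq 4001, ack 3002, win 28960, length 0
"""

# Constructed sample after the Transparent box is ticked: the source is the
# client's own address, but the source port is still chosen by the edge.
CAPTURE_TRANSPARENT = """\
14:05:02.000100 IP 192.168.110.10.60001 > 172.16.10.11.443: Flags [S], seq 5001, win 29200, length 0
14:05:02.000500 IP 172.16.10.11.443 > 192.168.110.10.60001: Flags [S.], seq 6001, ack 5002, win 28960, length 0
14:05:40.200000 IP 192.168.110.10.60002 > 172.16.10.12.443: Flags [S], seq 7001, win 29200, length 0
"""

# Only a bare SYN ('Flags [S]', not the '[S.]' SYN-ACK) marks a new connection.
SYN_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\],"
)


def parse_syns(capture_text):
    """Distinct client SYNs as (src_ip, src_port, dst_ip, dst_port) tuples in
    first-seen order; a retransmitted SYN (same 4-tuple) is not a new turn."""
    seen, syns = set(), []
    for line in capture_text.splitlines():
        m = SYN_RE.search(line)
        if not m:
            continue
        key = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        if key not in seen:
            seen.add(key)
            syns.append(key)
    return syns


def backend_sequence(syns):
    """Pool member chosen for each new connection, in order."""
    return [dst for _, _, dst, _ in syns]


def is_round_robin(sequence, pool):
    """True when every connection went to a pool member and consecutive
    connections walked the pool in order (starting at any member)."""
    if any(ip not in pool for ip in sequence):
        return False
    for a, b in zip(sequence, sequence[1:]):
        if b != pool[(pool.index(a) + 1) % len(pool)]:
            return False
    return True


def source_mode(syns, client_ip, edge_ip):
    """'transparent' if the servers saw the real client address, 'proxy' if
    they saw the edge's own address, 'mixed' if the capture spans both."""
    sources = {src for src, _, _, _ in syns}
    if sources == {client_ip}:
        return "transparent"
    if sources == {edge_ip}:
        return "proxy"
    return "mixed"


def report(capture_text):
    syns = parse_syns(capture_text)
    seq = backend_sequence(syns)
    return {
        "connections": len(syns),
        "per_member": dict(Counter(seq)),
        "round_robin": is_round_robin(seq, POOL),
        "mode": source_mode(syns, CLIENT_IP, EDGE_TRANSIT_IP),
    }


if __name__ == "__main__":
    for label, cap in (("proxy", CAPTURE_PROXY), ("transparent", CAPTURE_TRANSPARENT)):
        print(label, report(cap))
```

A browser may open more than one TCP connection for a single page, and each new connection is one round-robin turn, which is why the expectation "only one of the two Web server addresses is used" holds only when the browser reuses a single connection; the per-connection sequence from `backend_sequence` shows what actually happened rather than what the page load looked like.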

6. Migrate the Web-Tier Logical Switch to the Perimeter Gateway
You migrate the Web-Tier logical switch so that the network is connected directly to the perimeter
gateway. The load balancer virtual server is moved to the directly-connected Web-Tier network to
show side-by-side operation of the load balancer.
1. At the top of the left navigation pane, click the Networking & Security back arrow button.
2. In the edge list, double-click the Distributed Router entry to manage that object.
3. In the middle pane, click the Manage tab and click Settings.
4. In the settings category panel, select Interfaces.
5. In the interfaces list, select the Web-Interface entry and click the disconnect icon.

6. Wait for the update to complete, and verify that a disconnect icon appears in the Web-Interface
Status column.
7. At the top of the left navigation pane, click the Networking & Security back arrow button.
8. In the edge list, double-click the Perimeter Gateway entry to manage that object.
9. In the middle pane, click the Manage tab and click Settings.
10. In the settings category panel, select Interfaces.
11. Select the vNIC# 2 interface, click the pencil icon to open the Edit NSX Edge Interface dialog
box, and perform the following actions.
a. Enter Web-Tier-Temp in the Name text box.
b. Verify that the Type selection is Internal.
c. Click the Connected To > Select link.
d. Click the Web-Tier button and click OK.
e. Above the IP Address table, click the green plus sign to open the Add Subnet dialog box.
f. In the Add Subnet dialog box, click the green plus sign to create an IP address entry.
g. Enter 172.16.10.1 in the IP address text box and click OK to confirm the entry.
The new interface you are configuring on the perimeter gateway replaces the distributed router
interface you disconnected in step 5, using the same IP address, so the Web servers keep their
existing default gateway.
h. Enter 24 in the Subnet Prefix Length text box.
i. Click OK to close the Add Subnet dialog box.
j. Click OK to commit the interface changes.

7. Reposition the Virtual Server and Examine NAT Rule Changes
The virtual server is repositioned onto the same subnet as the pool members, in a one-armed
configuration.
1. Under the Manage tab, click Load Balancer.
2. In the load balancer category panel, select Virtual Servers.
3. In the virtual servers list, select the single virtual server defined and click the pencil icon.
4. In the Edit Virtual Server dialog box, change the IP Address field to 172.16.10.1, and click
OK.
For this example, the primary IP address of the interface is used for the virtual server.

8. Use a Packet Capture to Verify Round-Robin Operation
You use the same techniques learned so far to verify proxy mode operation.
1. Minimize the Firefox window.
2. In the PuTTY window, run the following command to begin capturing SSL packets on the
Web-Tier-Temp interface.
debug packet display interface vNic_2 port_443
3. Leave the packet capture running and restore the Firefox window.
4. In the Firefox window, click the NSX for vSphere Training tab and go to https://172.16.10.1.
After the Web-Tier logical switch was migrated in the previous task, OSPF updated the routing
tables automatically, so both the perimeter gateway and the distributed router already know the
new location of the network.
5. When Firefox reports the connection is untrusted, perform the following actions.
a. Click the I Understand the Risks link.
b. Click the Add Exception link.
c. In the Add Security Exception dialog box, click Confirm Security Exception.
6. After the Web page is displayed, close the browser tab used to browse the Web page and
minimize the Firefox window.
7. In the PuTTY window, examine the captured packets to determine source and destination
addressing, and verify that the exchange is between a combination of the following IP
addresses. Only one of the Web server IP addresses appears.
• 172.16.10.1
This address is the perimeter gateway interface on which the destination NAT rule is applied.
• 172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web logical switch network.
8. Leave the packet capture running.
9. Restore the Internet Explorer window and go to https://172.16.10.1.
10. When Internet Explorer reports a problem with the Web site security certificate, click the
Continue to this website (not recommended) link.
11. Wait for the Web page to be displayed, which might take a few moments, and close the Internet
Explorer window.
12. In the PuTTY window, examine the captured packets and verify that the exchange is between a
combination of the following IP addresses.
• 172.16.10.1
This address is the perimeter gateway interface on which the destination NAT rule is applied.
• 172.16.10.11 or 172.16.10.12
These addresses are the addresses of the Web servers on the Web logical switch network.
The address that appears in the capture should be the Web server not seen in the previous
capture.
13. Press Ctrl+C to stop the packet capture.