NSX-T LB ToI-v3.1-v1.0 - Public

The document discusses NSX-T Load Balancer enhancements in version 3.1. Key highlights include: 1. New load balancing features like NSX-T load balancer cookie protection, updated UI/API for server keep-alive configuration, and a new CLI command for load balancer diagnosis. 2. An overview of NSX-T load balancer technical capabilities like layer 4 and layer 7 load balancing, and how load balancers are realized through logical entities that are attached to tier-1 logical routers. 3. Details on supported load balancer deployment topologies, including inline and one-arm deployments, and considerations for SNAT configuration and virtual IP placement.
NSX-T Load Balancer ToI
(Update NSX-T 3.1)

Dimitri Desmidt - Senior TPM NSX
ddesmidt@vmware.com
Agenda

1. NSX-T 3.1 LB enhancements
2. NSX-T LB Technical Overview
3. NSX-T LB Technical Deep Dive
4. Demo
5. Key Takeaways
6. Q&A
NSX-T Insert Cookie Security
Cookie "httponly" and "secure" options

Feature
Cookie Protection:
• Against scripts on Clients stealing cookie information (httponly)
• From cookies sent over HTTP (secure)

Benefit
Increase application security

[Figure: Client -> VIP L7 HTTP/HTTPS -> Server Pool (S1). HTTP Request1 is forwarded to S1; HTTP Response1 is returned to the client with the LB-inserted persistence cookie "Set-Cookie: NSX-Cookie=S1; Secure; HttpOnly".]
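As an added example (not part of the original deck), a small Python check a defender can run over captured response headers to confirm that every Set-Cookie, including the NSX-Cookie persistence cookie shown above, carries the Secure and HttpOnly attributes; the header list below is constructed sample data.

```python
# Constructed sample: response headers from a VIP, as (name, value) pairs
# (for instance captured with "curl -i https://<vip>/").
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "NSX-Cookie=S1; Secure; HttpOnly"),   # LB insert cookie
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),         # app cookie, no flags
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).
    Flag attributes without '=' (Secure, HttpOnly) are stored as True."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() if attr_val else True
    return name.strip(), val.strip(), attrs

def audit_cookies(headers, over_https=True):
    """Return {cookie name: [missing attributes]} for every Set-Cookie header.
    Secure is only expected when the VIP serves HTTPS (a Secure cookie is
    never sent by the browser over HTTP); HttpOnly is expected regardless,
    so client-side scripts cannot read the session/persistence cookie."""
    findings = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hvalue)
        missing = []
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        findings[name] = missing
    return findings

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not missing else "missing " + ", ".join(missing))
```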
Load Balancing NTLM Applications
Updated UI/API configuration: "Server Keep-Alive"

Feature
Updated UI/API: "Enable Server Keep-Alive" (previously called "NTLM Authentication")

Benefit
More generic option
LB Diagnosis
New CLI command

Feature
New CLI command on the Edge node: get load-balancer <LB-UUID> diagnosis

    lab1-edge1> get load-balancer 3554fa76-2b3b-4690-ba65-3675706155dc diagnosis
    Fri Dec 18 2020 UTC 03:07:16.017 Load Balancing Diagnosis Checking
    Action : checking system
    Result : passed
    Action : checking crash
    Result : passed
    Action : checking daemon status
    Result : passed
    Action : checking configuration
    Result : passed
    Action : checking runtime
    Result : passed
    Action : checking stats
    Result : passed

Benefit
New simple monitoring CLI command
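Added example, not from the deck: a Python parser for the diagnosis output above, so a monitoring job that collects the command output can turn the Action/Result pairs into an alert list. The sample output is constructed from the slide with one check flipped to "failed".

```python
# Constructed sample of "get load-balancer <uuid> diagnosis" output, with the
# crash check set to "failed" to exercise the alerting path.
SAMPLE_OUTPUT = """\
Fri Dec 18 2020 UTC 03:07:16.017 Load Balancing Diagnosis Checking
Action : checking system
Result : passed

Action : checking crash
Result : failed

Action : checking daemon status
Result : passed
"""

def parse_diagnosis(text):
    """Map each 'Action' to its 'Result'. Lines are paired in order; an
    Action with no following Result (truncated output) is recorded as
    'unknown' so it is never mistaken for a pass."""
    results = {}
    action = None
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:              # blank line or the timestamp banner
            continue
        key, val = key.strip().lower(), val.strip()
        if key == "action":
            if action is not None:
                results[action] = "unknown"
            action = val
        elif key == "result" and action is not None:
            results[action] = val.lower()
            action = None
    if action is not None:
        results[action] = "unknown"
    return results

def failed_checks(text):
    """Sorted names of checks that did not pass (input for an alert)."""
    return sorted(a for a, r in parse_diagnosis(text).items() if r != "passed")

if __name__ == "__main__":
    print(failed_checks(SAMPLE_OUTPUT))
```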
Main LB benefits

- Scale out
- High Availability

[Figure: Clients -> LB -> Server Pool]
Layer4 and Layer7 Load Balancing

- Layer 4 Load Balancing
  - Connection-based (TCP or UDP)
  - Selection: Round Robin, Least Connections, etc.
  [Figure: Virtual Server 20.20.20.20:80 -> Server Pool]

- Layer 7 Load Balancing
  - Content-based (HTTP / HTTPS)
  - Selection: based on URI, Domain name, etc.
  - URL manipulation (redirect specific pages, add headers, etc.)
  - SSL Offload
  - etc.
  [Figure: Virtual Server 30.30.30.30:80; requests for www.mysite.com go to Pool "www", requests for blog.mysite.com go to Pool "blog"]
Load Balancer

- Load Balancer (LB)
  - A logical entity you create
  - Similar to physical or virtual load balancers
- LB is realized when attached to LR
  - Only Tier-1 LR supported
  - 1:1 between LR and LB
- Shareable LB objects
  - Can be used in multiple LBs
  - E.g. Monitors, SSL Profiles

[Figure: one Edge Node (VM or BM) hosting two Tier-1 routers, each with its own LB (LB1, LB2). LB1 serves VS1 and VS2 with Pool1 and Pool2; LB2 serves VS5 and VS6 with Pool3 and Pool5. Monitor1 and Monitor2 are shared across pools of both LBs.]
Load Balancing Supported Topologies (1/2)
LB InLine Deployment

Enable LB on an existing Tier-1 GW
Note: LB not available on Tier-0 GW

LB-SNAT can be required depending on traffic flows.
LB-SNAT required:
• Clients and Servers are connected to the same T1-Downlink (Overlay) (flow 1 in the figure)
LB-SNAT not required:
• Other use cases (flow 2 in the figure)

Note: VIP can be placed in any subnet:
• Linked-segment (Downlink) or Service Interface (CSP)
• A new dedicated network as a loopback interface
• T0 uplink subnet

[Figure: Tier-0 above two Tier-1+LB gateways; Overlay or VLAN segments below with Clients (C), Servers (S) and Server Pools. Flow 1: clients and servers on the same Tier-1 downlink. Flow 2: clients reaching the VIP from other locations.]
Deployment Modes (2/2)
LB OneArm Deployments

Deploy dedicated One-Arm Tier-1 GW for Load Balancer
Note: LB not available on Tier-0 GW
Can be deployed on Overlay or VLAN
LB-SNAT always required

Note: VIP can be placed in any subnet:
• Service Interface (CSP)
• A new dedicated network as a loopback interface (requires manual routing advertisement)

[Figure: three one-arm variants. "LB OneArm using T1 Service Interface": Tier-0 -> Tier-1 -> Overlay or VLAN segment holding the T1+LB and its Server Pool. "LB OneArm using T1 Uplink Interface": Tier-0 -> Tier-1 -> T1+LB with its Server Pool. Third variant: Physical Router -> VLAN segment holding the T1+LB and its Server Pool.]
Basic Load Balancer Workflow
Add Load Balancing into an existing NSX-T

0. Network Topology and App
1. Create a Load Balancer attached to Tier-1 GW
2. Create Virtual Server and Pool
3. Create Pool with members for VIP

[Figure: Client (C) requesting http://vip1/finance/page.html via Tier-0 -> Tier-1; on the Tier-1, Virtual Server "VIP-Paris" (2) -> Pool "Pool-Finance" (3) -> Finance-Web servers (S).]
Features (1/3) Load Balancer Service (LBS)

Protocols (what application types can be load balanced):
  IPv4 and IPv6
  TCP, UDP with multiple port range support
  HTTP, HTTPS (Note: WebSocket also supported)

LB Method (how end-user connections are split across back-end servers):
  Round-Robin, Weighted_RR, Least-Connection, Weighted_LC, IP-Hash

Pools (how backend servers are configured):
  Static
  Dynamic (NSGroup)

Persistence (how LB guarantees a specific user sticks to the same pool member):
  Source-IP
  Cookie (Insert, Prefix, Rewrite)

Monitors (how LB validates application health on each pool member):
  Active (LB generates HTTP/S, TCP, UDP, ICMP probes)
  Passive (LB monitors client connections)

LB-SNAT (how LB provides LB-SNAT):
  Transparent (No LB-SNAT)
  Automap (LB-SNAT using LB IP@)
  IP List (LB-SNAT using IP list)

[Figure: LBS object model. Virtual Server with Application Profile (Fast-TCP, Fast-UDP, HTTP), Client-SSL Profile, Server-SSL Profile, Persistence Profile (Source-IP, Cookie, Generic), LB Rules and SNAT; Pool with Pool Members, Active Monitor and Passive Monitor (HTTP, HTTPS, ICMP, TCP, UDP).]
Features (2/3) Load Balancer Service (LBS)

L7 LB Rules (option to allow LB to manipulate client requests and/or server responses):
  Rules with Regex support (for instance: Host load balancing, URL block, URL rewrite, header rewrite, etc.)

L7 Acceleration (how LB offloads pool members):
  TCP multiplexing (LB gathers the different clients' web requests into the same persistent TCP connections to the pool members. Works for HTTP and HTTPS)

SSL (how HTTPS traffic is load balanced):
  SSL Offload (LB terminates HTTPS and talks HTTP to server)
  SSL End-to-End (LB terminates HTTPS and talks HTTPS to server)
  SSL Passthrough (LB does not terminate HTTPS and talks HTTPS to server)
  SNI support (LB presents different certificates to client based on host name presented by client)
  Client Certificate authentication (LB asks for and validates client cert)
  FIPS compliance, pre-defined cipher lists, SSLv3 support

[Figure: same LBS object model diagram as on Features (1/3).]
Features (3/3) Load Balancer Service (LBS)

Connection Throttling (how LB protects VIPs + pool members against excessive load):
  Client side: Max concurrent connections; Max new connections / sec
  Server side: Max concurrent connections

High Availability (what active LB synchronizes to standby LB):
  L4 Flow State
  Source-IP Persistence State
  Healthcheck State

Monitoring (what LB status and statistics are offered):
  VIP/Pool status
  VIP/Pool Sessions (Current/Max/Total/Rate)
  VIP/Pool Bytes (In/In-Rate/Out/Out-Rate)
  VIP/Pool HTTP requests (Total/Rate)

Miscellaneous:
  Sorry Server
  TCP Profile
  Download all LB configuration (API)

[Figure: same LBS object model diagram as on Features (1/3).]
HTTPS Load Balancing (1/5)
3 modes (1/2)

Layer7 HTTPS VIP offers 3 modes:

• HTTPS Off-Load (LB decrypts and forwards in clear)
  Best balance between security, performance, and LB flexibility.
  • Security: Traffic is fully encrypted from the Client up to the LB.
  • Performance: Traffic is decrypted / encrypted only once.
  [Figure: Client --HTTPS--> VIP L7 HTTPS:443 --HTTP--> Server Pool]

• HTTPS End-to-End SSL (LB decrypts and re-encrypts before forwarding)
  Best security, and LB flexibility.
  • Security: Traffic end-to-end encrypted.
  • Performance: This mode has lower performance, with traffic decrypted/encrypted twice.
  [Figure: Client --HTTPS--> VIP L7 HTTPS:443 --HTTPS--> Server Pool]
HTTPS Load Balancing (2/5)
3 modes (2/2)

Layer7 HTTPS VIP offers 3 modes:

• SSL Passthrough (LB does not decrypt and the SSL connection is terminated on the Pool Members)
  Best security, limited LB flexibility.
  • Security: End-to-end encryption.
  • Performance: Highest performance because LB does not terminate SSL traffic.
  [Figure: Client --HTTPS--> VIP L7 HTTPS:443 --HTTPS--> Server Pool]
HTTPS Load Balancing (3/5)
HTTPS Client Authentication

Option to request and validate the Client HTTPS Certificate.
1. After the SSL handshake (Client SSL Hello, with SSL Ciphers + Protocol supported),
2. LB asks for the Client Certificate (Request for the Client Certificate; Client sends its Certificate to LB),
3. Once validated, LB load balances the request to the Pool Members (Request to Server).

[Figure: Client --HTTPS--> VIP L7 HTTPS:443 --HTTPS or HTTP--> Server Pool, with steps 1-3 exchanged between the Client and the LB before step 3 reaches the server.]
HTTPS Load Balancing (4/5)
Auto Certificate Selection based on SNI

Single VIP hosting multiple HTTPS web sites.
Based on the Client's request, the specific site certificate will be presented.

[Figure: Single VIP L7 HTTPS:443 --HTTPS or HTTP--> Server Pool. https://blog.xyz.com -> Certificate blog.xyz.com (Site Certificate "blog"); https://www.xyz.com -> Certificate www.xyz.com (Site Certificate "www").]
HTTPS Load Balancing (5/5)
Built-in SSL Profile

NSX-T offers built-in SSL Profiles:
• Balanced (recommended): Best balance between Performance / Security / Variety of Client support
• High Compatibility: Best variety of Client support
• High Security: Highest Secured SSL Ciphers + Protocols
Note: Custom profiles can be configured too.

Handshake:
1. Client SSL Hello (with SSL Ciphers + Protocol supported)
2. LB selects one of the Client proposed SSL Ciphers + Protocol which is part of its supported

[Figure: Client --HTTPS--> VIP L7 HTTPS:443 --HTTPS or HTTP--> Server Pool]
LB Rules Packet Flow
Modifying or acting upon HTTP request or response

Modify or Act upon HTTP phases (Clients --HTTP or HTTPS--> LB --HTTP or HTTPS--> Server Pool):
1. Transport Phase
   • SSL mode + Pool selection based on Client HTTPS request
2. HTTP Access
   • JSON Web Token validation
3. Request Rewrite Phase
   • Request header, path rewriting
4. Request Forwarding Phase
   • Pool selection
   • HTTP Redirect
   • Reject / drop request
5. Response Rewrite Phase
   • Response header rewriting / deletion

Rule | Match Conditions | Match Strategy | Actions
1 | If host header is www.xyz.com; If uri is "/index.html" | All | Rewrite header to app1.xyz.com; Rewrite uri to "/default.php"
2 | If host header is "blog.xyz.com"; If host header is "new.xyz.com" | Or | Select Pool "Pool2"
3 | If Response header "Server = Microsoft-IIS/7.5" | All | Rewrite Response header "Server = Apache/2.4.18 (Ubuntu)"
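To make the All/Or match strategies and the phase ordering concrete, here is an added Python model (my own code, not NSX-T's rule engine) of the three rules in the table; the condition and action kind names are this example's own, not NSX-T API types. Rule 3 is the defensive one: it replaces the back-end's Server banner so the real web server version is not exposed to clients.

```python
RULES = [
    {"phase": "request_rewrite", "strategy": "ALL",            # slide rule 1
     "conditions": [("req_header", "host", "www.xyz.com"),
                    ("uri", None, "/index.html")],
     "actions": [("set_req_header", "host", "app1.xyz.com"),
                 ("set_uri", None, "/default.php")]},
    {"phase": "forward", "strategy": "ANY",                    # slide rule 2 (Or)
     "conditions": [("req_header", "host", "blog.xyz.com"),
                    ("req_header", "host", "new.xyz.com")],
     "actions": [("select_pool", None, "Pool2")]},
    {"phase": "response_rewrite", "strategy": "ALL",           # slide rule 3
     "conditions": [("resp_header", "server", "Microsoft-IIS/7.5")],
     "actions": [("set_resp_header", "server", "Apache/2.4.18 (Ubuntu)")]},
]

def _matches(cond, req, resp):
    """One match condition; header values compare case-insensitively."""
    kind, key, expected = cond
    if kind == "uri":
        return req["uri"] == expected
    headers = req["headers"] if kind == "req_header" else resp["headers"]
    return headers.get(key, "").lower() == expected.lower()

def run_phase(phase, req, resp=None, pool="Pool1"):
    """Evaluate every rule of one phase in order; return the selected pool
    (the VIP's default pool unless a select_pool action fires)."""
    for rule in RULES:
        if rule["phase"] != phase:
            continue
        hits = [_matches(c, req, resp) for c in rule["conditions"]]
        if not (all(hits) if rule["strategy"] == "ALL" else any(hits)):
            continue
        for kind, key, value in rule["actions"]:
            if kind == "set_req_header":
                req["headers"][key] = value
            elif kind == "set_uri":
                req["uri"] = value
            elif kind == "select_pool":
                pool = value
            elif kind == "set_resp_header":
                resp["headers"][key] = value
    return pool

def process(req, resp):
    """Phases 3-5 of the slide. Ordering effect: the forwarding phase sees
    the Host header as already rewritten by the request-rewrite phase."""
    run_phase("request_rewrite", req)
    pool = run_phase("forward", req)
    run_phase("response_rewrite", req, resp)
    return pool
```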
Flexibility in Deployments (1/4)
Sorry Server Pool

Sorry Server Pool is used when the default VIP Pool is down.

[Figure: Connections to VIP (L4 or L7) normally go to Server Pool1; when Pool1 is down they go to the Sorry Server Pool (Pool2).]
Flexibility in Deployments (2/4)
Backup Members

Backup Members are used when Non-Backup Pool Members go below a threshold (default=1).

[Figure: Connections to VIP (L4 or L7) -> Server Pool with "Min Active Members=2"; the pool holds several non-backup members and two members marked "backup".]
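Added example, not NSX-T code: a Python model of how the Sorry Server Pool and the Backup Members from the previous two slides interact when a member is picked for a new connection. It assumes that once healthy non-backup members drop below min_active_members the backups join the rotation alongside the remaining primaries, and that the Sorry Server Pool is used only when the default pool has no eligible member at all.

```python
from dataclasses import dataclass

@dataclass
class Member:
    name: str
    healthy: bool = True      # as reported by the active/passive monitors
    backup: bool = False

@dataclass
class Pool:
    name: str
    members: list
    min_active_members: int = 1   # slide: threshold default=1
    rr: int = 0                   # round-robin cursor (per-pool state)

def eligible_members(pool):
    """Members allowed to receive connections right now. Backup members
    stay idle while enough non-backup members are healthy; once healthy
    non-backup members drop below min_active_members the backups join the
    rotation alongside whatever primaries are left (assumed behaviour)."""
    primary = [m for m in pool.members if m.healthy and not m.backup]
    if len(primary) >= pool.min_active_members:
        return primary
    return primary + [m for m in pool.members if m.healthy and m.backup]

def pick(vip_pool, sorry_pool=None):
    """Round-robin the next connection over the VIP's default pool; fall
    back to the Sorry Server Pool only when the default pool has nobody
    eligible. Returns (pool name, member name), or None when both are down
    and the connection has to be refused."""
    for pool in (vip_pool, sorry_pool):
        if pool is None:
            continue
        candidates = eligible_members(pool)
        if not candidates:
            continue
        member = candidates[pool.rr % len(candidates)]
        pool.rr += 1
        return pool.name, member.name
    return None
```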
Flexibility in Deployments (3/4)
Connection Throttling / Connection Rating

Protect Pool against excessive load:
• # of Connections

[Figure: Connections to VIP (L4 or L7) -> Server Pool]

Flexibility in Deployments (4/4)
Connection Throttling / Connection Rating

Protect Pool against excessive load:
• # of Connections
• Connection Rate

[Figure: Connections to VIP (L4 or L7) -> Server Pool]
High-Availability (1/2)
High-Availability of Applications

Active Monitor
LB periodically sends a health monitor message to pool members.
Supported health monitor types:
• ICMP, TCP/UDP, HTTP, HTTPS
[Figure: 1. LB Monitor Probe (SYN) from the VIP (L4 or L7) to each member of the Server Pool; 2. Pool Member Response]

Passive Monitor
LB passively observes server responses to detect failures.
Failure detection methods:
• TCP connection errors
• ICMP unreachable messages
• SSL connection errors
[Figure: a client SYN forwarded through the VIP (L4 or L7) to a pool member is answered with RST, which the LB records as a failure for that member]
High-Availability (2/2)
High-Availability of Load Balancers

Active / Hot-Standby per LB
• LB HA heartbeat per LB done by Edge Node
• LB HA messages per LB: every 0.3 sec on EN-BM, every 1 sec on EN-VM
• Hot-Standby becomes Active 0.9 sec later on EN-BM, 3 sec later on EN-VM

Very limited data plane impact thanks to synch of LB State:
• Healthcheck State
• Source-IP Persistence State
• L4 Flow State

[Figure: Edge Cluster with Edge Node 1 and Edge Node 2 exchanging LB HA messages per LB; one LB is Active on Edge Node 1 with its Hot-Standby on Edge Node 2, another LB the reverse.]
Demo1
Full creation of LB + Services via UI

1. Create a Load Balancer (an instance or logical entity similar to a virtual load balancer)
2. Attach to a Tier-1 LR
3. Create a Pool with Healthcheck
4. Create a Virtual Server VIP + Port
5. Attach to the Load Balancer

[Figure: Tier-0 LR -> Tier-1 LR; the Load Balancer (1) is attached to the Tier-1 LR (2); the Pool (3) contains Web1 and Web2; the Virtual Server (4) is attached to the Load Balancer (5).]
Demo2
Full creation of LB + Services via API

1. Create a Load Balancer (an instance or logical entity similar to a virtual load balancer)
2. Attach to a Tier-1 LR
3. Create a Pool with Healthcheck
4. Create a Virtual Server VIP + Port
5. Attach to the Load Balancer

[Figure: Tier-0 LR -> Tier-1 LR; the Load Balancer (1) is attached to the Tier-1 LR (2); the Pool (3) contains Web1 and Web2; the Virtual Server (4) is attached to the Load Balancer (5).]
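Added example, not the deck's demo script: Python that builds the ordered NSX-T Policy API calls for the five steps above (one LB service attached to a Tier-1, one pool with the built-in HTTP health monitor, one virtual server attached to the service). The field names and built-in profile paths are assumed from the Policy API and should be checked against the API reference for your release; the Tier-1 id, IPs and object ids are constructed.

```python
import json

POLICY = "/policy/api/v1/infra"   # Policy API root (assumed)

def build_lb_workflow(tier1_id, vip, members, lb_id="lb-demo",
                      pool_id="pool-web", vs_id="vs-web", port="80"):
    """Return the ordered (method, path, body) calls for the slide's steps.
    Order matters: the service and pool must exist before the virtual
    server references them by path. Field names are assumed, see lead-in."""
    lb_service = {                                     # step 1 + step 2
        "display_name": lb_id,
        "size": "SMALL",
        # attaching to a Tier-1 is what realizes the LB (only Tier-1 is supported)
        "connectivity_path": f"/infra/tier-1s/{tier1_id}",
    }
    pool = {                                           # step 3
        "display_name": pool_id,
        "algorithm": "ROUND_ROBIN",
        "members": [{"display_name": name, "ip_address": ip, "port": port}
                    for name, ip in members],
        # health check: built-in HTTP active monitor (path assumed)
        "active_monitor_paths": ["/infra/lb-monitor-profiles/default-http-lb-monitor"],
    }
    vserver = {                                        # step 4 + step 5
        "display_name": vs_id,
        "ip_address": vip,
        "ports": [port],
        "application_profile_path": "/infra/lb-app-profiles/default-http-lb-app-profile",
        "pool_path": f"/infra/lb-pools/{pool_id}",
        "lb_service_path": f"/infra/lb-services/{lb_id}",   # attach VS to the LB
    }
    return [
        ("PATCH", f"{POLICY}/lb-services/{lb_id}", lb_service),
        ("PATCH", f"{POLICY}/lb-pools/{pool_id}", pool),
        ("PATCH", f"{POLICY}/lb-virtual-servers/{vs_id}", vserver),
    ]

def apply(session, manager, calls):
    """Send the calls with a requests.Session that already carries the
    NSX Manager credentials and CA verification (not executed here)."""
    for method, path, body in calls:
        r = session.request(method, f"https://{manager}{path}",
                            data=json.dumps(body),
                            headers={"Content-Type": "application/json"})
        r.raise_for_status()

if __name__ == "__main__":
    for method, path, body in build_lb_workflow(
            "t1-paris", "20.20.20.20", [("Web1", "10.1.1.11"), ("Web2", "10.1.1.12")]):
        print(method, path, json.dumps(body))
```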
NSX Load Balancer

Deployment: Software-defined Load Balancer
• Centralized management: API / GUI / CLI
• Full life cycle management
• Deploy LB instances on demand

Features: Comprehensive Load Balancing feature set
• Layer4 and Layer7 LB: TCP/UDP/HTTP/HTTPS; L7 LB Rules
• Persistence: Source IP and cookie
• SSL termination: Offload and proxy; TLS mutual authentication
• Health monitoring

Integration: Integral part of NSX platform
• Cloud management platform: vRealize Automation (vRA), OpenStack (VIO)
• Cloud-native integration: Pivotal Container Service (PKS), OpenShift
Key Takeaways
NSX Logical Load Balancer

Comprehensive LB: Covers the majority of Enterprise LB needs (feature set and performance)
Simple and Quick: Quick deployment – no installation task; Single point of management
CAPEX Savings: Included as part of NSX licenses; Deploy as many instances as needed without licensing restrictions
Q&A
