LBaaS

From Cloud Avenue

Overview

LBaaS (Load Balancer as a Service) is provided by the NSX Advanced Load Balancer (NSX ALB) solution from VMware. It is implemented at the T1 edge gateway level for a vDC or for a data center group (i.e. a group of several vDCs) whose members are connected to the same T1 edge gateway in the same AZ.

The T1 edge gateway to which the customer networks carrying workloads are connected within the vDC is enabled with load-balancing capability for those workloads, e.g. web servers.

Customers can create and manage their load balancer configuration from within the tenant user interface (VCD).

Mutualized and Dedicated Advanced Load Balancer

Load balancer services available to customers in CAV Mutualized:

LBaaS type  | Configuration requirement | Default Service Class | Quota    | Load balancer engine resiliency
Mutualized  | T0 VRF                    | Premium               | 20 VIP   | Active / Standby, Active / Active
Dedicated   | T0 VRF                    | Premium               | 200 VIP  | Active / Standby, Active / Active

Load balancer services available to customers in CAV Private:

LBaaS type  | Configuration requirement | Default Service Class | Quota                                           | Load balancer engine resiliency
Dedicated   | T0 Dedicated              | Medium                | Based on the service engine service units requested | Active / Standby, Active / Active

Configuration parameters available with IaaS with vDC and IaaS with vCoD:

Configuration parameter   | Options
Application type          | HTTP, HTTPS, L4 TCP, L4 UDP, L4 TLS
Load balancing algorithm  | Least Connections, Round Robin, Consistent Hash, Fastest Response, Least Load, Fewest Servers, Random, Fewest Tasks, Core Affinity
Pool persistence          | Client IP, HTTP Cookie, Custom HTTP Header, Application Cookie, TLS
Active health monitor     | HTTP, HTTPS, TCP, UDP, PING
Analytics                 | Dashboard
Advanced features         | HTTP Policy, WAF

Please note!
Customers who need the preserve client IP feature must indicate that requirement when requesting the service. The preserve client IP feature is only available with the Active / Standby resiliency mode of the load balancer. With this feature enabled, the source IP address of the original client is preserved for packets that arrive at the load balancer.


Load Balancer Configurations

General Load Balancer Schema


A Load Balancer option is available on the Tier 1 edge gateway. Customers can create:

  • Virtual Services: A virtual service is a combination of an IP address and a port that uses a single network protocol. A virtual service listens for traffic to an IP address, processes client requests, and directs valid requests to a member of the load balancer server pool.
  • Pools: A server pool is a group of one or more servers that you configure to run the same application and to provide high availability.
  • App Profiles: Application profiles determine the behavior of virtual services based on application type. The application profile types HTTP, HTTPS, L4 TCP, L4 UDP and L4 TLS are available.

[Figure: Basic Schema]
External & Internal Load balancer


Depending on the load balancer configuration their applications need, customers can deploy load balancers for both external-facing and internal-facing applications.

In this example, Pool 1 runs an external-facing application. The Pool 1 servers access Pool 2, which runs an internal-facing application.

[Figure: External and Internal load balancers]

Upgrade

IaaS with vDC: Virtual Service Count

Customers who need to create more load balancers than the default allocation granted when the service is requested can request an additional virtual service pack.

Please note!
Changing ALB from Mutualized to Dedicated is a disruptive procedure: the customer will have to clean up all of their load balancer configuration.



IaaS with vCoD: Service Unit (core) Count


Customers can request an upgrade of the load balancer engine, i.e. of the service engine core (vCPU) count. By default the customer's load balancer engine is provisioned with the core count requested in their purchase order.

Please note!
Changing the service engine core (vCPU) count is a disruptive process.


User Interface options

CAV Mutualized: Customers of CAV Mutualized get, by default, the Cloud Director tenant portal as the self-service interface to create and manage virtual services with the associated advanced features such as HTTP Policy and WAF.

CAV Private: The type of interface available to a customer of CAV Private depends on the options they selected, e.g. whether or not they took the optional Cloud Director self-service interface to manage their CAV Private infrastructure.
  • Customers who opted for Cloud Director as their self-service interface get the Cloud Director tenant portal as the interface to create and manage virtual services with the associated advanced features such as HTTP Policy and WAF.
  • Customers who did not opt for Cloud Director as their self-service interface get the NSX Advanced Load Balancer tenant interface to create and manage virtual services with the associated advanced features such as HTTP Policy and WAF.

Advanced Feature Description

HTTP Policy: Virtual service HTTP policies allow control over security, client request attributes, and application response attributes.

A virtual service policy consists of match criteria and actions that function like an if-then statement: if the match criteria are met, the defined actions are performed.

HTTP policy rules can be configured only on a layer-7 virtual service.

HTTP Request Rules: Use HTTP request rules to modify requests before they are forwarded to the application, used as a basis for content switching, or discarded.

HTTP Response Rules: Use HTTP response rules to evaluate and modify the response and the response attributes that the application returns.

HTTP Security Rules: Use HTTP security rules to allow or deny certain requests, to close the TCP connection, to redirect a request to HTTPS, or to apply a rate limit.

[Figure: HTTP Policy]
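The if-then evaluation of HTTP security rules described above, as an added example that is not Cloud Avenue or VMware code: the rule format, the request dictionary and the sample rules are constructed for this illustration, and the first matching rule decides the action (deny, redirect to HTTPS, or a per-client rate limit).

```python
# Added example (not Cloud Avenue or VMware code): a small model of how an NSX ALB
# HTTP security policy is evaluated. Each rule is an if-then pair: when every match
# criterion holds, its action runs (deny, redirect to HTTPS, rate limit). Rule and
# request formats are constructed for this example.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed rules, evaluated top to bottom; the first matching rule decides.
RULES = [
    {"name": "admin-from-office-only",
     "match": {"path_prefix": "/admin", "client_not_in": "203.0.113.0/24"},
     "action": "deny"},
    {"name": "force-tls",
     "match": {"scheme": "http"},
     "action": "redirect_https"},
    {"name": "login-rate-limit",
     "match": {"path_prefix": "/login", "method": "POST"},
     "action": "rate_limit", "limit": 3},
]

_counters = defaultdict(int)  # requests seen per (rule name, client IP)


def _matches(match, req):
    """True only when every criterion in the rule's match block holds."""
    if "path_prefix" in match and not req["path"].startswith(match["path_prefix"]):
        return False
    if "scheme" in match and req["scheme"] != match["scheme"]:
        return False
    if "method" in match and req["method"] != match["method"]:
        return False
    if "client_not_in" in match:
        # Rule applies only to clients outside the trusted network.
        if ip_address(req["client_ip"]) in ip_network(match["client_not_in"]):
            return False
    return True


def evaluate(req, rules=RULES):
    """Return the action applied to req; 'allow' when no rule matches."""
    for rule in rules:
        if not _matches(rule["match"], req):
            continue
        if rule["action"] == "rate_limit":
            key = (rule["name"], req["client_ip"])
            _counters[key] += 1
            return "allow" if _counters[key] <= rule["limit"] else "rate_limited"
        return rule["action"]
    return "allow"
```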
Web Application Firewall (WAF): A Web Application Firewall (WAF) can be enabled for a virtual service. Two WAF modes are available:

Detection Mode:

The WAF policy evaluates and processes the incoming request but does not perform a blocking action. A log entry is created when the request is flagged.

Enforcement Mode:

The WAF policy evaluates the request and blocks it based on the specified rules. The corresponding log entry is marked as REJECTED.

[Figure: WAF]
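The difference between the two WAF modes, as an added example that is not Cloud Avenue or VMware code: the signature list, the request dictionary and the log entry layout are constructed for this illustration; in both modes the request is evaluated, but only Enforcement mode blocks it and marks the log entry REJECTED.

```python
# Added example (not Cloud Avenue or VMware code): a model of the two WAF modes.
# Both modes evaluate the request; Detection mode logs a flagged request and still
# forwards it, Enforcement mode blocks it and marks the log entry REJECTED.
# The signatures and request format are constructed for this example.
import re

# Constructed signatures; a real WAF policy carries far more and richer rules.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.I),
    "xss-script": re.compile(r"<script\b", re.I),
    "path-traversal": re.compile(r"\.\./"),
}


def inspect(request):
    """Return the names of the signatures the request triggers (may be empty)."""
    text = f"{request['path']}?{request['query']}\n{request.get('body', '')}"
    return [name for name, pattern in SIGNATURES.items() if pattern.search(text)]


def waf_process(request, mode, log):
    """Apply the WAF policy and return True if the request is forwarded.

    mode is 'detection' or 'enforcement'; log is a list that receives one entry
    per flagged request, mirroring the log entry described on the page.
    """
    hits = inspect(request)
    if not hits:
        return True  # nothing flagged: forwarded in both modes, nothing logged
    entry = {"client_ip": request["client_ip"], "path": request["path"], "hits": hits}
    if mode == "enforcement":
        entry["status"] = "REJECTED"  # blocked and logged
        log.append(entry)
        return False
    entry["status"] = "FLAGGED"  # detection mode: logged but not blocked
    log.append(entry)
    return True
```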