
NSX-v Distributed Load Balancing - GSG Preview (not available for production)
Dimitri Desmidt, VMware, Inc

Goal
• Presentation of DLB
• Understand how to enable DLB + configure DLB VIP
• How to demo DLB

Agenda
1. Presentation of DLB
2. Understand how to enable DLB + configure DLB VIP
3. How to demo DLB
4. Video of a DLB demo
5. Known limitations


Goal of Distributed Load Balancing
• Goal
  – Offer a very scalable and distributed load balancing service
  – Optimized packet flow
[Figure: Logical View and Classical View of a three-tier application: Web-Tier-01 10.0.1.0/24 (web-01, web-02), App-Tier-01 10.0.2.0/24 (app-01, app-02), DB-Tier-01 10.0.3.0/24 (db-01), with a Load Balancer]

[Figure: Logical View, Option 2: the same three tiers (Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24, DB-Tier-01 10.0.3.0/24) with Service-Group_Web, Service-Group_App and a Load Balancer]

[Figure: Physical View, first and second access to the VIP on that ESXi. Labels: Web 01 (10.0.1.11), App 01 (10.0.2.11), App 02 (10.0.2.12), VIP-App (10.0.2.99); Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24; ESXi 1 (192.168.10.21), ESXi 2 (192.168.10.22); 192.168.150.51, 192.168.150.52; "Distributed Firewall configuration pushed to VM vNIC"; "Distributed Load Balancing configuration pushed to VM vNIC"; DLB clients [Web 01 (10.0.1.11), App 02 (10.0.2.12)]]

[Figure: Physical View, first and second access to the VIP on that ESXi, Web 02 (10.0.1.12) on VIP-App (10.0.2.99). Labels: Web 02 (10.0.1.12), App 01 (10.0.2.11), App 02 (10.0.2.12); Web-Tier-01 10.0.1.0/24, App-Tier-01 10.0.2.0/24; ESXi 1 (192.168.10.21), ESXi 2 (192.168.10.22); 192.168.150.51, 192.168.150.52; [Web 02 (10.0.1.12), App 01 (10.0.2.11)]]

Use Case of Distributed Load Balancing
• Use case
  – East-West load balancing
  – L4 (TCP / UDP) load balancing service
• Currently not a use case
  – North/South load balancing
  – L7 load balancing (SSL offload, URL rewriting, etc.)
[Figure: Logical View (Web, App, DB) and Physical View (Web, App)]


Enable DLB (1/4) (Note: the steps will be simplified for GA)
1. Create a New Service DLB
  – Under "NSX – Service Definitions – Services"
  – Create a New Service
    a) With "Deployment Mechanism = Host based vNIC"
    b) Service Category: "Load Balancer"

Enable DLB (2/4)
1. Create a New Service DLB
    c) Service Manager: "any name"
    d) Keep other default settings

Enable DLB (3/4)
2. Specify what Clusters will have DLB capabilities
  – Under "NSX – Service Definitions – Services"
  – Edit DLB Service
  – Click on the left "Service Instance" and select Service Instance "NSX Distributed Load Balancer"
  – Select tab "Manage – Deployment"
  – Click "+"
Note: Today only 1 Cluster can be selected.

Enable DLB (4/4)
3. Create a DLB Service
  – Under "NSX – Service Definitions – Services"
  – Edit DLB Service
  – Click on the left "Service Instance" and select Service Instance "NSX Distributed Load Balancer"
  – Select tab "Related Objects"
  – Click "+"

Configure DLB VIP (1/4)
1. Create a Security Group containing the "Clients-VMs" (VMs talking to the DLB VIP App)
  – Under "NSX – Service Composer – Security Group"
  – Create new group SG_Web containing the Web VMs
2. Create a Security Group containing the "Servers-VMs" (VMs in the DLB VIP Pool)

Configure DLB VIP (2/4)
3. Add the Security Group SG_Web to DLB_Service
  – Under "NSX – Service Definitions – Services"
  – Edit DLB Service
  – Click on the left "Service Instance" and select Service Instance "NSX Distributed Load Balancer"
  – Select tab "Related Objects"
  – Edit DLB_Service, and under "Manage – Applied Object", add the Security Group that contains the client VMs

Configure DLB VIP (3/4)
4. Publish DLB Filter to the VMs NIC in the SG_Web
  – Under "NSX – Service Definitions – Services"
  – Edit DLB Service
  – Click on the left "Service Instance" and select Service Instance "NSX Distributed Load Balancer"
  – Select tab "Manage - Settings", click Publish

Configure DLB VIP (4/4)
5. Configure the VIP
  – Under "NSX – Firewall", tab "Configuration – Partner Security Services", create a new rule
  – And "Publish Changes"

Validation (1/2)
• Validate the Web VMs have the DLB filter (slot 4)
  – SSH to the ESXi hosting the Web VM and run the command "summarize-dvfilter"

    [root@localhost:~] summarize-dvfilter
    <snip>
    world 148217 vmm0:Web 01 vcUuid:'50 09 f1 b7 88 0e c4 f3-a0 b7 7d 28 2a 09 e9 76'
     port 50331658 Web 01.eth0
      vNic slot 2
       name: nic-148217-eth0-vmware-sfw.2
       agentName: vmware-sfw
       state: IOChain Attached
       vmState: Detached
       failurePolicy: failClosed
       slowPathID: none
       filter source: Dynamic Filter Creation
      vNic slot 1
       name: nic-148217-eth0-dvfilter-generic-vmware-swsec.1
       agentName: dvfilter-generic-vmware-swsec
       state: IOChain Attached
       vmState: Detached
       failurePolicy: failClosed
       slowPathID: none
       filter source: Alternate Opaque Channel
      vNic slot 4
       name: nic-148217-eth0-serviceinstance-1.4
       agentName: serviceinstance-1
       state: IOChain Attached
       vmState: Detached
       failurePolicy: failOpen
       slowPathID: none
       filter source: Dynamic Filter Creation

Validation (2/2)
• Validate the DLB config pushed to the VM Web
  – SSH to the ESXi hosting the Web VM and run the command "vsipioctl getrules -f"

    [root@localhost:~] vsipioctl getrules -f nic-148217-eth0-serviceinstance-1.4
    ruleset 1417 {
      # DNAT rules
      rule 1427 at 1 out protocol tcp from addrset ip-securitygroup-10 to ip 172.16.1.6 port 80 dnat addrset ip-securitygroup-11 round-robin;
    }

    ruleset 1417_L2 {
    }
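An added example (not part of the original slides or of VMware tooling): a Python check over the two validation outputs above that confirms a filter is attached in slot 4, reads its failurePolicy, and extracts the VIP and pool from the DNAT rule. The sample text is abridged from the slide output, and the function names are assumptions of this example.

```python
import re

# Sample text abridged from the slide output above (slot 1 and some fields omitted).
DVFILTER_OUT = """\
world 148217 vmm0:Web 01 vcUuid:'50 09 f1 b7 88 0e c4 f3-a0 b7 7d 28 2a 09 e9 76'
 port 50331658 Web 01.eth0
  vNic slot 2
   name: nic-148217-eth0-vmware-sfw.2
   agentName: vmware-sfw
   state: IOChain Attached
   failurePolicy: failClosed
  vNic slot 4
   name: nic-148217-eth0-serviceinstance-1.4
   agentName: serviceinstance-1
   state: IOChain Attached
   failurePolicy: failOpen
"""
RULES_OUT = """\
ruleset 1417 {
  # DNAT rules
  rule 1427 at 1 out protocol tcp from addrset ip-securitygroup-10 to ip 172.16.1.6 port 80 dnat addrset ip-securitygroup-11 round-robin;
}
"""

def parse_filters(text):
    """Return one dict per 'vNic slot N' block, holding its 'key: value' fields."""
    filters, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"vNic slot (\d+)$", line)
        if m:
            cur = {"slot": int(m.group(1))}
            filters.append(cur)
        elif cur is not None and ": " in line:
            key, val = line.split(": ", 1)
            cur[key] = val
    return filters

def dlb_filter(filters, slot=4):
    """Return the attached filter in the DLB slot, or None if it is missing."""
    return next((f for f in filters
                 if f["slot"] == slot and f.get("state") == "IOChain Attached"), None)

DNAT_RE = re.compile(r"rule (\d+) .* protocol (\w+) from addrset (\S+) to ip (\S+) "
                     r"port (\d+) dnat addrset (\S+) ([\w-]+);")

def parse_dnat(text):
    """Extract (rule id, protocol, client set, VIP, port, pool set, algorithm) tuples."""
    return [m.groups() for m in DNAT_RE.finditer(text)]
```

In the slide output the slot 4 filter reports failurePolicy failOpen while vmware-sfw reports failClosed; `dlb_filter(...)["failurePolicy"]` surfaces that value so it can be recorded during validation.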


How to demo DLB
1. Deploy a 3-Tier App
  – VMware employees can find an example of 3-Tier App on Vault (https://vault.vmware.com/group/nsx-poc-resources)

How to demo DLB
2. Define the DLB VIP for VIP App-Tier


Video of a DLB demo


Known limitations
• VIP in the same subnet as the Client-VM / Client and Server in same subnet => fails (bug 1479932)
• Does NOT restore a server to "up" in the DLB pool once it has been detected down (bug 1490258)
• Only one cluster can be added to the DLB Global Instance (bug 1497514)

Backup

Packet Flow (1/2)
• Case with the DGW = DLB:
  Client to server:
  – Client-VM-vNIC (out): Client-IP@ (Client-mac@) => VIP-IP@ (dlr-mac@)
  – DLB (out): Client-IP@ (Client-mac@) => Server1-IP@ (dlr-mac@); dest-IP@ is changed but not dest-mac@
  – DLR (out): Client-IP@ (dlr-mac@) => Server1-IP@ (Server1-mac@); sce-mac@ and dest-mac@ are changed
  – ESXi Client VTEP: Encapsulate to ESXi hosting Server1.
  – ESXi Server VTEP: De-encapsulate (usual)
  – Server-VM-vNIC (in): Client-IP@ (dlr-mac@) => Server1-IP@ (Server1-mac@)
  Server to client:
  – Server-VM-vNIC (out): Server-IP@ (Server-mac@) => Client-IP@ (dlr-mac@)
  – DLR (out): Server-IP@ (dlr-mac@) => Client-IP@ (client-mac@); sce-mac@ and dest-mac@ are changed
  – ESXi Server VTEP: Encapsulate to ESXi hosting Client.
  – ESXi Client VTEP: De-encapsulate (usual)
  – DLR (out): VIP-IP@ (dlr-mac@) => Client-IP@ (Client-mac@); sce-IP@ is changed but not sce-mac@
  – Client-VM-vNIC (in): VIP-IP@ (dlr-mac@) => Client-IP@ (Client-mac@)

Packet Flow (2/2)
• Case with the DGW = Edge:
  Client to server:
  – Client-VM-vNIC (out): Client-IP@ (Client-mac@) => VIP-IP@ (edge-mac@)
  – DLB (out): Client-IP@ (Client-mac@) => Server1-IP@ (edge-mac@); dest-IP@ is changed but not dest-mac@
  – ESXi Client VTEP: Encapsulate to ESXi hosting Edge.
  – ESXi Edge VTEP: De-encapsulate (usual)
  – Edge (out): Client-IP@ (edge-mac@) => Server1-IP@ (Server1-mac@); sce-mac@ and dest-mac@ are changed
  – ESXi Edge VTEP: Encapsulate to ESXi hosting Server1.
  – ESXi Server VTEP: De-encapsulate (usual)
  – Server-VM-vNIC (in): Client-IP@ (edge-mac@) => Server1-IP@ (Server1-mac@)
  Server to client:
  – Server-VM-vNIC (out): Server-IP@ (Server-mac@) => Client-IP@ (edge-mac@)
  – ESXi Server VTEP: Encapsulate to ESXi hosting Edge.
  – ESXi Edge VTEP: De-encapsulate (usual)
  – Edge (out): Server-IP@ (edge-mac@) => Client-IP@ (client-mac@); sce-mac@ and
  – ESXi Edge VTEP: Encapsulate to ESXi hosting Client.
  – ESXi Client VTEP: De-encapsulate (usual)
  – DLR (out): VIP-IP@ (edge-mac@) => Client-IP@ (Client-mac@); sce-IP@ is
  – Client-VM-vNIC (in): VIP-IP@ (edge-mac@) => Client-IP@ (Client-mac@)