VMware NSX Advanced Load Balancer (ALB) is a comprehensive application delivery controller (ADC) that provides advanced load balancing, web application firewall (WAF), and global server load balancing (GSLB) capabilities. NSX ALB offers a wide range of features and components that play a crucial role in ensuring modern applications' availability, performance, and security. In this article, we will explore the key components of NSX ALB and their functions.
Service Engine
The NSX ALB Service Engines (SEs) are crucial for managing data plane operations. They execute instructions from the Controller, handling tasks such as load balancing and network interactions with clients and servers. SEs also gather real-time application data from traffic flows and support high availability.
In a typical load-balancing scenario, a client connects to a virtual service (an IP address and port combination) that an SE hosts in NSX ALB. The virtual service processes the connection through various profiles. For HTTP traffic, the SE might handle client TCP connection termination, SSL termination, and HTTP request proxying. After validation, the request is forwarded internally to a pool, which selects an available server. A new TCP connection is then established from the SE, using its internal IP address as the source IP. Return traffic follows the same path. Importantly, clients only interact with the virtual service IP, not the server IP addresses.
Controller
The Controller serves as the central hub of management and control for the entire NSX ALB system, functioning as its brain. Typically deployed in a redundant three-node cluster, it provides a single point of management irrespective of the number of applications or SEs involved. Through its REST API, the Controller offers visibility into all configured applications.
In write-access-mode deployments, Controllers can automatically create and configure new SEs as new applications (virtual services) are added. They securely exchange information with SEs and among themselves. SEs collect data such as server health, client connection statistics, and client-request logs, which are regularly sent to the Controllers for processing. The Controllers can also send commands, such as configuration changes, to the SEs. Communication between Controllers and SEs occurs over their respective management IP addresses.
Console
The Console is the user interface of NSX ALB, providing a graphical representation of the application delivery infrastructure. Administrators can use the Console to monitor real-time traffic statistics, troubleshoot issues, and perform configuration changes. The Console also supports role-based access control, allowing different access levels for administrators and operators.
Data Plane Scaling
Virtual services can be scaled across one or more Service Engines (SEs) using native (L2 punting) or BGP-based load-balancing techniques.
In a multi-SE setup, each SE takes a share of the load, although the shares are not necessarily equal, since SEs can differ in available CPU and other resources. SEs typically handle traffic for multiple virtual services simultaneously.
With native SE scaling, one SE acts as the primary for a virtual service and advertises its IP address using its own MAC address. The primary SE can either process and load balance a client connection itself or forward the connection at layer 2 to a secondary SE's MAC address based on capacity.
Each SE load balances and forwards traffic to servers using its IP address within the server network as the source IP address of the client connection. This ensures that even if multiple SEs are sending traffic to the same server pool, return traffic follows the same path back through the same SE. When SEs are scaled out in a VMware environment, secondary SEs respond directly back to clients without routing return traffic through the primary SE.
NSX ALB Cloud Services
NSX ALB Cloud Services offer two key Software-as-a-Service (SaaS) components:
- NSX ALB Cloud Console (formerly Pulse): A platform designed to enhance distributed NSX ALB Controller cluster deployments with value-added services in a SaaS-like model. It aims to simplify customer operations and enable seamless support and services.
- NSX ALB Cloud Controller: A fully hosted controller offering tailored for VMware Cloud on AWS workloads.
NSX ALB Cloud Console Features:
- Case Management: Allows users to create and manage cases, attach technical support, and automate support attachments through the UI or REST API calls.
- WAF CRS Updates: Provides updates to the Web Application Firewall (WAF) Core Rule Set (CRS) for enhanced security.
- IP Reputation Database Updates: Offers updates to the IP reputation database for improved security measures.
- Bot Detection: Helps identify and manage bot traffic for better security and performance.
- Centralized Licensing: Simplifies licensing management by centralizing it through the cloud console.
- Controller Inventory and Metrics: Provides visibility into the inventory and metrics of the NSX ALB Controllers.
These services are optional and can be enabled on customer accounts and Controllers. NSX ALB Cloud Console aims to enhance customer experience, offer live security threat intelligence feeds, and seamlessly integrate with customer operations.
The NSX ALB Cloud Console is designed to evolve the NSX ALB platform from being an on-premises product to delivering a SaaS-like experience, simplifying the management of globally distributed NSX ALB deployments.
Data Plane Scaling
NSX ALB supports horizontal scaling of the data plane by adding more Service Engines. This allows for seamless expansion of the application delivery infrastructure to handle increased traffic loads. The Controller automatically distributes traffic among the available Service Engines, ensuring optimal performance and reliability.
Virtual Services
Virtual services are the core of NSX ALB's functionality. They represent the applications or services that are load-balanced by the ADC. Each virtual service has its own configuration, including IP address, port, protocol, and associated backend servers. NSX ALB supports a variety of load-balancing algorithms to distribute traffic across backend servers, such as round-robin, least connections, and IP hash.
Server Pools
Server pools, also known as backend pools, are groups of servers that host the application or service being load-balanced. NSX ALB allows you to define server pools based on criteria such as server health, location, or application type. You can also configure health checks to monitor the status of backend servers and remove them from the pool if they become unhealthy.
Health Monitors
Health monitors are used to periodically check the health and availability of backend servers. NSX ALB supports a variety of health check methods, including HTTP, HTTPS, TCP, and ICMP. If a server fails a health check, NSX ALB can automatically remove it from the server pool and redirect traffic to healthy servers.
SSL Offloading
SSL offloading is the process of decrypting SSL/TLS traffic at the ADC and forwarding it to the backend servers in unencrypted form. This offloads the computational burden of SSL encryption from the servers, improving performance and scalability. NSX ALB supports SSL offloading for HTTPS traffic, allowing you to offload SSL termination to the ADC.
Global Server Load Balancing (GSLB)
GSLB is used to distribute traffic across geographically dispersed data centers based on factors such as proximity, server load, and health. NSX ALB provides GSLB capabilities, allowing you to create a global server load-balancing configuration that spans multiple data centers and regions. This ensures high availability and optimal performance for your applications.
Web Application Firewall (WAF)
NSX ALB includes a powerful WAF that protects your applications from a variety of threats, including SQL injection, cross-site scripting (XSS), and application-layer DDoS attacks. The WAF uses a combination of signature-based detection, anomaly detection, and behavioral analysis to identify and block malicious traffic.
Content Switching
Content switching allows you to route traffic based on criteria such as URL path, hostname, or request method. NSX ALB supports content switching, allowing you to create flexible routing rules to direct traffic to the appropriate backend servers based on the content of the request.
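The following is an added illustration (not NSX ALB code) of how the virtual service, pool, health monitor and content-switching concepts from the sections above fit together: a virtual service picks a pool by host and path rule, the pool skips servers its health monitor has marked down, applies the configured algorithm (round-robin, least connections or IP hash), and the SE connects to the chosen server from its own IP. All names and addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from zlib import crc32

@dataclass
class Server:
    ip: str
    port: int
    healthy: bool = True   # latest health-monitor verdict
    conns: int = 0         # active connections, used by least-connections

@dataclass
class Pool:
    name: str
    servers: list
    algorithm: str = "round_robin"   # or "least_connections" / "ip_hash"
    rr: int = 0

    def select(self, client_ip):
        up = [s for s in self.servers if s.healthy]   # health monitors pull failed servers
        if not up:
            return None   # whole pool down
        if self.algorithm == "least_connections":
            s = min(up, key=lambda x: x.conns)
        elif self.algorithm == "ip_hash":
            s = up[crc32(client_ip.encode()) % len(up)]  # same client, same server
        else:
            s = up[self.rr % len(up)]
            self.rr += 1
        s.conns += 1
        return s

@dataclass
class VirtualService:
    se_ip: str                 # SE's own address in the server network (SNAT source)
    default_pool: Pool
    rules: list = field(default_factory=list)  # content switching: (host, path prefix, pool)

    def route(self, client_ip, host, path):
        pool = next((p for h, pre, p in self.rules
                     if h in (None, host) and path.startswith(pre)), self.default_pool)
        s = pool.select(client_ip)
        if s is None:
            return {"status": 503, "pool": pool.name}
        # the SE opens a new TCP connection from its own IP; the server never sees the client IP
        return {"status": 200, "pool": pool.name, "src": self.se_ip, "dst": f"{s.ip}:{s.port}"}

def demo():  # constructed sample topology; addresses are made up
    web = Pool("web", [Server("10.0.1.11", 80, healthy=False), Server("10.0.1.12", 80)])
    api = Pool("api", [Server("10.0.2.21", 8080), Server("10.0.2.22", 8080)], "ip_hash")
    vs = VirtualService("10.0.1.5", web, [("app.example", "/api/", api)])
    return vs, web, api
```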
In conclusion, NSX ALB offers a comprehensive set of features and components that are essential for ensuring the availability, performance, and security of modern applications. By understanding these key components, you can leverage NSX ALB to build a robust and resilient application delivery infrastructure.
Conclusion
NSX ALB's Service Engine is a crucial component that manages all data plane operations, including load balancing and network interactions. It plays a vital role in ensuring the high availability, performance, and security of applications by efficiently handling traffic and collecting real-time telemetry. Understanding the Service Engine's functionality is essential for effectively deploying and managing NSX ALB in modern network environments.