NSX-T Load Balancer With External Devices

Have you ever wanted to use the NSX-T load balancer to provide access to resources outside of NSX-T? This sounds easy enough, but the routing of the outside network stack may cause some issues. A diagram helps here:

In this example, when the external client accesses a load balancer or DNAT on the T1 directed at the external web server, the response comes back by a different path. As an example, if the external client has an IP of 10.0.3.2 and the NAT/L4 LB has an address of 10.0.2.1, the packet walk looks like this:

You can see that the destination of the initial packet does not match the source of the reply. This is because the packet does not come back through the NAT/L4 LB device, so the external client will drop the reply packet. To solve this, an L7 load balancer can be used to change the source of the connection to the external server. The one thing that needs to be done on the NSX L7 LB, beyond the ordinary configuration, is to set the SNAT Translation mode to IP Pool and assign an IP from an interface on the T1.

By doing this, the packets will look like this:

With this configuration the client gets a response from the expected IP. This is very much like a reverse proxy. This may or may not be supported, but it will allow you to access external resources via the NSX-T load balancer.
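To make the two packet walks concrete without the diagrams, here is a small Python model of them. It is an added example, not code from the post or from NSX-T; it reuses the client (10.0.3.2) and LB (10.0.2.1) addresses from the post, and assumes an external server address, a SNAT pool IP on the T1, and that the server only routes replies back through the T1 when the destination is on the T1's own subnet.

```python
from dataclasses import dataclass, replace

# Addresses from the post plus two constructed ones for this example.
CLIENT = "10.0.3.2"      # external client (from the post)
VIP = "10.0.2.1"         # NAT / load balancer address on the T1 (from the post)
SERVER = "192.0.2.10"    # external web server; assumed, not stated in the post
SNAT_IP = "10.0.2.5"     # IP from a T1 interface used as the SNAT pool; assumed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def server_reply_via_t1(dst: str) -> bool:
    """Assumed routing: the external server hands a reply to the T1 only when the
    destination is on the T1's own subnet (10.0.2.0/24 here); any other destination
    goes out its default gateway and bypasses the NSX load balancer."""
    return dst.startswith("10.0.2.")


def dnat_walk() -> Packet:
    """L4 DNAT/LB: only the destination is rewritten, the source stays the client."""
    request = Packet(CLIENT, VIP)
    to_server = replace(request, dst=SERVER)        # DNAT on the T1
    reply = Packet(to_server.dst, to_server.src)    # server answers the client directly
    if server_reply_via_t1(reply.dst):
        reply = replace(reply, src=VIP)             # would be un-NATed if it came back via T1
    return reply                                    # what the client actually receives


def l7_walk() -> Packet:
    """L7 LB with SNAT IP Pool: the LB terminates the client connection and opens
    its own connection to the server from the T1 interface address."""
    to_server = Packet(SNAT_IP, SERVER)
    reply = Packet(to_server.dst, to_server.src)
    if not server_reply_via_t1(reply.dst):
        raise RuntimeError("SNAT IP must be reachable through the T1")
    return Packet(VIP, CLIENT)                      # LB answers on the client's own connection


def client_accepts(reply: Packet) -> bool:
    """A stateful client only accepts a reply sourced from the address it sent to."""
    return reply.src == VIP and reply.dst == CLIENT
```

Running `client_accepts(dnat_walk())` returns False because the reply arrives from the server's own address, while `client_accepts(l7_walk())` returns True.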
