I am doing a write-up about how to load balance three VMware Cloud Director (VCD) cells, including the console/proxy traffic, with VMware NSX Advanced Load Balancer (NSX ALB / AVI). Hopefully, this enables someone to successfully implement NSX ALB as a load balancer solution for non-tenant VCD traffic.
First of all, I want to share the configuration details:
| Description | Value |
| --- | --- |
| Load Balancer VIP 1 | VIP address for VCD UI access (port 443) |
| Load Balancer VIP 2 | VIP address for VCD console/proxy access (port 8443) |
| VIP 1 DNS | vcd.test.wesleygeelhoed.local |
| VIP 2 DNS | vcd-console.test.wesleygeelhoed.local |
| Certificates | vcd.test.wesleygeelhoed.local, vcd-console.test.wesleygeelhoed.local |
| VCD version | 10.3.2 (appliance based) |
| NSX ALB version | 21.1.3 |
A good thing to mention here is that in my setup I only installed the certificates on the load balancer side (via the AVI Controller), not on the VCD cells. TLS for the public names therefore terminates on AVI, and the cells keep their own certificates for the re-encrypted connection from the pool.
The first thing to do in VCD is to set the Public Access URLs via the VCD Provider page -> Administration -> Settings -> Public Addresses. Obviously, your internal and external DNS servers must reflect these settings as well.
For now, that is all we have to configure within VCD. All the following configuration is done in the AVI load balancer. In this example, I am using two different certificates issued by my internal PKI; this also works perfectly fine with publicly signed certificates. Regarding the AVI configuration, this post only covers how to set up the Virtual Services and their pools.
In total, I will create four Virtual Services:
– Parent VIP for port 443
– Parent VIP for port 8443
– Child VIP (SNI) for vcd.test.wesleygeelhoed.local -> bound to Parent VIP 443
– Child VIP (SNI) for vcd-console.test.wesleygeelhoed.local -> bound to Parent VIP 8443
The reason for four different VIPs, and in particular for the use of Parent VIPs, is that I can reuse a Parent VIP for other services that listen on 443 and 8443. This might come in handy if you need NAT and only have a limited number of WAN IP addresses available.
* If you are not using the Parent/Child VIP combination and only have two VIPs, you can configure the application profile of the console VIP as L4 SSL instead of System-Secure-HTTP. This performs better if you do not need load balancing based on SNI.
#1: Public VIP 443 (Parent) Configuration via advanced setup in AVI.
– Add a name
– Select Virtual Hosting VS
– Select Parent and SNI
– Create a VS VIP with the IP address that vcd.test.wesleygeelhoed.local resolves to in DNS
– Application profile choose: System-Secure-HTTP
– Services: 443 and Enable SSL
* No need to select a Pool or Certificate on the Parent VIP.
#2: Public VIP 8443 (Parent) Configuration via advanced setup in AVI.
– Add a name
– Select Virtual Hosting VS
– Select Parent and SNI
– Create a VS VIP with the IP address that vcd-console.test.wesleygeelhoed.local resolves to in DNS
– Application profile choose: System-Secure-HTTP
– Services: 8443 and Enable SSL
* No need to select a Pool or Certificate on the Parent VIP.
#3: vcd.test.wesleygeelhoed.local 443 (Child) Configuration via advanced setup in AVI.
– Select Virtual Hosting Parent: Public-VIP (443)
– Enter domain name (used for SNI): vcd.test.wesleygeelhoed.local
– Select Virtual Hosting VS
– Select Child and SNI
– Use the same System-Secure-HTTP Application profile
– Select the Pool with VCD Cells for HTTPS access on 443 (pool configuration can be found later in this blogpost)
– Select the certificate with the Common Name and SAN: vcd.test.wesleygeelhoed.local
#4: vcd-console.test.wesleygeelhoed.local 8443 (Child) Configuration via advanced setup in AVI.
– Select Virtual Hosting Parent: Public-VIP (8443)
– Enter domain name (used for SNI): vcd-console.test.wesleygeelhoed.local
– Select Virtual Hosting VS
– Select Child and SNI
– Use the same System-Secure-HTTP Application profile
– Select the Pool with VCD Cells for Console/Proxy Access on port 8443 (pool configuration can be found later in this blogpost)
– Select the certificate with the Common Name and SAN: vcd-console.test.wesleygeelhoed.local
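Once the two Parent/Child pairs are in place, the thing worth checking is that each VIP really hands out the right certificate for the SNI name it receives, since the certificates now live only on AVI. The following script is an added example and not part of the original post or of any VMware tooling: it opens a TLS connection to each VIP with the SNI name of the child VS, verifies the chain against the internal PKI root (the path `internal-ca.pem` is an assumed placeholder) and then checks that the presented certificate covers the expected name. The sample certificate dicts at the bottom are constructed to mirror what `ssl.SSLSocket.getpeercert()` returns, so the matching logic can be exercised offline.

```python
import socket
import ssl
from dataclasses import dataclass

# Placeholder VIPs (constructed); the names are the ones used in the post.
CA_FILE = "internal-ca.pem"          # assumed: root of the internal PKI that issued the certs
CHECKS = [
    # (vip, port, sni name, name the presented certificate must cover)
    ("192.0.2.100", 443, "vcd.test.wesleygeelhoed.local", "vcd.test.wesleygeelhoed.local"),
    ("192.0.2.101", 8443, "vcd-console.test.wesleygeelhoed.local", "vcd-console.test.wesleygeelhoed.local"),
]


@dataclass
class SniCheck:
    vip: str
    port: int
    sni: str
    expected_name: str


def san_names(peercert):
    """Collect DNS SAN entries plus the CN from a getpeercert()-style dict."""
    names = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def hostname_covered(hostname, names):
    """True if the name is listed exactly or matched by a single-label wildcard."""
    hostname = hostname.lower()
    if hostname in names:
        return True
    labels = hostname.split(".")
    return len(labels) > 1 and "*." + ".".join(labels[1:]) in names


def evaluate(check, peercert):
    """Return (ok, names_found) for one child VS against the certificate it presented."""
    names = san_names(peercert)
    return hostname_covered(check.expected_name, names), names


def fetch_peercert(check, cafile=CA_FILE, timeout=5.0):
    """Handshake with the VIP using the child's SNI name and return the verified peer cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Chain verification stays on (CERT_REQUIRED by default) so getpeercert() returns a parsed dict;
    # hostname checking is off because we want to see a wrong certificate, not an exception.
    ctx.check_hostname = False
    with socket.create_connection((check.vip, check.port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=check.sni) as tls:
            return tls.getpeercert()


def run_checks(checks):
    results = {}
    for vip, port, sni, expected in checks:
        check = SniCheck(vip, port, sni, expected)
        try:
            ok, names = evaluate(check, fetch_peercert(check))
        except (OSError, ssl.SSLError) as exc:
            ok, names = False, {"error: %s" % exc}
        results[(sni, port)] = (ok, sorted(names))
    return results


# Constructed samples in getpeercert() layout, used for offline testing of the matcher.
SAMPLE_UI_CERT = {
    "subject": ((("commonName", "vcd.test.wesleygeelhoed.local"),),),
    "subjectAltName": (("DNS", "vcd.test.wesleygeelhoed.local"),),
}
SAMPLE_CONSOLE_CERT = {
    "subject": ((("commonName", "vcd-console.test.wesleygeelhoed.local"),),),
    "subjectAltName": (("DNS", "vcd-console.test.wesleygeelhoed.local"),),
}

if __name__ == "__main__":
    for (sni, port), (ok, names) in run_checks(CHECKS).items():
        print("%s:%d -> %s %s" % (sni, port, "OK" if ok else "MISMATCH", names))
```

Run it after every certificate renewal as well: a mismatch on one of the two lines usually means a child VS was bound to the wrong certificate object, or that DNS for the name still points at a VIP that has no child for it.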
Pool Configuration VCD Cells for UI access on Port 443
– Default Server Port: 443
– Enable SSL
– Profile: System Standard
– Enable TLS SNI
– Add the VCD cells to the Servers tab by IP address only
Pool Configuration VCD Cells for console/proxy on Port 8443
– Default Server Port: 8443
– Enable SSL
– Profile: System Standard
– Enable TLS SNI
– Persistence: Client IP (only for console load balancing)
– Add the VCD cells to the Servers tab by IP address only
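The same four Virtual Services and two pools can be expressed as API objects, which makes the setup repeatable and reviewable before anything is clicked together. The script below is an added example of my own, not configuration exported from the post or from AVI: it builds the objects in the order the controller needs them (VS VIPs, pools, parents, children) and cross-checks the references. The field names follow my understanding of the AVI REST object schema for 21.1 (`type`, `vh_type`, `vh_parent_vs_ref`, `vh_domain_name`, `sni_enabled`, and so on) and should be checked against your controller's `/api/...` schema; the object names, cell IPs and VIPs are constructed placeholders.

```python
import json

# Constructed placeholders; replace with the real cell and VIP addresses.
VCD_CELLS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
VIP_UI, VIP_CONSOLE = "192.0.2.100", "192.0.2.101"
UI_FQDN = "vcd.test.wesleygeelhoed.local"
CONSOLE_FQDN = "vcd-console.test.wesleygeelhoed.local"
APP_PROFILE = "System-Secure-HTTP"            # default AVI application profile used in the post


def ref(obj_type, name):
    """Name-based object reference in the form the AVI API accepts (/api/<type>?name=<name>)."""
    return "/api/{}?name={}".format(obj_type, name)


def vsvip(name, addr):
    return {"name": name, "vip": [{"vip_id": "0", "ip_address": {"addr": addr, "type": "V4"}}]}


def pool(name, port, client_ip_persistence=False):
    """Pool of VCD cells: SSL to the backend with the System-Standard profile and SNI enabled."""
    p = {
        "name": name,
        "default_server_port": port,
        "ssl_profile_ref": ref("sslprofile", "System-Standard"),   # "Enable SSL" + profile
        "sni_enabled": True,                                        # "Enable TLS SNI" (assumed field name)
        "servers": [{"ip": {"addr": ip, "type": "V4"}} for ip in VCD_CELLS],
    }
    if client_ip_persistence:  # only the console/proxy pool gets Client IP persistence
        p["application_persistence_profile_ref"] = ref(
            "applicationpersistenceprofile", "System-Persistence-Client-IP")
    return p


def parent_vs(name, vsvip_name, port):
    """Parent VS: no pool and no certificate, it only owns the VIP and the listening port."""
    return {
        "name": name,
        "type": "VS_TYPE_VH_PARENT",
        "vh_type": "VH_TYPE_SNI",                 # assumed: SNI-based virtual hosting
        "vsvip_ref": ref("vsvip", vsvip_name),
        "application_profile_ref": ref("applicationprofile", APP_PROFILE),
        "services": [{"port": port, "enable_ssl": True}],
    }


def child_vs(name, parent_name, fqdn, pool_name, cert_name):
    """Child VS: matched on SNI, carries the certificate and the pool for that name."""
    return {
        "name": name,
        "type": "VS_TYPE_VH_CHILD",
        "vh_type": "VH_TYPE_SNI",
        "vh_parent_vs_ref": ref("virtualservice", parent_name),
        "vh_domain_name": [fqdn],
        "application_profile_ref": ref("applicationprofile", APP_PROFILE),
        "pool_ref": ref("pool", pool_name),
        "ssl_key_and_certificate_refs": [ref("sslkeyandcertificate", cert_name)],
    }


def build_all():
    """All objects in creation order: VIPs and pools first, then parents, then children."""
    return [
        vsvip("vsvip-443", VIP_UI),
        vsvip("vsvip-8443", VIP_CONSOLE),
        pool("vcd-cells-443", 443),
        pool("vcd-cells-8443", 8443, client_ip_persistence=True),
        parent_vs("Public-VIP-443", "vsvip-443", 443),
        parent_vs("Public-VIP-8443", "vsvip-8443", 8443),
        child_vs("vcd-ui", "Public-VIP-443", UI_FQDN, "vcd-cells-443", UI_FQDN),
        child_vs("vcd-console", "Public-VIP-8443", CONSOLE_FQDN, "vcd-cells-8443", CONSOLE_FQDN),
    ]


def validate(objects):
    """Cross-check child references before anything is POSTed; returns a list of problems."""
    problems = []
    by_name = {o["name"]: o for o in objects}
    seen = set()
    for o in objects:
        if o.get("type") != "VS_TYPE_VH_CHILD":
            continue
        parent = by_name.get(o["vh_parent_vs_ref"].split("name=")[1])
        if parent is None or parent.get("type") != "VS_TYPE_VH_PARENT":
            problems.append("%s: parent VS missing or not a VH parent" % o["name"])
        pool_name = o["pool_ref"].split("name=")[1]
        if pool_name not in by_name:
            problems.append("%s: pool %s not defined" % (o["name"], pool_name))
        for fqdn in o["vh_domain_name"]:
            key = (o["vh_parent_vs_ref"], fqdn.lower())
            if key in seen:
                problems.append("%s: SNI name %s already used on that parent" % (o["name"], fqdn))
            seen.add(key)
    return problems


if __name__ == "__main__":
    objs = build_all()
    print("\n".join(validate(objs)) or "references OK")
    print(json.dumps(objs, indent=2))
```

Each dict is the body of one `POST /api/<type>` call; creating them in the returned order keeps every `?name=` reference resolvable at the time the controller sees it.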
With this configuration, you are running a highly available and load-balanced VCD topology for both system/UI and console proxy traffic. If you have any remarks or questions, please reach out!
Cheers! – Wesley
Hello Wesley,
Nice write-up. I am going to follow this blog for my deployment. I will keep you updated :).
Thank you very much for taking the time and helping the world.