Sunday, February 17, 2019

NSX Load Balancer "Application Rules" Examples:

Load balancing is one of the services provided by the NSX Edge Services Gateway (ESG). It provides L7 load balancing by running HAProxy (the open-source load balancer) on the Edge. Most NSX training material only introduces the basic load balancer functions; however, many more feature-rich functions are available through "Application Rules". (Do not confuse these with the "Application Rule Manager", which is used to create Security Groups and DFW rules by analysing live traffic flows.)


If you want to do source/destination control, URL/path control or backend pool routing, you need to use "Application Rules". Application rules are written in HAProxy configuration syntax and are attached to a Virtual Server. Below are a couple of examples.

The following examples show the options we have for URL blocking:


# "source" is the name of this source ACL. In this example, when the client
# source IP is in the 10.0.0.0/8 range, the ACL "source" returns TRUE.
acl source src 10.0.0.0/8

# "link" is the name of this URL ACL. In this example, when the path (the part of
# the URL starting from the first "/") begins with "/cgi-bin", the ACL "link"
# returns TRUE. "-i" makes the match case-insensitive.
# URL/path matching ONLY works in "HTTP" or "HTTPS SSL offload" mode. In "HTTPS
# pass-through" mode it will not work, because the Edge never sees the decrypted
# HTTP request and therefore cannot read the path or headers; only L4 criteria
# such as "src" can be evaluated in that mode.
acl link path_beg -i /cgi-bin

# The following ACL matches a path beginning with "/cgi-bin" or "/home" or "/log".
# The patterns are separated by a space, and "OR" logic is applied implicitly.
# (HAProxy also ORs together several "acl" lines that share the same name.)
acl link path_beg -i /cgi-bin /home /log

# A "403 Forbidden" response is returned by the Load Balancer if both the
# "source" and "link" ACLs return TRUE.
block if source link

# "AND" logic is implicit between ACL names. If "OR" logic is required, use "||" (or "or"):
block if source || link

# "!" negates an ACL. To block the "/cgi-bin" path for every source except 10.0.0.0/8:
block if !source link


The following example shows how to do backend pool routing:

# First, a pool named "webpool" must be defined on the ESG (Load Balancer > Pools).
# The pool name used in the rule must match the configured pool name exactly.

# Then specify the condition. Here we match on the client source IP range:
acl source src 192.168.0.0/16

# When the ACL "source" returns TRUE, the traffic is routed to the "webpool" pool.
use_backend webpool if source

# Note: if a "Default Pool" is configured on the Virtual Server, traffic that does
# not match any use_backend condition is routed to that default pool.
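As an added example (not from the original post), the rule below combines the URL-blocking and pool-routing examples above into one application rule for a single Virtual Server. It assumes three pools named "webpool", "apipool" and "staticpool" are defined on the ESG, and a Virtual Server in HTTP or HTTPS SSL offload mode with "webpool" as its Default Pool; the hostnames and paths are illustrative. It goes slightly beyond the post by also routing on the Host header (hdr(host)), which is evaluated in the same modes as path matching.

```haproxy
# Added example: combined blocking and backend routing for one Virtual Server.
# Assumes pools "webpool", "apipool" and "staticpool" exist on the ESG and
# that the Virtual Server uses "webpool" as its Default Pool.

# --- Conditions ---------------------------------------------------------------
# Trusted management networks (matched on client source IP; works in any mode)
acl trusted_src src 10.0.0.0/8 192.168.0.0/16

# Paths that must only be reachable from the trusted networks
acl admin_path path_beg -i /admin /cgi-bin

# Paths and hosts used for pool selection
acl api_path    path_beg -i /api/
acl static_path path_end -i .css .js .png .jpg .ico
acl api_host    hdr(host) -i api.example.com

# --- Blocking -----------------------------------------------------------------
# Return 403 for admin paths unless the client is on a trusted network.
# Blocking is evaluated before backend selection, so the deny takes effect
# regardless of the use_backend rules below.
block if admin_path !trusted_src

# --- Backend routing ----------------------------------------------------------
# API traffic, whether identified by hostname OR by path, goes to "apipool".
use_backend apipool if api_host || api_path

# Static content goes to "staticpool".
use_backend staticpool if static_path

# Anything else falls through to the Virtual Server's Default Pool ("webpool"),
# so no explicit rule is needed for it.
```

Two checks before applying a rule like this: the pool names must match the ESG pool names exactly, since HAProxy will not load a configuration that references an undefined backend; and the Virtual Server must be in HTTP or HTTPS SSL offload mode, otherwise the path and hdr(host) ACLs never match and only the src-based logic is evaluated. Note also that "block" is the keyword used on the page and in the NSX documentation, but it is deprecated in newer HAProxy releases, where "http-request deny if admin_path !trusted_src" is the equivalent.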




The following screenshot shows how to apply the application rule to the Virtual Server:


For more configuration details, please refer to the HAProxy documentation.

