Load Balancing is one of the features provided by the NSX Edge Services Gateway (ESG). It can provide L7 load balancing by utilizing HAProxy (an open-source load balancer). Much NSX training material only introduces the basic Load Balancer functions. However, many more feature-rich functions can be provided by "Application Rules". (Please do not confuse these with "Application Rule Manager", which is used to create both Security Groups and DFW rules by analysing live traffic flows.)
If you want to do source/destination control, URL/path control or backend pool routing, you will need to utilize "Application Rules". I will give a couple of examples of Application Rules.
The following example shows the options we have for URL blocking:
# "source" is the name of this source acl. In this example, when the
# source IP is in the 10.0.0.0/8 range, acl "source" returns TRUE.
acl source src 10.0.0.0/8

# "link" is the name of this URL acl. In this example, when the path
# (starting from the first "/" in the URL) begins with "/cgi-bin", the acl "link"
# returns TRUE.
# URL matching ONLY works in "HTTP" or "HTTPS SSL offload" mode; "HTTPS pass-through" mode won't work.
acl link path_beg -i /cgi-bin

# The following acl matches a path beginning with "/cgi-bin", "/home" or "/log".
# Each of these keywords is separated by a space, and "OR" logic is applied implicitly.
acl link path_beg -i /cgi-bin /home /log

# A "403" error is returned by the Load Balancer if both the "source"
# and "link" acls return TRUE. "AND" logic is implicitly applied.
block if source link

# If "OR" logic is required, we need:
block if source || link

# If we want to block any source except 10.0.0.0/8:
block if !source link
The following example shows how we can do backend pool routing:
# First we need to define a pool in the ESG called "webpool".
# Then we specify the condition. Here we define the source IP range.
acl source src 192.168.0.0/16

# When the acl "source" returns TRUE, the traffic is routed to the "webpool" pool.
use_backend webpool if source

# Note: if a "default pool" is configured under the Virtual Server, traffic that
# does not meet the acl condition is routed to the "default pool".
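To make the AND / OR / negation semantics of the URL-blocking rules and the pool-routing rules above concrete, here is a small Python model of those rules. It is an added example, not code from this page, from NSX or from HAProxy, and it assumes a simplified reading of HAProxy's acl evaluation: several acl lines with the same name, or several patterns on one line, are OR'ed; acl names in one condition are AND'ed; `||` (or `or`) separates OR'ed groups; a leading `!` negates one acl; a matching `block` returns 403 before any `use_backend` is considered; and unmatched traffic goes to the Virtual Server's default pool. The pool name `defaultpool`, the acl name `lan` (used instead of a second acl called `source`), and the sample requests are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    """Constructed sample request: only the two attributes the page's acls inspect."""
    src: str    # client source IP
    path: str   # request path, may carry a query string


@dataclass
class Ruleset:
    """Simplified model of the HAProxy features used on the page (an assumption, not HAProxy itself)."""
    acls: Dict[str, List[Callable[[Request], bool]]] = field(default_factory=dict)
    blocks: List[str] = field(default_factory=list)                # conditions behind "block if"
    backends: List[Tuple[str, str]] = field(default_factory=list)  # (pool, condition) for "use_backend"
    default_pool: Optional[str] = None                             # the Virtual Server's default pool

    def acl_src(self, name: str, *cidrs: str) -> None:
        """acl <name> src <cidr> [...]: TRUE when the client IP is in any listed range.
        Repeated acl lines with the same name are OR'ed, like several patterns on one line."""
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        self.acls.setdefault(name, []).append(
            lambda r: any(ipaddress.ip_address(r.src) in n for n in nets))

    def acl_path_beg(self, name: str, *prefixes: str) -> None:
        """acl <name> path_beg -i <prefix> [...]: case-insensitive prefix match on the path,
        which (as in HAProxy) excludes the query string."""
        lowered = [p.lower() for p in prefixes]
        self.acls.setdefault(name, []).append(
            lambda r: any(r.path.split("?", 1)[0].lower().startswith(p) for p in lowered))

    def _acl(self, token: str, r: Request) -> bool:
        # A leading "!" negates the acl; an acl is TRUE if any of its lines/patterns match.
        negate = token.startswith("!")
        value = any(pred(r) for pred in self.acls[token.lstrip("!")])
        return (not value) if negate else value

    def matches(self, condition: str, r: Request) -> bool:
        """Condition grammar used on the page: space-separated acl names are AND'ed,
        "||" (or "or") separates OR'ed groups."""
        groups = condition.replace(" or ", " || ").split("||")
        return any(all(self._acl(tok, r) for tok in group.split()) for group in groups)

    def decide(self, r: Request) -> Tuple[str, object]:
        """A matching "block" wins with a 403; otherwise the first matching use_backend
        picks the pool; otherwise the default pool is used."""
        if any(self.matches(c, r) for c in self.blocks):
            return ("block", 403)
        for pool, cond in self.backends:
            if self.matches(cond, r):
                return ("route", pool)
        return ("route", self.default_pool)


def build_rules() -> Ruleset:
    """The page's two examples combined into one ruleset. "lan" replaces the second
    acl the page also calls "source"; "defaultpool" is a constructed pool name."""
    rs = Ruleset(default_pool="defaultpool")
    rs.acl_src("source", "10.0.0.0/8")
    rs.acl_path_beg("link", "/cgi-bin", "/home", "/log")
    rs.blocks.append("source link")          # block if source link   (implicit AND)
    rs.acl_src("lan", "192.168.0.0/16")
    rs.backends.append(("webpool", "lan"))   # use_backend webpool if lan
    return rs


if __name__ == "__main__":
    rules = build_rules()
    for req in (Request("10.1.2.3", "/cgi-bin/test"),
                Request("10.1.2.3", "/index.html"),
                Request("192.168.5.5", "/HOME/page?x=1"),
                Request("172.16.0.1", "/log")):
        print(req.src, req.path, "->", rules.decide(req))
```

Running the script prints one decision per constructed request: the 10.0.0.0/8 client asking for /cgi-bin is blocked, the same client asking for /index.html falls through to the default pool, the 192.168.0.0/16 client is routed to webpool even though its path starts with /home (the "source" acl is false, so the implicit AND fails), and `matches()` can be called directly to compare the `source || link` and `!source link` variants against the same requests.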
The following screenshot shows how to apply the Application Rule to the Virtual Server:
For more configuration details, please refer to the HAProxy Documentation.