Global Load Balancing using NSX ALB in VMC

Manish Jha

Overview

Global Server Load Balancing (GSLB) is the method of load balancing applications/workloads that are distributed globally (typically, multiple data centers and public clouds). GSLB enables the efficient distribution of traffic across geographically dispersed application servers. 

In a production environment, the corporate name server delegates one or more subdomains to Avi Load Balancer GSLB, which then owns these domains and responds to DNS queries from clients. DNS-based load balancing is implemented by creating a DNS Virtual Service. 

How GSLB Works?

Let’s understand the working of GSLB using the example. 

2 SDDCs are running in VMC, and both SDDC has local load balancing configured to load balance set of web servers in their respective SDDC. The 2 Virtual Services (SDDC01-Web-VS & SDDC02-Web-VS) have a couple of web servers as pool members and the VIP of the Virtual Service is translating to Public IP via NAT.  

Let’s assume the 4 web servers running across 2 SDDC are servicing the same web application and you are looking for doing a global load balancing along with local load balancing. 

To achieve this, you should have a common URL via which all 4 web servers can be accessed. When this URL is accessed, the load is distributed across all the web servers that are participating in GSLB. 

In this case, client requests will be sent to the GSLB Virtual Service which is a DNS based virtual service. The GSLB virtual service then checks its pool and based on the algorithm used, forwards requests to one of the local virtual services configured in the SDDC. The local VS then forwards the traffic to one or more pool members. 

GSLB Use Cases

The following are a few use cases of Avi GSLB functionality:

  • Provide optimal application experience by load balancing applications across 2 or more datacenters.
  • Application high availability across the datacenters.
  • Traffic redirection to the DR site in case of the primary site failure.

GSLB Deployment Topology in VMC on AWS

The diagram below, taken from David Zhang’s blog, shows a high-level topology of GSLB implementation across 2 SDDC (connected via vTGW) in VMC on AWS. 

As shown in the above diagram, applications (web servers) are deployed in SDDC1 and SDDC2. A local instance of Avi Load Balancer is deployed in both the SDDC’s and is performing local load balancing in their respective SDDC. The SDDCs are in different availability zones, hence connectivity between them is provided via VMware Transit Gateway (vTGW). The segments where applications are deployed have reachability across SDDC’s. 

Pre-requisites for GSLB Implementation

  • At least 2 SDDCs are deployed and configured in VMC.
  • The SDDCs should have connectivity with each other, and the Avi management network should have reachability across SDDCs.
  • Avi Controller & Service Engines are deployed in SDDC. Steps for deploying and configuring Avi in VMC are available here
  • Local load balancing of applications inside individual SDDC is configured. Steps for configuring load balancing in VMC are available here
  • DNS subdomain for applications is hosted either on-prem or Cloud DNS. The subdomain should be resolvable over the Internet.
  • Avi Controller and Service Engines should be able to resolve the DNS subdomain that is hosted outside of VMC.

GSLB Implementation Steps

The table below lists the components and associated IP addresses I used in my configuration.

Create DNS Virtual Service

GSLB is a DNS based solution and is implemented via DNS Virtual Service. To create DNS Virtual Service, login to the Avi controller of SDDC1 and navigate to Applications > Virtual Services > Create Virtual Service > Advanced Setup.

Configure the following settings:

  • Name: Provide a name for the DNS Virtual Service. 
  • FQDN/IPv4 Address: Provide a free IP address from the pool which you configured for the Avi VIP. If the IP address is DNS resolvable, you can provide an FQDN instead. 
  • Application Profile: Choose System-DNS profile. 
  • TCP/UDP Profile: Accept the default for the TCP/UDP Profile field (System-UDP-Per-Pkt)
  • Pool: No pool is required; the DNS service will run within the SE’s virtual machine. 
  • Service Port: Select Port 53 by switching to the advanced view under the Service Port sub-section. 

You can leave the other settings (Policies/Analytics/Advanced) to the system default unless you want to enable specific functionality.

Ensure that the newly created DNS Virtual Service is healthy and its status is Up. 

Repeat the process of creating a DNS Virtual Service in SDDC02. 

Configure GSLB Sites

NSX Advanced Load Balancer differentiates data centers by categorizing them into sites. GSLB sites fall into two broad categories:

  • Avi Sites: An Avi site refers to the environment that is running NSX ALB Controllers and Service Engines. 
  • External Sites: An external site runs third-party ADCs from vendors such as F5, Citrix, etc.

Each Avi site is characterized as either an active or a passive site. Active sites are further classified into two types:

  • GSLB leader
  • GSLB followers 

The active site from which the initial GSLB site configuration is performed is the designated GSLB leader. Changes to GSLB configuration are permitted only from the leader node, which propagates those changes to all accessible followers. The only way to switch the leadership role to a follower is by overriding the configuration of the leader from a follower site. This override can be invoked in the case of site failures or for maintenance.

Note: GSLB implementation in VMC leverages Avi Sites. 

To configure GSLB sites, log in to the Controller node that will be designated as the leader and navigate to Infrastructure > GSLB. Edit the GSLB settings and define GSLB sites. 

Configure the following settings:

  • Name: Provide a name for the GSLB Site.
  • Credentials: Provide the credentials of the controller node. 
  • IP Address: Provide the IP address of individual controller nodes and enter port 443.

Note: You can either enter the Controller Cluster IP address or specify an individual node when configuring controller information.

Under GSLB Subdomain, enter the publicly resolvable URL which will be used to access the application servers. This URL will be the single point of entry for all application servers that are load-balanced via GSLB. 

Note: In my lab, I have the domain vmclab.net hosted in AWS. 

Click the Save and Set DNS Virtual Services button. 

Under DNS Virtual Service, select the Virtual Service that you have created earlier and map it with the GSLB Subdomain, and hit save.

The first GSLB site is always added as Active and is designated with a Leader role. Subsequent sites can be added as Active or Passive depending upon the infrastructure needs.

To add a new site, click the Add New Site button. 

Configure the following settings: 

  • Name: Provide a name for the GSLB Site.
  • Credentials: Provide the credentials of the controller node. 
  • IP Address: Provide the VIP address of the controller cluster from the second SDDC and enter port 443.
  • Active Member: Selected. 

Click on Save and Set DNS Virtual Services to map the DNS Virtual Service with the GSLB Subdomain.

Click the save button to finish the site addition wizard. 

At this point, the two Avi sites are talking to each other, and configuration synchronization is enabled.

NAT Private VIP with Public VIP

Typically, the IP address used in the VIP configuration for a local virtual service is private. These IP addresses are not reachable by the client over the Internet. To fix this, you must enable the NAT-aware Public-Private GSLB feature. This feature has been described in detail here

To configure this, navigate to Infrastructure > GSLB > Active Members and edit the settings of the Leader Site. Under Advanced Settings, select Client Group IP Address Type as Private and enter the following parameters:

  • 10.0.0.0/8
  • 172.16.0.0/15
  • 192.168.0.0/16

Enable GSLB Service and Configure GSLB Pools

To enable GSLB service, navigate to Applications > GSLB Services > Create > Advanced Setup

Configure the following settings:

  • Name: Name for the GSLB service.
  • Application Name: www
  • Subdomain: Select the GSLB subdomain that you created while performing the GSLB site configuration. 
  • Health Monitor: Appropriate health monitor as per your application. The commonly used health monitors for web-based applications are System-GSLB-HTTP and System-GSLB-HTTPS
  • Health Monitor Scope: All Members
  • Controller Health Status: Enabled

Next is to create GSLB Pool members.

Under GSLB Pool, click on the Add Pool option and enter the following parameters:

  • Name: Name for the GSLB Pool.
  • Pool Members Load Balancing Algorithm: Round Robin (Note this means the client will be sent to the local load balancer in both SDDC01 and SDDC02)

Under Pool Members, select the type as Virtual Service and configure the following settings:

  • Site Cluster Controller: GSLB Leader Site.
  • Virtual Service: Web Virtual Service that has been configured in the leader site (SDDC01).
  • Public IP Address: Public IP address serving as VIP for the web server in SDDC01.
  • Ratio: A ratio of 1 means all pool members will get an equal load.
  • Enabled: Selected.

Repeat the process for adding SDDC02 GSLB pool members.

Configure the number of IPs returned by the DNS Server to 1 and set the TTL to 300.

Click on the save button to finish the GSLB Pool configuration. 

The configuration of Active-Active GSLB for the web-based application server is now completed.

Configure Public IP and NAT/Firewall Rules for DNS Virtual Service

To create NAT/Firewall rules for the DNS Virtual Service, you have to first request a Public IP. Please refer to the VMC on AWS official documentation to learn about how to request a Public IP and create NAT/firewall rules. 

Configure DNS Subdomain

For hosting a DNS subdomain in Public Cloud, please refer to the service provider documentation. A sample DNS subdomain configuration in AWS is shown in the screenshot.

Verify Global Load Balancing

To test the GSLB working, open a web browser and enter the application name that you have configured in your GSLB configuration.

In my lab, the application url is configured as www.sddc.vmclab.net. This is a publicly resolvable URL created via the AWS Route 53 service. 

On hitting the application URL, you should see the response from each pool member. 

 

And that’s it for this post. 

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing