vCloud Director 9 load balancing with NSX edge gateway

For high availability and performance reasons, it makes sense to run multiple vCloud Director cells. To do this, you can place a load balancer in front of it. And since we already use NSX for vCloud Director 9, it makes even more sense to use an edge gateway for load balancing.

However, there are a few pitfalls, for example with terminating HTTP connections, session persistence and especially with the VM Remote Console via the browser.

In my blog post I show you how to configure NSX and vCloud Director 9 and what to consider for this setup.

Architecture for load balancing vCloud Director 9 cells with a NSX edge gateway

The setup is very simple. You have the Edge Gateways in front of the vCloud Director 9.x cells, the cells are in a DMZ and the load balancer service is enabled on the Edges.

vCloud Director NSX load balancing architecture

Certificates for NSX load balancing

For convenience, I recommend using a single valid wildcard certificate. vCloud Director in conjunction with NSX Loadbalancer has multiple IP addresses and DNS entries and therefore requires multiple certificates. In effect, using a wildcard certificate makes life much easier.

In short:

  • Each vCloud Director cell needs 2 certificates: One for the portal and one for the console proxy.
  • The NSX loadbalancer needs 2 certificates for the 2 virtual servers. One for the portal access and one for the web console proxy.
  • The NSX loadbalancer also needs the certificates from the vCloud Director cells for the Pool Side SSL.

If a SSL configuration for the web console proxy is not set correctly, you will see a blank page and a timeout in the web console window of a VM.

The same error appears if it’s a self signed certificate. You have to accept it in the browser first or import it in the certificate store.

Configuration of the NSX edge gateway and vCloud Director

You only need 5 easy steps to configure NSX load balancing for vCloud Director 9.

1.) Create an application profile for the vCloud Director portal:

NSX Load Balancer for vCD portal

For session persistence I use a cookie which will be inserted in every request. That way I can nail a session to a specific vCD cell. And for better security I specify the certificates for the cells (prevents MITM attacks).

2.) Create a monitor for this load balancer:

vcd nsx lb monitor

You may have noticed that I use the special URL/cloud/server_status and a RegEx to monitor the vCloud Director cells. You will only receive the string “Service is up.” in response if the vCloud Director process is running completely.¬†This is especially practical because vCD is based on Java and it sometimes takes a while until it is fully operational.

3.) Create a server pool with the cells as members:

vcd-nsx-pool-portal

4.) Create a virtual server¬†with the load balancer’s public address for the portal:

nsx vserver for vcd portal

5.) Last but not least, Adjust the public address settings in vCloud Director:

vcd public addresses

vCloud Director 9.x Web Console and NSX load balancing

I had some trouble until the console proxy of vCloud Director 9 was running without any errors. And I could only find one way to do that. That’s why I’m sharing it here.

The basic configuration is the same as for the vCloud Director portal. But it differs at 2 points:

  • Session persistence must be set to “Source IP”
  • SSL Passthrough must be enabled

But one step at a time.

1.) Create an application profile:

vCloud Director NSX Load balancing Web Console

2.) Create a monitor for load balancing:

vcd-nsx-monitor-console

3.) Create a server pool with the vCD public addresses for the web console:

vcd nsx load balancing

4.) Create a virtual server with a load balancer ip for the web console (must be different from the portal load balancer address):

vCloud Director NSX load balancing

5.) Change the public address settings in vCloud Director for the web console:

vCloud Director public address settings for web console

As certificate chain I use the complete chain, including root, indermediate and server certificate. The server certificate is the same as I use in the NSX loadbalancer configuration.

Further information

Leave a Reply

Your email address will not be published. Required fields are marked *