NSX Advanced Load Balancer
Welcome to the NSX Advanced Load Balancer (ALB) lab.
Through this lab, you will learn how to integrate the VMware NSX ALB with the latest version of VMware Cloud Director (VCD) 10.2 and test the features and functionality of the ALB with the integration.
Topics that will be covered are:
- Pre-requisites before integration
  - vCenter pre-requisites
  - NSX-T pre-requisites
  - VMware Cloud Director pre-requisites
- NSX ALB integration
  - NSX ALB startup
  - Integrating with NSX-T Manager
  - Generating ALB certificate for VCD use
  - Integrating NSX ALB with VCD
- Load Balancing tenant workloads
  - Adding Server Pool
  - Adding Virtual Service
  - Test Load Balanced Servers
Overview
This section provides a high-level overview of the integration between NSX ALB, NSX-T and VMware Cloud Director.
Infrastructure Overview
The image above shows the communication path for the NSX ALB integration.
NSX ALB adds NSX-T Manager as a "cloud", and within that integration it also links to the vCenter that NSX-T is integrated with.
VMware Cloud Director will then add the NSX ALB Controller and the respective Service Engine Groups (that are prepared for VCD use).
Dataplane Overview
This section will elaborate on the dataplane topology implementation for VCD's integration with NSX ALB.
There are two types of implementation:
- Dedicated Service Engines
- Shared Service Engines
Dedicated Service Engine Group

The diagram above depicts the topology when a dedicated ALB Service Engine Group is created for a tenant. In this implementation, Service Engines are dedicated to a particular tenant and no other tenants share these SEs. This is a good fit for tenants that want dedicated performance for load balancing their services or that want total data isolation (e.g. financial institutions or government requirements).
Shared Service Engine Group
The diagram above depicts the topology when a shared Service Engine Group is created for multi-tenant use. This is the recommended implementation, as it allows shared service engine resources to be fully utilized. We also do not need to worry too much about over-sizing, as NSX ALB can auto-scale the service engines in the service engine groups on demand.
Pre-Requisites Before Integration
Before the integration, the following pre-requisites must be met:
- NSX-T already integrated with VCD
- VCD running on version 10.2 and above
- NSX-T running on version 3.0 and above
- NSX ALB running on version 20.1.1 (versions higher are not yet tested)
- vSphere content library has to be created
- A management segment has to be created for the ALB Service Engines (SE) with DHCP enabled
- VCD's NSX-T Network Pool Transport Zone has to be the same as the Transport Zone selected on NSX ALB
vCenter Pre-Requisites
In this section, we will prepare the pre-requisites on vCenter to integrate with NSX ALB.
Login to the vCenter

Access the webUI of vcsa-01a and key in the credentials to access vCenter:
- Click on the vCenter shortcut on the browser
- Username: administrator@corp.local
- Password: VMware1!
- Click Login
Creating A Content Library
When integrating NSX ALB, you will be required to create a Content Library. This gives the NSX ALB Controllers a place to store the Service Engine image files, so that they can request on-demand creation of Service Engines from vCenter.
Go to Content Libraries

From vCenter's main page:
- Click on Menu
- Select Content Libraries
Create New Content Library

On the Content Library page click on +Create.
Provide Name and Location for Content Library
On the first page of creating a content library:
- Provide content library name of alb-content-lib
- Click Next
Select storage for Content Library
To select the storage:
- Select RegionA01-ISCSI01-COMP01
- Click Next
Review New Content Library Creation
After reviewing the configuration to be correct, click on Finish.
NSX-T Pre-Requisites

In this section, we will need to prepare NSX-T for the NSX ALB integration. We will need to create the Tier-1 router (in orange) as the management segment gateway for the Service Engines that will be created by the ALB Controller. This will allow management plane communication between the ALB Controller and the Service Engines.
This segment will also have to be enabled with DHCP in order for the SEs to automatically obtain IPs when provisioned. In our lab, we will utilize the DHCP service from NSX-T.
Do note that the SE Management Segment has to be advertised from Tier-0 to the upstream network so that the upstream network knows how to reach it.
Login to NSX-T Manager

To access the NSX-T Manager:
- Access the browser and click on the NSX-T shortcut
- Username: admin
- Password: VMware1!VMware1!
- Click Log In
Creating NSX-T Tier-1 Gateway

The NSX-T Tier-1 Gateway will be used as the gateway for the NSX ALB Service Engines. This is an infrastructure requirement of the NSX ALB integration with NSX-T. This Tier-1 gateway will then be connected to a Tier-0 gateway, which can be the same Tier-0 router as the tenant's external network or a separate Tier-0 router (if you would like to segregate management and tenant networks). In this lab, we'll utilize the same Tier-0 router as the tenant's external network to conserve resources.
Adding NSX-T Tier-1 Gateway

To add a Tier-1 gateway:
- Go to Networking
- Select Tier-1 Gateways
- Click on Add Tier-1 Gateway
Fill in the Tier-1 details
Configure these settings:
- Tier-1 Gateway Name: nsxalb-se-mgmt
- Linked Tier-0 Gateway: nextgen-gw
- Edge Cluster: nextgen-edge-cluster
- Click Save
Continue Configuring Tier-1 Gateway

- Click Yes to continue configuring nsxalb-se-mgmt Tier-1 router
Set DHCP Server on nsxalb-se-mgmt Tier-1
- On the DHCP setting option, click on Set DHCP Configuration
Set DHCP Configuration

- Select DHCP Server from the Type dropdown menu
- DHCP Server Profile, click on the 3 dots (menu) button
- Select Create DHCP Profile
Create DHCP Profile
- Profile Name: DHCP-Profile
- Edge Cluster: nextgen-edge-cluster
- Click Save
TIPS: We can leave Server IP Address blank and it would default to 100.96.0.1
Save DHCP Server Configuration

- Click Save to save the DHCP configuration
Advertise nsxalb-se-mgmt Connected Segments to External
To advertise the nsxalb-se-mgmt connected segments:
- Expand Route Advertisement
- Toggle All Connected Segments & Service Ports
- Click Save
Close Editing Mode

- Click Close Editing at the bottom of the edit dialog to exit edit mode and return to the list of Tier-1 Gateways.
Create NSX ALB Service Engine Segment

The NSX ALB Service Engines' management vNIC will need to connect to an NSX-T Segment. This Segment will be connected to the nsxalb-se-mgmt NSX-T Tier-1 router that was created in the previous step, then given a gateway IP.
Adding a Segment
To create a Segment:
- Go to Networking
- Select Segments on the left pane
- Click on Add Segment
Fill in the details
Configure these settings:
- Segment Name: nsxalb-se-seg
- Select nsxalb-se-mgmt Tier-1 Router
- Select TZ-HOL-Overlay Transport Zone
- Subnets: 192.168.160.1/24
- Scroll down a little
- Click Save
Continue Configuring Segment

It will prompt you on whether you want to continue the Segment configuration:
- Click Yes
Setting up DHCP for NSX ALB Management Segment
- To set up DHCP for this particular segment, click Set DHCP config
Set DHCP config
- Select DHCP Type to be Gateway DHCP Server from dropdown
- Ensure DHCP Profile is DHCP-Profile
- Enable DHCP Config
- Set DHCP Ranges to 192.168.160.11-192.168.160.200
- Click Apply
VMware Cloud Director Pre-Requisites
For the VCD pre-requisite, we must note down the Transport Zone used for the NSX-T network pool. The same Transport Zone has to be selected when integrating NSX ALB with NSX-T, to ensure successful integration with VCD.
Login to VMware Cloud Director

To access the VMware Cloud Director provider portal:
- Access the browser and click on the vCD - Provider shortcut
- Username: admin
- Password: VMware1!
- Click Sign In
Review Network Pool Configuration
To review the configuration:
- Go to Resources
- Ensure it is on Cloud Resources
- On the left pane, select Network Pools
- Click on regionA name
NSX Advanced Load Balancer (ALB) Bringup and Integration with NSX-T
In this lab, we have already deployed the NSX ALB controller from the OVA file to save time. The OVA deployment asks for the infrastructure details, e.g. which ESXi host to install on and which IP address to use for the management IP.
You will start with the NSX ALB first boot, then integrate it with NSX-T Manager.
NSX ALB Startup
At startup, NSX ALB asks for more configuration settings to complete the installation.
Create ALB Controller Administrator Account
Access the NSX ALB webUI via the browser:
- Click on the Avi Controller shortcut
- Password & Confirm Password: VMware1!
- Click on Create Account
Provide System Settings

Provide system settings for:
- DNS Resolver(s): 192.168.110.10
- DNS Search Domain: corp.local
- Backup Passphrase & Confirm Backup Passphrase: VMware1!
TIPS: 192.168.110.10 is the vPod's AD/DNS server.

- Scroll down to the end
- Replace the first NTP Server (0.us.pool.ntp.org) with 192.168.100.1
- Click Next
TIPS: 192.168.100.1 is the vPod Router, which is the vPod's NTP server.
Provide Email/SMTP settings

- Leave everything default and click Next
Orchestrator Integration

- Select No Orchestrator
INFO: NSX-T Integration selection is not visible here yet. It'll be done at a later stage.
TIPS: You could also select 'VMware', but it'll be a redundant configuration because using NSX-T Integration will include vCenter integration.
Choose Support of Multi-Tenancy

- Select Yes for multiple tenant support
TIPS: With VCD integration it doesn't really matter whether this is Yes or No, because VCD will be the multi-tenant portal. We still choose Yes here because we don't want to take away the option of supporting multi-tenancy at the NSX ALB level if we choose to do so in the future.
Tenant Settings

Under the multi-tenant settings:
- Select Per tenant IP
- Select Service Engines are managed within the tenant context, not shared across tenants
- Click on Complete
TIPS: Again, it doesn't really matter which one you choose in the context of VCD integration, but without VCD integration you would select these options to provide self-service multi-tenant load balancing infrastructure to your tenants.
Integrating with NSX-T
After completing the NSX ALB startup, you'll be greeted with the NSX ALB Dashboard. You'll need to access the NSX-T integration page:
- Click on the top left side corner menu
- Select Infrastructure
Creating the NSX-T Cloud
To create the NSX-T cloud:
- Click on Clouds
- Click on Create
- Select NSX-T Cloud
Configuring ALB NSX-T Cloud (cont.)
Under NSX-T Credentials section:
- Scroll down a little
- NSX-T Manager Address: nsx-mgr.corp.local
- Click on the 3 dots (options menu)
- Click on Create
Add NSX-T Credentials
To create NSX-T credentials for ALB's usage:
- Name: nsxt-cred
- Credentials Type select NSX-T
- Username: admin
- Password: VMware1!VMware1!
- Click Save
Select Transport Zone
- Select TZ-HOL-Overlay
WARNING! This MUST be the same transport zone as the one used in VCD. We have already noted this down in the VCD Pre-requisite step.
Select Management Network Segment
- Select earlier created Tier1 Logical Router ID: nsxalb-se-mgmt
- Select earlier created Segment ID: nsxalb-se-seg
- Click Add
- Select same Tier1 router: nsxalb-se-mgmt
- Select same Segment: nsxalb-se-seg
Configure vCenter Servers
- Scroll down a little more
- Under vCenter Server(s), click Add
Adding vCenter Server
- Name: vcsa-01a
- Select 192.168.110.22 on the dropdown menu
- Click on the 3 dots (options menu)
- Click on Create
Add vCenter Credentials
- Name: vcsa-01a-cred
- From the dropdown menu, select vCenter as the Credentials Type
- Username: administrator@corp.local
- Password: VMware1!
- Click on Save
Select Content Library
- Select the alb-content-lib created in the vCenter Pre-requisite
- Click on Done
Generate ALB Certificate for VMware Cloud Director
By default, the NSX ALB uses a default SSL/TLS certificate, which VCD will reject. You can also use your organization's valid signed certificate, but to keep the lab simple we will create a new self-signed certificate (that meets VCD's requirements).
Access the Security Page UI
To access the certificate page, you will need to:
- Click on top left corner menu
- Select Templates
- Select Security tab
- Click on Create

- Select Controller Certificate
Add Certificate (SSL/TLS)
Key in this configuration:
- Name: avicorplocal
- Common Name: avi-controller
- Organization Unit: HOL
- Organization: VMware
- Locality or City: Palo Alto
- State Name or Province: California
- Country: US
Add Certificate (SSL/TLS) (cont.)
- Scroll down to the end
- Subject Alternate Name (SAN): avi-controller.corp.local
- Click on Save
Apply New Self-Signed Certificate
After creating the new self-signed certificate, we will need to apply it:
- Click on top left corner menu of the webUI
- Select Administration
- Select the Settings tab
- Choose Access Settings sub-tab
- Click on the pencil (edit) button on the right
Replace the SSL/TLS Certificate
Delete the 2 existing SSL/TLS Certificates:
- Delete System-Default-Portal-Cert
- Delete System-Default-Portal-Cert-EC256
Replace the SSL/TLS Certificate (cont.)
Add the newly created self-signed certificate:
- From SSL/TLS Certificate dropdown menu, select avicorplocal
- Click on Save
INFO: After clicking on Save, we will have to refresh our web browser because the SSL certificate that we are using has changed.
Create Service Engine Group for VCD
To access the Service Engine Group configuration:
- Click on top left corner menu
- Select Infrastructure
- Select the Service Engine Group tab
- For Select Cloud, choose nsxt-cloud
- Click on Create on the right
Configure Service Engine Group Settings
This is where you configure the Service Engine Group. Here we configure a group for VCD to use in shared service engine mode.
- Service Engine Group Name: VCD-Shared-SE-Group
- Max Number of Service Engines: 2
- Click on Save
INFO: We only select 2 for Max Number of Service Engines because we don't want the group to accidentally grow too large in our resource-constrained lab.
TIPS: VCD will use one SE group per shared or dedicated SE pool assignment. You will need to create more if you want to provide a few dedicated SE pools or separate shared SE pools.
TIPS: Under the Advanced tab, you will see Buffer Service Engines, which is set to 1. Hence, when the first Virtual Service is created, 2 Service Engines will be created immediately: 1 is in use and the other is the buffer.
VMware Cloud Director Integration
After setting up the infrastructure, we move on to integrating the VMware Cloud Director with NSX ALB.
Login to VMware Cloud Director

To access the VMware Cloud Director provider portal:
- Access the browser and click on the vCD - Provider shortcut
- Username: admin
- Password: VMware1!
- Click Sign In
Add NSX ALB Controllers to VCD
To add an NSX ALB Controller to VCD:
- Go to Resources
- Select the Infrastructure Resources tab
- Click on Controllers under the NSX-ALB on the left pane
- Click on Add
Add Controller

Key in the configurations for the NSX ALB Controller:
- Name: avi-controller
- URL: https://avi-controller.corp.local
- Username: admin
- Password: VMware1!
- Enterprise License toggle green
- Click on Save
TIPS: If you do not toggle the enterprise license, the NSX ALB will only allow the basic edition features. For this lab, we will use the Enterprise License.
Trust NSX ALB Certificate
VCD will ask you whether you want to trust this NSX ALB Controller:
- Click on Trust
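Added example, not part of the original lab: a check that the certificate created earlier covers the host name in the controller URL entered above. It assumes a verifier that matches only subjectAltName entries (no Common Name fallback) and takes the certificate as a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; `san_covers`, the sample certificates and the address `192.0.2.10` are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert(),
# filled with the field values from this lab's certificate form.
LAB_CERT = {
    "subject": ((("commonName", "avi-controller"),),),
    "subjectAltName": (("DNS", "avi-controller.corp.local"),),
}
# Constructed counter-example: same subject, no SAN extension at all.
CN_ONLY_CERT = {"subject": ((("commonName", "avi-controller"),),)}


def _dns_match(pattern, host):
    """Compare a dNSName SAN with a host name, label by label.

    A '*' is honoured only as the complete leftmost label and never matches
    across a dot: '*.corp.local' covers 'a.corp.local', not 'a.b.corp.local'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_covers(cert, url):
    """Return (ok, reason): does the certificate's SAN cover the URL's host?"""
    host = urlsplit(url).hostname
    if not host:
        return False, "URL has no host part"
    sans = cert.get("subjectAltName", ())
    if not sans:
        return False, "certificate has no subjectAltName; Common Name is not used"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals must match an iPAddress SAN, never a dNSName.
        ok = any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
        return ok, ("iPAddress SAN matches" if ok else f"no iPAddress SAN for {host}")
    ok = any(k == "DNS" and _dns_match(v, host) for k, v in sans)
    return ok, ("dNSName SAN matches" if ok else f"no dNSName SAN for {host}")


if __name__ == "__main__":
    urls = ("https://avi-controller.corp.local",  # URL used in this lab
            "https://avi-controller",             # short name: only in the CN
            "https://192.0.2.10")                 # constructed IP-literal URL
    for cert_name, cert in (("lab", LAB_CERT), ("cn-only", CN_ONLY_CERT)):
        for url in urls:
            print(cert_name, url, san_covers(cert, url))
```

With the lab's values only the FQDN URL passes; the short name and an IP-literal URL would need their own SAN entries.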
Add NSX-T Cloud from NSX ALB

To add an NSX-T Cloud from NSX ALB:
- Select NSX-T Clouds under the NSX-ALB on the left pane
- Click on Add
Add NSX-T Cloud
Configure these settings:
- Select avi-controller from the dropdown menu
- Name: avi-controller
- Select nsxt-cloud from the Available Clouds
- Click on Add
Add Service Engine Group from NSX ALB
To configure the available Service Engine Groups from NSX ALB into VCD:
- Go to the Service Engine Groups under NSX-ALB on the left pane
- Click Add
Add Service Engine Group

Configure these settings:
- Select avi-controller from the NSX-T Cloud dropdown menu
- Reservation Model select Shared
- Name: VCD-Shared-SEGroup-01
- Select VCD-Shared-SE-Group under the Available Service Engine Groups
- Click on Add
TIPS: Reservation Shared allows multiple tenants to utilize the same Service Engine group. This allows providers to overprovision the service engines for best ROI. Reservation Dedicated allows only one tenant to utilize that service engine group, hence dedicated.
Load Balancing Workloads
The topology above depicts the current setup. There is an organization "e-corp" with an organization VDC, e-corp-nextgen-paygo, that has 3 virtual machines already deployed on the NSX-T backed Provider VDC (nextgen-resources). Their requirement is to load balance those 3 web VMs and front them with the virtual IP 100.100.3.10.
INFO: The 100.100.3.0/24 subnet has been allocated to tenant e-corp as a VCD External Network.
Accessing the Tenant Portal
To access the e-corp tenant:
- Click on Resources on the top menu
- Select Cloud Resources on the tab below
- Select Organizations on the left pane
- Click on the popup menu beside "e-corp"
Accessing the Organization VDC
- The tenant portal will pop up and you will need to click on the organization VDC e-corp-nextgen-paygo
Configuring Load Balancer under Edge Gateway
To access the load balancer configuration, you must access the edge gateway:
- Select Edges on the left pane
- Select the existing Edge Gateway ecorp-gw
Enable Load Balancer Service
Before using the load balancer, we'll need to enable it first:
- Click on General Settings under Load Balancer
- Select Edit
Edit Load Balancer General Settings

- Toggle Load Balancer State to Active
- Click on Save
What Happens on the Backend?
TIPS: Service Network Specification defines the IP address range for the internal VIPs. If we select Use Default, VCD will assign the 192.168.255.0/25 range. This segment will attach to the Tier-1 gateway of the tenant. You can change this if the default subnet clashes with an existing network of the tenant.
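Added example, not part of the original lab: a pre-flight check for the clash described in the tip above, extended to the DHCP range configured on the SE management segment. The function names are illustrative, the `/24` mask on the tenant web network is an assumption (the lab only shows member addresses in 172.16.30.x), and the clashing plan is constructed.

```python
import ipaddress
from itertools import combinations

# Address plan taken from this lab; "tenant-web" assumes a /24 mask.
LAB_PLAN = {
    "se-mgmt": "192.168.160.1/24",         # nsxalb-se-seg gateway/subnet
    "vcd-lb-service": "192.168.255.0/25",  # VCD default service network
    "tenant-web": "172.16.30.0/24",        # pool members .21-.23 (mask assumed)
    "tenant-external": "100.100.3.0/24",   # e-corp external network
}
# Constructed example of a tenant network that collides with the VCD default.
CLASHING_PLAN = dict(LAB_PLAN, **{"tenant-legacy": "192.168.255.64/26"})


def find_overlaps(networks):
    """Return (name_a, name_b) pairs, sorted by name, whose CIDR blocks overlap."""
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    return [(a, b) for a, b in combinations(sorted(parsed), 2)
            if parsed[a].overlaps(parsed[b])]


def check_dhcp_range(gateway_cidr, dhcp_range):
    """Return a list of problems with a 'start-end' DHCP range on a segment."""
    iface = ipaddress.ip_interface(gateway_cidr)
    net = iface.network
    start, end = (ipaddress.ip_address(p.strip()) for p in dhcp_range.split("-"))
    problems = []
    if start > end:
        problems.append("range start is after range end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"range {label} {addr} is outside {net}")
    if start <= iface.ip <= end:
        problems.append(f"range includes the gateway {iface.ip}")
    if (start <= net.network_address <= end
            or start <= net.broadcast_address <= end):
        problems.append("range includes the network or broadcast address")
    return problems


if __name__ == "__main__":
    print("lab overlaps:", find_overlaps(LAB_PLAN))
    print("clashing overlaps:", find_overlaps(CLASHING_PLAN))
    print("lab DHCP range:",
          check_dhcp_range("192.168.160.1/24", "192.168.160.11-192.168.160.200"))
```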
Adding Service Engine Group to Tenant Org VDC
After enabling the Load Balancer service, we will see more options under Load Balancer. Next, we have to select the Service Engine Group to be assigned to this tenant:
- Click on Service Engine Groups
- Click on Add
Add Service Engine Group
This window allows the tenant to consume the Service Engine Group added earlier. Maximum Allowed is the maximum number of virtual services the tenant can create. Reserved is the number of Service Engines reserved for this tenant from the pool.
- Select VCD-Shared-SEGroup-01
- Maximum Allowed: 2
- Reserved: 0
INFO: This will allow the tenant to configure a maximum of 2 virtual services, and 0 service engines will be reserved for this tenant. This is in line with provider over-provisioning concepts.
Adding Server Pool
To load balance workloads, we must first create the pool containing the servers that will be load balanced.
- Click on Pools
- Click on Add to add a new server pool
General Settings for Load Balancer Pool
- Name: web-cities-pool
- Load Balancer Algorithm: Round Robin
- Active Health Monitor: Add Monitor
- Select HTTP
Members for Load Balancer Pool
- Click on Members Tab
- Click on Add
- Address: 172.16.30.21
- Port: 80
- Do the same for 172.16.30.22 and 172.16.30.23
- Click Save
Adding Virtual Service
Virtual Service is where we configure the Virtual IP of the service we want to load balance. To configure the virtual service:
- Click on Virtual Services
- Click on Add
Add Virtual Service for the Load Balancer
- Name: web-cities-vs
- Service Engine Group: VCD-Shared-SEGroup-01
- Load Balancer Pool: web-cities-pool
- Virtual IP: 100.100.3.10
- Service Type: HTTP
- Click Save
What Happens on the Backend?

Because this is delivered as a service, after completing the creation of the virtual service you will see the service engines being provisioned on vCenter.
From NSX ALB Infrastructure > Service Engine > nsxt-cloud you will see the same thing.
From a topology point of view, the blue Tier-1 will create a static route for VIP 100.100.3.10 towards the specific Service Engine that holds the VIP via the 192.168.255.x VCD LB segment network.
Verifying Service is Up from NSX ALB
From the NSX ALB webUI
- Click on the top left corner menu
- Select Applications
- Go to Virtual Services tab
We should see the corresponding VIP (100.100.3.10) and the Health is Green and the
Verifying Service is Up from VCD Tenant Portal
From the VCD Tenant Portal:
- Select the e-corp-nextgen-paygo on Datacenter tab
- Click on Edges
- Select ecorp-gw
- Click on Virtual Services
We should be able to see the Health is Up
Testing Load Balanced Servers
Once all the Service Engines are up and healthy, we should be able to access the Virtual IP.
- From the browser, go to http://100.100.1.30
- Click on the browser Refresh button
You should see the IP address of the corresponding backend server and a picture (New York City, Singapore or Paris) each time you press Refresh.
View Virtual Service Statistics
Under ecorp-gw:
- Click on the arrow button
We should be able to see the virtual service statistics, just like in the NSX ALB UI itself.