Using OCI Load Balancer to Publish App on OCVS to the Internet

Once you have deployed your workloads on Oracle Cloud VMware Solution, the next important step is for your users to be able to access the application(s) running in your new VMware SDDC on Oracle Cloud Infrastructure.

In my previous post, we discussed the steps you need to perform to connect your OCVS environment to the internet using a NAT Gateway. That connectivity mechanism allows outbound connections from your OCVS cluster.

In this post, we will discuss how you can expose an application to internet users by using an OCI Public Load Balancer attached to a Public Subnet, with the VMs on OCVS as the Backend Servers.

Assumption

It is assumed that a public subnet is already provisioned in your environment and is connected to the internet using an Internet Gateway.

For more information on Internet Gateway and Public Subnet(s), you can review my post about OCI Networking Fundamentals.

Create External Logical Switch

The purpose of this blog is to publish a web application hosted on OCVS to the internet. We will create a separate logical switch for this purpose and will treat it as an external logical switch.

To create the segment, go to NSX Manager > Networking > Segments and click on Add Segment.

We will provide the necessary configuration parameters for the new logical switch:

  • Segment Name: We are using the name “Ext-Web-LS-01”
  • Connected Gateway & Type: Connect the new LS to the existing T1 Router “Tier-1”
  • Transport Zone: This is an Overlay segment so we select the corresponding Transport Zone “Overlay-TZ | Overlay”

The next step in the External Logical Switch creation is the configuration of the Subnet for this segment. We click on Set Subnets and then on ADD SUBNET in the new window. We will configure the chosen IP Range and corresponding Gateway here.

  • Gateway IP/Prefix Length: 192.168.193.1/24

Click on Add and then Apply.

We will deploy and connect the web servers for the application to this newly deployed segment.

Configure OCI Load Balancer

We will now move on to the configuration of the OCI Load Balancer. Since the intent here is to publish the application to the internet, we will be using a Public Load Balancer.

Let’s start by creating a Public Load Balancer. We will use the following initial specifications for our LB.

Step-1 – Provide Initial Load Balancer Details

Once you choose to create a new load balancer, the wizard takes you through the configuration in a step-by-step manner.

We start by providing the basic load balancer details:

  • Load Balancer Name: LB-OCVS-01
  • Choose Visibility Type: Public
  • Assign Public IP Address: Ephemeral IP Address (you can choose a Reserved IP Address if you want to assign and/or reserve a specific public IP Address).

Click on Next.

In the next step, we are asked to provide the backend details:

  • Load Balancing Policy: Weighted Round Robin
  • Backend Servers: We will not add backends in this step, as our web servers are deployed on OCVS. We will create the backend set at a later stage.

We will leave the other settings at their defaults and click on Next.

The next step covers the configuration of the load balancer listener:

  • Listener Name: OCVS-LB-Listener-01
  • Type of Traffic: HTTP
  • Port the listener monitors: 80

The last step is where we configure the relevant logging for the load balancer being created. We will leave all settings at their defaults for now and click on Submit.

Step-2 – Create Backend Set

We skipped the creation of the Backend Set while configuring the Load Balancer, as our backend servers are hosted on the NSX Logical Segment.

We will now create the Backend Set and add our servers to the newly created set.

  • Name: OCVS-Ext-Web-Pool
  • Traffic Distribution Policy: Weighted Round Robin
  • Health Check:
    • Protocol: HTTP
    • URL Path (URI): /

Provide all relevant information and click on Create Backend Set.

Once the backend set has been created successfully, we will proceed with adding Backends to it. To complete this step, we click on the newly created Backend Set and then on Add Backends.

On the Add Backends window, we select the backends by entering IP Addresses, because our backend servers are not OCI VMs but Virtual Machines on OCVS connected to the External Logical Switch in the NSX Overlay. To do so, we click on the IP Addresses option.

Next, we add as many backend servers as required by providing their details, clicking on the +Additional Backend option to add more.

For our purposes, we will be using the following information:

  • IP Addresses: 192.168.193.1, 192.168.193.1
  • Port: 80
  • Weight: 1 (we are using equal weight for both servers)

Verify Routing & Security Rules

In one of my previous blogs, on Establishing Connectivity to VCN Resources from the OCVS environment, we had already configured the relevant route to the entire overlay IP Address space. We will revisit the configuration to verify the route and ensure traffic is correctly forwarded to the backend servers on OCVS.

We have to remember that OCI networking is deny-by-default (least privilege), so access to the Load Balancer VIP and to the backend servers will not be available until security rules are configured, via Security Lists and/or Network Security Groups.

In our case, we have configured security rules according to the following:

  • Access to Public Subnet for LB VIP – Allow HTTP access from all sources
    • Rule Type: Ingress / Stateful
    • Source Type: CIDR
    • Source CIDR: 0.0.0.0/0
    • Protocol: TCP
    • Destination Port: 80
    • This rule will be added to the Security List for the Public Subnet.

  • Access to Overlay Subnet from Public Subnet – Allow HTTP access
    • Rule Type: Ingress / Stateful
    • Source Type: CIDR
    • Source CIDR: Public Subnet
    • Protocol: TCP
    • Destination Port: 80
    • This rule will be added to the NSG attached to the NSX Edge Uplink VLAN.
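To sanity-check the two rules above before relying on the browser test in the next section, here is an added Python example (not from the post) that models them as data, evaluates a flow against them the way OCI does (anything unmatched is denied), and flags any rule on the overlay-facing NSG whose source is wider than the LB subnet. The VCN public subnet 10.0.1.0/24 and the client/LB addresses are constructed values; the overlay segment is the one created earlier.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address plan: the overlay segment is from the post; the public subnet is constructed.
PUBLIC_SUBNET = ipaddress.ip_network("10.0.1.0/24")             # subnet hosting the LB
OVERLAY_WEB_SEGMENT = ipaddress.ip_network("192.168.193.0/24")  # Ext-Web-LS-01


@dataclass(frozen=True)
class IngressRule:
    source: ipaddress.IPv4Network
    protocol: str            # "tcp", "udp", "icmp" or "all"
    dst_port: Optional[int]  # None = any port
    stateful: bool = True    # stateful: replies are allowed without an egress rule


# The two rules from the post, expressed as data.
PUBLIC_SUBNET_SECLIST = [IngressRule(ipaddress.ip_network("0.0.0.0/0"), "tcp", 80)]
EDGE_UPLINK_NSG = [IngressRule(PUBLIC_SUBNET, "tcp", 80)]


def permits(rules, src_ip, protocol, dst_port):
    """True if some ingress rule matches this flow; OCI denies anything unmatched."""
    src = ipaddress.ip_address(src_ip)
    return any(
        src in r.source
        and r.protocol in (protocol, "all")
        and r.dst_port in (dst_port, None)
        for r in rules
    )


def publishing_path_open(client_ip, lb_private_ip):
    """Both hops of the published path: client -> LB VIP, then LB -> overlay backend."""
    return (permits(PUBLIC_SUBNET_SECLIST, client_ip, "tcp", 80)
            and permits(EDGE_UPLINK_NSG, lb_private_ip, "tcp", 80))


def audit_edge_nsg(rules, allowed_source=PUBLIC_SUBNET):
    """Return NSG rules whose source is wider than the LB subnet (overlay exposed directly)."""
    return [r for r in rules if not r.source.subnet_of(allowed_source)]
```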

Test Application Access

Now that we have completed the necessary configuration, it is time to test our setup by accessing the web page hosted on our Web Servers deployed in the OCVS overlay. The access will be achieved via the OCI Public Load Balancer VIP.

The above image shows that the access to the web page was successful. We will now look at the packet walk for this setup.

Traffic Flow

  1. The users will initiate a request to the FQDN mapped to the Virtual IP Address of the OCI Public Load Balancer to access the web application.
  2. The traffic will be received by the OCI Public Load Balancer. The route table for the Public Subnet has a route for the subnet mapped to the External Web Logical Segment we created in NSX-T.
  3. The Load Balancer will take the forwarding decision according to the configured Load Balancing policy and will send the traffic to the chosen web server IP Address.
  4. The traffic is forwarded to the IP Address of the NSX Tier-0 router uplink interface, which is 172.16.0.131 in this case.
  5. The packet will traverse the Tier-0-Tier-1 inter-router link and reach the Tier-1 router, which is connected to the Logical Switch for the required segment.
  6. The packet is forwarded to the relevant web server.
  7. The return traffic is sent by the web server to its default gateway on the Tier-1 router.
  8. The Tier-1-Tier-0 inter-router link is traversed and the Tier-0 router forwards the traffic over its uplink interface to the next hop configured in its routing table.
  9. The next hop is 172.16.0.129 in this case, which is the virtual interface (SVI) of the Uplink VLAN.
  10. The SVI forwards the traffic to the Load Balancer, and from there it is sent back to the user who initiated the request.
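The packet walk above, as an added Python example (not from the post) that models each hop's route table and traces the forward and return paths with longest-prefix lookups. The LB's public subnet 10.0.1.0/24 and the backend/LB addresses used in the trace are constructed values; 192.168.193.0/24, 172.16.0.131 and 172.16.0.129 are the values from the post.

```python
import ipaddress

# Route tables per forwarding hop, modelled on the post's packet walk.
# Next hop None means the destination network is directly connected.
# 10.0.1.0/24 (the LB's public subnet) is constructed; 192.168.193.0/24,
# 172.16.0.131 (Tier-0 uplink) and 172.16.0.129 (Uplink VLAN SVI) are from the post.
ROUTE_TABLES = {
    "public-subnet": [("10.0.1.0/24", None),
                      ("192.168.193.0/24", "172.16.0.131"),
                      ("0.0.0.0/0", "internet-gateway")],
    "tier-0":        [("192.168.193.0/24", "tier-1"),       # inter-router link
                      ("0.0.0.0/0", "172.16.0.129")],
    "tier-1":        [("192.168.193.0/24", None),           # Ext-Web-LS-01 is connected
                      ("0.0.0.0/0", "tier-0")],
    "web-server":    [("192.168.193.0/24", None),
                      ("0.0.0.0/0", "192.168.193.1")],      # default gateway on Tier-1
}
# Which hop owns each next-hop address or link name.
NEXT_HOP_OWNER = {
    "172.16.0.131": "tier-0",
    "172.16.0.129": "public-subnet",
    "192.168.193.1": "tier-1",
    "tier-1": "tier-1",
    "tier-0": "tier-0",
}


def lookup(hop, dst):
    """Longest-prefix match in one hop's table: next hop, or None when connected."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in ROUTE_TABLES[hop]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"{hop}: no route to {dst}")
    return best[1]


def trace(start, dst, max_hops=8):
    """Return the hop-by-hop path from `start` until `dst` is directly connected."""
    path, hop = [start], start
    for _ in range(max_hops):
        next_hop = lookup(hop, dst)
        if next_hop is None:
            return path
        if next_hop == "internet-gateway":
            return path + ["internet-gateway"]
        hop = NEXT_HOP_OWNER[next_hop]
        path.append(hop)
    raise RuntimeError(f"no convergence after {max_hops} hops (routing loop?)")
```

A missing route at any hop surfaces as a LookupError naming that hop, which is the same symptom a broken route table produces in the browser test above.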
