Notes on NSX Edge Gateway Services

Here are my course notes from the VCP6-NV v6.2 Course touching on VMware NSX Edge Gateway Services. I've got two more chapters of hand notes to clean up and post in hopes it will assist someone else as it did me.


7.1 NSX Edge Gateway Services

  • DHCP, VPN, NAT, routing and load balancing
  • Near real time service
  • Support for dynamic service differentiation per tenant or app
    • NAT (RFC 2663)
      • An IP address in the packet header is replaced
      • In source NAT the source IP is replaced by another IP
      • In destination NAT the destination IP is replaced by another IP

7.2 NSX Edge Load balancing

  • Load sharing along multiple backend servers
  • Improved app availability
  • Improved scalability
  • Used to balance
    • Virtual IP
    • Server pool
    • Server monitor
    • Application profile
    • 64 to 1024 per edge IP support
  • One-arm LB
    • On same segment as web server to be load balanced
    • Simple to deploy
    • Downside: requires more Edge instances and mandates source NAT, so servers in the DC have no visibility of the original client IP
    • Doesn’t preserve client IP
  • Inline LB
    • Performs only DNAT
    • Servers have visibility of the original client IP
    • Client IP is preserved
    • VMs use the Edge gateway as their default gateway
  • L4: NSX Edge uses the faster L4 engine; L4 VIPs are processed before the Edge firewall
  • L7 VIPs are processed after the Edge firewall
  • Supports existing load balancers from 3rd party
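
The one-arm versus inline difference above, as a small added model (not course or VMware code): one-arm applies SNAT and DNAT, inline applies DNAT only, and the model shows why only inline keeps the client IP and why inline servers must default-route via the Edge. All addresses are constructed.

```python
# Added example: models how the NSX Edge load balancer rewrites headers in
# one-arm mode (SNAT + DNAT) and inline mode (DNAT only). Addresses constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

VIP = "203.0.113.10"        # virtual IP configured on the Edge (constructed)
EDGE_IP = "10.0.0.1"        # Edge interface on the server segment (constructed)
POOL = ["10.0.0.11", "10.0.0.12"]  # backend server pool (constructed)

def pick_server(pkt: Packet) -> str:
    """Deterministic stand-in for the pool scheduler: key on the client's last octet."""
    return POOL[int(pkt.src.rsplit(".", 1)[1]) % len(POOL)]

def one_arm_lb(pkt: Packet) -> Packet:
    """One-arm: DNAT to the chosen server AND SNAT to the Edge's own IP,
    so the server replies to the Edge. The client IP is not preserved."""
    return Packet(src=EDGE_IP, dst=pick_server(pkt))

def inline_lb(pkt: Packet) -> Packet:
    """Inline: DNAT only. The server sees the real client IP, so the reply
    must be routed back through the Edge to be un-NATed."""
    return Packet(src=pkt.src, dst=pick_server(pkt))

def server_sees_client(mode, client_ip: str) -> bool:
    """True if the backend receives the original client IP as source."""
    return mode(Packet(src=client_ip, dst=VIP)).src == client_ip

def reply_reaches_client(mode, client_ip: str, server_default_gw: str) -> bool:
    """Model the return path. In one-arm mode the reply is addressed to the Edge
    and always gets there. In inline mode the reply is addressed to the client,
    so it only passes the Edge (and gets its source rewritten back to the VIP)
    if the server's default gateway is the Edge; otherwise the client receives
    a packet from the server's real IP and discards it."""
    fwd = mode(Packet(src=client_ip, dst=VIP))
    reply = Packet(src=fwd.dst, dst=fwd.src)
    if reply.dst == EDGE_IP:
        return True
    return server_default_gw == EDGE_IP
```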

7.3 NSX Edge HA

  • Can be deployed in pairs
  • Placed on different hosts and anti affinity rules are created by default
  • All Edge services run on the active node
  • Status updates are sent to the standby via an internal interface
  • Failover timer: 15 sec by default, 6 sec minimum
  • CLI check: show service highavailability
  • Load balancer and VPN sessions must reconnect after failover
  • NSX Edge stateful Active-Standby
    • Forwarding information base
    • NAT VIO and VPN are preserved

7.4 NSX Edge VPN Services

  • L2VPN
    • SSL based
    • Web proxy support
    • L2 bridge to cloud
    • Cloud onboarding, cloud bursting and DC migration
    • Listens to port 443 by default
    • Requires a trunk and an uplink at both the local and the client's site
    • Max 200 subnets
  • IPSecVPN
    • Interoperable
    • 3DES, AES-128, AES-256
    • 2gbps per tenant
    • Allows unicast traffic
    • 64 tunnels
    • Across max 10 sites
    • Uses IKE (UDP/500)
    • IKE Phases
      • P1 – mutual authentication, negotiate crypto parameters, and create session keys
      • P2 – negotiates tunnel by creating key material for the tunnel to use, either by using the IKE phase 1 keys as a base or creating a new key exchange
    • Encapsulating security payload (ESP)
      • Confidentiality
      • Data origin authentication
  • SSL VPN Plus
    • Supports clients on all major OS
    • Remote authentication via AD, RSA SecurID, LDAP and RADIUS
    • Allows TCP acceleration
    • 3DES, AES-128, AES-256
    • Network and web access mode
