Configuring NSX-T loadbalancer – one-arm loadbalancing deployment mode

In this blog, we are going to discuss one-arm load balancing mode in NSX-T.

In one-arm mode, the load balancer is not in the traffic path between the client and the server. In
this mode, the client and the server can be anywhere. The load balancer performs Source NAT
(SNAT) to force return traffic from the server destined to the client to go through the load
balancer. This topology requires virtual server SNAT to be enabled.

Setting this up in NSX-T requires much more configuration than a traditional setup.

For a one-arm configuration you need to deploy a Tier 1 gateway which is not connected to a Tier 0 gateway. This allows the standalone Tier 1 to be connected to the same network segment and act like an appliance. We need to configure a service interface to connect it to the same segment where our pools exist, and if we want to send traffic outbound we need a static route to the existing Tier 1 gateway which is connected to the Tier 0 gateway.

Let’s look at the step-by-step configuration.

1.) Create a standalone Tier 1 gateway and allocate an edge cluster to it. In this screenshot you can see I have created the “one-ArmLB” T1 and allocated the edge cluster “EdgePod” to it. In the next steps we will add this Tier 1 gateway to the load balancer.

2.) In this step, go ahead and create a service interface. Expand Service Interface and, in the add interface wizard, assign an IP address to this interface and connect it to the same segment where the pools exist (in my case it is “web-segment”).

3.) Now, expand static routes and add a static route in the wizard. This makes sure that your standalone Tier1 sends outbound traffic to the existing Tier1 gateway. So, here add static route as and next hop is ( which is gateway of existing Tier1 and connected to Tier0)

4.) Under Route Advertisement, make sure that the two routes below have been enabled.

5.) Go to Networking > Load Balancing > Load Balancer and add a load balancer.

6.) You need to add a virtual server. I have added an L7 HTTP VS with IP address. Please make sure the VS IP address is in the same subnet as the pools.

Please ignore the degraded state of the VS: out of three servers, one is not responding, but we can test with two pool members.

7.) In server pools, the algorithm is set to Round Robin and the members to web-workload; in the back end, web-workload consists of two active servers. Make sure to set the SNAT translation mode to “Automap”, and choose any one of the active monitors; I have selected the http active monitor.

8.) Now, it is time to test the configuration. Below are the screenshots of my web servers webvm and webvm2 attached to segment web-ls.

9.) From my test machine, which is outside of the NSX domain, I am trying to reach my load balancer IP address. In this step you can see that I am able to load balance between webvm2 and webvm.

As mentioned above, in a one-arm configuration all the LB traffic between the client and the web pool goes through the load balancer because we are using SNAT. You can have the client anywhere, whether outside or inside the NSX domain. It depends on the use case.
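
A pre-flight check of the addressing planned in steps 2, 3, 6 and 7, as an added example that is not part of the original post or of any NSX-T tooling. The dictionary keys are hypothetical names (not NSX-T API fields), the 192.0.2.0/24 addresses are constructed, and the next hop is assumed to be the segment's gateway on the existing Tier 1.

```python
import ipaddress

def check_one_arm(cfg):
    """Return a list of problems in a planned one-arm LB layout (empty list = OK)."""
    problems = []
    # Step 2: service interface of the standalone Tier 1, in CIDR form.
    iface = ipaddress.ip_interface(cfg["service_interface"])
    net = iface.network

    # Step 6: the virtual server IP must be in the same subnet as the pool.
    vip = ipaddress.ip_address(cfg["virtual_server_ip"])
    if vip not in net:
        problems.append(f"VS IP {vip} is outside segment subnet {net}")
    for member in cfg["pool_members"]:
        if ipaddress.ip_address(member) not in net:
            problems.append(f"pool member {member} is outside segment subnet {net}")

    # Step 7: without SNAT the servers answer the client directly,
    # so the return traffic never passes through the load balancer.
    if cfg.get("snat_mode") != "automap":
        problems.append("SNAT is not Automap; return traffic bypasses the load balancer")

    # Step 3: the static route's next hop has to be directly reachable
    # from the service interface and must not be the interface itself.
    hop = ipaddress.ip_address(cfg["static_route_next_hop"])
    if hop not in net:
        problems.append(f"next hop {hop} is not on segment subnet {net}")
    elif hop == iface.ip:
        problems.append("next hop is the service interface's own address")
    return problems

# Constructed sample plan (documentation address range, not from the post).
PLAN = {
    "service_interface": "192.0.2.5/24",
    "static_route_next_hop": "192.0.2.1",
    "virtual_server_ip": "192.0.2.10",
    "pool_members": ["192.0.2.21", "192.0.2.22"],
    "snat_mode": "automap",
}

if __name__ == "__main__":
    for line in check_one_arm(PLAN) or ["plan is consistent"]:
        print(line)
```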

Thank you and happy learning!