Load Balancing vCloud Director Cells with vShield Edge

Big deployments of vCloud Director should have at least two vCloud Director cells for high availability and load balancing reasons. This implies usage of a load balancer. One can choose either physical box (for example F5) or virtual one (Citrix Netscaler, Riverbed Stingray, Zenloadbalancer, …). With the new release of VMware vCloud Networking and Security (vCNS) which is the successor of VMware vShield it is possible to use the Edge (version 5.1) as a load balancer.

Compared to the old vShield Edge (5.0) there are quite a few enhancements. Besides being able to load balance not only HTTP connection as was the case in the previous versions, load balancing of HTTPS and generic TCP connections is also supported. Additionally the new Edge can have up to 10 network interfaces, can connect to VXLAN networks, provide traffic shaping, relay DNS, create SSL VPN and can scale up to 3 sizes (compact, large, x-large) with statefull active passive high availability.

I am going to describe how to use Edge as a load balancer in front of two vCloud Director cells. The following picture shows my lab network setup.

This is based on quite standard architecture where the vCloud Director cells sit in DMZ zone usually separated by two firewalls from the internet and the management zone. In order to deploy the Edge, vCNS Manager (former vShield Manager) must be deployed first. If two different vCenters are used for management of resource group cluster and management cluster, also two different vCNS Managers must be used as there is 1:1 relationship between the vCenter and vCNS Manager.

Deployment Process

1. Deploy vCNS Manager (OVF virtual appliance), configure and register with management cluster vCenter

2. Either using vSphere Client (use the .NET version as there is no vShield plugin for Web Client available yet) or directly through vCNS Manager web GUI go to Host and Clusters view, select Datacenter and click Network Virtualization tab. Click + icon to add a new Edge.

3. Configure the Edge deployement size, HA, network interfaces (portgroups, IPs and subnets), default firewall policy and placement. In my lab I have used compact size, no HA and two interfaces (INT and EXT as shown in the picture).

4. Once the Edge is deployed (Manager deploys OVF and then with VIX API pushes configurations to the Edge VM), select it and click the gear icon Actions to go to Manage menu.

Before we configure the load balancer we must add additional IP(s) to the external interface. This is vCloud Director requirement as both portal/API and VMware Remote Console (VMRC)  Proxy use the same port 443. I have used the default Edge external IP address for the vCloud Director portal and added a second one for VMRC Proxy. This can be done in Configure tab, interfaces menu.

5. Now we can configure the load balancer. Firstly Pools of real servers must be created and then Virtual Server can be configured.

I have created two pools: VCD_80-443 with two services enabled: HTTP and HTTPS, both using LEAST_CONN Balancing Method on Ports 80 and 443. I have enabled HTTP health check with the default settings on URI /cloud/server_status. The members were the VCD cells with IPs and and respective ports 80 and 443 on each IP.

The second pool:  VMRC_443 has a TCP service with LEAST_CONN Balancing Method and default TCP health check on port 443. The VCD cell IPs and with ports 443 were added.

6. Two Virtual Servers were then created. One for each external IP from step 4. “vcloud” Virtual Server uses VCD_80-443 Pool with external IP address. “VMRC” Virtual Server uses VMRC_443 Pool with external IP address.

7. The configurations must be uploaded to the Edge by clicking the Publish Changes button.

Happy load balancing.

16 thoughts on “Load Balancing vCloud Director Cells with vShield Edge

  1. Hello Tom,

    I am trying to configure that but i cannot enable the SSL_SESSION_ID for the vCloud HTTPS access???
    Do you have any ideas about that?


  2. Hi Tom,

    can you explain why you have used 3 ip’s per vcloud director cell?
    eth0 and eth0:0 are for webinterface and console, i think.
    And the third one?

    Thank you


  3. Hoi To, i don’t see the option the L mode option.
    Do you have change the L mode after the installation of vcns?
    If yes, do you a script for that?

    Thank you very much.

  4. Hi Tom,

    I’ve followed your guide but i’m having issues with VMRC.
    On the vSM UI i don’t see the SSL_SESSION_ID (i believe that is required for the VMRC to work) but on the API the configuration is there.

    I tested the VMRC is working on each cell individually (bypass the LB) using the LB with only one server on the pool also works fine.
    with the 2 cells configure on the LB everything seems to work only if the vcenter proxy is on cell 1, if cell 2 becomes active as vcenter proxy the vmrc doesn’t seem to work.

    Any suggestion how to troubleshoot the from the LB point of view (how to check if the initial connection https is on cell one the vmrc also goes to cell one)


      1. I understand that VMRC is pure socket connection however i believe that we need to ensure if the request to open the console goes to cell one the client connection to the consoleproxy should also be forward to cell one. Am I correct? If so how can accomplish this?



      2. I do not think this is the case. The VMRC connection is stateless. The client gets the from one of the cells the screen ticket with the VMRC external IP address and then gets redirected to any other cell. It is easy to test – I have disabled in the http pool the second cell and in the vmrc cell disabled the first cell. The first cell issued the ticket and second cell opened the console connection.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.