In this post, I’m going to walk through the configuration of a highly available VMware Platform Services Controller that is being front-ended by an NSX load balancer.

I’ve got both of my lab PSC’s load balanced by an edge appliance. So, I am no longer using a CNAME to point my PSC HA hostname ( to one PSC or the other.

Rather than run routing & load balancing on the same edge, I created a new one (with HA enabled), named



The two (2) VMs that comprise the HA edge are running on different clusters/hosts. I had to vMotion one of them to make it so, as NSX Manager will deploy them to just one place (host, cluster).



This edge has one (1) active uplink NIC, with two (2) IP addresses assigned to it: One for itself (, & one for the PSC load balanced/HA IP (,



I loaded those into DNS – it is important that a pointer aka reverse DNS (IP-to-name) record exist as well.




I enabled load balancing with logging on lb01.



I created a new application profile, so that TCP connections to the PSC’s would persist (“stick”) based on source IP.

Note that I did not choose to offload SSL to the load balancer, as this is not necessary for HA purposes. The KB that covers creating the shared SSL certificate on the PSCs skips the cert passphrase option, and the edge requires that SSL certs it serves be signed.



I am using the one of the health checks that comes out-of-the-box – the default HTTPS monitor – to health-check each PSC. It’s ID is monitor-3.



I have a pool with both PSCs in it, using round-robin real server assignment & monitoring each PSC with the default HTTPS monitor.




And lastly, I have a virtual server, psc-ha, that serves-up the required TCP ports for the PSC service (443, 389, 636, 2012, 2014 & 2020).



To verify that load balancing is working, I used wget on my Mac & on the vCenter server appliance, to see the contents of the redirect info in the index.html file served-up by each PSC.

My Mac was pointed to psc02.



The VCSA was pointed to psc01.



Note that when I was using the CNAME method, I would often get errors when I was re-pointed to the real PSC via DNS resolution (psc-ha -> psc01). The PSC address wouldn’t match the original in the URL field, and often my vCenter logins would error. TLDR; the CNAME method is not optimal.

Now, the URL maintains the proper name after being redirected to the real server.



– Alec Taylor, IVOXY Consulting


Leave a Reply

Your email address will not be published.