Hello,
I am looking for best practices and guidelines to configure a UDP/514 syslog Load Balancer (LB) VIP on NSX-T.
Guidance along the lines of whether 'in-line' vs. 'one-arm' topology is preferred for it? I am leaning towards one-arm (its own T1, not directly connected with Tier 0, and able to communicate within the same segment/network; no need for SNAT etc.).
High Level Topology would look like:
Client-Sending-Syslog ---> Tier 0 --> Tier 1 --> Tier1-LB-VIP ==> a few syslog servers or "site collectors", which will push all logs to our SIEM. (Logs would include firewall, switches, Windows event collector, etc.) So tons of traffic 24/7.
Since it will be UDP traffic, with no need for stateful or reply-back traffic, are there any benefits of in-line vs. one-arm? Are there traffic congestion or increased latency concerns if we go with 'in-line' rather than 'one-arm'?
Currently on our Tier 0 and Tier 1, only one service is enabled: 'Gateway firewall rules'. Can I configure the LB service on UDP on the same Tier 1, and would it have any impact on current production? Is it better to keep it "clean" and have a new Tier1-LB as a one-arm config of the LB?
Hope it's a fairly popular use-case and someone can assist in guiding me through this!
Thank you.