Protect a specific URL using NSX Edge Services Gateway Load Balancer

The NSX Edge Load Balancer L7 Engine is based on HAProxy (an open-source load balancer); for this reason you can leverage the HAProxy Access Control List (ACL) capabilities to manage access to your applications.
In this article I show how a specific URL can be easily protected based on source IP address.

The goal of this exercise is to configure the NSX Load Balancer to serve a Public Application to all IP addresses, but to grant access to a specific application section (let’s pretend it’s a reserved area, not already protected by any form of authentication or segregation) only to a specific IP address.

The configuration I’ll use is the following:

  • The jumphost I use to manage my lab infrastructure: IP address
  • The Load Balancer VIP configured on the Edge Gateway: IP address
  • The Web Servers I’m balancing: IP addresses and I use an Inline Load Balancer configuration.

The Load Balancer Pool is configured with the two Web Servers.
Web Servers are configured to listen on Port 80 – http.

Leveraging HAProxy ACLs, I create an Application Rule:

“src” is self-explanatory: it is the source IP address I want to allow.
“path_beg -i” tells the Load Balancer to match any URL whose path begins with /cgi-bin, ignoring case.
“block” instructs the Load Balancer on what to block. In this case, any request for the protected URL (protected_page) that comes from an address other than the trusted IP (!trusted_ip) is blocked.
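
The logic of the rule described above can be checked offline before it is applied to the Virtual Server. The following Python model is an added example, not the author's rule or NSX/HAProxy code: the rule text is reconstructed from the description, it parses only the three directives discussed here, and 192.0.2.10 and 198.51.100.7 are placeholder addresses.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed rule text. ACL names and /cgi-bin follow the article's description;
# 192.0.2.10 is a placeholder for the trusted jumphost address (assumption).
RULE = """\
acl trusted_ip src 192.0.2.10
acl protected_page path_beg -i /cgi-bin
block if protected_page !trusted_ip
"""

def parse(rule_text):
    """Parse the subset of HAProxy syntax used above into (acls, block_terms)."""
    acls, block_terms = {}, []
    for line in rule_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) > 3 and tok[2] == "src":
            nets = [ipaddress.ip_network(a, strict=False) for a in tok[3:]]
            acls[tok[1]] = lambda req, nets=nets: any(
                ipaddress.ip_address(req["src"]) in n for n in nets)
        elif tok[0] == "acl" and len(tok) > 3 and tok[2] == "path_beg":
            icase = "-i" in tok[3:]
            prefixes = [p.lower() if icase else p for p in tok[3:] if p != "-i"]
            def match(req, prefixes=prefixes, icase=icase):
                path = urlsplit(req["url"]).path  # path only, query string excluded
                path = path.lower() if icase else path
                return any(path.startswith(p) for p in prefixes)
            acls[tok[1]] = match
        elif tok[:2] == ["block", "if"]:
            block_terms = tok[2:]
        else:
            raise ValueError(f"unsupported rule line: {line!r}")
    return acls, block_terms

def is_blocked(rule_text, src, url):
    """True when the block condition holds: all terms ANDed, '!' negates a term."""
    acls, terms = parse(rule_text)
    req = {"src": src, "url": url}
    return bool(terms) and all(
        not acls[t[1:]](req) if t.startswith("!") else acls[t](req) for t in terms)

if __name__ == "__main__":
    # Constructed requests mirroring the article's three tests.
    for src, url in [("192.0.2.10", "/index.html"), ("192.0.2.10", "/cgi-bin/status"),
                     ("198.51.100.7", "/index.html"), ("198.51.100.7", "/CGI-BIN/status?x=1")]:
        print(src, url, "blocked" if is_blocked(RULE, src, url) else "allowed")
```

Because path_beg is a prefix test on the request path, the rule covers only paths that start with /cgi-bin; the same content published under any other path is not covered by it.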

The Application Rule, once created, is applied to the Virtual Server configured with VIP
The Virtual Server is configured to listen on Port 443 – https.

The Public URL of my Web Application is
The Private URL of my Web Application is
In the following section I show the results of the test accessing the Application sections from different sources.

  1. Access from my jumphost with IP to the Public URL of the application. Expected result: success.

    Result: Success.
  2. Access from my jumphost with IP to the Protected URL of the application. Expected result: success.

    Result: success.
  3. I have used curl on a Linux client to test access to Public and Protected URL from a different IP address. The IP address is shown in the screenshot.
    Expected result accessing the Public URL: success.
    Expected result accessing the Protected URL: failure.

    Access to Public URL successful.
    Access to Protected URL unsuccessful.

All the tests worked as expected, and I achieved my goal of protecting access to a specific application URL.
