INTRODUCTION - ARCHITECTURAL

OVERVIEW
The NSX Advanced Load Balancer (Avi) platform is built on software-defined principles,
enabling a next generation architecture to deliver the flexibility and simplicity expected by
IT and lines of business. The Avi architecture separates the data and control planes to
deliver application services beyond load balancing, such as application analytics,
predictive autoscaling, micro-segmentation, and self-service for app owners in both on-
premises or cloud environments. The platform provides a centrally managed, dynamic pool
of load balancing resources on commodity x86 servers, VMs or containers, to deliver
granular services close to individual applications. This allows network services to scale
near infinitely without the added complexity of managing hundreds of disparate
appliances.

The Avi Controller cluster uses big data analytics to analyze the data and
present actionable insights to administrators on intuitive dashboards on the
Avi Admin Console.
Avi provides out-of-the-box integrations for on-premises or cloud
deployments. These integrations with private cloud frameworks, SDN
controllers, container orchestration platforms, virtualized environments and
public clouds enable turnkey application services and automation.

AVI COMPONENTS
The Avi Platform has three core components Avi Service Engines, Avi Controller cluster,
and Avi Admin Console

SERVICE ENGINE

Avi Service Engines (SEs) handle all data plane operations within Avi platform by
receiving and executing instructions from the Controller. The SEs perform load balancing
and all client- and server-facing network interactions. It collects real-time application
telemetry from application traffic flows. High availability is supported.

In a typical load balancing scenario, a client will communicate with a virtual service,
which is an IP address and port hosted in Avi by an SE. The virtual service internally
passes the connection through a number of profiles. For HTTP traffic, the SE may
terminate and proxy the client TCP connection, terminate SSL, and proxy the HTTP
request. Once the request has been validated, it will be forwarded internally to a pool,
which will choose an available server. A new TCP connection then originates from the SE,
using an IP address of the SE on the internal network as the requests source IP address.
Return traffic takes the same path back. The client communicates exclusively with the
virtual service IP address, not the real server IP.

CONTROLLER
The Avi Controller is a single point of management and control that is the brain of the
entire Avi system, and typically deployed as a redundant three-node cluster. The entire Avi
system is managed through a centralized point (and IP address) regardless of the number
of new applications being load balanced and the number of SEs required to handle the
load. Via its REST API, it provides visibility into all applications configured . Controllers
can automatically create and configure new SEs as new applications are configured via
virtual services (in write access mode deployments).

Controllers continually exchange information securely with the SEs and with one other.
The server health, client connection statistics, and client-request logs collected by the SEs
are regularly offloaded to the Controllers, which share the processing of the logs and
analytics information. The Controllers also send commands down to the SEs, such as
configuration changes. Controllers and SEs communicate over their management IP
addresses.

CONSOLE
The Avi Console is a modern web-based user interface that provides role-based access to
control, manage and monitor applications. Its capabilities are likewise available via the
Avi CLI. All services provided by the platform are available as REST API calls to enable
IT automation, developer self-service, and a variety of third party integrations.
 NSX-ALB PULSE SERVICES
Avi Pulse is a cloud services platform that is built to deliver value add services to
distributed Avi Controller cluster deployments in a SaaS-like model. It provides services
to simplify customers operations and enable friction-less support and services

Avi Pulse has been built with the goal to evolve Avi Vantage from being an on-premises
product to deliver SaaS like experience. It is built to simplify management of globally
distributed Avi deployments and deliver value added services.

Avi Pulse provides advanced support and security services to Avi deployments via the
following features:

 Creating cases and attaching tech support to cases from the Controller, from the UI or using
REST API calls
 Provides automated tech-support attachment to the customer cases
 WAF CRS (Core Rule Set) signatures updates
 IP reputation database updates
 Bot detection
 Centralized licensing

These are optional services that customers can enable on their accounts and the
Controllers. Avi Pulse will deliver enhanced customer experience, provide live security
threat intelligence feed and integrate with customer operations.

The following diagram describes the landscape of Avi Pulse cloud services:
 CENTRALIZED LICENSING
This lab is configured to use Avi Pulse services and has enabled most opt-in features that
are supported. This is especially important for the 2337-03 WAF/Security lab where we
demonstrate Bot Detection.

For more information:

https://www.youtube.com/watch?v=fxeDNAuwaMo

LAB ARCHITECTURE

CLOUD CONNECTOR CONFIGURATION

REVIEW
The goal of this module is to introduce and review the basics of VMware Cloud Connector
configuration. Please use Firefox for the lab exercises.

Clouds are containers for the environment where Avi Service Engines will be operating.
During initial setup of Avi Controller, a default cloud object is always created with name
of Default-Cloud. Additional clouds may be added, containing SEs and virtual services.
For deploying redundant Controllers in a 3-node cluster, all three Controllers must be
deployed in the same cloud.

In the lab scenario, Avi runs on virtual machines (VMs) managed by VMware vCenter.
When deployed into a vCenter-managed VMware cloud, the Avi platform performs as a
fully distributed, virtualized system consisting of the Avi Controller and Avi Service
Engines each running as a VM.

The Avi platform is built on software-defined architectural principles which separate the
data plane and control plane. The product components include:

 Avi Controller (control plane) The Avi Controller stores and manages all policies related to
services and management. Through vCenter, the Avi Controller discovers VMs, data centers,
networks, and hosts. Based on this auto-discovered information, virtual services can quickly be
added using the web interface. To deploy a virtual service, the Avi Controller automatically
selects an ESX server, spins up an Avi SE (described below), and connects it to the correct
networks (port groups).

Note: Avi Controllers need access to the desired ESXi hosts (over port 443) to allow the
Avi Controller-to-vCenter communication.

The Avi Controller can be deployed as a single VM or as a high availability cluster of 3

Avi Controller instances, each running on a separate VM.

 Avi Service Engines (data plane) Each Avi Service Engine runs on its own virtual machine.
The Avi SEs provide the application delivery services to end-user traffic, and also collect real-
time end-to-end metrics for traffic between end-users and applications.

Knowledge base references(s):

 https://avinetworks.com/docs/latest/cloud-vmware/
 https://avinetworks.com/docs/latest/architectural-overview/infrastructure/#clouds

REVIEW CLOUD CONNECTOR

Haga clic para ampliar

Validate the state of existing cloud Default-Cloud

1. Click on the Infrastructure tab
2. Click on Clouds
3. Hover your mouse over the status button.
 EDIT CLOUD - INFRASTRUCTURE

Avi can be deployed with a VMware cloud in either no access or write

access mode. Each mode is associated with different functionality and
automation, and also requires different levels of privileges for Avi
Controller within VMware vCenter. For complete information, refer to
attached knowledge base references.
As you have noticed, VMware Write Access integration requires a few
infrastructure configuration details to be successfully initialized:

 vCenter URL/IP
 vCenter credentials
 vSphere Data Center (Shown on the Datacenter tab)
 Management Network - port group where Avi service engines management nic
will be attached (Shown on the Network tab)

These configuration items are needed for the Avi controller to

communicate with vCenter in order to manage the lifecycle of the service
engine virtual machines.
IPAM and DNS profiles are optional and will be used in the lab to perform
auto-allocation of IPs and FQDNs to Virtual Services.
 1. Write access is the recommended deployment mode. It is the quickest and
easiest way to deploy and offers highest levels of automation between Avi and
vCenter.
2. Click on the Data Center and then the Network tab to review them.

EDIT CLOUD - DATA CENTER

Here we will select the Data Center in vCenter where the Avi service engines will be
created. We can also select some defaults around how the service engines are addressed,
as well as some advanced networking configuration.

1. Click the Network tab to advance to the next section.

EDIT CLOUD - NETWORK

Here we can choose a management port group for the Avi service engines to use for their
management nics. Avi will also create a port group on a standard switch called Avi-
Internal that is used for parking NICs that aren't needed for the current load balancing
configuration. We can also select a template service engine group to use for the
automatically created service engines. This template is an Avi construct, and not the same
as a vSphere template. It allows you to specify things like CPU count, memory, and disk
size.
When Avi Cloud Connector indicates Cloud is ready for Virtual Services placement that
means all prerequisites met to perform the deployment of Avi Service Engines and proceed
with Virtual Services placement.

The Avi Controller interacts with vCenters OVF Manager to spawn an SE VM. The
Controller needs the following access while in write access mode.

 Folders: The Avi Controller creates the SE VM in the default AviSeFolder or a folder the user
specifies. It creates the folder AviSeFolder if it is not present.
 Datastores: The Avi Controller performs the data transfer for the SE VM directly to the ESX
hosts datastore.
 Network: 9 out of 10 vNICs for the SE VM are placed in the Avi Internal portgroup of
vSwitch0. The Avi Internal standard portgroup is created in vSwitch0 of the ESX host. If
vSwitch0 (default standard switch) is not present, then the Avi Controller creates vSwitch0 in
the ESX host.
 vApp: The Avi Controller updates OVF parameters of the SE VM which relate to vApp
functionality.

1. Click the dropdown to examine the populated list of port groups. This list is populated by Avi
polling vCenter for available port groups. Leave VM-RegionA01-vDS-COMP selected.
 ACCESS URL

1. Access the following URL in the next Firefox tab:

https://avicon-01a.corp.local/api/cloud?include_name

NOTE: You can highlight the URL in the manual and drag/drop it in to the Firefox
browser on the Main Console.

As you can observe Avi REST API interface allows to easily access the configuration state
of the cloud component.

To access the runtime state of cloud configuration Inventory API. Inventory APIs bring
together configuration, runtime, health score, alert, and metrics information about objects
under 1 API. While the information provided will not be as complete as making a request
to each specific endpoint, these APIs provide a good snapshot of your objects with 1
request.
 ACCESS CLOUD INVENTORY URL

1. Open another Firefox tab and enter this URL:

https://avicon-01a.corp.local/api/cloud-inventory?include_name

Compare with the previous REST API tab. If you scroll to the bottom, you'll see a section
for status in the cloud-inventory response.

Learn more about Avi REST API interface using built-in

swagger: https://avinetworks.com/docs/latest/openapi-swagger-2-0-specification-
integration/
 REVIEW CLOUD CONNECTOR
CONFIGURATION LEVERAGING AVI
COMMAND LINE INTERFACE
1. From the taskbar, Open Terminal.
2. In terminal, type ssh [email protected]

Type shell at the prompt and log in with the following credentials

Login: admin Password: VMware1!

Type the following to show the cloud configuration for the Default-Cloud:
show cloud Default-Cloud
 SHOW CLOUD STATUS

To see the status, type the following command:

show cloud Default-Cloud status

DISPLAY API DETAILS

Any interaction with Avi Control Plane are based on REST API and Avi Command Line
Interface is not exception. Avi Shell REST API queries can be seen by entering typing:

terminal display_api_details

Then enter:

show cloud Default-Cloud status

As you can observe similar REST API path was used to obtain runtime state of Default-
Cloud as in REST API exercise.

MODULE 1 CONCLUSION
In this module you learned the Day 0 configuration of Avi Cloud Connector which allows
Avi Controller to interface with vCenter and discover all the required resources to
automate Virtual Service placement.

Knowledge base references(s):

 https://avinetworks.com/docs/latest/cloud-vmware/
 https://avinetworks.com/docs/latest/architectural-overview/infrastructure/#clouds
 https://avinetworks.com/docs/latest/vantage-interaction-with-vcenter/