Avi Vantage Integration with VMware Cloud on AWS
This guide describes the details of integrating Avi Vantage with VMware cloud on AWS. Avi Vantage is deployed as a customer-managed solution in VMC.
- Avi Vantage is installed in No Orchestrator mode on VMWare cloud on AWS (VMC).
- The deployment of Service Engines on VMC is manual. Once SE is integrated with Avi Controller, virtual service placement and scaling can be handled centrally from the Avi Controller.
The screenshot shown below depicts a typical Avi Vantage deployment with VMC.
The following are the observations from the above diagram:
For Avi Service Engines
- Avi Service Engines (SEs) are deployed as virtual machines (VMs) on VMC.
- SEs are connected to the logical networks. The following are the two types of logical networks:
- Routed network – over IPsec VPN
- Extended network – over L2 VPN
- The SEs connect to the Avi Controller over the management network, which is the logical network connection to the vNIC0 of the SE VM.
For Avi Controller
- The Avi Controller cluster is dedicated to the VMC environment or is used for load balancing local vCenters.
- Considering the monetary cost of resources on VMC and its ephemeral nature, it is recommended to deploy Avi Controller cluster outside of the VMC environment. However, this is not a restriction.
The following diagram depicts the deployment of Avi Controller cluster and SEs on the VMC infrastructure.
The following are the options currently supported for high availability (in the order of recommendation):
N+M with SE’s in DFW exclusion list (Refer to Manage the Distributed Firewall Exclusion List for more details on distributed firewall exclusion list).
Active/Active with SE’s in DFW exclusion list (Refer to Manage the Distributed Firewall Exclusion List for more details on distributed firewall exclusion list).
Active/standby with MAC masquerade disabled. SNAT is required for this and the default gateway mode is not supported.
SE VMs require manual creation. The lack of automation on VMC is because the firstname.lastname@example.org user does not have all required permissions to read/write to vCenter API and there is no access to the ESX management plane. The access to the ESX management plane is required for Avi automated deployment in on-prem vCenter.
This section covers the following:
- Downloading SE image
- Uploading SE image to Content Library
- Deploying SE VM
Downloading SE Image
Log in to Avi UI as the admin user.
Navigate to Infrastructure > Cloud. Download the SE OVA image using the download icon on the cloud. Use the Default-Cloud or create a new No Orchestrator cloud. Use the following steps to create a new cloud using the No Orchestrator option.
Downloading OVA using the Default-Cloud
Downloading OVA from a No Orchestrator Cloud
Uploading SE Image to Content Library
The downloaded .OVA file is used directly to create an SE VM, but this requires uploading the image to vCenter every time a new VM needs to be created. For faster deployment, the SE image is uploaded to the content library on VMC and can be used multiple times.
Follow the below steps to upload the SE image to the content library.
Login to vCenter and select the option to create a new content library. Provide the name and select the desired vCenter server as shown below.
Select a storage location for the library contents.
Content library accepts .ova and .vmdk files as VM templates. .ova files are treated as general files. Before uploading files to the content libraries,
untarthe .ova file to get .ovf and .vmdk files.
tar -xvf se.ova x se.ovf x se.mf x se-disk1.vmdk
Select the Import Item option available on vSphere client and upload the .ovf and .vmdk files as shown below.
Deploying SE VM
The following data are required for deploying SE VM.
- Avi Controller IP address
Authentication token and cloud UUID. Navigate to Infrastructure > Cloud, select the required cloud, and click on the key icon to the generate cloud UUID and the authentication token as shown below.
- Management IP address, subnet, and subnet mask. This is required only if DHCP is not enabled on management logical network.
Log in to the vSphere client, select the Templates option, and click on the New VM from this template to create a new VM as shown below.
Select a VM location as shown below.
Optional step: Create a new folder under Workloads to place all the SEs.
Click on the Select a compute resource option to select the resource pool for the deployment.
Click on the Select storage option to select the required datastore.
Click on the Select network option to configure the required networks.
The Management network label (vNIC0) is mapped to the management logical network. The remaining network labels (Data Network 1 – 9) is connected to any of the front-end virtual service’s network or back-end server’s logical network as required. It is left disconnected if not required.
Select the Customize template option to create vApp properties. Provide Avi Controller IP address details, the Cluster UUID, and the authentication token as described in the Prerequisites section.
Review and click on Finish.
Powered on the deployed VM.
To check the newly deployed SE, navigate to Infrastructure > Service Engine tab on the Avi UI.
If the SE VMs are switched on but not connected to the Avi Controller, check firewall ports configured on the Compute Gateway option in VMC console. This option is used to allow management traffic from the SE to the Avi Controller.
For more information on the required ports and protocols, refer to Protocol Ports Used by Avi Vantage for Management Communication.
Note: The SEs open TCP connections to the Avi controller, so the firewall rules should allow outgoing traffic. Since the firewall is stateful, the reverse traffic is automatically allowed.
If the Avi Controller is accessed using public IP address (for example, when it is deployed on another VPC on AWS or if Avi SaaS offering is being used), add NAT rules to allow SE traffic over the internet.