VMware User Role for Avi Vantage

Overview

Avi Vantage manages the lifecycle of the load balancer within each cloud. In a VMware write-access cloud, the Controller requires the vCenter URL, username, and password to establish a connection with the vCenter portal. With these credentials, the Controller discovers the vCenter managed objects and builds an internal relationship graph. As part of load balancer lifecycle management, Avi Service Engines are created and port groups are added to and (or) removed from the virtual machines.

When deploying a vCenter cloud, Avi Vantage is not given the vCenter root credentials, for security reasons. Instead, when the cloud is created in Avi Vantage, the vCenter user is assigned roles that allow the Controller to manage the load balancer lifecycle. The user is mapped to two roles during role configuration on vCenter: one is applied at the vCenter root level and the other at the folder level where the Avi Controller creates the Service Engines.

The following sections define the privileges for the two roles, AviRole1 and AviRole2, that are assigned to the vCenter user.

Configuring Role Settings

In the example below, avilab.com is part of the LDAP domain and avilab.com\hybrid is the user. Log in to VMware vCenter as the hybrid user.

Root Folder Level Role

AviRole1 is the role applied at the root folder level. It allows the assigned user to:

  • Deploy a Service Engine in a data center.
  • Create a virtual NIC for the Service Engine.
  • Discover all available networks (read-only access).
  • Discover the best possible host on which to deploy the Service Engine (read-only access).

To configure the role settings, navigate to Administration > Roles and locate the role named AviRole1.

Apply AviRole1 at the root level of the vCenter object hierarchy so that the Avi Controller can discover vCenter resources.

Under Privilege > All Privileges, grant the following privileges to this role:
1. Datastore settings
2. Network configuration
3. Resource
4. Virtual machine configuration
5. vApp import

  1. Navigate to Datastore. Expand the list and click on the checkbox for Allocate space.

  2. Navigate to Host and select Configuration. Expand the list and click on the checkbox for Network configuration.

    Navigate to Network and select Assign network.

  3. Navigate to Resource and select Assign virtual machine to resource pool.

  4. Navigate to Virtual machine > Configuration and select the following options:

    • Add new disk
    • Advanced

  5. Navigate to vApp and select Import.

SE Creation Folder Level Role

AviRole2 is applied at the folder level where the Avi Controller creates the Service Engines. With this role, the user can perform all operations on Service Engines within that folder but cannot modify any resource outside it.

This role is required for the user to access the datastore, host, and networking settings that allow creating the Service Engine.

Under Privilege > All Privileges, grant the following privileges to this role:
1. Datacenter settings
2. Datastore settings
3. Distributed switch configuration
4. Host configuration
5. Network, performance, virtual machine, and vApp import settings

  1. Navigate to Datacenter. Expand the list and click on the checkbox for:
    • Network protocol profile configuration
    • Query IP pool allocation
    • Release IP allocation

  2. Navigate to Datastore. Expand the list and click on the checkbox for:
    • Allocate space
    • Browse datastore
    • Configure datastore
    • Low level file operations
    • Remove file
    • Update virtual machine files
    • Update virtual machine metadata

  3. Navigate to Distributed switch. Expand the list and click on the checkbox for:
    • Create
    • Host operation
    • Modify
    • Network I/O control operation
    • Policy operation
    • Post configuration operation
    • Port setting operation

  4. Navigate to Host. Expand the list and click on the checkbox for:
    • CIM
    • Local operations
    • Inventory
    • Under Configuration, select the following options:
      • Change settings
      • Hyperthreading
      • Image configuration
      • Memory configuration
      • Network configuration
      • Power
      • System Management
      • System resources
      • Virtual machine autostart configuration

  5. Select the checkbox to enable all parameters under the following categories:

    • Network
    • Performance
    • Tasks
    • Virtual machine
    • dvPort group
    • vApp
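
A least-privilege check for the two roles defined above, as an added example that is not Avi or VMware code: it compares the privileges a role actually carries with the sets this page requires and reports what is missing (Controller operations that will fail) and what is extra (over-privilege, which matters most for AviRole1 because it sits at the vCenter root). The privilege IDs are assumed vSphere privilege IDs matching the page's UI labels, the AviRole2 set covers only the Datacenter and Datastore items, and the input is the name/privilege pairs you would read from pyVmomi's AuthorizationManager.roleList.

```python
from typing import Dict, FrozenSet, List

# Every vSphere role implicitly carries these three; they are not an over-privilege.
IMPLICIT = frozenset({"System.Anonymous", "System.Read", "System.View"})

# vSphere privilege IDs assumed to correspond to the UI labels on this page.
REQUIRED: Dict[str, FrozenSet[str]] = {
    # AviRole1 is applied at the vCenter root, so anything beyond this set is over-privilege.
    "AviRole1": frozenset({
        "Datastore.AllocateSpace",               # Datastore > Allocate space
        "Host.Config.Network",                   # Host > Configuration > Network configuration
        "Network.Assign",                        # Network > Assign network
        "Resource.AssignVMToPool",               # Resource > Assign virtual machine to resource pool
        "VirtualMachine.Config.AddNewDisk",      # Virtual machine > Configuration > Add new disk
        "VirtualMachine.Config.AdvancedConfig",  # Virtual machine > Configuration > Advanced
        "VApp.Import",                           # vApp > Import
    }),
    # AviRole2 (SE folder only): only the Datacenter and Datastore privileges from the page;
    # its remaining categories are not enumerated in this example.
    "AviRole2": frozenset({
        "Datacenter.IpPoolConfig", "Datacenter.IpPoolQueryAllocations",
        "Datacenter.IpPoolReleaseIp", "Datastore.AllocateSpace", "Datastore.Browse",
        "Datastore.Config", "Datastore.FileManagement", "Datastore.DeleteFile",
        "Datastore.UpdateVirtualMachineFiles", "Datastore.UpdateVirtualMachineMetadata",
    }),
}

def audit_role(granted: List[str], required: FrozenSet[str]) -> Dict[str, List[str]]:
    """Compare one role's privilege list (e.g. role.privilege from pyVmomi) with its required set."""
    have = set(granted) - IMPLICIT
    return {"missing": sorted(required - have),  # Controller operations that would fail
            "extra": sorted(have - required)}    # over-privilege to remove from the role

def audit_roles(vcenter_roles: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """vcenter_roles maps role name -> privilege IDs; an absent role is reported as fully missing."""
    return {name: audit_role(vcenter_roles.get(name, []), req) for name, req in REQUIRED.items()}

# Constructed sample: AviRole1 lacks vApp import and carries an unrelated power-on right.
SAMPLE_ROLES = {
    "AviRole1": sorted(IMPLICIT) + ["Datastore.AllocateSpace", "Host.Config.Network",
                                    "Network.Assign", "Resource.AssignVMToPool",
                                    "VirtualMachine.Config.AddNewDisk",
                                    "VirtualMachine.Config.AdvancedConfig",
                                    "VirtualMachine.Interact.PowerOn"],
    "AviRole2": sorted(IMPLICIT) + sorted(REQUIRED["AviRole2"]),
}
```

Run audit_roles(SAMPLE_ROLES) to see the sample findings; an empty "missing" and "extra" list for both roles is the target state after following the steps above.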

Assign AviRole2 to the folder defined for Service Engine creation. The folder name used in this example is Jenkins-Hybrid-Se.

In the Avi UI, navigate to Infrastructure > Service Engine Group and enter the folder name from the previous step in the Service Engine Folder field.

Displaying vCenter Information

The following examples show the Avi Controller CLI commands that display vCenter information:

[admin:jenkins-hybrid-controller]: > show vinfra vcenter 10.1.1.1-SantaClara datastores
+---------------+-----------------------------------------------------+
| Field         | Value                                               |
+---------------+-----------------------------------------------------+
| datacenter    | datacenter-2-cloud-81cxxxxx-5bxx-46xx-89xx-5fexxxxx |
+---------------+-----------------------------------------------------+

[admin:jenkins-hybrid-controller]: > show vinfra vcenter 10.1.1.1-SantaClara redis
+-----------------------+----------------------------+----------+
| Name                  | Inventory State            | Progress |
+-----------------------+----------------------------+----------+
| 10.10.2.11-SantaClara | VCENTER_DISCOVERY_COMPLETE | 100      |
| 10.10.2.5-SantaClara  | VCENTER_DISCOVERY_COMPLETE | 100      |
+-----------------------+----------------------------+----------+

[admin:jenkins-hybrid-controller]: > show vinfra vcenter 10.1.1.1-SantaClara hostresources
+---------------------+-------------------+------------+--------+---------+------------+
| Name                | Managed Object Id | Host Scale | Num Se | Se Fail | Se Success |
+---------------------+-------------------+------------+--------+---------+------------+
| 10.160.5.23         | host-603          | 2558       | -      | -       | -          |
| 10.160.5.24         | host-588          | 1217       | -      | -       | -          |
| cum-esx-9.avi.local | host-5526         | 431        | -      | -       | -          |
| cum-esx-8.avi.local | host-5513         | 543        | -      | -       | -          |