VMware User Role for Avi Vantage

Overview

Avi Vantage manages the lifecycle of the load balancer within each cloud. In a VMware cloud with write access, the Controller requires the vCenter URL, username, and password to establish a connection with the vCenter portal. With these credentials, the Controller discovers the vCenter managed objects and builds an internal relation graph from them. As part of load balancer lifecycle management, Avi Service Engines are created, and port groups are added to or removed from their virtual machines.

When a vCenter cloud is deployed, Avi Vantage is not given the root credentials, for security reasons. When the cloud is created in Avi Vantage, the vCenter user is instead assigned specific roles that allow the Controller to manage the load balancer lifecycle. During role configuration on vCenter, the user is mapped to two roles: one applied at the vCenter root level and another at the folder level where the Service Engines are created by the Avi Controller.

The following sections define the privileges for the two roles, AviRole1 and AviRole2, that are assigned to the vCenter user.

Configuring Role Settings

For 6 - 6.5 versions

In the example below, avilab.com is the LDAP domain and avilab.com\hybrid is the user. Log in to VMware vCenter as the hybrid user.

[Screenshot for versions 6 - 6.5]

For 6.7 version

Log in to VMware vCenter as follows:

[Screenshot for version 6.7]

Root Folder Level Role

AviRole1 is the role applied at the root folder level. It allows the assigned user to:

  • Deploy Service Engines in a data center.
  • Create virtual NICs for the Service Engines.
  • Discover all available networks with Read Only access.
  • Discover, with Read Only access, the most suitable host on which to deploy a Service Engine.

To configure the role settings, navigate to Administration > Roles and locate the role named AviRole1.

Apply AviRole1 at the root level of the vCenter object hierarchy so that the Avi Controller can discover vCenter resources.

[Screenshots for versions 6 - 6.5 and 6.7]

Under Privilege > All Privileges, enable privileges in the following categories for this role:
1. Datastore
2. Host network configuration
3. Network
4. Resource
5. Virtual machine configuration
6. vApp import

  1. Navigate to Datastore, expand the list, and select the Allocate space checkbox.

    [Screenshots for versions 6 - 6.5 and 6.7]

  2. Navigate to Host > Configuration, expand the list, and select the Network configuration checkbox.

    [Screenshots for versions 6 - 6.5 and 6.7]

  3. Navigate to Network and select Assign network.

    [Screenshots for versions 6 - 6.5 and 6.7]

  4. Navigate to Resource and select Assign virtual machine to resource pool.

    [Screenshots for versions 6 - 6.5 and 6.7]

  5. Navigate to Virtual machine > Configuration and select the following options:
    • Add new disk
    • Advanced

    [Screenshots for versions 6 - 6.5 and 6.7]

  6. Navigate to vApp and select Import.

    [Screenshots for versions 6 - 6.5 and 6.7]

SE Creation Folder Level Role

AviRole2 is applied at the folder level where the Service Engines are created by the Avi Controller. With this role, the user can perform all operations on Service Engines within that particular folder only and is not allowed to edit any resources outside it.

This role gives the user the datastore, host, and networking privileges needed to create Service Engines.

Under Privilege > All Privileges, enable privileges in the following categories for this role:
1. Datacenter
2. Datastore
3. Distributed switch
4. Host
5. Network, performance, tasks, virtual machine, dvPort group, and vApp

  1. Navigate to Datacenter, expand the list, and select the following checkboxes:
    • Network protocol profile configuration
    • Query IP pool allocation
    • Release IP allocation

    [Screenshots for versions 6 - 6.5 and 6.7]

  2. Navigate to Datastore, expand the list, and select the following checkboxes:
    • Allocate space
    • Browse datastore
    • Configure datastore
    • Low level file operations
    • Remove file
    • Update virtual machine files
    • Update virtual machine metadata

    [Screenshots for versions 6 - 6.5 and 6.7]

  3. Navigate to Distributed switch, expand the list, and select the following checkboxes:
    • Create
    • Host operation
    • Modify
    • Network I/O control operation
    • Policy operation
    • Port configuration operation
    • Port setting operation

    [Screenshots for versions 6 - 6.5 and 6.7]

  4. Navigate to Host, expand the list, and select the following checkboxes:
    • CIM
    • Local operations
    • Inventory
    • Under Configuration, select the following options:
      • Change settings
      • Hyperthreading
      • Image configuration
      • Memory configuration
      • Network configuration
      • Power
      • System Management
      • System resources
      • Virtual machine autostart configuration

    [Screenshots for versions 6 - 6.5 and 6.7]

  5. Enable all privileges under each of the following categories by selecting the category checkbox:
    • Network
    • Performance
    • Tasks
    • Virtual machine
    • dvPort group
    • vApp

    [Screenshots for versions 6 - 6.5 and 6.7]

Assign AviRole2 to the folder defined for Service Engine creation, as shown in the examples below.

For 6 - 6.5 versions

The folder name used in this example is Jenkins-Hybrid-Se.

[Screenshot for versions 6 - 6.5]

For 6.7 version

Assign AviRootRole1 to the folder defined for Service Engine creation. The folder name used in this example is FE-Se.

[Screenshot for version 6.7]

In Avi UI, navigate to Infrastructure > Service Engine Group and enter the folder name from the previous step under the Service Engine Folder field.

[Screenshot: Service Engine Folder field in the Avi UI]
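The two role sections above describe a layout that is easy to get wrong over time: AviRole1 at the root should carry only the listed privileges, and AviRole2 should be bound only on the Service Engine folder. The following script is an added example (not Avi or VMware code) that audits an exported copy of that layout offline. It assumes roles and permissions were exported beforehand, for instance with PowerCLI Get-VIRole and Get-VIPermission, into the plain Python structures shown, and that the privilege IDs listed are the vSphere IDs corresponding to the AviRole1 checkboxes named in the document (an assumption of this example). The sample export at the bottom is constructed.

```python
"""Offline audit of the two-role layout: AviRole1 at the vCenter root with
exactly the documented privileges, AviRole2 only on the Service Engine folder.

Added example, not Avi or VMware code. No live vCenter is contacted; the input
is an exported snapshot of roles and permissions.
"""

# Assumed vSphere privilege IDs for the AviRole1 checkboxes (Datastore >
# Allocate space, Host > Configuration > Network configuration, Network >
# Assign network, Resource > Assign virtual machine to resource pool,
# Virtual machine > Configuration > Add new disk / Advanced, vApp > Import).
AVI_ROLE1_EXPECTED = frozenset({
    "Datastore.AllocateSpace",
    "Host.Config.Network",
    "Network.Assign",
    "Resource.AssignVMToPool",
    "VirtualMachine.Config.AddNewDisk",
    "VirtualMachine.Config.AdvancedConfig",
    "VApp.Import",
})

# vCenter attaches these read-only privileges to every role; they are not drift.
IMPLICIT_PRIVILEGES = frozenset({"System.Anonymous", "System.Read", "System.View"})


def audit_role(granted, expected=AVI_ROLE1_EXPECTED):
    """Return (missing, excess) privilege IDs for a role.

    Excess is the security-relevant finding: because AviRole1 sits at the root
    of the inventory, every privilege added to it applies to every object in
    vCenter, not just to Service Engines.
    """
    granted = set(granted) - IMPLICIT_PRIVILEGES
    return sorted(expected - granted), sorted(granted - expected)


def audit_permissions(permissions, avi_user, se_folder):
    """Check where the Avi user's permissions are bound.

    permissions: dicts with keys entity (inventory path), principal, role and
    propagate, mirroring a vCenter permission. Returns a list of findings;
    an empty list means the layout matches the document.
    """
    findings = []
    mine = [p for p in permissions if p["principal"].lower() == avi_user.lower()]
    bound = {p["entity"] for p in mine}
    if "/" not in bound:
        findings.append("no root-level permission for %s" % avi_user)
    if se_folder not in bound:
        findings.append("no permission on SE folder %s" % se_folder)
    for p in mine:
        if p["entity"] == "/":
            if p["role"] != "AviRole1":
                findings.append("root-level permission uses %s, expected AviRole1" % p["role"])
        elif p["entity"] == se_folder:
            if p["role"] != "AviRole2":
                findings.append("SE folder permission uses %s, expected AviRole2" % p["role"])
        else:
            # Any binding outside the two documented scopes widens what the
            # service account can touch beyond the Service Engine folder.
            findings.append("unexpected scope %s bound with %s" % (p["entity"], p["role"]))
    return findings


# Constructed sample export: AviRole1 carries one privilege the document does
# not list, and AviRole2 has also been bound to a second, unrelated folder.
SAMPLE_ROLES = {
    "AviRole1": [
        "System.Anonymous", "System.Read", "System.View",
        "Datastore.AllocateSpace", "Host.Config.Network", "Network.Assign",
        "Resource.AssignVMToPool", "VirtualMachine.Config.AddNewDisk",
        "VirtualMachine.Config.AdvancedConfig", "VApp.Import",
        "VirtualMachine.Interact.PowerOff",  # drift beyond the documented set
    ],
}
AVI_USER = "avilab.com\\hybrid"
SE_FOLDER = "/DC1/vm/Jenkins-Hybrid-Se"
SAMPLE_PERMISSIONS = [
    {"entity": "/", "principal": AVI_USER, "role": "AviRole1", "propagate": True},
    {"entity": SE_FOLDER, "principal": AVI_USER, "role": "AviRole2", "propagate": True},
    {"entity": "/DC1/vm/Production", "principal": AVI_USER, "role": "AviRole2", "propagate": True},
]

if __name__ == "__main__":
    missing, excess = audit_role(SAMPLE_ROLES["AviRole1"])
    print("AviRole1 missing:", missing, "excess:", excess)
    for finding in audit_permissions(SAMPLE_PERMISSIONS, AVI_USER, SE_FOLDER):
        print("finding:", finding)
```

Run periodically against a fresh export, the script reports privilege drift on the root-level role and any binding of AviRole2 outside the Service Engine folder; the privilege set for AviRole2 is large, so the check for it is scope, not content.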

Displaying vCenter Information

The following examples show the Avi Controller CLI commands used to display the vCenter inventory information discovered by the Controller:

[admin:jenkins-hybrid-controller]: > show vinfra vcenter 10.1.1.1-SantaClara datastores
+---------------+-----------------------------------------------------+
| Field         | Value                                               |
+---------------+-----------------------------------------------------+
| datacenter    | datacenter-2-cloud-81cxxxxx-5bxx-46xx-89xx-5fexxxxx |
+---------------+-----------------------------------------------------+

[admin:jenkins-hybrid-controller]: > show vinfra vcenter 10.1.1.1-SantaClara redis
+-----------------------+----------------------------+----------+
| Name                  | Inventory State            | Progress |
+-----------------------+----------------------------+----------+
| 10.10.2.11-SantaClara | VCENTER_DISCOVERY_COMPLETE | 100      |
| 10.10.2.5-SantaClara  | VCENTER_DISCOVERY_COMPLETE | 100      |
+-----------------------+----------------------------+----------+

[admin:jenkins-hybrid-controller]: > show vinfra vcenter 10.1.1.1-SantaClara hostresources
+---------------------+-------------------+------------+--------+---------+------------+
| Name                | Managed Object Id | Host Scale | Num Se | Se Fail | Se Success |
+---------------------+-------------------+------------+--------+---------+------------+
| 10.160.5.23         | host-603          | 2558       | -      | -       | -          |
| 10.160.5.24         | host-588          | 1217       | -      | -       | -          |
| cum-esx-9.avi.local | host-5526         | 431        | -      | -       | -          |
| cum-esx-8.avi.local | host-5513         | 543        | -      | -       | -          |
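The table output above is what an operator reads by hand; a monitoring job can parse the same text and alert when vCenter discovery for any entry has not completed, which is usually the first symptom of a role or permission that was set too narrowly. The parser below is an added example, not Avi code. It assumes the CLI output was captured to a text file and that an entry is healthy only when its Inventory State is VCENTER_DISCOVERY_COMPLETE with Progress 100, as in the output shown; the third row of the sample, including its state value, is constructed for the example.

```python
"""Parse 'show vinfra vcenter ...' table output from the Avi Controller CLI
and flag entries whose vCenter discovery has not completed.

Added example, not Avi code. Works on captured text only.
"""

COMPLETE_STATE = "VCENTER_DISCOVERY_COMPLETE"


def parse_cli_table(text):
    """Turn one ASCII table (|-delimited cells, +---+ borders) into dicts.

    Lines that do not start with '|' (borders, the CLI prompt and the command
    itself) are skipped; the first '|' line is taken as the header row.
    """
    header, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def discovery_gaps(rows):
    """Return the names of entries that are not fully discovered."""
    return [r["Name"] for r in rows
            if r.get("Inventory State") != COMPLETE_STATE or r.get("Progress") != "100"]


# Constructed sample: the two rows from the document plus a third, made-up
# entry whose state name and progress value are invented to exercise the check.
SAMPLE_REDIS_OUTPUT = """\
[admin:jenkins-hybrid-controller]: > show vinfra vcenter 10.1.1.1-SantaClara redis
+-----------------------+----------------------------+----------+
| Name                  | Inventory State            | Progress |
+-----------------------+----------------------------+----------+
| 10.10.2.11-SantaClara | VCENTER_DISCOVERY_COMPLETE | 100      |
| 10.10.2.5-SantaClara  | VCENTER_DISCOVERY_COMPLETE | 100      |
| 10.10.2.9-SantaClara  | VCENTER_DISCOVERY_PENDING  | 35       |
+-----------------------+----------------------------+----------+
"""

if __name__ == "__main__":
    rows = parse_cli_table(SAMPLE_REDIS_OUTPUT)
    print("parsed %d rows; incomplete: %s" % (len(rows), discovery_gaps(rows)))
```

The same parser handles the hostresources table, where the Num Se, Se Fail and Se Success columns contain "-" until Service Engines have been placed, so a second check can be layered on it without changing the parsing.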