Networking Design for Avi Vantage Platform

Overview

The network design for the Avi Vantage Platform provides two types of connectivity: management connectivity between the Avi Controllers and the Avi Service Engines, and data IP connectivity for the Avi Service Engines to serve application traffic.

The following table summarizes the design decisions for the networking design of the Avi Vantage Platform:

AVI-VI-VC-003
  Design Decision: Deploy the Avi Controller Cluster Nodes on the VMware Cloud Foundation Management Network.
  Design Justification: This network carries all traffic sourced from and destined to the Avi Controller Cluster Nodes: administrative tasks, connectivity to the Avi Service Engines and connectivity to network services.
  Design Implication: Placing all three Avi Controller Cluster Nodes on the same network allows a floating cluster VIP to be configured: a single IP address that is assigned to the cluster leader.

AVI-VI-VC-004
  Design Decision: Deploy the Avi Service Engines management vNIC on an Overlay Segment attached to a Tier-1 router on NSX.
  Design Justification: This is required to configure the Avi Controller NSX-T Cloud Connector.
  Note: This Overlay Segment must have IP connectivity to the management IP address of each Avi Controller.
  Design Implication: Without this segment, the NSX-T Cloud Connector cannot be used to deploy Avi Service Engines.

AVI-VI-VC-005
  Design Decision: Configure one or more data networks for the Avi Service Engines to serve application traffic.
  Note: Each data network must be an Overlay Segment attached to its own Tier-1 router.
  Design Justification: The Avi Service Engines require an overlay data network attached to a Tier-1 router to reach the load-balanced applications and to run the associated application health monitors.
  Design Implication: Without such data networks, the NSX-T Cloud Connector cannot be used to deploy Avi Service Engines.

AVI-CTLR-001
  Design Decision: Use static IPs for the Avi Controllers if DHCP cannot guarantee a permanent lease.
  Design Justification: The Avi Controller cluster uses the management IPs to form and maintain quorum for the control plane cluster; any change to them is disruptive.
  Design Implication: The Avi control plane might go down if the management IPs of the Avi Controllers change.

AVI-CTLR-002
  Design Decision: Latency between Avi Controllers must be <1 ms.
  Design Justification: Avi Controller quorum is latency sensitive.
  Design Implication: The Avi control plane might go down if latency is high.

AVI-VI-001
  Design Decision: Reserve an IP address in the management subnet to be used as the Cluster IP for the Avi Controller Cluster.
  Design Justification: The Cluster IP is a floating IP that remains reachable regardless of which individual Avi Controller node is available.
  Design Implication: Without it, an administrator whose usual node is unavailable must first work out how to reach the Avi cluster.

AVI-VI-002
  Design Decision: Configure DHCP on the networks/logical segments used for data traffic.
  Design Justification: DHCP on the data networks keeps Avi Service Engine configuration simple.
  Design Implication: Without DHCP, operators must program IP pools on the data networks for the Avi Service Engines to use.

Connectivity for the Avi Vantage Platform

When configuring the Avi Vantage Platform, consider the following best practices:

Management connectivity: Reserve sufficient IP addresses in the management subnets for the Controllers and for the Service Engines.

  • Have sufficient IP addresses available for future growth.

  • The subnets assigned for Controller management and Service Engine management can be different.
    Note: The Avi Service Engine management network is configured on a Tier-1 attached Overlay Segment, whereas the Avi Controller management network can be configured on a VLAN port group.

  • Ensure IP connectivity between the Controller management subnet and the Service Engine management subnet.

Data IP connectivity for Service Engines: Have sufficient IP addresses available in the subnets/logical segments used for data traffic.

  • Avi Service Engines use Overlay Segments attached to Tier-1 routers as data networks.

  • Each Tier-1 router carries a single data Overlay Segment (one data network per Tier-1 router).

  • Have sufficient IP addresses available for future growth.

  • Reserve sufficient IP addresses for Virtual Service IP addresses (VIPs) if the load-balanced applications (Virtual Services) take their addresses from the subnet mapped to a data Overlay Segment.
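As an added example (not VMware or Avi code), the following Python encodes the address-planning rules above as checks that can run against a proposed plan before anything is deployed: three controller nodes and a reserved Cluster IP inside the management subnet, the Service Engine management pool inside its Overlay Segment, one data Overlay Segment per Tier-1 router, no overlap between the SE DHCP/static pool and the VIP pool on a data segment, and a free-address margin for growth. The subnet names, Tier-1 names and addresses are constructed, and the finding codes are this example's own.

```python
"""Pre-flight validation of an Avi Vantage IP plan (added example, constructed data).

Encodes the design's constraints: three Avi Controllers on one management network
with a reserved Cluster IP, an SE management pool inside its Overlay Segment, one
data Overlay Segment per Tier-1 router, and VIP pools that never collide with the
pool handed to the Service Engines on the same segment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

Range = Tuple[str, str]  # inclusive first and last address of a pool

@dataclass
class DataSegment:
    cidr: str
    tier1: str       # Tier-1 router the Overlay Segment is attached to
    se_pool: Range   # DHCP range (or static pool) for Service Engine data vNICs
    vip_pool: Range  # addresses reserved for Virtual Service IPs (VIPs)

@dataclass
class IpPlan:
    mgmt_subnet: str             # Controller management network (VLAN port group)
    controller_ips: List[str]    # static management IPs, one per cluster node
    cluster_vip: str             # reserved floating Cluster IP
    se_mgmt_segment: str         # Tier-1 attached Overlay Segment for SE management
    se_mgmt_pool: Range
    data_segments: Dict[str, DataSegment]

def _ints(r: Range) -> Tuple[int, int]:
    a, b = int(ipaddress.ip_address(r[0])), int(ipaddress.ip_address(r[1]))
    if a > b:
        raise ValueError(f"pool {r} is reversed")
    return a, b

def _range_in_net(r: Range, net: ipaddress.IPv4Network) -> bool:
    a, b = _ints(r)  # pool must sit strictly between network and broadcast address
    return int(net.network_address) < a and b < int(net.broadcast_address)

def _overlap(r1: Range, r2: Range) -> bool:
    a1, b1 = _ints(r1)
    a2, b2 = _ints(r2)
    return a1 <= b2 and a2 <= b1

def validate(plan: IpPlan, min_free_pct: int = 20) -> List[str]:
    """Return 'CODE: detail' findings; an empty list means the plan passes."""
    findings: List[str] = []
    mgmt = ipaddress.ip_network(plan.mgmt_subnet)
    ctrl = [ipaddress.ip_address(ip) for ip in plan.controller_ips]
    if len(ctrl) != 3:
        findings.append(f"CTLR-COUNT: expected 3 controller nodes, got {len(ctrl)}")
    for ip in ctrl:
        if ip not in mgmt:
            findings.append(f"CTLR-SUBNET: controller {ip} is outside {mgmt}")
    vip = ipaddress.ip_address(plan.cluster_vip)
    if vip not in mgmt:
        findings.append(f"VIP-SUBNET: cluster IP {vip} is outside {mgmt}")
    if vip in ctrl:
        findings.append(f"VIP-CLASH: cluster IP {vip} is also a controller node IP")
    se_net = ipaddress.ip_network(plan.se_mgmt_segment)
    if not _range_in_net(plan.se_mgmt_pool, se_net):
        findings.append(f"SE-MGMT-POOL: SE management pool is not inside {se_net}")
    seen_tier1: Dict[str, str] = {}
    for name, seg in plan.data_segments.items():
        net = ipaddress.ip_network(seg.cidr)
        if seg.tier1 in seen_tier1:  # one data Overlay Segment per Tier-1 router
            findings.append(f"T1-SHARED: {name} and {seen_tier1[seg.tier1]} share Tier-1 {seg.tier1}")
        seen_tier1.setdefault(seg.tier1, name)
        for label, pool in (("se_pool", seg.se_pool), ("vip_pool", seg.vip_pool)):
            if not _range_in_net(pool, net):
                findings.append(f"DATA-RANGE: {name}.{label} is not inside {net}")
        if _overlap(seg.se_pool, seg.vip_pool):  # a VIP must never be handed out by DHCP
            findings.append(f"DATA-OVERLAP: {name} SE pool overlaps its VIP pool")
        used = sum(b - a + 1 for a, b in (_ints(seg.se_pool), _ints(seg.vip_pool)))
        free_pct = 100 * (net.num_addresses - 2 - used) // (net.num_addresses - 2)
        if free_pct < min_free_pct:
            findings.append(f"DATA-HEADROOM: {name} leaves only {free_pct}% of addresses for growth")
    return findings

def example_plan() -> IpPlan:
    """A plan that passes every check (constructed addresses)."""
    return IpPlan(
        mgmt_subnet="10.10.0.0/24",
        controller_ips=["10.10.0.11", "10.10.0.12", "10.10.0.13"],
        cluster_vip="10.10.0.10",
        se_mgmt_segment="10.20.0.0/24",
        se_mgmt_pool=("10.20.0.50", "10.20.0.99"),
        data_segments={
            "app-blue": DataSegment("10.30.0.0/24", "t1-blue", ("10.30.0.10", "10.30.0.49"), ("10.30.0.100", "10.30.0.149")),
            "app-green": DataSegment("10.31.0.0/24", "t1-green", ("10.31.0.10", "10.31.0.49"), ("10.31.0.100", "10.31.0.149")),
        },
    )

def example_bad_plan() -> IpPlan:
    """Same layout with three mistakes: Cluster IP reused for a node, both data
    segments on one Tier-1, and a VIP pool overlapping the SE DHCP range."""
    plan = example_plan()
    plan.cluster_vip = "10.10.0.11"
    plan.data_segments["app-blue"] = DataSegment("10.30.0.0/24", "t1-shared", ("10.30.0.10", "10.30.0.120"), ("10.30.0.100", "10.30.0.200"))
    plan.data_segments["app-green"].tier1 = "t1-shared"
    return plan
```

Run `validate(example_bad_plan())` to see the findings for the deliberately broken plan; the overlap check is the one that matters most operationally, since a VIP address that DHCP can also lease to a Service Engine data vNIC produces an address conflict on the data segment. What the script cannot check offline is the reachability requirement between the Controller and Service Engine management subnets; that remains a routing and firewall verification step.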

Port Requirements in Avi Vantage Platform

Port/Protocol   Source -> Destination   Description

Avi Controller to Controller Access
  22/TCP      Avi Controller Cluster Nodes -> Avi Controller Cluster Nodes    Secure channel over SSH
  443/TCP     Avi Controller Cluster Nodes -> Avi Controller Cluster Nodes    Access to the portal over HTTPS (UI)
  8443/TCP    Avi Controller Cluster Nodes -> Avi Controller Cluster Nodes    Secure key exchange over HTTPS

Avi Service Engine to Avi Controller Cluster Node Access
  22/TCP      Avi Service Engine management IPs -> Avi Controller Cluster Nodes    Secure channel over SSH
  8443/TCP    Avi Service Engine management IPs -> Avi Controller Cluster Nodes    Secure key exchange over HTTPS
  123/UDP     Avi Service Engine management IPs -> Avi Controller Cluster Nodes    NTP time synchronization
Administration Access
  22/TCP      Admin user IPs -> Avi Controller Cluster Nodes    SSH access to the Avi Controller Cluster shell/CLI
  443/TCP     Admin user IPs -> Avi Controller Cluster Nodes    HTTPS access to the Avi Controller Cluster system portal (UI/SDK)
  161/UDP     Admin user IPs -> Avi Controller Cluster Nodes    SNMP poll
  5054/TCP    Admin user IPs -> Avi Controller Cluster Nodes    (Optional) Avi Controller CLI through remote shell

Avi Controller Cluster Nodes to External Services
  25/TCP          Avi Controller Cluster Nodes -> SMTP servers            SMTP notifications
  49/TCP          Avi Controller Cluster Nodes -> TACACS servers          TACACS+
  53/UDP          Avi Controller Cluster Nodes -> DNS servers             DNS
  123/UDP         Avi Controller Cluster Nodes -> NTP servers             NTP
  389/TCP, UDP    Avi Controller Cluster Nodes -> LDAP servers            LDAP
  636/TCP, UDP    Avi Controller Cluster Nodes -> LDAP servers            LDAPS
  162/UDP         Avi Controller Cluster Nodes -> SNMP trap collectors    SNMP traps
  514/UDP         Avi Controller Cluster Nodes -> Syslog servers          Syslog notifications

Application Connectivity
  */*    Application clients -> Avi Service Engines     Open the TCP/UDP ports the clients need to reach the application.
  */*    Avi Service Engines -> Application servers     Open the TCP/UDP ports the Avi Service Engines need to reach the backend application servers.
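As an added example, not part of this design or of the Avi product, the port matrix above is encoded below as data with the three uses a practitioner wants from it: answering whether a proposed flow appears in the matrix (anything not listed is denied), rendering it as a vendor-neutral allowlist that ends in a default deny toward the controller nodes, and diffing the listeners observed on a controller against what the matrix permits so that unexpected exposure stands out. The group names, the rendered rule syntax and the scan result are assumptions of this example, not the NSX-T or Avi API.

```python
"""Avi Vantage port matrix as a default-deny allowlist (added example).

The rows reproduce the port table above. Group names, the rendered rule
syntax and the sample scan are illustrative assumptions, not a vendor schema.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

Flow = Tuple[str, str]  # (protocol, port) with protocol "TCP" or "UDP"

CONTROLLERS = "avi-controller-nodes"   # assumed firewall group names
SE_MGMT = "avi-se-mgmt-ips"
ADMINS = "admin-user-ips"

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str  # "TCP", "UDP" or "ANY"
    port: str   # decimal port or "ANY"
    note: str

def _rows(src: str, dst: str, *flows: Tuple[str, str, str]) -> List[Rule]:
    return [Rule(src, dst, proto, port, note) for proto, port, note in flows]

MATRIX: List[Rule] = (
    _rows(CONTROLLERS, CONTROLLERS,
          ("TCP", "22", "secure channel over SSH"),
          ("TCP", "443", "portal over HTTPS (UI)"),
          ("TCP", "8443", "secure key exchange over HTTPS"))
    + _rows(SE_MGMT, CONTROLLERS,
            ("TCP", "22", "secure channel over SSH"),
            ("TCP", "8443", "secure key exchange over HTTPS"),
            ("UDP", "123", "NTP time synchronization"))
    + _rows(ADMINS, CONTROLLERS,
            ("TCP", "22", "SSH to controller shell/CLI"),
            ("TCP", "443", "HTTPS to system portal (UI/SDK)"),
            ("UDP", "161", "SNMP poll"),
            ("TCP", "5054", "(optional) CLI through remote shell"))
    + _rows(CONTROLLERS, "smtp-servers", ("TCP", "25", "SMTP notifications"))
    + _rows(CONTROLLERS, "tacacs-servers", ("TCP", "49", "TACACS+"))
    + _rows(CONTROLLERS, "dns-servers", ("UDP", "53", "DNS"))
    + _rows(CONTROLLERS, "ntp-servers", ("UDP", "123", "NTP"))
    + _rows(CONTROLLERS, "ldap-servers",
            ("TCP", "389", "LDAP"), ("UDP", "389", "LDAP"),
            ("TCP", "636", "LDAPS"), ("UDP", "636", "LDAPS"))
    + _rows(CONTROLLERS, "snmp-trap-collectors", ("UDP", "162", "SNMP traps"))
    + _rows(CONTROLLERS, "syslog-servers", ("UDP", "514", "syslog notifications"))
    # The design leaves application rows as wildcards; narrow them per application.
    + _rows("application-clients", "avi-se-data-ips", ("ANY", "ANY", "ports the application exposes"))
    + _rows("avi-se-data-ips", "application-servers", ("ANY", "ANY", "ports the backend servers expose"))
)

def is_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """True only if some row of the matrix covers this flow (default deny)."""
    return any(
        r.src == src and r.dst == dst
        and r.proto in (proto, "ANY") and r.port in (str(port), "ANY")
        for r in MATRIX
    )

def expected_inbound(dst: str) -> Set[Flow]:
    """All (proto, port) pairs the matrix permits toward a destination group."""
    return {(r.proto, r.port) for r in MATRIX if r.dst == dst and r.port != "ANY"}

def unexpected_open_ports(dst: str, observed: Iterable[Flow]) -> Set[Flow]:
    """Listeners seen on the destination that no row of the matrix explains.

    Feed it the open ports from a scan of a controller node; anything returned
    is exposure the design does not call for and should be closed or blocked."""
    return set(observed) - expected_inbound(dst)

def render_rules(matrix: List[Rule] = MATRIX) -> List[str]:
    """One allow line per row, then a default deny toward the controller nodes."""
    lines = [f"allow {r.proto.lower()}/{r.port} {r.src} -> {r.dst}  # {r.note}" for r in matrix]
    lines.append(f"deny any/any any -> {CONTROLLERS}  # nothing else reaches the control plane")
    return lines

def example_scan() -> List[Flow]:
    """Constructed result of scanning one controller node's management IP."""
    return [("TCP", "22"), ("TCP", "443"), ("TCP", "8443"), ("TCP", "5054"), ("UDP", "161"), ("TCP", "80")]
```

Two caveats when turning the matrix into rules: 5054/TCP is marked optional in the table, so leave it out of the allowlist unless the remote CLI shell is actually used, and the two wildcard application rows must be replaced by the specific ports each Virtual Service and its backend pool need before the rule set is applied.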