Networking Design for Avi Vantage Platform
The network design for the Avi Vantage Platform provides two types of connectivity: management connectivity between the Avi Controllers and the Avi Service Engines, and data IP connectivity for the Avi Service Engines to service application traffic.
The following table summarizes the design decisions for the networking design support of the Avi Vantage platform:
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| AVI-VI-VC-003 | Deploy the Avi Controller Cluster Nodes on the VMware Cloud Foundation Management Network. | The network carries traffic sourced from and destined to the Avi Controller Cluster Nodes: administrative tasks, connectivity to Avi Service Engines and connectivity to network services all use this network. | Using the same network for all three Avi Controller Cluster Nodes allows a floating cluster VIP to be configured: a single IP address that is assigned to the cluster leader. |
| AVI-VI-VC-004 | Deploy the Avi Service Engines management vNIC on an Overlay Segment attached to a Tier-1 router on NSX. | This is required to configure the Avi Controller NSX-T Cloud Connector. Note: this Overlay network must have connectivity to the IP addresses of each of the Avi Controllers. | Otherwise, the NSX-T Cloud Connector cannot be used to deploy Avi Service Engines. |
| AVI-VI-VC-005 | Configure one or more data networks for Avi Service Engines to service application traffic. Note: each data network should be an Overlay Segment attached to a separate Tier-1 router. | The Avi Service Engines require an overlay data network attached to a Tier-1 router to provide access to load-balanced applications and the associated application health monitoring. | Otherwise, the NSX-T Cloud Connector cannot be used to deploy Avi Service Engines. |
| AVI-CTLR-001 | Use static IPs for the Avi Controllers if DHCP cannot guarantee a permanent lease. | The Avi Controller cluster uses the management IPs to form and maintain quorum for the control plane cluster; any change to them is disruptive. | The Avi Controller control plane might go down if the management IPs of the Avi Controllers change. |
| AVI-CTLR-002 | Latency between Avi Controllers must be less than 1 ms. | Avi Controller quorum is latency sensitive. | The Avi control plane might go down if latency is high. |
| AVI-VI-001 | Reserve an IP in the management subnet to be used as the Cluster IP for the Avi Controller Cluster. | A floating IP that is always reachable regardless of which individual Avi cluster node is available. | Without it, administrators must work out how to reach the Avi cluster when the specific node being accessed is unavailable. |
| AVI-VI-002 | Configure DHCP on the networks/logical segments used for data traffic. | Having DHCP enabled on the data networks keeps Avi Service Engine configuration simple. | Without DHCP, operators have to program IP pools for the data networks used by the Avi Service Engines. |
Connectivity for the Avi Vantage Platform
When configuring the Avi Vantage Platform, consider the following best practices:

- Management connectivity: reserve (carve out) sufficient IP addresses in a subnet for the Controllers and for the Service Engines respectively for management access.
  - Have sufficient IP addresses available for future growth.
  - The subnets assigned for Controller management and Service Engine management can be different. Note: the Avi Service Engine management network is configured on a Tier-1 attached Overlay Segment, whereas the Avi Controller management network can be configured on a VLAN port group.
  - Ensure IP connectivity between the Controller and Service Engine management subnets.
- Data IP connectivity for Service Engines: have sufficient IPs available in the subnets/logical segments mapped for data traffic.
  - Avi Service Engines use Overlay Segments attached to Tier-1 routers as data networks.
  - A single Overlay Segment is required for each Tier-1 router.
  - Have sufficient IP addresses available for future growth.
  - Reserve sufficient IP addresses for Virtual Service IP addresses (VIPs) if load-balanced applications (Virtual Services) will use IP addresses in the subnet mapped to the data Overlay Segments.
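The reservation and placement rules above can be checked mechanically before anything is deployed. The following Python script is an added example, not VMware's or Avi's own tooling: it carves labelled reservations out of each subnet with the standard `ipaddress` module and validates the placement rules (cluster VIP inside the Controller management subnet, Service Engine management and data networks on Tier-1 attached Overlay Segments, one data segment per Tier-1, no overlapping subnets). The `Segment` shape, the segment names, CIDRs, Tier-1 names and counts are all constructed sample values.

```python
"""Added example (not VMware's or Avi's own tooling): an IP reservation plan that
encodes the connectivity rules above with the standard ipaddress module.
Every subnet, Tier-1 name and count here is a constructed sample value."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Segment:
    """A subnet in the plan. `tier1` names the Tier-1 router an Overlay Segment is
    attached to; None means a VLAN port group, which only Controller management may use."""
    name: str
    cidr: str
    tier1: Optional[str] = None
    reservations: dict = field(default_factory=dict)  # label -> list of addresses

    @property
    def network(self):
        return ipaddress.ip_network(self.cidr, strict=True)

    def free_hosts(self):
        used = {ip for ips in self.reservations.values() for ip in ips}
        return [h for h in self.network.hosts() if h not in used]

    def reserve(self, label, count):
        """Carve `count` unused host addresses out of the segment under `label`."""
        free = self.free_hosts()
        if len(free) < count:
            raise ValueError(f"{self.name}: {label} needs {count} addresses, only {len(free)} free")
        self.reservations[label] = free[:count]
        return self.reservations[label]


def build_plan(controller_mgmt, se_mgmt, data_segments, se_count, vip_count, growth):
    """Reserve addresses per the design: three Controllers plus the floating cluster VIP
    on the Controller management subnet (AVI-VI-001), Service Engine management
    addresses on their own segment, and on each data segment the Service Engine data
    addresses plus a pool for Virtual Service VIPs. `growth` spare addresses are held
    back on every segment for future expansion."""
    controller_mgmt.reserve("controllers", 3)
    controller_mgmt.reserve("cluster_vip", 1)
    controller_mgmt.reserve("growth", growth)
    se_mgmt.reserve("service_engines", se_count)
    se_mgmt.reserve("growth", growth)
    for seg in data_segments:
        seg.reserve("service_engines", se_count)
        seg.reserve("virtual_service_vips", vip_count)
        seg.reserve("growth", growth)
    return {"controller_mgmt": controller_mgmt, "se_mgmt": se_mgmt, "data": list(data_segments)}


def validate_plan(plan):
    """Return a list of findings; an empty list means the plan follows the rules above."""
    findings = []
    ctl, se, data = plan["controller_mgmt"], plan["se_mgmt"], plan["data"]
    vip = ctl.reservations.get("cluster_vip", [])
    if not vip or vip[0] not in ctl.network:
        findings.append("cluster VIP must be reserved inside the Controller management subnet")
    if se.tier1 is None:
        findings.append(f"{se.name}: Service Engine management must be an Overlay Segment on a Tier-1 router")
    tier1_owner = {}  # one data Overlay Segment per Tier-1 router
    for seg in data:
        if seg.tier1 is None:
            findings.append(f"{seg.name}: data network must be an Overlay Segment on a Tier-1 router")
        elif seg.tier1 in tier1_owner:
            findings.append(f"{seg.name}: Tier-1 {seg.tier1} already carries data segment {tier1_owner[seg.tier1]}")
        else:
            tier1_owner[seg.tier1] = seg.name
        if "virtual_service_vips" not in seg.reservations:
            findings.append(f"{seg.name}: no VIP pool reserved for Virtual Services")
    segments = [ctl, se, *data]
    for i, a in enumerate(segments):  # management and data subnets must not overlap
        for b in segments[i + 1:]:
            if a.network.overlaps(b.network):
                findings.append(f"{a.name} and {b.name} overlap ({a.cidr} / {b.cidr})")
    return findings


if __name__ == "__main__":
    plan = build_plan(
        Segment("controller-mgmt", "10.10.0.0/24"),             # VLAN port group (constructed)
        Segment("se-mgmt", "10.20.0.0/24", tier1="t1-mgmt"),    # Overlay Segment (constructed)
        [Segment("data-app-a", "10.30.0.0/24", tier1="t1-app-a"),
         Segment("data-app-b", "10.31.0.0/24", tier1="t1-app-b")],
        se_count=4, vip_count=20, growth=8)
    for seg in [plan["controller_mgmt"], plan["se_mgmt"], *plan["data"]]:
        print(seg.name, {k: f"{v[0]}..{v[-1]}" for k, v in seg.reservations.items()})
    print("findings:", validate_plan(plan) or "none")
```

Running the script prints the reserved ranges per segment and an empty findings list for the sample plan; placing the Service Engine management segment on a VLAN port group, or attaching two data segments to the same Tier-1, produces a finding per violated rule, and a segment too small for its reservations raises `ValueError` at planning time rather than at deployment.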
Port Requirements for the Avi Vantage Platform

Avi Controller to Controller Access

| Port | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|
| 22 | TCP | Avi Controller Cluster Nodes | Avi Controller Cluster Nodes | Secure channel over SSH |
| 443 | TCP | Avi Controller Cluster Nodes | Avi Controller Cluster Nodes | Access to portal over HTTPS (UI) |
| 8443 | TCP | Avi Controller Cluster Nodes | Avi Controller Cluster Nodes | Secure key exchange portal over HTTPS |

Avi Service Engine to Avi Controller Cluster Node Access

| Port | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|
| 22 | TCP | Avi Service Engine management IPs | Avi Controller Cluster Nodes | Secure channel over SSH |
| 8443 | TCP | Avi Service Engine management IPs | Avi Controller Cluster Nodes | Secure key exchange over HTTPS |
| 123 | UDP | Avi Service Engine management IPs | Avi Controller Cluster Nodes | NTP time synchronization |
Administrator Access to Avi Controller Cluster Nodes

| Port | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|
| 22 | TCP | Administrator user IPs | Avi Controller Cluster Nodes | SSH access to Avi Controller Cluster shell/CLI |
| 443 | TCP | Administrator user IPs | Avi Controller Cluster Nodes | HTTPS access to Avi Controller Cluster system portal (UI/SDK) |
| 161 | UDP | Administrator user IPs | Avi Controller Cluster Nodes | SNMP poll |
| 5054 | TCP | Administrator user IPs | Avi Controller Cluster Nodes | (Optional) Avi Controller CLI through remote shell |
Avi Controller Cluster Nodes to External Services

| Port | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|
| 25 | TCP | Avi Controller Cluster Nodes | SMTP servers | SMTP notifications |
| 49 | TCP | Avi Controller Cluster Nodes | TACACS servers | TACACS+ |
| 53 | UDP | Avi Controller Cluster Nodes | DNS servers | DNS |
| 123 | UDP | Avi Controller Cluster Nodes | NTP servers | NTP |
| 389 | TCP/UDP | Avi Controller Cluster Nodes | LDAP servers | LDAP |
| 636 | TCP/UDP | Avi Controller Cluster Nodes | LDAP servers | LDAPS |
| 162 | UDP | Avi Controller Cluster Nodes | SNMP trap collectors | SNMP traps |
| 514 | UDP | Avi Controller Cluster Nodes | Syslog servers | Syslog notifications |
| * | * | Application clients | Avi Service Engines | Open the TCP/UDP ports the clients require to communicate with the application. |
| * | * | Avi Service Engines | Application servers | Open the TCP/UDP ports the Avi Service Engines require to communicate with the backend application servers. |
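The control-plane rows of the tables above amount to a least-privilege allow-list, and they can be used to audit a candidate firewall policy before it is applied. The following Python script is an added example, not VMware's or Avi's own tooling: it encodes the tables as data, generates one narrowly scoped allow rule per required flow, and reports which mandatory flows a candidate policy fails to permit, which of its rules permit nothing the tables need, and which rules use wildcards and so allow more than is required. The `Rule` shape, the group names and the sample policy are assumptions made for the example; the data-plane rows (application clients to Service Engines, Service Engines to application servers) are application-specific and are left out.

```python
"""Added example (not VMware's or Avi's own tooling): the Avi Vantage port requirements
as data, plus an audit of a candidate allow-list against them. Group names, the Rule
shape and the sample policy below are constructed for illustration."""
from collections import namedtuple

Flow = namedtuple("Flow", "port proto src dst purpose optional")
Rule = namedtuple("Rule", "src dst proto port")  # an allow rule; "any" wildcards a field

CONTROLLER = "Avi Controller Cluster Nodes"
SE_MGMT = "Avi Service Engine management IPs"
ADMIN = "Administrator user IPs"

# Control-plane rows of the port tables above (port, protocols, source, destination,
# purpose, optional). Data-plane rows are application-specific and not modelled.
PORT_TABLE = [
    (22, "TCP", CONTROLLER, CONTROLLER, "secure channel over SSH", False),
    (443, "TCP", CONTROLLER, CONTROLLER, "portal over HTTPS (UI)", False),
    (8443, "TCP", CONTROLLER, CONTROLLER, "secure key exchange over HTTPS", False),
    (22, "TCP", SE_MGMT, CONTROLLER, "secure channel over SSH", False),
    (8443, "TCP", SE_MGMT, CONTROLLER, "secure key exchange over HTTPS", False),
    (123, "UDP", SE_MGMT, CONTROLLER, "NTP time synchronization", False),
    (22, "TCP", ADMIN, CONTROLLER, "SSH access to shell/CLI", False),
    (443, "TCP", ADMIN, CONTROLLER, "HTTPS access to portal (UI/SDK)", False),
    (161, "UDP", ADMIN, CONTROLLER, "SNMP poll", False),
    (5054, "TCP", ADMIN, CONTROLLER, "Controller CLI through remote shell", True),
    (25, "TCP", CONTROLLER, "SMTP servers", "SMTP notifications", False),
    (49, "TCP", CONTROLLER, "TACACS servers", "TACACS+", False),
    (53, "UDP", CONTROLLER, "DNS servers", "DNS", False),
    (123, "UDP", CONTROLLER, "NTP servers", "NTP", False),
    (389, "TCP/UDP", CONTROLLER, "LDAP servers", "LDAP", False),
    (636, "TCP/UDP", CONTROLLER, "LDAP servers", "LDAPS", False),
    (162, "UDP", CONTROLLER, "SNMP trap collectors", "SNMP traps", False),
    (514, "UDP", CONTROLLER, "Syslog servers", "Syslog notifications", False),
]


def required_flows():
    """Expand the table into one Flow per (port, protocol); 'TCP/UDP' becomes two flows."""
    flows = []
    for port, protos, src, dst, purpose, optional in PORT_TABLE:
        for proto in protos.split("/"):
            flows.append(Flow(port, proto, src, dst, purpose, optional))
    return flows


def least_privilege_rules(include_optional=False):
    """One narrowly scoped allow rule per required flow and nothing wider."""
    return [Rule(f.src, f.dst, f.proto, f.port)
            for f in required_flows() if include_optional or not f.optional]


def rule_covers(rule, flow):
    """True when the rule permits the flow, treating 'any' as a wildcard in any field."""
    return (rule.src in (flow.src, "any") and rule.dst in (flow.dst, "any")
            and rule.proto in (flow.proto, "any") and rule.port in (flow.port, "any"))


def audit_policy(rules):
    """Compare a candidate allow-list with the table. Returns the mandatory flows no rule
    permits (the deployment will break), the rules that permit nothing the table needs
    (candidates for removal), and the rules that carry a wildcard (wider than required)."""
    flows = required_flows()
    missing = [f for f in flows if not f.optional and not any(rule_covers(r, f) for r in rules)]
    unused = [r for r in rules if not any(rule_covers(r, f) for f in flows)]
    broad = [r for r in rules if "any" in r]
    return {"missing": missing, "unused": unused, "broad": broad}


if __name__ == "__main__":
    # Constructed sample policy: admins get a blanket allow, one Controller flow is
    # present, and a stray rule opens a port no table row asks for.
    sample_policy = [
        Rule(ADMIN, CONTROLLER, "any", "any"),
        Rule(CONTROLLER, CONTROLLER, "TCP", 22),
        Rule("any", CONTROLLER, "TCP", 8080),
    ]
    report = audit_policy(sample_policy)
    for key, items in report.items():
        print(f"{key} ({len(items)}):")
        for item in items:
            print("   ", item)
```

The generated least-privilege rules audit clean (nothing missing, nothing unused, nothing broad); the constructed sample policy is reported with 15 missing mandatory flows (every Service Engine and external-service flow plus the two remaining Controller-to-Controller ports), one unused rule and two wildcard rules. Optional flows such as 5054/TCP are never reported as missing but do count as a legitimate use of a rule that permits them.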