Deployment of Avi Service Engines in the First Region

Configuring Tenant on the Avi Controller for the First Workload Domain

Each Workload Domain is hosted in a dedicated Tenant on the Avi Controller. The Avi Service Engines are provisioned in the admin Tenant and made available for use in the Workload Domain(s). Load-balanced applications are created within the Tenant(s) created for the Workload Domains.

Prerequisites

  • Avi Controller cluster is set up.

  • Workload domain is set up.

  • The Avi Controller should be set up in the Enterprise edition mode. Tenancy is not available in the Basic edition.

Procedure to create one Tenant (Provider Mode) on the Avi Controller for each Workload Domain

The following are the steps to create one tenant on Avi Vantage for every workload domain:

  1. Log in over SSH to the Avi Controller as admin@sfo-m01-avic01.sfo.rainpole.io.

  2. Start the Avi CLI by executing shell --user admin --password xxxx.

  3. Configure the tenant for the workload domain by executing the following CLI commands:

    
      configure tenant {Workload-Domain}
      config_settings
      se_in_provider_context
      tenant_access_to_provider_se
      no tenant_vrf
      save
      save  

Configuring Credential Objects on the Avi Controller for the First Workload Domain

Create User Credential objects on the Avi Controller for the NSX-T Cloud on Avi to access the NSX-T Manager and the vCenter of the Workload Domain.

Prerequisites

  • Avi Controller cluster has been set up

  • Workload domain has been set up

Procedure to create ‘User Credentials’ config for vCenter and NSX-T Manager

The following are the steps to create ‘User Credentials’ config for vCenter and NSX-T Manager:

  1. In your browser, log in as an admin user to the Avi Controller at https://sfo-m01-avic01.sfo.rainpole.io.

  2. Navigate to Administration > User Credentials.

  3. Click on Create to create the NSX-T User Credentials object.

  4. Specify the following details:

    Setting            Value
    Name               NSX-T-01
    Credentials Type   NSX-T
    User               username
    Password           NSX-T Manager Password

  5. Click on Save.

  6. Click on Create to create the vCenter User Credentials object.

  7. Specify the following details:

    Setting            Value
    Name               vCenter-01
    Credentials Type   vCenter
    User               username
    Password           vCenter Password

  8. Click on Save.

Creating a Content Library for Avi Service Engine OVAs

Create a content library for each workload domain. This Content Library will be used by the Avi NSX-T Cloud Connector to host Avi Service Engine OVAs.

Prerequisites

  • vCenter is set up in the Workload Domain.

Procedure to create a content library in the workload domain:

The following are the steps to create a content library:

  1. Log in to the vCenter server of the corresponding workload domain.

  2. Navigate to Menu > Content Libraries.

  3. Click on + to add a new content library to host Avi Vantage Service Engine OVAs.

  4. Specify the following information in the Name and Location section:

    Setting          Value
    Name             sfo-w01-avise
    Notes            Content Library created to host Avi Service Engine OVAs
    vCenter Server   Select vCenter Server for the corresponding {WORKLOAD_DOMAIN}

  5. Click on NEXT.

  6. Specify the following details in the Configure content library section:

    Setting                 Value
    Local content library   Select
    Enable publishing       Select

  7. Click on NEXT.

  8. In the Add Storage section, select the vSAN datastore.

  9. Click on NEXT.

  10. Review the data and click on FINISH.

Configuring NSX-T Cloud on the Avi Controller for the First Workload Domain

The following are the two topologies:

  1. Two or more Workload Domain(s) share an NSX-T Manager and share a transport zone. A single NSX-T Cloud Connector is required to provide load balancing services for these Workload Domain(s).

  2. Two or more Workload Domain(s) share an NSX-T Manager and utilize unique Transport Zones. A unique NSX-T Cloud Connector for each Workload Domain is required to provide load balancing services for these Workload Domain(s).

Notes:

  • Always set up a new Avi NSX-T Cloud Connector when setting up the first Workload Domain for an NSX-T Manager.

  • The recommendation is to add 1 Overlay Logical Segment for every Tier-1 Logical Router that requires load balancing.

Prerequisites

  • Avi Controller cluster is set up.

  • Workload domain is set up

  • Content Library on the Workload Domain has been created

  • Tier-1 Logical Router has been set up

  • Overlay Logical Segment has been set up for Avi Service Engine Management

  • Overlay Logical Segment has been set up for Avi Service Engine Data

Procedure to create one Cloud on Avi Vantage for every Workload Domain

Create one NSX-T Cloud on Avi for every unique Overlay transport zone that contains transport nodes that require load balancing. The Cloud is created in the Provider (admin) tenant scope.

The following are the steps to create one cloud on Avi Vantage for every workload domain. The cloud is created within the scope of the tenant dedicated for the workload domain.

  1. In your browser, navigate to the Avi Controller at https://sfo-m01-avic01.sfo.rainpole.io.

  2. Navigate to Infrastructure > Clouds. Click on the Create icon to create a new cloud.

  3. Select NSX-T Cloud option.

  4. Specify the following details to configure the cloud:

    Setting              Value
    Name                 {Workload-Domain}-Cloud
    DHCP                 Select (If using DHCP on the data networks)
    Object Name Prefix   sfo-w01-avise
                         This prefix will be used for all objects created by this Avi NSX-T Cloud

  5. Specify the following NSX-T Credential information:

    Setting                     Value
    NSX-T Manager Address       FQDN of the NSX-T Manager that is managing this Workload Domain
    NSX-T Manager Credentials   NSX-T-01
                                Name of the NSX-T Credential object configured on the Avi Controller

  6. Click on Connect and specify the following:

    Setting                          Value
    Transport Zone                   Select the Overlay Transport Zone where Avi Service Engines would be placed
    Management Network Segment
      Tier1 Logical Router ID        Select the Tier-1 Logical Router from the drop-down where Avi Service Engines Management NIC would be connected
      Segment ID                     Select the Overlay Logical Segment from the drop-down connected to the selected Tier-1 Logical Router where Avi Service Engines Management NIC would be connected
    Data Network Segment(s) (Click ADD for each new Logical Segment)
      Logical Segments Config Mode   Manual
      Logical Router ID              Select the Tier-1 Logical Router from the drop-down where Avi Service Engines Data NIC would be connected
      Segment                        Select the Overlay Logical Segment from the drop-down connected to the selected Tier-1 Logical Router where Avi Service Engines Data NIC would be connected
  7. Click on Add to specify the following vCenter Servers information:

    Setting                 Value
    Name                    {Workload-Domain}
    Credentials
      vCenter Address       Pick the vCenter that is managing the Workload Domain from the drop-down
      vCenter Credentials   vCenter-01
                            Name of the vCenter Credential object configured on the Avi Controller

  8. Click on Connect.

  9. Select sfo-w01-avise as the Content Library from the drop-down list.

  10. Click on Done.

  11. Click on Save.

Attach the Default-Group SE Group as a template to the Cloud. This will allow new SE Group creation and protect against versioning issues when a single Avi Controller cluster is managing multiple workload domains, each on a different version.

  • Log in over SSH to the Avi Controller as admin@sfo-m01-avic01.sfo.rainpole.io

  • Start the Avi CLI by executing shell --user admin --password xxxx

  • Configure the SE Group template on the Cloud by executing the following CLI commands:

      configure cloud {Workload-Domain}-Cloud
      se_group_template_ref Default-Group
      save

Configuring Service Engine Group on the Avi Controller for the First Workload Domain

Notes:

  • This is to be used as a reference to guide creation of Service Engine Groups. You can choose to create Service Engine Groups depending on their use-cases.
  • Active/Active and N+M elastic HA modes are only available in the Enterprise edition. Basic edition mode only supports Active/Standby HA mode.

Prerequisites

  • Avi Controller cluster is set up.

  • NSX-T Cloud for the workload domain is set up.

Procedure to create Service Engine Group on the Avi Controller for the First Workload Domain

The following are the steps to create Service Engine group on the Avi Controller for the first workload domain:

  1. In your browser, navigate to the Avi Controller at https://sfo-m01-avic01.sfo.rainpole.io.

  2. Switch to the admin Tenant.

  3. Navigate to Infrastructure > Service Engine Group.

  4. Select the appropriate Cloud from the Select Cloud drop-down list and click on the Create icon.

  5. Specify the following to configure the Basic Settings of the SE group:

    Setting                   Value
    Name                      sfo-w01-avisegrp-01
    High Availability Mode    Active/Active
    VS Placement across SEs   Distributed

  6. Configure the appropriate Service Engine Capacity and Limit Settings based on How to Size Service Engines.

    Setting                             Value
    Maximum Number of Service Engines   Adjust according to scale requirements
    Memory per Service Engine           Adjust according to scale requirements
    vCPU per Service Engine             Adjust according to scale requirements
    Disk per Service Engine             3x the Memory per Service Engine with a minimum of 15 GB
    Memory Reserve                      Select
    CPU Reserve                         Select

  7. Specify the following information:

    Setting                      Value
    Service Engine Name Prefix   String that would help identify these VMs as Avi Service Engines.
                                 Recommended to use a name that helps identify the workloads that these Avi Service Engines would be servicing.
    Service Engine Folder        Place the Avi Service Engines in a common vCenter VM Folder. AviSEFolder will be created by default

  8. Ensure Avi Service Engines are scoped to the Hosts/Storage of the Workload Domain.

    Setting                                               Value
    Host Scope Service Engine within                      Select ‘Host’ and ‘Include’ the ESXi hosts which are part of this Workload Domain.
                                                          Note: This is important when multiple Workload Domains share a Transport Zone and therefore share an Avi NSX-T Cloud.
    Data Store Scope for Service Engine Virtual Machine   Select ‘Shared’ and ‘Include’ the shared datastores used by the Workload Domain.
                                                          Note: This could be the shared vSAN datastore.

  9. Click on Advanced and specify the following details under the Advanced HA & Placement window.

    Setting                               Value
    Buffer Service Engines                0
    Scale Per Virtual Service (Minimum)   2
    Scale Per Virtual Service (Maximum)   4
    Dedicated Dispatcher CPU              Select if configured vCPU per Service Engine >= 4

  10. Click on Save.
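
The sizing and edition rules in this procedure can be checked before the Service Engine Group is created. The following is an added example, not part of the original guide or of any Avi tooling; the SEGroupPlan fields, the function names and the 2 vCPU / 4 GB sample sizing are assumptions, and the dispatcher rule is read as "selected if and only if vCPU >= 4".

```python
from dataclasses import dataclass

@dataclass
class SEGroupPlan:
    """Planned SE Group settings; the field names are this example's own."""
    edition: str               # "Enterprise" or "Basic"
    ha_mode: str               # "Active/Active", "N+M" or "Active/Standby"
    max_service_engines: int
    memory_gb: int
    vcpus: int
    disk_gb: int
    memory_reserve: bool
    cpu_reserve: bool
    min_scale_per_vs: int
    max_scale_per_vs: int
    dedicated_dispatcher: bool

def required_disk_gb(memory_gb: int) -> int:
    # Guide rule: 3x the memory per Service Engine, with a minimum of 15 GB.
    return max(3 * memory_gb, 15)

def validate(plan: SEGroupPlan) -> list[str]:
    """Return the rules from the guide that the plan violates (empty = OK)."""
    findings = []
    # Basic edition only supports Active/Standby HA.
    if plan.edition == "Basic" and plan.ha_mode != "Active/Standby":
        findings.append(f"HA mode {plan.ha_mode} needs the Enterprise edition")
    need = required_disk_gb(plan.memory_gb)
    if plan.disk_gb < need:
        findings.append(f"disk {plan.disk_gb} GB is below the required {need} GB")
    if not (plan.memory_reserve and plan.cpu_reserve):
        findings.append("Memory Reserve and CPU Reserve must both be selected")
    # Assumption: "Select if vCPU >= 4" is read as "if and only if".
    if plan.dedicated_dispatcher != (plan.vcpus >= 4):
        findings.append("Dedicated Dispatcher CPU should match vCPU >= 4")
    if plan.min_scale_per_vs > plan.max_scale_per_vs:
        findings.append("minimum scale per Virtual Service exceeds the maximum")
    # Consistency check added by this example: the group must fit the minimum scale.
    if plan.max_service_engines < plan.min_scale_per_vs:
        findings.append("group cannot hold enough Service Engines for the minimum scale")
    return findings

# Constructed sample: the guide's HA and scale values with assumed sizing.
SAMPLE = SEGroupPlan("Enterprise", "Active/Active", 10, 4, 2, 15, True, True, 2, 4, False)

if __name__ == "__main__":
    for line in validate(SAMPLE) or ["plan is consistent with the guide"]:
        print(line)
```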

Configuring a Sample Load Balanced Web Application in the first Workload Domain in Region A

This section will showcase how to create a Load Balanced Web Application. This section should be used as a template. The following Resources would be created on the Avi Controller:

  • Pool
  • Virtual Service

Prerequisites for creating a Pool

  1. Tenant for the Workload domain is set up. (Only applicable if the Avi Controller has been set up in the Enterprise edition mode)

  2. NSX-T cloud for the workload domain is set up.

Procedure to create Avi Service Engine in the first Workload Domain

The following are the steps to create Avi Service Engine in the first workload domain:

  1. In your browser, navigate to the Avi Controller at https://sfo-m01-avic01.sfo.rainpole.io.

  2. Switch to the appropriate tenant by clicking on admin and selecting the {Workload-Domain} tenant. (Note: Use the default admin Tenant if the Avi Controller is set up in the Basic edition)

  3. Navigate to Applications > Pools and click on Create Pool.

  4. Select the appropriate {Workload-Domain}-Cloud from Select Cloud and click on Next.

  5. Specify the Name for the Pool, for instance, Sample-WebPool.

  6. Select the Tier-1 logical router from the Tier1 Logical Router drop-down list.

  7. Click on Add Active Monitor and select System-HTTP Health Monitor from the Select a Health Monitor drop-down list.

  8. Click on Next to select backend (upstream) servers.

  9. Select the backend servers:

    • Option 1: Specify the range or list of IP Addresses for the backend Servers and click on Add Server
    • Option 2: Click on Security Groups and select the configured NSGroup for the backend servers from the NSX Security Groups drop-down list.

  10. Click on Next.

  11. Set Connection Ramp to 0.

  12. Click on Next.

  13. Click on Save.

Prerequisites for creating a Virtual Service

  • Tenant for the Workload domain has been set up (Only applicable if the Avi Controller has been set up in the Enterprise edition mode)

  • NSX-T Cloud for the Workload domain has been set up

  • SE Group to host the Service Engine(s) has been set up

  • Pool with Backend (upstream) Servers has been configured

  • DHCP on NSX-T has been enabled for the Avi Service Engine data networks (Recommended)

Procedure for creating a Virtual Service

The following are the steps to create a virtual service:

  1. In your browser, navigate to the Avi Controller at sfo-m01-avic01.sfo.rainpole.io

  2. Switch to the appropriate Tenant by clicking on admin and selecting the {Workload-Domain} Tenant. (Note: Use the default ‘admin’ Tenant if the Avi Controller is set up in the Basic edition)

  3. Navigate to Applications > Virtual Services, click on Create Virtual Service and select the Advanced Setup option.

  4. Select the appropriate {Workload-Domain}-Cloud from Select Cloud and click on Next.

  5. Specify the Name for the Virtual Service. For instance, Sample-WebVS.

  6. Specify the VIP IP in the FQDN or IPv4 Address box.

  7. Select the Tier-1 Logical Router from the Tier1 Logical Router drop-down list.
    Note: This should match what was selected for the Sample-WebPool.

  8. Specify the following in the Services section (Click on Add Port to add the second service).

    Setting             Value
    Service 1 (HTTP)    Port: 80
                        SSL: Unselected
                        HTTP2: Unselected
    Service 2 (HTTPS)   Port: 443
                        SSL: Selected
                        HTTP2: Unselected

  9. Select the Traffic Enabled option.

  10. Select System-TCP-Proxy from the TCP/UDP Profile drop-down list.

  11. Select System-Secure-HTTP from the Application Profile drop-down list.

  12. Select the created Sample-WebPool from the Pool drop-down list.

  13. Select System-Standard-PFS from the SSL Profile drop-down list.

  14. Select System-Default-Cert and System-Default-Cert-EC from the SSL Certificate drop-down list.

  15. Click on Next.

  16. Click on Next.

  17. Unselect Non-Significant logs if you are using Avi Basic Edition.

  18. Click on Next.

  19. Select the sfo-w01-avisegrp-01 Service Engine Group from the SE Group drop-down list.

  20. Click on Save.

Creating an Anti-affinity Rule for Avi Service Engines in the first Workload Domain in Region A

You can create an anti-affinity VM/Host rule to keep Avi Service Engine VMs distributed across the available ESXi hosts.

Prerequisites

  • At least 1 Virtual Service is deployed and configured.

Procedure to create an Anti-affinity Rule

The following are the steps to create an anti-affinity rule:

  1. Log in to the vCenter server of the corresponding workload domain.

  2. Navigate to the vCenter cluster configuration where the Avi Service Engine VMs are going to be deployed: vCenter > DataCenter > Cluster > Configure.

  3. Under VM/Host Rules, click on the + icon to add a new VM/Host rule, which will be the anti-affinity rule for the Avi Service Engine VMs.

  4. Specify the following information in the Create VM/Host Rule section.

    Setting   Value
    Name      sfo-w01-avise
    Type      Separate Virtual Machines

  5. Click on + to add the Avi Service Engine VMs.

  6. Search for Avi Service Engine VMs by entering sfo-w01-avise in the search filter.

  7. Click on OK to add the Avi Service Engine VMs to the rule.

  8. Click on OK to save the configuration.

Note: You need to add any new Avi Service Engine VMs to this rule.
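
Because new Service Engine VMs are not added to the rule automatically, rule membership drifts as the group scales. The following added example (not part of the original guide) compares a VM inventory against the rule's members using the sfo-w01-avise prefix; the inventory structure, the VM and host names and the function names are constructed for illustration, and in practice the two lists would come from a vCenter export.

```python
from collections import defaultdict

SE_PREFIX = "sfo-w01-avise"  # Object Name Prefix and rule search filter from the guide

def se_vms(inventory, prefix=SE_PREFIX):
    """Names of VMs carrying the Service Engine prefix, sorted."""
    return sorted(vm["name"] for vm in inventory if vm["name"].startswith(prefix))

def missing_from_rule(inventory, rule_members, prefix=SE_PREFIX):
    """Service Engine VMs that exist but were never added to the rule."""
    members = set(rule_members)
    return [name for name in se_vms(inventory, prefix) if name not in members]

def stale_members(inventory, rule_members):
    """Rule members that no longer exist in the inventory."""
    present = {vm["name"] for vm in inventory}
    return sorted(set(rule_members) - present)

def colocated(inventory, prefix=SE_PREFIX):
    """Hosts currently running more than one Service Engine VM."""
    by_host = defaultdict(list)
    for vm in inventory:
        if vm["name"].startswith(prefix):
            by_host[vm["host"]].append(vm["name"])
    return {host: sorted(names) for host, names in by_host.items() if len(names) > 1}

# Constructed sample data: VM and host names are placeholders, not controller output.
INVENTORY = [
    {"name": "sfo-w01-avise-se-a", "host": "esxi-01"},
    {"name": "sfo-w01-avise-se-b", "host": "esxi-02"},
    {"name": "sfo-w01-avise-se-c", "host": "esxi-02"},  # created after the rule
    {"name": "app-web-01", "host": "esxi-01"},
]
RULE_MEMBERS = ["sfo-w01-avise-se-a", "sfo-w01-avise-se-b", "sfo-w01-avise-se-old"]

if __name__ == "__main__":
    print("add to rule:   ", missing_from_rule(INVENTORY, RULE_MEMBERS))
    print("stale in rule: ", stale_members(INVENTORY, RULE_MEMBERS))
    print("sharing a host:", colocated(INVENTORY))
```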