Avi Integration with NSX-T

Overview

VMware NSX-T provides an agile software-defined infrastructure to build cloud-native application environments.

NSX-T is focused on providing networking, security, automation, and operational simplicity for emerging application frameworks and architectures that have heterogeneous endpoint environments and technology stacks. NSX-T supports cloud-native applications, bare metal workloads, multi-hypervisor environments, public clouds, and multiple clouds.

To know more about VMware NSX-T, refer to the VMware NSX-T documentation.

This guide describes how to deploy Avi Vantage in a vSphere environment with NSX-T managed networking and security.

Prerequisites

The integration requires the Avi Controller to be able to authenticate with the NSX-T manager and the vCenter server(s).

The user accounts configured on the Avi Controller require the following roles and permissions for the integration to work successfully:

Configuring NSX-T Role Requirements

The NSX-T cloud should be configured with admin credentials for NSX-T manager.

To create the username and password to talk to the NSX-T manager,

  1. Navigate to Administration > User Credentials.

    NSXT Credentials

  2. Enter the Name.

  3. Select NSX-T as the Credentials Type.

  4. Enter the Username and Password.

    The New User Credentials screen is as shown below:

    NSXT Credentials

  5. Click on Save.

Note: If the password has expired, Avi still tries to reconnect using the expired password. After five consecutive failed login attempts, the administrator account is locked for 15 minutes. Refer to the Account Lockout article to know more.

Configuring vCenter Role Requirements

To configure vCenter objects, you should log in to the vCenter server with administrator credentials.

To create the username and password to talk to the vCenter server, in the New User Credentials screen,

  1. Enter the Name.

  2. Select vCenter as the Credentials Type.

  3. Enter the Username and Password.

    The New User Credentials screen is as shown below:

    vCenter Credentials

  4. Click on Save.

Content Library

The Avi Controller uploads the Service Engine image to the content library on the vCenter server and uses this image to create a new virtual machine (VM) every time a new Service Engine is required. The content library must be created on vCenter before configuring the NSX-T cloud.

  1. In the vCenter vSphere client, navigate to Content Libraries.

    Content Library

  2. Click on Create. The New Content Library wizard opens.

  3. In the Name and location page, enter the Name and select a vCenter Server instance for the content library as shown below:

    Content Library

  4. Click on Next.

  5. In the Configure content library page, select Local content library.

    Content Library

  6. Click on Next.

  7. In the Add storage page, select a datastore as the storage location for the content library contents.

    Content Library

  8. Click on Next.

  9. In the Ready to complete page, review the details.

    Content Library

  10. Click on Finish.

Deploying the Avi Controller OVA

The Avi Controller cluster VMs are deployed using OVA, connected to the same management port group as the NSX-T Manager.

To deploy the Avi Controller OVA,

  1. Log in to the vCenter server through a vCenter client.

  2. From the File menu, select Deploy OVF Template.

    OVA

  3. Select the controller.ova file from your local machine.

  4. In the Deploy OVF Template wizard,
    • Select the VM name and the location to deploy.

      OVA

    • Select the compute resource.

      OVA

    • Review the details.

    • Select the storage and set the disk format to Thick Provision Lazy Zeroed.

      OVA

    • Choose a management network for the Avi Controller.

      OVA

    • Enter the management IP address, subnet mask and default gateway. In the case of DHCP, leave this field empty.

      Note: Using a static IP address is recommended for production setups.

      OVA

      Note: The Avi Controller OVA supports additional OVF properties. The following properties have been added to facilitate automated deployment of the Avi Controller by the NSX Manager:

      • NSX-T Node ID
      • NSX-T IP Address
      • Authentication token of NSX-T
      • NSX-T thumbprint
      • Hostname of Avi Controller

    These fields should be left blank in case of a direct deployment of the Avi Controller.

    • Review the settings and click on Finish.
  5. Power on the virtual machine.

Checking the Status of Controller Registration

After deploying the NSX Advanced Load Balancer Controller via NSX, you can check the status of registration using the show nsxt_registration command:

  • Status is Not Registered:

[admin:1234]: > show nsxt_registration
+--------+----------------+
| Field  | Value          |
+--------+----------------+
| status | NOT REGISTERED |
+--------+----------------+
  • Status is Registered:

[admin:1234]: > show nsxt_registration
+---------+---------------+
| Field   | Value         |
+---------+---------------+
| nsxt_ip | 10.xxx.xxx.xx |
| status  | REGISTERED    |
+---------+---------------+
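
The two outputs above can be checked automatically after an NSX-driven deployment. The following Python code is an added example, not part of the Avi documentation or CLI: it parses the table format shown above and also confirms that the Controller registered with the NSX-T manager you expect. The function names and the 192.0.2.10 address are assumptions made for illustration.

```python
import re

# Constructed sample outputs in the table format shown above. 192.0.2.10 is a
# documentation-range placeholder, not an address from the original page.
NOT_REGISTERED = """\
+--------+----------------+
| Field  | Value          |
+--------+----------------+
| status | NOT REGISTERED |
+--------+----------------+
"""
REGISTERED = """\
+---------+------------+
| Field   | Value      |
+---------+------------+
| nsxt_ip | 192.0.2.10 |
| status  | REGISTERED |
+---------+------------+
"""

# One data row: "| field | value |". Border lines start with "+" and never match.
ROW = re.compile(r"^\|\s*(?P<field>[^|]+?)\s*\|\s*(?P<value>[^|]*?)\s*\|\s*$")

def parse_cli_table(text):
    """Return {field: value} from a two-column CLI table (hypothetical helper)."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group("field") != "Field":  # skip the header row
            rows[m.group("field")] = m.group("value")
    return rows

def check_registration(text, expected_nsxt_ip):
    """Classify registration state against the NSX-T manager we expect."""
    rows = parse_cli_table(text)
    status = rows.get("status")
    if status is None:
        raise ValueError("no status row; not show nsxt_registration output")
    if status != "REGISTERED":
        return "not-registered"
    # The NOT REGISTERED table has no nsxt_ip row, so only compare it here.
    if rows.get("nsxt_ip") != expected_nsxt_ip:
        return "registered-to-unexpected-manager"
    return "ok"

if __name__ == "__main__":
    for sample in (NOT_REGISTERED, REGISTERED):
        print(check_registration(sample, "192.0.2.10"))
```
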

Setting up the Avi Controller

This section shows the steps to perform initial configuration of the Avi Controller using its deployment wizard. You can change or customize settings following initial deployment using the Avi Controller’s web interface.

Note: The NSX-T cloud is not a part of the deployment wizard. Therefore, select No Orchestrator as the integration option.

To complete the setup,

  1. Navigate to the Avi Controller IP on your browser.

    Note: While the system is booting up, a 503 status code or a page with the following message will appear: “Controller is not yet ready. Please try again after a couple of minutes”. Wait for about 5 to 10 minutes and refresh the page. Then follow the instructions below for the setup wizard.

  2. Enter the admin details as shown below:

    initial setup

    Note: The Email Address is required for admin password reset in case of lockout.

  3. Enter the DNS and NTP server information.

    initial setup

  4. Configure the Email/SMTP information.

    initial setup

  5. Under Orchestrator Integration, select No Orchestrator.

    initial setup

  6. Select No under Support Multiple Tenants.

    initial setup

Configuring Management Networking for SE

The Avi SE management interface has to be connected to an overlay logical segment. It also needs a tier-1 gateway to provide external connectivity to be able to reach the Avi controller management IP. It is recommended to have a dedicated tier-1 gateway and segment for Avi SE management.

Before creating the NSX-T cloud, create the following:

Creating a Tier-1 Gateway

A tier-1 gateway is created in the NSX-T manager. A tier-1 gateway has northbound connections to tier-0 gateways and southbound connections to segments.

To add a Tier-1 Gateway,

  1. In the NSX-T manager, navigate to Networking > Tier-1 Gateways.

    Tier 1 Gateway

  2. Click on Add Tier-1 Gateway.

  3. Enter the Name and select a tier-0 gateway to connect to this tier-1 gateway.

  4. (Optional) Select an NSX Edge Cluster if you want this tier-1 gateway to host stateful services such as NAT, load balancer, or firewall.

    Tier 1 Gateway

  5. (Optional) Next to IP Address Management, click on No Dynamic IP Allocation.

  6. (Optional) In the Type drop-down menu, select DHCP Server and select a DHCP profile to attach to this gateway.

    Tier 1 Gateway

    Note: Enabling DHCP on the tier-1 gateway is optional. SEs can also have static IPs configured for their interfaces by configuring an IP address pool on the corresponding network object on the Avi Controller.

  7. Click on Save.

  8. Under Route Advertisement, select the options as shown below:

    Tier 1 Gateway

  9. Click on Save.

The tier-1 gateway is as shown below:

Tier 1 Gateway

Creating a Segment

To create a segment,

  1. In the NSX-T manager, navigate to Networking > Segments.

  2. Click on Add Segment.

    Segment

  3. Enter a Name for the segment.

  4. Under Connectivity, select the tier-1 gateway that has to be connected.

  5. Select the Overlay Transport Zone.

  6. Enter the Subnets.

    Segment

  7. (Optional) To configure DHCP on the segment, click on Set DHCP Config.

  8. (Optional) Enable DHCP Config and enter the DHCP Ranges.

    Segment

  9. Click on Apply.

  10. Click on Save.

Creating an NSX-T Cloud

To create an NSX-T cloud, log in to the Avi Controller and follow the steps given below:

  1. Navigate to Infrastructure > Clouds.

  2. Click on Create and select NSX-T Cloud.

    NSX-T Cloud

  3. Enter the Name of the NSX-T cloud.

    Note: NSX-T Cloud is selected as the Cloud Type by default.

  4. Check the DHCP option if the SE management segment has DHCP enabled.

    Note: The prefix string must only have letters, numbers and underscore. This field cannot be changed once the cloud is configured.

  5. Enter the NSX-T manager hostname or IP address as the NSX-T Manager Address and select the NSX-T Manager Credentials.

  6. Click on Connect to authenticate with the NSX-T manager.

    NSX-T Cloud

  7. Select the Transport Zone required from the drop-down.

    Note: If Virtual LAN (VLAN)-backed logical segments are used instead of an Overlay transport zone, refer to NSX-T VLAN Logical Segment.

  8. In the Management Network Segment, select the Tier1 Logical Router ID and Segment ID.
    Note: Currently, only Manual is supported as the Logical Segments Config Mode. Hence, the option is greyed out. This requires the segment to be pre-created on the NSX manager.

  9. Select the tier-1 gateway and logical switch for VIP placement.

  10. Click on Add to select one more tier-1 router and a connected logical segment for VIP placement.

    NSX-T Cloud

  11. Under vCenter Servers, click on Add.

  12. Enter the vCenter Server Name, and configure the credentials.

  13. Click on Connect.

  14. Select the Content Library and click on Done.

    NSX-T Cloud

  15. Select the IPAM/DNS Profile, as required.

    NSX-T Cloud

  16. Click on Save to create the NSX-T cloud.

Multiple NSX-T Clouds

Starting with Avi Vantage version 20.1.3, multiple NSX-T clouds (maximum of 5) can be created.

Each NSX-T cloud can be created either for the same NSX-T manager or for a different NSX-T manager. If different NSX-T managers are pointing to the same vCenter, then only one SE image per vCenter will be created.

If there are multiple NSX-T managers pointing to different vCenters, then the SE image will be created in the respective content libraries.

Note: The cleanup of the SE image happens only after the last NSX-T cloud pointing to the SE image is removed.

NSX-T Cloud

SE Group Scoping in NSX-T Cloud

Folder Scoping for SE Placement

Service Engine Folder

To select the folder to place all the SE virtual machines in vCenter,

  1. From the Avi UI, navigate to Infrastructure > Service Engine Group.

  2. Select the NSX-T cloud.

  3. Edit the service engine group required.

  4. Click on the Advanced Tab.

  5. Select the Service Engine Folder as shown below:

    Note: The folder to be configured has to be pre-created in the respective vCenter. Avi Vantage does not auto-create the folders.

    Folder Scoping

Host and Data Store Scope

Host Scope

SEs may be deployed on any host that most closely matches the resources and reachability criteria for placement. This setting directs the placement of SEs.

By default, Avi Vantage allows SEs to be deployed to any host that best fits the deployment criteria. However, you can specify the preferred hosts as shown below:

To specify the hosts,

  1. Under Host Scope Service Engine Within, click on Host.

  2. Select Include to deploy SEs only on the specified hosts or click on Exclude for not deploying SEs on the specified host.

    Note: All the hosts from vCenter are listed here.

  3. Select the required hosts to be included or excluded.

    Host Scoping

Data Store Scope

Under Data Store Scope, set the storage location for SEs.

By default, Avi Vantage will determine the best option for data storage. However, you can select specific shared data stores to be included or excluded.

To specify the shared data store,

  1. Under Data Store Scope for Service Engine Virtual Machine, select Shared.

  2. Select Include to select the data stores to be included or Exclude to select the data stores to be excluded.

  3. Select the shared data stores to be included or excluded.

    Data Store Scoping

  4. Click on Save.

Creating the Virtual Service

To create a new virtual service,

  1. Navigate to Application > Virtual Services.

  2. Click on Create Virtual Service > Basic Setup.

  3. Select the NSX-T cloud and click on Next.

  4. Configure the virtual service. Under Add Servers, click on Security Groups and select the NSX Security Group.
    Note: Starting with Avi Vantage version 20.1.2, the front-end (VIP) IP supports an IPv6 address.

    Virtual Service

  5. Click on Save.

In the aforementioned steps, IPAM is used. Therefore, the segment, subnet and T1 logical route had to be selected. If IPAM is not configured, you must specify the VIP and select the T1 logical route.

Note: If the virtual service is scaled out with N+M or Active/Active mode, change se_tunnel_mode from 0 to 1 under the SE Group properties.


[admin:1234]: > configure serviceenginegroup <SEG Name>
[admin:1234]: serviceenginegroup> se_tunnel_mode 1
Overwriting the previously entered value for se_tunnel_mode
[admin:1234]: serviceenginegroup> save

After enabling se_tunnel_mode, NSX Advanced Load Balancer ensures that the return path runs from the back-end server to the secondary SE, then to the primary SE, and then to the client, so the distributed firewall (DFW) does not drop the traffic.

Document Revision History

Date | Change Summary
June 17, 2021 | Updated the content for additional OVF properties (Version 20.1.6)
December 22, 2020 | Multiple NSX-T Clouds (Version 20.1.3)
July 30, 2020 | Published the Installation Guide for NSX-T Integration with Avi Vantage (Version 20.1.1)
May 18, 2020 | Published the Installation Guide for NSX-T Integration with Avi Vantage (Tech Preview)