Installing NSX ALB in Oracle Cloud VMware Solutions

Overview

About Oracle Cloud VMware Solution

Oracle Cloud VMware Solution (OCVS) is one of the fastest and most flexible ways to extend, migrate and run your VMware-based applications in Oracle Cloud without changes to your apps, tools, or processes.

Oracle Cloud VMware Solution is a fully customer-managed service that lets you run your own VMware platform in Oracle Cloud. OCVS provides VMware operational consistency so you can benefit from a cloud consumption model and lower your total cost of ownership. OCVS also offers on-demand provisioning, pay-as-you-grow, and capacity optimization. The service provides all the hardware and VMware licenses you need to run a dedicated VMware SDDC in Oracle Cloud.

About NSX Advanced Load Balancer (NSX ALB)

VMware NSX Advanced Load Balancer (NSX ALB, also known as Avi Vantage) is an enterprise-grade, full-featured load balancer, web application firewall and GSLB solution. Avi is a software-based, distributed solution that provides application delivery features in both private and public cloud environments.

Network Services in Oracle Cloud VMware Solution

The following diagram shows the high-level network architecture of Oracle Cloud VMware Solution inside Oracle Cloud Infrastructure's network services (Private Cloud VMware Network services).

OCVM

As depicted in the above diagram, Oracle Cloud VMware Solution is pre-provisioned with the following NSX-T network configurations:

  • Tier-0 Gateway configured in Active/Standby mode
  • North-bound connectivity through a default route on tier-0 gateway
  • Pre-provisioned tier-1 gateway for workload segment connectivity
  • Route advertisement enabled on pre-provisioned tier-1 gateway
  • Route redistribution enabled on tier-0 gateway internal networks
  • Ability to enable routing to/from native OCI resources and services
  • Outbound internet access for SDDC workloads with an option to disable or convert to inbound/outbound

Customers have root access to fully manage their NSX-T network configuration such as:

  • Creating overlay segments and connecting workloads
  • Deploying additional Tier-0 or Tier-1 Gateways
  • Deploying distributed services such as DFW
  • Deploying stateful services such as Load Balancer, DNS and DHCP on Tier-1 Gateway
  • Control routing or NATing between the SDDC and local or remote Oracle Cloud or On-Prem networks

NSX Advanced Load Balancer for Oracle Cloud VMware Solution

Avi-OCVM

Avi provides load balancing for applications running in the Oracle Cloud VMware Solution SDDC. Avi is integrated as a second-party load balancing solution: the Avi Controller communicates with NSX Manager and VMware vCenter inside the Oracle Cloud VMware Solution SDDC. This integration lets Avi deploy and manage Service Engines automatically based on demand, giving an elastic, automated approach to load balancing. Avi uses the same NSX-T Cloud Connector mode of operation in Oracle Cloud VMware Solution as in an on-premises NSX-T deployment, because the VMware objects Avi works with (vCenter clusters and port groups, NSX-T Tier-1 gateways and segments) are the same in both environments. The following schematic provides an overview of the integration:

Key points in the above deployment:

  • The NSX Advanced Load Balancer Controller is a cluster of 3 control plane VMs. It is recommended to run the Controllers within the Oracle Cloud VMware Solution SDDC. The Service Engines need IP reachability to the Controllers.
  • The Controller connects with the NSX-Manager and VMware vSphere vCenter within Oracle Cloud VMware Solution and discovers the VMware objects such as Port groups, clusters, NSX T1, Segments etc.
  • The Controller automatically deploys an Avi Service Engine (SE), which is the data path instance. The Avi SE is a virtual machine running within the Oracle Cloud VMware Solution SDDC.
  • The Controller ensures that the NSX-T DFW is programmed correctly to allow traffic.
  • NSX Advanced Load Balancer allows for various deployment configurations of the underlying NSX system, such as shared segment for the Virtual Service front-end IP (VS IP) and pool members, as well as dedicated segments for each.
  • NSX Advanced Load Balancer also supports the default Tier 1 gateway as well as additional Tier 1 gateways created within Oracle Cloud VMware Solution by the customer.
  • NSX Advanced Load Balancer supports various VLAN-backed segment topologies, but these are generally not applicable in Oracle Cloud VMware Solution: although OCVS supports OCI VLAN-backed port groups, workloads are normally placed on the NSX-T overlay segments that customers create, and that is the topology this guide covers.

Installing NSX Advanced Load Balancer for Oracle Cloud VMware Solution

The following sections discuss the installation steps in detail.

Prerequisites

Licensing

  • NSX Advanced Load Balancer only supports the Enterprise Edition license for OCVS integration. To know more about the Enterprise Edition license, see License Management on NSX Advanced Load Balancer.
  • NSX ALB licenses can be added to the Controller at any time as required. The licenses are available at my.vmware.com. Log in to your account at my.vmware.com to access the VMware serial key (DLF).
  • NSX ALB Controllers manage licenses and the central capacity pool for NSX ALB Service Engines.
  • NSX ALB allows for a 10% overage of the total license capacity.

Role Requirements

  • The Avi Controller requires the NSX Network Engineer role or higher.
  • The Avi Controller requires the VMware vCenter permissions defined in Roles and Permissions for vCenter NSX-T Users.
  • You can use the administrator@vsphere.local credentials shown in the Oracle Cloud console, or any account you have created whose role carries the permissions required for the integration. For production, a dedicated account holding only those permissions is preferable to the built-in administrator, since the credentials are stored on the Controller as cloud connector credentials.

Content Library

The Avi Controller uploads the Service Engine image to a content library on the vCenter server and uses it to create a new virtual machine (VM) every time a new Service Engine is required. The content library must be created on vCenter before the NSX-T cloud is configured.

  1. In the vCenter vSphere client, navigate to Content Libraries.

    Content Library

  2. Click on Create. The New Content Library wizard opens.

  3. In the Name and location page, enter the Name and select a vCenter Server instance for the content library as shown below:

    Content Library

  4. Click on Next.

  5. In the Configure content library page, select Local content library.

    Content Library

  6. Click on Next.

  7. In the Add storage page, select a datastore as the storage location for the content library contents.

    Storage

  8. Click on Next.

  9. In the Ready to complete page, review the details.

    Ready

  10. Click on Finish.
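The same content library can be created without the vSphere Client. The script below is an added example written for this page, not Oracle's or VMware's code; it drives the vSphere Automation REST API (POST /api/session, GET /api/vcenter/datastore, POST /api/content/local-library) from the Python standard library. The vCenter hostname, account, library name and datastore name are assumptions read from environment variables, and the VC_CA_BUNDLE path is an assumption: point it at a PEM file holding the SDDC vCenter's CA instead of disabling certificate verification.

```python
"""Added example (not from the original page): create the local content
library the Avi Controller needs through the vCenter REST API.
Hostnames, names and the CA bundle path are assumptions for your SDDC."""
import base64
import json
import os
import ssl
import urllib.request

CA_BUNDLE = os.environ.get("VC_CA_BUNDLE")  # assumption: PEM with the SDDC vCenter CA; verification stays on


class VCenter:
    """Minimal vSphere Automation API client: POST /api/session once (HTTP basic auth),
    then send the returned token in the vmware-api-session-id header."""

    def __init__(self, host, username, password, ca_bundle=CA_BUNDLE):
        self.host = host
        ctx = ssl.create_default_context(cafile=ca_bundle)  # cafile=None falls back to the system trust store
        self.opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
        basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Content-Type": "application/json"}
        token = self.call("POST", "api/session", headers={"Authorization": f"Basic {basic}"})
        self.headers["vmware-api-session-id"] = token

    def call(self, method, path, body=None, headers=None):
        req = urllib.request.Request(f"https://{self.host}/{path}", method=method,
                                     data=json.dumps(body).encode() if body is not None else None,
                                     headers={**self.headers, **(headers or {})})
        with self.opener.open(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None


def library_spec(name, datastore_id):
    """Body for POST /api/content/local-library: a LOCAL library backed by one datastore."""
    return {"name": name, "type": "LOCAL",
            "storage_backings": [{"type": "DATASTORE", "datastore_id": datastore_id}]}


def pick_datastore(datastores, name):
    """Resolve a datastore name to its id from GET /api/vcenter/datastore output;
    refuse to guess when the name is missing or ambiguous."""
    matches = [d["datastore"] for d in datastores if d["name"] == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one datastore named {name!r}, found {len(matches)}")
    return matches[0]


def create_library(vc, name, datastore_name):
    """Create the library and return its id (needed later when the vCenter is added to the NSX-T cloud)."""
    ds_id = pick_datastore(vc.call("GET", "api/vcenter/datastore"), datastore_name)
    return vc.call("POST", "api/content/local-library", library_spec(name, ds_id))


if __name__ == "__main__":
    vc = VCenter(os.environ["VC_HOST"],                                  # assumption: vCenter FQDN
                 os.environ.get("VC_USER", "administrator@vsphere.local"),
                 os.environ["VC_PASSWORD"])
    print(create_library(vc, "avi-se-library", os.environ.get("VC_DATASTORE", "vsanDatastore")))
```

The id printed at the end is the value the Controller asks for when the vCenter server is attached to the NSX-T cloud. The datastore lookup deliberately fails on zero or multiple matches rather than picking the first hit, so a Service Engine image never lands on an unintended datastore.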

Deploying the Avi Controller OVA

The Avi Controller cluster VMs are deployed using OVA, connected to the same management port group as the NSX-T Manager.

To deploy the Avi Controller OVA,

  1. Log in to the vCenter server through a vCenter client, using the fully-qualified domain name (FQDN). From the Cluster Actions menu, select Deploy OVF Template.

    OVA

  2. Select the controller.ova file from your local machine.

  3. In the Deploy OVF Template wizard,
    • Select the VM name and the location to deploy.

      OVA

    • Select the compute resource.

      OVA

    • Review the details.

    • Select the vSAN Datastore for the deployment location

      OVA

    • Choose a management network for the Avi Controller.

      OVA

    • Enter the management IP address, subnet mask and default gateway. If DHCP is used, leave these fields empty.

      Note: Using static IP address is recommended for production setups.

      OVA

  4. Review the settings and click on Finish. Power on the virtual machine.

Setting up the Avi Controller

This section shows the steps to perform initial configuration of the Avi Controller using its deployment wizard. You can change or customize settings following initial deployment using the Avi Controller’s web interface.

To complete the setup,

  1. Navigate to the Avi Controller IP on your browser.

    Note: While the system is booting up, a 503 status code or a page with the following message will appear: "Controller is not yet ready. Please try again after a couple of minutes". Wait for about 5 to 10 minutes and refresh the page. Then follow the instructions below for the setup wizard.

  2. Enter the admin details as shown below:

    initial setup

    Note: The Email Address is required for admin password reset in case of lockout.

  3. Enter the backup passphrase, DNS server information.

    initial setup

    Note: The DNS Server configured here must be able to resolve the vCenter FQDN. You can configure a stub zone in the local DNS to replicate the records from the Oracle Cloud VCN’s Private DNS zone, or, configure a DNS listener endpoint in your VCN and then either use that as the

  4. Configure the Email/SMTP information.

    initial setup

  5. Click on Save.

Creating an NSX-T Cloud

To create an NSX-T cloud, log into the Avi Controller and follow the steps given below:

Create Credentials

  1. Navigate to Administration > User Credentials, click on Create, provide a name for the Credential, select NSX-T as the Credentials Type and provide NSX username and password which you can find in the SDDC Information page of the OCI Console.

    nsxt-cloud.png

  2. Click Save. Repeat the same steps with Credentials Type set to vCenter to create the vCenter credentials.

Configuring Cloud

  1. Navigate to Infrastructure > Clouds. Click on Create and select NSX-T Cloud.

configure-cloud

  2. In the General section, as shown in the image above:
    • Enter the Name of the NSX-T cloud.
    • Check the DHCP option if the SE management segment has DHCP enabled.
    • Enter a Prefix String. The prefix string may contain only letters, numbers and underscores, and it cannot be changed once the cloud is created; the Controller uses it to name the objects it creates in NSX-T and vCenter.
    • Enter the NSX-T Manager hostname or IP address as the NSX-T Manager Address and select the NSX-T Manager Credentials created above.
    • Click on Connect to authenticate with the NSX-T Manager.

  3. In the Management Network section:
    • Select the required Transport Zone from the drop-down.
    • Select the Tier-1 Logical Router ID and the Segment ID of the segment to which the Service Engines' management interfaces will connect.

    management-network

  4. In the Data Networks section:
    • Select the Tier-1 gateway and the logical segment for VIP placement.
    • Click on Add to select one more Tier-1 router and a connected logical segment for VIP placement.

    data-networks

  5. Under vCenter Servers, click on Add. Enter the vCenter Server Name and configure the vCenter credentials. Click on Connect.

  6. Select the Content Library created earlier and click on Done.

    new-vcenter

  7. Select the IPAM/DNS Profile, as required. Click on Save to create the NSX-T cloud.
    Once the cloud connector has authenticated and discovered the inventory, the Cloud Connector Status turns green and the system is ready for creation of a Virtual Service.

Creating a Virtual Service

  1. In the Controller UI, navigate to Applications and click on CREATE VIRTUAL SERVICE > Basic Setup.

    vs

  2. Select the Cloud.

    vs

  3. Enter the name of the virtual service, its application type, and the VS VIP (create a new one if none exists yet):

    vs-details

  4. To create a new VS VIP, select the Tier-1 router on which the VIP will be placed.

    tier1

  5. Add a new VIP to the VS VIP object, assigning its address either with Auto-Allocate (from the IPAM profile selected for the cloud) or statically.

    new-vip

  6. Add the pool members and the Tier-1 Logical Router, then click on Save to create the Virtual Service. The Controller deploys a Service Engine on demand; once it is up, the Virtual Service comes up and is ready to process traffic.

    vs-ready
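The "Creating an NSX-T Cloud" and "Creating a Virtual Service" procedures above can also be driven through the Controller's REST API, which is what a repeatable SDDC build will want. The script below is an added example for this page, not code from VMware or Oracle. The controller hostname, the API version string, the NSX-T policy paths (transport zone, Tier-1 gateways, segments), the VIP subnet and network reference, the pool members and the content library id are all assumptions, shown as placeholders to replace with values from your SDDC. The object field names follow the cloudconnectoruser, cloud (NSX-T), vcenterserver, vsvip, pool and virtualservice schemas of the 21.1 release and should be checked against the /swagger page of your controller if it runs a different build.

```python
"""Added example (not from the original page): create the NSX-T cloud, attach
vCenter, and build a first virtual service on the Avi Controller via its REST
API.  Hostnames, NSX-T policy paths, subnets and the API version are
assumptions to replace with values from your SDDC."""
import http.cookiejar
import json
import os
import re
import ssl
import urllib.request

API_VERSION = "21.1.4"                       # assumption: set to your controller build
CA_BUNDLE = os.environ.get("AVI_CA_BUNDLE")  # assumption: PEM with the SDDC CA; keeps TLS verification on


class Avi:
    """Minimal Avi API client: POST /login, then return the csrftoken cookie as
    X-CSRFToken together with a Referer and X-Avi-Version header on every call."""

    def __init__(self, host, username, password, ca_bundle=CA_BUNDLE):
        self.host = host
        self.jar = http.cookiejar.CookieJar()
        ctx = ssl.create_default_context(cafile=ca_bundle)
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar), urllib.request.HTTPSHandler(context=ctx))
        self.headers = {"Content-Type": "application/json", "Referer": f"https://{host}/",
                        "X-Avi-Version": API_VERSION}
        self.call("POST", "login", {"username": username, "password": password})
        self.headers["X-CSRFToken"] = next(c.value for c in self.jar if c.name == "csrftoken")

    def call(self, method, path, body=None):
        req = urllib.request.Request(f"https://{self.host}/{path}", method=method, headers=self.headers,
                                     data=json.dumps(body).encode() if body is not None else None)
        with self.opener.open(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def create(self, obj, body):
        """POST /api/<obj>; the response carries the new object's url and uuid."""
        return self.call("POST", f"api/{obj}", body)


def credential(kind, name, username, password):
    """cloudconnectoruser body; kind is 'nsxt_credentials' or 'vcenter_credentials'."""
    return {"name": name, kind: {"username": username, "password": password}}


def nsxt_cloud(name, prefix, nsxt_url, nsxt_cred_ref, tz, mgmt_t1, mgmt_seg, vip_t1s, dhcp=True):
    """Overlay-backed NSX-T cloud. vip_t1s lists (tier1_path, segment_path) pairs,
    one per Tier-1 gateway that will host VIPs (the UI's Data Networks table)."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):  # same rule the UI enforces; immutable after creation
        raise ValueError("prefix string may contain only letters, numbers and underscore")
    return {"name": name, "vtype": "CLOUD_NSXT", "obj_name_prefix": prefix, "dhcp_enabled": dhcp,
            "nsxt_configuration": {
                "nsxt_url": nsxt_url, "nsxt_credentials_ref": nsxt_cred_ref,
                "management_network_config": {
                    "transport_zone": tz, "tz_type": "OVERLAY",
                    "overlay_segment": {"tier1_lr_id": mgmt_t1, "segment_id": mgmt_seg}},
                "data_network_config": {
                    "transport_zone": tz, "tz_type": "OVERLAY",
                    "tier1_segment_config": {
                        "segment_config_mode": "TIER1_SEGMENT_MANUAL",
                        "manual": {"tier1_lrs": [{"tier1_lr_id": t1, "segment_id": seg} for t1, seg in vip_t1s]}}}}}


def vcenter_server(name, url, cred_ref, cloud_ref, library_id):
    """vcenterserver body: attaches vCenter and the SE content library to the cloud."""
    return {"name": name, "vcenter_url": url, "vcenter_credentials_ref": cred_ref,
            "cloud_ref": cloud_ref, "content_lib": {"id": library_id}}


def virtual_service_objects(name, cloud_ref, tier1, vip_network_ref, vip_subnet, servers, port=80):
    """vsvip, pool and virtualservice bodies for one VS whose VIP is auto-allocated by
    IPAM from vip_subnet on the given Tier-1; servers is a list of (ip, port)."""
    addr, bits = vip_subnet.split("/")
    vsvip = {"name": f"{name}-vip", "cloud_ref": cloud_ref, "tier1_lr": tier1,
             "vip": [{"vip_id": "1", "auto_allocate_ip": True,
                      "ipam_network_subnet": {"network_ref": vip_network_ref,
                                              "subnet": {"ip_addr": {"addr": addr, "type": "V4"}, "mask": int(bits)}}}]}
    pool = {"name": f"{name}-pool", "cloud_ref": cloud_ref, "tier1_lr": tier1,
            "servers": [{"ip": {"addr": ip, "type": "V4"}, "port": p} for ip, p in servers]}
    vs = {"name": name, "cloud_ref": cloud_ref, "services": [{"port": port}]}
    return vsvip, pool, vs


def main():
    avi = Avi(os.environ["AVI_CONTROLLER"], "admin", os.environ["AVI_PASSWORD"])  # assumption: controller FQDN
    nsx_cred = avi.create("cloudconnectoruser", credential("nsxt_credentials", "ocvs-nsx", "admin", os.environ["NSX_PASSWORD"]))
    vc_cred = avi.create("cloudconnectoruser", credential("vcenter_credentials", "ocvs-vc", os.environ["VC_USER"], os.environ["VC_PASSWORD"]))
    t1_data = "/infra/tier-1s/<data-t1-id>"                     # placeholder NSX-T policy paths: replace all <...>
    cloud = avi.create("cloud", nsxt_cloud(
        "ocvs-nsxt", "avi", "nsxmgr.sddc.example", nsx_cred["url"],
        "/infra/sites/default/enforcement-points/default/transport-zones/<overlay-tz-id>",
        "/infra/tier-1s/<mgmt-t1-id>", "/infra/segments/<avi-mgmt-segment>",
        [(t1_data, "/infra/segments/<avi-vip-segment>")]))
    avi.create("vcenterserver", vcenter_server("ocvs-vc", "vcenter.sddc.example", vc_cred["url"],
                                               cloud["url"], os.environ["CONTENT_LIBRARY_ID"]))
    vsvip, pool, vs = virtual_service_objects("web", cloud["url"], t1_data, os.environ["VIP_NETWORK_REF"],
                                              "10.0.20.0/24", [("10.0.30.11", 8080), ("10.0.30.12", 8080)])
    vs["vsvip_ref"] = avi.create("vsvip", vsvip)["url"]
    vs["pool_ref"] = avi.create("pool", pool)["url"]
    print("virtual service", avi.create("virtualservice", vs)["uuid"])


if __name__ == "__main__":
    main()
```

The prefix check mirrors the UI rule quoted in the cloud configuration steps and is worth enforcing client-side because the field cannot be corrected after the cloud exists. NSX-T and vCenter passwords are read from the environment rather than written into the script, and the CA bundle keeps certificate verification on for the Controller, which is holding those credentials on your behalf.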