Networking Design for Avi Vantage Platform
Overview
In the network design for the Avi Vantage Platform you provide two types of connectivity; management connectivity between the Avi Controllers and Avi Service Engines and data IP connectivity for the Avi Service Engines to service application traffic.
The following table summarizes the design decisions for the networking design support of the Avi Vantage platform:
| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| AVI-VI-VC-002 | Deploy the Avi Controller Cluster Nodes on the VMware Cloud Foundation Management Network. | The network is for traffic sourced from and destined to the Avi Controller Cluster Nodes. Administrative tasks, connectivity to Avi Service Engines and connectivity to network services will all use this network. | Using the same network for all 3 Avi Controller Cluster Nodes allows for configuring a floating cluster VIP; a single IP address that will be assigned to the cluster leader. |
| AVI-VI-VC-003 | Deploy the Avi Service Engines management vnic on a VMware Cloud Foundation Management Network. | This Avi Service Engines require a designated management network used to connect to the Avi Controller Cluster. | This network is for Avi Service Engine management, this is NOT used for load balanced application traffic and data. |
| AVI-VI-VC-004 | Configure one or more Data Network(s) for Avi Service Engines to service application services. | The Avi Service Engines require a data network to be used for providing access for load balanced applications and associated application health monitoring. | The Avi Service Engine needs to have a data nic assigned to every network that contains the IP subnets that will be used for load balanced VIPS. |
| AVI-CTLR-001 | Use static IPs for Avi Controllers if DHCP cannot guarantee a permanent lease. | Avi Controller cluster uses management IPs to form and maintain quorum for the control plane cluster. Any changes would be disruptive. | Avi Controller control plane might go down if the management IPs of the Avi Controller change. |
| AVI-CTLR-002 | Latency between Avi Controllers must be <1ms. | Avi Controller quorum is latency sensitive. | Avi Control plane might go down if latency is high. |
| AVI-VI-001 | Reserve an IP in the management subnet to be used as the Cluster IP for the Avi Controller Cluster | A floating IP that will always be accessible regardless of a specific individual Avi Cluster node | Admin problem solving is required to figure out how to access the Avi cluster if the specific node being accessed is unavailable |
Connectivity for the Avi Vantage Platform
When configuring the Avi Vantage Platform, consider the following best practices:
Management connectivity — Reserve/carve out sufficient IP addresses in a subnet for Controllers and Service Engines management access.
-
Have sufficient IP addresses available for future growth.
-
Subnet assigned for Controller management and Service Engine management could be different.
-
IP connectivity between the Controller and the Service Engine management subnets.
Data IP connectivity for Service Engines — Have sufficient IPs available in the subnets mapped to the port-groups / segments used for data traffic
-
Each Service Engine VM assigned to a particular data port-group would consume an IP address mapped to the port-group.
-
Up to 9 data port-groups can be connected per Service Engine VM.
-
Have sufficient IP addresses available for future growth.
-
Have sufficient IP addresses reserved for virtual service IP addresses (VIPs) if load-balanced applications (virtual services) would use IP addresses in the subnet mapped to the data port-groups.
Port Requirements in Avi Vantage Platform
| Port | Protocol | Source | Destination | Description |
|---|---|---|---|---|
| Avi Controller to Controller Access | ||||
| 22 | TCP | Avi Controller Cluster Nodes | Avi Controller Cluster Nodes | secure-channel over SSH |
| 443 | TCP | Avi Controller Cluster Nodes | Avi Controller Cluster Nodes | access to portal over HTTPS (UI) |
| 8443 | TCP | Avi Controller Cluster Nodes | Avi Controller Cluster Nodes | secure key exchange portal over HTTPS |
| Avi Service Engine to Avi Controller Cluster Node Access | ||||
| 22 | TCP | Avi Service Engine management IPs | Avi Controller Cluster Nodes | secure-channel over SSH |
| 8443 | TCP | Avi Service Engine management IPs | Avi Controller Cluster Nodes | secure key exchange over HTTPS |
| 123 | UDP | Avi Service Engine management IPs | Avi Controller Cluster Nodes | NTP time synchronization |
| Avi Service Engine to Avi Controller Cluster Node Access | ||||
| 22 | TCP | Administrator user IPs | Avi Controller Cluster Nodes | SSH access to Avi Controller Cluster shell/CLI |
| 443 | TCP | Administrator user IPs | Avi Controller Cluster Nodes | HTTPS access to Avi Controller Cluster system portal (UI/SDK) |
| 161 | UDP | Administrator user IPs | Avi Controller Cluster Nodes | SNMP Poll |
| 5054 | TCP | Administrator user IPs | Avi Controller Cluster Nodes | (Optional) Avi Controller CLI through remote shell |
| Administration Access | ||||
| 22 | TCP | Admin User IPs | Avi Controller Cluster Nodes | SSH access to Avi Controller Cluster shell/CLI |
| 443 | TCP | Admin User IPs | Avi Controller Cluster Nodes | HTTPS access to Avi Controller Cluster system portal (UI/SDK) |
| 161 | UDP | Admin User IPs | Avi Controller Cluster Nodes | SNMP Poll |
| 5054 | TCP | Admin User IPs | Avi Controller Cluster Nodes | (Optional) Avi Controller CLI through remote shell |
| Avi Controller Cluster Nodes to external services | ||||
| 25 | TCP | Avi Controller Cluster Nodes | SMTP servers | SMTP notifications |
| 49 | TCP | Avi Controller Cluster Nodes | TACACS servers | TACACS+ |
| 53 | UDP | Avi Controller Cluster Nodes | DNS servers | DNS |
| 123 | UDP | Avi Controller Cluster Nodes | NTP servers | NTP |
| 389 | TCP/UDP | Avi Controller Cluster Nodes | LDAP servers | LDAP |
| 636 | TCP/UDP | Avi Controller Cluster Nodes | LDAP servers | LDAPs |
| 162 | UDP | Avi Controller Cluster Nodes | SNMP trap collectors | SNMP traps |
| 514 | UDP | Avi Controller Cluster Nodes | Syslog servers | Syslog notifications |
| Application Connectivity | ||||
| * | * | Application clients | Avi Service Engines | Open up the required TCP/UDP ports for the clients to communicate with the application. |
| * | * | Avi Service Engines | Application Servers | Open up the required TCP/UDP ports for the Avi Service Engines to communicate with the backend application servers. |