23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx

Confidential │ ©2022 VMware, Inc.
Deep dive into VMware Cloud
Director (vCD) and NSX Advanced
Load Balancer (NSX ALB) integration
Md Abdul Aziz, Senior Technical Product Line Manager
June 2023
Public Webinar

Confidential │ ©2022 VMware, Inc. 2
Disclaimer
This presentation may contain product features or functionality that are currently
under development.
This overview of new technology represents no commitment from VMware to deliver
these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders,
or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new features/functionality/technology discussed
or presented, have not been determined.
The information in this presentation is for informational purposes only and may not be incorporated into any contract. There is no commitment or obligation to deliver any
items presented herein.

Agenda VMware NSX Advanced Load Balancer (Avi)
Overview
NSX Advanced Load Balancer with VMware Cloud Director
Integration Overview
Integration – Provider’s Operations
Tenant Portal Operations
Future Roadmap
Demo

Advanced Load Balancing
Critical for Any Digital Transformation and Cloud
We Live in Application Economy
Application Experience = Business Growth & Customer Satisfaction
195M Apps in 2021  750M Apps in 2025 as per IDC
Every Application Requires Advanced Load Balancers
NSX ALB Enables Better Application Experience
Fundamental building block as Compute, Network, Storage & Security

Use Cases for Cloud Services Providers to Create New Revenue Streams
Universal solution for Land and Expand, CSP’s Customers Start with One Use Case and Expand
Load Balancing
in Private Cloud
Load Balancing in
Hybrid Clouds
Load Balancing for
Modern Apps
Load Balancing for
EUC/VDI
Web Application
Security
Automation
Self-service
Elasticity
Rich analytics
Cloud-native experience
Multi-cloud consistency
Rich analytics
Integrated LB, Ingress,
GSLB, App Security
K8s-native automation
Rich analytics
Comprehensive security
Elastic scale across clouds
Ease of use
Rich analytics
Integrated with Horizon
Multi-site, multi-cloud
Ease of use
Rich analytics
Network & Platform
team
Cloud architects
Platform team
Platform team
App security team
Platform team
Desktop infrastructure
Network team

Control Plane
Bare Metal Virtualized Containers
ON PREMISES
PUBLIC CLOUD
Centralized policies and full lifecycle management
NSX Advanced Load Balancer Distributed Architecture
Data Plane
NSX Advanced Load Balancer
Controller
(Customer-managed | SaaS)
ELASTICITY
Application Services Fabric
ANALYTICS /
OBSERVABILITY
AUTOMATION
CENTRAL
ORCHESTRATION
RESILIENCE
PULSE

NSX ALB Enables Cloud Operating Model for Load Balancing
Business Agility, Operational Simplicity, and Cost Savings for Any Cloud
AUTOMATION UTILIZATION TROUBLESHOOTING INTEGRATION
Legacy
Load Balancers
(F5, Citrix, A10)
Not Designed for
Cloud Operating Model
!
Highly
Over-Provisioned
!
Hard to
Troubleshoot
!
Not Integrated with
VMware Stacks
!
Manual configs of each
appliance, Lacks elasticity,
Complex
Less than 15% utilization,
No active-active
Finger pointing among server,
network,
app teams
Complex to deploy,
lacks unified automation
& visibility
VMware
NSX Advanced
Load Balancer
Built for Cloud
Operating Model
Optimal Capacity
Management
Easy to
Troubleshoot
Integrated with
VMware Stacks
Zero tickets, Self Service
automation, Elastic auto-scale,
Software defined
High Utilization, Zero touch
auto-scale, Active-Active
Stop the blame game
with rich and contextual
analytics
Validated design;
Unified automation
workflows & visibility

VMware Cloud Director
• 10.2.x and onwards
• vCenter: 6.7, 7.0
• NSX-T : 3.x
• NSX ALB (Avi)
• Depends on VCD version
• Licensing
• 10.3.0 and lower – Avi Basic default with option to upgrade to Avi Enterprise
• 10.4.0 and higher - NSX ALB Standard and Premium Edition within vCD.
LBaaS
NSX ALB + NSX-T + VCD

Snapshot/Summary of NSX ALB Capabilities in VCD
Tenant Admin
Provider Admin
 Onboard NSX ALB to provide LBaaS
 Expose LBaaS (SE-Group) to respective Tenants
 Dedicated or Shared
 Quota/Limit the LBaaS capacity per Tenant
 Monetize LBaaS billing Tenants
 Manage the Lifecyle
 Create/Delete, Upgrade
 LB Sizing and System settings (via NSX ALB UI)
 Certificates Management (via NSX ALB UI)
 Out of Band additional functionality (via NSX ALB UI)
 Self-consume LB services in Standard or Premium
 Standard provides L4, L7 LB, SSL with IPv4 and IPv6
 Premium = Standard + (Metrics/Analytics + Elastic HA)
+ (additional LB Algos and Persistence options).
Upcoming
 Automated Billing with Usage Meter (1H CY23)
 More vCD in-built LB capabilities (2H CY23)
 Custom Monitors, HTTP Policies, WAF
 ** Enhancements to Multi-tenancy *** (Q4 FY24)
*Currently it is not possible to give access to AVI portal/UI to tenants: VCD uses a single service account to access Avi

with VMware Cloud Director
Integration Overview

NSX-T Manager
vCenter
Avi Controller
API
ESXI
API
ESXI
Deploy SEs
on ESXi
ESXI
Notifications
Provider VDC
NSX-T backed virtual data centers
LBaaS in VMware Cloud Director
Network Pool (Overlay Transport Zone)
The integration happens through an
NSX-T Cloud configured in NSX
ALB before being imported in
NSX ALB controllers deployed and
managed by provider
NSX-T Cloud and PVDC Network
Pool must use the same Geneve
Network Pool
Core load balancing functionality
provided via integration with NSX
Advanced Load Balancer (Avi)
Avi Service Engine Groups are set
up with DHCP on a management
network and imported to VMware
Cloud Director

BRAVO
ALPHA
LBaaS with VMware Cloud Director
Provided by NSX Advanced Load Balancer (Avi)
Tenant has full self-service UI and API
load balancing service in VCD
Tenant has full analytics on capacity,
utilization and performance of the virtual
services
Provider has option to assign both
shared or dedicated server engine
groups to edge gateways
Provider can specify policies on number
of virtual services
L4, L4 SSL/TLS, HTTP and HTTPS
Tier-0 Gateway Tier-0 Gateway
Tier-1
Gateway
Tier-1
Gateway
Pool for Virtual Service 1 – SEG-A Pool for Virtual
Service 2 – SEG-A
Pool for Virtual
Service 3 – SEG-B
Service Engine
Group A – SEG-A
(shared)
Service Engine Group
B – SEG-B
(dedicated)

BRAVO
ALPHA
External Network
(Tier-0/VRF)
Org VDC Edge
Gateway (Tier-1)
Service networks
Pool A1
Pool A2
Pool B1
Avi Service Engines Management
Network Segment
Org VDC Org VDC
Tier-1 Avi
Management
Tier-0
Management
192.168.255.0/25
192.168.255.0/25
Static route for VIP to
Service Engines
Static route for VIP to
Service Engines
Management
10.67.10.0/24 10.67.10.0/24
10.67.20.0/24
Org VDC Edge
Gateway (Tier-1)
Under the hood – Logical view
NSX ALB (Avi) Integration with VMware Cloud Director
VMware Cloud Director Management

Under the hood – Physical view
DHCP is configured on the management
and service segments
Org VDC
Service Engine Group Load Balancer Pool

Provider and tenant responsibilities
Cloud Director
NSX ALB
Controller
Tenant A
Admin
Tenant B
Admin
Provider Admin
Day 0 – NSX ALB UI
NSX ALB controllers deployed and
managed
NSX-T Cloud configuration
Service Engine Group(s)
configuration
Day 1 – VCD Tenant
Create and configure Virtual Services
NSX-T
Manager
Day 1 – Automated (Avi / VC / NSX-T)
Service Engine VMs are created
Service Engine interfaces are connected to Virtual
Service Segment
DFW policies are updated to allow load balanced
traffic
Day 0 – VCD Provider
Connect AVI in VCD
Import NSX-T Cloud(s)
Import Service Engine Group(s)

NSX ALB Integration with
Extend to Avi Enterprise features not exposed
in VMware Cloud Director as additional
Managed Services

Although some advanced features are not exposed in VMware Cloud Director, they can be provided
as a managed service*.
This includes (but is not limited to):
Extend to Avi Enterprise Features not Exposed in VCD
WAF
*It is not possible to give access to AVI portal to tenants: VCD uses a single service account to access Avi
VS Traffic Logs HTTP Policies

Demo

Thank You
Confidential │ ©2022 VMware, Inc.
Contact (mdabdula@vmware.com) for more
information or to provide feedback.

Appendix A
New controller certificate

Templates > Security > SSL/TLS Certificates
Create a new certificate for the controller

Administration > Settings > Access Settings
Assigned the new certificate to the Avi Controller(s)

Appendix B
Troubleshooting

Where to find logs?
• On the Avi controller, navigate to the /opt/avi/log folder
• NSX-T Cloud logs: cloudconnectorgo.*
How to use the Avi CLI?
• When logged into the Avi Controller:
– shell --user <controller username> --password <controller password>
Troubleshooting

Avi Controllers continually exchange information securely with Avi Service Engines (SEs).
• Documentation: https://avinetworks.com/docs/20.1/controller-se-secure-communication/
Logging to service engines can be useful, especially to test connectivity to the controllers:
• The service engines have a default password which can be found in the download portal (may differ by
version)
Avi Controller to SE Communication

Integration – Provider’s operations

Step-by-step integration workflow
NSX Advanced Load Balancer with VMware Cloud Director
Environment
Preparation
NSX ALB
Controller
Configuration
Service Engine
Group(s)
Configuration
Avi Controller
Registration
NSX ALB
Controller
Deployment
NSX-T Cloud(s)
Registration
Service Engine
Group(s) Import
NSX-T Cloud(s)
Configuration
NSX ALB UI
Provider Admin Portal
Repeat if
required
Repeat if
required
Repeat if
required
System is ready
for LBaaS
Progression
vSphere
NSX-T
Repeat if
required

Environment Preparation
Day 0 – NSX ALB controllers deployed and managed by the provider
Prerequisites are described in the Avi documentation and includes
• vSphere config (Content Library, permissions, etc.)
• NSX-T config (SE management network with DHCP, roles and
permissions, etc.)
– NSX-T DHCP configuration for the management networking is described in
Appendix A
Latency
• Latency among Avi controllers – Less than 10 ms
• Latency between any Avi SE to any Avi Controller – Less than 75 ms*
recommended
• Latency between Avi Controller and NSX-T Manager – Less than 10 ms
recommended
– Best practice is to co-locate in the same port group/management
infrastructure as NSX-T
• Latency between Avi Controller and VMware Cloud Director – Best
practice is to have have VCD cells in the same management
infrastructure as NSX-T manager and Avi controller
SYSTEM ADMIN
* There are some deployments with 80 msec with few changes to default Heartbeat and other settings
Environment
Preparation y

NSX ALB Controller cluster must be deployed as a cluster of three highly available virtual appliances
• It is recommended that the 3 Avi Controllers are on the same management network
Use the vSphere client to deploy Avi Controller OVA file:
• Follow the Deploy OVA Template wizard instructions
• For production, select Thick Provision Lazy Zeroed for disk format
• Choose a port group for Destination Networks in Network Mapping
• This port group will be used by the Avi Controller to communicate with vCenter
• Specify the management IP address and default gateway
Power on the VMs
Controller deployment
Environment
Preparation y
NSX ALB
Controller
Deployment
SYSTEM ADMIN

NSX Advanced Load Balancer UI
Controller configuration
Go through the initial configuration wizard (access the Avi
Controller IP/FQDN) on the first Avi controller:
• Admin account creation
• DNS/NTP configuration
• Select “No Orchestrator”
• Select “No” at the “Support Multiple Tenants” question
Form the controller cluster:
• Navigate to Administration > Controller and click Edit
• Enter the shared IP address for the Controller cluster
• Enter the IP addresses of the 2 additional controllers
By default, a fresh Avi deployment doesn’t have an SSL certificate
with a valid Subject Alternative Name (SAN)
• You need to create a new certificate and apply it to the controllers
before connecting VMware Cloud Director to Avi (Appendix B)
Environment
Preparation y
NSX ALB
Controller
Configuration
NSX ALB
Controller
Deployment
SYSTEM ADMIN

NSX-T Cloud configuration
Environment
Preparation y
NSX ALB
Controller
Configuration
NSX ALB
Controller
Deployment
NSX-T Cloud(s)
Configuration
SYSTEM ADMIN
Navigate to Infrastructure > Cloud and click Create > NSX-T Cloud
The first vNic of each service engines will be
connected to that management network (which
must be created upfront, with DHCP enabled)
vCenter information are required so that Avi can
lifecycle the service engine VMs
Geneve transport zone, which maps to the network
pool in VMware Cloud Director
An NSX-T cloud is defined by an NSX-T manager and a transport zone. If an
NSX-T manager has multiple transport zones, each will map to a new NSX-T
cloud. To manage load balancing for multiple NSX-T environments each
NSX-T manager will map to a new NSX-T cloud.
NSX-T Manager Address must be identical as
the one configured in VMware Cloud Director

Service Engine Group(s) configuration
Environment
Preparation y
NSX ALB
Controller
Configuration
Service Engine
Group(s)
Configuration
NSX ALB
Controller
Deployment
NSX-T Cloud(s)
Configuration
SYSTEM ADMIN
A service engine group has a unique set of compute characteristics that you define
upon creation. Its configuration is based on tenant requirements.
Navigate to Infrastructure > Service Engine Groups and select the
concerned Cloud, then click Create
Basic Settings:
• HA mode (if AVI Basic, then choose Active/Standby)
• Virtual Services per Service Engines
• Maximum Number of Service Engines
• Capacity and Limit (CPU, memory, disk)
Advanced:
• Placement options (only available in 20.1.3+)

VMware Cloud Director Provider Admin Portal
Avi Controller registration
A system administrator can register an AVI Controller
Cluster with VMware Cloud Director:
• Go to “Infrastructure Resources”  Controllers
• Click on “ADD” to add an AVI controller
• A provider can add multiple AVI controllers
Environment
Preparation y
NSX ALB
Controller
Configuration
Service Engine
Group(s)
Configuration
Avi Controller
Registration
NSX ALB
Controller
Deployment
NSX-T Cloud(s)
Configuration
SYSTEM ADMIN

NSX-T Cloud registration
A system administrator can add the NSX-T Cloud previously
configured in the NSX ALB UI to VMware Cloud Director:
• Go to “Infrastructure Resources”  NSX-T Clouds
– Note: the initial sync between VMware Cloud Director and NSX ALB may
take up to 15 mins after the NSX ALB Controller registration
• Click on “ADD” to add an NSX-T Cloud
Environment
Preparation y
NSX ALB
Controller
Configuration
Service Engine
Group(s)
Configuration
Avi Controller
Registration
NSX ALB
Controller
Deployment
NSX-T Cloud(s)
Registration
NSX-T Cloud(s)
Configuration
SYSTEM ADMIN

Service Engine Group(s) import
A system administrator can import Service Engine Group(s) :
• Go to “Infrastructure Resources”  Service Engine Groups
• Click on “ADD”
Environment
Preparation y
NSX ALB
Controller
Configuration
Service Engine
Group(s)
Configuration
Avi Controller
Registration
NSX ALB
Controller
Deployment
NSX-T Cloud(s)
Registration
Service Engine
Group(s) Import
NSX-T Cloud(s)
Configuration
SYSTEM ADMIN
Can be dedicated or shared

NSX ALB Integration with
Tenant Portal Operations

Just 4 steps away from your virtual service
Consuming NSX ALB from VMware Cloud Director Tenant Portal
Add Service Engine
Group(s) to the Edge
2
Enable Load Balancer
(per Edge Gateway)
1
Create Pool(s)
3
Create Virtual Services
4
System admin tasks Tenant tasks

Done per edge gateway
Enable Load Balancing Service SYSTEM ADMIN
Only change the default IPv4 service network (192.168.255.1/25) if it
overlaps an existing organization VDC network.
The services networks are an internal construct; as such, they are not
exposed to the tenant.
Before an organization administrator can configure load balancing services,
a system administrator must enable the load balancer on the NSX-T edge
gateway and assign at least one service engine group to the edge gateway
Transparent mode – This allows to configure
Preserve Client IP on a Virtual Service. URPF
Mode of Service Network will be set to NONE.

Assignments by edge gateway
Assign Service Engine Group(s) SYSTEM ADMIN
One edge gateway can have one or multiple
service engine groups assigned
For shared service engine groups, the system admin must
set the maximum and reserved number of virtual services
(within the capacity of the service engine group)
Transparent Mode requires Service Engine Groups with Legacy
Active/Standby HA Mode. Once SEGs are added, one can see if it is
supported or not in "Preserve Client IP" column on details pane.

Load Balancer Pool Creation ORG ADMIN
Notice the change of persona: pool
and virtual services can be
implemented by an organization user
(with sufficient permissions)
Note: Pool health status and pool member health status will remain Down until
a virtual service is created and service engines are deployed
Pool members can be added:
• individually with their IP
• by selecting a Dynamic Group, Static Group or IP Set (VCD 10.4.1 required).

Virtual Service Creation ORG ADMIN
VIP can be:
• An external network IP a public IP; no DNAT is required, but you cannot
use this IP for NAT anymore due do the internal packet processing of NSX-
T.
• An arbitrary internal IP (DNAT required)
• An IP on the same subnet as an org VDC network (VCD 10.4 required)
Constraints (for VMware Cloud Director 10.2.x and 10.3.x only). Those
constraints have been removed in 10.4:
• VIP can not use an Org VDC network IP
• VIP can not be an IPv6
Considerations: If you want to use an IPv6 service network to configure IPv6
virtual IP addresses for virtual services and IPv6 load balancer pool members,
verify that you enabled DHCPv6 for the NSX edge gateway.
Starting with version 10.4.1, VMware Cloud Director supports transparent load balancing.
Transparent mode indicates whether the source IP address of the client in incoming packets is visible to
the backend servers.
A pool with only a group-based membership is supported. List of IP addresses aren't allowed if Preserve
Client IP is selected.

Networking and Security for VMware Cloud Providers
NSX Data Center
• Distributed, in software and scalable firewall services
• Logical network and security across any workload
• Zero-trust protection for workloads
• Application Delivery Controller (ADC) with built-in WAF
• Consistent experience across multi-clouds
• Real-time visibility and security analytics
Multi-Tenancy
One-Click Deployment Containers Apps Monitoring Automation
Extensible
Open

Why Avi (NSX Advanced Load Balancer)?
Public cloud agility with enterprise class capabilities
ENTERPRISE CLASS
FEATURES
Full-featured L4-L7 LB
GSLB
Distributed WAF
CLOUD-NATIVE AUTOMATION
1-click App Provisioning
Elastic Autoscaling
DNS, IPAM, AZ Integration
PERVASIVE ANALYTICS
Real-time App Monitoring
Security Insights
Log Analytics
MULTI-CLOUD CONSISTENCY
Consistency Across Public
Clouds & On-Prem
Central Control and Management

23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx

Similar to 23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx (20)

More from Avi Networks

More from Avi Networks (16)

Recently uploaded

Recently uploaded (20)

23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx