Deploy the NSX Advanced Load Balancer Controller VM to the Management Network in your vSphere IaaS control plane environment.

Prerequisites

Procedure

  1. Log in to the vCenter Server by using the vSphere Client.
  2. Select the vSphere cluster that is designated for management components.
  3. Create a resource pool named AVI-LB.
  4. Right-click the resource pool and select Deploy OVF Template.
  5. Select Local File and click Upload Files.
  6. Browse to and select the controller-VERSION.ova file you downloaded as a prerequisite.
  7. Enter a name and select a folder for the Controller.
    Option Description
    Virtual machine name avi-controller-1
    Location for the virtual machine Datacenter
  8. Select the AVI-LB resource pool as a compute resource.
  9. Review the configuration details and click Next.
  10. Select a VM Storage Policy, such as vsanDatastore.
  11. Select the Management Network, such as network-1.
  12. Customize the configuration as follows and click Next when you are done.
    Option Description
    Management Interface IP Address Enter the IP address for the Controller VM, such as 10.199.17.51.
    Management Interface Subnet Mask Enter the subnet mask, such as 255.255.255.0.
    Default Gateway Enter the default gateway for the Management Network, such as 10.199.17.235.
    Sysadmin login authentication key Optionally, paste the contents of an SSH public key so that SSH logins to the Controller shell can use key-based authentication instead of a password. You can leave the key blank.
    Hostname of Avi Controller Enter the FQDN or the IP address of the Controller.
  13. Review the deployment settings.
  14. Click Finish to complete the configuration.
  15. Use vSphere Client to monitor the provisioning of the Controller VM in the Tasks panel.
  16. Use the vSphere Client to power on the Controller VM after it is deployed.

Deploy a Controller Cluster

Optionally, you can deploy a cluster of three Controller nodes. A cluster is recommended in production environments for high availability and disaster recovery. If you run a single-node NSX Advanced Load Balancer Controller, the Backup and Restore feature is your only way to recover from a Controller failure, so you must use it.

To run a three-node cluster, deploy and power on two more Controller VMs after you deploy the first one. Do not run the initial configuration wizard or change the admin password on these two Controllers: when they join the cluster, they receive the configuration of the first Controller VM.

Procedure

  1. Go to Administration > Controller.
  2. Select Nodes.
  3. Click the edit icon.
  4. Add a static IP for Controller Cluster IP.
    This IP address must be from the Management Network.
  5. In Cluster Nodes, configure the two new cluster nodes.
    Option Description
    IP IP address of the controller node.
    Name Name of the node. The name can be the IP address.
    Password Password of the controller node. Leave the password empty.
    Public IP The public IP address of the controller node. Leave this empty.
  6. Click Save.
    Note: Once you deploy a cluster, you must use the controller cluster IP for any further configuration and not the controller node IP.

Power On the Controller

After you deploy the Controller VM, you can power it on. During the boot up process, the IP address specified during the deployment gets assigned to the VM.

After power on, the first boot process of the Controller VM can take up to 10 minutes.

Prerequisites

Deploy the Controller.

Procedure

  1. In the vCenter Server, right click the avi-controller-1 VM that you deployed.
  2. Select Power > Power On.
    The VM is assigned the IP address that you specified during deployment.
  3. To verify that the VM is powered on, access the IP address in a browser.
    When the VM comes online, the browser warns about the TLS certificate and the connection. This is expected at this stage: the Controller still serves its default self-signed certificate, which is replaced later in Assign a Certificate to the Controller.
  4. In the This Connection Is Not Private warning, click Show Details.
  5. Click visit this website in the window that appears.
    You are prompted for user credentials.

Configure the Controller

Configure the Controller VM for your vSphere IaaS control plane environment and set up a cloud.

To connect the load balancer control plane with the vCenter Server environment, the Controller requires several post-deployment configuration parameters. During the initial configuration of the Controller, a Default-cloud cloud is created where the first Controller is deployed. To allow the load balancer to service multiple vCenter servers or multiple data centers, you can create custom clouds of type VMware vCenter for each vCenter and data center combination. For more information, see NSX Advanced Load Balancer Components.

Prerequisites

Procedure

  1. Using a browser, navigate to the IP address that you specified when deploying the Controller.
  2. Create an Administrator Account.
    Option Description
    Username The administrator user name for initial configuration. You cannot edit this field.
    Password Enter an administrator password for the Controller VM.

    The password must be at least 8 characters and contain a combination of numeric, special, uppercase, and lowercase characters.

    Confirm Password Enter the administrator password again.
    Email Address (optional) Enter an administrator email address.

    It is recommended that you provide an email address for password recovery in a production environment.

  3. Configure System Settings.
    Option Description
    Passphrase Enter a passphrase for the Controller backup. The Controller configuration is automatically backed up to the local disk on a periodic basis, and the passphrase protects the sensitive fields in those backups. Store it in your password manager: a backup cannot be restored without the passphrase that was in use when it was taken. For more information, see Backup and Restore.

    The passphrase must be at least 8 characters and contain a combination of numeric, special, uppercase, and lowercase characters.

    Confirm Passphrase Enter the backup passphrase again.
    DNS Resolver Enter an IP address for the DNS server you are using in the vSphere IaaS control plane environment. For example, 10.14.7.12.
    DNS Search Domain Enter a domain string.
  4. (Optional) Configure the Email/SMTP settings.
    Option Description
    SMTP Source Select one of the following options None, Local Host, SMTP Server, or Anonymous Server.

    Default is Local Host.

    From Address Email address.
  5. Click Next.
  6. Configure the multi-tenant settings.
    1. Retain the default tenant access.
    2. Select Setup Cloud After and click Save .
      Note: If you did not select Setup Cloud After option before saving, the initial configuration wizard exits. The Cloud configuration window does not automatically launch and you are directed to a Dashboard view on the controller. In this case browse to Infrastructure > Clouds and configure the Cloud.
  7. Configure the VMware vCenter/vSphere ESX cloud. Click Create and select VMware vCenter/vSphere ESX as the cloud type.
    The NEW CLOUD settings page is displayed.
  8. Configure the General settings.
    Option Description
    Name Enter a name for the cloud. For example Custom-Cloud.
    Type The cloud type is VMware vCenter/vSphere ESX.
  9. (Optional) In the Default Network IP Address Management section, select DHCP Enabled if DHCP is available on the vSphere port groups.
    Leave the option unselected if you want the Service Engine interfaces to use only static IP addresses. You can configure them individually for each network.

    For more information, see Configure a Virtual IP Network.

  10. Configure the Virtual Service Placement settings.
    Option Description
    Prefer Static Routes vs Directly Connected Network for Virtual Service Placement Select this option to force the Service Engine VM to reach the server (Workload) network by routing through its default gateway instead of attaching a NIC to that network.

    By default, the Controller attaches a Service Engine NIC directly to the server network. In the vSphere IaaS control plane, the Service Engine must connect only to the Data Network and route to the Workload Network, so you must select this option.

    Use Static Routes for Network Resolution of VIP Leave this option unselected.
  11. Configure the vCenter/vSphere credentials.
    Click Set Credentials and enter the following details:
    Option Description
    vCenter Address Enter the vCenter Server hostname or IP address for the vSphere IaaS control plane environment.
    Username

    Enter the vCenter administrator user name, such as administrator@vsphere.local.

    The built-in administrator is the quickest path but grants the Controller far more rights than it needs. For production, create a dedicated vCenter role with only the required privileges and a service account that holds it. See VMware User Role for details.

    Password Enter the user password.
    Access Permissions

    Read: The Controller only reads the vCenter inventory; you create and manage the Service Engine VMs yourself.

    Write: The Controller creates and manages the Service Engine VMs.

    You must select Write for this deployment.

  12. Configure the Data Center settings.
    1. Select the vSphere Data Center where you want to enable Workload Management.
    2. Select the Use Content Library option and select the local content library from the list.
  13. Select SAVE & RELAUNCH to create the VMware vCenter/vSphere ESX cloud with the settings you configured.
  14. Configure the Network settings.
    Option Description
    Management Network Select the VM Network. This network interface is used by the Service Engines to connect with the Controller.
    Service Engine Leave the Template Service Engine Group empty.
    Management Network IP Address Management Select DHCP Enabled.
  15. (Optional) Configure the following network settings only if you do not select DHCP Enabled.
    Option Description
    IP Subnet Enter the IP subnet for the Management Network. For example, 10.199.32.0/24.
    Note: Enter an IP subnet only if DHCP is not available.
    Default Gateway Enter the default gateway for the Management Network, such as 10.199.32.253.
    Note: Enter a default gateway only if DHCP is not available.
    Add Static IP Address Pool Enter one or more IP addresses or IP address ranges inside the subnet. For example, 10.199.32.62-10.199.32.65.
    Note: Enter a static IP address pool only if DHCP is not available.
  16. Create an IPAM profile and configure IPAM/DNS settings.
    IPAM is required to allocate virtual IP addresses when virtual services get created.
    1. From the More actions menu of IPAM Profile, select Create.
      The NEW IPAM/DNS PROFILE page is displayed.
    2. Configure the IPAM Profile.
      Option Description
      Name User-defined string, such as ipam-profile
      Type

      Select AVI Vantage IPAM

      Allocate IP in VRF Deselect this option.
      Cloud Select Custom-Cloud from the drop-down list.
    3. Click Add in the Usable Network and select the Virtual IP network that you configured. This network is the primary network.
    4. Click SAVE.
  17. (Optional) Configure NTP settings if you want to use an internal NTP server.
    1. Select Administration > Settings > DNS/NTP.
    2. Delete any existing NTP servers and enter the IP address or FQDN of the NTP server you are using. For example, 192.168.100.1.
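Typos in these addresses are easy to make and only surface later, as Service Engines that never get an address or a Controller cluster IP that is unreachable. The Python below is an added example, not VMware or Avi code, that checks a network plan before you type it into the UI: the gateway must be a usable address inside the subnet, every static pool range (step 15) must lie inside the subnet and must not contain the gateway or overlap another range, and fixed addresses such as the Controller cluster IP and node IPs (see Deploy a Controller Cluster) must be inside the subnet, unique, and outside the pool. The subnets and gateways are taken from the examples in this topic; the cluster IP 10.199.17.50 and the node IPs 10.199.17.52 and 10.199.17.53 are assumed for the example.

```python
"""Sanity-check Controller / Service Engine network settings before entering them in the UI.
Added example; not VMware or Avi code. All addresses below are constructed for illustration."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_range(text: str) -> Range:
    """Parse the UI's 'start-end' pool syntax, or a single address, into an inclusive range."""
    parts = [p.strip() for p in text.split("-", 1)]
    return ipaddress.IPv4Address(parts[0]), ipaddress.IPv4Address(parts[-1])


def check_network_plan(subnet: str, gateway: str, pools: Iterable[str] = (),
                       reserved: Optional[Dict[str, str]] = None) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is consistent.

    subnet   CIDR of the network, e.g. '10.199.32.0/24'
    gateway  default gateway, which must be a usable address inside the subnet
    pools    static IP pool entries in the UI's 'start-end' form
    reserved {label: address} for fixed addresses (cluster IP, Controller node IPs) that
             must be inside the subnet, unique, and never handed out from the pool
    """
    problems: List[str] = []
    net = ipaddress.IPv4Network(subnet, strict=True)
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")

    ranges: List[Range] = []
    for entry in pools:
        lo, hi = parse_range(entry)
        if lo > hi:
            problems.append(f"pool {entry}: start is after end")
            continue
        if lo not in net or hi not in net:
            # Catches the classic mistyped octet (10.99.x.x for 10.199.x.x).
            problems.append(f"pool {entry} is not inside {net}")
            continue
        if lo <= gw <= hi:
            problems.append(f"pool {entry} contains the gateway {gw}")
        for plo, phi in ranges:
            if lo <= phi and plo <= hi:
                problems.append(f"pool {entry} overlaps {plo}-{phi}")
        ranges.append((lo, hi))

    seen: Dict[ipaddress.IPv4Address, str] = {}
    for label, addr in (reserved or {}).items():
        a = ipaddress.IPv4Address(addr)
        if a not in net:
            problems.append(f"{label} {a} is not inside {net}")
        if any(lo <= a <= hi for lo, hi in ranges):
            problems.append(f"{label} {a} would also be handed out from the static pool")
        if a in seen:
            problems.append(f"{label} {a} duplicates {seen[a]}")
        seen[a] = label
    return problems


if __name__ == "__main__":
    # Controller management network from the deployment steps; cluster IP and node IPs assumed.
    controller_plan = check_network_plan(
        "10.199.17.0/24", "10.199.17.235",
        reserved={"cluster IP": "10.199.17.50", "avi-controller-1": "10.199.17.51",
                  "avi-controller-2": "10.199.17.52", "avi-controller-3": "10.199.17.53"})
    # Service Engine management network with a deliberately mistyped pool start (10.99 for 10.199).
    se_plan = check_network_plan("10.199.32.0/24", "10.199.32.253",
                                 ["10.99.32.62-10.199.32.65"])
    print("controller network:", controller_plan or "ok")
    print("SE management network:", se_plan or "ok")
```

Run it once with your real values before step 15 and before filling in Cluster Nodes; an empty result means the addresses are at least mutually consistent, which is the part the UI does not check for you.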

Results

Once you complete the configuration, you see the Controller Dashboard. Select Infrastructure > Clouds and verify that the status of Custom-Cloud is green. The status can stay yellow for a while until the Controller has discovered all the port groups in the vCenter Server environment, after which it turns green.

Add a License

Once you configure the NSX Advanced Load Balancer, you must add a license to it. The Controller boots in evaluation mode that has all the features equivalent to an Enterprise edition license available. You must assign a valid Enterprise Tier license to the Controller before the evaluation period expires.

Prerequisites

Verify that you have the Enterprise Tier license.

Procedure

  1. In the NSX Advanced Load Balancer Controller dashboard select Administration > Licensing.
  2. Select Settings.
  3. Select Enterprise Tier
  4. Click SAVE.
  5. To add the license, select Upload from Computer.
    After the license file is uploaded, it appears in the Controller license list. The system displays the information about the license, including the start date and the expiration date.

Assign a Certificate to the Controller

The Controller must present a certificate to clients to establish secure communication. This certificate must have a Subject Alternative Name (SAN) that matches the NSX Advanced Load Balancer Controller cluster hostname or IP address.

The Controller ships with a default self-signed certificate, but that certificate does not carry the correct SAN, so clients (including the Supervisor) cannot validate it. Replace it with a certificate that has the correct SAN: either create a self-signed certificate on the Controller or upload an externally issued one.

For more information about certificates, see the Avi documentation.

Procedure

  1. In the Controller dashboard, click the menu in the upper-left hand corner and select Templates > Security.
  2. Select SSL/TLS Certificates.
  3. To create a certificate, click Create and select Controller Certificate.
    The New Certificate (SSL/TLS) window appears.
  4. Enter a name for the certificate.
  5. If you do not have a pre-created valid certificate, add a self-signed certificate by selecting Type as Self Signed.
    1. Enter the following details:
      Option Description
      Common Name

      Specify the fully-qualified name of the site. For the site to be considered trusted, this entry must match the hostname that the client entered in the browser.

      Algorithm Select either EC (elliptic curve cryptography) or RSA. EC is recommended.
      Key Size Select the key size (for EC, the curve) of the certificate's key pair:
      • SECP256R1 for EC certificates.
      • 2048-bit is the recommended minimum for RSA certificates.
    2. In Subject Alternate Name (SAN), click Add.
    3. If the Controller is deployed as a single node, enter the IP address or FQDN of the Controller VM, or both. Whatever you enter must be the management IP address you specified during deployment, or a name that resolves to it, because that is what clients connect to.
      If the Controller is deployed as a cluster of three nodes, enter the cluster IP or FQDN of the NSX Advanced Load Balancer Controller cluster, not the address of an individual node. For information about deploying a cluster of three controller nodes, see Deploy a Controller Cluster.
    4. Click Save.
    You need this certificate when you configure the Supervisor to enable the Workload Management functionality.
  6. Download the self-signed certificate that you create.
    1. Select Security > SSL/TLS Certificates.
      If you do not see the certificate, refresh the page.
    2. Select the certificate you created and click the download icon.
    3. In the Export Certificate page that appears, click Copy to clipboard against the certificate. Do not copy the key.
    4. Save the copied certificate for later use when you enable workload management.
  7. If you have a pre-created valid certificate, upload it by selecting Type as Import.
    1. In Certificate, click Upload File and import the certificate.
      The SAN field of the certificate you upload must have the cluster IP address or FQDN of the Controller.
      Note: Make sure that you upload or paste the contents of the certificate only once.
    2. In Key (PEM) or PKCS12, click Upload File and import the key.
    3. Click Validate to validate the certificate and key.
    4. Click Save.
  8. To change the portal certificate, perform the following steps.
    1. In the Controller dashboard, select Administration > System Settings.
    2. Click Edit.
    3. Select the Access tab.
    4. From SSL/TLS Certificate, remove the existing default portal certificates.
    5. In the drop-down, select the newly created or uploaded certificate.
    6. Select Basic Authentication.
    7. Click SAVE.
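The browser warning at first power-on and the SAN requirement in this topic come down to one question: does the certificate the Controller presents contain the cluster IP or FQDN that clients actually use? The Python below is an added example, not VMware or Avi code, that fetches the served certificate without trusting it, pulls the subjectAltName entries out of the DER encoding with a minimal scanner (it relies on the SAN extension OID appearing once in the certificate, which holds for normally issued certificates), and applies the rule browsers and the Supervisor use: an IP literal must appear as an IP Address entry, a host name as a DNS entry, and the Common Name counts for nothing. The sample extension, the host name avi-controller.example.test and the cluster IP 10.199.17.50 are constructed for the example so that it runs offline.

```python
"""Check that the certificate the Controller serves carries the SAN clients will look for.
Added example; not VMware or Avi code. The sample SAN extension and names are constructed."""
import ipaddress
import socket
import ssl
from typing import List, Tuple

SAN_OID = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17 (subjectAltName), as a DER TLV


def _der_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, index of the first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element; used only to build the offline sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def san_entries(der: bytes) -> List[Tuple[str, str]]:
    """Return [('DNS', name), ('IP Address', addr), ...] from a DER certificate (or any DER
    blob containing the subjectAltName extension). Other GeneralName types are skipped."""
    idx = der.find(SAN_OID)
    if idx < 0:
        return []  # no SAN at all, as with the Controller's default self-signed certificate
    pos = idx + len(SAN_OID)
    if der[pos] == 0x01:          # optional BOOLEAN 'critical' flag: 01 01 FF
        pos += 3
    if der[pos] != 0x04:          # OCTET STRING wrapping the extension value
        raise ValueError("malformed subjectAltName extension")
    _, pos = _der_len(der, pos + 1)
    if der[pos] != 0x30:          # SEQUENCE OF GeneralName
        raise ValueError("malformed subjectAltName extension")
    length, pos = _der_len(der, pos + 1)
    end, out = pos + length, []
    while pos < end:
        tag = der[pos]
        length, pos = _der_len(der, pos + 1)
        value, pos = der[pos:pos + length], pos + length
        if tag == 0x82:           # [2] dNSName
            out.append(("DNS", value.decode("ascii")))
        elif tag == 0x87:         # [7] iPAddress: 4 or 16 raw bytes
            out.append(("IP Address", str(ipaddress.ip_address(value))))
    return out


def cert_matches(entries: List[Tuple[str, str]], target: str) -> bool:
    """True when target (IP literal or host name) is covered by the SAN list. IP literals need an
    'IP Address' entry, host names a 'DNS' entry (exact or single-label wildcard); the subject CN
    is ignored, which is why a CN-only certificate fails even if the CN is correct."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    host = target.lower()
    for kind, value in entries:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            pattern = value.lower()
            if pattern == host:
                return True
            if (pattern.startswith("*.") and host.count(".") == pattern.count(".")
                    and host.endswith(pattern[1:])):
                return True
    return False


def fetch_server_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the DER certificate a server presents without trusting it. Verification is off on
    purpose: we want to inspect the default self-signed certificate, and getpeercert() returns {}
    in that mode, hence binary_form=True. Never reuse this context for a connection that carries
    credentials."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def sample_san_extension(dns_names: List[str], ips: List[str]) -> bytes:
    """Build a subjectAltName extension (constructed sample standing in for a real certificate)."""
    names = b"".join(der_tlv(0x82, n.encode("ascii")) for n in dns_names)
    names += b"".join(der_tlv(0x87, ipaddress.ip_address(ip).packed) for ip in ips)
    return der_tlv(0x30, SAN_OID + der_tlv(0x04, der_tlv(0x30, names)))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # python san_check.py <controller-ip-or-fqdn> <expected-name>
        found = san_entries(fetch_server_cert(sys.argv[1]))
    else:                    # offline: constructed cluster FQDN and cluster IP
        found = san_entries(sample_san_extension(["avi-controller.example.test"], ["10.199.17.50"]))
    print("SAN:", found)
    for target in (sys.argv[2:3] or ["10.199.17.50", "avi-controller.example.test", "10.199.17.51"]):
        print(f"{target}: {'covered' if cert_matches(found, target) else 'NOT covered'}")
```

Run it against the Controller after step 8 with the cluster IP or FQDN you will give the Supervisor; if the result is NOT covered, the Supervisor will reject the Controller's certificate for the same reason.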