Avi Networks — Technical Reference (18.2)

Copyright © 2020 Avi Networks, Inc.


Introduction

About Microsoft Azure

Microsoft Azure is a cloud computing service that offers hosting and related public cloud services, as well as developer products to build a range of programs from simple websites to complex applications.

Azure provides a set of modular cloud-based services with a host of development tools, including hosting and computing, cloud storage, data storage, translation APIs and prediction APIs. Figure 1 depicts a sample Azure deployment.

Figure 1. Azure deployment

About Avi Vantage

The Avi Vantage Platform provides enterprise-grade distributed ADC solutions for on-premises as well as public-cloud infrastructure. Avi Vantage also provides built-in analytics to diagnose and improve the end-user application experience, while making operations easier for network administrators.

Avi Vantage is a complete software solution which runs on commodity x86 servers or as a virtual machine and is entirely enabled by its REST API.

Purpose of This Guide

This document describes the process of provisioning and configuring Avi Vantage as an application delivery controller for application workloads running inside Azure.


Intended Audience

The document is intended for:

- Network administrators: To configure and operationalize the Avi Vantage solution.
- Azure system administrators: To provision the Avi Vantage solution.

We assume familiarity with:

- The basics of load balancing and application delivery.
- Basic Azure functionality. For detailed information, refer to the Microsoft Azure Documentation.

Overview

Use of Avi Vantage with Azure provides the following functionality:

- The Avi Vantage Controller is available as an Azure appliance (VHD).
- Once the Avi Controller is deployed, Azure account details and credentials are provided to it. It then connects to the Azure infrastructure and automatically provisions Service Engines as required.
- A single interface is available on the SE for control and data traffic (in-band management).
- VIP addresses are allocated from Azure IPAM.
- An optional public VIP can be allocated automatically to a virtual service, along with a private VIP address.

Installation Procedure

Prerequisites and Assumptions

Both Microsoft Azure and Avi Vantage provide a variety of configuration and deployment options, based on individual requirements. This guide makes the following assumptions regarding the infrastructure:

Privileges

- For the resource group where the Avi Controller is spawned, a role of contributor or higher is required.
- For the virtual network where the Avi Service Engine instances are to be deployed, a role of AviController or higher is required. For more details on creating the AviController role, refer to the Role Setup for Installation into Microsoft Azure KB article.
- Specific ports need to be allowed on the Service Engine and Controller management subnets to enable Controller-to-Service Engine communication. For details, refer to the Protocol Ports Used by Avi Vantage for Management Communication KB article.
- The Service Engine subnet should allow incoming TCP connections on port 7 from the IP address 168.63.129.16. This address is used by Azure to probe the Service Engine health. For more details on this requirement, refer to Microsoft's Understand load balancer probes article.
- Starting with 18.1.4, Avi Vantage supports the Azure Pay-as-you-go (Azure PAYG) license. Currently, Avi Vantage 18.1.4 has only beta support for the Azure PAYG license, so this version should be used in non-production environments only. You must choose the license type during cloud creation, and it cannot be changed later. For more information on the different types of licenses available for Azure deployment, refer to Azure Marketplace Licensing.

Networking

The resource group must have an Azure Virtual Network (VNet) configured with a subnet.
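The health-probe prerequisite above is easy to break with a broad deny rule that sits ahead of the allow in the Service Engine subnet's network security group. The Python below is an added example, not Avi or Microsoft code: it models Azure NSG first-match evaluation over a constructed rule set and reports whether TCP port 7 from 168.63.129.16 reaches the Service Engines. The AzureLoadBalancer tag resolving to that address and the platform default AllowAzureLoadBalancerInBound rule are Azure NSG behaviour; the rule set and addresses are constructed.

```python
import ipaddress

# From the guide: Azure probes Service Engine health from this address on TCP port 7.
# The AzureLoadBalancer service tag in NSG rules resolves to the same address.
PROBE_SOURCE = "168.63.129.16"
PROBE_PORT = 7

# Constructed sample rule set for a Service Engine subnet NSG (not a real deployment).
# Field names follow Azure security-rule properties. The broad deny at priority 100
# shadows the probe allow at priority 200, which is the misconfiguration this check catches.
SAMPLE_RULES = [
    {"name": "DenyLowPorts", "priority": 100, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "1-1023"},
    {"name": "AllowAzureProbe", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "7"},
]


def port_matches(port_range, port):
    """NSG destination port spec: '*', a single port, or an inclusive 'lo-hi' range."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def source_matches(prefix, src_ip):
    """NSG source spec: '*', the AzureLoadBalancer tag, a single IP or a CIDR.
    Other service tags are not resolved here and are treated as non-matching."""
    if prefix == "*":
        return True
    if prefix == "AzureLoadBalancer":
        return src_ip == PROBE_SOURCE
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False


def first_matching_rule(rules, src_ip, port, protocol="Tcp"):
    """Azure evaluates rules in ascending priority number; the first match decides.
    Returns that rule, or None when only the platform default rules apply."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["protocol"] not in ("*", protocol):
            continue
        if source_matches(rule["sourceAddressPrefix"], src_ip) and \
                port_matches(rule["destinationPortRange"], port):
            return rule
    return None


def probe_allowed(rules):
    """True when the Service Engine subnet NSG admits the Azure health probe.
    With no custom match, the default AllowAzureLoadBalancerInBound rule admits it."""
    rule = first_matching_rule(rules, PROBE_SOURCE, PROBE_PORT)
    return rule is None or rule["access"] == "Allow"


if __name__ == "__main__":
    hit = first_matching_rule(SAMPLE_RULES, PROBE_SOURCE, PROBE_PORT)
    print("probe allowed:", probe_allowed(SAMPLE_RULES),
          "- decided by rule:", hit["name"] if hit else "Azure defaults")
```

Run against a real NSG by feeding it the security rules exported from the Azure portal or CLI; a False result names the rule that shadows the probe, and the fix is to give the probe allow a lower priority number than any broad deny.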


For the purpose of this document, the resource group avi-vantage will be used to deploy the Avi solution. As displayed in the screenshot below, this group has the VNet avi-vantage-vnet, with an available address space of 10.20.0.0/16 and a subnet of 10.20.0.0/24.

Microsoft Azure Resource Limits

Microsoft Azure objects have predefined limits to the number of instances that can be instantiated.

These limits are based on the location of a given subscription. For instance, the total number of cores that can be used by the subscription in a particular location defines these limits.

The following limits must be increased appropriately, to allow scaling Avi virtual service and object creation in Microsoft Azure:

Networking Limits

Public IP addresses - Static

The default value is 20. This value should be increased if the deployment is expected to have more than 20 public IPs.

Load Balancer Limits

Frontend IP configuration - Basic

The default value is 10. It is recommended to set this to a higher value. Each virtual service IP and port combination consumes one frontend IP configuration.

Rules per resource - Basic

The default value is 150. It is recommended to increase this to a higher value. Each virtual service IP and port combination consumes one rule.

Load Balancers


The default value is 100. This limit should be raised as required, if more than 100 Service Engine groups are expected.

Additional Information

The above limits can be increased by submitting a request to Microsoft Azure via a support case. For more details, please refer to Azure subscription and service limits, quotas, and constraints.

Avi Controller Instantiation

Avi Vantage is available in Azure Marketplace as a Bring Your Own License (BYOL) offering.

Access Azure Marketplace at https://azuremarketplace.microsoft.com/ and log in using your Azure credentials. Alternately, you can log in using your Azure credentials at https://portal.azure.com.

Marketplace Link: Navigate to the Avi Vantage page on Azure Marketplace.

Click on Get it Now to start the deployment process. If the deployment is via the Azure portal, create a new VM and search for Avi Networks. The Avi Vantage VM will show up in the search results.


Follow the given steps to initiate the deployment:

1. Provide the information requested under the Basics tab.


2. Click on OK to continue to the next tab.

Note: The public key option provided in this step does not allow you to SSH into the machine once launched. After the VM is up and running, it prompts you to set up the Avi Controller, and that username and password are used to SSH into the Avi Controller.

Based on deployment scale considerations, choose an appropriate VM size. The following table lists the minimum requirements for the VMs on which the Avi Controller and Avi SEs are installed.

Component         Memory   vCPUs   Disk
Avi Controller    24 GB    8       64 GB
Service Engine    2 GB     2       10 GB

For Avi Controller, we recommend the following instance types:

Deployment Size   Virtual Service Scale   Instance Type   Memory   vCPUs   Disk (Minimum)
Small             100                     DS4_V2          28 GB    8       64 GB
Medium            1000                    DS5_V2          56 GB    16      64 GB
Large             5000                    F32S_V2         64 GB    32      64 GB

Refer to the Disk Capacity Allocation section in the Avi Controller Sizing KB for the recommended hard disk size. The example below shows a choice of eight CPUs and 28 GB memory (Instance: DS4_V2).


3. In the Settings tab, select the following options:


- Availability set: It is recommended to use an availability set for Avi Controllers.
- Storage: Select Yes for managed disks.
- Virtual network: Create a new VNet, or use an existing VNet.
- Subnet: Select a subnet for the Avi Controller management IP address to be allocated from.
- (Optional) Public IP address: Allocate an existing or new public IP address to the Controller VM.
- Network security group (firewall): Apply an existing or new network security group to restrict traffic to the Controller. Note: For security group rules on the subnet for the external IP to be accessible, the rule should have a destination set as the floating IP address for the virtual service, a source as any, and port as any.

4. Click on OK followed by Purchase to run final validations and initiate the deployment.


5. (Optional) Create a Controller cluster. To ensure complete redundancy, two additional Avi Controller nodes can be added to create a 3-node Avi Controller cluster.

To create a Controller cluster:

- If deploying from the Microsoft Azure Marketplace, use the JSON template found here.
- If deploying from a downloaded version of the VHD, use the JSON template found here.

Once the Controller is up, it can be configured via a web browser. The FQDN will be shown as an output of the template execution; in this case, avicontrollerpubip.westus.cloudapp.azure.com.


Avi Vantage Configuration

Initial Configuration

Follow the given steps to complete the initial configuration. Each step is provided with an associated screenshot.

1. Provide credentials for the administrator account (Username: admin).


2. Provide DNS and NTP settings (these can be edited later).

3. Provide an email address to be used for alerts from the Controller (this can be set up at a later stage).


4. Select No Orchestrator to complete the initial configuration.


5. Continue by clicking on No for Support multiple Tenants (multi-tenancy can be enabled later).

6. Once the setup is completed, the browser will automatically refresh to the Avi Controller dashboard.


Configuring Azure Cloud

At this point, the Avi Controller is provisioned but not connected to any ecosystem. The next step is to create a cloud configuration of type Azure, so that Avi Vantage can spin up Service Engines in the Azure VNet and load balance the workloads present there.

Note: Before proceeding with the steps to configure the Azure cloud, it is recommended to finalize the license model as per the requirement. The Avi UI has the following two options for the license model:

- Azure Pay-as-you-go: Licensing and usage are calculated based on the Service Engines instantiated in Azure.
- Bring your own license: The license type can be selected based on either the vCPU or the SE Bandwidth.

Follow the given steps to complete the cloud configuration. Each step is provided with an associated screenshot.

1. Click on the Applications tab and navigate to Infrastructure -> Clouds.

2. Click on the Create button to add a new cloud. Provide a name, and select Microsoft Azure as the Cloud infrastructure type.

3. On the next tab, provide information related to the Azure account.


Starting with 18.1.4, the Avi UI has the option to select the desired License Model.

4. Start by clicking on the Create Credentials tab and provide the Azure credentials.

You can either choose an Azure account username/password, or an Application ID. In the screenshot below, the username method is used.


5. Select the license model that you want to use. You can choose either the Pay-as-you-go or the Bring your own license option. The screenshot below shows the Pay-as-you-go option for the license model. For the PAYG licence model, the license type is set to SE Bandwidth automatically.

For the Bring your own license model, you can use the drop-down option to select one of the following licence types:

- Cores
- SE Bandwidth

For more information on the new license model, refer to Azure Marketplace Licensing.

6. Save and select these newly created credentials and provide the Azure subscription ID. Click Next.


7. Provide the Azure location details. These include the location of the resource group, the resource group and VNet to be used, and the subnet for the Service Engine management network.

Optionally, a DNS provider can be selected as well. Instead of Azure DNS, AWS Route 53 can also be used by selecting Other.

8. Select Template Service Engine Group from the drop-down list in the Service Engine section.

9. Click on Complete to provision the Azure cloud. At this time, the Controller will upload the Service Engine VHD into an Azure storage account, so that SEs can be deployed as required by the applications.

Save the settings. The system is now ready for virtual service creation.

Virtual Service Configuration

To create a virtual service to load balance an application workload, perform the following steps:

1. Create a pool containing the application servers that need to be load balanced.
2. Create a virtual service with a front-end virtual IP.

Pool Creation

1. Navigate to Application -> Pools and click Create Pool.

2. Provide a pool name. The other fields are optional and the defaults are sufficient. Click Next.

3. Add one or more application (back-end) servers. If the applications are part of an Azure scale set, the scale set option can be selected. If not, just provide the IP addresses of the servers and click Next.


4. Click through the remaining steps, retaining the defaults, to complete the pool creation process.

Creating the Virtual Service

1. Navigate to Application -> Virtual Services and click Create Virtual Service. Select Advanced Setup.

2. Provide a VS name.

3. Select a network from which the front-end VIP should be allocated. The VIP will be allocated by Azure.

4. If the virtual service needs to be accessible via the Internet, select the option Assign Public IP for External Client Access.

5. Select the service ports. Port 80 is configured by default. Add port 443 as an SSL port as well.

6. In the Pool section, select the previously created pool from the drop-down menu.

7. Click Next through the remaining screens. Click Save at the last screen to complete the provisioning.

At this point, the UI will refresh to the VS dashboard.


The Avi deployment and virtual service configuration are now complete. Wait 2-3 minutes for the internal Azure network configuration to be completed before sending traffic for verification. Then send some traffic from a client to the virtual service IP to verify that the virtual service is functioning.

Azure VM Sizes for the Avi Service Engines

Avi Service Engines are automatically deployed on Azure by the Avi Controller, based on the virtual services that have been configured.

Avi SEs can be deployed on VMs of various sizes. This can be configured under Service Engine Group -> Advanced setting.

The table below shows the maximum SSL TPS performance observed on some Azure VM sizes.

Azure VM Size   SSL TPS Performance
F1s             1900
F2s             3850
F4s             6300
F8s             11000

Notes:

- The performance results provided above are indicative numbers for a subset of instance types. Other VM sizes are available under the Service Engine group settings and can be used.
- SSL performance (TPS, transactions per second) was measured with one configured virtual service (HTTPS, ECDHE-ECDSA-AES256-SHA cipher) and GET requests for a 128-byte payload without session reuse. More details regarding Service Engine performance can be found here.

Azure Dedicated Management Interface

Avi Vantage on Microsoft Azure runs Service Engines in one of the following modes:

- In-band Management: In this mode the Service Engine has only one NIC.
- Dedicated Management: In this mode the Service Engine has two NICs, one for the management traffic and the other for the data traffic, in the same virtual network. This configuration is at the cloud level; an SE group level override is not allowed at present. Dedicated Management SEs are supported with basic ALB, standard ALB and multi-AZ mode of the Azure cloud.

In-band Management

SEs are created with one NIC, which is used as the management interface as well as the data interface.

This set-up is simple to configure and manage. But all servers, SEs, and the management interface need to be connected.


Dedicated Management

SEs are created with two NICs, one for the management traffic and the other for the data traffic.

The cloud takes input for the management network and the data network for the SE.

- NIC0 is the management network.
- NIC1 is the data network.

Both the NICs should be in the same virtual network. This mode provides better isolation for the management and data traffic.

Configuring Dedicated Management for New Cloud Deployment

1. Define the required network topology. Refer to Deployment Topology for Microsoft Azure with Avi Vantage for more details.

2. Install the Avi Controller in the Azure cloud. Refer to Installing Avi Controller in Microsoft Azure.

3. Configure the Azure cloud. The following are the necessary attributes for configuring an Azure cloud:


- Cloud credentials
- Details about the region, zones, etc. where the Service Engines need to be deployed
- For dedicated management, the data and the management subnet. The data and the management subnet should be in the same virtual network.

Configuring Dedicated Management for Existing Cloud Deployments

1. Navigate to Infrastructure > Cloud. Select the desired cloud, click on the edit option and enable dedicated management.

2. Choose a management subnet which is in the same VNet.

3. Configure a virtual service.

For existing deployments, the change will apply only to the newer SEs created. The existing SEs will keep functioning in the in-band mode.