For additional configuration flexibility, isolation, and delegation of ADC administration, the Avi Load Balancer supports the creation of a cloud inside a tenant.

The tenant-scoped clouds feature is currently restricted to AWS, Azure, Linux Server Clouds, NSX-T, and no-orchestrator clouds. Attempting to choose any other cloud type for a tenant-scoped cloud results in an error.

For more information on no-orchestrator (no-access) clouds, in which adding, removing, or modifying properties of an SE requires an administrator's manual intervention, see the Orchestrator Access Modes topic in the VMware Avi Load Balancer Installation Guide.

Features

Configuration Flexibility

Users with the Tenant-Admin role can create, read, update, and delete (CRUD) cloud infrastructure (VRF contexts, SE groups, and SEs) within their own tenant, that is, the tenant to which the cloud is scoped. In addition, tenant administrators can still access and use the infrastructure of clouds in the admin tenant, as before, subject to the tenant settings: if an admin-tenant cloud is configured in provider mode, tenant administrators can use its infrastructure. They can do so in addition to, and independently of, any tenant-scoped clouds under their direct control.

  • Provider Mode — A configuration in which SEs are shared across tenants. In provider mode, all the network resources of the cloud remain in the admin tenant and cannot be moved. To configure VRF contexts and move port groups into them, the Avi Load Balancer user must have write privileges for the admin tenant.

Isolation

A tenant-scoped cloud and its associated objects (VRF contexts, SEs, SE groups) are visible only in the cloud's own tenant. They are not visible in any other tenant, including the admin tenant.
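The visibility rule above is something an operator can verify rather than trust. The following is an added example, not part of the Avi documentation or product code: it lists clouds once per tenant context and reports any cloud owned by a non-admin tenant that shows up in a different tenant's listing, and any non-admin cloud whose type is not one the page allows to be tenant-scoped. It assumes the listing shape returned by GET /api/cloud ({"count": N, "results": [...]}) with each cloud carrying "name", "vtype" and a "tenant_ref" URL whose '#<name>' fragment names the owning tenant, that the tenant context is selected with the X-Avi-Tenant header, and that the vtype enum names match the cloud types named above; the controller address, credentials, API version and tenant names are placeholders.

```python
"""Audit isolation of tenant-scoped clouds from Avi REST API cloud listings.

Added example; not part of the Avi documentation or product code. See the
lead-in for the assumptions about the listing shape and headers.
"""
import base64
import json
import urllib.request

ADMIN_TENANT = "admin"

# Cloud types the page says may be scoped to a tenant. The enum names are
# assumed to match the Avi "vtype" values for those cloud types.
TENANT_SCOPABLE_VTYPES = {
    "CLOUD_AWS",          # AWS
    "CLOUD_AZURE",        # Azure
    "CLOUD_LINUXSERVER",  # Linux Server Cloud
    "CLOUD_NSXT",         # NSX-T
    "CLOUD_NONE",         # no-orchestrator (no-access) cloud
}


def fetch_cloud_listing(controller, username, password, tenant,
                        api_version="22.1.3"):
    """GET /api/cloud in the context of one tenant (placeholder values).

    Assumes the controller accepts HTTP basic auth on the API; api_version
    is a placeholder and should match the controller's version.
    """
    req = urllib.request.Request(f"{controller}/api/cloud")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("X-Avi-Tenant", tenant)      # selects the tenant context
    req.add_header("X-Avi-Version", api_version)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def tenant_of(cloud):
    """Owning tenant name from a cloud's tenant_ref (e.g. .../tenant-uuid#admin).

    Falls back to the last URL path element when no '#name' fragment exists,
    and returns "" when the reference is missing entirely.
    """
    ref = cloud.get("tenant_ref", "")
    if "#" in ref:
        return ref.rsplit("#", 1)[1]
    return ref.rstrip("/").rsplit("/", 1)[-1]


def audit_isolation(listings):
    """Return a list of violations across per-tenant listings.

    listings: {viewing_tenant: parsed /api/cloud body for that context}.
    Rule checked: a cloud scoped to tenant T is visible only in T. Clouds
    owned by the admin tenant are exempt, because provider-mode clouds are
    meant to be usable from other tenants. A non-admin cloud whose vtype
    cannot be tenant-scoped is reported once, since the controller should
    have refused to create it.
    """
    violations = []
    reported_vtype = set()
    for viewer, body in listings.items():
        for cloud in body.get("results", []):
            name = cloud.get("name", "<unnamed>")
            owner = tenant_of(cloud)
            if owner == ADMIN_TENANT:
                continue
            if owner != viewer:
                violations.append(
                    f"cloud {name!r} owned by {owner or '<unknown>'!r} "
                    f"is visible in tenant {viewer!r}")
            vtype = cloud.get("vtype")
            if vtype not in TENANT_SCOPABLE_VTYPES and (owner, name) not in reported_vtype:
                reported_vtype.add((owner, name))
                violations.append(
                    f"cloud {name!r} in tenant {owner!r} has vtype {vtype!r}, "
                    f"which cannot be tenant-scoped")
    return violations


def _ref(uuid, name):
    # Placeholder controller host; builds a tenant_ref in the assumed shape.
    return f"https://ctrl.example.invalid/api/tenant/{uuid}#{name}"


# Constructed sample listings (not captured from a real controller). The
# admin cloud Default-Cloud shared with tenant-a is allowed (provider mode);
# tenant-a's AWS cloud appearing in tenant-b's listing is a violation.
SAMPLE_LISTINGS = {
    "admin": {"count": 1, "results": [
        {"name": "Default-Cloud", "vtype": "CLOUD_NONE",
         "tenant_ref": _ref("tenant-0", "admin")},
    ]},
    "tenant-a": {"count": 2, "results": [
        {"name": "Default-Cloud", "vtype": "CLOUD_NONE",
         "tenant_ref": _ref("tenant-0", "admin")},
        {"name": "a-aws", "vtype": "CLOUD_AWS",
         "tenant_ref": _ref("tenant-1", "tenant-a")},
    ]},
    "tenant-b": {"count": 2, "results": [
        {"name": "b-nsxt", "vtype": "CLOUD_NSXT",
         "tenant_ref": _ref("tenant-2", "tenant-b")},
        {"name": "a-aws", "vtype": "CLOUD_AWS",
         "tenant_ref": _ref("tenant-1", "tenant-a")},
    ]},
}


if __name__ == "__main__":
    for problem in audit_isolation(SAMPLE_LISTINGS) or ["isolation holds"]:
        print(problem)
```

Against a live controller, build the listings dictionary by calling fetch_cloud_listing once per tenant name (including admin) with the same credentials, then pass it to audit_isolation; run it with a Tenant-Admin account as well as with the admin account, since the rule must hold from both viewpoints.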

Administration

The admin user is authorized and responsible for the highest-level configuration operations, such as user creation and authorization, tenant creation, and all infrastructure associated with the admin tenant. However, the admin user can, and typically prefers to, delegate the creation of clouds scoped to individual tenants to the respective tenant administrators.

When creating a tenant-scoped cloud, Avi Load Balancer automatically:

  1. Creates two VRF contexts for the cloud in that tenant. One carries data-plane traffic and the other carries control-plane (management) traffic.

  2. Creates the first SE group for the cloud in this tenant (it will be named Default-Group).

  3. Adjusts the default permissions so that users with the Tenant-Admin role can create and manage tenant-scoped clouds and their associated objects.

Avi Load Balancer UI Tenant-Scoped Cloud Creation

  • Log in as the admin user, click admin at the top right of the toolbar to show the complete list of defined tenants, and select a tenant from the All Tenants drop-down menu. This switches the context to that tenant.

  • When a new tenant is selected, the name of the selected tenant is displayed in place of admin on the top right of the toolbar.

    Note:

    The admin user is still logged in, and only the tenant context is changed.

  • Navigate to Infrastructure > Clouds, click the CREATE drop-down menu, and select the type of cloud to create.

    Note:

    The admin user does not have to be the one who creates the cloud within the tenant; the tenant's own administrator can do so.

  • Cloud creation can proceed as normal.

  • More typically, the tenant administrator of that tenant is the one logged in. When that user clicks the tenant name at the top right of the toolbar, no other tenants are listed, because the account is limited to a single tenant, which is the preferred arrangement.

  • The user can also opt to create additional clouds within the selected tenant.

Note:

The steps to create a cloud are the same as for clouds that are not tenant-scoped; whether the resulting cloud is tenant-scoped depends only on the tenant context the user is in when creating it.