The Avi Load Balancer integration for NSX is designed to unify the multi-tenancy and self-consumption for Application Admins across the two products. This section explains the design for this integration.

To support NSX multi-tenancy, a new configuration option, Enable VPC Mode, is introduced in the NSX cloud configuration in Avi Load Balancer.

The Enterprise Admin, with the role of System Admin in Avi Load Balancer, configures the NSX cloud configuration with VPC mode as well as the Service Engine Management network.

In the VPC mode, data networks are configured automatically, unlike the non-VPC mode, where the data networks and their respective IPAM are user-configured.

In the VPC mode, NSX provisions the subnet, IPAM, and DHCP automatically to simplify the overall consumption and configuration.

To configure VPC mode in an NSX Cloud,

  1. From the Avi Load Balancer, navigate to Infrastructure > Clouds > CREATE.

  2. Select NSX Cloud from the dropdown menu.

  3. Click Enable VPC Mode as shown below:

  4. Configure the other fields as required and Save the cloud.

Within the NSX environment with multi-tenancy enabled through NSX projects and NSX VPCs, the Project Admin enables the Avi Load Balancer setting load_balancer_vpc_endpoint.



When VPC Mode is enabled in the NSX Cloud configuration in Avi Load Balancer, Avi Load Balancer starts discovering all the NSX VPCs that have the NSX ALB flag enabled and prepares the list of NSX Projects to which the discovered NSX VPCs belong.

In the diagram shown below, the Project Admins of Project-1 and Project-2 enabled the Avi Load Balancer for VPC-Green and VPC-Red, but not for their respective VPCs VPC-Pink and VPC-Grey. Avi Load Balancer periodically discovers the new NSX VPCs VPC-Green and VPC-Red with their respective Projects Project-1 and Project-2.



For each NSX Project discovered by the Avi Load Balancer cloud connector, an equivalent tenant is created in Avi Load Balancer. For the respective NSX VPCs, the equivalent NSX Cloud data network configuration (the VPC and the associated dedicated NSX ALB data subnet, represented with the name “_AVI_SUBNET--LB”) is populated in the NSX Cloud. This effectively creates a dedicated VRF for each NSX VPC in the tenant (NSX Project) to which it belongs.
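The discovery and sync rules above can be checked for drift by comparing the two inventories. The following is an added example, not code from Avi Load Balancer or NSX: the record shapes, the assumption that tenants and VRFs carry the Project and VPC names, and the sample data are all constructed, and only load_balancer_vpc_endpoint is a name taken from this page.

```python
# Added example. Inventories below are constructed; the record shapes are
# assumptions, and only load_balancer_vpc_endpoint is a name from this page.
NSX_VPCS = [
    {"project": "Project-1", "vpc": "VPC-Green", "load_balancer_vpc_endpoint": True},
    {"project": "Project-1", "vpc": "VPC-Pink", "load_balancer_vpc_endpoint": False},
    {"project": "Project-2", "vpc": "VPC-Red", "load_balancer_vpc_endpoint": True},
    {"project": "Project-2", "vpc": "VPC-Grey", "load_balancer_vpc_endpoint": False},
]
AVI_VRFS = [  # assumed: tenant named after the project, VRF after the VPC
    {"tenant": "Project-1", "vrf": "VPC-Green"},
    {"tenant": "Project-2", "vrf": "VPC-Red"},
    {"tenant": "Project-2", "vrf": "VPC-Pink"},  # constructed drift
]


def expected_mapping(nsx_vpcs):
    """Tenant -> VRFs that discovery should create: flagged VPCs only."""
    expected = {}
    for vpc in nsx_vpcs:
        if vpc["load_balancer_vpc_endpoint"]:
            expected.setdefault(vpc["project"], set()).add(vpc["vpc"])
    return expected


def audit(nsx_vpcs, avi_vrfs):
    """Return sorted (finding, tenant, vrf) tuples where Avi and NSX disagree."""
    expected = expected_mapping(nsx_vpcs)
    owners = {}  # VPC name -> projects that contain a VPC of that name
    for vpc in nsx_vpcs:
        owners.setdefault(vpc["vpc"], set()).add(vpc["project"])
    actual = {}
    for row in avi_vrfs:
        actual.setdefault(row["tenant"], set()).add(row["vrf"])
    findings = []
    for tenant, vrfs in actual.items():
        for vrf in vrfs - expected.get(tenant, set()):
            if vrf not in owners:
                findings.append(("orphan-vrf", tenant, vrf))
            elif tenant not in owners[vrf]:
                findings.append(("cross-tenant-vrf", tenant, vrf))
            else:
                findings.append(("vrf-without-alb-flag", tenant, vrf))
    for tenant, vrfs in expected.items():
        for vrf in vrfs - actual.get(tenant, set()):
            findings.append(("not-yet-synced", tenant, vrf))
    return sorted(findings)
```

A cross-tenant-vrf or vrf-without-alb-flag finding means a VRF is reachable from a tenant that the NSX side never opted in; not-yet-synced is expected between discovery cycles.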



Once the NSX VPCs and NSX Projects are synced with the respective configuration on Avi Load Balancer, the integration is ready to be consumed by the NSX Project users (Project Admin, and others) and NSX VPC users (VPC Admin, and others). The NSX VPC Admin users (mapped as Application Admin in NSX ALB) can now start creating their load balancer objects (VS, Pool) for their applications (server pool members). Once the VPC Admin triggers the creation of the VS, Avi Load Balancer will start provisioning the load balancing fabric (Avi Load Balancer Service Engines, that is, the datapath LB elements), realizing the load balancing policies, and serving the application traffic.



From the diagram, the VPC Admins of VPC-Green and VPC-Red in the respective projects Project-1 and Project-2 created the virtual service VS1 for their respective application needs. For example, VS1 in VPC-Green can be an L7 VS with SSL enabled for their application web servers, and VS1 in VPC-Red can be an L4 VS with pass-through SSL for their blockchain web servers.

As soon as the intent to configure a virtual service is realized on the Avi Load Balancer, whether through the Avi Load Balancer UI, the API, or any other automation (Ansible, Terraform, and others), Avi Load Balancer provisions the LB fabric (datapath), that is, the Avi Load Balancer Service Engines, with the respective High Availability settings, sizing, and other properties configured by the Enterprise Admin as part of the Service Engine group configuration.

NSX Project and NSX VPC User Mapping

This section explains the NSX Project and NSX VPC user mapping to Avi Load Balancer users and tenants.

Create the user mapping between the two products as shown below:

NSX Role: Enterprise Admin
Avi Load Balancer Role: System Admin
Activities Performed:

  • Creates NSX Cloud on Avi Load Balancer in admin tenant with VPC mode enabled.

  • Creates the Service Engine Group with appropriate HA mode, SE sizing, and settings required for the consumption by NSX Project Admins and NSX VPC Admins.

  • The Enterprise Admin creates the NSX Projects in the NSX Manager, with the respective users as project admins and, if required, quota limits at project level.

NSX Role: Project Admin
Avi Load Balancer Role: Tenant Admin
Activities Performed:

  • The Project Admin creates NSX VPC in their respective Projects with additional Network services like NAT, IPAM networks, DFW, Route filtering, ALB, and more.

  • The Project Admin can log in to Avi Load Balancer as Tenant Admin and will be able to see/access only VPCs (VRFs in Avi Load Balancer) belonging to their Project (Tenant in Avi Load Balancer).

  • The Project Admin (Tenant Admin) will be able to create load balancing objects (VS, Pool, and more) for the classic Tier-1s under the NSX Projects provided that the Enterprise Admin (System Admin in Avi Load Balancer) adds the Tier-1 and the respective data Segment to the NSX Cloud configuration.

  • The Project Admin (Tenant Admin) will not be able to access the load balancer configurations (VS, Pool, and more) of other Projects (Tenants).

NSX Role: VPC Admin
Avi Load Balancer Role: Application Admin
Activities Performed:

  • The VPC Admin gets mapped as Application Admin user in Avi Load Balancer.

  • The VPC Admin can start consuming load balancing functionality by creating the Virtual Service and relevant objects (Pool, VsVIP, HTTP Policies, Network Policies, and more) for their application needs.

  • The VPC Admin (Application Admin) will be able to create the VIP IP address from either a private subnet or a public subnet associated with the VPC.
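The role mapping above can be used as a least-privilege check on the Avi side. The following is an added example, not code from either product: ROLE_MAP restates the table, while the privilege ranking, the user names, and the grant records are constructed assumptions.

```python
# Added example. ROLE_MAP is the table on this page; the privilege ranking and
# all user records are constructed assumptions for the check.
ROLE_MAP = {
    "Enterprise Admin": "System Admin",
    "Project Admin": "Tenant Admin",
    "VPC Admin": "Application Admin",
}
RANK = {"Application Admin": 1, "Tenant Admin": 2, "System Admin": 3}

NSX_USERS = {  # user -> (NSX role, NSX Project, or None for enterprise scope)
    "alice": ("Enterprise Admin", None),
    "bob": ("Project Admin", "Project-1"),
    "carol": ("VPC Admin", "Project-1"),
    "dave": ("VPC Admin", "Project-2"),
}
AVI_GRANTS = [  # role grants found on the Avi side
    {"user": "alice", "role": "System Admin", "tenant": "admin"},
    {"user": "bob", "role": "Tenant Admin", "tenant": "Project-1"},
    {"user": "carol", "role": "Tenant Admin", "tenant": "Project-1"},
    {"user": "dave", "role": "Application Admin", "tenant": "Project-1"},
    {"user": "erin", "role": "Application Admin", "tenant": "Project-2"},
]


def audit_grants(nsx_users, avi_grants):
    """Return sorted (user, finding) pairs for grants that break the mapping."""
    findings = []
    for grant in avi_grants:
        user = grant["user"]
        if user not in nsx_users:
            findings.append((user, "no-nsx-identity"))
            continue
        nsx_role, project = nsx_users[user]
        mapped = ROLE_MAP[nsx_role]
        if RANK[grant["role"]] > RANK[mapped]:
            findings.append((user, "over-privileged"))
        elif grant["role"] != mapped:
            findings.append((user, "role-mismatch"))
        # Project-scoped users may hold grants only in their own tenant.
        if project is not None and grant["tenant"] != project:
            findings.append((user, "cross-tenant-grant"))
    return sorted(findings)
```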

In summary,

  • A single Avi Load Balancer cluster is deployed per NSX Manager cluster.

  • NSX Project Admins are mapped as Tenant Admins in Avi Load Balancer and will be able to manage the respective NSX VPCs (VRFs, Networks) belonging to their Projects.

  • NSX Project Admins (Tenant Admins in Avi Load Balancer) will be able to configure load balancing (VS, Pool, and more) for the Classic Tier-1s, provided that the Enterprise Admin has added the Classic Tier-1 and the respective data segment to the NSX Cloud configuration.