Avi Load Balancer manages the lifecycle of the load balancer within each cloud. In a VMware write access cloud, the Controller requires the vCenter URL, username, and password to establish a connection with vCenter. Using this connection, the Controller discovers the vCenter managed objects and builds an internal relation graph. As part of load balancer lifecycle management, Service Engines (SEs) are created, and port groups are added to or removed from the virtual machines.

When a vCenter cloud is deployed, Avi Load Balancer is not given the root credentials, for security reasons. When the cloud is created in Avi Load Balancer, the vCenter user is assigned specific roles that allow the Controller to manage the load balancer lifecycle. During role configuration on vCenter, the user is mapped to two roles: one is applied at the vCenter root level, and the other at the folder level where the Controller creates the Service Engines.

For detailed information on creating the required roles and the permissions, see vSphere Permissions and User Management Tasks.
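The two-role scoping described above can be checked against an export of vCenter permission entries. The following is an added example, not code from the Avi or vSphere documentation; the record shape, the user name, the `vcenter-root` and folder labels, and the sample entries are all constructed assumptions, and only the role names AviRole1 and AviRole2 come from this page.

```python
from collections import namedtuple

# Constructed record shape: who holds which role on which vCenter object.
Permission = namedtuple("Permission", "principal role entity")

EXPECTED_ROLES = {"AviRole1", "AviRole2"}  # role names used on this page
ROOT = "vcenter-root"                      # assumed label for the vCenter root level
SE_FOLDER = "folder:AviSeFolder"           # hypothetical Service Engine folder
USER = "VSPHERE.LOCAL\\avi-svc"            # hypothetical vCenter user for the Controller


def audit_avi_user(permissions, user, root=ROOT, se_folder=SE_FOLDER):
    """Return findings; an empty list means the user holds exactly the two
    expected roles, one at the root level and one at the SE folder level."""
    mine = [p for p in permissions if p.principal.lower() == user.lower()]
    findings = []
    for p in mine:
        if p.role not in EXPECTED_ROLES:
            findings.append(f"unexpected role {p.role!r} on {p.entity}")
        if p.entity not in (root, se_folder):
            findings.append(f"role {p.role!r} granted outside expected scope: {p.entity}")
    # Which expected role sits at which scope (the check does not assume
    # which of the two roles belongs at which level).
    roles_at = {p.entity: p.role for p in mine if p.role in EXPECTED_ROLES}
    for scope in (root, se_folder):
        if scope not in roles_at:
            findings.append(f"no Avi role assigned at {scope}")
    if roles_at.get(root) and roles_at.get(root) == roles_at.get(se_folder):
        findings.append("same role at both levels; two distinct roles expected")
    return findings


# Constructed sample exports.
GOOD = [
    Permission(USER, "AviRole1", ROOT),
    Permission(USER, "AviRole2", SE_FOLDER),
    Permission("VSPHERE.LOCAL\\Administrator", "Admin", ROOT),  # other users are ignored
]
BAD = [
    Permission(USER, "Admin", ROOT),               # over-broad role for the Avi user
    Permission(USER, "AviRole2", "datacenter:DC1"),  # granted at the wrong object
]

if __name__ == "__main__":
    for name, perms in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_avi_user(perms, USER) or "ok")
```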

The following section describes how to define the privileges for the two roles, AviRole1 and AviRole2, that are assigned to the vCenter user.