This section discusses the use of the revoke_vip_route flag, available under the virtual service configuration, for NSX-T cloud deployments.

The following diagram explains routing in an NSX-T deployment when T0 and T1 routers are used.



In the deployment mode shown above, the SE's interface connected to T1 accepts requests for the VIP 1.1.1.1 as per the routing configuration at T0 and T1. The SE then forwards the requests to the application server.

Now, consider a scenario where there are two active sites, as shown below: S1 Active Site and S2 Backup Site.



When health checks to the pool are blocked and the server (pool) is marked down at S1 Active Site, the routing table state is not updated and the route for the VIP 1.1.1.1 to the SE still persists. The T1 router keeps forwarding incoming requests for VIP 1.1.1.1 because the route advertisement is still available at the SE. To prevent traffic loss, the virtual service state update and the route removal should happen immediately once the pool goes down.

To avoid the issue mentioned above, use the revoke_vip_route flag at the virtual service configuration level. The default state of the revoke_vip_route flag is false.

Note:
  • Currently, the revoke_vip_route flag is applicable only for NSX-T cloud deployment.

  • These changes are not applicable for Brownfield deployment (via upgrade).

When the revoke_vip_route flag is enabled, the following state updates happen whenever a pool or an application server goes down:

  1. The route to the SE is revoked.

  2. The virtual service state changes to DOWN with an error message.

The following diagram depicts the changes when the revoke_vip_route flag is enabled. The route for VIP 1.1.1.1 is no longer available at T1 and T2, and requests are not forwarded for the application or pool that is in the down state.



Once the pool comes up, the routing information is updated automatically, and T1 starts forwarding requests for VIP 1.1.1.1 to the SE's connected interface, as shown below.



Configuring Route Revoke Using CLI

Log in to the Avi Load Balancer CLI and use the configure virtualservice command to set the value of revoke_vip_route to true. The default value of the revoke_vip_route flag is false.

[admin:10-50-51-111]: > configure virtualservice vs1
Updating an existing object. Currently, the object is:
+------------------------------------+-----------------------------------------------------+
| Field                              | Value                                               |
+------------------------------------+-----------------------------------------------------+
| uuid                               | virtualservice-42df5c41-7822-497d-9113-da5070637ef4 |
| name                               | vs1                                                 |
| enabled                            | True                                                |
| services[1]                        |                                                     |
|   port                             | 80                                                  |
|   enable_ssl                       | False                                               |
|   port_range_end                   | 80                                                  |
|   enable_http2                     | False                                               |
|   horizon_internal_ports           | False                                               |
|   is_active_ftp_data_port          | False                                               |
| application_profile_ref            | System-HTTP                                         |
| network_profile_ref                | System-TCP-Proxy                                    |
| pool_ref                           | vs1-Pool                                            |
| se_group_ref                       | Default-Group                                       |
| network_security_policy_ref        | vs1-NetworkSecurityPolicy                           |
| http_policies[1]                   |                                                     |
|   index                            | 11                                                  |
|   http_policy_set_ref              | vs1-HTTPPolicySet-0                                 |
| analytics_policy                   |                                                     |
|   full_client_logs                 |                                                     |
|     enabled                        | False                                               |
|     duration                       | 0 min                                               |
|     throttle                       | 10 per_second                                       |
|   client_insights                  | NO_INSIGHTS                                         |
|   all_headers                      | False                                               |
|   metrics_realtime_update          |                                                     |
|     enabled                        | False                                               |
|     duration                       | 0 min                                               |
|   udf_log_throttle                 | 10 per_second                                       |
|   significant_log_throttle         | 10 per_second                                       |
|   learning_log_policy              |                                                     |
|     enabled                        | False                                               |
| vrf_context_ref                    | Tier1-01                                            |
| enable_autogw                      | True                                                |
| analytics_profile_ref              | System-Analytics-Profile                            |
| weight                             | 1                                                   |
| delay_fairness                     | False                                               |
| max_cps_per_client                 | 0                                                   |
| limit_doser                        | False                                               |
| type                               | VS_TYPE_NORMAL                                      |
| cloud_type                         | CLOUD_NSXT                                          |
| ssl_sess_cache_avg_size            | 1024                                                |
| remove_listening_port_on_vs_down   | False                                               |
| close_client_conn_on_config_update | False                                               |
| bulk_sync_kvcache                  | False                                               |
| advertise_down_vs                  | False                                               |
| revoke_vip_route                   | True                                                |
| tenant_ref                         | admin                                               |
| cloud_ref                          | test-nsxt-cloud                                     |
| east_west_placement                | False                                               |
| scaleout_ecmp                      | True                                                |
| active_standby_se_tag              | ACTIVE_STANDBY_SE_1                                 |
| flow_label_type                    | NO_LABEL                                            |
| content_rewrite                    |                                                     |
|   rewritable_content_ref           | System-Rewritable-Content-Types                     |
| sideband_profile                   |                                                     |
|   sideband_max_request_body_size   | 1024 bytes                                          |
| vsvip_ref                          | vs1-VsVip                                           |
| use_vip_as_snat                    | False                                               |
| vh_type                            | VS_TYPE_VH_SNI                                      |
| enable_session                     | False                                               |
+------------------------------------+-----------------------------------------------------+
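
The following is an added example, not part of the original documentation or the product: a Python check that parses table output in the format printed above and reports whether an NSX-T virtual service would keep its VIP route when the pool goes down. The function names and the abridged sample table are constructed for illustration.

```python
import re

# Constructed sample: abridged rows in the format of the CLI table above.
SAMPLE = """\
+----------------------+------------+
| Field                | Value      |
+----------------------+------------+
| name                 | vs1        |
| services[1]          |            |
|   port               | 80         |
| analytics_policy     |            |
|   full_client_logs   |            |
|     enabled          | False      |
| cloud_type           | CLOUD_NSXT |
| revoke_vip_route     | False      |
+----------------------+------------+
"""

ROW = re.compile(r"^\|(\s*)(\S.*?)\s*\|\s*(.*?)\s*\|$")

def parse_cli_table(text):
    """Flatten the table into {dotted.path: value}; nesting follows the 2-space indent."""
    fields, stack = {}, []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(2) == "Field":
            continue                          # border line or header row
        depth = (len(m.group(1)) - 1) // 2    # top-level rows have one leading space
        del stack[depth:]                     # drop siblings and deeper levels
        stack.append(m.group(2))
        if m.group(3):                        # rows with an empty value are containers
            fields[".".join(stack)] = m.group(3)
    return fields

def audit_revoke_vip_route(text):
    """Return (virtual service name, status) for one CLI table."""
    f = parse_cli_table(text)
    name = f.get("name", "<unknown>")
    if f.get("cloud_type") != "CLOUD_NSXT":
        return (name, "not_applicable")       # the flag applies only to NSX-T clouds
    if f.get("revoke_vip_route") == "True":
        return (name, "ok")                   # route is revoked when the pool goes down
    return (name, "route_persists")           # default false: VIP route stays advertised

if __name__ == "__main__":
    print(audit_revoke_vip_route(SAMPLE))
```

A status of route_persists marks a virtual service that still has the default setting, so T1 would keep forwarding requests for the VIP after the pool is marked down.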
