This section discusses the role requirements for Avi Load Balancer Controller deployment and Microsoft Azure cloud configuration.

Avi Load Balancer Controller Deployment

The Avi Load Balancer Controller cluster needs to be deployed in a resource group where the controller admin has the role of contributor or higher.

Microsoft Azure Cloud Configuration

In Azure, the Avi Load Balancer Controller interacts with various resources and manages their lifecycles.

These operations require specific permissions. The contributor role provides a sufficient level of permissions when attached to the required resource groups. However, the Avi Load Balancer solution requires only a subset of the permissions granted by the contributor role.

Hence, it is recommended to use a custom role that provides the appropriate level of access that is limited to the required resources.

  1. The Avi Load Balancer Controller is configured to deploy Service Engines in a specific resource group that is tied to the user’s subscription. This user should have the contributor role for this resource group.

  2. The deployed cloud can provide load-balancing services to a VNet present in a different resource group from the one mentioned above. In addition, the Avi Load Balancer Controller uses the following resources in this resource group:

    1. DNS zones used for Azure DNS, if enabled during cloud configuration in the Controller.

    2. Scale sets and Azure VMs used as back-end servers.

Resource groups provide an easy way to manage access to a group of resources in Azure. It is recommended to provision the Avi Load Balancer Controller cluster in a new resource group of its own, for better isolation. Service Engine VM instances and all other Azure resources that are dynamically created by Avi Load Balancer Controller can reside in the same resource group (for small deployments), or can exist in a resource group of their own.

The Controller and Service Engines can be attached to an existing VNet for connectivity, independent of which resource group they reside in.

Note:
  • For resource groups where the Controller is spawned, a role of contributor or higher is required.

  • For a virtual network where the Service Engine instances are to be deployed, a role of Avi Load Balancer Controller or higher is required.

Deployment Scenario

A Cloud Credential is a credential asset that is either a service principal object (in the case of an application) or a username/password credential set (in the case of a user).

Figure 1. Role definition in Avi Load Balancer deployment for Azure

The Avi Load Balancer Controller belongs to the Avi Load Balancer Controller Resource Group. The Controller admin uses their privileges to deploy the Controller in this resource group.

The Controller creates the required resources in the Avi Load Balancer Cloud Resource Group. The credential asset needs the contributor role, or a role with higher access, on the Avi Load Balancer Cloud Resource Group.

The credential asset also needs custom role access to other resources, such as VNet, DNS zones, and scale sets. This custom role helps define access to specific resources.

The Avi Load Balancer cloud and VNet resource groups are configured as a part of the credential asset.
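The custom role recommended above, and the per-resource access to the VNet, DNS zone and scale-set resource group described in this scenario, can be expressed as an Azure custom role definition. The following is an added example, not code or a role definition from the Avi Load Balancer documentation: the subscription ID, resource group names and the action list are assumed values, and the action list is illustrative, not Avi's documented permission set. It builds the role definition scoped to a single resource group and lints it for wildcard actions and over-broad assignable scopes.

```python
import json

# Constructed placeholder values (not from the Avi documentation).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
VNET_RG = "app-vnet-rg"  # resource group holding the VNet, DNS zones and scale sets

# Assumed, illustrative actions; Avi's documented list is not given on this page.
READ_ACTIONS = [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
    "Microsoft.Network/dnsZones/read",
]
WRITE_ACTIONS = [
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/dnsZones/A/write",
    "Microsoft.Network/dnsZones/A/delete",
]


def rg_scope(subscription_id, resource_group):
    """Resource-group scope string used in AssignableScopes and role assignments."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def build_custom_role(name, subscription_id, resource_groups, actions):
    """Return a custom role definition limited to the given resource groups.

    The dict can be written with json.dumps() and passed to
    `az role definition create --role-definition @<file>`.
    """
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Least-privilege access for the Avi Load Balancer Controller",
        "Actions": sorted(set(actions)),
        "NotActions": [],
        "AssignableScopes": [rg_scope(subscription_id, rg) for rg in resource_groups],
    }


def least_privilege_findings(role):
    """Flag wildcard actions and scopes broader than a resource group."""
    findings = []
    for action in role["Actions"]:
        if "*" in action:
            findings.append(f"wildcard action: {action}")
    for scope in role["AssignableScopes"]:
        if "/resourceGroups/" not in scope:
            findings.append(f"scope broader than a resource group: {scope}")
    return findings


def role_definition_json(role):
    return json.dumps(role, indent=2)
```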