This section explains the steps to create an Avi Load Balancer cloud of type Google Cloud Platform (GCP). The Controller spawns the Service Engines in the configured GCP project, zones, and VPC, and the Service Engines then load balance the workloads running in GCP.

To create an Avi Load Balancer cloud of type GCP:

  1. Log in to the Controller using your credentials.

  2. From the Avi Load Balancer UI, navigate to Infrastructure > Clouds.

  3. Click Create and select Google Cloud Platform from the dropdown.

  4. Configure the details under the General tab.

    1. Enter a Name for the cloud.

    2. Enter the Object Name Prefix which will be added to all the objects created under this cloud.

    3. Under Management Network, Enable IPv4 is selected by default, which enables IPv4 on the management interface of the Service Engines.

  5. Under the GCP tab, configure the credentials for GCP API access.

    1. Click SET CREDENTIALS.

    2. In the GCP Credentials screen,

      1. Enter the Service Engine Project ID. This is the Project ID shown in the GCP console for the project in which the Service Engines will be created.

      2. To configure API access, choose one of the following:

        • If the Controller is running in GCP and a service account is attached to the Controller VM, select Compute Account as Default Service Account. The Controller then authenticates as that attached account, so no long-lived JSON key has to be stored in Avi Load Balancer.

        • If the Controller is outside GCP (in another public or private cloud), or no GCP service account is attached to the Controller VM, add a user credential holding the GCP service account JSON key, as described in the next step. Treat that key as a long-lived secret: grant the service account only the permissions it needs and rotate the key when it is no longer required.

      3. If a credentials object already exists, select it under Credentials. Otherwise, click the ellipsis at the right of the Credentials field and click Create. In the NEW USER CREDENTIALS screen:

        1. Select the Credentials Type as GCP.

        2. Click IMPORT File and select the service account key file to upload, or copy the Service Account Key and paste it in the text box provided.

        3. Click Save. The new credential is selected under Credentials.

      4. Click CONNECT.

    3. Under Regions & Zones, configure the following:

      1. Select the GCP Service Engine Region where the Service Engines will be deployed.

      2. Select the Availability Zones within the selected region. The Service Engines are distributed across the selected zones.

        Note:

        It is recommended to select more than one zone for Service Engine high availability, so that the loss of a single zone does not take down all Service Engines.

    4. Under Network, select and configure the required Network Configuration Mode.

    5. Select the firewall Target Tags to be applied to the Service Engine virtual machines. The GCP firewall rules that carry these target tags must allow the ingress and egress traffic between the Service Engines and the Controller, between Service Engines, and to the virtual services. The tags only decide which VMs the rules apply to; the rules themselves must already exist in the VPC.

    6. Under Storage, the Cloud Storage ID corresponding to the Service Engine project is selected by default. Enter the Cloud Storage Bucket Name of the bucket to which the Service Engine image will be uploaded.

      Note:

      Cloud Storage Bucket Name is required only when the service account does not have permission to create a bucket in the Google Storage project.

      If the service account has permission to create a bucket in the Google Storage project, as described in the Authentication section, NSX Advanced Load Balancer creates the bucket while creating the SE image in GCP and deletes the bucket once the image is created.

    7. Under Encryption Keys, configure the Customer Managed Encryption Keys (CMEK) for the different resources. Each value is the Cloud KMS key resource ID, and the GCP service agents that create the resources must be allowed to use the key (the CryptoKey Encrypter/Decrypter role on that key); a bucket key must also be in the same location as the bucket.

      1. Service Engine Image Encryption Key ID: CMEK resource ID used to encrypt the Service Engine GCE image.

      2. Service Engine Disk Encryption Key ID: CMEK resource ID used to encrypt the Service Engine disks.

      3. GCS Bucket Encryption Key ID: CMEK resource ID used to encrypt the Google Cloud Storage bucket. This bucket is used to upload the Service Engine raw image.

      4. GCS Objects Encryption Key ID: CMEK resource ID used to encrypt the Service Engine raw image. The raw image is a Google Cloud Storage object.

  6. Configure the VIP Allocation Mode.

    1. Under Management, choose one of the following VIP allocation modes:

      1. Routes: GCP routes for the VIP are created in both the frontend data VPC and the backend data VPC.

      2. ILB: VIP reachability is through an Internal Load Balancer (ILB). The VIP is allocated from a GCP subnet and becomes the frontend IP of the ILB.

    2. Click Enable Subnet Routes to match the SE group subnets for VIP placement.

  7. Configure the IPAM/DNS Profile.

    1. Select an IPAM Profile for the cloud to allocate VIPs from the Avi Load Balancer internal network.

    2. Select a DNS Profile for the cloud, if required.

  8. Create custom, cloud-level Tags for easier resource management.

    1. Click Add.

    2. Enter the Key and Value pairs.

  9. Click Save.

On saving the cloud configuration, the GCP cloud is listed under Infrastructure > Clouds.



The Controller validates the configuration and starts creating the Service Engine image in the SE project. After the image has been uploaded successfully, the NSX Advanced Load Balancer cloud is ready for virtual service creation.
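The form above accepts two inputs that are easy to get wrong silently: the pasted service account JSON key (step 5.2.3) and the four CMEK resource IDs (step 5.2.7). The script below is an added pre-flight check, not part of Avi Load Balancer or of this page; it confirms the key file has the fields and PEM block a GCP service account key always carries, flags a key issued in a project other than the Service Engine project, and checks each CMEK ID for the `projects/.../locations/.../keyRings/.../cryptoKeys/...` shape, rejecting key-version IDs (an assumption: the form is taken to want the key, not a version) and, for the two GCS keys, a location that differs from the bucket's. The sample key and key IDs are constructed and the private key is a dummy.

```python
"""Pre-flight checks for the GCP cloud form inputs (added example).

The sample key, key IDs and project names are constructed; the private
key is a dummy and not a usable credential."""
import json
import re

# Fields present in every GCP service-account key file.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)

# Cloud KMS cryptoKey resource ID. A trailing /cryptoKeyVersions/N is
# rejected on the assumption that the form takes a key, not a version.
CMEK_ID_RE = re.compile(
    r"^projects/(?P<project>[a-z][-a-z0-9]{4,28}[a-z0-9])"
    r"/locations/(?P<location>[a-z0-9-]+)"
    r"/keyRings/(?P<ring>[A-Za-z0-9_-]{1,63})"
    r"/cryptoKeys/(?P<key>[A-Za-z0-9_-]{1,63})$"
)


def check_service_account_key(key_text, se_project_id):
    """Return the problems found in a key file; [] means it is safe to paste.

    A key issued in a project other than the SE project is reported as a
    warning only: it can still work if that account was granted access."""
    try:
        key = json.loads(key_text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["key file must be a JSON object"]
    problems = []
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    pem = key.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM PKCS#8 block")
    email = key.get("client_email", "")
    if not email.endswith(".iam.gserviceaccount.com"):
        problems.append(f"client_email {email!r} is not a service account")
    if key.get("project_id") and key["project_id"] != se_project_id:
        problems.append(f"warning: key belongs to project {key['project_id']!r}, "
                        f"SE project is {se_project_id!r}")
    return problems


def check_cmek_id(resource_id, expected_location=None):
    """Return problems with a CMEK resource ID. Pass the bucket location for
    the two GCS keys: a bucket key must live in the bucket's location."""
    m = CMEK_ID_RE.match(resource_id)
    if not m:
        return [f"{resource_id!r} is not a cryptoKey resource ID "
                "(projects/.../locations/.../keyRings/.../cryptoKeys/...)"]
    if expected_location and m["location"] != expected_location:
        return [f"key is in {m['location']!r} but the resource is in "
                f"{expected_location!r}"]
    return []


def preflight(key_text, se_project_id, cmek_ids, bucket_location):
    """Check every input and return {field: problems} for fields with findings."""
    report = {"credentials": check_service_account_key(key_text, se_project_id)}
    gcs_fields = {"gcs_bucket_key", "gcs_objects_key"}
    for field, rid in cmek_ids.items():
        loc = bucket_location if field in gcs_fields else None
        report[field] = check_cmek_id(rid, loc)
    return {k: v for k, v in report.items() if v}


# Constructed sample inputs (dummy private key, made-up project and key names).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "avi-se-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "avi-controller@avi-se-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
})
SAMPLE_CMEK = {
    "se_image_key": "projects/avi-se-project/locations/us-central1/keyRings/avi/cryptoKeys/se-image",
    "se_disk_key": "projects/avi-se-project/locations/us-central1/keyRings/avi/cryptoKeys/se-disk",
    "gcs_bucket_key": "projects/avi-se-project/locations/us-central1/keyRings/avi/cryptoKeys/bucket",
    # Multi-region key for a regional bucket: flagged by preflight().
    "gcs_objects_key": "projects/avi-se-project/locations/us/keyRings/avi/cryptoKeys/objects",
}

if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, "avi-se-project", SAMPLE_CMEK, "us-central1"))
```

Run it against the real key file and the IDs you intend to enter before opening the form; an empty report means the values are at least well-formed, though only the CONNECT step proves the account has the permissions it needs.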