This section shows the different steps in configuring VPC mode and also lists the caveats involved in this mode.

Configuration Workflow

1. NSX Enterprise Admin (System Admin in NSX ALB) creates the NSX Cloud in Avi Load Balancer with the VPC mode enabled as shown below:



2. The System Admin configures the NSX cloud with the NSX Manager IP and user credentials, along with the management subnet for the SE. Enter the NSX Manager IP or FQDN and configure the NSX Manager credentials.



3. Configure the data network Transport Zone. The data segments are auto-populated.

  • For VPC, it is the default overlay transport zone.

  • Under vCenter Servers, click Add and select the vCenters with the respective user credentials to be utilised for the SE to provide the load balancing functionality.



Note:
  • The NSX cloud in Avi Load Balancer is Admin-scoped. Tenant-scoped NSX clouds are not supported in the VPC mode.

  • Service Engines are deployed in Provider mode. The Service Engine groups can be shared across tenants (NSX Projects/VPCs). Dedicated Service Engine Groups can be created for respective VPCs.

4. The NSX VPCs in NSX are created by the project admin. The option Enable for NSX Advanced Load Balancer is turned on for this VPC so that it is discovered for the load balancing service:



5. The NSX Project is discovered and automatically created as a tenant in Avi Load Balancer. In this case, the NSX Project Alpha with VPC "AlphaFin-VPC" is discovered by Avi Load Balancer and created as a tenant as shown below:



6. The data Segment for the Service Engine is auto configured with the allocated subnet as shown below:



7. A new VRF for each NSX VPC is created automatically in the Alpha tenant.



8. The network profile for the VRF auto created for NSX VPC is provisioned automatically.

Configuring Load Balancer Services

This section shows the configuration on Avi Load Balancer for load balancer services by the NSX Project Admin and NSX VPC admin:

1. NSX Projects and NSX VPC can have their own respective admins with restricted roles.



  • The NSX Project Admin is mapped as Tenant Admin in Avi Load Balancer

  • The NSX VPC Admin is mapped as Application Admin, with access only to the respective VRF (that is, the NSX VPC), using label-based RBAC.



2. The Tenant Admin can log in to Avi Load Balancer and can access or configure only the tenant objects (all VPCs mapped to the NSX Project), and the Application Admin can access or configure only the Application objects (that is, only the VPC for which they are admin).



The NSX Project Admin logged in as Tenant Admin in Avi Load Balancer is as shown below:



The NSX Project Admin (Tenant Admin) has access only to their Project/Tenant Alpha:

3. The Application Admin (NSX VPC Admin) can log in to Avi Load Balancer to create the respective load balancing objects.

4. The NSX VPC Admin (Application Admin) creates the virtual service.

  • The Application Admin selects the NSX Cloud and VPC/VRF:



  • The Application Admin has the option to create the VIP in Private or Public subnet of the VPC.



  • The Application Admin completes the VIP object creation for the virtual service as shown below:



  • The Application Admin can provide NS Group as the Pool server membership and finish VS creation.

  • The virtual service gets placed on the Service Engine with auto allocated VIP.

  • The Virtual Service VIP is created as a static route on the VPC and is ready for load balancing application traffic.
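
The role mapping described above (NSX Project Admin as Tenant Admin, NSX VPC Admin as Application Admin restricted to one VRF by label) can be reviewed for over-broad assignments with a check like the following. This is an added example, not Avi Load Balancer code: the record layout, the user names, the `audit` function, and every tenant or VPC other than Alpha and AlphaFin-VPC are assumptions constructed for illustration.

```python
# Added example: constructed data in a hypothetical record layout
# (not an Avi Load Balancer export format).
# Inventory: NSX Project (tenant) -> NSX VPCs (VRFs) that belong to it.
# Only Alpha and AlphaFin-VPC come from the page; the rest is constructed.
INVENTORY = {
    "Alpha": {"AlphaFin-VPC", "AlphaHR-VPC"},
    "Beta": {"BetaOps-VPC"},
}

ASSIGNMENTS = [
    {"user": "alpha-project-admin", "role": "Tenant Admin",
     "tenants": ["Alpha"], "vrf_labels": []},
    {"user": "alphafin-vpc-admin", "role": "Application Admin",
     "tenants": ["Alpha"], "vrf_labels": ["AlphaFin-VPC"]},
    # No VRF label, so nothing restricts this user to a single VPC.
    {"user": "alphahr-vpc-admin", "role": "Application Admin",
     "tenants": ["Alpha"], "vrf_labels": []},
    # Tenant Admin whose scope spans two NSX Projects.
    {"user": "shared-project-admin", "role": "Tenant Admin",
     "tenants": ["Alpha", "Beta"], "vrf_labels": []},
    # Label names a VPC that belongs to a different project.
    {"user": "stray-vpc-admin", "role": "Application Admin",
     "tenants": ["Alpha"], "vrf_labels": ["BetaOps-VPC"]},
]


def audit(assignments, inventory):
    """Return (user, finding) pairs for assignments broader than the mapping allows."""
    findings = []
    for a in assignments:
        user, tenants, labels = a["user"], a["tenants"], set(a["vrf_labels"])
        if len(tenants) != 1 or tenants[0] not in inventory:
            findings.append((user, "not scoped to exactly one known tenant"))
            continue
        if a["role"] != "Application Admin":
            continue  # Tenant Admin: single-tenant scope is the whole check
        if len(labels) != 1:
            findings.append((user, "not restricted to exactly one VRF label"))
        elif not labels <= inventory[tenants[0]]:
            findings.append((user, "VRF label is outside the user's tenant"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(ASSIGNMENTS, INVENTORY):
        print(f"{user}: {finding}")
```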