Configure the NSX Advanced Load Balancer Controller cluster to provide a highly available control plane for NSX Advanced Load Balancer.

Prerequisites

  1. Deploy three Controller VMs in the management domain.

  2. Reserve one IP address in the management network to be assigned as the Controller cluster VIP, which is used as the single endpoint for managing NSX Advanced Load Balancer.

  3. To guarantee priority recovery of the Controller VMs, configure VM Override rules with the following properties:

    1. Set VM Restart Policy to ‘Medium’.

    2. Set Host Isolation Response to ‘Disable’.

Procedure

  1. Initialize the first NSX Advanced Load Balancer Controller VM.

    1. In a web browser, log in to the first Controller by using https://sfo-m01-avic01a.sfo.rainpole.io/.

      Note:

       While the system is booting, a blank web page or an HTTP 503 status code may appear. Wait for about 5 to 10 minutes and then follow the instructions below for the setup wizard.

    2. Once the NSX Advanced Load Balancer welcome screen appears, create an 'admin' account by specifying the following information and click on Create Account:

      Setting             Value
      Username            admin
      Password            <COMPLEX_PASSWORD>
      Confirm Password    <COMPLEX_PASSWORD>
      Email Address       Specify the administrator email address

    3. Specify the DNS and NTP information and click on Next.

    4. Set up the SMTP source as 'Local Host' with From Address as [email protected] and click on Next.

    5. Under Tenant Settings, select Share IP route domain across tenants.

    6. Under 'Service Engines are managed within the', select Provider.

    7. Under Tenant Access to Service Engine, select Read Access.

    8. Click Save.

      The UI then logs in to the NSX Advanced Load Balancer Controller dashboard.

  2. Configure an NSX Advanced Load Balancer Controller cluster.

    1. Navigate to Administration > Controller and select Edit.

    2. Specify the 'Name' of the cluster as sfo-m01-avic.

    3. Specify the 'Controller Cluster IP' that was reserved in the prerequisites.

    4. Add the following details for each of the three NSX Advanced Load Balancer Controller nodes.

      Setting      Value
      IP           <CONTROLLER_IP_ADDRESS>
      Name         sfo-m01-avic01a (sfo-m01-avic01b and sfo-m01-avic01c for the other two nodes)
      Password     Leave blank
      Public IP    Leave blank

    5. Click on Save. It takes a few minutes for the services to restart and the Controller cluster to come up. Then verify the cluster:

      1. In a web browser, log in to the Controller cluster VIP by using https://sfo-m01-avic01.sfo.rainpole.io/.

      2. Navigate to Administration > Controller and ensure that all Controllers show 'State' as 'Active', which indicates a healthy Controller cluster.

  3. Set up the Controller cluster Portal Certificate. By default, the Controller cluster Portal is set up with a self-signed certificate. It is recommended to set up a trusted CA-signed certificate for the Controller cluster Portal.

    Note:

    Steps to sign a CSR by a Trusted CA are not covered in this document.

    1. In a web browser, log in to the Controller cluster VIP by using https://sfo-m01-avic01.sfo.rainpole.io/.

    2. Navigate to Templates > Security > SSL/TLS Certificates, click on CREATE and select Controller Certificate.

    3. Select Type as ‘CSR’ and specify the following information:

      Setting        Value
      Name           sfo-m01-avic01-portal-certificate
      Common Name    sfo-m01-avic01.sfo.rainpole.io

    4. Click on SAVE to generate a Certificate Signing Request.

    5. Click on Edit (pencil icon) on the sfo-m01-avic01-portal-certificate and copy the CSR.

    6. Take the copied CSR and get it signed by a trusted CA. This produces a signed Certificate. Copy the signed Certificate to be used for the Controller cluster portal.

    7. Click on Paste text and paste the copied signed certificate.

    8. Click on SAVE.

    9. Navigate to Administration > Settings > Access Settings and edit System Access Settings.

    10. Remove the pre-existing SSL/TLS Certificate entries (these are the self-signed Controller cluster portal certificates) and select the sfo-m01-avic01-portal-certificate certificate from the drop-down.

    11. Click on SAVE.

    12. Refresh the browser to renegotiate TLS with the Controller cluster portal. The Controller cluster portal should now present the signed Certificate.
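A way to confirm step 12 from the command line rather than by inspecting the browser padlock: fetch the certificate the cluster VIP presents, check its Common Name, and check that it chains to the CA that signed the CSR (the default self-signed certificate fails that check). This is an added example, not part of the VMware document; it assumes openssl on the PATH and that you have the signing CA's bundle as a PEM file, and it includes constructed throwaway certificates so the checks can be tried offline.

```shell
# Added example, not part of the VMware document: once the CA-signed portal
# certificate is selected under Access Settings, confirm what the Controller
# cluster VIP actually presents instead of trusting the browser padlock.
# Assumes openssl is on the PATH; the FQDN below is the document's example.

# Print the subject CN of a PEM certificate (tolerates old and new openssl output).
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if CERT chains to the bundle of the CA that signed the CSR; the
# system CA directory is not consulted. The Controller's default self-signed
# certificate fails here, which is how you notice the old entry was left in place.
cert_chains_to() {
  openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Fetch the leaf the VIP presents for FQDN (SNI sent explicitly, as a browser
# does) and run both checks. 0 = expected CN and trusted chain, 1 = wrong
# certificate, 2 = no TLS handshake.
check_portal_cert() {
  fqdn="$1"; ca_bundle="$2"; port="${3:-443}"
  leaf=$(mktemp)
  printf '' | openssl s_client -connect "$fqdn:$port" -servername "$fqdn" 2>/dev/null |
    openssl x509 -outform PEM > "$leaf" 2>/dev/null || { rm -f "$leaf"; return 2; }
  if [ "$(cert_cn "$leaf")" = "$fqdn" ] && cert_chains_to "$leaf" "$ca_bundle"
  then rc=0; else rc=1; fi
  rm -f "$leaf"; return $rc
}

# Constructed sample material for trying the checks offline: a throwaway CA, a
# leaf it signs for the cluster FQDN, and a self-signed leaf standing in for the
# Controller's default certificate. Writes ca.pem, signed.pem, selfsigned.pem.
make_demo_certs() {
  dir="$1"; fqdn="sfo-m01-avic01.sfo.rainpole.io"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/signed.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$fqdn" \
    -keyout "$dir/self.key" -out "$dir/selfsigned.pem" 2>/dev/null
}

# Live use: check_portal_cert sfo-m01-avic01.sfo.rainpole.io /path/to/ca-bundle.pem
```

A non-zero exit from check_portal_cert after step 12 usually means the self-signed entry was not removed in step 10 or the browser is still talking to a single node rather than the cluster VIP.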

  4. Set up the Controller Cluster Secure Channel Certificate. By default, the Controller cluster is set up with a self-signed certificate for communication between the Controllers and the Service Engines. It is recommended to set up a trusted CA-signed certificate for the Controller cluster Secure Channel.

    Note:

    Steps to sign a CSR by a Trusted CA are not covered in this document.

    1. In a web browser, log in to the Controller cluster VIP by using https://sfo-m01-avic01.sfo.rainpole.io/.

    2. Navigate to Templates > Security > SSL/TLS Certificates, click on CREATE and select Controller Certificate.

    3. Select Type as ‘CSR’ and specify the following information:

      Setting        Value
      Name           sfo-m01-avic01-secure-channel-certificate
      Common Name    sfo-m01-avic01.sfo.rainpole.io

    4. Click SAVE to generate a Certificate Signing Request.

    5. Click on Edit (pencil icon) on the sfo-m01-avic01-secure-channel-certificate and copy the CSR.

    6. Take the copied CSR and get it signed by a trusted CA. This produces a signed Certificate. Copy the complete signed Certificate bundle to be used for the Controller cluster Secure Channel.

    7. Click on Paste text and paste the copied complete signed Certificate bundle.

    8. Click on SAVE.

    9. Navigate to Administration > Settings > Access Settings and edit System Access Settings.

    10. Remove the pre-existing Secure Channel SSL/TLS Certificate entry (this is the self-signed Controller cluster secure channel certificate) and select the sfo-m01-avic01-secure-channel-certificate Certificate from the drop-down.

    11. Click on SAVE.

  5. All Service Engines created from this point on use this certificate to authenticate the Controller cluster.