By default, the VIP will be allocated from one of the “Usable Networks” listed in the north-south IPAM object configured in the Kubernetes/OpenShift cloud.

In some instances, it can be desirable to specify that the VIP be allocated from a specifically named subnet. This can be achieved by defining the network in NSX Advanced Load Balancer and then referencing the network by name in the service annotation as follows:

apiVersion: v1
kind: Service
metadata:
  name: avisvc
  labels:
    svc: avisvc
  annotations:
    avi_proxy: >-
      {"virtualservice":{"enable_rhi": true, "east_west_placement": false, "auto_allocate_ip": true,
      "ipam_network_subnet": {"network_ref": "/api/network/?name=ns-cluster-network-bgp"}}}
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: http
  selector:
    name: avitest

When explicitly referencing a network in this way, it is not necessary to include that network in the Usable Networks list in the north-south IPAM object.

  • Networks created in the NSX Advanced Load Balancer “admin” tenant can be referenced in any Kubernetes namespace/OpenShift project.

  • Networks created in a specific NSX Advanced Load Balancer tenant can be referenced only in the corresponding namespace/project.

  • Networks with the same name, defining different subnets, can be created in different tenants.

Combining these capabilities allows for great flexibility in the allocation of VIPs in different subnets, for example:

  • Global default subnet(s) for unannotated services

    • Add network(s) defined in the “admin” tenant to the north-south IPAM configuration.

  • Per-namespace default subnet(s) for unannotated services

    • Add network(s) defined only in the non-admin tenants (not in the “admin” tenant) to the north-south IPAM configuration.

  • Allow application owners to place services in specific subnet(s) through annotations

    • Define networks in the “admin” tenant.

    • These may or may not be added to the north-south IPAM configuration.

  • Allow application owners to place services in namespace/project-specific subnet(s) through annotations

    • Define networks in the tenant corresponding to the namespace/project.

    • These may or may not be added to the north-south IPAM configuration.
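The following is an added example, not code from the NSX Advanced Load Balancer product or its documentation: a small pre-deployment check that parses the avi_proxy annotation shown above, extracts the network name from the network_ref, and applies the tenant/namespace rules listed here (admin-tenant networks usable anywhere, tenant-specific networks only from the matching namespace). The tenant inventory, the tenant names and the rule that a same-named network in the namespace's own tenant is preferred over the admin tenant are assumptions for illustration.

```python
import json
from urllib.parse import parse_qs, urlparse

# Constructed inventory of networks defined per NSX ALB tenant (assumption, not from the page).
NETWORKS = {
    "admin": {"ns-cluster-network-bgp"},
    "team-a": {"team-a-vips"},
}

# Constructed annotation values for the checks below (the first mirrors the page's example).
ANNOTATION_ADMIN = ('{"virtualservice":{"enable_rhi": true, "east_west_placement": false, '
                    '"auto_allocate_ip": true, "ipam_network_subnet": '
                    '{"network_ref": "/api/network/?name=ns-cluster-network-bgp"}}}')
ANNOTATION_TENANT = ('{"virtualservice":{"auto_allocate_ip": true, "ipam_network_subnet": '
                     '{"network_ref": "/api/network/?name=team-a-vips"}}}')


def parse_network_ref(ref):
    """Return the network name from a '/api/network/?name=<name>' reference, else None."""
    parsed = urlparse(ref)
    if parsed.path != "/api/network/":
        return None
    names = parse_qs(parsed.query).get("name", [])
    return names[0] if len(names) == 1 else None


def check_vip_placement(annotation, namespace):
    """Resolve which tenant's network a Service's avi_proxy annotation selects.

    Returns (ok, detail): detail is the tenant name on success, or the reason on failure.
    Unannotated placement falls back to the north-south IPAM Usable Networks.
    """
    try:
        cfg = json.loads(annotation)
    except json.JSONDecodeError as exc:
        return False, f"avi_proxy is not valid JSON: {exc}"
    subnet = cfg.get("virtualservice", {}).get("ipam_network_subnet")
    if subnet is None:
        return True, "north-south IPAM default"
    name = parse_network_ref(subnet.get("network_ref", ""))
    if name is None:
        return False, "network_ref must have the form /api/network/?name=<network>"
    # Assumption: a same-named network in the namespace's own tenant wins over "admin".
    if name in NETWORKS.get(namespace, set()):
        return True, namespace
    if name in NETWORKS["admin"]:
        return True, "admin"
    return False, f"network {name!r} is defined neither in tenant 'admin' nor in {namespace!r}"
```

Running the check in CI against each Service manifest flags a reference to another team's tenant network before the Controller rejects it at deploy time.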