The role requirements are defined for the following two stages:

  • Controller Deployment

  • Microsoft Azure Cloud Configuration

NSX Advanced Load Balancer Controller Deployment

The NSX Advanced Load Balancer Controller cluster needs to be deployed in a resource group where the controller admin has a role of contributor or higher.

Microsoft Azure Cloud Configuration

In Azure, the NSX Advanced Load Balancer Controller interacts with various resources and manages their lifecycles.

These operations require specific permissions. The contributor role provides a sufficient level of permissions when attached to the required resource groups. However, the NSX Advanced Load Balancer solution requires only a subset of the permissions granted by the contributor role.

Hence, it is recommended to use a custom role that provides an appropriate level of access, limited to the required resources.

  1. The NSX Advanced Load Balancer Controller is configured to deploy Service Engines in a specific resource group that is tied to the user’s subscription. This user should have the contributor role for this resource group.

  2. The deployed cloud can provide load balancing services to a VNet present in a different resource group from the one mentioned above. In addition, the NSX Advanced Load Balancer Controller uses the following resources in this resource group:

    1. DNS zones to be used for Azure DNS, if enabled during cloud configuration in the Controller.

    2. Scale sets and Azure VMs used as back-end servers.

Resource groups provide an easy way to manage access to a group of resources in Azure. It is recommended to provision NSX Advanced Load Balancer Controller cluster in a new resource group of its own, for better isolation. Service Engine VM instances and all other Azure resources that are dynamically created by NSX Advanced Load Balancer Controller can reside in the same resource group (for small deployments), or can exist in a resource group of their own.

The Controller and Service Engines can be attached to an existing VNet for connectivity, independent of which resource group they reside in.

Note:
  • For the resource group where the Controller is spawned, a role of contributor or higher is required.

  • For the virtual network where the Service Engine instances are to be deployed, a role of NSX Advanced Load Balancer Controller or higher is required.

Deployment Scenario

Figure 1. Role definition in NSX Advanced Load Balancer deployment for Azure

In Figure 1, Cloud Credential is a credential asset, which could either be a service principal object, as in the case of an application, or a username/password credential set, as in the case of a user.

The NSX Advanced Load Balancer Controller belongs to NSX Advanced Load Balancer Controller Resource Group. The Controller admin exercises his privileges to deploy the Controller in this resource group.

The Controller creates the required resources in the NSX Advanced Load Balancer Cloud Resource Group. The credential asset needs the contributor role or a higher role on the NSX Advanced Load Balancer Cloud Resource Group.

The credential asset also needs custom role access to other resources, such as the VNet, DNS zones, and scale sets. This custom role helps define access to specific resources. Details on configuring the custom role are provided in the following section.

The NSX Advanced Load Balancer cloud and VNet resource groups are configured as a part of the credential asset.
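The following Azure CLI script is an added example, not part of the NSX Advanced Load Balancer documentation or product, that lays out the role assignments described in the numbered list, the Note and the Deployment Scenario above: contributor on the Cloud resource group only, a custom role (named "NSX Advanced Load Balancer Controller", as in the Note) assignable only inside the VNet resource group, and no subscription-wide assignment for the credential asset. The resource-group names, service principal name, region and the single action in the placeholder Actions list are assumptions; the real Actions list comes from the custom role section referenced above. The scope and role-definition helpers are pure string functions and run without an Azure login; only the `apply` path calls `az`.

```shell
#!/bin/sh
# Added example (not the product's own tooling): scope the credential asset's
# permissions to the two resource groups the page describes, using the Azure CLI.
# Resource-group names, the service principal name and the action list are
# assumptions/placeholders.
set -eu

ROLE_NAME="NSX Advanced Load Balancer Controller"   # custom role name from the page

# Build the ARM scope string for a resource group (pure string function).
rg_scope() {
    printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Emit a custom-role definition in the JSON shape `az role definition create` accepts.
# AssignableScopes is pinned to the VNet resource group so the role cannot be
# granted at subscription scope by mistake. Arguments after the first two are the
# Actions to allow (take them from the product's custom role section).
build_role_definition() {
    sub="$1"; rg="$2"; shift 2
    actions=""
    for a in "$@"; do
        actions="${actions:+$actions,}\"$a\""
    done
    printf '{"Name":"%s","Description":"Least-privilege role for the NSX ALB credential asset","Actions":[%s],"NotActions":[],"AssignableScopes":["%s"]}\n' \
        "$ROLE_NAME" "$actions" "$(rg_scope "$sub" "$rg")"
}

# Apply the layout from the page:
#   - contributor on the Cloud resource group (Service Engines and dynamic resources),
#   - the custom role on the VNet resource group (VNet, DNS zones, scale sets),
#   - nothing at subscription scope for the credential asset.
# Requires `az login`; recent CLI versions create the service principal with no
# role assignment by default, so the only assignments are the two made here.
apply_role_assignments() {
    cloud_rg="$1"; vnet_rg="$2"; sp_name="$3"; shift 3
    sub="$(az account show --query id -o tsv)"

    az group create --name "$cloud_rg" --location eastus -o none
    app_id="$(az ad sp create-for-rbac --name "$sp_name" --query appId -o tsv)"

    az role assignment create --assignee "$app_id" --role Contributor \
        --scope "$(rg_scope "$sub" "$cloud_rg")" -o none

    build_role_definition "$sub" "$vnet_rg" "$@" > role.json
    az role definition create --role-definition @role.json -o none
    az role assignment create --assignee "$app_id" --role "$ROLE_NAME" \
        --scope "$(rg_scope "$sub" "$vnet_rg")" -o none

    # Check: every assignment for the credential asset should carry a
    # ".../resourceGroups/<name>" scope, never a bare "/subscriptions/<id>".
    az role assignment list --assignee "$app_id" --all \
        --query "[].{role:roleDefinitionName, scope:scope}" -o table
}

# Run the Azure calls only when explicitly asked; the helpers stay usable offline.
if [ "${1:-}" = "apply" ]; then
    # Placeholder action list: replace with the documented custom-role actions.
    apply_role_assignments rg-nsxalb-cloud rg-app-vnet sp-nsxalb-controller \
        "Microsoft.Network/virtualNetworks/read"
fi
```

Run it as `sh roles.sh apply` after `az login`; the final `az role assignment list` output is the check that the credential asset holds contributor on the Cloud resource group and the custom role on the VNet resource group, and nothing wider.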