Configure an Avi Controller cluster to provide a highly available control plane for VMware NSX Advanced Load Balancer.

Prerequisites

  1. Deploy three Avi Controller VMs in the management domain.

  2. Reserve one IP address in the management network for the Avi Controller cluster VIP, which is used as the single endpoint for managing VMware NSX Advanced Load Balancer.

  3. To guarantee priority recovery of the Avi Controller VMs, configure VM Override rules with the following properties:

    1. Set VM Restart Policy to ‘Medium’.

    2. Set Host Isolation Response to ‘Disable’.

Procedure

  1. Initialize the first Avi Controller VM.

    1. In a web browser, log in to the first Avi Controller by using https://sfo-m01-avic01a.sfo.rainpole.io/.

      Note:

       While the system is booting up, a blank web page or a 503 status code may appear. Wait for about 5 to 10 minutes and then follow the instructions below for the setup wizard.

    2. Once the VMware NSX Advanced Load Balancer welcome screen appears, create an 'admin' account by specifying the following information and click on Create Account:

      | Setting | Value |
      |---|---|
      | username | admin |
      | Password | <COMPLEX_PASSWORD> |
      | Confirm Password | <COMPLEX_PASSWORD> |
      | Email Address | Specify the administrator email address |

    3. Specify the DNS and NTP information and click on Next.

    4. Set the SMTP source to 'Local Host' with the From Address admin@avicontroller.net and click on Next.

    5. Select No Orchestrator in the Orchestrator Integration page and click the arrow.

    6. In the Tenant Settings select 'No' to support multiple tenants and click on Complete.

    7. The UI will log into the Avi Controller dashboard.

  2. Configure an Avi Controller cluster.

    1. Navigate to Administration > Controller and select Edit.

    2. Specify the 'Name' of the cluster as sfo-m01-avic.

    3. Specify the 'Controller Cluster IP' that had been reserved.

    4. Add the following details for each of the three Avi Controller nodes. It is recommended to use a FQDN for the Avi Controllers, including the Avi Controller cluster endpoint (also known as the Avi Controller cluster VIP). 

      | Setting | Value |
      |---|---|
      | IP | sfo-m01-avic01a (sfo-m01-avic01b and sfo-m01-avic01c) |
      | Name | sfo-m01-avic01a (sfo-m01-avic01b and sfo-m01-avic01c) |
      | Password | Leave blank |
      | Public IP | Leave blank |

    5. Click on Save. It will take a few minutes for the services to restart and the Avi Controller cluster to be up.

      1. In a web browser, log in to the Avi Controller cluster VIP by using https://sfo-m01-avic01.sfo.rainpole.io/.

      2. Navigate to Administration > Controller and ensure all Avi Controllers show ‘State’ as ‘Active’ which represents a healthy Avi Controller cluster.

  3. Set up the Avi Controller cluster Portal Certificate. By default, the Avi Controller cluster Portal is set up with a self-signed certificate. It is recommended to set up a trusted CA signed certificate for the Avi Controller cluster Portal.

    Note:

    Steps to sign a CSR by a Trusted CA are not covered in this document.

    1. In a web browser, log in to the Avi Controller cluster VIP by using https://sfo-m01-avic01.sfo.rainpole.io/.

    2. Navigate to Templates > Security > SSL/TLS Certificates, click on CREATE, and select Controller Certificate.

    3. Select Type as ‘CSR’ and specify the following information:

      | Setting | Value |
      |---|---|
      | Name | sfo-m01-avic01-portal-certificate |
      | Common Name | sfo-m01-avic01.sfo.rainpole.io |

    4. Click on SAVE to generate a Certificate Signing Request.

    5. Click on Edit (pencil icon) on the sfo-m01-avic01-portal-certificate and copy the CSR.

    6. Take the copied CSR and get it signed from a trusted CA. This will generate a signed Certificate. Copy the signed Certificate to be used for the Avi Controller cluster portal.

    7. Click on Paste text and paste the copied signed certificate.

    8. Click on SAVE.

    9. Navigate to Administration > Settings > Access Settings and edit System Access Settings.

    10. Remove the pre-existing SSL/TLS Certificate entries (these are the self-signed Avi Controller cluster portal certificates) and select the sfo-m01-avic01-portal-certificate certificate from the drop-down.

    11. Click on SAVE.

    12. Refresh the browser to re-negotiate TLS with the Avi Controller cluster portal. The signed Certificate should be presented by the Avi Controller cluster portal.

  4. Set up the Avi Controller Cluster Secure Channel Certificate. By default, the Avi Controller cluster is set up with a self-signed certificate that is used for communication between the Avi Controllers and the Avi SEs. It is recommended to set up a trusted CA signed certificate for the Avi Controller cluster Secure Channel.

    Note:

    Steps to sign a CSR by a Trusted CA are not covered in this document.

    1. In a web browser, log in to the Avi Controller cluster VIP by using https://sfo-m01-avic01.sfo.rainpole.io/.

    2. Navigate to Templates > Security > SSL/TLS Certificates and click on CREATE and select Controller Certificate.

    3. Select Type as ‘CSR’ and specify the following information:

      | Setting | Value |
      |---|---|
      | Name | sfo-m01-avic01-secure-channel-certificate |
      | Common Name | sfo-m01-avic01.sfo.rainpole.io |

    4. Click SAVE to generate a Certificate Signing Request.

    5. Click on Edit (pencil icon) on the sfo-m01-avic01-secure-channel-certificate and copy the CSR.

    6. Take the copied CSR and get it signed from a trusted CA. This will generate a signed Certificate. Copy the complete signed Certificate bundle to be used for the Avi Controller cluster portal.

    7. Click on Paste text and paste the copied complete signed Certificate bundle.

    8. Click on SAVE.

    9. Navigate to Administration > Settings > Access Settings and edit System Access Settings.

    10. Remove the pre-existing Secure Channel SSL/TLS Certificate entry (this is the self-signed Avi Controller cluster secure channel certificate) and select the sfo-m01-avic01-secure-channel-certificate Certificate from the drop-down.

    11. Click on SAVE.

  5. All Avi SEs that will be created will use this certificate to authenticate the Avi Controller cluster.
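
Before pasting a signed certificate in step 7 of either certificate procedure, it is worth confirming that the file returned by the CA is what the procedure expects. The following is an added example, not part of the original procedure or of any Avi tooling: `check_cert` is a hypothetical helper that uses the `openssl` CLI to reject a certificate that is still self-signed, lacks a subjectAltName DNS entry for the cluster FQDN (browsers match the hostname against subjectAltName, not the Common Name), or expires within 30 days.

```shell
#!/bin/sh
# Added example. check_cert is a hypothetical helper, not an Avi tool.
# Usage: check_cert CERT.pem FQDN
# Returns 0 if all checks pass, 1 if any check fails, 2 if the file is unreadable.
# For a bundle, openssl x509 reads the first certificate, which must be the leaf.
check_cert() {
    pem=$1; fqdn=$2; rc=0

    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "FAIL: $pem is not a PEM certificate"
        return 2
    fi

    # Subject equal to issuer: still a self-signed certificate, which is
    # what steps 3 and 4 of the procedure are meant to replace.
    subj=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$issr" ]; then
        echo "FAIL: self-signed, subject and issuer are both: $subj"
        rc=1
    fi

    # Exact-match lookup of the FQDN among the DNS subjectAltName entries
    # (wildcard entries are not expanded here).
    sans=$(openssl x509 -in "$pem" -noout -text |
           grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    case ",$sans," in
        *",DNS:$fqdn,"*) ;;
        *) echo "FAIL: no subjectAltName DNS entry for $fqdn"; rc=1 ;;
    esac

    # Reject a certificate that expires within 30 days (2592000 seconds).
    if ! openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: expires within 30 days"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $pem is not self-signed, names $fqdn, and is in date"
    return "$rc"
}

# Run the check when called as: sh check_cert.sh CERT.pem FQDN
if [ "$#" -eq 2 ]; then
    check_cert "$1" "$2"
fi
```

For this page's values the call would be `check_cert signed.pem sfo-m01-avic01.sfo.rainpole.io`, where `signed.pem` is a placeholder name for the file received from the CA.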