vSphere IaaS control plane uses the Default-Group as a template to configure a Service Engine Group per Supervisor. Optionally, you can configure the Service Engines in the Default-Group, which defines the placement and number of Service Engine VMs within vCenter. You can also configure high availability if the NSX Advanced Load Balancer Controller is in Enterprise mode.

Procedure

  1. In the NSX Advanced Load Balancer Controller dashboard, select Infrastructure > Cloud Resources > Service Engine Group.
  2. In the Service Engine Group page, click the edit icon in the Default-Group.
    The General Settings tab appears.
  3. In the High Availability & Placement Settings section, configure high availability and virtual services settings.
    1. Select the High Availability Mode.
      The default option is N + M (buffer). You can keep the default value or select one of the following options:
      • Active/Standby
      • Active/Active
    2. Configure Number of Service Engines. This is the maximum number of Service Engines that may be created within a Service Engine group. Default is 10.
    3. Configure Virtual Service Placement Across Service Engines.
      Default option is Compact. You can select one of the following options:
      • Distributed. The NSX Advanced Load Balancer Controller maximizes the performance by placing virtual services on newly spun-up Service Engines up to the maximum number of Service Engines specified.
      • Compact. The NSX Advanced Load Balancer Controller spins up the minimum possible number of Service Engines and places the new virtual service on an existing Service Engine. A new Service Engine is created only when all the Service Engines are utilized.
  4. You can keep the default values for the other settings.
  5. Click Save.

Results

The AKO creates one Service Engine Group for each vSphere IaaS control plane cluster. The Service Engine Group configuration is derived from the Default-Group configuration. Once the Default-Group is configured with the required values, any new Service Engine Group created by the AKO will have the same settings. However, changes made to the Default-Group configuration are not reflected in an already created Service Engine Group. You must modify the configuration for an existing Service Engine Group separately.

Register the NSX Advanced Load Balancer Controller with NSX Manager

Register the NSX Advanced Load Balancer Controller with NSX Manager.

Prerequisites

Verify that you have deployed and configured the NSX Advanced Load Balancer Controller.

Procedure

  1. Log in to NSX Manager as a root user.
  2. Run the following command:
    curl -k --location --request PUT 'https://<nsx-mgr-ip>/policy/api/v1/infra/alb-onboarding-workflow' \
    --header 'X-Allow-Overwrite: True' \
    --header 'Authorization: Basic <base64 encoding of username:password of NSX Mgr>' \
    --header 'Content-Type: application/json' \
    --data-raw '{
    "owned_by": "LCM",
    "cluster_ip": "<nsx-alb-controller-cluster-ip>",
    "infra_admin_username" : "username",
    "infra_admin_password" : "password"
    }'
    If you provide DNS and NTP settings in the API call, the global settings are overridden. For example, "dns_servers": ["<dns-servers-ips>"] and "ntp_servers": ["<ntp-servers-ips>"].
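
A variant of the call above that verifies the NSX Manager certificate instead of passing -k, and keeps both passwords out of the command line and shell history. This is an added example, not part of the original procedure; the function names and the NSX_CA_FILE variable (a PEM file holding the NSX Manager certificate or its issuing CA) are assumptions.

```shell
#!/bin/sh
# Added example: helper names and NSX_CA_FILE are assumptions, not product tooling.

# Value for the Authorization header: base64 of "username:password".
basic_auth() {  # args: username password
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Escape backslashes and double quotes so a password cannot break the JSON body.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Request body with the four fields used in the procedure above.
onboarding_payload() {  # args: cluster_ip alb_user alb_password
    printf '{"owned_by":"LCM","cluster_ip":"%s","infra_admin_username":"%s","infra_admin_password":"%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# Read a secret from the terminal without echoing it.
ask_secret() {  # args: prompt
    printf '%s: ' "$1" >&2
    stty -echo; IFS= read -r secret; stty echo; echo >&2
    printf '%s' "$secret"
}

register_alb() {  # args: nsx_mgr_host nsx_user cluster_ip alb_user
    nsx_pw=$(ask_secret "NSX Manager password for $2")
    alb_pw=$(ask_secret "Controller password for $4")
    body=$(mktemp)   # mktemp creates the file readable by its owner only
    onboarding_payload "$3" "$4" "$alb_pw" > "$body"
    # The auth header reaches curl on stdin (--config -), so it never appears in argv.
    printf 'header = "Authorization: Basic %s"\n' "$(basic_auth "$2" "$nsx_pw")" |
        curl --config - --cacert "$NSX_CA_FILE" --fail --request PUT \
            --header 'X-Allow-Overwrite: True' \
            --header 'Content-Type: application/json' \
            --data "@$body" \
            "https://$1/policy/api/v1/infra/alb-onboarding-workflow"
    rc=$?
    rm -f "$body"
    return "$rc"
}
```

With --cacert, curl refuses to send the credentials if the NSX Manager certificate does not chain to the given file or does not match the host name or IP address in the URL.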

Assign a Certificate to the NSX Advanced Load Balancer Controller

The NSX Advanced Load Balancer Controller uses certificates that it sends to clients to authenticate sites and establish secure communication. Certificates can be either self-signed by the NSX Advanced Load Balancer or created as a certificate signing request (CSR) that is sent to a trusted certificate authority (CA), which then generates a trusted certificate. You can create a self-signed certificate or upload an external one.

You must provide a custom certificate to enable Supervisor. You cannot use the default certificate. For more information about certificates, see SSL/TLS Certificates.

If you use a private Certificate Authority (CA) signed certificate, the Supervisor deployment might not complete and the NSX Advanced Load Balancer configuration might not be applied. For more information, see NSX Advanced Load Balancer Configuration Is Not Applied.

Prerequisites

Verify that the NSX Advanced Load Balancer is registered with the NSX Manager.

Procedure

  1. In the Controller dashboard, click the menu in the upper-left hand corner and select Templates > Security.
  2. Select SSL/TLS Certificates.
  3. To create a certificate, click Create and select Controller Certificate.
    The New Certificate (SSL/TLS) window appears.
  4. Enter a name for the certificate.
  5. If you do not have a pre-created valid certificate, add a self-signed certificate by selecting Type as Self Signed.
    1. Enter the following details:
      • Common Name: Specify the fully-qualified name of the site. For the site to be considered trusted, this entry must match the hostname that the client entered in the browser.
      • Algorithm: Select either EC (elliptic curve cryptography) or RSA. EC is recommended.
      • Key Size: Select the level of encryption to be used for handshakes:
        • SECP256R1 is used for EC certificates.
        • 2048-bit is recommended for RSA certificates.
    2. In Subject Alternate Name (SAN), click Add.
    3. Enter the cluster IP address or FQDN, or both, of the NSX Advanced Load Balancer Controller if it is deployed as a single node. If only the IP address or FQDN is used, it must match the IP address of the NSX Advanced Load Balancer Controller VM that you specify during deployment. See Deploy the NSX Advanced Load Balancer Controller.
      Enter the cluster IP or FQDN of the NSX Advanced Load Balancer Controller cluster if it is deployed as a cluster of three nodes.
    4. Click Save.
    You need this certificate when you configure the Supervisor to enable the Workload Management functionality.
  6. Download the self-signed certificate that you create.
    1. Select Security > SSL/TLS Certificates.
      If you do not see the certificate, refresh the page.
    2. Select the certificate you created and click the download icon.
    3. In the Export Certificate page that appears, click Copy to clipboard against the certificate. Do not copy the key.
    4. Save the copied certificate for later use when you enable workload management.
  7. If you have a pre-created valid certificate, upload it by selecting Type as Import.
    1. In Certificate, click Upload File and import the certificate.
      The SAN field of the certificate you upload must have the cluster IP address or FQDN of the Controller.
      Note: Make sure that you upload or paste the contents of the certificate only once.
    2. In Key (PEM) or PKCS12, click Upload File and import the key.
    3. Click Validate to validate the certificate and key.
    4. Click Save.
  8. To change the certificate, perform the following steps.
    1. In the Controller dashboard, select Administration > System Settings.
    2. Click Edit.
    3. Select the Access tab.
    4. From SSL/TLS Certificate, remove the existing default portal certificates.
    5. In the drop-down, select the newly created or uploaded certificate.
    6. Select Basic Authentication.
    7. Click SAVE.
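
A pre-check for the certificate steps above: it confirms that the SAN lists the Controller cluster IP address or FQDN, that the exported PEM contains no private key, and which key type the certificate carries. This is an added example, not part of the original procedure; it assumes OpenSSL 1.1.1 or later, and the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample values are assumptions for illustration.

# Succeeds if the certificate's SAN extension lists the given FQDN or IP address.
cert_has_san() {  # args: cert_file fqdn_or_ip
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -Fxq -e "DNS:$2" -e "IP Address:$2"
}

# Succeeds if the file contains private key material (the exported copy must not).
pem_has_private_key() {  # args: pem_file
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Prints "EC prime256v1" (OpenSSL's name for SECP256R1), "RSA <bits>" or "other".
cert_key_type() {  # args: cert_file
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    case $text in
        *'ASN1 OID: prime256v1'*) echo 'EC prime256v1' ;;
        *rsaEncryption*)
            printf '%s\n' "$text" |
                sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/RSA \1/p' | head -n 1 ;;
        *) echo other ;;
    esac
}

# Constructed sample input: a throwaway self-signed EC certificate and key.
make_sample_cert() {  # args: out_dir
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj '/CN=alb.example.test' \
        -addext 'subjectAltName=DNS:alb.example.test,IP:192.0.2.10' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}
```

Run cert_has_san against the file you intend to upload or paste, passing the cluster IP address or FQDN, and run pem_has_private_key against the copy saved for workload management; it should fail on that file.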