Modernize and Secure Kubernetes Ingress for VKS on VCF with Avi
Load Balancing Container Ingress

Avi Load Balancer: Modernize and Secure Kubernetes Ingress for VKS on VCF

Modern Kubernetes applications leveraging VMware Kubernetes Service (VKS) demand agility but many enterprises still rely on multi-vendor ingress solutions that create operational silos and drive up complexity. This fragmentation increases costs, reduces efficiency, obscures visibility into applications while bolt-on security leaves gaps in protection. To address these challenges, organizations must adopt a unified ingress strategy that integrates performance, security, and automation at scale. 

It is also worth noting that the Kubernetes project announced the retirement of the Ingress NGINX Controller. This leaves many Kubernetes ingress installations without a supported path forward and gives customers only a few months to migrate to an alternative solution. While the retirement of Ingress NGINX is disruptive, it can also become a catalyst for modernizing Kubernetes ingress. To make this transition easier, we are introducing Avi Conversion Tool (ACT) to migrate NGINX ingress and annotation to Avi Gateway API.

For VMware Cloud Foundation (VCF) customers using VMware Kubernetes Service (VKS), VMware Avi Load Balancer (Avi) offers a superior and unified Kubernetes ingress solution. This represents a major architectural improvement over legacy and open-source technologies, simplifying operations by removing the need for separate ingress tools and mitigating the risks associated with alternatives.

Avi Advantage for VMware Kubernetes Service (VKS) over legacy solutions

Traditional appliance-based load balancing and legacy ingress solutions are ill-equipped for modern, containerized microservices architectures. While these legacy tools offer common application services like load balancing, network performance monitoring, and application security for traditional applications, they struggle to adapt these services for container-based environments. Key shortcomings include a lack of support for dynamic application autoscaling and inadequate native integration with peripheral services such as DNS, IPAM, and Web Application Firewalls (WAF).

This forces organizations to rely on a fragmented, multi-vendor approach, which significantly increases operational complexity in managing and troubleshooting independent components. This fragmented solution severely hinders end-to-end observability, making it difficult to detect issues like application latency or security violations. Furthermore, it results in only partial automation, demanding extensive, product-specific scripting knowledge and ultimately limiting flexibility and portability across various environments.

In contrast, Avi offers substantial advantages for container ingress in enterprise Kubernetes deployments by providing a unified, software-defined platform that seamlessly integrates load balancing, ingress, security, and observability services.

For VCF  customers using VKS, Avi delivers:

  • Seamless integration with VKS on VCF: Avi ties directly into VKS enabling intelligent, automated application delivery for Kubernetes workloads.
  • Automated load balancing and ingress: Upon creation of new Kubernetes services, Avi automatically provisions the required Layer 4 load balancing and Layer 7 ingress configurations—no manual steps needed.
  • Instant cluster awareness: Integration with the VKS Supervisor Cluster ensures new workloads are instantly discovered and secured with consistent networking and policy enforcement.
  • Enterprise‑grade application delivery: Avi offers consolidated ingress with advanced capabilities such as WAF, Global Server Load Balancing (GSLB), and DNS/IPAM for resilient, multi‑site deployments.
  • Unified operations for DevOps teams: Centralized automation, real‑time visibility, and rich telemetry simplify Day‑2 operations, allowing DevOps teams to manage both containerized and VM‑based applications through a single, consistent model.
  • Fortified web app security: Avi delivers a built-in immune system for web applications, offering superior security with integrated WAF and Automated mTLS compared to traditional bolt-on appliances. 

Let us take a closer look at how Avi’s seamless integration with VKS  benefits Kubernetes application deployment on VCF.

Simplified Deployment and Lifecycle Management

Avi’s integration with VKS by virtue of Avi Kubernetes Operator (AKO) offers a true “plug-and-play” experience improving operational velocity and simplifying deployment and lifecycle management for Kubernetes applications on VCF:

  • Embedded service: The AKO operates as an embedded service on the vSphere Supervisor. Once licensed for Avi, customers can activate it in the Supervisor environment with just a few commands.
  • Automatic installation with VKS Add-on: The latest VKS add-on release now automatically includes the AKO package. This integration means that the AKO agent is deployed instantly when new VKS clusters are created, removing the necessity for manual Helm installations.
  • Automated Lifecycle Management with compatibility checks: Using the official VKS AKO package is crucial for seamless operations. This package guarantees proper management of the software lifecycle and compatibility requirements, as the AKO version is specifically designed and tested to align with the VKS release. This integrated approach simplifies upgrades and prevents potential version conflicts.

Reduce MTTR with Real-time Application Visibility for Kubernetes

Avi Analytics is a critical differentiator, revolutionizing troubleshooting for Kubernetes applications by providing deep, enterprise-grade visibility on VCF.

Avi delivers deep, unified analytics directly in the platform, encompassing end-to-end latency tracking, microservice flow insights, real-time anomaly detection, and detailed security event visibility per pod, service, and client. This comprehensive Avi Analytics helps VCF admins and DevOps teams troubleshoot faster, identify root-cause issues, detect attack patterns and suspicious behaviors, and close visibility gaps often present with open-source ingress tools. Furthermore, the ability to delegate Avi analytics access to the DevOps team using granular Role-Based Access Control (RBAC) helps reduce time spent on cross-team triaging thus reducing MTTR.

Future-proof Kubernetes Investments with Comprehensive Gateway API support

Adopting Kubernetes Gateway API is crucial for customers aiming for a modern, flexible, and scalable traffic management solution. Gateway API delivers advanced routing capabilities, strengthened security, and finer role-based control. By embracing Gateway API support, organizations can future-proof their infrastructure with a standardized, extensible foundation capable of meeting the demands of constantly evolving technologies and dynamic applications. 

As mentioned earlier, with the Ingress NGINX Controller’s maintenance ending in March 2026, Kubernetes users must migrate to new solutions soon, presenting a chance to modernize infrastructure and turn this forced migration into an architectural upgrade. Avi is Gateway Api ready today and offers a powerful upgrade path, providing advanced operational and security features beyond what open-source or traditional controllers deliver.

Comprehensive Layer 4 and Layer 7 Ingress for Kubernetes Workloads

Modern Kubernetes workloads predominantly operate at the API/HTTP (Layer 7) level, requiring advanced capabilities beyond basic Layer 4 (L4) load balancing. Avi, through AKO, provides a unified, enterprise-grade solution:

  • Layer 7 (L7) Ingress: AKO delivers essential L7 routing, enabling sophisticated traffic manipulation, host- and path-based routing, TLS offload, and security functions like Web Application Firewall (WAF).
  • Consolidated ingress solution: Avi extends far beyond basic ingress and L4 services. It acts as a single, comprehensive platform, offering:
    • Ingress
    • L4 Load Balancing
    • WAF
    • GSLB via AMKO
    • DNS
    • IP Address Management (IPAM)

This integrated approach eliminates the complexity and operational overhead associated with assembling multiple disparate solutions to achieve enterprise-grade functionality. Avi is uniquely positioned as the only load balancer offering out-of-the-box L4 and L7 load balancing with native multi-tenancy support, which is critical for VCF automation.

Ensure App Resiliency with Multi-Cluster GSLB Support 

The Avi Multi-Cluster Kubernetes Operator (AMKO) brings enterprise GSLB capabilities into Kubernetes, which is essential for Disaster Recovery (DR), active-active deployments, and application migration. AMKO allows developers to tie together multiple clusters. By using a Global Virtual Service, developers can gradually shift traffic via DNS from the old cluster to the new VKS cluster by manipulating weights or priorities through a Kubernetes Custom Resource Definition (CRD), without needing to involve GSLB or DNS teams.

Avi’s GSLB provides:

  • Cross-cluster traffic distribution
  • Automated failover between AZs or datacenters
  • Cluster- and site-level health monitoring
  • Global DNS-based routing
  • Service-level load sharing across regions
  • Migration of workloads between clusters, K8s flavors and more

Fortified Web App Security for VKS with Integrated WAF and Automated mTLS 

Avi serves as the secure entry point for your VKS environment, simplifying the process of protecting and securing the applications running within it. By providing a cohesive security approach with built-in Web Application Firewall (WAF) and mutual TLS (mTLS) support, Avi ensures easier deployment and robust, consistent protection. This integrated model removes the complexities and potential security gaps associated with multiple point solutions. The resulting streamlined security ensures easier management, stronger defense for modern Kubernetes environments, and helps maintain compliance with standards such as PCI DSS, NIST, and GDPR.

Avi’s fully integrated WAF provides:

  • Application layer protection at cluster ingress
  • OWASP Top 10 Protection
  • BOT Detection 
  • DDoS Protection
  • Behavioral and signature-based detection
  • API protection capabilities
  • Rate Limiting

Avi simplifies and automates mTLS across services with:

  • Central certificate lifecycle management
  • Identity-based trust between microservices
  • Policy-driven enforcement mechanisms

Here are a few useful resources to help you learn more about Avi:

Related Articles