Authors and Contributors
I want to thank both Bhushan Pai, and Matt Karnowski, who joined VMware from the Avi Networks acquisition, for helping with the Avi Networks setup in my VMware Cloud on AWS lab and helping with some of the details in this blog.
- Humair Ahmed, Sr. Technical Product Manager, VMware NSBU
- Bhushan Pai, Sr. Technical Product Manager, VMware NSBU
- Matt Karnowski, Product Line Manager, VMware NSBU
With the recent acquisition of Avi Networks, VMware now offers a complete solution with advanced load balancing and Application Delivery Controller (ADC) capabilities. In addition to load balancing, these capabilities include global server load balancing, web application firewall (WAF), and advanced analytics and monitoring.
In this blog, we walk through an example of how the Avi Networks load balancer can be leveraged within a VMware Cloud on AWS software-defined data center (SDDC). A video of a demo is shown at the end of the blog; feel free to jump to the demo if you like.
Deep Dive on VMware Cloud on AWS at VMworld 2019
Also, if you would like additional details or would like to see a demo, I presented this specific demo in the second session below, VMware Cloud on AWS: Networking and Security Design [HBI1223BU].
VMworld 2019 Sessions to Watch
Session: VMware Cloud on AWS: NSX-T Networking and Security Deep Dive [CNET1219BU]
Speakers: Humair Ahmed, Sr. Technical Product Manager, VMware and Haider Witwit, VMware Specialist, AWS
Session: VMware Cloud on AWS: Networking and Security Design [HBI1223BU]
Speakers: Humair Ahmed, Sr. Technical Product Manager, VMware and Ed Shmookler, Staff VMware Cloud SE, VMware
Leveraging Avi Networks Load Balancer within VMware Cloud on AWS SDDC
In the below diagram, you can see I’ve deployed a network segment named Web. Three web servers have been deployed on this Web network segment. You can also see a network segment named MGMT where the Avi Networks controllers are deployed; these are deployed as OVF appliances.
There is also a network segment deployed named LB. This is where the Avi Networks service engines or load balancers are deployed. First, the Avi controllers are deployed, and then from the Avi Networks management console, accessible via the IP address of any of the controllers, the service engines or load balancers are deployed.
Note: you may have seen some designs where the load balancer appliance is connected to each network segment it is providing load balancing for. Although this design will work, it is not ideal because of the additional configuration required and the limitation that a virtual appliance can only have ten interfaces.
In the design shown above, you can see the Avi Networks service engines or load balancers route to and from the web servers they are providing load balancing for. This design is recommended for several reasons:
- Can scale out better as there is no need to connect networks you need load balancing services for directly to the load balancing appliance
- There is less configuration and complexity involved
- Less error prone as you don’t need to manually connect each network segment to the appliance
- Note: the Avi Networks service engines are connected to both the MGMT network and LB network; this provides separation of management/control traffic and dataplane traffic.
In the below diagram, you can see workloads On Prem are accessing the VMware Cloud on AWS SDDC over Direct Connect Private VIF.
In the screenshot below of the Avi Networks management graphical user interface (GUI), you can see I have configured a virtual IP (VIP) of 10.61.4.66; also note the services being load balanced: HTTPS (port 443) and HTTP (port 80). The pool for the virtual service to use is also selected, and you can see a WAF policy is also enabled.
Avi Networks also provides monitoring and analytical data like throughput and latency. Both the virtual service and the server pool have graphs and tables showing different analytical data. Switching over to the server pool I created, I’m presented with the below graph.
Below I click the Servers tab, to see the respective servers I have configured in this pool; the health status of each server is shown.
You can click the ‘pencil’ icon on the top right to see the configuration or modify settings like the load balancing algorithm; you can see below I have selected Round Robin as the load balancing algorithm.
Clicking on the Servers tab allows you to modify the server pool membership.
Using a web browser, I enter the domain name system (DNS) server name for my web server. The web page requests are load balanced via the round robin algorithm as expected. The first request goes to web server 1.
The second request goes to web server 2.
The third request goes to web server 3.
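To make the round robin behaviour concrete, here is an added example (not Avi Networks code) of a server pool that rotates through its members the way the three requests above rotate through web server 1, 2 and 3, and that additionally skips any member whose health check has failed, which is the health status the Servers tab displays. The member names, the 192.0.2.x addresses and the health probe are constructed for this example.

```python
"""Added example, not from the post or Avi Networks: a round-robin pool with
health-aware member selection. All names/addresses are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class PoolMember:
    name: str
    address: str
    healthy: bool = True  # result of the most recent health check


class RoundRobinPool:
    def __init__(self, members: List[PoolMember]) -> None:
        self.members = members
        self._next = 0  # index of the member to try first on the next request

    def pick(self) -> Optional[PoolMember]:
        """Return the next healthy member in rotation, or None if all are down."""
        n = len(self.members)
        for offset in range(n):
            idx = (self._next + offset) % n
            member = self.members[idx]
            if member.healthy:
                self._next = (idx + 1) % n  # continue the rotation after this one
                return member
        return None

    def run_health_checks(self, probe: Callable[[PoolMember], bool]) -> None:
        """Refresh every member's health flag from a probe function."""
        for m in self.members:
            m.healthy = probe(m)


def build_demo_pool() -> RoundRobinPool:
    # Constructed pool mirroring the three web servers in the post.
    return RoundRobinPool([
        PoolMember("web-1", "192.0.2.11"),
        PoolMember("web-2", "192.0.2.12"),
        PoolMember("web-3", "192.0.2.13"),
    ])


def distribute(pool: RoundRobinPool, count: int) -> List[Optional[str]]:
    """Names of the members chosen for `count` consecutive requests."""
    return [m.name if m else None for m in (pool.pick() for _ in range(count))]


if __name__ == "__main__":
    pool = build_demo_pool()
    print(distribute(pool, 3))                      # web-1, web-2, web-3
    pool.run_health_checks(lambda m: m.name != "web-2")  # simulate web-2 failing
    print(distribute(pool, 4))                      # web-1, web-3, web-1, web-3
```

With all members healthy the pool hands out web-1, web-2, web-3 in turn; once a health check marks web-2 down, requests alternate between web-1 and web-3 without any change to the client side.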
The really cool thing about the Avi Networks load balancer is that it is a full-blown Application Delivery Controller (ADC) and can be leveraged for things like WAF. To demonstrate this, I make the next website request via the IP address of the VIP on the Avi Networks service engine/load balancer. Remember from earlier in the post that WAF is already enabled, so this request will automatically be flagged.
Below I make the next website request via the IP address of the VIP on the Avi Networks service engine/load balancer instead of the DNS name as before.
Now, I go back to the Avi Networks management console and take a look at the logs. As you can see, the last web request has been flagged.
You can also click on the specific log entry to see exactly why the request/traffic was flagged and which WAF rule(s) were triggered. After clicking into the log entry, you will see client information such as the below, which includes IP address, web browser used, operating system used, and other client details.
Scrolling down, you can see the exact WAF rule that caused the flagging. In this case, the flag was the result of an IP address being used instead of a DNS name.
Clicking on WAF Rules under WAF Analytics in the right-side menu, you can see all the WAF rules that have been triggered since the web server has been up, and the most frequently hit rules. This is pretty cool, as it gives you good insight into what’s going on, traffic behavior, and things you may want to address.
Clicking on WAF Latency gives you a good view on what latency users are experiencing. Clicking further in, you can also see which specific clients are seeing the most latency.
You may be asking yourself whether, instead of just detecting and flagging, you can take a specific action like dropping traffic when WAF rules are hit – the answer is yes.
First, go to Virtual Services -> click the virtual service you want to configure -> click the WAF tab. You will see something like the below, where you can see all the rules enabled; you can also modify the configuration and disable specific rules here.
Next, click on the ‘pencil’ icon at the top right and again click on the ‘pencil’ icon under WAF Policy. You will then see the option to change the mode from Detection to Enforcement as shown below.
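The following is an added example, not Avi Networks code, that models the three WAF behaviours shown in this post: a request whose Host header carries an IP address instead of a DNS name trips a rule, the log entry records the client details and the rule(s) hit, WAF Analytics counts the most frequently hit rules, and switching the policy from Detection to Enforcement turns the same match from a flagged-but-allowed request into a rejected one. The rule IDs, the second rule (missing User-Agent), and the sample requests are constructed for this example and do not correspond to any real Avi rule set.

```python
"""Added example, not from the post or Avi Networks: a toy WAF policy with
Detection/Enforcement modes, per-request logging and rule-hit analytics.
Rule IDs and sample requests are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple


class WafMode(Enum):
    DETECTION = "detection"      # log matches, let traffic through
    ENFORCEMENT = "enforcement"  # log matches, reject the request


@dataclass
class Request:
    client_ip: str
    host: str        # value of the HTTP Host header
    path: str
    user_agent: str


@dataclass
class WafRule:
    rule_id: str
    description: str
    matches: Callable[[Request], bool]
    enabled: bool = True  # individual rules can be disabled, as in the WAF tab


@dataclass
class WafLogEntry:
    client_ip: str
    host: str
    path: str
    user_agent: str
    rules_hit: List[str]
    action: str  # "allowed", "flagged" or "rejected"


def host_is_ip_literal(req: Request) -> bool:
    """True when the Host header is a numeric IP (v4 or v6, with optional port)
    rather than a DNS name: the condition that flagged the request in the post."""
    host = req.host
    if host.startswith("["):               # "[v6addr]:port" form
        host = host[1:host.find("]")]
    elif host.count(":") == 1:             # "v4addr:port" form
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


@dataclass
class WafPolicy:
    rules: List[WafRule]
    mode: WafMode = WafMode.DETECTION
    log: List[WafLogEntry] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        """Run every enabled rule, log the outcome and return the action taken."""
        hits = [r.rule_id for r in self.rules if r.enabled and r.matches(req)]
        if not hits:
            action = "allowed"
        elif self.mode is WafMode.DETECTION:
            action = "flagged"    # visible in the log, but the request is served
        else:
            action = "rejected"   # enforcement mode drops the request
        self.log.append(WafLogEntry(req.client_ip, req.host, req.path,
                                    req.user_agent, hits, action))
        return action

    def top_rules(self) -> List[Tuple[str, int]]:
        """WAF Analytics view: rules hit most often since the policy started."""
        return Counter(rid for e in self.log for rid in e.rules_hit).most_common()


def build_demo_policy() -> WafPolicy:
    # Constructed rule set; IDs are placeholders, not real WAF rule numbers.
    return WafPolicy(rules=[
        WafRule("HOST-IP-LITERAL", "Host header is an IP address, not a DNS name",
                host_is_ip_literal),
        WafRule("NO-USER-AGENT", "User-Agent header missing or empty",
                lambda r: not r.user_agent),
    ])


if __name__ == "__main__":
    policy = build_demo_policy()
    by_name = Request("192.0.2.50", "www.example.test", "/", "Mozilla/5.0")
    by_ip = Request("192.0.2.50", "203.0.113.66", "/", "Mozilla/5.0")
    print(policy.evaluate(by_name), policy.evaluate(by_ip))   # allowed flagged
    policy.mode = WafMode.ENFORCEMENT                          # the pencil-icon change
    print(policy.evaluate(by_ip))                              # rejected
    print(policy.log[-1])                                      # client details + rules
    print(policy.top_rules())                                  # [('HOST-IP-LITERAL', 2)]
```

The same request by IP is only flagged while the policy is in Detection mode and is rejected once it is switched to Enforcement; nothing else about the request or the rule changes, which is why the post recommends reviewing the WAF Rules analytics before enabling enforcement so that legitimate traffic hitting a rule can be addressed (or the rule disabled) first.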
Pretty cool stuff, right? You can now leverage the Avi Networks Load Balancer ADC in VMware Cloud on AWS for both load balancing and security for your applications!
Demo of VMware Cloud on AWS with NSX Advanced Load Balancer
A video of the demo described above is shown below. Note, as described in a more recent blog post, Avi Networks is now part of VMware and the Avi Networks Load Balancer/ADC product is now called VMware NSX Advanced Load Balancer.
VMware Cloud on AWS Resources
- Check out my prior posts on VMware Cloud on AWS: NSX Networking and Security on the VMware Network Virtualization Blog!
- Read my latest book on VMware Cloud on AWS: NSX Networking and Security
- If you’re attending VMworld, make sure to attend one of my VMworld sessions, a book signing, or a Meet the Experts session!
- Follow me on Twitter!