Authors and Contributors

I want to thank both Bhushan Pai, and Matt Karnowski, who joined VMware from the Avi Networks acquisition, for helping with the Avi Networks setup in my VMware Cloud on AWS lab and helping with some of the details in this blog.

  • Humair Ahmed, Sr. Technical Product Manager, VMware NSBU
  • Bhushan Pai, Sr. Technical Product Manager, VMware NSBU
  • Matt Karnowski, Product Line Manager, VMware NSBU

With the recent acquisition of Avi Networks, a complete VMware solution with advanced load balancing and Application Delivery Controller (ADC) capabilities is now available. In addition to load balancing, these capabilities include global server load balancing, web application firewall (WAF), and advanced analytics and monitoring.

In this blog, we walk through an example of how the Avi Networks load balancer can be leveraged within a VMware Cloud on AWS software-defined data center (SDDC). A video of a demo is shown at the end of the blog; feel free to jump to the demo if you like.

Deep Dive on VMware Cloud on AWS at VMworld 2019

Also, if you would like additional details or would like to see a demo, I presented this specific demo in the second session below, VMware Cloud on AWS: Networking and Security Design [HBI1223BU].

VMworld 2019 Sessions to Watch

Session: VMware Cloud on AWS: NSX-T Networking and Security Deep Dive [CNET1219BU]
Speakers: Humair Ahmed, Sr Technical Product Manager, VMware and Haider Witwit, VMware Specialist, AWS

Session: VMware Cloud on AWS: Networking and Security Design [HBI1223BU]
Speakers: Humair Ahmed, Sr Technical Product Manager, VMware and Ed Shmookler, Staff VMware Cloud SE, VMware

Leveraging Avi Networks Load Balancer within VMware Cloud on AWS SDDC

In the below diagram, you can see I’ve deployed a network segment named Web. Three web servers have been deployed on this Web network segment. You can also see a network segment named MGMT where the Avi Networks controllers are deployed; these are basically deployed OVF appliances.

There is also a network segment deployed named LB. This is where the Avi Networks service engines or load balancers are deployed. First, the Avi controllers are deployed, and then from the Avi Networks management console, accessible by accessing the IP address of any of the controllers, the service engines or load balancers are deployed.

Figure 1: VMware Cloud on AWS with NSX and Avi Networks Load Balancer ADC

Note: you may have seen some designs where the load balancer appliance is connected to each network segment it is providing load balancing for. Although this design will work, it is not ideal because of the additional configuration required and the limitation that a virtual appliance can only have ten interfaces.

In the design shown above, you can see the Avi Networks service engines or load balancers route to and from the web servers they are providing load balancing for. This design is recommended for several reasons:

  • Can scale out better as there is no need to connect networks you need load balancing services for directly to the load balancing appliance
  • There is less configuration and complexity involved
  • Less error prone as you don’t need to manually connect each network segment to the appliance
  • Note: the Avi Networks service engines are connected to both the MGMT network and LB network; this provides separation of management/control traffic and dataplane traffic.

In the below diagram, you can see workloads On Prem are accessing the VMware Cloud on AWS SDDC over Direct Connect Private VIF.

Figure 2: Workloads On Prem Accessing Web Servers Sitting Behind Avi Networks Load Balancer in the SDDC

You can see from the screenshot below of the Avi Networks management graphical user interface (GUI) that I have configured a virtual IP (VIP) of 10.61.4.66; also note the services being load balanced: HTTPS (port 443) and HTTP (port 80). The pool for the virtual service to use is also selected, and you can see the WAF policy is enabled.

Figure 3: Avi Networks Virtual Service Configuration

Avi Networks also provides monitoring and analytical data such as throughput and latency. Both the virtual service and the server pool have graphs and tables showing different analytical data. Switching over to the server pool I created, I'm presented with the graph below.

Figure 4: Avi Networks Server Pool Analytics

Below I click the Servers tab to see the respective servers I have configured in this pool; the health status of each server is shown.

Figure 5: Configured Server Pool Members and Health

You can click the 'pencil' icon on the top right to see the configuration or modify settings such as the load balancing algorithm; you can see below that I have selected Round Robin as the load balancing algorithm.

Figure 6: Configured Server Pool Load Balancing Algorithm

Clicking on the Servers tab allows you to modify the server pool membership.

Figure 7: Configured Server Pool Membership

Using a web browser, I enter the domain name system (DNS) name for my web server. The web page requests are load balanced via the round robin algorithm as expected. The first request goes to web server 1.

Figure 8: Avi Networks Load Balancer with Round Robin Load Balancing Algorithm - Hitting Web Server 1

The second request goes to web server 2.

Figure 9: Avi Networks Load Balancer with Round Robin Load Balancing Algorithm - Hitting Web Server 2

The third request goes to web server 3.

Figure 10: Avi Networks Load Balancer with Round Robin Load Balancing Algorithm - Hitting Web Server 3

The really cool thing about the Avi Networks load balancer is that it is a full-blown Application Delivery Controller (ADC) and can be leveraged for things like WAF. To demonstrate this, I make the next website request via the IP address of the VIP on the Avi Networks service engine/load balancer. Remember from earlier in the post that WAF is already enabled, so this request will automatically be flagged.

Below I make the next website request via the IP address of the VIP on the Avi Networks service engine/load balancer instead of the DNS name used before.

Figure 11: Making Webpage Request via IP Address Instead of DNS Name

Now, I go back to the Avi Networks management console and take a look at the logs. As you can see, the last web request has been flagged.

Figure 12: Avi Networks Management Console Displaying Logs and Flagged Web Page Request

You can also click on the specific log entry to see exactly why the request/traffic was flagged and which WAF rule(s) were triggered. After clicking into the log, you will see client information such as the below, which includes IP address, web browser used, operating system used, and other client details.

Figure 13: Avi Networks Management Console - Logs Showing Client Information for Flagged Request/Traffic

Scrolling down, you can see the exact WAF rule that caused the flagging. In this case, the flag was the result of an IP address being used instead of a DNS name.

Figure 14: Avi Networks Management Console - Log Showing Specific WAF Rule That Caused Flagging

Clicking on WAF Rules under WAF Analytics in the right-side menu, you can see all the WAF rules that have been triggered since the web server has been up and the most frequently hit rules. This is pretty cool as it gives you good insight into what's going on, traffic behavior, and things you may want to address.

Figure 15: Avi Networks Management Console Displaying Which WAF Rules are Hit Most Often

Clicking on WAF Latency gives you a good view on what latency users are experiencing. Clicking further in, you can also see which specific clients are seeing the most latency.

Figure 16: Avi Networks Management Console - WAF Displaying Latency Details

You may be asking yourself whether, instead of detection or just flagging, you can take a specific action such as dropping traffic when WAF rules are hit – the answer is yes.

First, go to Virtual Services -> click the virtual service you want to configure -> click the WAF tab. You will see something like the below, where you can see all the rules enabled; you can also modify the configuration and disable specific rules here.

Figure 17: Avi Networks Management Console - WAF Settings

Next, click on the ‘pencil’ icon at the top right and again click on the ‘pencil’ icon under WAF Policy. You will then see the option to change the mode from Detection to Enforcement as shown below.

Figure 18: Avi Networks Management Console - Changing WAF Mode Between Detection and Enforcement

Pretty cool stuff right! You can now leverage Avi Networks Load Balancer ADC in VMware Cloud on AWS for both load balancing and security for your applications!
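The two WAF behaviours walked through above (the request flagged because the Host header carried the VIP address instead of a DNS name, and the Detection versus Enforcement mode switch) modelled as an added example; this is not Avi's code or the author's, and the rule name, the sample requests and the client address are constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass, field

DETECTION, ENFORCEMENT = "detection", "enforcement"

# Constructed sample traffic: a browser request by DNS name, then the same
# request made straight to the VIP address, mirroring the demo in the post.
SAMPLE_REQUESTS = [
    {"client_ip": "192.0.2.10", "headers": {"Host": "web.example.com", "User-Agent": "Mozilla/5.0"}},
    {"client_ip": "192.0.2.10", "headers": {"Host": "10.61.4.66", "User-Agent": "Mozilla/5.0"}},
]

def host_is_ip(host: str) -> bool:
    """True when the Host header carries an IP literal (with or without :port) rather than a name."""
    if host.startswith("["):                       # IPv6 literal such as [2001:db8::1]:443
        bare = host[1:].split("]", 1)[0]
    else:                                          # drop a single trailing :port for IPv4/names
        bare = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(bare)
        return True
    except ValueError:
        return False

@dataclass
class WafPolicy:
    mode: str = DETECTION
    log: list = field(default_factory=list)      # what the console's log view would show

    def inspect(self, request: dict) -> bool:
        """Return True if the request may be forwarded to the server pool."""
        host = request["headers"].get("Host", "")
        if not host_is_ip(host):
            return True
        # Detection only records the hit; Enforcement also drops the request.
        action = "blocked" if self.mode == ENFORCEMENT else "flagged"
        self.log.append({"rule": "host-header-is-ip-address", "mode": self.mode,
                         "action": action, "client_ip": request["client_ip"],
                         "host": host, "ua": request["headers"].get("User-Agent", "")})
        return action != "blocked"

def run(mode: str) -> tuple:
    """Push the sample traffic through a policy; return (forwarded count, log entries)."""
    policy = WafPolicy(mode)
    forwarded = sum(policy.inspect(r) for r in SAMPLE_REQUESTS)
    return forwarded, policy.log
```

In Detection mode both requests reach the pool and one log entry is written; in Enforcement mode the same entry is written but the second request is dropped.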

Demo of VMware Cloud on AWS with NSX Advanced Load Balancer

A video of the demo described above is shown below. Note, as described in a more recent blog post, Avi Networks is now part of VMware and the Avi Networks Load Balancer/ADC product is now called VMware NSX Advanced Load Balancer.

VMware Cloud on AWS Resources