This webinar covered the integration between VMware NSX Advanced Load Balancer (Avi) and NSX-T. It demonstrated how to configure a cloud in Avi using NSX-T inventory, upload the Avi service engine OVA, and deploy service engines on ESXi hosts. It then showed how to create a virtual service in Avi and connect the service engine virtual NIC to the logical switch. It demonstrated how Avi automates scale-out of service engines and application backends through NSX-T routes and groups. The webinar provided next steps for attendees to learn more about and try out the Avi and NSX-T integration.

1. Confidential │ ©2021 VMware, Inc.
Live Webinar EMEA
Deploying Elastic, Self-Service Load
Balancing for VMware NSX-T
Nicolas Bayle Technical Evangelist
Christoph Altherr VCN Lead Solution Engineer
October 21st, 2021

2. Confidential │ ©2020 VMware, Inc.
Agenda
2
NSX Data Center – Introduction
Avi / NSX Advanced Load Balancer – Introduction
Avi & NSX Integration Deep Dive
QA
Next Steps

3. 3
Confidential │ ©2021 VMware, Inc.
VMware NSX
Data Center

4. Confidential │ ©2021 VMware, Inc. 4
Leads to security compromises
Traditional Network and Security Architectures
Realities
Complex to insert into the network
Unable to dynamically scale
Blind spots and lack of controls
Inconsistent and unmanageable
policy
Expensive
(HW, SW, maintenance, power,
cooling, cabling,
rack space,…)
IDS/IPS
FIREWALL / L3 Gateway
LOAD BALANCER
ANALYTICS

5. Confidential │ ©2019 VMware, Inc. 5
Traditional network & security
approach of the past 20 years
Built to meet the needs of
specific infrastructure
environments
(DC, Campus, Branch)
What’s needed: A new approach
for the next 20+ years
Flexible, programmable
network fabric designed to run
everywhere where applications
and
data reside

6. Confidential │ ©2021 VMware, Inc. 6
Provides complete coverage and eliminates blind spots
NSX distributes Network and Security features to every workload
Solution
Kernel-based L4-7 FW with
Advanced Threat Prevention
Distributed architecture eliminates
traffic hair pinning
Single management console
Easy to Deploy - no changes
required to physical
Agile (automatic policy provisioning
/ deprovisioning)
Consistent policy across all
workloads and multi-cloud
More cost effective
(up to 70%+ savings)
IDS/IPS
FIREWALL / L3 Gateway
LOAD BALANCER
ANALYTICS

7. Confidential │ ©2021 VMware, Inc. 7
VMware NSX is the
“Network & Security Hypervisor”

8. Confidential │ ©2021 VMware, Inc. 8
NSX Data Center
DATA CENTER
Virtualization Layer
NSX Platform
Physical
Infrastructure
Hypervisor

9. Confidential │ ©2021 VMware, Inc. 9
NSX Data Center
DATA CENTER
Virtualization Layer
NSX Platform
Workloads
vSwitch

10. Confidential │ ©2019 VMware, Inc. 10
Sysdig 2021
Container Security and Usage Report
Source: https://dig.sysdig.com/c/pf-2021-container-security-and-usage-report

11. Confidential │ ©2019 VMware, Inc. 11
Multi-cluster Policy and Visibility from NSX Manager
Kubernetes Solution Overview
App Dev and Ops
K8s Platform Ops
Network and Security Ops
VMware vSphere
Tanzu K8s Cluster
Antrea Ingress and ALB
Physical/Virtual Servers
Upstream K8s Cluster
Antrea Ingress and ALB
Kubernetes
VMware vSphere
OCP K8s Cluster
Antrea Ingress and ALB
NSX
NSX-T
Security Policies
Visibility and Troubleshooting
Security Policies within NSX-T for
both NSX-T and container cluster
endpoints
Unified Visibility and Operations across
Container and VM Networking and
Security
Support for Wide Variety of
Kubernetes Distributions

12. Confidential │ ©2021 VMware, Inc. 12
Network virtualization and security platform that enables a virtual cloud network
across data centers, clouds, and application frameworks
What is VMware NSX?

13. 13
©2020 VMware, Inc.
Avi NSX Advanced Load Balancer
Intro

14. Confidential │ ©2019 VMware, Inc. 14
Load Balancing Is a Key Blocker for Digital Transformation
Not Flexible
Not Scalable Not Agile
AUTOMATION
C H A L L E N G E S
Compute
Storage
Load
Balancers
Drivers
Time to
Market
Modern
Apps
Cost
Efficiency
# Env/Infra
# Apps
# Changes
Increased
IT Demands
Network

15. Confidential │ ©2019 VMware, Inc. 15
Delivers agility, operational Simplicity, and cost savings
To Modern Distributed Architecture
Expensive, Inflexible, and Restrictive
Hardware/Virtual Load Balancer Challenges
Separate control points –
operational complexity, hard to
automate, painful upgrades
Capacity management – manual VIP
placement, costly overprovisioning,
no fungible capacity
Not designed for modern new
environments
On-premises Cloud
Data Center 1 Data Center 2
DEPT1 DEPT2
Active Standby
0% Used
Capacity
15% Used
Capacity
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Data Plane
Control Plane
Data Plane
Control Plane
Data Plane
Control Plane
Data Plane
Control Plane
Hard to troubleshoot, finger-pointing
between app and network team
Network Team
App Owners
?
Container

16. Confidential │ ©2019 VMware, Inc. 16
Can I have the Best of Both Worlds?
The legacy VEs and cloud provider solutions are an unacceptable compromise
Load Balancing Challenges/Tradeoffs in the Public Cloud
Legacy
Virtual
LB
offers
features
Cloud
Provider LB
offers
automation &
elasticity
?
Tradeoff operational simplicity,
automation, and cloud-native
capabilities
Tradeoff features, multi-cloud
consistency, and portability

17. Confidential │ ©2019 VMware, Inc. 17
Consistent L4-L7 enterprise-grade app services across multi-cloud environments
Avi Networks (now VMware NSX Advanced Load Balancer)
App Analytics / Insights
Container Ingress Services
DNS and IP Address
Management (IPAM)
Web Application Firewall (WAF)
and App Security
Global Server Load Balancing
(GSLB)
Enterprise-grade Load
Balancing
NSX
Horizon(VDI)
vSphere/vCenter
Deliver
Any App
on
Any Cloud
with
One Platform
VCF
VMC
Tanzu
vRO/vRA

18. Confidential │ ©2019 VMware, Inc. 18
Control Plane
Bare Metal Virtualized Containers
ON PREMISES
PUBLIC CLOUD
Centralized policies and full lifecycle management
Avi Distributed Architecture for Multi-Cloud Application Services
Data Plane
Avi Controller
(Customer-managed | SaaS)
ELASTICITY
Application Services Fabric
ANALYTICS /
OBSERVABILITY
AUTOMATION
RESILIENCE
Avi PULSE
CENTRAL ORCHESTRATION

19. Confidential │ ©2019 VMware, Inc. 19
Consistent experience across multi-cloud envs.
Single LB Fabric Across Clouds
Single
Management
Point Centrally manage
multi-cloud deployments
Automate moves, adds,
and changes across clouds
No feature trade-offs
between on-prem vs cloud
Manage multi-site deployments
with GSLB
Bare Metal Virtualized Containers
Across On-prem and Public Cloud
Avi Controller

20. Confidential │ ©2019 VMware, Inc. 20
v2
Tenant 1
Always Active-Active, automatic failure handling
Resilient, Self-Healing Fabric
VIPs running on
Avi Service Engines
Active-Active
Per-tenant/per-app LB-tenant
isolation
Service Engines (SE) are
deployed in Active-Active
configuration with anti-
affinity rules
Automatically moves VIPs if SE
fails (e.g. accidental power off)
and instantiates new SE
Traffic is automatically rerouted
with moves and changes
Avi Controller
Tenant 2

21. Confidential │ ©2019 VMware, Inc. 21
Flexible, Non-Disruptive Upgrades
Tenant 1 Tenant 3
Tenant 2
v1 v1 v1 v1
v2
v2
Facilitates partial
(non-disruptive) upgrades
Upgrade select tenants or
SE groups within tenant to
V2 (after controller upgrade
or later time)
• Upgrade Tenant-2, Tenant-3 (SE
group 3) to V2
• Config allowed, but any config
changes to VSs in these SE groups
are queued until
SE group upgrade is completed
• Upgrade other tenants or SE groups
weeks later
Rollbacks of Controller and
SEs supported
Avi Controller

22. Confidential │ ©2019 VMware, Inc. 22
Simplify troubleshooting, eliminate TCP Dumps
Analytics and App Insights
Eliminate finger-pointing
Troubleshoot app performance, security and
end-user issues in minutes
Bare Metal Virtualized Containers
Avi Controller
• Connection log analytics
• Security insights: DDoS
• App performance metrics
• End user experience
End-to-End Timing
Total Response Time
End User
Client
RTT
Server
RTT
App
Response
Load
Balancer Server App

23. Confidential │ ©2019 VMware, Inc. 23
Simplify troubleshooting, eliminate TCP Dumps
Analytics and App Insights
Bare Metal Virtualized Containers
Eliminate finger-pointing
Troubleshoot app performance, security and
end-user issues in minutes
Avi Controller
• App performance metrics
• End user experience
• Connection log analytics
• Security insights: DDoS
End-to-End Timing
Total Response Time
End User
Client
RTT
Server
RTT
App
Response
Load
Balancer Server App

24. Confidential │ ©2019 VMware, Inc. 24
Simplify troubleshooting, eliminate TCP Dumps
Analytics and App Insights
Bare Metal Virtualized Containers
Eliminate finger-pointing
Troubleshoot app performance, security and
end-user issues in minutes
Avi Controller
• App performance metrics
• End user experience
• Connection log analytics
• Security insights: DDoS
End-to-End Timing
Total Response Time
End User
Client
RTT
Server
RTT
App
Response
Load
Balancer Server App

25. Confidential │ ©2019 VMware, Inc. 25
Scale vertically with more CPUs or horizontally with more Service Engines
Elastic Autoscaling
2x 1-core SEs
32x 1-core SEs
1 core
2,500 SSL TPS
5,000 SSL TPS
1M SSL TPS
Scale to millions of TPS
or hundreds of GBs of
throughput

26. Confidential │ ©2019 VMware, Inc. 26
Built-in ecosystem integration/cloud connectors
Automation / Self-Service
Bare Metal Virtualized Containers
Avi Controller
Operational Automation
vRO/vRA
Cisco
CloudCenter
Infrastructure Automation

27. Confidential │ ©2019 VMware, Inc. 27
VMware NSX Advanced Load Balancer
VMware NSX
Integration
+
Standalone
Multi-cloud
LB & WAF
NSX Data Center NSX Cloud
NSX Service Mesh
VMware Cloud on AWS (VMC)
VMware Horizon & UAG

28. 28
Confidential │ ©2020 VMware, Inc.
Avi NSX-T integration Deep Dive

29. Confidential │ ©2020 VMware, Inc. 30
Overall Architecture
Avi and NSX-T Integration
NSX-T Manager
Avi management traffic over
secure channel API
vCenter
Avi Controller
Avi UI
API
REST API
ESXI
API
ESXI
Deploy SEs
on ESXi
ESXI
Notifications

30. Confidential │ ©2020 VMware, Inc. 31
Cloud Creation
Avi and NSX-T Integration
Admin 1. Configure Cloud
2. Fetch NSX-T Inventory
Logical Segments, NSGroups, Transport
Nodes
3. Fetch Content Library
4. Upload SE OVA to content library
NSX-T Manager
vCenter
ESXI ESXI ESXI
1
2
3
4
Avi Controller

31. Confidential │ ©2020 VMware, Inc. 32
Avi and NSX-T Integration
Demo 2: Virtual Service Creation
NSX-T Manager
vCenter
ESXI ESXI ESXI
Admin 1. Create Virtual Service
2. Create SE VMs & connect SE vNIC to Logical
Switch
3. Deploy SEs on ESXi
4. Create: Routes for VIP elastic scaling,
NSGroups for Avi Objects
1
2
3
Avi Controller
4

32. Confidential │ ©2020 VMware, Inc. 33
VIP Routes and Scale out automation
Demo 3: SE Auto Scale Out
Tier-0
Tier-1
VIP/Data
Segment
Pool1
NSX-T Manager
Avi Controller
SE1
Active SEs
S S
Redistribute tier 1 static
routes via BGP
Redistribute static
Routes form VIP subnet
App
Segment
VIP gets placed on one or
more SEs depending on HA
mode configured (Active-
Active in this case)
Static Route:
VIP → SE1
VIP static routes get created on
tier-1 to which the VIP logical
segment is connected
* All HA modes supported

33. Confidential │ ©2020 VMware, Inc. 34
Tier-0
Tier-1
VIP/Data
Segment
Pool1
NSX-T Manager
Avi Controller
SE1
Active SEs
S S
Redistribute tier 1 static
routes via BGP
Redistribute static
Routes form VIP subnet
App
Segment
* All HA modes supported
Increase of Traffic
VIP Routes and Scale out automation
Demo 3: SE Auto Scale Out

34. Confidential │ ©2020 VMware, Inc. 35
Tier-0
Tier-1
VIP/Data
Segment
Pool1
NSX-T Manager
Avi Controller
SE1
Active SEs
S S
Redistribute tier 1 static
routes via BGP
Redistribute static
Routes form VIP subnet
App
Segment
* All HA modes supported
Increase of Traffic
High CPU
detected
on SE1
VIP Routes and Scale out automation
Demo 3: SE Auto Scale Out

35. Confidential │ ©2020 VMware, Inc. 36
Tier-0
Tier-1
VIP/Data
Segment
Pool1
NSX-T Manager
Avi Controller
SE2
SE1
Active SEs
S S
Redistribute tier 1 static
routes via BGP
Redistribute static
Routes form VIP subnet
App
Segment
VIP gets placed on one or
more SEs depending on HA
mode configured (Active-
Active in this case)
Static Route:
VIP → SE1, SE2 data vnic IP
VIP static routes get created on
tier-1 to which the VIP logical
segment is connected
* All HA modes supported
VIP Routes and Scale out automation
Demo 3: SE Auto Scale Out

36. Confidential │ ©2020 VMware, Inc. 37
Tier-0
Tier-1
VIP/Data
Segment
Pool1
NSX-T Manager
Avi Controller
SE2
SE1
Active SEs
S S
App
Segment
* All HA modes supported
Avi and NSX-T Integration
Demo 4: Application Backend Scale Out

37. Confidential │ ©2020 VMware, Inc. 38
Tier-0
Tier-1
VIP/Data
Segment
Pool1
NSX-T Manager
Avi Controller
SE2
SE1
Active SEs
S S
App
Segment
NSX-T group
updated
* All HA modes supported
S
Avi and NSX-T Integration
Demo 4: Application Backend Scale Out

38. Confidential │ ©2020 VMware, Inc. 39
Tier-0
Tier-1
VIP/Data
Segment
Pool1
NSX-T Manager
Avi Controller
SE2
SE1
Active SEs
S S
App
Segment
Pool1 updated
NSX-T group
updated
* All HA modes supported
S
Avi and NSX-T Integration
Demo 4: Application Backend Scale Out

39. Confidential │ ©2021 VMware, Inc. 44
Next Steps
• Contact your VMware Sales representative
• Contact us: learnavi@vmware.com
• Attend one of our 4 days workshop:
https://info.avinetworks.com/workshops#allWorkshops
• Play with AVI via VMware HOL (hands-on Labs): https://labs.hol.vmware.com/
• Download and Install AVI in your own environment:
https://customerconnect.vmware.com/
• AVI docs: https://avinetworks.com/docs

40. Confidential │ ©2020 VMware, Inc.
Thank You