Cisco ACI Network Policy Mode on Write Access VMware Cloud

Overview

Avi Vantage provides L4-L7 ADC services to workloads on VMware vCenter infrastructure that is connected to an ACI fabric. APIC uses contracts for access control between endpoint groups (EPGs), and the VMware distributed vSwitch is configured with port groups corresponding to the relevant APIC EPGs. These port groups are picked up by Avi Vantage automatically.

In this mode, Avi Vantage is deployed on VMware infrastructure with write access. This is the recommended deployment mode: APIC provides network connectivity and access control through contracts and EPGs, without using L4-L7 service graphs.

Avi Vantage can be deployed in one-arm or two-arm mode.

For more information on VMware write access deployment, refer to Deploying in Write Access Mode.

Logical Traffic Flow

The traffic flow for a web VM accessing an app virtual service hosted on Avi Service Engines is as follows:

  1. Web VM → ACI Fabric → Web EPG
  2. Web EPG → Contract → Avi SE EPG
  3. Avi SE → Load balancing to back-end servers → ACI fabric → Avi SE EPG
  4. Avi SE EPG → Contract → App EPG
  5. App EPG → App server VM

The return traffic follows the same path as the incoming traffic.

Figure: Logical traffic flow
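Because every hop in the flow above crosses an EPG boundary, each one must be permitted by a contract relation or the virtual service is unreachable. The following Python is an added example (not Avi or Cisco code) that checks the documented two-hop path against a set of contract relations; the EPG names, contract names, ports and the relation tuples are constructed assumptions, and a real check would read the relations from the APIC API.

```python
"""Verify that the Web EPG -> Avi SE EPG -> App EPG flow is permitted by contracts.

Added example, not Avi or Cisco code. SAMPLE_RELATIONS is constructed sample data
shaped like the consumer/provider contract relations a tenant would have in APIC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ContractRelation:
    consumer: str         # EPG that initiates the connection
    provider: str         # EPG that receives it
    contract: str         # contract name (constructed)
    ports: frozenset      # TCP ports allowed by the contract's filters


# Constructed sample data: web clients may reach the virtual service on 443,
# and the Service Engines may reach the app servers on 8080.
SAMPLE_RELATIONS = [
    ContractRelation("Web-EPG", "AviSE-EPG", "web-to-vs", frozenset({443})),
    ContractRelation("AviSE-EPG", "App-EPG", "vs-to-app", frozenset({8080})),
]

# The path described on this page, in traffic order (consumer, provider, port).
DOCUMENTED_FLOW = [("Web-EPG", "AviSE-EPG", 443), ("AviSE-EPG", "App-EPG", 8080)]


def find_hop(relations, consumer, provider, port):
    """Return the name of a contract permitting consumer -> provider on port, else None."""
    for r in relations:
        if r.consumer == consumer and r.provider == provider and port in r.ports:
            return r.contract
    return None


def check_flow(relations, hops):
    """Check every hop of a flow.

    Returns (ok, report): ok is True only if every hop is covered; report lists
    (consumer, provider, port, contract-or-'MISSING') per hop so a missing
    contract can be located quickly.
    """
    report, ok = [], True
    for consumer, provider, port in hops:
        contract = find_hop(relations, consumer, provider, port)
        ok = ok and contract is not None
        report.append((consumer, provider, port, contract or "MISSING"))
    return ok, report


if __name__ == "__main__":
    permitted, rows = check_flow(SAMPLE_RELATIONS, DOCUMENTED_FLOW)
    for consumer, provider, port, contract in rows:
        print(f"{consumer} -> {provider}:{port}  contract={contract}")
    print("flow permitted" if permitted else "flow blocked")
```

Removing the second relation from SAMPLE_RELATIONS reproduces the common misconfiguration where clients reach the virtual service but the Service Engines cannot reach the App EPG.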

Physical Traffic Flow

The traffic flow for a web VM accessing an app virtual service hosted on Avi Service Engines is as follows:

  1. Web VM → ACI fabric (with contract) → Avi SE VM (Avi SE EPG)
  2. Avi SE (with source NAT and load balancing) → App VMs

The App VMs respond to the Service Engine's translated IP address, and the Service Engines send the return traffic back to the web VM that initiated the request.

Figure: Physical traffic flow

High Availability Recommendations

Avi Vantage provides two elastic high availability (HA) modes for data-traffic resiliency. Both are scalable, so multiple Service Engines can serve any given virtual service.

For critical applications, active/active HA is recommended. In this HA mode, the virtual service is placed on at least two Service Engines, so traffic is not disrupted if one Service Engine fails.

For lower-priority applications, N+M HA mode can also be considered. This mode keeps at least M Service Engines' worth of capacity in reserve as a buffer in case of a Service Engine failure.

To learn more about the features of Avi Vantage High Availability, refer to Overview of Avi Vantage High Availability.