Avi Vantage Interaction with vCenter

Overview

Avi Vantage may be deployed with a VMware cloud in either no access, read access, or write access mode. Each mode results in escalating functionality and automation, but also requires higher levels of privilege for the Avi Controller within VMware vCenter.

Refer to Orchestrator Access Modes for more information on access modes, and Installing Avi Vantage for VMware vCentre KB article for instructions on installing Avi Vantage into a VMware vCenter environment.

Note: VM migration of the Controller and Service Engine images using vMotion is supported but not necessarily recommended. It is recommended to use Avi Vantage’s built-in virtual service migration functionality.

  • In case of planned maintenance, the Avi Controller spins up a new SE on a different host and non-disruptively migrates all applications (virtual services) to the new SE.
  • In case of a host outage, as part of Avi Vantage’s self-healing capability, the Avi Controller automatically moves virtual services to a different SE (spinning up a new SE if needed). Furthermore, if elastic active/active HA has been configured, there is no disruption to application traffic.

Initial Discovery (Read Operation)

The Avi Controller retrieves the following objects from vCenter in both read access and write access modes.

SelectbyNetwork2

  • Datacenter: Discovered datacenters are provided as a list for the user to select the specific datacenter for more detailed discovery.
  • Networks: This includes all networks (standard/distributed port group)
    • Networks: It provides networks as a list for the user to select Management Network.
    • IP Subnet: The IP subnet for each port group based on vNiCs in that port group (if vmtools is running on the VM). The IP subnet learned is used for placing the virtual service on appropriate networks.
    • Hosts: Used to execute the placement algorithms for creating SE VMs.
    • Clusters: Used to constrain the set of ESX hosts to be considered while creating the SE VMs.
    • Virtual Machines: All the virtual machines in the datacenter are discovered. This is to retrieve the IP subnet for each network. Discovered virtual machines also aid in the pool server selection.
    • Datastores: The user can select which datastore to use for SE VM creation (only shared datastores are considered).

Service Engine VM Creation (Read/Write Operation)

The Avi Controller interacts with vCenter’s OVF Manager to spawn an SE VM. The Controller needs the following access while in write access mode.

  • Folders: The Avi Controller creates the SE VM in the default AviSeFolder or a folder the user specifies. It creates the folder AviSeFolder if it is not present.
  • Datastores: The Avi Controller performs the data transfer for the SE VM directly to the ESX host’s datastore.
  • Network: 9 out of 10 vNICs for the SE VM are placed in the Avi Internal portgroup of vSwitch0. The Avi Internal standard portgroup is created in vSwitch0 of the ESX host. If vSwitch0 (default standard switch) is not present, then the Avi Controller creates vSwitch0 in the ESX host.
  • vApp: The Avi Controller updates OVF parameters of the SE VM which relate to vApp functionality.

VS Placement and VM Deletion

  • VS Placement: When placing a virtual service on an SE VM (Write Operation), the Avi Controller moves vNICs of the SE VM from Avi Internal to the required port group (standard/distributed). This stitches the network connectivity for the VS while in write access mode.
  • VM Deletion: The Avi Controller deletes the SE VM by interacting with vCenter.

vCenter Stats

ServerMetrics
The Avi Controller retrieves stats from vCenter for virtual machines and hosts. This data is for metrics-based analytics, such as assigning resource penalties. This data is queried by Avi Vantage while in both read and write access modes.

Custom vCenter Roles

Avi Vantage may leverage a custom role created within vCenter to limit the scope of access, as shown below. No change is required on Avi Vantage.

vCenterAviRole

vCenter Connectivity Probes

Avi Vantage takes the following measures to verify connectivity with vCenter on an ongoing basis.

  1. Initial login to vCenter: When a vCenter cloud is configured in Avi Vantage, a user login request is sent to the vCenter. The response time for the login request is measured. If it is greater than 10 seconds, an error is displayed in the Avi UI. Concurrently, a system event (VCENTER_ACCESS_SLOW) is generated.
  2. 5-second probe: Avi Controller polls the vCenter every 5 seconds for changes in objects such as virtual machines, datacenters, clusters, networks, and ESX hosts.
  3. 1-minute probe: The Avi Controller polls the vCenter once every minute to retrieve vCenter performance stats for the SE VMs and back-end server VMs configured in the pools.
  4. 10-minute probe: The Avi Controller issues an ssh probe to all the ESX hosts present in the datacenter. This ensures that connectivity is still intact between the Avi Controller and the ESX host. The vmdk for the SE VM gets transferred directly to the ESX host.
    Avi Controller also initiates a new connection request every 10 minutes to ensure that the user credentials configured for the vCenter cloud are valid. vCenter credentials are changed once every 6 months or 1 year, depending on the customer’s security policy.