Solution Guide for Azure Integration with Avi Vantage
About Microsoft Azure
Microsoft Azure is a cloud computing service that offers hosting and related public cloud services, and developer products to build a range of programs from simple websites to complex applications.
Azure provides a set of modular cloud-based services and development tools, which include hosting, computing, cloud storage, data storage, translation APIs, and prediction APIs.
Figure 1. Sample Deployment for Azure
Premium Load Balancing for Microsoft Azure with Avi Vantage
The Avi Vantage Platform is a next-generation, full-featured elastic application services’ fabric that is built on software-defined architectural principles.
Avi Vantage offers application services such as load balancing, security, application monitoring and analytics, and multi-cloud traffic management for workloads deployed in bare-metal, virtualized, or container environments in a data center or a public cloud (Amazon Web Services, Google Cloud Platform, or Microsoft Azure).
A consistent feature set across diverse cloud environments enable IT teams to be agile without having to constantly re-skill their IT personnel.
Figure 2. Avi Vantage implementation in a cloud platform
With Avi Vantage, enterprises can close the gap left by cloud-native solutions and traditional application delivery controllers (ADCs). Unlike these solutions, Avi Vantage offers a flexible, yet comprehensive solution that is infrastructure-independent, agile, and elastic at a reduced total cost of ownership (TCO).
What Avi Vantage provides for Microsoft Azure
Enterprises modernize and maximize infrastructure utilization with Microsoft Azure. The next phase of this modernization is to extend the application centrality to the networking stack. Avi Vantage offers elastic application services that extend beyond load balancing to deliver real-time application and security insights, simplify troubleshooting, auto scale predictively, and enable developer self-service and automation.
Avi Networks provides an enterprise grade feature set and superior experience for applications deployed in on-premise and multiple cloud infrastructures.
Full featured load balancing
Azure Application Gateway and Azure Load Balancer provide basic load balancing capabilities but lack enterprise-class features and advanced policy support. Avi Vantage delivers full-featured load balancing, including multiple load balancing algorithms, advanced HTTP content switching capabilities, comprehensive persistence, customizable health monitoring, DNS services, and GSLB across multiple clouds. Avi provides these capabilities in an as-a-service experience with native Azure API integration.
Avi Vantage is a 100% REST API-based solution, that offers Python SDK, Ansible playbook, and ARM templates for automating configuration and operations. Avi Vantage natively integrates with Azure APIs for spinning up VMs, allocating IPs, integrating Azure DNS, and auto scaling with Azure scale sets. Avi Vantage simplifies continuous integration and continuous delivery (CI/CD) operations by supporting blue-green deployments and canary upgrades.
Azure Application Gateway and Azure Load Balancer lack advanced security policies, SSL insights, and DDoS capabilities. Avi Vantage provides network ACLs, advanced HTTP security policies, SSL insights, DDoS detection and mitigation capabilities, along with micro segmentation in container environments.
Visibility and monitoring
With Azure Application Gateway and Azure Load Balancer, administrators and developers can not integrate real-time telemetry and have to deploy third party tools and services for analytics. Avi Vantage delivers real-time insights into application health, end-user experience, log analytics, and security status.
Multi-cloud load balancing
Inconsistent capabilities across clouds create challenges for network engineers to move workloads across multiple cloud infrastructures. This also forces enterprises to reinvest in training and education. Using native tools locks enterprises to the specific cloud, preventing workload mobility and increasing business risk. Avi Vantage enables dynamic workload mobility across clouds based on business metrics such as cost, performance, security, and compliance requirements, thus reducing risk and providing flexibility.
Avi Vantage deployment for Azure offers the following advantages:
- Single Avi Controller cluster manages services for applications across multiple virtual networks (VNets).
- Auto virtual IP address allocation and auto DNS registration allows full automation for application load balancing.
- Avi Controller automatically detects membership change in Azure scale set and updates pool membership for application autoscaling.
To understand the solution guide, we assume familiarity with:
- Basics of Azure functionality. For detailed information, refer to Microsoft Azure Documentation.
- Basics of load balancing and application delivery. For detailed information, refer to Avi Documentation.
Avi Vantage Architecture
The Avi Vantage Platform provides enterprise-grade distributed ADC solutions for on-premise as well as public cloud infrastructure. Avi Vantage also provides inbuilt analytics that guarantees superior end-user application experience as well as operational ease for network administrators.
Avi Vantage is a complete software solution which runs on commodity x86 servers or as a Virtual Machine and is entirely enabled by REST APIs.
Avi Vantage Architecture Components
As explained in the earlier sections, Avi Vantage is designed with clear control plane and data plane separation.
The Avi Controller is deployed first and this in turn is used to interact with various Azure objects as required, such as, initial configuration, virtual service creation, etc.
The Avi Vantage Platform is built on software-defined architectural principles which separates the data plane and control plane. The product components include:
- Avi Service Engines (data plane)
Distributed load balancers that are deployed closest to the applications across multiple cloud infrastructures. The Avi Service Engines collect and send real-time application telemetry to Avi Controller.
- Avi Controller (control plane)
Central policy and management plane that analyses the real-time telemetry collected from Avi Service Engines and displays actionable dashboards for administrators using an intuitive user interface built on RESTful APIs.
How Avi Vantage Works in Microsoft Azure
As explained in earlier sections, Avi Vantage is designed with clear control plane and data plane separation.
The Avi Controller is deployed first, and this in turn interacts with various Azure objects for initial configuration, virtual service creation, and other activities as required.
This section explains the process in brief.
Avi Controller Installation in Microsoft Azure
The Avi Vantage Controller is available in Azure Marketplace and can be deployed directly from there.
After the controller is deployed, Azure account details and credentials are provided. Avi Controller then connects to the Azure infrastructure and automatically provisions Service Engines as required.
For more information on prerequisites and deployment, see Avi Deployment Guide for Microsoft Azure.
Avi Controller Configuration for Microsoft Azure Cloud
After Avi Controller has been successfully deployed, it should be configured with a Microsoft Azure cloud so that the controller can access, create, configure, and manage Azure resources. This is required by Avi Vantage to perform operations such as creation of an Avi Service Engine, virtual service, etc.
The following parameters should be specified to configure the Azure cloud:
- Name of the cloud – For identification within the Avi Controller.
- Azure Credentials – An Azure username/password pair, or a service principal associated with an application ID.
- Subscription ID – An Azure subscription ID where the SEs will be created, and ADC functionality will be provided.
Once Avi Vantage authenticates with Azure, the location, resource group for Service Engines, and VNET or SE subnet can be configured.
This completes the cloud configuration.The Avi Controller generates a Virtual Hard Disk (VHD) for the Service Engine and copies it into an Azure storage account within the resource group specified above so that it can be used for SE creation as required.
Avi Virtual Service (and Service Engine) Lifecycle
After provisioning Avi Controller and configuring Azure cloud, the system is ready for provisioning virtual services.
When a virtual service is created, multiple interactions occur between the Avi Controller and Azure infrastructure to configure and enable the virtual service for traffic. The following is a brief sequence of events for a simple, HTTP virtual service.
- The Avi Controller checks for existing Service Engine VM managed by it, available in the Azure VNet. During initial deployment, there will be no SE VM available, and hence Avi Controller will use the Service Engine VHD in the storage account to provision the VMs. The VMs are of type Standard F1s by default, but can be changed under the SE group settings.
- Once the Service Engine is running, the Avi Controller programs the Service Engine.
- The Service Engine connects to Avi controller via the management IP, using SSH. This connection is used for all communication between the Controller and the Service Engine
- The virtual service IP is added to the Azure Load Balancer. If a public IP was requested, then it is added to the external Load Balancer as well.
- In case a FQDN was specified in the virtual service configuration, a host record is added to Azure DNS (or the appropriate DNS solution).
- The backend pool members will be reachable by the same interface, while the routing is handled by Azure. Health monitoring, if configured, is initiated.
- The required SSL certificates are copied to the Service Engine in-memory.
- Once all the configuration is completed successfully, the virtual service is marked available for accepting incoming requests.
Interaction with Azure Components
Avi Controller communicates with the Azure components via standard Azure APIs to achieve the following :
Subscription and Resource Group
The Avi Controller, when deployed on Azure, is within a subscription and resource group. In addition, the Azure cloud(s) configured in the Avi Controller are associated with a subscription, and a particular resource group within the subscription. This resource group will be used to create Service Engines and the load balancing infrastructure.
- Authentication and IAM
The Avi Controller needs permissions to deploy and manage the Service Engines, and optionally interact with Azure DNS and scale sets. The following are the two methods used by Avi Vantage for authentication:
- Credentials of an Azure user account.
- Service principal via an application ID.
In either of the two cases, there is a specific set of permissions required to be able to interact with Azure and deploy resources. For more information on role requirements, refer to Role Setup for Installation in Microsoft Azure.
Avi Vantage deploys the Controller and Service Engine VMs in a specified resource group. Typically, a resource group and VNet would have been provisioned for your infrastructure, including the application servers. Avi Vantage will be deployed within this VNet and will utilize resources connected to this VNet, as described in the sections below.
The Avi Service Engine (SE) is the load balancing entity on which the virtual service and VIP are programmed. The SEs are automatically spawned by the Avi Controller when an application is configured. The entire lifecycle of the SE is automated.
The SE can be of varied instance type. Depending on your traffic and load requirements, the appropriate instance type can be configured.
In addition, multiple SEs can be spawned (scaled out) to handle more incoming traffic.
Azure Load Balancer
Avi Vantage utilizes basic Azure load balancer internally to route incoming traffic to appropriate Service Engines.
There are two Azure Load Balancers created for each SE Group — one internal and one external. The external Load Balancer is used to route traffic coming from the internet to the Service Engines.
The Azure Load Balancers have the Service Engines as backend pool members, and act as an equal-cost multi-path load balancer.
When a virtual service is created, the virtual service IP is configured on the Azure Load Balancer and a rule is added to distribute traffic coming on the IP to the appropriate backend Service Engine pool.
When a Service Engine is created, it is added to the Azure Load Balancer’s pool as a member and appropriate rules are added to enable traffic to the Service Engine.
All the above operations are automated and handled by the Avi Controller. The user or operator is not required to configure or tweak any of these configurations.
Networking: VNets, NICs, and IP Addresses
The Avi Controller interacts with the following Azure networking constructs :
- VNets: An Azure cloud configured on the Avi Controller is associated with a particular VNet. The load balancing service should be provided in this VNet. In addition, the Service Engines communicate with the Avi Controller using a specified management VNet (and subnet). This management VNet could be different from the one containing the workload.
- IP address for the Service Engine’s interface.
- IP address for the virtual services. A public IP can be provisioned for the virtual service in addition to the mandatory private IP.
- NICs: Avi Vantage automatically creates NICs and assigns IP addresses from the appropriate subnet, and attaches these to the requisite Service Engine.
DNS – IPAM, Azure DNS, and 3rd Party Integrations
Avi Vantage provides native support for DNS (to resolve virtual service IPs) as well as IPAM (for virtual service IP address management). Both these services are optional, but will likely be used in production deployments.
In addition to providing native support, Avi Vantage can also interact with various third party services depending on the configured cloud ecosystem.
In case of Azure, IPAM for native Azure workloads is provided by default, without any configuration. As Avi Controller and Service Engines are powered up, they interact with the Azure networking infrastructure to receive appropriate IP addresses.
For DNS, the options available for Azure are Avi DNS, Azure DNS, or Route 53.
When Azure DNS or Route 53 is used, Avi Vantage will request for an optional FQDN for each created virtual service. On being provided with a valid FQDN, Avi Vantage will program this record on Azure DNS or AWS Route 53 DNS as the case may be.
When the virtual service is deleted, all resources including the DNS record are removed.
For more details on configuring DNS, refer to DNS Configuration for Azure in Avi Vantage .
Azure Scale Sets An Avi pool configuration can reference an Azure scale set. When this is configured, Avi Vantage polls the scale set for membership changes and synchronizes the Avi pool configuration accordingly.
For example, when a new application instance is added to the scale set, Avi Vantage will automatically add it to the Avi pool configuration without any user intervention. This new instance will then start servicing client requests. Conversely, when an instance is removed from the scale set, the same event is synchronised with Avi’s pool configuration.