Architectural Overview of Avi Vantage Platform
Avi Vantage Platform
Avi Vantage is built on software-defined principles, enabling a next generation architecture to deliver the flexibility and simplicity expected by IT and lines of business. The Avi Vantage architecture separates the data and control planes to deliver application services beyond load balancing, such as application analytics, predictive autoscaling, micro-segmentation, and self-service for application owners in both on-premises or cloud environments. The platform provides a centrally managed, dynamic pool of load balancing resources on commodity x86 servers, VMs or containers, to deliver granular services close to individual applications. This allows network services to scale near infinitely without the added complexity of managing hundreds of disparate appliances.
Avi Vantage provides out-of-the-box integrations for on-premises or cloud deployments. These integrations with private cloud frameworks, software-defined network (SDN) controllers, container orchestration platforms, virtualized environments and public clouds enable turnkey application services and automation.
Avi Controller Cluster
The Avi Controller is the single point of management and control that serves as the “brain” and for high availability is typically deployed as a three-node cluster. As its name implies, the Controller implements the control plane. A single Avi Vantage deployment is managed from this Controller/cluster (identified by FQDN and/or cluster IP address), regardless of the number of applications being load balanced or the number of Avi Service Engines (SEs) required. The Controller’s REST API provides visibility into all applications (virtual services) configured. For a higher degree of automation, in write access mode deployments, Controllers work with the underlying orchestrator to launch new SEs as required. With the SEs automatically or manually created (as they would be in read or no access mode deployments), it is the Controller’s duty to place virtual services on SEs to load balance new applications or increase the capacity of running applications.
Controllers continually exchange information securely with the SEs and with one another. This secure channel is over an encrypted SSH tunnel using mutual authentication based on SSH keys and connectivity between services is through SSH port-forwarding. Users used for communication are only allowed key-based authentication. This ensures security and protects against man-in-the-middle attacks. The health of servers, client connection statistics, and client-request logs collected by the SEs are regularly offloaded to the Controllers, which share the work of processing the logs and aggregating analytics. The Controllers also send commands down to the SEs, such as configuration changes. Controllers and SEs communicate over their management IP addresses.
Avi Service Engines
Avi Service Engines (SEs) handle all data plane operations within Avi Vantage by receiving and executing instructions from the Controller. The SEs perform load balancing and all client and server facing network interactions. It collects real-time application telemetry from application traffic flows and high availability is supported.
In a typical load balancing scenario, a client will communicate with a virtual service, which is an IP address and port hosted in Avi Vantage by an SE. The virtual service internally passes the connection through a number of profiles. For HTTP traffic, the SE may terminate and proxy the client TCP connection, terminate SSL/TLS, and proxy the HTTP request. Once the request has been validated, it will be forwarded internally to a pool, which will choose an available back-end server. A new TCP connection then originates from the SE, using an IP address of the SE on the internal network as the request’s source IP address. Return traffic takes the same path back. The client communicates exclusively with the virtual service IP address, not the back-end server IP.
Avi Admin Console
The Avi Admin Console is a modern web-based user interface that provides role-based access to control, manage and monitor applications. Its capabilities are also available via the Avi CLI. All services provided by the platform are available as REST API calls to enable IT automation, developer self-service, and a variety of third party integrations. The Avi Admin Console is hosted by default on the Controller and can be accessed via the Avi Controller cluster FQDN/IP address. The Avi Controller cluster uses big data analytics to analyze the data and present actionable insights to administrators on intuitive dashboards on the Avi Admin Console.
Services housed within Avi Controllers to provide life-cycle-management of data-plane entities, as known as, Avi Service Engines across various ecosystems such as vCenter/AWS/Azure/Baremetal etc.
Note: Avi Vantage integration with VCF 3.9.1 will be achieved through a no-access cloud, where Avi Controller will not life-cycle-manage Avi Service Engines.
Load Balancing Architecture for VMware Environment
Unlike legacy Application Delivery Controllers (ADCs), which carry forward the disadvantages of their hardware appliances into their virtual software load balancers, Avi Vantage separates the data and control planes to deliver application services in on-premises or cloud environments. This provides a centrally managed dynamic pool of load balancing resources for individual applications.
The Avi Controllers in VCF 3.9.1 will be configured in No-Access mode. In the No-Access mode, the Avi Vantage platform has no access to the orchestrator. In this case it will be the vCenter server and the NSX-T manager. When in this mode, adding, removing, or modifying properties of a Service Engine requires an administrator to manually perform the changes. For instance, an administrator would need to install a new Service Engine through the vCenter Server, by uploading the OVA and setting the resource and networking properties. If a new virtual service is created, admin access to vCenter server may again be required to change the network settings to support the new virtual server. Servers and networks cannot be auto discovered and must be manually configured. DFW rules will have to be manually provisioned on NSX-T. In this mode, the Avi Vantage platform cloud setting is configured in a no orchestrator mode.
Load Balancing Features
The Avi Vantage Platform is a full-featured elastic application services’ fabric. The following are the core feature sets provided by the Avi Vantage platform:
Enterprise-class load balancing — HTTPS/HTTP2 load-balancing with modern TLS 1.2/1.3 support, SSL offload/re-encrypt/bridging/mTLS, LB as a default gateway, GSLB, DNS, and other L4-L7 services.
Multi-cloud load balancing — Intelligent traffic routing across multiple sites and across private or public clouds.
Application performance monitoring — Monitor performance and record and replay network events like a Network DVR.
Predictive autoscaling — Application and load balancer scaling based on real-time traffic patterns.
Self-service — For application developers with REST APIs to build services into applications.
Cloud connectors — VMware, SDN controllers, OpenStack, AWS, GCP, Azure, Linux Server Cloud, OpenShift/Kubernetes.
Distributed application security fabric — Granular app insights from distributed service proxies to secure web apps in real time.
Application security — Positive security model and learning mode for web application firewall (WAF).
SSO / Client Authentication — SAML 2.0 authentication for back-end HTTP applications.
Automation and programmability — REST API based solution for accelerated application delivery; extending automation from networking to developers.
Application analytics — Real-time telemetry from a distributed load balancing fabric that delivers millions of data points in real time.
Centralized management and upgrade — Policy-based management and ability to selectively upgrade data plane with flexible upgrade.
Automation — Ansible, Terraform, Swagger, Python SDK, Go SDK.
Monitoring — LogInsight, vRNI, Splunk, Cisco Tetration, Cisco AppDynamics, Graphite, Datadog, Logstash, Elasticsearch, InfluxDB, Syslog, Prometheus, Zabbix.
IPAM/ DNS — Avi DNS, Azure DNS, Azure DNS Private Zones, AWS Route 53, Infoblox.