Avi Networks — Technical Reference (18.2)

Copyright © 2020 Avi Networks, Inc.

Installing Avi Vantage for OpenStack

Overview

OpenStack

OpenStack is a set of software tools for building and managing cloud computing platforms for public and private clouds. OpenStack allows you to deploy virtual machines and other instances that handle different tasks for managing a cloud environment instantly. It makes horizontal scaling easy, which means that tasks that benefit from running concurrently can easily serve more or fewer users on the fly by just spinning up more instances. OpenStack provides Infrastructure as a Service (IaaS).

Avi Vantage

The Avi Vantage platform provides enterprise-grade distributed ADC solutions for on-premises as well as public-cloud infrastructure. Avi Vantage also provides built-in analytics to diagnose and improve the end-user application experience, while making operation easier for network administrators.

Avi Vantage is a complete software solution which runs on commodity x86 servers or as a virtual machine and is entirely enabled by its REST API.

OpenStack Integration

Avi Vantage integrates with OpenStack infrastructure components to provide centralized automation, monitoring, and management of application discovery and delivery.

Avi Vantage integrates with the following OpenStack services:

• Keystone: The Avi Controller uses the Keystone API to authenticate any OpenStack user accessing the Avi API. When an OpenStack user logs in, the Avi Controller can also automatically import tenant/project and role information from Keystone to provide appropriate privileges on the Avi Controller.
• Glance: The Avi Controller uses Glance for storing the Service Engine (SE) image.
• Nova: The Avi Controller uses the Nova API to automatically create and destroy application delivery Service Engines (Avi SEs) as needed to support high availability and guarantee performance.
• Neutron: The Avi Controller uses the Neutron API to plug Service Engines into the right Neutron networks for receiving and sending the application traffic.
• Neutron LBaaS v2: You can use the Avi Controller API, UI or CLI to directly configure load balancer instances. Optionally, OpenStack administrators can install the Avi LBaaS driver on the Neutron API servers and enable Avi Vantage as a provider for the Neutron LBaaS API.
• Horizon: OpenStack administrators can optionally install the Avi Horizon dashboard extensions to expose the full Avi UI directly embedded in the Horizon dashboard. You can then configure load balancer instances and also access the full analytics of their applications.
• Heat: OpenStack administrators can optionally install the Avi Heat package on the Heat Engine servers to expose all Avi Controller API resource types for users to use in their Heat templates. In contrast to LBaaS (v1 or v2) resource types, Avi Heat resource types expose significantly advanced features.

Avi Vantage's integration with OpenStack is shown as follows:

Deployment Modes

Avi Vantage can be deployed into an OpenStack cloud in one of the following modes. These modes differ depending on whether the Avi Controller and Service Engines (SEs) are placed in the same OpenStack tenant, and whether Neutron LBaaS API or Avi Vantage API is used to create load balancers.

• Single-tenant mode: The Avi Controller and the SEs are deployed together in the same single tenant. The Avi Controller has administrator privileges within the tenant. Tenant users with administrator privileges within the tenant can install and manage Avi Vantage. Use this deployment mode if you do not have administrator privileges for the cloud.
• Avi-managed LBaaS mode: The Avi Controller and SEs are installed in separate tenants. The Controller has administrator privileges for the cloud and can manage SEs that are in different tenants. A tenant administrator can log onto the Avi Controller to manage the infrastructure resources within the administrator's own tenant but cannot access the resources within other tenants. The tenant administrator can configure and manage load balancing services through the Avi Controller web interface or through the Avi REST API.
• OpenStack-managed LBaaS mode: This mode is similar to the Avi-managed LBaaS mode, except that the tenant administrator configures and manages load-balancing services through OpenStack's Neutron service and Horizon dashboard. Neither the Controller web interface nor Avi API are used. This mode also requires installation of an LBaaS driver and SSL extension from Avi Networks.

Note: The Avi-managed LBaaS option is recommended for its ease of use and advanced feature accessibility.

The following table compares each deployment mode:

|  | Single-tenant Mode | Avi-managed LBaaS Mode | OpenStack-managed LBaaS Mode |
|---|---|---|---|
| Require administrator privileges for cloud? | No | Yes | Yes |
| Managed by tenant user | No | Yes | Yes |
| Automated tenant creation | N/A | Yes | Yes |
| Advanced load-balancing features available | Yes | Yes | Limited |
| Analytics service | Yes | Yes | Yes |
| Requires Avi LBaaS driver installation | No | No | Yes |
| Requires Avi extension for Horizon dashboard | No | No | Yes (required for SSL offload and analytics) |

Deployment Prerequisites

The physical and software requirements differ depending on the deployment mode.

Software Requirements

The following table lists the software requirements:

| Software | Version |
|---|---|
| Avi Controller | 18.2 |
| OpenStack (and Neutron service) | One of the following: Newton, Ocata, Pike, Queens. Also supports Rocky since 18.2.3 and Stein since 18.2.6. |
| Neutron extension for allowed-address-pair and/or port-security |  |
| Avi LBaaS driver | 17.2 |
| Avi SSL extension for OpenStack Horizon | 17.2 |

The Avi Vantage image of the Controller and SEs is available in qcow2 (QEMU Copy On Write) or raw format. The SE software is embedded in the Controller image and does not require separate installation. In the case of an OpenStack generic cloud (with Avi Cloud Connector), the Avi Controller pushes the qcow2 image for the SE to OpenStack Glance. In the case of a no-access cloud, you need to download the qcow2 image for the SE and then manually upload it to OpenStack Glance.

Note: Installation of Avi Vantage into DevStack is supported only if the DevStack/Nova-launched VMs can run in Kernel-based Virtual Machine (KVM) mode, as opposed to Quick Emulator (QEMU) mode. Refer to the DevStack KVM Guide for information.

Protocol Ports used by Avi Vantage for Management Communication

In an OpenStack deployment, the Avi Controller and Avi Service Engines use the following ports for management. The firewall should allow traffic to these ports.

| Traffic Source | Traffic Destination | Ports To Allow |
|---|---|---|
| Avi Controller | Avi Controller | TCP 22 (SSH), TCP 443, TCP 8443, TCP 5054 |
| Avi Controller | Avi Service Engine | TCP 22 |
| Avi Controller | Management Net | See section below the table. |
| Avi Service Engine | Avi Controller | TCP 22, TCP 8443, UDP 123 |
| Management Net | Avi Controller | TCP 22, TCP 80 (optional), TCP 443, TCP 5054 (if using the optional CLI shell for remote management access) |

Ports used by the Controller for Network Services

The Controller may send traffic to the following ports as part of the network operation:

• TCP 25 (SMTP)
• UDP 53 (DNS)
• UDP 123 (NTP)
• UDP 162 (SNMP traps)
• UDP 514 (syslog)

The firewall should also allow traffic from the Controller to these ports.

Importing User Accounts from Keystone

Using the Avi REST API, you can export user roles from Keystone into the Avi Controller and directly map to role names in the Controller. You need not recreate the accounts on the Controller. Here is an example:

    "openstack_configuration":
    {
        ....
        "role_mapping": [
            {"os_role": "admin",
             "avi_role": "Tenant-Admin"},
            {"os_role": "_member_",
             "avi_role": "Tenant-Admin"},
            {"os_role": "*",
             "avi_role": "Application-Operator"}
        ],
        ....
    }

The role_mapping parameter is an ordered list, where each item specifies how a Keystone role (os_role) maps to a role in the Controller (avi_role). You can define a default mapping for any Keystone role by specifying the "*" wildcard for the os_role field. In the above example, roles administrator and member from Keystone are mapped to the Tenant-Admin role in the Controller. Further, any other role from Keystone is mapped to the Application-Operator role on the Controller.

In the following example, only users with the lbaas_project_admin role are allowed to access the Controller:

    "openstack_configuration":
    {
        ....
        "role_mapping": [
            {"os_role": "lbaas_project_admin",
             "avi_role": "Tenant-Admin"}
        ],
        ....
    }
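The following is an added example, not Avi code: it resolves and lints a role_mapping list, using the two mappings above and the wildcard mapping from this page's Contrail CLI session as input. First-match evaluation in list order, the read-only role set and the set of broadly held Keystone roles are assumptions, and the function names are hypothetical.

```python
"""Resolve and lint an Avi openstack_configuration role_mapping (added example)."""
import json

# Assumption: Controller roles regarded as read-only; extend for your own role set.
READ_ONLY_AVI_ROLES = {"Application-Operator"}
# Assumption: Keystone roles held by most project users ("*" matches every role).
BROAD_OS_ROLES = {"*", "_member_", "member"}

# Constructed inputs: the three mappings shown on this page, wrapped in a minimal
# JSON object (the page elides the other openstack_configuration fields).
DEFAULT_OPERATOR = """{"openstack_configuration": {"role_mapping": [
  {"os_role": "admin", "avi_role": "Tenant-Admin"},
  {"os_role": "_member_", "avi_role": "Tenant-Admin"},
  {"os_role": "*", "avi_role": "Application-Operator"}]}}"""
SINGLE_ROLE = """{"openstack_configuration": {"role_mapping": [
  {"os_role": "lbaas_project_admin", "avi_role": "Tenant-Admin"}]}}"""
WILDCARD_ADMIN = """{"openstack_configuration": {"role_mapping": [
  {"os_role": "*", "avi_role": "Tenant-Admin"}]}}"""


def load_role_mapping(cloud_json):
    """Extract the role_mapping list from a cloud object serialized as JSON."""
    cloud = json.loads(cloud_json)
    return cloud["openstack_configuration"].get("role_mapping", [])


def resolve(role_mapping, keystone_roles):
    """Return the Controller role for a user, or None when access is denied.

    Assumption: entries are tried in list order and the first entry whose
    os_role is "*" or one of the user's Keystone roles decides the result.
    """
    for entry in role_mapping:
        if entry["os_role"] == "*" or entry["os_role"] in keystone_roles:
            return entry["avi_role"]
    return None


def audit(role_mapping):
    """Return (index, code, detail) findings for dead or over-broad entries."""
    findings = []
    first_seen = {}
    wildcard_at = None
    for i, entry in enumerate(role_mapping):
        os_role, avi_role = entry["os_role"], entry["avi_role"]
        if wildcard_at is not None:
            # Under first-match evaluation nothing after the wildcard is reached.
            findings.append((i, "shadowed", f"unreachable after '*' at index {wildcard_at}"))
            continue
        if os_role in first_seen:
            findings.append((i, "duplicate", f"{os_role} already mapped at index {first_seen[os_role]}"))
            continue
        first_seen[os_role] = i
        if os_role == "*":
            wildcard_at = i
        if os_role in BROAD_OS_ROLES and avi_role not in READ_ONLY_AVI_ROLES:
            # A role nearly every user holds is granted write access.
            findings.append((i, "broad-grant", f"{os_role} -> {avi_role}"))
    return findings


if __name__ == "__main__":
    samples = {"default-operator": DEFAULT_OPERATOR,
               "single-role": SINGLE_ROLE,
               "wildcard-admin": WILDCARD_ADMIN}
    for name, doc in samples.items():
        mapping = load_role_mapping(doc)
        print(name, audit(mapping) or "no findings")
        print("  user holding only 'reader' gets:", resolve(mapping, {"reader"}))
```

Mappings without a wildcard deny every unlisted role, which matches the lbaas_project_admin example above.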

Metadata instead of config_drive for Avi SEs

In some OpenStack environments, config_drive support is either absent or not installed properly. Also, under certain conditions, you may not allow Avi SEs to use config_drive, as the VM can prevent SE migration while configuring.

The Avi Vantage OpenStack configuration option uses metadata instead of config_drive for SE VMs. You can enable Avi Vantage to use metadata by disabling config_drive.

CLI to Disable Config_drive

    : > configure cloud Default-Cloud
    : cloud> openstack_configuration
    : cloud:openstack_configuration> no config_drive
    : cloud:openstack_configuration> save
    : cloud> save

Deploying Single-Tenant Mode

This section provides the steps for deploying Avi Vantage into an OpenStack cloud in single-tenant mode.

In single-tenant mode, the Avi Controller and SEs are installed in the same tenant, and have member privileges for that tenant. The member privilege grants the Avi Controller full access to the tenant so that it can automatically spin-up and spin-down an SE. Each tenant is responsible for installing and operating Avi Vantage.

Deployment Process

The following is the procedure to deploy single-tenant mode:

1. Upload the Controller Image. Add the Avi Controller qcow2 or raw image into the tenant from Glance.
2. Create a management network for the Avi Controller and SEs.
3. Create a security group.
4. Deploy an Avi Controller instance and assign a floating IP address to it.
5. Perform Initial Controller Setup. Use the setup wizard to perform initial configuration of the Controller.

Uploading the Controller Image

The following are the steps to upload the Controller image:

1. Copy the Avi Vantage Controller image onto your hard drive.
2. Log into the OpenStack tenant account on the Horizon dashboard.
3. Navigate to Project > Images.
4. Click on Create Image and fill out the form.

Creating Management Network

A management network is required for communication between the Avi Controller and the SEs. An existing network can be used but a dedicated management network is recommended.

The following are the steps to create the management network:

1. On the Horizon dashboard, navigate to Network > Networks.
2. Click on Create Network and follow the wizard's instructions. For instance,
   • Network name: avi-mgmt
   • DHCP: Enabled
3. Connect the network to your Neutron router.
   a. Navigate to Network > Routers.
   b. In the Name column in the router list, click on Router to add an interface to the network.
   c. Click on the Interfaces tab, then click on Add Interface.

Creating Security Group

A security group is required to allow the Controller and SEs to exchange management traffic. The group specifies the protocol ports for which traffic will be allowed.

• For ingress traffic, the group must allow these ports.
• For egress traffic, the group can allow all ports.

Note: The Controller automatically creates a security group for the SEs.

The following are the steps to create a security group (in this example, Avi-mgmt-sg) to allow management traffic:

1. On the Horizon dashboard, navigate to Project > Access & Security, and click on Create Security Groups.
2. Add rules as shown in the following example, where 192.168.10.0/24 is the management network.

Deploying Controller and Assigning it a Floating IP

The following are the steps to deploy an Avi Controller instance:

• Flavor: Deploy the same flavor that was chosen in the previous steps.
• Network: Use avi-mgmt to attach the Controller to the management network.
• Security group: Use avi-mgmt-sg to allow management traffic.
• Enable config-drive.

The following are the steps to assign a floating IP address to the Controller:

1. On the Horizon dashboard, navigate to Project > Compute > Access & Security.
2. Assign the floating IP address:
   • If floating IP address is not available, click on Allocate IP to Project.
   • If a floating IP address is available, you can associate it with the Avi Controller instance.

Performing Initial Controller Setup

This section shows the steps to perform initial configuration of the Avi Controller using its deployment wizard. You can change or customize settings following initial deployment using the Avi Controller's web interface.

Note: While the system is booting up, a blank web page or 503 status code may appear. In this case, wait for 5 to 10 minutes; then follow the instructions for the setup wizard.

1. Configure basic system settings, such as:
   • Administrator account
   • DNS and NTP server information
   • Email and SMTP information

2. Set the Infrastructure Type to OpenStack as shown in the image below.

3. Specify the OpenStack settings.
   • Provide the tenant user credentials (username, password). If you are using Keystone V3 and want to provide a user in the non-default domain, then use the user@domain-name notation in the Username field as shown below.

     If you create a username test as a Keystone v3 user in a domain named default, then explicitly specify test@testdomain while logging into the Avi Controller. If the domain name is not specified, Keystone looks for a domain with UUID testdomain and not the name testdomain. Since no domain with a UUID of testdomain exists, Keystone fails, thereby returning the error as invalid user/password.
   • Use the full value in the Keystone Auth URL field. Avi Vantage determines the Keystone API version automatically. When the auth URL is a secure URL (HTTPS), the system will display an option to either allow or disallow self-signed certificates. You should disable that checkbox in a production environment, since OpenStack services should use proper, trusted certificates.
   • Enable the Keystone Auth option.

4. In the Management Network window, select a tenant. In this deployment, it should be the same tenant into which the Avi Controller is deployed. Choose the management network created previously.

5. In the Keystone Role Mapping window, select an Avi Vantage user role as the default user role.

   If an Avi Vantage user logs in with valid Keystone credentials, but with a role that does not have the same name as any of the user roles defined on the Controller, the default role is assigned to the user. To disallow access for any user who does not have a role that is defined on the Controller, skip this option.

6. In the Virtual Service Placement Settings window, select Import Tenants to import tenants from Keystone and click on Next. Then, in the Support Multiple Tenants window, click on No.

7. You can configure tenant settings by navigating to Administration > Settings > Tenant Settings. The following window is displayed:

   Click on Edit. The Tenant Settings Config window is displayed:

   a. IP Route Domain: This option allows you to select the tenant's IP route domain.
      i. Per tenant IP route domain: If you select this option, each tenant gets its own routing domain that is not shared with any other tenant.
      ii. Share IP route domain across tenants: If you select this option, all tenants share the same routing domain.
   b. Service Engines Context: This option controls the ownership of Service Engines. Service Engines can either be exclusively owned by each tenant or owned by the administrator and shared by all tenants. When Service Engines are owned by the administrator, each tenant can have either read access or no access to their Service Engines. You can select one of the following options:
      i. Service Engines are managed within the tenant context, not shared across tenants.
      ii. Service Engines are managed within the provider context, shared across tenants: If you select this option, you need to select access rights of the tenant to Service Engine by selecting either Tenant has Read Access to Service Engines or Tenant has No Access to Service Engines options.

Integrating Neutron SDN Plugin

Avi Vantage integrates with the following Neutron SDN plugins to provide VIP placement and floating IP (FIP) association to VIP.

Nuage SDN

During cloud configuration, select the Integration with Nuage VSD checkbox and provide the VSD host, port and authentication details.

If you are creating a new cloud, the wizard looks as follows:

Note: The Neutron SDN plugin is supported only till Avi Vantage version 18.2.6.

Contrail SDN

Using the Avi UI

During cloud configuration, select the Integration with Contrail checkbox and provide the endpoint URL of Contrail VNC API-server. The Keystone credentials from the OpenStack configuration will be used to authenticate with the API-server service.

Note: Contrail-Interface-IP is handled gracefully by Avi Vantage. So, creating and editing the cloud should be left intact while integrating Contrail SDN under Network Settings.

If you are creating a new cloud, the wizard looks as follows:


If you are editing an existing cloud, the cloud editor looks as follows:


Using the Avi CLI

    configure cloud oscontrail
    cloud> vtype cloud_openstack
    cloud> openstack_configuration
    cloud:openstack_configuration>
    cloud:openstack_configuration> privilege write_access
    cloud:openstack_configuration> username admin
    cloud:openstack_configuration> password xxxyyyzzz
    cloud:openstack_configuration> admin_tenant admin
    cloud:openstack_configuration> mgmt_network_name avi-mgmt
    cloud:openstack_configuration> region RegionOne
    cloud:openstack_configuration> use_keystone_auth
    cloud:openstack_configuration> import_keystone_tenants
    cloud:openstack_configuration> no use_admin_url
    cloud:openstack_configuration> auth_url http://172.16.11.50:5000/v2.0
    cloud:openstack_configuration> no neutron_rbac
    cloud:openstack_configuration> contrail_endpoint http://10.10.10.100:8082
    cloud:openstack_configuration> role_mapping os_role * avi_role Tenant-Admin
    New object being created
    cloud:openstack_configuration:role_mapping> save
    cloud:openstack_configuration> save
    cloud> save

Deploying Avi-managed LBaaS Mode

This section provides the steps for deploying Avi Vantage in an OpenStack cloud in Avi-managed LBaaS mode.

Avi-managed LBaaS mode provides tenant users with the advantages of Avi Vantage, without the need to deploy or maintain Avi Vantage. Instead, the cloud administrator deploys and manages Avi Vantage. The Avi Controller and SEs in the administrative tenant are shared by other tenants. Users of those tenants are able to secure and optimize their applications using the Avi Vantage resources that reside in the administrative tenant.

Note: Although you can use an existing tenant instead of creating a new one, it is recommended to create a new tenant for easy maintenance.

Performing OpenStack-managed LBaaS Mode Deployment

To begin, perform all the steps mentioned in Deploying Avi-managed LBaaS Mode. These steps are required for OpenStack-managed LBaaS mode.

Installing Avi LBaaS Driver

Installing/Upgrading LBaaS Driver using Script

Avi Networks provides a script for installing or upgrading the LBaaS plugin driver v2. The script makes the necessary OpenStack configuration changes automatically. Download the Avi LBaaS driver installation package (avi_openstack_package.tar.gz) from the Avi Networks portal website (https://portal.avinetworks.com).

Notes:

You can also install the LBaaS driver alone, without the virtual environment files, while installing with the script. (For more information and instructions, refer to LBaaSv2 Driver.)

An account with root privileges for the Neutron API server is required. This account is different from the account used by the Controller to access the OpenStack infrastructure.

The following are the steps to install the Avi LBaaS driver:

1. Copy the package onto the OpenStack Neutron API host.
2. Log into the Neutron API server.
3. On the OpenStack Neutron API server, back up neutron.conf.
4. Unzip and untar the driver package: tar -xzf avi_openstack_package.tar.gz
5. Run the Avi LBaaS installation script. To install LBaaSv2 driver, specify the --v2 option to the following install command.

Note: If you are installing only the driver without the virtual environment files, refer to LBaaSv2 Driver.

    [root@sivacos openstack_lbplugin(keystone_admin)]# ./install.sh --aname my_lbaas --aip 10.10.22.44 --auser admin --apass avinetworks
    12/06/2016 13:58:37 INFO: logging initialized
    12/06/2016 13:58:37 WARNING: Using auth_url IP 10.130.128.110 as keystone IP
    12/06/2016 13:58:37 INFO: OS distribution: Fedora
    12/06/2016 13:58:38 INFO: Neutron process check...OK
    12/06/2016 13:58:38 INFO: neutron path '/usr/lib/python2.7/site-packages/neutron'...OK
    12/06/2016 13:58:38 INFO: neutron_lbaas path '/usr/lib/python2.7/site-packages/neutron_lbaas'...OK
    12/06/2016 13:58:43 INFO: Local: Avi Controller '10.10.22.44' check using provided credentials...OK
    12/06/2016 13:58:44 INFO: Local: Avi Controller cloud 'Default-Cloud' check...OK
    --> Install SeLinux module 'avi_lbaas'? (y/n)y
    12/06/2016 13:58:49 INFO: SeLinux module Install in progress...
    12/06/2016 13:59:05 INFO: SeLinux module 'avi_lbaas' install...OK
    12/06/2016 13:59:05 INFO: Horizon Load-Balancer tab already enabled
    12/06/2016 13:59:37 INFO: Horizon HTTP server restart...OK
    --> Configure Neutron Server with Avi LBaaS provider 'my_lbaas' with driver 'avi'? (y/n)y
    12/06/2016 13:59:46 INFO: Neutron Avi LBaaS configure provider 'my_lbaas'...OK
    12/06/2016 13:59:46 INFO: Neutron Avi LBaaS driver 'avi' setup...OK
    12/06/2016 13:59:58 INFO: neutron-server restart...OK
    12/06/2016 13:59:58 INFO: Neutron Avi LBaaS configuration setup...OK
    12/06/2016 13:59:58 INFO: Refer '/tmp/openstack_lbplugin/avi_os_setup.log' for install log

To upgrade the existing driver, if any, specify the --update option to the above install command.

    [root@sivacos openstack_lbplugin(keystone_admin)]# ./install.sh --aname my_lbaas --aip 10.10.22.44 --auser admin --apass avinetworks --update
    12/06/2016 14:04:08 INFO: logging initialized
    12/06/2016 14:04:08 WARNING: Using auth_url IP 10.130.128.110 as keystone IP
    12/06/2016 14:04:08 INFO: OS distribution: Fedora
    12/06/2016 14:04:08 INFO: Neutron process check...OK
    12/06/2016 14:04:09 INFO: neutron path '/usr/lib/python2.7/site-packages/neutron'...OK
    12/06/2016 14:04:09 INFO: neutron_lbaas path '/usr/lib/python2.7/site-packages/neutron_lbaas'...OK
    12/06/2016 14:04:19 INFO: Local: Avi Controller '10.10.22.44' check using provided credentials...OK
    12/06/2016 14:04:20 INFO: Local: Avi Controller cloud 'Default-Cloud' check...OK
    12/06/2016 14:04:23 INFO: SeLinux module 'avi_lbaas' already installed
    12/06/2016 14:04:23 INFO: Horizon Load-Balancer tab already enabled
    12/06/2016 14:04:54 INFO: Horizon HTTP server restart...OK
    --> Configure Neutron Server with Avi LBaaS provider 'my_lbaas' with driver 'avi'? (y/n)y
    12/06/2016 14:05:03 INFO: Neutron Avi LBaaS configure provider 'my_lbaas'...OK
    12/06/2016 14:05:04 INFO: Neutron Avi LBaaS driver 'avi' setup...OK
    12/06/2016 14:05:16 INFO: neutron-server restart...OK
    12/06/2016 14:05:16 INFO: Neutron Avi LBaaS configuration setup...OK
    12/06/2016 14:05:16 INFO: Refer '/tmp/openstack_lbplugin/avi_os_setup.log' for install log

Deployment Process

The following is the procedure to deploy Avi-managed LBaaS mode:

1. Create a tenant for the Controller and SE.
2. Create multiple flavors of the Avi Vantage image, with different resource allocations to fit different sizes of user tenant, if required.
3. Upload the Controller Image into the tenant from Glance.
4. Create a management network for the Avi Controller and SEs.
5. Create a security group to allow Avi management traffic.
6. Deploy an Avi Controller instance and assign a floating IP address to it.
7. Perform Initial Controller Setup. Use the setup wizard to perform initial configuration of the Controller.
8. Controller Cluster IP.

Creating a Tenant for the Controller and SEs

The following are the steps to create a tenant for the Controller and SEs:

1. Log into the OpenStack Horizon dashboard with an account that has cloud administrator privileges.
2. Navigate to Identity > Projects.
3. Click on New Project and follow the wizard's instructions.
4. To deploy Avi Vantage, use the following settings:
   a. Specify a project name (for instance, "avi-tenant").
   b. Click on the Project Members tab.
   c. Add a user account to Project Members and assign the admin role to the account.
   d. Click on the Quota tab and modify the maximum resources. These settings allow for three Avi Controllers (for redundancy), up to 1000 SEs and some other managerial instances, if required, as shown below.

Creating Multiple Flavors of Controller Image

The following are the steps to create multiple flavors of Avi Vantage:

1. In the Horizon dashboard, navigate to Admin > System > Flavors and click on Create Flavor.
2. Create an appropriate flavor for Service Engine. Refer to Service Engine Sizing guide to check minimum and recommended resources required for Service Engine.
3. Create an appropriate flavor for Controller. Refer to Controller Sizing guide to check minimum and recommended resources required for Controller.

You can manually configure the flavor using CLI if you want to use flavors other than the recommended flavor.

Note: The OpenStack flavor name should be specified and not the flavor ID or UUID.

Uploading Controller Image

The following are the steps to upload Controller image:

1. Copy the Avi Vantage Controller qcow2 image onto your hard drive.
2. In the Horizon dashboard, navigate to Project > Images.
3. Click on Create Image and fill out the form. Use at least these resource allocations.

Creating Management Network

A management network is required for communication between the Avi Controller and the SEs. An existing network can be used but a dedicated management network is recommended.

The following are the steps to create management network:

1. On the Horizon dashboard, navigate to Network > Networks.
2. Click on Create Network and follow the wizard's instructions. For instance, specify the values as follows:
   * Network name: avi-mgmt
   * DHCP: Enabled
3. Connect the network to your Neutron router.
   a. Navigate to Network > Routers.
   b. In the Name column in the router list, click on the router to add an interface to the network.
   c. Click on the Interfaces tab; then click on Add Interface.

Creating Security Group

A security group is required to allow the Avi Controller and SEs to exchange management traffic. The group specifies the protocol ports for which traffic will be allowed. For ingress traffic, the group must allow these ports.

For egress traffic, the group can allow all ports.

Note: The Avi Controller automatically creates a security group for the SEs.

The following are the steps to create a security group (in this example, Avi-mgmt-sg) and to allow management traffic:

1. Navigate to Project > Access & Security and click on Create Security Groups.

2. Add rules as shown in the following example, where 192.168.10.0/24 is the management network.
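
A check for the security group built in the steps above, as an added example that is not part of the Avi documentation: it flags ingress rules whose source is not confined to the management network 192.168.10.0/24. The rules are constructed sample data using Neutron's security-group-rule field names, and the ports in them are illustrative, not Avi's required port list.

```python
import ipaddress

# Management network from the guide's example.
MGMT_NET = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample rules in the shape of Neutron security-group-rule objects.
# The ports are illustrative only; they are not the Avi-required port list.
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "protocol": "tcp", "port_range_min": 443,
     "port_range_max": 443, "remote_ip_prefix": "192.168.10.0/24", "remote_group_id": None},
    {"id": "r2", "direction": "ingress", "protocol": "tcp", "port_range_min": 22,
     "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r3", "direction": "ingress", "protocol": "udp", "port_range_min": 123,
     "port_range_max": 123, "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "r4", "direction": "ingress", "protocol": "tcp", "port_range_min": 8443,
     "port_range_max": 8443, "remote_ip_prefix": "192.168.10.128/25", "remote_group_id": None},
    {"id": "r5", "direction": "egress", "protocol": None, "port_range_min": None,
     "port_range_max": None, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r6", "direction": "ingress", "protocol": "tcp", "port_range_min": 443,
     "port_range_max": 443, "remote_ip_prefix": "::/0", "remote_group_id": None},
]


def audit_ingress(rules, mgmt_net=MGMT_NET):
    """Return (rule id, reason) for each ingress rule open beyond mgmt_net."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress":
            continue  # the guide allows all egress traffic
        if rule.get("remote_group_id"):
            continue  # source is limited to members of another security group
        prefix = rule.get("remote_ip_prefix")
        if prefix is None:
            # No prefix and no remote group means any source address.
            findings.append((rule["id"], "no source restriction (any address)"))
            continue
        src = ipaddress.ip_network(prefix, strict=False)
        # The version check runs first so subnet_of() never compares IPv4 with IPv6.
        if src.version != mgmt_net.version or not src.subnet_of(mgmt_net):
            findings.append((rule["id"], f"source {src} is not contained in {mgmt_net}"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_ingress(SAMPLE_RULES):
        print(f"{rule_id}: {reason}")
```
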

Deploying Controller and Assigning it a Floating IP

The following are the steps to deploy an Avi Controller instance:

1. Flavor: Deploy avi_ctrl.small or bigger.

2. Network: Use avi-mgmt to attach the Controller to the management network.

3. Security group: Use avi-mgmt-sg to allow management traffic.

4. Enable config-drive.


The following are the steps to assign a floating IP address to the Controller:

1. On the Horizon dashboard, navigate to Project > Compute > Access & Security. Assign the floating IP address.
   * If no floating IP address is available, click on Allocate IP to Project.
   * If a floating IP address is already available, associate it with the Avi Controller instance.

Performing Initial Controller Setup

This section shows how to perform initial configuration of the Avi Controller using its deployment wizard.

You can change or customize settings following initial deployment using the Avi Controller's web interface.

1. Configure basic system settings:
   * Administrator account
   * DNS and NTP server information
   * Email and SMTP information


2. Set the infrastructure type to OpenStack.

3. Specify OpenStack settings:
   * Tenant user credentials (username, password).
   * IP address of Keystone server.
   * Enable the Keystone Auth option.

4. In the Management Network window, select a tenant. In this deployment, it should be the same tenant into which the Avi Controller is deployed. Choose the management network created previously.


5. In the Keystone Role Mapping window, select an Avi Vantage user role to use as the default user role.

If an Avi Vantage user logs in with valid Keystone credentials, but with a role that does not have the same name as any of the user roles defined on the Controller, the default role is assigned to the user. To instead disallow access by any user who does not have a role that is defined on the Controller, leave the selection empty (None).

6. In the Virtual Service Placement Settings window, select Import Tenants to import tenants from Keystone and click on Next. Then, in the Support Multiple Tenants window, click on Yes.

7. In the Tenant Settings window, select the following settings:
   * Per tenant IP route domain.
   * Service Engines are managed within the provider context, shared across tenants.
   * Tenant has Read Access to Service Engines.


8. Navigate to Infrastructure > Service Engine Group > Default-Cloud.

9. Click on the Default-Group checkbox and click on the edit icon.

   Note: Ensure that compact placement is selected and maximum number of Service Engines is high enough to meet the needs of all tenants.

10. To verify installation, navigate to Infrastructure > Clouds. Click on Default-Cloud, and then click on the Status button. If the status is green, installation is successful.


Installing Valid Certificate on Avi Controller

This section gives steps for replacing the Avi Controller's self-signed certificate with one signed by a Certificate Authority (CA). A CA-signed certificate is required to access the Avi Controller through the Horizon dashboard.

1. Log into Avi Controller's web interface.
2. Navigate to Templates > Security.
3. Click on Create.
4. Click on Controller Certificate to create it.
5. Click on the Import button to import the new certificate and key.
6. Click on the Upload File button and select the certificate from your system.
7. Enter Key(PEM) or PKCS12 or upload the file.
8. Enter the SSL/TLS Passphrase.
9. After uploading the new certificate and key, configure the Avi Controller to use them.
   a. Navigate to Administration > Settings > Access Settings.
   b. Click the edit icon.
   c. Select the imported certificate and click on Save.
