Installing Avi Vantage in Amazon Web Services

This guide describes how to install an Amazon Web Services (AWS) EC2 instance of Avi Vantage.

Readers may find these articles useful:

1. About Avi Vantage

Avi Vantage consists of the Avi Controller and multiple Avi Service Engines (SEs). The Avi Controller analyzes traffic and, based on real-time analytics, can scale out / scale in SEs to load-balance traffic that may vary over time.

2. Deployment Prerequisites

Knowledge of AWS VPC

Knowledge of AWS VPC (Virtual Private Cloud) is required for configuring your network space (e.g., availability zone, subnets of Controller and SEs).

All IP addresses (e.g., Controller management IP, SE management IP, virtual service IPs, and server IP addresses) need to be planned and configured accordingly.

3. Credential Method

When deploying Avi Vantage within Amazon Web Services (AWS), the installation wizard prompts for input of credential information. You are not required to enter AWS Secret and Access key credentials. The credentials can be entered in either of the following forms:

  • Identity and Access Management (IAM) roles: A set of policies that define access to resources within AWS. The roles and the policies that define their access are defined in JSON files. This method does not require an AWS account key. Instead, the role and policy files must be downloaded from Avi Networks and installed using the AWS CLI. (Download links for the role and policy files, and the required AWS CLI syntax, are provided in this article.) After setting up the IAM roles, return to this article to install the Avi Vantage EC2 instance. Use this method if you don’t want to enter AWS credentials.
  • AWS customer account key: A unique authentication key associated with the AWS account. If using this method, continue reading.

4. Protocol Ports Used by Avi Vantage for Management Communication

In an AWS deployment, the Avi Controller and Avi Service Engines use the following ports for management. The firewall should allow traffic for these ports.

Traffic Source Traffic Destination Ports To Allow
Avi Controller Avi Controller TCP 22 (SSH)

TCP 8443

TCP 5054

Avi Service Engine TCP 22
Management Net See section below the table.
Avi Service Engine Avi Controller TCP 22

TCP 8443

UDP 123

Management Net TCP 22

TCP 80 (optional)

TCP 443

TCP 5054 (if using the optional CLI shell for remote
management access)

4.1 Ports Used by the Controller for Network Services

The Controller may send traffic to the following UDP ports as part of network operation:

  • TCP 25 (SMTP)
  • UDP 53 (DNS)
  • UDP 123 (NTP)
  • UDP 162 (SNMP traps)
  • UDP 514 (Syslog)

The firewall also should allow traffic from the Controller to these ports.

5. Installation

To install Avi Vantage in AWS, deploy an EC2 instance of the Avi Controller; then run the Avi Controller setup wizard.

5.1 Deploying an EC2 Avi Controller Instance

    1. Access Amazon Web Services (AWS) using https://aws.amazon.com and log in using your AWS credentials.
    2. Go to the Avi Vantage page on AWS Marketplace here. Avi Vantage on AWS Marketplace

 

  1. Click Continue to start the AMI deployment process. You can either perform a 1-Click launch or a Manual Launch via the EC2 console, API, or CLI. The subsequent screenshots below go through the Manual (EC2 Console) installation process.
    AVI AWS AMI
  2. Based on deployment scale considerations, choose an appropriate instance type. Amazon defines its EC2 instance types here. The following table lists the minimum requirements for the VMs on which the Avi Controller and Avi SEs are installed.
    Component Memory vCPUs Disk
    Avi Controller 24 GB 8 64 GB
    Service Engine 2 GB 2 10 GB

  3. For the Avi Controller, Avi recommends the following Instance Types:
    Deployment Size Virtual Service Scale Instance Type Memory vCPUs Disk (Minimum)
    Small 100 m4.2xlarge 32 GB 8 64 GB
    Medium 1000 c4.4xlarge /
    m4.4xlarge
    30 GB /
    64 GB
    16 / 16 64 GB
    Large 5000 c4.8xlarge /
    m4.10xlarge
    60 GB /
    160 GB
    32 /
    40
    64 GB

    Refer to the section Disk Capacity Allocation on the Avi Controller Sizing KB for recommended hard disk size.

    For added resiliency and redundancy, the Avi Controller can be deployed as a 3-node cluster. [See Overview of Avi Vantage High Availability.] In this case, a separate VM is needed for each of the 3 Avi Controller nodes. The requirements are the same for each node.

    At the time of this writing, Avi supports only 1 data vNIC per SE.

    The below example shows a choice of 4 CPUs and 16 GB memory.

    m4_xlarge_instance

  4. Select the appropriate VPC from the Network pull-down list and select the network from the Subnet pull-down list. This is the subnet in which the Controller will get the IP for the management NIC. Also, select the Enable termination protection option.
    VPC_optionsNote: If installing with an IAM role instead of an AWS customer account key, select IAM role if you have created as explained in Credential Method. In this example we have used the IAM Role "AviController-Refined-Role."
  5. In the Size (G/B) field, enter 64 to allocate 64 GB to the Avi Controller instance, and go to the "Next:Tag Instance" option.Storage
  6. Enter a name for this Avi Controller instance.Tag_instance
  7. Create a security group that allows traffic through the firewall, to allow management communication between the Avi Controller and the Avi Service Engines
    (SEs)Security_group
  8. (Optional) Select SSD as the storage type. (This enhances the responsiveness of the Avi Controller web interface.) SSD
  9. Review your EC2 instance, and click Launch. Review_instance_launch
  10. Key pair settings:

    • If you don't have key pair, create new key pair. After downloading the key pair, change the permissions to "400" (chmod 400 ".pem") to do SSH.
      New_key_pair
    • If you have key pair, select a key pair for AMI authentication.
      Existing_key_pair

  11. The deployment status of the Avi Controller EC2 instance into AWS is displayed. When the instance is ready (status "running"), you can access the instance using a private or public IP address. Wait for all checks to pass before setting up the Controller. running_instance

5.2 Setting Up the Avi Controller Instance

After deploying an EC2 instance of the Avi Controller, use a browser to navigate to the Avi Controller’s management IP address (10.144.137.13 for our case as shown in the previous steps) to start the setup wizard.

        • Configure basic system settings:
          • Administrator account
          • Network DNS and NTP server information
          • Email and SMTP information

AVI_setup

Fig2

email_SMTP_settings

        • Select Amazon Web Services as the infrastructure type:

aws-install-ctlrsetup-infra-262

        • Enter AWS account settings:
          • Access credentials are needed by the Avi Controller to communicate with AWS API. Enter the access key and secret access key.AWS_credentials
          • (Optional) Proxy Host and Proxy Port: Complete these fields if there is a custom proxy between your corporate network and AWS.AWS_proxy
          • If using an IAM role, instead select Use AWS IAM Roles.IAM
          • Configure SE Management Network. This is the subnet in which the Controller will place the management VNIC of SEs. The management network of SE should be reachable from Controller management IP.
            Note: While creating virtual service, make sure to select a VIP subnet that has reachability to the SE's management subnet.

SE management nw

This completes the installation process. The Avi Controller is now ready for deploying virtual services.

A Note on Instance Types for the Avi Service Engines:

Avi Service Engines are deployed on AWS automatically by the Avi Controller, as required for the virtual services that have been configured.

Avi SEs can be run on various Instance Types. This can be configured under the “Service Engine Group” -> Advanced setting.

On a per-instance-type basis this AWS table shows the maximum number of network interfaces, as well as the maximum number of IPv4 and IPv6 addresses per interface.

The below table shows the maximum SSL TPS performance achievable on some EC2 instance types.

Instance Type SSL TPS Performance
c4.large 2,400
c4.xlarge 4,900
c4.4xlarge 19,000

Notes :

  1. Currently Avi uses 1 data vNIC for all data traffic. This is apart from the 1 vNIC used for control-plane communication with the Avi Controllers and other Service Engines.
  2. SSL performance (TPS - transactions per second) has been measured with 1 virtual service configured (HTTPS, EC certificate) and GET requests for a 128-byte payload without session reuse. More details regarding Service Engine performance can be found here.

.

Updated: 2017-09-20 06:30:56 +0000