VMware NSX Advanced Load Balancer - Overview
Load Balancing is Important
Load balancing is an important aspect of network mobility.
How is a network useful if you can't move around within it?
- Cellular networks lose their appeal if you drop connectivity every time you roam between towers
- Wi-Fi networks are designed to facilitate smaller-scale movements. Imagine if you had to sit still for your Wi-Fi to work
Network Movements also facilitate migrations between services - as a consumer of a network service, frequent cutovers occur without your knowledge:
- Infrastructure upgrades: Firewalls, routers, switches constantly need to be bumped up to higher speeds, and feeds
- Preventing outages: Network "Maintenance Mode"
As computer networks get more complex - SDN is important for the orchestration of these changes or "movements". A distributed, off-box, dedicated management and control plane is essential to tracking "customers" in a scalable fashion - but load balancing is special here.
Most of our consumed services today leverage load balancers to "symmetrify" network traffic to accommodate nodes that do not support them. This can solve a lot of problems large enterprises have:
- Need to scale firewalls past 2?
- Need to scale firewalls in any public cloud?
- Imperfect link balancing with ECMP hashing?
- Want to prefer an ISP over another, but use both?
These problems are all solvable by the right load balancer platform - but are infrastructure specific. Load balancers often solve application-specific problems, including:
- HTTP Transforms
- TLS Quality Enforcement / Consolidated Stack
- "Diet" Acceleration, e.g. HTTP Compression
Stateless apps work perfectly without some form of load balancer/ingress controller but still benefit greatly from a discrete point to ingest data as well.
NSX Advanced Load Balancer Differentiating Points
Avi Networks was founded in 2012 with the goal of providing a software load balancer designed from the ground up to leverage Software-Defined Networking (SDN) capabilities. Every aspect of the platform's design appears to eschew this - the company clearly wanted to perform a totally new platform without any need for maintaining legacy platforms. In 2019, VMware acquired Avi Networks and is rebranding the platform to "NSX Advanced Load Balancer".
Here are some clear differentiating points I have found with the platform so far:
- Enterprise (Web) Oriented - Some load balancing platforms, like Kemp Technologies and Loadbalancer.org focus on clear, common enterprise needs and executing as effectively as possible; instead of "boiling the ocean" with a more feature-complete platform. If this is you as a customer, you can expect significant cost and quality improvements due to this more narrow focus - but Service Providers and specialty customers may be turned off by this.
- This product is designed for self-service, with robust management plane multi-tenancy
- This is a VMware product, so Avi is diving head-first into providing high-quality Kubernetes support
- Offloaded Control Plane: So far, this is a big one for me personally. I'm continually amazed as to how much rich data can be extracted simply by offloading telemetry processing to a controller. Logging and Analytics do not impact data plane performance and have minimal impact on sizing/costs due to per Service Engine licensing
- Software-only Kitchen Sink: Few load balancing platforms can support all clouds, KVM, K8s, Cisco ACI, Mesosphere, Acropolis, and OpenStack with direct support. Usually, the best we can hope for with a KVM install is an ISO and a prayer. This is refreshing.
- Support for dynamic routing: The vast majority of load balancers on the market don't natively support this, and specific implementations like anycast or multi-site load balancing stand to benefit from this particular feature.
- Global Server Load Balancing (GSLB) allows an engineer to control which site traffic may route to with anycast DNS. This provides them the ability to perform application-level capacity management with multiple sites in one solution.
Design Elements
Controller
This is Avi's brain and the primary reason for using a platform like Vantage - the control and management planes are, by default, managed by an offboard controller. The following functions are available here, with no performance penalty to the data plane:
-
Central Configuration Management, all locations, all the time.
-
Configure BGP once
-
Configure routes once
-
Configure vIPs once
-
Configure hardening (logging, TLS settings, passwords) once
-
Monitoring of vIPs, if a service is down relocate it
-
Software Lifecycle Management
-
IP Address Management
-
Periodic monitoring for common issues
-
Per Virtual Service extensive Analytics (Avi Enterprise only). They are running ElasticSearch on-box to achieve this, it's pretty neat.
NB: Avi Release 20.1.4 has <900 Debian packages (based on bullseye/sid), so they are running a little lean but could do more cleanup. 20.1.5 is down to 820 - so they are working on this.
Service Engine
Generally, these components do work. Structurally, these appliances are running Debian bullseye/sid with load balancer processes as Docker images. They're running the same edition of FRRouting as NSX-T - with the same approximate OS edition.
Service Engines do:
- Report in to the AVI controller
- Perform actual load balancing functions
NB: Avi Release 20.1.5 is much leaner than prior releases, and SEs typically have a much more compressed install base. 515 Debian packages here - almost in line with NSX-T 3.1.2!
IPv6
- AVI Controller UI and vCenter/NSX-T Interaction have hard-coded IPv4 Constructs, 20.1.5 introduces preliminary support for IPv6, but VMware's NSBU is usually ahead of everyone else here. I'll be testing vCenter + IPv6 in a later post.
- AVI Controllers appear to pick up an IPv6 address via SLAAC
- This platform appears to have full data-plane support.
Deployment Methodology
Management/Control Plane
No orchestrator pre-sets will be used here - per the Avi NSX-T Integration Guide. The primary reason for my doing this is as a more thorough test of this platform - I'll be deploying 3 "Clouds":
- Layer 2 Cloud (Typical A/P Load Balancer Deployment)
- Layer 3 Cloud (MP-BGP Load Balancer Deployment)
- NSX-T Cloud (NSX-T Integrated Deployment)
Avi Vantage designates any grouping of infrastructure presets as a "Cloud", which can have its own tenancy and routing table. This construct allows us to allocate multiple infrastructures to each administrative tenant or customer. This access is decoupled from "Tenant", which is the parent for RBAC.
Data Plane Topologies
The Avi Vantage VCF Design Guide 4.1 indicates that service engines should be attached to a tier-1 router as an overlay segment. The primary reason for this has to do with NSX-T and Avi's integration - in short, the Avi controller invokes the NSX-T API to add and advertise static routes to each service engine to handle dynamic advertisement.