vSphere with Tanzu - NSX Advanced Load Balancer 22.1

I have previously written about how to deploy the NSX Advanced Load Balancer (aka Avi Vantage) and configured it for use with vSphere with Tanzu.

As things move quickly in tech I wanted to do a refresh of this, as there has been a change in the Avi UI and in the vSphere workload management setup.

This post will focus on the deployment and initial configuration of the Avi load balancer, in an upcoming post we will take a look at the vSphere with Tanzu setup.

I will use the latest version available of Avi (22.1.1) in this post, please make sure you verify the compatibility between the Load balancer and the solution you'll use it for.

From the latest vSphere with Tanzu release notes the NSX Advanced Load Balancer version mentioned is 20.1.7. If you want official confirmation on the compatibility you should consider contacting VMware support

The official documentation describes the compatibility for integrating with different Ecosystems

Lab environment

In this post we'll work with a vSphere environment, based on vCenter and ESXi on the 7.0 Update 3f version.

The networks in play here, and where we'll see stuff being deployed are as follows:

Subnet VLAN GW Comment 160 Management network (vCenter, ESXi, Avi controller) 161 Frontend/load balancer network (Avi VIPs) 162 Workload network (Load balanced workloads/web servers)

There's routing between these networks and also to the outside world. No firewall rules exists between these.

A simple drawing of the network would be something like the following

Network topology

There's also DHCP services available in all of the networks with a scope in each network with the IP range 192.168.16x.100-192.168.16x.199

There's one exception with regards to the networks in use, and that concerns my DNS server which is served from a different network. The three networks mentioned above have access to the DNS services on this server


The deployment of the NSX Advanced Load Balancer is done with the Avi controller and the software is downloaded from the Avi Pulse portal or from MyVMware. Note that you'll need to have entitlements in place for getting access to the download.

In this post we'll deploy the controller to a vSphere environment so we'll download the OVA and deploy that in vCenter.

We'll not go through the process of deploying an OVA/OVF template to vCenter as this is pretty straight forward. The only configuration done is to provide the details of the management network for the controller.

Network details for the OVA template

After importing the OVA we can power it and wait for the initial boot. Note that it might take a few minutes before the controller is ready to be configured

Intial configuration

When we visit the controller IP address for the first time (again note that it will take a few minutes before it's ready) we'll have to provide details for the admin account, more specifically which password we want to set

Avi admin account

After this we'll provide a passphrase, which are used for exports and backups, and the DNS settings

Initial DNS config

The next part concerns the SMTP capabilities, which in our case we'll skip

And we have some multi-tenancy capabilities which we'll leave with the defaults

Initial config Multi-tenancy

Note that the initial config wizard has an option for configuring the Default cloud after completing the initial wizard. In our case we'll not select this

Setup default cloud

Avi configuration

After completing the wizard we're ready to proceed with a couple of additional configuration steps


The first thing we'll do is to set up the correct license. By experience I really recommend that you change this first thing (if you're not planning on purchasing the Enterprise with Cloud services license) as it could be a real pain to do it later on when Avi is in use. I've previously blogged about that here.

License screen

We'll use this Avi instance for vSphere with Tanzu, so we'll select the Essentials tier to change from the default Enterprise tier (the controller comes with an 30-day eval of the Enterprise tier)

Essentials license tier

Verify that the license tier has changed

License tier changed


The next step will be to change the Avi controller web server certificate. We'll do this because we need this later on when we'll configure vSphere with Tanzu in an upcoming post

Create certificate

In this post we'll create a self-signed certificate, but in a production environment we should use a Enterprise CA signed certificate. We'll fill the certificate wizard with a common name

Create certificate wizard - common name

And we'll make sure that we have the IP of the controller as a Subjecte Alternate Name (SAN)

Create certificate wizard - SAN

After completing the wizard, verify that the certificate has been created

Certificate created

To change the controller certificate we'll go to the Administration tab and the Access settings and select the Pencil icon to edit

Access settings

We'll remove the default certificates and add in our newly created, and we'll also enable Basic Authentication. I have had a few issues with vSphere with Tanzu when Basic Auth was disabled. Note that Basic Authentication might be a security concern.

Changed Access settings

After changing the certificate wait a minute and reload your browser to accept the new certificate

Default cloud setup

Now we'll head over to the Infrastructure tab to start configuring our Default-cloud. Note that if you'll use Avi for vSphere with Tanzu or with the Avi Kubernetes Operator (AKO) you have to keep the Default-cloud and configure that.

If you, like we've done in this post, didn't setup the cloud with the Initial config wizard we'll need to convert the Default-cloud cloud type from the "No Orchestrator" type to VMware vCenter/vSphere

Change cloud type

After confirming the cloud type change we'll be presented with a wizard for configuring the cloud. In this setup we'll set the Service Engine group to the Default-group, we'll select DHCP as the default for our networks.

Configure cloud

In the same wizard we'll also set our vCenter credentials. Note that I'm using a specific account for this setup. The permissions needed can be found here. A new feature in Avi 22 is the ability to use a Content Library for storing the Service Engine images, but this is an Enterprise feature so we'll not use this in our setup.

Cloud vCenter settings

Before the last cloud configuration settings can be done we need to hit Save & Relaunch.

After the wizard relaunches, we'll select the correct Port group for the management network and we will also select DHCP as the default. Hit Save when finished.

Set management network

Networking setup

After adding the credentials and connecting to vCenter the Avi controller will discover, amongst other things, the vSphere networks. We'll configure the ones that we'll be using later on in our vSphere with Tanzu setup

Cloud networks

In our setup we'll mostly use DHCP so we'll verify that our networks has this selected

DHCP enabled

If you're not using DHCP this is where you would configure the Static IP pools. In our setup there's one set of resources that we need to provide an IP pool for and that is for the Virtual Services.

In this example we will have the Virtual services on the "Frontend" network, so we will find this in our Network list and configure it.

Configure frontend network

For the configuration we will hit Add subnet and this let's us enter the details of the subnet and the pool of addresses we want to use. We could use the same pool for both the Virtual services and the Service Engines, but in this case we will only use it for the VIPs

Add static IP pool for VIPs

After we've added the Static IP pool and hit Save the configured subnet should be visible on the Network page

Network configured

Now we will create an IPAM profile to tell the controller which network it should use for the VIPs. Profiles are created on the Templates tab

IPAM profiles

New IPAM profile wizard

And finally we'll add the IPAM profile to the cloud configuration

Add IPAM profile to cloud config

Lastly, we'll take a look at routing.

VRF and Routing

Because of how Avi works in our setup, with the Service Engines and the workloads on different networks, we need to provide a route between them. In my simple setup I'll just add in a default route by setting the as the subnet, and I'll use the Frontend gateway as the Next hop

Add static route


This concludes the configuration of the NSX Advanced Load Balancer. In the next post we will make use of this in our vSphere with Tanzu setup.

This page was modified on September 14, 2022: Added topology img