Delivering Agile Kubernetes Ingress Services for VMware Tanzu

January 25, 2021 Andreas Zindel

VMware Tanzu eases the adoption of Kubernetes and supports modern applications with an automated application platform for container-based workloads. Since the application delivery components are among the most critical pieces of infrastructure needed to deliver enterprise-grade Kubernetes clusters, an ingress controller and services such as load balancing are typically deployed to enable external users to access the application.

However, enterprises quickly find that there is a significant “lab-to-production” gap when it comes to robust traffic management, app performance, observability, troubleshooting, and security. With that in mind, we are excited to announce the bundling of the VMware NSX Advanced Load Balancer by Avi Networks platform in the recently announced Tanzu Advanced Edition. VMware NSX Advanced Load Balancer helps deliver production-ready Kubernetes clusters that leverage VMware Tanzu with turnkey ingress, load balancing, web application security, and observability services. It enables teams to simplify operations with cloud native automation and central orchestration across multi-cloud environments.

Challenges with application services for Kubernetes

Common application services—such as local and global load balancing, network performance monitoring, and application security—that are used to deliver traditional applications need to be approached and implemented differently in container-based applications. Here are some of the networking challenges that can come up.

Multiple discrete solutions

Modern application architectures based on microservices have rendered appliance-based load balancing solutions obsolete. With the disaggregation of compute clusters, the ephemeral nature of containers, and the automation needs of modern apps, traditional load balancers are simply not suited. On the other hand, open source solutions offer programmability but require significant do-it-yourself effort on the part of DevSecOps teams. Enterprises find themselves cobbling together multiple point products for L4 load balancing, the ingress controller, WAF, DNS and IPAM, and observability, which drives up the complexity of the deployment and widens the failure domain.

Complex operations

With disparate solutions, IT faces more complex operations when it comes to managing and troubleshooting multiple independent components, each with its own management layer and integrations. The agility and flexibility that modern apps promise is often not fully realized due to the operational challenges of networking.

Lack of observability

When it comes to container-based applications, end-to-end visibility is especially important. Both application developers and operations teams need visibility into the interactions between end users and the application components deployed in the clusters, as well as the interactions between services within the cluster. Such visibility enables them to troubleshoot erroneous interactions, security violations, and any performance issues that are the result of latencies.

Partial automation

Application and networking services need to be API-driven and programmable without the constraints that hardware appliances introduce. Not only can multi-vendor solutions limit flexibility and portability across environments, but they require in-depth scripting knowledge for different products and provide only partial, if any, automation, leading to compromises among features, automation, and scale.

Both VMware Tanzu and VMware NSX Advanced Load Balancer offer full-stack modernization to simplify and accelerate the delivery of modern applications across multi-cloud environments.

Consolidated application networking services for VMware Tanzu

VMware NSX Advanced Load Balancer, which is built using cloud native principles, is a complete application delivery, observability, and application security platform that can be deployed in data centers or any public cloud. It integrates with container orchestration platforms to deliver comprehensive networking services for modern app deployments, and is included as a key capability in the VMware Tanzu Advanced edition. The software-defined platform can support applications running across on-prem, multi-cloud, multi-cluster, and multi-region environments.

To deliver comprehensive container services for both traditional and cloud native applications, Avi Kubernetes Services includes north-south (ingress controller) traffic management, local and global server load balancing (GSLB), performance monitoring, dynamic service discovery, application security such as web application firewall (WAF), and DNS/IPAM integration.

Combining the necessary container networking components with central management and native Kubernetes integration provides operational consistency regardless of the on-prem, private cloud, or public cloud environments in which the clusters are deployed.

How VMware Tanzu clusters are deployed together with VMware NSX Advanced Load Balancer

The VMware NSX Advanced Load Balancer platform separates the control plane and data plane to provide a flexible architecture for container networking services. The Controller (control plane) is the central point of management and of integration with Kubernetes deployments, and the Service Engines (data plane) deliver the networking services, including load balancing, ingress, and app security. For Kubernetes workloads, the platform also includes a control plane component, the Avi Kubernetes Operator (AKO), which communicates with the Controller via its APIs to synchronize Kubernetes objects and to configure the Service Engines to deliver ingress services. The VMware NSX Advanced Load Balancer platform can be used to deliver applications across multiple Tanzu clusters, with each cluster running its own instance of Avi Kubernetes Operator.

Once a new ingress service is created in a cluster, Avi Kubernetes Operator automatically:

  • Synchronizes with the Controller, which creates a virtual service
  • Allocates a VIP from IPAM
  • Publishes the FQDN to DNS
  • Designates service engines to host the newly created virtual service for ingress and routes
  • Updates this VIP and the hostname in the ingress object’s status field  

The Avi Kubernetes Operator architecture for containers

Multi-cluster Tanzu deployments made simple

To extend applications across multi-region and multi-availability zone deployments, VMware NSX Advanced Load Balancer’s Avi Multi-Cluster Kubernetes Operator (AMKO) is used.

Avi Multi-Cluster Kubernetes Operator runs in a pod in the Tanzu GSLB leader cluster. In conjunction with Avi Kubernetes Operator, Avi Multi-Cluster Kubernetes Operator facilitates multi-cluster application deployment. It maps the same application deployed on multiple clusters to a single GSLB service, extending application ingresses across multi-region and multi-availability zone deployments.

Because Avi Kubernetes Operator runs in every cluster as the ingress controller and manages the virtual services, VIPs, FQDNs, and DNS records, Avi Multi-Cluster Kubernetes Operator can pick up the new VIPs and hostnames from the status field of each ingress object. It then calls the Controller APIs on the leader cluster to create a GSLB service for the new VIP and to configure GSLB services and DNS/IPAM settings, which are synchronized to all the follower clusters automatically.
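The two handoffs described above, AKO writing the VIP and hostname into an ingress object's status field and AMKO grouping the same hostname across clusters into one GSLB service, are easy to verify from the cluster side. The following is an added example, not VMware or Avi code, and it does not talk to a Controller. It audits constructed sample output in the shape of `kubectl get ingress -A -o json` from two hypothetical clusters (`tanzu-east` and `tanzu-west`, with made-up hostnames and addresses): it flags ingresses that are still pending (no VIP in status), whose published hostname does not match any rule host, or whose hosts are served without a TLS entry, and then groups the ready ones by hostname the way a GSLB service would span clusters. The grouping is a simplified model of what AMKO does, not AMKO's own logic.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: what `kubectl get ingress -A -o json` might return from two
# Tanzu clusters after AKO has (or has not yet) filled in the status field.
# Cluster names, hostnames and addresses are made up for illustration.
SAMPLE_CLUSTERS = {
    "tanzu-east": {"items": [
        {"metadata": {"namespace": "shop", "name": "storefront"},
         "spec": {"tls": [{"hosts": ["shop.example.com"], "secretName": "shop-tls"}],
                  "rules": [{"host": "shop.example.com"}]},
         "status": {"loadBalancer": {"ingress": [{"ip": "10.10.0.50", "hostname": "shop.example.com"}]}}},
        {"metadata": {"namespace": "internal", "name": "admin"},
         "spec": {"rules": [{"host": "admin.example.com"}]},
         "status": {"loadBalancer": {}}},  # AKO has not reconciled this one yet
    ]},
    "tanzu-west": {"items": [
        {"metadata": {"namespace": "shop", "name": "storefront"},
         "spec": {"tls": [{"hosts": ["shop.example.com"], "secretName": "shop-tls"}],
                  "rules": [{"host": "shop.example.com"}]},
         "status": {"loadBalancer": {"ingress": [{"ip": "10.20.0.50", "hostname": "shop.example.com"}]}}},
        {"metadata": {"namespace": "shop", "name": "api"},
         "spec": {"tls": [{"hosts": ["api.example.com"], "secretName": "api-tls"}],
                  "rules": [{"host": "api.example.com"}]},
         # published FQDN does not match the rule host: stale or misconfigured
         "status": {"loadBalancer": {"ingress": [{"ip": "10.20.0.51", "hostname": "api-old.example.com"}]}}},
    ]},
}


@dataclass
class IngressReport:
    cluster: str
    namespace: str
    name: str
    hosts: list            # spec.rules[*].host
    vips: list             # status.loadBalancer.ingress[*].ip, written by AKO
    issues: list = field(default_factory=list)

    @property
    def ready(self):
        return bool(self.vips) and not self.issues


def check_ingress(cluster, item):
    """Audit one Ingress object against the AKO workflow described in the post."""
    meta = item["metadata"]
    spec = item.get("spec", {})
    hosts = [r.get("host") for r in spec.get("rules", [])]
    entries = item.get("status", {}).get("loadBalancer", {}).get("ingress", []) or []
    vips = [e["ip"] for e in entries if "ip" in e]
    fqdns = [e["hostname"] for e in entries if "hostname" in e]
    report = IngressReport(cluster, meta["namespace"], meta["name"], hosts, vips)

    if None in hosts:
        report.issues.append("rule without host: no FQDN to publish to DNS")
    if not vips:
        report.issues.append("pending: no VIP in status.loadBalancer yet")
    for vip in vips:
        try:
            ipaddress.ip_address(vip)
        except ValueError:
            report.issues.append(f"malformed VIP in status: {vip!r}")
    for fqdn in fqdns:
        if fqdn not in hosts:
            report.issues.append(f"status hostname {fqdn} not in spec.rules hosts")
    # Added security check: a host with no spec.tls entry is served over plaintext HTTP.
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    for host in hosts:
        if host and host not in tls_hosts:
            report.issues.append(f"{host} has no TLS entry: served over plaintext HTTP")
    return report


def audit_clusters(clusters):
    return [check_ingress(c, it) for c, data in clusters.items() for it in data["items"]]


def build_gslb_services(reports):
    """Group ready ingresses by hostname: one GSLB service per FQDN, with one
    (cluster, VIP) member per cluster. Simplified model of the AMKO mapping."""
    services = {}
    for r in reports:
        if not r.ready:
            continue
        for host in r.hosts:
            for vip in r.vips:
                services.setdefault(host, []).append((r.cluster, vip))
    return {h: sorted(members) for h, members in services.items()}


if __name__ == "__main__":
    reports = audit_clusters(SAMPLE_CLUSTERS)
    for r in reports:
        print(f"{r.cluster}/{r.namespace}/{r.name}: {'READY' if r.ready else '; '.join(r.issues)}")
    for host, members in build_gslb_services(reports).items():
        print(f"GSLB {host}: {members}")
```

Run against real clusters, the same checks apply to the JSON that `kubectl get ingress -A -o json` returns from each cluster. An ingress that stays in the pending state is the first thing to look at when AKO appears not to be reconciling, and a hostname mismatch between the status field and the rules is what would make AMKO publish the wrong FQDN.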

Closing the lab-to-production gap to deliver modern apps

Enterprises embarking on their modern apps journey need infrastructure that matches the cloud native characteristics of the apps themselves. Force-fitting legacy solutions or assembling multiple point products and open source solutions isn’t a winning strategy for production-ready Kubernetes deployments. Avi has helped global enterprises deliver their applications in data centers and across clouds with the benefit of simplified operations, faster deployments, and lower total cost of ownership. Enterprises such as Deutsche Bank were early adopters of containerized infrastructure, building robust PaaS platforms and dramatically reducing the time to market for new applications using VMware NSX Advanced Load Balancer and Kubernetes. Learn more about that organization’s experience and best practices in its customer success story.

The VMware NSX Advanced Load Balancer platform is built into the Tanzu Advanced edition and can serve as a single platform for all the application networking and security needs of your modern apps.
