Avi GSLB on AWS - Brain-Dump! (Trevor's Guide)

Captions
hey everyone my name is trevor and uh today i've got what i think is an interesting one i spent some time the last few days experimenting a little bit with avi's gslb in aws and wanted to make a video covering everything i learned so uh it's going to be a long video i'm going to create sections if if you have specific things that you want to figure out i would recommend using the sections but this is meant to take somebody who has a very basic knowledge of amazon and a very basic knowledge of avi and what it is this is meant to provide all of the information you might need to get some gslb up and running across a couple of amazon regions let's get started today i've done away with powerpoint i'm going to be using a mirror board because i'm cool okay i can do uh awesome whiteboarding on the internet i don't have to do everything in powerpoint i'm a real engineer all right so anyway i'm going to walk you through the solution i have a diagram that i just want to give you a high level of kind of what gslb is how it works why it's important then i'm going to take you through all the steps that i went through the last few days i'm going to walk through how you set up avi and amazon on how you configure your vips to get the the bones in place for a gslb service i'm going to walk you through the amazon specifics of what you're going to need to get this up and running in your amazon environment i'm going to show you some useful dns troubleshooting tips that i learned during the setup that i think will be useful if you hit any issues in your environments and then at the very end i'll just comment on a few ways that you know gslb is a as a service and if you know anything about avi it's a application services fabric right we're providing load balancing layer 7 layer 4 services as well as laugh and dns based services and so one way to manage those services is via the avi controller directly but you know sometimes there there are other interesting ways to automate and consume 
something like gslb great example of this and and what i'll discuss later is tanzu service mesh so you can have avi function as a gslb for your service mesh and you can also have avi integrated directly with your kubernetes cluster using something called amko that's the agenda let's start with the solution so in my environment what i'm going to walk you through is a gslb setup now there are within the world of avi there are some things that have to happen i'm going to walk you through that the real important components from a data plane perspective anyway when it comes to gslb you know gslb is a way to route a client request to different infrastructures using dns as a control protocol so if you already know a little bit about load balancing and regular vips right tcp is the kind of control protocol for hitting a vip but dns can be used to do things like for example have a client resolve to a specific vip right so i have my usd 1vip and my usc west vip right and these are different ips but maybe i want to have users that are located on the east coast only be directed towards the west side and maybe i want east coast only directed towards the east site or maybe i would like to just have additional availability maybe i don't care where the users which data center the user is routed to but i just need to be able to protect against a full outage of a site so that's why you would need gslb generally this is for active active or dr type of use cases within environments and all it really is if you understand the concepts of vips and pools all gslb really is is an additional layer of dns on top of that so that way when the client goes to your website to whatever that services that you're hosting so maybe www.global.trevor.poc.demolabi.us that's a really long url i would recommend a shorter one that's the one that i'm using when a user hits that url you know when you hit donate a domain name the first thing you have to do is resolve dns right so um the flow of traffic is 
pretty straightforward you know if a client always has a dns server set it's usually their isp or maybe it's their corporate network right so that's going to hit their isp first saying hey who's who owns this domain in my environment and what i want to walk you through since this is about aws eventually this domain the poc.demoav.us domain route 53 is authoritative for that domain right so what we got to do to allow avi to control a domain is effectively delegate a subdomain so i'm delegating i'm basically pointing all traffic that is a trevor.poc.demolav.usurl towards avi so user types in their url they're going to hit route 53 via this delegation that i'll walk you through later um route53 is going to say hey actually i don't know what the a record to give you is for that url but you know who does know these two avi name servers which by the way the name servers these are actually virtual services that are configured in navi i'll walk you through that as well in a bit so you just configure virtual service and you make dns the protocol and and you do a couple configurations and now we can own that domain and respond with you know either ip so when this user resolves it's ultimately its dns request is going to be routed to one of the dns service engines and then that service engine is going to respond with one of the a records for the the vip so it's either going to respond with the east a record or the west a record effectively doing global server load balancing using dns as a control protocol by the way in my environment i'm running my app in us east1 and u.s west one so i've just got this little web app running that we'll do all the testing on however these don't have to all be in amazon you could have the app living on amazon and azure and google and your on-prem data center at the same time ravi will support any topology you throw at it it's one of the benefits of using a multi-cloud and fully agnostic solution like avi is that we can deploy all of the 
services in any cloud always um making it so that your your strategy changes aren't going to affect your ability to deliver global services and it's also going to allow you to deliver global services on any infrastructure from a public cloud to kubernetes to your on-prem data centers as well so that's the high-level solution now i think it would be good to walk you through avi and so i'm going to show you what i have in and i have two controllers i have a controller deployed in in a u.s east-west region and us east region again that's for availability you're generally going to want to have at least two controller clusters if you're doing gslb you can run it on one for like a test environment for sure but just for availability you know remember gslb you want to protect yourself against a full site going bye-bye and so the best way to do that is going to be to have a controller at each site that way if this site goes bye-bye that we can still continue to operate and still continue to serve client requests via the obvi services that are deployed in your other region or data center or whatever your environment is now i'm going to walk you through some ov side setup okay okay so i am in an ivy controller in my east ivy controller actually is what i'm in right now um you can see i have a couple of virtual services i have two right my environment is very simple it only has two but you if this is a real world environment you probably have more than two vips i've got my web app this is going to be the app that i ultimately end up load balancing to and i'll show you real quick that this app is deployed at two sites so i have this is this actually a second obvi controller and you can see i've got that dvwa west and my dvwa east deployed and so these are two separate vips on two separate controllers that i'm going to load balance traffic between leveraging gslb okay now uh before you can get to this point where you're configuring vips i'll show you how i can figure these dips 
in a sec but before you can do any of that you're gonna have to set up a cloud connector okay in avi when you integrate with an environment you configure what's called a cloud connector so i have a cloud connector on both of my audi controllers i'll show you how to set that up i've got one connected to to us east and one connected to us west all right so let me show you what it looks like whenever you configure a cloud connector so it's pretty straightforward however um there's a few things that you got to do you give it a name that's easy and it's going to want you to specify a region right because amazon has a bunch of different data centers those are those are regions and you got to point it at a specific region that's the scope of the aws cloud all right now if you've set up avi with like a vcenter you might know that you need a service account uh to connect ivy and db center it's pretty much exactly the same with amazon you have two different ways you can scan it you can use a access user access and then a secret key so basically um this is where the kind of just using a regular amazon account with the right permissions you could put in the key and the secret and then authenticate the amazon avi uh api from avi that way what i've actually done is i've used an iam role so in amazon you can provide an iam role to a vm so if you create the appropriate role and you give that role to your avi controller you can just use this option i don't have to put any service accounts or anything amazon already has assigned the identity to the mayavi controller with the appropriate permission so it can call the amazon api all right at the bottom here i'm not doing any route 3 integration i'm not using any additional integrations there's a lot of integrations into various aws services navi that's not what i'm doing here i'm just doing basic gslb all right and then in my next i'll click next to show you in the network tab and everything so um here i've specified my vpc this is 
something i created in amazon you can use an existing vpc or you can create a new one as you're deploying this stuff depending on what your needs are and um i also defined an availability zone and then a subnet so this is for specifically for management the service engines have a management nick that connects back to the lobby controller so this that's what this is for um if you know much about avi and amazon a big benefit of having amazon that we can do a multi-az deployment so that way you can have service engines be available across multiple availability zones i'm not doing that because i don't want to but in production you may want to do that management it might not be so important but i would still do it on management if i could and it's very much important on the your data plane because an amazon region can go out anytime uh there's there's there's no sla to say that all regions and all sorry all availability zones in all regions are always going to be out forever that's not how cloud works sometimes you will have an easy outage so having a multi-az setup is important that's it you can reference a template service engine group in here as well i'm going to show you the service engine group for my amazon setting here in just a second you can add custom tags you can do it you can just do some other things but again i've just had a very basic setup and this is this is my environment this is for the management connection all right so i've got that set up now i'm going to go over to service engine group i'm going to show you the service engine group for one of the clouds and by the way that cloud setup if you're doing a multi-region deployment with multiple controllers you're going to set up the exact same thing in west leveraging that vpc that subnet all right so in the service engine group if you know much about avi in the service engine group and hobby when you uh when you have a cloud and a service engine group falls underneath a specific cloud type the service 
engine group is going to have different properties based on what makes sense for that cloud so because this service engine group is under an aws based cloud what you'll find is that i can do things such as determine what flavor of instance i would like to be deployed as my service engine right there's a lot of different instances in amazon that you can leverage and deploy service engines on top of so this is where you would determine the flavor of that instance so the size of your service engine that's you know related to how much packets you can process on the virtual load balancer and this is where you would make other normal service engine configuration changes another important one related to amazon is you can either so when the service engines are deployed they're going to need certain security groups applied to them and amazon there's security is on in your vpc so traffic is being denied and you have to have exceptions so that way the service engine can talk back to the components that it needs to for example it needs to talk back to the ivy controller it also needs to open up ports like if it's a if it's serving a vip or if it's serving uh dns i need to have port 53 open or port 80 open for my vip right so as i make changes to avi if you have these avi managed security groups obvi is actually going to be um automatically updating the security groups as you make configuration changes uh to load balancer those exceptions will be added into amazon so it's a very automated experience this is how i've done it and it was the easiest way to set it up however you don't have to do that you could consume existing security groups as well so if you have if you for some reason can't do the ivy managed option and you'd like to use an existing security group and apply that to your service engines you can do that as well and you can see we have the option to apply both a management security group and a data next security group using this model all right all right so that's 
the cloud the service engine group pretty basic so let's let's get into the gslb setup all right all right so as far as the bones the the fundamentals of what you need in your avi controllers one of the first things you're going to have to do is at each site that you want to be responding to dns requests so here i've got my two dns service engines right by the way as an aside you could put you could put the vip and the dns service on the same service engine there's no rule against that in fact in my environment that's what i've done i wouldn't recommend that for production it's nice to have a separate pool of capacity for dns requests so dns is pretty lightweight you usually configure you know one or two small service engines to respond to that unless you have a really high dns requirement but anywho the dns virtual service is one of the first things you got to create and that's got to exist at both sites because when the user tries to resolve traffic um at some point when they they're going to hit this delegated subdomain in my case the trevor and they're going to have to resolve against avi right avi needs to apply some intelligence and decide am i going to respond with my site a a record or my site b c d record like which record am i going to give back to the user so the user's request for dns eventually does have to hit avi right so that means that in the ivy controller you need to configure a virtual service that serves dns right it kind of makes sense you've probably if you're watching this video you might have configured a vip in avi a dns virtual service is a little bit different a dns virtual service you don't really need a pool you just need something that can respond to and serve a records let me show you how i've configured my dns service engine or sorry my dns virtual service but know that you would need to do this at both of your sites whenever you're configuring in your environments all right so i'm going to pop in here it's pretty simple all i've 
done is i've created the virtual service i've selected the network so i only have one subnet in my vpc so that's the only one i have available but you'll see a list of all the subnets that your service account can see within your given region or vpc okay so i'm going to deploy my vip to this private ip space in amazon i also my my solution here is a public solution so i'm actually responding to users out on the internet therefore i gave this an elastic ip which has a public ip address you don't got to do that you could keep it all private or maybe you have a use case where you need gslv for just internal corporate users or something like that so you don't need to have the elastic ip that's just how i'm doing my setup and so to configure your dns virtual service you you get an ip a vip and then uh you need to make the application profile system dns all right because i'm not doing a web app right i'm like you a common thing to do is http or https or ss or like a layer 4 vip i'm not i'm doing a dns vip that's going to be able to listen and respond on port 53 dns and i've also set this vip up to listen on both udp port 53 but also tcp port 53 there's a little flag up here you can switch to advanced and then from there you can do an override so basically this one dns virtual service will respond to both tcp dns requests but also to udp dns request that's that's the only reason i set that up okay that's actually all you need to configure it's listening on dns okay later we're going to come back and add static dns records to this virtual service however for now this is good so you you'll next next finish through your wizard again and unless you have a specific like service engine group you need to configure then you would want to set that up i did one other small change to my environment it's it's to use the vip as snat so there's a lot of health checking involved in these sort of dns things because you need to be able to know like if a vip goes down we don't want to 
respond with that record that a record anymore we need to take that out of the pool and so uh leveraging this use vip as snat allows me to health check the public ip um so what that does is just makes it so that way um my health checks work for my public use cases all but uh this this would be something you might need to engage especially for those public ip based use cases so anyway if you find your health checks failing that could be why all right so this all looks good so that's a proper setup dns vip you would want to do that at both avi and then you would also want to do that at any other sites you know i'm doing two sites maybe you have four sites six sites whatever you would set this dns responder up at each site that you want to resolve dns records right by the way you don't have to have a dns tier at every single site either you could have vips at a site and not have dns at that site like there's a lot of ways to mix and match a lot of ways to design this thing just just i wanted to say that part all right all right so here's i'm going to show you something next in navi that a lot of users uh miss okay i've configured my dns virtual service but because you know owning dns it could be potentially you know impactful it could be disruptive if done the wrong way you do need to tell avi and give it permission at an administrative level to start responding to requests on these service engines so i'm going to go into administration and then system nope settings yeah so in both of my controllers i also i'm going to need that that dns virtual service you created i'm telling you everybody forgets the step if it's not working this might be why yours isn't working you have to basically tell avi hey use this virtual service for dns right and i've already selected mine in the drop down you could have more than one dns virtual service there's absolutely no rule against that but if you don't have the dns virtual service turned on via this dns service flag here in avi it's 
not going to respond to records right so you got to have that turned on so let's say that you've got a dns virtual service in both your controllers and you've configured it appropriately you've got your cloud your aos cloud working your dns virtual service and mine has a public ip maybe yours is private that's okay there's one other step that we need to take before we can actually set up gslb in avi um pretty simple step but whatever so at some point you're gonna have to delegate a sub domain all right this is one of the more confusing parts so try to try to keep up here right um eventually you're going to have to delegate a subdomain again i'm doing it for route53 you can do it from any dns server you have it could be ad route 53 google dns azure dns we don't care for me it's r53 um so i'm gonna delegate this subdomain the trevor.poc subdomain um to avi well in order for avi to own that subdomain i just need to configure an ns record on obvi so if you go to your virtual service you can actually create dns records so i could create an a record i a lot of times i'll end up configuring a records and give it like a random ip so that way i can test out dns make sure that that it's working properly and and that the virtual service is responding but um i'm not going to set up my test a record right now what i'm going to show you is the ns record all right you got to get this part right all right so when you configure your ns record you need to configure the fqdn as whatever the subdomain you want avi to be authoritative for is again mine is trevor.poc.demojavy.us makes sense then for the ens record what i'm going to do is i'm going to have both of my virtual services be the be what's held inside the ns record for this fqdn so i've put the name my desired name for both these virtual services and also the ip where did this ip come from this ip came from the dns virtual services that you just configured so i'll show you for my for my second one right this is in my west 
region if i go to my west controller you'll see this ip address is the ip the public ip again you could use the private if you're doing a private use because i'm doing a public use case um this is the ip address that i have pasted in here right and vice versa for my uh my virtual cert my dns virtual service that i configured in the east okay so i just got to put those ips in here so that way avi knows what the ip is that is hosting the the ds responders here for this subdomain effectively okay so this is just a requirement and without this you'll you'll hit an error when you start configuring gslb so just make sure that this part is done again like like most of these initial setup steps this needs to be done on both sides okay so now i've got all the kind of bones in place my last step in avi there are some things i got to do in amazon and i want to show you all but the last step in avi is actually to set up gslb okay what that means is i'm going to tell avi what the gslb subdomain i wanted to be authoritative for is i'm going to link together my east and west avi controller so i'm going to kind of create a relationship between those so they can sync us lb configurations and they can see each other's inventories and stuff like that it'll make more sense but just just here's how it goes all right i'm going to configure this my first gslb site okay so gslb east you can see it's pulled ips these are the ips of my controller cluster all right so if i were to show you the ec2 instances that this controller is running on these are the private ips for that avi knows that and it just pulled them in already right i'm going to give my username and password for this again this is the user password for the ovi controller okay so i put that in uh i i've told it here what port again i'm really pointing this at itself right now so this this part is a little easier and then the subdomain remember it's trevor.poc.i demojavy.us okay so that's my subdomain and then client group 
iptype again i've told you a lot i'm doing a public use case uh so my clients are coming from public ip space but you could make it so that your clients are coming from private ap space whatever all right um this is good for my first site so i'm gonna save it and then i need to set the dns virtual service so all right cool typo so i save that and then i'm going to reference my dns virtual service again and i'm also remember that subdomain that i configured the ns record for before here it is so i'm going to say hey here's the sub domain you can add other dns virtual services and other subdomains that's totally chill i'm just using one right now cool so i've got my first gslb site configured all right it's my gslbeast i'm going to go ahead and add my west site now okay so i did gslb east i configured that on my east controller my ease controller is going to be the kind of primary for gslb the leader and now i'm talking about gslb west uh mine's an active member pretty much all mine are going to be and then so this is where you remember before when i created the first setup it knew the ips of the controller that's because i was basically creating gslb on for the east site on my east controller well now i'm on the east controller connecting it to the west controller so i need to have the ips of my west controller so you'll be able to see where i get those actually so let me i'm going to open another tab to the aws console all right so i'm going to show you kind of where i would get these ips in amazon but if you know the ips of your controllers you would just start plugging in your ips here i have three controllers configured in a cluster so i'm putting each individual ip but if you just had one controller for your setup or two then you would just put in two so i have controller these are my controllers controller one controller two and controller three so i just need to grab their private ips um so i i have amazon showing my private ips and so i can just copy and 
paste them but you you might need to adjust what amazon is listing um with this little settings button here depending on your aws console but anyway here's my three ips so i'm just going to put these in cool i got my so i've got my three ips in here and this is important right we're connecting these via the private ips because these are both hosted in internal aws ip space these don't need to go over the internet you know you don't want them to go over there why would you want this is how gslb stays in sync across the two sites we would not want that to go across the internet there's not a good reason for that so this will have ride the private ips of uh of the controllers all right this is good so i'm gonna do the same thing here i'm gonna save and set the dns virtual service okay cool so i've connected that between the two sites and now i'm going to do the same deal select my dns virtual service at my west site and then say hey this is the subdomain that we're using boom all right so now um now if i go to infrastructure gslb you're going to see i have two these two sites this one is currently the leader this other one is an active site you can see all the ips of the controllers in here how they're communicating port 443 the versions you know etc if they're in sync if they're not in sync the health of each site if one were to go down or the connectivity were severed you would see this health status change so this is it this is gslb is now in place okay um the very next thing i would do would be come into gslb services and configure a gslb service however there's some steps that i'm going to take on the amazon side here in just a second but to just show you sans amazon with no sub domain delegation to show you this working remember i i have two virtual services dns-01 and then i also have this virtual service which is just a very basic vip listening on port 80 and 443 load balancing to two web servers and i have that in both sites so if i wanted this now that i've 
got all my obvi side stuff in place if i wanted to you know string this service and this service together using gslb all i would do is go to you see how i can have this new tab gslb services i can go to that tab and this is where i create a gslb domain so i'm going to do an advanced setup so this is going to be my app name my full app name and that's just what i'm naming the virtual service but i'll put global in here and again see this this subdomain is being this is an option here because this is what the one that i configured in that previous gslb config i'm health monitor all right so i'm not going to tell you what all these are but you obviously you would want your dns service engine to be health checking your vips right because if the dns virtual service engine is health checking your vips you'll know if a vip goes offline for some reason and when that happens the dns would service engineers would stop responding with the record that corresponds with that virtual service so that's why health checks are important so you can do different things with health check i'm going to make my http because i know it's an http application and it should be responding to that via the health check remember when i did the make use vip as snat earlier this is also why i did that so i could control where the health check was coming from so this looks pretty good um and so all you really do when you configure a gslb service is you set up an fqdn and then you create a pool and the pool will reference some some vips or ips if you're not using avi vips but i'm using aviv so um down here right i'll i have to create my two pool members but um you could just put an ip in so let's say you're below bouncing to something that's not on avi but you still want avi to do gslb you could put in an ip or an fqd in here but because my vip is on avia i'm able to take advantage of the the full end to end integration so my pool members it's pretty easy i'm going to select which site i'm going to 
select which virtual service so this is where i'm going to say hey i want the pool member to of my gslb domain to be the east virtual service and the west virtual service so i've configured the east virtual service west is being configured right now and then the only other thing i'm changing again i've said it a few times my setup is using public ips i want the dns record to respond with the public ip not the private ip so that is why i've done it this way all right but you have control over that and this is it i only have two but again you could add a lot of different pool members you can give them different weights with this ratio flag here there's a lot of settings that we can do to customize this even further like for example i'm using round robin but you can do site persistence and you can do geo-based routing topology based routing which which basically means that you can more intelligently respond to the requests based on other variables or behavior that you want but for me i'm doing just uh round robin all right all right so i've configured this if i wait just a second i'll even go into this so you can see when you first configure it's usually red but i always go to the events tab so that way i can see when the pools are going up or going down you can see that these ones came up a little bit after turning it on this is where those health checks i configured come into play we're doing some health checks to make sure that the app is good before we make everything green and and gravy and we start routing traffic to it you can see all my stuff is up now my main virtual service is now green so everything's good again if you want to if if these are red check out this tab it's probably because the health check's failing all right cool i've got a gslb vip so what i'm going to do is this i i'm going to show you how to validate that this is actually working all right i'm using a very simple tool called dig all right i i've been i use the crap out of dig when i'm 
setting up GSLB. dig is a simple command. I can dig something, and if I just did an nslookup directly or just dig something directly, it's going to use the DNS server I have set on my Mac here, so it's going to use the DNS configured for this Mac that I'm on. However, to test this and make sure the GSLB is working, what I can do is dig with the @ option, and I'm going to dig my DNS VIP. Remember, now that I have that DNS service created, as soon as I configure this and it's online, what should happen is that this DNS virtual service should now start responding with the different A records for my apps. So I'm doing "dig @44..." (the IP that I have here on the internet), and then the FQDN I'm going to dig for is my app name, the global app name that I just created. Again, the reason I'm doing this is because if I just tried to hit this URL directly and I don't have my domain delegation set up, it's not going to work, so this is just a way to validate GSLB is actually working. I can see that my query went out, I did get an answer, and the answer I'm getting right now is that IP. If I keep digging over and over again, I'm going to be flipping between my two sites. This is, again, one user, but imagine every one of these requests is a different user trying to connect to my app. Right now I'm routing that user to a totally different data center using these DNS responses as a control mechanism. So I'll take us back to the board. Here I am digging this VIP, and it's round-robin responding: hey, first go to this site to access the web app; hey, then go to this site to access the web app. So now I'm load balancing traffic across not just servers but across entirely different data centers. There are scale benefits to that, obviously; there are availability benefits to that; and this is how you design multi-cloud stuff. OK, so I validated that this is working,
and I've gotten the full GSLB up and configured in Avi and walked you through how to set this up. I didn't walk you through this VIP and how I configured it, but just for you to see how I configure that VIP: again, it's the same idea. I gave it a public IP, I configured all these various settings, and then I just said, hey, here's my pool, listen on 80 and 443. This is a basic virtual service; Google how to set it up, you'll figure it out, it's pretty easy. This is there to reference in the GSLB config, and because you have to have something responding to your web requests: DNS without an application to resolve to at the end doesn't do us a whole lot of good.

All right, so now let's look at the AWS setup. I'll talk about IAM, some networking and security stuff, how to do the domain delegation, and also how to just get an Avi controller up and running in Amazon. First of all, I'm not going to walk you through how to go to the Amazon Marketplace and configure an IAM role; this video would be even longer than it's already going to be. So just read this document, please. It's a very good document, that's all I can say. I spend a lot of time looking up this document, reading the document, and then just copying and pasting answers to questions that, if somebody would take the 10 minutes required to read this document, everything's going to be a lot easier for you when you deploy on Amazon. So read the document, follow the prerequisites. It goes from top to bottom, it's not going to jump around on you. Just read it and you'll have a controller deployed. If you already know about Amazon, what you need to do is just deploy an Avi controller. In the Marketplace I just search "Avi Networks" and you're going to see that we have Avi controllers there available for you to go ahead and deploy. So go ahead and deploy the controller here; check the sizing to figure out what instance type you need to deploy
in Amazon. Again, that's documented, but this is how you could deploy the controller, right through the Amazon Marketplace. So that is how you deploy an Avi controller. However, there are some things that you need from a prerequisite perspective, so I'm going to take us to my us-east-1, and this stuff is in the doc. One of the most commonly made mistakes as people are configuring this is that either ports and protocols are blocking traffic between the service engines or the VIPs and the controllers, so if you're having issues check that, and also the identity. Specifically, we have to walk through the IAM role setup. There's another document referenced here for how to set up the roles. We tell you, and I'm telling you: don't freak out, scroll down in the document before you call me, OK? Because you're going to call me asking, "Oh, I don't know about IAM, how do I set this up?" See right here, this is how you do it. It walks you through step by step how to do it in both the CLI and, if you hate CLIs and you want the GUI, hey, we'll do it there for you too. So just read the document, please. I'm not an IAM expert, but I know how to read a document, and I think you should know how to do that too. So you've got to set up the IAM role, and again you either will assign that role, or those roles, to an account with the various permissions, or you'll assign them to your actual controller VMs. I have mine assigned to my controller VMs; let me see if I can show you that. Yeah, you see how I've got my IAM role attached to this controller? That's what allows me to do the integration so easily, because whenever I have the appropriate permissions configured, the IAM role attached, and I configure my cloud, I don't really have to provide a service account or anything. The identity is already tied to the controller VM because I assigned it to the controller VM. So anyway, make sure that that's good. I also configured a
VPC in Amazon. You could set this up on top of an existing VPC or a new VPC. The only thing I'll say is, if you're new to Amazon or you're trying to figure out Amazon as you're deploying Avi on it, some things that were helpful for me were: one, I had to set up a VPC peering between my east and west regions so that my controllers can communicate with one another. Since I configured a brand new VPC, I also had to configure subnets within my VPC: I configured a VPC, I configured a subnet, I also had to configure an internet gateway and attach that to my VPC so I could get access in and out of the internet from this environment. In addition to that, I also had to configure some routes. Let me see if I can find my route table here. All right, so here's my route table. Again, in Amazon, by default in a brand new VPC, I have to create a default route and point it at my internet gateway to make that work. So these are just some things that I had to do to get my environment working. I'm not an Amazon expert; there are a lot of people that are way better at it than me, so I thought I'd give you these kinds of basics. Getting the connectivity to your public IPs does take some steps; it's not just there if you're creating your first VPC. Hopefully you've got an existing VPC with all the required stuff in place, but if not you might have to tinker around with your routes, you might have to create an internet gateway, and you might have to set up a peering between regions if you're doing a multi-region deployment like me. I have a peering configured between my east and west region VPCs. OK, that might have been confusing if you don't know a lot about cloud networking, so sorry. If you need help with this part, unlike IAM, I will help you; you can call me if you have questions about the VPC networking, that's interesting. I am not going to
help anybody set up IAM roles though, sorry. All right, so I've got Amazon networking and security a little bit. In Amazon there are NICs, virtual NICs, like in any type of virtual system. So I'm in my EC2 instance; this is an EC2 instance in Amazon. Everything looks the same in Amazon, so it might be hard for you to figure out which page I'm on at times; I mean, I'm in EC2 instances and I'm inside of a specific instance, and you'll see that this instance has some IPs. I can look at all this stuff, but here's what I want to see: my ENIs. So I have an Avi management interface and I have an Avi data interface. These interfaces have different security requirements, right? So there might be different security groups applied to management than are applied to data. When I say security group: I'll go into, for example, my data security group, or my data ENI. You need to be looking at the security group attached to the ENI, not just assuming that the one applied to the EC2 instance is right for the whole EC2 instance. Sorry, I'm talking too much, but here's the security group. The point is, inbound rules in Amazon: you might need to create some exceptions. Avi will automate some of this for you if you choose to let it, but if you don't, then you have to do this stuff manually. Same with outbound rules; there are some things that I needed to allow. I pretty much just allow everything outbound, though. OK, so I think that's it.

Now I want to show you the important part. I'm hoping that people watching this might have enough basic Amazon knowledge to clunk their way through deploying the controllers and deploying the service engines for their load balancing. However, the really important thing when it comes to Avi GSLB, if you're using Route 53, is going to be to do the domain delegation. I talked about this a little bit earlier. This is when I go into Route 53, and Route 53 in my environment has this zone, poc.demoavi.us, so
I need to create two A records because I have two sites. If you had three sites you might create three, four, or five, however many A records you need; I only need two. By the way, people call these glue records; a co-worker of mine, Joey, calls these glue records. Anyway, this is just how you delegate a subdomain in Route 53, and it's actually pretty similar for AD as well. AD will have a little wizard to create the NS record for you, but the idea is that you need an A record for each one of the DNS virtual services, and then you need an NS record in your DNS provider pointing your subdomain at that DNS service. It might be easier if I just freaking show you and shut the hell up, right? My Route 53 has a bunch of different zones. I'm going to take us into that poc subdomain that I'm using. I'm using the public one, by the way; I need it to be public because I'm working with public users. So in my environment I've got three records configured to do the domain delegation. I have this record, trevor-ns1, and trevor-ns2, and the IPs for these might look familiar to you: these are the public IPs of my DNS virtual services. So I have an A record pointed at each one of my virtual services that are hosting the DNS service, and then I have my NS record, effectively saying: hey Route 53, anything that has the trevor.poc.demoavi.us tag, go ahead and send any requests for that to these two name servers, because these two name servers know what the hell's up with that subdomain. To create these records you just click Create Record and you create either the A record or the NS record. Once you create these records, what should happen is that now, as I query trevor.poc.demoavi.us, Route 53 will know that these are authoritative for that, therefore Avi is authoritative for it, therefore Avi can start controlling which users get routed to which data center based on that DNS response. All right, so this
domain delegation is already there in my environment, so I'll live a little dangerously here: I should be able to already hit this, because I have my delegation set up. Let's see if it works. Yeah, it's already working, so I'm actually already hitting that virtual service because all of my stuff is in place here. Now, that's kind of it. If you're just trying to set it up and you didn't make any mistakes and you're following along, you might be working as well, if you've got those NS records and all the Amazon components and the Avi components up and running. I'll say this about this solution: this is the hardest part, getting these initial components in place, and I understand there are a number of steps to make that happen, but once it's up, the actual continued operation of it is pretty simple. So I would encourage you to keep that in mind if you got thrown off during the setup. Remember, once it's there, it's there, and you have the service across your various data centers.

I think what I'd like to do now is teach you a little bit about an awesome tool called dig, and I'm going to use dig to show you how I would troubleshoot and validate that Route 53 has delegated the subdomain correctly. I'm going to start by querying an Amazon server for this domain, and then I'm going to walk through the full DNS request to show you how you could validate that this is working. So I'm going to use dig again; this time I'm actually going to dig an Amazon server, and I'm going to dig that full domain, poc.demoavi.us, and I'm going to say NS. This is a flag that's optional at the end (the @ flag is optional too, by the way), but NS is going to say: hey, tell me what NS records are on this DNS server for this record. So what responded here? I typed that in, and you see these four records; these are all the name servers for that subdomain. Look there, that's the exact same thing, so this is the expected response. If you're
getting a different response than you expected, then there might be something hooked up wrong in your DNS request. So I'm actually now going to do the same thing, except now I'm going to add this. I'm going to say: OK, cool, you knew poc.demoavi.us and who the name servers were for that, but Mr. Super Smart Amazon Name Server in the United Kingdom, do you know who the NS servers are for this domain, trevor.poc.demoavi.us? Interesting: you can see I made the request and, lo and behold, it actually did respond to say, hey, these servers are authoritative. I'm going to go down; remember, these are the records that this was responding with, but this is the record I was querying, and this is how I validate that I did that delegation correctly: that indeed, for trevor.poc.demoavi.us, the source of truth is my Avi name servers now. A final test here would be to dig with my full... I'm going to take NS off because I'm just going to dig an A record, but I'm going to dig that same server, and now I'm going to do my global URL again. The global URL, you know, after I got all my other components in place, that's the name of the app that I configured as global. So I'm going to dig Amazon for this subdomain, and what I'm hoping happens is that the path follows this logic: my client is querying Amazon; Amazon's going to say, well actually, since that's a trevor subdomain, we're going to want you to ask Avi; so then the client will say, OK cool, I'm going to ask Avi, and it's going to query one of the two DNS servers; and then, in a round-robin fashion, it should respond with either the first record or the second record. As a final step here I'll just dig, and this is kind of the ultimate test: is the full DNS chain working? So I'm going to dig the full domain and I should get a response. Yeah, you can see I've gotten a response, and that's one of my virtual service IPs. Interestingly enough, I don't know if I had
analytics turned on in my environment; I don't think that I did. But what's very interesting is, if you would like to log these DNS responses, you totally can. The same way Avi's analytics help you troubleshoot an application, they can also help you troubleshoot DNS records. So just keep in mind dig is a great tool, but also, if you want to validate that the request is actually getting to Avi and you turn on all of your significant and non-significant logs, you'll see those requests come in this way also. I think that's it. I showed you a little bit about dig, I talked to you about Amazon networking and security a little bit, very briefly, but I talked about it enough to hopefully get you to where you can configure the subdomain and do the GSLB, and I talked to you about the Avi setup.

I'm going to close it out on a real simple one, because all I need to do is add a little box to my drawing. Right now the management plane for my setup is my Avi controller. If I want to configure a new application, a new GSLB app, I would go to GSLB Services in my primary GSLB controller, I would click Create, I would do Advanced Setup, and then I could keep creating services all day long with this trevor.poc subdomain. By the way, that's why you want to delegate the subdomain: because now you have the freedom to just make a bunch of global apps in Avi without having to have a new DNS request, or sorry, a new DNS record, created in some outside system every time. You can publish these global applications non-stop here. So the hard part is kind of setting it up, and the publishing of the apps is actually pretty simple; you just keep posting API calls or going to the GUI and configuring them. Now, we love it when customers automate this stuff; that's highly recommended. However, some customers don't want to build their own automation pipelines for this sort of thing; some customers maybe are using another management system that will automate the global
publishing of services for them. So I do most of my work in the GUI or in the Avi API. However, if you wanted to get out of this model where the control mechanism is the Avi controller, what you could do is something like this, where there are actually two options. Option A, and I'm not going to draw this option out, but option A would be something called AMKO. AMKO is a Kubernetes-based solution, and with AMKO you have a Kubernetes cluster, so maybe this is an EKS cluster or some TKG cluster deployed in a public cloud. I could actually plug my Kubernetes clusters into Avi and make it so that when a Kubernetes operator is defining their YAML manifest, there's a little tag that they could put on their web pods to say, hey, this is a GSLB-tagged pod. By doing that, and leveraging something that we call AMKO in Kubernetes and tying your cluster to Avi, you can also have your Kubernetes environment publish these globally available FQDNs that load balance across sites. So if you're trying to do multi-cloud application development, this is a way to publish a global URL that all your users can access and have that go to the various sites, and you can stack that on top of using Avi as an ingress controller to do even more site-based routing to different URLs and URIs, to do different application services and persistence down at your individual sites. So AMKO is very cool if you're trying to find a way to automate the GSLB and ingress via just the Kubernetes API. However, if you're not, maybe you are thinking a little higher level: you have adopted Kubernetes already and you're looking for maybe a different solution that will allow you to create and automate the creation of these GSLB URLs and the access of the various services via those URLs. Another really awesome way to control and configure the GSLB services is leveraging something called Tanzu Service Mesh, TSM. Tanzu Service Mesh now has an integration
with Avi, so I can plug Tanzu Service Mesh into my Avi controllers, and by doing so, Tanzu Service Mesh has this feature called a GNS, a global namespace. When I configure my GNS I can also specify a tag and an FQDN as I'm provisioning my GNS, and what's going to happen is, in any Kubernetes clusters that are controlled by the service mesh, if you create a pod and you tag the pod with the correct selector (so maybe that selector is "frontend", because the front end is definitely a part of your app that you might want to scale across multiple clouds, or it's "web" or something like that, or maybe the tag is "global", whatever you decide to make it), your operators can consume that tag to again have their pods added, managed and load balanced too. So it's a cool way to manage it, because again, this management method via TSM or AMKO, either one, is a little more automated. It gives your developers the power to publish these globally available apps and do GSLB use cases and things like that without having to route everything through some central LB admin. Certainly there are going to be environments where you decide to automate the provisioning of GSLB in Avi, and there are definitely going to be environments where customers are manually configuring GSLB services; maybe those are environments where there's not a high rate of change or churn. However, in high-change environments I would very much consider something like automating this via the APIs and SDKs and tools that are available, or, if you're a Kubernetes user especially, leveraging TSM or AMKO to automate the publishing of your GSLB services.

OK, was this video too long? Probably. Was it confusing? Hopefully not. I hope this was helpful to somebody. I feel like I was kind of able to explain how to set this up. Again, I think there are a number of steps to get the infrastructure in place for this GSLB type of thing, because it is just a globally
available thing; it's kind of got to have a bunch of different places and footprints to scale across the globe. However, once you get this setup in place, you can add FQDNs, you can customize it and learn more to fulfill your various use cases, and configuring additional services becomes pretty easy once you have these base components and the delegations and all the other requirements in place. So I hope this was useful, I hope somebody learned something. I learned a lot setting this up, because I'm not an Amazon user; I'm more familiar with GCP right now, so I learned a lot about Amazon Route 53, and I also learned a lot about GSLB in general and how to troubleshoot it. I hope you did too. If you have questions about anything other than IAM, let me know, and in the meantime: happy global server load balancing, happy multi-cloud applications, happy developer fun developer stuff. OK, we'll see y'all, that's all I got to say. Bye.
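The two Route 53 steps above (creating one glue A record per Avi DNS virtual service plus the NS record for the delegated subdomain) and the dig-based validation (NS lookup for the subdomain, then repeated A lookups that should alternate between the east and west VIPs) can be checked offline with the script below. It is an added example, not code from the video, from Avi Networks or from AWS: the subdomain, name server names, IP addresses and the dig-style output it parses are all constructed for the example, and `fake_dig` only stands in for real dig output so the script runs without network access.

```python
"""Offline validation of a Route 53 subdomain delegation to Avi DNS virtual services.

Added example (not from the video or from Avi/AWS). All names, IPs and
dig-style output are constructed. It (1) builds the Route 53 ChangeBatch for
the glue A records and the NS record, and (2) checks dig-style answers for
delegation consistency and round-robin spread across the GSLB pool members.
"""
import json
import re
from collections import Counter

SUBDOMAIN = "trevor.poc.demoavi.us."
# Constructed: public IPs of the two Avi DNS virtual services (one per region).
DNS_VS = {
    "trevor-ns1.poc.demoavi.us.": "198.51.100.53",
    "trevor-ns2.poc.demoavi.us.": "203.0.113.53",
}
# Constructed: public VIPs of the east and west application virtual services.
APP_VIPS = {"198.51.100.80", "203.0.113.80"}
GLOBAL_FQDN = "global.trevor.poc.demoavi.us."   # constructed GSLB app name


def delegation_change_batch(subdomain, dns_vs, ttl=300):
    """ChangeBatch for `aws route53 change-resource-record-sets`: one glue A
    record per DNS virtual service and one NS record naming all of them.
    Works for any number of sites, not just the two in the video."""
    changes = [
        {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": name, "Type": "A", "TTL": ttl,
            "ResourceRecords": [{"Value": ip}]}}
        for name, ip in sorted(dns_vs.items())
    ]
    changes.append({"Action": "UPSERT", "ResourceRecordSet": {
        "Name": subdomain, "Type": "NS", "TTL": ttl,
        "ResourceRecords": [{"Value": n} for n in sorted(dns_vs)]}})
    return {"Comment": f"delegate {subdomain} to Avi DNS", "Changes": changes}


ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|NS)\s+(\S+)$")


def parse_dig_answers(text):
    """Return (owner, rrtype, value) tuples from the ANSWER SECTION of dig output."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and line.startswith(";;"):
            break                      # reached the next section
        if in_answer:
            m = ANSWER_RE.match(line.strip())
            if m:
                records.append((m.group(1), m.group(2), m.group(3)))
    return records


def check_delegation(ns_output, glue_outputs, subdomain, dns_vs):
    """Compare the NS answer for the subdomain and the glue A answers against
    the expected DNS virtual services; returns a list of problems (empty = OK)."""
    problems = []
    ns_targets = {v for o, t, v in parse_dig_answers(ns_output)
                  if o == subdomain and t == "NS"}
    if ns_targets != set(dns_vs):
        problems.append(f"NS set {sorted(ns_targets)} != {sorted(dns_vs)}")
    seen = {o: v for out in glue_outputs
            for o, t, v in parse_dig_answers(out) if t == "A"}
    for name, ip in dns_vs.items():
        if seen.get(name) != ip:
            problems.append(f"glue A for {name}: got {seen.get(name)}, want {ip}")
    return problems


def check_round_robin(a_outputs, expected_vips):
    """True when every A answer is a known pool member and every member was
    returned at least once, i.e. the DNS VS is spreading clients across sites."""
    counts = Counter(v for out in a_outputs
                     for _, t, v in parse_dig_answers(out) if t == "A")
    return set(counts) == set(expected_vips)


def fake_dig(owner, rrtype, values):
    """Constructed dig-style output (only the sections the parser reads)."""
    body = "\n".join(f"{owner}\t300\tIN\t{rrtype}\t{v}" for v in values)
    return (f";; QUESTION SECTION:\n;{owner}\t\tIN\t{rrtype}\n\n"
            f";; ANSWER SECTION:\n{body}\n\n;; Query time: 12 msec\n")


NS_OUTPUT = fake_dig(SUBDOMAIN, "NS", sorted(DNS_VS))
GLUE_OUTPUTS = [fake_dig(n, "A", [ip]) for n, ip in DNS_VS.items()]
# Six repeated queries for the global FQDN, alternating between the two sites.
A_OUTPUTS = [fake_dig(GLOBAL_FQDN, "A", [ip]) for ip in sorted(APP_VIPS) * 3]

if __name__ == "__main__":
    print(json.dumps(delegation_change_batch(SUBDOMAIN, DNS_VS), indent=2))
    print("delegation problems:",
          check_delegation(NS_OUTPUT, GLUE_OUTPUTS, SUBDOMAIN, DNS_VS))
    print("round robin OK:", check_round_robin(A_OUTPUTS, APP_VIPS))
```

To use it against a live environment, replace the constructed strings with the real output of `dig @<resolver> <subdomain> NS`, one `dig <glue-name> A` per name server, and a handful of `dig <global-fqdn> A` runs; a non-empty problem list points at the same mistakes the video calls out (an NS record naming the wrong servers, or a glue record that does not match the DNS VS public IP), and a failed round-robin check means one site's pool member is down or never being returned.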
Info
Channel: Trevor Spires
Views: 261
Id: 5dqVF2oCwuc
Length: 59min 6sec (3546 seconds)
Published: Mon Oct 18 2021