Automate Avi LB Service with Ansible

Avi Networks load balancing platform offers fantastic automation capabilities, which allow us to automate the load balancing service via some popular Infrastructure as Code tools like Ansible and Terraform. Today, I will demonstrate the Day 1 automation using Ansible (version 2.8.5) in this blog.

[root@code1 ~]# ansible --version
ansible 2.8.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Apr 11 2018, 07:36:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

The link below lists all available Ansible modules for Avi LB automation:

Avi have developed a role called avisdk to package all Avi Ansible modules, which eases our lives further. To install this Avi avisdk Ansible role, just run the CLI below:

pip install avisdk

In this blog, we will automate the local load balancing configuration which we configured manually in my other blog: Build Load Balancing Service in VMC on AWS with Avi Load Balancer – Part2.

In summary, we are going to:

  • Create an HTTP Health Monitor (sddc01-vs02-hm01).
  • Create an Application Persistence profile (sddc01-vs02-persistence01) based on HTTP cookie.
  • Create a local load balancing pool (sddc01-vs02-pool01) with 2 pool members. The pool member health status will be checked with the newly created health monitor and the session persistence associated with this pool is based on the cookie persistence profile which we defined in the previous step.
  • Create an HTTP application profile (sddc01-vs02-profile-http01) which enables the compression and HTTP to HTTPs redirect.
  • Create an SSL profile (sddc01-vs02-profile-ssl01) which only allows securer ciphers and TLS 1.1 and 1.2.
  • Create a local load balancing service which leverages the newly created HTTP application profile and SSL profile to distribute the traffic to the load balancing pool sddc01-vs02-pool01.

The completed Ansible playbook is as below:

- hosts: localhost
  connection: local
    username: admin
    password: Password
    api_version: 18.2.5
    vs_name: sddc01-vs02
    vs_serviceport01: 443
    vs_serviceport02: 80
    pool_name: sddc01-vs02-pool01
    pool_member01_hostname: centos01
    pool_member02_hostname: centos02
    httpprofile_name: sddc01-vs02-profile-http01
    healthmonitor_name: sddc01-vs02-hm01
    cookie_name: sddc01-vs02-cookie01
    persistence_name: sddc01-vs02-persistence01
    sslprofile_name: sddc01-vs02-profile-ssl01
    - avinetworks.avisdk
    - name: Create HTTP Health Monitor
        controller: "{{ controller }}"
        username: "{{ username }}"
        password: "{{ password }}"
        api_version: "{{api_version}}"
        state: present
        name: "{{ healthmonitor_name }}"
          http_request: 'HEAD / HTTP/1.0'
            - HTTP_2XX
            - HTTP_3XX
        receive_timeout: 4
        failed_checks: 3
        send_interval: 10
        successful_checks: 3
        is_federated: false
    - name: Create an Application Persistence setting using http cookie
        controller: "{{ controller }}"
        username: "{{ username }}"
        password: "{{ password }}"
        api_version: "{{api_version}}"
          always_send_cookie: false
          cookie_name: "{{ cookie_name }}"
          timeout: 15
        name: "{{ persistence_name }}"
        persistence_type: PERSISTENCE_TYPE_HTTP_COOKIE
        server_hm_down_recovery: HM_DOWN_PICK_NEW_SERVER
    - name: Create local load balancing pool
        controller: "{{ controller }}"
        username: "{{ username }}"
        password: "{{ password }}"
        api_version: "{{ api_version }}"
        name: "{{ pool_name }}"
        state: present
        application_persistence_profile_ref: '/api/applicationpersistenceprofile?name={{ persistence_name }}'
          - '/api/healthmonitor?name={{ healthmonitor_name }}'
          - ip:
              addr: "{{ pool_member01 }}"
              type: V4
            hostname: "{{ pool_member01_hostname }}"
          - ip:
              addr: "{{ pool_member02 }}"
              type: V4
            hostname: "{{ pool_member02_hostname }}"
    - name: Create an HTTP application profile
        controller: "{{ controller }}"
        username: "{{ username }}"
        password: "{{ password }}"
        api_version: "{{ api_version }}"
        state: present
            compressible_content_ref: '/api/stringgroup?name=System-Compressible-Content-Types'
            compression: true 
            remove_accept_encoding_header: true 
            type: AUTO_COMPRESSION
          connection_multiplexing_enabled: true 
          disable_keepalive_posts_msie6: true 
          disable_sni_hostname_check: false 
          enable_fire_and_forget: false 
          enable_request_body_buffering: false 
          enable_request_body_metrics: false 
          fwd_close_hdr_for_bound_connections: true 
          hsts_enabled: false 
          hsts_max_age: 365 
          hsts_subdomains_enabled: true 
          http2_enabled: false 
          http_to_https: true 
          httponly_enabled: false 
          keepalive_header: false 
          keepalive_timeout: 40000 
          max_bad_rps_cip: 0 
          max_bad_rps_cip_uri: 0 
          max_bad_rps_uri: 0 
          max_keepalive_requests: 100 
          max_response_headers_size: 48 
          max_rps_cip: 0 
          max_rps_cip_uri: 0 
          max_rps_unknown_cip: 0 
          max_rps_unknown_uri: 0 
          max_rps_uri: 0 
          post_accept_timeout: 30000 
          respond_with_100_continue: true 
          secure_cookie_enabled: false 
          server_side_redirect_to_https: false 
          spdy_enabled: false 
          spdy_fwd_proxy_mode: false 
          ssl_client_certificate_mode: SSL_CLIENT_CERTIFICATE_NONE 
          ssl_everywhere_enabled: false 
          use_app_keepalive_timeout: false 
          websockets_enabled: true 
          x_forwarded_proto_enabled: false 
          xff_alternate_name: X-Forwarded-For 
          xff_enabled: true
        name: "{{ httpprofile_name }}"
    - name: Create SSL profile with list of allow ciphers and TLS version
        controller: "{{ controller }}"
        username: "{{ username }}"
        password: "{{ password }}"
        api_version: "{{ api_version }}"
        name: "{{ sslprofile_name }}"
          - type: SSL_VERSION_TLS1_1
          - type: SSL_VERSION_TLS1_2
        send_close_notify: true
          compatibility_rating: SSL_SCORE_EXCELLENT
          performance_rating: SSL_SCORE_EXCELLENT
          security_score: '100.0'
    - name: Create a virtual service
        controller: "{{ controller }}"
        username: "{{ username }}"
        password: "{{ password }}"
        api_version: "{{ api_version }}"
        name: "{{ vs_name }}"
        state: present
          max_concurrent_connections: 1000
        ssl_profile_ref: '/api/sslprofile?name={{ sslprofile_name }}'
        application_profile_ref: '/api/applicationprofile?name={{ httpprofile_name }}'
          - '/api/sslkeyandcertificate?name={{ certificate_name }}'
          - ip_address:
              addr: "{{ vs_vip }}"
              type: V4
            vip_id: 1
          - port: "{{ vs_serviceport01 }}"
            enable_ssl: true
          - port: "{{ vs_serviceport02 }}"
        pool_ref: '/api/pool?name={{ pool_name }}'

When we run the playbook, we can get all configurations completed in just 30 seconds which normally requires at least half hour.

Health Monitor:

Session Persistence:

Load Balancing Pool:

HTTP Application Profile:

SSL Profile:

Virtual Service:

This is the end of this blog. Thank you very much for reading!

2 thoughts on “Automate Avi LB Service with Ansible

  1. Pingback: Build Load Balancing Service in VMC on AWS with Avi Load Balancer – Part1 – InsidePacket

  2. Pingback: Build Load Balancing Service in VMC on AWS with Avi Load Balancer – Part 1 - VMware Cloud Community

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s