Using VMware’s Avi for Horizon Load Balancing


Using VMware’s Avi for Horizon Load Balancing

If your organization already utilizes VMware’s vSphere and you have a need for load balancing in your infrastructure, you’re in luck. VMware incorporated Avi Networks’ load balancing software into their NSX solution. Formally called NSX Advanced Load Balancer, or NSX-ALB (but familiarly just known as “Avi”), this powerful L4-L7 load balancer is easy to deploy, powerfully efficient even across multi-site environments (including cloud) and, best of all, the licensing for the Avi Basic Edition comes with vSphere’s NSX licensing.

For this reason, many organizations are taking the opportunity to phase out their existing load balancers, such as F5 or Kemp, and make the switch to Avi. Not only does it cut costs and physical hardware ownership, it allows easier management and better visibility, as Avi connects directly to vCenter instances. Making the switch is relatively simple, thanks to both Avi and VMware’s extensive documentation, but I wanted to sum up the process here for those that may be interested. My experience with this process is mainly for a single site, balancing external and internal Horizon access, so that’s what I’ll cover, but Avi has support for multiple sites and network automation in addition to your load balancing needs, all extremely customizable.

Chart going from HTML Access through DMZ to Horizon

Figure 1: Avi topology for use with load balancing external and internal Horizon access

Installation and Configuration

The first step is to install the Avi appliance in your existing vCenter environment. There are two major components of Avi: the Controller, which will be the management appliance, and the Service Engines, which are additional appliances that do the actual work. These are normally automatically created via the Avi GUI during configuration, which requires linking the Controller to vCenter. Service Engines can also be manually created if needed. The Avi Controller can be set up in a high availability cluster with up to 3 Controller VMs. Here are the minimum VM requirements for both components:

VM requirements for vCPU, RAM, and StorageTable 1: VM requirements for Avi components

The Avi Controller OVA file is available in your VMware Downloads under NSX-Advanced Load Balancer and contains everything needed to install both the Controller and the Service Engines. In vCenter, you’ll right-click the cluster or datacenter where you want to install, select “Deploy OVF template,” then follow the prompts to install Avi. You’ll need a name for the appliance and a static IP address for management. Once installed, the Avi management GUI can be accessed by going to the IP address. Once logged in, you’ll see some initial setup screens to configure your admin password, DNS, email notification settings and multi-tenant site information. After the initial setup, you’ll see the Dashboard, which will eventually show any Virtual Services you’ve created, as in the example below:

VMW view of applications, virtual services

Figure 2: Example of Avi Dashboard

Next, you’ll want to head to the Infrastructure tab, select Clouds, select the Create button and select VMware vCenter/vSphere ESX to configure your environment. “Clouds” in Avi refers to available sites that will be connected, and can be an on-premise vCenter, an Azure Cloud instance, AWS, Linux Server, etc. For vCenter, you’ll need account credentials and the vCenter IP address. Once the Cloud is created, if everything is connecting properly, the Status will show green.

VMW view with Create dropdown, clicking VMware vCenter/vSphere ESX

Figure 3: How to create a Cloud in Avi

Setting Up Avi for Horizon

Once your initial link to vCenter is up, you’ll set up Avi for your Horizon environment. This includes creating all the components we’ll need for the Virtual Service, and then creating the Virtual Service itself. For the components, we’ll create a virtual IP (VIP), create a custom health monitor to monitor uptime of Horizon servers, create pools for the Horizon servers, create an SSL profile and install your SSL certificate. Once the Virtual Service is in place, the Avi Controller will automatically create Service Engines based on the parameters of that service.

First, you’ll need to create a virtual IP that your users will point to. This will be the front address that the user sees that Avi will then redirect to the load balanced servers. On the Applications tab, select VS VIPs and click Create. You’ll enter a name for the VIP and add the IP and DNS record for the IP.

Create VS VIP window

Figure 4: Creating a Virtual Service Virtual IP

Next, you’ll need to set up a custom health monitor to monitor the status of your Unified Access Gateways (UAGs), or your internal Horizon Connection Servers. Go to the Templates tab, select Profiles and then Health Monitors. Click Create to create a new monitor. Select your vCenter instance, and then name the health monitor and configure the rest of the settings. The Send Interval will be 30 seconds, with a Receive Timeout of 10 seconds. The Health Monitor Port will be 443, and you’ll add the following under Client Request Data and Response Code and click Save:

User Input: GET /favicon.ico HTTP/1.0

Figure 5: Settings for the Avi custom health monitor

The next step is to create an SSL profile and install your SSL certificate. Go to the Templates tab, then SSL/TLS Profile and select Create. Select Application Profile, and then create a name for the Profile. The Type will be Application, Accepted Versions will be TLS 1.2, and you will Enable SSL Session Reuse. For the Ciphers, you will select the following from the list and click Save:

Cyphers checked in settings

Figure 6: Ciphers needed for a Horizon SSL Profile

To install your SSL certificate, select SSL/TLS Certificates at the top. Here, you’ll have the option to create a Root/Intermediate CA, Application Certificate or Controller Certificate. For Horizon, you’ll want to upload your Root CA, and SSL certificate as an Application Certificate. For Type, you’ll select Import, and then you’ll have the option to Upload your Certificate and Key files in the PEM format. (Note that if your certificate is in PFX format, it will need to be converted to PEM with the KEY extracted using openssl or something similar.) Once the information is entered, click Validate and make sure the certificate has a green status.

New Certificate (SSL/TLS): showing green

Figure 7: Importing an application SSL certificate

Next, we’ll create a pool that includes all the servers you want to load balance. In this case, we’re using UAGs, but you can create a second pool to load balance your internal Connection Servers as well. Go to the Applications tab and select Pools. Make sure the vCenter Cloud is selected, then click Next and then Create Pool. Here on the Settings tab, you will create a pool name, select Passive Health Monitor and enter the custom health monitor you created, and select your Load Balance option. With Horizon, the preferred load balancing method is Least Connections.

Settings: Server port 443, graceful disable 1, load balance lease connections, passive health monitor checked

Figure 8: Avi pool settings for Horizon UAGs

Select Enable SSL and select the SSL profile that you created earlier for Horizon. Click Next to go to the Servers tab. This is where you’ll add the servers to the pool using FQDN or IP address. After the servers are entered, click Next and then Next again through the Advanced tab, and then Save.

Adding servers to pool

Figure 9: Add servers to the pool

Now we are ready to create the virtual service using all the above components. Navigate to Applications, Virtual Services and select Create Virtual Service. Select Advanced Setup. Create a name for the virtual service, and then select the VIP you created in the VS VIP box. Use the Application Profile “System-HTTP-Horizon-UAG.”

Settings: VS VIP is UAG, App profile is System-HTTP-Horizon-UAG

Figure 10: Settings for the Avi virtual service

 In the Service Port section, click Switch to Advanced and enter the following service ports:

Service ports 443 to 443, 5001 to 5005

Ports 20001 to 20005, 30001 to 30005

Figure 11: Service ports for Avi virtual service

In the Pool and SSL Settings sections, you’ll select the Pool we created earlier, and the SSL Profile and applicable SSL certificates. Hit Next through the next two pages and then Save the configuration. If all goes well, the virtual service will have a status of green and begin creating the Service Engines. If not, the status will be red and hovering over the status will show the current error.

Error message reading State: Down, Reason: Pools belonging to this Virtual Service are down.

Figure 12: Example of virtual service error message

Clicking on the virtual service will show you an analytics dashboard with information about the traffic.

Trend line view of the virtual service

Figure 13: Virtual service analytics dashboard

Once the Service Engines have been created, you may need additional configuration for their NICs and IP addresses. They’ll need static IPs for management, and static IPs in your Horizon subnet for accessing the UAGs via the DMZ or the Connection Servers via the LAN. The Service Engines can be edited by going to the Infrastructure tab, then selecting Cloud Resources and then Service Engine. Additional NICs may need to be added via vCenter settings.

Default-Cloud health setting

Figure 14: Service engines in Avi

Once load balancing in Avi has been tested and is working properly, you are now safe to disable any other load balancing solutions and switch DNS to your new virtual IP, if applicable. After cutover, virtual services can be easily monitored for traffic and efficiency levels. Avi is a powerful solution, combining load balancing and network automation that offers easy management, while still allowing you to customize as much as you need for your environment.

Read more about Avi and its capabilities on the following pages:

If you want to work with us on your VMware needs, or any other IT-specific projects, feel free to reach out!

More About the Author

Lindsey Saunders

Curator Consultant
Using VMware’s Avi for Horizon Load Balancing If your organization already utilizes VMware’s vSphere and you have a need for load balancing in your infrastructure, you’re in luck. ...
A Quick and Easy Way to Get Active Directory Counts When investigating an existing domain for a potential upgrade or clean-up, it’s necessary to gauge the number of Active Directory (AD) ...

See more from this author →

InterWorks uses cookies to allow us to better understand how the site is used. By continuing to use this site, you consent to this policy. Review Policy OK


Interworks GmbH
Ratinger Straße 9
40213 Düsseldorf
Geschäftsführer: Mel Stephenson

Telefon: +49 (0)211 5408 5301

Amtsgericht Düsseldorf HRB 79752
UstldNr: DE 313 353 072


Love our blog? You should see our emails. Sign up for our newsletter!