To make it easier I created 3 ansible playbook. I could have had this into one but I wanted to keep it separted. It contains the minimal needed for the setup. The floating IP playbook can easily add more IPs if needed, if you are running an SE into diff port group.
By default, Avi Service Engines (SEs) do source NAT-ing (SNAT) of traffic destined to back-end servers. Due to SNAT, the application servers see the IP address of the SE interfaces and are unaware of the original client’s IP address. Preserving a client’s IP address is a desirable feature in many cases, for example, when servers have to apply security and access-control policies. Two ways to solve this problem in Avi Vantage are:
X-Forwarded-For — limited to HTTP(S) application profiles only TCP Proxy Protocol — limited to TCP traffic on L4 application profiles only Both of the above require the back-end servers to be capable of supporting the respective capability.
A third and more generic approach is for the Service Engine to use the client IP address as the source IP address for load-balanced connections from the SE to back-end servers. This capability is called preserve client IP, one component of Avi Vantage’s default gateway feature, and a property that may be set on/off in application profiles.
Until Avi Vantage release 18.2.6, selecting Enable IP Routing with Service Engine option is a prerequisite for selecting the Preserve Client IP Address option in any application profile.
However, starting with Avi Vantage version 18.2.6, enabling IP Routing is not mandatory to select Preserve Client IP Address. <snip>
|
Important
|
More info at Avi KB |
We do have already some info on what we will do when we have out avitools up and running on the main repo Page.
curl -O https://raw.githubusercontent.com/avinetworks/avitools/master/run.sh
We will create the docker folder. From a Linux Box /opt/docker will be mapped to /opt/avi therefore when you docker exec it takes you right inside the folder.
mkdir /opt/edd mv run.sh /opt/ chmod +x run.sh ./run.sh -v 22.1.3 -c bash -d /opt/edd -b docker exec -it avitools bash
Once you go into the container, you will see the content of the /opt/avi which is what belongs into the mydocker folder.
Let’s run the update to get the latest ansible and terraform.
pip3 uninstall ansible pip3 install --force-reinstall ansible ansible-core /usr/bin/python3.8 -m pip install --upgrade pip pip list
once you are in the avi tools container git clone the repo
git clone https://github.com/itlinux/avi_floating_seg_l4
Then edit each of the yaml file to setup the IP to be used for your desire floating option. Then edit the creds.yml to ender the username and pass file.
|
Note
|
The password file is encrypted therefore we need to create a new one. |
ansible-vault create pass
The command above will prompt you for a password, do not put the same password of your controller. This password is only used to decrypt the vault.
Add the variable needed (pass) which is in the creds.yml location. So this will make it a little more secure.
pass: "62KxfU__xydnxylfdajfdsnayxlandljfdo"
ansible-playbook seg.yml --ask-vault-pass ansible-playbook preserve_client_ip_l4_profile.yml --ask-vault-pass ansible-playbook floating_ip.yml ---ask-vault-pass
I have built an OVA with docker which has the avitools already running.