Avi Load Balancer: Modernize and Secure Kubernetes Ingress for VKS on VCF
Source: VMware Blog
Modern Kubernetes Ingress Challenges
Modern Kubernetes applications leveraging VMware Kubernetes Service (VKS) demand agility, yet many enterprises still rely on multi‑vendor ingress solutions that create operational silos and drive up complexity. This fragmentation:
- Increases costs
- Reduces efficiency
- Obscures visibility into applications
- Leaves security gaps when bolt‑on protections are used
To address these challenges, organizations must adopt a unified ingress strategy that integrates performance, security, and automation at scale.
Note: The Kubernetes project announced the retirement of the Ingress NGINX Controller. This leaves many Kubernetes ingress installations without a supported path forward and gives customers only a few months to migrate to an alternative solution. While disruptive, the retirement can serve as a catalyst for modernizing Kubernetes ingress. To make this transition easier, we are introducing Avi Conversion Tool (ACT) to migrate NGINX ingress and annotations to the Avi Gateway API.
Avi for VMware Cloud Foundation (VCF) Customers
For VCF customers using VKS, VMware Avi Load Balancer (Avi) offers a superior, unified Kubernetes ingress solution—representing a major architectural improvement over legacy and open‑source technologies. It simplifies operations by removing the need for separate ingress tools and mitigates the risks associated with alternatives.

Why Legacy Solutions Fall Short
Traditional appliance‑based load balancing and legacy ingress solutions are ill‑equipped for modern, containerized microservices architectures. While they provide common services (load balancing, performance monitoring, application security) for traditional workloads, they struggle with:
- Dynamic application autoscaling
- Native integration with DNS, IPAM, and Web Application Firewalls (WAF)
This forces organizations into a fragmented, multi‑vendor approach, which:
- Increases operational complexity
- Hinders end‑to‑end observability (e.g., detecting latency or security violations)
- Limits automation, requiring product‑specific scripting and reducing flexibility/portability
Avi’s Unified, Software‑Defined Platform
Avi delivers a single platform that seamlessly integrates load balancing, ingress, security, and observability for container workloads.
Key benefits for VCF customers using VKS:
- Seamless integration with VKS on VCF – Direct tie‑in enables intelligent, automated application delivery for Kubernetes workloads.
- Automated load balancing and ingress – New Kubernetes services automatically provision Layer 4 load balancing and Layer 7 ingress—no manual steps required.
- Instant cluster awareness – Integration with the VKS Supervisor Cluster discovers and secures new workloads instantly, enforcing consistent networking and policies.
- Enterprise‑grade application delivery – Consolidated ingress with advanced capabilities such as WAF, Global Server Load Balancing (GSLB), and DNS/IPAM for resilient, multi‑site deployments.
- Unified operations for DevOps teams – Centralized automation, real‑time visibility, and rich telemetry simplify Day‑2 operations, allowing management of both containerized and VM‑based applications through a single model.
- Fortified web‑app security – Built‑in “immune system” with integrated WAF and Automated mTLS provides superior protection versus bolt‑on appliances.
Simplified Deployment and Lifecycle Management
Avi’s integration with VKS—via the Avi Kubernetes Operator (AKO)—offers a true “plug‑and‑play” experience, improving operational velocity and simplifying deployment and lifecycle management for Kubernetes applications on VCF.
- Embedded service – AKO runs as an embedded service on the vSphere Supervisor. Once Avi is licensed, customers can activate it with just a few commands.
- Automatic installation with VKS add‑on – The latest VKS add‑on release includes the AKO package, deploying the AKO agent instantly when new VKS clusters are created—eliminating manual Helm installations.
- Automated lifecycle management with compatibility checks – Using the official VKS AKO package ensures proper software‑lifecycle handling and compatibility, as the AKO version is tested against each VKS release. This integrated approach simplifies upgrades and prevents version conflicts.
Reduce MTTR with Real‑Time Application Visibility
Avi Analytics is a critical differentiator, revolutionizing troubleshooting for Kubernetes applications by providing deep, enterprise‑grade visibility on VCF.

Avi delivers unified analytics directly in the platform, encompassing:
- End‑to‑end latency tracking
- Micro‑service level metrics
- Real‑time traffic insights
- Automated anomaly detection
These capabilities empower operators to identify and resolve issues faster, dramatically reducing Mean Time To Recovery (MTTR).
For more information on deploying Avi with VKS, refer to the official VMware documentation or contact your VMware account team.
## Service Flow Insights, Real‑Time Anomaly Detection, and Detailed Security Event Visibility
Avi Analytics provides VCF admins and DevOps teams with:
- Real‑time anomaly detection
- Detailed security event visibility per pod, service, and client
This comprehensive view helps teams **troubleshoot faster**, **identify root‑cause issues**, **detect attack patterns and suspicious behaviors**, and **close visibility gaps** often present with open‑source ingress tools.
The ability to delegate Avi Analytics access to the DevOps team using granular **Role‑Based Access Control (RBAC)** reduces time spent on cross‑team triaging, thereby lowering MTTR.
---
### Future‑Proof Kubernetes Investments with Comprehensive Gateway API Support
Adopting the **Kubernetes Gateway API** is crucial for customers seeking a modern, flexible, and scalable traffic‑management solution. Gateway API delivers:
- Advanced routing capabilities
- Strengthened security
- Finer role‑based control
By embracing Gateway API support, organizations can future‑proof their infrastructure with a standardized, extensible foundation capable of meeting the demands of constantly evolving technologies and dynamic applications.

As mentioned earlier, the **Ingress NGINX Controller’s maintenance ends in March 2026**. Kubernetes users must migrate to new solutions soon, presenting an opportunity to modernize infrastructure and turn this forced migration into an architectural upgrade. Avi is **Gateway API ready today** and offers a powerful upgrade path, providing advanced operational and security features beyond what open‑source or traditional controllers deliver.
---
### Comprehensive Layer 4 and Layer 7 Ingress for Kubernetes Workloads
Modern Kubernetes workloads predominantly operate at the **API/HTTP (Layer 7)** level, requiring capabilities beyond basic **Layer 4 (L4)** load balancing. Avi, through **AKO**, provides a unified, enterprise‑grade solution:
- **Layer 7 (L7) Ingress** – AKO delivers essential L7 routing, enabling sophisticated traffic manipulation, host‑ and path‑based routing, TLS offload, and security functions like **Web Application Firewall (WAF)**.
#### Consolidated Ingress Solution
Avi extends far beyond basic ingress and L4 services, acting as a single, comprehensive platform offering:
- Ingress
- L4 Load Balancing
- WAF
- GSLB via **AMKO**
- DNS
- IP Address Management (IPAM)
This integrated approach eliminates the complexity and operational overhead associated with assembling multiple disparate solutions to achieve enterprise‑grade functionality. Avi is uniquely positioned as the **only load balancer offering out‑of‑the‑box L4 and L7 load balancing with native multi‑tenancy support**, which is critical for VCF automation.
---
### Ensure App Resiliency with Multi‑Cluster GSLB Support
The **Avi Multi‑Cluster Kubernetes Operator (AMKO)** brings enterprise GSLB capabilities into Kubernetes, essential for Disaster Recovery (DR), active‑active deployments, and application migration. AMKO allows developers to tie together multiple clusters. By using a **Global Virtual Service**, developers can gradually shift traffic via DNS from the old cluster to the new VKS cluster by manipulating weights or priorities through a Kubernetes **Custom Resource Definition (CRD)**—without involving GSLB or DNS teams.

**Avi’s GSLB provides:**
- Cross‑cluster traffic distribution
- Automated failover between AZs or datacenters
- Cluster‑ and site‑level health monitoring
- Global DNS‑based routing
- Service‑level load sharing across regions
- Migration of workloads between clusters, K8s flavors, and more
---
### Fortified Web App Security for VKS with Integrated WAF and Automated mTLS
Avi serves as the secure entry point for your VKS environment, simplifying the protection of the applications running within it. By providing a cohesive security approach with built‑in Web Application Firewall (WAF) and mutual TLS (mTLS) support, Avi ensures easier deployment and robust, consistent protection. This integrated model removes the complexities and potential security gaps associated with multiple point solutions. The resulting streamlined security delivers:
- Easier management
- Stronger defense for modern Kubernetes environments
- Compliance with standards such as PCI DSS, NIST, and GDPR

**Avi’s fully integrated WAF provides:**
- Application‑layer protection at cluster ingress
- OWASP Top 10 protection
- Bot detection
- DDoS protection
- Behavioral and signature‑based detection
- API protection capabilities
- Rate limiting
**Avi simplifies and automates mTLS across services:**
- Central certificate lifecycle management
- Identity‑based trust between microservices
- Policy‑driven enforcement mechanisms
### Useful Resources
- Enterprise Strategy Group (ESG) Kubernetes Whitepaper – an unbiased analyst viewpoint
- Deliver Elastic Kubernetes Applications – whitepaper download
- Blog Post: Ingress NGINX Retired: Get an Architectural Upgrade with VMware Avi for Kubernetes
- YouTube: 2 Geeks and a Load Balancer playlist