Avi ALB SKU Migration from Basic to Standard in Azure Cloud

Products

VMware Avi Load Balancer

Issue/Introduction

Azure Cloud implementation of VMware Avi Load Balancer uses Azure Basic LB for various purposes such as Cluster VIP configuration, vsVIP placement and Public IPs. The creation of new ALB with basic SKU is already expired as of "March 31, 2025". the existing deployed ALB with basic SKU will stay till September 30, 2025 and after that data traffic will stop working. As a result, some customers require a migration path from Basic to Standard SKU ALB. This doc presents the steps to migrate to Standard ALB for Avi Resources.

Announcement by Microsoft
https://azure.microsoft.com/en-us/updates?id=azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer
Azure Upgrade Reference
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-basic-upgrade-guidance

This article explain how to migrate the Virtual Service (Private VIP & Public VIP) from Basic SKU ALB to Standard SKU ALB

Environment

Azure Cloud

Cause

How to migrate the Virtual Service (Private VIP & Public VIP) from Basic SKU ALB to Standard SKU ALB

Resolution

In Azure Cloud, we cannot directly upgrade the SKU.

To change the SKU type, migrate VSs from existing SEG (with basic SKU - standard_alb as false) to a new SEG with standard_alb as true. It will create new lbs with standard sku, with older config.

There are different workflows for Virtual Service migration depending on type of VsVIPs used:

Deployment of VS VIPs Configured with only Private IP Addresses
1.1 AKO based deployment Virtual Services with Private IP
Deployment of VS VIPs Configured with Public IP Addresses

Below are workflows for these use-cases:

1. VS VIP Configured with only Private IP Addresses:

Disable all Virtual services with Azure Cloud

Create a new SEG (clone) with knob use_standard_alb set to true (By default Basic SKU Load Balancer is used)

// By default "use_standard_alb" knob set to FALSE for 22.x and 30.x releases.

[admin:]: > show serviceenginegroup <New-ServiceEngineGroup-Name> | grep use_standard_alb
| use_standard_alb                        | False                                                   |

// How to enable "use_standard_alb" setting in Service Engine Group via CLI

[admin:]: > configure serviceenginegroup <New-ServiceEngineGroup-Name>
[admin:]: serviceenginegroup> use_standard_alb
[admin:]: serviceenginegroup> save

[admin:]: > show serviceenginegroup Default-Group | grep use_standard_alb
| use_standard_alb                        | True                                                    |

Migrate the VS to the new SEG (Update the new SEG in Virtual Service > Edit > Advance > Service Engine Group)

https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/22-1/vmware-avi-load-balancer-configuration-guide/load-balancing-overview/virtual-services/migrating-virtual-services.html

Note (Optional): For scripted approach to change service engine group for large-scale Avi deployments within Azure Cloud, particularly those with a high number of Virtual Services, please refer the KB - Avi ALB Service Engine Group Changes for Virtual Services using script
Re-enable the VS, wait for the new Service Engines to come up in the new SEG, and network programming to finish.
Once all VSs up and data traffic running without any issue, you may delete the old SEs and SEG once the migration is complete.
Azure SKU migration for Private VIP supported with 22.x, 30.x version

1.1 AKO based deployment Virtual Services with Private IP

- Disable all Virtual services with Azure Cloud
- Create a new SEG (clone) with knob use_standard_alb set to true (By default Basic SKU Load Balancer is used) - as per above steps1
- Update the SE Group in the configmap and rebooting the AKO Pod migrates existing virtual services to the new SE Group, where the value of "use_standard_alb" is set to true.
- These steps enable the virtual services to be migrated to the new SEG.

Note: The virtual services with Private VIP will just move from one SEG to another with standard SKU, and there is no deletion/recreation of virtual services. Each virtual service should have the same VS VIP as they had before the migration.

2. Deployment with VS VIPs Configured with Public IP Addresses after upgrade to 30.2.4, 31.1.1-2p3 and 31.2.1

Disable all virtual services with Public VIP (Public IP) deployed in the Azure cloud.
Create a new SEG (clone) with knob use_standard_alb set to true (By default Basic SKU Load Balancer is used) - as per above steps1
For a new SE group creation with 31.x, the use_standard_alb knob set to true is the default setting.
Note down the VIP with Public VIP for the reference.
Login into Azure Cloud Portal: https://portal.azure.com

Search for "Public IP addresses" > Click on Virtual Service Public IP
Click on the Public VIP Name
Click on Tags (edit) link
Crucial Step: Remove / Delete Azure Tags (avi-ccid, avi-private-ip or avi-se) from Azure Public IPs.
Now Detach the Public IP address from the VSVIP's configuration. Public IP (VS VIP) addresses cannot be migrated across different Azure SKUs.

1. Controller UI > Application > VS VIPs > Edit (VS VIP with Public IP) > Edit (VIPs)

2. Select "None" from Auto-Allocate Public IP for VSVIP
3. Save
Upgraded Public IPs SKU from Basic to Standard SKU (manual customer action) from Azure Cloud Portal
Migrate the VS to the new SEG (Update the new SEG in Virtual Service > Edit > Advance > New Service Engine Group)

https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/22-1/vmware-avi-load-balancer-configuration-guide/load-balancing-overview/virtual-services/migrating-virtual-services.html
Re-enable the virtual services and wait for the Service Engines to come up in the new Service Engine Group, and network programming to finish.
Attach new public IPs in VSVIP for the newly migrated virtual services (wherever applicable previously). The public IP address creation is to be done for the ones detached previously and has to be done only once virtual services have migrated to the new SEG and VIP has come up.

1. Controller UI > Application > VS VIPs > Edit (VS VIP with Public IP) > Edit (VIPs)
2. Select "Static" from "None" for VSVIP
3. Save
Once all VSs up and data traffic running without any issue, you may delete the old SEs and SEG once the migration is complete.
Note: It require to associate a NAT gateway with a Public IP address with Standard SKU or a prefix to the subnet of the Avi Controller is required for the outbound access.
Azure SKU migration for Public VIP supported with 30.x version. It is recommend to upgrade on 30.2.4-2p1 Patch version where cluster IP creation with standard SKU fixed.

Avi Controller Cluster VIP SKU Migration

For Cluster VIP SKU migration with Azure Cloud, please refer the KB Article - https://knowledge.broadcom.com/external/article?articleNumber=406417

Additional Information

Azure LB Upgrade Reference - https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-basic-upgrade-guidance

Issue: If Virtual Services are configured with Public IP and when these VS'es are migrated from Azure Load Balancer Basic SKU to Azure Load Balancer Standard SKU - data path traffic may be affected.

Fix: This issue has been fixed in Avi release 30.2.4, 31.1.1-2p3 and 31.2.1.

Refer to "AV-232896" in release notes

https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-load-balancer/31-1/vmware-avi-load-balancer-release-notes/Release-Note-Section-20627.html