Welcome back!!! We are at Part 3 of the blog series on vSphere Supervisor networking with NSX and AVI. In the previous two articles, we discussed the architecture of vSphere supervisor and the different topologies of vSphere namespaces, multiple supervisor clusters, zonal supervisors and the current environment build details to activate the vSphere supervisor (starting with a single-zone supervisor). We will scale out the environment with additional vSphere clusters as we progress.
In this article, we will discuss the AVI onboarding workflow with NSX, activate vSphere supervisor, review the NSX and AVI objects that are created and revisit the supervisor topology that we discussed in Part 1.
If you missed the previous articles of this series, please check them out below:
Part 1: Architecture and Topologies
https://vxplanet.com/2025/04/16/vsphere-supervisor-networking-with-nsx-and-avi-part-1-architecture-and-topologies/
Part 2: Environment Build and Walkthrough
https://vxplanet.com/2025/04/17/vsphere-supervisor-networking-with-nsx-and-avi-part-2-environment-build-and-walkthrough/
Let’s get started:
Table of Contents
- 0.1 AVI onboarding workflow
- 0.2 Replacing default AVI Portal Certificate
- 0.3 Adding the private CA root / intermediate certificate to the Java certificate trust store in NSX
- 0.4 Activating vSphere Supervisor
- 0.5 Reviewing NSX objects
- 0.6 Reviewing AVI objects
- 0.7 Revisiting the vSphere Supervisor Topology
- 1 Share this:
- 2 Like this:
AVI onboarding workflow
AVI onboarding workflow is currently a 1:1 mapping with the NSX manager, meaning one AVI Load Balancer cluster for each NSX Manager cluster.
AVI onboarding to NSX is done via API, and this process will set AVI as the enforcement point in NSX so that NSX will use AVI as the LB instead of native-LB. This will be a PUT operation against the ‘/api/v1/infra/alb-onboarding-workflow’ endpoint with the below json body, let’s use Postman to do this:
The request header should have ‘X-Allow-Overwrite’ key set to True.
To confirm that AVI has been successfully added as an enforcement point in NSX, let’s perform a GET request to the ‘/api/v1/infra/sites/default/enforcement-points/alb-endpoint’ endpoint.
The key-value pair ‘status’ : ‘DEACTIVATE_PROVIDER” confirms that the operation is successful, and that AVI will be leveraged for load balancer services.
We will also see NSX Advanced Load Balancer (legacy name though) listed under the NSX App Switcher.
Replacing default AVI Portal Certificate
The default AVI portal certificate is self-signed without a SAN field, which cannot be used for vSphere supervisor integration. We will replace this with an internal CA signed certificate.
Let’s create the CSR from AVI console with the SAN fields updated with AVI VIP and individual node FQDNs.
We will present the CSR to the internal CA ‘VxPlanet-DC01-CA’ and upload the certificate as a chain in AVI.
