VMware AVI

Author: Wei Zhou, VMware by Broadcom — [email protected] This is a community-driven project by a VMware engineer, not an official VMware product. For official VMware developer tools see developer.broadcom.com.

English | 中文

AVI (NSX Advanced Load Balancer) management and AKO Kubernetes operations tool — 29 tools across 10 categories.

Dual mode: Traditional AVI Controller management + AKO K8s operations in one skill.

Companion skills handle everything else:

Skill	Scope	Install
vmware-aiops	VM lifecycle, deployment, guest ops, cluster	uv tool install vmware-aiops
vmware-monitor	Read-only: inventory, health, alarms, events	uv tool install vmware-monitor
vmware-storage	Datastores, iSCSI, vSAN management	uv tool install vmware-storage
vmware-vks	Tanzu Namespaces, TKC cluster lifecycle	uv tool install vmware-vks
vmware-nsx	NSX networking: segments, gateways, NAT	uv tool install vmware-nsx-mgmt
vmware-nsx-security	DFW firewall rules, security groups	uv tool install vmware-nsx-security
vmware-aria	Aria Ops: metrics, alerts, capacity	uv tool install vmware-aria

PyPI Python License: MIT ClawHub

Quick Install

# Via uv (recommended)
uv tool install vmware-avi

# Or via pip
pip install vmware-avi

# China mainland mirror
pip install vmware-avi -i https://pypi.tuna.tsinghua.edu.cn/simple

# Verify installation
vmware-avi doctor

Capabilities Overview

What This Skill Does

CLI vs MCP: Which Mode to Use

Rule of thumb: Use CLI for cost efficiency and small models. Use MCP for structured automation with large models.

Architecture

User (Natural Language)
  |
AI CLI Tool (Claude Code / Gemini / Codex / Cursor / Trae)
  | reads SKILL.md
  |
vmware-avi CLI
  |--- avisdk (AVI REST API) ---> AVI Controller ---> Virtual Services / Pools / SEs
  |--- kubectl / kubernetes ---> K8s Cluster ---> AKO Pods / Ingress / Services

Configuration

Step 1: Create Config Directory

mkdir -p ~/.vmware-avi
vmware-avi init          # generates config.yaml and .env templates
chmod 600 ~/.vmware-avi/.env

Step 2: Edit config.yaml

controllers:
  - name: prod-avi
    host: avi-controller.example.com
    username: admin
    api_version: "22.1.4"
    tenant: admin
    port: 443
    verify_ssl: true

default_controller: prod-avi

ako:
  kubeconfig: ~/.kube/config
  default_context: ""
  namespace: avi-system

Step 3: Set Passwords

Create ~/.vmware-avi/.env:

# AVI Controller passwords
# Format: VMWARE_AVI_{CONTROLLER_NAME_UPPER}_PASSWORD
VMWARE_AVI_PROD_AVI_PASSWORD=your-password-here

Password environment variable naming convention:

VMWARE_AVI_{CONTROLLER_NAME_UPPER}_PASSWORD
# Replace hyphens with underscores, UPPERCASE
# Example: controller "prod-avi" -> VMWARE_AVI_PROD_AVI_PASSWORD
# Example: controller "staging-alb" -> VMWARE_AVI_STAGING_ALB_PASSWORD

Step 4: Verify

vmware-avi doctor    # checks Controller connectivity + kubeconfig + avisdk

CLI Usage

Virtual Service Management

# List all virtual services
vmware-avi vs list [--controller prod-avi]

# Check status of a specific VS
vmware-avi vs status my-webapp-vs

# Enable / disable a VS (disable requires double confirmation)
vmware-avi vs enable my-webapp-vs
vmware-avi vs disable my-webapp-vs

Pool Member Drain / Restore

# List pool members and health status
vmware-avi pool members my-pool

# Graceful drain (disable) — double confirmation required
vmware-avi pool disable my-pool 10.1.1.5

# Restore traffic (enable)
vmware-avi pool enable my-pool 10.1.1.5

SSL Certificate Expiry Check

# List all certificates
vmware-avi ssl list

# Check certificates expiring within 30 days
vmware-avi ssl expiry --days 30

Analytics and Error Logs

# VS analytics: throughput, latency, error rates
vmware-avi analytics my-webapp-vs

# Request error logs
vmware-avi logs my-webapp-vs --since 1h

Service Engine Health

vmware-avi se list
vmware-avi se health

AKO Troubleshooting

# Check AKO pod status
vmware-avi ako status [--context my-k8s-context]

# View AKO logs
vmware-avi ako logs [--tail 100] [--since 30m]

# Restart AKO pod (double confirmation)
vmware-avi ako restart

# Show AKO version
vmware-avi ako version

AKO Helm Config Management

# View current AKO Helm values
vmware-avi ako config show

# Show pending changes (diff)
vmware-avi ako config diff

# Helm upgrade (double confirmation + --dry-run default)
vmware-avi ako config upgrade

Ingress Diagnostics

# Validate Ingress annotations
vmware-avi ako ingress check <namespace>

# Show Ingress-to-VS mapping
vmware-avi ako ingress map

# Diagnose why an Ingress has no VS
vmware-avi ako ingress diagnose <ingress-name>

Sync Diagnostics

# Check K8s-Controller sync status
vmware-avi ako sync status

# Show inconsistencies between K8s and Controller
vmware-avi ako sync diff

# Force AKO resync (double confirmation)
vmware-avi ako sync force

Multi-cluster AKO

# List clusters with AKO deployed
vmware-avi ako clusters

# Cross-cluster AKO status overview
vmware-avi ako cluster-overview

# AMKO GSLB status
vmware-avi ako amko status

MCP Server

The MCP server exposes all 29 tools via the Model Context Protocol. Works with any MCP-compatible client.

After uv tool install vmware-avi, start the MCP server with one command (v1.5.15+):

# Recommended — single command, no network re-resolve
vmware-avi mcp

# With custom config path
VMWARE_AVI_CONFIG=/path/to/config.yaml vmware-avi mcp

Claude Desktop Config

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "vmware-avi": {
      "command": "vmware-avi",
      "args": ["mcp"],
      "env": {
        "VMWARE_AVI_CONFIG": "~/.vmware-avi/config.yaml"
      }
    }
  }
}

# Run without installing (requires PyPI access each launch)
uvx --from vmware-avi vmware-avi mcp

# Legacy entry point (still works, kept for backward compatibility)
vmware-avi-mcp

MCP Tools (29)

Common Workflows

1. Maintenance Window -- Drain a Pool Member

When taking a backend server offline for patching:

1. List pool members and health status

   vmware-avi pool members my-pool
   

2. Disable the target server (graceful drain)

   vmware-avi pool disable my-pool 10.1.1.5
   

3. Monitor analytics to confirm active connections are draining

   vmware-avi analytics my-vs
   

4. Perform maintenance on the server
5. Re-enable the server

   vmware-avi pool enable my-pool 10.1.1.5
   

6. Verify health status is green

   vmware-avi pool members my-pool
   

2. AKO Ingress Not Creating VS

When a developer reports their Ingress is not producing a Virtual Service:

1. Verify AKO is running

   vmware-avi ako status
   

2. Validate Ingress annotations

   vmware-avi ako ingress check <namespace>
   

3. Check sync status between K8s and Controller

   vmware-avi ako sync status
   

4. If annotations are wrong, diagnose the specific Ingress

   vmware-avi ako ingress diagnose <ingress-name>
   

5. If sync drift is detected, review the diff and force resync if needed

   vmware-avi ako sync diff
   vmware-avi ako sync force
   

3. SSL Certificate Expiry Audit

Expired certificates cause outages. Run periodic checks:

1. Check all certificates expiring within 30 days

   vmware-avi ssl expiry --days 30
   

2. Review which VS uses each expiring certificate (output includes VS mapping)
3. Plan renewal with the certificate team
4. After renewal, verify the new certificate is in place

   vmware-avi ssl list
   

Troubleshooting

"Controller unreachable" error

1. Run vmware-avi doctor to verify connectivity
2. Check if the controller address and port are correct in ~/.vmware-avi/config.yaml
3. For self-signed certs: set verify_ssl: false in config.yaml (lab environments only)

AKO Pod in CrashLoopBackOff

1. Check logs: vmware-avi ako logs --tail 50
2. Common causes: wrong controller IP in values.yaml, network policy blocking AKO to Controller, expired credentials
3. Fix config: vmware-avi ako config show to inspect, then Helm upgrade with corrected values

Ingress created but no VS on Controller

1. Validate annotations: vmware-avi ako ingress check <namespace>
2. Check AKO logs for rejection reason: vmware-avi ako logs --since 5m
3. Run sync diff: vmware-avi ako sync diff to see if the object is stuck

Pool member shows "down" after enable

Health monitor may still be failing. The member is enabled but unhealthy. Check the actual health status on the Controller side. Fix the backend service first, then the health status will auto-recover.

SSL expiry check shows 0 certificates

Verify the controller connection has tenant-level access. Certificates are tenant-scoped in AVI. The configured user may only see certs in their tenant.

AKO sync force has no effect

Force resync triggers AKO to re-reconcile all K8s objects. If the drift persists, the issue is likely in the K8s resource definition itself (bad annotation, missing secret). Use vmware-avi ako ingress diagnose to pinpoint the root cause.

Safety Features

Security Details

• Source Code: github.com/zw008/VMware-AVI
• Config File Contents: config.yaml stores controller addresses, usernames, and AKO settings. No passwords or tokens. All secrets stored exclusively in .env
• Webhook Data Scope: Disabled by default. No third-party data transmission
• TLS Verification: Enabled by default. Disable only for self-signed certificate environments
• Prompt Injection Protection: _sanitize() truncation + control character cleanup on all AVI API responses
• Least Privilege: Use a dedicated AVI service account with minimal permissions. AKO operations require only namespace-scoped kubeconfig access

Companion Skills

Troubleshooting & Contributing

If you encounter any errors or issues, please send the error message, logs, or screenshots to [email protected]. Contributions are welcome -- feel free to join us in maintaining and improving this project!

License

MIT