VMware AVI

AVI (NSX Advanced Load Balancer) application delivery and AKO Kubernetes operations — 29 MCP tools.

Dual mode: Traditional AVI Controller management + AKO K8s operations in one skill.
Family: vmware-aiops (VM lifecycle), vmware-monitor (inventory/health), vmware-storage (iSCSI/vSAN), vmware-vks (Tanzu Kubernetes), vmware-nsx (NSX networking), vmware-nsx-security (DFW/firewall), vmware-aria (metrics/alerts/capacity).
| vmware-pilot (workflow orchestration) | vmware-policy (audit/policy)

What This Skill Does

Category	Tools	Count
Virtual Service	list, status, enable/disable	3
Pool Member

list, enable/disable member (drain/restore traffic) | 3 | | SSL Certificate | list, expiry check | 2 | | Analytics | VS metrics overview, request error logs | 2 | | Service Engine | list, health check | 2 | | AKO Pod Ops | status, logs, restart, version info | 4 | | AKO Config | values.yaml view, Helm diff, Helm upgrade | 3 | | Ingress Diagnostics | annotation validation, VS mapping, error diagnosis, fix recommendation | 4 | | Sync Diagnostics | K8s-Controller comparison, inconsistency list, force resync | 3 | | Multi-cluster | cluster list, cross-cluster AKO overview, AMKO status | 3 |

Quick Install

CODEBLOCK0

When to Use This Skill

• - List, enable, or disable virtual services on AVI Controller
• Add, remove, drain, or restore pool members (maintenance windows, rolling deployments)
• Check SSL certificate expiry across all virtual services
• View VS analytics — throughput, latency, error rates, request logs
• Check service engine health and resource usage
• Troubleshoot AKO pods — status, logs, restarts
• Manage AKO Helm configuration — view, diff, upgrade values.yaml
• Validate Ingress annotations and diagnose why a VS wasn't created as expected
• Detect sync drift between K8s resources and AVI Controller objects
• Get a cross-cluster view of AKO deployments and AMKO status

Use companion skills for:

• - VM lifecycle, deployment, guest ops → INLINECODE0
• NSX segments, gateways, NAT → INLINECODE1
• DFW firewall rules, security groups → INLINECODE2
• K8s cluster lifecycle (Supervisor, TKC) → INLINECODE3
• Read-only vSphere monitoring → INLINECODE4

Related Skills — Skill Routing

User Intent	Recommended Skill
Load balancer, VS, pool, AVI, ALB, AKO	vmware-avi ← this skill
VM lifecycle, deployment, guest ops

vmware-aiops (uv tool install vmware-aiops) | | Read-only vSphere monitoring | vmware-monitor (uv tool install vmware-monitor) | | Storage: iSCSI, vSAN, datastores | vmware-storage (uv tool install vmware-storage) | | NSX networking: segments, gateways, NAT | vmware-nsx (uv tool install vmware-nsx-mgmt) | | NSX security: DFW rules, security groups | vmware-nsx-security (uv tool install vmware-nsx-security) | | Tanzu Kubernetes (Supervisor/TKC) | vmware-vks (uv tool install vmware-vks) | | Aria Ops: metrics, alerts, capacity | vmware-aria (uv tool install vmware-aria) | | Multi-step workflows with approval | vmware-pilot | | Audit log query | vmware-policy (vmware-audit CLI) |

Common Workflows

Maintenance Window — Drain a Pool Member

When taking a backend server offline for patching, you need to drain traffic gracefully before maintenance and restore it after:

1. 1. List pool members and health → INLINECODE13
2. Disable the target server (graceful drain) → INLINECODE14
3. Wait for active connections to drain (monitor analytics) → INLINECODE15
4. Perform maintenance on the server
5. Re-enable the server → INLINECODE16
6. Verify health status is green → INLINECODE17

AKO Ingress Not Creating VS

When a developer reports their Ingress isn't producing a Virtual Service, the typical debugging path is:

1. 1. Check AKO is running → INLINECODE18
2. Validate Ingress annotations → INLINECODE19
3. Check sync status → INLINECODE20
4. If annotations are wrong → vmware-avi ako ingress diagnose <ingress-name> (shows what's wrong and suggests fix)
5. If sync is drifted → review diff vmware-avi ako sync diff and force resync if needed

SSL Certificate Expiry Audit

Expired certificates cause outages. Run periodic checks across all controllers:

1. 1. Check all certificates → INLINECODE23
2. Review which VS uses each expiring cert → output includes VS mapping
3. Plan renewal with the certificate team

Usage Mode

Scenario	Recommended	Why
Local/small models (Ollama, Qwen)	CLI	~2K tokens vs ~8K for MCP
Cloud models (Claude, GPT-4o)

Either | MCP gives structured JSON I/O | | Automated pipelines | MCP | Type-safe parameters, structured output | | AKO troubleshooting | CLI | Interactive log tailing, Helm diff output |

MCP Tools (29)

Category	Tools
Virtual Service (3)	INLINECODE24, vs_status, INLINECODE26
Pool Member (3)

pool_members, pool_member_enable, pool_member_disable | | SSL Certificate (2) | ssl_list, ssl_expiry_check | | Analytics (2) | vs_analytics, vs_error_logs | | Service Engine (2) | se_list, se_health | | AKO Pod (4) | ako_status, ako_logs, ako_restart, ako_version | | AKO Config (3) | ako_config_show, ako_config_diff, ako_config_upgrade | | Ingress Diagnostics (4) | ako_ingress_check, ako_ingress_map, ako_ingress_diagnose, ako_ingress_fix_suggest | | Sync Diagnostics (3) | ako_sync_status, ako_sync_diff, ako_sync_force | | Multi-cluster (3) | ako_clusters, ako_cluster_overview, ako_amko_status |

CLI Quick Reference

CODEBLOCK1

Full CLI reference: see INLINECODE53

Troubleshooting

"Controller unreachable" error

1. 1. Run vmware-avi doctor to verify connectivity
2. Check if the controller address and port are correct in INLINECODE55
3. For self-signed certs: set verify_ssl: false in config.yaml (lab environments only)

AKO Pod in CrashLoopBackOff

1. 1. Check logs → INLINECODE57
2. Common causes: wrong controller IP in values.yaml, network policy blocking AKO→Controller, expired credentials
3. Fix config → vmware-avi ako config show to inspect, then Helm upgrade with corrected values

Ingress created but no VS on Controller

1. 1. Validate annotations → INLINECODE59
2. Check AKO logs for rejection reason → INLINECODE60
3. Run sync diff → vmware-avi ako sync diff to see if the object is stuck

Pool member shows "down" after enable

Health monitor may still be failing. Check the actual health status on the Controller side — the member is enabled but unhealthy. Fix the backend service first, then the health status will auto-recover.

SSL expiry check shows 0 certificates

Verify the controller connection has tenant-level access. Certificates are tenant-scoped in AVI — the configured user may only see certs in their tenant.

AKO sync force has no effect

Force resync triggers AKO to re-reconcile all K8s objects. If the drift persists, the issue is likely in the K8s resource definition itself (bad annotation, missing secret). Use vmware-avi ako ingress diagnose to pinpoint the root cause.

Setup

CODEBLOCK2

All tools are automatically audited via vmware-policy. Audit logs: INLINECODE63

Full setup guide, security details, and AI platform compatibility: see INLINECODE64

Audit & Safety

All operations are automatically audited via vmware-policy (@vmware_tool decorator):

• - Every tool call logged to ~/.vmware/audit.db (SQLite, framework-agnostic)
• Policy rules enforced via ~/.vmware/rules.yaml (deny rules, maintenance windows, risk levels)
• Destructive operations (vs_toggle disable, pool_member_disable, ako_restart, ako_config_upgrade, ako_sync_force) require double confirmation
• INLINECODE73 defaults to --dry-run mode — user must explicitly confirm to apply
• View recent operations: INLINECODE75

License

MIT — github.com/zw008/VMware-AVI