NSX Cloud. Part 1 : Getting Started



In this article I will be reviewing the VMware NSX Cloud offering (not to be confused with VMware Cloud on AWS). NSX Cloud gives you better visibility into public cloud workloads (AWS and Azure at the moment) by providing a single pane of glass for your network and security policies. Nowadays applications are usually spread across multiple platforms: part of an application may reside on-prem while another part lives in the cloud. Having separate management planes for on-prem and cloud works up to a point, but as the number of workloads and the communications between them grow, management can easily get out of control. This is where NSX Cloud comes into play: it creates an abstraction layer for your applications, regardless of placement and location, so you can focus on the network and security around them rather than on where each piece runs. To get started you will need the following components:

NSX-T Manager : This is ultimately your management and control plane for networking and security

NSX-T Cloud Service Manager (CSM) (same OVA as NSX-T Manager; you select the CSM role during installation) : This is where you get visibility into the inventory of your public cloud accounts, including the VNets/VPCs and the workloads in them

Public Cloud Gateway (PCG) : This is what talks back to the on-prem NSX-T Manager (management and control planes). It acts as the local control plane within each VPC/VNet and performs inventory discovery. It runs an agent called Public Cloud Manager (PCM) that reads tags from the VMs in the cloud and creates the required objects and configuration in NSX-T Manager, which results in the VMs being attached to segments (logical switch ports)

NSX Tools (formerly called NSX Agent) : This gets installed on each public cloud workload that carries the required tag (we will discuss it later); it is what enforces the NSX datapath on the workload

AWS or Azure cloud accounts/subscriptions, or both : This is where your workloads will be running

Routing in place between the on-prem location where NSX-T Manager and CSM reside and AWS/Azure. This can be ExpressRoute for Azure, Direct Connect for AWS, or a regular IPsec VPN.

At least one VNet/VPC with a minimum of three subnets for the PCG interfaces : one for the downlink, one for the uplink and one for management. For an HA deployment it is recommended to place the PCGs in multiple Availability Zones (AZs), so six subnets will be needed

From a network perspective, the RTT between your VPC/VNet and the on-prem environment should not exceed 150 ms, so pick the region closest to you to avoid latency-related issues

I won’t be covering the installation of the NSX-T Manager cluster. It has to be in place in advance. Once it is, the next step is to install CSM

Let’s get started.

1) Deploy the OVA, selecting the location of the file, and click Next

2) Provide a name and location for the virtual machine. Click Next

3) Choose the cluster and host for the VM and click Next

4) Review details and click Next

5) Pick the form factor. Note that Extra Small is only suitable for PoC and demo purposes and should not be used in production. I’m going to pick Medium here. Click Next

6) Choose the storage and click Next

7) Choose the management network and IP settings. I will pick IPv4 with static allocation. Click Next

8) Customize the remaining settings, starting with the root password and the admin password

9) Enter the hostname. For the role name choose NSX Cloud Service Manager

10) Fill in the rest of the network settings : IP/mask/gateway/DNS/domain search list

11) Enter the NTP server. It is recommended to use the same NTP server as NSX-T Manager. Enable SSH only if you need it for troubleshooting, and restrict access to it to your management network.

12) Click Finish and grab your coffee or tea (depending on what you prefer). The installation should start

13) Verify by logging into the web UI at the IP address specified during installation
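As an added example, not code from the original article, here is the same CSM deployment expressed as an unattended ovftool command line, the way you would script it for a repeatable build instead of clicking through the wizard. The nsx_* OVF property names are the ones VMware documents for the NSX-T unified appliance OVA; the CSM role string, the datastore and port group names, the DNS domain and the vCenter target path are assumed placeholders, and the extra guards (refusing Extra Small, IPv4 sanity checks, SSH off unless requested, passwords kept out of the printed command) are this example's additions, not the article's.

```shell
#!/bin/sh
# Added example, not from the article: build an unattended ovftool command
# equivalent to the vSphere OVA wizard steps for CSM. The nsx_* property
# names follow VMware's documented OVF properties for the NSX-T unified
# appliance OVA; the CSM role value, DATASTORE, MGMT-PORTGROUP, example.com
# and the vi:// target are assumed placeholders for your own environment.

# Accept only a dotted-quad IPv4 address whose four octets are all 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Map the wizard's form-factor choice to ovftool's --deploymentOption.
# Extra Small is PoC/demo only, so it is refused rather than passed through.
deployment_option() {
    case "$1" in
        small|medium|large) printf '%s\n' "$1" ;;
        *) printf 'form factor "%s" is not allowed for a production CSM\n' "$1" >&2
           return 1 ;;
    esac
}

# Print (but do not execute) the ovftool command line.
# $1 VM name   $2 form factor   $3 hostname     $4 IP   $5 netmask
# $6 gateway   $7 DNS server    $8 NTP server   $9 "yes" to enable SSH
# Passwords are taken from NSX_ROOT_PASSWD and NSX_ADMIN_PASSWD. The printed
# command references those variables instead of expanding them, so the line
# can be logged or reviewed without leaking secrets; they are expanded only
# when the line is actually executed (ovftool then sees them as arguments).
build_csm_ovftool_cmd() {
    _vm=$1 _form=$2 _host=$3 _ip=$4 _mask=$5 _gw=$6 _dns=$7 _ntp=$8 _ssh=$9
    _opt=$(deployment_option "$_form") || return 1
    for _a in "$_ip" "$_mask" "$_gw" "$_dns"; do
        valid_ipv4 "$_a" || { printf 'bad IPv4 address: %s\n' "$_a" >&2; return 1; }
    done
    if [ -z "$NSX_ROOT_PASSWD" ] || [ -z "$NSX_ADMIN_PASSWD" ]; then
        printf 'set NSX_ROOT_PASSWD and NSX_ADMIN_PASSWD in the environment\n' >&2
        return 1
    fi
    # SSH stays off unless explicitly requested for troubleshooting, and root
    # login over SSH is never enabled.
    _sshflag=False
    if [ "$_ssh" = yes ]; then _sshflag=True; fi
    printf '%s' \
        "ovftool --name=$_vm --deploymentOption=$_opt" \
        " --acceptAllEulas --allowExtraConfig --X:injectOvfEnv --diskMode=thin" \
        " --datastore=DATASTORE --network=MGMT-PORTGROUP" \
        " --prop:nsx_role=nsx-cloud-service-manager" \
        " --prop:nsx_hostname=$_host" \
        " --prop:nsx_ip_0=$_ip --prop:nsx_netmask_0=$_mask --prop:nsx_gateway_0=$_gw" \
        " --prop:nsx_dns1_0=$_dns --prop:nsx_domain_0=example.com --prop:nsx_ntp_0=$_ntp" \
        " --prop:nsx_isSSHEnabled=$_sshflag --prop:nsx_allowSSHRootLogin=False" \
        " --prop:nsx_passwd_0=\$NSX_ROOT_PASSWD --prop:nsx_cli_passwd_0=\$NSX_ADMIN_PASSWD" \
        " nsx-unified-appliance.ova vi://administrator@vsphere.local@VCENTER/DC/host/CLUSTER"
    printf '\n'
}

# Usage (values are constructed for illustration):
#   export NSX_ROOT_PASSWD=... NSX_ADMIN_PASSWD=...
#   build_csm_ovftool_cmd csm-01 medium csm-01.example.com 10.10.1.15 \
#       255.255.255.0 10.10.1.1 10.10.1.2 ntp.example.com no
```

The function only prints the command so you can review it before running it; pipe it to `sh` once you are satisfied. Using the same NTP source as NSX-T Manager and a DNS server that resolves the vCenter and NSX-T Manager names matter here just as in the wizard, because CSM and NSX-T Manager have to trust each other's certificates and timestamps when they are integrated in the next part.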


The first part is done. In the next part we will integrate CSM with NSX-T Manager and add cloud accounts into the system. Stay tuned…

Author-  Nizami Mammadov CCIE#22247, VCAP-NV
