Table of Contents
VMware Cloud Director relies on the NSX network virtualization platform to provide on-demand creation and management of networks and networking services. NSX-V has been a building block of VCD infrastructure for quite a long time. With the release of NSX-T Datacenter, VMware clearly mentioned that NSX-T is the future of software-defined networking, and as a result customers slowly started migrating from NSX-V to NSX-T.
NSX-T 2.3 was the first version of NSX-T which VCD (9.5) supported, but the integration was very basic and there were a lot of functionalities that were not available and it was stopping customers from using NSX-T full-fledged with VCD. NSX-T 2.5 added more functionalities in terms of VCD integration, but it was still lacking some features.
With the release of NSX-T 3.0, the game has changed and NSX-T is more tightly coupled with VCD and thus customers can leverage almost all functionalities of NSX-T with VCD.
In this post, I will demonstrate the process of NSX-T 3.1 integration with VMware Cloud Director (VCD)10.2.
Let’s look at the high-level design of the architecture first before jumping into deployment.
- The first SDDC is Management SDDC which hosts management components like vCenter, VCD Cells, and NSX-T managers, etc.
- The second SDDC is Compute SDDC, which gets hooked into VCD and hosts tenants’ workload.
Note: NSX-T manager of Compute SDDC usually sits in Management SDDC, but Edge VM’s are deployed in Compute SDDC itself.
Lab Topology
Before I start the deployment, let me show you a quick tour of my lab.
I am running vSphere 7.0 and NSX-T 3.1 in my environment.
- There are 4 ESXi hosts in Compute SDDC and each host is configured with 4 NIC’s. 2 of the physical NICs are attached to regular vSphere VDS and carry datacenter traffic (Management, vMotion & vSAN). The other 2 NIC’s are connected to N-VDS and carry all the overlay traffic.
- Hosts are configured for NSX-T and ready to be used as transport nodes.
- 2 edge nodes are deployed and configured for NSX-T and are placed in an Edge cluster.
- Tier-0 gateway is deployed and interfaces are configured for uplink connectivity. Also, T0 is BGP peering with my upstream router.
- Compute SDDC vCenter has been integrated with VCD.
NSX-T Registration with VCD
Integrating NSX-T with VCD starts with registering the NSX-T instance with VCD.
NSX-T registration is done under Home > Resources > Infrastructure Resources > NSX-T Managers.
To register NSX-T, provide NSX-T connection url and NSX-T admin credentials.
Create NSX-T Backed Geneve Network Pool
The below slideshow shows how to create a Geneve network pool that is backed by an NSX-T overlay transport zone.
Create External Network
The External Network is the network created by the Service Provider to allow virtual machines in an organization to access the outside world (Internet). In the case of NSX-T, the external network is bound to a pre-created T0 gateway in NSX-T
Create PVDC, Org & Org VDC
A Provider VDC provides resources to organization VDCs and can be created after External Network creation. Provider VDC is a collection of compute, memory, and storage resources from the vCenter Server instance that relies on the NSX-T Data Center for network resources.
PVDC Creation Workflow
Org & OVDC Creation Workflow
Tenant Gateway (T1) Creation and External Network Connection
Note: Tenant OVDC Gateway (T1) can be provisioned only by the service provider.
Create Routed Org Network and connect it to the Tenant Gateway
Routed Org network is attached to the T1 gateway and it provides outside connectivity to tenant workloads. Below are the steps of creating and configuring the org network for north bound connectivity.
Note: Tenant creates Routed Org networks by logging into their org and navigating to Home > Networking > Networks.
Refer to the below slideshow for the org network creation workflow.
Once the Routed Org network is created, there are 2 additional tasks:
1: Allow firewall for outside connectivity: By default, the firewall is set to deny all traffic. Either edit this rule to allow traffic or create a new rule and set traffic to allow through the firewall.
To create/edit the firewall rule, click on the edge gateway and select firewall under services, and click on Edit Rules.
Change action from Deny to Allow.
2: Create SNAT rule for Internet Access: Internal IP address of routed org network needs to be mapped to external IP address (from external network pool) in order to provide internet connectivity for tenant workloads.
Refer to the below screenshots for how to create the SNAT rule.
And that concludes this post.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing 🙂