NSX 4.2 Multitenancy Series – Part 10: Integration with NSX Advanced Load Balancer

Posted on 10-04-2025 by Manish Jha

Welcome to part-10 of the NSX Multi-tenancy series. The last post of this series discussed distributed security in NSX VPC and how to implement gateway and distributed firewall policies.

This post discusses NSX VPC integration with NSX Advanced Load Balancer (ALB).

If you are not following along, I encourage you to read the earlier parts of this series from the below links:

1: NSX Multi-tenancy Introduction

2: Multi-tenancy Design Models

3: Creating NSX Projects

4: Distributed Security in NSX Project

5: NSX Virtual Private Cloud Overview

6: NSX VPC Networking

7: Creating NSX VPCs

8: Resource Sharing in NSX VPC

9: NSX VPC Security

The integration between NSX VPC and NSX Advanced Load Balancer allows application owners to provision load balancers on-demand in a self-service manner. To support NSX multi-tenancy, a new configuration option, “Enable VPC Mode” is introduced in the NSX cloud configuration in NSX ALB. The Enterprise Admin, with the role of System Admin in NSX ALB, configures the NSX cloud configuration with VPC mode and the Service Engine’s networks.… Read More

Using CA-signed Certificates with SAN Attribute in NSX 4.x – API Method

Posted on 08-04-2025 by Manish Jha

In my last post on the NSX SSL certificate rotation, I discussed the types of certificates in NSX and why you should use a certificate with a SAN attribute. The ability to generate a CSR with Subject Alternative Names was first introduced in NSX v4.2. Before NSX v4.2, creating certificates with SAN attributes was possible only through API. This post is focused on demonstrating the certificate generation and replacement procedure through API.

Step 1: Create Certificate Signing Request

Method: POST

URL: https://{nsx_mgr}/api/v1/trust-management/csrs

Headers: Accept: application/json, content-type: application/json

Authentication: Basic

Payload:

{
    "display_name": "<certificate-name>",
    "key_size": 2048,
    "algorithm": "RSA",
    "subject": {
        "attributes": [
            {
                "key": "CN",
                "value": "<nsx-mgr-vip-fqdn>"
            },
            {
                "key": "O",
                "value": "Cloud"
            },
            {
                "key": "OU",
                "value": "Network-Engineering"
            },
            {
                "key": "L",
                "value": "Toronto"
            },
            {
                "key": "ST",
                "value": "Ontario"
            },
            {
                "key": "C",
                "value": "CA"
            }
        ]
    },
    "is_ca": false,
    "extensions": {
        "subject_alt_names": {
            "dns_names": [
                "<nsx-mgr-vip-fqdn>",
                "<nsx-mgr01-fqdn>",
                "<nsx-mgr02-fqdn>",
                "<nsx-mgr03-fqdn>"
            ],
            "ip_addresses": [
                "<nsx-mgr-vip>",
                "<nsx-mgr01-ip>",
                "<nsx-mgr02-ip>",
                "<nsx-mgr03-ip>"
            ]
        }
    }
}

Method: POST

URL: https://{nsx_mgr}/api/v1/trust-management/csrs

Headers: Accept: application/json, content-type: application/json

Authentication: Basic

Payload:

{

"display_name": "<certificate-name>",

"key_size": 2048,

"algorithm": "RSA",

"subject": {

"attributes": [

{

"key": "CN",

"value": "<nsx-mgr-vip-fqdn>"

{

"key": "O",

"value": "Cloud"

{

"key": "OU",

"value": "Network-Engineering"

{

"key": "L",

"value": "Toronto"

{

"key": "ST",

"value": "Ontario"

{

"key": "C",

"value": "CA"

}

]

"is_ca": false,

"extensions": {

"subject_alt_names": {

"dns_names": [

"<nsx-mgr-vip-fqdn>",

"<nsx-mgr01-fqdn>",

"<nsx-mgr02-fqdn>",

"<nsx-mgr03-fqdn>"

"ip_addresses": [

"<nsx-mgr-vip>",

"<nsx-mgr01-ip>",

"<nsx-mgr02-ip>",

"<nsx-mgr03-ip>"

]

}

Step 2: Fetch the ID of the CSR

The CSR ID can be fetched from the response output of the previous API or using the GET call as shown below.

Using CA-signed Certificates with SAN Attribute in NSX 4.x – GUI Method

Posted on 08-04-2025 by Manish Jha

Introduction

In this post, I will discuss replacing NSX self-signed certificates with CA-signed certificates with a Subject Alternative Name (SAN) extended attribute.

Note: This article applies to NSX v4.2 and higher versions. For NSX version >= 4.0/4.1, refer to the next post of this series.

What is a SAN attribute, and why should I use it?

A Subject Alternative Name is an extension used in digital certificates that allows a single certificate to secure multiple domain names, subdomains, or IP addresses. Think of it as a way to tell your web browser, “This certificate is valid for more than just one website.” Instead of providing separate certificates for each domain/machine, a single SAN certificate can cover numerous domains, simplifying maintenance and boosting security.

In a typical NSX deployment, you deploy 3 NSX Manager nodes and configure a VIP address. Each NSX node comes with an out-of-the-box, self-signed SSL certificate. Also, when you configure a VIP address, NSX automatically configures a self-signed certificate for the VIP.… Read More

NSX 4.2 Multitenancy Series – Part 9: NSX VPC Security

Posted on 01-04-2025 by Manish Jha

Welcome to part-9 of the NSX Multi-tenancy series. The last post of this series discussed how resources are shared with a VPC from the default space and the project’s space.

In this post, I will discuss distributed security in NSX VPC.

If you are not following along, I encourage you to read the earlier parts of this series from the below links:

1: NSX Multi-tenancy Introduction

2: Multi-tenancy Design Models

3: Creating NSX Projects

4: Distributed Security in NSX Project

5: NSX Virtual Private Cloud Overview

6: NSX VPC Networking

7: Creating NSX VPCs

8: Resource Sharing in NSX VPC

When the Project/VPC Admin creates a VPC, a default security group is also created with it. This group follows the naming convention “PROJECT-<project_name>-VPC-<vpc-name>-default”.

Members of this security group can be viewed by clicking the View Members button. This group contains subnets and VMs created inside the VPC.

All members of the VPC’s default group are automatically added as members of its parent project’s default group.… Read More

NSX 4.2 Multitenancy Series – Part 8: Resource Sharing in NSX VPC

Posted on 29-03-2025 by Manish Jha

Welcome to part-8 of the NSX Multi-tenancy series. The last post of this series discussed how NSX VPC is created and how subnets are carved out from the allocated IP blocks.

In this post, I will discuss how resource sharing works in VPC.

If you are not following along, I encourage you to read the earlier parts of this series from the below links:

1: NSX Multi-tenancy Introduction

2: Multi-tenancy Design Models

3: Creating NSX Projects

4: Distributed Security in NSX Project

5: NSX Virtual Private Cloud Overview

6: NSX VPC Networking

7: Creating NSX VPCs

When a VPC is created, a default share is created automatically in the parent project. This share contains the private and external IP blocks, Tier-0 gateway, and edge cluster, which the VPC can consume.

The public block is created in the default space by the Enterprise Admin and shared to the project/vpc. A private IP block is created and shared by the Project Admin.… Read More

NSX 4.2 Multitenancy Series – Part 7: Creating NSX VPC’s

Posted on 24-03-2025 by Manish Jha

Welcome to part-7 of the NSX Multi-tenancy series. The last post of this series discussed how networking works in NSX VPC and the concept of subnets.

In this post, I will demonstrate how to create an NSX VPC and setup networking for the project workloads.

If you are not following along, I encourage you to read the earlier parts of this series from the below links:

1: NSX Multi-tenancy Introduction

2: Multi-tenancy Design Models

3: Creating NSX Projects

4: Distributed Security in NSX Project

5: NSX Virtual Private Cloud Overview

6: NSX VPC Networking

To recap from the previous post, a VPC can have public and private subnets for workload connectivity.

The Enterprise Admin creates public subnets in the default space and allocates them to the Project, which can then be consumed by the NSX VPC. Also, the Enterprise Admin whitelists the approved subnets for advertising them to the northbound routers. … Read More

NSX 4.2 Multitenancy Series – Part 6: NSX VPC Networking

Posted on 23-03-2025 by Manish Jha

Welcome to part-6 of the NSX Multi-tenancy series. The last post of this series discussed NSX VPC architecture and its use cases and the benefits that it provides.

In this post, I will walk you through how networking works inside an NSX VPC.

If you are not following along, I encourage you to read the earlier parts of this series from the below links:

1: NSX Multi-tenancy Introduction

2: Multi-tenancy Design Models

3: Creating NSX Projects

4: Distributed Security in NSX Project

5: NSX Virtual Private Cloud Overview

VPC Networking Overview

In an NSX Project, each VPC has its own set of networking and security policies. Subnets within an NSX VPC represent independent layer 2 broadcast domains.

The Enterprise Admin creates and allocates IP address blocks (public & private) to the project. These IP blocks are consumed by the workloads in VPC. The application owners do not need to have a thorough understanding of the subnets or know how to create CIDRs for project workloads because the NSX platform handles this automatically.… Read More

NSX 4.2 Multitenancy Series – Part 5: NSX Virtual Private Cloud (VPC) Overview

Posted on 22-03-2025 by Manish Jha

Welcome to part-5 of the multi-tenancy series. The last post of this series discussed distributed security in NSX Projects and how to implement DFW rules to allow inbound/outbound connection for the project workloads. In this post, I will discuss NSX Virtual Private Clouds (VPCs).

If you are not following along, you can read the earlier parts of this series from the below links:

1: NSX Multitenancy Introduction

2: Multitenancy Design Models

3: Creating NSX Projects

4: Distributed Security in NSX Project

NSX Virtual Private Clouds (VPCs)

NSX VPC is an abstraction layer that makes it easier to create self-contained virtual private cloud networks within an NSX Project so that networking and security services may be used in a self-service model.

This feature allows each tenant to define its own subnets, networking services, and firewall rules (DFW/Gateway). This simplifies network and security management, giving users a self-service model similar to public cloud environments. … Read More

NSX 4.2 Multitenancy Series – Part 4: NSX Projects Distributed Security

Posted on 20-03-2025 by Manish Jha

In the last post of this series, I discussed how to create NSX Projects and apply RBAC and Quota policies to them. I also touched base briefly on the project’s security (DFW) aspect.

In this post, I will discuss the project’s security in greater detail.

If you are not following along, you can read the earlier parts of this series from the below links:

1: NSX Multitenancy Introduction

2: Multitenancy Design Models

3: Creating NSX Projects

One of the key purposes of the Project feature is to allow security policy management to be delegated to the project admin to avoid the danger of rules being applied to the wrong virtual machines.

When an NSX project is created by the Enterprise Admin, the system generates default Distributed & Gateway firewall rules to regulate the default behavior of east-west and north-south traffic for the VMs in the NSX project. The firewall rules in a project apply only to the VMs created in that project and don’t impact VMs created in other projects or the default space.… Read More

NSX 4.2 Multitenancy Series – Part 3: NSX Projects

Posted on 20-03-2025 by Manish Jha

Welcome to part-3 of the NSX Multi-tenancy series. Parts 1 & 2 of this series were theoretical and mainly focused on multi-tenancy architecture and design models. This part focuses on hands-on, with topics such as creating NSX projects, applying RBAC policies, and creating networking constructs within the project.

If you are not following along, you can read the earlier parts of this series from the below links:

1: NSX Multitenancy Introduction

2: Multitenancy Design Models

Environment Details

This is a full-fledged NSX deployed environment based on the design documented here; thus, I am not covering the implementation details again.

The lab is deployed as per the below BOM

Component	Version
VMware ESXi	8.0 Update 3d
vCenter Server	8.0 Update 3d
vSAN	8.0 Update 3d
VMware NSX	4.2.1.2
Backbone Router	vYOS 1.5
AD + DNS Server	Windows Server 2022

I am using the multi-tenancy with shared provider tier-0 gateway design for this post, where tenants will share the tier-0 gateway and the edge clusters from the provider.… Read More

Spread the Love

Spread the Love

Introduction

Spread the Love

Spread the Love

Spread the Love

Spread the Love

VPC Networking Overview

Spread the Love

NSX Virtual Private Clouds (VPCs)

Spread the Love

Spread the Love

Environment Details

Spread the Love