/ Technical

Install an NSX Edge (and a logical router)

So, you want to be the guy who installs an NSX Edge for the first time and does not spend a whole week (or more) to do it?

Here are some tips to make the installation easier.

Version Note: for ESXi 6.0 and higher

Getting started

You’ll have to find the different IP addresses that you are able to use:

Your IP block can be found at your control panel, Hosts and Clusters,

Click on the right arrow over your cluster's name

Provider-Network

Select your provider network. A new screen will appear, select Advanced VLANS and click on all.

IP-list

You'll see every available IP and also the ones which are reserved for network functionalities.

IP-Block

Do not use the first or the four last IP addresses, and remember to write down the gateway address, it'll be used later.

Create or edit Logical Switches

Go on Networking & Security on the NSX interface. Select logical switches on the left panel.

Click on the green plus sign to create a logical switch.

Give them meaningful names to avoid misleading during your installation. Use names like dev-transit-network or dev-db.
Make sure they use unicast, this will ensure that traffic between machines will be handled by the host "behind the scene" and machines won't be able to sniff packets from other machines.

Logical switches are the room in which your machines will talk to each others, one machine can't talk to another if they are not in the same (there is a good noise isolation in this house.) So feel free to create as many rooms as you have interactions between your machines.

Machines in the same room will be able to talk to each others, for a better granularity, you'll have to manage their interactions in the Firewall section that we will cover in a few moment.

Create your Gateway

Go on Networking&Security -> NSX Edges. Click on the green plus sign. Let's create our Edge.

  1. Name and description: Give it a name, a meaningful one will be appreciated.

Creation-Gateway

  1. Settings: We'll add the admin user and define a strong password.

Gateway-admin-panel

  1. Configure deployment: We need to choose a cluster and a data bank. Never use local storage for performance purpose. Depending of the size of your architecture, you'll have to choose a size for the deployment. You can use standards settings.

Gateway-deployment

  1. Configure interfaces: It's time to choose the interfaces, we'll start with external one, i.e. the one which will be connected to the Internet. Click on the green plus sign.

    • Give it a name, as like "to-internet".
    • Choose uplink for the type.
    • Click on the blue "select" on the connected to line. Using the distributed portgroup, choose the one called VM Network. It's the one that link your NSX to your physical host.
    • Click on the green plus sign.
    • In Primary IP address, write down one of the IP given by your provider. Secondary IP is to be used for load balancing. Subnet must contain the Gateway service given by your provider.
    • Click on OK.

Gateway-Network-connected

  • You may add an interface to link the Edge to the router. Click again on the green plus sign.

    • Give a good name, as like "to-router".
    • Choose internal type.
    • Click on Select on the connected line, in the Logical Switch tab, select your "environment-transit-network".
    • Click on the green plus sign for the IP address.
    • On the primary IP address, you may use a private subnet like 192.168.0.1 or 10.10.0.1, with a subnet prefix of 24.
    • Click on OK.
  1. Default Gateway: Tick Configure default gateway. vNIC is the one linked to the Internet. The Gateway IP is the one given by the provider.

Gateway-edge

  1. Firewall and HA: Tick the Configure Firewall default policy. Select Deny for Default Traffic Policy. Enable Logging.

Gateway-FW-HA

  1. Ready to complete: Here you can see the summary of your configuration, it let you check if you made some typo or omissions.

Gateway-Summary

Distributed Router

Click again on the green plus sign on the NSX Edges page.

  1. Name and description: Give a meaningful name, as always.

Logical-Router-Creation

  1. Settings: We now choose and admin name and define a strong password. You can tick SSH box in order to connect to your router with SSH (you may create a firewall rule later)

Logical-Router-Admin

  1. Configure deployment: Choose a storage, avoid local storage.

Logical-Router-Deployment

  1. Configure interfaces: Here you'll have to manage the HA interface. It's juste an heartbeat for the host. Just give it the Network you use to communicate with the host. No IP address is intended.
    We now have to configure our interface to talk with the Edge we'd created.

Logical-Router-interface

  • After giving it a name (i.e. to-edge), choose uplink and use the transit-network you configured on the Edge.
    • Using the green plus sign, use an IP address in the range of the one we used for the Edge too. Here we'll use 10.10.0.2/24 (we gave 10.10.0.1/24 for the Edge).
    • We can either create other tiers for our router to connect with. It'll be the other internal subnets used by our architecture.
    • For the exemple, let's create a SSH subnet (if you want to use an SSH jump box).
      • For the name, I'll let you guess... okay, "to-ssh".
      • The subnet can be whatever you want, but try to stay reliable, if you decide of a convention, stick with it. Think to the other guy who will have to troubleshoot your work.
  1. Default gateway: As our router is just for routing purpose, don't use this feature. Our Edge will do.

  2. Ready to complete: Check if everything is correct and continue.

I think we need to talk about connectivity... (OSPF protocol between Edge and router)

We have our main components, but they can't really talk to each other.

OSPF from Edge

  • Double-click on your Edge
  • Click on manage and select routing.
  • Over the global configuration, you'll see your Default gateway and under it, the dynamic routing, let's click on modify.
  • Select the router interface.
  • Publish your changes.

OSPF-config-Edge

  • Now, on the left panel, select OSPF.
  • On the upper right, click on modify.
  • Tick the activation box, and activate the default source.

OSPF-Edge-conf

  • Click on the green plus sign to create a new zone. Use something you'll remember, you'll reuse it a little bit later. For this exemple, I'll use 50.

OSPF-Edge

  • Then you'll map your zone with the interface.
  • Click on the green plus sign.
  • Choose the to-router interface and map it with our newly created zone. Defaults settings are good enough.

OSPF-Area-link-router

OSPF from the router

  • Double-click on your router, click on manage and select routing. Everything must be blank for now.
  • Click on modify on the dynamic routing section, select the "to-edge" interface, activate logging and proceed.

OSPF-Router-config

  • On the left panel, select OSPF.
  • Click on modify on the upper right corner.
  • Tick the Activate option.
  • For the protocol address, use an address in the subnet of your Edge/router. I used .1 for my Edge, .2 for my router.
    So let's say we'll use the same subnet and .3 for the protocol address. Transfer address is the one used by my router to connect to my Edge, so I'll use .2.

OSPF-Router-protocol

  • Now, define a zone again, we'll stick with our 50.
  • And we now map it on "to-edge" vNIC.

OSPF-Router-area

  • Don't forget to publish your modifications.

Just a few more steps

DNS configuration

  • Go on the Edge management page.
  • Select Settings in the upper panel, and configuration on the left one.
  • Find DNS Configuration, and click on change.
  • Tick the Enable DNS service and fill up the IP address of your favorite DNS provider (it can also be given by your host provider). For our example, we'll use Google public DNS -> 8.8.8.8 and 8.8.4.4. Activate logging and click on OK.

DNS-Configuration

  • Now, DNS requests will be forwarded to the Edge, to the DNS server you've specified.

Firewall rules

NSX allow you to work with objects, for easy and readable configuration.

Creating Objects

Go in Networking&Security, on the bottom of the left panel, you'll find NSX managers, click on it.

NSX-Manager

Here, you'll find your NSX manager, with an IP address. Click on it.

NSX-Manager-selection

Go on Manage, and select Grouping Objects. Here you'll find all the objects you can interact with, and create new ones. Let's create a new security group.

Security-object-selection

Click on the green plus sign, imagine you want to manage this new Virtual Machine called "testing.machine".

  1. Name: Give a name for your group, for our example, let's say we will name it "testing machines".

Security-Group-Name

  1. Dynamic Membership: Here, you can choose how the membership will be applied. You can define as many criteria as you want. And for membership, you can ask to match any of them or all of them to be more restrictive. If I want to create a specific rule for a database witin the dev environment, I'll specify that all criteria must be met and make two criteria, one for the VM name "testing" and one with VM name "machine" and I'll call my VM "testing-anything-machine" or "testing.something.machine" or anything that will contain "testing" and "machine" in its name. As they must be all matched to trigger the membership, if your VM is called "test machine" it won't be included.

Security-Group-Dynamic-Membership

  1. Include members: You can force members integration for your object, or security groups. But let's stay simple and finish this object.

  2. Exclude members: It's the same as the one below, and the title is self explanatory.

  3. Ready to complete: That's it, let's check if there is any typo and we can move on.

Security-Group-Summary

Let's make our firewall rule

For better comprehension of your work, I strongly encourage you to dispatch your rules between folders. But remember that each packet will trigger each rules until it find one that will apply.
Example
If you have a rule that allow SSH communication as rule 5, and another rule that block it at rule 10, each SSH packet will first trigger the rule 5, and will never reach rule 10.

  1. Create a folder

    • In the Network&Security section, click on Firewall.
    • Click on the folder icon at the end of your default line
      Firewall-New-Section
  2. Create a rule
    Click on the green plus sign on your new line to create a new rule

  3. Define a name
    Give a name to your rule. Click on the plus sign in the name section.

Firewall-Name

  1. Define Source
    Here, we want to control interactions between our testing machine, and other testing machine within our environment.

Firewall-Source

  1. Define destination
    The same as source for our example.

Firewall-Destination

  1. Define service
    Let's imagine I want to block every ICMP request for IPv4.

Firewall-Service

  1. Action to take
    Here you may choose if you want to allow, block or reject the packet.

Firewall-Allow

  1. Define scope
    all your rules will have a local effect on the router, as they as they are the local area. But you can push your firewall rules over the Edge (i.e. if you want outside connectivity with SSH)

Firewall-Summary

Congratulations, you now have the basics to run an NSX environment and manage interactions between its objects !

Install an NSX Edge (and a logical router)
Share this