This post is part of a short series that builds on our minimal VMware Cloud Foundation (VCF) 9.0 deployment (2x Minisforum MS-A2) and showcases how to fully leverage the exciting new capabilities in the VCF 9 platform, all while maintaining a minimal resource footprint, which is ideal for lab and learning purposes.

In this blog post, we will walk through the configuration steps to enable NSX Virtual Private Cloud (VPC) for our VCF 9 environment and demonstrate how to consume a VPC with your workloads.



I want to give a special shoutout to Dimitri Desmidt, who works in our Technical Marketing team and has been instrumental in helping me better understand NSX VPCs and how they work!

Here are some additional NSX VPC resources that might be of interest if you would like to learn more:

Requirements:

VCF 9.0 environment deployed

VLAN allocated for NSX T0 Uplink (e.g. VLAN 70)

BGP or Static Routing

Step 1 - Login to your NSX Manager and navigate to System->Fabric->Hosts->(select vSphere Cluster)->Action->Activate NSX on DVPGs. This enables the VDS to accept traffic from the NSX Edge, which allows us to select a shared VLAN for both the NSX Edge and ESX Host Tunnel Endpoint (TEP).



Step 2 - Login to your vCenter Server and select the vCenter Inventory Object and then switch to the Network view and click on Networks->Network Connectivity to use the new simplified network connectivity configuration workflow which includes NSX Edge deployment.



Step 3 - Select the Centralized Connectivity Gateway mode, as it is the required mode for enabling vSphere Supervisor and VCF Automation, which we will configure in a future blog post.



Step 4 - Specify a name for your Edge Cluster and select the Medium form factor, which is the smallest size if you plan on enabling vSphere Supervisor. Click on the Add button to begin configuring your 1st NSX Edge Node.



Fill in all required fields for your NSX Edge Node and ensure you can select the Uplinks checkbox. If you cannot, you probably missed Step 1. You can leave the remaining configuration as default and then click Apply to save the configuration.



To avoid re-entering the same information, when adding your 2nd NSX Edge Node, select the 1st NSX Edge Node and click Clone, which allows you to specify just the hostname and IP Address. This is a very welcome UX improvement!

Lastly, decide whether you want to use pre-generated credentials for your NSX Edge or prefer to specify your own; I chose the latter.

Step 5 - Here we define VPC connectivity, which is effectively configuring an NSX T0. Provide a name and then select Active/Standby, as it is the required mode to enable vSphere Supervisor and VCF Automation.

For routing, if you have BGP, go ahead and select that and populate the required fields based on your environment. For my initial setup, I am using static routing, so the routing instructions below may or may not be applicable to you.



Next, we need to add an uplink for each of our NSX Edges, which will come from our VLAN 70 network. While you can define two interfaces, for simplicity you only need one per NSX Edge. In my example, NSX Edge 01 will have 172.30.70.2 and NSX Edge 02 will have 172.30.70.3.



The last input will be your VPC External IP Blocks, a CIDR block from which addresses will be allocated for external connectivity; in my example, I am using 31.31.0.0/16. The Private Transit Gateway Block is the CIDR block that will be used for communication between VPCs; I am using 10.10.0.0/24, but you can change it based on your own requirements.

Finally, you can finish off the wizard and the NSX Edges should begin deploying ...

Note: If you are using the MS-A2 or any other AMD Ryzen-based CPU, you will need to apply the following workaround, a PowerCLI script that remediates the NSX Edges; otherwise they will continue to loop and the deployment will not finish.



If everything was deployed and configured successfully, you should see green for all status checks as shown in the screenshot below.



Step 6 - Let's now create our first VPC and a couple of subnets to verify workload connectivity.

In the Network inventory view, select Virtual Private Clouds and in the Summary view, click ADD VPC to begin the workflow.



Provide a name for your VPC and, optionally, a Private VPC CIDR, which will enable you to create VPC Subnets that are private within the VPC. In my example, vpc-01 will have a Private CIDR of 172.26.0.0/16.



Step 7 - Next, we will create a couple of VPC Subnets by right-clicking on the VPC that we just created in the previous step and selecting the New Subnet action.

The first will be a public subnet named vpc-01-pub-subnet-01, which will have DHCP enabled and will allocate addresses from our VPC External IP Block (e.g. 31.31.0.0/16).



The second subnet, named vpc-01-priv-subnet-02, will also have DHCP enabled and will allocate addresses from the VPC Private CIDR (e.g. 172.26.0.0/16).



Step 8 - If you are using static routing and want to allow a route out to the external world, we need to create a default route to our T0 gateway (e.g. 172.30.70.1).

Login to NSX Manager and navigate to Networking->Connectivity->Tier-0 Gateways->(Edit selected T0)->(Expand Routing)->Static Routes->Set



Add a label of default and a Network of 0.0.0.0/0, then click on Next Hop.



Enter your VLAN 70 (T0 Uplink) Gateway and then save the configuration.



Step 9 - Create an NSX VIP for our NSX Edge Nodes, which can be useful if you need to create additional static routes. Navigate to Networking->Connectivity->Tier-0 Gateways->(Edit selected T0)->HA VIP Configuration, select all NSX Edge Node interfaces and then specify an IP Address from VLAN 70 that will act as your VIP (e.g. 172.30.70.5/24). If you need to create static routes to reach your VPC External IP Block, the next hop will be one of the NSX Edge Node interfaces, or the VIP if you have created one.



Step 10 - Let's now deploy a couple of VMs and place one in each of the vpc-01-pub-subnet-01 and vpc-01-priv-subnet-02 subnets.



From the screenshot above, the Photon-01 VM has obtained a DHCP address of 172.26.0.3, which has been allocated from our VPC Private CIDR block.



From the screenshot above, the Photon-02 VM has obtained a DHCP address of 31.31.0.67, which has been allocated from our VPC External IP Block.

If you have BGP configured, you should be able to ping the Photon-02 address (31.31.0.67) from a system that is allowed to access these workload networks. If you are doing static routing like me, then you need to add a route to reach the 31.31.0.0/16 network via the NSX Edge VIP (e.g. 172.30.70.5), which I have already done on my MikroTik router.

Lastly, to connect to the Photon-01 VM, since it is using a Private VPC CIDR, we can simply right-click on the VM, select the Assign External IP action and choose the desired network interface on the VM.



To see the assigned IP Address from the VPC External IP Block, select the subnet under the VPC and navigate to Configure->External IPs to view the address. In this example, it has received 31.31.0.1, and you should now be able to connect, assuming you have the proper routing (BGP/Static Routes) in place.
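Before running the Step 5 wizard it is worth sanity-checking the address plan (uplink VLAN, VPC External IP Block, Private Transit Gateway Block and Private VPC CIDR) for overlaps, and afterwards confirming that the addresses the VMs actually received came from the block you expected. The script below is an added example, not part of the original post or an NSX tool; the CIDRs and observed addresses are the constructed values used in this walkthrough, and the block names are my own labels.

```python
import ipaddress

# Address plan from this walkthrough (Steps 4-9); names are hypothetical labels.
PLAN = {
    "t0-uplink-vlan70": "172.30.70.0/24",
    "vpc-external-block": "31.31.0.0/16",
    "private-transit-gw": "10.10.0.0/24",
    "vpc-01-private-cidr": "172.26.0.0/16",
}

# Addresses observed in the walkthrough and the block each one should come from.
OBSERVED = [
    ("Photon-01 DHCP", "172.26.0.3", "vpc-01-private-cidr"),
    ("Photon-02 DHCP", "31.31.0.67", "vpc-external-block"),
    ("Photon-01 assigned external IP", "31.31.0.1", "vpc-external-block"),
    ("T0 default next hop", "172.30.70.1", "t0-uplink-vlan70"),
    ("NSX Edge HA VIP", "172.30.70.5", "t0-uplink-vlan70"),
]


def overlapping_blocks(plan):
    """Return every pair of plan entries whose CIDRs overlap (should be empty)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def public_blocks(plan):
    """Blocks that are not RFC 1918 or otherwise reserved: such a range is globally
    routable, so using it in the lab shadows the real owner's prefix from inside."""
    return sorted(n for n, c in plan.items() if not ipaddress.ip_network(c).is_private)


def block_for(ip, plan):
    """Name of the plan block an address falls in, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, c in plan.items() if addr in ipaddress.ip_network(c)), None)


def check_observed(observed, plan):
    """Map each observed address to (actual block, whether it matched the expected one)."""
    return {label: (block_for(ip, plan), block_for(ip, plan) == expected)
            for label, ip, expected in observed}


if __name__ == "__main__":
    print("overlapping blocks:", overlapping_blocks(PLAN))
    print("publicly routable blocks:", public_blocks(PLAN))
    for label, (blk, ok) in check_observed(OBSERVED, PLAN).items():
        print(f"{'OK ' if ok else 'BAD'} {label}: {blk}")
```

The public-block check flags 31.31.0.0/16, which is fine in an isolated lab but worth knowing if the lab router also carries real Internet routes.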