Tag Archives: NSX 6

Network Virtualization with VMware NSX – Part 7

In my last blog Network Virtualization with VMware NSX – Part 6 we have discussed about Static and Dynamic routing. Here In the Network Virtualization with VMware NSX – Part 7 will be discus about Network Address Translation (NAT) and Load Balancing with NSX Edge Gateway.

Network Address Translation (NAT)

Network Address Translation (NAT) is the process where a network device assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.

Three blocks of IP addresses are reserved for private use and these Private IP addresses cannot be advertised in the public Internet.

10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and  192.168.0 0 to 192.168.255.255.

The private addressing scheme works well for computers that only have to access resources inside the network, like workstations needing access to file servers and printers. Routers inside the private network can route traffic between private addresses with no trouble. However, to access resources outside the network, like the Internet, these computers have to have a public address in order for responses to their requests to return to them. This is where NAT comes into play.NAT1

Another exam is public Cloud™ where there are multiple tenant running their workload with Private IP address range. Hosts assigned with private IP addresses cannot communicate with other hosts through the Internet. The solution to this problem is to use network address translation (NAT) with private addressing.

NAT2NSX Edge provides network address translation (NAT) service to assign a public address to a computer or group of computers in a private network. NSX Edge service supports two types of NAT:- SNAT and DNAT

Source NAT (SNAT) is used to translate a private internal IP address into a public IP address for outbound traffic. The below picture depict that NSX Edge gateway is translating Test-Network using addresses 192.168.1.2 through 192.168.1.4 to 10.20.181.171. This technique is called masquerading where multiple Private IP Address are translating into Single host IP Address.

NAT3Destination NAT (DNAT) commonly used to publish a service located in a private network on a publicly accessible IP address. The below picture depict that NSX Edge NAT is publishing the Web Server 192.168.1.2 on an external network as 10.20.181.171. The rule translates the destination IP address in the inbound packet to an internal IP address and forwards the packet.

NAT4Configuring Network Address Translation (SNAT and DNAT) on an NSX Edge Services Gateway:-

1. Connect to vCenter Server through vSphere Web Client —> Click Home tab –> Inventories –> Networking & Security –> NSX Edges –> and Double Click NSX Edge.NAT5

2. Under NSX Edge router –> click Manage tab –> click NAT tab –> and click the green plus sign (+) and select Add DNAT Rule or Add SNAT Rule whichever you would like to add.NAT6

3. In the Add DNAT Rule dialog box, Select Uplink-Interface from the Applied On drop-down menu. Enter the Public IP address in the Original IP/Range text box and enter the destination Translated IP/Range. And select Enabled the DNAT rule check box and Click OK to add the rule.NAT7

4. click Publish Changes to add the rule.NAT8

5. Once rules pushed you can see one rule has been added to the rule list.NAT9

6. To test the Connectivity Using the Destination NAT Translation, putty to NSX Egde router with Admin account and run command  to begin capturing packets on the Transit-Interface.

debug packet display interface vNic_1 port_80 or debug packet display interface vNic_0 icmp

1st command will capture packets on interface 1 for TCP port 80 and 2nd command will capture packets on interface 0 for ICMP protocol.

Same way we can Add SNAT rules for outgoing traffic.

——————————————————————————————————

NSX Edge Load Balancer

Load Balancing is another network service available within NSX that can be natively enabled on the NSX Edge device. The two main drivers for deploying a load balancer are scaling out an application (Load is distributed across multiple backend servers) as well as improving its high-availability characteristics (Servers or applications that fail are automatically removed from the pool).LB1

The NSX Edge load balancer distributes incoming service requests evenly among multiple servers in such a way that the load distribution is transparent to users. Load balancing thus helps in achieving optimal resource use, maximizing throughput, minimizing response time, and avoiding overload. NSX Edge provides load balancing up to layer 7.

Note :- The NSX platform can be integrate load-balancing services offered by 3rd party vendors as well.

NSX Edge offers support for two types of deployment: One-arm mode (called proxy mode) and Inline mode (called transparent mode)

One-arm mode (called proxy mode)

The one-arm load balancer has several advantages and disadvantages. The advantages are that the design is simple and can be deployed easily. The main disadvantage is that you must have a load balancer per segment, leading to a large number of load balancers.

So when you design and deploy you need to see both the factors and choose which mode is fitting to your requirement.LB2

Inline mode (called transparent mode)

The advantage of using Inline mode is that the client IP address is preserved because the proxies are not doing source NAT. This design also requires fewer load balancers because a single NSX Edge instance can service multiple segments.
With this configuration, you cannot have a distributed router because the Web servers must point at the NSX Edge instance as the default gateway.

LB3Configuring Load Balancing with NSX Edge Gateway

1. Connect to vCenter Server through vSphere Web Client —> Click Home tab –> Inventories –> Networking & Security –> NSX Edges –> and Double Click NSX Edge.

2.  Under the Manage tab, click Load Balancer. In the load balancer category panel, select Global Configuration.

3. Under Load balancer global configuration –> Click Edit to open the Edit load balancer global configuration page, In the Edit load balancer global configuration page check the Enable Loadbalancer box and Click OK.LB4

4. Once Loan balancer has been Enabled, you can see the Green Tick mark for Enable Loadbalancer.LB5

5. Next We need to create Application Profiles, In the load balancer category panel, select Application Profiles –> Click the green plus sign (+) to open the New Profile dialog box.

6. In the New Profile dialog box, Enter the Name –> Select Protocol Type (HTTPS)           –>  Select the Enable SSL Passthrough check box and click OK.LB6

7. Once Application Profile has been created you can see Profile ID and name under box.LB7

8. Next we have to Create a Server Pool. I am going to create a round-robin server pool that contains the two Web server virtual machines as members providing HTTPS.

9. In the load balancer category panel, select Pools –> Click the green plus sign (+) to open the New Pool dialog box.

10. In the New Pool dialog box, Enter the Server Pool Name in the text box –> Select Algorithm – ROUND-ROBIN –> And Below Members, click the green plus sign (+) to open the New Member dialog box, and add all web servers as members.LB8

11. Once all members has been added into Server Pool verify and Click OK.LB9

12. Once Pools has been added you can see the Pool ID, Pool Name with Configured Algorithm under the box.LB10

13. Next we need to Create a Virtual Server. select Virtual Servers –> click the green plus sign (+) to open the New Virtual Server dialog box.

14. In the New Virtual Server dialog box, select Enabled box –> Enter the Virtual Server name –> enter the IP Address of the Interface –> Select protocol (HTTPS) –> Port Number for HTTPS (443) –> Select the Pool name and Application Profile created earlier and Click OK.LB11

15. Once done you can see Virtual Server Name with all configured details under the box. LB12

That’s It 🙂 This is how we can configure NAT and Load balancer using NSX Edge.

Thank You and Keep sharing :)

—————————————————————————————————

Other NSX Parts:-

Network Virtualization with VMware NSX – Part 1

Network Virtualization with VMware NSX – Part 2

Network Virtualization with VMware NSX – Part 3

Network Virtualization with VMware NSX – Part 4

Network Virtualization with VMware NSX – Part 5

Network Virtualization with VMware NSX – Part 6

Network Virtualization with VMware NSX – Part 7

Network Virtualization with VMware NSX – Part 8

Network Virtualization with VMware NSX – Part1

Overview of VMware NSX

VMware NSX is a network virtualization platform that enables you to build a rich set of logical networking services such as Logical Switching, Logical Routing, Logical Firewall, Logical Load Balancer, Logical Virtual Private Network (VPN). NSX enables you to start with your existing network and server hardware in the data center. NSX adds nothing to the physical switching environment. NSX exists in the ESXi environment and is independent of the network hardware.

NSX is a software networking and security virtualization platform that delivers the operational model of a virtual machine for the network. Virtual networks reproduce the Layer2 – Layer7 network model in software. By virtualizing the network, NSX delivers a new operational model for networking that breaks through current physical network barriers and enables data center operators to achieve better speed and agility with reduced costs.

With VMware NSX, virtualization now delivers for networking what it has already delivered for compute and storage. In much the same way that server virtualization programmatically creates, snapshots, deletes and restores software-based virtual machines (VMs), VMware NSX network virtualization programmatically creates, snapshots, deletes, and restores software-based virtual networks.

NSX can be configured through the vSphere Web Client, a command line interface (CLI), and REST API.

An NSX-v deployment consists of a data plane, control plane and management plane:

nsx9

NSX Functional Services

NSX provides a faithful reproduction of network & security services in software. e.g.

NSX10

Preparing for Installation

NSX has the following requirements:

  • vCenter Server 5.5 or later
  • ESXi 5.0 or later for each server
  • VMware Tools

NSX requires below ports for installation and daily operations:

  • 443 between the ESXi hosts, vCenter Server, and NSX Manager.
  • 443 between the REST client and NSX Manager.
  • TCP 902 and 903 between the vSphere Web Client and ESXi hosts.
  • TCP 80 and 443 to access the NSX Manager management user interface and initialize the vSphere and NSX Manager connection.
  • TCP 1234 Communication between ESXi Host and NSX Controller Clusters
  • TCP 22 for CLI troubleshooting.

NSX Manager

The NSX Manager is the centralized management component of NSX, and runs as a virtual appliance on an ESXi host. Each NSX Manager manages a single vCenter Server environment. The NSX Manager requires connectivity to the vCenter Server, ESXi host, and NSX Edge instances, vShield Endpoint module, and NSX Data Security virtual machine. NSX components can communicate over routed connections as well as different LANs.

The NSX Manager virtual machine is packaged as an Open Virtualization Appliance (OVA) file, which allows you to use the vSphere Web Client to import the NSX Manager into the datastore and virtual machine inventory.

In the NSX for vSphere architecture, the NSX Manager is tightly connected to the vCenter server managing the compute infrastructure. In fact, there is a 1:1 relationship between the NSX Manager and vCenter and upon installation the NSX Manager registers with vCenter and injects a plugin into the vSphere Web Client for consumption within the Web management platform.

NSX Manager Components Plugin and Integration inside vSphere Web Client :-

NSX11

Note :- You can install the NSX Manager in a different vCenter than the one that the NSX Manager will be interoperating with. A single NSX Manager serves a single vCenter Server environment only.

Note :- Each NSX virtual appliance includes VMware Tools. Do not upgrade or uninstall the version of VMware Tools included with a NSX virtual appliance.

Deploy NSX Manager Virtual Appliance :-

1. Download the NSX Manager Open Virtualization Appliance (OVA) from https://my.vmware.com/web/vmware/downloads.

NSX22. Under Networking & Security section click Download Product for VMware NSX.

NSX33. Select your Version and click Go to Downloads.

NSX44. On the Download VMware NSX for vSphere 6.X Window click Download Now to start downloading of the NSX Manager Open Virtualization Appliance (OVA) file.

5. Place the NSX Manager Open Virtualization Appliance (OVA) file in a location accessible to your vCenter server and ESXi hosts.

6. Log in to the vSphere Web Client where do you want to Import/Run the NSX Manager.

7. Right-click the Cluster/Host where you want to install NSX Manager and select Deploy OVF Template.

NSX158. If this is the first time you are deploying an OVF file, It will ask you to download the Client Integration Plug-in. Click on Download the Client Integration Plug-in link to download and install. (Close all browser before installation and once completed Log in to the vSphere Web Client again and navigate to the host where you were installing NSX Manager.)

NSX169. On the Select Source window Click Browse to locate the folder on your computer that contains the NSX Manager OVA file, Select the OVA click Open and click Next.

NSXM2

NSXM310. It will take few seconds to validate the OVA. Once validated click Next to continue

NSXM411. Review the OVF template details and click Next.

NSXM612. Click Accept to accept the VMware license agreements and click Next.

NSXM713. Name the NSX Manager and select the location for the NSX Manager that you are installing and Click Next.

NSXM814. Select Storage and Click Next.

NSXM915. On the Setup networks page, confirm that the NSX Manager adapter has been mapped to the correct host network and click Next.

NSXM1016. On the Customized template page, specify the Passwords, Network Properties, DNS, NTP and SSH and Click Next.

NSXM1117. On the Ready to complete page, review the NSX Manager settings, Check the Power On after Deployment and click Finish.

NSXM12The NSX Manager is installed as a virtual machine in the inventory. Once deployment of NSX manager finished we need to Log In to the NSX Manager Virtual Appliance and Configure the NSX Manager.

Log In to the NSX Manager Virtual Appliance:-

1. Open the Web browser window and type the Name/IP address assigned to the NSX Manager. For example, https://nsxmanager.vdca550.com (In my case). Accept the security certificate. The NSX Manager login screen appears.

2. Use User name admin and the password you set during installation. If you had not set a password during installation, type default as the password and Click Log In.

NSXM133. Below is Home Screen of the NSX Manager. As you can see from here we can Manage Appliance Settings, Manage vCenter Registration, Backup and Restore of NSX Manager, and Upgrade NSX Manager Appliance.

NSXM144. Click on the View Summary to View and Configure the NSX Manager.

NSXM155. Click on the Mange Tab. From General Setting you can configure Time (NTP) and Syslog server Settings. Click Edit to enter the details and click ok.

NSXM16Time (NTP) Settings:-

NSXM17Syslog Server Settings:-

NSXM186. Click on Network. You can Review/Edit NSX Manager Network Settings and DNS Server settings for NSX Manager. Click on Edit to Edit the settings and click OK.

NSXM20

NSXM197. Click on SSL Certificates option to configure the SSL Certificate for NSX Manager.

8. Click on Backups and Restore option to take or scheduled Back of NSX manager Data.

NSXM21Note :- Currently there is no option to have multiple NSX managers for redundancy, So Backup is very critical for NSX Manger. In the case of NSX Manager failure you need to Deploy New NSX Manger and Restore the configuration from last backup.

9. To Upgrade your NSX Manager Appliance to latest version Download the Upgrade bundle from VMware website first and then from Upgrade Option in NSX Manager you can Upgrade to latest version. Click Upgrade in the Upgrade NSX Management Service –> Click Browse to select the Upgrade bundle and Click Upgrade to start the upgrade.

NSXM23

NSXM2410. Last and Important Option is NSX Management Service. Click on NSX Management Service –> Under vCenter Server Section click Configure to Register vCenter Server with NSX Manager. Enter vCenter Server Name, User Name and Password and Click OK to Add/Register vCenter Server with NSX Manager.

NSXM2511. Once vCenter Server registration done with NSX Manager We can connect to vCenter Server and verify that Networking & Security Icon under Inventories List.

NSXM2612. Click on the Networking & Security to open up the NSX Home page.

NSXM27And now we are all set to start the use of NSX features.

In the Next Part will discuss Installing and Configuring NSX Components …Please leave your Questions/Comments/Suggestions..Thank you !! 

Other NSX Parts:-

Network Virtualization with VMware NSX – Part 1

Network Virtualization with VMware NSX – Part 2

Network Virtualization with VMware NSX – Part 3

Network Virtualization with VMware NSX – Part 4

Network Virtualization with VMware NSX – Part 5