NSX deployment
The following information provides an introduction to VMware® NSX™ deployment details for VMware Cloud Foundation deployment architectures in IBM Cloud VPC.
NSX deployment architectures for VMware Cloud Foundation
An overview of consolidated architecture is shown in the following diagram. The consolidated architecture deployment uses the management domain NSX components for the workloads as well.
Standard architecture follows the same principles, but deploys dedicated NSX managers and NSX edge nodes for the VI workloads domain and uses dedicated TEP and Tier-0 gateway uplink subnets for the workload domain hosts and edge nodes. All NSX managers are deployed on the management domain.
VMware vSphere distributed switch deployment
In the VMware Cloud Foundation architecture for IBM Cloud VPC, each IBM Cloud bare metal server has two PCI interfaces and one vSphere Distributed Switch with two uplinks.
When you create IBM Cloud bare metal server VLAN interfaces for NSX components that are attached to a VPC subnet, your Distributed Switch must contain a port group that matches the used VLAN IDs.
Each physical host has a redundant 100 Gb network connection for network access to IBM Cloud VPC. The 100 Gb bandwidth is shared by the network interfaces that are on the bare metal server.
The high availability for physical network connectivity is handled by IBM Cloud, which manages the aggregation. The multiple PCI interfaces, as seen in VMware Cloud Foundation deployment, do not add redundancy, but they are required in VMware Cloud Foundation deployments and are used in the uplink migrations from vSphere Standard Switch to vSphere Distributed Switch.
NSX manager deployment
NSX Manager Node hosts the API services, the management plane, and the agent services. It provides a graphical user interface (GUI) and REST APIs for creating, configuring, and monitoring NSX Data Center components, such as logical switches, gateways, and firewalls. It also provides a system view and it is the management component of NSX Data Center. For high availability, VMware Cloud Foundation deploys a management cluster of three NSX Manager virtual machines (VMs) and a virtual IP.
A VLAN interface is provisioned for each NSX manager in the management subnet (vpc-mgmt-subnet) of the VPC. This VPC subnet is designated for VMware management components of your solution. If you deploy the NSX managers on the same VPC subnet in a zone, and you plan to use the NSX internal network load balancer, you need an extra VLAN interface for this virtual IP (VIP). All created VLAN interfaces are allowed to float, which means that they can be vMotioned between the ESXi hosts. The following table summarizes the required VLAN interfaces in IBM Cloud VPC.
Interface name | Interface type | VLAN ID | Subnet | Allow float | NSX interface | Distributed port group name |
---|---|---|---|---|---|---|
vlan-nic-nsx-0 | vlan | 1611 | vpc-mgmt-subnet | true | NSX Manager 1 | pg-mgmt |
vlan-nic-nsx-1 | vlan | 1611 | vpc-mgmt-subnet | true | NSX Manager 2 | pg-mgmt |
vlan-nic-nsx-2 | vlan | 1611 | vpc-mgmt-subnet | true | NSX Manager 3 | pg-mgmt |
vlan-nic-nsx-vip | vlan | 1611 | vpc-mgmt-subnet | true | NSX Manager VIP | pg-mgmt |
When the initial NSX Manager is deployed into the host and cluster, you must register the vCenter as the compute manager to facilitate the deployment of other NSX Managers. You can use the Public Gateway that is attached to the management subnet to download updates for the NSX Managers through SDDC manager.
The principles for deploying NSX managers for consolidated and standard VMware Cloud Foundation deployment are the same.
Host transport nodes
For NSX, each ESXi host must be set as a Transport Node so that it becomes capable of participating in an NSX Data Center overlay or NSX Data Center VLAN networking. Cloud builder and SDDC manager handle the deployment in VMware Cloud Foundation. VPC Bare Metal Server VLAN interfaces are prepared for the TEP vmks in the hosts.
The following table lists the required VLAN interfaces for NSX VMKs for each host. These interfaces are always local to the host and do not need to move, but are allowed to float to facilitate the use in NSX pools. They are provisioned on the vpc-tep-subnet.
Interface name | Interface type | VLAN ID | Subnet | Allow float | VMkernel adapter | Distributed port group name |
---|---|---|---|---|---|---|
vlan-nic-tep-pool-<1> | vlan | 1614 | vpc-tep-subnet | false | vmk10 | none - set in NSX profile |
vlan-nic-tep-pool-<2> | vlan | 1614 | vpc-tep-subnet | false | vmk11 | none - set in NSX profile |
Host TEP VLAN ID is defined in the host transport profile.
The previous table shows the naming and numbering principles. The actual deployment subnet or distributed port group names might vary.
In the standard architecture, the VI workload domain deployment uses new VPC subnets and new VLAN IDs.
Interface name | Interface type | VLAN ID | Subnet | Allow float | VMkernel adapter | Distributed port group name |
---|---|---|---|---|---|---|
vlan-nic-tep-pool-<1> | vlan | 1614 | vpc-tep-subnet | false | vmk10 | none - set in NSX profile |
vlan-nic-tep-pool-<2> | vlan | 1614 | vpc-tep-subnet | false | vmk11 | none - set in NSX profile |
vlan-nic-wl-tep-pool-<1> | vlan | 1634 | vpc-wl-tep-subnet | false | vmk10 | none - set in NSX profile |
vlan-nic-wl-tep-pool-<2> | vlan | 1634 | vpc-wl-tep-subnet | false | vmk11 | none - set in NSX profile |
The previous table shows the naming and numbering principles. The actual deployment subnet or distributed port group names might vary.
Edge transport nodes and gateway cluster
In addition to NSX Managers, the NSX gateway cluster and NSX Edge nodes are required in an NSX deployment. The Edge Nodes are specific service appliances that are dedicated to running centralized network services that cannot be distributed to the ESXi hypervisors, such as Network Address Translation or north-south traffic between NSX Geneve Segments and VPC subnets. NSX Edge Nodes are transport nodes that run local control plane daemons and forwarding engines that implement the NSX data plane.
VM form factor Edge Nodes are used in this architecture. Edge Nodes can be grouped in one or several clusters, representing a pool of capacity. NSX gateways, Tier-0 (also referred to as T0) and Tier-1 (also referred to as T1), can be hosted in the same or different gateway clusters. In this architecture, a single gateway cluster is created for all T0 and T1 gateways. A T0 gateway provides north-south connectivity and connects to a VPC subnet. A T1 gateway connects to one T0 gateway, and it provides northbound connectivity to the NSX segments attached to it.
The following table summarizes the requirements for a Medium Form Factor Edge environment, which is the starting size for production workloads.
Attribute | Medium edge node |
---|---|
NSX Edges | 2 VMs |
Number of vCPUs | 4 |
Memory | 8 GB |
Disk | 200 GB |
Network - Management | vpc-mgmt-subnet |
You can change the size of the edge node in the deployment variables.
As for the other NSX components, VLAN interfaces must be created in IBM Cloud VPC for connectivity. The following table lists the required VLAN interfaces for Edge Nodes.
Interface name | Interface type | VLAN ID | Subnet | Allow float | NSX interface | Distributed port group or segment name |
---|---|---|---|---|---|---|
vlan-nic-nsx-edge-1 | vlan | 1611 | vpc-mgmt-subnet | true | NSX Edge 1 Mgmt | pg-mgmt |
vlan-nic-nsx-edge-2 | vlan | 1611 | vpc-mgmt-subnet | true | NSX Edge 2 Mgmt | pg-mgmt |
vlan-nic-edge-tep-pool-1 | vlan | 2713 | vpc-tep-subnet | true | NSX Edge 1 TEP 1 | none - set in NSX profile |
vlan-nic-edge-tep-pool-2 | vlan | 2713 | vpc-tep-subnet | true | NSX Edge 1 TEP 2 | none - set in NSX profile |
vlan-nic-edge-tep-pool-3 | vlan | 2713 | vpc-tep-subnet | true | NSX Edge 2 TEP 1 | none - set in NSX profile |
vlan-nic-edge-tep-pool-4 | vlan | 2713 | vpc-tep-subnet | true | NSX Edge 2 TEP 2 | none - set in NSX profile |
Edge TEP VLAN ID is defined in the edge transport profile.
This action provides the base for each NSX edge. NSX T0 gateway needs its own VLAN interfaces for its uplinks.
The previous table shows the naming and numbering principles. The actual deployment subnet or distributed port group names might vary.
In the standard architecture, the VI workload domain deployment uses new VPC subnets and new VLAN IDs.
Interface name | Interface type | VLAN ID | Subnet | Allow float | NSX interface | Distributed port group or segment name |
---|---|---|---|---|---|---|
vlan-nic-nsx-edge-1 | vlan | 1611 | vpc-mgmt-subnet | true | NSX Edge 1 Mgmt | pg-mgmt |
vlan-nic-nsx-edge-2 | vlan | 1611 | vpc-mgmt-subnet | true | NSX Edge 2 Mgmt | pg-mgmt |
vlan-nic-edge-tep-pool-1 | vlan | 2713 | vpc-tep-subnet | true | NSX Edge 1 TEP 1 | none - set in NSX profile |
vlan-nic-edge-tep-pool-2 | vlan | 2713 | vpc-tep-subnet | true | NSX Edge 1 TEP 2 | none - set in NSX profile |
vlan-nic-edge-tep-pool-3 | vlan | 2713 | vpc-tep-subnet | true | NSX Edge 2 TEP 1 | none - set in NSX profile |
vlan-nic-edge-tep-pool-4 | vlan | 2713 | vpc-tep-subnet | true | NSX Edge 2 TEP 2 | none - set in NSX profile |
vlan-nic-nsx-wl-edge-1 | vlan | 1631 | vpc-wl-mgmt-subnet | true | NSX Edge 1 Mgmt | pg-wl-mgmt |
vlan-nic-nsx-wl-edge-2 | vlan | 1631 | vpc-wl-mgmt-subnet | true | NSX Edge 2 Mgmt | pg-wl-mgmt |
vlan-nic-edge-wl-tep-pool-1 | vlan | 2733 | vpc-wl-tep-subnet | true | NSX Edge 1 TEP 1 | none - set in NSX profile |
vlan-nic-edge-wl-tep-pool-2 | vlan | 2733 | vpc-wl-tep-subnet | true | NSX Edge 1 TEP 2 | none - set in NSX profile |
vlan-nic-edge-wl-tep-pool-3 | vlan | 2733 | vpc-wl-tep-subnet | true | NSX Edge 2 TEP 1 | none - set in NSX profile |
vlan-nic-edge-wl-tep-pool-4 | vlan | 2733 | vpc-wl-tep-subnet | true | NSX Edge 2 TEP 2 | none - set in NSX profile |
The previous table shows the naming and numbering principles. The actual deployment subnet or distributed port group names might vary.
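The requirement that the Distributed Switch contains a port group matching each VLAN interface's VLAN ID, and the separation of workload domain interfaces onto their own subnets in the standard architecture, can be checked against an interface plan before provisioning. The following Python check is an added example, not part of the IBM Cloud documentation or tooling; the row layout, the `PORT_GROUPS` export, the `is_workload` naming convention, and the `validate` function are hypothetical, and the sample rows are constructed from the tables on this page.

```python
from collections import defaultdict

# Constructed sample rows that follow the tables on this page:
# (interface name, VLAN ID, VPC subnet, distributed port group or None)
PLAN = [
    ("vlan-nic-nsx-0", 1611, "vpc-mgmt-subnet", "pg-mgmt"),
    ("vlan-nic-nsx-vip", 1611, "vpc-mgmt-subnet", "pg-mgmt"),
    ("vlan-nic-tep-pool-1", 1614, "vpc-tep-subnet", None),
    ("vlan-nic-edge-tep-pool-1", 2713, "vpc-tep-subnet", None),
    ("vlan-nic-nsx-wl-edge-1", 1631, "vpc-wl-mgmt-subnet", "pg-wl-mgmt"),
    ("vlan-nic-edge-wl-tep-pool-1", 2733, "vpc-wl-tep-subnet", None),
]
# Hypothetical export of port group name -> VLAN ID from the Distributed Switch.
PORT_GROUPS = {"pg-mgmt": 1611, "pg-wl-mgmt": 1631}


def is_workload(name):
    """Assumed convention: workload domain names carry a 'wl' token."""
    return "wl" in name.split("-")


def validate(plan, port_groups):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    subnets_by_vlan = defaultdict(set)
    for name, vlan, subnet, port_group in plan:
        subnets_by_vlan[vlan].add(subnet)
        if not 1 <= vlan <= 4094:
            findings.append(f"{name}: VLAN ID {vlan} is outside 1-4094")
        # Workload domain interfaces must stay on workload domain subnets.
        if is_workload(name) != is_workload(subnet):
            findings.append(f"{name}: domain does not match subnet {subnet}")
        if port_group is None:
            continue  # TEP interfaces: the VLAN ID is set in the NSX profile
        if port_group not in port_groups:
            findings.append(f"{name}: port group {port_group} not found")
        elif port_groups[port_group] != vlan:
            findings.append(
                f"{name}: VLAN {vlan} but {port_group} carries {port_groups[port_group]}")
    # Assumption drawn from the tables: one VLAN ID maps to one VPC subnet.
    for vlan, subnets in sorted(subnets_by_vlan.items()):
        if len(subnets) > 1:
            findings.append(f"VLAN {vlan} is used on {sorted(subnets)}")
    return findings


if __name__ == "__main__":
    for finding in validate(PLAN, PORT_GROUPS) or ["plan is consistent"]:
        print(finding)
```

Because actual subnet and port group names might vary, adjust `is_workload` to the naming used in your deployment before relying on the domain check.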