One of the most common use cases for introducing NSX is Micro Segmentation: the ability to secure network traffic flows between VMs, and from VMs to physical machines and infrastructure.
I see this a lot in my day-to-day job as an NSX consultant; I would say that 60-70% of projects start off with the deployment of just Micro Segmentation and then build up from there.
Setting up Micro Seg only in NSX-V wasn’t particularly difficult, but it wasn’t obvious either. The same can be said for NSX-T in releases prior to 3.0; in fact the setup for Micro Seg only was a lot more complex in those releases.
With NSX-T 3.0 the setup can be simplified greatly by using the built-in wizard. You can still configure it manually, and in some cases it may be best to do so; I will cover this deployment method in the next post, and in a future post I’ll cover how to move from a Micro Seg only build to a full deployment based on both the wizard method and the manual method.
But this post is about how to quickly set up a Micro Seg only environment using the wizard, so let’s get on with it.
I currently have a simple 3-Tier app deployed on my vSphere 7.0 cluster. The app consists of 5 VMs: two Web, two App and one DB server.
These are connected to VLAN-backed Distributed Port Groups on my vDS; the VLANs are configured as follows.
- Web – VLAN 110
- App – VLAN 120
- DB – VLAN 130
The diagram below shows a simple representation of the setup.
The plan is to deploy a Micro Seg only NSX-T 3.0 build on the hosts in the cluster. To do so we also need to migrate our VMs to NSX-T VLAN Segments.
This is different to how NSX-V did things, where no change to the VM networks was needed: the NSX-V DFW filtered traffic on whatever port group the VM was already attached to, whereas the NSX-T 3.0 DFW is only enforced for VMs connected to NSX-T segments.
From your NSX-T Manager go to System, Get Started then on the ‘Prepare Clusters for VLAN Micro-Segmentation’ box click GET STARTED.
Select the cluster that you want to prepare and click NEXT.
Now we need to map our Physical Network Adapters to the uplinks in the Uplink profile. What Uplink profile? I hear you say!
If yours is a new deployment then you probably haven’t created an Uplink profile yet; even if you have, you can’t use it as part of this wizard. Instead the wizard uses the default profile ‘nsx-default-loadbalance-uplink-hostswitch-profile’. This profile ships with the product and defines 4 x Uplinks. You can’t edit it, but for the wizard-driven deployment it’s fine to use even though we are only mapping two NICs to it.
From the ‘Select VDS’ drop-down menu select the vDS you wish to use.
If the hosts are on a release earlier than vSphere 7.0 then only an N-VDS can be used, as NSX-T on the vDS requires vSphere 7.0 hosts (and a version 7.0 vDS).
With the vDS selected, use the ‘VDS Uplinks’ drop-downs to map your vDS uplinks, then click NEXT.
We are supposed to also be able to use an N-VDS for 7.0 hosts as well as the vDS, but I can only assume you’d need to configure that manually ahead of time, as it’s not an option I have in my wizard. I tested this with the hosts not part of a vDS and it still defaulted to a vDS deployment; in any case I doubt many people will use an N-VDS for 7.0 hosts.
If you are using an N-VDS you can also migrate your host VMkernel adapters; this is currently not supported with the vDS configuration.
You will then see the ‘Preparing Clusters’ dialogue.
For a better view of the progress go to System, Fabric, Nodes.
If you click on the ‘NSX Configuration’ Column link you can see further details of the Installation Progress.
Once complete, the status will change to ‘Success’ and ‘Node Status’ will show as Up.
With that we are done with the host configuration.
The next step is to set up our segments and migrate our VMs to them, but before that let’s take a quick look at what just happened.
What just happened?
It’s worth understanding what the wizard just did, not only so you know how the system is configured, but also because, if you plan on doing this manually, it shows exactly what you need to set up yourself.
The wizard uses built-in objects to configure the hosts. If you take a look at the ‘Transport Zones’ you can see the two default ones; by clicking ‘Transport Node Members’ on the ‘nsx-vlan-transportzone’ you can see that our two cluster hosts have been added.
If you click on the ‘nsx-vlan-transportzone’ on the ‘Overview’ page you can see that the ‘Switch Name’ is ‘nsxHostSwitch’.
By going to System, Fabric, Profiles, Transport Node Profiles we can see that a new Profile has been created; this can be renamed and edited, but we’ll cover that in another post.
Configure Segments and Migrate VMs
Next we need to create our Segments: Web, App and DB.
Go to Networking, Segments and click ADD SEGMENT.
Enter the ‘Segment Name’, select the ‘Transport Zone’ (which will be ‘nsx-vlan-transportzone’), enter the ‘VLAN’ and then scroll down.
Finally, when asked whether you want to continue configuring the segment, click NO, since there is nothing further we need to configure.
Repeat for the other Segments.
The final step is to migrate our VMs to the new segments. We can do this on each individual VM, but it’s simpler to do it in bulk.
Go to your vCenter, select the ‘Networking’ tab and select the vDS.
The NSX-T segments appear on the vDS as Distributed Port Groups. An important thing to note here is that the NSX-T Port Groups cannot be edited from vCenter, as they are managed by NSX-T. You can see this if you click on the ellipsis next to the port group.
Note the lack of the ‘Edit Settings’ option.
Right-click the old Port Group and select ‘Migrate VMs to Another Network’.
Select the appropriate NSX-T Segment; note that the NSX Segments have an ‘N’ icon and show the ‘NSX Port Group ID’.
Select the VMs to migrate and click NEXT.
We can now see our VMs have been migrated to the NSX-T Segment.
Repeat for the remaining Segments.
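The segment creation and the migration check above are both click-through procedures. Below is an added example (not code from the original post or from VMware) that does the same two things through the NSX-T Policy API with only the Python standard library: it looks up the built-in ‘nsx-vlan-transportzone’, builds idempotent PATCH bodies for the Web/App/DB VLAN segments, and then compares the number of VMs attached to each segment against the five VMs we expect. The manager hostname, credentials, placeholder UUIDs and the sample API responses at the bottom are assumptions and constructed data, not values from the post.

```python
"""Added example, not from the original post: create the Web/App/DB VLAN
segments via the NSX-T Policy API and check that every expected VM has
landed on its segment.  Manager address, credentials and the sample
responses below are assumptions / constructed data."""
import base64
import json
import ssl
import urllib.request

API = "/policy/api/v1"
TZ_BASE = "/infra/sites/default/enforcement-points/default/transport-zones"

# Segment name -> VLAN ID, as laid out on the page.
SEGMENTS = {"Web": 110, "App": 120, "DB": 130}
# VMs expected on each segment once migration is complete (2 Web, 2 App, 1 DB).
EXPECTED_VMS = {"Web": 2, "App": 2, "DB": 1}


def find_vlan_tz_path(listing, name="nsx-vlan-transportzone"):
    """Pick the built-in VLAN transport zone out of a GET <API><TZ_BASE> listing.
    The wizard added the hosts to this zone, so segments must be created in it
    to appear as port groups on the vDS.  Match on tz_type as well as the name
    so a similarly named overlay zone cannot be picked up by mistake."""
    hits = [tz for tz in listing["results"]
            if tz["display_name"] == name and tz.get("tz_type") == "VLAN_BACKED"]
    if len(hits) != 1:
        raise LookupError(f"expected one VLAN transport zone named {name!r}, found {len(hits)}")
    return hits[0]["path"]


def segment_payload(name, vlan_id, tz_path):
    """Body for PATCH <API>/infra/segments/<id>: a single-VLAN segment."""
    if not 1 <= int(vlan_id) <= 4094:
        raise ValueError(f"{name}: VLAN {vlan_id} is outside 1-4094")
    return {
        "display_name": name,
        "vlan_ids": [str(vlan_id)],  # the Policy API takes VLAN IDs as strings
        "transport_zone_path": tz_path,
    }


def build_segments(tz_path, segments=SEGMENTS):
    return {n: segment_payload(n, v, tz_path) for n, v in segments.items()}


def count_attached_vms(ports_listing):
    """Count ports carrying a VIF attachment in a GET .../segments/<id>/ports listing."""
    return sum(1 for p in ports_listing.get("results", []) if p.get("attachment"))


def check_migration(port_listings, expected=EXPECTED_VMS):
    """Return {segment: (found, expected)} for every segment whose VM count is off."""
    found = {seg: count_attached_vms(port_listings.get(seg, {})) for seg in expected}
    return {seg: (found[seg], want) for seg, want in expected.items() if found[seg] != want}


class PolicyApi:
    """Minimal Policy API client (basic auth).  TLS verification stays on: pass
    the manager's CA bundle via ca_file rather than disabling it, even in a lab."""

    def __init__(self, manager, user, password, ca_file=None):
        self.base = f"https://{manager}{API}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        self.ctx = ssl.create_default_context(cafile=ca_file)

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def ensure_segments(self, segments=SEGMENTS):
        """PATCH is create-or-update, so rerunning this is safe.  Returns the
        per-segment port listings for check_migration()."""
        tz_path = find_vlan_tz_path(self.call("GET", TZ_BASE))
        for name, payload in build_segments(tz_path, segments).items():
            self.call("PATCH", f"/infra/segments/{name}", payload)
        return {name: self.call("GET", f"/infra/segments/{name}/ports") for name in segments}


# Constructed sample responses (placeholder UUIDs) so the logic runs offline.
SAMPLE_TZ_LISTING = {"results": [
    {"display_name": "nsx-overlay-transportzone", "tz_type": "OVERLAY_STANDARD",
     "path": f"{TZ_BASE}/11111111-1111-1111-1111-111111111111"},
    {"display_name": "nsx-vlan-transportzone", "tz_type": "VLAN_BACKED",
     "path": f"{TZ_BASE}/22222222-2222-2222-2222-222222222222"},
]}
# One App VM has not been migrated yet, so App shows one attached port instead of two.
SAMPLE_PORTS = {
    "Web": {"results": [{"attachment": {"id": "vif-web1"}}, {"attachment": {"id": "vif-web2"}}]},
    "App": {"results": [{"attachment": {"id": "vif-app1"}}]},
    "DB":  {"results": [{"attachment": {"id": "vif-db1"}}]},
}
```

Offline, `check_migration(SAMPLE_PORTS)` reports `{'App': (1, 2)}`, i.e. one App VM is still on the old port group. Against a real manager (assumed hostname and credentials) the sequence is `api = PolicyApi("nsxmgr.lab.local", "admin", password, ca_file="nsx-ca.pem")` followed by `check_migration(api.ensure_segments())`; an empty result means all five VMs are on their NSX-T segments and ready for DFW rules.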
The next step would be to configure your Distributed Firewall Rules, but that’s a whole different post coming soon. Note that at this point the DFW default rule still allows everything, so migrating the VMs onto NSX-T segments has not restricted any traffic yet; it has only made the VMs eligible for the rules you write next.