VMware NSX 6.1.3 Released Today

For all of you who have been patiently waiting for NSX 6.1.3 so you can upgrade to vSphere 6, your wait is over! VMware released NSX 6.1.3 today and it is now live for download. On top of support for vSphere 6, it also includes a number of security and bug fixes; details can be found in the release notes.

NSX vSphere 6.1.3 introduces the following features:

  • Dynamic routing protocols are supported on sub-interfaces.
  • ECMP and Logical Firewall are supported at the same time with logical routing.


VMware vSphere 6 & NSX – Planning on upgrading to vSphere 6 in an environment with NSX?

So vSphere 6 launched last week and you want to kick the tires in your lab.  Hopefully before you install you head on over to VMware and check out the Interoperability Matrixes. I’ve been reading posts online about folks jumping in with both feet and just straight out upgrading to vSphere 6.  Of course I may have been one of those people myself.

I, being who I am, got all excited over the vSphere 6 release and all the new features it offers, cracked open the upgrade guide and went all in with the vSphere 6 migration utility and migrated my vCenter 5.5 server to vCenter 6. That’s half the battle, right? Get through the migration and everything will be golden. Not quite. After the migration (which went fairly smoothly, by the way), I launched the vSphere web client, went to log in and noticed I was not able to log in as myself. Luckily the administrator@vsphere.local account was able to log in with no issues. I then started poking around and noticed I no longer had a link for Networking and Security.


vRealize Automation – vCAC 6.1 – Creating a One to One NAT Network Profile

One-to-One NAT environments allow you to perform both SNAT and DNAT for all machines provisioned behind an NSX Edge Gateway. For each machine provisioned onto the One-to-One NAT network, an External IP is added to the Edge Gateway for the NAT translation. The External IP is assigned from the External Network Profile that is assigned to the One-to-One NAT Network Profile. Although the One-to-One NAT network will use NAT translation to communicate with the upstream networks (North – South), it is routed to other networks connected to the same NSX Edge Gateway. When deploying a multi-tier application that has multiple network tiers attached to an NSX Edge Gateway, all the back-end networks are routable, so it’s important not to re-use IP space across different Network Profiles.

 

In the below diagram there are three Multi-Machine apps. Each one has three web servers, two app servers, and two database servers. The database servers are on a private network, with no NAT translation to the upstream networks. The App servers are using a One-to-Many NAT network where they are using SNAT to get access to the upstream network, and the Web Servers are using DNAT for both inbound and outbound traffic. You will notice that each of the Multi-Machine Apps is using the same IP address on the backend; however, the IPs assigned to the NSX Edge Gateway’s external interfaces are different. Notice that for the One-to-One NAT there is an equal number of external IP addresses. Also notice that in this scenario, where we are using both One-to-One and One-to-Many, the external IPs are on the same subnet. They all should come from the same External Network Profile that is related to the network that the NSX Edge Uplink interface is provisioned to.


vRealize Automation – vCAC 6.1 – Creating a Private Network Profile

Private networks have no upstream (North – South) NAT or routing when they are deployed. They are networks attached to the deployed NSX Edge Gateway that have East – West routing to other networks attached to the same NSX Edge Gateway, and that is it. Because of this, unlike the other NSX-related Network Profiles we can create, the Private Network Profile does not need to have an External Network Profile attached to it. It’s simply a range of IPs to be used for the machines provisioned onto the network.

In the below diagram the blue network will be my private network. Machines placed on the blue network will only be able to communicate with machines placed on the orange or green network and not anything upstream. I can also limit its communications further by using security policies, which we will discuss as a separate topic.


vRealize Automation – vCAC 6.1 – Creating a One to Many NAT Network Profile

When configuring a NAT Network Profile you have two options. You can configure a one-to-one or a one-to-many. Here we are going to walk through creating a one-to-many NAT Network Profile. One-to-many NAT networks are networks that do source NAT only. This will allow any machine provisioned onto the network to communicate out of the network under one IP address; however, there is no NAT translation configured to come into the network for any services. When you use a one-to-many NAT network profile in a Multi-Machine Blueprint, an NSX Edge Gateway will be deployed; however, routing will not be enabled, and a Source NAT rule and relevant firewall rules will be created. NAT networks get IP addresses from a pool of IPs that will be reused over and over again for each deployment. The nature of NAT lets us reuse the IPs because the different apps being deployed will all communicate using unique IP addresses on the outside of the provisioned Edge Gateway. Although I am using a class C network in my example, I really don’t need to. If I will never have more than six machines on the NAT network I could use a /29 network if I wanted to, but for simplicity I used a class C and assigned a fairly large range… just in case 😉

 

In the below diagram I’m going to represent the orange network as a one-to-many NAT network.  All machines provisioned behind the router will get an IP address from the NAT Pool and all will SNAT to the upstream network as the external IP address of the router.  The external IP is assigned from the External Network Profile that is assigned to the NAT Network Profile.
