VMware NSX 6.1 for vSphere – Deploying an Edge Gateway

Caution: Articles written for technical not grammatical accuracy, If poor grammar offends you proceed with caution ;-)

So far we have deployed (2) Logical Switches and (1) Distributed Logical Router and deployed a VM on to each logical switch.  Our VM’s can communicate with each other across the Distributed Logical Router, but they can’t communicate to anything else.  What we now need to do is deploy an Edge Gateway that we will configure to communicate upstream to the physical network and downstream to the logical network.  Where we could technically just connect the Distributed Logical Router upstream to your physical network, it’s not really a best practice approach and it’s not a supported approach when integrating with vCAC.

Deploying an NSX Edge Gateway

1. Open the vSPhere web client, then open Networking & Security and select NSX Edges from the Left menu and then click the green +.
2. When the dialog opens choose Edge Services Gateway as the install type, give it a name, and input the fqdn hostname then click Next.
   
   
3. Next set the username and password for the appliance.  Optionally Enable SSH, HA, & auto rule generation for the router.  Auto rule generation is pretty handy to enable.  When you enable other NSX Edge services such as IPSec VPN, L2 VPN, Load Balancing, etc the needed rules for those services will be auto created for you.  When finished click Next.
4. Next select the datacenter for the NSX Edge, then select the appliance size of the Edge you would like to deploy (Reference below), make sure the Deploy NSX Edge box is checked and then click the green + under NSX Edge Appliance.Compact – 1 vCPU, 512Mb Memory, 512MB Storage
   Large – 2 vCPU, 1GB Memory, 512MB Storage
   X-Large – 6 vCPU, 8GB, 4.5GB w/4GB Swap Storage
   Quad Large – 4 vCPU, 1GB Memory, 512MB Storage
5. Next Select the Cluster/Resource Pool, Datastore, Host, and Folder to which the Edge Gateway will be deployed and then select ok.
   *Note – In the MoaC lab all routers are deployed into a management cluster and not the consumer clusters within the environment.|
6. Click Next
7. Next click the green + to configure the NSX Edges Interfaces.
8. Next assign a name to the interface on the Edge Gateway, select the type Uplink, then select change to assign the DvPortGroup you would like to connect the routers uplink to. This should be a trunked in network or vLAN that is configured as a Distributed Portgroup.  In the MoaC lab we created a network that is only avbailable between the uplink of the NSX Edge Gateway and our physical router.  It is a vLAN network, but no other devices exist in it.  Once you select the network click the green + to configure it’s IP information.
9. Click the green +, then input the IP address for this interface on the router then click the OK button next to the IP address.  Assign the bits of subnet for the network you are connecting to. (Although I used a 24-bit subnet mask I could have used a 29-bit because in the MoaC it is an isolated network between the Edge Gaeway and two Physical router routers).  When finished select OK.
10. Click OK.
11. Click Next.
12. Ensure Configure Default Gateway is Checked then input the IP address of the upstream router for the network your router interface is connected to in the Gateway IP field and click Next.
13. Optionally select Configure Firewall default policy.  I prefer to use this option and configure the default traffic policy to deny.  If you selected an HA deployment you must also specify Management IP’s for each router.  These are not used for management, only for HA and they should be on a /30 network range.
14. Finally click Finish to deploy the NSX Edge.
15. If you recall we built the bottom half of this diagram when we configured our Distributed Logical Router.  In this article we configured the top half essentially deploying an NSX Gateway and connecting it to our physical Network.  This still doesn’t help us get connectivity between our virtual machines connected to the logical switches to the physical network unless we connect the Distributed Logical Router to the  Edge Gateway we just deployed.
16. Test your skills and see if you can figure out how to tie them together.  I will cover cover this in my next post.