3V0-643

3V0-643 is the exam code for the VMware Certified Advanced Professional 6 – Network Virtualization Deployment Exam. I recently passed this exam and thought I’d write a short blog post about it.

About the exam

The exam preparation guide for this exam contains the following description:
” The 3VO-643 exam tests candidates on their skills and abilities in implementation of a VMware NSX solution, including deployment, administration, optimization, and troubleshooting.”

As you might have guessed, this is a lab-based exam. Meaning you connect to a remote lab environment and work your way through a number of scenarios. You will be doing actual deployment, administration, optimization, and troubleshooting of a live VMware NSX platform.

Exam prerequisites

There is no course requirement for VCAP6-NV. That being said, to achieve the VCAP6-NV certification you must hold a valid VCP6-NV certification which does have a course requirement.

VMware recommends candidates to take the VMware NSX: Troubleshooting and Operations [V6.2] course as a preparation for this exam. I did the NSX version 6.4 of that course and although the course itself was very valuable, I can not say that it was really relevant as preparation for the 3V0-643 exam.

Another VMware recommendation is that the candidate should have two years of experience deploying NSX. Experience is a good thing of course. I would say this depends very much on how much and in which way you work with NSX in your day-to-day job role. My two cents:

You can skip the recommended course, but be sure you know your NSX including basic NSX troubleshooting.
Experience with deploying and managing all components of NSX is a must. Remember that you can gain experience in a lab environment as well.

Exam preparation

If you’ve ever been doing a VMware Hands-on Lab, the exam’s interface will be familiar to you. The controls, menus, and layout of the exam interface are very similar if not identical to the ones in the hands-on lab environment. I recommend doing a couple of NSX hands-on labs just to get used to the interface. HOLs VMware’s free, high quality labs that offer a convenient way for you to try out all kind of VMware tech and solutions. So check them out.

As always with VMware exams, the exam blueprint is your friend. It clearly states what areas of NSX (all) and scenarios you should prepare for. For 3V0-643 I would say the exam blueprint is spot on. On the exam I was faced with questions and scenarios linked to all of the objectives in the exam blueprint.

An important thing to keep in mind is that at the time of this writing the 3V0-643 lab environment is still based on vSphere 6.0 and NSX version 6.2. You should take this into account as you prepare for the exam.

Do your hands-on training in a NSX 6.2 environment. Build a nested lab with vSphere 6.0/NSX 6.2 if necessary. There are differences between the 6.2 and 6.4 UIs. If you’re not familiar with the 6.2 way of doing things you end up spending a lot of precious time navigating around in the (slow) vCenter UI trying to find things.
Study the NSX version 6.2 official documentation. It’s not meaningful to study anything else than version 6.2 documentation for this exam.
Study and practice all the objectives that are listed in the exam blueprint. Make sure you are comfortable accomplishing all of the objectives before you consider taking this exam.

What to expect?

23 questions/scenarios to be completed within 205 minutes. All of this in an outdated and slow vSphere 6.0/NSX 6.2 remote lab environment. It wasn’t the most exciting experience to be honest. The scenarios and problems you need to solve on the other hand were realistic and quite fun. It’s a mixture of tasks and objectives. One scenario you’ll complete with a couple of mouse clicks or commands, while the next will take you more than 30 minutes to complete.

Time is an issue. In my experience 205 minutes is not a lot of time. You easily end up with time pressure. You should be able to accomplish the objectives relatively fast. There is not much time for clicking around, finding your way, or thinking for that matter. Knowing beforehand how to accomplish objectives is key.
Time is not an issue. Don’t get stuck. You can skip questions and come back to them later if there’s time left. Correctly answered questions add to your score. Focus on that instead of getting stuck trying to answer a question and running out of time. This is especially true when you’re early on in the exam. Also, know that you can pass this exam even when you run out of time.

Conclusion

In my opinion passing 3V0-643 is an accomplishment. This lab-based NSX exam will thoroughly test your ability to successfully deploy, manage, optimize, and troubleshoot all aspects of a NSX platform. All that under time pressure.

A certification alone doesn’t make you a subject matter expert, but it’s probably fair to say that you know a thing or two about NSX when you pass 3V0-643.

Last but not least it would be great if VMware would update the exam’s lab environment to for instance vSphere 6.5/NSX 6.4, but I doubt that will happen. My guess is that we’ll see NSX-T exams instead, but time will tell.

Site-to-site IPsec VPN with NSX

With NSX Data Center for vSphere establishing site-to-site IPsec VPN connections is done on the Edge instances. One X-Large ESG instance supports up to 6000 IPsec tunnels which gives you an idea about scalability.

In this exercise I’ll show you how to configure a site-to-site IPsec VPN connection between two sites that are both using NSX Edge instances. This native NSX scenario is probably the easiest and most straightforward, but it’ll hopefully give you an idea of what the IPsec VPN configuration process looks like.

Diagram

As always let’s start with a picture of what we’re trying to achieve:

NSX IPSEC.png

The goal is simple. These two organisations want to establish a secure communications channel over the Internet so that specific logical networks at each site can communicate with each other. More specifically, in this scenario the two VMs in the diagram should be able to communicate with each other.

For this exercise I already deployed the NSX Edges and the DLRs. I also configured routing between ESG and DLR on each site. We will just focus on configuring the site-to-site IPsec VPN tunnel in this article.

Configuring the Edges

Under the “Manage” tab of the ESG click on “VPN” and choose “IPsec VPN”. To start adding a new IPsec configuration click the green plus sign.

Skärmavbild 2018-10-30 kl. 20.35.02

Let’s briefly touch upon the form here.

Enabled – Wether this IPsec VPN is active or not.
Enable perfect forward secrecy (PFS) – Enabled by default. Ensures each new cryptographic key is unrelated to any previous key.
Responder Only – When enabled the IPsec VPN will never initiate a connection.

Name – A name for the IPsec VPN.
Local Id – This is the IP address assigned to the ESG’s uplink interface.
Local Endpoint – When using pre-shared key fo authentication this can the same as “Local Id”.
Local Subnets – The IP subnets on this side that will be part of the IPsec VPN
Peer Id – A unique ID for the peer site. When using pre-shared key for authentication this can be anything although it is recommended to use the public IP address/FQDN of the remote endpoint. When using certificates for authentication this is the common name (CN) in the peer’s certificate.
Peer Endpoint – This is the IP address of the remote endpoint.
Peer Subnets – The subnets on the remote site that should be part of the IPsec VPN.

IKE Version – Internet Key Exchange version. Used to set up a security association (SA).
Digest Algorithm – The authentication algorithm to use.
Encryption Algorithm – The encryption algorithm to use.
Authentication – This can be either pre-shared key (PSK) or certificate.
Diffie-Hellman Group – The key exchange algorithm.
Extension – Aadditional parameters we can add to the IPsec VPN.

Using the IP information in the diagram above, the IPsec VPN configuration for organisation A’s ESG looks like this:

Skärmavbild 2018-11-03 kl. 12.53.45.png

And for organisation B’s ESG it looks like this:

Skärmavbild 2018-11-03 kl. 13.31.04.png

Please note that in my environment the uplink interfaces of both ESGs connect to the same L2 segment, configured with IP subnet 10.2.128.0/24.

Establishing the IPsec tunnel

With the IPsec configurations in place we can now move on with the tunnel establishment.

Start the IPsec VPN service on both edges:

Skärmavbild 2018-11-03 kl. 13.34.13.png

Let’s verify that the IPsec tunnel got established. Mark the IPsec VPN and click on “Show IPsec Statistics”:

Skärmavbild 2018-11-03 kl. 19.54.29.png

Channel status looks good. We can click on “View Details” to get some more state information. As you see not much is going on at this point. We have established an IPsec tunnel, but it’s not being used.

We can also view the IPsec VPN status at the edge instance CLI by issuing the “show service ipsec” command:

Skärmavbild 2018-11-03 kl. 20.14.30.png

Testing communication

At this point organisation A’s virtual machines connected to “LS Web” should be able to reach organisation B’s virtual machines connected to “LS Web” and vice versa. Let’s try it out.

Open a SSH or console session to one of the VMs and ping the virtual machine at the other site:

Skärmavbild 2018-11-03 kl. 23.16.52.png As you can see I’m pinging 172.16.1.20 from 172.16.0.20 and receiving replies.

Looking once more at the tunnel state, we can now see packets have been sent and received. It works!

Conclusion

Nothing really fancy here. Good old IPsec VPN doing its thing but on top of NSX components. Site-to-site IPsec VPN is an important component of any enterprise network platform and it’s good to see NSX Data Center for vSphere delivers the functionality as well as making it easy to configure.

Equal Cost Multi-Pathing in NSX Data Center

By deploying multiple ESG appliances and enabling Equal Cost Multi-Path (ECMP) on the Distributed Logical Router (DLR), NSX Data Center provides scalability and redundancy for northbound traffic in our SDDC.

Setting up ECMP in NSX Data Center is fairly easy. Let me show you.

The diagram

A high level overview of the NSX infrastructure for this excercise.

NSX ECMP.png

The goal in this exercise is to provide two equal cost routes on he DLR for northbound traffic. For this we are going to deploy two ESG appliances, configure dynamic routing between these and the DLR, and then finally enable ECMP.

Let’s get started!

Deploying the ESG appliances

Create the first ESG appliance.

Skärmavbild 2018-10-05 kl. 20.25.32.png

Add two interfaces: One connected to a VLAN-backed port group leading to the physical network, the other one connected to the logical transit switch leading to the DLR.

Skärmavbild 2018-10-05 kl. 20.33.12.png

Don’t forget to configure a default gateway pointing to the next hop on the physical network.

Once deployed we can go ahead and deploy the second ESG appliance in the same way.

Skärmavbild 2018-10-05 kl. 20.40.54.png

Create the same interfaces as on “Edge-01”. Use unique IP addresses though. 😉

Skärmavbild 2018-10-05 kl. 20.45.17.png

Configure dynamic routing on the DLR

There won’t be much multi-pathing going on without a working routing process between the DLR and the ESGs so let’s make sure that is in place first.

Starting with the DLR. We first need to add an uplink interface that connects the DLR to the transit switch:

Skärmavbild 2018-10-05 kl. 21.03.55

We’ll be doing dynamic routing using BGP in this exercise so navigate to the DLR’s “Routing” tab and set the router ID:

Skärmavbild 2018-10-05 kl. 21.11.15

Next navigate to “BGP”, set a private ASN (64 512 – 65 534), and enable BGP:

Skärmavbild 2018-10-05 kl. 21.19.14.png

While we’re here we also add our two future BGP neighbors. Click the green “plus” sign under “Neighbors” to add the first BGP neighbor:

Skärmavbild 2018-10-06 kl. 10.47.57.png

Now what’s all of this?
First we need to specify the IP address of our BGP neighbor (Edge-01 in the above screen). Next we have a forwarding address (data plane) which is the IP-address configured on the DLR’s uplink interface (2ESG in my case). The protocol address is used for the BGP peering/neighbor relationship which can be any unused IP address in the transit network (192.168.100.0/24 in my case). Finally we supply the remote ASN which is the private ASN of the BGP neighbor (65501 in my case).

Click “OK” and then add the second BGP neighbor (Edge-02). We use the same protocol address as for the first neighbor (one protocol address per uplink). Also type the same remote ASN as for the first BGP neighbor. Once done it should look something like this:

Skärmavbild 2018-10-05 kl. 21.49.06.png

The last thing we need to configure on the DLR is “Route Redistribution”.

Skärmavbild 2018-10-05 kl. 21.55.32.png

Enable route redistribution for BGP. Also add BGP to the route redistribution table and configure it to learn connected routes.

Configure dynamic routing on the ESGs

With BGP configured on the DLR we move over to to our ESGs.

Just like on the DLR we need a router ID on our ESGs. Starting with “Edge-01” go to the “Routing” tab and configure the the router ID:

Skärmavbild 2018-10-06 kl. 10.55.51.png

Next we configure the BGP which is almost identical to the way we configure BGP on the DLR.

Skärmavbild 2018-10-06 kl. 10.59.54

Enable BGP and type a private ASN for the ESG AS (65501 in my case). We might want to enable “Default Originate” so that the ESG will advertise a default gateway to the DLR. Otherwise we’ll have to configure a default gateway on the DLR manually.

We continue with adding the DLR as a BGP neighbor:

Skärmavbild 2018-10-06 kl. 16.54.30.png

Here things look slightly different compared to the DLR. No protocol address and no forwarding address are needed. Why not?
With the DLR the control plane and the data plane are separate from each other. What this means is that the forwarding address lives in the data plane, which is a distributed plane (ESXi hosts). The protocol address on the other hand is tied to the DLR control VM. The ESG is a central component where data plane and control plane both reside in the ESG appliance.

Next configure BGP route redistribution the same way as we did on the ESGs.

Skärmavbild 2018-10-06 kl. 16.56.40.png

Before we move on with the second ESG, let us just check that we have a working BGP neighbor relationship between the DLR and Edge-01 at this point.

Open the console of the DLR control VM and log in. Issue the “show ip bgp neigbors summary” command. At this point we should see one established BGP neighbor relationship:

Skärmavbild 2018-10-07 kl. 09.40.31.png

Next type “show ip route bgp”. Here we should see one (or two if default originate was enabled) BGP derived routes in the routing table:

Skärmavbild 2018-10-07 kl. 09.44.17

If everything looks as expected we can go ahead and configure BGP on Edge-02. The configuration steps are identical to the ones we did on Edge-01.

With Edge-02 configured and peered with the DLR, the BGP neighbor table on the DLR should now show two BGP neighbor relationships:

Skärmavbild 2018-10-07 kl. 09.55.10.png

ECMP

What we’ve built so far gives us better availability. When Edge-01 goes down, the BGP process on the DLR will after some time, depending on the configured “keep alive” and “hold down” timers, use the routes advertised by Edge-02 instead and traffic starts flowing again.

But with this setup we only have one active path from the DLR to the edge and beyond. To activate multi-pathing we simply need to enable ECMP on the DLR.

Head over to the DLR management and click the “Routing” tab > “Global Configuration” and start ECMP.

Skärmavbild 2018-10-06 kl. 19.43.24.png

At the DLR console issue the “show ip route bgp” command once again. We’ll notice a difference:

Skärmavbild 2018-10-07 kl. 10.10.25.png

We now have two BGP routes for every destination. Each of the Edge’s route advertisements end up as equal cost routes in the DLR’s routing table. The DLR will now use both these paths simultaneously. It does this by using a (non-configurable) hashing algorithm based on source and destination IP address.

Conclusion

Multiple ESG appliances combined with ECMP provides scalability and availability for northbound traffic. If your SDDC grows the size where a dedicated Edge cluster becomes best practice design, ECMP should be considered. Up to 8 equal paths (8 ESG appliances) can be provisioned to make sure the necessary bandwidth and redundancy are available to this critical part of the NSX infrastructure.

NSX: Bridging between VXLAN and VLAN

After you prepared your vSphere clusters for VXLAN you’re eager to start building your SDDC network. You provision some logical switches, a distributed logical router and maybe even an edge services gateway. Before you know it you are doing full-fledged network virtualization. It’s simple enough, right?

But then you realize you still have other virtual workloads and possibly all kind of physical equipment residing on that other network: The VLAN-based network.

Of course this is (hopefully) not the way you rollout VXLAN in your SDDC. Just like any other major change in your network (logical or physical) some kind of planning is required here. You should at least create a solid design for the VXLAN structure, the IP subnets, IP routing, and how it all connects and propagates to the physical network before you start implementing VXLAN. Things might get really complicated if you don’t.

But even with all the planning in the world you still might end up with workloads and equipment that for various reasons are stuck on VLANs. On top of that, some of these workloads require to be on the same L2 segment as the virtual workloads that you planned on migrating to VXLANs. This can be a short term (transitioning etc) or a long term requirement.

A helping hand

NSX Bridge One component of NSX-V that comes in handy in a situation like this is the L2 bridge. The L2 bridge has a number of use cases including:

Migration: Physical to virtual, or virtual to virtual without requiring re-IP.
Connectivity: Physical workloads not suitable for virtualization can maintain connectivity with virtual workloads inside of NSX.
Service insertion: Transparent integration of any physical appliance such as a router, load balancer or firewall into NSX.

There are some prerequisites and limitations:

L2 bridging requires a distributed logical router with a control VM
The VXLAN network and VLAN-backed port groups must be on the same distributed virtual switch and use the same physical NICs.
VLAN-backed port group must be configured with a VLAN ID (between 1 and 4094).
Don’t use a L2 bridge to connect a logical switch to another logical switch, a VLAN network to another VLAN network, or to interconnect data centers.
You can’t use a Universal logical router to configure bridging and you cannot add a bridge to a universal logical switch (cross-vCenter NSX objects).
A logical router can have multiple bridging instances, however, the routing and bridging instances cannot share the same VXLAN/VLAN network. Traffic to and from the bridged VLAN and bridged VXLAN cannot be routed to the bridged network and vice versa.
The recommended maximum is 500 bridging instances per distributed logical router. A number you’ll hopefully never need.

Configuring a L2 Bridge

The L2 bridge is configured with a couple of clicks over at the distributed logical router. Yes, a couple of API calls does the trick too.

At the DLR click the Manage tab and then Bridging. Click the green plus sign to add a bridge:

Skärmavbild 2018-09-08 kl. 19.48.50.png Type a name for the bridge and select a logical switch (VXLAN) and a distributed virtual port group (VLAN-backed). Click OK and don’t forget to publish your changes.

That’s all there is to it. You’re now bridging between a VXLAN and a VLAN.

Conclusion

VXLAN-VLAN bridging is not necessarily something you want to do over a long period of time as it adds some complexity to your environment. That being said, there are scenarios (mentioned above) where the L2 bridge is the right solution and it’s good to know that setting this up in NSX-V is a breeze.

VMware NSX 6.4.2 Released

nsx VMware has released NSX Data Center for vSphere 6.4.2 and it comes with some nice improvements.

Multicast routing is the big one in this release of course. It’s good to see that once again more NSX components can be managed/used with the vSphere Client (H5). Interesting as well is the addition of two new administrative roles: Network Engineer and Security Engineer.

Here’s a list of all that’s new:

Networking and Edge Services

Multicast Support: Adds ability to configure L3 IPv4 multicast on Distributed Logical Router and Edge Service Gateway through support of IGMPv2 and PIM Sparse Mode.
Default Limit of MAC identifiers: Increases from 2048 to 4096
Hardware VTEP: Added multi PTEP cluster capability to facilitate environments with multiple vCenters

Security Services

Context-Aware Firewall: Additional Layer 7 Application Context Support (EPIC, MSSQL, BLAST AppIDs)
Firewall Rule Hit Count: Monitor rule usage and easily identify unused rules for clean-up
Firewall Section Locking: Enables multiple security administrators to work concurrently on the firewall
NSX Application Rule Manager: Improved scale to 100 vNICs per session, further simplifying the process of creating security groups and whitelisting firewall rules for existing applications.

NSX User Interface

VMware NSX – Functionality Updates for vSphere Client (HTML): The following VMware NSX features are now available through the vSphere Client: TraceFlow, User Domains, Audit Logs, Events & Tasks. For a list of supported functionality, please see VMware NSX for vSphere UI Plug-in Functionality in vSphere Client.

Operations and Troubleshooting

Authentication & Authorization: Introduces 2 new roles (Network Engineer and Security Engineer). Adds ability to enable/disable basic authentication.
NSX Scale Dashboard: Provides visibility into 25 new metrics. Adds ability to edit usage warning thresholds and filter for objects exceeding limits.
NSX Controller Cluster Settings: Specify common settings (DNS, NTP, Syslog) to apply to NSX Controller Cluster.
Support for VM Hardware version 11 for NSX components: For new installs of NSX 6.4.2, NSX appliances (Manager, Controller, Edge, Guest Introspection) are installed with VM HW version 11. For upgrades to NSX 6.4.2, please see Upgrade Notes for further details.

You can find the full release notes over here.

Updating my lab to 6.4.2 using the Upgrade Coordinator was a breeze. 🙂

A simple NSX-V load balancer lab

Skärmavbild 2018-08-21 kl. 21.19.57 Recently I had to do a quick demo on the NSX-V logical load balancer. Setting up the NSX components in a small lab for such demo is a pretty straight-forward process. I thought I’d walk you through setting this up in case you want to play around with the logical load balancer or any of the other NSX components yourself.

The NSX-V logical load balancer in a nutshell

The NSX-V logical load balancer enables high availability service and distributes network traffic (L4 and L7) among multiple servers. Incoming requests are evenly distributed between backend servers that are grouped together in a pool.

It comes with configurable service monitors that perform health checking on backend servers. If one of the backend servers becomes unavailable, the service monitor marks that server as “DOWN” and stops distributing requests to it. When the backend server is available again, the service monitor marks it as “UP” and incoming requests are once again distributed to the server.

The NSX-V logical load balancer has all the functionality you can expect from a modern load balancer. There’s variety of features and two deployment models (inline vs one-armed), but they are beyond the scope of this simple lab. I recommend you have a look at the Logical Load Balancer chapter of the NSX Administration Guide for detailed documentation on the NSX-V logical load balancer.

The Lab Environment

Let’s have a look at a small diagram showing the environment we’re going to build:

NSX-V Load Balancer PoC.png

Two virtual machines are connected to the “Web Tier” logical switch. The “Web Tier” uses IP subnet 172.16.1.0/24 as defined by the Distributed Logical Router (DLR). The DLR and the Edge Services Gateway (ESG) connect using the “Transit” logical switch. The “Transit” VXLAN uses the tiny 172.16.0.0/29 subnet. The ESG also acts as the gateway for the virtual network with its connection to the physical network.

The logical load balancer is a component of the ESG. Its job in this lab will be to distribute incoming web requests between the two web servers.

For this guide I assume NSX-V 6.4 is installed and configured and that your vSphere cluster is prepared for VXLAN.
We need to reserve four IP addresses on the physical network’s subnet to be used by the ESG. For this lab we also need Internet access from the physical network as well as access to a DNS server.

We don’t need a lot of resources for this lab. A single physical ESXi 6.5/6.7 host running a nested vSphere environment will do the job.

Building the NSX infrastructure

We start by creating the two logical switches “Web Tier” and “Transit”. The default settings for the switches are fine for this lab:

Skärmavbild 2018-08-13 kl. 20.19.10.png

Next we deploy the distributed logical router:

Skärmavbild 2018-08-13 kl. 20.24.02.png

At the “Configure interfaces” step we create and configure two interfaces: An uplink interface we’ll call “2ESG” which connects to the “Transit” logical switch and an internal interface that we’ll call “2WebTier” which connects to the “Web Tier” logical switch. We configure the interfaces using the IP addresses from the diagram above:

Skärmavbild 2018-08-13 kl. 20.32.18.png

The DLR’s default gateway is the IP address of the ESG’s internal interface, accessed via the “2ESG” interface:

Skärmavbild 2018-08-13 kl. 20.38.45.png

Once the DLR is deployed we go to its settings and configure DHCP relay. The DHCP relay server in this lab is the IP address of the ESG’s internal interface (we’ll configure a DHCP server on the ESG in a moment). We also need to enable a DHCP relay agent on the DLR’s “2WebTier” interface:

Skärmavbild 2018-08-13 kl. 20.52.10.png

Now it’s time to deploy the Edge Services Gateway appliance:

Skärmavbild 2018-08-13 kl. 20.55.05.png

We choose a compact appliance size and configure the ESG with two interfaces: An uplink interface we call “2Physical” which connects to a VLAN backed port group on the distributed switch as well as an internal interface we call “2DLR” which connects to the “Transit” logical switch.

We’re going to configure four IP addresses on the “2Physical” interface: One primary IP address and three secondaries. One of the secondaries will be used as the VIP address of the load balancer. The other two will be used for NAT:

Skärmavbild 2018-08-13 kl. 21.40.50.png

The default gateway for the ESG resides on the physical network. In my environment it’s at 10.0.1.1 and reached using the “2Physical interface:

Skärmavbild 2018-08-13 kl. 21.53.03.png

So let’s setup the DHCP server on the ESG. We do this under the “DHCP” tab of the ESG. We need to configure a DHCP pool and enable the DHCP service. Don’t forget to configure a primary name server. The “Web Tier” servers need one.

Skärmavbild 2018-08-13 kl. 21.58.55.png

Finally we need to let the ESG know how to reach the “Web Tier” subnet. We do this by adding a static route under “Routing”:

Skärmavbild 2018-08-21 kl. 19.52.38.png

Now the ESG knows that it should use the DLR to reach the “Web Tier” subnet.

Deploying the Virtual Machines

Now that the NSX infrastructure is in place we’ll continue with the deployment of our two virtual machines in the “Web Tier” VXLAN.

In this lab we use VMware’s Photon OS which is an open source minimal Linux container host optimized for vSphere. Download the OVA for vSphere 6.5 or newer and deploy two virtual machines from it. Make sure to connect both to the “Web Tier” logical switch.

Skärmavbild 2018-08-16 kl. 22.01.26.png

Once booted, the DHCP server on the ESG should have assigned IP addresses to the VMs. Take a note of the IPv4 addresses as we need them for our NAT rules:

Skärmavbild 2018-08-19 kl. 16.27.43.png

Configuring NAT

NAT rules are defined on the ESG under the “NAT” tab. First of all we want to provide Internet access to our “Web Tier” virtual machines so we can patch the OS and pull the NGINX container. For this we have to create a source NAT (SNAT) rule that looks like this:

Skärmavbild 2018-08-16 kl. 22.19.32.png

The primary IP address of the ESG “2Physical” interface (10.0.1.240) is used to represent any IP address from the “Web Tier” subnet (172.16.1.0/24) on the physical network.
Don’t worry about protocol for this lab.

As we also want to SSH into our virtual machines from the physical network, we need to create two destination NAT (DNAT) rules. One for each server. For my web-1 virtual machine the DNAT rule looks like this:

Skärmavbild 2018-08-16 kl. 22.27.53.png

IP address 10.0.1.242, one of the secondary IP addresses of the ESG’s “2Physical” interface, is translated to web-1’s IP address (172.16.1.50).
Don’t forget to create one more DNAT rule for the web-2 virtual machine using one of the other secondary IP addresses of the ESG’s “2Physical” interface (I chose 10.0.1.241 for example).

Installing the Web Servers

With the NAT rules in place we should be able to SSH into our virtual machines from the physical network:

ssh root@10.0.1.242

The default root password on the Photon OS OVA is “changeme” which we’ll have to change after first login.

We can now test if our SNAT rule is working by querying and installing available OS updates. Do this on both machines:

tdnf update

When it’s done updating reboot the servers:

reboot

After reboot, SSH back into the virtual machines to enable and start the Docker engine:

systemctl enable docker
systemctl start docker

Next pull the NGINX docker container:

docker pull nginx

We want the NGINX server to use an “index.html” that is stored outside of the docker container. Create an “index.html” on each of the servers:

mkdir -p ~/docker-nginx/html
vi ~/docker-nginx/html/index.html

Copy and paste this into index.html on web-1:

<h1>This is web-1</h1>

And paste this into index.html on web-2:

<h1>This is web-2</h1>

Set the following permissions on the html directory (never do this in production):

chmod 755 ~/docker-nginx -R

We can now run the container. On each of the virtual machines issue the following command:

docker run --name docker-nginx -p 80:80 -d -v ~/docker-nginx/html:/usr/share/nginx/html nginx

With the containers up and running we should be able to access the web servers from the physical network. In my case I browse to http://10.0.1.242 and hit web-1’s “index.html”

Skärmavbild 2018-08-18 kl. 20.05.16

Make sure this works on both web servers before moving on.

Configuring the Logical Load Balancer

The web servers are up and running. It’s time to enable high availability service and start load balancing.

We start by defining a new server pool we’ll call “web-pool”. On the ESG click the “Load Balancer” tab and choose “Pools”. Add a new pool:

Skärmavbild 2018-08-18 kl. 22.02.43.png

Add our two virtual machines to the pool. Notice that you can specify vCenter/NSX objects (which require VMware Tools or ARP/DHCP Snooping) as well as IP addresses. The Photon OS virtual machines are running open-vm-tools meaning we can pick virtual machine objects for these servers.

The other thing we need to specify here is the service monitor. Choose “default_http_monitor” which by default executes a “HTTP GET” to the servers in the pool every 5 seconds.

Head over to “Virtual Servers”. Here we configure our virtual IP (VIP) and tie it to our server pool:

Skärmavbild 2018-08-18 kl. 22.30.32

Give the virtual server a name and enter the last available secondary IP address of the ESG’s “2Physical” interface (10.0.1.243 in my case). Select the pool that we just created as the default pool.

Finally enable the load balancer service under “Global Configuration”.

Testing the Logical Load Balancer

It’s time to test the load balancer. Open a web browser and navigate to http://VIP_IP. In my case http://10.0.1.243. You should now hit one of the web server’s “index.html”:

Skärmavbild 2018-08-19 kl. 17.11.37.png

Now reload the page in your browser.

Skärmavbild 2018-08-19 kl. 17.14.31.png

Voilà! The load balancer sent the request to the next available server in the pool which in my case was web-1.

Every time you reload the web page you will end up on the next available server in the pool. This is the intended behavior when using the Round Robin load balancing algorithm.

Let’s stop the NGINX container on one of the virtual machines:

docker stop docker-nginx

Now reload the web page a couple of times. Instead of a timeout every other time the load balancer keeps sending the requests to the only healthy server left in the pool.

Start the NGINX container again:

docker start docker-nginx

Keep reloading the web page in your browser and you’ll notice that it doesn’t take many seconds before the load balancer picks up the server and start sending requests to it again.

Conclusion

NSX-V, a key component of the VMware vSphere SDDC, delivers a very competent load balancer that is easy to install and configure.
In this short exercise we kept things really simple. There are more things to consider in a production environment, but building a lab like this hopefully gives you some idea of the concepts and components involved configuring a NSX-V logical load balancer.