In series of blog posts we are going to walk through different steps to setup a NSX-T Data Center infrastructure. If you are new to NSX-T, please first go ahead and read the Introduction to VMware NSX. To get more insight on NSX-T architecture you can continue with NSX-T Architecture and Components post. Because we are using NSX-T 3.0 for the purpose of this implementation deep dive, you can also review What’s new in NSX-T 3.0 blog post.
Following are the required steps to build a solid NSX-T Data Center foundation. Please follow each step and we are going to update and complete this list regularly.
As part of vSAN Stretched or 2-Node cluster configuration, a witness appliance should be deployed and configured. This witness appliance will host witness components that is being used in split-brain failure scenarios. Witness component will act as a tie breaker and help vSAN cluster to satisfy the quorum requirements. Witness server could be installed as a dedicated physical ESXi host or an specialized virtual witness appliance can be used instead. The main reason of having witness as an virtual appliance is it does not require extra vSphere license to consume and eventually save some cost specially for smaller implementation like ROBO. The other reason behind using a virtual appliance is for multi-cluster environment like VCF stretched cluster implementation. Due to the reason of each vSAN cluster needs its own witness, then you can consolidate all of them on one physical host on a third site.
On April 7th 2020, VMware introduced next major release of its Network Virtualization & Security solution. NSX-T 3.0 introduces variety of new features which enhance the adoption of software-defined networking in private, pubic and hybrid-cloud environment.
Following are some of the new features and enhancements that are available in NSX-T 3.0 Datacenter;
Following the first blog post about deployment of vIDM, this post will cover how to configure vIDM and implement NSX-T Role Based Access Control (RBAC) with help of vIDM. As you might noticed, in NSX-T 2.5 and earlier release RBAC cannot be enabled without use of vIDM.
When you login to administration page with vIDM’s admin user account, dashboard would be the fist page you will land. Dashboard contains login information and applications which are used by users and analytics.
To start vIDM configuration click on Identity & Access Management. Here you can join vIDM to Active directory domain, add directory to sync with vIDM and define user attributes which get synchronized from directory service to vIDM.
On March 10th 2020, VMware released VMware Cloud Foundation(VCF) 4.0 along side a refresh on its other SDDC protofolio including vSphere 7.0, vSAN 7.0 and vRealize Suite 2019 latest release. By deploying VCF 4.0, you can take advantage of all the components that are included in the package and there are some features which only available with VCF 4.0. For example Kubernetes capabilities of vSphere 7 are only included as part of VCF 4.0 with Tanzu. Following you can find Bill of Materials(BoM) for VCF 4.0.
One of the new capabilities that have been added to VCF 4.0 is the possibility to use NSX-T in Management workload domains. Before VCF 4.0, Management workload domain had to use NSX-V as networking and security virtualization solution. NSX-T will also used as a defacto network and virtualization solution for VM and container workload. With use of NSX-T we have the option to bring up one NSX-T Management cluster that can serve many workload domains.
VCF 4.0 also supports latest update of vRealize Suite 2019 which includes;
vRealize Automation 8.1
vRealize Opertions 8.1
vRealize Log Insight 8.1
All the above products have the capability to operate based on container workloads beside normal VM workload. VCF SDDC Manage 4.0 together with vRealize Suite Lifecycle Manager 8.1 will automate the process of lifecycle management for both VCF core components and also vRealize suite components.
As it mentioned in Introduction to VMware NSX , NSX-T Datacenter is built on three integrated layers of components which are Management Plane, Control plane & Data plane. This architecture and separation of key roles enables scalability without impacting workloads.
NSX-T Management cluster which built from three-node NSX-T managers controller nodes. Management plane and control plane are converged on each node. NSX managers provides Web-GUI and REST API for management purposes. This is one of the architectural difference compared to NSX-V which had to integrate into vSphere Client & vCenter server. NSX Manager is also could be consumed by Cloud Management Platform(CMP) like vRealize Automation to integrate SDN into cloud automation platforms. NSX-T Manager can also connect to vSphere infrastructure through integration with vCenter Server(Compute Manager).
VMware has announced new update to per-CPU licensing model. Ok don’t panic VMware is not going to bring back vRAM licensing model but they added new CPU related license type. Effective from April 2nd 2020, building a server with a processor which has more than 32 cores needs additional license. According to VMware’s website, “Under the new model, one CPU license covers up to 32 cores in a single CPU”. This means, additional license requires to be purchased for every 32 physical CPU cores! So if there is a single-CPU server with up to 32 physical cores, as before, 1 license should be purchased. But if there is single-CPU server with 64 cores, 2 licenses needed because as it said before every license covers a single CPU with up to 32 cores. To get a better view of this change, take a look at below image from VMware.
Fortunately for those who are going to buy servers and VMware licenses till April 30th 2020, there is “Free per CPU licensing” program. According to VMware website, “Any existing customers who purchase VMware software licenses, to be deployed on a physical server with more than 32-cores per CPU, prior to April 30, 2020 will be eligible for additional free per-CPU licenses to cover the CPUs on that server”.
VMware Cloud Foundation(VCF) is VMware’s integrated SDDC platform for private and hybrid cloud infrastructures. This software package integrates VMware’s Compute, Storage and Network Virtualization solutions with a centralized automated lifecycle management tool call SDDC Manager. The core components of VCF are vSphere (Compute), vSAN (Storage) and NSX (Network & Security). VMware vRealize Suite can also be optionally added to VCF to increase the capability of SDDC infrastructure with performance & capacity Management and cloud management. Since VCF 3.8 beside running normal virtual machine workloads, you can also run containers with use of VMware Enterprise PKS.
To start implementing VCF at least seven ESXi hosts is needed, four for Management Workload Domain(WLD) which hosts infrastructure components of SDDC and another three host for running actual infrastructure WLD. These nodes can be vSAN ready nodes or you can take advantage of DellEMC’s VxRAIL platform and run more integrated Hyper-converged(HCI) platform. The Management WLD brought up with use of special virtual appliance call Cloud Builder. This awesome tool brings up four first nodes in management cluster alongside Platform Service Controllers(PSC), vCenter Servers, NSX manager & controllers and vRealize Log Insight. After the initial bring up process VCF infrastructure management will be done through SDDC Manager.
VMware Identity Manager(vIDM), formerly known as VMware Workspace Portal, is VMware Workspace ONE’s identity & authentication component. vIDM aims to mainly achieve two goals increasing security and improve productivity by providing Single Sign-On(SSO). Beyond providing SSO to mobile users in End-User Computing(EUC) and Bring Your Own Device (BYOD) scenarios, vIDM can be used to provide SSO for different VMware products like vRealize suite and NSX. For instance, Configuring Role-Based Access Control (RBAC) in NSX-T Datacenter is only possible through vIDM.
vIDM can be installed on Windows (2008R2, 2012, 2012R2 and 2016) or as an Virtual appliance on Linux (SUSE Linux Enterprise 11). In this post, I am going to describe how to deploy VMware Identity Manager as a virtual appliance and in following post, I’ll describe initial configuration of vIDM.
VMware NSX is a network
virtualization and security platform and it is part of VMware’s Software Define
Datacenter (SDDC) architecture. VMware NSX has emerged as VMware acquisition of
a company call Nicira in 2012 which had a solid product on Software Defined
Network (SDN). The product comes in four different forms;
NSX Data Center
NSX Hybrid Connect
NSX Data Center itself comes
in two different flavors, NSX-V which mainly designed to work in VMware vSphere
environments and NSX-T, formerly known as Multi-Hypervisor, which offers
network virtualization and cyber-security features for multi-hypervisor,
container-based and multi-cloud environments like AWS or Azure cloud services.
Software-Defined networking delivers L2 to L7 network functions in software and
allowing virtualization and cloud administrators to provision required services
on hypervisor level.