VCF 9.0 to 9.0.1 Upgrade – Part 2

In the first part of the VCF 9.0 upgrade series, I walked through the process of upgrading the VCF Management Components — beginning with the Fleet Management Appliance and continuing through Aria Operations, Automation, Logs, and Network.
In this second part, we’ll shift focus to the core components of VMware Cloud Foundation, which form the backbone of every workload domain: vCenter Server, ESX hosts, NSX Managers, and Edge Clusters.

Since the core components have not yet been upgraded, the versions of the vCenter Server, NSX, and ESX hosts remain at 9.0.0, as shown in the screenshot below.


VCF 9.0 to 9.0.1 Upgrade – Part 1

Upgrading VMware Cloud Foundation (VCF) is not just about running the upgrade workflow — it’s about preparation. Before moving from version 9.0 to 9.0.1, several validation and readiness steps must be taken to ensure a smooth and error-free process. Before diving into the upgrade process, it’s essential to understand how lifecycle management in VCF is structured and the distinction between management components and core components.

VCF Operations serves as the central tool for managing the lifecycle of both Management and Core Infrastructure Components. It provides unified capabilities for downloading, staging, and applying patches or upgrades — whether you’re operating online or through an offline depot. While both component types can share the same depot, their upgrade scopes differ:

  • Management components (like SDDC Manager, Aria Suite, and NSX Managers) are maintained at the fleet level, allowing consistent operations across multiple VCF instances.
  • Core components (such as ESX hosts, vCenter, and NSX Edge Clusters) are managed per instance, ensuring control within each workload domain.

This separation allows administrators to plan and execute upgrades in a structured, non-disruptive way. However, it also raises an important question:

When performing an upgrade, which should be done first? The management components or the core components?

This article is part of a two-part series. In this first part, I’ll cover the upgrade of the VCF management components, and in the next one, I’ll focus on the core components. In both, we’ll outline what to verify, what to back up, and what dependencies to check before initiating your upgrade.


NSX SSL Certificate Replacement – Part 2

In Part 1 of NSX SSL Certificate Replacement, I explained how to prepare the certificate template and request the certificate. This blog post shows how to import the generated certificate into NSX Manager and replace the existing certificate with it. It is essential to verify the imported certificate before performing the replacement. Note that if you are using a Virtual IP for your NSX management cluster, you should have generated the SSL certificate for the management cluster’s Virtual IP address.


NSX SSL Certificate Replacement – Part 1

NSX 4 installation comes with an out-of-the-box self-signed SSL certificate. For security and compliance reasons, most customers want to replace the default self-signed certificates with CA-signed certificates. In this two-part blog post, I’ll explain how to prepare your certificate infrastructure, request the certificate, and finally replace the SSL certificate. There are some very useful guides, like this one from VMware, but I will explain the whole certificate replacement process in the following blog posts.


vSphere 8 – What’s New

I know many customers were waiting for the next release of VMware vSphere to realize the new capabilities and features. So there you go, let’s check what’s new in vSphere 8!

VMware vSphere is the base solution on which most private cloud datacenters run. As VMware defines it, vSphere 8 is the enterprise workload platform that brings the benefits of the cloud to on-premises workloads, supercharges performance through DPUs and GPUs, and accelerates innovation with an enterprise-ready integrated Kubernetes runtime.

In this post, I want to introduce the new and unique features that I found useful and interesting in vSphere 8.0!


My IT Journey!

I am thrilled to announce that I am starting a new position as a Senior Solution Engineer at VMware!

My name is Sadaf, I am originally Iranian, but I live in Sweden! I am a double VCIX, vExpert, and vSAN specialist with more than ten years of experience in Information Technology!

In this post, I want to share my journey with you, especially with women who want to start their career in IT but are hesitant because they are afraid of not being accepted or of being judged in this male-dominated field! I just forgot! Heh! I am also an expert at being judged and bullied, but I never surrender, thanks to my non-relevant bachelor’s! But you know what? I could do it, so can you!

I have studied Business Administration, but my path crossed with IT when I was on an internship about 12 years ago!

I was part of the sales engineering team responsible for helping customers get certified in the Information Security Management System (ISMS)/ISO 27001.


NSX-T Distributed Firewall – Part 2

In the first part of NSX-T Distributed Firewall, I explained the importance of embracing NSX-T DFW. In this post, I review how you can create and apply firewall rules to implement micro-segmentation. To create firewall rules, you first need to define a policy section, which contains one or more firewall rules. A policy in NSX-T DFW can be defined as stateful or stateless. If the policy is stateless, you need to define the rules in both directions. Otherwise, the reverse traffic is not allowed to pass. On the other hand, in the default stateful mode, when you define a rule it will apply bidirectionally.

Then you need to define the rules under the policy section, which evaluate the criteria of a traffic flow. DFW rules determine whether the traffic should pass or get dropped based on the protocol and ports.


NSX-T FQDN/URL Filtering

NSX-T Distributed Firewall (DFW) is one of the most comprehensive solutions to provide micro-segmentation from layer 4 to layer 7. It can monitor all the East-West traffic on your virtual machines and build a zero-trust model. To leverage the DFW, the vNICs of virtual machines need to connect to an NSX overlay segment, an NSX VLAN-backed segment, or a vDS port group, which is supported from vSphere 7.0. The benefit of using DFW is that firewall rules apply at the vNIC level of virtual machines. In this way, traffic does not need to traverse to a physical firewall to determine whether it should pass or be dropped, which is more efficient. This article will focus on using DFW to enforce L7 (FQDN/URL) filtering.


You can give internet access to a VM, or to a user who logs in to a VM, by using Identity-Based Firewall, or even take it one step further and control which specific URLs are allowed to be accessed.


NSX-T Distributed Firewall – Part 1

Before jumping into the NSX-T Distributed Firewall (DFW) concept and rule creation, I want to point out why this solution is important and what security issues can be addressed by using it. Building a zero-trust security model has been the biggest concern of network and security teams. In traditional data centers, high-level segmentation is built, which can help to prevent various types of workloads from communicating. But the main challenge of the legacy security model is that data centers lack a way to prevent lateral communication between workloads within a tier. In other words, traffic can traverse freely inside a network segment and access crucial information until it reaches the physical firewall to get dropped. In addition, implementing different layers of security and firewalls would cause complexity and cost.

NSX-T Distributed Firewall (DFW) is a hypervisor kernel-based firewall that monitors all the East-West traffic and can be applied to individual workloads such as VMs to enforce a zero-trust security model. Micro-segmentation logically divides a department or a set of applications into security segments and distributes firewalls to each VM.


Finalizing NSX-T Management Cluster Deployment

In the previous articles, we deployed the first NSX-T Manager and then added vCenter Server as a Compute Manager in the NSX-T Web UI. In this post, we are going to finalize the NSX-T Management cluster. In a production environment, for high availability and performance reasons, it is recommended to have three NSX-T Managers in the cluster. The second and third NSX-T Managers should be added from the NSX-T Web UI. To deploy additional NSX-T Manager appliances, go to the System menu, choose Appliances, and click “ADD NSX APPLIANCE”.
