11-06-15

VCP6-CMA Study Guide – Section 3: Create and Administer Cloud Networking


Objective 3.1: Explain NSX Integration with vRealize Automation

Manage network services from within vRealize Automation

  • Network profiles map the networks defined in vRA to the underlying infrastructure (for example, to port groups in vSphere)
  • Create a network profile from the vRealize Appliance, logged in as a fabric administrator
  • Go to Infrastructure -> Reservations -> Network profiles
  • Click New Network Profile and select the appropriate type (External, NAT, Private or Routed). An External profile refers to a pre-existing vSphere port group; the other three types are created at provisioning time
  • Give the profile a name and configure the subnet mask (and optionally, DNS details and gateway)
  • Click the IP Ranges tab and use the New Network Range button to add a range of IP addresses for the profile to consume
  • Fill out a name and a start and end IP address for the range, then click OK
  • A CSV file may also be used to define a large range of IP addresses
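Before handing a range to a network profile it is worth checking that every address in it actually belongs to the profile's subnet and does not collide with the gateway, the network or broadcast address, or another range in the same profile; vRA will otherwise hand those addresses to machines and the first symptom is a provisioning failure or a duplicate-IP outage. The following is an added example in Python (not part of the guide or of any VMware product) that performs those checks on a profile described as a small dictionary; the profile names, subnet and addresses are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[str, str, str]  # (range name, start address, end address), as entered on the IP Ranges tab

# Constructed sample profile; the addresses are placeholders, not values from the guide.
SAMPLE_PROFILE: Dict = {
    "name": "example-external-profile",
    "subnet": "192.168.50.0/24",      # network plus the subnet mask the profile was created with
    "gateway": "192.168.50.1",
    "ranges": [
        ("range-1", "192.168.50.20", "192.168.50.99"),
        ("range-2", "192.168.50.200", "192.168.50.250"),
    ],
}

# A second constructed profile containing the mistakes the checker is meant to catch.
BROKEN_PROFILE: Dict = {
    "name": "example-broken-profile",
    "subnet": "192.168.50.0/24",
    "gateway": "192.168.50.1",
    "ranges": [
        ("r1", "192.168.50.1", "192.168.50.5"),      # swallows the gateway
        ("r2", "192.168.50.250", "192.168.50.255"),  # swallows the broadcast address
        ("r3", "192.168.50.4", "192.168.50.6"),      # overlaps r1 on .4 and .5
        ("r4", "192.168.50.9", "192.168.50.8"),      # end precedes start
    ],
}


def expand_range(start: str, end: str) -> List[ipaddress.IPv4Address]:
    """Return every address from start to end inclusive, i.e. what vRA would allocate from."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if e < s:
        raise ValueError(f"end address {end} precedes start address {start}")
    return [ipaddress.ip_address(i) for i in range(int(s), int(e) + 1)]


def _audit(profile: Dict) -> Tuple[List[str], Dict[ipaddress.IPv4Address, str]]:
    """Walk every range once; return the problems found and the addresses that are safely claimed."""
    net = ipaddress.ip_network(profile["subnet"], strict=True)
    gateway = ipaddress.ip_address(profile["gateway"])
    problems: List[str] = []
    if gateway not in net:
        problems.append(f"gateway {gateway} is outside {net}")
    reserved = {net.network_address, net.broadcast_address, gateway}
    claimed: Dict[ipaddress.IPv4Address, str] = {}   # address -> name of the range that owns it
    for name, start, end in profile["ranges"]:
        try:
            addrs = expand_range(start, end)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        for addr in addrs:
            if addr not in net:
                problems.append(f"{name}: {addr} is outside {net}")
            elif addr in reserved:
                problems.append(f"{name}: {addr} is the network, broadcast or gateway address")
            elif addr in claimed:
                problems.append(f"{name}: {addr} overlaps {claimed[addr]}")
            else:
                claimed[addr] = name
    return problems, claimed


def check_profile(profile: Dict) -> List[str]:
    """Human-readable list of problems; empty means the ranges are safe to add."""
    return _audit(profile)[0]


def allocatable_addresses(profile: Dict) -> int:
    """Number of distinct, non-reserved addresses the profile can actually hand out."""
    return len(_audit(profile)[1])


if __name__ == "__main__":
    for profile in (SAMPLE_PROFILE, BROKEN_PROFILE):
        print(profile["name"], "->", allocatable_addresses(profile), "allocatable addresses")
        for problem in check_profile(profile):
            print("  problem:", problem)
```

The same dictionary shape can be filled from the CSV you intend to import, so the file is checked before vRA ever sees it; the script deliberately treats the gateway as reserved even though the network profile form only asks for it optionally, because a range that includes the gateway is the most common cause of a VM being handed the router's address.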

Configure NSX Integration

  • Prerequisites include an existing NSX Manager instance associated with a vCenter Server, and a vSphere endpoint instance
  • Also required are credentials for the NSX Manager (Infrastructure -> Credentials -> New Credentials) and the NSX plug-in installed in vRealize Orchestrator
  • Log in to the vRealize Appliance as an IaaS administrator
  • Edit the vSphere endpoint in Infrastructure -> Endpoints
  • Select “Specify manager for network and security platform”
  • Add the IP address or DNS name of the NSX Manager appliance
  • Select the NSX Manager credential set previously added
  • Run a data collection from the Infrastructure -> Compute Resources section in the vRealize Appliance (ensuring that network discovery is enabled)
  • Before you consume NSX services, you must run the Enable Security Policy Support for Overlapping Subnets Workflow in vRealize Orchestrator, using the NSX Manager endpoint previously used as the input parameter for the workflow.
  • After you run this workflow, the Distributed Firewall rules defined in the security policy are applied only on the vNICs of the security group members to which this security policy is applied

Configure IaaS for Network Integration

  • Configuration requires the following steps, in this order:
    • Configure the Orchestrator endpoint in IaaS
    • Create a vSphere instance integrated with NSX (see above)
    • Run the Enable Security Policy Support for Overlapping Subnets Workflow (see above)
    • Create a network profile (see above)
    • Add or amend an existing reservation, click on the Network tab
    • Select an external network in the Network Paths list
    • Select the transport zone, security group and routed gateway

Objective 3.2: Configure and Manage vRealize Automation Networking

Identify the available NSX for vSphere Edge network services

  • NSX Edge Services include:
    • Dynamic Routing (Provides the necessary forwarding information between layer 2 broadcast domains, thereby allowing you to decrease layer 2 broadcast domains and improve network efficiency and scale. NSX extends this intelligence to where the workloads reside for East-West routing. This allows more direct virtual machine to virtual machine communication without the cost and delay of extra hops. At the same time, NSX also provides North-South connectivity, thereby enabling tenants to access public networks.)
    • Firewall (Supported rules include IP 5-tuple configuration with IP and port ranges, with stateful inspection for all protocols)
    • Network Address Translation (Separate controls for Source and Destination IP addresses, as well as port translation)
    • DHCP (Configuration of IP pools, gateways, DNS servers, and search domains)
    • Site-to-Site Virtual Private Network (VPN) (Uses standardized IPsec protocol settings to interoperate with all major VPN vendors)
    • L2 VPN (Provides the ability to stretch your L2 network)
    • SSL VPN-Plus (SSL VPN-Plus enables remote users to connect securely to private networks behind an NSX Edge gateway)
    • Load Balancing (Simple and dynamically configurable virtual IP addresses and server groups)
    • High Availability (High availability ensures an active NSX Edge on the network in case the primary NSX Edge virtual machine is unavailable)
    • Multi-Interface Edge
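The Edge firewall entry above packs two ideas into one line: rules are 5-tuples (protocol, source and destination addresses, source and destination port ranges) evaluated in order, and inspection is stateful, so the reply half of an allowed connection passes without needing a rule of its own. The following added example in Python (my own illustration, not VMware code and not the Edge's actual rule syntax) models both, so you can reason about what a rule table will and will not let through before you commit it to an Edge; the policy, addresses and ports are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

ANY_PORT = (0, 65535)  # inclusive port range meaning "any port"


@dataclass(frozen=True)
class Rule:
    """One 5-tuple rule: protocol, source/destination CIDR, source/destination port range."""
    name: str
    action: str                          # "allow" or "deny"
    protocol: str                        # "tcp", "udp", "icmp" or "any"
    src: str                             # CIDR, e.g. "10.0.1.0/24"
    dst: str
    src_ports: Tuple[int, int] = ANY_PORT
    dst_ports: Tuple[int, int] = ANY_PORT


@dataclass(frozen=True)
class Flow:
    """The 5-tuple of a single packet / connection attempt."""
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int = 0                    # ignored for protocols without ports (icmp)
    dst_port: int = 0

    def reverse(self) -> "Flow":
        """The 5-tuple a reply packet of this flow would carry."""
        return Flow(self.protocol, self.dst_ip, self.src_ip, self.dst_port, self.src_port)


def _in_range(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when every element of the 5-tuple falls inside what the rule specifies."""
    if rule.protocol != "any" and rule.protocol != flow.protocol:
        return False
    if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if flow.protocol in ("tcp", "udp"):   # port ranges only mean something for tcp/udp
        if not _in_range(flow.src_port, rule.src_ports) or not _in_range(flow.dst_port, rule.dst_ports):
            return False
    return True


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """Ordered evaluation: the first matching rule wins. Returns 'action:rule-name'."""
    for rule in rules:
        if rule_matches(rule, flow):
            return f"{rule.action}:{rule.name}"
    return f"{default}:default"


class StatefulEdgeFirewall:
    """Rule table plus a connection table: return traffic of an allowed flow passes without a rule."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.established: Set[Flow] = set()

    def process(self, flow: Flow) -> str:
        if flow.reverse() in self.established:
            return "allow:established"          # reply half of a connection we already allowed
        verdict = evaluate(self.rules, flow)
        if verdict.startswith("allow:"):
            self.established.add(flow)          # remember the forward flow for its replies
        return verdict


# Constructed sample policy with placeholder addresses: a web tier reachable on 443 from
# anywhere, which may talk to a database tier on 3306; everything else is denied explicitly.
SAMPLE_RULES = [
    Rule("web-in", "allow", "tcp", "0.0.0.0/0", "10.0.1.0/24", dst_ports=(443, 443)),
    Rule("app-to-db", "allow", "tcp", "10.0.1.0/24", "10.0.2.0/24", dst_ports=(3306, 3306)),
    Rule("ping-internal", "allow", "icmp", "10.0.0.0/8", "10.0.0.0/8"),
    Rule("deny-all", "deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    fw = StatefulEdgeFirewall(SAMPLE_RULES)
    client_to_web = Flow("tcp", "203.0.113.5", "10.0.1.10", 51000, 443)
    print(fw.process(client_to_web))            # allow:web-in
    print(fw.process(client_to_web.reverse()))  # allow:established
    print(fw.process(Flow("tcp", "10.0.1.10", "203.0.113.5", 443, 51001)))  # deny:deny-all
```

Two things the model makes visible that are easy to miss in the Web Client: rule order matters (a broad allow placed above a narrow deny silently wins), and the connection table only ever admits the exact reverse 5-tuple of a flow it has already allowed, which is why a database server that was never allowed to open outbound connections still cannot reach the web tier on its own.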

Configure DHCP/NAT/VPN/Load Balancer

  • Configuration of NSX is done from the vSphere Web Client
  • Uses a plugin under the Networking & Security button
  • Go to NSX Edges and create an Edge Gateway for the services
  • Provide CLI username and password for appliance
  • Enable SSH and HA if required
  • Pick datacenter, appliance size (compact, large, X-Large, Quad-large)
  • Choose cluster and datastore for Edge appliance deployment
  • Configure NIC and which VDS you want to attach the appliance to
  • Configure IP addresses and subnet, and the MTU size (remember: 1600 for VXLAN)
  • Services are configured by double clicking on the Edge appliance and going to the Manage tab

Sub-allocate IP Pools

  • IP pools are created and edited under the NSX Edge Gateway object in the vSphere Web Client: open the Manage tab, click Pools, then click the add button and configure the pool as appropriate

Add static IP addresses

  • Static IP addresses are created under the Edge Gateway's Manage tab: go to DHCP, then Bindings, click the add button and add a VM or MAC binding as needed.
  • Interface, VM Name, VM vNIC interface, Host name and IP address are required fields.

Configure syslog

  • The syslog server is configured by logging in to the NSX Manager appliance management interface, clicking the Manage Appliance Settings button and filling out the Syslog Server fields under General settings.
  • IP address, port number and protocol (TCP/UDP) are required
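Once those three values are entered, the only way to know that NSX Manager's logs are really arriving is to see a message land on the collector. The following added example in Python (not part of the guide or of NSX) validates the same three fields the form asks for, builds a BSD-syslog test line of the kind a collector expects, and, when run directly, proves the send/receive path on the loopback interface for either protocol; the hostname and tag are constructed placeholders.

```python
import re
import socket
from datetime import datetime
from typing import Dict, Optional, Tuple

FACILITY_LOCAL0 = 16   # syslog facility code
SEVERITY_INFO = 6      # syslog severity code


def validate_target(host: str, port: int, protocol: str) -> Tuple[bool, str]:
    """Check the three values the NSX Manager syslog form requires: host, port, TCP/UDP."""
    if not host.strip():
        return False, "syslog host must be an IP address or hostname"
    if not 1 <= port <= 65535:
        return False, f"port {port} is outside 1-65535"
    if protocol.lower() not in ("tcp", "udp"):
        return False, f"protocol {protocol!r} must be TCP or UDP"
    return True, "ok"


def build_message(host: str, tag: str, text: str, facility: int = FACILITY_LOCAL0,
                  severity: int = SEVERITY_INFO, when: Optional[datetime] = None) -> str:
    """Build a BSD-syslog (RFC 3164) line: <PRI>Mmm dd hh:mm:ss host tag: text."""
    pri = facility * 8 + severity
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # RFC 3164 pads the day with a space
    return f"<{pri}>{stamp} {host} {tag}: {text}"


_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_priority(line: str) -> Dict[str, int]:
    """Recover facility and severity from the <PRI> header of a received line."""
    match = _PRI.match(line)
    if not match or int(match.group(1)) > 191:
        raise ValueError("line does not start with a valid <PRI> header")
    pri = int(match.group(1))
    return {"facility": pri // 8, "severity": pri % 8}


def loopback_delivery_check(protocol: str = "udp", timeout: float = 2.0) -> bool:
    """Stand up a throwaway listener on 127.0.0.1 and confirm one test message round-trips."""
    msg = build_message("nsx-manager-example", "nsx-syslog-test", "delivery check")
    if protocol.lower() == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
            srv.bind(("127.0.0.1", 0))
            srv.settimeout(timeout)
            port = srv.getsockname()[1]
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
                cli.sendto(msg.encode(), ("127.0.0.1", port))
            data, _ = srv.recvfrom(4096)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.bind(("127.0.0.1", 0))
            srv.listen(1)
            srv.settimeout(timeout)
            port = srv.getsockname()[1]
            with socket.create_connection(("127.0.0.1", port), timeout=timeout) as cli:
                cli.sendall((msg + "\n").encode())   # TCP syslog frames lines with a newline
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(timeout)
                data = conn.recv(4096)
    received = data.decode().rstrip("\n")
    return received == msg and parse_priority(received)["severity"] == SEVERITY_INFO


if __name__ == "__main__":
    print(validate_target("192.0.2.10", 514, "UDP"))   # (True, 'ok'); placeholder collector address
    for proto in ("udp", "tcp"):
        print(proto, "loopback delivery:", loopback_delivery_check(proto))
```

Point the send side at the real collector address and port instead of the loopback listener and the same code doubles as a reachability probe from a jump host; if the message never appears in the collector's log, the problem is the path (firewall, wrong protocol, wrong port), not the NSX Manager setting.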