VMware Cloud Director Basics with NSX-T: Difference between revisions

From Iwan
Jump to: navigation, search
m (clean up)
Line 58: Line 58:
There are plenty of good articles that will show you how to deploy the VMware Cloud Director appliance like [https://captainvops.com/2020/04/09/deploying-vcloud-director-v10-appliance/ this one] or [https://www.vxpert.in/vmware-vcloud-director-standalone-installation/ this one].  
There are plenty of good articles that will show you how to deploy the VMware Cloud Director appliance like [https://captainvops.com/2020/04/09/deploying-vcloud-director-v10-appliance/ this one] or [https://www.vxpert.in/vmware-vcloud-director-standalone-installation/ this one].  


=STEP 1) NSX-T configuration=
=STEP NSX-T configuration=


The deployment of NSX-T is also out of this article's scope, but it is important to know how to configure the VRF enabled Tier-0 Gateways.
The deployment of NSX-T is also out of this article's scope, but it is important to know how to configure the VRF enabled Tier-0 Gateways.

Revision as of 16:41, 17 March 2024

This article will explain how you can integrate NSX-T into VMware Cloud Director to provide Network and Security capabilities across different tenants. To integrate NSX-T with VMware Cloud Director, you also need to know a bit about VMware Cloud Director and how it is installed, configured, and typical use-cases.

Software Versions used in this article

Software Version
vCenter Server 7.0.1 (17005016)
ESXi 7.0.1 (16850804)
NSX-T 3.1
Cloud Director 10.2

Configuration Steps

  • STEP 1) NSX-T configuration
  • STEP 2) Add vCenter Server Instances to VMware Cloud Director
  • STEP 3) Add NSX-T Manager to VMware Cloud Director
  • STEP 4) Create Network Pools
  • STEP 5) Create External Networks (per tenant)
  • STEP 6) Create Provider VDCs
  • STEP 7) Create Organization and Organization VDCs (per tenant)
  • STEP 8) Create Edge Gateways (per tenant)
  • STEP 9) Create an Organization Virtual Data Center Network
  • STEP 10) Share Edge Gateways between Organization VDCs (of the same tenant)
  • STEP 11) Verify the Data Center Group Networks
  • STEP 12) Create Provider VDCs VM Placement Policies
  • STEP 13) Create several VMs that will simulate an application
  • STEP 14) Configure Distributed Firewall Rules on the applications

vSphere Deployment specifications

In this article, I will be working with a stretched vSphere (METRO) cluster, where I will have two Data Center Sites where all the vSphere Clusters are stretched across these sites. One vCenter Server will "manage" the management hosts (in the management vSphere Cluster) of the first and second Data Center. Another vCenter Server will "manage" the compute hosts (in the compute vSphere Cluster) of the first and second Data Center.

Because NSX-T will also be installed on the Management Cluster, we don't want this to interfere or impact the compute cluster in case of errors/mistakes.

Drawings-vSphere-Design.png

NSX-T Deployment specifications

Two NSX-T Manager Clusters will be deployed. One NSX-T Manager will provide network and security services to the management vSphere Cluster, and the other one will provide network and security services to the compute vSphere Cluster.

In this article, we will only work with the NSX-T environment that is working together with the compute cluster.

Drawings-NSX Manager-Design.png

VMware Cloud Director deployment

The deployment of the VMware Cloud Director appliance is out of scope for this article. There are plenty of good articles that will show you how to deploy the VMware Cloud Director appliance like this one or this one.

STEP 1» NSX-T configuration

The deployment of NSX-T is also out of this article's scope, but it is important to know how to configure the VRF enabled Tier-0 Gateways. There are plenty of good articles that will show you how to deploy NSX-T like this one.

Configure a Tier–0 Gateway with two VRF enabled Gateways

I have written an article on how to deploy VRF enabled Tier-0 Gateways here.

You cn see my configured VRF enabled Tier-0 Gateways here:

T0-VRF-BGP-01.png

My dedicated BGP neighbour configuration for Tenant-A:

T0-VRF-BGP-02.png

My dedicated BGP neighbor configuration for Tenant-B:

T0-VRF-BGP-03.png

On the "physical routing" side, the BGP neighbors are also active. The yellow marked output below is dedicated to Tenant-A, and the green is dedicated to Tenant-B.

vyos@Pod-100-Router:~$ show ip bgp summary

IPv4 Unicast Summary:
BGP router identifier 10.203.100.1, local AS number 65000 vrf-id 0
BGP table version 155
RIB entries 24, using 4416 bytes of memory
Peers 12, using 245 KiB of memory

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd
root ##y##10.203.11.2     4      65001    8027    8042        0    0    0 02:07:12            5
root ##y##10.203.11.3     4      65001    8028    8042        0    0    0 02:07:22            5
root ##y##10.203.12.2     4      65001    8027    8041        0    0    0 02:07:12            5
root ##y##10.203.12.3     4      65001    8028    8042        0    0    0 02:07:21            5
root ##g##10.203.13.2     4      65001    8013    8035        0    0    0 3d01h04m            0
root ##g##10.203.13.3     4      65001    8012    8034        0    0    0 3d01h38m            0
root ##g##10.203.14.2     4      65001    8012    8032        0    0    0 3d01h04m            0
root ##g##10.203.14.3     4      65001    8012    8031        0    0    0 3d01h38m            0
10.203.106.2    4      65001   27854   27860        0    0    0 3d01h04m            8
10.203.106.3    4      65001   27841   27857        0    0    0 3d01h38m            8
10.203.107.2    4      65001   27861   27870        0    0    0 3d01h04m            8
10.203.107.3    4      65001   27848   27866        0    0    0 3d01h38m            8

Total number of neighbors 12
vyos@Pod-100-Router:~$

VMware Cloud Director configuration

Before we can use the NSX-T network and security services, we need to configure some basic things that will be explained below.

Log in to VMware Cloud Director:

LOG-IN-VCD-1.png

This is the screen when you log in to a blank VMware Cloud Director:

LOG-IN-VCD-2.png

STEP 2» Add vCenter Server Instances to VMware Cloud Director

Click on "Infrastructure Resources >> vCenter Server Instances " to add a vCenter Server:

ADD-VC-5.png

Add the vCenter Server details:

ADD-VC-1.png

As I don't have NSX-v I will disable this as I don't want to configure any NSX-v settings:

ADD-VC-2.png

I an not enabling "Tenant access" or want to "generate proxies":

ADD-VC-3.png

Review the summary screen:

ADD-VC-4.png

The vCenter Server is successfully added to Cloud Director:

ADD-VC-6.png

STEP 3» Add NSX–T Manager to VMware Cloud Director

Click on "Infrastructure Resources >> NSX-T Managers" to add an NSX-T Manager:

ADD-NSXT-1.png

Add the NSX-T Manager details:

ADD-NSXT-2.png

The NSX-T Manager is successfully added to Cloud Director:

ADD-NSXT-3.png

STEP 4» Create Network Pools

To make sure that Cloud Director can make use of the overlay networks that are offered by NSX-T, you need to configure a Network Pool:

Go to "Resources >> Network Pools" to add a new Network Pool:

ADD-NETWORK-POOLS-1.png

Specify a name:

ADD-NETWORK-POOLS-2.png

Select "Geneve backed":

ADD-NETWORK-POOLS-3.png

Select the NSX-T Manager:

ADD-NETWORK-POOLS-4.png

Select the "Transport Zone":

ADD-NETWORK-POOLS-5.png

Review the summary:

ADD-NETWORK-POOLS-6.png

The Network Pool is successfully added to Cloud Director:

ADD-NETWORK-POOLS-7.png

STEP 5» Create External Networks 〈per tenant〉

It would be best if you created an external network per tenant. This network (pool) specifies the network (IP address Pool) that is going to be used between your Tier-0 (in my case, the VRF enabled Tier-0) and the (Tier-1) Tenant Edge (Gateways) that are going to be created. The "transit" network between the Tier-0 and Tier-1 Gateways.

Go to "Cloud Resources >> External Networks" to create an external network:

ADD-EXTERNAL-NETWORKS-1.png

Select "NSX-T Resources":

ADD-EXTERNAL-NETWORKS-2.png

As this is an external network for my Tenant-A give it a name related to Tenant-A:

ADD-EXTERNAL-NETWORKS-3.png

Select the Tenant-A VRF enabled Tier-0 Gateway:

ADD-EXTERNAL-NETWORKS-4.png

Specify a "gateway" IP address that will be configured on the downlink interface of the VRF enabled Tier-0 Gateway for Tenant-A:

ADD-EXTERNAL-NETWORKS-5.png

Specify a network pool, for the amount of the (Tier-1) Tenant Edge (Gateways)you are planning to add:

ADD-EXTERNAL-NETWORKS-6.png

Verify if the pool is configured correctly:

ADD-EXTERNAL-NETWORKS-7.png

Review the summary:

ADD-EXTERNAL-NETWORKS-8.png

The External Network for Tenant-A is successfully created:

ADD-EXTERNAL-NETWORKS-9.png

Also, create an External Network for Tenant-B with like I did below:

Select "NSX-T Resources":

ADD-EXTERNAL-NETWORKS-10.png

As this is an external network for my Tenant-B give it a name related to Tenant-B:

ADD-EXTERNAL-NETWORKS-11.png

Select the Tenant-B VRF enabled Tier-0 Gateway:

ADD-EXTERNAL-NETWORKS-12.png

Specify a "gateway" IP address that will be configured on the downlink interface of the VRF enabled Tier-0 Gateway for Tenant-B:

ADD-EXTERNAL-NETWORKS-13.png

Specify a network pool, for the amount of the (Tier-1) Tenant Edge (Gateways)you are planning to add:

ADD-EXTERNAL-NETWORKS-14.png

Verify if the pool is configured correctly:

ADD-EXTERNAL-NETWORKS-15.png

Review the summary:

ADD-EXTERNAL-NETWORKS-16.png

The External Network for Tenant-B is successfully created:

ADD-EXTERNAL-NETWORKS-17.png

STEP 6» Create Provider VDCs

It would be best if you created a Provider VCD.

Go to "Cloud Resources >> Provider VDCs" to add a new Provider VCD:

CREATE-PVDC-1.png

Specify a name:

CREATE-PVDC-2.png

Select a vCenter Server:

CREATE-PVDC-3.png

Select a Resource Pool (vSphere Cluster in my case):

CREATE-PVDC-4.png

Select the Storage Policy:

CREATE-PVDC-5.png

Select the NSX-T Manager and Network Pool:

CREATE-PVDC-6.png

Review the summary:

CREATE-PVDC-7.png

The Provider VDC is now successfully added:

CREATE-PVDC-8.png

STEP 7» Create Organization and Organization VDCs 〈per tenant〉

You now need to Organization and Organization VDCs for each Tenant. I will create two Organizations one for each Tenant. Inside the Organization I will create multiple Organization VDCs per tenant:

Drawings-VCD-overview.png

Go to "Cloud Resources >> Organizations" to add a new Organization:

CREATE-OVDC-1.png

Specify the Organization name for Tenant-A:

CREATE-OVDC-2.png

Review the Organization creation:

CREATE-OVDC-3.png

Specify the Organization name for Tenant-B:

CREATE-OVDC-4.png

Review the Organization creation:

CREATE-OVDC-5.png

Go to "Cloud Resources >> Organization VDCs" to add a new Organization VDC:

CREATE-OVDC-6.png

Specify a name for the first Organization VDC for Tenant-A. This Organization VDC will be bound to a vSphere STRETCHED cluster.

CREATE-OVDC-7.png

Select "Tenant-A" as the Organization:

CREATE-OVDC-8.png

Select the Provider VDC:

CREATE-OVDC-9.png

Select an allocation model (I am using Pay-as-you-go):

CREATE-OVDC-10.png

Specify the Pay-as-you-go details:

CREATE-OVDC-11.png

Select the Storage Policy and I enabled thin provisioning (as this is a nested lab):

CREATE-OVDC-12.png

Select a network pool:

CREATE-OVDC-13.png

Review the summary:

CREATE-OVDC-14.png

The Organization VDC is now created:

CREATE-OVDC-15.png

Specify a name for the second Organization VDC for Tenant-B. This Organization VDC will be bound to a vSphere STRETCHED cluster.

CREATE-OVDC-16.png

Select "Tenant-B" as the Organization:

CREATE-OVDC-17.png

Select the Provider VDC:

CREATE-OVDC-18.png

Select an allocation model (I am using Pay-as-you-go):

CREATE-OVDC-19.png

Specify the Pay-as-you-go details:

CREATE-OVDC-20.png

Select the Storage Policy and I enabled thin provisioning (as this is a nested lab):

CREATE-OVDC-21.png

Select a network pool:

CREATE-OVDC-22.png

Review the summary (screenshot is not provided).

The Organization VDC is now created:

CREATE-OVDC-23.png

OPTIONAL: Create "the other "local/non-stretched" Organization VDCs the same way I did above:

CREATE-OVDC-24.png

STEP 8» Create Edge Gateways 〈per tenant〉

With Cloud Director, you can also create the Tier-1 Gateways that is bound to an Organization VDC. These are called "Edge Gateways" inside Cloud Director.

These Edge Gateways will be connected to the VRF enabled Tier-0 Gateways like I have illustrated on the figure below:

Drawings-VCD-overview-NSX-T.png

Go to "Cloud Resources >> Edge Gateways" to add a new Edge Gateway:

CREATE-EDGE-GW-1.png

Select the Organization VDC where the Edge Gateway (Tier-1 Gateway) will be dedicated to:

CREATE-EDGE-GW-2.png

Specify a name:

CREATE-EDGE-GW-3.png

Select the (external)network pool that was created that is going to use as a "transit" subnet between the VRF enabled Tier-0 Gateways and the new Edge Gateway (Tier-1 Gateway):

CREATE-EDGE-GW-4.png

When you have a dedicated Edge Cluster for the Tier-1 Gateways, you can choose the second option; in my case, I am using the same Edge Cluster that I specified in the External Network.

This means that my Tier-0 Gateway and its corresponding VRF Enabled Gateways will all be configured on one Edge Transport Node Cluster:

CREATE-EDGE-GW-5.png

Leave the allocated IP addresses default:

CREATE-EDGE-GW-6.png

Review the summary:

CREATE-EDGE-GW-7.png

The (first) Edge Gateway for Tenant-A is now created successfully:

CREATE-EDGE-GW-8.png

Create another Edge Gateway for Tenant-B, Select the Organization VDC where the Edge Gateway (Tier-1 Gateway) will be dedicated to (This time dedicated to Tenant-B):

CREATE-EDGE-GW-9.png

Specify a name:

CREATE-EDGE-GW-10.png

Select the (external)network pool that was created that is going to use as a "transit" subnet between the VRF enabled Tier-0 Gateways and the new Edge Gateway (Tier-1 Gateway):

CREATE-EDGE-GW-11.png

Select the NSX-T Edge (Transport Node) Cluster:

CREATE-EDGE-GW-12.png

Leave the allocated IP addresses default:

CREATE-EDGE-GW-13.png

Review the summary:

CREATE-EDGE-GW-14.png

The (second) Edge Gateway for Tenant-B is now created successfully:

CREATE-EDGE-GW-15.png

When I take a sneak peek at the NSX-T Manager GUI, I can see that the Edge Gateways are created in the form of a Tier-1 Gateway on the NSX-T Manager:

CREATE-EDGE-GW-16.png

STEP 9» Create an Organization Virtual Data Center Network

Now I will create the Guest Networks that I want to use that will be connected to the Edge Gateways (Tier-1 Gateways).

Go to "Cloud Resources >> Organization VDCs." Click on the arrow/link of the first Organization VDC to "impersonate" the Organisation Administrator for this specific tenant (ORGANIZATION-VDC-TENANT-A).

CREATE-TENANT-NET-1.png

Now you are logged in as an Organisation Administrator for this specific tenant (ORGANIZATION-VDC-TENANT-A):

CREATE-TENANT-NET-2.png

Go to "Data Centers >> Networks >> Networks" to add new Guest VM Networks:

CREATE-TENANT-NET-3.png

Select the "Scope." In my case, I am only creating a network (for now) that is bound to a specific VDC, and not shared across other VDCs (yet):

CREATE-TENANT-NET-4.png

Select "Routed" as we are attaching this network to the created Edge Gateway (Tier-1 Gateway) for Tenant-A that we created in the previous steps:

CREATE-TENANT-NET-5.png

Select the Edge Gateway (Tier-1 Gateway) for Tenant-A that we created in the previous steps:

CREATE-TENANT-NET-6.png

Specify the gateway address that will be configured on the Edge Gateways (Tier-1 Gateway) downlink. This will be the gateway IP address for your Guest VMs that will be connected to this network:

CREATE-TENANT-NET-7.png

Specify a network pool for this network. This is Cloud Directors' internal IPAM tool to assign IP addresses to the Guest Virtual Machines when they are created on the network you are creating now:

CREATE-TENANT-NET-8.png

Specify DNS details, if you have any:

CREATE-TENANT-NET-9.png

Review the summary:

CREATE-TENANT-NET-10.png

Repeat the previous steps to also create the APP and DB networks for Tenant-A (ORGANIZATION-VDC-TENANT-A):

CREATE-TENANT-NET-11.png

Repeat the previous steps to also create the WEB, APP and DB networks for Tenant-B (ORGANIZATION-VDC-TENANT-B):

CREATE-TENANT-NET-12.png

When I look at the NSX-T GUI, I can now see that the "linked segments" on the Tier-1 Gateways have been increased to 3. this means that the networks we just created using Cloud Director have been added to NSX-T (as a Segment) and are attached to the Tier-1 Gateway:

CREATE-TENANT-NET-15.png

While being in "Organization Tenant mode, go to "Data Centers >> Virtual Datacenter" and click on another Organization VDC (ORGANIZATION-VDC-TENANT-A-DCA or ORGANIZATION-VDC-TENANT-A-DCB).

CREATE-TENANT-NET-13.png

Go to "Data Centers >> Networking >> Networks," and review that this network section is empty as we have configured our networks in another Organization VDC (ORGANIZATION-VDC-TENANT-A-DCA or ORGANIZATION-VDC-TENANT-A-DCB).

CREATE-TENANT-NET-14.png

STEP 10» Share Edge Gateways between Organization VDCs 〈of the same tenant〉

To "share" the networks that I just created with another Organization VDC (the one that was just empty), I need to create a Data Center Group.

The figure below illustrates how this will look like:

Drawings-Data-Center-Groups.png

Create Data Center Groups

Configure Compute Provider Scope

Before a Data Center Group can be configured, I need to specify a "Compute Provider Scope."

Go (back) to the Cloud Director administration panel and go to "Infrastructure Resources >> vCenter Server Instances " to edit the vCenter Server:

CREATE-DC-GROUP-1.png

Configure the Compute Provider Scope:

CREATE-DC-GROUP-2.png

Review the Compute Provider Scope:

CREATE-DC-GROUP-3.png

Create Data Center Groups

Go back to the "Organization VDC administration" screen and go to "Networking >> Data Center Groups" to add a Data Center Group:

CREATE-DC-GROUP-4.png

Select the "primary" Organization VDC:

CREATE-DC-GROUP-5.png

Give the Data Center Group a name:

CREATE-DC-GROUP-6.png

Select the remaining Organization VDCs that you want to form a group with:

CREATE-DC-GROUP-7.png

Review the summary:

CREATE-DC-GROUP-8.png

The new Data Center Group is successfully created:

CREATE-DC-GROUP-9.png

Assign an Edge Gateway to a Data Center Group

Click on the Data Center group you have just created, and go to Edge Gateway. Select "Add Edge":

CREATE-DC-GROUP-10.png

Select the Edge Gateway (Tier-1 Gateway) that is created before:

Important

When you add the Edge Gateway to a Data Center Group, this means all the networks that were created on this Edge Gateway in another Organization VDC are now automatically added to the other Organization VDCs that are part of this Data Center Group

CREATE-DC-GROUP-11.png

The Edge Gateaway is added to the Data Center Group successfully (for Tenant-A):

CREATE-DC-GROUP-12.png

For Tenant-B you need to follow the same steps as above, but then you need to use the Tenant-B Organization VCDs and Edge Gateways with the below figure as a result:

CREATE-DC-GROUP-13.png

STEP 11» Verify the Data Center Group Networks

Now its time to see if the networks that were created in the "ORGANIZATION-VDC-TENANT-A" VDC are also added to the "ORGANIZATION-VDC-TENANT-A-DCA" and "ORGANIZATION-VDC-TENANT-A-DCB" VCD:

CHECK-DC-GROUP-NET-1.png

Review the "ORGANIZATION-VDC-TENANT-A" networks:

CHECK-DC-GROUP-NET-2.png

Review the "ORGANIZATION-VDC-TENANT-A-DCA" networks:

CHECK-DC-GROUP-NET-3.png

Review the "ORGANIZATION-VDC-TENANT-A-DCB" networks:

CHECK-DC-GROUP-NET-4.png

STEP 12» Create Provider VDCs VM Placement Policies

When you look specifically at the "ORGANIZATION-VDC-TENANT-A" VDC, this is a VDC that is tied to a stretched vSphere Cluster.

When you want to place Virtual Machines on DC-A or DC-B, you can do two things:

  1. Use the "ORGANIZATION-VDC-TENANT-A-DCA" VDC (local to DC-A)
  2. Use the "ORGANIZATION-VDC-TENANT-A-DCB" VDC (local to DC-A)
  3. Use the "ORGANIZATION-VDC-TENANT-A" VDC (stretched between DC-A and DC-B) with the use of VM Placement Policies

How to achieve method #3, I will explain this in the section below.

This is also illustrated in the figure below:

Drawings-Placement-Policies.png

First, log in to the vCenter Server and go to the VM/Host Groups vSphere Cluster settings:

Create a Host Group 〈in vCenter Server〉

Create 2 host groups, one for DC-A and the other for DC-B and place the hosts corresponding to the correct site in the correct group:

ADD-PLACEMENT-GROUP-NET-1.png

Create a VM Group 〈in vCenter Server〉

Create 2 VM groups, one for DC-A and the other for DC-B and place the VMs corresponding to the correct site in the correct group:

ADD-PLACEMENT-GROUP-NET-2.png

Create a VM to Host Rule 〈in vCenter Server〉

Create a VM/Host rule, one for DC-A and the other for DC-B, and make sure that you specify that the VMs in the VM Group for DC-A must run on the Hosts in Host Group for DC-A. Do the same for DC-B.

ADD-PLACEMENT-GROUP-NET-3.png

When you have done this, go to "Infrastructure Resources >> vCenter Server Instances " and click on "Refresh" to make sure Cloud Director detects the Groups and Rules.

ADD-PLACEMENT-GROUP-NET-4.png

Create VM Placement Policies 〈in the Provider VDC〉

Go to "Cloud Resources >> Provider VDCs" to edit the Provider VCD:

ADD-PLACEMENT-GROUP-NET-5.png

Go to "Cloud Resources >> Provider VDC >> PROVIDER-VDC >> Policies >> VM Placement" to add a new Placement Policy:

ADD-PLACEMENT-GROUP-NET-6.png

Leave this default and click next:

ADD-PLACEMENT-GROUP-NET-7.png

Specify a name:

ADD-PLACEMENT-GROUP-NET-8.png

Select the "rule" you just created in vCenter Server corresponding to DC-A:

ADD-PLACEMENT-GROUP-NET-9.png

Review the summary:

ADD-PLACEMENT-GROUP-NET-10.png

The Placement Policy for DC-A is created successfully:

ADD-PLACEMENT-GROUP-NET-11.png

Follow the same steps to create another Placement Policy for DC-B:

ADD-PLACEMENT-GROUP-NET-12.png

STEP 13» Create several VMs that will simulate an application

To test the networks you just added, you need to create Guest Virtual Machines. I have done this in the next section:

Create several VMs that will simulate an application 〈Web App and DB〉

I have pre-created a 3-Tier vAPP that was based on an OVF. This is out of scope for this article.

VAPP-NET-1.png

When you click on the vApp, you will see the networks that this vAPP is using.

VAPP-NET-2.png

Review the Network Diagram:

VAPP-NET-3.png

Review the Virtual Machines that are in the vAPP and select the first VM (Web01):

VAPP-NET-4.png

Verify the available networks:

VAPP-NET-5.png

Verify the NIC settings and select the created WEB network for the WEB01 Guest VM that is part of this vAPP.

VAPP-NET-6.png

Verify the NIC settings:

VAPP-NET-7.png

Make sure that VM Guest Customization is enabled. This is needed to make sure the IP address is assigned from the custom Cloud Director Pool.

VAPP-NET-8.png

When the VM is stopped, make sure you Power on the Guest VM using the "Force Recustomization" option.

VAPP-NET-9.png

STEP 14» Configure Distributed Firewall Rules on the applications

You can configure the "Distributed Firewall" within this Data Center Group.

Go to the "Organization VDC administration" screen (ORGANIZATION-VDC-TENANT-A) and go to "Networking >> Data Center Groups >> General."

You will see that by default, the "Distributed Firewall" is not active.

ENABLE-SEGMENTATION-1.png

When you click on active, you activate this.

ENABLE-SEGMENTATION-2.png

Once you have activated the Distributed Firewall, you will see in the NSX-T Manager GUI that a new Security Policy with a new Distributed Firewall Rule is created dedicated to the Data Center Group.

ENABLE-SEGMENTATION-3.png

Lessons learned

Wenn playing around with Cloud Director and NSX-T, a few things are worth mentioning here.

Configure Route advertisement on the Edge Gateway 〈Tier–1 Gateway〉 through VMware Cloud Director

There is a setting that you can enable "Dedicate External Network" on the Edge Gateway (Tier-1 Gateway) you create.

EDGE-ROUTE-CONFIG-1.png

When you enable this setting, you will configure "Routing Settings" on the Edge on the Edge Gateway (Tier-1 Gateway.

Important

You can only enable this setting on ONE single Edge Gateway (Tier-1 Gateway. From a theoretical point of view, when network advertisement could be done on multiple Edge Gateways (Tier-1 Gateways), the same networks could be advertised, causing a routing conflict.

EDGE-ROUTE-CONFIG-2.png

Once you enable "Dedicate External Network" you will see the additional routing sections:

EDGE-ROUTE-CONFIG-3.png

I have configured three networks (172.16.10.0/24, 172.16.20.0/24, and 172.16.30.0/24) to be advertised.

EDGE-ROUTE-CONFIG-4.png

We can verify this setting in the NSX-T Manager by looking at the corresponding Tier-1 Gateway routing settings.

EDGE-ROUTE-CONFIG-5.png

An output of the routing table of the "external router" is provided below:

B>* 172.16.10.0/24 [20/0] via 10.203.11.2, eth1.11, 00:01:49
  *                       via 10.203.11.3, eth1.11, 00:01:49
  *                       via 10.203.12.2, eth1.12, 00:01:49
  *                       via 10.203.12.3, eth1.12, 00:01:49
B>* 172.16.20.0/24 [20/0] via 10.203.11.2, eth1.11, 00:00:46
  *                       via 10.203.11.3, eth1.11, 00:00:46
  *                       via 10.203.12.2, eth1.12, 00:00:46
  *                       via 10.203.12.3, eth1.12, 00:00:46
B>* 172.16.30.0/24 [20/0] via 10.203.11.2, eth1.11, 00:00:46
  *                       via 10.203.11.3, eth1.11, 00:00:46
  *                       via 10.203.12.2, eth1.12, 00:00:46
  *                       via 10.203.12.3, eth1.12, 00:00:46

Configure Edge Gateway Firewall 〈Tier–1 Gateway〉 through VMware Cloud Director

When you configure an Edge Gateway (Tier-1 Gateway) from Cloud Director, the default Gateway firewall setting is set to "DENY."

In the figure below I have changed this to "ALLOW":

EDGE-FW-CONFIG-2.png

Verify if the firewall rule is now set to allow:

EDGE-FW-CONFIG-1.png