NSX Federation with Data Center Groups in VMware Cloud Director 10.5

The latest version of VMware Cloud Director, 10.5, adds support for NSX Federation. This new feature allows service providers to offer common networking and security across different locations, each managed by a separate regional NSX Manager instance, within a single VMware Cloud Director environment.

Providers can register an NSX Global Manager in VMware Cloud Director (VCD) and use NSX Federation (global) constructs. In VCD, the feature is consumed through a new type of data center group, Universal, which can include organization virtual data centers (VDCs) from multiple network fault domains or, in other words, from different local NSX Managers.

With the ability to include up to 16 VDCs, supported by up to 4 NSX Manager instances in a single Universal DC group, organizations benefit from an enhanced, scalable and flexible VCD infrastructure. The VCD Provider Gateway, which can now be supported by an extended, multi-slot, NSX Federation Tier 0 gateway, defines the boundaries of this Universal DC group.

You only have a few minutes?

Watch this 7-minute demo for a quick overview of how providers and tenants can use and benefit from the VMware Cloud Director integration with NSX Federation.

Deep integration

The NSX Federation infrastructure must be configured in advance with a Global NSX Manager cluster, and the respective local NSX Manager clusters must be added to the Global Manager as locations. The provider must register all local NSX Managers and their Global NSX Manager instance as infrastructure resources in VCD. The integration also supports global configuration of segment profile templates.

If the provider wants to use NSX Federation to provide unified networking and security across all sites, one or more global Tier 0 gateways must be created to extend the different sites based on the desired network topology. Extended Tier 0 Gateways can be deployed in various fashions:

  • Extended active-active Tier 0 gateway with primary and secondary locations
  • Extended active-active Tier 0 gateway with all primary locations
  • Extended active-standby Tier 0 gateway with primary and secondary locations

It is important to note that the NSX Federation integration with VCD does not change how provider virtual data centers (PVDCs) are defined. Each PVDC is supported by its own local NSX Manager and its respective GENEVE network pool.

Provider Gateway, supported by a Global Tier-0

Providers have the option to select a Global NSX Manager when creating a Provider Gateway. This allows them to choose a Tier 0 global gateway, which can span across different locations. One of the main differences is that IP Spaces are the only IP address management method supported for “global” provider gateways.

The following rules apply to “global” provider gateways:

  • Any Edge Gateway can be connected to a “global” Provider Gateway.
  • An Edge Gateway created in a Universal DC group context must be connected to a “global” Provider Gateway.
  • The “global” Provider Gateway VDC scope must be a superset of the Universal DC group VDC scope.

Universal Data Center Group

Traditionally, VCD tenants can consume data center groups as logical objects containing a set of organization VDCs where security and networking are unified. In other words, the PVDCs (supporting these organization VDCs) had to be supported by the same network pool (NSX transport zone).

VCD 10.5 introduces the concept of a Universal DC group. VDCs that are part of such a group can be supported by PVDCs from different vCenters, data centers, and local NSX Managers within an NSX Federation. The local NSX Managers define the scope of the Universal DC group.

DC Group Universal Networking

Tenants can create and manage Edge Gateway and connected routed network components in a specific Universal DC group context.

An Edge Gateway defined in the context of the Universal DC group is backed by a Global Tier-1 with a location scope corresponding to the mapping of the VDCs to their local NSX Managers. Therefore, this Edge must be connected to the appropriate “global” Provider Gateway. This follows from the NSX Federation architecture requirement that a Global Tier-1 scope be equal to or a subset of its upstream Global Tier-0 scope. Unlike local DC groups, scaling up/down for Universal DC Group Edge is not supported.

VCD only supports routed networks in the context of the Universal DC group. The network scope covers all VDCs of the Universal DC group. This again follows from NSX Federation’s requirement that the extent of a global overlay segment always equals that of its attached Tier-1 or Tier-0 gateway.

DC Group Universal Edge Services

The default configuration of the Edge Gateway for its Tier 1 gateway slots mode and Edge cluster placement is based on the upstream global Tier 0 gateway slots mode and Edge cluster configuration. If this default needs to change, the necessary changes can be made from VCD.

Supported Universal DC Group Edge services are analogous to standard Edge, excluding the following important services:

  • VPN services (IPSec and L2VPN)
  • BGP and static routes
  • Load Balancer

Non-distributed routing is automatically enabled on Universal DC Group Edge and cannot be changed.

Connecting external networks to a Universal DC Group Edge is not possible because the service interface cannot be established on an extended Tier 1 gateway. Additionally, the only supported DHCP mode is Relay.
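
The limits, “global” Provider Gateway rules and Edge service exclusions described in the sections above can be checked against a planned design before anything is created. The following is an added example, not code from VMware or from the original post; the class names, field names, service labels and sample values are hypothetical, and it calls no VCD or NSX API.

```python
from dataclasses import dataclass, field

# Limits and exclusions as stated in this article for VCD 10.5.
MAX_VDCS, MAX_NSX_MANAGERS = 16, 4
UNSUPPORTED_SERVICES = {"ipsec_vpn", "l2vpn", "bgp", "static_routes", "load_balancer"}

@dataclass
class ProviderGateway:            # hypothetical model, not a VCD API object
    name: str
    is_global: bool               # True when backed by a Global Tier-0
    vdc_scope: set                # organization VDCs the gateway is scoped to
    ipam: str = "ip_spaces"

@dataclass
class UniversalDcGroup:           # hypothetical model, not a VCD API object
    name: str
    vdc_to_nsx: dict              # org VDC -> local NSX Manager backing it
    edge_services: set = field(default_factory=set)
    dhcp_mode: str = "relay"

def validate(group, pgw):
    """Return the rule violations of a planned design (empty list = OK)."""
    problems = []
    vdcs, managers = set(group.vdc_to_nsx), set(group.vdc_to_nsx.values())
    if len(vdcs) > MAX_VDCS:
        problems.append(f"{len(vdcs)} VDCs exceeds the limit of {MAX_VDCS}")
    if len(managers) > MAX_NSX_MANAGERS:
        problems.append(f"{len(managers)} NSX Managers exceeds the limit of {MAX_NSX_MANAGERS}")
    if not pgw.is_global:
        problems.append("Universal DC group Edge needs a global Provider Gateway")
    elif pgw.ipam != "ip_spaces":
        problems.append("global Provider Gateway supports IP Spaces only")
    missing = vdcs - pgw.vdc_scope    # gateway scope must be a superset
    if missing:
        problems.append(f"Provider Gateway scope is missing VDCs: {sorted(missing)}")
    bad = group.edge_services & UNSUPPORTED_SERVICES
    if bad:
        problems.append(f"unsupported Edge services: {sorted(bad)}")
    if group.dhcp_mode != "relay":
        problems.append("only DHCP Relay mode is supported")
    return problems

# Constructed sample design; every name below is made up.
PGW = ProviderGateway("pgw-global", True, {"vdc-par-1", "vdc-fra-1"})
GROUP = UniversalDcGroup(
    "udcg-emea",
    {"vdc-par-1": "nsx-par", "vdc-fra-1": "nsx-fra", "vdc-ams-1": "nsx-ams"},
    edge_services={"nat", "firewall", "ipsec_vpn"})

if __name__ == "__main__":
    for problem in validate(GROUP, PGW):
        print("VIOLATION:", problem)
```

For the sample design this reports two violations: one VDC falls outside the Provider Gateway scope, and IPSec VPN is requested on the Universal DC Group Edge.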

DC Group Universal Security

Universal DC Group security can be used at the Edge Gateway and Distributed Firewall (DFW) levels.

Security objects, such as IPSets, static and dynamic groups, and application port profiles, are created as Global NSX managed entities and can be used in both security contexts (Edge Gateway and DFW) of the given Universal DC group. All security objects in Universal DC groups are created in the scope of the NSX Federation global region.

NSX Federation applies tags at the Local NSX Manager level. From this point of view, the tags of virtual machines connected to networks in a Universal DC Group context are managed in the same way as for the Local DC Group.

On a final note

Adding support for NSX federated environments in VMware Cloud Director allows providers and tenants to easily scale networking and security services across multiple network availability zones. This integration facilitates disaster recovery and business continuity plans by allowing workloads and applications to be effortlessly moved and replicated between data centers. It also streamlines the management of multi-site environments, improving the operational experience for providers and tenants.

If you haven’t already, check out my previous blogs about the new features in VCD 10.5 IP Spaces.

Stay updated by regularly checking this blog for the latest updates. You can also join us on Soft, Facebook, Twitter, and LinkedIn.

Stay tuned for new demo videos and activation on YouTube, especially our Featured Fridays Series.
