Below are the frequently asked questions about the most common scenarios concerning the use of NSX within the Hosted Private Cloud ecosystem.
Topics:
Migration
What is the end-of-life date for NSX-v?
VMware decided to initiate the end of life (EOL) of NSX-v in January 2022. OVHcloud has been granted an extension of support until January 15, 2025.
How are IPs managed during the migration?
In the migration guide, you can find out how to move your existing IP from your NSX-v platform and route it to the IP attached to the Tier-0 section.
When an NSX-T virtual data center is delivered, we deploy and configure a new IP Block for NSX Tier-0 (T0) that we dedicate to VIP. You can route the IP block to this VIP.
For vDC migration, you need to upgrade your datastore to a global version. Can I reverse this configuration?
The global datastore is managed via the OVHcloud Control Panel or API. This allows you to globalize your data store, which will be visible from your new vDC. It allows you to make a vMotion "Compute" and not a vMotion "Storage" of the virtual machines.
It is not possible to exit this mode. You will need to order a new datastore and apply a vMotion to globally release it.
Can the IP migration be done IP per IP or by IP block?
The IP migration is done by block. You change the next stop of the IP block, and the global block is transitioned to the NSX part.
Does this migration interrupt the services supported by NSX? If so, how long?
This will depend on the services used. For example, if you use IPSEC tunnels and public IPs, you will need to move your workloads and reconfigure the IP block you had on your NSX-v infrastructure to your NSX-T infrastructure. If you use NSX-v for firewalling, you can have the configuration on the two environments. Downtime depends on the complexity of your environment.
Is it possible to have NSX-v and NSX-T on the same infrastructure during the transition phase?
It is possible to get NSX-T if you order a new virtual data center in your Hosted Private Cloud. Within the same infrastructure, you will have two virtual data centers, one with NSX-v and the other with NSX-T. Please note that ordering the new vDC will automatically trigger the refund mechanism for the coming month.
Can we use "migration coordinator" for the migration between NSX-v and NSX-T?
This tool requires very strong administration rights on the environment; the Professional Services team can validate the execution and the duplication. In this tool, it is important to note that many elements are not supported (options, existing rules in NSX-v). The reproduction phase would require lots of adaptation on your part, so it is not a recommended tool for migration at OVHcloud.
During the migration phase, will we have to pay double for our platform for one month?
OVHcloud will refund 1 month of hosts and NSX management fees on the next invoice following the order of your new vDC (1 month is considered 30 days). Enterprise customers will not be affected by this scenario.
If an NSX-v migration has been planned to a third-party pfSense solution, should we restart with a request to create a new virtual data center without NSX-v? Can this be done on the existing virtual data center?
In this case, you don't have to order a new vDC, but make sure to disable all your NSX-v features so OVHcloud can disable the component.
What do I do with my Veeam and Zerto replication options? Are they still compatible with NSX?
Yes, but you will have to reconfigure them after migrating your virtual data center.
Configuration
How can I protect my virtual machines directly exposed on the internet with a Public IP?
Secure your traffic with the NSX Distributed Firewall (North/South or East/West security), or use one of the Gateway Firewalls (North/South security).
The "Edit" button in NSX for a Tier-0 is disabled. How do I configure the public gateway?
It is not possible by default. The Tier-0 Gateways are each hosted in a different host, HA (High Availability) is activated, and a virtual IP (VIP) is configured between the two Edges to maintain service continuity. The HA section is already preconfigured by OVHCloud.
Can I configure an active-active Tier-0 Gateway to have double bandwidth ("guaranteed" 10+10=20Gb/s and "theoretical" 25+25=50Gb/s)?
No, it is not possible by default; the configuration is managed by OVHcloud and is active/passive with a VIP (10 Gbps guaranteed bandwidth).
How can I add Public IPs?
Additional public IPs can be added via "next hop" routing by specifying the VMware Hosted Private Cloud environment as a resource, and in next hop the public virtual IP (VIP) of the Tier-0 (T0).
Can IP address blocks be used/distributed between two VMware data centers in the same Hosted Private Cloud?
IP address blocks are dependent on the VMware Hosted Private Cloud environment and not on the virtual data center. Therefore, it is possible to use the same IP address block between several virtual data centers (without any modifications).
NOTE: If you have several virtual data centers, a block of public IPs routed on the virtual IP (VIP) of your Iter-0 (T0) cannot be used in a VM Network of another virtual data center. It is attached to the VIP and no longer to the VM Network.
Can I configure High Availability (HA) on the NSX Edge?
No, NSX Edge management is carried out by OVHcloud in Active Passive mode.
Currently, we have 300 edges and about 5000 simultaneous RDPs. Will the average configuration "4 vCPU / 8 GB RAM / 200 GB" hold for flows?
Sizing will depend on the services you enable or consume on your edges (firewall or load balancing). Today, the Edge servers are Medium in size. The maximums and sizing are available on the Broadcom website.
I have just created a cluster, and I would like to configure it for NSX in the API. How do I do this?
Use this call after you have retrieved the cluster ID you have just created:
Can I use the OVHcloud API to configure and use my NSX Edge API?
Yes, it is possible to do this. Below is an example of the API calls that you would use within the /dedicatedCloud universe.
Retrieve the Edge ID:
For example, you can test resilience by simulating the failure of one of the cluster's Edge nodes:
Do you carry out backups of the NSX-T configurations, including manual customer configuration?
Yes, OVHcloud performs backups. This backup is not intended for restoration in the event of incorrect operation, but for support in the event of an incident involving the various NSX-T controllers.
Management/Miscellaneous
Why is the NSX management interface created via a separate https://nsxt.pcc-xxx-xxx-xxx-xxx.ovh.us endpoint?
The NSX interface is independent and not linked to the vSphere interface. This is why we have created a dedicated endpoint to reach it.
Is it possible to do Border Gateway Protocol (BGP)?
It is impossible to do public BGP (peer with OVHcloud internet routers). However, it is possible to do BGP (private) with a vRack via a Tier-0 gateway or a VRF level 0 gateway, or in an IPsec tunnel via a Tier-0 only.
Is NSX-T BGP compatible across IPSEC?
Yes, through a VRF.
Is it possible to have multiple edge clusters?
Today, only one NSX-T Edge cluster is deployed.
Is it possible to connect an NSX Edge router between two Hosted Private Cloud environments?
Yes, it's possible via the vRack, for example, or via the public network and the Edge Cluster VIPs.
Can we use the Advanced Load Balancer (AVI) or the IDS/IPS Gateway?
No, these features are not included.
Can we use distributed IDS/IPS?
No, distributed IDS/IPS for vDefend and Gateway IDS/IPS for vDefend are not available today.
Does vRack work with NSX-T?
Yes, the vRack works with NSX-T. You can access it in the same way from VLAN port groups in vSphere or from VLAN segments in NSX-T.
Will the NSX Edge cluster have access to the OVHcloud vRack?
The NSX Edge cluster is compatible with an OVHcloud vRack. You can add your virtual data center that carries NSX-T in the vRack of your choice. Find more information on this page.
What is the change regarding the BGP Autonomous System (AS)?
It is possible to position different private AS numbers according to Tier-0 gateways or VRF level 0 gateways.
Is it possible to have the delivery of a vDC NSX-T in a managed VMware vSphere managed from 2016? Will there be problems during the delivery?
Yes, it is possible; there are no constraints currently.
Gateway
Can we put a virtual firewall in front of the Tier-0 in the same managed vSphere?
You can completely disconnect the public interface of the T0 and interconnect them via a private network or a security appliance exposed live on the internet. Note that there is an integrated firewall in T0 that can be configured via the NSX interface, Gateway Firewall.
What is the difference between a Tier-0 and a Tier-1 gateway?
In VMware design, a Tier-1 is always attached to a Tier-0. Flows pass through a Tier-0 to go to the external network. All elements that need to remain inside (locally) the managed vSphere platform are routed by the Tier-1.
How can I add another Tier-0 Gateway?
It is currently not possible to add a new Tier-0 Gateway. Depending on your needs, you can create a virtual Tier-0 instance called VRF. This VRF will not be able to connect to the internet.
Is it possible to connect to the Edge via SSH to perform diagnostics or packet capture?
No, this is not possible for Tier-0 or Tier-1 information. There are troubleshooting tools in NSX.
What is the maximum number of interfaces (connected segments) on a Tier-1 Gateway?
This information depends on the version of NSX in production on the infrastructure. The maximum values are on the Broadcom website.
How much bandwidth will the edge-node cards have, knowing that the Tier-0 (T0) will be shared?
This will depend on which services are enabled (Load Balancer, NAT, Firewall, etc.). The speed and maximum are dependent on the NSX version and available on the Broadcom website.
Support/Assistance
For those using Professional Services, what are the differences between support packs?
All packs are based on a day/hour count, e.g., 1 day = 8 hours, 2 days = 16 hours, and so on. The approach is the same for all packs with a discovery phase, but the duration of the pack will depend on the complexity of the environment and the maturity of your current managed offer. This will be explored with the Professional Services team in a first evaluation call.
Will you provide training and documentation to improve NSX-T skills?
Please see our Getting Started with NSX guide and our other documentation for VMware on OVHcloud.
Go further
For more information and tutorials, please see our other NSX support guides or explore the guides for other OVHcloud products and services.