vRealize Automation 7.3 introduces new NSX features

vRealize Automation 7.3 is out now and if you haven’t seen the release notes yet you should check them out on VMware’s website here. You could be forgiven for thinking that there wouldn’t be much to talk about in a point release; however, vRA 7.3 is jam-packed with new features and updates which will keep bloggers busy for a long time.

One area which has received some attention is vRealize Automation’s OOTB integration with NSX. If you’re not familiar with vRA + NSX integration you may want to hop over to my earlier post, vRealize Automation + NSX = Awesome.

This blog post will cover the new NSX feature updates in vRealize Automation 7.3.

vRA NSX Enhancements

Before I dive right into the detail, here is a list of NSX feature enhancements that came with vRA 7.3;

  • Reworked NSX Integration
  • New enhanced control of NSX-provisioned Load Balancers
  • Enhanced NAT Port Forwarding Rules
  • Day 2 NSX Security Group and Tag Management
  • NSX Edge Size Selection
  • High Availability automated for NSX Edge Services

Reworked NSX Integration 

If you were using NSX with an earlier version of vRealize Automation, following an upgrade to 7.3 you will notice an additional endpoint configured. vRA 7.3 now manages NSX as a separate endpoint and it is no longer configured within the vCenter configuration.

The new NSX integration no longer requires the vRO plugin like previous versions did. Instead vRA communicates directly with the NSX REST API bringing the benefits of a streamlined deployment no longer depending on vRO and the NSX vRO plugin. This provides easier troubleshooting and improved reliability due to a reduction in number of components required to integrate NSX with vRealize Automation.

Creating an NSX Endpoint

To view endpoints, navigate to Infrastructure > Endpoints > Endpoints.

To create a new NSX endpoint, click New > Network and Security > NSX. This opens the NSX Endpoint configuration page.

Enter a Name and Description for the NSX endpoint. In the Address field enter the address for the NSX Manager, followed by the User Name and Password required to connect to it.

Select the Associations tab to associate the NSX endpoint with a vCenter Endpoint.

Click New to add a new association.

In the above example I select the vCenter endpoint that I want to use with NSX and click OK to save the change.

Enhanced Control of NSX-Provisioned Load Balancers

The next welcome feature allows for further customisation of NSX On-demand Load Balancers within the blueprint canvas. You can now customise;

  • Algorithms
  • Persistence settings
  • Port
  • Health Monitors
  • Transparent Mode
  • Connection Limits

Selecting the Customize radio button under Settings: allows you to edit these settings.

NSX Load Balancer Day 2 Operations

You can now make day 2 updates to NSX Load Balancers by editing the Virtual Servers on the Load Balancer. Day 2 updates allow you to make the following changes;

  • Add new Virtual Servers
  • Edit existing Virtual Servers including;
    • All Algorithm
    • Persistence settings
    • Health Monitors
    • Transparent Mode
    • Port
    • Connection Limits

In order to enable this feature you must first add the Entitlement Action Reconfigure Load Balancer to your entitlement;

Find the NSX Load Balancer for your Deployment in the items tab, select it and then click on Reconfigure from the Actions drop down menu;

Reconfigure NSX Load Balancer

This will open a New Request allowing you to make changes to the Virtual Servers configuration on the NSX Load Balancer.

NSX LB Virtual Servers

You are able to edit the settings of the existing virtual server or you can add a new one. In this case I will add a second monitor for HTTPS. Click New to add this as a new Virtual Server.

By selecting the Customize radio button, the additional tabs are enabled allowing you to further customise settings.

Distribution Settings

Health Check Settings

Advanced Settings

Click Ok when you have finished making the required changes and then click Submit to begin processing the request.

Enhanced NAT Port Forwarding Rules

With vRA 7.3 you can now add NAT port forwarding rules during the blueprint design time. In order to use this feature an On-demand One to Many NAT network profile should be created using a Static IP Range.

NAT Rules can be defined for;

  • a vSphere Machine Component, providing that component is not clustered.
  • or an NSX Load Balancer component

Support allows for multiple rules to be created and ordered.

vRA NAT Rules

If you do not see the NAT Rules tab then check the following;

  • An On-Demand One to Many NAT Network profile is used
  • IP addresses are not assigned using DHCP

The following are not supported for NAT Port forwarding rules;

  • NICs that are not in the current network
  • NICs that are configured to get IP addresses using DHCP
  • Machine clusters

Further to this you can now also update NAT Port forwarding rules using Day 2 actions.

The Change NAT Rules operation is not supported for deployments that were upgraded or migrated from vRealize Automation 6.2.x to this vRealize Automation release.

In order to allow this feature you must first add the following entitlement action to your entitlement;

  • Change NAT Rules – (Network)

From the Items tab select your deployment and expand it to view the child components. Select the NAT Network component, then select Change NAT Rules from the Actions menu;

Update NAT Rules

This opens a new request allowing you to add new rules, update existing rules and also update the rule order. To add a rule click New+ add the details then click OK. Click Submit to submit the request so that the changes can be applied.

vRA Day 2 Update NAT Rules

Day 2 NSX Security Group and Tag Management

Using vRA 7.3 you can add or remove existing NSX security groups or tags to a running application as part of a Day 2 operation.

In order to enable this feature you must first add the following entitlement action to your entitlement;

  • Change Security – (Deployment)

With this in place you can now select the Change Security action on a deployment item. Select the deployment you would like to change and select Change Security from the Actions menu;

In the left pane you can select the machine in the deployment that you want to change. On the right side you can select an already applied security group/tag and then remove it.

Click Add > Existing Security Group or Existing Security Tag from the menu.

Select the desired Security Group and click Ok. Click Submit to submit your request and apply the change.

Warning: At this time it is not possible to add On Demand Security Groups or Tags, however you are able to remove these if they are already assigned to the Blueprint.

NSX Edge Size Selection

With vRealize Automation 7.3 you can now specify the deployment size for NSX Edge Services Gateways (ESG). This is configurable per blueprint and is set using a custom property. The advantage of this is that we can now scale ESGs deployed within a blueprint to meet the demands of the application deployed.

To set the deployment size, specify the following custom property with the desired corresponding value;

Custom Property: NSX.Edge.ApplianceSize

Values and sizing:

  • compact: For small deployments, POCs, and single service use.
    • CPU = 1
    • RAM = 512 MB
    • Disk = 512 MB
  • large: For small to medium or multi-tenant deployments.
    • CPU = 2
    • RAM = 1 GB
    • Disk = 512 MB
  • quadlarge: For high throughput equal-cost multi-path routing (ECMP) or high performance firewall deployments.
    • CPU = 4
    • RAM = 1 GB
    • Disk = 512 MB
  • xlarge: For L7 load balancing and dedicated core deployments.
    • CPU = 6
    • RAM = 8 GB
    • Disk = 4.5 GB (4 GB Swap)

The custom property is assigned at the blueprint level and is applied to all ESGs within the Blueprint.

High Availability Automated for NSX Edge Services

When deploying a Blueprint which utilises NSX, as well as being able to determine the size of the deployed Edge Services Gateway, you can also specify that the ESG is deployed using Edge high-availability mode. This is achieved by setting the following custom property at the Blueprint level.

Custom Property Value
NSX.Edge.HighAvailability true

You can verify that the NSX Edge Services Gateway was deployed in HA mode by examining the ESG settings in the vSphere Web Client.

HA enabled
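
The same verification can be scripted. The following is an added example, not code from this post or from VMware: it compares the two custom properties described above with an Edge configuration document. The XML is a constructed sample whose element names are assumed to follow the NSX for vSphere Edge API, and `check_edge` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Values accepted for NSX.Edge.ApplianceSize, as listed in this post.
VALID_SIZES = ("compact", "large", "quadlarge", "xlarge")

# Constructed sample, not captured from a real NSX Manager. Element names are
# an assumption modelled on the NSX for vSphere Edge API.
SAMPLE_EDGE_XML = """<edge>
  <id>edge-1</id>
  <appliances>
    <applianceSize>compact</applianceSize>
    <appliance><highAvailabilityIndex>0</highAvailabilityIndex></appliance>
  </appliances>
  <features>
    <highAvailability><enabled>false</enabled></highAvailability>
  </features>
</edge>"""


def check_edge(properties, edge_xml):
    """Return findings where the deployed Edge differs from the blueprint properties."""
    findings = []
    edge = ET.fromstring(edge_xml)
    have_size = (edge.findtext("appliances/applianceSize") or "").strip()
    ha_text = (edge.findtext("features/highAvailability/enabled") or "").strip()
    have_ha = ha_text.lower() == "true"
    appliance_count = len(edge.findall("appliances/appliance"))

    want_size = properties.get("NSX.Edge.ApplianceSize")
    if want_size is not None:
        if want_size not in VALID_SIZES:
            findings.append(f"NSX.Edge.ApplianceSize={want_size!r} is not a listed value")
        elif want_size != have_size:
            findings.append(f"size: blueprint={want_size} deployed={have_size or 'unknown'}")

    want_ha = properties.get("NSX.Edge.HighAvailability")
    if want_ha is not None:
        expect_ha = str(want_ha).strip().lower() == "true"
        if expect_ha != have_ha:
            findings.append(f"HA: blueprint={expect_ha} deployed={have_ha}")
        # An HA Edge runs as an active/standby pair, so expect two appliances.
        if expect_ha and appliance_count < 2:
            findings.append(f"HA requested but {appliance_count} appliance(s) deployed")
    return findings


if __name__ == "__main__":
    blueprint = {"NSX.Edge.ApplianceSize": "large", "NSX.Edge.HighAvailability": "true"}
    for finding in check_edge(blueprint, SAMPLE_EDGE_XML):
        print("DRIFT:", finding)
```

An empty list means the deployed Edge matches what the blueprint declared; each string in a non-empty list names one mismatch.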

Summary

vRA 7.3 provides an array of additional NSX features and functionality that offer greater control and flexibility to blueprints, both for the blueprint author and consumer. Additional day 2 actions offer consumers greater control over their deployments allowing them to make changes to On-demand NSX Load Balancers, NSX Security and NAT port forwarding rules. Blueprint authors can now also fine tune Edge Services Gateways by specifying their size and HA configuration using custom properties.

I hope that you have found this GavOnCloud Blog post useful!