Documentation

Skip to end of metadata
Go to start of metadata

This page describes how to configure the NSX integration for Systems Administrators.

NSX compatibility and licenses

  • In Abiquo 3.8.5+, the NSX plugin(s) will require separate licenses
  • Abiquo 3.8.2+ supports NSX version 6.1.x and version 6.2.x
  • To use the firewall and load balancer functionality, the Advanced edition or higher is required
  • Abiquo supports only one vCenter when working with NSX
  • You will need a vCenter user with permission to use the NSX

NSX blueprints

Abiquo has plugins to support the following NSX blueprints for virtual datacenter networking:

  1. Gateway using ESG router
    • The NSX gateway plugin creates a single ESG for use as router
    • Maximum 9 VXLANs
    • Initial version does not support firewalls for load balancers
  2. ECMP using DLR and ESG
    • The ECMP plugin creates a DLR and multiple ESGs as configured
    • Initial version does not support load balancers

Configure the VMware NSX integration

To configure the NSX integration do these basic steps for all plugin types:

  1. For an existing platform, on the Remote Services for the datacenter, install and load Cloud Provider Proxy remote service webapp
  2. Obtain a vCenter user with permission to use the NSX
  3. Check that the vCenter is managing all hosts because the NSX integration uses vCenter to manage the hosts
    • If a host is not registered, the plugin will not work
    • Abiquo does not validate this configuration
  4. Add the IP of the vCenter to the NSX
  5. We recommend that you use a host that is not managed by Abiquo to deploy the Edge appliances. This host is defined in Abiquo configuration properties through the VMware cluster
  6. Abiquo will supply a jar that connects to the vCenter and outputs the IDs for you to configure in the Abiquo properties
    1. The jar can also be used to check that the Abiquo properties are properly configured

Then do the specific steps for each plugin type as described in the guides linked below

  1. Set Abiquo configuration properties for the integration and for the enterprise defaults (optional step for ECMP)
  2. For ECMP, set enterprise properties in Abiquo
  3. Create devices to define the NSX integration for the plugin type

See:

Description of the Abiquo NSX integration

These notes describe the Abiquo NSX integration for the Systems Administrator.

DHCP

In the Gateway plugin, the NSX edge acts as the DHCP server for the virtual machines, and has a DHCP static binding for each VM IP address. In the ECMP plugin, the DHCP server is at the same level as the DLR.

  • Abiquo does not use OMAPI to connect to the DHCP
  • Virtual machines must have port UDP 68 open for DHCP connection
  • Abiquo static routes are supported
  • Chef is not supported because the NSX DHCP does not support setting the required vendor-encapsulated-options

Abiquo synchronization

It is not necessary to synchronize the NSX integration elements. Abiquo synchronization in NSX only applies to configurations that conform to Abiquo specifications with 1 x routing rule, identifier in comment field, and so on

The user should not make changes to the Abiquo configuration directly in the NSX because Abiquo may not recognise the changed configuration

Firewalls in the Abiquo NSX integration

Notes about the implementation of firewalls in the Abiquo NSX integration

  1. Abiquo creates global firewall rules and applies them to logical switches, and then specifies individual virtual machines
  2. If no firewall is used, all traffic is allowed
    1. If a firewall is used, all traffic is denied by default
    2. The DHCP servers send the lease to the clients through port UDP-68
    3. You must allow this traffic or the VM won't get its IPs after a reboot
    4. Abiquo creates a default rule that allows traffic to UDP-68
  3. The global firewall rules are identified by the name of the firewall and the name of the VDC
  4. Firewalls apply to the logical switch, not an individual vNIC
    1. The NSX API does not expose methods to access the ESXi API to obtain vNIC details
  5. All traffic through all logical switches is filtered by the firewall
  6. All rules are always evaluated in order
  7. Rules apply globally to all VMs connected to the same logical switch, even to those that don't have the firewall assigned
    1. Abiquo configures the source and destination IPs so as to guarantee the rules will only apply to the right virtual machine
      1. Abiquo creates a global firewall rule section with the VM name
      2. Abiquo creates rules as IN or OUT with origin or destination IP as appropriate
      3. Abiquo creates rules for each IP
  8. Do not change anything created by Abiquo directly in the NSX
    1. E.g. Abiquo uses the comments section to identify the firewall 
  9. Abiquo does not support firewalls applied to load balancers
    1. In a future version, Abiquo will use Edge firewalls to apply to load balancers

Load Balancers in the Abiquo NSX integration

In Abiquo 3.8.5, load balancers are only available through the NSX Gateway plugin.

  1. Load balancers can have private and public IP addresses
    1. The NSX integration assigns Private IPs from the range reserved by properties
      1. The platform does not manage these IPs
    2. The NSX integration assigns Public IPs from the Edge range with a connection to the outside world
  2. For each routing rule, and each load balancer address, we create a virtual server to listen on that address/portIn
  3. The platform only allows one routing rule to limit problems identifying load balancers in synchronization
    1.  You can use multiple load balancers for incoming traffic to multiple ports
  4. Abiquo does not support firewalls assigned to load balancers in this first version
    1. By default, Abiquo will explicitly permit traffic to virtual servers until firewalls are implemented

External and public networks in the Abiquo NSX integration

To enable users to work with external and public networks in the Abiquo NSX integration

  1. Create external and public networks in the NSX
  2. Create the same networks in Abiquo
    1. On the Create network dialog, select the device that defines the NSX
  3. Remember that VMs using these networks must allow UDP connections to port 68 to obtain their IP addresses

Related pages

  • No labels