Creating a Tier-0 Gateway in NSX+

Site B (nsxmanager-01b.corp.vmw) was onboarded after Site A (nsxmanager-01a.corp.vmw) in my previous posts. There is already an Edge cluster deployed and all ESXi hosts are prepped in this installation.

If you’ve ever configured a Tier-0 gateway in NSX before, you’ll find the process almost identical in NSX+.

My goal in this series of posts is to configure a T0, T1, segments, DFW and NAT rules to support a three-tier web app. There will also be some BGP configuration to allow for routes to be shared outside of the local NSX environment.

There is a three-tier app at Site B that is using NSX networking. The app consists of three web VMs, an app VM, a DB VM and a load balancer (LB) VM. Each tier is on its own network (the three web VMs share one network).

The app is arbitrarily named cda. There is a similar app at Site A named dist but most work in NSX+ will be with the cda app VMs in Site B.

  • app network: 172.32.1.0/24
  • db network: 172.32.2.0/24
  • lb network: 172.32.0.0/24
  • web network: 172.32.3.0/24
  • App VMs: cda-app-01
  • DB VMs: cda-db-01
  • LB VMs: cda-lb-01
  • Web VMs: cda-web-01, cda-web-02, cda-web-03
  • DNS Server: 192.168.110.10
  • NTP Server: 192.168.100.1

Traffic Flow:

  • HTTP/HTTPS (80/443), from any source to VMs on the lb network
  • HTTP (80), from VMs on the lb network to VMs on the web network
  • 8443/TCP, from VMs on the web network to VMs on the app network
  • 8080/TCP, from VMs on the app network to VMs on the db network
  • DNS (53), from VMs on any configured network to 192.168.110.10
  • NTP (123) from VMs on any configured network to 192.168.100.1
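
The flow list above can be treated as a default-deny allowlist and checked before any DFW rules exist. The following is an added example, not from the original post and not NSX+ code: the rule names, the VM and client IP addresses in the samples, and the protocols for DNS (UDP and TCP) and NTP (UDP) are assumptions, while the networks, servers and ports are the ones listed on this page.

```python
import ipaddress

# Networks and servers as listed on this page.
NETS = {
    "lb": ipaddress.ip_network("172.32.0.0/24"),
    "app": ipaddress.ip_network("172.32.1.0/24"),
    "db": ipaddress.ip_network("172.32.2.0/24"),
    "web": ipaddress.ip_network("172.32.3.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")
DNS = ipaddress.ip_network("192.168.110.10/32")
NTP = ipaddress.ip_network("192.168.100.1/32")

# (name, sources, destinations, protocols, ports). Rule names are hypothetical;
# protocols are assumptions where the page gives only a port number.
RULES = [
    ("any-to-lb", [ANY], [NETS["lb"]], {"tcp"}, {80, 443}),
    ("lb-to-web", [NETS["lb"]], [NETS["web"]], {"tcp"}, {80}),
    ("web-to-app", [NETS["web"]], [NETS["app"]], {"tcp"}, {8443}),
    ("app-to-db", [NETS["app"]], [NETS["db"]], {"tcp"}, {8080}),
    ("dns", list(NETS.values()), [DNS], {"udp", "tcp"}, {53}),
    ("ntp", list(NETS.values()), [NTP], {"udp"}, {123}),
]

def match_flow(src, dst, proto, port):
    """Return the name of the first rule permitting the flow, or None (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, srcs, dsts, protos, ports in RULES:
        if (proto in protos and port in ports
                and any(s in n for n in srcs)
                and any(d in n for n in dsts)):
            return name
    return None

# Constructed sample flows (addresses are made up): (src, dst, proto, port)
SAMPLES = [
    ("203.0.113.7", "172.32.0.10", "tcp", 443),
    ("172.32.3.11", "172.32.1.10", "tcp", 8443),
    ("172.32.3.11", "172.32.2.10", "tcp", 8080),   # web straight to db
    ("203.0.113.7", "172.32.3.11", "tcp", 80),     # outside straight to web
    ("172.32.2.10", "192.168.110.10", "udp", 53),
]

if __name__ == "__main__":
    for flow in SAMPLES:
        print(flow, "->", match_flow(*flow) or "DENY")
```

Flows that skip a tier, such as web directly to db or an outside client directly to a web VM, match no rule and fall through to the deny.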

The core NSX infrastructure is already deployed at Site B. Originally, all necessary components were configured on the LM at Site B but this has all been torn down so it can be recreated in NSX+.

In the NSX+ UI, on the Global page, you can see that there is a single instance with two sites.

Switch from the Global view to the Instance view.

Click on the Networking tab. Navigate to Connectivity > Tier-0 Gateways.

Click the Add Tier-0 Gateway button and start completing the form as appropriate.

Be sure to set the Location correctly as this will determine which local NSX manager the T0 is realized on. If you have multiple local NSX managers onboarded, you don’t want to find the T0 on the wrong one.

Click the Save button.

Click Yes.

Before continuing on with the configuration in NSX+, you can check the local NSX manager UI to make sure that the T0 has been created.

Note the small NSX+ bubble next to the name. This is a very quick way of knowing that this T0 is managed by NSX+. It’s also letting you know that you won’t be able to modify this T0 outside of NSX+.

Back in NSX+, under Interfaces on the T0 page, click Set.

Click the Add Interface button. Complete the form as appropriate.

The Location and Edge Node values will be filtered to EPSG Site B in this example since that is where the T0 was created.

Click the Save button.

Click the Close button.

And again, back in the local NSX manager UI, you can validate that the interface has been configured:

One interesting point here: the MTU is 8940. There is no MTU configured in NSX+ (on the T0 or globally); this value is taken from the global MTU setting on the LM.

Back in NSX+, expand the BGP section and complete the form as appropriate.

Under Route Aggregation, click Set.

Click the Add Prefix button. Complete the form as appropriate.

Click the Add button.

Click the Apply button.

Under BGP Neighbors, click Set.

Click the Add BGP Neighbor button. Complete the form as appropriate.

Click the Save button.

Click the Close button.

Under Route Re-Distribution, click Set.

Click the Add Route Re-Distribution button. Enter an appropriate name.

Click Set under Route Re-Distribution. Enable route re-distribution for the appropriate sources.

Click the Apply button.

Click the Add button.

Click the Apply button.

Click the Close Editing button.
