Creating a Tier-1 Gateway and Segments in NSX+

Site B (nsxmanager-01b.corp.vmw) was onboarded after Site A (nsxmanager-01a.corp.vmw) in my previous posts. There is already an Edge cluster deployed and all ESXi hosts are prepped in this installation.

If you’ve ever configured a Tier-1 gateway and segments in NSX before, you’ll find the process almost identical in NSX+.

My goal in this series of posts is to configure a T0, T1, segments, DFW and NAT rules to support a three-tier web app. There will also be some BGP configuration to allow for routes to be shared outside of the local NSX environment.

There is a three-tier app at Site B that is using NSX networking. The app consists of three web VMs, an app VM, a DB VM and a load balancer (LB) VM. All VMs are on different networks (the three web VMs are on the same network).

The app is arbitrarily named cda. There is a similar app at Site A named dist but most work in NSX+ will be with the cda app VMs in Site B.

app network: 172.32.1.0/24
db network: 172.32.2.0/24
lb network: 172.32.0.0/24
web network: 172.32.3.0/24
App VMs: cda-app-01
DB VMs: cda-db-01
LB VMs: cda-lb-01
Web VMs: cda-web-01
DNS Server: 192.168.110.10
NTP Server: 192.168.100.1

Traffic Flow:

  • HTTP/HTTPS (80/443), from any source to VMs on the lb network
  • HTTP (80), from VMs on the lb network to VMs on the web network
  • 8443/TCP, from VMs on the web network to VMs on the app network
  • 8080/TCP, from VMs on the app network to VMs on the db network
  • DNS (53), from VMs on any configured network to
  • NTP (123) from VMs on any configured network to
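
The four tier-to-tier flows above can be modelled as a default-deny allow-list and checked against sample traffic. This is an added example, not code from the original post or from NSX+; the function names and sample host addresses are assumptions, and the DNS and NTP flows are left out because their destinations are not given in the list.

```python
"""Added example: the page's tier-to-tier flows as a default-deny allow-list."""
from ipaddress import ip_address, ip_network

# Segment subnets as listed on the page.
SEGMENTS = {
    "lb": ip_network("172.32.0.0/24"),
    "app": ip_network("172.32.1.0/24"),
    "db": ip_network("172.32.2.0/24"),
    "web": ip_network("172.32.3.0/24"),
}
ANY = ip_network("0.0.0.0/0")

# (source, destination, allowed TCP ports), from the Traffic Flow list.
# DNS and NTP are omitted: their destinations are not given in that list.
RULES = [
    (ANY, SEGMENTS["lb"], {80, 443}),
    (SEGMENTS["lb"], SEGMENTS["web"], {80}),
    (SEGMENTS["web"], SEGMENTS["app"], {8443}),
    (SEGMENTS["app"], SEGMENTS["db"], {8080}),
]
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_allowed(src: str, dst: str, tcp_port: int) -> bool:
    """Return True only if a rule matches; everything else is denied."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in rs and d in rd and tcp_port in ports for rs, rd, ports in RULES)


def outside_rfc1918() -> list:
    """Segments whose prefix is not inside any RFC 1918 private block."""
    return sorted(name for name, net in SEGMENTS.items()
                  if not any(net.subnet_of(block) for block in RFC1918))


if __name__ == "__main__":
    # Constructed sample flows (host addresses are made up for the demo).
    flows = [
        ("203.0.113.7", "172.32.0.10", 443),   # client -> lb
        ("172.32.0.10", "172.32.3.11", 80),    # lb -> web
        ("172.32.3.11", "172.32.2.10", 8080),  # web -> db, skips the app tier
        ("203.0.113.7", "172.32.3.11", 80),    # client -> web, bypasses the lb
    ]
    for src, dst, port in flows:
        verdict = "ALLOW" if is_allowed(src, dst, port) else "DENY"
        print(f"{verdict:5} {src} -> {dst} tcp/{port}")
    print("not RFC 1918:", outside_rfc1918())
```

All four segment prefixes fall in 172.32.0.0/16, which lies outside the RFC 1918 block 172.16.0.0/12, something to keep in mind when these segments are advertised beyond the local NSX environment.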

The core NSX infrastructure is already deployed at Site B. Originally, all necessary components were configured on the LM at Site B but this has all been torn down so it can be recreated in NSX+.

Once the T0 has been created at Site B, you can move on to creating T1s.

Ensure that you are in the Instance-specific view in NSX+ (not the Global view).

In the NSX+ UI, navigate to Networking > Connectivity > Tier-1 Gateways.

Click the Add Tier-1 Gateway button. Complete the form as appropriate.

Be sure to pick the T0 from Site B in the Linked Tier-0 Gateway dropdown.

Note the different icons next to each option. The purple globe indicates that the T0 at Site B is managed by NSX+, while the orange datacenter next to the T0 at Site A indicates that it is managed by the local NSX Manager at Site B.

Click the Save button.

Click Yes.

Expand Route Advertisement and enable the appropriate sources.

Click the Save button.

Click the Close Editing button.

Before continuing with the rest of the T1 configuration, I needed to create the segments to be used by the three-tier app at Site B.

Navigate to Networking > Connectivity > Segments.

Click the Add Segment button. Complete the form as appropriate.


In this example, I’m starting with configuring the app segment. Be sure to pick the correct gateway (T1-Dist-App at Site B for this segment).

Note: You should be aware that once you have selected a gateway, the only Traffic Type is Overlay and you cannot choose which transport zone is used (it will use the default overlay transport zone in this example). If you do not select a gateway, the default Traffic Type is VLAN and the default VLAN transport zone will be used. Also, with the Traffic Type set to Overlay, you have to specify a subnet. This is not a requirement when completing the same segment configuration on a local NSX manager.

Click the Save button.

Click No.

Repeat this for any more segments that are needed. For the three-tier app at Site B, this needs to be done for the db, lb and web segments.

When the necessary segments have been created, expand the Service Interfaces section of the T1 and click Set.

Click the Add Interface button. Complete the form as appropriate.

Click the Save button. Click the Close button.

Repeat the above steps for any additional interfaces that are needed. For the three-tier app at Site B, interfaces for the lb, db and web networks are needed.
