The single-node Enterprise Edge is the simplest edge deployment, without vSAN for storage. Use an external/integrated router/firewall for networking, and at least two 1Ggps/10Gbps links to connect to TOR switches. For VDS, create 3 port groups and trunk the VDS uplink.
Infrastructure and Networking
The single-node Enterprise Edge is the simplest form of edge deployment that does not leverage vSAN for storage. An external or integrated appliance such as a router or firewall is expected to provide the networking services and routing for the edge site. Plan for at least two 1G/10Gbps links to the top of the rack (TOR) switch to connect the Enterprise Edge to the upstream appliance.
For vSphere Distributed Switch (VDS) configuration, create the three port groups (minus vSAN) and configure the VDS uplink as a trunk. If the TOR switch supports EtherChannel and 802.3ad, construct an LACP link aggregation group (LAG) in VDS and add the physical uplinks to the LAG from the host. Then configure the EtherChannel on the TOR switch and allow the corresponding edge VLANs. If the TOR switch does not support EtherChannel, bypass LACP and NIC Teaming configurations and simply configure the vmnics as DVS uplinks.
The reference network design is provided above with the following requirements:
Use two NICs per host to connect to the top of rack (TOR) switch.
If the TOR switch supports EtherChannel, configure LACP for the uplinks in VDS and enable NIC Teaming and Failover for port groups (VLANs). This is optional.
The upstream network device will serve as the DHCP server and default gateway for the three networks and advertise the network prefixes to the data center.
TKG Management Cluster in the data center must have connectivity to ‘TKG WL’ VLAN to configure the workload clusters.
Internet access for the pods in the TKG workload clusters.
Workload Cluster
The Kubernetes clusters running in TKG are placed in ‘TKG WL’ VLAN and should be allowed outbound Internet access through a proxy or locally via a security appliance. The workload cluster requires WAN connectivity for connection to Tanzu Mission Control and Aria Operations for Applications (formerly Tanzu Observability).
Integrated SD-WAN
For a single node edge site, the main purpose of an integrated SD-WAN appliance is to consolidate networking and computing into the Enterprise Edge and remove the switch and firewall. The VMware SD-WAN virtual appliance accomplishes that by serving as the layer 3 switch and default gateway for the workload VLANs, and functions as the edge router and firewall to build VPN connections, propagate routes, and secure the workloads.
The reference design is provided with the following design considerations:
The VMware SD-WAN appliance should be the default gateway for all workloads deployed. Optionally it can also function as the local DHCP, DNS, and NTP server.
The SD-WAN VNF will connect to the upstream WAN links and establish overlays across them to the data center and other edge sites. Dynamic tunnels to other SD-WAN devices and the associated routes can be disabled from the VMware SD-WAN Orchestrator.
All port groups configured on the Enterprise Edge should be connected to the SD-WAN virtual appliance to enable workloads to utilize its networking services.
All external traffic flows from the Enterprise Edge, including the VMkernel flows, will be forwarded through the SD-WAN virtual appliance. The management VMkernel adapters – i.e., vmk0 should leverage the appliance as its next hop for connectivity to the vCenter and other services.
VMware SD-WAN does not support jumbo frames as of Release 5.0. The maximum IP MTU supported for packets sent across the overlay without fragmentation is 1500.
The VMware SD-WAN VNF can be deployed by following these steps:
Provision the SD-WAN appliance with network adapters connected to all the depicted port groups. By default, GE3 and GE4 are configured to be WAN interfaces.
Activate the SD-WAN VNF and configure all interfaces to be routed – GE1 and GE2 are by default switch ports.
Enable Cloud VPN and configure the SD-WAN Hub as its VPN hub. The Hub cluster must be deployed in the data center before deploying the edges.
Migrate the vmk0 interface on the host to leverage SD-WAN and set its next hop to the SD-WAN appliance IP address.