An HCX Service Mesh provides the HCX services configuration for a Site Pair. This section describes the procedure for creating a Service Mesh for a vSphere-based HCX Site Pair.

Note: To create a service mesh between a vSphere-based HCX site and a non-vSphere site, see Create a Service Mesh for Non-vSphere Site Pairs.

Adding a Service Mesh initiates the deployment of HCX Interconnect virtual appliances on both of the sites. A Service Mesh is always created at the source site.

Prerequisites

Creating a Service Mesh requires:

  • A connected Site Pair.

  • A valid Compute Profile at the HCX source and HCX destination site.

  • Virtual Switches (for Network Extension) and Network Profiles selected in each Compute Profile must span across all hosts in every selected deployment cluster. If these objects do not span all hosts, it is possible that the appliances will be deployed in a host missing the needed networks. In this case, the Service Mesh deployment can fail or services may not function properly.

Procedure

  1. Log in to the HCX Manager:
    https://hcx-ip-or-fqdn
  2. From the HCX Console, navigate to Interconnect > Service Mesh.
    Created Service Mesh configurations are listed.
  3. Click Create Service Mesh.
  4. Select a site pair:
    1. From the drop-down menu, select a site. The paired site is automatically populated.
    2. Click Continue.
  5. Select Compute Profiles:
    1. Click the Select Source Compute Profile drop-down menu and select a Compute Profile.
    2. Click the Select Remote Compute Profile drop-down and select a Compute Profile.
    3. Click Continue.
  6. Select the services to be activated, and click Continue.
    The HCX services available for activation are based on your selections in the source and remote site Compute Profiles, and based on the service entitlements for each site. In cases where the source and remote sites have been activated with different entitlements, the Service Mesh can inherit entitlements from either site. For more information, see Understanding Service Inheritance.

  7. (Optional) Override the default Uplink Network Profile:

    By default, the HCX interconnect uses Uplink Network Profiles defined in the Compute Profile for the source and the destination sites. You can override the default.

    As an example, an override can be useful in Cloud Director-based deployments where an uplink network that deviates from a common configuration is created for an Organization to consume during the Service Mesh creation.

    1. Click the Select Source Site Uplink Network Profile drop-down.
    2. Select one or more networks. Click Close.

      The HCX Service Mesh can use up to three HCX Uplinks, adding network path failover and improving overall resiliency for HCX services. Multiple HCX Uplinks are not aggregated for increased throughput capacity. The following specific behaviors apply:

      • HCX attempts to load balance traffic on the Network Extension (HCX-NE) appliance based on characteristics of the flow and the performance of the uplinks.

      • HCX does not load balance migration traffic on the Interconnect (HCX-IX) appliance. Additional uplinks might or might not be used.

    3. Click Select Destination Site Uplink Network Profile, and repeat the selections.
    4. Click Continue.
  8. Configure the Network Extension appliances deployed per switch or Transport Zone.

    As an example, advanced configuration can be useful when deploying Network Extension appliances to extend high volume source networks.

    1. In Advanced Configuration - Network Extension Appliance Scale Out, review the default Extension appliances per Network Container.
      If the destination site is not registered with NSX, HCX only displays VDS entries.
    2. For each entry, set the number of Network Extension appliances that HCX deploys when it activates the Service Mesh configuration.

      Extended network service can be carried by a single (standalone) Network Extension appliance at each site, or an HA group that consists of two Network Extension appliances at each site. For example, to create two standalone Network Extension appliances and one HA group for a container entry, set the scale-out number to 4 (2 + 1 x 2 = 4) in the Service Mesh.

      The default setting is 1. This setting restricts the Service Mesh to deploying one Network Extension appliance.

      Note:

      You must configure the Network Extension Appliance limit in the Compute Profile at both the source and remote sites to equal or exceed the number of scale-out appliances set in the Service Mesh.

      For the system resource considerations, see System Requirements.

    3. Click Continue.
  9. (Optional) Configure HCX Traffic Engineering features:

    1. To create multiple transport tunnels for directing the HCX traffic to a destination site, check Application Path Resiliency.

      Enabling Application Path Resiliency (APR) creates up to eight transport tunnels between each Interconnect and Network Extension appliance uplink interface IP address pair between sites. If a few tunnels fail, data traffic is not affected, because only one of the eight transport tunnels is used at any time to provide secure data transfer across the Wide Area Network (WAN) or Internet connection.

      Application Path Resiliency forwards traffic over one tunnel at a time and does not load balance across multiple paths.

      Note:

      To view the available tunnels after completing the Service Mesh configuration, navigate to Interconnect > Service Mesh > View Appliances and expand the HCX-WAN-IX appliance.

      Important: For the additional dynamic tunnel requirement, the source Interconnect (IX) and Network Extension (NE) appliances use a random source UDP port in the 4500 – 4628 range and UDP port 4500 as the target port to create a different flow for each subsequent tunnel. The reverse tunnels originated by the target IX/NE appliances have UDP 4500 as the source port and, as destination ports, the same random ports in the 4500 – 4628 range that the source appliances use for the forward direction.

      Ensure the firewall settings on either side allow for that connectivity.

    2. To dynamically manage the TCP segment size and optimize the transport performance for the HCX Network Extension service traffic, check TCP MSS Clamping.

      This option is available only after activating the HCX Network Extension service.

    3. To reassemble Network Extension input packets into larger ones before delivery to the workloads, check Generic Receive Offload.
    4. To activate or deactivate transport encryption for Network Extension data between the Site Pair, check or uncheck Encryption for Network Extension Services.
      By default this option is checked. Deactivating, or unchecking, this box is available only on Uplink networks that have been verified as secure in the Network Profile configuration.
    5. To activate or deactivate transport encryption for migration traffic between Site Pairs, check or uncheck Encryption for Migration Services.
      By default this option is checked. Deactivating, or unchecking, this box is available only on Uplink networks that have been verified as secure in the Network Profile configuration.
    6. To manage the bandwidth consumed for migrations across all uplink networks, use the up and down arrows to change the bandwidth setting.

      This option is available only after activating the HCX WAN Optimization service.

      Note:

      It is a best practice to retain the default setting of 10000 Mb/S.

  10. Review Topology Preview:
    1. Review the selected clusters, resources, and networks.
    2. Click Continue.
  11. Ready to Complete:
    1. To view a summary of the Service Mesh selections, click the here link.
    2. Name the Service Mesh.
      The Service Mesh name has a limit of 50 characters.
    3. To create the service mesh, click Finish.
    HCX begins deploying the appropriate appliances and displays a topology view of the Service Mesh. To monitor the progress of the Service Mesh deployment, select Tasks, and expand the operation.
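
The firewall requirement in the Application Path Resiliency note of step 9 can be checked before the Service Mesh is deployed. The following is an added example, not VMware code: it evaluates a rule list against the forward and reverse UDP flows described in that note. The rule format, the first-match and implicit-deny stateless ACL model, the helper names, and the addresses are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

LOW, HIGH, FIXED_PORT = 4500, 4628, 4500  # UDP ports from the step 9 note

def apr_flows(src_ip, dst_ip):
    """Flows APR needs between one source and one target uplink IP."""
    return [
        {"dir": "forward", "src": src_ip, "dst": dst_ip,
         "sport": (LOW, HIGH), "dport": (FIXED_PORT, FIXED_PORT)},
        {"dir": "reverse", "src": dst_ip, "dst": src_ip,
         "sport": (FIXED_PORT, FIXED_PORT), "dport": (LOW, HIGH)},
    ]

def verdict(rules, src, dst, sport, dport):
    """First matching rule wins; no match means implicit deny."""
    for r in rules:
        if (r["proto"] == "udp"
                and ip_address(src) in ip_network(r["src"])
                and ip_address(dst) in ip_network(r["dst"])
                and r["sport"][0] <= sport <= r["sport"][1]
                and r["dport"][0] <= dport <= r["dport"][1]):
            return r["action"]
    return "deny"

def blocked(rules, flow):
    """(sport, dport) pairs of this flow that the rule list does not allow."""
    (s0, s1), (d0, d1) = flow["sport"], flow["dport"]
    return [(s, d) for s in range(s0, s1 + 1) for d in range(d0, d1 + 1)
            if verdict(rules, flow["src"], flow["dst"], s, d) != "allow"]

def audit(rules, src_ip, dst_ip):
    return {f["dir"]: blocked(rules, f) for f in apr_flows(src_ip, dst_ip)}

def rule(src, dst, sport, dport, action="allow"):
    return {"action": action, "proto": "udp", "src": src, "dst": dst,
            "sport": sport, "dport": dport}

# Constructed sample data (documentation address ranges, not real sites).
SRC_NET, DST_NET = "192.0.2.0/28", "198.51.100.0/28"
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.10"
# Weak: only 4500 <-> 4500 is open, so the extra APR tunnels are dropped.
WEAK = [rule(SRC_NET, DST_NET, (4500, 4500), (4500, 4500)),
        rule(DST_NET, SRC_NET, (4500, 4500), (4500, 4500))]
# Corrected: full source-port range forward, full destination range back.
CORRECTED = [rule(SRC_NET, DST_NET, (LOW, HIGH), (FIXED_PORT, FIXED_PORT)),
             rule(DST_NET, SRC_NET, (FIXED_PORT, FIXED_PORT), (LOW, HIGH))]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("corrected", CORRECTED)):
        result = audit(rules, SRC_IP, DST_IP)
        print(name, {d: len(pairs) for d, pairs in result.items()})
```

A stateful firewall that tracks the forward flow may not need the explicit reverse rule; the reverse check applies to stateless filters on the path.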

What to do next

After the Service Mesh configuration is complete, verify the underlay network performance for each Uplink Network. The underlay network performance must meet the minimum requirements for HCX services. See Understanding HCX Transport Analytics.

If you are migrating guest workloads using OS Assisted Migration, download and install the Sentinel software on each guest workload. See Sentinel Management.

If it is necessary to edit an existing Service Mesh, such as activating or deactivating services and overriding uplinks, select Interconnect > Service Mesh > Edit. The editing workflow includes a preview screen, listing the changes and describing the impact of those changes on related services prior to finishing the procedure. You can select to complete or cancel the update.