You can install multiple NSX Edge services gateway virtual appliances in a data center. Each NSX Edge appliance can have a total of ten network interfaces, uplink and internal combined. The internal interfaces connect to secured port groups and act as the gateway for all protected virtual machines in the port group. The subnet assigned to an internal interface can be a publicly routed IP address space or a NATed/routed RFC 1918 private space. Firewall rules and other NSX Edge services are enforced on traffic between interfaces.
Uplink interfaces of an ESG connect to uplink port groups that have access to a shared corporate network or to a service that provides access-layer networking. Which services an interface can carry depends on its type:
- DHCP: Not supported on uplink interfaces.
- DNS Forwarder: Not supported on uplink interfaces.
- HA: Not supported on uplink interfaces; the HA heartbeat requires at least one internal interface.
- SSL VPN: Listener IP must belong to an uplink interface.
- IPsec VPN: Local site IP must belong to an uplink interface.
- L2 VPN: Only internal networks can be stretched.
The following figure shows a sample topology. The Edge Service Gateway uplink interface is connected to the physical infrastructure through the vSphere distributed switch. The Edge Service Gateway internal interface is connected to a logical router through a logical transit switch.
You can configure multiple external IP addresses for load balancing, site-to-site VPN, and NAT services.
NSX Edge HA deploys two virtual machines, both kept up to date with the user configuration. If heartbeats from the primary virtual machine fail, the secondary virtual machine changes its state to active, so one NSX Edge virtual machine is always active on the network. NSX Edge replicates the configuration of the primary appliance to the standby appliance. The two virtual machines are deployed on vCenter in the same resource pool and datastore as the appliance you configured. Link-local IP addresses are assigned to the HA virtual machines so that they can communicate with each other.
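The per-interface service rules listed above, the multiple external addresses on an uplink, and the HA heartbeat requirement are easy to get wrong by hand. The following Python is an added example, not part of this guide and not VMware's code: it applies those rules to a planned ESG layout and then emits the request bodies an operator would send to NSX Manager to create the edge and enable HA. The endpoints and XML element names (POST /api/4.0/edges, PUT /api/4.0/edges/{edgeId}/highavailability/config, edge, vnics, addressGroups, highAvailability) are written from the author's knowledge of the NSX for vSphere API and should be confirmed against the NSX API Guide for your release; all object IDs and addresses are constructed placeholders.

```python
"""Pre-deployment checks for an NSX Edge Services Gateway (ESG) interface layout, plus the
NSX Manager REST bodies that create the edge and enable HA.  Added example, not VMware's
code: element names follow the NSX for vSphere API as the author knows them; confirm them
against the NSX API Guide for your release.  Object IDs and addresses are placeholders."""
from dataclasses import dataclass, field
from typing import List, Optional
import xml.etree.ElementTree as ET


@dataclass
class Vnic:
    index: int
    vnic_type: str        # "uplink" or "internal"
    portgroup_id: str     # dvportgroup-* for an uplink, virtualwire-* for a logical switch
    addresses: List[str]  # primary address first, then any secondary addresses
    prefix: int


@dataclass
class EdgeDesign:
    vnics: List[Vnic]
    ha_enabled: bool = False
    ha_vnic_index: Optional[int] = None  # interface that carries the HA heartbeat
    dhcp_vnics: List[int] = field(default_factory=list)
    l2vpn_stretched_vnics: List[int] = field(default_factory=list)
    sslvpn_listener_ip: Optional[str] = None
    ipsec_local_ip: Optional[str] = None


def validate(design: EdgeDesign) -> List[str]:
    """Apply the per-interface-type rules; an empty list means the layout is deployable."""
    errors: List[str] = []
    by_index = {v.index: v for v in design.vnics}
    if len(design.vnics) > 10:  # ten interface slots in total, uplink plus internal
        errors.append(f"{len(design.vnics)} interfaces configured; an ESG supports at most 10")
    uplink_ips = {ip for v in design.vnics if v.vnic_type == "uplink" for ip in v.addresses}

    def internal_only(service: str, indexes: List[Optional[int]]) -> None:
        for idx in indexes:
            v = by_index.get(idx)
            if v is None or v.vnic_type != "internal":
                errors.append(f"{service}: vnic {idx} is missing or an uplink; needs an internal interface")

    internal_only("DHCP", design.dhcp_vnics)
    internal_only("L2 VPN stretch", design.l2vpn_stretched_vnics)
    if design.ha_enabled:
        if not any(v.vnic_type == "internal" for v in design.vnics):
            errors.append("HA: requires at least one internal interface")
        else:
            internal_only("HA heartbeat", [design.ha_vnic_index])
    for service, ip in (("SSL VPN listener", design.sslvpn_listener_ip),
                        ("IPsec local site", design.ipsec_local_ip)):
        if ip is not None and ip not in uplink_ips:
            errors.append(f"{service}: {ip} is not an address of an uplink interface")
    return errors


def edge_create_body(name, datacenter_moid, resource_pool_id, datastore_id, design):
    """Body for POST /api/4.0/edges; refuses a design that fails validation."""
    if validate(design):
        raise ValueError("; ".join(validate(design)))
    edge = ET.Element("edge")
    ET.SubElement(edge, "datacenterMoid").text = datacenter_moid
    ET.SubElement(edge, "name").text = name
    ET.SubElement(edge, "type").text = "gatewayServices"
    appliances = ET.SubElement(edge, "appliances")
    appliance = ET.SubElement(appliances, "appliance")  # enabling HA later adds the second VM
    ET.SubElement(appliance, "resourcePoolId").text = resource_pool_id
    ET.SubElement(appliance, "datastoreId").text = datastore_id
    vnics = ET.SubElement(edge, "vnics")
    for v in design.vnics:
        vn = ET.SubElement(vnics, "vnic")
        ET.SubElement(vn, "index").text = str(v.index)
        ET.SubElement(vn, "type").text = v.vnic_type
        ET.SubElement(vn, "portgroupId").text = v.portgroup_id
        ag = ET.SubElement(ET.SubElement(vn, "addressGroups"), "addressGroup")
        ET.SubElement(ag, "primaryAddress").text = v.addresses[0]
        if len(v.addresses) > 1:  # extra external IPs for NAT, load balancer and VPN listeners
            sec = ET.SubElement(ag, "secondaryAddresses")
            for ip in v.addresses[1:]:
                ET.SubElement(sec, "ipAddress").text = ip
        ET.SubElement(ag, "subnetPrefixLength").text = str(v.prefix)
    return ET.tostring(edge, encoding="unicode")


def ha_config_body(design):
    """Body for PUT /api/4.0/edges/{edgeId}/highavailability/config."""
    ha = ET.Element("highAvailability")
    ET.SubElement(ha, "enabled").text = "true" if design.ha_enabled else "false"
    if design.ha_enabled:
        ET.SubElement(ha, "vnic").text = str(design.ha_vnic_index)
        ET.SubElement(ha, "declareDeadTime").text = "15"  # seconds without heartbeat before failover
    return ET.tostring(ha, encoding="unicode")


GOOD = EdgeDesign(  # constructed: satisfies every rule
    vnics=[Vnic(0, "uplink", "dvportgroup-101", ["192.0.2.10", "192.0.2.11"], 24),
           Vnic(1, "internal", "virtualwire-5", ["10.1.0.1"], 24)],
    ha_enabled=True, ha_vnic_index=1, dhcp_vnics=[1], l2vpn_stretched_vnics=[1],
    sslvpn_listener_ip="192.0.2.11", ipsec_local_ip="192.0.2.10")
BAD = EdgeDesign(  # constructed: breaks four rules (DHCP, L2 VPN and HA on the uplink, listener on internal)
    vnics=[Vnic(0, "uplink", "dvportgroup-101", ["192.0.2.10"], 24),
           Vnic(1, "internal", "virtualwire-5", ["10.1.0.1"], 24)],
    ha_enabled=True, ha_vnic_index=0,
    dhcp_vnics=[0], l2vpn_stretched_vnics=[0], sslvpn_listener_ip="10.1.0.1")
```

Run validate() on the planned design before touching NSX Manager; edge_create_body() refuses a design with violations so the mistake surfaces in the deployment pipeline rather than as a rejected call or a half-configured edge. The HA body is sent only after the edge exists, since the heartbeat vnic it names must already be an internal interface of that edge.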
Prerequisites
- You must be assigned the Enterprise Administrator or NSX Administrator role.
- Verify that the resource pool has enough capacity for the Edge Services Gateway (ESG) virtual appliance to be deployed. See System Requirements for NSX Data Center for vSphere for the resources required for each size of appliance.
- Verify that the host clusters on which the NSX Edge Appliance will be installed are prepared for NSX. See "Prepare Host Clusters for NSX" in the NSX Installation Guide.
- Determine if you want to enable DRS. If you create an Edge Services Gateway with HA, and DRS is enabled, DRS anti-affinity rules are created to prevent the appliances from being deployed on the same host. If DRS is not enabled at the time the appliances are created, the rules are not created and the appliances might be deployed on or moved to the same host.
Procedure
Results
What to do next
When you install an NSX Edge Appliance, NSX enables automatic VM startup/shutdown on the host if vSphere HA is disabled on the cluster. If the appliance VMs are later migrated to other hosts in the cluster, the new hosts might not have automatic VM startup/shutdown enabled. For this reason, when you install NSX Edge Appliances on clusters that have vSphere HA disabled, check every host in the cluster to make sure that automatic VM startup/shutdown is enabled. See "Edit Virtual Machine Startup and Shutdown Settings" in vSphere Virtual Machine Administration.
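The two caveats in this procedure, that no DRS anti-affinity rule is created when DRS was disabled at deployment time, and that hosts may lack automatic VM startup when vSphere HA is off, can be audited after the edge is deployed. The following Python is an added example, not VMware's code: it runs both checks over a constructed inventory snapshot of a cluster and its two edge appliance VMs. In practice the snapshot would be filled from PowerCLI or pyVmomi (the cluster's DRS and HA configuration, its DRS rules, and each host's autostart manager); the Host and Cluster classes are the author's simplification, not vSphere API types, and the host and VM names are constructed.

```python
"""Post-deployment audit for an ESG deployed with HA.  Encodes two caveats from the guide:
with DRS disabled at deployment time NSX creates no anti-affinity rule, so both appliance
VMs can end up on one host; with vSphere HA disabled, every host must have automatic VM
startup/shutdown enabled.  Added example, not VMware's code.  The cluster snapshots are
constructed; in practice fill them from PowerCLI or pyVmomi."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Host:
    name: str
    autostart_enabled: bool  # host-level automatic startup/shutdown switch
    autostart_vms: List[str] = field(default_factory=list)  # VMs with a power-on entry on this host


@dataclass
class Cluster:
    name: str
    drs_enabled: bool
    vsphere_ha_enabled: bool
    hosts: List[Host]
    vm_host: Dict[str, str]  # VM name -> host it currently runs on
    antiaffinity_rules: List[List[str]] = field(default_factory=list)  # VM names kept apart


def audit_edge_ha(cluster: Cluster, appliance_vms: List[str]) -> List[str]:
    """Return findings; an empty list means the HA pair is separated and will restart."""
    findings: List[str] = []
    placement = {vm: cluster.vm_host.get(vm) for vm in appliance_vms}
    if len(set(placement.values())) < len(appliance_vms):
        findings.append(f"appliances share a host {placement}; one host failure takes down both")
    if not any(set(appliance_vms) <= set(rule) for rule in cluster.antiaffinity_rules):
        cause = ("DRS was disabled, so NSX created none" if not cluster.drs_enabled
                 else "DRS is on but no rule covers this pair")
        findings.append(f"no DRS anti-affinity rule separates {appliance_vms}: {cause}")
    if not cluster.vsphere_ha_enabled:  # nothing else restarts the VMs after a host reboot
        for host in cluster.hosts:
            if not host.autostart_enabled:
                findings.append(f"vSphere HA is off and {host.name} has automatic VM startup disabled")
                continue
            orphaned = [vm for vm, h in placement.items()
                        if h == host.name and vm not in host.autostart_vms]
            if orphaned:
                findings.append(f"{host.name}: no automatic startup entry for {orphaned}")
    return findings


HEALTHY = Cluster(  # constructed: DRS on, NSX's anti-affinity rule present, appliances split
    name="compute-01", drs_enabled=True, vsphere_ha_enabled=False,
    hosts=[Host("esx-01", True, ["esg-01-0"]), Host("esx-02", True, ["esg-01-1"])],
    vm_host={"esg-01-0": "esx-01", "esg-01-1": "esx-02"},
    antiaffinity_rules=[["esg-01-0", "esg-01-1"]])
DEGRADED = Cluster(  # constructed: deployed with DRS off, pair drifted onto esx-01, esx-02 untouched
    name="compute-02", drs_enabled=False, vsphere_ha_enabled=False,
    hosts=[Host("esx-01", True, ["esg-02-0", "esg-02-1"]), Host("esx-02", False)],
    vm_host={"esg-02-0": "esx-01", "esg-02-1": "esx-01"})
```

The check of every host, not only the ones currently running an appliance, is deliberate: the guide's point is that a later migration can land an appliance on a host that never had automatic startup enabled, and the per-VM startup entry is host-specific, so a migrated appliance also needs its own entry on the new host.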
Now you can configure routing to allow connectivity from external devices to your VMs.