You can install multiple NSX Edge services gateway virtual appliances in a data center. Each NSX Edge Appliance can have a total of ten uplink and internal network interfaces. The internal interfaces connect to secured port groups and act as the gateway for all protected virtual machines in the port group. The subnet assigned to the internal interface can be a publicly routed IP address space or a NATed/routed RFC 1918 private space. Firewall rules and other NSX Edge services are enforced on traffic between interfaces.

Uplink interfaces of an ESG connect to uplink port groups that have access to a shared corporate network or a service that provides access layer networking.

The following list describes feature support by interface type (internal and uplink) on an ESG.
  • DHCP: Not supported on uplink interfaces. See the note after this bulleted list.
  • DNS Forwarder: Not supported on uplink interfaces.
  • HA: Not supported on uplink interfaces, requires at least one internal interface.
  • SSL VPN: Listener IP must belong to an uplink interface.
  • IPsec VPN: Local site IP must belong to an uplink interface.
  • L2 VPN: Only internal networks can be stretched.
Note: By design, DHCP service is supported on the internal interfaces of an NSX Edge. However, in some situations, you may choose to configure DHCP on an uplink interface of the edge and configure no internal interfaces. In this situation, the edge can listen to the DHCP client requests on the uplink interface, and dynamically assign IP addresses to the DHCP clients. Later, if you configure an internal interface on the same edge, DHCP service stops working because the edge starts listening to the DHCP client requests on the internal interface.

The following figure shows a sample topology. The Edge Service Gateway uplink interface is connected to the physical infrastructure through the vSphere distributed switch. The Edge Service Gateway internal interface is connected to a logical router through a logical transit switch.

The image is described in the surrounding text.

You can configure multiple external IP addresses for load balancing, site-to-site VPN, and NAT services.

NSX Edge supports two virtual machines for high availability, both of which are kept up-to-date with user configurations. If a heartbeat failure occurs on the primary virtual machine, the secondary virtual machine state is changed to active. As a result, one NSX Edge virtual machine is always active on the network. NSX Edge replicates the configuration of the primary appliance for the standby appliance. Two virtual machines are deployed on vCenter in the same resource pool and datastore as the appliance you configured. Local link IP addresses are assigned to HA virtual machines in the NSX Edge HA so that they can communicate with each other.

Prerequisites

  • You must be assigned the Enterprise Administrator or NSX Administrator role.
  • Verify that the resource pool has enough capacity for the Edge Services Gateway (ESG) virtual appliance to be deployed. See System Requirements for NSX Data Center for vSphere for the resources required for each size of appliance.
  • Verify that the host clusters on which the NSX Edge Appliance will be installed are prepared for NSX. See "Prepare Host Clusters for NSX" in the NSX Installation Guide.
  • Determine if you want to enable DRS. If you create an Edge Services Gateway with HA, and DRS is enabled, DRS anti-affinity rules are created to prevent the appliances from being deployed on the same host. If DRS is not enabled at the time the appliances are created, the rules are not created and the appliances might be deployed on or moved to the same host.

Procedure

  1. Log in to the vSphere Web Client, and navigate to Home > Networking & Security > NSX Edges.
  2. Click Add, and then click Edge Services Gateway.
  3. Enter name, description, and other details of the ESG.
    Option Description
    Name

    Enter a name for the ESG as you want it to appear in the vCenter inventory.

    Make sure that this name is unique across all ESGs within a single tenant.

    Host Name

    Optional. Enter a host name that you want to display for this ESG in the CLI.

    If you do not enter a host name, the Edge ID that is created automatically is displayed in the CLI.

    Description Optional. Enter a description of the ESG.
    Deploy NSX Edge

    Optional. Select this option to create an NSX Edge Appliance virtual machine.

    If you do not select this option, the ESG will not operate until a VM is deployed.

    High Availability

    Optional. Select this option to enable and configure high availability on the ESG.

    • If you need to run stateful services on an ESG, such as load balancer, NAT, DHCP, and so on, you can enable HA on the edge. HA helps in minimizing the failover time to a standby edge when an active edge fails. Enabling HA deploys a standalone edge on a different host in a cluster. So, you must ensure that you have enough resources in your environment.
    • If you are not running stateful services on the ESG, and your ESG is used only for north-south routing, then enabling ECMP is recommended. ECMP uses a dynamic routing protocol to learn the next-hop towards a final destination and to converge during failures.

      ECMP configuration can substantially increase bandwidth by load-balancing traffic over multiple paths and providing fault tolerance for failed paths. In this configuration, data plane outage is limited to only a subset of the traffic. You also have the option of enabling HA on each ESG to provide a faster failover rather than relying on vSphere HA. In an ECMP configuration too, you must ensure that you have sufficient resources in your environment.

      You can enable ECMP on the edge while doing the global routing configuration, and not while deploying the edge in your network.

  4. Specify the CLI settings and other settings of the ESG.
    Option Description
    User Name Enter a user name that you want to use for logging in to the Edge CLI.
    Password Enter a password that is at least 12 characters and it must satisfy these rules:
    • Must not exceed 255 characters
    • At least one uppercase letter and one lowercase letter
    • At least one number
    • At least one special character
    • Must not contain the user name as a substring
    • Must not consecutively repeat a character 3 or more times.
    Confirm password Reenter the password to confirm.
    SSH access

    Optional. Enable SSH access to the Edge. By default, SSH access is disabled.

    Usually, SSH access is recommended for troubleshooting purposes.

    FIPS mode

    Optional. By default, FIPS mode is disabled.

    When you enable FIPS mode, any secure communication to or from the NSX Edge uses cryptographic algorithms or protocols that are allowed by FIPS.

    Auto rule generation

    Optional. By default, this option is enabled. This option allows automatic creation of firewall rules, NAT, and routing configuration, which control traffic for certain NSX Edge services, including load balancing and VPN.

    If you disable automatic rule generation, you must manually add these rules and configurations. Auto rule generation does not create rules for data-channel traffic.

    Edge control level logging Optional. By default, the log level is info.
  5. Configure the deployment of the NSX Edge Appliance.
    1. Select the size of the appliance depending on your environment.
      Appliance Size Description
      Compact

      Suitable only for laboratory or PoC environments.

      Large

      Provides more CPU, memory, and disk space than Compact, and supports a larger number of concurrent SSL VPN-Plus users.

      Quad Large

      Suitable when you need a high throughput and a high connection rate.

      X-Large

      Suitable for environments that have a load balancer with millions of concurrent sessions.

      See System Requirements for NSX Data Center for vSphere for the resources required for each size of appliance.

    2. Add an NSX Edge Appliance, and specify the resource details for the VM deployment.
      For example:
      Option Value
      Cluster/Resource Pool Management & Edge
      Datastore ds-1
      Host esxmgt-01a.corp.local
      Resource Reservation System Managed

      See "Managing NSX Edge Appliance Resource Reservations" in the NSX Administration Guide for more information on Resource Reservation.

      If you enabled HA, you can add two appliances. If you add a single appliance, NSX Edge replicates its configuration for the standby appliance. For HA to work correctly, you must deploy both appliances on a shared datastore.

  6. Configure interfaces of the ESG.
    1. Specify the name, type, and other basic interface details.
      Option Description
      Name

      Enter a name for the interface.

      Type

      Select either Internal or Uplink. For High Availability to work, an Edge appliance must have at least one internal interface.

      Connected To

      Select the port group or the logical switch to which you want to connect this interface to.

    2. Configure the subnets of the interface.
      Option Description
      Primary IP Address

      On an ESG, both IPv4 and IPv6 addresses are supported. An interface can have one primary IP address, multiple secondary IP addresses, and multiple non-overlapping subnets.

      If you enter more than one IP address for the interface, you can select the primary IP address.

      Only one primary IP address is allowed per interface and the Edge uses the primary IP address as the source address for locally generated traffic, for example remote syslog and operator-initiated pings.

      Secondary IP Addresses

      Enter the secondary IP address. To enter multiple IP addresses, use a comma-separated list.

      Subnet Prefix Length

      Enter the subnet mask of the interface.

    3. Specify the following options for the interface.
      Option Description
      MAC Addresses

      Optional. You can enter a MAC address for each interface.

      If you change the MAC address using an API call later, you must redeploy the Edge after changing the MAC address.

      MTU

      The default value for uplink and internal interface is 1500. For trunk interface, the default value is 1600. You can modify the default value, if necessary. For sub-interfaces on the trunk, the default value is 1500. Make sure that the MTU for the trunk interface is equal to or more than the MTU of the sub interface.

      Proxy ARP

      Select this option if you want the ESG to answer ARP requests intended for other virtual machines.

      This option is useful, for example, when you have the same subnet on both sides of a WAN connection.

      Send ICMP Redirect Select this option if you want the ESG to convey routing information to the hosts.
      Reverse Path Filter

      By default, this option is set to enabled. When enabled, it verifies the reachability of the source address in packets being forwarded.

      In enabled mode, the packet must be received on the interface that the router might use to forward the return packet.

      In loose mode, the source address must appear in the routing table.

      Fence Parameters

      Configure fence parameters if you want to reuse IP and MAC addresses across different fenced environments.

      For example, in a cloud management platform (CMP), fencing allows you to run several cloud instances simultaneously with the same IP and MAC addresses isolated or "fenced".

      The following table shows an example of two NSX Edge interfaces. The uplink interface attaches the ESG to the outside world through an uplink port group on a vSphere distributed switch. The internal interface attaches the ESG to a logical transit switch to which a distributed logical router is also attached.
      Table 1. Example: NSX Edge Interfaces
      vNIC# Name IP address Subnet Prefix Length Connected To
      0 Uplink 192.168.100.30 24 Mgmt_VDS-HQ_Uplink
      1 Internal 192.168.10.1* 29 transit-switch
      Important: NSX 6.4.4 and earlier supports multicast on a single uplink interface of the ESG. Starting with NSX 6.4.5, multicast is supported on a maximum of two uplink interfaces of the ESG . In a multi-vCenter deployment scenario, if an NSX Edge is at version 6.4.4 or earlier, you can enable multicast only on a single uplink interface. To enable multicast on two uplink interfaces, you must upgrade the Edge to 6.4.5 or later.
  7. Configure the default gateway settings.
    For example:
    Option Value
    vNIC Uplink
    Gateway IP 192.168.100.2
    MTU 1500
    Note: You can edit the MTU value, but it cannot be more than the configured MTU on the interface.
  8. Configure the default firewall policy.
    Caution: If you do not configure the firewall policy, the default policy is set to deny all traffic. However, the firewall is enabled on the ESG during deployment, by default.
  9. Configure ESG logging and HA parameters.
    1. Enable or disable logging on the NSX Edge Appliance.

      By default, logs are enabled on all new NSX Edge appliances. The default logging level is Info. If logs are stored locally on the ESG, logging might generate too many logs and affect the performance of your NSX Edge. For this reason, you must preferably configure remote syslog servers, and forward all logs to a centralized collector for analysis and monitoring.

    2. If you enabled high availability, configure the following HA parameters.
      Option Description
      vNIC

      Select the internal interface for which you want to configure HA parameters. By default, HA automatically selects an internal interface and automatically assigns link-local IP addresses.

      If you select ANY for interface but there are no internal interfaces configured, the UI displays an error. Two Edge appliances are created but since there is no internal interface configured, the new NSX Edge remains in standby and HA is disabled. After an internal interface is configured, HA is enabled on the NSX Edge appliance.

      Declare Dead Time

      Enter the period in seconds within which, if the backup appliance does not receive a heartbeat signal from the primary appliance, the primary appliance is considered inactive and the backup appliance takes over.

      The default interval is 15 seconds.

      Management IPs

      Optional: You can enter two management IP addresses in CIDR format to override the local link IP addresses assigned to the HA virtual machines.

      Ensure that the management IP addresses do not overlap with the IP addresses used for any other interface and do not interfere with traffic routing. Do not use an IP address that exists somewhere else on your network, even if that network is not directly attached to the appliance.

      The management IP addresses must be in the same L2/subnet and must be able to communicate with each other.

  10. Review all the ESG settings before deploying the appliance.

Results

After the ESG is deployed, go to the Hosts and Clusters view and open the console of the NSX Edge virtual appliance. From the console, make sure that you can ping the connected interfaces.

What to do next

When you install an NSX Edge Appliance, NSX enables automatic VM startup/shutdown on the host if vSphere HA is disabled on the cluster. If the appliance VMs are later migrated to other hosts in the cluster, the new hosts might not have automatic VM startup/shutdown enabled. For this reason, when you install NSX Edge Appliances on clusters that have vSphere HA disabled, you must preferably check all hosts in the cluster to make sure that automatic VM startup/shutdown is enabled. See "Edit Virtual Machine Startup and Shutdown Settings" in vSphere Virtual Machine Administration.

Now you can configure routing to allow connectivity from external devices to your VMs.