Follow these steps to deploy NSX Cloud using the NSX Cloud Marketplace image in Microsoft Azure using the Terraform scripts provided by NSX Cloud.

Prerequisites

  • Verify that you have access to the NSX Cloud Marketplace image in your Microsoft subscription.
  • Verify that you have accepted Microsoft Azure's Marketplace legal terms in the subscription where you are deploying NSX cloud appliances.
  • You must have Microsoft Azure CLI installed and configured on the system. This is required for authenticating and running Azure APIs that are used in the Terraform scripts.

    If possible, use the same system to run the Terraform scripts that you use to access your Microsoft subscription from. This ensure that your Microsoft Azure credentials can be used from within the system and you do not have share this information with a different system.

    Also, as a security recommendation, run these scripts on a Linux/Unix or macOS system that supports the Python crypt module.

  • Verify that you have binaries of Terraform 0.13 or higher on the system where you plan to run the Terraform scripts.
  • You must have Python 3.0 or higher installed on this system.

Procedure

  1. Download the Terraform scripts by logging in to your My VMware account and navigating to: Products > VMware NSX-T Data Center > Drivers and Tools > VMware NSX Cloud Scripts for Adding Public Cloud Accounts for NSX 3.1.1 > Go To Downloads > Download Now. For example, after you log in to your My VMware account, this link takes you to the Download page for Drivers and Tools.
  2. Extract the contents of the file named NSXCloudScriptsforAddingPublicCloudAccounts.tar.gz. The Terraform scripts and related files are in the folder NSXCloudScripts/cloud-native-deployment/azure/igw.
  3. Update the Terraform configuration files.
    1. In config.auto.vars, add the following information:
      Parameter Description
      subscription_id Provide the subscription ID for your Microsoft Azure account.
      location Specify the Microsoft Azure location that the NSX Cloud Management VNet will be deployed in.
      deployment_prefix

      This is the deployment name that will be prefixed to all auto-created entities. Ensure that this is unique for each Microsoft subscription_id and location.

    2. In credentials_nsx.auto.tfvars, add the following information:
      Parameter Description
      mgr_public_key_path This is the path to the public key to be applied to the NSX Manager appliance.
      csm_public_key_path This is the path to the public key to be applied to the CSM appliance.
      license_key

      This is the license key for NSX Manager. You must have the NSX Data Center Enterprise Plus license.
    3. Verify advanced configuration information, and update as necessary, in the file advanced_config.auto.tfvars:
      Parameter Description
      mgmt_vnet_address_space This is the address space for the newly deployed NSX Cloud Management VNet.
      mgmt_subnet_address_prefix This is the subnet for the NSX Cloud management appliances deployed in the NSX Cloud Management VNet.
  4. Run the following commands in the specified order:
    ~/terraform init This command collects all the modules required for deployment.
    ~/terraform plan This command displays the list of steps or a blueprint of the procedure involved in the deployment.
    ~/terraform apply This command executes the script.

    If something goes wrong during execution, you are shown the corresponding error messages. After you fix the errors, you can resume the deployment from where it stopped.

  5. Follow these steps to change the passwords generated for NSX Manager and CSM by the Terraform scripts.
    1. After the scripts run successfully, make a note of the following passwords for NSX Manager and CSM:
      • admin_password
      • root_password
      These passwords are displayed on the screen at the end of the deployment. You can also find these passwords in the file NSXCloudScripts/cloud-native-deployment/azure/igw/terraform.tfstate, under the section "outputs", for example: 
        "outputs": {
    "csm": {
      "value": {
        "admin_password": "<pwd>",
        "admin_username": "nsxadmin",
        "private_ip": "<private IP>",
        "public_ip": "<public IP>",
        "root_password": "<pwd>"
      },
    "mgrs": {
      "value": [
        {
          "admin_password": "<pwd>",
          "admin_username": "nsxadmin",
          "private_ip": "<private IP",
          "public_ip": "<public IP>",
          "root_password": "<pwd>"
        },
    2. In Microsoft Azure, navigate to the Network Security Groups created for NSX Manager and CSM, named <deployment_prefix>-nsx-mgr-sg and <deployment_prefix>-nsx-csm-sg, and add the following temporary inbound "allow" rule for SSH:
      Priority Name Port Protocol Source Destination Action
      1010 AllowInboundRuleSSH 22 TCP Any Any Allow
    3. Log in to the NSX Manager appliance using your private key and change the password generated by the Terraform scripts: 
      $ ssh -i <nsx_mgr_key> nsxadmin@<NSX Manager public IP address>
WARNING: Your password has expired. 
You must change your password now and login again!
Changing password for nsxadmin.
(current) UNIX password: <Enter mgr_admin_pwd from the Terraform scripts>
New password: <Enter new password conforming to NSX-T Data Center password complexity>
Retype new password:
passwd: password updated successfully
    4. Log in to CSM using your private key and change the password generated by Terraform scripts: 
      $ ssh -i <nsx_csm_key> nsxadmin@<CSM public IP address>
WARNING: Your password has expired. 
You must change your password now and login again!
Changing password for nsxadmin.
(current) UNIX password: <Enter csm_admin_pwd from the Terraform scripts>
New password: <Enter new password conforming to NSX-T Data Center password complexity>
Retype new password:
passwd: password updated successfully
  6. Log in to the CSM appliance using the new password you have set and run the following NSX CLI command to join CSM with the NSX Manager cluster: 
    join <nsx-manager-ip-address & port(optional)> cluster-id <nsx-manager-cluster-id> username <username> password <password> thumbprint <nsx-manager-api-thumbprint> csm-username <csm-username> csm-password <csm-password>
    You can run the NSX CLI command get cluster status from any NSX Manager node to get the cluster-id. You can get the NSX Manager thumbprint by running the get certificate api thumbprint command on the specified NSX Manager. See the NSX-T Data Center CLI reference for details on CLI commands.
    Note: If the NSX Manager node that you joined the CSM appliance to is lost, you can either run this NSX CLI command to join CSM with one of the other healthy NSX Manager nodes, or you can redeploy the lost NSX Manager node using its image file named, <deployment_prefix>nsx-mgr-image and CSM will automatically rejoin this node when this node is back online. See Redeploying NSX Manager from nsx_mgr_image in Microsoft Azure in the NSX-T Data Center Administration Guide for details.

Results

The scripts deploy the following in your Microsoft Azure subscription:
  • A VNet to host the NSX Cloud management appliances. This VNet is named <deployment_prefix>-nsx-mgmt-vnet.
  • An Availability Set in which the three nodes of the NSX Manager cluster are deployed. This Availability Set is named <deployment_prefix>-nsx-aset.
  • Microsoft Azure Resource Group named <deployment_prefix>nsx-mgmt-rg.
  • The following resources for the each of the NSX Manager nodes and for the CSM appliance:
    1. VMs named <deployment_prefix>nsx-csm for CSM, and <deployment_prefix>nsx-mgr0, <deployment_prefix>nsx-mgr1 and <deployment_prefix>nsx-mgr2 for the NSX Manager cluster.
    2. OS Disk for each VM.
    3. Network interface (NIC) for each VM.
    4. Public IP address for each VM.
    5. Data disk for each VM.
  • Network Security Groups for NSX Cloud management components that allow connectivity for these appliances.
    • <deployment_prefix>-nsx-mgr-sg:
      Table 1. Inbound Rules for NSX Manager deployed using the Terraform scripts
      Priority Name Port Protocol Source Destination Action
      1000 AllowInboundRuleAPI 443 TCP Any Any Allow
      Table 2. Outbound Rules for NSX Manager deployed using the Terraform scripts
      Priority Name Port Protocol Source Destination Action
      100 AllowOutboundRuleAPI Any TCP Any Any Allow
    • <deployment_prefix>-nsx-csm-sg:
      Table 3. Inbound Rules for CSM deployed using the Terraform scripts
      Priority Name Port Protocol Source Destination Action
      1000 AllowInboundRuleAPI 443 TCP Any Any Allow
      Table 4. Outbound Rules for CSM deployed using the Terraform scripts
      Priority Name Port Protocol Source Destination Action
      100 AllowOutboundRuleAPI 80,443 TCP Any Any Allow
    Note: Consider updating the Source field of these auto-created network security groups to a restricted set of CIDRs from which you want to access NSX Manager and CSM. The default Any is not safe.
  • A Microsoft Azure Recovery Service Vault with a vault policy to perform a recurring backup of all three NSX Manager nodes and the CSM appliance. The vault policy is named <deployment_prefix>-nsx-vault and the default backup schedule is set to: daily recurring at 11PM UTC.

    See Managing Backup and Restore of NSX Manager and CSM in Microsoft Azure in the NSX-T Data Center Administration Guide for details on restore options.

What to do next

Deploy PCG in a VNet