In an NSX-T Data Center environment with multiple NSX Managers, only the NSX Manager that deployed an NSX Edge VM can use it for routing and inter-TEP communication. None of the other NSX Managers registered to the same vCenter Server can use it for routing or inter-TEP communication; those NSX Manager instances treat the NSX Edge VM as a regular VM. This scenario can cause traffic performance issues on the NSX Edge VM.
Problem
- NSX Manager-1 and NSX Manager-2 are registered to the same vCenter Server (compute manager).
- NSX Manager-1 deployed the NSX Edge VM.
- NSX Manager-2 prepared the ESXi host.
- From vSphere Web Client, you perform vMotion of NSX Edge VM to an ESXi host prepared by NSX Manager-2. NSX Manager-2 did not deploy the NSX Edge VM.
- NSX Manager-1 does not recognize the NSX Edge VM as an inventory VM, so NSX Manager-1 does not apply any DFW rules to it.
After moving the NSX Edge VM to the new ESXi host:
- NSX Manager-2 categorizes the NSX Edge VM as a regular VM, not as an NSX Edge VM. If any DFW rules are configured, NSX Manager-2 applies them to the NSX Edge VM.
Sample output from NSX Manager-2, in which the NSX Edge VM is reported with type REGULAR:

https://<NSX Manager-2>/api/v1/fabric/virtual-machines

{
  "host_id": "59ac4c38-56b1-4b82-a131-dd9ad119f53d",
  "source": {
    "target_id": "59ac4c38-56b1-4b82-a131-dd9ad119f53d",
    "target_display_name": "10.172.17.133",
    "target_type": "HostNode",
    "is_valid": true
  },
  ...
  "type": "REGULAR",
  "guest_info": {
    "os_name": "Ubuntu Linux (64-bit)",
    "computer_name": "vm"
  },
  "resource_type": "VirtualMachine",
  "display_name": "mgr2_edge1",
  "_last_sync_time": 1663802733277
},
Cause
Because the NSX Manager-2 exclude list does not filter out the NSX Edge VM, NSX Manager-2 treats it as a regular VM rather than as an NSX Edge VM. As a result, DFW rules and any third-party firewall rules configured for workloads are applied to the NSX Edge VM as well. This scenario might cause traffic disruption.
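As an added example (not part of the original article), the following Python check compares the fabric VM inventories returned by two NSX Managers and flags any VM that the deploying manager reports as an Edge node but another manager reports as REGULAR, which is the condition under which that manager will push DFW rules to the Edge. The inventories below are constructed samples in the shape of the output quoted above; the "external_id" field used as the join key and the "EDGE" type value are assumptions beyond what the page quotes.

```python
import json

# Constructed sample inventories (shape of /api/v1/fabric/virtual-machines).
# "external_id" is assumed to be the vCenter instance UUID shared by both managers.
MGR1_INVENTORY = json.loads("""{"results": [
  {"display_name": "mgr2_edge1", "external_id": "50290000-aaaa-4b82-a131-000000000001",
   "type": "EDGE", "host_id": "59ac4c38-56b1-4b82-a131-dd9ad119f53d"},
  {"display_name": "web-01", "external_id": "50290000-aaaa-4b82-a131-000000000002",
   "type": "REGULAR", "host_id": "59ac4c38-56b1-4b82-a131-dd9ad119f53d"}]}""")

MGR2_INVENTORY = json.loads("""{"results": [
  {"display_name": "mgr2_edge1", "external_id": "50290000-aaaa-4b82-a131-000000000001",
   "type": "REGULAR", "host_id": "59ac4c38-56b1-4b82-a131-dd9ad119f53d"},
  {"display_name": "web-01", "external_id": "50290000-aaaa-4b82-a131-000000000002",
   "type": "REGULAR", "host_id": "59ac4c38-56b1-4b82-a131-dd9ad119f53d"}]}""")


def index_by_external_id(inventory):
    """Map external_id -> VM record for one manager's fabric inventory."""
    return {vm["external_id"]: vm for vm in inventory.get("results", [])}


def misclassified_edges(deploying_inventory, other_inventory):
    """Return Edge VMs (per the deploying manager) that another manager sees as REGULAR.

    Each finding names the VM, the host it currently sits on, and the remediation
    implied by the article: add the VM to the other manager's exclude list.
    """
    other = index_by_external_id(other_inventory)
    findings = []
    for vm in deploying_inventory.get("results", []):
        if vm.get("type") != "EDGE":
            continue  # only Edge VMs matter for this check
        seen = other.get(vm["external_id"])
        if seen is None:
            continue  # the other manager has not inventoried this VM (no DFW applied)
        if seen.get("type") == "REGULAR":
            findings.append({
                "display_name": seen["display_name"],
                "external_id": seen["external_id"],
                "host_id": seen.get("host_id"),
                "action": "add to exclude list on the non-deploying NSX Manager",
            })
    return findings


if __name__ == "__main__":
    for f in misclassified_edges(MGR1_INVENTORY, MGR2_INVENTORY):
        print(f"{f['display_name']} on host {f['host_id']}: {f['action']}")
```

In a live environment the two inventories would be fetched from each manager's /api/v1/fabric/virtual-machines endpoint (shown above) with an appropriately scoped read-only account.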