This section describes the configuration workflow for preparing your environment to protect virtual machines with NSX Distributed Security.

Prerequisites

You have deployed the NSX Manager and configured the valid licenses.

Configuration Workflow

Preparing your virtual environment for the NSX Distributed Security involves two main steps:

  • Configure Compute Manager (vCenter)
  • Prepare vCenter cluster (ESXi hosts) for the NSX Distributed Security

1: Configure Compute Manager (vCenter)

You must add vCenter Server as a compute manager in NSX-T so that NSX-T can see the complete vCenter Server host and cluster inventory. You can then use that inventory to prepare ESXi hosts and clusters for NSX Security.

  1. From your browser, log in to the NSX Manager appliance at https://<nsx-manager-ip-address> using the admin credentials.

  2. Register NSX-T with vCenter Server: go to System > Fabric > Compute Managers, click Add Compute Manager, and add the vCenter Server as a compute manager.

    Add compute manager

  3. Validate NSX-T registration in the vCenter Server from the System > Fabric > Compute Managers page. Click Refresh and view the connection status.

    Refresh compute manager

After the vCenter Server registration succeeds, the host and cluster inventory of that vCenter Server is visible in the NSX Manager User Interface (UI). On the NSX Manager UI, go to System > Fabric > Nodes to view the inventory.

You can register multiple vCenter Servers from the NSX Manager UI by repeating these steps for each vCenter Server.
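The connection status check in step 3 can also be performed against the NSX-T Manager REST API, which is useful when many vCenter Servers are registered or when the check runs from a pipeline. The following is an added example written for this guide, not VMware's code: it lists the compute managers and flags any that are not both registered and connected. The endpoints /api/v1/fabric/compute-managers and /api/v1/fabric/compute-managers/<id>/status, and the registration_status, connection_status and connection_errors fields, are the author's assumptions about the NSX-T Manager API rather than content of this page; the sample response documents are constructed, and the manager address, credentials and CA bundle path are placeholders.

```python
"""Gate on NSX-T compute manager registration (added example, not VMware code).

Assumed (not from this page): NSX-T Manager API endpoints
GET /api/v1/fabric/compute-managers and
GET /api/v1/fabric/compute-managers/<id>/status, returning JSON with
registration_status, connection_status and an optional connection_errors list.
"""
import base64
import json
import ssl
import urllib.request

READY = ("REGISTERED", "UP")  # registration_status / connection_status pair that means "usable"


def evaluate_status(cm: dict, status: dict) -> dict:
    """Build a verdict for one compute manager from its record and its status document."""
    reg = status.get("registration_status")
    conn = status.get("connection_status")
    # error_message is an assumed field name; fall back to the raw entry if absent
    errors = [e.get("error_message", str(e)) for e in status.get("connection_errors", [])]
    return {"id": cm.get("id"), "name": cm.get("display_name"), "server": cm.get("server"),
            "registration": reg, "connection": conn, "ready": (reg, conn) == READY,
            "errors": errors}


def unready(verdicts: list) -> list:
    """Return only the compute managers that still need attention."""
    return [v for v in verdicts if not v["ready"]]


def fetch(manager: str, path: str, auth_header: str, ctx: ssl.SSLContext) -> dict:
    req = urllib.request.Request(f"https://{manager}{path}",
                                 headers={"Authorization": auth_header, "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def check_all(manager: str, user: str, password: str, ca_bundle: str) -> list:
    """Walk every registered compute manager and return one verdict per entry."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # validate the manager certificate
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    verdicts = []
    for cm in fetch(manager, "/api/v1/fabric/compute-managers", auth, ctx).get("results", []):
        status = fetch(manager, f"/api/v1/fabric/compute-managers/{cm['id']}/status", auth, ctx)
        verdicts.append(evaluate_status(cm, status))
    return verdicts


# Constructed sample documents so the verdict logic can be exercised offline.
SAMPLE_CM = {"id": "cm-1", "display_name": "vc01", "server": "vc01.example.test"}
SAMPLE_OK = {"registration_status": "REGISTERED", "connection_status": "UP"}
SAMPLE_DOWN = {"registration_status": "REGISTERED", "connection_status": "DOWN",
               "connection_errors": [{"error_message": "connection refused"}]}

if __name__ == "__main__":
    # Live use: check_all("<nsx-manager-ip-address>", "admin", "<password>", "/path/to/ca-bundle.pem")
    for doc in (SAMPLE_OK, SAMPLE_DOWN):
        print(evaluate_status(SAMPLE_CM, doc))
```

A compute manager that reports REGISTERED but a connection status other than UP is the case the Refresh button in step 3 surfaces; the verdict list makes that state visible without opening the UI.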

2: Prepare the vCenter Cluster (ESXi Hosts) for the NSX Distributed Security

NSX Distributed Security requires preparing the vCenter Server compute cluster for NSX-T. NSX-T supports the following two host preparation modes:

  1. Security Only - Distributed Security for VDS port groups:
    • Supports security for VMs connected to the native vCenter Distributed Virtual Port Groups (DVPG).
    • Supports vSphere 6.7 and vSphere 7.0 Update1 or later.
    • Does not support NSX-T networking for the workload within the NSX-T prepared vCenter Server cluster.
    • Workflow is supported only using the Quick Start wizard.
  2. Networking and Security - Distributed Security with NSX-T Networking:
    • Supports NSX-T networking and distributed security for the workload within the NSX-T prepared vCenter Server cluster.
    • If VLAN connected workloads need distributed security, then you must move the workload to the NSX-T VLAN segments from DVPG.
    • Workflow is supported using the Quick Start wizard or manually from the System > Fabric > Nodes menu.

Based on your environment, select the required deployment method. The NSX-T environment can have a mix of NSX Security only prepared clusters and NSX Networking and Security prepared clusters. More details on each of the deployment modes are covered later in this section.

2.1: Security Only Host Preparation - Distributed Security for VDS Port Groups

After you configure the compute manager, you can prepare clusters of ESXi hosts for distributed security only. The hosts in the cluster must share a VDS.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to System > Quick Start.
  3. On the Prepare Clusters for Networking and Security card, click Get Started.

    Quick start widget to quickly prepare clusters for security only

  4. Select the clusters on which you want to install Distributed Security.
  5. Click Install NSX and then select Security Only.
  6. In the dialog box, click Install.

    The NSX host preparation begins to install required software modules on the ESXi hosts.

    The process takes a few minutes to complete. After the process is complete, the status changes to Success. The objects like transport node profile, transport zone, and distributed port groups are automatically created.

    Install process showing in-progress and completed status

  7. To view VDS with Distributed Security installed, do the following:
    1. Navigate to System > Fabric > Nodes.
    2. Select the Host Transport Nodes tab.
      Note: vSphere clusters prepared for Distributed Security are identified by the Security label.

Results

On the NSX Manager UI, go to Networking > Segments > Distributed Port Groups tab to view the DVPG inventory from the vCenter Server.

On the NSX Manager UI, go to Inventory > Virtual Machines to view the virtual machine inventory from all ESXi hosts.

What to do next

You can now start configuring your policy for the workloads hosted on DVPG on the prepared vCenter Server.

2.2: Networking and Security - Distributed Security with NSX-T Networking

After you configure the compute manager, you can prepare clusters of ESXi hosts for VLAN networking and distributed security together.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. On the Prepare Clusters for Networking and Security card, click Get Started.
  3. Select the clusters you want to prepare for NSX-T networking.
  4. Click Install NSX and then select Networking and Security.
    Quick Start install for Networking and Security both (VLAN based)
  5. Depending on your requirement, you can prepare the same cluster for both VLAN and Overlay networking or for only one type of networking. With Overlay networking, each host switch is assigned a TEP IP address, which overlay networking requires.
    Prepare cluster for VLAN and Overlay networking
  6. Review the Host Switch Configuration to identify the target switches to which the physical NICs and VMkernel adapters (if any) will be migrated.
    This is the configuration that NSX-T recommends. Customizing these settings for the cluster is optional.
    Note: A dotted line from a switch to a physical NIC indicates an existing configuration on the host switch; it will be replaced by a solid line going to the same physical NIC.
  7. Even though NSX-T provides recommendations, you can still customize the configuration. To customize a switch, select the switch, and change the recommended configuration.
    1. Type: Change the host switch type.
    2. Transport Zone: Select a different transport zone that you want the host to be associated with.
    3. Uplink Profile: If needed, select a different uplink profile in place of the recommended uplink profile.
      Note: If you configure two VDS switches with the same configuration, the wizard recommends the same uplink profile for both the switches.
    4. Uplink to Physical NIC mapping: On a VDS switch, all uplinks configured on the VDS switch are mapped to the uplinks in NSX-T. On an N-VDS switch, uplinks are mapped to vmnics.
      A change to host switch type or uplink to vmnic mapping is reflected in the Host Switch Configuration network representation.
  8. Click Install.

    The NSX host preparation begins to install required software modules on the ESXi hosts.

    View the progress of the installation on the Prepare Clusters for Networking and Security card. If installation fails on any host, resolve the reported error and retry the installation.

    The process takes a few minutes to complete. After the process is complete, the status changes to Success.

  9. To view the successfully prepared hosts, go to System > Fabric > Nodes > Host Transport Nodes.

Results

On the NSX Manager UI, go to the Inventory > Virtual Machines tab to view the virtual machine inventory from all the ESXi hosts.

Note: A vCenter Server cluster prepared for Networking and Security does not support distributed security for workloads connected directly to a DVPG. If a DVPG VLAN-connected workload needs security, you must move the workload to an NSX VLAN segment (with the same VLAN) or move the workload to a cluster prepared for NSX Security only.

For more information, see NSX-T Data Center Administration Guide.

What to do next

You can now start configuring your policy for the workloads hosted on the NSX segments on the prepared vCenter Server clusters.