vCloud Director 8.10 supports NSX Edge 6.x, which allows you to upgrade vShield Edge to NSX Edge. If you are using an earlier version of vCloud Director, NSX Edge 6.x is not supported, and you should not upgrade NSX Edge.

About this task

You can upgrade vShield Edge to NSX Edge in two ways: using NSX or using vCloud Director.

To upgrade Edge using vCloud Director, see Upgrade vCenter Server Systems, Hosts, and NSX Edges in the vCloud Director Installation and Upgrade Guide.

Attention:

If you are using vCloud Director earlier than 8.10, do not upgrade NSX Edge.

Prerequisites

  • Verify vShield Manager has been upgraded to NSX Manager.

  • Understand the operational impact of the NSX Edge upgrade while the upgrade is in progress. See Operational Impacts of vCloud Networking and Security Upgrades.

  • Verify that there is a local segment ID pool, even if you have no plans to create NSX logical switches.

  • Verify the hosts have enough resources to deploy additional NSX Edge Services Gateway appliances during the upgrade, particularly if you are upgrading multiple NSX Edge appliances in parallel. See the System Requirements for NSX for the resources required for each NSX Edge size.

    • For a single NSX Edge instance, there will be two NSX Edge appliances of the appropriate size in the poweredOn state during upgrade.

    • Starting in NSX 6.2.3, when upgrading an NSX Edge instance with high availability, both replacement appliances are deployed before replacing the old appliances. This means there will be four NSX Edge appliances of the appropriate size in the poweredOn state during upgrade of a given NSX Edge. Once the NSX Edge instance is upgraded, either of the HA appliances could become active.

    • Prior to NSX 6.2.3, when upgrading an NSX Edge instance with high availability, only one replacement appliance is deployed at a time while replacing the old appliances. This means there will be three NSX Edge appliances of the appropriate size in the poweredOn state during the upgrade of a given NSX Edge. Once the NSX Edge instance is upgraded, usually the NSX Edge appliance with HA index 0 becomes active.

  • If you have L2 VPN enabled on an NSX Edge you must delete the L2 VPN configuration before you upgrade. Once you have upgraded, you can reconfigure L2 VPN.

Procedure

  1. In the vSphere Web Client, select Networking & Security > NSX Edges.
  2. For each NSX Edge instance, double-click the edge and check for the following configuration settings before upgrading.
    1. Click Manage > VPN > L2 VPN and check if L2 VPN is enabled. If it is, take note of the configuration details and then delete all L2 VPN configuration.
    2. Click Manage > Routing > Static Routes and check if any static routes are missing a next hop setting. If they are, add the next hop before upgrading the NSX Edge.
  3. For each NSX Edge instance, select Upgrade Version from the Actions menu.

    If the upgrade fails with the error message "Failed to deploy edge appliance," make sure that the host on which the NSX Edge appliance is deployed is connected and not in maintenance mode.

Results

After the NSX Edge is upgraded successfully, the Status is Deployed, and the Version column displays the new NSX version.

If an Edge fails to upgrade and does not roll back to the old version, click the Redeploy NSX Edge icon and then retry the upgrade.

NSX Edge firewall rules do not support sourcePort, so vShield Edge version 5.5 rules containing sourcePort are modified during the upgrade as follows.

  • If there are no applications used in the rule, a service is created with protocol=any, port=any and sourcePort=asDefinedInTheRule.

  • If there are applications or applicationGroups used in the rule, these grouping objects are duplicated by adding the sourcePort to them. Because of this, the groupingObjectIds used in the firewall rule change after the upgrade.

User firewall rules in NSX Edge 6.x do not generate internal IPSets and applicationSets based on input from REST APIs. Instead, they are retained in the raw format. During upgrade, the internally generated IPSets and applicationSets are used to create rules with raw data. The internal groupingObjects will no longer appear in the user firewallRules.
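
An added example, not part of the original VMware documentation: a pre-upgrade audit that applies the prerequisite checks and the sourcePort rewrite rules described above to an inventory of Edges, so the rules that change can be re-reviewed after the upgrade. The dict layout and names (`l2vpn_enabled`, `static_routes`, `next_hop`, `SAMPLE_EDGES`) are assumptions and the data is constructed; `nsx_version` is assumed to be the NSX version performing the upgrade.

```python
# Added example: field names are hypothetical and SAMPLE_EDGES is constructed.
# Only the rules applied here come from the page.

def peak_appliances(ha, nsx_version):
    """PoweredOn appliances for one NSX Edge instance while it is upgraded."""
    if not ha:
        return 2
    return 4 if nsx_version >= (6, 2, 3) else 3

def classify_rule(rule):
    """How the upgrade rewrites a vShield Edge 5.5 rule; None if unchanged."""
    if not rule.get("sourcePort"):
        return None
    if rule.get("applications") or rule.get("applicationGroups"):
        return "grouping objects duplicated; groupingObjectIds change"
    return "service created: protocol=any, port=any, sourcePort=" + rule["sourcePort"]

def audit_edge(edge, nsx_version):
    """Collect upgrade blockers and firewall rules to re-review afterwards."""
    blockers = []
    if edge.get("l2vpn_enabled"):
        blockers.append("L2 VPN enabled: record the configuration, then delete it")
    for route in edge.get("static_routes", []):
        if not route.get("next_hop"):
            blockers.append("static route %s has no next hop" % route["network"])
    rewritten = {}
    for rule in edge.get("firewall_rules", []):
        change = classify_rule(rule)
        if change:
            rewritten[rule["id"]] = change
    return {"blockers": blockers, "rewritten_rules": rewritten,
            "peak_appliances": peak_appliances(edge.get("ha", False), nsx_version)}

SAMPLE_EDGES = {  # constructed inventory, not real output
    "edge-a": {
        "ha": True, "l2vpn_enabled": True,
        "static_routes": [{"network": "10.0.0.0/24", "next_hop": "192.0.2.1"},
                          {"network": "10.1.0.0/24", "next_hop": None}],
        "firewall_rules": [
            {"id": "r1", "sourcePort": "1024-65535", "applications": []},
            {"id": "r2", "sourcePort": "53", "applications": ["app-1"]},
            {"id": "r3", "sourcePort": None, "applications": ["app-2"]}],
    },
}

if __name__ == "__main__":
    for name, edge in SAMPLE_EDGES.items():
        print(name, audit_edge(edge, nsx_version=(6, 2, 3)))
```

Rules reported under `rewritten_rules` are the ones to compare against the post-upgrade rule set, because their service definitions or groupingObjectIds differ from the pre-upgrade configuration.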

What to do next

Reconfigure any L2 VPN configurations. See L2 VPN Overview in the NSX Installation Guide.