The vCloud Networking and Security upgrade process can take some time, especially when upgrading ESXi hosts, because hosts must be rebooted. It is important to understand the operational state of vCloud Networking and Security components during an upgrade, such as when some but not all hosts have been upgraded, or when NSX Edges have not yet been upgraded.

To upgrade vCloud Networking and Security to NSX 6.2.x, you must upgrade the NSX components in the following order:

  • vShield Manager

  • Host clusters and virtual wires

  • vShield App

  • vShield Edge

  • vShield Endpoint

VMware recommends that you run the upgrade in a single outage window to minimize downtime and reduce confusion among vCloud Networking and Security users who cannot access certain vCloud Networking and Security management functions during the upgrade. However, if your site requirements prevent you from completing the upgrade in a single outage window, the information below can help your vCloud Networking and Security users understand what features are available during the upgrade.

vCenter Upgrade

If you are using vCenter embedded SSO and you are upgrading vCenter 5.5 to vCenter 6.0, vCenter might lose connectivity with vShield Manager. This happens if vCenter 5.5 was registered with vShield using the root user name. Starting in NSX 6.2, vCenter registration with root is deprecated. As a workaround, re-register vCenter with vShield using the administrator@vsphere.local user name instead of root.

If you are using external SSO, no change is necessary. You can retain the same user name, for example admin@mybusiness.mydomain, and vCenter connectivity will not be lost.

vShield Manager Upgrade

During:

  • vShield Manager configuration is blocked. The vShield API service is unavailable. No changes to the vShield configuration can be made. Existing VM communication continues to function. New VM provisioning continues to work in vSphere, but the new VMs cannot be connected to vShield virtual wires during the vShield Manager upgrade.

After:

  • All vShield configuration changes are allowed.

Host Cluster Upgrade and Virtual Wires

As part of the host cluster upgrade, new VIBs are installed on the hosts.

In NSX, virtual wires are renamed logical switches.

During:

  • Configuration changes are not blocked on NSX Manager.

  • Upgrade is performed on a per-cluster basis. If DRS is enabled on the cluster, DRS manages the upgrade order of the hosts.

When some NSX hosts in a cluster are upgraded and others are not:

  • NSX Manager configuration changes are not blocked. Additions and changes to logical networks are allowed. Provisioning new VMs continues to work on hosts that are not currently undergoing upgrade. Hosts currently undergoing upgrade are placed in maintenance mode, so VMs must be powered off or evacuated to other hosts. This can be done with DRS or manually.

vShield App Migrated to NSX Distributed Firewall

As part of the host cluster upgrade, the vShield App configuration is migrated to Distributed Firewall.

During:

  • While the migration is in progress, existing filters continue to work.

  • Do not add or change filters while the migration is in progress.

After:

  • Inspect each migrated section and rule to ensure it works as intended.

  • After the migration, remove vShield App via the Service Deployment page in NSX.

vShield Edge Upgrade

vShield Edges can be upgraded without any dependency on host upgrades. You can upgrade a vShield Edge even if you have not yet upgraded the hosts.

Caution:

If you are using a vCloud Director version earlier than 8.10, do not upgrade NSX Edge.. See Determine Whether to Upgrade vShield Edge in a vCloud Director Environment.

During:

  • On the vShield Edge device currently being upgraded, configuration changes are blocked.

  • Packet forwarding is temporarily interrupted.

  • Additions and changes to logical switches are allowed.

  • Provisioning new VMs continues to work.

After:

  • Configuration changes are not blocked. Any new features introduced in the upgrade to NSX will not be configurable until NSX Controllers are installed and all host clusters have been upgraded to NSX version 6.2.x.

  • L2 VPN must be reconfigured after upgrade.

  • SSL VPN clients must be reinstalled after upgrade.

vShield Endpoint Migrated to Guest Introspection

In NSX 6.x, vShield Endpoint is renamed Guest Introspection. After you have upgraded NSX Manager, if you navigate to Networking & Security > Installation > Service Deployments the Guest Introspection service will display an Upgrade link. When you upgrade from vCloud Networking and Security to NSX, the Guest Introspection virtual appliance and the host agent for Guest Introspection are deployed on each host in the cluster where Guest Introspection is enabled.

During:

  • There is a loss of protection for VMs in the NSX cluster when there is a change to the VMs, such as VM additions, vMotions, or deletions.

After:

  • VMs are protected during VM additions, vMotions, and deletions.