All configurations made from the Global Manager are made in Policy mode. Manager mode is not available in NSX Federation.

See NSX Manager for more information about the two modes.

Configuration Maximums

An NSX Federation environment has the following configuration maximums:
  • For most configurations, the Local Manager cluster has the same configuration maximums as an NSX Manager cluster. Go to VMware Configuration Maximums tool and select NSX.

    Select the NSX Federation category for NSX in the VMware Configuration Maximums tool for exceptions and other NSX Federation-specific values.

  • For a given location, the following configurations contribute to the configuration maximum:
    • Objects that were created on the Local Manager.
    • Objects that were created on the Global Manager and include the location in its span.

    You can view the capacity and usage on each Local Manager. See View the Usage and Capacity of Categories of Objects.

Feature Support

Service insertion (Network Introspection) is only supported in an NSX Federation environment in which a Global Manager (GM) has been deployed under the following conditions:
  • All service-insertion related configuration such as partner service registration, deployment and consumption, is done from a Local Manager (LM).
  • Only objects configured on the LM are used with service insertion. This includes groups, segments, and any other constructs. Service insertion cannot be applied to workloads connected to a stretched/global segment defined from the GM, or any segment connected to a logical router created from the GM. Groups created from the Global Manager should not be used within service insertion redirection polices.
Important:
  • NSX Federation locations must run on environments where administrators have full control of the underlay fabric.
  • NSX Federation does not support Local Manager or Global Manager hosted on VMware Cloud on AWS (VMC on AWS), Azure VMware Solution (AVS), Google Cloud VMware Engine (GCVE), Oracle Cloud VMware Solution (OCVS), or Alibaba Cloud VMware Service (ACVS).
Table 1. Features Supported in NSX Federation
Feature Details Related Links
Tier-0 Gateway
  • 3.0.1 and later: Active-active and active-standby
  • 3.0.0: Active-active only
Add a Tier-0 Gateway from Global Manager
Tier-1 Gateway Add a Tier-1 Gateway from Global Manager
Segments Layer 2 Bridge is not supported. Add a Segment from Global Manager
Groups Some limitations. See Security in NSX Federation. Create Groups from Global Manager
Distributed Firewall Draft of the security policies are available on Global Manager. This includes support for auto and manual drafts. Create Drafts In Global Manager
Firewall Exclusion List Available in 4.0.1.1 and later. Manage a Firewall Exclusion List
Time Based Firewall Rules Available in 4.0.1.1 and later. Time-Based Firewall Policy
Gateway Firewall Create Gateway Policies and Rules from Global Manager
Network Address Translation (NAT) Tier-0 Gateway:
  • Active-active: You can configure stateless NAT only, that is, with action type Reflexive.

  • Active-standby: You can create stateful or stateless NAT rules.

Tier-1 Gateway:
  • You can create stateful or stateless NAT rules.

Stateless NAT rules are pushed to all locations in the gateway's span unless scoped to one or more locations specifically.

Stateful NAT rules are also pushed to all locations in the gateway's span or to the specific location selected. However, stateful NAT rules are realized and enforced only on the primary location.

Configure NAT/DNAT/No SNAT/No DNAT/Reflexive NAT
DNS See Add a DNS Forwarder Service
DHCP and SLAAC
  • DHCP Relay is supported on segments and gateways.
  • DHCPv4 server is supported on gateways with DHCP static bindings configured on segments.
  • IPv6 addresses can be assigned using SLAAC with DNS Through RA (DAD detects duplicates within a location only).
Using objects created on Global Manager in a Local Manager confiiguration Most configurations are supported. For example:
  • Connecting a Local Manager tier-1 gateway to a Global Manager tier-0 gateway.
  • Using a Global Manager group in a Local Manager distributed firewall rule.
These configurations are not supported:
  • Connecting a Local Manager segment to a Global Manager tier-0 or tier-1 gateway.
  • Connecting a load balancer to a Global Manager tier-1 gateway.
Network Monitoring
  • Expanded communication monitoring between Local Manager and Global Manager.
  • Traceflow across NSX instances in the same Federation.
LDAP Authenticate Global Managerusers using a directory service such as Active Directory over LDAP or OpenLDAP. Integration with LDAP
Backup and Restore
  • Backup with FQDN or IP is supported.
Backup and Restore in NSX Federation
vMotion between locations
  • Tag replication across locations is supported.