Redeploy an NSX Edge VM Appliance

You want to redeploy an NSX Edge VM when it becomes defunct or its placement in the datacenter needs to change. For example, when the NSX Edge must be moved to another datastore or compute resource, redeploy the NSX Edge node. You can also move the node to another network. However, there could be other reasons to redeploy depending on your network requirements.

You can only redeploy an existing NSX Edge node (physical server or NSX Edge VM appliance) with an NSX Edge VM appliance.

Prerequisites

While you can change some configurations of NSX Edge transport node payload, do not change these configurations on the existing NSX Edge node, that is to be redeployed by a new node:
- Failure domain
- Transport node connectivity
- Physical NIC configuration
- Logical routers
- Load balancer allocations
Ensure connectivity between NSX Edge node and NSX Manager is down if the existing NSX Edgenode is a physical server or a manually deployed VM through vSphere Client. If connectivity is Up, then NSX does not allow the existing NSX Edge node to be replaced with a new one.
Existing autodeployed NSX Edge will remain with hardware version 13. Starting with NSX 4.0.1.1, if the NSX Edge VM is redeployed, the new NSX Edge VM is automatically deployed with an upgraded hardware version compatible with the ESXi host version. VM hardware versions compatible with ESXi hosts are listed in KB article 2007240.

Procedure

(Physical server or NSX Edge deployed through vSphere Client) Open an SSH session and connect to the NSX Edge console.
Verify the logical routes configured on the NSX Edge node through the CLI console, get logical-routers.
Power off NSX Edge node.
Verify that the NSX Edge node is disconnected from NSX Manager by running the following API command.
GET api/v1/transport-nodes/<edgenode>/state
```
 "node_deployment_state": 
        {"state": MPA_Disconnected"}
```
The node_deployment_state value is MPA Disconnected, which indicates you can proceed to redeploy the NSX Edge node.

Note: If node_deployment_state is Node Ready, NSX Manager displays an error 78006 - Manager connectivity to Edge node must be down. Else replacement/redeployment of hardware is not allowed.
Alternatively, view the state of connectivity between NSX Edge node and NSX Manager from the Edge Transport Node page. A disconnected NSX Edge node displays the following system message, Configuration Error, Edge VM MPA Connectivity is down.

If the NSX Edge node is an auto-deployed node, run GET /<NSX-Manager-IPaddress>/api/v1/transport-nodes/<edgenode>. Copy the output payload of this API.

"resource_type": "EdgeNode",
	        "id": "9f34c0ea-4aac-4b7f-a02c-62f306f96649",
	        "display_name": "Edge_TN2",
	        "description": "EN",
	        "external_id": "9f34c0ea-4aac-4b7f-a02c-62f306f96649",
	        "ip_addresses": [
	            "10.170.94.240"
	        ],
	        "_create_user": "admin",
	        "_create_time": 1600106319056,
	        "_last_modified_user": "admin",
	        "_last_modified_time": 1600106907312,
	        "_system_owned": false,
	        "_protection": "NOT_PROTECTED",
	        "_revision": 2
	    },
	    "is_overridden": false,
	    "failure_domain_id": "4fc1e3b0-1cd4-4339-86c8-f76baddbaafb",
	    "resource_type": "TransportNode",
	    "id": "9f34c0ea-4aac-4b7f-a02c-62f306f96649",
	    "display_name": "Edge_TN2",
	    "_create_user": "admin",
	    "_create_time": 1600106319399,
	    "_last_modified_user": "admin",
	    "_last_modified_time": 1600106907401,
	    "_system_owned": false,
	    "_protection": "NOT_PROTECTED",
	    "_revision": 1
	}

You can choose from one of the redeploy scenarios:

Choice Actions

Choice	Actions
Redeploy an existing NSX Edge node (physical server or manually deployed node) with an NSX Edge VM node (deployed through NSX Manager API)	Perform the following in the API command, /api/v1/transport-nodes/<transport-node-id>?action=redeploy Paste the payload in the body of the redeploy API. Verify the `deployment_config` section references the compute manager, datstore, and network details, where you want to redeploy the node. Ensure these values are consistent with the values used in the `node_settings` section. Add login passwords in the `deployment_config` section. NSX Manager redeploys the NSX Edge node based on the details provided in the `deployment_config` section.
Change the placement of the existing NSX Edge node	Perform the following in the API command, /api/v1/transport-nodes/<transport-node-id>?action=redeploy Paste the payload in the body of the redeploy API. In the `deployment_config` section, reference the new compute manager, datastore, network, CPU, memory, or latency sensitivity details.

Redeploy an existing NSX Edge node (physical server or manually deployed node) with an NSX Edge VM node (deployed through NSX Manager API)

Perform the following in the API command, /api/v1/transport-nodes/<transport-node-id>?action=redeploy

Paste the payload in the body of the redeploy API.
Verify the deployment_config section references the compute manager, datstore, and network details, where you want to redeploy the node. Ensure these values are consistent with the values used in the node_settings section.
Add login passwords in the deployment_config section.

NSX Manager redeploys the NSX Edge node based on the details provided in the deployment_config section.

Change the placement of the existing NSX Edge node

Perform the following in the API command, /api/v1/transport-nodes/<transport-node-id>?action=redeploy

Paste the payload in the body of the redeploy API.
In the deployment_config section, reference the new compute manager, datastore, network, CPU, memory, or latency sensitivity details.

An example of the POST https://<manager-ip>/api/v1/transport-nodes/<transport-node-id>?action=redeploy

	{
	    "node_id": "9f34c0ea-4aac-4b7f-a02c-62f306f96649",
	    "host_switch_spec": {
	        "host_switches": [
	            {
	                "host_switch_name": "nsxvswitch_overlay",
	                "host_switch_id": "c0a4a83e-c8b8-4324-a4d7-dbbc07b30b53",
	                "host_switch_type": "NVDS",
	                "host_switch_mode": "STANDARD",
	                "host_switch_profile_ids": [
	                    {
	                        "key": "UplinkHostSwitchProfile",
	                        "value": "f9a2a2fa-b49d-498f-abaf-2fdc81917716"
	                    },
	                    {
	                        "key": "LldpHostSwitchProfile",
	                        "value": "9e0b4d2d-d155-4b4b-8947-fbfe5b79f7cb"
	                    }
	                ],
	                "pnics": [
	                    {
	                        "device_name": "fp-eth0",
	                        "uplink_name": "uplink1"
	                    }
	                ],
	                "is_migrate_pnics": false,
	                "ip_assignment_spec": {
	                    "ip_pool_id": "647d9b0d-0143-4903-91f5-930d9ab011e8",
	                    "resource_type": "StaticIpPoolSpec"
	                },
	                "cpu_config": [],
	                "transport_zone_endpoints": [
	                    {
	                        "transport_zone_id": "0b33b078-6438-4d9b-a1ec-33211fd36822",
	                        "transport_zone_profile_ids": [
	                            {
	                                "resource_type": "BfdHealthMonitoringProfile",
	                                "profile_id": "52035bb3-ab02-4a08-9884-18631312e50a"
	                            }
	                        ]
	                    },
	                    {
	                        "transport_zone_id": "a0133574-48de-4e3a-9407-7db1a68bae41",
	                        "transport_zone_profile_ids": [
	                            {
	                                "resource_type": "BfdHealthMonitoringProfile",
	                                "profile_id": "52035bb3-ab02-4a08-9884-18631312e50a"
	                            }
	                        ]
	                    }
	                ],
	                "vmk_install_migration": [],
	                "pnics_uninstall_migration": [],
	                "vmk_uninstall_migration": [],
	                "not_ready": false
	            }
	        ],
	        "resource_type": "StandardHostSwitchSpec"
	    },
	    "transport_zone_endpoints": [],
	    "maintenance_mode": "DISABLED",
	    "node_deployment_info": {
	        "deployment_type": "VIRTUAL_MACHINE",
	        "deployment_config": {
	            "vm_deployment_config": {
	                "vc_id": "cc82da39-b119-4869-a7fe-a54621cb4d3d",
	                "compute_id": "domain-c9",
	                "storage_id": "datastore-14",
	                "host_id": "host-12",
	                "compute_folder_id": "group-v5",
	                "management_network_id": "network-16",
	                "hostname": "EdgeSmallFactor",
	                "data_network_ids": [
	                    "5638c577-e142-4a50-aed3-a7079dc3b08c",
	                    "5638c577-e142-4a50-aed3-a7079dc3b08c",
	                    "5638c577-e142-4a50-aed3-a7079dc3b08c"
	                ],
	                "search_domains": [
	                    "eng.vmware.com",
	                    "vmware.com"
	                ],
	                "enable_ssh": true,
	                "allow_ssh_root_login": true,
	                "reservation_info": {
	                    "memory_reservation": {
	                        "reservation_percentage": 100
	                    },
	                    "cpu_reservation": {
	                        "reservation_in_shares": "HIGH_PRIORITY",
	                        "reservation_in_mhz": 0
	                    }
	                },
	                "resource_allocation": {
	                    "cpu_count": 4,
	                    "memory_allocation_in_mb": 8192
	                },
	                "placement_type": "VsphereDeploymentConfig"
	            },
	            "form_factor": "MEDIUM",
	            "node_user_settings": {
	                 "cli_username": "admin",
                        "root_password":"Admin!23Admin", 
                        "cli_password":"Admin!23Admin" 
	            }
	        },
	        "node_settings": {
	            "hostname": "EdgeSmallFactor",
	            "search_domains": [
	                "eng.vmware.com",
	                "vmware.com"
	            ],
	            "enable_ssh": true,
	            "allow_ssh_root_login": true
	        },
	        "resource_type": "EdgeNode",
	        "id": "9f34c0ea-4aac-4b7f-a02c-62f306f96649",
	        "display_name": "Edge_TN2",
	        "description": "EN",
	        "external_id": "9f34c0ea-4aac-4b7f-a02c-62f306f96649",
	        "ip_addresses": [
	            "10.170.94.240"
	        ],
	        "_create_user": "admin",
	        "_create_time": 1600106319056,
	        "_last_modified_user": "admin",
	        "_last_modified_time": 1600106907312,
	        "_system_owned": false,
	        "_protection": "NOT_PROTECTED",
	        "_revision": 2
	    },
	    "is_overridden": false,
	    "failure_domain_id": "4fc1e3b0-1cd4-4339-86c8-f76baddbaafb",
	    "resource_type": "TransportNode",
	    "id": "9f34c0ea-4aac-4b7f-a02c-62f306f96649",
	    "display_name": "Edge_TN2",
	    "_create_user": "admin",
	    "_create_time": 1600106319399,
	    "_last_modified_user": "admin",
	    "_last_modified_time": 1600106907401,
	    "_system_owned": false,
	    "_protection": "NOT_PROTECTED",
	    "_revision": 1
	}

Note: If the old node is an NSX Edge VM node deployed through NSX Manager UI, then you do not need to provide login credentials in the node_user_settings section in the API payload.

See the NSX API Guide for more information on the payload details.

In NSX Manager, verify the Configuration Status of the new NSX Edge node.
Alternatively, verify the status of the newly prepared NSX Edge transport node by running the API command, Get api/v1/transport-nodes/<node-id>/state.
Verify logical router configurations are migrated to the new NSX Edge node, by running the get logical-routers CLI command.
Verify the TEP address remain same on the replaced NSX Edge node.
Verify NSX Edge cluster status is Up. API is GET api/v1/edge-clusters/<cluster>. If NSX is configured to use NSX Federation, verify the intersite status us Up.
Check NSX Edge transport node and cluster state API to verify status is Up.
Troubleshoot error messages:
- (78006) NSX Manager connectivity to Edge node must be down. Else replacement of hardware is not allowed: Ensure NSX Edge node is not connected to NSX Manager.
- (16064) Deployment configuration is missing: In the redeploy API, enter details for the deployment_config section.
- (16066) Login password is missing: Provide login credentials.
- (15019) Insufficient resources on node to be allocated to load balancer pool: The form factor size of the new NSX Edge node might be smaller than the form factor of the old NSX Edge node. The new form factor might not have enough resources to be allocated to load balancer pool.

What to do next

If you want to bring up a replaced physical server or manually deployed NSX Edge VM appliance as part of your network, ensure that the node is disconnected from the network. Then, run del nsx to completely delete NSX VIBs on the node. See the NSX Installation Guide for more details on del nsx.
After you run del nsx on the host, old entries of logical routers, VTEP IP addresses, uplink IP addresses are released. You can now prepare the replaced physical server as a new NSX transport node.

After you redeploy a NSX Edge VM Appliance, few of the security parameters are set to their default values. Reconfigure these parameters as per your environment.
- set auth-policy minimum-password-length <password-length-arg>
  Set the minimum number of characters that passwords must have. The smallest value that can be set is 8
  For example, nsx> set auth-policy minimum-password-length 12
- set user <node-username> password-expiration <password-expiration-arg>
  Set number of days the user's password is valid after a password change.
  Where, <username> is the Username of user,
  <password-expiration> is the number of days password valid after change (1 - 9999)
  For example, nsx> set user audit password-expiration 120
- set auth-policy cli max-auth-failures <auth-failures-arg>
  Set the number of failed CLI authentication attempts that are allowed before the account is locked. If set to 0, account lockout is disabled.
  Where, <auth-failures> is the number of authentication failures to trigger lockout
  For example, nsx> set auth-policy cli max-auth-failures 5
- set banner
  
  Set the security banner or message of the day.
  
  For example, nsx> set banner
  
  Enter TEXT message. End with 'Ctrl-D'
- reset dataplane hugepage
  Reset the hugepage-related boot time option to factory default.
  For example
  nsx-edge-1> reset dataplane hugepage
```
0000:0b:00.0 already bound to driver vfio-pci, skipping
0000:1b:00.0 already bound to driver vfio-pci, skipping
0000:13:00.0 already bound to driver vfio-pci, skipping
INFO: Config was written to: /config/vmware/edge/config.json
Generating grub configuration file ...
Found linux image: /vmlinuz-3.14.17-nn4-server
Found initrd image: //initrd.img-3.14.17-nn4-server
File descriptor 4 (/tmp/ffinvYglp (deleted)) leaked on lvs invocation. Parent PID 32203: /bin/sh
done
INFO: Updated grub. Please reboot to take effect.
```