Follow these steps to deploy NSX Cloud in Microsoft Azure from the NSX Cloud Marketplace image, using the Terraform scripts provided by NSX Cloud.
Prerequisites
- Verify that you have access to the NSX Cloud Marketplace image in your Microsoft subscription.
- Verify that you have accepted Microsoft Azure's Marketplace legal terms in the subscription where you are deploying NSX cloud appliances.
- You must have Microsoft Azure CLI installed and configured on the system. This is required for authenticating and running Azure APIs that are used in the Terraform scripts.
If possible, run the Terraform scripts on the same system you already use to access your Microsoft subscription. This ensures that your Microsoft Azure credentials can be used from within that system and you do not have to share them with a different system.
Also, as a security recommendation, run these scripts on a Linux/Unix or macOS system that supports the Python crypt module.
- Verify that you have binaries of Terraform 0.13 or higher on the system where you plan to run the Terraform scripts.
- You must have Python 3.0 or higher installed on this system.
Procedure
Results
- A VNet to host the NSX Cloud management appliances. This VNet is named <deployment_prefix>-nsx-mgmt-vnet.
- An Availability Set in which the three nodes of the NSX Manager cluster are deployed. This Availability Set is named <deployment_prefix>-nsx-aset.
- Microsoft Azure Resource Group named <deployment_prefix>nsx-mgmt-rg.
- The following resources for each of the NSX Manager nodes and for the CSM appliance:
- VMs named <deployment_prefix>nsx-csm for CSM, and <deployment_prefix>nsx-mgr0, <deployment_prefix>nsx-mgr1 and <deployment_prefix>nsx-mgr2 for the NSX Manager cluster.
- OS Disk for each VM.
- Network interface (NIC) for each VM.
- Public IP address for each VM.
- Data disk for each VM.
- Network Security Groups for NSX Cloud management components that allow connectivity for these appliances.
- <deployment_prefix>-nsx-mgr-sg:

Table 1. Inbound Rules for NSX Manager deployed using the Terraform scripts
Priority  Name                  Port  Protocol  Source  Destination  Action
1000      AllowInboundRuleAPI   443   TCP       Any     Any          Allow

Table 2. Outbound Rules for NSX Manager deployed using the Terraform scripts
Priority  Name                  Port  Protocol  Source  Destination  Action
100       AllowOutboundRuleAPI  Any   TCP       Any     Any          Allow

- <deployment_prefix>-nsx-csm-sg:

Table 3. Inbound Rules for CSM deployed using the Terraform scripts
Priority  Name                  Port    Protocol  Source  Destination  Action
1000      AllowInboundRuleAPI   443     TCP       Any     Any          Allow

Table 4. Outbound Rules for CSM deployed using the Terraform scripts
Priority  Name                  Port    Protocol  Source  Destination  Action
100       AllowOutboundRuleAPI  80,443  TCP       Any     Any          Allow

Note: The Terraform scripts also assign a public IP address to each appliance, so with the default Source of Any the NSX Manager and CSM API and UI on TCP port 443 are reachable from the Internet. Update the Source field of the inbound rules in these auto-created network security groups to the restricted set of CIDRs from which you administer NSX Manager and CSM. The default Any is not safe.
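The following is an added example and is not part of the NSX Cloud Terraform scripts. It shows the AllowInboundRuleAPI rule from Table 1 in two forms: the open rule as the scripts create it (Source = Any, kept only as a comment for comparison) and a hardened rule that takes the allowed administrative CIDRs from a variable whose validation rejects an empty list, a wildcard, 0.0.0.0/0 and malformed prefixes, so terraform plan fails before an Internet-facing rule can be created. The variable names (deployment_prefix, management_cidrs), the resource labels (nsx_mgmt, nsx_mgr_sg, mgr_api_in), the location westus2 and the address 203.0.113.0/24 are assumptions for illustration; the NSG name, rule name, priority, port and protocol follow Table 1.

```hcl
# Added example, not code from the NSX Cloud Terraform scripts.
# Assumed names: var.deployment_prefix, var.management_cidrs,
# azurerm_resource_group.nsx_mgmt, azurerm_network_security_group.nsx_mgr_sg.

variable "deployment_prefix" {
  type = string
}

# Administrative CIDRs allowed to reach the NSX Manager API/UI on TCP/443.
# The validation block (Terraform 0.13+) refuses an empty list, wildcards,
# 0.0.0.0/0 and anything cidrhost() cannot parse, so an open rule is never planned.
variable "management_cidrs" {
  type        = list(string)
  description = "CIDRs allowed to reach the NSX Manager API/UI on TCP/443"
  default     = ["203.0.113.0/24"] # assumed example value; replace with your own

  validation {
    condition = (
      length(var.management_cidrs) > 0 &&
      !contains(var.management_cidrs, "*") &&
      !contains(var.management_cidrs, "Internet") &&
      !contains(var.management_cidrs, "0.0.0.0/0") &&
      length([for c in var.management_cidrs : c if !can(cidrhost(c, 0))]) == 0
    )
    error_message = "The management_cidrs value must be a non-empty list of specific CIDR prefixes; wildcards and 0.0.0.0/0 are not allowed."
  }
}

resource "azurerm_resource_group" "nsx_mgmt" {
  name     = "${var.deployment_prefix}nsx-mgmt-rg"
  location = "westus2" # assumed
}

resource "azurerm_network_security_group" "nsx_mgr_sg" {
  name                = "${var.deployment_prefix}-nsx-mgr-sg"
  location            = azurerm_resource_group.nsx_mgmt.location
  resource_group_name = azurerm_resource_group.nsx_mgmt.name
}

# Weak form, equivalent to the auto-created rule in Table 1 (Source = Any).
# Shown for comparison only; the single difference is source_address_prefix = "*".
#
# resource "azurerm_network_security_rule" "mgr_api_in_open" {
#   name                        = "AllowInboundRuleAPI"
#   priority                    = 1000
#   direction                   = "Inbound"
#   access                      = "Allow"
#   protocol                    = "Tcp"
#   source_port_range           = "*"
#   destination_port_range      = "443"
#   source_address_prefix       = "*"
#   destination_address_prefix  = "*"
#   resource_group_name         = azurerm_resource_group.nsx_mgmt.name
#   network_security_group_name = azurerm_network_security_group.nsx_mgr_sg.name
# }

# Hardened form: same name, priority, port and protocol as Table 1,
# but Source is the validated list of administrative CIDRs.
resource "azurerm_network_security_rule" "mgr_api_in" {
  name                        = "AllowInboundRuleAPI"
  priority                    = 1000
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefixes     = var.management_cidrs
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.nsx_mgmt.name
  network_security_group_name = azurerm_network_security_group.nsx_mgr_sg.name
}
```

The same management_cidrs variable can feed the AllowInboundRuleAPI rule of <deployment_prefix>-nsx-csm-sg from Table 3, so both appliances are reachable only from the administrative ranges you declare. Note that cidrhost("0.0.0.0/0", 0) parses successfully, which is why that prefix is excluded explicitly rather than relying on the parse check alone.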
- A Microsoft Azure Recovery Services vault with a vault policy to perform a recurring backup of all three NSX Manager nodes and the CSM appliance. The vault policy is named <deployment_prefix>-nsx-vault and the default backup schedule is daily, recurring at 11 PM UTC.
See Managing Backup and Restore of NSX Manager and CSM in Microsoft Azure in the NSX Administration Guide for details on restore options.