A compute manager, for example, vCenter Server, is an application that manages resources such as hosts and VMs.

NSX polls compute managers to collect cluster information from vCenter Server.

For more information about vCenter Server roles and privileges, see the vSphere Security document.

Prerequisites

  • Verify that you use the supported vSphere version. See Supported vSphere version.
  • Use IPv4 communication with vCenter Server.
  • Verify that you use the recommended number of compute managers. See https://configmax.vmware.com/home.
  • Provide credentials of a vCenter Server user. You can provide the credentials of the vCenter Server administrator, or create a role and a user specifically for NSX and provide this user's credentials. Add global permissions to the newly created user and role and select Propagate to Children.
    Create an admin role with the following vCenter Server privileges:
    Role  | Privilege
    Admin | Extension.Register extension
    Admin | Extension.Unregister extension
    Admin | Extension.Update extension
    Admin | Sessions.Message
    Admin | Sessions.Validate session
    Admin | Sessions.View and stop sessions
    Admin | Host.Configuration.Maintenance
    Admin | Host.Configuration.NetworkConfiguration
    Admin | Host.Local Operations.Create virtual machine
    Admin | Host.Local Operations.Delete virtual machine
    Admin | Host.Local Operations.Reconfigure virtual machine
    Admin | Tasks
    Admin | Scheduled task
    Admin | Global.Cancel task
    Admin | Permissions.Reassign role permissions
    Admin | Resource.Assign vApp to resource pool
    Admin | Resource.Assign virtual machine to resource pool
    Admin | Virtual Machine.Configuration
    Admin | Virtual Machine.Guest Operations
    Admin | Virtual Machine.Provisioning
    Admin | Virtual Machine.Inventory
    Admin | Network.Assign network
    Admin | vApp

    To use the NSX license for the vSphere Distributed Switch 7.0 feature, the vCenter Server user must either be an administrator, or the user must have Global.Licenses privileges and be a member of the LicenseService.Administrators group.

  • Before you create a service account for the compute manager, add these additional vCenter Server privileges to the admin user role:

    Role  | Privilege
    Admin | Service Account Management.Administer
    Admin | Permissions.Modify permission
    Admin | Permissions.Modify role
    Admin | VMware vSphere Lifecycle Manager.ESXi Health Perspectives.Read
    Admin | VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Privileges.Read
    Admin | VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Privileges.Write
    Admin | VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Remediation Privileges.Write
    Admin | VMware vSphere Lifecycle Manager.Lifecycle Manager: Settings Privileges.Read
    Admin | VMware vSphere Lifecycle Manager.Lifecycle Manager: Settings Privileges.Write
    Admin | VMware vSphere Lifecycle Manager.Lifecycle Manager: General Privileges.Read
    Admin | VMware vSphere Lifecycle Manager.Lifecycle Manager: General Privileges.Write

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Fabric > Compute Managers > Add Compute Manager.
  3. Complete the compute manager details.
    Options and their descriptions:

    Name and Description
        Type the name to identify the vCenter Server.

        You can optionally describe any special details such as the number of clusters in the vCenter Server.

    Type
        The default compute manager type is set to vCenter Server.

    FQDN or IP Address
        Type the FQDN or IP address of the vCenter Server.

    HTTPS Port of Reverse Proxy
        The default port is 443. If you use another port, verify that the port is open on all the NSX Manager appliances.

        Set the reverse proxy port to register the compute manager in NSX.

    Username and Password
        Type the vCenter Server login credentials.

    SHA-256 Thumbprint
        Type the vCenter Server SHA-256 thumbprint algorithm value.

    Create Service Account
        Enable this field for features such as vSphere Lifecycle Manager that need to authenticate with NSX APIs. Log in with the administrator@vsphere.local credential to register a compute manager. After registration, the compute manager creates a service account.

        Note: Service account creation is not supported on a global NSX Manager.

        If service account creation fails, the compute manager's registration status is set to Registered with errors. The compute manager is successfully registered. However, vSphere Lifecycle Manager cannot be enabled on NSX clusters.

        If a vCenter Server admin deletes the service account after it was successfully created, vSphere Lifecycle Manager tries to authenticate with the NSX APIs and the compute manager's registration status is set to Registered with errors.

    Enable Trust
        Enable this field to establish trust between NSX and compute manager, so that services running in vCenter Server can establish trusted communication with NSX. For example, for vSphere Lifecycle Manager to be enabled on NSX clusters, you must enable this field.

        Supported only on vCenter Server 7.0 and later versions.

        Important: You can only enable trust on a maximum of 10 compute managers.

    Access Level
        Enable one of the options based on your requirement:
        • Full Access to NSX: Is selected by default. This access level gives the compute manager complete access to NSX. Full access ensures vSphere for Kubernetes and vSphere Lifecycle Manager can communicate with NSX. The vCenter Server user's role must be set to Enterprise Admin.
        • Limited Access to NSX: This access level ensures vSphere Lifecycle Manager can communicate with NSX. The vCenter Server user's role must be set to Limited vSphere Admin.

    If you left the thumbprint value blank, you are prompted to accept the server-provided thumbprint.

    After you accept the thumbprint, it takes a few seconds for NSX to discover and register the vCenter Server resources.

    Note: If the FQDN, IP, or thumbprint of the compute manager changes after registration, edit the compute manager and enter the new values.
  4. If the progress icon changes from In progress to Not registered, perform the following steps to resolve the error.
    1. Select the error message and click Resolve. One possible error message is the following:
      Extension already registered at CM <vCenter Server name> with id <extension ID>
    2. Enter the vCenter Server credentials and click Resolve.
      If a registration already exists, it is replaced.
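
The SHA-256 Thumbprint field and the accept-thumbprint prompt in step 3 both refer to the SHA-256 digest of the vCenter Server certificate's DER encoding. The following is an added example, not VMware's code, that computes that value and compares it with one obtained from a trusted source; the function names and the stand-in certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import ssl

# Constructed stand-in bytes: a thumbprint is a hash of the DER encoding,
# so any byte string demonstrates the computation offline.
SAMPLE_DER = b"constructed stand-in for a vCenter Server certificate (DER)"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def format_thumbprint(der: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_from_pem(pem: str) -> str:
    """Thumbprint of a PEM certificate, e.g. one exported from the server."""
    return format_thumbprint(ssl.PEM_cert_to_DER_cert(pem))


def normalize(value: str) -> str:
    """Drop colons, whitespace and case so pasted values compare reliably."""
    hex_only = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hex_only):
        raise ValueError("not a SHA-256 thumbprint: expected 64 hex digits")
    return hex_only


def thumbprints_match(trusted: str, presented: str) -> bool:
    """Compare a trusted thumbprint with the one offered at registration."""
    return hmac.compare_digest(normalize(trusted), normalize(presented))


def fetch_thumbprint(host: str, port: int = 443) -> str:
    """Thumbprint of whatever certificate host:port presents right now.

    The certificate is not validated here, so treat the result as the
    'presented' value and compare it with one taken from a trusted source.
    """
    return thumbprint_from_pem(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    trusted = thumbprint_from_pem(SAMPLE_PEM)     # value from a trusted source
    presented = trusted.replace(":", "").lower()  # same value, pasted differently
    print(trusted, thumbprints_match(trusted, presented))
```

Run `fetch_thumbprint` from a host on the management network to see the value the server presents, and accept the prompt in NSX only when it matches the thumbprint read from the vCenter Server itself.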

Results

It takes some time to register the compute manager with vCenter Server and for the connection status to appear as UP.

You can click the compute manager's name to view the details, edit the compute manager, or to manage tags that apply to the compute manager.

After the vCenter Server is successfully registered, do not power off and delete the NSX Manager VM without deleting the compute manager first. Otherwise, when you deploy a new NSX Manager, you will not be able to register the same vCenter Server again. You will get the error that the vCenter Server is already registered with another NSX Manager.

Note: After a vCenter Server (VC) compute manager is successfully added, it cannot be removed if you successfully performed any of the following actions:
  • Prepared transport nodes using a VDS that is dependent on the VC.
  • Deployed service VMs on a host or a cluster in the VC using NSX service insertion.
  • Used the NSX Manager UI to deploy Edge VMs or NSX Manager nodes on a host or a cluster in the VC.

If you try to perform any of these actions and you encounter an error (for example, installation failed), you can remove the VC if you have not successfully performed any of the actions listed above.

If you have successfully prepared any transport node using VDS that is dependent on the VC or deployed any VM, you can remove the VC after you have done the following:
  • Unprepare all transport nodes. If uninstalling a transport node fails, you must force delete the transport node.
  • Undeploy all service VMs, all NSX Edge VMs, and all NSX Manager nodes. The undeployment must be successful or in a failed state.
  • If an NSX Manager cluster consists of nodes deployed from the VC (manual method) and nodes deployed from the NSX Manager UI, and you had to undeploy the manually deployed nodes, then you cannot remove the VC. To successfully remove the VC, ensure that you re-deploy an NSX Manager node from the VC.

This restriction applies to a fresh installation of NSX as well as an upgrade.