A compute manager, for example, VMware vCenter, is an application that manages resources such as hosts and VMs.

NSX polls compute managers to collect cluster information from VMware vCenter.

For more information about VMware vCenter roles and privileges, see the vSphere Security document.

Prerequisites

  • Verify that you use the supported vSphere version. See Supported vSphere version.
  • IPv4 communication with VMware vCenter.
  • Verify that you use the recommended number of compute managers. See https://configmax.vmware.com/home.
  • Provide credentials of a VMware vCenter user. You can provide the credentials of the VMware vCenter administrator, or create a role and a user specifically for NSX and provide this user's credentials. Add global permissions to the newly created user and role and select Propagate to Children.
    Create an admin role with the following VMware vCenter privileges:

    Role    Privilege
    Admin   Extension.Register extension
    Admin   Extension.Unregister extension
    Admin   Extension.Update extension
    Admin   Sessions.Message
    Admin   Sessions.Validate session
    Admin   Sessions.View and stop sessions
    Admin   Host.Configuration.Maintenance
    Admin   Host.Configuration.NetworkConfiguration
    Admin   Host.Local Operations.Create virtual machine
    Admin   Host.Local Operations.Delete virtual machine
    Admin   Host.Local Operations.Reconfigure virtual machine
    Admin   Tasks
    Admin   Scheduled task
    Admin   Global.Cancel task
    Admin   Permissions.Reassign role permissions
    Admin   Resource.Assign vApp to resource pool
    Admin   Resource.Assign virtual machine to resource pool
    Admin   Virtual Machine.Configuration
    Admin   Virtual Machine.Guest Operations
    Admin   Virtual Machine.Provisioning
    Admin   Virtual Machine.Inventory
    Admin   Network.Assign network
    Admin   vApp

    To use the NSX license for the vSphere Distributed Switch 7.0 feature, the VMware vCenter user must either be an administrator, or the user must have Global.Licenses privileges and be a member of the LicenseService.Administrators group.

  • Before you create a service account for the compute manager, add these additional VMware vCenter privileges to the admin user role:

    Role    Privilege
    Admin   Service Account Management.Administer
    Admin   Permissions.Modify permission
    Admin   Permissions.Modify role
    Admin   VMware vSphere Lifecycle Manager.ESXi Health Perspectives.Read
    Admin   VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Privileges.Read
    Admin   VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Privileges.Write
    Admin   VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Remediation Privileges.Write
    Admin   VMware vSphere Lifecycle Manager.Lifecycle Manager: Settings Privileges.Read
    Admin   VMware vSphere Lifecycle Manager.Lifecycle Manager: Settings Privileges.Write
    Admin   VMware vSphere Lifecycle Manager.Lifecycle Manager: General Privileges.Read
    Admin   VMware vSphere Lifecycle Manager.Lifecycle Manager: General Privileges.Write

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Fabric > Compute Managers > Add Compute Manager.
  3. Complete the compute manager details.

    Name and Description
      Type the name to identify the VMware vCenter.

      You can optionally describe any special details, such as the number of clusters in the VMware vCenter.

    Type
      The default compute manager type is set to VMware vCenter.

    FQDN or IP Address
      Type the FQDN or IP address of the VMware vCenter.

    HTTPS Port of Reverse Proxy
      The default port is 443. If you use another port, verify that the port is open on all the NSX Manager appliances.

      Set the reverse proxy port to register the compute manager in NSX.

    Username and Password
      Type the VMware vCenter login credentials.

    SHA-256 Thumbprint
      Type the VMware vCenter SHA-256 thumbprint algorithm value.

    Create Service Account
      Enable this field for features such as vSphere Lifecycle Manager that need to authenticate with NSX APIs. Log in with the [email protected] credential to register a compute manager. After registration, the compute manager creates a service account.

      Note: Service account creation is not supported on a global NSX Manager.

      If service account creation fails, the compute manager's registration status is set to Registered with errors. The compute manager is successfully registered. However, vSphere Lifecycle Manager cannot be enabled on NSX clusters.

      If a VMware vCenter admin deletes the service account after it was successfully created, vSphere Lifecycle Manager tries to authenticate the NSX APIs and the compute manager's registration status is set to Registered with errors.

    Enable Trust
      Enable this field to establish trust between NSX and compute manager, so that services running in vCenter Server can establish trusted communication with NSX. For example, for vSphere Lifecycle Manager to be enabled on NSX clusters, you must enable this field.

      Supported only on VMware vCenter 7.0 and later versions.

      Important: You can only enable trust on a maximum of 10 compute managers.

    Access Level
      Enable one of the options based on your requirement:
      • Full Access to NSX: Selected by default. This access level gives the compute manager complete access to NSX. Full access ensures vSphere for Kubernetes and vSphere Lifecycle Manager can communicate with NSX. The VMware vCenter user's role must be set to Enterprise Admin.
      • Limited Access to NSX: This access level ensures vSphere Lifecycle Manager can communicate with NSX. The VMware vCenter user's role must be set to Limited vSphere Admin.

    If you left the thumbprint value blank, you are prompted to accept the server-provided thumbprint.

    After you accept the thumbprint, it takes a few seconds for NSX to discover and register the VMware vCenter resources.

    Note: If the FQDN, IP, or thumbprint of the compute manager changes after registration, edit the compute manager and enter the new values.
  4. If the progress icon changes from In progress to Not registered, perform the following steps to resolve the error.
    1. Select the error message and click Resolve. One possible error message is the following:
      Extension already registered at CM <vCenter Server name> with id <extension ID>
    2. Enter the VMware vCenter credentials and click Resolve.
      If an existing registration exists, it will be replaced.
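
The SHA-256 Thumbprint field and the server-provided thumbprint prompt in step 3 both come down to one comparison: the certificate presented on the wire must hash to a value recorded through a separate trusted path. The following is an added example, not VMware code; the function names are hypothetical, SAMPLE_DER is a constructed stand-in for certificate bytes, and the colon-separated uppercase form is the one `openssl x509 -fingerprint -sha256` prints.

```python
import hashlib
import re
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real certificate);
# the thumbprint is a plain SHA-256 over whatever DER bytes the server presents.
SAMPLE_DER = bytes(range(64))


def sha256_thumbprint(der: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(thumbprint: str) -> str:
    """Drop colons, whitespace and case; reject anything that is not SHA-256."""
    compact = re.sub(r"[\s:]", "", thumbprint).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", compact):
        # For example, a 40-digit value is a SHA-1 fingerprint pasted by mistake.
        raise ValueError("expected 64 hex digits, got %r" % thumbprint)
    return compact


def matches(der: bytes, reference: str) -> bool:
    """True only if the presented certificate hashes to the reference value."""
    return normalize(sha256_thumbprint(der)) == normalize(reference)


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the server presents, without validating it.

    This is the same unverified value a prompt would show; the reference to
    compare against must come from a separate trusted path (assumption: it
    was read directly on the vCenter appliance).
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    reference = sha256_thumbprint(SAMPLE_DER)  # stands in for the recorded value
    print("reference:   ", reference)
    print("same cert:   ", matches(SAMPLE_DER, reference.lower()))
    print("swapped cert:", matches(SAMPLE_DER + b"\x00", reference))
```

Accept the prompted thumbprint only when it equals the recorded reference; a mismatch means the endpoint answering on that address is not presenting the certificate you recorded.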

Results

It takes some time to register the compute manager with VMware vCenter and for the connection status to appear as UP.

You can click the compute manager's name to view the details, edit the compute manager, or to manage tags that apply to the compute manager.

After the VMware vCenter is successfully registered, do not power off and delete the NSX Manager VM without deleting the compute manager first. Otherwise, when you deploy a new NSX Manager, you will not be able to register the same VMware vCenter again. You will get the error that the VMware vCenter is already registered with another NSX Manager.

Note: After a vCenter Server (VC) compute manager is successfully added, it cannot be removed if you successfully performed any of the following actions:
  • Prepared transport nodes using VDS that is dependent on the VC.
  • Deployed service VMs on a host or a cluster in the VC using NSX service insertion.
  • Used the NSX Manager UI to deploy Edge VMs or NSX Manager nodes on a host or a cluster in the VC.

If you try to perform any of these actions and you encounter an error (for example, installation failed), you can remove the VC if you have not successfully performed any of the actions listed above.

If you have successfully prepared any transport node using VDS that is dependent on the VC or deployed any VM, you can remove the VC after you have done the following:
  • Unprepare all transport nodes. If uninstalling a transport node fails, you must force delete the transport node.
  • Undeploy all service VMs, all NSX Edge VMs, and all NSX Manager nodes. The undeployment must be successful or in a failed state.
  • If an NSX Manager cluster consists of nodes deployed from the VC (manual method) and nodes deployed from the NSX Manager UI, and you had to undeploy the manually deployed nodes, then you cannot remove the VC. To successfully remove the VC, ensure that you re-deploy an NSX Manager node from the VC.

This restriction applies to a fresh installation of NSX as well as an upgrade.