Add an NSX VPC

NSX VPC provides an isolated space for application owners to host applications and consume networking and security objects by using a self-service consumption model.

Prerequisites

You must be assigned any one of these roles:

Project Admin
Enterprise Admin

Procedure

From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
Expand the Project drop-down menu, and then select the project where you want to add an NSX VPC.
Click the VPCs tab, and then click Add VPC.
(Required) Enter a name for the NSX VPC.
From the Tier-0/VRF Gateways drop-down menu, select a tier-0 or a tier-0 VRF gateway that the workloads can use for north-south connectivity outside this NSX VPC.

This drop-down menu displays only those tier-0 or tier-0 VRF gateways that were assigned to the project when the project was created.

If no gateway is selected, the workloads in the NSX VPC will not have north-south connectivity.

Configure the IP Assignment settings.

In the External IPv4 Blocks field, select the IPv4 blocks that the system can use for public subnets in the NSX VPC.

The external IP blocks that are assigned to the project are available for selection in the NSX VPC. These IPv4 blocks must be routable from outside the NSX VPC.

The selected external IPv4 blocks are used for public subnets only when the IP Assignment option is set to Automatic during the subnet creation.
In the Private IPv4 Blocks field, select the IPv4 blocks that the system can use for private subnets in this NSX VPC.

The IPv4 blocks that are added in the project with visibility set to Private are available for selection in the NSX VPC.

If no IPv4 blocks are available for selection, click , and then click Create New to add a private IPv4 block.

The selected private IPv4 blocks are used for private subnets only when the IP Assignment option is set to Automatic during the subnet creation.

You must select either external IPv4 blocks or private IPv4 blocks, or both. If neither of them are selected, an error message is displayed when you save the NSX VPC.

Under DHCP, select any one of these options.

Option	Description
Managed by NSX	Default option. The system configures a Segment DHCP server for each subnet in the NSX VPC. The DHCP server dynamically assigns IP addresses to the workload VMs that are connected to the subnets in the NSX VPC.
External	The system uses external or remote DHCP servers to dynamically assign IP addresses to the workload VMs that are connected to the subnets in the NSX VPC. You can specify the IP address of external DHCP servers in the DHCP relay profile that you select for the NSX VPC. Note: Workloads on only public VPC subnets can receive IP addresses from the external DHCP server. Currently, workloads on private VPC subnets cannot receive IP addresses from the external DHCP server unless the DHCP server itself is connected to the private or public VPC subnet. In the DHCP Relay Profile drop-down menu, select an existing relay profile. If no DHCP relay profile is available, click to create a new DHCP relay profile. For more information about adding a DHCP relay profile, see Add an NSX DHCP Relay Profile. The configuration of the external DHCP servers is not managed by NSX.
None	System does not configure DHCP for the subnets in the NSX VPC In this case, you must manually assign IP addresses to the workload VMs that are connected to the subnets in the NSX VPC.

Option

Description

Managed by NSX

Default option. The system configures a Segment DHCP server for each subnet in the NSX VPC. The DHCP server dynamically assigns IP addresses to the workload VMs that are connected to the subnets in the NSX VPC.

External

The system uses external or remote DHCP servers to dynamically assign IP addresses to the workload VMs that are connected to the subnets in the NSX VPC. You can specify the IP address of external DHCP servers in the DHCP relay profile that you select for the NSX VPC.

Note: Workloads on only public VPC subnets can receive IP addresses from the external DHCP server. Currently, workloads on private VPC subnets cannot receive IP addresses from the external DHCP server unless the DHCP server itself is connected to the private or public VPC subnet.

In the DHCP Relay Profile drop-down menu, select an existing relay profile. If no DHCP relay profile is available, click Actions menu. to create a new DHCP relay profile.

For more information about adding a DHCP relay profile, see Add an NSX DHCP Relay Profile.

The configuration of the external DHCP servers is not managed by NSX.

None

System does not configure DHCP for the subnets in the NSX VPC

In this case, you must manually assign IP addresses to the workload VMs that are connected to the subnets in the NSX VPC.

If DHCP configuration is managed by NSX, you can optionally enter the IP address of the DNS servers.

When not specified, no DNS is assigned to the workloads (DHCP clients) that are attached to the subnets in the NSX VPC.
Configure the Services Settings.
1. By default, the N-S Services option is turned on. If required, you can turn it off.
  
  When this option is turned on, it means that a service router is created for the connected subnets to support centralized services such as N-S firewall, NAT, or gateway QoS profile.
  
  When this option is turned off, only distributed router is created.
  
  Caution: After an NSX VPC is realized in the system, preferably avoid turning off the N-S Services option. The reason is that the centralized services will not be enforced on the subnets of the NSX VPC. For example, services such as N-S firewall, NAT, and so on, will not be enforced even if they are configured in the NSX VPC.
2. By default, the Default Outbound NAT option is turned on. If required, you can turn it off.
  
  This option is available only when the N-S Services option is turned on for the NSX VPC.
  
  When Default Outbound NAT is turned on, it means that traffic from the workloads on the private subnets can be routed outside the NSX VPC. System automatically creates one default SNAT rule for the NSX VPC. The translated IP for the SNAT rule is taken from the external IPv4 block of the NSX VPC.
  
  Note: After an NSX VPC is realized in the system, preferably avoid turning off the Default Outbound NAT option. The reason is that the workloads on the private subnets will no longer be able to communicate outside the NSX VPC.
3. From the Edge Clusters drop-down menu, select an edge cluster to associate with the NSX VPC.
  
  If the project does not have edge clusters assigned to it, this drop-down menu will be empty. Ensure that you have allocated at least one edge cluster to the project for it to be available for selection when adding an NSX VPC.
  
  The selected edge cluster is consumed for running centralized services in the NSX VPC such as NAT, DHCP, and N-S firewall. These services require an edge cluster to be associated with the NSX VPC.
  
  If DHCP is set to None and N-S Services option is turned off, then edge cluster is optional.
4. If you want the NSX VPC to be discovered by the NSX Advanced Load Balancer Controller, turn on the Enable for NSX Advanced Load Balancer option.
  By default, this option is turned off. When it is turned on, it provides the ability to extend NSX multi-tenancy to NSX Advanced Load Balancer Controller and hence enables load balancer configuration in this context.
  You can turn on this option only when the following conditions are met:
  - At least one private IP address block is assigned to the NSX VPC.
  - At least one edge cluster is assigned to the NSX VPC.
  NSX VPC requires a private IP block because the load balancer virtual service IP (VIP) needs to be on a private subnet. An edge cluster is required so that the NSX Advanced Load Balancer Service Engines can receive IP addresses dynamically from the DHCP server.
  
  To know more about NSX Advanced Load Balancer, see the VMware NSX Advanced Load Balancer Documentation.
Optionally, attach the following profiles that will be used by the subnets in the NSX VPC:
- N-S Egress Quality of Service (QoS) profile
- N-S Ingress QoS profile
- IP Discovery profile
- SpoofGuard profile
- Mac Discovery profile
- Segment Security profile
- QoS
To learn about the purpose of these profiles, see Segment Profiles.
In the Short log identifier text box, enter a string that the system can use to identify the logs that are generated in the context of the NSX VPC.

This identifier must be unique across all NSX VPCs. The identifier must not exceed eight alphanumeric characters.

If the identifier is not specified, the system autogenerates it when you save the NSX VPC. After the identifier is set, you cannot modify it.
Optionally, enter a description for the NSX VPC.
Click Save.

Results

When an NSX VPC is created successfully, the system implicitly creates a gateway. However, this implicit gateway is exposed to the Project Admin in a read-only mode and is not visible to the NSX VPC users.

To view the realized implicit gateway, a Project Admin can do the following steps:

Navigate to Networking > Tier-1 Gateways.
Click the VPC Objects check box at the bottom of the Tier-1 Gateways page.
Expand the gateway to view the configuration in a read-only mode.
The following naming convention is used for the implicit gateway:
_TIER1-VPC_Name

The lifecycle of this implicit gateway is managed by the system. When an NSX VPC is deleted, the implicit gateway is deleted automatically.

If you have enabled the Default Outbound NAT option, you can view the system-created default SNAT rule in the NSX VPC. Do these steps:

Expand the Network Services section of the NSX VPC.
Click the count next to NAT.
Observe the default NAT rule with SNAT action for the private IPv4 block in the NSX VPC. This NAT rule is not editable. If the NSX VPC is assigned multiple private IPv4 blocks, one default NAT rule with SNAT action is created for each private IPv4 block.
For example:

The source IP in the SNAT rule is the private IPv4 block of the NSX VPC. In this example, it is 193.0.1.0/24. The translated IP for this SNAT rule is assigned from the external IPv4 block of the NSX VPC. In this example, it is 192.168.1.0.