A compute manager, for example, VMware vCenter, is an application that manages resources such as hosts and VMs.

NSX polls compute managers to collect cluster information from VMware vCenter.

For more information about VMware vCenter roles and privileges, see the vSphere Security document.

Prerequisites

  • Verify that you use the supported vSphere version. See Supported vSphere version.
  • IPv4 communication with VMware vCenter.
  • Verify that you use the recommended number of compute managers. See https://configmax.vmware.com/home.
  • Decide the hashing algorithm type you want to use for stamping NSX Manager thumbprint in compute manager extension. SHA1 and SHA256 algorithm types are supported. The default is SHA1. If you use SHA256 there might be communication issues between WCP component in VC and NSX Manager.
    • To set the hashing algorithm, run API PUT https://<nsx-mgr>/api/v1/fabric/compute-managers/thumbprint-hashing-algorithm
      {
          "hashing_algorithm_type": "SHA1"
      }
  • Provide credentials of a VMware vCenter user. You can provide the credentials of VMware vCenter administrator, or create a role and a user specifically for NSX and provide this user's credentials. Go to the Administration > Global Permissions tab. Add global permissions to the newly created user and role and select Propogate to Children.

    Create an admin role with the following VMware vCenter privileges:
    Global Cancel task
    Extension Register extension
    Extension Unregister extension
    Extension Update extension
    Host Configuration.Maintenance
    Host Configuration.NetworkConfiguration
    Host Local Operations.Create virtual machine
    Host Local Operations.Delete virtual machine
    Host Local Operations.Reconfigure virtual machine
    Network Assign network
    Permissions Reassign role permissions
    Resource Assign vApp to resource pool
    Resource Assign virtual machine to resource pool
    Sessions Message
    Sessions Validate session
    Sessions View and stop sessions
    Scheduled task Select all privileges
    Tasks Select all privileges
    vApp Select all privileges
    Virtual Machine. Configuration
    Virtual Machine Guest Operations
    Virtual Machine Provisioning
    Virtual Machine Inventory

    To use the NSX license for the vSphere Distributed Switch 7.0 feature, the VMware vCenter user must either be an administrator, or the user must have Global.Licenses privileges and be a member of the LicenseService.Administrators group.

  • Before you create a service account for the compute manager, add these additional VMware vCenter privileges to the admin user role:

    Permissions Modify permission
    Permissions Modify role
    Service Account Management Administer
    VMware vSphere Lifecycle Manager ESXi Health Perspectives.Read
    VMware vSphere Lifecycle Manager Lifecycle Manager: General Privileges.Read
    VMware vSphere Lifecycle Manager Lifecycle Manager: Image Privileges.Read
    VMware vSphere Lifecycle Manager Lifecycle Manager: Image Privileges.Write
    VMware vSphere Lifecycle Manager Lifecycle Manager: Image Remediation Privileges.Write
    VMware vSphere Lifecycle Manager Lifecycle Manager: Settings Privileges.Read
    VMware vSphere Lifecycle Manager Lifecycle Manager: Settings Privileges.Write
    VMware vSphere Lifecycle Manager Lifecycle Manager: General Privileges.Write

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address> or https://<nsx-manager-fqdn>.
  2. Select System > Fabric > Compute Managers > Add Compute Manager.
  3. Complete the compute manager details.
    Option Description
    Name and Description Type the name to identify the VMware vCenter.

    You can optionally describe any special details such as, the number of clusters in the VMware vCenter.

    Type The default compute manager type is set to VMware vCenter.
    Multi NSX

    Starting with NSX 3.2.2, you can register the same vCenter Server with multiple NSX Managers.

    Enable this field if you want to allow multiple NSX instances to manage a single VMware vCenter. This functionality is supported from VMware vCenter 7.0 or later versions.
    Note: Cannot be enabled on a Workload Control Plane (WCP) cluster or vSphere Lifecycle Manager (vLCM) cluster.

    See Multiple NSX Managers Managing a Single VMware vCenter.

    FQDN or IP Address Type the FQDN or IP address of the VMware vCenter.
    Note: If you plan to deploy NSX Manager in dual stack mode (IPv4 and IPv6) and if you plan to configure NSX Manager with CA signed certificates, you must set a FQDN with valid domain name.
    HTTPS Port of Reverse Proxy The default port is 443. If you use another port, verify that the port is open on all the NSX Manager appliances.

    Set the reverse proxy port to register the compute manager in NSX.

    Username and Password Type the VMware vCenter login credentials.
    SHA-256 Thumbprint (Optional) Type the VMware vCenter SHA-256 thumbprint algorithm value. If you configured the VMware vCenter WCP (Workload Control Plane) feature, using the SHA256 setting results in communication issues between the WCP component in VMware vCenter and NSX Manager. In such cases, use the SHA1 algorithm instead.
    Create Service Account (Optional) Enable this field for features such as vSphere Lifecycle Manager that need to authenticate with NSX APIs. Log in with the [email protected] credential to register a compute manager. After registration, the compute manager creates a service account.
    Note: Service account creation is not supported on a global NSX Manager.

    If service account creation fails, the compute manager's registration status is set to Registered with errors. The compute manager is successfully registered. However, vSphere Lifecycle Manager cannot be enabled on NSX clusters.

    If a VMware vCenter admin deletes the service account after it was successfully created, vSphere Lifecycle Manager tries to authenticate the NSX APIs and the compute manager's registration status is set to Registered with errors.

    Enable Trust

    (Optional) Enable this field to establish trust between NSX and compute manager, so that services running in vCenter Server can establish trusted communication with NSX. For vSphere Lifecycle Manager to be enabled on NSX clusters, you must enable the Enable Trust field.

    Supported only on VMware vCenter 7.0 and later versions.

    Access Level Enable one of the options based on your requirement:
    • Full Access to NSX: Is selected by default. This access level gives the compute manager complete access to NSX. Full access ensures vSphere for Kubernetes and vSphere Lifecycle Manager can communicate with NSX. The VMware vCenter user's role must be set to an Enterprise Admin.
    • Limited Access to NSX: This access level ensures vSphere Lifecycle Manager can communicate with NSX. The VMware vCenter user's role must be set to Limited vSphere Admin.
    If you left the thumbprint value blank, you are prompted to accept the server provided thumbprint.

    After you accept the thumbprint, it takes a few seconds for NSX to discover and register the VMware vCenter resources.

    Note: If the FQDN, IP, or thumbprint of the compute manager changes after registration, edit the computer manager and enter the new values.
  4. If the progress icon changes from In progress to Not registered, perform the following steps to resolve the error.
    1. Select the error message and click Resolve. One possible error message is the following:
      Extension already registered at CM <vCenter Server name> with id <extension ID>
    2. Enter the VMware vCenter credentials and click Resolve.
      If an existing registration exists, it will be replaced.

Results

It takes some time to register the compute manager with VMware vCenter and for the connection status to appear as UP.

You can click the compute manager's name to view the details, edit the compute manager, or to manage tags that apply to the compute manager.

After the VMware vCenter is successfully registered, do not power off and delete the NSX Manager VM without deleting the compute manager first. Otherwise, when you deploy a new NSX Manager, you will not be able to register the same VMware vCenter again. You will get the error that the VMware vCenter is already registered with another NSX Manager.

Note: After a vCenter Server (VC) compute manager is successfully added, it cannot be removed if you successfully performed any of the following actions:
  • Transport nodes are prepared using VDS that is dependent on the VC.
  • Service VMs deployed on a host or a cluster in the VC using NSX service insertion.
  • You use the NSX Manager UI to deploy Edge VMs or NSX Manager nodes on a host or a cluster in the VC.

If you try to perform any of these actions and you encounter an error (for example, installation failed), you can remove the VC if you have not successfully performed any of the actions listed above.

If you have successfully prepared any transport node using VDS that is dependent on the VC or deployed any VM, you can remove the VC after you have done the following:
  • Unprepare all transport nodes. If uninstalling a transport node fails, you must force delete the transport node.
  • Undeploy all service VMs, all NSX Edge VMs, and all NSX Manager nodes. The undeployment must be successful or in a failed state.
  • If an NSX Manager cluster consists of nodes deployed from the VC (manual method) and nodes deployed from the NSX Manager UI, and you had to undeploy the manually deployed nodes, then you cannot remove the VC. To successfully remove the VC, ensure that you re-deploy an NSX Manager node from the VC.

This restriction applies to a fresh installation of NSX as well as an upgrade.