Use this procedure if "Applied To" is not configured in any of the DFW rules (this means that "Applied To" is set to "DFW").

If "Applied To" is configured in any of the DFW rules, do not use this procedure. Follow the procedures Create VM Groups for Workload Migration and Migrate Workload VMs (Complex Case) instead.

Note: For NSX-V to NSX migration, see the KB article https://kb.vmware.com/s/article/56991 for more information.

For NSX to NSX-V migration, migrating a workload VM back to NSX-V might not work because the distributed firewall filter in NSX is always higher than in NSX-V. The workaround is to place the workload VM in the NSX exclusion list prior to vMotion.

Prerequisites

  • Ensure that:
    • vSphere vMotion is enabled on the VMkernel adapter of each host in the cluster that is involved in this migration. For detailed steps about enabling vMotion on the VMkernel adapter, see the vSphere product documentation.
    • The destination host in NSX has sufficient resources to receive the migrated VMs.
    • The source and destination hosts are in an operational state. Resolve any problems with hosts including disconnected states.

For more information about vMotion, see Migration with vMotion in the vSphere product documentation.

Procedure

  1. Start migrating the workload VMs using vMotion in the vSphere Client. See Migrating Virtual Machines in the vSphere product documentation for detailed instructions.
    Note: During vMotion from NSX-V to NSX, the workload VMs are always protected because the migration coordinator translates the existing NSX-V DFW rules and security groups into temporary IP-based rules and groups.
  2. Finalize the infrastructure to finish the migration.
    POST https://{nsxt-mgr-ip}/api/v1/migration?action=finalize_infra
    This migration API deletes any temporary object configurations that were created during the migration, and ensures that the NSX infrastructure is in a clean state. For example, temporary IP Sets are removed from the Groups.

    This POST API does not have a request body.

  3. Verify that the expected configuration items have been migrated to the NSX environment.
    For example, check whether the following configurations are migrated successfully:
    • User-defined Distributed Firewall rules.
    • All Grouping objects, such as IP Sets, Groups, Tags, and so on.
    • Effective members are displayed in the dynamic Groups.
    • Tags are applied to migrated workload VMs.
  4. (Optional) Starting with NSX 4.1.1, when the migration is completed and before you click Finish, you can click Get Migration Report to see if certain objects were migrated correctly. When the report is ready, click Download Report.
    The report contains the following information:
    • VMs with security tags in NSX-V and after being migrated. If there are differences, they will be listed.
    • Security groups in NSX-V and after being migrated. If there are differences, they will be listed.
  5. On the Migrate Workloads page, click Finish.
    A dialog box appears to confirm finishing the migration. If you finish the migration, all migration details are cleared. You can no longer review the settings of this migration. For example, which inputs were made on the Resolve Configuration page.

What to do next

After the migration of workload VMs and the DFW-only configuration is successful and thoroughly verified, remove the Layer 2 bridge to release the NSX Edge that you used for bridging.