This section describes the configuration workflow for preparing your environment for NSX Distributed Security so that it can protect your virtual machines.

Prerequisites

You have deployed NSX Manager and applied valid licenses.

Configuration Workflow

Preparing your virtual environment for the NSX Distributed Security involves two main steps:

  • Configure Compute Manager (vCenter)
  • Prepare vCenter cluster (ESXi hosts) for the NSX Distributed Security

1: Configure Compute Manager (vCenter)

You must add VMware vCenter as a compute manager in NSX so that NSX can see the vCenter host and cluster inventory. You then use that inventory to prepare ESXi hosts and clusters for NSX Security.

  1. From your browser, log in to the NSX Manager appliance at https://<nsx-manager-ip-address> with the admin credentials.

  2. Register NSX with VMware vCenter: go to System > Fabric > Compute Managers, click Add Compute Manager, and add the VMware vCenter as a compute manager. Before accepting the vCenter certificate thumbprint that NSX displays, compare it with a thumbprint you obtained out of band, and use a dedicated vCenter service account that holds only the privileges the NSX Installation Guide lists for compute manager registration rather than a full administrator account.

    Add compute manager

  3. Validate the registration on the System > Fabric > Compute Managers page: click Refresh and confirm that the Registration Status shows Registered and the Connection Status shows Up.

    Refresh compute manager

After the VMware vCenter registration succeeds, you can view the vCenter host and cluster inventory in the NSX Manager user interface (UI). On the NSX Manager UI, go to System > Fabric > Hosts to view the inventory.

You can register multiple VMware vCenters from the NSX Manager UI by repeating these steps for each vCenter.
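The registration and validation in steps 2 and 3 can also be scripted against the NSX Manager API, which is useful when you register several vCenters or want the thumbprint check to be an explicit comparison rather than a click-through. The script below is an added example for this guide, not VMware's code. It uses the NSX Manager endpoints /api/v1/fabric/compute-managers and /api/v1/fabric/compute-managers/<id>/status with HTTP basic authentication; the hostnames, account names, CA bundle path and expected thumbprint are placeholders, and treating the response fields connection_status and registration_status as the success criteria is an assumption about the status document.

```python
"""Register a vCenter as an NSX compute manager with a pinned certificate
thumbprint, then validate the registration.

Added example for this guide, not VMware's code. Assumptions: the NSX Manager
endpoints /api/v1/fabric/compute-managers and
/api/v1/fabric/compute-managers/<id>/status, basic authentication, and the
status fields connection_status / registration_status. Hostnames, accounts,
the CA bundle path and the expected thumbprint are placeholders.
"""
import hashlib
import json
import ssl
import urllib.request
from base64 import b64encode


def thumbprint_from_der(der):
    """SHA-256 thumbprint in the colon-separated uppercase form NSX expects."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_vcenter_thumbprint(host, port=443):
    """Fetch the certificate vCenter presents and compute its thumbprint.

    Compare the result with a value obtained out of band (for example read on
    the vCenter appliance itself); pin that, not whatever the network happens
    to present at registration time.
    """
    pem = ssl.get_server_certificate((host, port))
    return thumbprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def registration_body(vcenter, username, password, thumbprint):
    """ComputeManager payload; the thumbprint must match the certificate
    vCenter presents, otherwise NSX rejects the registration."""
    return {
        "server": vcenter,
        "origin_type": "vCenter",
        "display_name": vcenter,
        "credential": {
            "credential_type": "UsernamePasswordLoginCredential",
            "username": username,
            "password": password,
            "thumbprint": thumbprint,
        },
    }


def evaluate_status(status):
    """Same check as Refresh in the UI: connection up and registration done."""
    conn = status.get("connection_status", "UNKNOWN")
    reg = status.get("registration_status", "UNKNOWN")
    return conn == "UP" and reg == "REGISTERED", f"connection={conn} registration={reg}"


def nsx_call(nsx, path, user, password, body=None, cafile=None):
    """Minimal NSX API client: basic auth over TLS verified against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{nsx}{path}", data=data,
                                 method="POST" if data else "GET")
    req.add_header("Authorization",
                   "Basic " + b64encode(f"{user}:{password}".encode()).decode())
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders; supply real values. The vCenter service account needs only
    # the privileges the NSX Installation Guide lists for compute managers.
    NSX, VCENTER = "nsx-manager.example.internal", "vcenter.example.internal"
    NSX_ADMIN, NSX_PASSWORD = "admin", "<nsx-admin-password>"
    VC_USER, VC_PASSWORD = "nsx-svc@vsphere.local", "<service-account-password>"
    EXPECTED_THUMBPRINT = "<sha256-thumbprint-verified-out-of-band>"
    CA_BUNDLE = "/etc/ssl/certs/nsx-manager-ca.pem"

    seen = fetch_vcenter_thumbprint(VCENTER)
    if seen != EXPECTED_THUMBPRINT:
        raise SystemExit(f"vCenter thumbprint mismatch, refusing to register: {seen}")
    cm = nsx_call(NSX, "/api/v1/fabric/compute-managers", NSX_ADMIN, NSX_PASSWORD,
                  registration_body(VCENTER, VC_USER, VC_PASSWORD, seen), CA_BUNDLE)
    status = nsx_call(NSX, f"/api/v1/fabric/compute-managers/{cm['id']}/status",
                      NSX_ADMIN, NSX_PASSWORD, cafile=CA_BUNDLE)
    ok, summary = evaluate_status(status)
    print(summary)
    raise SystemExit(0 if ok else 1)
```

Registration is asynchronous, so the status read immediately after the POST may still be in progress; in practice poll the status endpoint until evaluate_status reports success or a timeout you choose expires. The script refuses to register when the live thumbprint differs from the pinned one, which is the check the UI leaves to the operator's judgement at the thumbprint prompt.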

2: Prepare the vCenter Cluster (ESXi Hosts) for the NSX Distributed Security

Preparing for NSX Distributed Security means preparing a VMware vCenter compute cluster for NSX. NSX supports two host preparation modes:

  1. Security Only - Distributed Security for VDS port groups:
    • Supports security for VMs connected to native vCenter Distributed Virtual Port Groups (DVPG).
    • Supports vSphere 6.7 and vSphere 7.0 Update 1 or later.
    • Does not support NSX networking for workloads in the NSX-prepared vCenter cluster.
    • The workflow is supported only through the Quick Start wizard.
  2. Networking and Security - Distributed Security with NSX Networking:
    • Supports NSX networking and distributed security for workloads in the NSX-prepared vCenter cluster.
    • If VLAN-connected workloads need distributed security, you must move them from the DVPG to NSX VLAN segments.
    • The workflow is supported either through the Quick Start wizard or manually from the System > Fabric > Hosts menu. This guide describes the Quick Start wizard; for the manual workflow, see the NSX Installation Guide.

Select the deployment method that fits your environment. An NSX environment can contain a mix of clusters prepared for Security Only and clusters prepared for Networking and Security. Each deployment mode is described in detail later in this section.

2.1: Security Only Host Preparation - Distributed Security for VDS Port Groups

After you configure the compute manager, you can prepare clusters of ESXi hosts for distributed security only. All hosts in the cluster must share a vSphere Distributed Switch (VDS).

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to System > Quick Start.
  3. On the Prepare Clusters for Networking and Security card, click Get Started.

    Quick start widget to quickly prepare clusters for security only

  4. Select the clusters on which you want to install Distributed Security.
  5. Click Install NSX and then select Security Only.
  6. In the dialog box, click Install.

    NSX host preparation begins installing the required software modules on the ESXi hosts.

    The process takes a few minutes. When it completes, the status changes to Success, and the required objects (transport node profile, transport zone, and distributed port groups) are created automatically.

    Install process showing in-progress and completed status

  7. To view VDS with Distributed Security installed, navigate to System > Fabric > Hosts.
    Note: vSphere clusters prepared for Distributed Security are identified by the Security label.

Results

On the NSX Manager UI, go to Networking > Segments > Distributed Port Groups tab to view the DVPG inventory from the VMware vCenter.

On the NSX Manager UI, go to Inventory > Virtual Machines to view the virtual machine inventory from all ESXi hosts.

What to do next

You can now start configuring policy for the workloads hosted on DVPGs in the prepared vCenter clusters.

2.2: Networking and Security - Distributed Security with NSX Networking

After you configure the compute manager, you can prepare clusters of ESXi hosts for NSX networking (VLAN, overlay, or both) and distributed security together.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to System > Quick Start. On the Prepare Clusters for Networking and Security card, click Get Started.
  3. Select the clusters you want to prepare for NSX networking.
  4. Click Install NSX and then select Networking and Security.
    Quick Start install for Networking and Security both (VLAN based)
  5. Depending on your requirements, you can prepare the same cluster for both VLAN and overlay networking, or for only one of them. With overlay networking, each host switch is assigned a TEP (tunnel endpoint) IP address, which overlay networking requires.
    Prepare cluster for VLAN and Overlay networking
  6. Review the host switch configuration that NSX recommends. Customizing it for the cluster is optional.
    Note: A dotted line from a switch to a physical NIC indicates an existing configuration on the host switch; it is replaced by a solid line to the same physical NIC.
  7. To customize a host switch, select the switch and change the recommended configuration:
    1. IP Assignment: Applies only if overlay is selected for the host switch. Choose DHCP or a pre-created IP pool as the source of TEP addresses.
    2. VDS: Select the VDS to use as the host switch.
    3. Transport Zone: Select a different transport zone to associate the hosts with.
    4. Uplink Profile: If needed, select a different uplink profile in place of the recommended one.
      Note: If two VDS switches have the same configuration, the wizard recommends the same uplink profile for both.
    5. Uplink to Physical NIC mapping: All uplinks configured on the VDS are mapped to uplinks in NSX.
      A change to the host switch type or to the uplink-to-vmnic mapping is reflected in the Host Switch Configuration network diagram.
  8. Click Install.

    NSX host preparation begins installing the required software modules on the ESXi hosts.

    Monitor the progress on the Prepare Clusters for Networking and Security card. If installation fails on any host, resolve the error and retry the installation.

    The process takes a few minutes. When it completes, the status changes to Success.

  9. To view successfully prepared hosts, go to System > Fabric > Hosts > Clusters.
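Both the Security Only procedure (2.1) and the Networking and Security procedure (2.2) end with a visual check of System > Fabric > Hosts for a Success status on every host. When you prepare many clusters, the same check can be run against the NSX Manager API. The script below is an added example for this guide, not VMware's code. It reads two documents saved from GET /api/v1/transport-nodes/state and GET /api/v1/transport-nodes (for example fetched with curl --cacert against the NSX Manager) and assumes the fields transport_node_id, state, id and display_name in their results lists; the embedded sample documents are constructed and trimmed to those fields.

```python
"""Check that every ESXi host in a prepared cluster reached the Success state.

Added example for this guide, covering both the Security Only and the
Networking and Security workflows; not VMware's code. It consumes two
documents saved from the NSX Manager API, GET /api/v1/transport-nodes/state
and GET /api/v1/transport-nodes, and assumes the fields transport_node_id,
state, id and display_name in their "results" lists. The embedded samples
are constructed and trimmed to those fields.
"""
import json
import sys

READY = "success"  # the state the UI shows as Success

# Constructed sample of GET /api/v1/transport-nodes/state (trimmed).
SAMPLE_STATES = {
    "results": [
        {"transport_node_id": "3f1c-esx01", "state": "success"},
        {"transport_node_id": "3f1c-esx02", "state": "success"},
        {"transport_node_id": "3f1c-esx03", "state": "failed"},
        {"transport_node_id": "3f1c-esx04", "state": "in_progress"},
    ]
}
# Constructed sample of GET /api/v1/transport-nodes (trimmed).
SAMPLE_NODES = {
    "results": [
        {"id": "3f1c-esx01", "display_name": "esx01.example.internal"},
        {"id": "3f1c-esx02", "display_name": "esx02.example.internal"},
        {"id": "3f1c-esx03", "display_name": "esx03.example.internal"},
        {"id": "3f1c-esx04", "display_name": "esx04.example.internal"},
    ]
}


def host_states(states, nodes):
    """Map each transport node's display name to its preparation state."""
    names = {n["id"]: n.get("display_name", n["id"]) for n in nodes.get("results", [])}
    return {
        names.get(s["transport_node_id"], s["transport_node_id"]): s.get("state", "unknown")
        for s in states.get("results", [])
    }


def not_ready(report):
    """Hosts whose preparation has not reached Success, with their state."""
    return sorted((host, state) for host, state in report.items() if state != READY)


def main(argv):
    """Load the two saved documents (or the constructed samples) and report."""
    if len(argv) == 3:
        with open(argv[1]) as f_states, open(argv[2]) as f_nodes:
            states, nodes = json.load(f_states), json.load(f_nodes)
    else:
        states, nodes = SAMPLE_STATES, SAMPLE_NODES
    report = host_states(states, nodes)
    pending = not_ready(report)
    for host, state in sorted(report.items()):
        print(f"{host:40} {state}")
    if pending:
        print(f"{len(pending)} host(s) not prepared; resolve the error and retry "
              f"the installation before relying on distributed security", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the two saved JSON files as arguments, or with no arguments to run against the constructed sample. The non-zero exit on any host that is not in the success state makes it usable as a gate in a pipeline; the page's guidance for such a host is to resolve the error and retry the installation.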

Results

On the NSX Manager UI, go to the Inventory > Virtual Machines tab to view the virtual machine inventory from all the ESXi hosts.

Note: A VMware vCenter cluster prepared for Networking and Security does not provide security for workloads connected directly to a DVPG. If a VLAN-connected workload on a DVPG needs security, move it to an NSX VLAN segment carrying the same VLAN, or move it to a cluster prepared for Security Only.

For more information, see NSX Administration Guide.

What to do next

You can now start configuring policy for the workloads hosted on NSX segments in the prepared vCenter clusters.