All configurations made from the Global Manager are made in Policy mode. Manager mode is not available in NSX Federation.

See NSX Manager for more information about the two modes.

Configuration Maximums

An NSX Federation environment has the following configuration maximums:
  • For most configurations, the Local Manager cluster has the same configuration maximums as an NSX Manager cluster. Go to VMware Configuration Maximums tool and select NSX.

    Select the NSX Federation category for NSX in the VMware Configuration Maximums tool for exceptions and other NSX Federation-specific values.

  • For a given location, the following configurations contribute to the configuration maximum:
    • Objects that were created on the Local Manager.
    • Objects that were created on the Global Manager and include the location in its span.

    You can view the capacity and usage on each Local Manager. See View the Usage and Capacity of Categories of Objects in the NSX Administration Guide.

Feature Support

Note that in NSX Federation, Service insertion (Network Introspection) support only occurs when an NSX Federation environment has a Global Manager (GM) deployed under the following conditions:
  • All service-insertion related configuration such as partner service registration, deployment and consumption, is done from a Local Manager (LM).
  • Only objects configured on the LM are used with service insertion. This includes groups, segments, and any other constructs. Service insertion cannot be applied to workloads connected to a stretched/global segment defined from the GM, or any segment connected to a logical router created from the GM. Groups created from the Global Manager should not be used within service insertion redirection polices.
Important:
  • NSX Federation locations must run on environments where administrators have full control of the underlay fabric.
  • NSX Federation does not currently support Global Manager and Local Manager hosted on VMware Cloud on AWS, VMware Cloud on Dell, Azure VMware Solution, Google Cloud VMware Engine, Oracle Cloud VMware Solution, or Alibaba VMware Cloud Service.
After Local Manager is registered to Global Manager:
  • You can continue to configure on Local Manager. For more details, refer to Understanding NSX Federation.
  • Some objects configured from Local Manager can have options/settings that are Global Manager objects. For example, you can plug in an LM_created-t1 to a GM_created-t0.
  • Some objects configured from Local Manager cannot be configured with options/settings that are Global Manager objects. For example, you cannot plug in an LM_created-segment to a GM_created-t0. Note that you can only edit those LM-objects from Local Manager; Global Manager does not see those object. For more information, refer to "Logical Configuration Ownership" in the NSX-T Multi-Location Design Guide for your release.

The Features Supported in NSX Federation table describe the features available in Global Manager.

Table 1. Features Supported in NSX Federation
Feature Details Related Links
Tier-0 Gateway
  • Active-active and active-standby.
  • Active-active only
Add a Tier-0 Gateway from Global Manager
Tier-1 Gateway Add a Tier-1 Gateway from Global Manager
Segments You can include Layer 2 bridge configuration from Global Manager. Add a Segment from Global Manager and Configure Bridging on Global Manager
Groups Some limitations. See Security in NSX Federation. Create Groups from Global Manager
Distributed Firewall Drafts of the security policies are now available on Global Manager. This includes support for auto and manual drafts. Create Drafts In Global Manager
Firewall Exclusion List Available. Manage a Firewall Exclusion List
Time Based Firewall Rules Available. Time-Based Firewall Policy
Gateway Firewall Only Layer 3 and 4 rules are supported. Create Gateway Policies and Rules from Global Manager
Network Address Translation (NAT)
  1. Tier-0 Gateway:
    • Active-active: You can configure stateless NAT only, that is, with action type Reflexive.

    • Active-standby: You can create stateful or stateless NAT rules.

  2. Tier-1 Gateway:
    • You can create stateful or stateless NAT rules.

    • Stateless NAT rules are pushed to all locations in the gateway's span unless scoped to one or more locations specifically.
    • Stateful NAT rules are also pushed to all locations in the gateway's span or to the specific location selected. However, stateful NAT rules are realized and enforced only on the primary location.
Configure an NSX NAT/DNAT/No SNAT/No DNAT/Reflexive NAT
DNS See Add an NSX DNS Forwarder Service
DHCP and SLAAC
  • DHCP Relay is supported on segments and gateways.
  • DHCPv4 server is supported on gateways with DHCP static bindings configured on segments.
  • You can assign IPv6 addresses using SLAAC with DNS Through RA (DAD detects duplicates within a location only).
Distributed Malware Detection and Prevention Starting with NSX 4.1.2:
  • Deploy NSX Application Platform (NAPP) on each federated Local Manager.
  • Deploy and manage Malware Prevention from the Local Manager UI.
  • You can use stretched and non-stretched segments for the virtual machine endpoints.
NSX IDS/IPS and NSX Malware Prevention
Network Detection and Response Starting with NSX 4.1.2:
  • Deploy NAPP on each federated Local Manager.
  • Deploy and manage NSX Network Detection and Response (NDR) from the Local Manager UI.
  • You can use stretched and non-stretched segments to collect NDR events.
NSX Network Detection and Response
Using objects created on Global Manager in a Local Manager configuration
  1. Most configurations are supported. For example:
    • Connecting a Local Manager tier-1 gateway to a Global Manager tier-0 gateway.
    • You can use a Global Manager group in a Local Manager distributed firewall rule.
  2. These configurations are not supported:
    • Connecting a Local Manager segment to a Global Manager tier-0 or tier-1 gateway.
    • Connecting a load balancer to a Global Manager tier-1 gateway.
Network Monitoring
  • Expanded communication monitoring between Local Manager and Global Manager.
  • Traceflow across NSX instances in the same Federation.
Certificates Starting with NSX 4.1, Local Manager self-signed certificates generate only when the Local Manager is in the NSX Federation environment. That same certificate gets deleted if Local Manager moves out of the NSX Federation environment. Certificates for NSX and NSX Federation
LDAP Authenticate Global Manager users using a directory service such as Active Directory over LDAP or OpenLDAP. Integration with LDAP
Backup and Restore Backup with FQDN or IP is supported. Backup and Restore in NSX Federation
Users Starting with NSX 4.1, you can add new local users and remove audit and guest users. Manage Local User Accounts
vMotion between locations Tag replication across locations is supported.