To install the NSX Application Platform successfully and to activate the NSX features that it hosts, you must prepare the deployment environment so that it meets the minimum required resources.

You must satisfy the prerequisites listed in the following sections before you start deploying the NSX Application Platform.

NSX Interoperability Requirement

Confirm that the NSX product version you are using is compatible with the NSX Application Platform version that you plan to deploy, along with its related NSX features (Security Intelligence, NSX Network Detection and Response, NSX Malware Prevention, and NSX Metrics).

Important:

In an NSX Federation environment, you can deploy the NSX Application Platform on Local Managers only. You cannot deploy the NSX Application Platform using Global Managers. You can access the NSX Application Platform using a Local Manager only.

To determine which NSX Application Platform version you can deploy with which NSX version, use the Interoperability Matrix.

Use the following information to determine which documentation applies to your specific NSX Application Platform activation workflow.
  • If you need to install a brand new NSX installation, see the NSX Installation Guide for version 4.2 in the VMware NSX Documentation set for installation instructions.
  • For information about upgrading from NSX Application Platform version 3.2 or later to version 4.2, see Upgrade the NSX Application Platform.
  • If you are upgrading from NSX 3.1.x or earlier without Security Intelligence installed, see the NSX Upgrade Guide in the VMware NSX Documentation set.
  • If you are upgrading with an installation of Security Intelligence 1.1.x, you must migrate your current Security Intelligence installation to 3.2.x before you upgrade to Security Intelligence 4.2 and NSX 4.2. See the Activating and Upgrading Security Intelligence documentation in the Security Intelligence Documentation set.

Kubernetes Cluster Interoperability Requirement

  • NSX Application Platform deployment requires a Kubernetes cluster. The supported options are a Tanzu Kubernetes Grid (TKG) Cluster on Supervisor or an Upstream Kubernetes cluster.
    Important: Upstream Kubernetes refers to the vanilla, open-source Kubernetes maintained by the Cloud Native Computing Foundation and does not cover any distributions or releases of Kubernetes which are not explicitly listed in the following table.

    For TKG Cluster on Supervisor, the recommended deployment is to use the NSX Application Platform Automation Appliance or manual deployment of the versions validated as per the Interoperability Matrix.

Required Ports and Protocols

Verify that the required ports on your Kubernetes cluster host are open for the NSX Application Platform to access. See the VMware Ports and Protocols web page.

Valid License Requirement

To deploy the NSX Application Platform, the current NSX Manager session in use must have a valid license in effect during the NSX Application Platform deployment. The list of supported features for the different NSX license editions is available in the NSX Feature and Edition Guide.

License Expiration

If an assigned license expires or becomes invalid, only operations on the NSX Application Platform > System tab are available. All edit, create, and new operations are blocked. For information on NSX licensing and adding a new license key in NSX Manager, see the License Enforcement topic in the NSX Administration Guide.

The NSX Application Platform Automation Appliance UI shows an error if the assigned license expires or becomes invalid.

On Security Intelligence, the Plan & Troubleshoot Recommendations and Discover & Take Action tabs are inaccessible.

The data and events monitoring capabilities, suspicious traffic, and malware prevention are inaccessible on NSX Network Detection and Response and NSX Malware Prevention.

Valid NSX User Role

To deploy the NSX Application Platform, you must have Enterprise Admin role privileges.

Valid CA-Signed Certificates

  • If your NSX Manager appliance uses CA-signed certificates with a partial chain on the NSX Manager Unified Appliance cluster, you must replace the certificate with a full certificate chain. See VMware Knowledge Base article 78317 for more information.

  • When using multiple NSX Manager appliances, your environment must meet one of the following certificate prerequisites.

    • All the appliances must share the same SSL certificate.

    • A dedicated SSL certificate must be issued for each appliance, where the certificate Common Name (CN) must be unique across all nodes.

    • When using a Virtual IP (VIP), the cluster certificate must either be the same certificate that all the individual appliances share or be unique from the certificates of all the nodes.
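
The certificate prerequisites above can be checked against an inventory of each appliance's chain before deployment. The following is an added example, not VMware code: the names Cert, chain_is_full and check_cluster and the sample inventory are hypothetical, chain completeness is judged by subject/issuer name chaining only (signatures are not verified), and the VIP rule is implemented as one reading of the requirement.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str      # subject name, as printed by a certificate viewer
    issuer: str       # issuer name
    fingerprint: str  # SHA-256 fingerprint (constructed placeholders below)

def chain_is_full(chain):
    """Leaf-first chain is full when each certificate names the next as its
    issuer and the last is a self-issued root (name chaining only)."""
    if not chain:
        return False
    linked = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return linked and chain[-1].issuer == chain[-1].subject

def check_cluster(node_chains, vip_chain=None):
    """Return a list of findings; an empty list means the prerequisites hold."""
    findings = [f"{n}: partial certificate chain"
                for n, ch in node_chains.items() if not chain_is_full(ch)]
    leaves = [ch[0] for ch in node_chains.values() if ch]
    fps = {c.fingerprint for c in leaves}
    shared = len(fps) == 1                      # one certificate on every node
    cns = [c.subject for c in leaves]
    if not shared and len(set(cns)) != len(cns):
        findings.append("nodes: dedicated certificates without unique CNs")
    if vip_chain is not None:
        if not chain_is_full(vip_chain):
            findings.append("vip: partial certificate chain")
        # Assumed reading: VIP cert equals the shared cert, or matches no node.
        if vip_chain and not shared and vip_chain[0].fingerprint in fps:
            findings.append("vip: certificate reused from a single node")
    return findings

# Constructed sample inventory (not real certificates).
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "fp-root")
INTER = Cert("CN=Example Issuing CA", "CN=Example Root CA", "fp-inter")
def leaf(cn, fp):
    return Cert(f"CN={cn}", INTER.subject, fp)

GOOD = {f"mgr-0{i}": [leaf(f"mgr-0{i}.example.test", f"fp-{i}"), INTER, ROOT]
        for i in (1, 2, 3)}
GOOD_VIP = [leaf("nsx-vip.example.test", "fp-vip"), INTER, ROOT]
BAD = {"mgr-01": [leaf("mgr-01.example.test", "fp-1"), INTER],   # root missing
       "mgr-02": [leaf("nsx.example.test", "fp-2"), INTER, ROOT],
       "mgr-03": [leaf("nsx.example.test", "fp-3"), INTER, ROOT]}  # duplicate CN
BAD_VIP = BAD["mgr-02"]
if __name__ == "__main__":
    print(*check_cluster(BAD, BAD_VIP), sep="\n")
```

In practice the subject, issuer and fingerprint fields would be filled from the certificates actually served by each NSX Manager node and the VIP.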

Supported Certificate Types for Offline or Air-Gapped Deployments

Installing Harbor requires an SSL certificate. The following types are supported:

  • Certificates signed by a public trusted CA
  • Self-signed certificates using FQDN
  • Self-signed certificates using IP address
  • Certificates from a corporate CA

Internet Access Requirement

Ensure that your NSX system can access the public VMware-hosted registry and repository where you can obtain the packaged NSX Application Platform Helm chart and Docker images. Direct Internet access is required only during installation and upgrade operations. This access is limited to outbound access on TCP port 443 (HTTPS) to https://projects.registry.vmware.com for the purpose of accessing the NSX Application Platform Helm charts and Docker images. No inbound access or permanent outbound access is required.

Outbound Internet access is required for both the NSX Unified Appliance VMs and NSX Application Platform guest cluster worker nodes.

To manually configure your NSX environment to use an Internet proxy server, use the System > General Settings > Internet Proxy Server tab. See Manual Deployment of the NSX Application Platform. If your Kubernetes cluster does not have access to the Internet or you have security restrictions, see the optional requirement for a private container registry with chart repository service.

To configure your NSX environment to use an Internet proxy server for automated deployment using the NSX Application Platform Automation Appliance, implement the prerequisites and activate proxy. See Run Deployment Wizard.