The duration for the NSX upgrade process depends on the number of components you have to upgrade in your infrastructure. It is important to understand the operational state of NSX components during an upgrade.
The upgrade process is as follows:
NSX Edge cluster > Hosts > Management plane.
Starting with NSX 4.0.1.1, you have the flexibility to change the order of upgrade for your edge clusters and hosts. You can alternate between groups of hosts and groups of edge nodes during the upgrade. The NSX Manager is upgraded only after all the edges and hosts have been upgraded.
NSX Edge Cluster Upgrade
During Upgrade | After Upgrade |
---|---|
|
|
Hosts Upgrade
During Upgrade | After Upgrade |
---|---|
|
|
Limitations on In-Place Upgrade
For ESXi hosts with version 7.0 and later, when upgrading from NSX 3.2 or later, in-place upgrade is not supported in the following scenarios:
- You are upgrading a vLCM-enabled cluster.
- More than 1000 vNICs are configured on the ESXi host and the VM's vNICs connect to a single VDS. If the host has multiple VDS for NSX, this vNIC limit is per VDS.
- Layer 7 firewall rules or Identity Firewall rules are enabled.
- Service Insertion has been configured to redirect north-south traffic or east-west traffic. See Security in the NSX Administration Guide for information on uninstalling service insertion.
- A VProbe-based packet capture is in progress.
- The nsx-cfgagent service is not running on the host.
- IDS/IPS or distributed malware prevention is enabled for your NSX environment.
For ESXi hosts with versions earlier than 7.0, in-place upgrade of a host is not supported in the following scenarios:
- You are upgrading a vLCM-enabled cluster.
- More than one N-VDS switch is configured on the host.
- More than 1000 vNICs are configured on the ESXi host and the VM's vNICs connect to a single VDS. If the host has multiple VDS for NSX, this vNIC limit is per VDS.
- ENS is configured on the host N-VDS switch.
- vSAN (with LACP) is configured on the host N-VDS switch.
- Layer 7 firewall rules or Identity Firewall rules are enabled.
- VMkernel interface is configured on the overlay network.
- Service Insertion has been configured to redirect north-south traffic or east-west traffic. See Security in the NSX Administration Guide for information on uninstalling service insertion.
- A VProbe-based packet capture is in progress.
- IDS/IPS or distributed malware prevention is enabled for your NSX environment.

NSX in-place upgrade does not check vSAN health. The absence of a check means that in the event of a failure, you may experience a breach of vSAN FTT and/or some data loss.
When upgrading to NSX 4.1.0 using in-place upgrade, serial upgrade within the cluster is recommended.
When upgrading to NSX 4.1.1 and later using in-place upgrade, serial upgrade within the cluster is required.
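
The two scenario lists and the serial-upgrade guidance above can be evaluated per host before choosing in-place upgrade. This Python check is an added example, not VMware code: the host-fact keys (such as `vlcm_enabled_cluster` and `vnics_per_vds`) and the sample hosts are hypothetical and constructed, and versions are assumed to be dotted numeric strings.

```python
# Added example: keys in each host dict are hypothetical inventory fields, not NSX API names.
VNIC_LIMIT_PER_VDS = 1000
COMMON = {  # scenarios listed for every ESXi version
    "vlcm_enabled_cluster": "cluster is vLCM-enabled",
    "l7_or_identity_firewall": "Layer 7 or Identity Firewall rules are enabled",
    "service_insertion": "Service Insertion redirects north-south or east-west traffic",
    "vprobe_capture_running": "VProbe-based packet capture is in progress",
    "ids_ips_or_malware_prevention": "IDS/IPS or distributed malware prevention is enabled",
}
PRE_7_ONLY = {  # scenarios listed only for ESXi versions earlier than 7.0
    "ens_on_nvds": "ENS is configured on the host N-VDS switch",
    "vsan_lacp_on_nvds": "vSAN (with LACP) is configured on the host N-VDS switch",
    "vmk_on_overlay": "VMkernel interface is configured on the overlay network",
}

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def in_place_blockers(host):
    """Return the reasons in-place upgrade is not supported for this host."""
    esxi7 = version_tuple(host["esxi_version"]) >= (7, 0)
    flags = COMMON if esxi7 else {**COMMON, **PRE_7_ONLY}
    reasons = [text for key, text in flags.items() if host.get(key)]
    for vds, count in host.get("vnics_per_vds", {}).items():  # limit is per VDS
        if count > VNIC_LIMIT_PER_VDS:
            reasons.append(f"{count} vNICs on {vds} exceeds {VNIC_LIMIT_PER_VDS}")
    # A missing nsx-cfgagent fact is treated as "not running" (fail closed).
    if esxi7 and not host.get("nsx_cfgagent_running", False):
        reasons.append("nsx-cfgagent service is not running")
    if not esxi7 and host.get("nvds_count", 0) > 1:
        reasons.append("more than one N-VDS switch is configured")
    return reasons

def serial_upgrade(target_nsx):
    """Serial-within-cluster guidance for an in-place upgrade to target_nsx."""
    t = (version_tuple(target_nsx) + (0, 0))[:3]
    if t >= (4, 1, 1):
        return "required"
    return "recommended" if t == (4, 1, 0) else "not stated"

HOSTS = [  # constructed sample inventory
    {"name": "esx-a", "esxi_version": "7.0.3", "nsx_cfgagent_running": True,
     "vmk_on_overlay": True, "vnics_per_vds": {"vds-1": 640, "vds-2": 700}},
    {"name": "esx-b", "esxi_version": "6.7.0", "nvds_count": 2,
     "vmk_on_overlay": True, "vnics_per_vds": {"vds-1": 1200}},
]

if __name__ == "__main__":
    for h in HOSTS:
        print(h["name"], in_place_blockers(h) or "eligible for in-place upgrade")
```

In the sample, `esx-a` carries 1340 vNICs in total but stays under the limit on each VDS, and its VMkernel-on-overlay flag is ignored because that scenario is listed only for ESXi versions earlier than 7.0.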
Management Plane Upgrade
During Upgrade | After Upgrade |
---|---|
When upgrading from NSX 3.2, or 3.2.0.1:
|
|