This topic provides instructions for creating the NSX-T objects for the TKGI Management Plane.

Prerequisites

Before completing this section, make sure you have completed the following sections:

• NSX-T Installation Prerequisites
• Install and Configure the NSX-T Manager Hosts
• Generate and Register the NSX-T TLS Certificate and Private Key
• Create an IP Pool for VTEP
• Configure Transport Zones
• Configure vSphere Networking for ESXi Hosts
• Deploy NSX-T Edge Nodes
• Deploy NSX-T Transport Nodes
• Create NSX-T Objects for Kubernetes Clusters Provisioned by TKGI

Create Management Plane

Networking for the TKGI Management Plane consists of a Tier-1 Router and Switch with NAT Rules for the Management Plane VMs.

Create Tier-1 Router and Switch

Create Tier-1 Logical Switch and Router for TKGI Management Plane VMs. Complete the configuration by enabling Route Advertisement on the T1 router.

1. In the NSX Management console, navigate to Networking > Logical Switches.

2. Click Add.

3. Create the LS for TKGI Management plane VMs:

   • Name: LS-PKS-MGMT
   • Transport Zone: tz-overlay
     

4. Click Add and verify creation of the T1 logical switch.
   

5. Go to Networking > Tier-1 Logical Router.
   

6. Click Add.

7. Configure the Tier-1 logical router as follows:

   • Name: T1-PKS-MGMT
   • To router: T0-router
   • Edge Cluster: edge-cluster-1
   • Edge Cluster Members: edge-node-1 and edge-node-2
     

8. Click Add and verify.
   

9. Select the T1 router and go to Configuration > Router port.
   

10. Click Add.

11. Configure the T1 router port as follows:

    • Name: T1-PKS-MGMT-port
    • Logical Switch: LS-PKS-MGMT
    • Subnet: 10.1.1.1/24
      

12. Click Add and verify.
    

13. Select Routing tab.
    

14. Click Edit and configure route advertisement as follows:

    • Status: Enabled
    • Advertise All Connected Routes: Yes
      

15. Click Save and verify.
    

Create NAT Rules

You need to create the following NAT rules on the Tier-0 router for the TKGI Management Plane VMs.

• DNAT: 10.173.62.220 (for example) to access Ops Manager
• DNAT: 10.173.62.221 (for example) to access Harbor

• SNAT: 10.173.62.222 (for example) for all TKGI management plane VM traffic destined to the outside world

• In the NSX Management console, navigate to Networking > NAT.

• In the Logical Router field, select the T0-router you defined for TKGI.
  

• Click Add.

• Configure the Ops Manager DNAT rule as follows:

  • Priority: 1000
  • Action: DNAT
  • Protocol: Any Protocol
  • Destination IP: 10.173.62.220, for example
  • Translated IP: 10.1.1.2, for example
    

• Click Add and verify.

• Add a second DNAT rule for Harbor by repeating the same operation.

  • Priority: 1000
  • Action: DNAT
  • Protocol: Any Protocol
  • Destination IP: 10.173.62.221, for example
  • Translated IP: 10.1.1.6, for example

• Verify the creation of the DNAT rules.
  

• Create the SNAT rule for the management plane traffic as follows:

  • Priority: 9024
  • Action: SNAT
  • Protocol: Any Protocol
  • Source IP: 10.1.1.0/24, for example
  • Translated IP: 10.173.62.222, for example
    

• Verify the creation of the SNAT rule.

Next Steps

Configure the NSX-T Password Interval