This topic describes how to create NSX objects for the VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) Management Plane.

Prerequisites

Before completing this section, make sure you have completed the following sections:

• NSX-T Installation Prerequisites
• Install and Configure the NSX-T Manager Hosts
• Generate and Register the NSX-T TLS Certificate and Private Key
• Create an IP Pool for VTEP
• Configure Transport Zones
• Configure vSphere Networking for ESXi Hosts
• Deploy NSX-T Edge Nodes
• Deploy NSX-T Transport Nodes
• Create NSX-T Objects for Kubernetes Clusters Provisioned by TKGI

Create Management Plane

Networking for the TKGI Management Plane consists of a Tier-1 Router and Switch with NAT Rules for the Management Plane VMs.

Create Tier-1 Router and Switch

Create Tier-1 Logical Switch and Router for TKGI Management Plane VMs. Complete the configuration by enabling Route Advertisement on the T1 router.

1. In the NSX Management console, navigate to Networking > Logical Switches.

2. Click Add.

3. Create the LS for TKGI Management plane VMs:

   • Name: LS-PKS-MGMT
   • Transport Zone: tz-overlay
     

4. Click Add and verify creation of the T1 logical switch.
   

5. Go to Networking > Tier-1 Logical Router.
   

6. Click Add.

7. Configure the Tier-1 logical router as follows:

   • Name: T1-PKS-MGMT
   • To router: T0-router
   • Edge Cluster: edge-cluster-1
   • Edge Cluster Members: edge-node-1 and edge-node-2
     

8. Click Add and verify.
   

9. Select the T1 router and go to Configuration > Router port.
   

10. Click Add.

11. Configure the T1 router port as follows:

    • Name: T1-PKS-MGMT-port
    • Logical Switch: LS-PKS-MGMT
    • Subnet: 10.1.1.1/24

12. Click Add and verify.

13. Select Routing tab.

14. Click Edit and configure route advertisement as follows:

    • Status: Enabled
    • Advertise All Connected Routes: Yes
      

15. Click Save and verify.
    

Create NAT Rules

You need to create the following NAT rules on the Tier-0 router for the TKGI Management Plane VMs.

• DNAT: 10.173.62.220 (for example) to access Ops Manager
• DNAT: 10.173.62.221 (for example) to access Harbor

• SNAT: 10.173.62.222 (for example) for all TKGI management plane VM traffic destined to the outside world

• In the NSX Management console, navigate to Networking > NAT.

• In the Logical Router field, select the T0-router you defined for TKGI.

• Click Add.

• Configure the Ops Manager DNAT rule as follows:

  • Priority: 1000
  • Action: DNAT
  • Protocol: Any Protocol
  • Destination IP: 10.173.62.220, for example
  • Translated IP: 10.1.1.2, for example
    

• Click Add and verify.

• Add a second DNAT rule for Harbor by repeating the same operation.

  • Priority: 1000
  • Action: DNAT
  • Protocol: Any Protocol
  • Destination IP: 10.173.62.221, for example
  • Translated IP: 10.1.1.6, for example

• Verify the creation of the DNAT rules.

• Create the SNAT rule for the management plane traffic as follows:

  • Priority: 9024
  • Action: SNAT
  • Protocol: Any Protocol
  • Source IP: 10.1.1.0/24, for example
  • Translated IP: 10.173.62.222, for example
    

• Verify the creation of the SNAT rule.
  

Next Steps

Configure the NSX-T Password Interval