This topic provides an overview of migrating VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) from the NSX Management Plane API to the NSX Policy API.
To migrate TKGI from the NSX Management Plane API to the NSX Policy API, see Migrating the NSX Management Plane API to NSX Policy API.
The NSX Management Plane API has been deprecated. VMware recommends that you instead use the NSX Policy API. For more information about the deprecation of the NSX Management Plane API, see Deprecation announcement for NSX Manager APIs and NSX Advanced UIs in VMware NSX-T Data Center 3.2 Release Notes.
The NSX Management Plane API to NSX Policy API (MP2P) Migration feature switches TKGI environments using the NSX Management Plane API to the NSX Policy API.
Note: TKGI supports NSX Management Plane API to NSX Policy API Migration only. You cannot return TKGI to the NSX Management Plane API after starting TKGI MP2P Migration.
TKGI NSX Management Plane API to NSX Policy API Migration provides the following advantages over manual migration:
Supports TKGI MP2P Migration in most environments.
Reduces a complex manual workflow to a few procedures:
Reduces the impact on the workloads in your environment:
Supports migrating common topologies.
For more information, see:
Before initiating TKGI MP2P, consider the following supported and unsupported configurations:
TKGI MP2P Migration supports migrating TKGI in only NSX environments dedicated to TKGI. Do not start TKGI MP2P Migration if TKGI shares your NSX environment with other products, for example, Tanzu Application Service or VMware Aria Automation.
TKGI MP2P Migration supports the following topologies:
Contact VMware Support before initiating MP2P Migration if your TKGI environment uses a customized topology or is a multi-foundation deployment of TKGI.
The following are not supported by TKGI MP2P Migration or TKGI using the NSX Policy API:
Do not start TKGI MP2P Migration if TKGI shares your NSX environment with other products, for example, Tanzu Application Service or VMware Aria Automation.
TKGI MP2P Migration does not support clusters configured with NSGroups, including Bootstrap Security Group and BOSH VM Extensions NSGroup configurations.
The TKGI Management Console cannot be used to manage TKGI after TKGI MP2P Migration.
Review the following and resolve concerns before initiating TKGI MP2P Migration:
Note: To reduce the possibility of unexpected issues, VMware recommends that you minimize the duration of your MP2P Migration mixed-mode maintenance window by promoting all clusters as soon as possible.
Consider the following before initiating TKGI MP2P Migration:
During your MP2P Migration mixed-mode maintenance window:
VMware recommends that you migrate your entire TKGI environment to NSX Policy API as quickly as possible to avoid the extra complexity of an NSX Management Plane/Policy API mixed-mode environment.
Warning: Limit upgrading NSX and TKGI to only resolving critical issues while your environment is in MP2P Migration mixed-mode.
Policy API supports new firewall sections. The new firewall sections have a higher priority than existing Management Plane-based firewall rules, including existing top firewall rules.
The DFW migration procedure described in Migrating the NSX Management Plane API to NSX Policy API documents the recommended two-step MP2P firewall migration procedure for typical DFW firewall configurations:
Adhering to the recommended DFW migration sequence is critical to maintaining security and cluster workload network connectivity. If a TKGI cluster is:
An example result of failing to migrate DFW rules correctly is clusters with access to CIDRs that had been intended to be globally blocked.
Warning: If you do not configure your DFW Rules correctly, cluster workloads will lose network connectivity.
For information about migrating DFW rules for specific edge case configurations, see Dealing with DFW Sections Created by NSX Admin in the VMware NSX Container Plugin documentation.
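The priority ordering described above can be checked with a small model before and during the mixed-mode window. The following is an added example, not VMware or NSX code: it assumes first-match evaluation on source and destination CIDR, and the rule names, CIDRs and the `api` label are constructed for illustration. It reports block rules that an earlier-evaluated allow rule can pre-empt.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    api: str      # "policy" or "mp": which API owns the section (model label)
    action: str   # "ALLOW" or "DROP"
    src: str      # source CIDR
    dst: str      # destination CIDR

def net(cidr):
    return ipaddress.ip_network(cidr)

def effective_order(rules):
    # Policy sections are evaluated before every Management Plane rule,
    # including MP "top" rules; order inside each group is preserved.
    return [r for r in rules if r.api == "policy"] + [r for r in rules if r.api == "mp"]

def verdict(rules, src_ip, dst_ip):
    # Assumed first-match evaluation; unmatched traffic is dropped.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in effective_order(rules):
        if s in net(r.src) and d in net(r.dst):
            return r.action, r.name
    return "DROP", "default"

def shadowed_blocks(rules):
    # DROP rules that an earlier-evaluated ALLOW can pre-empt for some traffic.
    ordered, findings = effective_order(rules), []
    for i, blk in enumerate(ordered):
        if blk.action != "DROP":
            continue
        for early in ordered[:i]:
            if (early.action == "ALLOW" and net(early.src).overlaps(net(blk.src))
                    and net(early.dst).overlaps(net(blk.dst))):
                findings.append((blk.name, early.name))
    return findings

ANY = "0.0.0.0/0"
# Constructed sample: cluster B promoted while the global block is still MP-owned.
MIXED = [
    Rule("mp-top-global-block", "mp", "DROP", ANY, "10.50.0.0/16"),
    Rule("mp-cluster-a-egress", "mp", "ALLOW", "172.16.1.0/24", ANY),
    Rule("policy-cluster-b-egress", "policy", "ALLOW", "172.16.2.0/24", ANY),
]
# Constructed sample: the same block expressed as a Policy section ahead of cluster B.
ALIGNED = [Rule("policy-global-block", "policy", "DROP", ANY, "10.50.0.0/16")] + MIXED[1:]

if __name__ == "__main__":
    for label, rules in (("mixed", MIXED), ("aligned", ALIGNED)):
        print(label, verdict(rules, "172.16.2.10", "10.50.3.7"), shadowed_blocks(rules))
```

In the mixed sample the unpromoted cluster is still blocked from 10.50.0.0/16 while the promoted cluster is not, which is the kind of result the DFW migration sequence is meant to prevent.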
Promoting a cluster to NSX Policy API migrates the cluster’s NSX resources and updates the cluster. Promote your clusters to the NSX Policy API serially only while the MP2P Migration mixed-mode maintenance window is active. If a cluster promotion fails, the only affected cluster is the one being promoted.
While promoting a cluster to NSX Policy API:
Workloads run as usual while promoting the cluster.
Clusters that are not actively being promoted:
The amount of time it takes to promote a cluster depends on the scale of resources NSX needs to migrate the cluster, and the time it takes to update the cluster.