You can use the NSX Management Proxy in concert with the Antrea-NSX adapter to reach NSX Manager from Antrea-based TKG Service clusters. The NSX Management Proxy is required when there is isolation between the Supervisor Management and Workload networks. The proxy will apply to all TKGS clusters created after the NSX Management Proxy service is deployed.

Use Case

The NSX Management Proxy is intended to be used in conjunction with the Antrea-NSX adapter.

If Supervisor is deployed with separation between the Management and Workload Networks, as is typically the case, you must use the NSX Management Proxy to reach the NSX Management plane from a TKGS cluster configured with the Antrea-NSX adapter. When the system detects this proxy, Supervisor automatically passes the proxy to the Antrea-NSX adapter configuration. If the Management Network is isolated and the proxy is not installed, the Antrea-NSX adapter will fail to start.

Once the NSX Management Proxy service is deployed, you can install the Antrea-NSX adapter. See Enable the Antrea-NSX Adapter for a TKG Service Cluster.

Prerequisites

The NSX Management Proxy is installed as a Supervisor Service. To install the proxy service, adhere to the following prerequisites:
  • vSphere 8 U3 (8.0.3) or later
  • NSX 4.1 or later
  • Supervisor is enabled with NSX networking
  • Manage Supervisor Services privilege on vCenter Server
  • Familiarity with Supervisor Services

Download Required YAML Files

Download the required YAML files, including the service definition and data values.
  1. Go to the Supervisor Services distribution site at https://www.vmware.com/go/supervisor-service.
  2. Scroll to the NSX Management Proxy section and download the following files:
    1. The NSX Management Proxy service definition file: nsx-management-proxy.yml
    2. The NSX Management Proxy service configuration file: nsx-management-proxy-data-values.yml

Register the NSX Management Proxy as a Service

Complete these steps to register the NSX Management Proxy as a Supervisor Service.
  1. Using the vSphere Client, navigate to Workload Management > Services.
  2. Select Add New Service > Add.
  3. Click Upload.
  4. Browse to and select the nsx-management-proxy.yml file you downloaded.
  5. Verify that the NSX Management Proxy service definition is successfully uploaded.
  6. Click Finish.
  7. Verify that the registration card for the NSX Management Proxy service is listed in the Services tab.

Configure the NSX Management Proxy Service

Before installing the NSX Management Proxy service, update its data values file with configuration values appropriate for your environment.
  1. Using a text editor, open the nsx-management-proxy-data-values.yml file.
  2. Edit the properties described in the table below to match your environment.
  3. Save the changes.
    Name: nsxManagers

    Value: List of NSX Manager IP addresses (required).

    You must use an actual IP address and not the virtual IP address (VIP). If you are using an NSX Management cluster, you must include all 3 actual IP addresses in the list.

    Name: loadBalancerIP

    Value: IP from the Supervisor load balancer IP pool (optional).

    The IP address for this field is carved from the "Ingress" CIDR for the Workload Network. When a Workload Network is created, either initially during Supervisor enablement or later when creating a vSphere Namespace and overriding the network settings, there is a configuration setting for "Ingress" that accepts an IP CIDR block which is used to allocate IP addresses for services that are published via service type load balancer and Ingress across all vSphere Namespaces created on that Supervisor instance.

    If the "loadBalancerIP" field is not specified, the system will automatically allocate one available IP address from the "Ingress" CIDR range.

    If the "loadBalancerIP" is specified, it must be within the "Ingress" CIDR range and it must not conflict with IP addresses that are already allocated.

    You can view allocated "Ingress" IPs using the command "kubectl get services -o wide -A" on the vSphere Namespace. The IPs are in the "EXTERNAL-IP" column of the kubectl output.
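
The constraints on nsxManagers and loadBalancerIP described above can be checked before the values are pasted into the install dialog. The following Python sketch is an added example, not VMware code: the function names, the addresses, and the kubectl output are constructed for illustration, and the values are passed in directly rather than parsed from the YAML file, whose layout is not shown on this page.

```python
import ipaddress

# Constructed sample of `kubectl get services -o wide -A` output (not from a real cluster).
SAMPLE_KUBECTL = """\
NAMESPACE     NAME         TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)          AGE   SELECTOR
kube-system   kube-dns     ClusterIP      10.96.0.10    <none>         53/UDP,53/TCP    40d   k8s-app=kube-dns
demo-ns       web-front    LoadBalancer   10.96.14.2    192.168.50.3   443:31443/TCP    12d   app=web
demo-ns       tkc-1-cp     LoadBalancer   10.96.77.9    192.168.50.4   6443:30211/TCP   9d    <none>
"""

def allocated_external_ips(kubectl_output):
    """Collect addresses from the EXTERNAL-IP column, skipping <none>/<pending>."""
    lines = [l for l in kubectl_output.splitlines() if l.strip()]
    col = lines[0].split().index("EXTERNAL-IP")
    found = set()
    for line in lines[1:]:
        for item in line.split()[col].split(","):
            try:
                found.add(ipaddress.ip_address(item))
            except ValueError:
                pass  # placeholders such as <none> or <pending>
    return found

def check_data_values(nsx_managers, ingress_cidr, kubectl_output,
                      load_balancer_ip=None, nsx_vip=None, clustered=False):
    """Return a list of problems; an empty list means the values pass these checks."""
    problems = []
    try:
        managers = [ipaddress.ip_address(m) for m in nsx_managers]
    except ValueError as exc:
        return [f"nsxManagers: {exc}"]
    if not managers:
        problems.append("nsxManagers: required, list is empty")
    if nsx_vip and ipaddress.ip_address(nsx_vip) in managers:
        problems.append("nsxManagers: contains the cluster VIP, use node IPs")
    if clustered and len(set(managers)) != 3:
        problems.append("nsxManagers: a management cluster needs all 3 node IPs")
    if load_balancer_ip is not None:  # optional; unset means auto-allocation
        lb = ipaddress.ip_address(load_balancer_ip)
        if lb not in ipaddress.ip_network(ingress_cidr, strict=False):
            problems.append(f"loadBalancerIP: {lb} is outside Ingress CIDR {ingress_cidr}")
        if lb in allocated_external_ips(kubectl_output):
            problems.append(f"loadBalancerIP: {lb} is already allocated")
    return problems
```

In practice, replace SAMPLE_KUBECTL with the captured output of the kubectl command above and pass the "Ingress" CIDR configured for the Workload Network.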

Install the NSX Management Proxy Service

Install the NSX Management Proxy service by completing the following steps.
  1. Navigate to the Workload Management > Services screen.
  2. In the NSX Management Proxy service card, select Actions > Install on Supervisor.
  3. Select the Available tab.
  4. Copy/paste the contents from the nsx-management-proxy-data-values.yml you edited to the "YAML Service Config" input field.
  5. Click OK to proceed with the NSX Management Proxy installation.
  6. Monitor and verify the installation.

    Monitor the installation by checking the Supervisors field on the NSX Management Proxy service card. You should see the number next to Supervisors increment. The service is in Configuring state until the desired state is reached. When the desired state is reached, the state of the service changes to Configured.

  7. Verify that there is a vSphere Namespace for the NSX Management Proxy.

    Once the NSX Management Proxy is installed, a vSphere Namespace is created for the service instance.

  8. Get the proxy load balancer IP address.

    You can view the proxy load balancer IP address from the Network tab of the NSX Management Proxy vSphere Namespace.

Troubleshoot the NSX Management Proxy Service

If you receive the following error, it means that the environment is not compatible. Make sure the environment complies with the versions listed in the prerequisites section.
Creation of Supervisor Service with ID nsx-management-proxy.nsx.vmware.com is not allowed. 
Only service IDs defined in the allow-list file /etc/vmware/wcp/supervisor-services-allow-list.txt are allowed.