Book Image

VMware NSX Cookbook

By : Bayu Wibowo, Tony Sangha
Book Image

VMware NSX Cookbook

By: Bayu Wibowo, Tony Sangha

Overview of this book

This book begins with a brief introduction to VMware's NSX for vSphere Network Virtualization solutions and how to deploy and configure NSX components and features such as Logical Switching, Logical Routing, layer 2 bridging and the Edge Services Gateway. Moving on to security, the book shows you how to enable micro-segmentation through NSX Distributed Firewall and Identity Firewall and how to do service insertion via network and guest introspection. After covering all the feature configurations for single-site deployment, the focus then shifts to multi-site setups using Cross-vCenter NSX. Next, the book covers management, backing up and restoring, upgrading, and monitoring using built-in NSX features such as Flow Monitoring, Traceflow, Application Rule Manager, and Endpoint Monitoring. Towards the end, you will explore how to leverage VMware NSX REST API using various tools from Python to VMware vRealize Orchestrator.

Related Content you might be interested in

Current Title:

Small book image
VMware NSX Cookbook
Bayu Wibowo | Tony Sangha
Mar, 2018 | 584 pages
Small book image
Learning VMware NSX
Ranjit Singh Thakurratan
Aug, 2017 | 254 pages
Small book image
VMware Cross-Cloud Architecture
Ajit Pratap Kundan
Mar, 2018 | 504 pages
Small book image
Mastering VMware vSphere 6.5
Andrea Mauro | Paolo Valsecchi | Karel Novak
Dec, 2017 | 598 pages
Table of Contents (19 chapters)
Title Page
Title Page
Packt Upsell
Packt Upsell
Foreword
Foreword
Contributors
Contributors
Preface
Preface
Free Chapter
1
Getting Started with VMware NSX for vSphere
Getting Started with VMware NSX for vSphere
Introduction
Choosing the right VMware NSX for vSphere edition
Selecting ESXi hosts and network adapters
Downloading NSX for vSphere
Deploying the NSX Manager virtual appliance
Replacing the NSX Manager certificate
Registering vCenter server with NSX Manager
Applying the NSX license
Deploying the NSX Controller Cluster
Preparing a vSphere cluster for NSX
Validating NSX VIB installation
2
Configuring VMware NSX Logical Switch Networks
Configuring VMware NSX Logical Switch Networks
Introduction
Configuring VXLAN Networking
Configuring a VXLAN Segment ID
Creating a NSX Transport Zone
Creating a NSX Logical Switch
Connecting a Virtual Machine to an NSX Logical Switch
Testing an NSX Logical Switch
Enabling the Controller Disconnected Operation Mode on a Transport Zone
3
Configuring VMware NSX Logical Routing
Configuring VMware NSX Logical Routing
Introduction
Configuring the Distributed Logical Router
Configuring the Distributed Logical Router for dynamic routing
Deploying and configuring the NSX ESG in HA mode
Understanding and configuring the NSX ESG for routing
4
Configuring VMware NSX Layer 2 Bridging
Configuring VMware NSX Layer 2 Bridging
Introduction
Configuring Software-Based Gateway Layer 2 Bridging
Selecting a hardware VTEP gateway
Integrating Hardware VTEP Gateway with VMware NSX
Extending VMware NSX Logical Switch to Hardware VTEP Gateway
5
Configuring VMware NSX Edge Services Gateway
Configuring VMware NSX Edge Services Gateway
Introduction
Configuring a DNS relay
Configuring a DHCP server
Configuring an Edge Firewall
Configuring Network Address Translation
Configuring Load Balancing
Configuring IPSEC VPN
Configuring SSL VPN
Configuring High Availability
6
Configuring VMware NSX Distributed Firewall (DFW) and SpoofGuard
Configuring VMware NSX Distributed Firewall (DFW) and SpoofGuard
Introduction
Verifying NSX DFW component status
Configuring IP Discovery for Virtual Machines
Working with SpoofGuard
Excluding Virtual Machines from DFW Protection
Configuring DFW Session Timeout
Creating Security Policy Rules from the Firewall Table Menu
Creating Security Policy Rules from the Service Composer menu
Verifying DFW rules
Leveraging the DFW Applied To field
Deploying Network or Guest Introspection Services
Configuring the Identity Firewall
7
Configuring Cross-vCenter NSX
Configuring Cross-vCenter NSX
Introduction
Configuring Primary and Secondary NSX Manager(s)
Creating a Universal Transport Zone and adding a vSphere cluster to the Universal Transport Zone
Creating a Universal Logical Switch
Creating a Universal Logical Router
Adding a VM to a Universal Logical Switch
Understanding and configuring the Universal Distributed Firewall
8
Backing up and Restoring VMware NSX Components
Backing up and Restoring VMware NSX Components
Introduction
Backing up NSX Manager
Restoring NSX Manager
Restoring NSX Controller Nodes
Restoring a Logical Switch Backing Port Group
Restoring NSX Edge
Exporting NSX DFW Rules configuration from the Firewall Menu
Restoring NSX DFW Rules configuration from the Firewall Menu
Exporting NSX Security Policy from the Service Composer Menu
Restoring NSX Security Policy from the Service Composer Menu
9
Managing User Accounts in VMware NSX
Managing User Accounts in VMware NSX
Introduction
Creating a service user account for vCenter server registration
Granting access to NSX
Creating and Managing CLI user accounts in NSX manager
10
Upgrading VMware NSX
Upgrading VMware NSX
Introduction
Preparing for VMware NSX upgrade
Verifying VMware NSX working state
Upgrading VMware NSX Manager
Upgrading NSX controller node
Upgrading VMware NSX Host Clusters
Upgrading VMware NSX Edge
Upgrading Network and Security Service Deployments
11
Managing and Monitoring VMware NSX Platform
Managing and Monitoring VMware NSX Platform
Introduction
Monitoring NSX using NSX Dashboard
Configuring the NSX Components Syslog
Configuring and viewing the NSX Distributed Firewall Log
Configuring vRealize Log Insight for NSX
Enabling NSX Flow Monitoring
Using Application Rule Manager
Using NSX Endpoint Monitoring
12
Leveraging the VMware NSX REST API for Management and Automation
Leveraging the VMware NSX REST API for Management and Automation
Introduction
Using the REST API with the Postman REST client
Using the REST API with cURL
Using the REST API with PowerShell
Using the REST API with Python
Using the vRealize Orchestrator plugin for NSX
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
Index
Index

Replacing the NSX Manager certificate

When you first deploy the NSX Manager, it creates a self-signed certificate. Using a self-signed certificate is generally not a recommended security practice. It is recommended to deploy a signed certificate from your internal certificate authority. NSX Manager supports two ways of deploying a signed certificate, which are as follows:

  • Certificate signing request to a Certificate Authority (CA)
  • Importing a PKCS#12 certificate archive (bundle) onto the NSX Manager, which includes the private and public key for NSX Manager and certificate chain of any subordinate CAs in your environment

In the following recipes, we will explore how you can create a certificate signing request on NSX Manager and how to import a PKCS#12 certificate bundle onto the NSX Manager.

Certificate Signing Request

A Certificate Signing Request (CSR) is the first part in a three-step process; this process involves the following steps:

  1. The NSX Manager creating a CSR
  2. The CSR is sent as a request to the certificate authority, which then signs the certificate and sends back a signed certificate
  3. Importing the signed certificate into the NSX Manager

How to do it...

The procedure to complete a certificate signing request is as follows:

  1. Log into NSX Manager via your web browser
  2. Click on Manage Appliance Settings
  3. Click on SSL Certificates
  1. Click on Generate CSR and follow the prompts as per the following screenshot:
  1. Click on OK and select Download CSR
  2. Send the CSR file to your security administrator and get the certificate signed
  3. With the returned certificate, click on Import so you can import the correct certificate into the NSX Manager
  4. Reboot the NSX Manager to complete the process of importing a signed certificate into the NSX Manager

PKCS#12 certificate

Importing PKCS#12 into the NSX Manager is used when the certificate signing was not completed using the CSR method outlined in the previous recipe. The PKCS#12 format is typically used in scripted installations of NSX Manager and other components. If a CSR was not generated by the NSX Manager itself, it is required that the PKCS#12 archive is imported into NSX Manager.

The PKCS#12 archive generally consists of the following:

  • A signed server certificate
  • A private key for the signed certificate
  • Root and intermediate certificate authority public keys

The PKCS#12 is also password-protected, so it's important to have the password before attempting to import the PKCS#12 archive into NSX Manager.

In some cases, the received signed certificate may not be in the PCKS#12 format. In this event, you must convert the certificates into the PKCS#12 format for import into the NSX Manager. This can be achieved using openSSL (https://www.openssl.org/), and the command to achieve this is as follows:

openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CACert.crt

How to do it...

The procedure to import the PCKS#12 archive is as follows:

  1. Log into the NSX Manager via your web browser
  2. Click on Manage Appliance Settings
  3. Click on SSL Certificates
  4. Click on Upload PCKS#12Keystore and browse to the file
  5. Enter the password for archive and click on Import
  6. Reboot the NSX Manager to complete the process of importing the signed certificate
Previous Section
End of Section 7
Next Section