VMware Networking Community
wombatclov
Contributor

NSX-V Edge Services On NSX-T

We have run NSX-V in our local datacenter, using the distributed firewall and the Edge device services like load balancer and VPN. We are starting fresh (not migrating) with NSX-T. We used the new (ish) vCenter UI integration wizard to set up "security", which gives us the look and feel of the distributed firewall we are familiar with.

However, we still need to support the edge services. Been doing a lot of reading and clicking around in the NSX-T management. If we understand it correctly, TEPs will need to be set up on the hosts (ESXi hosts), and an edge cluster will need to be built, which the services can then run on top of.

My main question is that with everything I have seen, the modes are that for the edge services to function, we must either peer with a router or use NAT. This was not the case in NSX-V. We simply used a (virtual) uplink to our main routed network. NAT was not necessary, nor was peering. It was more like a bridge to our physical network through the VDS. Is there a similar, simple way to achieve this in NSX-T?

Thank you!

p0wertje
Hot Shot

Hi,

Yes, you need edge nodes to run the services on (called T0 and T1). You can use load balancing, NATting, IPsec VPN.
The edge nodes can be bare metal or virtual.

You can use static routes if you want. You might want to put the T0 in active-standby and use HA (HA VIP).
For fast failover, it is advised to use BGP+BFD. But it depends on your needs.
You can even use OSPF if you want.

Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
wombatclov
Contributor

Hi-

A follow-up question. In the old NSX-V land, our DFW seemed to block north-south traffic. That is, say, a VM that has a public IP (not NAT), and was connected to a vNIC with the VLAN routable to the outside world by our physical routers.

This does not seem to be the case with just the bare-bones DFW in NSX-T. The DFW works between VMs on the same VLAN.

Is it the case that I must build a Gateway firewall?


Thanks,
