jeffersonc47's Posts

The NSX DFW can't do firewalling of ESXi host vmk interfaces. However, there is a firewall native to ESXi that you can use - https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-8912DD42-C6EA-4299-9B10-5F3AEA52C605.html.
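The ESXi firewall the post links to is driven from esxcli on the host, and it applies to services bound to vmkernel interfaces (SSH, the vSphere client port, NFS and so on), not to VM traffic, which is the DFW's job. The following is an added example, not code from the post or from VMware's documentation: it restricts a ruleset such as sshServer to one or more management subnets and can flip the firewall to default-deny. The ruleset names, subnets and the ESXCLI dry-run variable are illustrative. Add the subnet your own session comes from before turning off "allowed all", or you will lock yourself out.

```shell
# Added example (not from the post). Run in the ESXi shell or over SSH.
# Set ESXCLI=echo to print the commands instead of executing them.
esx() { ${ESXCLI:-esxcli} "$@"; }

# Show the rule and allowed-IP view for one ruleset (e.g. sshServer, vSphereClient).
show_ruleset() {
  esx network firewall ruleset list --ruleset-id="$1"
  esx network firewall ruleset allowedip list --ruleset-id="$1"
}

# restrict_ruleset <ruleset-id> <cidr> [<cidr>...]
# Adds each CIDR to the ruleset's allowed list first (harmless while
# "allowed all" is still on), then disables "allowed all" so only those
# sources can reach the service. Additions are cumulative across runs.
restrict_ruleset() {
  rs=$1; shift
  [ $# -gt 0 ] || { echo "restrict_ruleset: need at least one CIDR" >&2; return 1; }
  for cidr in "$@"; do
    esx network firewall ruleset allowedip add --ruleset-id="$rs" --ip-address="$cidr" || return 1
  done
  esx network firewall ruleset set --ruleset-id="$rs" --enabled=true --allowed-all=false
}

# Default-deny for traffic that matches no enabled ruleset. Check that every
# management path you rely on (vCenter, SSH, vMotion, NFS) has an enabled
# ruleset before doing this.
set_default_deny() {
  esx network firewall set --default-action=false
  esx network firewall set --enabled=true
}
```

Usage on a host: `restrict_ruleset sshServer 10.10.0.0/24` followed by `show_ruleset sshServer` to confirm; the ruleset IDs come from `esxcli network firewall ruleset list`.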
I realize this doesn't directly answer your question, but VMware would generally recommend you migrate load balancing to NSX Advanced Load Balancer not the native NSX-T load balancer. VMware has announced plans to remove the NSX native load balancer in favor of ALB in a future release:

===
Deprecation Announcement for NSX-T Load Balancing APIs
NSX-T Load Balancer APIs would be marked as deprecated. This would apply to all APIs containing URIs that begin with /policy/api/v1/infra/lb-
Please be aware that VMware intends to remove support of the NSX-T Load Balancer in an upcoming NSX-T release, which will be generally available no sooner than one year from the date this message was announced (December 16, 2021). NSX-T Manager APIs that are planned to be removed are marked with "deprecated" in the NSX Data Center API Guide. It is recommended that new deployments with NSX-T Data Center take advantage of VMware NSX Advanced Load Balancer (Avi) using release v20.1.6 or later.
===
(https://docs.vmware.com/en/VMware-NSX/3.2/rn/vmware-nsxt-data-center-32-release-notes/index.html#Feature%20/%20API%20Deprecations%20and%20Behavior%20Changes-Deprecation%20Announcement%20for%20NSX-T%20Load%20Balancing%20APIs)

===
VMware intends to deprecate the built-in NSX load balancer and recommends customers migrate to NSX Advanced Load Balancer (Avi) as soon as practical. VMware NSX Advanced Load Balancer (Avi) provides a superset of the NSX load balancing functionality and VMware recommends that you purchase VMware NSX Advanced Load Balancer (Avi) Enterprise to unlock enterprise grade load balancing, GSLB, advanced analytics, container ingress, application security and WAF. We are giving advanced notice now to allow existing customers who use the built-in NSX load balancer time to migrate to NSX Advanced Load Balancer (Avi). Support for the built-in NSX load balancer for customers using NSX-T Data Center 3.x will remain for the duration of the NSX-T Data Center 3.x release series. Support for the built-in NSX load balancer for customers using NSX 4.x will remain for the duration of the NSX 4.x release series. Details for both are described in the VMware Product Lifecycle Matrix. We do not intend to provide support for the built-in NSX load balancer beyond the last NSX 4.x release.
===
https://docs.vmware.com/en/VMware-NSX/4.0.1.1/rn/vmware-nsx-4011-release-notes/index.html#Feature%20Deprecation
A few comments:
* VMware is still advising sticking with 3.2.x unless you need features from 4.x. ("NSX 4.1.0 is a new release providing a variety of new features. Customers who require these features should upgrade to adopt the new functionality. Customers who do not require this functionality at this time should upgrade to the latest available version of NSX 3.2 (currently 3.2.2), which continues to be VMware's recommended release." - https://docs.vmware.com/en/VMware-NSX/4.1.0/rn/vmware-nsx-410-release-notes/index.html)
* Starting with NSX-T 3.1.1, NSX-T provides a vDS license if your hosts don't otherwise have one. See https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-065D6BE8-1E72-48EB-BD2C-821FA86E1142.html for details.
* I'm not 100% certain if NSX-T requires a vDS for endpoint only protection, but I think it does. Someone from VMware should be able to provide a more authoritative answer.
One other thing to note - VMware has indicated they plan to remove the NSX-T built-in load balancer in favor of NSX ALB (AVI). As a result, everything new should be done using NSX ALB. As dragance noted, all license levels of NSX Data Center that include load balancing (Advanced and above) also include licensing for NSX ALB. (See https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmware-nsx-datasheet.pdf and https://avinetworks.com/docs/latest/nsx-alb-basic-edition/ for more details.)

Note from NSX-T 3.2 release notes (https://docs.vmware.com/en/VMware-NSX/3.2/rn/vmware-nsxt-data-center-32-release-notes/index.html)
===
"Please be aware that VMware intends to remove support of the NSX-T Load Balancer in an upcoming NSX-T release, which will be generally available no sooner than one year from the date this message was announced (December 16, 2021)"
===

Note from NSX 4.1 release notes (https://docs.vmware.com/en/VMware-NSX/4.1.0/rn/vmware-nsx-410-release-notes/index.html)
===
VMware intends to deprecate the built-in NSX load balancer and recommends customers migrate to NSX Advanced Load Balancer (Avi) as soon as practical. VMware NSX Advanced Load Balancer (Avi) provides a superset of the NSX load balancing functionality and VMware recommends that you purchase VMware NSX Advanced Load Balancer (Avi) Enterprise to unlock enterprise grade load balancing, GSLB, advanced analytics, container ingress, application security and WAF. We are giving advanced notice now to allow existing customers who use the built-in NSX load balancer time to migrate to NSX Advanced Load Balancer (Avi). Support for the built-in NSX load balancer for customers using NSX-T Data Center 3.x will remain for the duration of the NSX-T Data Center 3.x release series. Support for the built-in NSX load balancer for customers using NSX 4.x will remain for the duration of the NSX 4.x release series. Details for both are described in the VMware Product Lifecycle Matrix. We do not intend to provide support for the built-in NSX load balancer beyond the last NSX 4.x release.
===
You can still use the NSX-T license without using the NSX-T integration. You just enter the license in the NSX ALB (AVI) interface.
You have two options:
* Create LM objects and use those with the NSX-T integration.
* Don't use the NSX-T integration and manage the SEs/networks/etc. by hand.
That is unfortunately expected behavior. When using the NSX-T integration, you can only select local manager objects. You cannot select objects created at the GM level and pushed to the LMs.
As of NSX-T 3.2 NSX Intelligence runs on top of the NSX Application Platform. The NSX Application Platform requires some Kubernetes platform. That can be Tanzu, but it doesn't have to be. Here is a blog post series detailing how to use Tanzu Community Edition (free) for the NSX Application Platform - https://lumberjackwizard.com/2022/03/02/deploying-nsx-application-platform-part-one-introduction/
Named teaming policies are only for VLAN transport zones.
As mentioned you do not need T0s/T1s if you're just using distributed firewall. You have two options for a security-only use case:
* Use the quick start wizard to do a security only deployment (see https://blog.redlogic.nl/en/nsxt-32-dfw-vds for an example). This will only install/configure the pieces of NSX-T needed for the DFW (and other security components).
* Do a standard deployment but simply don't deploy any overlay networks/gateways/etc. This is a little more work up front in that you need to configure host TEPs, but it provides a simpler migration path if you decide you want overlay networks later. (If you deploy security-only using the quick-start wizard above, you have to completely unconfigure/reconfigure the hosts if you decide you want to add overlay networks.)
If you're looking for a vCenter plugin like NSX-V provides, you won't (generally) find that. NSX-T has its own UI separate from vCenter. There is an option for deploying NSX for security-only use cases from vCenter. In that case you do get a limited plugin. See https://www.youtube.com/watch?v=9-mdB2cpvBw for more details.
Yep - We had to do that also.
Probably ~5 minutes to run. It's non-disruptive.
You can certainly use it with the local managers that are part of a federation deployment. (I've done that.) I haven't tried it on the global managers directly.
Nope - NSX-T (As of 3.2.x) does not have the ability to read vCenter tags into NSX-T inventory. I've mentioned it to PM, and I've heard others doing so also. I expect it will come at some future point, but it's not here currently.
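Since NSX-T cannot read vCenter tags itself, the usual way to key DFW groups on them is an external sync that copies vCenter tags onto the VM's NSX tags. The following is an added example, not code from the post or from VMware: reading tags out of vCenter (pyvmomi or the vSphere REST tagging API) is left to the caller, and the block covers the mapping, the merge with tags already on the VM, and the NSX-T Manager API call. Assumptions, labelled in the code and not taken from the post: NSX limits a tag scope to 30 characters and a tag value to 256, and the update endpoint is POST /api/v1/fabric/virtual-machines?action=update_tags with a {"external_id": ..., "tags": [...]} body. The sample vCenter tags, host name and credentials are constructed.

```python
"""Added example (not from the post): mirror vCenter tags onto NSX-T VM tags."""
import base64
import json
import ssl
import urllib.request

NSX_SCOPE_MAX = 30   # assumed NSX limit on tag scope length
NSX_TAG_MAX = 256    # assumed NSX limit on tag value length
SYNC_PREFIX = "vc"   # marks scopes owned by this sync; other scopes are left alone

# Constructed sample of what a vCenter tag lookup for one VM might return:
# (category name, tag name). The duplicate is deliberate.
SAMPLE_VC_TAGS = [("env", "prod"), ("app", "billing"), ("env", "prod")]


def vcenter_to_nsx_tags(vc_tags, prefix=SYNC_PREFIX):
    """Map (category, name) pairs to NSX {"scope", "tag"} dicts.

    Category becomes the (prefixed) scope, tag name becomes the value.
    Duplicates collapse. Over-long names raise instead of being truncated,
    so a DFW group can never match a tag that differs from what vCenter shows.
    """
    seen, out = set(), []
    for category, name in vc_tags:
        scope = f"{prefix}:{category}"
        if len(scope) > NSX_SCOPE_MAX or len(name) > NSX_TAG_MAX:
            raise ValueError(f"tag exceeds assumed NSX limits: {scope!r}={name!r}")
        if (scope, name) in seen:
            continue
        seen.add((scope, name))
        out.append({"scope": scope, "tag": name})
    return out


def merge_tags(existing, synced, prefix=SYNC_PREFIX):
    """Replace the sync-owned tags wholesale (so a tag removed in vCenter is
    also removed in NSX) and keep every tag with another scope, e.g. ones
    an admin set by hand in the NSX UI."""
    owned = f"{prefix}:"
    kept = [t for t in existing if not t.get("scope", "").startswith(owned)]
    return kept + synced


def update_tags_request(nsx_host, user, password, external_id, tags):
    """Build the Manager API request (assumed endpoint). external_id is the
    VM's external ID as listed by GET /api/v1/fabric/virtual-machines."""
    body = json.dumps({"external_id": external_id, "tags": tags}).encode()
    req = urllib.request.Request(
        f"https://{nsx_host}/api/v1/fabric/virtual-machines?action=update_tags",
        data=body, method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("Content-Type", "application/json")
    return req


def push_tags(req, cafile=None):
    """Send the request and return the HTTP status. Keep certificate
    verification on and point cafile at the NSX Manager CA rather than
    disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    synced = vcenter_to_nsx_tags(SAMPLE_VC_TAGS)
    # Constructed: tags currently on the VM in NSX (one stale, one manual).
    current = [{"scope": "vc:env", "tag": "dev"}, {"scope": "manual", "tag": "pci"}]
    print(merge_tags(current, synced))
```

Run it against a schedule (or a vCenter event subscription) rather than once; the merge step is what keeps hand-set NSX tags alive while still removing vCenter tags that were deleted, which matters because DFW groups built on a stale tag keep allowing traffic.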
The native load balancer built into NSX-T does not support HTTP2 as far as I'm aware. NSX ALB does support HTTP2, but only in the enterprise license (https://avinetworks.com/docs/21.1/nsx-license-editions/). The basic license (that's included with most NSX-T data center editions) doesn't provide HTTP2.
Correct - You will need a large MTU path between the two subnets.
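The check that goes with the post above, as an added example that is not part of the post: run on an ESXi transport node to confirm that the Geneve path between the two TEP subnets carries full-size frames without fragmentation. NSX-T TEP vmkernel ports live in the vxlan netstack, and 1600 is the minimum MTU NSX-T requires for Geneve, so pass the TEP MTU you actually configured (often 1700 or 9000). The interface name vmk10, the remote TEP address and the VMKPING dry-run variable are illustrative.

```shell
# Added example (not from the post). Run in the ESXi shell of a transport node.
# Set VMKPING=echo to print the command instead of running it.
vmkping_cmd() { ${VMKPING:-vmkping} "$@"; }

# ICMP payload size that makes the on-wire IPv4 packet exactly $1 bytes:
# 20 bytes IP header + 8 bytes ICMP header = 28 bytes of overhead.
icmp_payload_for_mtu() { echo $(( $1 - 28 )); }

# tep_mtu_check <local TEP vmk> <remote TEP IP> [mtu]
# -d sets the DF bit, so a path with a smaller MTU anywhere in between
# fails the ping instead of silently fragmenting; ++netstack=vxlan
# sources the probe from the TEP stack the overlay actually uses.
tep_mtu_check() {
  vmk=$1; remote=$2; mtu=${3:-1600}
  size=$(icmp_payload_for_mtu "$mtu")
  vmkping_cmd ++netstack=vxlan -I "$vmk" -d -s "$size" -c 3 "$remote"
}
```

If the 1600-byte probe fails but a plain `vmkping ++netstack=vxlan -I vmk10 <remote>` succeeds, the TEPs can reach each other and the problem is an MTU below 1600 somewhere on the path between the subnets; repeat with the other site's TEP vmk and address to check the return direction.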
Are you using VLAN 90 for both host and edge TEPs? If so, move the edges to a separate VLAN. It's supposed to work in 3.2 (and did in 3.1), but there seems to be a bug in 3.2.0 that causes tunnels to not come up when hosts and edges are in the same VLAN.
Is there any guidance on when to use medium vs large VMs for NSX-T global managers? The install instructions (https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-E6C5AA1E-2C3C-42D1-B386-6C99B92E5B21.html) simply say use medium or large without providing any guidance between them. The requirements page (https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/installation/GUID-AECA2EE0-90FC-48C4-8EDB-66517ACFE415.html) talks about using medium managers for <64 hosts and large for >=64 hosts, but I'm fairly certain that's referring to local managers not global managers given the global managers don't talk to the hosts directly. The config max guide (https://configmax.esp.vmware.com/guest?vmwareproduct=NSX-T%20Data%20Center&release=NSX-T%20Data%20Center%203.2.0&categories=74-65,74-86,74-87,74-88,74-89,74-90,74-91,74-92,74-113) appears to be silent on sizing in the federation section.
The three local managers at a site will form a cluster. You apply the license once to the cluster and all 3 cluster members end up with it. You would repeat that process for the cluster at each site. You don't need to separately license the global managers. They'll read license information from the local managers when you add them.