7th July 2020 – This blog explains how to set up and configure NSX Cloud Services Manager (CSM) to manage workloads and seamlessly apply policies across an on-prem DC and a native AWS VPC.

The NSX Management/Control Plane (NSX Manager Appliance) and Cloud Services Manager components have been pre-deployed in the on-premises data center. NSX Cloud Services Manager manages the complete lifecycle of deployed NSX components in AWS and provides a unified view between NSX Manager and the public cloud inventory. In addition, we have deployed the 3-tier WebApp application and also secured it using the distributed firewall rules as part of the micro-segmentation.
In the Transit VPC in AWS, the following components have been pre-configured:
- Uplink subnet (used by the NSX Cloud Gateway for N-S internet traffic)
- Management subnet (used by the NSX Cloud Gateway for management traffic between the on-prem DC and the PCG)
- Downlink subnet (used by the NSX Cloud Gateway, and where our application web tier and Windows instance reside)
- Internet Gateway
- AWS Route table
- Security Groups
The compute VPC has a similar configuration, but we are not deploying a gateway there, so only the downlink subnet is used to connect our workloads.
We first make the Transit VPC NSX Managed in NSX Enforced mode – meaning we deploy a Public Cloud Gateway (PCG) and install the NSX Tools/tag on the workloads in order to manage them.
Next we leverage NSX IPsec VPN to connect our AWS VPC with the on-prem DC, and implement micro-segmentation on the hybrid WebApp and the AWS service endpoint using NSX policies.
Then we link the compute VPC to the transit VPC so that the compute VPC workloads can be NSX managed via the PCG deployed in the Transit VPC.
We use Native Cloud Enforced mode on this compute VPC – meaning no NSX Tools/tags on the workloads – to showcase how NSX policies are translated into native public cloud security policies, so you can secure and manage your native AWS workloads with NSX.
As part of bringup/configuration, we first need to register CSM with on-prem NSX manager.

Next, enable your CSM to access your AWS account:
Your AWS account contains VPCs that you want to bring under NSX-T Data Center management.
This is a two-step process:
- Generate Required Roles – Use the NSX Cloud script, which requires the AWS CLI, to:
  - Create an IAM profile.
  - Create a role for PCG.
- Add the AWS account in CSM.
For NSX Cloud to operate in your AWS account, you need to generate an IAM profile and a role for PCG.
This is achieved by running the NSX Cloud shell script using the AWS CLI that creates the following constructs:
- an IAM profile for NSX Cloud.
- a role for PCG to enable it to work on your public cloud inventory.
Download the shell script named nsx_csm_iam_script.sh from the NSX-T Data Center Download page > Drivers & Tools > VMware NSX Cloud Scripts > VMware NSX Cloud Scripts for Adding Public Cloud Accounts for NSX 2.5.1.


When the script runs successfully, the IAM profile (NSX_Cloud_IAM_user) and the role for PCG (nsx_pcg_service) are created in your AWS account. The values are saved in an output file named aws_details.txt in the directory where you ran the script.
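As an added post-run check (not part of the original post or of VMware's script), the following Python audits the trust policy of the nsx_pcg_service role so that only the EC2 service principal can assume it. The sample trust documents are constructed; the real one is obtained with `aws iam get-role --role-name nsx_pcg_service`.

```python
"""Audit the trust policy of the PCG role created by nsx_csm_iam_script.sh (added example)."""
import json
from typing import List

# Names the page reports in aws_details.txt after the script runs.
PCG_ROLE_NAME = "nsx_pcg_service"
NSX_IAM_USER = "NSX_Cloud_IAM_user"

# The PCG runs as an EC2 instance, so only the EC2 service principal should assume its role.
ALLOWED_SERVICE_PRINCIPALS = {"ec2.amazonaws.com"}


def _as_list(value) -> list:
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_doc: dict) -> List[str]:
    """Return findings for an AssumeRolePolicyDocument; an empty list means it is EC2-only."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):  # a single statement may be a bare object
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal may assume the PCG role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"unrecognised principal form: {principal!r}")
            continue
        for svc in _as_list(principal.get("Service")):
            if svc not in ALLOWED_SERVICE_PRINCIPALS:
                findings.append(f"unexpected service principal: {svc}")
        for arn in _as_list(principal.get("AWS")) + _as_list(principal.get("Federated")):
            findings.append(f"non-EC2 principal {arn} trusted; PCG role should be EC2-only")
    return findings


def audit_get_role_output(text: str) -> List[str]:
    """Audit the JSON printed by `aws iam get-role` (Role.AssumeRolePolicyDocument)."""
    return audit_trust_policy(json.loads(text)["Role"]["AssumeRolePolicyDocument"])


# Constructed sample trust documents (not captured from a real account).
EC2_ONLY_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
DRIFTED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}]}
```

Run it against the live role by piping the `aws iam get-role` output into `audit_get_role_output`; an empty finding list means the role trusts EC2 only.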

CSM will synchronize with AWS Management Console (using APIs) and summarize your AWS inventory once the sync is complete.
At this point, the CSM has gained visibility into your AWS account, associated VPCs and instances. In the next blog, we will deploy instances and cloud native service endpoints in this VPC.
