Section 1 – Prepare VMware NSX Infrastructure
Objective 1.1 – Deploy VMware NSX Infrastructure components
- Deploy the NSX Manager Virtual Appliance
- Integrate the NSX Manager with vCenter Server
- Configure Single Sign On
- Specify a Syslog Server
- Implement and Configure NSX Controllers
- Exclude virtual machines from firewall protection according to a deployment plan
The NSX Manager Virtual Appliance is deployed from an OVA file downloaded from VMware. If you are able to download the appliance and deploy it in your own lab, or in a dedicated test area of your organization’s infrastructure, that is the best way to get hands-on experience completing this task. However, VMware Hands-On-Labs also provide a way to do this if you don’t have enough free resources or can’t deploy it on your own infrastructure.
One thing to note is that this lab is an interactive simulation, so you can’t go wrong: you can only proceed by following the steps provided by VMware. It is still a useful tool. The lab also covers integrating the NSX Manager with vCenter Server (✔️), configuring SSO and syslog (✔️), and the deployment of NSX Controllers (✔️).
The last bullet point in this objective is excluding VMs from the distributed firewall (DFW). Depending on the environment and topology, management components integral to running NSX, such as vCenter Server, should be excluded from the distributed firewall. (NSX Manager and NSX Controllers are automatically excluded from DFW policy enforcement.)
I found that instructions from VMware were either incomplete or didn’t provide enough information to follow. So if you want to exclude a VM from the DFW (note: this works at the VM level, and all vNICs will be excluded), these are the steps to go about doing it.
- When connected to the Networking and Security menu, select NSX Managers from the bottom of the left menu
- Next, select the NSX Manager where you want to apply the exclusion (in my environment 10.50.0.12 is the primary NSX Manager in a Cross-vCenter deployment, so I have selected this NSX Manager)
- Then select the Manage tab in the right pane
- Under the Manage tab, select the Exclusion List tab
- From there, selecting the plus icon will allow you to add VMs to the exclusion list
- Now select the VM that you want to exclude and use the blue arrow in the center to move it to the right side so that it is excluded (as you can see, it only shows me my two test VMs and not any of the controllers, ESGs, DLR Control VMs or NSX Manager; this is because they are excluded by default)
- Finally, select OK and that’s it: your VM is now excluded from the DFW function
As discussed previously, VMware recommends that you exclude management VMs that reside in an NSX-prepared cluster, such as vCenter, the PSC and any third-party service VMs (for example the Palo Alto Networks Virtual Firewall), so that communication can continue without interruption.
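Every VM on the exclusion list bypasses the DFW on all of its vNICs, so the list is worth checking against the deployment plan. The script below is an added example, not from VMware or part of the original steps: it parses an exclusion list exported as XML and reports any drift from the plan. The XML layout (modeled on what the NSX for vSphere REST call `GET /api/2.1/app/excludelist` returns), the VM names and IDs, and the approved set are all assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an exclusion-list export (assumed layout;
# VM names and object IDs are invented for this example).
SAMPLE_XML = """<VshieldAppConfiguration>
  <excludeListConfiguration>
    <objectId>excludeList-1</objectId>
    <excludeMember><member>
      <objectId>vm-101</objectId><name>vcenter01</name>
      <objectTypeName>VirtualMachine</objectTypeName>
    </member></excludeMember>
    <excludeMember><member>
      <objectId>vm-245</objectId><name>test-vm-02</name>
      <objectTypeName>VirtualMachine</objectTypeName>
    </member></excludeMember>
  </excludeListConfiguration>
</VshieldAppConfiguration>"""

# Hypothetical deployment plan: VMs approved for exclusion from the DFW.
APPROVED = {"vcenter01", "psc01"}


def parse_exclusions(xml_text):
    """Return {vm_name: object_id} for every VM on the exclusion list."""
    members = {}
    for member in ET.fromstring(xml_text).iter("member"):
        if member.findtext("objectTypeName") != "VirtualMachine":
            continue
        name = (member.findtext("name") or "").strip().lower()
        members[name] = (member.findtext("objectId") or "").strip()
    return members


def audit(xml_text, approved):
    """Compare the live exclusion list with the approved plan."""
    live = set(parse_exclusions(xml_text))
    wanted = {name.lower() for name in approved}
    return {
        "unapproved": sorted(live - wanted),  # bypassing the DFW without sign-off
        "missing": sorted(wanted - live),     # planned, but still being filtered
    }


if __name__ == "__main__":
    result = audit(SAMPLE_XML, APPROVED)
    for name in result["unapproved"]:
        print(f"UNAPPROVED exclusion: {name}")
    for name in result["missing"]:
        print(f"Planned exclusion not applied: {name}")
```

Run against a fresh export after each change window; an unapproved entry is a VM with no DFW enforcement that nobody signed off on.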
Links
https://mylearn.vmware.com/mgrReg/plan.cfm?plan=88781&ui=www_cert