NSX integration with vRealize Automation 7.4 - part 1

From time to time I find myself facing a new configuration of vRealize Automation. And since I don't do it very often I also find myself having forgotten some steps. For this reason I will write down my typical integration of NSX with vRA.

The post has two parts:

• part 1 - describes the vRA configuration at infrastructure/tenant level
• part 2 - focuses on creation of the service that consumes NSX

Requirements:

• NSX  ( > 6.3.x) is installed and configured (VXLAN, distributed logical router, edge services gateways)
• vRA 7.4 is deployed, tenant created, user directory integrated (optional) 
• familiarity with vRA 

Goal: 

• all vRA workloads are deployed to on-demand created networks and we do not worry about routing or virtual network creation
• security for workloads is ensured using distributed firewall and security tags (but more on this in another post). 

First thing first, drawing a small diagram (sometimes my creative side kicks in :-)) of the desired state:

To solve L2/L3 requirements, we need the following:

• vRA uses on demand created VXLAN's that use Distributed Logical Router (DLR) as default gateway
• DLR is connected to Edge Services Gateway (ESG) via a transit network
• dynamic routing protocol is running between DLR and ESG
• ESG connects VRA workloads to the rest of the world via the External portgroup (which is a distributed portgroup)
• ESG may also run dynamic routing protocols

(please don't judge the usage of /24 in the diagram, in real life I am subnetting)

As stated earlier, NSX is already configured, DLR and ESG deployed. Let's see how to configure vRA. 

Logon to the tenant as IaaS Administrator. Ideally, you would have IaaS Administrator + Tenant Administrator roles assigned to your account so you don't need to change between roles. We  need to create vSphere endpoint, fabric group, business group, NSX endpoint, reservation. 

Create vSphere (vCenter) Endpoint:

• go to Infrastructure > Endpoints > Endpoints
• New > Virtual > vSphere (vCenter)
• on General tab: give it a name (vcenter1), add the URL of vCenter Server API (https://vcenter1.mydomain.local/sdk, add credentials and Test Connection. 
• If all good, press OK and you have created your endpoint.  

Create NSX Endpoint:

• go to Infrastructure > Endpoints > Endpoints
• New > Network and Security > NSX
• on General tab: type the name of the endpoint, add the  URL to the NSX manager and the credentials
• on Associations tab: map NSX endpoint with the previously created vSphere endpoint (this is a step that appeared in vRA 7.3 due to changes on how NSX is integrated) 

• press Test Connection, and then OK

Create Fabric Group:

• go to Infrastructure > Endpoints > Fabric Group > New
• give it a name, add the Fabric administrators (users, user groups) and select the compute resources available (the list of compute resources is based on the permissions the user has in vCenter Server)

Now the compute resources are available (Infrastructure > Compute Resources > Compute Resources). Check on the compute resource that data collection has run successfully - hover on the compute resource and from the menu choose Data Collection. 

Create Business Group:

• go to Infrastructure > Users & Groups > Business Groups > New
• on General tab: type in the name, add an e-mail for alerts, test
• on Members tab: add the users/user groups for the following roles - Group manager role, Support role, Shared access role,User role and press ok

Starting with vRA 7.3 there is a new role for Business group - Shared access role which can use and run actions on resources deployed by other users in the business group. It is a good addition since I remember a client wanting this back in 2015.  

Create Network Profiles

• go to Infrastructure > Reservations > Network Profiles
• New > External 
• on General tab: for Transit VXLAN: add the name, subnet mask and gateway IP address 
• on DNS tab: add DNS details
• on Network Ranges tab: add the IP range that is usable (do not forget that there are 2 IPs already used by ESG and DLR) 
• New > Routed 
• on General tab: use the external network profile created previously, and add some subnetting details:
• subnet mask (could be /24 - 254 IPs) - the whole range given to vRA for its workloads
• range subnet mask (can be /29 - 6 IPs ) - for each application/group of application deployed
• on Network Ranges tab: press Generate Ranges

At least the following two network profiles will be displayed:

Create Reservation:

• go to Infrastructure > Reservations 
• New >  vSphere (vCenter)
• on General tab: type in the Name of the reservation, tenant name (if multiple tenants exist), business group for which the reservation is created, priority (in case multiple reservations exist for the same business group)
• on Resources tab: select the compute resource, put in a machine quota (if needed), select the size of the memory, select the datastores and the storage quota and select the Resource pool (if one has been defined in vCenter Server)
• on Network tab: select network adapter (transit VXLAN), transport zone, DLR and network profile
• finalize the task by pressing OK

And we are set: we have compute, storage and network resource available for consumption. In the next post we will create a service and see how we consume NSX on demand.