In part one of this blog series we learned about HCX basics and the cloud side deployment, in this blog we will talk in depth about onprem deployment and will explore each and every components in detail. Alright ! so before starting with the deployment of on prem HCX manager lets get the list of ports which will be required by HCX manager and other HCX components to communicate with other resources and internet. Lets review the following port diagram.
As we can see, on-prem HCX Manager requires connectivity to :
1) Onprem vSphere infra like vCenter ( TCP Port 443), PSC ( TCP Port 7444), ESXi (TCP Port 902).
2) Onprem Infrastructure services DNS (TCP/UDP port 53) and optionally to NTP , Syslog and SNMP.
3) Access to internet for activation URL "connect.hcx.vmware.com" and for getting updates URL "hybridity-depot.vmware.com"
both on TCP port 443.
4) Other onprem HCX components like Interconnect appliance (TCP port 8123, 22, 443, 9443) & Network extension appliance (TCP port 9443)
5) Lets talk about the final and important point which is connectivity to VMware Cloud on AWS SDDC.
Onprem HCX Manager can connect to the VMware Cloud on AWS SDDC in two ways
- Via Internet (An internet connectivity between the appliances) - with this method the Site Pairing, IX IPsec tunnel and L2C IPSEC tunnel all get
established VIA Internet, we will require the onprem components to have internet connectivity and on the cloud side HCX Manager, IX Appliance
and L2C appliance will use public IP addresses.
- Via Direct connect connection (Private VIF): If you have an AWS direct connect connectivity from your onprem to VMware cloud on AWS
SDDC, the onprem routes and the SDDC routes will be exchanged between on prem router and AWS router over BGP, this will allow us a seamless
& fast connectivity between the two environments, with direct connect we can establish site paring (Port 443), IX IPsec tunnel (UDP 500 and
4500) and an L2C IPsec tunnel (UDP 500 and 4500) over private IPs, no public IP is required.
After taking care of the ports and deciding on the kind of connectivity we want between the 2 environments, Let's proceed with the HCX Manager on-prem Deployment.
I have already described in part 1, how to download the ovf for onprem HCX manager, after the download the deployment is very straight forward, during the deployment in the network section we just need to make sure we are selecting a network which has connectivity as per the first network port diagram we discussed (To all the onprem components as well as to https://connect.hcx.vmware.com for Activation, access to the cloud hcx manager public IP FQDN or If DX is used access to DX network).
After the deployment its time for the activation and registration process, we can open the HCX manager page by providing its FQDN or IP on port 9443, using admin as user and the password we supplied during the OVA deployment. which will directly give us the page for the registration where we will find the url mentioned for activation as "https://connect.hcx.vmware.com" and its asking for the activation key, paste the activation key (get the Activation key from cloud side Add on > open HCX page.
click on Activate.
Next we will be prompted to select the city and location of the on-prem HCX manager. select and click yes and continue and the activation will get completed.
And you are given an option to configure the appliance right now or later. lets click Continue.
Next screen is the registration with on-prem vCenter (vCenter fqdn, admin username and password, port 443))
Note: if NSX registration is required (For extending the vxlan network details ) select connect your nsx and enter the username and password for
Enter the SSO username and password and Click Continue (Port 7444 to the PSC)
To get everything correct and in working condition click on Restart HCX service (it takes 5 minutes to reinitialize the hcx)
We may have to keep refreshing the page and once everything is up and running, we will see the dashboard with all the updated information.
Once everything is up and running like in the above screen shot, we can start adding some users to manage the HCX components, we can do this by clicking on configuration and selecting "vSphere Role Mapping" option. through the configuration page, we can verify and change other registrations like vCenter or NSX as well.
Next we can verify the HCX plugin and its functionality by logging in to the on-prem vSphere web Client. if you are already logged in log off and log back in. it may take some time to install the plugin (There are almost 9 Plugins ). you might get a notification at the top about which plugin got installed and we should refresh the page.
And after final refresh we will be able to see the HCX Plugin.
The HCX Manager onprem Deployment is now completed, We will now start working on getting the 2 sites connected in the next post.