Understanding VMware HCX deployment for VMware cloud on AWS Part -3 (Site Pair and Service mesh)
In Part 2 we discussed about the onprem HCX manager deployment and configuration, in this post we will take few steps further and will setup the connectivity between the 2 environments (Onprem and Cloud side). We will start with the site pairing.
HCX Site pairing is done between two HCX Manager deployments in our case its onprem and VMware cloud on AWS side of HCX manager. You can also have one to many relationship in which we can connect multiple Onprem HCX Managers (for example you have 2 datacenters and you want to connect both of them to cloud) to one VMware cloud on AWS HCX Manager.
Site pairing requires a connectivity between the onprem HCX Manager and Cloud HCX Manager on port 443. and as discussed in part 2 we can reach the cloud side HCX manager in 2 ways, either on public IP or if there is a direct connect in picture then using the private IP.
Note: To get the hcx cloud url click on open hcx in SDDC's add on section and copy the url . By default the cloud side hcx manager fqdn will resolve to public IP, however if we want it to go via private IP we will have to either create a DNS entry or we will have to edit the host file on the hcx manager appliance by doing an ssh to it.
For establishing a site pair go to the onprem vCenter html client and open hcx plug in. on the dashboard select New site pair. and cloudadmin user name and password and click register.
Once registered click cancel (Do not proceed with any component installation), you are now back on the dashboard, refresh the page and now you will be able to see the site pairing as up.
Note: We can also do the site pair from the site pair tab of the Interconnect > Multi-site Service Mesh
Tips: If site pairing is not up please check the connectivity on port 443
Now its time to understand and deploy the Service mesh.
The Multi-Site Service mesh is used to create a secure optimized transport fabric between any two sites managed by HCX. Also when HCX Migration, Disaster recovery, Network Extension, WAN Optimization services are enabled, HCX deploys Virtual Appliances in the source site and corresponding "peer" virtual appliances on the destination site. The Multi-Site Service Mesh enables the configuration, deployment, and serviceability of these Interconnect virtual appliance pairs with ease.
Before we deploy the service mesh and setup the hcx tunnels we first need to understand and create few profiles
1) Compute Profile : This profile will be used by service mesh to deploy the HCX appliances, we will supply details
like cluster, resources pool, Datastore in compute profile so that service mesh can use it for the
deployment of HCX appliances.
2) Networking Profile : In Network profile we are going to supply networking related information like port group,
vxlan IP-Address pool for appliances deployed with service mesh.
**We can create multiple compute and networking profile, a good used case would be if we want to keep vMotion, Management and uplink on different networks.
Before deploying the Compute profile we will have to create network profiles (because we are going to use these network profiles in compute profile)
To create a Network Profile we need to go to the HCX plugin in vCenter or open HCX manager page with fqdn and login to it with vCenter admin credentials.
Click on the interconnect option at the left and select Network profile under Multi-site service Mesh
On the create network profile page select the appropriate network and create an IP - pool for that network (Usually we need Management, vMotion and uplink profile, We can also use one profile for all these)
Management - will be used to communicate with management components (Esxi, vCenter etc)
vMotion - Make sure this network and ip pool is in the same range as your Esxi vMotion network
vSphere Replication - This profile will be used for replication purpose with Bulk Migration, RAV or HCX site recovery.
Uplink - This profile will be used for establishing the HCX tunnel (Over internet or Direct connect) between on-prem and SDDC.
After filling all the details click create.
In my lab I am using 1 network for everything however if you have different networks for Management, vMotion and uplink please create three network profiles.
Alright so lets start with the creation of Compute profile
On the same page where we created the network profile click compute profile and then select Create compute profile
1) Type a name for compute profile and click continue
2) Select the HCX services you want to use
3) Click continue and on the next page select the resource (Datacenter or specific cluster) where you want service mesh to deploy the appliance VMs.
4) Clicking continue will enable another option of selecting the data-store where we should deploy the HCX appliances.
5) Now We get an option to select a network profile for Management Network which will be used by the appliances to communicate with
management components like Esxi or vCenter.
Once you select the network you will see another option getting activated i.e. "Advanced Configurations" we will use this option if in case we want to define certain static routs for the appliances (This is optional).
6) After Management Network once you click on continue you will be presented with an option to select uplink profile which will be used for the
communication to the cloud side components in my lab I am using management for everything.
7) clicking continue will present you with vMotion network profile . with this network the HCX appliance is going to communicate with Esxi hosts over vMotion network. this network will only be used in case you are performing vMotion not Bulk Migration.
8) Finally we will select the Replication Network profile which will be used for Replication purpose.
10) after clicking continue it will ask us to select the network switch for network extensions which we will use in-case we want to extend any on
prem network to VMC cloud (L2 Extensions).
Clicking Continue will generate the a connection rules (LAN and WAN) which will help us to identify what Firewall rules need to be open, We can give this list to the networking team to review and open the required ports.
(The best part of this entire setup is that we have a pictorial representation of the connectivity and we can verify and correct if we see any issues in that representation. )
Finally we click on finish to complete the compute profile. On the finish page we can review entire connectivity in the diagram.
Alright so We have Network Profile and compute profile created, we have already reviewed the connectivity and we also have the list of subnets and required ports.
Finally we will create the service mesh
Checklist before creating Service mesh :
1) Compute Profile is created.
2) Firewall rules are opened.
3) We have sufficient resources available in vSphere.
4) Site Pairing is up and running.
Lets Start with service Mesh deployment now
Click on Service Mesh and select Create Service Mesh, Lets begin with the Wizard
1) Select the correct source and destination site pairing (You can do multiple site pairing and thats what it is important to
select the correct ones here based on this selection appliances are going to be deployed at onprem and cloud side to
create an IPsec tunnel).
2) Click continue and now select the compute profile we created earlier , and default compute profile at cloud side.
3) Next screen will give you option to deselect services which you defined in compute profile if in
case you do not want to use any service or you want to create different service mesh for different
4) Next screen will give you an option to select uplink profiles for setting up the tunnel, the tunnel can be established using either Direct connect
connection or Internet connection based on your connection preference you can use the network profile onprem and cloud side. Make sure the profile you are selecting has available Free IPs if not we can
always add IPs to network profiles.
5) Clicking continue will present you with the option to network extension appliance setup, on this page you can select the number of Network
extension appliance (one appliance can extend upto 7 on prem networks to cloud), by default it will deploy one appliance however to increase the
number of appliances click CONFIGURE THE NETWORK EXTENSION APPLIANCE SCALE
6) Further pages are bandwidth limit for uplink (Configure the maximum aggregate uplink bandwidth that will be consumed for migrations across all the uplinks), followed by topology review and final page will give you option for giving a name to your service Mesh.
Enter a name for your service mesh and click Finish. You can monitor the service Mesh deployment in Tasks tab. You can also monitor vCenter Tasks and events (Onprem and cloud side) which will show you multiple OVF deployments and VM re-configs.
Once service Mesh is deployed and if all the config is correct in 2-5 Minutes you should see Tunnel status as Up in the appliance section of the Service Mesh.
And now we are ready to Migrate VMs using IX and extend Network using NE..
Go back to