This post is the first of two posts on deploying NSX Edge Routers. This will look at the deployment and configuration, whilst an upcoming post will deal with implementing routing protocols in order to share routes with NSX distributed logical routers and with physical routers.
There are two router types with NSX:
- The NSX Edge Services Router (ESR)
- The NSX Distributed Logical Router (DLR)
Although you could route between NSX logical networks, and physical networks using a logical router, the recommended way is to use an Edge Services router. The ESR has a number of features such as Firewall, DHCP Services, NAT, load balancing and VPN services.
Deploying an Edge Services Gateway
The edge gateway is deployed in the same way as a distributed router instance. In the NSX Edges pane in the vSphere Web Client, click the green ‘+’ symbol to begin the deployment:
On the first screen of the deployment wizard, select ‘Edge Services Gateway’, then populate the other fields as required. On the next screen set the login credentials for the appliance. Optionally Enable SSH and HA. I won’t be enabling HA as this is a lab environment. Finally, enable auto rule generation, which will create necessary rules automatically when edge services such as VPN and load balancing are enabled:
On the next screen, choose the deployment type. There are a number of options for the appliance size. I have chosen ‘Compact’ in my lab environment. After specifying the appliance size, choose the cluster/resource pool where the router will be deployed to:
On the next screen, set up the edge router’s interfaces. Begin by clicking the green ‘+’ to add a new interface:
Here we need to assign a name to the interface on the edge gateway, select ‘Uplink’ as the interface type and connect it to the dvportgroup which will give the gateway access to the external network. The portgroup should provide connectivity to a network where a physical router has an interface. For example, I have a physical router with an interface on VLAN 200. I created a portgroup for VLAN 200 and connected the NSX Edge to that port group, providing connectivity between the NSX Edge gateway and my physical router.
Once complete you should see your interface listed:
On the next screen, configure the default gateway to be used as the edge router’s next hop:
On the next screen you can, optionally, select to configure the Firewall default policy:
The final screen will give the opportunity to review your settings, before clicking finish to begin the deployment:
Once the task has finished you should see the NSX Edge instance successfully deployed:
Now we have deployed the Edge router we need to provide the means to connect it to the logical distributed router. The logical distributed router will use the NSX edge as it’s ‘next hop’ to get traffic out onto the physical network.
Connecting NSX Logical Distributed Routers and Edge Routers
So, in the section above we deployed an edge router, with an interface connected to a standard port group on a dvSwitch. The next step is to connect the edge router with a distributed router, so that traffic originating from logical switches defined within NSX is able to get out onto the physical network via the edge router. To put this in context, I will be connecting the edge gateway deployed in the section above, with the distributed router I deployed here. In order to do so we need to start by creating a new logical switch that will act as a transit network between the distributed router and the edge router. The steps for creating a new logical switch are covered here.
The next step is to connect the edge router to the new logical switch. To do so, navigate to ‘NSX Edges’ then double click on the edge router created in the first section of this post:
Once there, click on the ‘Interfaces’ option in the menu, then select an unused interface and click the edit button:
Select ‘Internal’ as the type, and connect it to the ‘transit’ logical switch. After that, assign an IP address to the interface. Here I have used 192.168.180.1/24, though you can use a much smaller subnet if required.
Next, we need to connect the distributed router to the same logical switch. Do to so, in the ‘NSX Edges’ pane, double click the logical router, then browse to the interfaces screen, before clicking the green ‘+’ to add a new interface to the router:
Once complete we should have a distributed router and edge router connected via a ‘transit’ logical switch. At this point though we are still missing something, the virtual machines will not be able to find a route out onto the physical network. Stay tuned for my next post, where this issue will be addressed…