Jun 13 2019

Micro-Segmentation and Security Design Planning with vRealize Network Insight, vRNI

This blogpost has been prepared to describe the Micro-Segmentation and security conceptual design planning utilizing VMware vRealize Network Insight, vRNI. It can act as a support for anyone that wishes to know how to think and implement doing microsegmentation in a VMware based environment either with NSX-V or NSX-T. Some of my text that is written out in this post is borrowed and referenced from an official document by VMware: Data Center Security and
Networking Assessment

My design is based upon the findings, utilizing the network assessment tool performed by VMware vRealize Network Insight.

Details:

You can deploy a Micro-Segmentation security architecture, bearing in mind to:

  • Deploy firewalls to protect the traffic flowing East­West (e.g., from server to server). The vast majority of the network traffic in a VMware based SDDC is East­West based. Unprotected East­West traffic seriously compromises data center security by allowing threats to easily spread throughout the data center.
  • Implement a solution that can filter all traffic within the virtualized part of the data center, as well as firewall the traffic between systems on the same Layer 2 segment (VLAN). My analysis showed a vast majority of traffic is VM­ to­ VM, and a significant amount is between systems on the same VLAN.

About VMware NSX and vRealize Network Insight

Because of its unique position inside the hypervisor layer, VMware NSX is able to have deep visibility into traffic patterns on the network – even when this traffic flows entirely in the virtualized part of the data center. Combining this intelligence with advanced analytics, vRNI Visibility and Operations Platform provides insight for IT managers, enabling them to make better decisions on what and how to protect critical assets.

Security in the Data Center Today

The standard approach to securing data centers has emphasized strong perimeter protection to keep threats on the outside of the network. However, this model is ineffective for handling new types of threats – including advanced persistent threats and coordinated attacks. What’s needed is a better model for data center security: one that assumes threats can be anywhere and probably are everywhere, then acts accordingly. Micro­ Segmentation, powered by VMware NSX, not only adopts such an approach, but also delivers the operational agility of network virtualization that is foundational to a modern software defined data center.

Threats to Today’s Data Centers

Cyber threats today are coordinated attacks that often include months of reconnaissance, vulnerability exploits, and “sleeper” malware agents that can lie dormant until activated by remote control. Despite increasing types of protection at the edge of data center networks – including advanced firewalls, intrusion prevention systems, and network based malware detection – attacks are succeeding in penetrating the perimeter, and breaches continue to occur.

The primary issue is that once an attack successfully gets past the data center perimeter, there are few lateral controls to prevent threats from traversing inside the network. The best way to solve this is to adopt a stricter, micro granular security model with the ability to tie security to individual workloads and the agility to provision policies automatically.

The Solution: VMware NSX & Micro­Segmentation

VMware NSX is a network virtualization platform that for the first time makes micro­segmentation economically and operationally feasible. NSX provides the networking and security foundation for the software defined data center (SDDC), enabling the three key functions of micro­segmentation: isolation, segmentation, and segmentation with advanced services. Businesses gain key benefits with micro­segmentation:

  • Network security inside the data center: flexible security policies aligned to virtual network, VM, OS type, dynamic security tag, and more, for granularity of security down to the virtual NIC
  • Automated deployment for data center agility: security policies are applied when a VM spins up, are moved when a VM is migrated, and are removed when a VM is de-provisioned – no more stale firewall rules.
  • Integration with leading networking and security infrastructure: NSX is the platform enabling an ecosystem of partners to integrate – adapting to constantly changing conditions in the data center to provide enhanced security. Best of all, NSX runs on existing data center networking infrastructure.

So I started out by drawing up a conceptual design of the test environment.

Conceptual Layout of Test Environment

The conceptual layout included some sample Applications and Server communication in the Test environment and the systems that were added in is to show just how multifaceted an environment can be.

Figure 1. Conceptual Layout of Environment

  • We have the System1 system that need access to the Database server, DB.
  • We have the System2 system that need access to the Shared Infrastructure Services.
  • We have a Jumphost that connect to the the System1 server and the System2 server.
  • We are going to connect All the systems to the organizations Shared Infrastructure Services; Active Directory, DNS, NTP, SCCM, SCOM, MDM and RDGW.

Security Framework

Provide a Zero Trust security model using Micro-segmentation around organization’s data center applications.  Facilitate only the necessary communications both to the applications and between the components of the applications.

The security framework is described below:

  • The blacklist rules at the top will block communication from certain IP addresses from accessing the SDDC environment.
  • Allow bi-directional communication between the Shared Infrastructure Services and all applications that require access to those services
  • Deny traffic from one environment (TEST) from communicating to another environment (PROD).
  • Allow SYSTEM1 Application to communicate with DB Server running on the default ports.
  • Allow DB Server to communicate with SYSTEM1 Application Server
  • Allow All Clients to communicate with SYSTEM1 and SYSTEM2 Servers
  • Block any unknown communications except the actual application traffic to and from the SYSTEM1 application.
  • Block any unknown communications except the actual application traffic and restrict access to the SYSTEM2 application.
  • Allow the rest of the traffic until Microsegmentation has been performed in the whole environment, then change to Deny the rest of the traffic.

The goal of the security framework is to deny traffic based on certain criteria, explicitly permit what is required and allow by default until Micro-segmentation has been performed throughout the whole environment. The firewall rules to deny traffic from environment to environment, organization to organization is required. For example, if deny Application to Application rule is missing, an app server from SYSTEM1 can communicate with an application server from SYSTEM2 by hitting the allow all traffic to SYSTEM2 servers rule.

There are different permutation and multiple scenarios to handle so there are many potential firewall rules to be allowed that are not known now. Applications can also be running on non-standard ports. In that case, you can manually open up the firewall rules and deny those that are necessary.

Overall Security Design Decisions

In order to be modular and scalable when creating firewall rules, security groups will be based on NSX security tags on the VMs inside the SDDC and IP Sets will be created for items outside the datacenter. Firewall rules will then be applied using these security groups. For each VM, it can be tagged with at least 3 security tags, with 1 of them in each category.

The security tags are classified into 3 categories and each category has a prefix to identify it:

The names illustrated below are a small subset of the actual names to exemplify the NSX security design.

  • Environment Management
    • ST-TEST
    • ST-PROD
  • Organization
    • FG-A
    • FG-B
    • FG-C
  • Tier
    • ST-PROD-INFRA-AD
    • ST-PROD-INFRA-SCOM
    • ST-PROD-INFRA-MDM
    • ST-PROD-INFRA-SCCM
    • ST-PROD-INFRA-FS
    • ST-PROD-INFRA-NTP
    • ST-PROD-INFRA-RDGW
    • ST-TEST-APP-SYSTEM1
    • ST-TEST-DB

For the tier category, a VM can belong to multiple tiers. For example, a VM can be tagged with all 3 security tags in the tier category.

For example, a VM can have the following tags:

  • ST-TEST
  • FG-A
  • ST-TEST-APP-SYSTEM1

This VM can immediately be identified as a TEST VM belonging to the FG-A Organization and the SYSTEM1 application. Using such classification, you could create your security groups accordingly.

To create microsegmentation for systems outside the datacenters.  Creation of IP Sets can be used.  IP Sets may contain any combination of individual IP addresses, IP ranges and/or subnets to be used as sources and destinations for firewall rules or as members of Security groups.

Below lists down some of the security groups:

  • SG-PROD – Include VMs with a tag that contain ST-PROD
  • SG-TEST – Include VMs with a tag that contain ST-TEST
  • SG-FG-A – Include VMs with a tag that contain ST-FG-A
  • DG-FG-B – Include VMs with a tag that contain ST-FG-B
  • SG-PROD-INFRA-ALL – Include all Infra VMs that are AD/DNS servers
  • SG-PROD-INFRA-AD – include IP Set of VMs that are AD/DNS servers
  • SG-PROD-INFRA-NTP – include IP Set of NTP servers or VMs hosting NTP service
  • SG-PROD-INFRA-SCOM – include IP Set of SCOM servers or VMs hosting SCOM services
  • SG-PROD-INFRA-SCCM – include IP Set of SCCM servers or VMs hosting SCCM services
  • SG-PROD-INFRA-MDM – include IP Set of SNOW servers or VMs hosting SNOW services
  • SG-PROD-INFRA-RDGW – include IP Set of RDGW servers or VMs hosting RDGW service
  • SG-PROD-INFRA-FS – include IP Set of FS servers or VMs hosting FS services
  • SG-TEST-APP-SYSTEM1 – Include VMs that belongs to the application ANTURA
  • SG-TEST-DB – Include the DB VMs that belongs
  • SG-KLIENT-ALL – Include the IP Sets for all external clients
  • SG-WindowsServers – Include VMs whose OS starts with Microsoft Windows Server
  • SG-LinuxServers – Include VMs whose OS contains CentOS, Red Hat etc

A service is a protocol-port combination, and a service group is a group of services or other service groups. Below lists down some of the NSX Service groups and Services that can be created and used in combination with Security Groups when creating Firewall Rules in NSX:

SERVICE GROUP NAME SERVICE GROUP CONTAINS
SVG-INFRA-AD SV-INFRA-FS, SV-INFRA-NTP, SV-INFRA-DNS
SVG-WEBPORTS http/https 80/443
SV-INFRA-FS 445
SV-INFRA-NTP 123
SV-INFRA-DNS 53
SV-SQL-1433 tcp/udp 1433

SYSTEM1 Analysis and Rule Building

Requirements for SYSTEM1

  • Allow SYSTEM1 Application to communicate with DB Server running on the default ports.
  • Allow DB Server to communicate with SYSTEM1 Application Server.
    Allow Clients to communicate with SYSTEM1 Servers.
    Block any unknown communications except the actual application traffic to and from the SYSTEM1 application.

To start building firewall rules utilization of vRNI is needed. To ‘Plan Security’ for the VM’s utilize vRNI to start by examining the flows of the SYSTEM1 VM to/from other VMs.

Analysis of flows is done by selecting scope and segment them accordingly based on entities such as VLAN/VXLAN, Security Groups, Application, Tier, Folder, Subnet, Cluster, virtual machine (VM), Port, Security Tag, Security Group, and IPSet. The micro-segmentation dashboard provides the analysis details with the topology diagram. This dashboard consists of the following sections:

  • Micro-Segments: This widget provides the diagram for topology planning. You can select the type of group and flows. Based on your inputs, you can view the corresponding topology planning diagram.
  • Traffic Distribution: This widget provides the details of the traffic distribution in bytes.
  • Top Ports by Bytes: This widget lists the top 100 ports that record the highest traffic. The metrics for the flow count and the flow volume are provided. You can view the flows for a particular port by clicking the count of flows corresponding to that port.

vRNI displays all flows that are inbound, outbound and bi-directional going to the SYSTEM1 server.

By selecting the SYSTEM1 wedge in the circle it is possible to go in deeper and see the actual flows between the application and other servers and services.

Detailed in this section are the services the SYSTEM1 VM are using, the number of external services that are accessed (49), the number of flows that goes to/from (60) and also the recommended Firewall Rules (14) that can be created to micro-segment the server. vRNI is recommending 14 rules to accommodate micro-segmentation for the SYSTEM1 application. 

Option exist to export all the recommended rules as CSV for further processing manually or by automation if needed.

The exported table is listed below for the SYSTEM1 recommended firewall rules.

SourceDestinationServicesProtocolsActionRelated FlowsType
SYSTEM1Others_Internet53 [dns] 137 [netbios-ns] 138 [netbios-dgm] 389 [ldap] 5355UDPALLOW9Virtual
Others_InternetSYSTEM180 [http] 443 [https]TCPALLOW4Virtual
Others_InternetSYSTEM1443 [https]TCPALLOW1Virtual
Others_InternetSYSTEM1123 [ntp]UDPALLOW2Virtual
SYSTEM1Others_Internet80 [http] 88 [kerberos] 135 [epmap] 389 [ldap] 443 [https] 445 [microsoft-ds] 1433 [ms-sql-server] 3268 [msft-gc] 5723 8530 10000-19999 40000-49999 49155 49158TCPALLOW34Virtual
SYSTEM1Others_Internet80 [http]TCPALLOW1Virtual

By continuing the procedure detailed for remaining servers, applications, shared infrastructure services and environments with vRNI, going through each application traffic-flows, exporting the recommended firewall rules, micro-segmentation can be implemented with NSX.

A sample build of firewall rules was conceptually created based on what was gathered during the collection and processing of the data

Firewall Rules The table below shows the firewall rules based on the security framework described based on the requirements above:

Next Steps

When the structure is in order, it is possible to start building the Security Groups, Security, Tags, Services, and Service Groups in NSX once that has been implemented. The next step when creating rules and all needed objects to accomplish micro-segmentation it is important to go through and check the communications with the servers and applications and verify they’re all still working correctly per the requirements given.

I would also like to show a table from VMware regarding the Segmentation Strategies. Make sure to start Small and work your way through your environments and systems.

Start with doing MacroSegmentation. Meaning start finding out what Environments can/cannot communicate with other Environments.

When that is completed Setup the MesoSegmentation; Meaning go through what Applications within your Environments can/cannot communicate with other Applications inside the same or outside the Environment.

And Lastly do the MicroSegmentation; Meaning go through what Systems inside the Application can/cannot communicate with other Systems inside the Applications and inside the Environments. Inception thinking is needed 🙂

Also a good idea when drawing out the different Environments, Applications and Systems withing each Application is to Build a Segmentation Flow Chart. With it you will get a picture drawn up on how things are connected and interacted with each other and also makes it much easier to establish what can/cannot communicate with each other.

A micro­segmentation approach powered by VMware NSX can address the inadequacy of East­West security controls that affect most data centers. The vRNI Visibility and Operations software helps to jumpstart the journey to micro­ segmentation by providing actionable insights into how workloads in a data center communicate and plan the segmentation accordingly.

Thanks for this time! /Jimmy

Mar 07 2019

vExpert 2019!

Happy to update that I’m now a 2nd Time vExpert 2019

I also would like to congratulate all the other returning vExpert NSX members and welcome to all new members joining for the 1st time!

Link to the Announcements!

https://blogs.vmware.com/vexpert/2019/03/07/vexpert-2019-award-announcement/

Dec 16 2018

VMware NSX Data Center for vSphere 6.4.4 Released

So the latest patch update for NSX Datacenter for vSphere has been release as of 14 dec 2018.

The latest release finally include even more support in the HTML UI in vSphere.

NSX User Interface

  • VMware NSX – Functionality Updates for vSphere Client (HTML): The following VMware NSX features are now available through the vSphere Client: Logical Switches, Edge Appliance Management, Edge Services (DHCP, NAT), Edge Certificates, Edge Grouping Objects. For a list of supported functionality, please see VMware NSX for vSphere UI Plug-in Functionality in vSphere Client.

Networking and Edge Services

  • Static Routes per Edge Service Gateway:increases from 2048 to 10,240 static routes for Quad Large and X-Large Edge Service Gateways.

Also some other issues has been resolved with the latest fix. Please stop by the Release notes page to read about these: Release Notes 6.4.4

This means that we can manage more of NSX features from vSphere. Still there is no functionality to access the Edges firewall, VPN and Routing but in time that will hopefully be release.

Have a great winter Holiday

Oct 17 2018

VMware Specialist – Cloud Provider 2019

Today I recieved the latest certification called VMware Specialist – Cloud Provider 2019 after passing the exam last week.

The certification validates my expertise in deploying and managing VMware vCloud Director and demonstrates knowledge of the overall Cloud Provider Platform.

Aug 27 2018

VMWARE VCLOUD DIRECTOR 9.5 Released and what’s new?

The new version of vCloud Director is being released and I wanted to do a quick writeup on what to expect with the new version and all the features that will be available.

Most interesting in my standpoint. If you are a developer working in vCD Cloud are the new integration with NSX-T and Kubernetes. Beeng able to provision containers into the vCD Cloud your company might have in place today. NSX-T is only in an initial integration at the moment, but will surely get full integration as we move forward with the product.

Read the full Blog about the new version. And checkout the datasheet Here.

What’s new in vCloud Director 9.5?

Deeper Integration with NSX

• Integrated into vCD: universal transport zone, universal logical switch and universal logical router now integrated into vCD
• Local egress is supported, active-active or active-standby
• Stretch L2 network across org VDCs in different vCenters/PVDCs in the   same site and across different sites
• Each network can be stretched across up to four Org VDCs
• IP address management (static and DHCP) for cross-VDC networks

Initial Integration with NSX-T

• NSX-T and NSX-V managers in the same vCD instance
• Regular vSwitch and DPDK vSwitch (ENS) for VLAN and Overlay
• Directed connected network (imported from NSX-T logical switch)
• Provider Virtual Datacenters allow clusters of hosts with and without ENS

HTML5 UI

Complete tenant user experience, including:
• User Management
• RBAC Management
• Organization Management

• Expanded Provider Portal
• RBAC Management
• Organization VDC Management

Improved RBAC

• Cascading levels of access
• Implement a flat, consistent, intuitive set of rights

What are the key features of VMware vCloud Director?

• Multi-tenant Resource Pooling: easily create virtual datacenters from common infrastructure to cater to heterogeneous enterprise needs. Policy- driven approach ensures enterprises have isolated virtual resources, independent role-based authentication and fine-grained access control.

• Multi-site Management: stretch data centers across sites and geographies and monitor these resources across sites from a single pane of glass.

• 3rd-party ISV Services: vCloud Director has an extensible UI that can be leveraged by 3rd-parties and Cloud Providers to natively integrate and publish services on the vCloud Director UI. For example, Dell EMC Avamar has natively integrated their Data Protection capabilities right onto the vCD UI.

• Datacenter Extension and Cloud Migration: enable simple, secure VM migration and data center extension with vCloud Director Extender. Allows for true hybridity, enterprise-driven workflows, seamless connectivity and cold or warm migration options.

• Operational Visibility and Insights: refreshed dashboard for centralized multi-tenant cloud management views. Leverage vRealize Operations’ native integration with vCloud Director using advanced analytics, chargeback and more for deep visibility into enterprise environments.

• Containers-as-a-Service: vCloud Director provides an easy on-ramp for enterprises, by delivering containers and VMs in the same virtual datacenter and faster time-to-consumption for Kubernetes, using the Container Services Extension.

Aug 18 2018

2018 vExpert NSX

Happy to update that I’m now a vExpert NSX 2018.

I also would like to congratulate all the other returning vExpert NSX members and welcome to all new members joining for the 1st time!

Link to the Announcements:

https://blogs.vmware.com/vexpert/2018/08/17/vexpert-nsx-2018-award-announcement/

Jul 24 2018

What’s new and awesome with VMware NSX for vSphere 6.4.1 features and licensing.

I wanted to do give some important changes regarding the latest version update of NSX for vSphere 6.4.1 that was released on May 24 2018.

VMware have with this release created a new licensing model that is not that completely different from before but it has some new additions that might be good to be aware of if you are planning to start using NSX.

The new license release is named VMware NSX Data Center. With the same tiers as before; Standard, Advanced, Enterprise Plus and Remote Branch Office.

There are some differences that now is available from before.

When it comes to the Advanced and Datacenter Advanced Editions and Enterprise Plus and

NSX Data Center Enterprise Plus editions

Starting to compare the Advanced Editions you will from 6.4.1 get the following change.

Cross vCenter Networking & Security

Controller Architecture

  • Universal Controller for X-VC

Switching

Overlay to VLAN bridging
  • Hardware VTEP (OVSDB) with L2 Bridging
  • Universal Distributed Logical Switching

Distributed Routing

  • Universal Distributed Logical Router

Edge Routing N/S

  • Egress Routing Optimization in X-VC

The above editions gives organizations the opportunity to run cross vCenter NSX. With all the features that is required. This was something you needed Enterprise Plus license for before.

Regarding the license for NSX Data Center Enterprise Plus you get the following additions compared to Enterprise Plus:

The Description for it states the following:

NSX Data Center Enterprise Plus: For organizations that need the most advanced capabilities of NSX Data Center, plus vRealize Network Insight for network visibility and security operations, and NSX Hybrid Connect for hybrid cloud mobility.

This means as of version 6.4.1 of NSX if you buy the licenses for Advanced Plus you will also get licenses included for running vRealize Network Insight.

This is a great thing, since it means that you will have the ability to do all the things that vRNI offers.

For all of you who do not know or want to know more about vRealize Network Insight you can read about it more on this link.

For reading about the release notes and comparison about the editions please below referenced links:

https://kb.vmware.com/s/article/2145269

https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/rn/releasenotes_nsx_vsphere_641.html

I’m also writing this blogpost at my company Real Time Services site so please visit that one if you are in need of more information or need help implementing NSX or any other VMware related products.

Have a great Summer!

Jimmy….

Apr 17 2018

VMware Empower 2018

I’m in Atlanta this week for the VMWare Empower 2018 Conference.

I will update this page with workshops I will be attending and update with information with stuff that are not under NDA.

The Empower 2018 has started

Here are the keynote takeaways:

General session:

Things to look out for

VMware Cloud on AWS

AWS Greengrass – allowing select AWS services to run on vSphere in the data center or at the edge (IoT)

Plan your migration to VMware Cloud on AWS session:

  • Cloud Migrations
  • Data Center Extension
  • Disaster Recovery

Before you embark on the trip to migrate you workloads over to Vmware Cloud on AWS it is important to do an assessment and casestudy on the applications that you are currently running in your On-Premise datacenter.

Gather the data and information

Make sure to find application dependencies

Estimate the cost per year you as a company today have on running a certain application On-Prem. Total costs (Datacenter, cooling, power consumption, OPEX and CAPEX costs etc) put this into comparison with running it in the Cloud. Maybe it is a fit for your need or maybe it’s not.

A thorough assessment before can save you alot of time and money in the end.

Important to also know is that it is free to run 10 applications for evaluation in Vmware Cloud on AWS for 3 weeks at this point in time.

Remember to perform network and costinsight and confirm how the process looks in migrating to the cloud.

Mar 10 2018

VMware vExpert 2018

Hey great news today, I’m happy to announce that I have been awarded vExpert 2018 status by VMware. Click the link to see my profile.

The official vExpert 2018 announcement is here.  I would also like to congratulate my fellow Real Time Services colleges Anders Olsson and Johan Blom for also claiming the vExpert 2018 award. I’m privileged to be in company with so very talented collegues.

Thank you all for reading my Blog I will make sure to keep up the work of spreading knowledge in SDN, Virtualization and Automation.

I’m open to your feedback on what you would like to know more about so feel free to throw your comments my way!

Jan 17 2018

NSX 6.4 Released and a look at the Upgrade Coordinator

NSX 6.4 Released

Yesterday 16/1-2018 the new release of NSX 6.4 was Released. Here is a link to the Release Notes
There are a bunch of new features that was released and listing the top ones to me are the following:

Operations and Troubleshooting:
  • Upgrade Coordinator provides a single portal to simplify the planning and execution of an NSX upgrade. Upgrade Coordinator provides a complete system view of all NSX components with current and target versions, upgrade progress meters, one-click or custom upgrade plans and pre- and post-checks.
  • A new improved HTML5 dashboard is available along with many new components. Dashboard is now your default homepage. You can also customize existing system-defined widgets, and can create your own custom widgets through API.
  • New System Scale dashboard collects information about the current system scale and displays the configuration maximums for the supported scale parameters. Warnings and alerts can also be configured when limits are approached or exceeded.
  • New Packet Capture tab is available to capture packets through UI. If there is a host which is not in a healthy state, you can get the packet dump for that host, and administrator can examine the packet information for further debugging.
  • You can now enable Controller Disconnected Operation (CDO) mode from the Management tab on the secondary site to avoid temporary connectivity issues. CDO mode ensures that the data plane connectivity is unaffected in a multi-site environment, when the primary site lose connectivity.
  • API improvements including JSON support. NSX now offers the choice or JSON or XML for data formats. XML remains the default for backwards compatibility.
Security Services:
  • Identity Firewall: Identity Firewall (IDFW) now supports user sessions on remote desktop and application servers (RDSH) sharing a single IP address, new “fast-path” architecture improves processing speed of IDFW rules. Active Directory integration now allows selective synchronization for faster AD updates
  • Distributed Firewall: Distributed Firewall (DFW) adds layer-7 application-based context for flow control and micro-segmentation planning. Application Rule Manager (ARM) now recommends security groups and policies for a cohesive and manageable micro-segmentation strategy.
NSX Edge Enhancements:

 

  • Enhancement to Edge load balancer health check. Three new health check monitors have been added: DNS, LDAP, and SQL.
  • Improvements to L3 VPN performance and resiliency.

A look at the Upgrade Coordinator

 

Update NSX Manager:

I went ahead and grabbed the NSX Upgrade Bundle tar file from My Vmware portal and logged in to the NSX Manager.

I Uploaded the file and let the NSX Manager upgrade itself to 6.4

NSX 6.4 Flash, HTML5 UI

When all was done I logged in to vSphere. I checked Both the Flash and the HTML5 UIs and You are able to run the Upgrade Coordinator from both. The HTML5 is still lacking all the features for NSX Manager. But just for fun I went with the HTML5 one.

Network and Security for NSX is now viewable in VSphere HTML5 UI and selecting it will go into the NSX Manager part.

Start Upgrade Coordinator:

Now we see the all new Upgrade Coordinator and we can select to start to Plan Upgrade:

Select Upgrade Plan:

We are met with two options:

  • Plan Your Upgrade
    • You can customize and manage the upgrade by choosing components
  • One Click Upgrade
    • System plans and manages the entire process for you

So the difference in options you have is related to what fits your needs the most. In case you have a small NSX deployment One Click Upgrade could be an option. But incase you have a large NSX environment with several hosts clusters and alot of different NSX Edges deployed and you need better granular control then the Plan Your Upgrade option path is the way to go.

Starting of by selecting One Click Upgrade we see that there aren’t that much options more than selecting and starting the upgrade job. And then letting the system takeover the planning and scheduling of the upgrade.

I like to have a more bit controll in my environment so I went back and choose Plan Your Upgrade option:

Plan Content:

We see that we now have the option to select the components that we would like to plan to upgrade. The only option that is not possible to deselect is the upgrade of the NSX Controllers. And that is a prerequisite for to upgrade anyway before we can upgrade any of the other components.

  • Controllers
  • Clusters
  • NSX Edges
  • Service VMs

We also have two checkboxes that defines Pause Upgrade Options: These might be good to enable incase there is a failure in the upgrade process and you need to stop and troubleshoot.

  • Pause between components
  • Pause on Error

Plan Host Clusters:

In the next screen we plan the clusters that we intend to upgrade the Host NSX vibs and components on. Here we have the option to:

  • Add
  • Edit (Edit a cluster and deselect hosts that we do not intend to upgrade the vibs for)
  • Delete
  • Include
  • Exclude
  • and prioritize the clusters in order with Up and Down

Since I only have one cluster I contined with my planning to plan edges

Plan NSX Edges:

On this screen we can plan the NSX Edges we intend to upgrade in the environment. Maybe you sit in an environment for where you are not responsible to upgrade the NSX Edges or the Edges are used in productiontraffic that requires a maintenance window since you have Edges that are standalone in that environment that cannot tolerate a networkloss due to the upgrade and redeployment of that Edge appliance. Then this screen is important to make sure to exclude the edges.

Review Plan:

When the planning of the Edges are completed we proceed to the last screen to Start the Upgrade

Upgrade Status:

The upgrade has now started and we can click on View Details for the Upgrade Plan Progress to see the status for each of the components.

I also went into vSphere and checked the Controller status i the Management pane in NSX and saw that the Update was in progress.

Upgrade Paused:

Since I chose the option to pause between the components being upgrade the upgrade was paused after the Controllers was upgraded and successful.

Next step is the upgrade of the Hosts VIB components. And the Upgrade Coordinator will take care of everything here. That means taking the hosts down one by one in Maintenance Mode. Install the NSX VIBs and then continuing with the next host in the cluster until all are completed. Pretty smart!

Upgrade Complete:

All the components were now upgraded and successful.

Upgrade History:

There is also a history saved for all the upgrades that have been performed in the environment. Clicking that we can see that we have went from v 6.3.5 to 6.4 and the date when it was.

That is it I hoped you enjoyed this deepdive and walkthough of the Upgrade Coordinator.

Load more