Configure the Abiquo NSX-T integration


This document describes how to configure the NSX-T integration for Abiquo. In summary, first you will install and configure NSX-T with a vCenter. Then in Abiquo, you should register your hypervisors as vCenter hosts or clusters, and create a device to register the NSX-T.


Requirements of the NSX-T integration

Abiquo offers support for NSX-T.

  • For supported version numbers, see VMware

  • Abiquo 5.4.0+ supports NSX-T with N-VDS and VDS (v5.4.1+) 

  • To use load balancers, NSX-T Advanced edition or higher is required.

  • The NSX-T plugin requires a separate Abiquo license

  • Abiquo uses the Policy mode and it does not modify the Fabric. The administrator must create at least one Tier-0 configuration to register in Abiquo. We describe the basic requirements of the Tier-0 below. 

Only one vCenter with NSX-T per Abiquo datacenter

In each Abiquo datacenter, you can only use one vCenter for VMs working with NSX-T. You can register several hypervisors controlled by this vCenter in each cluster, but you cannot register another cluster or any hosts from a different vCenter (with or without NSX-T) in the same Abiquo datacenter.

Deploy your Edge appliances in a separate cluster

We recommend that you deploy the Edge appliances in a cluster that is not managed by Abiquo. In each Abiquo datacenter, you will need to define this cluster on the Remote Services servers using Abiquo properties. With this configuration, the VMs that you deploy with Abiquo will be in a different cluster from the VMs deployed by NSX-T. An advantage of this separation is that you won’t accidentally capture your Edge appliances with Abiquo!

 


Introduction to the NSX-T integration in Abiquo

Every time administrators create a virtual datacenter, Abiquo will create a Tier 1 entity and a segment (Abiquo default private network). Abiquo will manage the east-west firewall with groups to ensure that user VMs can connect to private networks that are in their virtual datacenter only. This is different from other providers, where user VMs can connect to other VMs in the same private network only. 

Administrators can create NAT networks for NAT, which is configured at Tier-1. Abiquo creates a firewall rule to allow NAT connectivity outside of the virtual datacenters through one or more gateways (set in Abiquo properties). Users can configure NAT interfaces with SNAT and DNAT interfaces on demand. Users can also configure private networks (segments), firewall policies (north-south firewall), and load balancers. The integration with NSX-T VPNs requires NAT networks. Abiquo creates the VPN at the Tier-1 level.

To provide public networks in Abiquo, Administrators can create segments on a Tier-0 entity. These networks will be accessible to users in all enterprises using this Tier-0. Administrators can enter the network path to create or capture the corresponding public networks to manage them in Abiquo.


Design your Tier-0 configurations

The administrator must create at least one Tier-0 to register in Abiquo. Abiquo will then create Tier-1 configurations for each virtual datacenter. You can configure NSX-T at different levels, depending on the number and type of Tier-0 configurations that you want to use.

Default Tier-0 for all datacenters

To use a single Tier-0 and edgeCluster for all NSX-T installations and all Abiquo datacenters, you can configure the default tier0 and edgeCluster in Abiquo properties. This configuration is very useful for a test environment.

Single Tier-0 for a tenant

To use a single Tier-0 and edgeCluster for a tenant, you can configure the tenant enterprise properties. These properties will override the default configuration in Abiquo properties for the tenant.

Multiple Tier-0 configurations for a tenant

To use more than one Tier-0 and/or edgeCluster in a tenant, DO NOT configure Abiquo properties or enterprise properties in the tenant for Tier-0 and the edgeCluster. Each time you create a VDC for the tenant, enter the configuration of the Tier-0 and edgeCluster as context properties. You can share Tier-0 configurations by entering them for more than one VDC, and other tenants can have configurations with enterprise properties.


Changes to the NSX-T integration


Create a Tier-0 configuration in NSX-T

To configure NSX-T, create one or more Tier-0 configurations as described here.

  1. Create a Tier-0 router

    1. Enable dynamic routing with Border Gateway Protocol 

    2. Enable redistribution

      1. Create a valid list of route redistribution elements (view NSXTEntityConfigurationChecker)

  2. To route from Tier-0 to outside networks or the Internet

    1. Connect the Tier 0 router to your physical infrastructure

    2. Create a VLAN transport zone (TZ) and connect your Tier-0 router to the TZ  

  3. To allow NAT connectivity for a VDC, you will need to configure one or more IP addresses or a single existing group name and register it in Abiquo using an Abiquo property

    1. Users from outside the VDC could connect into the VDC with traffic allowed through this IP, which in a simple environment may be the Tier-0 gateway address. See Allowed gateways below.

  4. Select an Edge Cluster ID where Abiquo will create the Tier-1 gateways

  5. To dynamically assign IP addresses to all segments, manually create at least one DHCP profile

    1. DHCP Server type

    2. Add an IP and a range, for example, 192.168.254.1/24

  6. Select an Overlay TZ ID to allocate to the Segments

  7. Connect one or more hosts to the Tier-0 (via N-VDS for instance)

Next add the details of your Tier-0 configurations to Abiquo as described below, using either Abiquo properties, enterprise properties, or virtual datacenter context properties.

 

NAT Firewalls

The NAT rules are configured at Tier1. Abiquo will create firewall rules for NAT IP addresses and rules. You can allow access from SNAT and to DNAT with an IP or network, or a list of IPs and networks, or a single, existing group that you can specify in Abiquo context properties. You can also control internet access for SNAT and DNAT with properties. Remember that NAT IP addresses are also used as VPN endpoints.

 


Check your NSX-T configuration

You can use the nsxt-tool from Abiquo to check your configurations in NSX-T. Please contact Abiquo Support to obtain the tool.

The tool will list valid configurations and recommend changes to invalid configurations.


Configure NSX-T on the Remote services servers

To configure NSX-T networking options for the platform:

  1. Log in to the Remote services server as an administrator

  2. Edit the abiquo.properties file

  3. Set the following properties as required in your environment. To activate a property, delete the hash (#) comment symbol before the property name, then set the value.

    # Time to keep the lease in the NSX-T DHCP.
    #abiquo.nsxt.dhcp.leasetime-ms=86400

    # Configure Tier-1 DFW to allow DHCP traffic from these services in CSV list format.
    # To disable, set the property with an empty value.
    #abiquo.nsxt.dhcp.services=DHCP-Client,DHCP-Server,DHCPv6_Client,DHCPv6_Server

    # Size of the NSX-T Load Balancer.
    # Valid values: SMALL, MEDIUM, LARGE, XLARGE
    #abiquo.nsxt.infra.load-balancers.size=SMALL

    # Error log level of the NSX-T Load Balancers.
    # Valid values: INFO, WARNING, ERROR, CRITICAL, ALERT, EMERGENCY
    #abiquo.nsxt.infra.load-balancers.error-log-level=INFO

    # Number of IP addresses that are reserved for NSX-T in each private network
    # to allocate to load balancers.
    #abiquo.nsxt.infra.load-balancers.reserved-ips=20

    # Allocation size of Edges in pool defined in Tier-1.
    # Valid values: ROUTING, LB_SMALL, LB_MEDIUM, LB_LARGE, LB_XLARGE
    #abiquo.nsxt.infra.tier1.pool-allocation=LB_SMALL

    # Time to wait between checks of the NSX-T API.
    #abiquo.nsxt.polling-ms=3000

    # New in Abiquo 6.0.6
    # Handle defragmentation bit present in the inner packet.
    # COPY (default) - copies the defragmentation bit from the inner IP packet
    #                  into the outer packet.
    # CLEAR - ignores the defragmentation bit present in the inner packet.
    # Valid values: COPY, CLEAR
    #abiquo.nsxt.vpn.profile.df=COPY

    # Algorithm to be used for message digest. Only used when encryption algorithm
    # is not AES_GCM
    # Valid values: SHA1, SHA2_256, SHA2_384, SHA2_512
    #abiquo.nsxt.vpn.profile.digest=SHA2_512

    # SA life time specifies the expiry time of security association in seconds
    #abiquo.nsxt.vpn.profile.sa-expire-seconds=3600

    # Connection initiation mode used by local endpoint to establish IKE connection
    # with peer site.
    # INITIATOR - In this mode local endpoint initiates tunnel setup and will also
    #             respond to incoming tunnel setup requests from peer gateway.
    # RESPOND_ONLY - In this mode, local endpoint shall only respond to incoming tunnel
    #                setup requests. It shall not initiate the tunnel setup.
    # ON_DEMAND - In this mode local endpoint will initiate tunnel creation once first
    #             packet matching the policy rule is received and will also respond to
    #             incoming initiation request.
    # Valid values: INITIATOR, RESPOND_ONLY, ON_DEMAND
    #abiquo.nsxt.vpn.session.connection-mode=INITIATOR

    # IPSec session compliance suite
    # Valid values: NONE, CNSA, SUITE_B_GCM_128, SUITE_B_GCM_256, PRIME,
    #               FOUNDATION, FIPS
    #abiquo.nsxt.vpn.session.compliance=NONE

You can also set properties that configure the management of asynchronous tasks and connections, to tune the performance of the NSX-T plugin.

For example, you could set the following properties.

    #abiquo.nars.async.pool.nsxt.byvdc=true
    #abiquo.nars.async.pool.nsxt.max=1
    #abiquo.virtualfactory.nsxt.device.openSession=2
    #abiquo.virtualfactory.nsxt.device.openSession.byvdc=false

 


Set Abiquo properties to configure Tier-0 for the platform

To configure one Tier-0 for the Abiquo platform or to configure a default Tier-0:

  1. Log in to the Abiquo API server as an administrator

  2. Edit the abiquo.properties file

  3. Set the following properties as required in your environment. To activate a property, delete the hash (#) comment symbol before the property name, then set the value.

    # Name of the NSX-T DHCP Profile used to create Tier-1 VPCs.
    # NSX-T UI path is: Policy - Networking - IP Management - DHCP
    #abiquo.nsxt.infra.dhcp-conf-name=

    # Name of the NSX-T Edge Cluster used to create Tier-1 VPCs.
    # NSX-T UI path is: Policy - System - Fabric - Nodes - Edge Clusters
    #abiquo.nsxt.infra.edge-cluster-name=Edge-Cluster-01

    # Name of the NSX-T Tier-0 used to create the Tier-1 VPCs.
    # NSX-T UI path is: Policy - Networking - Tier-0 Gateway
    #abiquo.nsxt.infra.tier0-name=

    # Name of the NSX-T Transport Zone (overlay) used to create segments / networks.
    # NSX-T UI path is: Policy - System - Fabric - Transport Zones
    #abiquo.nsxt.infra.transport-zone-name=

    # NEW IN ABIQUO 6.0.6
    # Allow DNAT traffic from the specified networks.
    # List of IPs or CIDRs in CSV format, or the name of a single NSX-T group
    # that already exists.
    #abiquo.nsxt.infra.allow-dnat-sources=

    # Allow DNAT traffic from the internet.
    # Valid values: true, false
    #abiquo.nsxt.infra.allow-dnat-sources-public=false

    # Allow SNAT traffic to the specified networks.
    # List of IPs or CIDRs in CSV format, or the name of a single NSX-T group
    # that already exists.
    #abiquo.nsxt.infra.allow-snat-destinations=

    # Allow SNAT traffic to the internet.
    # Valid values: true, false
    #abiquo.nsxt.infra.allow-snat-destinations-public=false
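As an added example (not Abiquo code and not the nsxt-tool), the following Python script audits an abiquo.properties file for the VPN and NAT properties listed in the two property blocks above: it rejects values outside the documented lists and flags NAT rules that are open to the internet or to every address. The SHA1 warning is this example's own policy choice, and the function names and sample values are constructed for illustration.

```python
import ipaddress

VALID = {  # valid values copied from the property comments on this page
    "abiquo.nsxt.vpn.profile.df": {"COPY", "CLEAR"},
    "abiquo.nsxt.vpn.profile.digest": {"SHA1", "SHA2_256", "SHA2_384", "SHA2_512"},
    "abiquo.nsxt.vpn.session.compliance": {
        "NONE", "CNSA", "SUITE_B_GCM_128", "SUITE_B_GCM_256", "PRIME", "FOUNDATION", "FIPS"},
    "abiquo.nsxt.infra.allow-dnat-sources-public": {"true", "false"},
    "abiquo.nsxt.infra.allow-snat-destinations-public": {"true", "false"},
}
NAT_LISTS = ("abiquo.nsxt.infra.allow-dnat-sources", "abiquo.nsxt.infra.allow-snat-destinations")

def parse_properties(text):  # active key=value pairs only; '#' lines stay inactive
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text):
    props, findings = parse_properties(text), []
    for key, allowed in VALID.items():
        if key in props and props[key] not in allowed:
            findings.append(f"{key}: '{props[key]}' is not a listed valid value")
        elif props.get(key) == "true":  # only the *-public switches accept "true"
            findings.append(f"{key}: NAT traffic is open to the internet")
    if props.get("abiquo.nsxt.vpn.profile.digest") == "SHA1":  # this example's policy
        findings.append("abiquo.nsxt.vpn.profile.digest: SHA1 set, prefer a SHA2 value")
    for key in NAT_LISTS:
        entries = [e.strip() for e in props.get(key, "").split(",") if e.strip()]
        for entry in entries:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:  # not an IP or CIDR, so treat it as a group name
                if len(entries) > 1:
                    findings.append(f"{key}: '{entry}' is a name; only a single group is allowed")
                continue
            if net.prefixlen == 0:
                findings.append(f"{key}: {entry} matches every address")
    return findings

# Constructed sample input, not a real configuration.
SAMPLE = """\
#abiquo.nsxt.vpn.profile.df=BOGUS
abiquo.nsxt.vpn.profile.digest=SHA1
abiquo.nsxt.vpn.session.compliance=FIPS140
abiquo.nsxt.infra.allow-dnat-sources=10.0.0.0/8,0.0.0.0/0
abiquo.nsxt.infra.allow-dnat-sources-public=true
abiquo.nsxt.infra.allow-snat-destinations=Partner-Group
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The same check applies to enterprise properties if you add the "abiquo." prefix to each key before passing them in.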

     


Set enterprise properties to configure Tier-0 for the tenant

To set a single Tier-0 configuration for a tenant, do these steps.

  1. Log in to Abiquo as an administrator

  2. Go to Users → edit the tenant enterprise → Properties

  3. Set keys and values for the following enterprise properties. Note that there is no "abiquo." prefix. 

Property

Description

nsxt.infra.allow-dnat-sources

In Abiquo 6.0.6+ add this property
Allow DNAT traffic from the specified networks. List of IPs or CIDRs in CSV format, or the name of a single NSX-T group that already exists.

nsxt.infra.allow-dnat-sources-public

In Abiquo 6.0.6+ add this property
Allow DNAT traffic from the internet.
Valid values: true, false

nsxt.infra.allow-snat-destinations

In Abiquo 6.0.6+ add this property
Allow SNAT traffic to the specified networks. List of IPs or CIDRs in CSV format, or the name of a single NSX-T group that already exists.

nsxt.infra.allow-snat-destinations-public

In Abiquo 6.0.6+ add this property
Allow SNAT traffic to the internet.
Valid values: true, false

nsxt.infra.dhcp-conf-name

Name of the NSX-T DHCP Profile used to create Tier1 VPCs.
The NSXT UI path is: Policy - Networking - IP Management - DHCP

nsxt.infra.edge-cluster-name

Name of the NSX-T Edge Cluster used to create Tier1 VPCs.
The NSXT UI path is: Policy - System - Fabric - Nodes - Edge Clusters
Default: Edge-Cluster-01

nsxt.infra.tier0-name

Name of the NSX-T Tier0 used to create the Tier1 VPCs.
The NSXT UI path is: Policy - Networking - Tier-0 Gateway

nsxt.infra.transport-zone-name

Name of the NSX-T Transport Zone (overlay) used to create segments / networks.
The NSXT UI path is: Policy - System - Fabric - Transport Zones

Screenshot: Enterprise properties example
Note that you can configure the external IP with an enterprise property but it is not included in this screenshot.


For more details of how to create enterprise properties, see  .

 


Create an NSX-T device

To register an NSX-T in Abiquo:

  1. Log in to Abiquo as an administrator

  2. Go to Infrastructure → Networks → Devices.

  3. Click the + add button and create an NSX-T device

    1. You can create for a single tenant or for all tenants in a datacenter

    2. The NSX-T endpoint will usually be something like  https://ADDRESS , where ADDRESS is the NSX appliance IP address.

For more details, see 

After you create the device, go to Infrastructure → Servers and add the clusters or hosts connected to the NSX-T. 

Abiquo will automatically use NSX-T when you create virtual datacenters in the datacenter.


Configuration to use more than one Tier-0 configuration per tenant

To use more than one Tier-0 configuration per tenant, you will need to register the Tier-0 configuration when you are creating each virtual datacenter.

To make Abiquo request the required Tier-0 configuration, remove the default configuration for the Abiquo properties and for the tenant (enterprise properties). 

To remove the default configuration:

  1. Log in to the API Server and edit the abiquo.properties file. Remove the context properties.

  2. Log in to Abiquo as an administrator.

  3. Go to Users → edit the tenant enterprise → Properties. Remove the context properties.

Effectively, you must remove the configuration for the platform and for the tenant as described in the configuration sections above.

Now when you create a VDC, the UI will request the missing context properties (as defined in the UI configuration, See ).

Create a VDC for NSX-T with context properties

 

The process to create a VDC with context properties in the Abiquo API is the same as the process to create one in the user interface.


Add public networks for NSX-T

The administrator can create Abiquo public networks in NSX-T as segments of Tier-0. The administrator can then add the networks to the platform for use by all tenants that share the Tier-0 configuration.

Before you begin, add NSX-T to your platform as described in the above section.

To create a public network for NSX-T

  1. Log in to NSX-T as an administrator and create a segment in a Tier-0 configuration

  2. From the segment's options menu, select Copy path to clipboard

  3. Log in to Abiquo as an administrator

  4. Go to Infrastructure → Private → select datacenter → Network → Public

  5. Create a public network. Select the Device and as the Provider ID, paste the network path, and Save

The platform will create the network. VMs in the virtual datacenters (Tier-1 entities) that belong to the same Tier-0 as the public network can then use IP addresses in this network.

 


Capture VMs with NSX-T

To test VM capture with NSX-T, use this process:

  1. In Abiquo, create a VDC, which includes a Tier-1 and a segment, and make a note of the segment name

  2. Using vCenter, create a VM and attach it to the opaque network that represents the segment

  3. In Abiquo, capture the VM, assigning it to the VDC that you created earlier (Tier-1 from step 1)

 


Create VPNs with NSX-T

The Abiquo integration with NSX-T VPNs requires an NSX-T device and NAT networks. Abiquo creates the VPN at the Tier-1 level. For more details see

To create a VPN site in a virtual datacenter (VDC):

  1. We recommend that you create the VDC with a custom private network and use a different IP address range. Or create a separate private network. When you create the VDC, you may be able to allow SNAT and DNAT traffic to VMs in the VDC from the internet or from IP/network addresses or NSX-T groups

  2. For the VPN endpoint, obtain a NAT IP for the VDC. You don’t need to create any NAT rules to create the VPN. You can later create NAT rules to allow access to VMs.

  3. Create a firewall to allow traffic to the VMs in your VPN

  4. Obtain the values of the remote endpoint and network. They don’t need to exist when you create the VPN, but if you need to change them, you will need to delete the site and recreate it.

  5. Go to Networks → VPN and create the VPN site

  6. Go to your other VDC or provider and create the remote VPN site

To check the status of your VPN, in your VDC, go to Networks → VPN and beside the VPN details, click Check

 

Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved