Blog
21 April, 2024
HCX cloud installation and configuration is very simple, usually a one-click automated install. Meanwhile, HCX Connector, which is deployed inside your managed infrastructure, is a manual process where installation of appliances and firewall rules implementation comes down to different internal teams. VMware provided a network connectivity diagram of HCX components that is very good for planning firewall rules, but in the scenarios where interconnect appliance (IX) has more than one interface, it becomes unclear which interface is used for which flow.
These interfaces are defined in the HCX network profile configuration. For appliance interface we can have up to 5 different roles for a network interface:
- HCX Uplink – used for connection between cloud and on-prem IX or NE appliances, one-way connectivity on port UDP 4500 (Red line in the diagram). The source is an on-prem IX/NE appliance and the destination is cloud- a side counterpart appliance.
- HCX Management – used by all service mesh appliances to connect to HCX Manager, vCenter Server, NTP, and DNS.
- HCX vMotion – used by IX appliance to connect to ESXi vMotion vmkernel(s) interface(s). Required only when doing vMotion type of migrations.
- HCX Replication – used by IX appliance to connect to ESXi management and replication (if present) vmkernel interfaces. Required for Bulk migration, replication assisted motion, and DR scenarios. In the diagram, the flow is named HCX Bulk Migration.
- HCX Guest Network – used by OS-assisted migration Sentinel Gateway appliance to connect to sentinel agents which are installed on source servers. Only used in OS-assisted migration scenarios (for physical servers and Hyper-V VMs).
Once we have clarified connectivity requirements and purposes, here are the most common errors related to connectivity encountered while working in the field, and their likely causes:
| Problem | Cause |
| After successfully connecting the HCX manager to vCenter, tasks to download and install the HCX plugin are constantly failing. | Firewall openings between HCX Manager were opened one way only, so vCenter can’t connect to HCX manager on port 443 TCP. Meanwhile, the HCX manager can connect to vCenter, which is why the configuration worked, but the plugin fails to download. |
| Service mesh appliance deployment is failing. | Most likely, the HCX Manager cannot connect to ESXi to do OVF deployment. It is quite common to open firewall ports just for vCenter from the HCX manager but to forget the OVF import flow. |
| After a successful deployment of service mesh appliances, network tunnels for IX and NE appliances fail to come up. | In most cases, this connectivity happens through WAN using HCX Uplink interface, and UDP4500 rules were implemented only on the internal firewall, forgetting to implement it also on the public firewall. Another cause could be that the SNAT rule was not implemented for the HCX uplink interface IP address and it can’t go out to the internet (proxy is not supported). |
| Service mesh was deployed successfully, and all services are green, but cross-cloud vMotion migration is failing at the start. | IX appliance can’t connect to ESXi hosts VMkernel interface, check if there is physical connectivity between HCX IX appliance interface with vMotion role and ESXi vMotion vmkernel and appropriate FW rules were implemented. |
| Service mesh was deployed successfully, and all services are green, but using the bulk migration option or setup DR replication failed at the initial stages. | IX appliance can’t establish a connection from the interface with role HCX replication to ESXi management or replication VMkernel (if there is one configured on ESXi), check the firewall to determine if appropriate rules were implemented and no drops are occurring. |
This blog was contributed by:
Justas Krikštaponis Chief Technology Officer, TeraSky Baltics