21 February, 2024
June 22, 2022
Managed VMware on the public cloud is provided by all three major cloud providers – VMC (VMware Cloud on AWS), GCVE (Google Cloud VMware Engine), and AVS (Azure VMware Solution). All providers include NSX-T and HCX VMware products on your cloud-side installation. For L3 connectivity with your on-prem infrastructure, there are broad options for internet protocol security (IPsec) — either using the cloud providers’ managed VPN service or with NSX-T — or some form of direct connect. But for those scenarios where we want to execute an L2 extension for some subnets or VLANs from on-prem, we must rely on VMware-provided software. We can choose to do it with HCX or NSX-T L2VPN:
For network extension, HCX deploys a separate network extension appliance (or multiple appliances, if running in HA mode) in-service mesh, and the appliance can extend NSX segments or distributed switch port groups. The whole-network extension process has a nice GUI in HCX and everything is well automated — just choose networks for extension, and the rest is handled by HCX.
It is important to keep in mind that there are some restrictions on which portgroups or segments can be extended:
Likewise, there are some infrastructure restrictions: vSphere source networks that cannot be extended at all:
A full list of network extension restrictions can be found here: https://docs.vmware.com/en/VMware-HCX/4.3/hcx-user-guide/GUID-DBDB4D1B-60B6-4D16-936B-4AC632606909.html
Furthermore, given the above restrictions, your source site must have either vSphere Enterprise Plus licenses or NSX. Both provide distributed switch functionality.
One network extension appliance can extend up to 8 networks, and appliances are created in pairs (one in the source DC and one in the cloud). If HA mode for network extension is used, the appliance count doubles. In the planning phase, be sure to allocate enough IP addresses in the HCX network profile to cover all network extension needs.
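The sizing rule above (8 networks per appliance, appliance pairs across source and cloud, doubled in HA mode) is easy to get wrong at scale, so here is a small planning helper written as an added example for this post; it is not HCX code or VMware tooling. It assumes the `SourceNetwork` kinds, the `plan_extension` function and the IP pool notation (`"start-end"`) are this example's own conventions, and that each network extension appliance consumes one address from the HCX network profile pool at its site (an assumption to confirm against your HCX design). Networks on a standard vSwitch are reported as not extensible by HCX, in line with the distributed switch requirement stated above.

```python
import ipaddress
import math
from dataclasses import dataclass
from typing import Dict, List

# From the post: one HCX Network Extension appliance extends up to 8 networks.
MAX_NETWORKS_PER_APPLIANCE = 8


@dataclass
class SourceNetwork:
    """A candidate network at the source site (example type, not an HCX object)."""
    name: str
    kind: str  # "nsx_segment", "vds_portgroup" or "vss_portgroup"


def extensible_by_hcx(net: SourceNetwork) -> bool:
    """HCX NE extends NSX segments and distributed switch port groups;
    standard vSwitch port groups are not eligible (per the post)."""
    return net.kind in ("nsx_segment", "vds_portgroup")


def appliances_per_site(network_count: int, ha: bool) -> int:
    """Appliances needed at ONE site: ceil(networks / 8), doubled in HA mode."""
    if network_count == 0:
        return 0
    count = math.ceil(network_count / MAX_NETWORKS_PER_APPLIANCE)
    return count * 2 if ha else count


def ips_in_pool(ip_range: str) -> int:
    """Size of an inclusive IPv4 range written as 'start-end' (example notation)."""
    start_s, end_s = (part.strip() for part in ip_range.split("-"))
    start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    if end < start:
        raise ValueError(f"pool end {end} precedes start {start}")
    return int(end) - int(start) + 1


def plan_extension(networks: List[SourceNetwork], ha: bool,
                   source_pool: str, cloud_pool: str,
                   ips_per_appliance: int = 1) -> Dict[str, object]:
    """Return appliance counts and whether each site's HCX network profile
    pool has enough free addresses. ips_per_appliance=1 is an assumption."""
    eligible = [n for n in networks if extensible_by_hcx(n)]
    rejected = [n.name for n in networks if not extensible_by_hcx(n)]
    per_site = appliances_per_site(len(eligible), ha)
    needed_ips = per_site * ips_per_appliance
    return {
        "eligible": [n.name for n in eligible],
        "rejected": rejected,
        "appliances_per_site": per_site,
        "appliances_total": per_site * 2,   # one pair member per site
        "ips_needed_per_site": needed_ips,
        "source_pool_ok": ips_in_pool(source_pool) >= needed_ips,
        "cloud_pool_ok": ips_in_pool(cloud_pool) >= needed_ips,
    }


# Constructed sample input: nine VDS port groups plus one standard vSwitch
# port group, HA mode on, and deliberately small pools to show the check fail.
SAMPLE_NETWORKS = [SourceNetwork(f"vds-pg-{i}", "vds_portgroup") for i in range(9)]
SAMPLE_NETWORKS.append(SourceNetwork("vss-pg-legacy", "vss_portgroup"))
SAMPLE_SOURCE_POOL = "10.10.0.10-10.10.0.12"     # 3 addresses (constructed)
SAMPLE_CLOUD_POOL = "172.16.0.10-172.16.0.20"    # 11 addresses (constructed)


def sample_plan() -> Dict[str, object]:
    return plan_extension(SAMPLE_NETWORKS, ha=True,
                          source_pool=SAMPLE_SOURCE_POOL,
                          cloud_pool=SAMPLE_CLOUD_POOL)


if __name__ == "__main__":
    for key, value in sample_plan().items():
        print(f"{key}: {value}")
```

With the sample input, the nine eligible networks need two appliances per site, four with HA, so the source pool of three addresses is flagged as too small while the cloud pool passes. Run the same function over your real network inventory before building the HCX network profiles.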
NSX-T itself can also extend segment networks over IPsec VPN tunnels. On the NSX-T cloud-side, we create an L2VPN server and configure a tunnel for segment extension. The client for the L2VPN server can be another NSX-T installation on our source DC, or NSX Autonomous Edge, which is a free download from VMware. Here, the whole-network extension procedure is much more complicated and labor-intensive compared to HCX — for each network you want to extend, the entire configuration procedure must be performed on both the server and client side. However, Autonomous Edge is able to extend vSphere standard switch port groups, and for some smaller clients, this provides the opportunity to smoothly move to the cloud or operate in a hybrid mode without additional expenses for licensing.
This blog was contributed by:
Justas Krikštaponis, Chief Technology Officer, Baltics