VMware NSX Manager

Introduction

The VMware NSX Manager is a key component of the NSX architecture that belongs to the control layer. It provides a graphical interface and a REST API to manage the complete VMware NSX infrastructure. NSX Manager provides a centralized display of system and network components such as NSX controllers, logical switches and Edge gateways. NSX Manager is an integral part of vCenter, with which it shares a one-to-one relationship.

NSX Manager communication matrix

 

NSX Manager communication

NSX Manager's communication paths interconnect with all NSX architecture layers. From the top layer, a client PC connects to NSX Manager on TCP ports 80 and 443. NSX Manager configures the NSX Controllers over TCP port 443. Syslog, DNS and NTP servers supply NSX Manager with their services. NSX Manager is an integral part of vCenter, and that communication goes through TCP ports 443 and 902. In the bottom layers, ESXi hosts send DVS sync updates to NSX Manager on TCP port 8302. With the help of RabbitMQ (a message bus technology), NSX Manager sends firewall policy rules, private keys, certificates and controller IP addresses to the vsfwd service installed on the ESXi hosts. Learning NSX gives more details about the NSX Manager.

Client PC > NSX Manager (NSX Manager Administrative Interface)
Client PC > NSX Manager (NSX Manager VIB Access)
ESXi Host > NSX Manager (AMQP)
ESXi Host > NSX Manager (DVS Sync)
vCenter Server > NSX Manager (Host Preparation)

NSX Manager > DNS Server (DNS client connection)
NSX Manager > ESXi Host (Management and provisioning connection)
NSX Manager > ESXi Host (DVS Sync)
NSX Manager > ESXi Host (Management and provisioning connection)
NSX Manager > NSX Controller (Controller to Manager Communication)

NSX Manager > NTP Time Server (NTP client connection)
NSX Manager > Syslog Server (Syslog connection)
NSX Manager > vCenter Server (vSphere Web Access)
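
An added example (not from the original page or from VMware): the TCP flows stated above, encoded as an allowlist and checked against flow records. The addresses, role names and sample records are constructed, the vCenter ports are allowed in both directions as an assumption, and the AMQP, DNS, NTP and syslog flows are left out because the page gives no ports for them, so they show up as "review".

```python
from ipaddress import ip_address, ip_network

# Constructed role-to-network map (RFC 5737 documentation ranges), not real inventory.
ROLES = {
    "client": ip_network("192.0.2.0/25"),
    "nsx_manager": ip_network("198.51.100.10/32"),
    "vcenter": ip_network("198.51.100.20/32"),
    "nsx_controller": ip_network("198.51.100.32/29"),
    "esxi": ip_network("203.0.113.0/24"),
}

# (source role, destination role, protocol, destination port) as stated in the text.
ALLOWED = {
    ("client", "nsx_manager", "tcp", 80), ("client", "nsx_manager", "tcp", 443),
    ("nsx_manager", "nsx_controller", "tcp", 443),
    ("esxi", "nsx_manager", "tcp", 8302),
}
# Assumption: the text gives no direction for the vCenter ports, so both are allowed.
for _port in (443, 902):
    ALLOWED.add(("nsx_manager", "vcenter", "tcp", _port))
    ALLOWED.add(("vcenter", "nsx_manager", "tcp", _port))

def role_of(addr):
    ip = ip_address(addr)
    return next((role for role, net in ROLES.items() if ip in net), None)

def classify(record):
    """Classify one 'src,dst,proto,dport' record against the matrix."""
    src, dst, proto, dport = (field.strip() for field in record.split(","))
    flow = (role_of(src), role_of(dst), proto.lower(), int(dport))
    if None in flow[:2]:
        return "unknown-host"      # an endpoint is outside every known role
    return "allowed" if flow in ALLOWED else "review"

def audit(records):
    """Return (record, verdict) for every flow that is not in the matrix."""
    return [(rec, v) for rec in records if (v := classify(rec)) != "allowed"]

# Constructed sample flow records.
SAMPLE_FLOWS = [
    "192.0.2.15,198.51.100.10,tcp,443",      # client -> manager UI/API
    "203.0.113.7,198.51.100.10,tcp,8302",    # ESXi -> manager DVS sync
    "198.51.100.10,198.51.100.33,tcp,443",   # manager -> controller
    "198.51.100.33,198.51.100.10,tcp,8302",  # controller on the DVS sync port
    "10.9.9.9,198.51.100.10,tcp,443",        # source outside every role
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```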

How to install NSX Manager?

VMware NSX Manager is installed from an OVA file and is stored in the vCenter inventory like any other virtual machine. VMware recommends installing NSX Manager in a dedicated management cluster, separate from production virtual machines.

What are the main functionalities of NSX Managers?

  1. Provides user interface and VMware NSX API
  2. Installs user world agents, VXLAN, distributed routing and distributed firewall kernel modules
  3. Installs VMware NSX controllers
  4. Configures the VMware NSX controller nodes through the REST API
  5. Configures hosts through the message bus
  6. Generates certificates for secure communication between layers

What if NSX Manager is unavailable?

After NSX Manager has installed the components of all NSX layers, those components do not depend on NSX Manager availability to continue running. NSX Manager is installed as just one virtual machine. In the event of a failure, the instance can be quickly restored from backup without any disruption to network traffic.

Design guidelines

  1. Install NSX Manager in a separate management cluster and configure VMware vSphere High Availability
  2. Set up a backup to a remote location. The backup schedule should match the company RPO
  3. Configure the NTP service and redirect logs to a syslog server
  4. Do not install or upgrade VMware Tools; this is not recommended

Security

NSX Manager provides the communication that takes place through the control layer of the NSX architecture itself. Self-signed certificates are created for NSX controller kernels and ESXi nodes, which are then allowed to access the NSX domain. The self-signed certificates are pushed down to the NSX controllers and ESXi hosts over a secure channel. Once the certificates are verified by the destination controllers and nodes, mutual authentication is established and all communication on the control layer is encrypted. From version 6.1, SSL is enabled by default.

NSX Manager in the Cross-vCenter environment

In a cross-vCenter environment, for example one with two vCenters, an NSX Manager must be paired with each vCenter. One of the NSX Managers is assigned the primary role while the other works as the secondary. The primary NSX Manager is used to install a universal NSX control cluster that provides the functionality of the control layer.

The secondary NSX Manager does not have its own NSX control cluster. The primary can install universal objects such as universal logical switches. All objects are synchronized with the secondary NSX Manager. Each of the NSX Managers can also create local objects specific to its own vCenter instance.