Objective 3.3 – Configure and Manage Additional VMware NSX Edge Services
- Configure DHCP services according to a deployment plan:
  - Create/edit a DHCP IP Pool
  - Create/edit DHCP Static Binding
  - Configure DHCP relay
- Configure DNS services
- Configure NAT services to provide access to services running on privately addressed virtual machines
Configure DHCP services according to a deployment plan
The NSX Edge Services Gateway can address VMs either statically or through its DHCP service. The DHCP service needs a pool of addresses to lease from: an IP pool is configured on the NSX Edge (through the vSphere Web Client) as a range of addresses inside the subnet of one of the Edge's internal interfaces. When a VM on that segment sends a DHCP request and has no static binding, the Edge leases it an address from the pool.
Create/edit a DHCP IP Pool
Navigate to Networking & Security > NSX Edges, double-click the NSX Edge, then go to Manage > DHCP. Click Pools and click the green +.
Enter the start and end addresses of the range, the subnet mask and default gateway, and optionally the DNS servers and lease time the deployment plan calls for. Click OK.
Create/edit DHCP Static Binding
If a VM runs services that must keep the same IP address, bind an address to the VM's MAC address or to the VM NIC instead of leasing one from the pool. A bound address must not fall inside any IP pool. VM NIC binding requires the VM to reside on a logical switch that is directly connected to the NSX Edge, because the Edge must be able to identify the VM and its interface. MAC binding does not prompt for the VM name or the Edge interface, because the MAC address alone identifies the client.
To begin, go to your NSX Edge and under Manage > DHCP > Bindings, click the green +.
Choose either VM NIC Binding or MAC Binding. Fill in the appropriate information. Click OK.
When I check the VM I created the binding for, it has been assigned that IP address.
Configure DHCP relay
DHCP relay is an NSX feature that lets VMs obtain addresses from a DHCP server that is not on their segment, typically an existing server in the physical environment. The relay agent (here, the DLR) forwards the VM's broadcast DHCP request to the configured server as unicast and passes the reply back to the VM. In my environment, an NSX Edge distributes addresses from an IP pool and the DLR relays to it. To start, navigate to the DLR and under Manage > DHCP Relay > DHCP Relay Global configuration, click Edit.
Here, enter the IP address of the DHCP server the requests should be relayed to. For me that is the address of my NSX Edge. Click OK.
Now under DHCP Relay Agents, click the green +. Select the interface from which DHCP requests are relayed to the DHCP server: this is the internal interface on my DLR where my VMs reside. Click OK.
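The three DHCP steps above (pool, static binding, relay) as an added worked example that is not part of the original page: a short Python script that checks a deployment plan against the constraints stated above (pool inside the segment, bound addresses outside every pool, no duplicate bindings) and builds the XML bodies a script would send to the NSX-v REST API. The endpoint paths and element names are written from memory of the NSX for vSphere 6.x API and are assumptions, not taken from the page; the addresses and MAC addresses are constructed.

```python
"""DHCP deployment-plan checks for an NSX Edge plus NSX-v API request bodies.
Added example.  API paths/element names are assumptions (NSX-v 6.x as
remembered), and all plan values below are constructed for illustration."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed plan: one internal segment, one pool, two static bindings.
SEGMENT = ipaddress.ip_network("10.1.2.0/24")
POOLS = [{"start": "10.1.2.100", "end": "10.1.2.200",
          "gateway": "10.1.2.1", "netmask": "255.255.255.0"}]
BINDINGS = [
    # MAC binding: only the MAC is needed, no VM name or vNIC.
    {"mac": "00:50:56:aa:bb:01", "ip": "10.1.2.20"},
    # VM NIC binding: the VM must sit on a logical switch attached to the Edge.
    {"vm_id": "vm-101", "vnic_id": "0", "ip": "10.1.2.21"},
]


def in_pool(ip, pool):
    """True if ip lies inside the pool's start..end range (inclusive)."""
    a = ipaddress.ip_address(ip)
    return ipaddress.ip_address(pool["start"]) <= a <= ipaddress.ip_address(pool["end"])


def validate_plan(segment, pools, bindings):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for p in pools:
        start, end = ipaddress.ip_address(p["start"]), ipaddress.ip_address(p["end"])
        if start > end:
            problems.append(f"pool {p['start']}-{p['end']} has start after end")
        if start not in segment or end not in segment:
            problems.append(f"pool {p['start']}-{p['end']} is outside {segment}")
    for b in bindings:
        ip = b["ip"]
        if ipaddress.ip_address(ip) not in segment:
            problems.append(f"binding {ip} is outside {segment}")
        # The page's rule: a bound address must not overlap any IP pool.
        if any(in_pool(ip, p) for p in pools):
            problems.append(f"binding {ip} overlaps a DHCP pool")
    # A client (MAC or VM/vNIC) or an address bound twice is a plan error.
    clients = Counter(b.get("mac") or (b["vm_id"], b["vnic_id"]) for b in bindings)
    addrs = Counter(b["ip"] for b in bindings)
    problems += [f"client {c} bound twice" for c, n in clients.items() if n > 1]
    problems += [f"address {a} bound twice" for a, n in addrs.items() if n > 1]
    return problems


def dhcp_config_xml(pools, bindings):
    """Body for PUT /api/4.0/edges/{edgeId}/dhcp/config (assumed endpoint)."""
    dhcp = ET.Element("dhcp")
    ET.SubElement(dhcp, "enabled").text = "true"
    ip_pools = ET.SubElement(dhcp, "ipPools")
    for p in pools:
        pool = ET.SubElement(ip_pools, "ipPool")
        ET.SubElement(pool, "ipRange").text = f"{p['start']}-{p['end']}"
        ET.SubElement(pool, "defaultGateway").text = p["gateway"]
        ET.SubElement(pool, "subnetMask").text = p["netmask"]
    static = ET.SubElement(dhcp, "staticBindings")
    for b in bindings:
        sb = ET.SubElement(static, "staticBinding")
        if "mac" in b:
            ET.SubElement(sb, "macAddress").text = b["mac"]
        else:
            ET.SubElement(sb, "vmId").text = b["vm_id"]
            ET.SubElement(sb, "vnicId").text = b["vnic_id"]
        ET.SubElement(sb, "ipAddress").text = b["ip"]
    return ET.tostring(dhcp, encoding="unicode")


def relay_config_xml(server_ips, vnic_indexes):
    """Body for PUT /api/4.0/edges/{dlrId}/dhcp/config/relay (assumed endpoint):
    the DLR relays requests arriving on the listed vNICs to the listed servers."""
    relay = ET.Element("relay")
    server = ET.SubElement(relay, "relayServer")
    for ip in server_ips:
        ET.SubElement(server, "ipAddress").text = ip
    agents = ET.SubElement(relay, "relayAgents")
    for idx in vnic_indexes:
        ET.SubElement(ET.SubElement(agents, "relayAgent"), "vnicIndex").text = str(idx)
    return ET.tostring(relay, encoding="unicode")


if __name__ == "__main__":
    print("problems:", validate_plan(SEGMENT, POOLS, BINDINGS))
    print(dhcp_config_xml(POOLS, BINDINGS))
    print(relay_config_xml(["192.168.10.2"], [2]))  # constructed server/vNIC
```

Run the validator before pushing the configuration: the overlap check catches the case the page warns about (a static binding inside the pool range), which the GUI otherwise lets you discover only when two clients fight over one lease.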
Configure DNS services
You can configure the NSX Edge to forward name resolution requests from its clients to external DNS servers, so VMs can use the Edge as their resolver.
Navigate to your NSX Edge and click Manage > Settings > Configuration. Beside DNS Configuration, click Change.
Check the box for Enable DNS service. Enter the IP address of your external DNS server or servers. Click OK.
Now you can check the status of the DNS service on the NSX Edge.
Configure NAT services to provide access to services running on privately addressed virtual machines
NSX Edge provides network address translation (NAT) so that VMs on privately addressed networks can reach, and be reached from, external networks. The Edge supports source NAT (SNAT) and destination NAT (DNAT). SNAT rewrites the source address of outbound traffic from an internal (private) address to an external address; external hosts have no route back to private addresses, so without it replies would never return. DNAT rewrites the destination address (and optionally the port) of inbound traffic so that a service on a privately addressed VM can be reached through an external address. For example, for a machine on your private network to reach the internet, SNAT is needed. Next, I'll show how to configure SNAT on an NSX Edge to do just that, and then we will configure DNAT.
In our example, a VM (VM01) with IP address 10.1.2.20 is attached to an NSX logical switch (Tenant A). For this VM to reach the internet, we translate its IP to an address that is routable from the outside. Right now, as you can see, we cannot reach the outside world; we test this by pinging Google's public DNS (8.8.8.8).
Let's change that and give the VM access to the internet.
As mentioned, NAT translates one IP address into another, so we need an external address to translate to. Before that, make sure the firewall service is enabled on the NSX Edge: NAT is handled by the Edge firewall engine, and NAT does not work while the firewall is disabled.
Next, we can either translate to the primary external IP of the NSX Edge or add a secondary IP address to the external interface and use that for the translation. We will add a secondary IP. Navigate to Manage > Settings > Interfaces of the NSX Edge. Edit the external interface and add a secondary IP address from the same subnet as the primary address. In our case we will use 192.168.1.12. Click OK.
Now a second IP address appears on the external interface. The primary address is marked with an asterisk.
Navigate to the NAT tab of the NSX Edge. Click the green + and select Add SNAT Rule. Choose the protocol to translate; in our case, any. Enter the original source IP/range to translate: we want every VM on the 10.1.2.0/24 network to reach the outside network. For the translated source IP/range, enter the secondary IP address we set on the NSX Edge (192.168.1.12). Click OK.
Now our VM should be able to reach the outside world. Again, let's ping Google's public DNS (8.8.8.8).
We now get replies where before we did not. That's it: configuring SNAT on the NSX Edge is that simple. Bear in mind that this rule lets every VM in 10.1.2.0/24 reach any external destination; use Edge firewall rules to restrict that to what the deployment plan allows.
To configure DNAT, we start from the same NAT tab where we configured SNAT. But first, I need another external IP on the uplink interface of my NSX Edge (192.168.1.13, added as a secondary address the same way as before) to translate to my internal web server.
Now, on the NAT tab, click the green + and select Add DNAT Rule. To show that port translation works, I set the original destination IP to 192.168.1.13 and the original port to 8081. My web server actually listens on port 80, so for the translated IP I enter the address of my internal web server with translated port 80.
Publish the changes for the DNAT rule to take effect.
Now when I browse to http://192.168.1.13:8081, I reach my web server.
And that's how simple it is to configure DNAT! Remember that the DNAT rule exposes the web server to every host that can reach 192.168.1.13, so pair it with an Edge firewall rule that limits who may connect.
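The SNAT and DNAT rules above as an added worked example, not part of the original page: a Python script that sanity-checks the two rules before they are published (translated SNAT address on the uplink subnet, DNAT target inside the internal network, DNAT pinned to a protocol and port rather than exposing the whole VM), simulates first-match NAT on a few packets so the effect of each rule is visible, and builds the rule XML for the NSX-v REST API. The internal web server address (10.1.2.10), the API path and the element names are assumptions, not taken from the page; the external client address is constructed.

```python
"""SNAT/DNAT on an NSX Edge: pre-publish checks, first-match NAT simulation,
and NSX-v API rule bodies.  Added example.  The web server's internal address
10.1.2.10, the API path and the XML element names are assumptions."""
import ipaddress
import xml.etree.ElementTree as ET

UPLINK_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # Edge uplink (page)
INTERNAL_NET = ipaddress.ip_network("10.1.2.0/24")       # Tenant A (page)

RULES = [
    # SNAT: every VM on 10.1.2.0/24 leaves as the secondary uplink IP.
    {"action": "snat", "protocol": "any", "original": "10.1.2.0/24",
     "translated": "192.168.1.12"},
    # DNAT: 192.168.1.13:8081 from outside lands on the web server's port 80.
    {"action": "dnat", "protocol": "tcp", "original": "192.168.1.13",
     "original_port": 8081, "translated": "10.1.2.10", "translated_port": 80},
]


def check_rules(rules, uplink_subnet, internal_net):
    """Sanity checks a practitioner would run before publishing. Returns problems."""
    problems = []
    for r in rules:
        orig, trans = r["original"], r["translated"]
        if r["action"] == "snat":
            if not ipaddress.ip_network(orig, strict=False).subnet_of(internal_net):
                problems.append(f"SNAT original {orig} is not inside {internal_net}")
            if ipaddress.ip_address(trans) not in uplink_subnet:
                problems.append(f"SNAT translated {trans} is not on the uplink subnet")
        elif r["action"] == "dnat":
            if ipaddress.ip_address(orig) not in uplink_subnet:
                problems.append(f"DNAT original {orig} is not on the uplink subnet")
            if ipaddress.ip_address(trans) not in internal_net:
                problems.append(f"DNAT translated {trans} is not inside {internal_net}")
            if r["protocol"] == "any" or "original_port" not in r:
                problems.append(f"DNAT to {trans} exposes every port; pin protocol and port")
        else:
            problems.append(f"unknown NAT action {r['action']!r}")
    return problems


def snat(rules, pkt):
    """Outbound packet: rewrite the source per the first matching SNAT rule."""
    for r in rules:
        if r["action"] != "snat" or r["protocol"] not in ("any", pkt["proto"]):
            continue
        if ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(r["original"], strict=False):
            return {**pkt, "src": r["translated"]}
    return pkt


def dnat(rules, pkt):
    """Inbound packet: rewrite destination (and port) per the first matching DNAT rule."""
    for r in rules:
        if r["action"] != "dnat" or r["protocol"] not in ("any", pkt["proto"]):
            continue
        if pkt["dst"] != r["original"]:
            continue
        if "original_port" in r and pkt.get("dport") != r["original_port"]:
            continue
        out = {**pkt, "dst": r["translated"]}
        if "translated_port" in r:
            out["dport"] = r["translated_port"]
        return out
    return pkt


def nat_rules_xml(rules, vnic=0):
    """Body for POST /api/4.0/edges/{edgeId}/nat/config/rules (assumed API shape).
    vnic 0 is assumed to be the uplink the rules are applied on."""
    root = ET.Element("natRules")
    for r in rules:
        rule = ET.SubElement(root, "natRule")
        ET.SubElement(rule, "action").text = r["action"]
        ET.SubElement(rule, "vnic").text = str(vnic)
        ET.SubElement(rule, "originalAddress").text = r["original"]
        ET.SubElement(rule, "translatedAddress").text = r["translated"]
        ET.SubElement(rule, "protocol").text = r["protocol"]
        if "original_port" in r:
            ET.SubElement(rule, "originalPort").text = str(r["original_port"])
        if "translated_port" in r:
            ET.SubElement(rule, "translatedPort").text = str(r["translated_port"])
        ET.SubElement(rule, "enabled").text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("problems:", check_rules(RULES, UPLINK_SUBNET, INTERNAL_NET))
    print(snat(RULES, {"src": "10.1.2.20", "dst": "8.8.8.8", "proto": "icmp"}))
    # 203.0.113.5 is a constructed external client address.
    print(dnat(RULES, {"src": "203.0.113.5", "dst": "192.168.1.13", "proto": "tcp", "dport": 8081}))
    print(nat_rules_xml(RULES))
```

The simulation makes the page's two observations concrete: the ping from 10.1.2.20 leaves with source 192.168.1.12, and a connection to 192.168.1.13:8081 arrives at the web server on port 80, while a connection to 192.168.1.13:80 is left untranslated because only 8081 was published. The "exposes every port" check flags a DNAT rule written with protocol any and no port, which is the configuration mistake that turns a single published service into a fully exposed VM.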