Road to VCAP6-NV: Objective 3.3 – Configure and Manage Additional VMware NSX Edge Services

In this blog post I will cover section 3, objective 3.3 of the VCAP6-NV Deploy exam.

Objective 3.3 – Configure and Manage Additional VMware NSX Edge Services

  • Configure DHCP services according to a deployment plan:
    • Create/edit a DHCP IP Pool
    • Create/edit DHCP Static Binding
    • Configure DHCP relay
  • Configure DNS services
  • Configure NAT services to provide access to services running on privately addressed virtual machines

Configure DHCP services according to a deployment plan

The NSX services gateway offers IP addressing using static addressing or DHCP services. DHCP services require a pool of IP addresses. An IP pool is set up within vSphere as a range of IP addresses within your network. If your VM doesn’t have an IP allocated to it, an IP pool can assign it one.

Create/edit a DHCP IP Pool

Navigate to Networking & Security > NSX Edges > Double click the NSX Edge > Manage > DHCP. Click Pools and click the green +.


Enter in the IP information. Click OK.


Publish Changes


Create/edit DHCP Static Binding

If you have services running on a virtual machine and do not want the IP address to be changed, you can bind an IP address to the MAC address of a virtual machine or the VM NIC. The IP address you bind must not overlap an IP pool. If you bind to the VM NIC, the VM must reside on a logical switch that is directly connected to the NSX Edge. If you decide to use MAC address binding, the GUI does not ask you for either the VM name or the interface from the NSX Edge, since a MAC address is unique.

To begin, go to your NSX edge and under Manage > DHCP > Bindings, click the green +


Choose either VM NIC Binding or MAC Binding. Fill in the appropriate information. Click OK.


Publish Changes


Now when I go to the VM that I created the binding for, I see that the VM got assigned that IP address.
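The binding rule above (a bound IP must not overlap an IP pool) can be checked against a deployment plan before anything is entered in the GUI. The following is an added example, not part of the original post: the plan layout, names and addresses are constructed, and the subnet and duplicate IP/MAC checks go beyond the one rule the post states.

```python
import ipaddress

# Constructed deployment plan; none of these values come from the original post.
PLAN = {
    "subnet": "172.16.10.0/24",
    "pools": {"tenant-a": "172.16.10.100-172.16.10.200"},
    "bindings": {  # hostname: (MAC address, bound IP)
        "web01": ("00:50:56:aa:bb:01", "172.16.10.50"),
        "db01": ("00:50:56:aa:bb:02", "172.16.10.150"),   # falls inside the pool
        "app01": ("00:50:56:AA:BB:01", "172.16.10.51"),   # same MAC as web01
    },
}

def parse_range(text):
    """Split 'start-end' into two IPv4Address objects."""
    start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    if start > end:
        raise ValueError(f"range start is after range end: {text}")
    return start, end

def check_dhcp_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(plan["subnet"])
    problems = []
    ranges = {name: parse_range(r) for name, r in plan["pools"].items()}
    for name, (start, end) in ranges.items():
        if start not in net or end not in net:
            problems.append(f"pool {name} is outside {net}")
    seen_ip, seen_mac = {}, {}
    for host, (mac, ip_text) in plan["bindings"].items():
        ip, mac = ipaddress.ip_address(ip_text), mac.lower()
        if ip not in net:
            problems.append(f"binding {host} ({ip}) is outside {net}")
        for name, (start, end) in ranges.items():
            if start <= ip <= end:  # the rule stated in the post
                problems.append(f"binding {host} ({ip}) overlaps pool {name}")
        # Extra sanity checks: one IP and one MAC per binding.
        for key, seen, label in ((ip, seen_ip, "IP"), (mac, seen_mac, "MAC")):
            if key in seen:
                problems.append(f"binding {host} reuses {label} {key} of {seen[key]}")
            seen.setdefault(key, host)
    return problems

if __name__ == "__main__":
    for line in check_dhcp_plan(PLAN):
        print(line)
```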


Configure DHCP relay

DHCP relay is a feature within NSX that allows you to use your existing DHCP server (in the physical environment) to service IP addresses to VMs inside your VMware environment. The DHCP requests are relayed from the VM, on to the DHCP server, by the edge device. In my environment, I’m using an NSX Edge device to distribute IP addresses from an IP pool. So to start, I’m going to navigate to my DLR and under Manage > DHCP Relay > DHCP Relay Global configuration, click Edit.


Here, you would put in the IP address of the external DHCP server. For me that is the address of my NSX edge. Click OK.


Now under DHCP Relay Agents, click the green +. Select the interface from which DHCP requests are relayed to the external DHCP servers. This is the internal interface on my DLR where my VMs reside. Click OK.


Publish Changes.


Configure DNS services

You can configure NSX to forward name resolution to external DNS servers.

Navigate to your NSX edge device and click Manage > Settings > Configuration. Beside DNS Configuration, click Change.


Check the box for Enable DNS service. Enter in the IP address of your external DNS server/s. Click OK.


Now you can check the status of DNS services on the NSX Edge.


Configure NAT services to provide access to services running on privately addressed virtual machines

NSX Edge provides network address translation (NAT) service to assign a public address to a computer within a private network. The NSX Edge supports source NAT (SNAT) and destination NAT (DNAT). SNAT is used for translating an internal IP address to a public external address. Since external IP addresses have no knowledge of internal IP addresses, NAT is needed for communication. DNAT allows access from outside/external networks to internal private networks. NAT is important for providing access to services within your private network and for providing the ability to access services that are external to your network. For example, in order for a machine on your private network to be able to access the internet, NAT is needed. Next, I’ll show you how to configure source NAT (SNAT) on an NSX Edge device to do just that, and then we will configure destination NAT (DNAT).

In our example, we will have a VM (VM01) with an IP address of that is attached to an NSX logical switch (Tenant A). In order for this VM to access the internet, we will translate its IP to an IP that is internet accessible. Right now, as you can see, we cannot access the outside world. We test this by pinging Google’s public DNS (


Let’s get started with changing this and making the VM accessible to the internet.

As mentioned, NAT translates one IP address into another, so we need an IP address that we can translate to. Our first step is to make sure the firewall services are enabled on our NSX Edge. Without that, we cannot configure NAT.


Next, we can either translate to the external IP of the NSX Edge or we can add a secondary IP address to the external interface and use that for our translation. We will add a secondary IP. Navigate to Manage > Settings > Interfaces of the NSX Edge. Edit the external interface and add a secondary IP address from the same subnet as the primary IP address. In our case we will use Click OK.


Now we should see a second IP address appear for our external interface. The primary address is identified by an asterisk beside it.


Navigate to the NAT tab for the NSX Edge. Click the green “+” and select Add SNAT Rule. Select the protocol that you want to allow. In our case, we will choose any. Enter the original IP/range that you are translating. In this case, we want all VMs on the network to be able to access the outside network. For the translated source IP/range, enter the secondary IP address that we set on the NSX Edge. Click OK.


Publish Changes


Now, our VM should be able to access the outside world. Again, let’s try to ping Google’s public DNS (


Now we see we are getting replies when before we were not. That’s it! It’s that simple to configure SNAT on the NSX Edge.

Now to configure DNAT, we start at the same location we did to configure SNAT. But first, I need another external IP on the uplink interface of my NSX Edge to translate to my internal web server.


Now, navigate to the NAT tab for the NSX edge. Click the green “+” and select Add DNAT Rule. Just to show the concept of this working, I made the original destination port 8081. In reality, my web server is only using port 80, so for the translated IP I put the IP address of my internal web server and port 80.


Publish the changes for the DNAT to take effect.


Now if I navigate to, I can hit my web server


And it’s that simple to configure DNAT!
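To make the two rules concrete, here is a small model of how the SNAT and DNAT rules above rewrite a packet, plus an audit that lists what the DNAT rule publishes and confirms each public address is configured on the uplink. It is an added example, not code from the original post or from NSX: the rule field names are hypothetical, all addresses are constructed (the post's own values are not shown), and only the 8081-to-80 port mapping is taken from the text.

```python
import ipaddress

# Constructed values: primary uplink IP plus the two secondary IPs added for NAT.
UPLINK_IPS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
RULES = [  # hypothetical field names; orig/xlat = original/translated
    {"type": "snat", "orig": "172.16.10.0/24", "xlat": "203.0.113.11"},
    {"type": "dnat", "orig": "203.0.113.12", "orig_port": 8081,
     "xlat": "172.16.10.20", "xlat_port": 80},
]

def translate(pkt, rules=RULES):
    """Apply the first matching rule to pkt (keys: src, dst, dport); return a copy.
    Reply traffic (the stateful reverse translation) is not modelled."""
    out = dict(pkt)
    for r in rules:
        if (r["type"] == "dnat" and pkt["dst"] == r["orig"]
                and pkt["dport"] == r.get("orig_port", pkt["dport"])):
            out["dst"] = r["xlat"]
            out["dport"] = r.get("xlat_port", pkt["dport"])
            return out
        if (r["type"] == "snat" and
                ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(r["orig"])):
            out["src"] = r["xlat"]
            return out
    return out  # no rule matched: the packet is not translated

def audit(rules=RULES, uplink_ips=UPLINK_IPS):
    """Return (problems, exposures) for a rule set."""
    problems, exposures = [], []
    for i, r in enumerate(rules):
        # The public side is the translated IP for SNAT, the original IP for DNAT.
        public = r["xlat"] if r["type"] == "snat" else r["orig"]
        if public not in uplink_ips:
            problems.append(f"rule {i}: {public} is not configured on the uplink")
        if r["type"] == "dnat":  # every DNAT rule publishes an internal service
            port = r.get("orig_port", "any")
            exposures.append(
                f"{r['orig']}:{port} -> {r['xlat']}:{r.get('xlat_port', port)}")
    return problems, exposures

if __name__ == "__main__":
    print(translate({"src": "172.16.10.20", "dst": "198.51.100.7", "dport": 443}))
    print(translate({"src": "198.51.100.7", "dst": "203.0.113.12", "dport": 8081}))
    print(audit())
```

A DNAT rule with no original port shows up in the exposure list as `any`, which is worth reviewing before publishing because it forwards every port on that public address to the internal host.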

