This
Flow Virtual Networking Guide
describes how to enable and deploy Nutanix
Flow Virtual Networking on Prism Central.
Upgrading from EA Versions
If you have enabled the early access (EA) version of Flow Virtual Networking, disable it
before upgrading the Prism Central and enabling the general availability (GA) version of
Flow Virtual Networking.
Related Documentation
Links to Nutanix Support Portal software and documentation.
The
Nutanix Support
Portal
provides software download pages, documentation, compatibility, and other
information/
Port Reference: See this page for details of ports that must be open in the
firewalls to enable
Flow Virtual Networking
to function.
Nutanix Security Guide
Prism Element and Prism Central security, cluster hardening, and
authentication.
AOS guides and release notes
Covers AOS Administration, Hyper-V Administration for Acropolis, Command
Reference, Powershell Cmdlets Reference, AOS Family Release Notes, and AOS
release-specific Release Notes
Acropolis Upgrade Guide
How to upgrade core and other Nutanix software.
AHV guides and release notes
Administration and release information about AHV.
Prism Central and Web Console guides and release notes
Administration and release information about Prism Central and Prism Element.
Flow Virtual Networking Overview
Enabled and administered from Prism Central,
Flow Virtual Networking
powers network virtualization to
offer a seamless network experience with enhanced security. It is disabled by default.
To enable and use
Flow Virtual Networking
, ensure
that you log on to Prism Central as a local account user with
Prism
Admin
role. If you log on to Prism Central as a non-local account (IDP-based)
user or without
Prism Admin
role privileges, then Prism Central does
not allow you to enable or use
Flow Virtual Networking
. The task is reported as
Failed
with a
User Denied
Access
message.
Note:
Nutanix deploys a number of ports and protocols in its software. ports that must be open in
the firewalls to enable
Flow Virtual Networking
to
function. To see the ports and protocols used
Flow Virtual Networking
, see Port Reference.
It is a software-defined network virtualization solution providing overlay capabilities for
the on-prem AHV clusters. It integrates tools to deploy networking features like Virtual
Private Cloud (VPC) and Virtual Private Network (VPN) to support flexible app-driven
networking that focuses on VMs and applications instead of virtual LANs and network
addresses.
After you enable it on Prism Central,
Flow Virtual Networking
delivers the following.
A simplified, Prism Central-based workflow that deploys the application-driven network
virtualization feature.
A secure multi-tenancy solution allowing per-tenant isolation using VPC-based network
segmentation and namespace isolation.
A secure VPN-based connectivity solution for multiple sites, with automated VPN bundle
upgrades.
NAT-based secure egress to external networks, with IP address retention and policy-based
routing.
Self-serve networking services using REST APIs.
Enhanced networking features for more effective disaster recovery.
Note:
You can enable
network segmentation on a Layer 2 extended virtual subnet that does not have a gateway.
For more information about Layer 2 subnet extensions, see Layer 2 Virtual Network Extension. For information about network
segmentation of an extended layer 2 subnet, see
Segmenting a Stretched L2 Network
for Disaster Recovery
in the
Securing Traffic through Network
Segmentation
section of the
Security Guide
.
Deployment Workflow
You can enable
Flow Virtual Networking
using a
simple Prism Central driven workflow, which installs the network controller. The network
controller is a collection of containerized services that run directly on the Prism Central
VM(s). The network controller orchestrates all the virtual networking operations.
Ensure that microservices infrastructure is enabled in
Prism Central Settings
>
Prism Central Management
. See
Prism Central Guide
for information about enabling
microservices infrastructure.
Enable
Flow Virtual Networking
in
Prism Central Settings
>
Advanced Networking
. It is disabled by default. See
Enabling Flow Virtual Networking
You can opt out of
Flow Virtual Networking
by
disabling the
Advanced Networking
option subject to prerequisites
to disable advanced networking. See Disabling Flow Virtual Networking.
You can deploy
Flow Virtual Networking
in a
dark site (a site that does not have Internet access) environment. See the Deploying Flow Virtual Networking at a Dark Site topic for more information.
You can upgrade the
Flow Virtual Networking
controller. Nutanix releases an upgrade for the Flow Virtual Networking controller with
AOS and Prism Central releases. See Upgrading Flow Virtual Networking.
See the
AOS Family Release Notes
and
Release Notes | Prism
Central
.
Flow Virtual Networking
allows you to create
and manage virtual private clouds (VPCs) and overlay subnets to leverage the underlying
physical networks that connect clusters and datacenters. See Virtual Private Cloud.
You can upgrade the network gateway version. Network gateway is used to create VPN or
VTEP gateways to connect subnets using VPN connections, or Layer 2 subnet extensions
over VPN or VTEP.
Flow Virtual Networking Architecture
The Flow virtual networking architecture uses a three-plane approach to simplify network
virtualization.
Prism Central provides the management plane, the network controller itself acts as the
control plane while the AHV nodes provide the data plane. This architecture provides a
strong foundation for Flow virtual networking. This architecture is depicted in the
following chart.
Figure.
Flow Virtual Networking Architecture
Click to enlarge
Deployment Scale
Flow virtual networking supports the following scale:
Entities
Scale
Virtual Private Clouds
500
Subnets
5,000
Ports
50,000
Floating IPs
2,000 per networking controller-enabled Prism Central.
Routing Policies
1,000 per Virtual Private Cloud.
10,000 per networking controller-enabled Prism Central.
Essential Concepts
VPC
A Virtual Private Cloud (VPC) is an independent and isolated IP address space that
functions as a logically isolated virtual network. A VPC could be made up of one or
more subnets that are connected through a logical or virtual router. The IP addresses
within a VPC must be unique. However, IP addresses may overlap across VPCs. As VPCs
are provisioned on top of another IP-based infrastructure (connecting AHV nodes), they
are often referred to as the overlay networks. Tenants may spin up VMs and connect
them to one or more subnets within a VPC. Virtual Private Cloud (VPC) is a virtualized
network of resources that are specifically isolated from the rest of the resource
pool. VPC allows you to manage the isolated and secure virtual network with enhanced
automation and scaling. The isolation is done using network namespace techniques like
IP-based subnets or VLAN based networking.
VPC Subnets
You can use IP address-based subnets to network virtual machines within a VPC. A VPC
may use multiple subnets. VPC subnets use private IP address ranges. IP addresses
within a single VPC must be unique, in other words, IP addresses inside the same VPC
cannot be repeated. However, IP addresses can overlap across multiple VPCs. The
following figure shows two VPCs named Blue and Green. Each VPC has two subnets,
192.168.1.0/24 and 192.168.2.0/24, that are connected by a logical router. Each subnet
has a VM with an IP address assigned. The subnets and VM IP addresses overlap between
the two VPCs.
Figure.
VPC Subnet
Click to enlarge
The communication between VMs in the same subnets or different subnets in the same VPC
(also called East-West communication) is enabled using GEneric NEtwork Virtualization
Encapsulation (GENEVE). If a Prism Central manages multiple clusters, then the VMs that
belong to the same VPC could be deployed across different clusters. The virtual switch on
the AHV nodes provide distributed virtual switching and distributed virtual routing for all
VPCs.
The communication from a VM in a VPC to an endpoint outside the VPC (called external
communication or North-South communication) is enabled by an external network connection.
Such a connection may be secured using VPN. The following figure shows the logical
connectivity of the VPCs to the external network, and subsequently to the Internet.
Note:
You
must configure the default route (0.0.0.0/0) to the external subnet as the next hop for
connectivity outside the cluster (north-south connectivity).
Figure.
External Communication
Click to enlarge
External Subnets
Subnets outside a VPC are external subnets. External subnets may be subnets within
the deployment but not included in a specific VPC. External subnets may also be
subnets that connect to the endpoints outside the deployment such as another
deployment or site.
External subnets can be deployed with NAT or without NAT. You can add a maximum of
two external subnets - one external subnet with NAT and one external subnet without
NAT to a VPC. Both external subnets cannot be of the same type. For example, you
cannot add two external subnets, both with NAT. You can update an existing VPC
similarly.
Primary and Secondary IP Addresses for VMs
See VM IP Address Management.
SNAT and Floating IP Address
SNAT and Floating IP addresses are used only when you use NAT for an external
subnet.
In Source Network Address Translation (SNAT), the NAT router modifies the IP address
of the sender in IP packets. SNAT is commonly used to enable hosts with private
addresses to communicate with servers on the public Internet.
For VMs within the VPC to communicate with the rest of the deployment, the VPC must
be associated with an external network. In such a case, the VPC is assigned a unique
IP address, called the SNAT IP, from the subnet prefix of the external network. When
the traffic from a VM needs to be transmitted outside the VPC, the source IP address
of the VM, which is a private IP address, is translated to the SNAT IP address. The
reverse translation from SNAT IP to private IP address occurs for the return traffic.
Since the SNAT IP is shared by multiple VMs within a VPC, only the VMs within the VPC
can initiate connections to endpoints outside the VPC. The NAT gateway allows the
return traffic for these connections only. Endpoints outside the VPC cannot initiate
connections to VMs within a VPC.
In addition to the SNAT IP address, you can also request a Floating IP address — an
IP from the external subnet prefix that is assigned to a VM via the VPC that manages
the network of the VM. Unless the floating IP address is assigned to the private IP
address (primary or secondary IP address) of the VM, the floating IP address is not
reachable. When the VM transmits packets outside the VPC, the private IP of the VM is
modified to the Floating IP. The reverse translation occurs on the return traffic. As
the VM uses the Floating IP address, an endpoint outside the VPC can also initiate a
connection to the VM with the floating IP address.
The translation of the private IP addresses to Floating IP or SNAT IP address, and
vice versa, is performed in the hypervisor virtual switch. Therefore, the VM is not
aware of this translation. Floating IP translation may be performed on the hypervisor
that hosts the VM to which the floating IP is assigned to. However, SNAT translation
is typically performed in a centralized manner on a specific host.
NAT Gateway
NAT Gateways are used only when you use NAT for an external subnet.
Network Address Translation (NAT) is a process for modifying the source or
destination addresses in the headers of an IP packet while the packet is in transit.
In general, the sender and receiver applications are not aware that the IP packets are
being manipulated.
A NAT Gateway provides the entities inside an internal network with connectivity to
the Internet without exposing the internal network and its entities.
A NAT Gateway is:
A node or a AHV host. You need a host or a node to implement a NAT Gateway because
NAT gateways require operations like load balancing and routing that are
automatically performed by Flow virtual networking.
Connected to the internal network with an internal subnet based IP address and to
the external network with an externally-routable IP address.
The
externally-routable IP address may be an IP address from a private IP address
space or an RFC1918 address that is used as a NAT gateway. The NAT Gateway IP
address could be a static IP address or a DHCP assigned IP address.
Table 1.
NAT Gateway Failover Time
Event
Failover Time
Network controller stops on AHV
Up to 45 seconds.
Node reboot
Up to 45 seconds.
Node power off:
When NAT Gateway and network controller MSP worker VMs are
not on the same node.
Up to 45 seconds.
Node power off:
When NAT Gateway and network controller MSP worker VMs are
on the same node.
Up to 300 seconds (5 minutes).
Static IP Address
A static IP address is a fixed IP address that is manually assigned to an interface
in a network. Static IP addresses provide stable routes that do not have to be updated
frequently in the routing table since the static routes generated using static IP
addresses do not need to be updated.
Usually in a large IP-based network (a network that uses IP addresses), a Dynamic
Host Configuration Protocol or DHCP server assigns IP addresses to interfaces of an
entity (using DHCP client service on the entity). However, some entities may require a
static IP address that can be reached (manual remote access or via VPN) quickly. A
static IP address can be reached quickly because the IP address is fixed, assigned
manually and is stored in the routing table for a long duration. For example, a
printer in an internal network would need a static IP address so that it can be
connected reliably. Static IP addresses can be used to generate static routes which
remain unchanged in routing tables, thus providing stable long-term connectivity to
the entity that has the static IP address assigned.
Static Route
Static routes are fixed routes that are created manually by the network
administrator. Static routes are more suited for small networks or subnets.
Irrespective of the size of a network, static routes may be required in a variety of
cases. For example, in VPCs where you use virtual private networks (VPNs) or Virtual
Tunnel End Point (VTEP) over VxLAN transport connections to manage secure connections,
you could use static routes for specific connections such as site-to-site connections
for disaster recovery. In such a case it is necessary to have a known reliable route
over which the disaster recovery operations can be performed smoothly. Static routes
are primarily used for:
Facilitating the easy maintenance of the routing table in small networks that are
not expected to grow.
Routing to and from other internal route or stub networks. A stub network or an
internal route network is a network accessed using a single route and the router has
only one neighbor.
Use as a default or backup route. Such a route is not expected to specifically
match any other route in the routing table.
In a network that is not constantly changing, static routes can provide faster and
more reliable services by avoiding the network overheads like route advertisement and
routing table updates for specific routes.
Overlay networks
You can create an IP-based Overlay subnet for a VPC. An Overlay network is a
virtualized network that is configured on top of an underlying virtual or physical
network. A special purpose multicast network can be created as an Overlay network
within an existing network. A peer-to-peer network or a VPN are also examples of
Overlay networks. An important assumption for an Overlay network is that the
underlying network is fully connected. Nutanix provides the capability to create
Overlay network-based VPCs.
Comparing Overlay with VLAN
See how overlay networks compare with VLAN networks. A virtual local area network or VLAN
network is a Layer 2 network that provides virtualized network segmentation solution. VLANs
route and balance traffic in a network based on MAC addresses, Protocols such as Ethernet,
ports or specific subnets. A VLAN creates a virtual Layer 3 network using Layer 2 addressing
by separating broadcast domains virtually or logically. A VLAN configured network behaves as
if the network is segmented using a physical layer 2 switch without implementing a layer 3
IP based subnet for the segmentation. VLAN traffic usually cannot traverse outside the
VLAN.
The main advantage that VLAN networks provide is that VLAN networks require only layer 2
(L2) connectivity. VLANs do not require any of the layer 3 (L3) Flow virtual networking
features.
Overlay networks can be laid on underlying physical network connections including VLAN
networks. Overlay networks provide the following advantages and constraints:
IP address namespace is decoupled from the physical network.
You can create, update or delete overlay networks without requiring any configurations
on the physical network and powering down the systems.
You can create overlay networks that can span across multiple clusters.
VLAN networks are necessary for Bootstrapping of Flow virtual networking.
Note:
Nutanix
recommends using VLAN0 as the default untagged (also called native) VLAN for a CVM and
AHV host. You can create VLANs for user VMs using the
Network
Configuration
page. You can use the
Create Virtual
Switch
dialog box from the
Network Configuration
page
to create virtual switches for the user VM VLANs.
AHV Networking VLAN and Flow virtual networking VLAN: VLAN backed subnets for external
connectivity are managed by the Flow virtual networking control plane. Traditional AHV
VLAN IPAM networks are managed by Acropolis. Do not configure the same VLAN as both a Flow
virtual networking external network and an AHV IPAM network, as this can lead to IP
address conflicts.
Traffic Behavior
Broadcast Traffic
When all the guest VMs belonging to a subnet are in the same AHV: Flow virtual
networking broadcasts the traffic to all guest VMs in the same subnet.
When some VMs belonging to a subnet are in other AHVs: Flow virtual networking
tunnels the traffic to only those AHVs which have endpoints in the same subnet.
In other words, Flow virtual networking broadcasts traffic to all the guest VMs in
the same subnet.
Unicast Traffic
Unicast traffic is traffic transmitted on a one-to-one basis between IP addresses and
ports. There is only one sender and one receiver for the traffic. Unicast traffic is
usually the most used form of traffic in any LAN network using Ethernet or IP
networking. Flow virtual networking transmits unicast traffic based on the networking
policies set.
Unknown Unicast Traffic
Flow virtual networking always drops unknown unicast traffic. It is not transmitted
to any guest VM within or outside the source AHV.
Multicast Traffic
Flow virtual networking transmits the traffic to the VMs in the multicast group
within the same subnet. If the VM is on another AHV, the destination AHV must have an
endpoint in the subnet.
Multicast Group
A multicast group is defined by an IP address (called a multicast IP address, usually
a Class D IP address) and a port number. Once a host has group membership, the host
will receive any data packets that are sent to that group defined by an IP
address/port number.
Prerequisites for Enabling Flow Virtual Networking
Make sure you meet these prerequisites before you enable
Flow Virtual Networking
on Prism Central.
Requirements
Important:
Prism Central protection and recovery does not protect or recover
Flow Virtual Networking
services.
You must have the following fulfilled to enable
Flow Virtual Networking
:
Ensure that you log on to Prism Central as a local account user with
Prism
Admin
role. If you log on to Prism Central as a non-local account
(IDP-based) user or without
Prism Admin
role privileges, then
Prism Central does not allow you to enable or use
Flow Virtual Networking
. The task is reported as
Failed
with a
User Denied Access
message.
Ensure that the Prism Central running
Flow Virtual Networking
is hosted on an AOS
cluster running AHV.
The network controller has a dependency only on the AHV version.
Ensure that microservices infrastructure on Prism Central is enabled. See
Prism
Central Guide
for information about microservices infrastructure.
Choose the x-large PC VM size for
Flow Virtual Networking
deployments. Small or
large PC VMs are not supported for Flow virtual networking.
If you are running a small or large Prism Central VMs, upgrade the Prism Central VM
resources to x-large PC VM. See
Acropolis Upgrade Guide
for procedure to
install an x-large Prism Central deployment.
Although
Flow Virtual Networking
may be enabled
on a single-node PC, Nutanix strongly recommends that you deploy a three-node scale-out
Prism Central for production deployments. The availability of
Flow Virtual Networking
service in Prism Central
is critical for performing operations on VMs that are connected to overlay networks. A
three-node scale-out Prism Central ensures that
Flow Virtual Networking
continues to run even if
one of the nodes with a PCVM fails.
Prism Central VM registration. You cannot unregister the Prism Element cluster that is
hosting the Prism Central deployment where you have enabled
Flow Virtual Networking
. You can unregister other
clusters being managed by this Prism Central deployment.
Ensure that Microservices Infrastructure (CMSP) is enabled on Prism Central before you
enable
Flow Virtual Networking
. See the
Prism Central Guide
for more information.
For the procedure to enable Microservices Infrastructure (including enable in dark
site), see
Enabling Micro Services Infrastructure
section in the
Prism Central Guide
.
Note:
When you configure microservices infrastructure, ensure that the DNS name you
configure for CMSP does not end with
test
.
Flow Virtual Networking
does not support
test
as a top level domain. For example, the following are valid domain configurations:
my.cluster.domain
my.test.cluster.test.domain
However, the following are examples of domains that
Flow Virtual Networking
does not support:
my.cluster.test
my.cluster.domain.test
Ensure that you have created a virtual IP address (VIP) for Prism Central. The
Acropolis Upgrade Guide
describes how to set the VIP for the Prism
Central VM. Once set, do not change this address.
Ensure connectivity:
Between Prism Central and its managed Prism Element clusters.
To the Internet for connectivity (not required for dark site) to:
ECR for Docker images
S3 storage for LCM portal
Note:
For dark site deployments, Nutanix provides a dark
site bundle, which has the Docker images (normally hosted on ECR) and the network
controller package (normally hosted on LCM portal). These dark site bundles can be
downloaded using an internet-connected system outside the dark site.
Prism Central backup, restore, and migration. You cannot perform these operations on
MSP-enabled Prism Central.
Nutanix recommends increasing the MTU to 9000 bytes on the virtual switch vs0 and
ensure that the physical networking infrastructure supports higher MTU values (jumbo
frame support). The recommended MTU range is 1600-9000 bytes.
Nutanix CVMs use the standard Ethernet MTU (maximum transmission unit) of 1,500 bytes
for all the network interfaces by default. The system advertises the MTU of 1442 bytes
to guest VMs using DHCP to account for the extra 58 bytes used by Generic Network
Virtualization Encapsulation (Geneve). However, some VMs ignore the MTU advertisements
in the DHCP response. Therefore, to ensure that Flow Virtual Networking functions properly with
such VMs, enable jumbo frame support on the physical network and the default virtual
switch vs0.
If you cannot increase the MTU of the physical network, decrease the MTU of every VM in
a VPC to 1442 bytes in the guest VM console.
Note:
Do not change the MTU of the CVM.
Figure.
Sample Configurations with and without Higher MTU - VS0, CVM and UVMs
Click to enlarge
Requirements for Upgrades
The following applies to upgrades of
Flow Virtual Networking
network controller
(
Advanced Networking
in
Prism Control
Settings
):
Ensure that the Prism Central host is running an AHV version compatible with the
networking controller upgrade version. If necessary, upgrade the AHV version using LCM to
the version compatible with the network controller upgrade version.
Note:
See Compatibility and Interoperability Matrix on
the Nutanix Support portal for AOS and Prism Central compatibility.
Ensure that all the AHV hosts in the AOS cluster are running the version compatible with
the network controller upgrade version.
The network controller upgrade fails if any of
the AHV hosts is running an incompatible version.
Limitations
Limitations for Flow Virtual Networking are as follows.
Flow Virtual Networking
does not support
Flow Network Security
for guest VMs.
You cannot configure rules for
Flow Network Security
if a guest VM has any NICs
connected to VPCs.
Flow Virtual Networking
is supported only on
AHV clusters. It is not supported on ESXi or Hyper-V clusters.
Flow Virtual Networking
is not enabled on the
new PE cluster registering with the
Flow Virtual Networking
-enabled Prism Central if
the Prism Element cluster has an incompatible AHV version.
Flow Virtual Networking does not support updating a VLAN-backed subnet as an external subnet.
You cannot enable the external connectivity option in the
Update
Subnet
dialog box. Therefore, you cannot modify an existing VLAN-backed
subnet to add external connectivity.
VLAN backed subnets for external connectivity are managed by the
Flow Virtual Networking
control plane. Traditional
AHV VLAN IPAM networks are managed by acropolis.
Note:
Do not configure the same VLAN as both a
Flow Virtual Networking
external network and an
AHV IPAM network, as this can lead to IP address conflicts.
Flow Virtual Networking
cannot be disabled if
any external subnets and VPCs are in use. Delete the external subnets and VPCs and then
disable
Flow Virtual Networking
.
Disaster Recovery backup and migration: CMSP-enabled Prism Central does not support
disaster recovery backup and migration operations both as a source and target host.
Flow Virtual Networking Configurations
Enabling Flow Virtual Networking
Before you begin
Ensure that microservices infrastructure is enabled on Prism Central. See
Enabling Micro Services Infrastructure
section in the
Prism
Central Guide
.
About this task
Before you proceed to enable Flow virtual networking by enabling the
Advanced Networking
option, see Prerequisites for Enabling Flow Virtual Networking.
To enable Advanced Networking, go to
Prism Central Settings
>
Advanced Networking
and do the following.
Procedure
In the
Advanced Networking
pane, click
Enable
.
Ensure that the prerequisites specified on the pane are fulfilled.
Figure.
Enabling Flow Virtual Networking
Click to enlarge
Prism Central displays the deployment in-progress.
Figure.
Deployment Progress
Click to enlarge
Flow virtual networking is enabled.
Figure.
Flow Virtual Networking Status
Click to enlarge
Disabling Flow Virtual Networking
About this task
You can disable Flow virtual networking. However, the network controller cannot be
disabled if any external subnets and VPCs are in use. Delete the subnets and VPCs
before you disable advanced networking.
Note:
Flow virtual networking cannot be disabled if any external subnets and VPCs are
in use. Delete the external subnets and VPCs and then disable Flow virtual
networking.
To disable Flow virtual networking, do the following.
Procedure
On the
Advanced Networking
page, click
Disable
.
Figure.
Click to enlarge
On the confirmation message box, click
Confirm
to
confirm disablement.
To exit without disabling the
Advanced Networking
controller, click
Cancel
.
Unregistering a PE from the PC
Before unregistering a Prism Element from PC, disable Flow virtual networking on that
Prism Element using network controller CLI (or atlas_cli).
About this task
When Flow virtual networking is enabled on a Prism Central, it propagates the
capability to participate in VPC networking to all the registered Prism Elements
that are running the required AHV version.
In cases where there are VMs on the Prism Element attached to the VPC network, or if
the Prism Element is used to host one or more of the external VLAN networks attached
to a VPC, Prism Central alerts you with a prompt. When being alerted about the
aforementioned conditions, close the CLI and make adequate configuration to resolve
the condition (for example, select a different cluster for the external VLAN network
and delete the VMs attached to the VPC network running on the Prism Element). After
making such configurations, execute the network controller CLI to disable Flow
virtual networking. If the command goes through successfully, it is safe to
unregister the Prism Element.
For example, in a deployment of three Prism Elements - PE1, PE2 and PE3 - registered
to the Flow virtual networking-enabled PC, you want to unregister PE3 from the PC.
You must first disable Flow virtual networking using the following steps:
Procedure
SSH to PE3.
Run the
ncli cluster info
or
ncli cluster
get-params
command to get the cluster parameters.
Copy the cluster UUID (For example: 017457d3-1012-465c-9c54-aa145f2da7d9) from
the displayed cluster parameters.
SSH to the Prism Central VM.
Open the network controller console by executing the
atlas_cli
command.
nutanix@cvm$ atlas_cli
<atlas>
Execute the
config.add_to_excluded_clusters <cluster
uuid>
command, providing the cluster UUID that you copied
earlier.
An example of the PC alert, for the condition that PE3 VM is attached to an
external network, is as follows:
<atlas> config.add_to_excluded_clusters 0005bf8d-2a7f-3b2e-0310-d8e34995511e
Cluster 0005bf8d-2a7f-3b2e-0310-d8e34995511e has 1 external subnet,
which will lose connectivity. Are you sure? (yes/no)
Note:
To enable Flow virtual networking on the cluster, execute the
config.remove_from_excluded_clusters <cluster
uuid>
command, providing the cluster UUID.
What to do next
To verify if Flow virtual networking is disabled or enabled, SSH to PE3 and run the
acli atlas_config.get
command.
The output displays the
enable_atlas_networking
parameter as
False
if Flow
virtual networking is disabled and as
True
if Flow virtual networking
is enabled on the Prism
Element.
You can upgrade the Flow virtual networking controller (
Advanced Networking
Controller
in
Prism Central Settings
) using Life Cycle Manager
(LCM) on Prism Central.
Before you begin
See Prerequisites for Enabling Flow Virtual Networking.
In case of upgrading the Flow virtual networking controller in a dark site, ensure
that LCM is configured to reach the local web server that hosts the dark site
upgrade bundles.
Note:
The network controller upgrade fails to start after the pre-check if one or more
clusters have Flow virtual networking enabled and are running an AHV version
incompatible with the new network controller upgrade version.
About this task
To upgrade the network controller using LCM, do the following.
Procedure
Choose one of the following ways to reach the LCM page:
Go to
Administration
>
LCM
>
Inventory
Click
Check for Updates
on the
Advanced
Networking
page.
Figure.
Check for Updates
Click to enlarge
Click
Perform Inventory
.
When you click
Perform Inventory
, the system scans the
registered Prism Central cluster for software versions that are running
currently. Then it checks for any available upgrades and displays the
information on the LCM page under
Software
.
Go to
Updates
>
Software
. Select the
Advanced Networking Controller
version you want to upgrade to and click
Update
.
Figure.
Networking Controller version
Click to enlarge
Deploying Flow Virtual Networking at a Dark Site
About this task
Dark sites are primarily on-premises installations which do not have access to the
internet. Such sites are disconnected from the internet for a range of reasons
including security. To deploy Flow virtual networking at such dark sites, you need
to deploy the dark site bundle at the site.
This dark site deployment procedure includes downloading and deploying MSP and the
network controller bundles.
Before you begin
See Prerequisites for Enabling Flow Virtual Networking.
You need access to the Nutanix Portal from an Internet-connected device to
download the following dark site bundles:
Note:
For dark site deployments, Nutanix provides a dark
site bundle, which has the Docker images (normally hosted on ECR) and the network
controller package (normally hosted on LCM portal). These dark site bundles can be
downloaded using an internet-connected system outside the dark site.
MSP dark site bundle: https://portal.nutanix.com/page/downloads/list > Microservices Platform (MSP)
Flow virtual network controller dark site bundle: See the
Flow
Virtual Networking Release Notes
for the link to download the
dark site bundle.
Network Gateway bundle: See the
Flow Virtual Networking Release
Notes
for the link to download the dark site bundle with
checksum text file. Also, see
KB-12393
.
To deploy Flow virtual networking at a dark site, do the following.
Procedure
Start a web server to host the dark site bundles and act as a source for the
LCM downloads, if one is not already created.
The web server can be a virtual machine on a cluster at the dark site. All
the Prism Central VMs at the dark site must have access to this web server.
This web server is used when you deploy any dark site bundle including the
network controller darksite bundle.
For more information about the server installation, see:
Linux web server
Windows web server
In Prism Central, go to
Administration
>
LCM
>
Inventory
.
Alternatively, SSH into the Prim Central VM as an admin user and run the
following command.
Where <LCM-web-server-ip> is the IP address of the LCM web server and
release is the name of the directory where the packages were extracted.
For example,
admin@pcvm$ mspctl controller airgap enable
--url=http://10.48.111.33/release
. Here,
10.48.111.33
is the IP address of the LCM web server
and
release
is the name of the directory where the
packages were extracted.
Verify the configuration by running the following command:
nutanix@cvm$ mspctl controller airgap get
From a device that has public Internet access, click the Nutanix Compatibility Bundle link and
down the bundle. Transfer this bundle to the LCM web server and extract the
contents.
From a device that has public Internet access, Nutanix recommends that you
download and extract the latest MSP dark site bundle, transfer it to the LCM web
server, and extract the contents.
From a device that has public Internet access, download the Flow virtual
networking dark site bundle (see Release Notes | Flow Virtual Networking for download links).
Transfer the bundle to the LCM web server.
Extract or unpack the Flow Virtual Networking dark site bundle on the LCM web
server.
After unpacking, check if the system shows a directory path that includes the
following as per the example:
http://<LCM-web-server-ip>/release/builds/msp-builds/msp-services/464585393164.dkr.ecr.us-west-2.amazonaws.com/nutanix-msp/atlas-hermes/
.
Run the following command after unpacking to ensure that the file permissions
are not disrupted during the unpacking:
Linux.
chmod -R +r builds
Windows
NTFS.
$> takeown / R / F *
$> icacls <Build-file-path> /t /grant:F
This section provides information to assist troubleshooting of Flow virtual networking
deployments. This is in addition to the information that the "Prism Central Guide"
provides.
Audit Logs
Prism Central generates audit logs for all the flow networking activities like it
does for other activities on Prism Central. See
Audit Summary View
in the
Prism Central Guide
, for more information about Audit log.
Support Bundle Collection
To support troubleshooting for Flow virtual networking, you can collect logs.
To collect the logs, run the following commands on the Prism Central VM console:
msp
tag will collect logs from the services running on MSP
pods and persistent log volumes (application-level logs)
anc
tag will collect the support bundle, which includes
database dumps and OVN state
-O
flag adds tag-level options
msp_pod=true
collects logs from MSP service pods
On the PC, these logs can be found under
/var/log/containers
.
persistent=true
collects persistent log volumes
(application-level logs for ANC)
On the PC, these can be found under /var/log/ctrlog
kubectl_cmds=true
runs
kubectl
commands to
get the Kubernetes resource state
--duration
sets the duration from the present to collect
The command run generates a zip file at a location, for example:
/home/nutanix/data/logbay/bundles/<filename>.zip
Unzip the bundle and you'll find the
anc
logs under a directory
specific to your MSP cluster, the worker VM where the pod is running, and the logging
persistent volume of that pod. For example:
For more information about the task run, see the text file that the command generates
at a location, for
example:
/home/nutanix/data/logbay/taskdata/<taskID>/collection_result.txt
For more information about the
logbay collect
command, see the
Logbay Log Collection (Command Line)
topic in the
Nutanix Cluster
Check Guide
(NCC Guide).
Layer 2 Virtual Subnet Extension Alert
The
L2StretchLocalIfConflict
alert (Alert with Check ID
- 801109) may occur while performing Layer 2 virtual subnet extensions. See KB-10395
for more information about its resolution.
Network Gateway Upgrades
Nutanix deployment can detect and install upgrades for the onprem Nutanix Gateways.
For information about identifying the current Nutanix Gateway version, see Identifying the Gateway Version.
For onprem Nutanix Gateways, the upgrades need to be detected and installed on the respective
PC on which each Nutanix Gateway is installed.
For more information, see Detecting Upgrades for Gateways.
When Prism Central detects the upgrades, it displays a banner on the
Gateways
tab of the
Connectivity
page. The banner
notifies you that a Gateway upgrade is available after you have run LCM inventory. The table
on the
Gateways
tab also displays an alert (exclamation mark) icon for
the network gateways that the upgrade applies to. The hover message for the icon informs you
that an upgrade is available for that Gateway.
Figure.
Upgrade Banner
Click to enlarge
For more information about the upgrade procedure, see Upgrading the PC-managed Onprem Nutanix VPN Gateways.
Identifying the Gateway Version
About this task
To identify the current Nutanix Gateway version, do the following:
Procedure
Click the hamburger icon and
Networking & Security
>
Connectivity
.
On the
Gateways
tab, click the Gateway name link text to open the
Gateway details page.
In the Gateway table, the VPN Gateway name is a clickable link text.
The
Gateway Version
is listed in the
Properties
widget.
Figure.
Gateway Version
Click to enlarge
Detecting Upgrades for Gateways
About this task
Prism Central can detect whether new Gateway upgrades are available, or not, for
Nutanix Gateways using LCM. You can then install the upgrade.
Procedure
Click the hamburger icon of
Dashboard
.
Click
Administration
>
LCM
>
Inventory
.
Click
Perform Inventory
.
Note:
Nutanix recommends that you select
Enable LCM Auto
Inventory
in the
LCM
page in Prism
Central to continuously detect new Gateway upgrades as soon as they are
available.
The upgrade notification banner is displayed on the
Gateways
page.
Upgrading the PC-managed Onprem Nutanix VPN Gateways
About this task
Perform upgrades of PC-managed Nutanix Gateways using the respective PC on which the
Gateway is created.
To upgrade the on-prem Nutanix Gateways, do the following:
Procedure
Log on to the Prism Central as the admin user and click the gear icon.
Go to
Administration
>
LCM
>
Inventory
.
Click
Perform Inventory
.
When you click
Perform Inventory
, the system scans the
registered Prism Central cluster for software versions that are running
currently. Then it checks for any available upgrades and displays the
information on the
LCM
page under
Software
.
Note:
Skip this step if you have enabled auto-inventory in the
LCM
page in Prism Central.
Go to
Updates
>
Software
. Select the
Gateway version you want to upgrade to and click
Update
.
LCM upgrades the Gateway version. This process takes sometime.
Network and Security View
The
Network and Security
category in the
Entities
Menu
expands on-click to display the following networking and security
entities that are configured for the registered clusters:
Subnets
: This dashboard displays the subnets and the operations
you can perform on subnets.
Virtual Private Clouds
: This dashboard displays the VPCs and the
operations you can perform on VPCs.
Floating IPs
: This dashboard displays a list of floating IP
addresses that you are using in the network. It allows you to request for floating IP
addresses from the free pool of I addresses available to the clusters managed by the
Prism Central instance.
Connectivity
: This dashboard allows you to manage the following
networking capabilities:
Gateways
: This tab provides a list of network Gateways you
have created and configured, and the operations you can perform on the network
Gateways. You can check and upgrade the Gateway bundle in
Administration
>
LCM
>
Inventory
.
VPN Connections
: This tab provides a list of VPN connections
you have created and configured, and the operations you can perform on VPN
connections.
Subnet Extensions
: This tab provides a list of subnets that
you have extended at the Layer 2 level using VPN (point-to-point over Nutanix VPN)
or VTEP (point-to-multi-point including third party).
Security Policies
: This dashboard provides a list of security
policies you configured using Flow Segmentation. For more information about Security
Policies, see the Flow Microsegmentation Guide.
See Network Connections section for information on how
to configure network connections.
Subnets (Overlay IP subnets), Virtual private clouds, floating IPs, and Connectivity are
Flow virtual networking features. These features support flexible app-driven networking that
focuses on VMs and applications instead of virtual LANs and network addresses. Flow virtual
networking powers network virtualization to offer a seamless network experience with
enhanced security. It is disabled by default. It is a software-defined network
virtualization solution providing overlay capabilities for the on-premises AHV clusters.
Security policies drives the Flow Segmentation features for secure communications. See
Flow Microsegmentation Guide.
Subnets
Manage subnets in the
List
view of
Subnets
dashboard in the
Network and
Security
section.
To access the
Subnets
dashboard, select
Subnets
from the entities menu in Prism Central. The
Subnets
dashboard allows you to view information about the subnets configured for the registered
clusters.
Note:
This section describes the information and options that appear in the
Network
and Security
dashboard. See Entity Exploring for instructions on how to view and
organize that information in a variety of ways.
Figure.
Subnets Dashboard
Click to enlarge
The following table describes the fields that appear in the subnets list. A dash (-) is
displayed in a field when a value is not available or applicable.
Table 1.
Subnets Dashboard Fields
Parameter
Description
Values
Name
Displays the subnet name.
(subnet name)
External Connectivity
Displays whether or not the subnet has external connectivity
configured.
(Yes/No)
Type
Displays the subnet type.
VLAN
VLAN ID
Displays the VLAN identification number.
(ID number)
VPC
Displays the name of the VPC that the Subnet is used in.
(Name of VPC)
Virtual Switch
Displays the virtual switch that is configured for the VLAN you selected. The
default value is the default virtual switch
vs0
.
Note:
The virtual
switch name is displayed only if you add a VLAN ID in the VLAN ID
field.
(virtual switch name)
IP Prefix
Displays the IPv4 Address of the network with the prefix.
(IPv4 Address/Prefix)
Cluster
Displays the name of the cluster for which this subnet is configured.
(cluster name)
Hypervisor
Displays the hypervisor that the subnet is hosted on.
(Hypervisor)
To filter the list by network name, enter a string in the filter field. (Ignore the
Filters
pane as it is blank.)
To view focused fields in the List, select the focus parameter from the
Focus
drop down list. You can create your own customised focus
parameters by selecting
Add custom
from the drop down list and
selecting the necessary fields after providing a
Name
, in the
Subnet Columns
.
There is a
Network Config
action button to configure a new network
(see Configuring Network Connections)
The
Actions
menu appears when one or more networks are selected and
includes a
Manage Categories
option (see Assigning a Category).
Go to the
Subnets
list view by clicking
Network and Security
>
Subnets
on the left side-bar.
Figure.
Subnets Page
Click to enlarge
To view or select actions you can perform on a subnet, select the subnet and click the
Actions
dropdown.
Figure.
Subnet Actions
Click to enlarge
Table 2.
Subnet Actions
Action
Description
Update
Click this action to update the selected subnet. see Updating a Subnet.
Manage Extension
Click this action to create a subnet extension. A subnet extension allows VMs
to communicate over the same broadcast domain to a remote Xi availability zone (in
case of Xi-Leap based disaster recovery) via the extension.
Manage Categories
Click this action to associate the subnet with a category or change the
categories that the subnet is associated with.
Delete
Click this action to delete the selected subnet. See Deleting Subnets, Policies, or Routes.
You can also filter the list of subnets by clicking the
Filters
option and selecting the filtering parameters.
Subnet Summary View
View the details of a subnet listed on the Subnets page.
To view the details of a subnet, click the name of the subnet on the subnet list view.
Figure.
Subnet Summary Page
Click to enlarge
The
Summary
page provides buttons for the actions you can perform on
the subnet, at the top of the page. Buttons for the following actions are available:
Update
,
Extend
,
Manage
Categories
, and
Delete
.
The subnet
Summary
page has the following widgets:
Widget Name
Information provided
Subnet Details
Provides the following:
Type
— Displays the type of network like VLAN or
Overlay.
VLAN ID
— Displays the VLAN ID. This parameter is
displayed only for VLAN networks.
VPC
— Displays the VPC name. This parameter is displayed
only for Overlay networks.
Cluster
— Displays the cluster that the VLAN network is
configured on. This parameter is displayed only for VLAN networks.
IP Prefix
— Displays the IP address prefix configured for
the network. This parameter is displayed for both VLAN and Overlay
networks.
IP Pool
Provides the IP address
Pool Range
assigned to the
network.
External Connectivity
Provides the following:
NAT
— Displays whether NAT is enabled or disabled for
VPCs connecting to the network. When you hover on the
Enabled
/
Disabled
status, the hover message displays details of VPCs connected to the external
subnet.
Associated VPCs
— Displays the VPCs associated with this
external subnet.
Virtual Private Clouds
You can manage Virtual Private Clouds (VPCs) on the
Virtual Private
Clouds
dashboard.
Go to the
Virtual Private Clouds
dashboard by clicking
Network and Security
>
Virtual Private Clouds
on the left side-bar.
Figure.
Virtual Private Clouds dashboard
Click to enlarge
You can configure the table columns for the VPC list table. The available column list
includes
Externally Routable IP Addresses
that provides address
space within the VPC that is reachable externally without NAT.. For the list of columns that
you can add to the list table, see Customizing the VPC List View.
Note:
Ensure that the externally routable IP addresses (subnets with external connectivity
without NAT) for different VPCs do not overlap.
Configure the routes for the external connectivity subnets with next hop as the Router or
SNAT IP address. Also configure the routes on the router for the return traffic to reach
the VPC. See
External Connectivity
panel in VPC Details View.
To view or select actions you can perform on a VPC, select the VPC and click the
Actions
drop down.
You can also filter the list of VPC by clicking the
Filters
option
and selecting the filtering parameters.
Customizing the VPC List View
About this task
You can customize the columns in the table. Click the
View by
drop down and select
+ Add custom
.
In the
Virtual Network Columns
dialog box, do the following.
Procedure
Enter a name for the view.
Select the columns you want displayed in the table.
During the column selection, the columns you select are moved under the
Selected Columns
list. The
Name
(of the VPC) column is the default column
already selected. You can add a maximum of 10 columns (including the
Name
column) to the
Selected
Column
list.
Figure.
Customizing Columns in VPC View
Click to enlarge
To arrange the order of the selected columns, hover on the column name and
click the up or down arrow button as appropriate.
Click
Save
.
VPC Details View
To view the details of a VPC, click the name of the VPC on the VPC list view.
The VPC details view has the following tabs:
Summary
Figure.
Summary Tab
Click to enlarge
The
Summary
tab provides the following panes:
DNS Servers—Provides more information about the DNS Servers used by the VPC.
External Connectivity—Provides the name of the external subnet, NAT Gateway host
details, router/SNAT IP address and the IP address spaces or ranges configured for the
VPC.
Floating IP Addresses—Provides details of the floating IP addresses that the VPC
uses.
Subnets
Figure.
Subnet Tab
Click to enlarge
The
Subnet
tab provides the following information for the
subnets:
Name—Displays the name of the subnet.
IP Range—Displays the IP address range configured for the subnet.
DHCP IP Pool—Displays the DHCP IP address pool configured for the subnet.
Default Gateway IP—Displays the IP address used as the default gateway by the
entities in the subnet.
Actions—Displays the actionable links to
Edit
or
Delete
the subnet.
Policies
Figure.
Policies Tab
Click to enlarge
The
Policies
tab maps the following information about the
security-based traffic shaping policies you configure:
Priority—The traffic priority.
Rule—The
Allow
or
Deny
rule set for
the priority.
Traffic—The traffic type that the priority and rule should be applied to.
Actions—Actions you can take on the policy. You can perform three actions:
Clear counters
,
Edit
the policy or
Delete
the policy.
Routes
Figure.
Routes Tab
Click to enlarge
The
Routes
tab provides the following information about the
routes:
The VPC details view has the following configuration options for the VPC:
Update
: Use this option to update the VPC. For more information,
see Updating Virtual Private Cloud.
Add Subnet
: Use this option to add a subnet to the VPC. For more
information, see Creating a Subnet.
Create Static Routes
: Use this option to create a static route.
For more information, Creating Static Routes.
Update Static Routes
: Use this option to update static route
configurations that you already created. For more information, see Updating Static Routes.
Create Policy
: Use this option to create traffic policies in
addition to the pre-configured default policy. When you create a VPC, there is one default
policy that Advanced Networking creates for the VPC. This policy is pre-configured and
cannot be edited. For more information, see Creating a Policy.
Clear All Counters
: Allows you to clear all the counters for the
VPC.
Delete
: Allows you to delete the VPC. For more information, see
Deleting a Virtual Private Cloud.
Floating IPs
You can access floating IPs on the
Floating IPs
dashboard or list view in the
Network and Security
section.
For information about floating IP addresses and their role in Flow virtual networking, see
SNAT and Floating IP Address.
Go to the
Floating IPs
dashboard by clicking
Network and Security
>
Floating IPs
on the left side-bar.
Figure.
Floating IPs dashboard
Click to enlarge
To view or select actions you can perform on a floating IP address assigned, select the
floating IP address and click the
Actions
drop down. The following
actions are available for a selected floating IP address:
Update—Assign or change the assignment of the floating IP address. You can assign the
floating IP address to a IP address such as a private IP address in a VPC or the primary
IP address of a VM or a secondary IP address created on a VM.
Delete—Delete the floating IP address. The deleted IP address returns to the IP address
pool as unused. Before you delete, ensure that it is not assigned to a private IP address
or a VM. Change the assignment to
None
if it is already assigned,
using the
Update
action.
Note:
Floating IP addresses are not reachable (Pings fail) unless you associate them to
primary or secondary IP addresses of VMs. For more information about assigning floating IP
addresses to secondary IP addresses of VMs, see
Assigning Secondary IP Addresses to Floating
IPs
.
To filter the list of floating IP address assignments, click the
Filters
option and select the appropriate filtering
parameters.
To request floating IP addresses, see Requesting Floating IPs.
Connectivity
You can access network Gateways, VPN connections and subnet extensions on the
Connectivity
dashboard.
Click
Network & Security
>
Connectivity
to see the
Connectivity
dashboard.
The
Connectivity
dashboard opens on the
Gateways
tab. To see the VPN connections, click the
VPN Connections
tab. To see
the subnets extended across AZs, click the
Subnet Extensions
tab.
Gateways Summary View
The
Connectivity
dashboard opens on the
Gateways
dashboard or summary view.
The
Gateway
dashboard provides a list of gateways created for the
clusters managed by the Prism Central.
The
Gateways
dashboard provides a
Create
Gateway
dropdown menu that lets you create a
Local
or a
Remote
gateway. You can create a local or remote gateway with
VPN
or
VTEP
service. For more information,
see Creating a Network Gateway.
You can select a gateway from the list (select the checkbox provided for the gateway) and
then perform an action provided in the
Actions
dropdown list. The
Actions
dropdown list allows you to
Update
or
Delete
the selected gateway.
Figure.
Gateways dashboard
Click to enlarge
The
Gateway
summary list view provides the following details about
the gateway.
Table 1.
Gateway List Fields
Parameter
Description
Values
Name
Displays the name of the gateway.
(Name of gateway)
Type
Displays the gateway type.
(Local or Remote)
Service
Displays the service that the gateway uses.
(VPN or VTEP)
Service IP
Displays the IP address used by the service.
(IP address)
Status
Displays the operational status of the gateway.
(Up or Down)
Attachment Type/Vendor
Displays the type of subnet associated with the gateway.
(VLAN or Overlay-VPC name)
Connections
Displays the number of service connections (such as VPN connections) configured
and operational on the gateway.
(number)
You can click the name of a gateway to open the gateway details page that presents the
information about the gateway in widgets.
Gateway Details View
You can click the name of a gateway in the
Gateway
dashboard
list to open the gateway details page that presents the information about the gateway in
widgets.
The gateway details page displays the name of the gateway on the top left corner.
On the top right corner, the close button (X) allows you to close the details page.
The
Update
button opens the
Update
Gateway
page. For more information, see Updating a Network Gateway in
Flow
Networking Guide
.
The
Delete
button allows you to delete the gateway. For more
information, see Deleting a Network Gateway in
Flow
Networking Guide
.
Figure.
Gateway Details View
Click to enlarge
The details about the gateway are organized in widgets as follows:
Table 1.
Gateway Details
Parameter
Description
Values
Properties widget
Type
Displays the gateway type.
(Local or Remote)
Attachment Type
Displays the network entity like VLAN or VPC that the gateway is attached
to.
(VLAN or VPC)
VPC or Subnet (VLAN)
Displays the name of the attached VPC or VLAN subnet.
(Name of VLAN or VPC)
Floating or Private IP Address
Displays the Floating (for VPC) or Private (for VLAN) IP address assigned to
the gateway.
(IP Address)
Status
Displays the operational status of the gateway.
(Up or Down)
Gateway Version
Displays the version of the Nutanix gateway appliance deployed.
(Version)
Cluster
Displays the name of the cluster on which the gateway is created.
(Cluster name)
Gateway VM
Displays the name of the VM on which the gateway is created.
(Name of VM - actionable link. Click the name-link to open the VM details page
of the gateway VM.)
Service Configuration
Service
Displays the service used by the gateway.
(VPN or VTEP)
External Routing
Displays the type of routing associated with the gateway for external traffic
routing.
(Static or eBGP with ASN)
Internal Routing
Displays the type of routing associated with the gateway for internal traffic
routing.
(Static or eBGP with ASN)
VPN Connections
Displays the total number of VPN connections associated with the
gateway.
(Number - actionable link. Click the link to open the VPN connection details
page for the associated VPN connection.)
View VPN Connections
Click this link to open the VPN Connections tab.
-
VPN Connections Summary View
The
Connectivity
dashboard allows you to open the
VPN
Connections
dashboard or summary view.
VPN Connection: Represents the VPN IPSec tunnel established between local gateway and
remote gateway. When you create a VPN connection, you need to select two gateways between
which you want to create the VPN connection.
The
VPN Connections
dashboard provides a list of VPN connections
created for the clusters managed by the Prism Central.
The
VPN Connections
dashboard provides a
Create VPN
Connection
button that opens the
Create VPN Connection
.
For more information, see Creating a VPN Connection in
Flow Networking
Guide
.
You can select a VPN connection from the list (select the checkbox provided for the VPN
connection) and then perform an action provided in the
Actions
dropdown list. The
Actions
dropdown list allows you to
Update
or
Delete
the selected VPN
connection.
The
VPN Connections
summary list view provides the following details
about the VPN connection.
Figure.
VPN Connections dashboard
Click to enlarge
Table 1.
VPN Connections List Fields
Parameter
Description
Values
Name
Displays the name of the connection.
(gateway name)
IPSec Status
Displays the connection status of IPSec tunnel.
(Connected or Not Connected)
EBGP Status
Displays the status of the EBGP gateway connection.
(Established or Not Established)
Local Gateway
Displays the name of the local gateway used for the connection.
(Name of local gateway)
Remote Gateway
Displays the name of the remote gateway used for the connection.
(Name of remote gateway)
Dynamic Routing Priority
Displays the dynamic routing priority assigned to the connection for throughput
management. You can assign any value in the range of 100-1000. Flow Virtual Networking
assigns the first VPN connection the value 500 by default. Thereafter, subsequent
VPN connections are assigned values decremented by 50. For example, the first
connections is assigned 500, then the second connection is assigned 450, the third
one 400 and so on.
(Number in the range of 100-1000. User assigned.)
VPN Connections Details View
You can click the name of a VPN connection in the
VPN
Connections
dashboard list to open the VPN connection details page that presents
the information about the VPN connection in widgets.
The VPN connection details page displays the name of the VPN connection on the top left
corner.
On the top right corner, the close button (X) allows you to close the details page.
The
Update
button opens the
Update VPN
Connection
page. For more information, see Updating a VPN Connection in
Flow
Networking Guide
.
The
Delete
button allows you to delete the VPN connection. For
more information, see Deleting a VPN Connection in
Flow
Networking Guide
.
Figure.
VPN Connection Details
Click to enlarge
The details about the VPN connection are organized in widgets as follows:
Summary tab—See the
VPN Connection Summary Tab Details
table below.
Throughput tab—See the
VPN Connection Throughput Tab Details
table
below.
IPSec Logging tab—Provides logs for the IPSec tunnel.
Routing Protocol Logging tab—Provides logs for the routing protocol used in the VPN
connection.
Table 1.
VPN Connection Summary Tab Details
Parameter
Description
Values
VPN Connection widget
IPSec Status
Displays the connection status of IPSec tunnel.
(Connected or Not Connected)
EBGP Status
Displays the status of the EBGP gateway connection.
(Established or Not Established)
Dynamic Routing Priority
Displays the dynamic routing priority assigned to the connection for throughput
management. You can assign any value in the range of 100-1000. Flow Virtual Networking
assigns the first VPN connection the value 500 by default. Thereafter, subsequent
VPN connections are assigned values decremented by 50. For example, the first
connections is assigned 500, then the second connection is assigned 450, the third
one 400 and so on.
(Number in the range of 100-1000. User assigned.)
Local Gateway Properties
Gateway Name
Displays the name of the local gateway used for the connection.
(Name of local gateway)
Type
Displays the type of gateway.
(Local)
Attachment Type
Displays the network entity like VLAN or VPC that the gateway is attached
to.
(VLAN or VPC)
VPC or Subnet (VLAN)
Displays the name of the attached VPC or VLAN subnet.
(Name of VLAN or VPC)
Tunnel IP
Displays the Tunnel IP address of the local gateway.
(IP Address)
Connection Type
Displays the connection type you selected while creating the VPN connection.
The connection type may be Initiator or Acceptor of a VPN connection between the
local and remote gateways. T
(Initiator or Acceptor)
External Routing
Displays the type of routing associated with the gateway for external traffic
routing.
(Static or eBGP with ASN)
Internal Routing
Displays the type of routing associated with the gateway for internal traffic
routing.
(Static or eBGP with ASN)
Floating or Private IP Address
Displays the Floating (for VPC) or Private (for VLAN) IP address assigned to
the gateway.
(IP Address that you assigned to the local gateway with /30 prefix when you
configured the VPN connection.)
Status
Displays the operational status of the gateway.
(Up or Down)
Cluster
Displays the name of the cluster on which the gateway is created.
(Cluster name)
Gateway VM
Displays the name of the VM on which the gateway is created.
(Name of VM - actionable link. Click the name-link to open the VM details page
of the gateway VM.)
Remote Gateway Properties
Gateway Name
Displays the name of the remote gateway used for the connection.
(Name of remote gateway)
Type
Displays the type of gateway.
(Remote)
Tunnel IP
Displays the Tunnel IP address of the remote gateway.
(IP Address)
Connection Type
Displays the connection type you selected while creating the VPN connection.
The connection type may be Initiator or Acceptor of a VPN connection between the
local and remote gateways. T
(Initiator or Acceptor)
External Routing
Displays the type of routing associated with the gateway for external traffic
routing.
(Static or eBGP with ASN)
ASN
Displays the ASN of the EBGP route. This information is only displayed if you
configured EBGP as the External Routing protocol.
(Number)
Vendor
Displays the name of the vendor of the gateway appliance at the remote
site.
(Name of vendor of gateway appliance)
External IP
Displays the IP address assigned to remote the gateway.
(IP Address that you assigned to the remote gateway with /30 prefix when you
configured the VPN connection.)
Status
Displays the operational status of the gateway.
-
Protocol Details
Service
Displays the service used by the gateway.
(VPN or VTEP)
Gateway Routes
Displays the status of the routes used by the gateways.
(Sent)
Subnet Extensions Summary View
The
Connectivity
dashboard opens on the
Subnet
Extensions
dashboard or summary view.
This Guide does not provide detailed information about
Security Policies
. It
only describes the Summary and Details views for the same. For detailed information about
Security Policies
, see Flow Microsegmentation Guide
The
Subnet Extensions
dashboard provides a list of subnet extensions
created for the clusters managed by the Prism Central.
The
Subnet Extensions
dashboard provides a
Create Subnet
Extension
dropdown menu that lets you extend a subnet
Across
Availability Zones
or
To a Third Party Data Center
. You
can extend a subnet using
VPN
or
VTEP
service.
See Layer 2 Virtual Network Extension for more information.
You can select a subnet extension from the list (select the checkbox provided for the
subnet extension) and then perform an action provided in the
Actions
dropdown list. The
Actions
dropdown list allows you to
Update
or
Delete
the selected subnet
extension.
Figure.
Subnet Extensions dashboard
Click to enlarge
The
Subnet Extensions
summary list view provides the following
details about the gateway.
Table 1.
Subnet Extensions List Fields
Parameter
Description
Values
Name
Displays the name of the subnet extension.
(Name of subnet extension)
Type
Displays the subnet extension type.
(
Across Availability Zones
or
To a Third
Party Data Center
)
Extension Over
Displays the service that the subnet extension uses.
(VPN or VTEP)
Extension Uses
Displays the name of the local network gateway that the subnet extension
uses.
(Name of local network gateway)
Local Subnet
Displays the name of the local subnet that the subnet extension uses.
(Name of local subnet)
Remote Site
Displays the name of the remote network gateway that the subnet extension
uses.
(Name of remote network gateway)
Connection Status
Displays the status of the connection that is created by the subnet extension.
Not Available
status indicates that Prism Central is unable
to ascertain the status.
(Not Available, Connected, or Disconnected)
Interface Status
Displays the status of the interface that is used by the subnet
extension.
(Connected or Down)
You can click the name of a subnet extension to open the subnet extension details page that
presents the information about the subnet extension in widgets.
Subnet Extensions Details View
You can click the name of a subnet extension in the
Subnet
Extensions
dashboard list to open the subnet extension details page that presents
the information about the subnet extension in widgets.
The subnet extension details page displays the name of the subnet extension on the top left
corner. It has two tabs -
Summary
,
Address Table
and
Throughput
.
Summary
The
Summary
tab provides the information about the subnet extension in
widgets. It also allows you to take the following actions:
On the top right corner, the close button (X) allows you to close the details page.
The
Update
button opens the
Update Subnet
Extension
page. See Updating an Extended Subnet for more
information.
The
Delete
button allows you to delete the subnet extension. See
Removing an Extended Subnet for more
information.
Figure.
Subnet Extensions Details View - Summary tab sample for VTEP extension
Click to enlarge
(For VLAN subnets only) Displays the VLAN ID of the VLAN subnet that is
extended.
(VLAN ID number)
VPC
(For Overlay subnets only) Displays the name of the VPC subnet that is
extended.
(Name of VPC)
Cluster
(For VLAN subnets only) Displays the cluster that the VLAN subnet belongs
to.
(Name of cluster)
IP Address Prefix
Displays the network IP address with prefix, of the VLAN subnet that is
extended.
(IP Address with prefix)
Virtual Switch
(For VLAN subnets only) Displays the virtual switch on which the VLAN subnet is
configured.
(Virtual Switch name such as vs0 or vs1)
IP Address Pools
Pool Range
Displays the range of IP addresses in the pool configured in the subnet that is
extended.
(IP address range)
(Interactive Graphic Pie Chart)
Displays a dynamic pie chart that displays the statistic you hover on. Displays
the following IP address statistics outside the pie chart, that you can hover on:
Total number of IP addresses available.
Used IP addresses in the subnets
Used IP addresses in the IP address pools
Free IP addresses in the subnets
Free IP addresses in the IP address pools
(IP Address statistics)
Subnet Extension
Subnet Extension (properties) - Common
Type
Displays the subnet extension type.
(
Across Availability Zones
or
To a Third
Party Data Center
)
Interface Status
Displays the status of the interface that is used by the subnet
extension.
(Connected or Down)
Connection Status
Displays the status of the connection that is created by the subnet extension.
Not Available
status indicates that Prism Central is unable
to ascertain the status.
(Not Available, Connected, or Disconnected)
Local IP Address
Displays the IP address that you entered in the
Local IP
Address
field while creating the subnet extension.
(IP Address)
Local Subnet
Displays the name of the local subnet that the subnet extension uses.
(Name of local subnet)
Subnet Extension (properties) - (Only for
Across Availability Zones
type)
Local Availability Zone
(Only for
Across Availability Zones
type) Displays the
name of the local AZ that is hosting the subnet that is extended.
(Name of the local Availability Zone)
Remote Availability Zone
(Only for
Across Availability Zones
type) Displays the
name of the remote AZ that the subnet is extended to.
(Name of the remote Availability Zone)
Remote Subnet
(Only for
Across Availability Zones
type) Displays the
name of the remote subnet that the subnet extension connects to.
(Name of remote subnet)
Remote IP Address
(Only for
Across Availability Zones
type) Displays the
IP address that you entered in the
Remote IP Address
field
while creating the subnet extension.
(IP Address)
Subnet Extension (properties) - (Only for
To a Third Party Data Center
type)
Local Gateway
(Only for
To a Third Party Data Center
type) Displays
the name of the local gateway used for the subnet extension.
(Name of local gateway)
Remote Gateway
(Only for
To a Third Party Data Center
type) Displays
the name of the remote gateway used for the subnet extension.
(Name of remote gateway)
Address Table
The
Address Table
tab provides MAC Address information only when the
subnet extension uses VTEP service. The tab provides the following information in the
table:
MAC Address
: This provides the MAC addresses of devices connected
to the remote VTEP endpoint in the subnet extension.
Remote VTEP Endpoint
: This provides the IP address of the remote
VTEP endpoint in the subnet extension.
Figure.
Subnet Extensions Details View - Address Table tab sample for VTEP extension
Click to enlarge
Figure.
Subnet Extensions Details View - Address Table tab sample for VPN-based
Extension
Click to enlarge
Throughput
The
Throughput
tab provides a graphical representation of the
throughput of the subnet extension.
Figure.
Subnet Extensions Details View - Throughput tab sample for VTEP Extension
Click to enlarge
Note:
This section describes the information and options that appear in the security policies dashboard.
See Entity Exploring for instructions on how to view
and organize that information in a variety of ways.
See Flow Microsegmentation Guide for information
about how to create and apply security policies.
Figure.
Security Policies Dashboard
Click to enlarge
The following table describes the fields that appear in the security policies list. A dash
(-) is displayed in a field when a value is not available or applicable.
Table 1.
Security Policies List Fields
Parameter
Description
Values
Name
Displays the policy name. The policy is one of three types: application,
quarantine, or isolation.
(name), Application, Quarantine, Isolation
Purpose
Describes (briefly) the policy's purpose.
(text string)
Policy
Displays (high level) what the policy does.
(boxed text)
Status
Displays the current status of the policy (either applied currently or in
monitoring mode).
Applied, Monitoring
Last Modified
Displays the date the policy was last modified (or the creation date if the
policy has never been modified).
(date)
You can filter the security polices list based on several parameter values. The following
table describes the filter options available when you open the Security Policies view
Filter
pane. To apply a filter, select a parameter and check the
box of the desired value (or multiple values) you want to use as a filter. You can apply
filters across multiple parameters.
Table 2.
Filter Pane Fields
Parameter
Description
Values
Name
Filters on the item name. Select a condition from the pull-down list
(
Contains
,
Doesn't contain
,
Starts with
,
Ends with
, or
Equal to
) and enter a string in the field. It will return a
list of security policies that satisfy the name condition/string.
(policy name string)
Type
Filters on the policy type. Check the box for one or more of the policy types
(application, quarantine, isolation). It will limit the list to just those policy
types.
Application, Quarantine, Isolation
Status
Filters on the policy status. Check the box for applied or monitoring.
Applied, Monitoring
The security policies dashboard includes a
Create Security Policy
action button with a drop-down list to
Secure an Application
or
Isolation Environments
.
The
Actions
menu appears when one or more policies are selected. It
includes options to update, apply, monitor, and delete. The available actions appear in
bold; other actions are grayed out. (For grayed out options, a tool tip explaining the
reason is provided.)
Security Policy Details View
This Guide does not provide detailed information about
Security Policies
. It
only describes the Summary and Details views for the same. For detailed information about
Security Policies
, see Flow Microsegmentation Guide
To access the details page for a security policy, click on the desired security policy name
in the list (see Security Policies Summary View).
The Security Policy details page includes the following:
The policy name appears in the upper left. You can switch from one policy to another by
selecting the policy name from the pull-down list.
The rule status appears below the name and indicates whether the policy is being applied
currently or is in monitoring mode.
Three columns appear that specify the Inbound policy (on the left), the affected
entities (in the middle), and the Outbound policy (on the right).
There are three action buttons (upper right).
Click the appropriate button to update, apply, monitor, or delete the policy (see
Nutanix Security Guide
for details). The available actions appear in
bold; other actions are grayed out. (For grayed out options, a tool tip explaining the
reason is provided.)
Click the question mark icon to open a help page in a separate tab or window.
Click the X icon to close the details page.
Figure.
Security Policy Details View: Monitoring Rule Example
Click to enlarge
Figure.
Security Policy Details View: Applied Rule Example
Click to enlarge
For more information about Security Policies, see Flow Microsegmentation Guide.
Virtual Private Cloud
A Virtual Private Cloud (VPC) is an independent and isolated IP address space that functions
as a logically isolated virtual network. A VPC could be made up of one or more subnets that
are connected through a logical or virtual router. The IP addresses within a VPC must be
unique. However, IP addresses may overlap across VPCs. As VPCs are provisioned on top of
another IP-based infrastructure (connecting AHV nodes), they are often referred to as the
overlay networks. Tenants may spin up VMs and connect them to one or more subnets within a
VPC.
Virtual Private Cloud (VPC) is a virtualized network of resources that are specifically
isolated from the rest of the resource pool. VPC allows you to manage the isolated and secure
virtual network with enhanced automation and scaling. The isolation is done using network
namespace techniques like IP-based subnets or VLAN based networking.
AHV provides the framework to deploy VPC on on-premises clusters using the following.
Advanced Networking subnets and DHCP management
Multiple uplink and bridge management via virtual switch (VS)
Virtual Private Network (VPN) gateways and connections
Flow Virtual Networking simplifies the deployment and configuration of overlay-based VPCs. It allows
you to quickly:
Create, update and delete VPCs.
Create, update and delete subnets within VPCs.
Note:
Create subnets as necessary when you
create VPCs.
Add network security policies and services.
Configure hybrid cloud connectivity with VPNs.
This section covers the concepts and procedures necessary to implement VPCs in the
network.
VM IP Address Management
Primary Address
The primary IP address is assigned to a VM during initialization when the cluster provides
any virtual NIC (NIC) to a VM.
Select
Assign Static IP
as the
Assignment
Type
to add a static IP address as primary IP address of the VM, when you
attach a subnet to a VM.
Select
Assign with DHCP
as the
Assignment
Type
to allow DHCP to dynamically assign an IP address to the VM.
Select
No Private IP
as the
Assignment
Type
if you do not want to assign an IP address to the vNIC of the VM.
For more information about attaching a subnet to a VM, see Creating a VM through Prism Central (AHV) in the
Prism Central Guide
.
Secondary IP Addresses (Overlay Networks only)
For your deployment, you may need to configure multiple (static) IP addresses to a single
NIC. These IP addresses (other than the primary IP address) are secondary IP addresses. A
secondary IP address can be permanently associated with a specific NIC or be changed to any
other NIC. The NIC ownership of a secondary IP address is important for security routing
policies.
Note:
You can configure secondary IP addresses only for VMs in an Overlay network.
You can configure secondary IP addresses to a NIC when you want to:
Associate multiple floating IP addresses with one VM without creating multiple NICs
(each with one primary IP address) for the VM. You can assign one floating IP address to
one secondary IP address that you create for the single NIC. For information about
floating IP addresses, see Requesting Floating IPs.
Run appliances, such as load balancers, that have multiple IP addresses on each
interface.
Host applications in a High Availability (HA) configuration where the ownership of IP
address moves from the active entity to the standby entity when the active entity goes
down.
Host applications in a clustered configuration where the ownership of IP address follows
the leader.
Host Nutanix Files service in a VPC as a case of clustered application.
Note:
In applications that use secondary IP addresses as virtual IP addresses and the NIC
ownership of the secondary IP address changes dynamically from one NIC to another,
configure the application to incorporate the ownership change in its settings or
configuration. If the applications do not incorporate these ownership changes, the VPCs
configured for such applications fail.
For information about configuring secondary IP addresses, see Creating Secondary IP Addresses.
IP Address Information
You can view the IP addresses configured on a VM by clicking the
See
More
link in the
IP Address
column in the VM
details view to open the
IP Address Information
box.
Note:
The
See More
link in the
IP Address
column in the VM details view and the
IP Address Information
box are
available only if the VM has any secondary IP addresses configured.
Figure.
IP Address Information
Click to enlarge
Creating Secondary IP Addresses
You can assign multiple secondary IP addresses to a single vNIC.
About this task
You can add multiple secondary IP addresses to the vNIC configured on a VM. Add the
secondary IP addresses to the vNIC in the
Create
VM
or the
Update
VM
page.
Procedure
Go to the
Networks
section.
Click the
Edit
icon for the subnet that you want to add
the secondary IP addresses from.
The
Update NIC
dialog box opens.
Check the
Add Secondary IPs
check box in the
Update NIC
dialog box.
Figure.
Add Secondary IP Addresses
Click to enlarge
Add a comma-separated list of the secondary IP addresses that you want to add
to the vNIC of the VM.
Note:
Ensure that the secondary IP addresses are within the same subnet that
the primary IP address of the
NIC
is from. The subnets are displayed in the
Private IP Assignment
section in the
Update NIC
dialog box.
Ensure that the secondary IP address is not the same as the IP address
provided in the
Private IP Assignment
field.
Click
Save
.
Click
Next
on the
Resources
and the
Management
tabs of the
Update VM
page.
If you need to make any other changes on the
Resources
and the
Management
tabs for any configurations other
than adding secondary IP addresses, make the changes and then click
Next
on these tabs.
Click
Launch VM
on the
Review
tab
after you review
What to do next
You can view the secondary IP addresses configured on the VM in the
IP
Address Information
box.
Assigning Secondary IP Addresses to Interfaces
Assign the secondary IP addresses to interfaces or subinterfaces on the
VM.
About this task
To assign the secondary IP addresses to virtual interfaces on the VM, do the
following on the VM details page:
Procedure
Click
Console
.
Log in as a root user.
Run the
ifconfig
command as follows:
root@host$ ifconfig <interface> <secondary ip address> <network mask>
Provide the following in the command:
Parameter
Description
<interface>
The interface of the VM such as eth0. You can provide
subinterfaces
such as eth0:1 and eth0:2.
<secondary IP address>
The secondary IP address that you created and want to
associate with the interface.
<network mask>
The network mask that is an expansion of the network prefix
of the network that the secondary IP address belongs to. For
example, if the secondary IP address belongs to 10.0.0.0/24 then
the network mask is 255.255.255.0.
Repeat the aforementioned steps for all the secondary IP addresses you want to
associate with interfaces on the VM.
Exit from the Console.
Assigning Secondary IP Addresses to Floating IPs
Assign the secondary IP addresses to floating IP addresses on the VM.
About this task
After you assign secondary IP addresses to interfaces or subinterfaces on the VM, you
can assign the secondary IP addresses to floating IP addresses that may be used for
external connectivity.
Do one of the following:
Procedure
Assign floating IP addresses when you request floating IP addresses in the
Assign Floating IPs
section of the
Request
Floating IP
dialog box.
To assign floating IP addresses while requesting for them, you must have the
secondary IP addresses configured and ready when you are requesting the floating
IP addresses.
Select the floating IP address you want to assign, in the
Floating
IPs
dashboard. Click the
Update
option in
the
Actions
drop-down menu.
Assign the secondary IP addresses you configured to the floating IP addresses
you have.
VPC Workflow
A virtual private cloud (VPC) can be deployed on Nutanix cluster infrastructure to manage
the internal and external networking requirements using Flow Virtual Networking. The workflow to
create a complete network based on VPC is described below.
Create a VPC—See Creating Virtual Private Cloud. See Updating Virtual Private Cloud to update a VPC you created.
Add Subnets to the VPC—See Creating a Subnet to create a
Subnet. See Updating a Subnet to update a subnet.
Attach the Subnet to VMs—See Attaching a Subnet to a Virtual Machine.
VPC Management
This section provides information and procedures that you need to manage virtual
private clouds using Flow Virtual Networking.
Creating Virtual Private Cloud
About this task
You can create VPCs on the Virtual Private Clouds page. Go to the Virtual Private
Clouds page by clicking
Virtual Infrastructure
>
Networking
>
Virtual Private Clouds
.
To create a VPC, do the following.
Procedure
On the VPC dashboard, click
Create VPC
.
See Network and Security View for more information about the
VPC dashboard.
The
Create Virtual Private Cloud (VPC)
dialog box opens.
Figure.
Create Virtual Private Cloud
Click to enlarge
Provide the necessary values in respective fields in the
Create
Virtual Private Cloud (VPC)
dialog box.
Fields
Description and Values
Name
Provide a name for the VPC.
External Connectivity
This section takes you through configuration of the
parameters necessary for connectivity to the Internet or
clusters outside the VPC.
A subnet with external connectivity
(External Subnet) is required if the VPC needs to send
traffic to a destination outside of the VPC.
Note:
You
can add a maximum of two external subnets - one external
subnet with NAT and one external subnet without NAT to a
VPC. Both external subnets cannot be of the same type. For
example, you cannot add two external subnets, both with NAT.
You can update an existing VPC similarly.
Network
address translation (NAT) Gateways perform the required
IP-address translations required for external routing. You
can also have external connectivity without NAT.
External Subnet
Select an external subnet from the drop down list. By
associating the VPC with the external subnet you can provide
external connectivity to the VPC.
Note:
Ensure that the externally routable IP addresses (subnets with external connectivity
without NAT) for different VPCs do not overlap.
Configure the routes for the external connectivity subnets with next hop as the Router or
SNAT IP address. Also configure the routes on the router for the return traffic to reach
the VPC. See
External Connectivity
panel in VPC Details View.
Externally Routable IP Addresses
Provide IP addresses that are externally routable. Externally
routable IP addresses are IP addresses that within the VPC which
can communicate externally without NAT. These IP addresses are
used when an external subnet without NAT is used.
Domain Name Servers (DNS)
(Optional) DNS is advertised to Guest VMs via DHCP. This can
be overridden in the subnet configuration.
Click
+
Server IP
to add DNS server IPs under
IP Address
and click the check
mark.
You can
Edit
or
Delete
an IP address you added
using the options under
Actions
.
Click
Save
.
Requesting Floating IPs
About this task
Each VPN gateway requires a floating IP. If you do not provide one during the VPN
gateway creation, then Flow Virtual Networking automatically allocates a floating IP to a
VPN gateway. To provide floating IP during the VPN gateway creation, you can request
floating IPs and assign them to VMs.
You can view the allocated floating IPs on the
Floating IPs
page. Click
Networking
>
>
Floating IPs
.
To request a floating IP, do the following.
Procedure
Click the
Request Floating IP
button on the
Floating IPs
page.
On the
Request Floating IP
dialog box, provide the
information in the respective fields.
Figure.
Request and Assign Floating IPs
Click to enlarge
Note:
Uncheck the
Assign Floating IPs
box if you want to
assign the requested IP addresses after you receive it.
See Floating IPs for more
information.
Fields
Description and Values
External Subnet
Select a subnet that you configured with external
connectivity.
Number of Floating IPs
Enter the number of floating IPs you want. You can request a
maximum of 5 floating IP addresses.
Assign Floating IPs
Select this check box if you want to assign the floating IPs
to specific VMs in the table.
Based on the number you entered in the
Number of
Floating IPs
field, the system provides an
equivalent number of rows of
Search
VMs
and
IP
Address
in the table.
Under
Search VMs
, select the VM to
which you want to assign a floating IP address. Under
IP Address
, select the IP address
on the VM (primary or secondary IP address) to which you
want to assign the floating IP.
You can assign multiple floating IP addresses to multiple
secondary IP addresses that you can create on the NIC of the
VM.
For information about configuring secondary IP addresses, see
Creating Secondary IP Addresses.
Note:
Click
Save
.
What to do next
When you receive the floating IP address you requested, you can see it, assign it
(if not already assigned while requesting) or delete it in the
Floating
IPs
view.
Creating a Subnet
About this task
You can create subnets on the
Subnets
page. Go to the
Subnets
page by clicking
Virtual Infrastructure
>
Networking
and open the
Create Subnet
dialog box.
You can also open the
Create Subnet
dialog box from the VPC
details view by clicking the
Add Subnet
option.
To create a subnet, do the following.
Procedure
Click
Create Subnet
.
The
Create Subnet
dialog box opens. The following
figure displays the Create Subnet dialog box with all the options. These options
are displayed based on the values you select in the
Type
field.
Figure.
Create Subnet (With External Connectivity Disabled)
Click to enlarge
Figure.
Create Subnet (With External Connectivity Enabled)
Click to enlarge
Fields
Description and Values
Name
Provide a name for the subnet.
Type
Select the type of subnet you want to create.
You can create a
VLAN
subnet or an
Overlay
subnet.
VLAN ID
(VLAN subnet only) Enter the number of the
VLAN
.
Enter just the number in this field, for example 1 or 27.
Enter 0 for the native VLAN. The value is displayed as
vlan.1 or vlan.27 in the View pages.
Note:
Provision any single VLAN ID either in the AHV network
stack or in the Flow Virtual Networking (brAtlas) networking stack.
Do not use the same VLAN ID in both the stacks.
IP Address management
(Mandatory for Overlay type subnets) This section provides
the
Network IP Prefix
and
Gateway IP
fields for the subnet.
(Optional for VLAN type subnet) Check this box to display the
Network IP Prefix
and
Gateway IP
fields and configure the
IP address details.
Unchecking this box hides these fields. In this case, it is
assumed that this virtual LAN is managed outside the
cluster.
Note:
The
DHCP Settings
option is only
available for VLAN subnets if you select this
option.
DHCP Settings
(Optional for both VLAN and Overlay subnets) Check this box
to display fields for defining a domain.
Checking this box displays fields to specify DNS servers and
domains. Unchecking this box hides those fields.
See Settings the DHCP Options for more
information.
Cluster (VLAN subnet only)
(VLAN subnet only) This option is available only for
VLAN
subnet configuration. Select the
cluster that you want to assign to the subnet.
External Connectivity
(VLAN subnet
only) Turn on this toggle switch if you want use this
VLAN
subnet for external
connectivity.
Note:
Ensure that the externally routable IP addresses (subnets with external connectivity
without NAT) for different VPCs do not overlap.
Configure the routes for the external connectivity subnets with next hop as the Router or
SNAT IP address. Also configure the routes on the router for the return traffic to reach
the VPC. See
External Connectivity
panel in VPC Details View.
NAT
(Option under
External Connectivity
)
If you turn on the
External Connectivity
toggle switch, then you can choose whether to connect to
external networks with or without enabling NAT. Check the
NAT
check box to enable NAT for
external connectivity for VPCs.
Virtual Switch
(VLAN subnet only) Select the virtual switch that is
configured for the VLAN you selected. The default value is the
default virtual switch vs0. This option is displayed only if you
add a VLAN ID in the VLAN ID field.
VPC (Overlay subnet only)
Select the
Virtual Private Cloud (VPC)
that you want to assign to the subnet from the drop down
list.
You can create VPCs and assign them to
Overlay
subnets.
IP Address Pool
Defines a range of addresses for automatic assignment to
virtual NICs.
This field is optional for both
VLAN
and
Overlay
. For
VLAN
, this field is displayed
only if you select the
IP Address
Management
option.
Note:
Configure this field for
VLAN
or
Overlay
to complete the creation
of the VPC, if you do not need external connectivity for
this subnet. You must configure this field only if you need
external connectivity for this subnet.
Click the
Create Pool
button and enter
the following in the
Add IP Pool
page:
Enter the starting IP address of the range in the
Start Address
field.
Enter the ending IP address of the range in the
End Address
field.
Under
Actions
, click the check
mark to submit the starting and ending IP addresses
you entered.
Click the X mark to remove the entries.
Override DHCP Server
(VLAN subnet only) To configure a DHCP server, check the
Override DHCP Server
box and
enter an IP address in the
DHCP Server IP
Address
field.
See
Override DHCP Server (VLAN Only)
in Settings the DHCP Options for information
about this option.
Click
Save
.
Settings the DHCP Options
About this task
Selecting the
DHCP Settings
checkbox in
Create
Subnet
or
Update Subnet
allows you to configure
the DHCP options for the VMs within the subnet. When DHCP settings are configured
for a VM in a subnet and the VM is powered on, Flow Virtual Networking configures these
options on the VM automatically. If you do not configure the DHCP settings, then
these options are not available on the VM automatically when you power it on.
You can enable
DHCP Settings
when you create a subnet and
configure the
DHCP Settings
for the new subnet. You could also
update the DHCP Settings for an existing subnet.
DHCP Settings
is common to and is available on both the
Create Subnet
and the
Update Subnet
dialog boxes.
To configure the
DHCP Settings
, do the following in the
Create Subnet
or the
Update Subnet
dialog box:
Procedure
Provide the information in the
DHCP Settings
fields.
Figure.
DHCP Settings
Click to enlarge
Fields
Description and Values
Domain Name Servers
Provide a comma-separated list of DNS IP addresses.
Example: 8.8.8.8, 9.9.9.9
Domain Search
Enter the VLAN domain name. Use only the domain name
format.
Example: nutanix.com
TFTP Server Name
Enter a valid TFTP host server name of the TFTP server where
you host the host boot file. The IP address of the TFTP
server must be accessible to the virtual machines to
download a boot file.
Example: tftp_vlan103
Boot File Name
The name of the boot file that the VMs need to download from
the TFTP host server.
Example: boot_ahv2020xx
(Optional and for VLAN networks only) Check the
Override DHCP
Server
dialog box and enter an IP address in the
DHCP
Server IP Address
field.
You can configure a DHCP server using the
Override DHCP
Server
option only in case of VLAN networks.
The DHCP Server IP address (reserved IP address for the Acropolis DHCP
server) is visible only to VMs on this network and responds only to DHCP
requests. If this box is not checked, the DHCP Server IP Address field is
not displayed and the DHCP server IP address is generated automatically. The
automatically generated address is
network_IP_address_subnet.254
, or if the default
gateway is using that address,
network_IP_address_subnet.253
.
Usually the default DHCP server IP is configured as the last usable IP in the
subnet (For eg., its 10.0.0.254 for 10.0.0.0/24 subnet). If you want to use
a different IP address in the subnet as the DHCP server IP, use the override
option.
Attaching a Subnet to a Virtual Machine
About this task
To attach a subnet to a VM, go to the
Virtual Infrastructure
>
VM
>
List view
in Prism Central and do the following.
Procedure
Select the VM you want to attach a subnet to. Click
Actions
>
>
Update
.
In the
Update VM
dialog box, click
Add
NIC
.
Figure.
Click to enlarge
Provide the necessary information in the indicated fields in the
Create NIC
dialog box.
Select the
Subnet Name
from the drop down
list.
Select the
Network Connection State
as
Connected
or
Disconnected
.
The
Network Connection State
selection defines
the state of the connection after the NIC configuration is
implemented.
Select the
Assignment Type
.
You can select
Assign with DHCP
to assign a
DHCP based IP address to the VM.
You can select
Assign Static IP
to assign a
static IP address to the VM to reach the VM quickly from any
endpoint in the network such as a laptop.
Click
Add
.
Click
Save
on the
Update VM
dialog
box.
Creating a Policy
About this task
For Policy-based routing you need to create policies that route the traffic in the
network.
When you create a VPC, there is one default policy that Flow Virtual Networking creates for
the VPC. This policy is pre-configured with the Priority 1 and other default values
to
Deny
traffic flow and service (see the table of field
descriptions and values for this dialog box).
Note:
You cannot update or delete the
default policy.
Policies control the traffic flowing between subnets (inter-subnet
traffic).
Policies control the traffic flowing in and out of the VPC.
Policies do not control the traffic within a subnet (intra-subnet
traffic).
Figure.
Policy Tab
Click to enlarge
You can create
a traffic policy using the
Create Policy
dialog box. You can
open the
Create Policy
dialog box either from the VPC list view
or the VPC list view.
On the VPC list view, select the VPC you want to update and click
Create Policy
in the
Actions
drop down menu.
On the VPC details view, click the
Create Policy
option
in the
More
drop down menu.
To create a policy, do the following in the
Create Policy
dialog
box.
Procedure
Provide the necessary values in the respective fields.
Figure.
Create Policy
Click to enlarge
Fields
Description and Values
Value in Default Policy
Priority
The priority of the access list (ACL) determines which ACL is
processed first. Priority is indicated by an integer number. A
higher priority number indicates a higher priority.For example,
if two ACLs have priority numbers 100 and 70 respectively, the
ACL with priority 100 takes precedence over the ACl with
priority 70.
Note:
Click the
Understand
Priorities
link to see the
Understand Priorities
information box (see the image of this box below
this table).
1
Source
The source indicates the source IP or subnet for which you
want to manage traffic.
Source can be:
Any
: Indicates any IP
address.
External
: Indicates an IP
address that is outside the subnets configured for
the VPC.
Custom
: You can provide a
specific
Source Subnet IP
with
prefix.
Any
Source Subnet IP
Only required if you selected the
Source
as
Custom
. Provide the subnet IP and
prefix that you want to designate as the source for the
policy. Use the CIDR notation format to provide the subnet
IP. For example, 10.10.10.0/24.
None
Destination
The destination is the destination IP or subnet for which you
want to set the priority.
Destination can be:
Any
: Indicates any IP
address.
External
: Indicates an IP
address that is outside the subnets configured for
the VPC.
Custom
: You can provide a
specific
Destination Subnet IP
with prefix.
Any
Destination Subnet IP
Only required if you selected the
Destination
as
Custom
.
None
Protocol
You can also set the priority configure policy for certain
protocols. You can select one of the following options:
Any
: Indicates any IP
address.
Protocol Number
: Provide an
integer number that indicates the protocol you want
to prioritize.
Provide the appropriate value in
the
Protocol Number
field.
TCP
UDP
ICMP
Protocol Number
This field is displayed only if you select
Protocol Number
as the value in
the
Protocol
field. The number you
provide must be the IANA designated number that indicates
respective protocol. See
IANA Protocol
Numbers
.
None
Action
Assign the appropriate action for implementation of the
policy.
Permit
: Permits traffic and
services based on the parameters set.
If the Permit rule is set to override a Drop rule,
then the Permit rule must be set in both the
directions to allow bidirectional communication
between the
Source
and
Destination
.
Deny
: Denies traffic and
service based on the parameters set.
Re-route
:Sends matching traffic
to the next-hop IP address specified by the
Reroute IP
. In case of
reroute, you need to provide an IP address that the
traffic needs to be re-routed to, in the
Reroute IP
field.
Permit
Figure.
Understanding Priorities
Click to enlarge
Click
Save
.
Creating Static Routes
About this task
You can create a static route using the
Create Static Routes
dialog box. You can open the
Create Static Routes
dialog box
either from the VPC list view or the VPC details view.
On the VPC list view, select the VPC and click
Create Static
Routes
in the Actions drop down menu.
On the VPC details view, click the
Create Static
Routes
option in the
More
drop down
menu.
Figure.
Create Static Routes
Click to enlarge
To create static route, do the following in the
Create Static
Routes
dialog box:
Procedure
Provide the necessary values in the respective fields.
Fields
Description and Values
Destination Prefix
Provide the IP address with prefix of the destination
subnet.
Next Hop Link
Select the next hop link from the drop down list. The next
hop link is the IP address that the traffic must be sent for the
static route you are configuring.
Add Prefix
You can create multiple static routes using this option.
Click this link to add another set of
Destination
Prefix
and
Next Hop Link
to configure another static route.
Click
Save
.
Updating Virtual Private Cloud
About this task
You can update a VPC using the
Update Virtual Private Cloud
(VPC)
dialog box. You can open the
Update Virtual Private
Cloud (VPC)
dialog box either from the VPC list view or the VPC
details view.
On the VPC list view, select the VPC you want to update and click
Update
in the
Actions
drop
down menu.
On the VPC details view, click the
Update
option.
The
Update Virtual Private Cloud (VPC)
dialog box is identical
to the
Create Virtual Private Cloud (VPC)
dialog box.
Figure.
Update VPC
Click to enlarge
For details about the parameters that you can update in the
Update Virtual
Private Cloud (VPC)
dialog box, see Creating Virtual Private Cloud.
Procedure
Update the parameters in the
Update Virtual Private Cloud
(VPC)
dialog box.
Click
Save
.
Updating a Subnet
About this task
You can update a subnet displayed on the
Subnets
page. Go to the
Subnets
page by clicking
Virtual Infrastructure
>
Networking
>
Subnets
and open the
Update Subnet
dialog box.
You can also open the
Update Subnet
dialog box from the VPC
dashboard for a specific VPC. Click the
Edit
option for the
subnet listed on the
Subnets
tab of the VPC dashboard.
The fields in the
Update Subnet
and the
Create
Subnet
dialog boxes are the same.
Note:
You cannot edit or update the
subnet type. For example, if the subnet type is already configured as
VLAN
, you cannot modify it to an
Overlay
type subnet.
To update a subnets, do the following.
Procedure
Select the subnet you want to update. Select
Actions
>
Update Subnet
.
Update the necessary values in the respective fields in the
Update
Subnet
dialog box.
Figure.
Update Subnet
Click to enlarge
The
Update Subnet
dialog box has the same fields as the
Create Subnet
dialog box. For details about the
fields and the values that can be updated in the
Update
Subnet
dialog box, see Creating a Subnet.
Click
Save
to ensure that the updates are saved in the
configuration.
Category Management
A category is a key-value pair that groups similar entities. Associating a policy with a
category ensures that the policy applies to all the entities in the group regardless of how
the group scales with time. For example, you can associate a group of VMs with the Department:
Marketing category, where Department is a category that includes a value Marketing along with
other values such as Engineering and Sales.
Currently, you can associate only VMs with a category. Categories are implemented in the same
way on on-premises Prism Central instances and in Xi Cloud Services. For information about
configuring categories, see the
Prism Central Guide
.
Updating a Policy
About this task
You can update a policy using the
Update Policy
dialog box. You
can open the
Update Policy
dialog box in two ways in the VPC
details view.
On the VPC details view, select the VPC you want to update and click the
Update
option in the top menu.
On the VPC details view, click the
Edit
option provided
in the
Actions
menu for the selected VPC.
Note:
You cannot update or delete the default policy.
The
Update Policy
dialog box has the same parameters as the
Create Policy
dialog box.
For details about the parameters that you can update in the
Update
Policy
dialog box, see Creating a Policy.
Procedure
Update the parameters in the
Update Policy
dialog
box.
Click
Save
.
Updating Static Routes
About this task
You can update a static route using the
Update Static Routes
dialog box. You can open the
Update Static Routes
dialog box
either from the VPC list view or the VPC details view.
Note:
You must configure the default route (0.0.0.0/0) to the external subnet as the
next hop for connectivity outside the cluster (north-south connectivity).
On the VPC details view, select the VPC you want to update and click the
Update
option in the top menu.
On the VPC details view, click the
Edit
option provided
in the
Actions
menu for the selected VPC.
The
Update Static Routes
dialog box has the same parameters as
the
Create Static Routes
dialog box.
For details about the parameters that you can update in the
Update Static
Routes
dialog box, see Creating Static Routes.
Procedure
Update the parameters in the
Update Static Routes
dialog
box.
Click
Save
.
Deleting a Virtual Private Cloud
About this task
Prism Central
does not allow you to delete a VPC if the VPC is associated with any subnets and/or
VPNs. After you remove all the subnets or VPN associations from the VPC, delete the
VPC.
You can delete a VPC from the VPC list view or the VPC details view.
Procedure
Do one of the following.
To delete a VPC from the VPC list view, select the VPC you want to
delete and click
Delete
in the
Actions
drop down menu.
To delete a VPC from the VPC details view, click the VPC name to go to
the VPC details view and click the
Delete
option in
the
More
drop down menu.
In the confirmation dialog box, do the following.
Click
Delete
to delete the VPC.
Click
Cancel
to exit without deleting the
VPC.
Deleting Subnets, Policies or Routes
About this task
You can delete VPC entities such as subnets, policies or routes from the VPC details
page.
Note:
You cannot update or delete the default policy.
Do the following.
Procedure
Open the VPC details page and go to the respective tab like
Subnets
,
Policies
or
Routes
.
Click the
Delete
option provided for the selected entity
(subnet, policy or route respectively).
In the confirmation dialog box, do the following.
Click
Delete
to delete the entity.
Click
Cancel
to exit without deleting the
entity.
Connections Management
This section covers the management of network gateways, VPN connections and subnet
extensions including operations like create, update and delete network gateways and VPN
connections, and extending subnets.
Network Gateway Management
You can create, update or delete network gateways that host one of VPN or VTEP service for
connections.
Creating a Network Gateway
About this task
VPN or s connect two networks together, and can be used in both VLAN and VPC networks
on AHV. In other words, you can extend the routing domain of a VLAN network or that
of a VPC using a VPN. Accordingly, VPN gateways can be configured using VLANs or
VPCs. You need VPN gateways on clusters to provide a gateway to the traffic between
on-premise clusters or remote sites.
You can create multiple VPN gateways for a VPC. Since a VPC is configured
only on a PC, the VPC is available to all the clusters registered to that PC.
A VPN gateway may be defined as a Local gateway or a Remote gateway based on where
the traffic needs to be routed.
To create a VPN gateway, do the following on the
Networking & Security
>
Connectivity
>
Gateways
page.
Procedure
Select
Local
or
Remote
in the
Create Gateway
drop-down menu.
If you select
Local
in the drop-down menu, the
Create Local Gateway
dialog box opens. If you select
Remote
in the drop-down menu, the
Create
Remote Gateway
dialog box opens.
Provide the necessary values in the respective fields as described in the
table.
For example, if you select
Local
in the drop-down menu,
then the
Create Local Gateway
dialog box opens. Provide the
necessary values in the respective fields as described in the table.
Figure.
Sample Create Local Gateway - VM Deployment
Click to enlarge
Figure.
Sample Create Local Gateway - VPN Service Configuration
Click to enlarge
Figure.
Sample Create Local Gateway - VTEP Service Configuration
Click to enlarge
Figure.
Sample Create Remote Gateway - VPN Gateway Service
Click to enlarge
Figure.
Sample Create Remote Gateway - VTEP Gateway Service
Click to enlarge
Table 1.
Local Gateway Fields
Fields
Description
Values
VM
Deployment
Name
Enter a name for the network gateway.
(Name)
Gateway Attachments
(for Local gateway type only) Select the gateway attachment
as
VPC
or
VLAN
.
The VPN VM is deployed on a VPC VM or a cluster that has the
selected VLAN respectively.
If you select
VPC
, then
VPC Attachment
is displayed.
VPC
is the default value for
the
Gateway Attachments
field. The
Gateway VM is deployed on the cluster and associated
with the VPC selected in the
VPC
Attachment
section.
VPC
attachment
mode provides the options of
eBGP and Static routing methods for external routing
(configured in the
External Routing
Configuration
section).
If you select
VLAN
, then the
VLAN Attachment
is displayed. The
Gateway VM is deployed on the cluster that has the VLAN
and the subnet specified in the
VLAN
Attachment
section.
VLAN
attachment
mode provides only the eBGP
routing method for external routing.
(VLAN or VPC)
Gateway VM Deployment - VPC
Attachment
Cluster
Select the cluster on which you want to deploy the Gateway VM
on.
(Name of the cluster)
VPC (If Gateway Attachment type is VPC)
Select the VPC configured on the selected cluster that you
want to use for the Gateway VM deployment.
(Name of the VPC selected)
Floating IP (Optional)
Select a floating IP for the network gateway configuration.
If you do not select a floating IP address then Prism
Central allocates a floating IP automatically. This
allocated floating IP is deleted when you delete the
gateway.
To request floating IPs and allocate them to subnets, see
Requesting Floating IPs
(IP address)
Gateway VM Deployment - VLAN
Attachment
Cluster
Select the Cluster, from the drop down list, on which you
want to deploy the Gateway VM on.
Note:
Only clusters with VLANs
are available in the list.
(Name of the cluster)
Subnet
Select the subnet you want to attach the Gateway VM to, from
the drop down list.
Note:
The list includes all the subnets you
created on the selected cluster.
After you select the
subnet, the details of the subnet are displayed in a box below
the
Subnet
field. The details include:
VLAN ID, IPAM type being Managed or Unmanaged, and Network
Address with Prefix.
(Name of the VLAN subnet)
Static IP Address for VPN Gateway VM
Enter the static IP address that the Gateway VM needs to
use.
(IP Address with Prefix)
Default Gateway IP
Enter the default gateway IP of the subnet for the Gateway
VM.
(IP Address)
Service
Configuration
Gateway Service
Select the gateway service you want to use for the
gateway.
(VPN or VTEP)
VPN Service Configuration -
External Routing Configuration (This section is available for
VLAN and VPC attachment types)
Routing Protocol
For
VPC
gateway attachments:
Select
Static
for static routing.
Note:
You need to create static routes (see Creating Static Routes)
for external routing and attach the route to the VPC
selected in this configuration.
Select
eBGP
for eBGP based
external routing.
For
VLAN
gateway attachments:
External routing protocol is pre-set to
eBGP
. You cannot change
the routing protocol.
(Static or eBGP)
Redistribute Connected Routes (Applicable only if VLAN type
gateway attachment is selected)
(
VLAN
only) Select this checkbox to
enable the redistribution of connected routes into the
eBGP.
(Check mark or blank)
ASN (Only available if eBGP routing protocol is
selected)
(For
eBGP
only) Enter the ASN for your
on-prem gateway. If you do not have a BGP environment in
your on-prem site, you can choose any number. For example,
you can choose a number in the 65000 range.
Note:
Make sure that this ASN does not conflict with any of the
other on-premises BGP ASNs.
ASN must be distinct in case of eBGP.
(Number)
eBGP Password
(For
eBGP
in
Local
gateway type only) Enter the
eBGP password for the eBGP route.
(Password: The password must be between 1 and 80 characters.
Password length: Minimum 1 and maximum 80
characters.
)
VPN Service Configuration -
Internal Routing Configuration (This section is available for
VLAN attachment type only.)
Routing Protocol (Between On-prem Gateway and On-prem
Router)
Select the
Routing Protocol
to be used
between on-premises Nutanix gateway and on-premises
router.
You can select:
Static
: Select this protocol
to provide a static route configuration for the VLAN
gateway.
OSPF
: Select this protocol to
provide an OSPF routing configuration for the VLAN
gateway.
iBGP
: Select this protocol to
provide a iBGP route configuration for the VLAN
gateway.
Note:
For iBGP, the ASN must be the same
between the Gateway appliance and the peer iBGP,
when iBGP is selected as the internal routing
protocol.
(Static or OSPF or iBGP)
+Add Prefix (Applicable to Static routing)
(For
Static
routing selected in
Routing Protocol
) Click this to
enter a
Local Prefix
and click the
check mark under
Actions
to add the
prefix.
If you click the X mark under
Actions
,
the local prefix you entered is not added.
The prefixes you add are advertised to all the connected
peers via eBGP.
The prefix must be a valid IP address with the host bits not
set.
You can add multiple local prefix IP addresses.
(prefix like /24)
Area ID (Applicable to OSPF protocol)
(OSPF only) Enter the OSPF area id in the IPv4 address
format.
Password Type
(OSPF only) Select the password type you want to set for the
OSPF route. The options are:
MD5
: Select this option to
encrypt the packets with MD5 hash that can be
decrypted with the MD5 password at the
destination.
Plain Text
: Select this option
to set a clear-text password.
None
: Select this if you do to
set an open route without password protection
Password
(OSPF only) Enter a password for the MD5 or Plain Text
password type you select in the
Password
Type
field.
For
MD5
: The password must be
1-16 characters long.
Characters allowed for OSPF passwords (MD5)
a-z
A-Z
0-9
For
Plain Text
: The password
must be 1-8 characters long.
Characters allowed for OSPF passwords (Plain text):
a-z.
Peer IP (for iBGP)
Enter the IP Address of the On-prem router used to exchange
routes with the network gateway.
(IP Address)
Password
Enter a password with 1-80 characters.
(Password)
VTEP Service Configurations
VxLAN (UDP) Port
The default value provided is 4789. Do not change
this.
(Number. Default value is 4789)
Table 2.
Remote Gateway Fields
Fields
Description
Values
Name
Enter a name for the network gateway.
(Name)
Gateway Service
Select the gateway service you want to use for the
gateway.
(VPN or VTEP)
VPN Service
Configurations
Public IP Address
Enter the public IP address of the remote endpoint. If a
Floating IP is not selected, a new Floating IP is automatically
allocated for the Gateway. These allocated IP addresses are
deleted when the network gateway is deleted.
(IP Address)
Vendor
Select the vendor of the third party gateway
appliance.
(Name of Vendor)
External Routing
Protocol
Select
Static
for static routing.
Note:
You need to create static routes (see Creating Static Routes)
for external routing and attach the route to the VPC
selected in this configuration.
Select
eBGP
for eBGP based
external routing.
(Static or eBGP)
eBGP ASN (Only available if eBGP routing protocol is
selected)
(For
eBGP
only) Enter the ASN for your
on-prem gateway. If you do not have a BGP environment in
your on-prem site, you can choose any number. For example,
you can choose a number in the 1-65000 range.
Note:
Make sure that this ASN does not conflict with any of the
other on-premises BGP ASNs.
ASN must be distinct in case of eBGP.
(Number)
VTEP Service
Configurations
VTEP IP Address
Enter VTEP IP Addresses of the remote endpoints that you want
to create the gateway for. You can add IP addresses of multiple
endpoints in one remote gateway.
(Comma separated list of IP Addresses)
VxLAN (UDP) Port
The default value provided is 4789. Do not change
this.
(Number. Default value is 4789)
Click
Save
.
What to do next
The Gateway you create is displayed in the
Gateways
page.
Updating a Network Gateway
About this task
You can update a network gateway using the
Update Gateway
dialog
box.
You can open the
Update Gateway
dialog box. The parameters in
the
Update Gateway
dialog box are the same as those in the
Create Local Gateway
or
Create Remote
Gateway
dialog box.
Procedure
Select the gateway you want to update on
Gateways
.
Click
Update
in the
Actions
menu.
Update the required details in the
Update Gateway
dialog
box.
You cannot modify some information. Such fields are greyed and in-actionable.
If you need to modify such information, consider creating a new gateway with the
updated parameters and deleting the current gateway.
Click
Save
.
Deleting a Network Gateway
About this task
If you want to delete a network gateway, you must first delete all the VPN
connections associated with the gateway and only then you can delete the network
gateway.
To delete a network gateway, do the following on the
Gateway
page.
Procedure
Do one of the following.
Select the check box next to the name of the gateway and, in the
Actions
drop-down list, click
Delete
.
Click the name of the gateway and, in the details page, click
Delete
.
In the confirmation dialog box, do the following.
Click
Delete
to delete the entity.
Click
Cancel
to exit without deleting the
entity.
Virtual Network Connections
Virtual Private Network
You can use the Nutanix VPN solution to set up VPN between your on-prem clusters, which
exist in distinct routing domains that are not directly connected. These distinct routing
domains could either be VPCs within the same cluster or remote clusters or sites.
If you need to connect one Nutanix deployment in one site to another deployment in a
different site, you can create a VPN endpoint in each of the sites. A VPN endpoint consists
of a local VPN gateway, remote VPN gateway and VPN connection. Local VPN gateway can be
instantiated in a VPC context or a legacy VLAN context. Launching the VPN gateway within a
VPC allows stretching of the VPC. For example, in the figure, the Blue VPC is stretched
between two sites with a VPN.
Figure.
VPN Working
Click to enlarge
VPN connections are useful in connecting two points. You can connect two VPCs in the same
cluster using a VPN or VPCs in different clusters in the same site. However, VPN connection
can connect only one endpoint to another endpoint. Flow virtual networking based VPN service
allows you to only connect two endpoints that use Nutanix VPN based gateway service.
Virtual Tunnel End Points Based Network Extensions
To connect one endpoint to multiple endpoints or third party (non Nutanix) networks, use
Virtual Tunnel End Point (VTEP) service based subnet extensions. For more information about
VTEP, see Layer 2 Virtual Subnet Extension Over VTEP.
VPN Workflow
If you need to connect one Nutanix deployment in one site to another deployment in a
different site, you can create a VPN endpoint in each of the sites. A VPN endpoint consists
of a local VPN gateway, remote VPN gateway and VPN connection. You can configure multiple
VPN endpoints for a site.
Each endpoint must have configurations for a local VPN gateway, remote VPN gateway (pointer
information for the peer local VPN in the remote site endpoint) and a VPN connection
(connecting the two endpoints). Then, based on the VPN connection configuration as initiator
or acceptor, one endpoint initiates a tunnel and the endpoint at the other end accepts the
tunnel connection and, thus, establishes the VPN tunnel.
Gateways: Every VPN endpoint for each site consists of two VPN gateway configurations -
Local and Remote.
Local gateway is a VM that runs the VPN protocols (IKEv2, IPSec) and routing (BGP and
OSPF). Remote gateway is a pointer - database entry - that provides information about
the peer remote VPN endpoint. One of the key information contained in the remote gateway
is the source IP of the remote VPN endpoint. For security reasons, the local VPN gateway
will accept IKEv2 packets originating only from this Source IP.
VPN gateways are of the following types:
On premises Nutanix VPN Gateway: Represents the VPN gateway appliance at your
on-premises local or remote site if you are using the Nutanix VPN solution.
On premises Third Party Gateway: Represents the VPN gateway appliance at your
on-prem site if you are using your own VPN solution (provided by a third-party
vendor).
To configure third party VPN Gateways, see the relevant third party
documentation.
VPN Connection: Represents the VPN IPSec tunnel established between local gateway and
remote gateway. When you create a VPN connection, you need to select two gateways
between which you want to create the VPN connection.
VPN appliances perform the following:
Implementation of IKEv2 and IPSec protocols.
Routing: Between remote sites, Flow virtual networking advertises prefixes using eBGP.
Optionally it uses Static routing. Within a site, Flow virtual networking uses iBGP or
OSPF to share prefixes between the Nutanix VPN appliance and the edge router.
Prerequisites for VPN Configurations
General Requirements
Ensure that you have enabled Flow virtual networking with microservices Infrastructure.
Ensure that you have floating IP addresses when you create VPN gateways.
Flow virtual networking automatically allocates a floating IP to a VPN gateway if you
do not provide one during the VPN gateway creation. To provide floating IP during the
VPN gateway creation, you can request floating IPs. See Requesting Floating IPs.
Ensure that you have one of the following, depending on whether you are using iBGP or
OSPF:
Peer IP (for iBGP): The IP address of the router to exchange routes with the VPN
gateway VM.
Area ID (for OSPF): The OSPF area ID for the VPN gateway in the IP address format.
Ensure that you have the following details for the deployment of the VPN gateway
VM:
Public IP address of the VPN Gateway Device: A public WAN IP address that you want
the on-prem gateway to use to communicate with the Xi VPN gateway appliance.
Static IP Address: A static IP address that you want to allocate to the VPN gateway
VM. Use a floating IP address requested as the static IP address.
IP Prefix Length: The subnet mask in CIDR format of the subnet on which you want to
install the VPN gateway VM. You can use an overlay subnet used for a VPC and
assigned to the VM that you are using for the VPN gateway.
Default Gateway IP: The gateway IP address for the on-premise VPN gateway
appliance.
Gateway ASN: ASN must not be the same as any of your on-prem BGP ASNs. If you
already have a BGP environment in your on-prem site, the customer gateway is the ASN
for your organization. If you do not have a BGP environment in your on-prem site,
you can choose any number. For example, you can choose a number in the 65000
range.
Ports and Protocols
Nutanix deploys a number of ports and protocols in its software. ports that must be open in
the firewalls to enable
Flow Virtual Networking
to
function. To see the ports and protocols used
Flow Virtual Networking
, see Port Reference.
Endpoints and Terminations
The following endpoints and terminations occur in the course of Flow virtual networking
based connections. For information about creating, updating or deleting VPN connections, see
Connections Management.
Note:
In a VPN connection do not configure both the
gateways (local gateway and remote gateway) in an endpoint as Initiators or as Acceptors. If
you configure the local gateway as Initiator then configure the remote gateway as Acceptor
in one endpoint and vice-versa in the (other) remote endpoint.
VPN Endpoint Behind a Network Address Translation or Firewall Device
In this scenario, the IPSec tunnel terminates behind a network address translation
(NAT) or firewall device. For NAT to work, open UDP ports 500 and 4500 in both
directions.
Figure.
VPN Endpoint Behind NAT or Firewall
Click to enlarge
Things to do in NAT
Things to do in on-prem VPN GW
Open UDP ports 500 and 4500 on both directions
Enable the business application policies to
Allow
the
commonly-used business application ports.
IPSec Terminates on the Firewall Device
In this scenario, you do not need to open the ports for NAT (500 and 4500).
However, enable the on-prem VPN gateway to allow the traffic from the PC subnet to
the advertised load balancer route where the Source port is any and the Destination
port may be in the range of 1024-1034.
The PC subnet refers to the subnet where your Prism Central is running.
Figure.
Tunnel Terminates on NAT or Firewall
Click to enlarge
Creating a VPN Connection
About this task
Create a VPN connection to establish a VPN IPSec tunnel between VPN gateways in your
on-prem site. Select the gateways between which you want to create the VPN
connection.
To create a VPN connection, do the following on the
Networking
>
VPN Connections
page.
Procedure
Click the
Create VPN Connection
button on the
VPN Connections
page.
In the
Create VPN Connection
dialog box, provide the
values in the respective fields.
Fields
Description and Values
Name
Enter a name for the connection.
VPN Connection
IPSec Secret
Enter a secret password for the IPSec connection. To see the
password, click
Show
. To hide the
password, click
Hide
.
Local Gateway
Select the connection parameters on the local gateway as
Initiator or Acceptor of VPN Tunnel connections.
VPN Gateway
Select the appropriate VPN Gateway as the local gateway for
the VPN connection
VTI Prefix - Local Gateway
Enter a IPv4 Address with /<prefix>. Example:
10.25.25.2/30.
This is the
VPN Tunnel
Interface
IP address with prefix for the local
gateway. The subnet for this IP address must be a /30 subnet
with two usable IP addresses. One of the IP addresses is
used for Local Gateway. Use the other IP address for the
Remote Gateway.
Connection Handshake
This defines the type of handshake that the connection must
use. There are two types of connection handshakes:
Initiator
: The local VPN gateway
acts as the initiator of the connection and thus
initializes the VPN tunnel.
Acceptor
: The local VPN gateway
accepts or rejects incoming connection requests from
other gateways.
Note:
In a VPN connection do not configure both the
gateways (local gateway and remote gateway) in an endpoint as Initiators or as Acceptors. If
you configure the local gateway as Initiator then configure the remote gateway as Acceptor
in one endpoint and vice-versa in the (other) remote endpoint.
Remote Gateway
For a specific VPN connection, set the remote gateway as
Initiator or Acceptor when you configure the VPN connection on
the Remote Gateway.
VPN Gateway
Select the appropriate VPN Gateway as the remote gateway for
the VPN connection.
VTI Prefix - Remote Gateway
The VPN Tunnel Interface IP address with prefix for the local
gateway. Provide a IPv4 Address with /<prefix>. Example:
10.25.25.2/30.
This is the
VPN Tunnel Interface
IP address with prefix for the local gateway. The subnet for
this IP address must be a /30 subnet with two usable IP
addresses. One of the IP addresses is used for Local
Gateway. Use the other IP address for the Remote
Gateway.
Advanced Settings
Set the traffic route priority for the VPN connection. The
route priority uses Dynamic route priority because the priority
is dependent on the routing protocol configured in the VPN
gateway.
Route Priority - Dynamic Route Priority
Set the route priority as an integer number. The greater the
number, higher is the priority.
Click
Save
.
What to do next
The VPN connection you create is displayed in the
VPN
Connections
page.
Updating VPN Connection
About this task
You can update a VPN Connection using the
Update VPN Connection
dialog box.
You can open the
Update VPN Connection
dialog box. The
parameters in the
Update VPN Connection
dialog box are the same
as those in the
Create VPN Connection
dialog box.
Procedure
Select the VPN Connection you want to update on the
VPN
Connection
.
Click
Update
in the
Actions
menu.
Update the required details in the
Update VPN Connection
dialog box.
Click
Save
.
Deleting a VPN Connection
About this task
To delete a VPN connection, do the following on the
VPN
Connection
page.
Procedure
Do one of the following.
Select the check box next to the name of the VPN connection and, in the
Actions
drop-down list, click
Delete
.
Click the name of the VPN connection and, in the details page, click
Delete
.
In the confirmation dialog box, do the following.
Click
Delete
to delete the entity.
Click
Cancel
to exit without deleting the
entity.
VPN Connection within Same Prism Central
You can connect two VPCs within the same Prism Central availability zone using a VPN
connection.
About this task
Assume that you have created two VPCs named
vpc-a
and
vpc-b
with overlay subnets named
subnet-a
and
subnet-b
.
To connect the two VPCs within the same Prism Central using a VPN connection, do the
following.
Procedure
Do the following for local gateways:
Create a local VPN gateway with dynamically assigned address for
vpc-a
, for example, named
local-vpn-a
. Note or write down the assigned
IP address.
Create a local VPN gateway with dynamically assigned address for
vpc-b
, for example, named
local-vpn-b
. Note or write down the assigned
IP address.
See Creating a Network Gateway for more information about
creating a VPN gateway.
Do the following for remote gateways:
Create a remote VPN gateway with the IP address noted in 1.a for
vpc-a
, for example, named
remote-vpn-a
.
create a local VPN gateway with the IP address noted in 1.b for
vpc-b
, for example, named
remote-vpn-b
.
See Creating a Network Gateway for more information about
creating a VPN gateway.
Create a VPN connection between
vpc-a
and
vpc-b
named, for example,
vpn-conn-a-to-b
.
Ensure that the VTI IP addresses for the local and remote gateways is unique
with /30 prefix.
Note:
The
VPN Tunnel Interface
IP address with
prefix for the local gateway. The subnet for this IP address must be a /30
subnet with two usable IP addresses. One of the IP addresses is used for
Local Gateway. Use the other IP address for the Remote
Gateway.
Ensure that you select
local-vpn-a
as the local gateway with
Connection Handshake
set as
Acceptor
.
Ensure that you select
remote-vpn-b
as the remote gateway.
Create a VPN connection between
vpc-b
and
vpc-a
named, for example,
vpn-conn-b-to-a
.
Ensure that the VTI IP addresses with /30 prefix for local and remote gateways
are the reverse (vice versa) of what you configured for the VPN connection in
previous step. For example, if in previous step you configured the VTI IP
addresses as 10.20.20.5/30 for local and 10.20.20.6/30 for remote then for VPN
connection in this step, configure 10.20.20.6/30 for local gateway and
10.20.20.5/30 for remote gateway respectively. These IP addresses do not need to
be reachable anywhere else in the network. However, ensure that these IP
addresses do not overlap with any other IP addresses assigned in the
network.
Ensure that you select
local-vpn-b
as the
local gateway with
Connection Handshake
set as
Initiator
.
Ensure that you select
remote-vpn-a
as the remote gateway.
Layer 2 Virtual Network Extension
You can extend a subnet between
on-prem
local and remote clusters or sites (Availability Zones or AZs) to support seamless application
migration between these clusters or sites.
Note:
One or more on-prem cluster or sites managed by one Prism Central instance is defined as
an Availability Zone or AZ. In this section, Availability Zone or AZ refers to and must be
understood as one or more on-prem clusters or sites managed by one Prism Central. Local AZ
refers to local on-prem clusters or sites managed by a Prism Central instance and
remote
AZ
refers
to another on-prem cluster or site managed by another Prism Central
instance.
With Layer 2 subnet extension, you can migrate a set of applications to the remote AZ while
retaining their network bindings such as IP address, MAC address, and default gateway. Since
the subnet extension mechanism allows VMs to communicate over the same broadcast domain, it
eliminates the need to re-architect the network topology, which could otherwise result in
downtime.
Layer 2 extension assumes that there are underlying existing layer 3 connectivity already
available between the Availability Zones. You can extend a subnet from a remote AZ to the
primary (Local) AZ (and other remote AZs in case of VTEP-based subnet extensions)
You can extend a Layer 2 subnet across two Nutanix AZs over either VPN or Virtual tunnel
End Point (VTEP). SeeLayer 2 Virtual Subnet Extension Over VPN.
You can extend a Layer 2 subnet between a Nutanix AZ and one or more non-Nutanix
datacenters only over VTEP. See Layer 2 Virtual Subnet Extension Over VTEP.
You can extend subnets for the following configurations.
IPAM Type.
Managed and unmanaged networks.
Subnet Type.
On-prem VLAN subnets and VPC subnets.
Traffic Type.
IPv4 unicast traffic and ARP.
On-prem Hypervisor.
AHV and ESXi
Note:
If your cluster is ESXi, use vCenter Server
to manually configure the port group attached to the subnet you want to extend. Set the
security settings,
Promiscuous mode
and
Forged
transmits
to
Accept
on the vSwitch as shown in the
following image.
Figure.
ESXi Host Port Group Configuration
Click to enlarge
Prerequisites for Setting Up Subnet Extension
Ensure the following before you configure Layer 2 subnet extension between your on-prem
AZs.
Ensure that the Prism Central versions support Layer 2 virtual subnet extension as
specified in the Release Notes. See
AOS Family Release Notes
and
Release Notes | Prism Central
as applicable.
See the
Prism Central
Upgrade and Installation Guidelines and Requirements
section of the
Acropolis Upgrade Guide
for instructions about how to upgrade a Prism
Central instance through the Prism Central web console.
Ensure that you pair the Prism Central at the local AZ with the Prism Central at the
remote AZ to use
Create Subnet Extension
wizard to extend a subnet
across the AZs and facilitate bidirectional communication between these clusters or sites.
Using paired availability zones it is possible to configure both VXLAN over VPN and VTEP
based subnet extension. You can also extend subnets using the manual gateway and
connection workflows instead of pairing the AZs.
See the Pairing AZs (Nutanix Disaster Recovery) for instructions about how
to pair the local and remote AZs.
Ensure that you set up a default static route with
0.0.0.0/0
prefix and
the External Network next hop for the VPC you use for any subnet extension. This allows
NTP and DNS access for the Network Gateway appliance.
Best Practices for Subnet Extension
Nutanix recommends the following configurations to allow IP address retention for VMs on
extended subnets.
When using Nutanix IPAM ensure the address ranges in the paired subnets are unique to
avoid conflict between VM IP addresses across extended subnets.
If the source and target sites use third-party IPAM, ensure that there are no
conflicting IP address assignments across the two sites.
Note:
If the source and target
sites use Nutanix IPAM, the Prism Central web console displays a message that indicates
an IP address conflict if one exists.
If connectivity between sites already provides encryption, consider using VTEP only
subnet extension to reduce encryption overhead.
Use the
Subnet Extension to a Third Party Data-Center
workflow in
the following scenarios
To extend a subnet to more than one other AZ. This is also known as point to
multi-point.
To extend subnets between clusters managed by the same Prism Central.
Subnet Extension Workflow
You can manage Layer 2 subnet extension on the
Subnet Extensions
tab
of the
Connectivity
page. Open the
Subnet
Extensions
by clicking the hamburger icon in the top-left corner of the
Dashboard
and then clicking
Connectivity
.
You can create point-to-point Layer 2 subnet extensions between two AZs over VPN or
VTEP by opening the
Create Subnet Extension Across Availability
Zones
dialog box. See Extending a Subnet Over VPN for
VPN-based extensions. See Extending a Subnet Across Availability Zones Over VTEP for
VTEP-based extensions.
You can create point-to-point or point-to-multipoint Layer 2 subnet extensions to third
party datacenters over VTEP by opening the
Create Subnet Extension To A Third
Party Data-Center
dialog box. See Extending a Subnet to Third Party Datacenters Over VTEP.
You can update a subnet extension that extends across AZs using the
Update
Subnet Extension Across Availability Zones
dialog box. The
Update
Subnet Extension Across Availability Zones
has the same parameters and
fields as the
Create Subnet Extension Across Availability Zones
dialog box. You can open the
Update Subnet Extension Across Availability
Zones
dialog box by:
Selecting the subnet extended across AZs in the
Subnet
Extensions
and clicking the
Update
button.
Clicking the subnet extended across AZs in the
Subnet
Extensions
and clicking the
Update
button on the
Summary
tab.
You can update a subnet extension that extends to multiple AZs or third party datacenters
using the
Update Subnet Extension To A Third Party Data-Center
dialog
box.
Update Subnet Extension To A Third Party Data-Center
dialog box
has the same parameters and fields as the
Create Subnet Extension To A Third Party
Data-Center
dialog box. You can open the
Update Subnet Extension To A
Third Party Data-Center
dialog box by:
Selecting the subnet extended to third datacenters in the
Subnet
Extensions
and clicking the
Update
button.
Clicking the subnet extended to third datacenters in the
Subnet
Extensions
and clicking the
Update
button on the
Summary
tab.
See Updating an Extended Subnet.
Layer 2 Virtual Subnet Extension Over VPN
Subnet extension using VPN allows seamless, secure migration to a new datacenter or for
disaster recovery. VPN based Layer 2 extension provides secure point to point connection to
migrate workloads between Availability Zones. Consider VTEP-only Subnet Extension without VPN
when encryption is not required.
Subnet extension using VPN is useful:
When the two Availability Zones (where the subnets to be extended belong) do not have any
underlying secure connectivity. For example, when connecting over the Internet, VPN (IPSec)
provides the necessary connectivity and encryption (security).
Sometimes when you need to move (lift-and-shift) workloads from a VLAN subnet to a VPC
subnet retaining the same VM IP addresses . You need connectivity from other subnets to
workloads that have already migrated to VPC. In such cases, VPN provides the Layer 3
connectivity and encryption between the VPC segment of extended subnet to other VLAN
subnets.
Prerequisites for Setting Up Subnet Extension Over VPN
See Layer 2 Virtual Network Extension for general
prerequisites to extend subnets.
Set up VPN gateway services and a VPN connection between local AZ and the remote AZ.
The subnet extension feature supports only the Nutanix VPN solution (not a third-party
VPN solution) at the both the local and remote AZs. See the Virtual Network Connections for instructions about how to upgrade the VPN gateway
VM at the local and remote clusters or sites.
Note:
Ensure that the VPN gateway version
is 5.0 or higher. See the Updating a Network Gateway section for
instructions about how to upgrade the network gateway at the local and remote sites.
Configure subnets with the same IP CIDR prefix at the source and target sites. For
example, if the IP prefix at one site is 30.0.0.0/24, the IP prefix at the other site must
also be 30.0.0.0/24. The network and mask must match at both AZs.
Configure distinct DHCP pools for the source and target sites with no IP address
overlap. Separate DHCP pools ensure no IP address conflicts occur for dynamically assigned
IP addresses between the two AZs.
Procure two free IP addresses, one from each subnet, for the Network Gateway in the
subnets to be extended. These IP addresses are configured as local IP address and remote
IP address for the subnet extension in the
Subnet Extension
wizard.
These two free IP addresses are the externally accessible IP addresses for the local
gateway, and the remote gateway. Those two usable IP addresses are already contained
inside the VPN connection and must not conflict with the following:
DHCP pools on any of the Availability Zones.
Gateway IP address on any of the Availability Zones.
IP addresses allocated to existing user VMs on any of the Availability Zones.
IP addresses used by Network Gateway Management NIC subnet (IP pool
100.64.1.0/24)
Limitation
To use subnet extension over a VPN, both sites must use the VPN service of the Nutanix
Network Gateway. Consider VTEP-only subnet extension to connect to non-Nutanix third party
sites.
Pairing AZs (Nutanix Disaster Recovery)
To replicate entities (protection policies, recovery plans, and recovery points) to
different on-prem AZs (AZs) bidirectionally, pair the AZs with each
other. To replicate entities to different Nutanix clusters at the same AZ bidirectionally,
you need not pair the AZs because the primary and the recovery Nutanix clusters are
registered to the same AZ (Prism Central). Without pairing the AZs, you cannot perform
DR to a different AZ.
About this task
To pair an on-prem AZ with another on-prem AZ, perform the following procedure at
either of the on-prem AZs.
Procedure
Log on to the Prism Central web console.
Click the hamburger icon at the top-left corner of the window. Go to
Administration
>
AZs
in the left pane.
Figure.
Pairing AZ
Click to enlarge
Click
Connect to AZ
.
Specify the following information in the
Connect to Availability
Zone
window.
Figure.
Connect to AZ
Click to enlarge
AZ Type
: Select
Physical Location
from the drop-down
list.
A physical location is an on-prem AZ (AZ). To pair
the on-prem AZ with Xi Cloud Services, select
XI
from the drop-down list, and enter the
credentials of your Xi Cloud Services account in step c and set
d.
IP Address for Remote PC
: Enter the IP address
of the recovery AZ Prism Central.
Username
: Enter the username of your recovery
AZ Prism Central.
Password
: Enter the password of your recovery
AZ Prism Central.
Click
Connect
.
Both the on-prem AZs are paired to each other.
Extending a Subnet Over VPN
The subnet extension allows VMs to communicate over the same broadcast domain to a
remote site or Availability Zone (AZ).
Before you begin
See Layer 2 Virtual Network Extension and Layer 2 Virtual Subnet Extension Over VPN for information on prerequisites
and best practices for extending a subnet.
About this task
Perform the following procedure to extend a subnet from the on-prem site.
Procedure
Click the hamburger icon in the top-left corner of the
Dashboard
>
Networking & Security
>
Connectivity
>
Subnet Extension
.
On the
Subnet Extension
page, select
Create Subnet Extension
>
Across Availability Zones
.
In the
Create Subnet Extension Across Availability Zones
dialog box, enter the necessary details as described in the table.
Figure.
Create Subnet Extension Across Availability Zones
Click to enlarge
Fields
Description
Values
Extend Subnet over a
Select the gateway service you want to use for the subnet
extension.
(VPN or VTEP)
Note:
Configure the following fields for the
Local
and the
Remote
sides of the dialog
box.
Availability Zone
(For Local) Local AZ is pre-selected default.
(For Remote)
Select the appropriate AZ from the drop-down list of
AZs.
(Local: Local AZ)
(Remote: Dropdown list of
AZs.)
Subnet Type
Select the type of subnet that you want to extend.
(VLAN or Overlay)
Cluster
Displayed if your selected VLAN subnet. Select the cluster
from the dropdown list of clusters.
(Name of cluster selected from dropdown list)
VPC
Displayed if your selected Overlay subnet. Select the
appropriate VPC from the dropdown list of VPCs.
(Name of VPC selected from dropdown list)
Subnet
Select the subnet that needs to be extended.
(Name of subnet selected from dropdown list)
(Network Information frame)
Displays the details of the VLAN or Overlay network that you
selected in the preceding fields.
(Network information)
Gateway IP Address/Prefix
Displays the gateway IP address for the subnet. This field is
already populated based on the subnet selected.
(IP Address)
(Local or Remote) IP Address
Enter a unique and available IP address that are externally
accessible IP addresses in
Local IP
Address
and
Remote IP
Address
.
(IP Address)
VPN Connection
Select the appropriate VPN Connection from the dropdown list
that Flow virtual networking must use for the subnet extension.
See Creating a VPN Connection for
instructions to create VPN connection.
(Name of VPN connection selected from the dropdown
list)
Click
Save
.
A successful subnet extension is listed on the
Subnet
Extension
dashboard. See .
Layer 2 Virtual Subnet Extension Over VTEP
Subnet extension using Virtual tunnel End Point (VTEP) allows seamless migration to new
datacenters or for disaster recovery. VTEP based Layer 2 extension provides
point-to-multipoint connections to migrate workloads from one Availability Zone to multiple
Availability Zones
without
encryption.
If you need security and encryption, consider using Subnet Extension over VPN.
Subnet extension using VTEP is useful:
When both subnets that need to be stretched are Nutanix subnets (managed or unmanaged).
VTEP provides an optimized workflow to stretch the two subnets.
When both subnets are connected over an existing private and secure link that does not
need additional encryption.
When one Nutanix subnet needs to be stretched across one or more non-Nutanix
networks,
sites, or datacenters.
Subnet
Extension with third-party VTEPs provides point-to-multipoint connectivity
to third party datacenters assuming that there is underlying
layer 3
connectivity between these VTEPs.
VTEP-based Layer 2 Subnet Extension provides the following advantages:
Layer 2 subnet extension from one AZ to multiple AZs.
Layer 2 subnet extension between Nutanix AZs and non-Nutanix third party VTEP-based
AZs.
The Remote VTEP Gateway is a set of endpoint IP addresses. You can add endpoint IP
addresses to an existing operational Remote VTEP Gateway without stopping the subnet
extension services. This on-the-fly addition enables you to extend the subnets to more AZs
than originally
planned, or
perform maintenance, without disrupting the running services or
configuring new remote VTEP gateways.
Prerequisite for Setting Up Subnet Extension Over VTEP
See Layer 2 Virtual Network Extension for general
prerequisites to extend subnets.
Set up VTEP local and remote gateway services on local and remote AZs. In case of
point-to-multipoint extension, ensure that you create local and remote VTEP gateways on
all the remote AZs that the subnet needs to be extended to.
For each
extended subnet within the same Network Gateway appliance
ensure
that you have unique VxLAN Network Identifiers (VNIs) that you can use for the VTEP subnet
extensions. VNI may be any number between 0 and 16777215.
Extending a Subnet Across Availability Zones Over VTEP
The subnet extension over VTEP allows VMs to communicate two Availability Zones (AZ)
without a VPN connection.
Before you begin
See Layer 2 Virtual Network Extension and Layer 2 Virtual Subnet Extension Over VTEP for information on prerequisites and
best practices for extending a subnet.
About this task
To extend a subnet over VTEP across two availability zones (AZs), do the
following.
Procedure
Open the
Create Subnet Extension Across Availability Zones
in one of the following ways:
On the
Subnet Extensions
tab, click
>
Create Subnet Extension
>
Across Availability Zones
>
.
In the
Subnets
dashboard, select the subnet you want
to extend and click
Actions
>
Extend
>
Across Availability Zones
In the
Subnets
dashboard, click the subnet you want
to extend. On the subnet details page, click
Extend
>
Across Availability Zones
.
Figure.
Example of Create VTEP Extension Across AZs with VLAN Subnet
Click to enlarge
For
Extend Subnet over a
, select
VTEP
.
Enter or select the necessary values for the parameters in the
Local
and
Remote
(AZ)
sections as described in the table.
Parameters
Description and Value
Availability Zone
Displays the name of the paired availability zone at the
local AZ.
Subnet Type
Select the type of the subnet - VLAN or Overlay that you are
extending.
Cluster
Select the name of the cluster in the local AZ that the
subnet is configured for.
Subnet
Select the name of the subnet at the local AZ for network.
The VLAN ID and the IPAM - managed or unmanaged are displayed in
the box below the
Subnet
field.
Gateway IP Address.
Enter the gateway IP address of the subnet you want to
extend. Ensure that you provide the IP address in
<IP-address/network-prefix> format. for example the gateway
IP is 10.20.20.1 in a
/24
subnet then provide the
gateway
IP address as
10.20.20.1/24
.
Note:
For
an
unmanaged network, enter the gateway IP
address of the created subnet.
Local IP Address
Enter a unique and available (unused) IP address from the
subnet provided in
Subnet
for the Network
Gateway appliance.
Remote IP Address
Enter a unique and available (unused) IP address from the
subnet provided in
Subnet
for the remote
Network Gateway appliance.
Local VTEP Gateway
Select the local VTEP gateway you created on the local AZ.
See Creating a Network Gateway for information
about creating VTEP gateways.
Remote VTEP Gateway
Select the VTEP gateway you created on the remote AZ. See
Creating a Network Gateway for information
about creating VTEP gateways.
Connection
Properties
VxLAN Network Identifier (VNI)
Enter a unique number from the range 0-16777215 as VNI.
Ensure that this number is not reused anywhere in the local or
remote VTEP Gateways.
MTU
The default MTU is 1392 to account for 108 bytes of overhead
and the standard physical MTU of 1500 bytes. VPC Geneve
encapsulation requires 58 bytes and VXLAN encapsulation requires
50. However, you can enter any valid MTU value for the network,
taking this overhead into account. For example, if the physical
network MTU and vs0 MTU are 1600 bytes, the Network Gateway MTU
can be set to 1492 to account for 108 bytes of overhead. Ensure
that the MTU value does not exceed the MTU of the AHV Host
interface and all the network interfaces between the local and
remote AZs.
Click
Save
.
After the subnet is extended, the extension appears in the
Subnet Extensions
list view.
Extending a Subnet to Third Party Datacenters Over VTEP
The subnet extension over VTEP allows VMs to communicate with multiple remote sites
or Availability Zones (AZ) that may be third party (non-Nutanix) networks, or datacenters.
It also provides the flexibility of adding more remote AZs to the same VTEP-based extended
Layer 2 subnet. Examples of compatible VTEP gateways are switches from Cisco, Juniper,
Arista, and others that support plain VXLAN VTEP termination.
About this task
To extend a subnet over VTEP across multiple availability zones (AZs) or third party
datacenters, do the following.
Procedure
Open the
Create Subnet Extension To A Third Party
Data-Center
in one of the following ways:
On the
Subnet Extensions
tab, click
>
Create Subnet Extension
>
To A Third Party Data-Center
In the
Subnets
dashboard, select the subnet you want
to extend and click
Actions
>
Extend
>
To A Third Party Data-Center
In the
Subnets
dashboard, click the subnet you want
to extend. On the subnet details page, click
Extend
>
To A Third Party Data-Center
.
Figure.
Example of Create VTEP Extension To A Third Party Data-Center with
VLAN Subnet
Click to enlarge
Enter or select the necessary values for the parameters in the
Local
,
Remote
(AZ), and
Connection Properties
sections as described in the
table.
Parameters
Description and Value
Local
Availability Zone
Displays the name of the paired availability zone at the
local AZ.
Subnet Type
Select the type of the subnet - VLAN or Overlay that you are
extending.
Cluster
Select the name of the cluster in the local AZ that the
subnet is configured for.
Subnet
Select the name of the subnet at the local AZ for network.
The VLAN ID and the IPAM - managed or unmanaged are displayed in
the box below the
Subnet
field.
Gateway IP Address
Enter the gateway IP address of the subnet you want to
extend. Ensure that you provide the IP address in
<IP-address/network-prefix> format. for example the gateway
IP is 10.20.20.1 in a .24 subnet then provide the gatewway IP
address as
10.20.20.1/24
.
Note:
For
unmanaged network, enter the gateway IP address of the
created subnet.
Local IP Address
Enter a unique and available (unused) IP address from the
subnet provided in
Subnet
.
Local VTEP Gateway
Select the local VTEP gateway you created on the local AZ.
See Creating a Network Gateway for more
information about creating a local VTEP gateway.
Remote
Remote VTEP Gateway
Select the remote VTEP gateway you created on the local AZ.
See Creating a Network Gateway for more
information about creating a remote VTEP gateway.
Connection
Properties
VxLAN Network Identifier (VNI)
Enter a unique number from the range 0-16777215 as VNI.
Ensure that this number is not reused anywhere in the networks
that the Prism Central and Cluster are a part of.
MTU
The default MTU is 1392 to account for 108 bytes of overhead
and the standard physical MTU of 1500 bytes. VPC Geneve
encapsulation requires 58 bytes and VXLAN encapsulation
requires 50. However, you can enter any valid MTU value for
the network, taking this overhead into account. For example,
if the physical network MTU and vs0 MTU are 1600 bytes, the
Network Gateway MTU can be set to 1492 to account for 108
bytes of overhead. Ensure that the MTU value does not exceed
the MTU of the AHV Host interface and all the network
interfaces between the local and remote AZs.
Click
Save
.
After the subnet is extended, the extension appears in the
Subnet Extensions
list view.
Updating an Extended Subnet
The
Update Subnet Extension Across Availability Zones
dialog box has the
same parameters and fields as the
Create Subnet Extension Across Availability
Zones
dialog box.
About this task
You can update a subnet extension that extends across AZs using the
Update
Subnet Extension Across Availability Zones
or the
Update
Subnet Extension To A Third Party data center
dialog box. The
Update Subnet Extension Across Availability Zones
or the
Update Subnet Extension To A Third Party data center
dialog
box has the same parameters and fields as the
Create Subnet Extension
Across Availability Zones
or the
Create Subnet Extension To
A Third Party data center
dialog box, respectively.
Based on the type of the subnet extension that you want to modify, refer to the
following:
Procedure
Extending a Subnet Over VPN
Extending a Subnet Across Availability Zones Over VTEP
Extending a Subnet to Third Party Datacenters Over VTEP
Removing an Extended Subnet
Perform this procedure to remove the subnet extension.
About this task
This procedure deletes the extended subnet between the two Availability Zones (AZs)
or between one Nutanix AZ and one or more third party subnets. Deleting the subnet
extension does not automatically remove the network gateways or VPN connections that
may have automatically been created by the Subnet Extension wizard. You need to
separately delete these entities created automatically when the subnet was
extended.
Note:
Removing an extended subnet from a cluster or AZ (either source or target AZs)
automatically deletes the extended subnet from the corresponding source or target
AZs.
Procedure
Click the hamburger icon in the top-left corner of the
Dashboard
.
The
Subnet Extensions
tab displays a list of the
extended subnets.
Figure.
Sample Subnet Extensions dashboard
Click to enlarge
Select the subnet extension you want to remove.
Click
Actions
>
Delete
The confirmation dialog box is displayed.
Click
Remove
.
Click
Cancel
to close the dialog box without removing
the subnet extension.
What to do next
Check the list in the
Subnet Extensions
tab to confirm that
the subnet extension is removed.
Flow Networking Guide
Flow Virtual Networking
pc.2022.1
Product Release Date: 2022-02-24
Last updated: 2022-12-09
Purpose
This
Flow Networking Guide
describes how to enable and deploy Nutanix Flow
Networking on Prism Central.
Upgrading from EA Versions
If you have enabled the early access (EA) version of Flow Networking, disable it before
upgrading the Prism Central and enabling the general availability (GA) version of Flow
Networking.
Related Documentation
Links to Nutanix Support Portal software and documentation.
The
Nutanix Support
Portal
provides software download pages, documentation, compatibility, and other
information/
Documentation
Description
Release Notes | Flow Networking
Flow Networking Release Notes
Port Reference
Port Reference: See this page for details of ports that must be open in the
firewalls to enable Flow Networking to function.
Nutanix Security Guide
Prism Element and Prism Central security, cluster hardening, and
authentication.
AOS guides and release notes
Covers AOS Administration, Hyper-V Administration for Acropolis, Command
Reference, Powershell Cmdlets Reference, AOS Family Release Notes, and AOS
release-specific Release Notes
Acropolis Upgrade Guide
How to upgrade core and other Nutanix software.
AHV guides and release notes
Administration and release information about AHV.
Prism Central and Web Console guides and release notes
Administration and release information about Prism Central and Prism Element.
Flow Networking Overview
Enabled and administered from Prism Central, Flow Networking powers network virtualization to
offer a seamless network experience with enhanced security. It is disabled by default.
To enable and use Flow Networking, ensure that you log on to Prism Central as a local account
user with
Prism Admin
role. If you log on to Prism Central as a
non-local account (IDP-based) user or without
Prism Admin
role
privileges, then Prism Central does not allow you to enable or use Flow Networking. The task
is reported as
Failed
with a
User Denied Access
message.
Note:
Nutanix deploys a number of ports and protocols in its software. ports that must be open in
the firewalls to enable Flow Networking to function. To see the ports and protocols used
Flow Networking, see Port Reference.
It is a software-defined network virtualization solution providing overlay capabilities for
the on-prem AHV clusters. It integrates tools to deploy networking features like Virtual
Private Cloud (VPC) and Virtual Private Network (VPN) to support flexible app-driven
networking that focuses on VMs and applications instead of virtual LANs and network
addresses.
After you enable it on Prism Central, Flow Networking delivers the following.
A simplified, Prism Central-based workflow that deploys the application-driven network
virtualization feature.
A secure multi-tenancy solution allowing per-tenant isolation using VPC-based network
segmentation and namespace isolation.
A secure VPN-based connectivity solution for multiple sites, with automated VPN bundle
upgrades.
NAT-based secure egress to external networks, with IP address retention and policy-based
routing.
Self-serve networking services using REST APIs.
Enhanced networking features for more effective disaster recovery.
Note:
You can enable
network segmentation on a Layer 2 extended virtual subnet that does not have a gateway.
For more information about Layer 2 subnet extensions, see Layer 2 Virtual Network Extension. For information about network
segmentation of an extended layer 2 subnet, see
Segmenting a Stretched L2 Network
for Disaster Recovery
in the
Securing Traffic through Network
Segmentation
section of the
Security Guide
.
Deployment Workflow
You can enable Flow Networking using a simple Prism Central driven workflow, which installs
the network controller. The network controller is a collection of containerized services
that run directly on the Prism Central VM(s). The network controller orchestrates all the
virtual networking operations.
Ensure that microservices infrastructure is enabled in
Prism Central Settings
>
Prism Central Management
. See
Prism Central Guide
for information about enabling
microservices infrastructure.
Enable Flow Networking in
Prism Central Settings
>
Advanced Networking
. It is disabled by default. See
Enabling Flow Networking
You can opt out of Flow networking by disabling the
Advanced
Networking
option subject to prerequisites to disable advanced networking.
See Disabling Flow Networking.
You can deploy Flow Networking in a dark site (a site that does not have Internet
access) environment. See the Deploying Flow Networking at a Dark Site topic
for more information.
You can upgrade the Flow networking controller. Nutanix releases an upgrade for the
Flow networking controller with AOS and Prism Central releases. See Upgrading Flow Networking.
See the
AOS Family Release Notes
and
Release Notes | Prism
Central
.
Flow networking allows you to create and manage virtual private clouds (VPCs) and
overlay subnets to leverage the underlying physical networks that connect clusters and
datacenters. See Virtual Private Cloud.
You can upgrade the network gateway version. Network gateway is used to create VPN or
VTEP gateways to connect subnets using VPN connections, or Layer 2 subnet extensions
over VPN or VTEP.
Flow Networking Architecture
The Flow Networking architecture uses a three-plane approach to simplify network
virtualization.
Prism Central provides the management plane, the network controller itself acts as the
control plane while the AHV nodes provide the data plane. This architecture provides a
strong foundation for Flow Networking. This architecture is depicted in the following
chart.
Figure.
Flow Networking Architecture
Click to enlarge
Deployment Scale
Flow Networking supports the following scale:
Entities
Scale
Virtual Private Clouds
500
Subnets
5,000
Ports
50,000
Floating IPs
2,000 per networking controller-enabled Prism Central.
Routing Policies
1,000 per Virtual Private Cloud.
10,000 per networking controller-enabled Prism Central.
Essential Concepts
VPC
A Virtual Private Cloud (VPC) is an independent and isolated IP address space that
functions as a logically isolated virtual network. A VPC could be made up of one or
more subnets that are connected through a logical or virtual router. The IP addresses
within a VPC must be unique. However, IP addresses may overlap across VPCs. As VPCs
are provisioned on top of another IP-based infrastructure (connecting AHV nodes), they
are often referred to as the overlay networks. Tenants may spin up VMs and connect
them to one or more subnets within a VPC. Virtual Private Cloud (VPC) is a virtualized
network of resources that are specifically isolated from the rest of the resource
pool. VPC allows you to manage the isolated and secure virtual network with enhanced
automation and scaling. The isolation is done using network namespace techniques like
IP-based subnets or VLAN based networking.
VPC Subnets
You can use IP address-based subnets to network virtual machines within a VPC. A VPC
may use multiple subnets. VPC subnets use private IP address ranges. IP addresses
within a single VPC must be unique, in other words, IP addresses inside the same VPC
cannot be repeated. However, IP addresses can overlap across multiple VPCs. The
following figure shows two VPCs named Blue and Green. Each VPC has two subnets,
192.168.1.0/24 and 192.168.2.0/24, that are connected by a logical router. Each subnet
has a VM with an IP address assigned. The subnets and VM IP addresses overlap between
the two VPCs.
Figure.
VPC Subnet
Click to enlarge
The communication between VMs in the same subnets or different subnets in the same VPC
(also called East-West communication) is enabled using GEneric NEtwork Virtualization
Encapsulation (GENEVE). If a Prism Central manages multiple clusters, then the VMs that
belong to the same VPC could be deployed across different clusters. The virtual switch on
the AHV nodes provide distributed virtual switching and distributed virtual routing for all
VPCs.
The communication from a VM in a VPC to an endpoint outside the VPC (called external
communication or North-South communication) is enabled by an external network connection.
Such a connection may be secured using VPN. The following figure shows the logical
connectivity of the VPCs to the external network, and subsequently to the Internet.
Note:
You
must configure the default route (0.0.0.0/0) to the external subnet as the next hop for
connectivity outside the cluster (north-south connectivity).
Figure.
External Communication
Click to enlarge
External Subnets
Subnets outside a VPC are external subnets. External subnets may be subnets within
the deployment but not included in a specific VPC. External subnets may also be
subnets that connect to the endpoints outside the deployment such as another
deployment or site.
External subnets can be deployed with NAT or without NAT. You can add a maximum of
two external subnets - one external subnet with NAT and one external subnet without
NAT to a VPC. Both external subnets cannot be of the same type. For example, you
cannot add two external subnets, both with NAT. You can update an existing VPC
similarly.
Primary and Secondary IP Addresses for VMs
See VM IP Address Management.
SNAT and Floating IP Address
SNAT and Floating IP addresses are used only when you use NAT for an external
subnet.
In Source Network Address Translation (SNAT), the NAT router modifies the IP address
of the sender in IP packets. SNAT is commonly used to enable hosts with private
addresses to communicate with servers on the public Internet.
For VMs within the VPC to communicate with the rest of the deployment, the VPC must
be associated with an external network. In such a case, the VPC is assigned a unique
IP address, called the SNAT IP, from the subnet prefix of the external network. When
the traffic from a VM needs to be transmitted outside the VPC, the source IP address
of the VM, which is a private IP address, is translated to the SNAT IP address. The
reverse translation from SNAT IP to private IP address occurs for the return traffic.
Since the SNAT IP is shared by multiple VMs within a VPC, only the VMs within the VPC
can initiate connections to endpoints outside the VPC. The NAT gateway allows the
return traffic for these connections only. Endpoints outside the VPC cannot initiate
connections to VMs within a VPC.
In addition to the SNAT IP address, you can also request a Floating IP address — an
IP from the external subnet prefix that is assigned to a VM via the VPC that manages
the network of the VM. Unless the floating IP address is assigned to the private IP
address (primary or secondary IP address) of the VM, the floating IP address is not
reachable. When the VM transmits packets outside the VPC, the private IP of the VM is
modified to the Floating IP. The reverse translation occurs on the return traffic. As
the VM uses the Floating IP address, an endpoint outside the VPC can also initiate a
connection to the VM with the floating IP address.
The translation of the private IP addresses to Floating IP or SNAT IP address, and
vice versa, is performed in the hypervisor virtual switch. Therefore, the VM is not
aware of this translation. Floating IP translation may be performed on the hypervisor
that hosts the VM to which the floating IP is assigned to. However, SNAT translation
is typically performed in a centralized manner on a specific host.
NAT Gateway
NAT Gateways are used only when you use NAT for an external subnet.
Network Address Translation (NAT) is a process for modifying the source or
destination addresses in the headers of an IP packet while the packet is in transit.
In general, the sender and receiver applications are not aware that the IP packets are
being manipulated.
A NAT Gateway provides the entities inside an internal network with connectivity to
the Internet without exposing the internal network and its entities.
A NAT Gateway is:
A node or a AHV host. You need a host or a node to implement a NAT Gateway because
NAT gateways require operations like load balancing and routing that are
automatically performed by Flow Networking.
Connected to the internal network with an internal subnet based IP address and to
the external network with an externally-routable IP address.
The
externally-routable IP address may be an IP address from a private IP address
space or an RFC1918 address that is used as a NAT gateway. The NAT Gateway IP
address could be a static IP address or a DHCP assigned IP address.
Table 1.
NAT Gateway Failover Time
Event
Failover Time
Network controller stops on AHV
Up to 45 seconds.
Node reboot
Up to 45 seconds.
Node power off:
When NAT Gateway and network controller MSP worker VMs are
not on the same node.
Up to 45 seconds.
Node power off:
When NAT Gateway and network controller MSP worker VMs are
on the same node.
Up to 300 seconds (5 minutes).
Static IP Address
A static IP address is a fixed IP address that is manually assigned to an interface
in a network. Static IP addresses provide stable routes that do not have to be updated
frequently in the routing table since the static routes generated using static IP
addresses do not need to be updated.
Usually in a large IP-based network (a network that uses IP addresses), a Dynamic
Host Configuration Protocol or DHCP server assigns IP addresses to interfaces of an
entity (using DHCP client service on the entity). However, some entities may require a
static IP address that can be reached (manual remote access or via VPN) quickly. A
static IP address can be reached quickly because the IP address is fixed, assigned
manually and is stored in the routing table for a long duration. For example, a
printer in an internal network would need a static IP address so that it can be
connected reliably. Static IP addresses can be used to generate static routes which
remain unchanged in routing tables, thus providing stable long-term connectivity to
the entity that has the static IP address assigned.
Static Route
Static routes are fixed routes that are created manually by the network
administrator. Static routes are more suited for small networks or subnets.
Irrespective of the size of a network, static routes may be required in a variety of
cases. For example, in VPCs where you use virtual private networks (VPNs) or Virtual
Tunnel End Point (VTEP) over VxLAN transport connections to manage secure connections,
you could use static routes for specific connections such as site-to-site connections
for disaster recovery. In such a case it is necessary to have a known reliable route
over which the disaster recovery operations can be performed smoothly. Static routes
are primarily used for:
Facilitating the easy maintenance of the routing table in small networks that are
not expected to grow.
Routing to and from other internal route or stub networks. A stub network or an
internal route network is a network accessed using a single route and the router has
only one neighbor.
Use as a default or backup route. Such a route is not expected to specifically
match any other route in the routing table.
In a network that is not constantly changing, static routes can provide faster and
more reliable services by avoiding the network overheads like route advertisement and
routing table updates for specific routes.
Overlay networks
You can create an IP-based Overlay subnet for a VPC. An Overlay network is a
virtualized network that is configured on top of an underlying virtual or physical
network. A special purpose multicast network can be created as an Overlay network
within an existing network. A peer-to-peer network or a VPN are also examples of
Overlay networks. An important assumption for an Overlay network is that the
underlying network is fully connected. Nutanix provides the capability to create
Overlay network-based VPCs.
Comparing Overlay with VLAN
See how overlay networks compare with VLAN networks. A virtual local area network or VLAN
network is a Layer 2 network that provides virtualized network segmentation solution. VLANs
route and balance traffic in a network based on MAC addresses, Protocols such as Ethernet,
ports or specific subnets. A VLAN creates a virtual Layer 3 network using Layer 2 addressing
by separating broadcast domains virtually or logically. A VLAN configured network behaves as
if the network is segmented using a physical layer 2 switch without implementing a layer 3
IP based subnet for the segmentation. VLAN traffic usually cannot traverse outside the
VLAN.
The main advantage that VLAN networks provide is that VLAN networks require only layer 2
(L2) connectivity. VLANs do not require any of the layer 3 (L3) Flow Networking
features.
Overlay networks can be laid on underlying physical network connections including VLAN
networks. Overlay networks provide the following advantages and constraints:
IP address namespace is decoupled from the physical network.
You can create, update or delete overlay networks without requiring any configurations
on the physical network and powering down the systems.
You can create overlay networks that can span across multiple clusters.
VLAN networks are necessary for Bootstrapping of Flow Networking.
Note:
Nutanix
recommends using VLAN0 as the default untagged (also called native) VLAN for a CVM and
AHV host. You can create VLANs for user VMs using the
Network
Configuration
page. You can use the
Create Virtual
Switch
dialog box from the
Network Configuration
page
to create virtual switches for the user VM VLANs.
AHV Networking VLAN and Flow Networking VLAN: VLAN backed subnets for external
connectivity are managed by the Flow Networking control plane. Traditional AHV VLAN IPAM
networks are managed by Acropolis. Do not configure the same VLAN as both a Flow
Networking external network and an AHV IPAM network, as this can lead to IP address
conflicts.
Traffic Behavior
Broadcast Traffic
When all the guest VMs belonging to a subnet are in the same AHV: Flow Networking
broadcasts the traffic to all guest VMs in the same subnet.
When some VMs belonging to a subnet are in other AHVs: Flow Networking tunnels the
traffic to only those AHVs which have endpoints in the same subnet.
In other words, Flow Networking broadcasts traffic to all the guest VMs in the same
subnet.
Unicast Traffic
Unicast traffic is traffic transmitted on a one-to-one basis between IP addresses and
ports. There is only one sender and one receiver for the traffic. Unicast traffic is
usually the most used form of traffic in any LAN network using Ethernet or IP
networking. Flow Networking transmits unicast traffic based on the networking policies
set.
Unknown Unicast Traffic
Flow Networking always drops unknown unicast traffic. It is not transmitted to any
guest VM within or outside the source AHV.
Multicast Traffic
Flow Networking transmits the traffic to the VMs in the multicast group within the
same subnet. If the VM is on another AHV, the destination AHV must have an endpoint in
the subnet.
Multicast Group
A multicast group is defined by an IP address (called a multicast IP address, usually
a Class D IP address) and a port number. Once a host has group membership, the host
will receive any data packets that are sent to that group defined by an IP
address/port number.
Prerequisites for Enabling Flow Networking
Make sure you meet these prerequisites before you enable Flow networking on Prism
Central.
Requirements
Important:
Prism Central protection and recovery does not protect or recover
Flow networking services.
You must have the following fulfilled to enable Flow networking:
Ensure that you log on to Prism Central as a local account user with
Prism
Admin
role. If you log on to Prism Central as a non-local account
(IDP-based) user or without
Prism Admin
role privileges, then
Prism Central does not allow you to enable or use Flow Networking. The task is reported
as
Failed
with a
User Denied Access
message.
Ensure that the Prism Central running Flow networking is hosted on an AOS cluster
running AHV.
The network controller has a dependency only on the AHV version.
Ensure that microservices infrastructure on Prism Central is enabled. See
Prism
Central Guide
for information about microservices infrastructure.
Choose the x-large PC VM size for Flow networking deployments. Small or large PC VMs
are not supported for Flow Networking.
If you are running a small or large Prism Central VMs, upgrade the Prism Central VM
resources to x-large PC VM. See
Acropolis Upgrade Guide
for procedure to
install an x-large Prism Central deployment.
Although Flow networking may be enabled on a single-node PC, Nutanix strongly
recommends that you deploy a three-node scale-out Prism Central for production
deployments. The availability of Flow networking service in Prism Central is critical
for performing operations on VMs that are connected to overlay networks. A three-node
scale-out Prism Central ensures that Flow networking continues to run even if one of the
nodes with a PCVM fails.
Prism Central VM registration. You cannot unregister the Prism Element cluster that is
hosting the Prism Central deployment where you have enabled Flow Networking. You can
unregister other clusters being managed by this Prism Central deployment.
Ensure that Microservices Infrastructure (CMSP) is enabled on Prism Central before you
enable Flow Networking. See the
Prism Central Guide
for more
information.
For the procedure to enable Microservices Infrastructure (including enable in dark
site), see
Enabling Micro Services Infrastructure
section in the
Prism Central Guide
.
Note:
When you configure microservices infrastructure, ensure that the DNS name you
configure for CMSP does not end with
test
. Flow networking does not support
test
as a top level domain. For example, the following are valid domain configurations:
my.cluster.domain
my.test.cluster.test.domain
However, the following are examples of domains that Flow networking does not support:
my.cluster.test
my.cluster.domain.test
Ensure that you have created a virtual IP address (VIP) for Prism Central. The
Acropolis Upgrade Guide
describes how to set the VIP for the Prism
Central VM. Once set, do not change this address.
Ensure connectivity:
Between Prism Central and its managed Prism Element clusters.
To the Internet for connectivity (not required for dark site) to:
ECR for Docker images
S3 storage for LCM portal
Note:
For dark site deployments, Nutanix provides a dark
site bundle, which has the Docker images (normally hosted on ECR) and the network
controller package (normally hosted on LCM portal). These dark site bundles can be
downloaded using an internet-connected system outside the dark site.
Prism Central backup, restore, and migration. You cannot perform these operations on
MSP-enabled Prism Central.
Nutanix recommends increasing the MTU to 9000 bytes on the virtual switch vs0 and
ensure that the physical networking infrastructure supports higher MTU values (jumbo
frame support). The recommended MTU range is 1600-9000 bytes.
Nutanix CVMs use the standard Ethernet MTU (maximum transmission unit) of 1,500 bytes
for all the network interfaces by default. The system advertises the MTU of 1442 bytes
to guest VMs using DHCP to account for the extra 58 bytes used by Generic Network
Virtualization Encapsulation (Geneve). However, some VMs ignore the MTU advertisements
in the DHCP response. Therefore, to ensure that Flow networking functions properly with
such VMs, enable jumbo frame support on the physical network and the default virtual
switch vs0.
If you cannot increase the MTU of the physical network, decrease the MTU of every VM in
a VPC to 1442 bytes in the guest VM console.
Note:
Do not change the MTU of the CVM.
Figure.
Sample Configurations with and without Higher MTU - VS0, CVM and UVMs
Click to enlarge
Requirements for Upgrades
The following applies to upgrades of Flow networking network controller
(
Advanced Networking
in
Prism Control
Settings
):
Ensure that the Prism Central host is running an AHV version compatible with the
networking controller upgrade version. If necessary, upgrade the AHV version using LCM to
the version compatible with the network controller upgrade version.
Note:
See Compatibility and Interoperability Matrix on
the Nutanix Support portal for AOS and Prism Central compatibility.
Ensure that all the AHV hosts in the AOS cluster are running the version compatible with
the network controller upgrade version.
The network controller upgrade fails if any of
the AHV hosts is running an incompatible version.
Limitations
Limitations for Flow networking are as follows.
Flow networking does not support Flow security for guest VMs.
You cannot configure rules for Flow security if a guest VM has any NICs connected to
VPCs.
Flow networking is supported only on AHV clusters. It is not supported on ESXi or
Hyper-V clusters.
Flow networking is not enabled on the new PE cluster registering with the Flow
networking-enable Prism Central if the Prism Element cluster has an incompatible AHV
version.
Flow networking does not support updating a VLAN-backed subnet as an external subnet.
You cannot enable the external connectivity option in the
Update
Subnet
dialog box. Therefore, you cannot modify an existing VLAN-backed
subnet to add external connectivity.
VLAN backed subnets for external connectivity are managed by the Flow networking
control plane. Traditional AHV VLAN IPAM networks are managed by acropolis.
Note:
Do not configure the same VLAN as both a Flow networking external network and an AHV
IPAM network, as this can lead to IP address conflicts.
Flow networking cannot be disabled if any external subnets and VPCs are in use. Delete
the external subnets and VPCs and then disable Flow Networking.
Disaster Recovery backup and migration: CMSP-enabled Prism Central does not support
disaster recovery backup and migration operations both as a source and target host.
Flow Networking Configurations
Enabling Flow Networking
Before you begin
Ensure tha microservices infrastructure is enabled on Prism Central. See
Enabling Micro Services Infrastructure
section in the
Prism
Central Guide
.
About this task
Before you proceed to enable Flow Networking by enabling the
Advanced
Networking
option, see Prerequisites for Enabling Flow Networking.
To enable Advanced Networking, go to
Prism Central Settings
>
Advanced Networking
and do the following.
Procedure
In the
Advanced Networking
pane, click
Enable
.
Ensure that the prerequisites specified on the pane are fulfilled.
Figure.
Enabling Flow Networking
Click to enlarge
Prism Central displays the deployment in-progress.
Figure.
Deployment Progress
Click to enlarge
Flow Networking is enabled.
Figure.
Flow Networking Status
Click to enlarge
Disabling Flow Networking
About this task
You can disable Flow Networking. However, the network controller cannot be disabled
if any external subnets and VPCs are in use. Delete the subnets and VPCs before you
disable advanced networking.
Note:
Flow Networking cannot be disabled if any external subnets and VPCs are in use.
Delete the external subnets and VPCs and then disable Flow Networking.
To disable Flow Networking, do the following.
Procedure
On the
Advanced Networking
page, click
Disable
.
Figure.
Click to enlarge
On the confirmation message box, click
Confirm
to
confirm disablement.
To exit without disabling the
Advanced Networking
controller, click
Cancel
.
Unregistering a PE from the PC
Before unregistering a Prism Element from PC, disable Flow Networking on that Prism
Element using network controller CLI (or atlas_cli).
About this task
When Flow Networking is enabled on a Prism Central, it propagates the capability to
participate in VPC networking to all the registered Prism Elements that are running
the required AHV version.
In cases where there are VMs on the Prism Element attached to the VPC network, or if
the Prism Element is used to host one or more of the external VLAN networks attached
to a VPC, Prism Central alerts you with a prompt. When being alerted about the
aforementioned conditions, close the CLI and make adequate configuration to resolve
the condition (for example, select a different cluster for the external VLAN network
and delete the VMs attached to the VPC network running on the Prism Element). After
making such configurations, execute the network controller CLI to disable Flow
Networking. If the command goes through successfully, it is safe to unregister the
Prism Element.
For example, in a deployment of three Prism Elements - PE1, PE2 and PE3 - registered
to the Flow Networking-enabled PC, you want to unregister PE3 from the PC. You must
first disable Flow Networking using the following steps:
Procedure
SSH to PE3.
Run the
ncli cluster info
or
ncli cluster
get-params
command to get the cluster parameters.
Copy the cluster UUID (For example: 017457d3-1012-465c-9c54-aa145f2da7d9) from
the displayed cluster parameters.
SSH to the Prism Central VM.
Open the network controller console by executing the
atlas_cli
command.
nutanix@cvm$ atlas_cli
<atlas>
Execute the
config.add_to_excluded_clusters <cluster
uuid>
command, providing the cluster UUID that you copied
earlier.
An example of the PC alert, for the condition that PE3 VM is attached to an
external network, is as follows:
<atlas> config.add_to_excluded_clusters 0005bf8d-2a7f-3b2e-0310-d8e34995511e
Cluster 0005bf8d-2a7f-3b2e-0310-d8e34995511e has 1 external subnet,
which will lose connectivity. Are you sure? (yes/no)
Note:
To enable Flow Networking on the cluster, execute the
config.remove_from_excluded_clusters <cluster
uuid>
command, providing the cluster UUID.
What to do next
To verify if Flow Networking is disabled or enabled, SSH to PE3 and run the
acli atlas_config.get
command.
The output displays the
enable_atlas_networking
parameter as
False
if Flow
Networking is disabled and as
True
if Flow Networking is enabled on
the Prism
Element.
You can upgrade the Flow networking controller (
Advanced Networking
Controller
in
Prism Central Settings
) using Life Cycle Manager
(LCM) on Prism Central.
Before you begin
See Prerequisites for Enabling Flow Networking.
In case of upgrading the Flow networking controller in a dark site, ensure that LCM
is configured to reach the local web server that hosts the dark site upgrade
bundles.
Note:
The network controller upgrade fails to start after the pre-check if one or more
clusters have Flow Networking enabled and are running an AHV version
incompatible with the new network controller upgrade version.
About this task
To upgrade the network controller using LCM, do the following.
Procedure
Choose one of the following ways to reach the LCM page:
Go to
Administration
>
LCM
>
Inventory
Click
Check for Updates
on the
Advanced
Networking
page.
Figure.
Check for Updates
Click to enlarge
Click
Perform Inventory
.
When you click
Perform Inventory
, the system scans the
registered Prism Central cluster for software versions that are running
currently. Then it checks for any available upgrades and displays the
information on the LCM page under
Software
.
Go to
Updates
>
Software
. Select the
Advanced Networking Controller
version you want to upgrade to and click
Update
.
Figure.
Networking Controller version
Click to enlarge
Deploying Flow Networking at a Dark Site
About this task
Dark sites are primarily on-premises installations which do not have access to the
internet. Such sites are disconnected from the internet for a range of reasons
including security. To deploy Flow networking at such dark sites, you need to deploy
the dark site bundle at the site.
This dark site deployment procedure includes downloading and deploying MSP and the
network controller bundles.
Before you begin
See Prerequisites for Enabling Flow Networking.
You need access to the Nutanix Portal from an Internet-connected device to
download the following dark site bundles:
Note:
For dark site deployments, Nutanix provides a dark
site bundle, which has the Docker images (normally hosted on ECR) and the network
controller package (normally hosted on LCM portal). These dark site bundles can be
downloaded using an internet-connected system outside the dark site.
MSP dark site bundle: https://portal.nutanix.com/page/downloads/list > Microservices Platform (MSP)
Flow Networking network controller dark site bundle: See the
Flow
Networking Release Notes
for the link to download the dark
site bundle.
Network Gateway bundle: See the
Flow Networking Release
Notes
for the link to download the dark site bundle with
checksum text file. Also, see
KB-12393
.
To deploy Flow Networking at a dark site, do the following.
Procedure
Start a web server to host the dark site bundles and act as a source for the
LCM downloads, if one is not already created.
The web server can be a virtual machine on a cluster at the dark site. All
the Prism Central VMs at the dark
site must have access to this web server. This web server
is used when you deploy any dark site bundle including the network
controller darksite bundle.
For more information about the server installation, see:
Linux web server
Windows web server
In Prism Central, go to
Administration
>
LCM
>
Inventory
.
Alternatively, SSH into the Prim Central VM as an admin user and run the
following command.
Where <LCM-web-server-ip> is the IP address of the LCM web server and
release is the name of the directory where the packages were extracted.
For example,
admin@pcvm$ mspctl controller airgap enable
--url=http://10.48.111.33/release
. Here,
10.48.111.33
is the IP address of the LCM web server
and
release
is the name of the directory where the
packages were extracted.
Verify the configuration by running the following command:
nutanix@cvm$ mspctl controller airgap get
From a device that has public Internet access, click the Nutanix Compatibility Bundle link and
down the bundle. Transfer this bundle to the LCM web server and extract the
contents.
From a device that has public Internet access, Nutanix recommends that you
download and extract the latest MSP dark site bundle, transfer it to the LCM web
server, and extract the contents.
From a device that has public Internet access, download the Flow networking
dark site bundle (see Release Notes | Flow Networking for
download links). Transfer the bundle to the LCM web server.
Extract or unpack the Flow networking dark site bundle on the LCM web
server.
After unpacking, check if the system shows a directory path that includes the
following as per the example:
http://<LCM-web-server-ip>/release/builds/msp-builds/msp-services/464585393164.dkr.ecr.us-west-2.amazonaws.com/nutanix-msp/atlas-hermes/
.
Run the following command after unpacking to ensure that the file permissions
are not disrupted during the unpacking:
Linux.
chmod -R +r builds
Windows
NTFS.
$> takeown / R / F *
$> icacls <Build-file-path> /t /grant:F
This section provides information to assist troubleshooting of Flow Networking
deployments. This is in addition to the information that the "Prism Central Guide"
provides.
Audit Logs
Prism Central generates audit logs for all the flow networking activities like it
does for other activities on Prism Central. See
Audit Summary View
in the
Prism Central Guide
, for more information about Audit log.
Support Bundle Collection
To support troubleshooting for Flow Networking, you can collect logs.
To collect the logs, run the following commands on the Prism Central VM console:
msp
tag will collect logs from the services running on MSP
pods and persistent log volumes (application-level logs)
anc
tag will collect the support bundle, which includes
database dumps and OVN state
-O
flag adds tag-level options
msp_pod=true
collects logs from MSP service pods
On the PC, these logs can be found under
/var/log/containers
.
persistent=true
collects persistent log volumes
(application-level logs for ANC)
On the PC, these can be found under /var/log/ctrlog
kubectl_cmds=true
runs
kubectl
commands to
get the Kubernetes resource state
--duration
sets the duration from the present to collect
The command run generates a zip file at a location, for example:
/home/nutanix/data/logbay/bundles/<filename>.zip
Unzip the bundle and you'll find the
anc
logs under a directory
specific to your MSP cluster, the worker VM where the pod is running, and the logging
persistent volume of that pod. For example:
For more information about the task run, see the text file that the command generates
at a location, for
example:
/home/nutanix/data/logbay/taskdata/<taskID>/collection_result.txt
For more information about the
logbay collect
command, see the
Logbay Log Collection (Command Line)
topic in the
Nutanix Cluster
Check Guide
(NCC Guide).
Layer 2 Virtual Subnet Extension Alert
The
L2StretchLocalIfConflict
alert (Alert with Check ID
- 801109) may occur while performing Layer 2 virtual subnet extensions. See KB-10395
for more information about its resolution.
Network Gateway Upgrades
Nutanix deployment can detect and install upgrades for the onprem Nutanix Gateways.
For information about identifying the current Nutanix Gateway version, see Identifying the Gateway Version.
For onprem Nutanix Gateways, the upgrades need to be detected and installed on the respective
PC on which each Nutanix Gateway is installed.
For more information, see Detecting Upgrades for Gateways.
When PC detects the upgrades, it displays a banner on the
Gateways
tab
of the
Connectivity
page. The banner notifies you that a Gateway upgrade
is available after you have run LCM inventory. The table on the
Gateways
tab also displays an alert (exclamation mark) icon for the network gateways that the upgrade
applies to. The hover message for the icon informs you that an upgrade is available for that
Gateway.
Figure.
Upgrade Banner
Click to enlarge
For more information about the upgrade procedure, see Upgrading the PC-managed Onprem Nutanix VPN Gateways.
Identifying the Gateway Version
About this task
To identify the current Nutanix Gateway version, do the following:
Procedure
Click the hamburger icon and
Networking & Security
>
Connectivity
.
On the
Gateways
tab, click the Gateway name link text to open the
Gateway details page.
In the Gateway table, the VPN Gateway name is a clickable link text.
The
Gateway Version
is listed in the
Properties
widget.
Figure.
Gateway Version
Click to enlarge
Detecting Upgrades for Gateways
About this task
Prism Central can detect whether new Gateway upgrades are available, or not, for
Nutanix Gateways using LCM. You can then install the upgrade.
Procedure
Click the hamburger icon of
Dashboard
.
Click
Administration
>
LCM
>
Inventory
.
Click
Perform Inventory
.
Note:
Nutanix recommends that you select
Enable LCM Auto
Inventory
in the
LCM
page in Prism
Central to continuously detect new Gateway upgrades as soon as they are
available.
The upgrade notification banner is displayed on the
Gateways
page.
Upgrading the PC-managed Onprem Nutanix VPN Gateways
About this task
Perform upgrades of PC-managed Nutanix Gateways using the respective PC on which the
Gateway is created.
To upgrade the on-prem Nutanix Gateways, do the following:
Procedure
Log on to the Prism Central as the admin user and click the gear icon.
Go to
Administration
>
LCM
>
Inventory
.
Click
Perform Inventory
.
When you click
Perform Inventory
, the system scans the
registered Prism Central cluster for software versions that are running
currently. Then it checks for any available upgrades and displays the
information on the
LCM
page under
Software
.
Note:
Skip this step if you have enabled auto-inventory in the
LCM
page in Prism Central.
Go to
Updates
>
Software
. Select the
Gateway version you want to upgrade to and click
Update
.
LCM upgrades the Gateway version. This process takes sometime.
Network and Security View
The
Network and Security
category in the
Entities
Menu
expands on-click to display the following networking and security
entities that are configured for the registered clusters:
Subnets
: This dashboard displays the subnets and the operations
that you can perform on subnets.
Virtual Private Clouds
: This dashboard displays the VPCs and the
operations that you can perform on VPCs.
Floating IPs
: This dashboard displays a list of floating IP
addresses that you are using in the network. It allows you to request for floating IP
addresses from the free pool of I addresses available to the clusters managed by the
Prism Central instance.
Connectivity
: This dashboard allows you to manage the following
networking capabilities:
Gateways
: This tab provides a list of network gateways that
you have created and configured, and the operations you can perform on the network
gateways. You can check and upgrade the Gateway bundle in
Administration
>
LCM
>
Inventory
.
VPN Connections
: This tab provides a list of VPN connections
that you have created and configured, and the operations you can perform on VPN
connections.
Subnet Extensions
: This tab provides a list of subnets that
you have extended at the Layer 2 level using VPN (point-to-point over Nutanix VPN)
or VTEP (point-to-multi-point including third party).
Security Policies
: This dashboard provides a list of security
policies you configured using Flow Segmentation. For more information about Security
Policies, see the Flow Microsegmentation Guide.
See "Network Connections" section for information on how to configure network connections.
Subnets (Overlay IP subnets), Virtual private clouds, floating IPs, and Connectivity are
Flow Networking features. These features support flexible app-driven networking that focuses
on VMs and applications instead of virtual LANs and network addresses. Flow Networking
powers network virtualization to offer a seamless network experience with enhanced security.
It is disabled by default. It is a software-defined network virtualization solution
providing overlay capabilities for the on-premises AHV clusters.
Security policies drives the Flow Segmentation features for secure communications. See
Flow Microsegmentation Guide.
Subnets
Manage subnets in the
List
view of
Subnets
dashboard in the
Network and
Security
section.
To access the
Subnets
dashboard, select
Subnets
from the entities menu in Prism Central. The
Subnets
dashboard allows you to view information about the subnets configured for the registered
clusters.
Note:
This section describes the information and options that appear in the
Network
and Security
dashboard. See
Entity Exploring
for instructions on how
to view and organize that information in a variety of ways.
Figure.
Subnets Dashboard
Click to enlarge
The following table describes the fields that appear in the subnets list. A dash (-) is
displayed in a field when a value is not available or applicable.
Table 1.
Subnets Dashboard Fields
Parameter
Description
Values
Name
Displays the subnet name.
(subnet name)
External Connectivity
Displays whether or not the subnet has external connectivity
configured.
(Yes/No)
Type
Displays the subnet type.
VLAN
VLAN ID
Displays the VLAN identification number.
(ID number)
VPC
Displays the name of the VPC that the Subnet is used in.
(Name of VPC)
Virtual Switch
Displays the virtual switch that is configured for the VLAN you selected. The
default value is the default virtual switch
vs0
.
Note:
The virtual
switch name is displayed only if you add a VLAN ID in the VLAN ID
field.
(virtual switch name)
IP Prefix
Displays the IPv4 Address of the network with the prefix.
(IPv4 Address/Prefix)
Cluster
Displays the name of the cluster for which this subnet is configured.
(cluster name)
Hypervisor
Displays the hypervisor that the subnet is hosted on.
(Hypervisor)
To filter the list by network name, enter a string in the filter field. (Ignore the
Filters
pane as it is blank.)
To view focused fields in the List, select the focus parameter from the
Focus
drop down list. You can create your own customised focus
parameters by selecting
Add custom
from the drop down list and
selecting the necessary fields after providing a
Name
, in the
Subnet Columns
.
There is a
Network Config
action button to configure a new network
(see
Configuring Network Connections
The
Actions
menu appears when one or more networks are selected and
includes a
Manage Categories
option (see
Assigning a Category
).
Go to the
Subnets
list view by clicking
Network and Security
>
Subnets
on the left side-bar.
Figure.
Subnets Page
Click to enlarge
To view or select actions you can perform on a subnet, select the subnet and click the
Actions
dropdown.
Figure.
Subnet Actions
Click to enlarge
Table 2.
Subnet Actions
Action
Description
Update
Click this action to update the selected subnet. see Updating a Subnet in the Flow Networking
Guide.
Manage Extension
Click this action to create a subnet extension. A subnet extension allows VMs
to communicate over the same broadcast domain to a remote Xi availability zone (in
case of Xi-Leap based disaster recovery) via the extension.
Manage Categories
Click this action to associate the subnet with a category or change the
categories that the subnet is associated with.
Delete
Click this action to delete the selected subnet. See Deleting Subnets, Policies, or Routes in the
Flow Networking Guide
.
You can also filter the list of subnets by clicking the
Filters
option and selecting the filtering parameters.
Subnet Summary View
View the details of a subnet listed on the Subnets page.
To view the details of a subnet, click the name of the subnet on the subnet list view.
Figure.
Subnet Summary Page
Click to enlarge
The
Summary
page provides buttons for the actions you can perform on
the subnet, at the top of the page. Buttons for the following actions are available:
Update
,
Extend
,
Manage
Categories
, and
Delete
.
The subnet
Summary
page has the following widgets:
Widget Name
Information provided
Subnet Details
Provides the following:
Type
— Displays the type of network like VLAN or
Overlay.
VLAN ID
— Displays the VLAN ID. This parameter is
displayed only for VLAN networks.
VPC
— Displays the VPC name. This parameter is displayed
only for Overlay networks.
Cluster
— Displays the cluster that the VLAN network is
configured on. This parameter is displayed only for VLAN networks.
IP Prefix
— Displays the IP address prefix configured for
the network. This parameter is displayed for both VLAN and Overlay
networks.
IP Pool
Provides the IP address
Pool Range
assigned to the
network.
External Connectivity
Provides the following:
NAT
— Displays whether NAT is enabled or disabled for
VPCs connecting to the network. When you hover on the
Enabled
/
Disabled
status, the hover message displays details of VPCs connected to the external
subnet.
Associated VPCs
— Displays the VPCs associated with this
external subnet.
Virtual Private Clouds
You can manage Virtual Private Clouds (VPCs) on the
Virtual Private
Clouds
dashboard.
Go to the
Virtual Private Clouds
dashboard by clicking
Network and Security
>
Virtual Private Clouds
on the left side-bar.
Figure.
Virtual Private Clouds dashboard
Click to enlarge
You can configure the table columns for the VPC list table. The available column list
includes
Externally Routable IP Addresses
that provides address
space within the VPC that is reachable externally without NAT.. For the list of columns that
you can add to the list table, see Customizing the VPC List View.
Note:
Ensure that the externally routable IP addresses (subnets with external connectivity
without NAT) for different VPCs do not overlap.
Configure the routes for the external connectivity subnets with next hop as the Router or
SNAT IP address. Also configure the routes on the router for the return traffic to reach
the VPC. See
External Connectivity
panel in VPC Details View.
To view or select actions you can perform on a VPC, select the VPC and click the
Actions
drop down.
You can also filter the list of VPC by clicking the
Filters
option
and selecting the filtering parameters.
Customizing the VPC List View
About this task
You can customize the columns in the table. Click the
View by
drop down and select
+ Add custom
.
In the
Virtual Network Columns
dialog box, do the following.
Procedure
Enter a name for the view.
Select the columns you want displayed in the table.
During the column selection, the columns you select are moved under the
Selected Columns
list. The
Name
(of the VPC) column is the default column
already selected. You can add a maximum of 10 columns (including the
Name
column) to the
Selected
Column
list.
Figure.
Customizing Columns in VPC View
Click to enlarge
To arrange the order of the selected columns, hover on the column name and
click the up or down arrow button as appropriate.
Click
Save
.
VPC Details View
To view the details of a VPC, click the name of the VPC on the VPC list view.
The VPC details view has the following tabs:
Summary
Figure.
Summary Tab
Click to enlarge
The
Summary
tab provides the following panes:
DNS Servers
—Provides more information about the DNS Servers
used by the VPC.
External Connectivity
—Provides the name of the external
subnet, NAT Gateway host details, router/SNAT IP address and the IP address spaces or
ranges configured for the VPC.
Floating IP Addresses
—Provides details of the floating IP
addresses that the VPC uses.
Subnets
Figure.
Subnet Tab
Click to enlarge
The
Subnet
tab provides the following information for the
subnets:
Name
—Displays the name of the subnet.
IP Range
—Displays the IP address range configured for the
subnet.
DHCP IP Pool
—Displays the DHCP IP address pool configured for
the subnet.
Default Gateway IP
—Displays the IP address used as the
default gateway by the entities in the subnet.
Actions
—Displays the actionable links to
Edit
or
Delete
the subnet.
Policies
Figure.
Policies Tab
Click to enlarge
The
Policies
tab maps the following information about the
security-based traffic shaping policies you configure:
Priority
—The traffic priority.
Rule
—The
Allow
or
Deny
rule set for the priority.
Traffic
—The traffic type that the priority and rule should be
applied to.
Actions
—Actions you can take on the policy. You can perform
three actions:
Clear counters
,
Edit
the
policy or
Delete
the policy.
Routes
Figure.
Routes Tab
Click to enlarge
The
Routes
tab provides the following information about the
routes:
The VPC details view has the following configuration options for the VPC:
Update
: Use this option to update the VPC. For more information,
see Updating Virtual Private Cloud.
Add Subnet
: Use this option to add a subnet to the VPC. For more
information, see Creating a Subnet.
Create Static Routes
: Use this option to create a static route.
For more information, Creating Static Routes.
Update Static Routes
: Use this option to update static route
configurations that you already created. For more information, see Updating Static Routes.
Create Policy
: Use this option to create traffic policies in
addition to the pre-configured default policy. When you create a VPC, there is one default
policy that Advanced Networking creates for the VPC. This policy is pre-configured and
cannot be edited. For more information, see Creating a Policy.
Clear All Counters
: Allows you to clear all the counters for the
VPC.
Delete
: Allows you to delete the VPC. For more information, see
Deleting a Virtual Private Cloud.
Floating IPs
You can access floating IPs on the
Floating IPs
dashboard or list view in the
Network and Security
section.
For information about floating IP addresses and their role in Flow Networking, see SNAT and Floating IP Address.
Go to the
Floating IPs
dashboard by clicking
Network and Security
>
Floating IPs
on the left side-bar.
Figure.
Floating IPs dashboard
Click to enlarge
To view or select actions you can perform on a floating IP address assigned, select the
floating IP address and click the
Actions
drop down. The following
actions are available for a selected floating IP address:
Update—Assign or change the assignment of the floating IP address. You can assign the
floating IP address to a IP address such as a private IP address in a VPC or the primary
IP address of a VM or a secondary IP address created on a VM.
Delete—Delete the floating IP address. The deleted IP address returns to the IP address
pool as unused. Before you delete, ensure that it is not assigned to a private IP address
or a VM. Change the assignment to
None
if it is already assigned,
using the
Update
action.
Note:
Floating IP addresses are not reachable (Pings fail) unless you associate them to
primary or secondary IP addresses of VMs. For more information about assigning floating IP
addresses to secondary IP addresses of VMs, see
Assigning Secondary IP Addresses to Floating
IPs
.
To filter the list of floating IP address assignments, click the
Filters
option and select the appropriate filtering
parameters.
To request floating IP addresses, see Requesting Floating IPs.
Connectivity
You can access network Gateways, VPN connections and subnet extensions on the
Connectivity
dashboard.
Click
Network & Security
>
Connectivity
to see the
Connectivity
dashboard.
The
Connectivity
dashboard opens on the
Gateways
tab. To see the VPN connections, click the
VPN Connections
tab. To see
the subnets extended across AZs, click the
Subnet Extensions
tab.
Gateways Summary View
The Connectivity dashboard opens on the Gateways dashboard or summary view.
The
Gateway
dashboard provides a list of gateways created for the
clusters managed by the Prism Central.
The
Gateways
dashboard provides a
Create
Gateway
dropdown menu that lets you create a
Local
or a
Remote
gateway. You can create a local or remote gateway with
VPN
or
VTEP
service. For more information,
see Creating a Network Gateway.
You can select a gateway from the list (select the checkbox provided for the gateway) and
then perform an action provided in the
Actions
dropdown list. The
Actions
dropdown list allows you to
Update
or
Delete
the selected gateway.
Figure.
Gateways dashboard
Click to enlarge
The
Gateway
summary list view provides the following details about
the gateway.
Table 1.
Gateway List Fields
Parameter
Description
Values
Name
Displays the name of the gateway.
(Name of gateway)
Type
Displays the gateway type.
(Local or Remote)
Service
Displays the service that the gateway uses.
(VPN or VTEP)
Service IP
Displays the IP address used by the service.
(IP address)
Status
Displays the operational status of the gateway.
(Up or Down)
Attachment Type/Vendor
Displays the type of subnet associated with the gateway.
(VLAN or Overlay-VPC name)
Connections
Displays the number of service connections (such as VPN connections) configured
and operational on the gateway.
(number)
You can click the name of a gateway to open the gateway details page that presents the
information about the gateway in widgets.
Gateway Details View
You can click the name of a gateway in the
Gateway
dashboard
list to open the gateway details page that presents the information about the gateway in
widgets.
The gateway details page displays the name of the gateway on the top left corner.
On the top right corner, the close button (X) allows you to close the details page.
The
Update
button opens the
Update
Gateway
page. See
Updating Gateways
for more information.
The
Delete
button allows you to delete the gateway. See
Deleting Gateways
for more information.
Figure.
Gateway Details View
Click to enlarge
The details about the gateway are organized in widgets as follows:
Table 1.
Gateway Details
Parameter
Description
Values
Properties widget
Type
Displays the gateway type.
(Local or Remote)
Attachment Type
Displays the network entity like VLAN or VPC that the gateway is attached
to.
(VLAN or VPC)
VPC or Subnet (VLAN)
Displays the name of the attached VPC or VLAN subnet.
(Name of VLAN or VPC)
Floating or Private IP Address
Displays the Floating (for VPC) or Private (for VLAN) IP address assigned to
the gateway.
(IP Address)
Status
Displays the operational status of the gateway.
(Up or Down)
Gateway Version
Displays the version of the Nutanix gateway appliance deployed.
(Version)
Cluster
Displays the name of the cluster on which the gateway is created.
(Cluster name)
Gateway VM
Displays the name of the VM on which the gateway is created.
(Name of VM - actionable link. Click the name-link to open the VM details page
of the gateway VM.)
Service Configuration
Service
Displays the service used by the gateway.
(VPN or VTEP)
External Routing
Displays the type of routing associated with the gateway for external traffic
routing.
(Static or eBGP with ASN)
Internal Routing
Displays the type of routing associated with the gateway for internal traffic
routing.
(Static or eBGP with ASN)
VPN Connections
Displays the total number of VPN connections associated with the
gateway.
(Number - actionable link. Click the link to open the VPN connection details
page for the associated VPN connection.)
View VPN Connections
Click this link to open the VPN Connections tab.
-
VPN Connections Summary View
The Connectivity dashboard allows you to open the VPN Connections dashboard or summary
view.
VPN Connection: Represents the VPN IPSec tunnel established between local gateway and
remote gateway. When you create a VPN connection, you need to select two gateways between
which you want to create the VPN connection.
The
VPN Connections
dashboard provides a list of VPN connections
created for the clusters managed by the Prism Central.
The
VPN Connections
dashboard provides a
Create VPN
Connection
button that opens the
Create VPN Connection
.
For more information, see Creating a VPN Connection.
You can select a VPN connection from the list (select the checkbox provided for the VPN
connection) and then perform an action provided in the
Actions
dropdown list. The
Actions
dropdown list allows you to
Update
or
Delete
the selected VPN
connection.
The
VPN Connections
summary list view provides the following details
about the VPN connection.
Figure.
VPN Connections dashboard
Click to enlarge
Table 1.
VPN Connections List Fields
Parameter
Description
Values
Name
Displays the name of the connection.
(gateway name)
IPSec Status
Displays the connection status of IPSec tunnel.
(Connected or Not Connected)
EBGP Status
Displays the status of the EBGP gateway connection.
(Established or Not Established)
Local Gateway
Displays the name of the local gateway used for the connection.
(Name of local gateway)
Remote Gateway
Displays the name of the remote gateway used for the connection.
(Name of remote gateway)
Dynamic Routing Priority
Displays the dynamic routing priority assigned to the connection for throughput
management. You can assign any value in the range of 100-1000. Flow networking
assigns the first VPN connection the value 500 by default. Thereafter, subsequent
VPN connections are assigned values decremented by 50. For example, the first
connections is assigned 500, then the second connection is assigned 450, the third
one 400 and so on.
(Number in the range of 100-1000. User assigned.)
VPN Connections Details View
You can click the name of a VPN connection in the
VPN
Connections
dashboard list to open the VPN connection details page that presents
the information about the VPN connection in widgets.
The VPN connection details page displays the name of the VPN connection on the top left
corner.
On the top right corner, the close button (X) allows you to close the details page.
The
Update
button opens the
Update VPN
Connection
page. For more information, see Updating a VPN Connection.
The
Delete
button allows you to delete the VPN connection. For
more information, see Deleting a VPN Connection.
Figure.
VPN Connection Details
Click to enlarge
The details about the VPN connection are organized in widgets as follows:
Summary tab—See the
VPN Connection Summary Tab Details
table below.
Throughput tab—See the
VPN Connection Throughput Tab Details
table
below.
IPSec Logging tab—Provides logs for the IPSec tunnel.
Routing Protocol Logging tab—Provides logs for the routing protocol used in the VPN
connection.
Table 1.
VPN Connection Summary Tab Details
Parameter
Description
Values
VPN Connection widget
IPSec Status
Displays the connection status of IPSec tunnel.
(Connected or Not Connected)
EBGP Status
Displays the status of the EBGP gateway connection.
(Established or Not Established)
Dynamic Routing Priority
Displays the dynamic routing priority assigned to the connection for throughput
management. You can assign any value in the range of 100-1000. Flow networking
assigns the first VPN connection the value 500 by default. Thereafter, subsequent
VPN connections are assigned values decremented by 50. For example, the first
connections is assigned 500, then the second connection is assigned 450, the third
one 400 and so on.
(Number in the range of 100-1000. User assigned.)
Local Gateway Properties
Gateway Name
Displays the name of the local gateway used for the connection.
(Name of local gateway)
Type
Displays the type of gateway.
(Local)
Attachment Type
Displays the network entity like VLAN or VPC that the gateway is attached
to.
(VLAN or VPC)
VPC or Subnet (VLAN)
Displays the name of the attached VPC or VLAN subnet.
(Name of VLAN or VPC)
Tunnel IP
Displays the Tunnel IP address of the local gateway.
(IP Address)
Connection Type
Displays the connection type you selected while creating the VPN connection.
The connection type may be Initiator or Acceptor of a VPN connection between the
local and remote gateways. T
(Initiator or Acceptor)
External Routing
Displays the type of routing associated with the gateway for external traffic
routing.
(Static or eBGP with ASN)
Internal Routing
Displays the type of routing associated with the gateway for internal traffic
routing.
(Static or eBGP with ASN)
Floating or Private IP Address
Displays the Floating (for VPC) or Private (for VLAN) IP address assigned to
the gateway.
(IP Address that you assigned to the local gateway with /30 prefix when you
configured the VPN connection.)
Status
Displays the operational status of the gateway.
(Up or Down)
Cluster
Displays the name of the cluster on which the gateway is created.
(Cluster name)
Gateway VM
Displays the name of the VM on which the gateway is created.
(Name of VM - actionable link. Click the name-link to open the VM details page
of the gateway VM.)
Remote Gateway Properties
Gateway Name
Displays the name of the remote gateway used for the connection.
(Name of remote gateway)
Type
Displays the type of gateway.
(Remote)
Tunnel IP
Displays the Tunnel IP address of the remote gateway.
(IP Address)
Connection Type
Displays the connection type you selected while creating the VPN connection.
The connection type may be Initiator or Acceptor of a VPN connection between the
local and remote gateways. T
(Initiator or Acceptor)
External Routing
Displays the type of routing associated with the gateway for external traffic
routing.
(Static or eBGP with ASN)
ASN
Displays the ASN of the EBGP route. This information is only displayed if you
configured EBGP as the External Routing protocol.
(Number)
Vendor
Displays the name of the vendor of the gateway appliance at the remote
site.
(Name of vendor of gateway appliance)
External IP
Displays the IP address assigned to remote the gateway.
(IP Address that you assigned to the remote gateway with /30 prefix when you
configured the VPN connection.)
Status
Displays the operational status of the gateway.
-
Protocol Details
Service
Displays the service used by the gateway.
(VPN or VTEP)
Gateway Routes
Displays the status of the routes used by the gateways.
(Sent)
Subnet Extensions Summary View
The Connectivity dashboard opens on the Subnet Extensions dashboard or summary
view.
The
Subnet Extensions
dashboard provides a list of subnet extensions
created for the clusters managed by the Prism Central.
The
Subnet Extensions
dashboard provides a
Create Subnet
Extension
dropdown menu that lets you extend a subnet
Across
Availability Zones
or
To a Third Party Data Center
. You
can extend a subnet using
VPN
or
VTEP
service.
See Layer 2 Virtual Network Extension for more information.
You can select a subnet extension from the list (select the checkbox provided for the
subnet extension) and then perform an action provided in the
Actions
dropdown list. The
Actions
dropdown list allows you to
Update
or
Delete
the selected subnet
extension.
Figure.
Subnet Extensions dashboard
Click to enlarge
The
Subnet Extensions
summary list view provides the following
details about the gateway.
Table 1.
Subnet Extensions List Fields
Parameter
Description
Values
Name
Displays the name of the subnet extension.
(Name of subnet extension)
Type
Displays the subnet extension type.
(
Across Availability Zones
or
To a Third
Party Data Center
)
Extension Over
Displays the service that the subnet extension uses.
(VPN or VTEP)
Extension Uses
Displays the name of the local network gateway that the subnet extension
uses.
(Name of local network gateway)
Local Subnet
Displays the name of the local subnet that the subnet extension uses.
(Name of local subnet)
Remote Site
Displays the name of the remote network gateway that the subnet extension
uses.
(Name of remote network gateway)
Connection Status
Displays the status of the connection that is created by the subnet extension.
Not Available
status indicates that Prism Central is unable
to ascertain the status.
(Not Available, Connected, or Disconnected)
Interface Status
Displays the status of the interface that is used by the subnet
extension.
(Connected or Down)
You can click the name of a subnet extension to open the subnet extension details page that
presents the information about the subnet extension in widgets.
Subnet Extensions Details View
You can click the name of a subnet extension in the
Subnet
Extensions
dashboard list to open the subnet extension details page that presents
the information about the subnet extension in widgets.
The subnet extension details page displays the name of the subnet extension on the top left
corner. It has two tabs -
Summary
and
Address
Table
. The
Summary
tab provides the information about the
subnet extension in widgets. The
Address Table
tab provides MAC Address
information only when the subnet extension uses VTEP service.
On the top right corner, the close button (X) allows you to close the details page.
The
Update
button opens the
Update Subnet
Extension
page. See Updating an Extended Subnet for more information.
The
Delete
button allows you to delete the subnet extension. See
Removing an Extended Subnet for more information.
Figure.
Subnet Extensions Details View - Address Table Tab for VPN-based Extension
Click to enlarge
Figure.
Subnet Extensions Details View - Address Table Tab for VTEP-based Extension
Click to enlarge
The details about the subnet extension are organized in two tabs. The
Summary
tab organizes the subnet extension details in the extended
widget as provided in the table. The
Address Table
tab provides
details about the MAC addresses in a list.
(For VLAN subnets only) Displays the VLAN ID of the VLAN subnet that is
extended.
(VLAN ID number)
VPC
(For Overlay subnets only) Displays the name of the VPC subnet that is
extended.
(Name of VPC)
Cluster
(For VLAN subnets only) Displays the cluster that the VLAN subnet belongs
to.
(Name of cluster)
IP Address Prefix
Displays the network IP address with prefix, of the VLAN subnet that is
extended.
(IP Address with prefix)
Virtual Switch
(For VLAN subnets only) Displays the virtual switch on which the VLAN subnet is
configured.
(Virtual Switch name such as vs0 or vs1)
IP Address Pools
Pool Range
Displays the range of IP addresses in the pool configured in the subnet that is
extended.
(IP address range)
(Interactive Graphic Pie Chart)
Displays a dynamic pie chart that displays the statistic you hover on. Displays
the following IP address statistics outside the pie chart, that you can hover on:
Total number of IP addresses available.
Used IP addresses in the subnets
Used IP addresses in the IP address pools
Free IP addresses in the subnets
Free IP addresses in the IP address pools
(IP Address statistics)
Subnet Extension
Subnet Extension (properties) - Common
Type
Displays the subnet extension type.
(
Across Availability Zones
or
To a Third
Party Data Center
)
Interface Status
Displays the status of the interface that is used by the subnet
extension.
(Connected or Down)
Connection Status
Displays the status of the connection that is created by the subnet extension.
Not Available
status indicates that Prism Central is unable
to ascertain the status.
(Not Available, Connected, or Disconnected)
Local IP Address
Displays the IP address that you entered in the
Local IP
Address
field while creating the subnet extension.
(IP Address)
Local Subnet
Displays the name of the local subnet that the subnet extension uses.
(Name of local subnet)
Subnet Extension (properties) - (Only for
Across Availability Zones
type)
Local Availability Zone
(Only for
Across Availability Zones
type) Displays the
name of the local AZ that is hosting the subnet that is extended.
(Name of the local Availability Zone)
Remote Availability Zone
(Only for
Across Availability Zones
type) Displays the
name of the remote AZ that the subnet is extended to.
(Name of the remote Availability Zone)
Remote Subnet
(Only for
Across Availability Zones
type) Displays the
name of the remote subnet that the subnet extension connects to.
(Name of remote subnet)
Remote IP Address
(Only for
Across Availability Zones
type) Displays the
IP address that you entered in the
Remote IP Address
field
while creating the subnet extension.
(IP Address)
Subnet Extension (properties) - (Only for
To a Third Party Data Center
type)
Local Gateway
(Only for
To a Third Party Data Center
type) Displays
the name of the local gateway used for the subnet extension.
(Name of local gateway)
Remote Gateway
(Only for
To a Third Party Data Center
type) Displays
the name of the remote gateway used for the subnet extension.
Note:
This section describes the information and options that appear in the security policies dashboard.
See Entity Exploring for instructions on how to view
and organize that information in a variety of ways.
See Flow Microsegmentation Guide for information
about how to create and apply security policies.
Figure.
Security Policies Dashboard
Click to enlarge
The following table describes the fields that appear in the security policies list. A dash
(-) is displayed in a field when a value is not available or applicable.
Table 1.
Security Policies List Fields
Parameter
Description
Values
Name
Displays the policy name. The policy is one of three types: application,
quarantine, or isolation.
(name), Application, Quarantine, Isolation
Purpose
Describes (briefly) the policy's purpose.
(text string)
Policy
Displays (high level) what the policy does.
(boxed text)
Status
Displays the current status of the policy (either applied currently or in
monitoring mode).
Applied, Monitoring
Last Modified
Displays the date the policy was last modified (or the creation date if the
policy has never been modified).
(date)
You can filter the security polices list based on several parameter values. The following
table describes the filter options available when you open the Security Policies view
Filter
pane. To apply a filter, select a parameter and check the
box of the desired value (or multiple values) you want to use as a filter. You can apply
filters across multiple parameters.
Table 2.
Filter Pane Fields
Parameter
Description
Values
Name
Filters on the item name. Select a condition from the pull-down list
(
Contains
,
Doesn't contain
,
Starts with
,
Ends with
, or
Equal to
) and enter a string in the field. It will return a
list of security policies that satisfy the name condition/string.
(policy name string)
Type
Filters on the policy type. Check the box for one or more of the policy types
(application, quarantine, isolation). It will limit the list to just those policy
types.
Application, Quarantine, Isolation
Status
Filters on the policy status. Check the box for applied or monitoring.
Applied, Monitoring
The security policies dashboard includes a
Create Security Policy
action button with a drop-down list to
Secure an Application
or
Isolation Environments
.
The
Actions
menu appears when one or more policies are selected. It
includes options to update, apply, monitor, and delete. The available actions appear in
bold; other actions are grayed out. (For grayed out options, a tool tip explaining the
reason is provided.)
Security Policy Details View
To access the details page for a security policy, click on the desired security policy name
in the list (see Security Policies Summary View).
The Security Policy details page includes the following:
The policy name appears in the upper left. You can switch from one policy to another by
selecting the policy name from the pull-down list.
The rule status appears below the name and indicates whether the policy is being applied
currently or is in monitoring mode.
Three columns appear that specify the Inbound policy (on the left), the affected
entities (in the middle), and the Outbound policy (on the right).
There are three action buttons (upper right).
Click the appropriate button to update, apply, monitor, or delete the policy (see
Nutanix Security Guide
for details). The available actions appear in
bold; other actions are grayed out. (For grayed out options, a tool tip explaining the
reason is provided.)
Click the question mark icon to open a help page in a separate tab or window.
Click the X icon to close the details page.
Figure.
Security Policy Details View: Monitoring Rule Example
Click to enlarge
Figure.
Security Policy Details View: Applied Rule Example
Click to enlarge
For more information about Security Policies, see Flow Microsegmentation Guide.
Virtual Private Cloud
A Virtual Private Cloud (VPC) is an independent and isolated IP address space that functions
as a logically isolated virtual network. A VPC could be made up of one or more subnets that
are connected through a logical or virtual router. The IP addresses within a VPC must be
unique. However, IP addresses may overlap across VPCs. As VPCs are provisioned on top of
another IP-based infrastructure (connecting AHV nodes), they are often referred to as the
overlay networks. Tenants may spin up VMs and connect them to one or more subnets within a
VPC.
Virtual Private Cloud (VPC) is a virtualized network of resources that are specifically
isolated from the rest of the resource pool. VPC allows you to manage the isolated and secure
virtual network with enhanced automation and scaling. The isolation is done using network
namespace techniques like IP-based subnets or VLAN based networking.
AHV provides the framework to deploy VPC on on-premises clusters using the following.
Advanced Networking subnets and DHCP management
Multiple uplink and bridge management via virtual switch (VS)
Virtual Private Network (VPN) gateways and connections
Flow Networking simplifies the deployment and configuration of overlay-based VPCs. It allows
you to quickly:
Create, update and delete VPCs.
Create, update and delete subnets within VPCs.
Note:
Create subnets as necessary when you
create VPCs.
Add network security policies and services.
Configure hybrid cloud connectivity with VPNs.
This section covers the concepts and procedures necessary to implement VPCs in the
network.
VM IP Address Management
Primary Address
The primary IP address is assigned to a VM during initialization when the cluster provides
any virtual NIC (NIC) to a VM.
Select
Assign Static IP
as the
Assignment
Type
to add a static IP address as primary IP address of the VM, when you
attach a subnet to a VM.
Select
Assign with DHCP
as the
Assignment
Type
to allow DHCP to dynamically assign an IP address to the VM.
Select
No Private IP
as the
Assignment
Type
if you do not want to assign an IP address to the vNIC of the VM.
For more information about attaching a subnet to a VM, see Creating a VM through Prism Central (AHV) in the
Prism Central Guide
.
Secondary IP Addresses (Overlay Networks only)
For your deployment, you may need to configure multiple (static) IP addresses to a single
NIC. These IP addresses (other than the primary IP address) are secondary IP addresses. A
secondary IP address can be permanently associated with a specific NIC or be changed to any
other NIC. The NIC ownership of a secondary IP address is important for security routing
policies.
Note:
You can configure secondary IP addresses only for VMs in an Overlay network.
You can configure secondary IP addresses to a NIC when you want to:
Associate multiple floating IP addresses with one VM without creating multiple NICs
(each with one primary IP address) for the VM. You can assign one floating IP address to
one secondary IP address that you create for the single NIC. For information about
floating IP addresses, see Requesting Floating IPs.
Run appliances, such as load balancers, that have multiple IP addresses on each
interface.
Host applications in a High Availability (HA) configuration where the ownership of IP
address moves from the active entity to the standby entity when the active entity goes
down.
Host applications in a clustered configuration where the ownership of IP address follows
the leader.
Host Nutanix Files service in a VPC as a case of clustered application.
Note:
In applications that use secondary IP addresses as virtual IP addresses and the NIC
ownership of the secondary IP address changes dynamically from one NIC to another,
configure the application to incorporate the ownership change in its settings or
configuration. If the applications do not incorporate these ownership changes, the VPCs
configured for such applications fail.
For information about configuring secondary IP addresses, see Creating Secondary IP Addresses.
IP Address Information
You can view the IP addresses configured on a VM by clicking the
See
More
link in the
IP Address
column in the VM
details view to open the
IP Address Information
box.
Note:
The
See More
link in the
IP Address
column in the VM details view and the
IP Address Information
box are
available only if the VM has any secondary IP addresses configured.
Figure.
IP Address Information
Click to enlarge
Creating Secondary IP Addresses
You can assign multiple secondary IP addresses to a single vNIC.
About this task
You can add multiple secondary IP addresses to the vNIC configured on a VM. Add the
secondary IP addresses to the vNIC in the
Create
VM
or the
Update
VM
page.
Procedure
Go to the
Networks
section.
Click the
Edit
icon for the subnet that you want to add
the secondary IP addresses from.
The
Update NIC
dialog box opens.
Check the
Add Secondary IPs
check box in the
Update NIC
dialog box.
Figure.
Add Secondary IP Addresses
Click to enlarge
Add a comma-separated list of the secondary IP addresses that you want to add
to the vNIC of the VM.
Note:
Ensure that the secondary IP addresses are within the same subnet that
the primary IP address of the
NIC
is from. The subnets are displayed in the
Private IP Assignment
section in the
Update NIC
dialog box.
Ensure that the secondary IP address is not the same as the IP address
provided in the
Private IP Assignment
field.
Click
Save
.
Click
Next
on the
Resources
and the
Management
tabs of the
Update VM
page.
If you need to make any other changes on the
Resources
and the
Management
tabs for any configurations other
than adding secondary IP addresses, make the changes and then click
Next
on these tabs.
Click
Launch VM
on the
Review
tab
after you review
What to do next
You can view the secondary IP addresses configured on the VM in the
IP
Address Information
box.
Assigning Secondary IP Addresses to Interfaces
Assign the secondary IP addresses to interfaces or subinterfaces on the
VM.
About this task
To assign the secondary IP addresses to virtual interfaces on the VM, do the
following on the VM details page:
Procedure
Click
Console
.
Log in as a root user.
Run the
ifconfig
command as follows:
root@host$ ifconfig <interface> <secondary ip address> <network mask>
Provide the following in the command:
Parameter
Description
<interface>
The interface of the VM such as eth0. You can provide
subinterfaces
such as eth0:1 and eth0:2.
<secondary IP address>
The secondary IP address that you created and want to
associate with the interface.
<network mask>
The network mask that is an expansion of the network prefix
of the network that the secondary IP address belongs to. For
example, if the secondary IP address belongs to 10.0.0.0/24 then
the network mask is 255.255.255.0.
Repeat the aforementioned steps for all the secondary IP addresses you want to
associate with interfaces on the VM.
Exit from the Console.
Assigning Secondary IP Addresses to Floating IPs
Assign the secondary IP addresses to floating IP addresses on the VM.
About this task
After you assign secondary IP addresses to interfaces or subinterfaces on the VM, you
can assign the secondary IP addresses to floating IP addresses that may be used for
external connectivity.
Do one of the following:
Procedure
Assign floating IP addresses when you request floating IP addresses in the
Assign Floating IPs
section of the
Request
Floating IP
dialog box.
To assign floating IP addresses while requesting for them, you must have the
secondary IP addresses configured and ready when you are requesting the floating
IP addresses.
Select the floating IP address you want to assign, in the
Floating
IPs
dashboard. Click the
Update
option in
the
Actions
drop-down menu.
Assign the secondary IP addresses you configured to the floating IP addresses
you have.
VPC Workflow
A virtual private cloud (VPC) can be deployed on Nutanix cluster infrastructure to manage
the internal and external networking requirements using Flow Networking. The workflow to
create a complete network based on VPC is described below.
Create a VPC—See Creating Virtual Private Cloud. See Updating Virtual Private Cloud to update a VPC you created.
Add Subnets to the VPC—See Creating a Subnet to create a
Subnet. See Updating a Subnet to update a subnet.
Attach the Subnet to VMs—See Attaching a Subnet to a Virtual Machine.
VPC Management
This section provides information and procedures that you need to manage virtual
private clouds using Flow networking.
Creating Virtual Private Cloud
About this task
You can create VPCs on the Virtual Private Clouds page. Go to the Virtual Private
Clouds page by clicking
Virtual Infrastructure
>
Networking
>
Virtual Private Clouds
.
To create a VPC, do the following.
Procedure
On the VPC dashboard, click
Create VPC
.
See Network and Security View for more information about the
VPC dashboard.
The
Create Virtual Private Cloud (VPC)
dialog box opens.
Figure.
Create Virtual Private Cloud
Click to enlarge
Provide the necessary values in respective fields in the
Create
Virtual Private Cloud (VPC)
dialog box.
Fields
Description and Values
Name
Provide a name for the VPC.
External Connectivity
This section takes you through configuration of the
parameters necessary for connectivity to the Internet or
clusters outside the VPC.
A subnet with external connectivity
(External Subnet) is required if the VPC needs to send
traffic to a destination outside of the VPC.
Note:
You
can add a maximum of two external subnets - one external
subnet with NAT and one external subnet without NAT to a
VPC. Both external subnets cannot be of the same type. For
example, you cannot add two external subnets, both with NAT.
You can update an existing VPC similarly.
Network
address translation (NAT) Gateways perform the required
IP-address translations required for external routing. You
can also have external connectivity without NAT.
External Subnet
Select an external subnet from the drop down list. By
associating the VPC with the external subnet you can provide
external connectivity to the VPC.
Note:
Ensure that the externally routable IP addresses (subnets with external connectivity
without NAT) for different VPCs do not overlap.
Configure the routes for the external connectivity subnets with next hop as the Router or
SNAT IP address. Also configure the routes on the router for the return traffic to reach
the VPC. See
External Connectivity
panel in VPC Details View.
Externally Routable IP Addresses
Provide IP addresses that are externally routable. Externally
routable IP addresses are IP addresses that within the VPC which
can communicate externally without NAT. These IP addresses are
used when an external subnet without NAT is used.
Domain Name Servers (DNS)
(Optional) DNS is advertised to Guest VMs via DHCP. This can
be overridden in the subnet configuration.
Click
+
Server IP
to add DNS server IPs under
IP Address
and click the check
mark.
You can
Edit
or
Delete
an IP address you added
using the options under
Actions
.
Click
Save
.
Requesting Floating IPs
About this task
Each VPN gateway requires a floating IP. If you do not provide one during the VPN
gateway creation, then Flow Networking automatically allocates a floating IP to a
VPN gateway. To provide floating IP during the VPN gateway creation, you can request
floating IPs and assign them to VMs.
You can view the allocated floating IPs on the
Floating IPs
page. Click
Networking
>
>
Floating IPs
.
To request a floating IP, do the following.
Procedure
Click the
Request Floating IP
button on the
Floating IPs
page.
On the
Request Floating IP
dialog box, provide the
information in the respective fields.
Figure.
Request and Assign Floating IPs
Click to enlarge
Note:
Uncheck the
Assign Floating IPs
box if you want to
assign the requested IP addresses after you receive it.
See Floating IPs for more
information.
Fields
Description and Values
External Subnet
Select a subnet that you configured with external
connectivity.
Number of Floating IPs
Enter the number of floating IPs you want. You can request a
maximum of 5 floating IP addresses.
Assign Floating IPs
Select this check box if you want to assign the floating IPs
to specific VMs in the table.
Based on the number you entered in the
Number of
Floating IPs
field, the system provides an
equivalent number of rows of
Search
VMs
and
IP
Address
in the table.
Under
Search VMs
, select the VM to
which you want to assign a floating IP address. Under
IP Address
, select the IP address
on the VM (primary or secondary IP address) to which you
want to assign the floating IP.
You can assign multiple floating IP addresses to multiple
secondary IP addresses that you can create on the NIC of the
VM.
For information about configuring secondary IP addresses, see
Creating Secondary IP Addresses.
Note:
Click
Save
.
What to do next
When you receive the floating IP address you requested, you can see it, assign it
(if not already assigned while requesting) or delete it in the
Floating
IPs
view.
Creating a Subnet
About this task
You can create subnets on the
Subnets
page. Go to the
Subnets
page by clicking
Virtual Infrastructure
>
Networking
and open the
Create Subnet
dialog box.
You can also open the
Create Subnet
dialog box from the VPC
details view by clicking the
Add Subnet
option.
To create a subnet, do the following.
Procedure
Click
Create Subnet
.
The
Create Subnet
dialog box opens. The following
figure displays the Create Subnet dialog box with all the options. These options
are displayed based on the values you select in the
Type
field.
Figure.
Create Subnet (With External Connectivity Disabled)
Click to enlarge
Figure.
Create Subnet (With External Connectivity Enabled)
Click to enlarge
Fields
Description and Values
Name
Provide a name for the subnet.
Type
Select the type of subnet you want to create.
You can create a
VLAN
subnet or an
Overlay
subnet.
VLAN ID
(VLAN subnet only) Enter the number of the
VLAN
.
Enter just the number in this field, for example 1 or 27.
Enter 0 for the native VLAN. The value is displayed as
vlan.1 or vlan.27 in the View pages.
Note:
Provision any single VLAN ID either in the AHV network
stack or in the Flow Networking (brAtlas) networking stack.
Do not use the same VLAN ID in both the stacks.
IP Address management
(Mandatory for Overlay type subnets) This section provides
the
Network IP Prefix
and
Gateway IP
fields for the subnet.
(Optional for VLAN type subnet) Check this box to display the
Network IP Prefix
and
Gateway IP
fields and configure the
IP address details.
Unchecking this box hides these fields. In this case, it is
assumed that this virtual LAN is managed outside the
cluster.
Note:
The
DHCP Settings
option is only
available for VLAN subnets if you select this
option.
DHCP Settings
(Optional for both VLAN and Overlay subnets) Check this box
to display fields for defining a domain.
Checking this box displays fields to specify DNS servers and
domains. Unchecking this box hides those fields.
See Settings the DHCP Options for more
information.
Cluster (VLAN subnet only)
(VLAN subnet only) This option is available only for
VLAN
subnet configuration. Select the
cluster that you want to assign to the subnet.
External Connectivity
(VLAN subnet
only) Turn on this toggle switch if you want use this
VLAN
subnet for external
connectivity.
Note:
Ensure that the externally routable IP addresses (subnets with external connectivity
without NAT) for different VPCs do not overlap.
Configure the routes for the external connectivity subnets with next hop as the Router or
SNAT IP address. Also configure the routes on the router for the return traffic to reach
the VPC. See
External Connectivity
panel in VPC Details View.
NAT
(Option under
External Connectivity
)
If you turn on the
External Connectivity
toggle switch, then you can choose whether to connect to
external networks with or without enabling NAT. Check the
NAT
check box to enable NAT for
external connectivity for VPCs.
Virtual Switch
(VLAN subnet only) Select the virtual switch that is
configured for the VLAN you selected. The default value is the
default virtual switch vs0. This option is displayed only if you
add a VLAN ID in the VLAN ID field.
VPC (Overlay subnet only)
Select the
Virtual Private Cloud (VPC)
that you want to assign to the subnet from the drop down
list.
You can create VPCs and assign them to
Overlay
subnets.
IP Address Pool
Defines a range of addresses for automatic assignment to
virtual NICs.
This field is optional for both
VLAN
and
Overlay
. For
VLAN
, this field is displayed
only if you select the
IP Address
Management
option.
Note:
Configure this field for
VLAN
or
Overlay
to complete the creation
of the VPC, if you do not need external connectivity for
this subnet. You must configure this field only if you need
external connectivity for this subnet.
Click the
Create Pool
button and enter
the following in the
Add IP Pool
page:
Enter the starting IP address of the range in the
Start Address
field.
Enter the ending IP address of the range in the
End Address
field.
Under
Actions
, click the check
mark to submit the starting and ending IP addresses
you entered.
Click the X mark to remove the entries.
Override DHCP Server
(VLAN subnet only) To configure a DHCP server, check the
Override DHCP Server
box and
enter an IP address in the
DHCP Server IP
Address
field.
See
Override DHCP Server (VLAN Only)
in Settings the DHCP Options for information
about this option.
Click
Save
.
Settings the DHCP Options
About this task
Selecting the
DHCP Settings
checkbox in
Create
Subnet
or
Update Subnet
allows you to configure
the DHCP options for the VMs within the subnet. When DHCP settings are configured
for a VM in a subnet and the VM is powered on, Flow Networking configures these
options on the VM automatically. If you do not configure the DHCP settings, then
these options are not available on the VM automatically when you power it on.
You can enable
DHCP Settings
when you create a subnet and
configure the
DHCP Settings
for the new subnet. You could also
update the DHCP Settings for an existing subnet.
DHCP Settings
is common to and is available on both the
Create Subnet
and the
Update Subnet
dialog boxes.
To configure the
DHCP Settings
, do the following in the
Create Subnet
or the
Update Subnet
dialog box:
Procedure
Provide the information in the
DHCP Settings
fields.
Figure.
DHCP Settings
Click to enlarge
Fields
Description and Values
Domain Name Servers
Provide a comma-separated list of DNS IP addresses.
Example: 8.8.8.8, 9.9.9.9
Domain Search
Enter the VLAN domain name. Use only the domain name
format.
Example: nutanix.com
TFTP Server Name
Enter a valid TFTP host server name of the TFTP server where
you host the host boot file. The IP address of the TFTP
server must be accessible to the virtual machines to
download a boot file.
Example: tftp_vlan103
Boot File Name
The name of the boot file that the VMs need to download from
the TFTP host server.
Example: boot_ahv2020xx
(Optional and for VLAN networks only) Check the
Override DHCP
Server
dialog box and enter an IP address in the
DHCP
Server IP Address
field.
You can configure a DHCP server using the
Override DHCP
Server
option only in case of VLAN networks.
The DHCP Server IP address (reserved IP address for the Acropolis DHCP
server) is visible only to VMs on this network and responds only to DHCP
requests. If this box is not checked, the DHCP Server IP Address field is
not displayed and the DHCP server IP address is generated automatically. The
automatically generated address is
network_IP_address_subnet.254
, or if the default
gateway is using that address,
network_IP_address_subnet.253
.
Usually the default DHCP server IP is configured as the last usable IP in the
subnet (For eg., its 10.0.0.254 for 10.0.0.0/24 subnet). If you want to use
a different IP address in the subnet as the DHCP server IP, use the override
option.
Attaching a Subnet to a Virtual Machine
About this task
To attach a subnet to a VM, go to the
Virtual Infrastructure
>
VM
>
List view
in Prism Central and do the following.
Procedure
Select the VM you want to attach a subnet to. Click
Actions
>
>
Update
.
In the
Update VM
dialog box, click
Add
NIC
.
Figure.
Click to enlarge
Provide the necessary information in the indicated fields in the
Create NIC
dialog box.
Select the
Subnet Name
from the drop down
list.
Select the
Network Connection State
as
Connected
or
Disconnected
.
The
Network Connection State
selection defines
the state of the connection after the NIC configuration is
implemented.
Select the
Assignment Type
.
You can select
Assign with DHCP
to assign a
DHCP based IP address to the VM.
You can select
Assign Static IP
to assign a
static IP address to the VM to reach the VM quickly from any
endpoint in the network such as a laptop.
Click
Add
.
Click
Save
on the
Update VM
dialog
box.
Creating a Policy
About this task
For Policy-based routing you need to create policies that route the traffic in the
network.
When you create a VPC, there is one default policy that Flow Networking creates for
the VPC. This policy is pre-configured with the Priority 1 and other default values
to
Deny
traffic flow and service (see the table of field
descriptions and values for this dialog box).
Note:
You cannot update or delete the
default policy.
Policies control the traffic flowing between subnets (inter-subnet
traffic).
Policies control the traffic flowing in and out of the VPC.
Policies do not control the traffic within a subnet (intra-subnet
traffic).
Figure.
Policy Tab
Click to enlarge
You can create
a traffic policy using the
Create Policy
dialog box. You can
open the
Create Policy
dialog box either from the VPC list view
or the VPC list view.
On the VPC list view, select the VPC you want to update and click
Create Policy
in the
Actions
drop down menu.
On the VPC details view, click the
Create Policy
option
in the
More
drop down menu.
To create a policy, do the following in the
Create Policy
dialog
box.
Procedure
Provide the necessary values in the respective fields.
Figure.
Create Policy
Click to enlarge
Fields
Description and Values
Value in Default Policy
Priority
The priority of the access list (ACL) determines which ACL is
processed first. Priority is indicated by an integer number. A
higher priority number indicates a higher priority.For example,
if two ACLs have priority numbers 100 and 70 respectively, the
ACL with priority 100 takes precedence over the ACl with
priority 70.
Note:
Click the
Understand
Priorities
link to see the
Understand Priorities
information box (see the image of this box below
this table).
1
Source
The source indicates the source IP or subnet for which you
want to manage traffic.
Source can be:
Any
: Indicates any IP
address.
External
: Indicates an IP
address that is outside the subnets configured for
the VPC.
Custom
: You can provide a
specific
Source Subnet IP
with
prefix.
Any
Source Subnet IP
Only required if you selected the
Source
as
Custom
. Provide the subnet IP and
prefix that you want to designate as the source for the
policy. Use the CIDR notation format to provide the subnet
IP. For example, 10.10.10.0/24.
None
Destination
The destination is the destination IP or subnet for which you
want to set the priority.
Destination can be:
Any
: Indicates any IP
address.
External
: Indicates an IP
address that is outside the subnets configured for
the VPC.
Custom
: You can provide a
specific
Destination Subnet IP
with prefix.
Any
Destination Subnet IP
Only required if you selected the
Destination
as
Custom
.
None
Protocol
You can also set the priority configure policy for certain
protocols. You can select one of the following options:
Any
: Indicates any IP
address.
Protocol Number
: Provide an
integer number that indicates the protocol you want
to prioritize.
Provide the appropriate value in
the
Protocol Number
field.
TCP
UDP
ICMP
Protocol Number
This field is displayed only if you select
Protocol Number
as the value in
the
Protocol
field. The number you
provide must be the IANA designated number that indicates
respective protocol. See
IANA Protocol
Numbers
.
None
Action
Assign the appropriate action for implementation of the
policy.
Permit
: Permits traffic and
services based on the parameters set.
If the Permit rule is set to override a Drop rule,
then the Permit rule must be set in both the
directions to allow bidirectional communication
between the
Source
and
Destination
.
Deny
: Denies traffic and
service based on the parameters set.
Re-route
:Sends matching traffic
to the next-hop IP address specified by the
Reroute IP
. In case of
reroute, you need to provide an IP address that the
traffic needs to be re-routed to, in the
Reroute IP
field.
Permit
Figure.
Understanding Priorities
Click to enlarge
Click
Save
.
Creating Static Routes
About this task
You can create a static route using the
Create Static Routes
dialog box. You can open the
Create Static Routes
dialog box
either from the VPC list view or the VPC details view.
On the VPC list view, select the VPC and click
Create Static
Routes
in the Actions drop down menu.
On the VPC details view, click the
Create Static
Routes
option in the
More
drop down
menu.
Figure.
Create Static Routes
Click to enlarge
To create static route, do the following in the
Create Static
Routes
dialog box:
Procedure
Provide the necessary values in the respective fields.
Fields
Description and Values
Destination Prefix
Provide the IP address with prefix of the destination
subnet.
Next Hop Link
Select the next hop link from the drop down list. The next
hop link is the IP address that the traffic must be sent for the
static route you are configuring.
Add Prefix
You can create multiple static routes using this option.
Click this link to add another set of
Destination
Prefix
and
Next Hop Link
to configure another static route.
Click
Save
.
Updating Virtual Private Cloud
About this task
You can update a VPC using the
Update Virtual Private Cloud
(VPC)
dialog box. You can open the
Update Virtual Private
Cloud (VPC)
dialog box either from the VPC list view or the VPC
details view.
On the VPC list view, select the VPC you want to update and click
Update
in the
Actions
drop
down menu.
On the VPC details view, click the
Update
option.
The
Update Virtual Private Cloud (VPC)
dialog box is identical
to the
Create Virtual Private Cloud (VPC)
dialog box.
Figure.
Update VPC
Click to enlarge
For details about the parameters that you can update in the
Update Virtual
Private Cloud (VPC)
dialog box, see Creating Virtual Private Cloud.
Procedure
Update the parameters in the
Update Virtual Private Cloud
(VPC)
dialog box.
Click
Save
.
Updating a Subnet
About this task
You can update a subnet displayed on the
Subnets
page. Go to the
Subnets
page by clicking
Virtual Infrastructure
>
Networking
>
Subnets
and open the
Update Subnet
dialog box.
You can also open the
Update Subnet
dialog box from the VPC
dashboard for a specific VPC. Click the
Edit
option for the
subnet listed on the
Subnets
tab of the VPC dashboard.
The fields in the
Update Subnet
and the
Create
Subnet
dialog boxes are the same.
Note:
You cannot edit or update the
subnet type. For example, if the subnet type is already configured as
VLAN
, you cannot modify it to an
Overlay
type subnet.
To update a subnets, do the following.
Procedure
Select the subnet you want to update. Select
Actions
>
Update Subnet
.
Update the necessary values in the respective fields in the
Update
Subnet
dialog box.
Figure.
Update Subnet
Click to enlarge
The
Update Subnet
dialog box has the same fields as the
Create Subnet
dialog box. For details about the
fields and the values that can be updated in the
Update
Subnet
dialog box, see Creating a Subnet.
Click
Save
to ensure that the updates are saved in the
configuration.
Category Management
A category is a key-value pair that groups similar entities. Associating a policy with a
category ensures that the policy applies to all the entities in the group regardless of how
the group scales with time. For example, you can associate a group of VMs with the Department:
Marketing category, where Department is a category that includes a value Marketing along with
other values such as Engineering and Sales.
Currently, you can associate only VMs with a category. Categories are implemented in the same
way on on-premises Prism Central instances and in Xi Cloud Services. For information about
configuring categories, see the
Prism Central Guide
.
Updating a Policy
About this task
You can update a policy using the
Update Policy
dialog box. You
can open the
Update Policy
dialog box in two ways in the VPC
details view.
On the VPC details view, select the VPC you want to update and click the
Update
option in the top menu.
On the VPC details view, click the
Edit
option provided
in the
Actions
menu for the selected VPC.
Note:
You cannot update or delete the default policy.
The
Update Policy
dialog box has the same parameters as the
Create Policy
dialog box.
For details about the parameters that you can update in the
Update
Policy
dialog box, see Creating a Policy.
Procedure
Update the parameters in the
Update Policy
dialog
box.
Click
Save
.
Updating Static Routes
About this task
You can update a static route using the
Update Static Routes
dialog box. You can open the
Update Static Routes
dialog box
either from the VPC list view or the VPC details view.
Note:
You must configure the default route (0.0.0.0/0) to the external subnet as the
next hop for connectivity outside the cluster (north-south connectivity).
On the VPC details view, select the VPC you want to update and click the
Update
option in the top menu.
On the VPC details view, click the
Edit
option provided
in the
Actions
menu for the selected VPC.
The
Update Static Routes
dialog box has the same parameters as
the
Create Static Routes
dialog box.
For details about the parameters that you can update in the
Update Static
Routes
dialog box, see Creating Static Routes.
Procedure
Update the parameters in the
Update Static Routes
dialog
box.
Click
Save
.
Deleting a Virtual Private Cloud
About this task
Prism Central
does not allow you to delete a VPC if the VPC is associated with any subnets and/or
VPNs. After you remove all the subnets or VPN associations from the VPC, delete the
VPC.
You can delete a VPC from the VPC list view or the VPC details view.
Procedure
Do one of the following.
To delete a VPC from the VPC list view, select the VPC you want to
delete and click
Delete
in the
Actions
drop down menu.
To delete a VPC from the VPC details view, click the VPC name to go to
the VPC details view and click the
Delete
option in
the
More
drop down menu.
In the confirmation dialog box, do the following.
Click
Delete
to delete the VPC.
Click
Cancel
to exit without deleting the
VPC.
Deleting Subnets, Policies or Routes
About this task
You can delete VPC entities such as subnets, policies or routes from the VPC details
page.
Note:
You cannot update or delete the default policy.
Do the following.
Procedure
Open the VPC details page and go to the respective tab like
Subnets
,
Policies
or
Routes
.
Click the
Delete
option provided for the selected entity
(subnet, policy or route respectively).
In the confirmation dialog box, do the following.
Click
Delete
to delete the entity.
Click
Cancel
to exit without deleting the
entity.
Connections Management
This section covers the management of network gateways, VPN connections and Subnet
Extensions including operations like create, update and delete network gateways and VPN
connections, and extending subnets.
Network Gateway Management
You can create, update or delete network gateways that host one of VPN or VTEP service for
connections.
Creating a Network Gateway
About this task
VPN or s connect two networks together, and can be used in both VLAN and VPC networks
on AHV. In other words, you can extend the routing domain of a VLAN network or that
of a VPC using a VPN. Accordingly, VPN gateways can be configured using VLANs or
VPCs. You need VPN gateways on clusters to provide a gateway to the traffic between
on-premise clusters or remote sites.
You can create multiple VPN gateways for a VPC. Since a VPC is configured
only on a PC, the VPC is available to all the clusters registered to that PC.
A VPN gateway may be defined as a Local gateway or a Remote gateway based on where
the traffic needs to be routed.
To create a VPN gateway, do the following on the
Networking & Security
>
Connectivity
>
Gateways
page.
Procedure
Select
Local
or
Remote
in the
Create Gateway
drop-down menu.
If you select
Local
in the drop-down menu, the
Create Local Gateway
dialog box opens. If you select
Remote
in the drop-down menu, the
Create
Remote Gateway
dialog box opens.
Provide the necessary values in the respective fields as described in the
table.
For example, if you select
Local
in the drop-down menu,
then the
Create Local Gateway
dialog box opens. Provide the
necessary values in the respective fields as described in the table.
Figure.
Sample Create Local Gateway - VM Deployment
Click to enlarge
Figure.
Sample Create Local Gateway - VPN Service Configuration
Click to enlarge
Figure.
Sample Create Local Gateway - VTEP Service Configuration
Click to enlarge
Figure.
Sample Create Remote Gateway - VPN Gateway Service
Click to enlarge
Figure.
Sample Create Remote Gateway - VTEP Gateway Service
Click to enlarge
Table 1.
Local Gateway Fields
Fields
Description
Values
VM
Deployment
Name
Enter a name for the network gateway.
(Name)
Gateway Attachments
(for Local gateway type only) Select the gateway attachment
as
VPC
or
VLAN
.
The VPN VM is deployed on a VPC VM or a cluster that has the
selected VLAN respectively.
If you select
VPC
, then
VPC Attachment
is displayed.
VPC
is the default value for
the
Gateway Attachments
field. The
Gateway VM is deployed on the cluster and associated
with the VPC selected in the
VPC
Attachment
section.
VPC
attachment
mode provides the options of
eBGP and Static routing methods for external routing
(configured in the
External Routing
Configuration
section).
If you select
VLAN
, then the
VLAN Attachment
is displayed. The
Gateway VM is deployed on the cluster that has the VLAN
and the subnet specified in the
VLAN
Attachment
section.
VLAN
attachment
mode provides only the eBGP
routing method for external routing.
(VLAN or VPC)
Gateway VM Deployment - VPC
Attachment
Cluster
Select the cluster on which you want to deploy the Gateway VM
on.
(Name of the cluster)
VPC (If Gateway Attachment type is VPC)
Select the VPC configured on the selected cluster that you
want to use for the Gateway VM deployment.
(Name of the VPC selected)
Floating IP (Optional)
Select a floating IP for the network gateway configuration.
If you do not select a floating IP address then Prism
Central allocates a floating IP automatically. This
allocated floating IP is deleted when you delete the
gateway.
To request floating IPs and allocate them to subnets, see
Requesting Floating IPs
(IP address)
Gateway VM Deployment - VLAN
Attachment
Cluster
Select the Cluster, from the drop down list, on which you
want to deploy the Gateway VM on.
Note:
Only clusters with VLANs
are available in the list.
(Name of the cluster)
Subnet
Select the subnet you want to attach the Gateway VM to, from
the drop down list.
Note:
The list includes all the subnets you
created on the selected cluster.
After you select the
subnet, the details of the subnet are displayed in a box below
the
Subnet
field. The details include:
VLAN ID, IPAM type being Managed or Unmanaged, and Network
Address with Prefix.
(Name of the VLAN subnet)
Static IP Address for VPN Gateway VM
Enter the static IP address that the Gateway VM needs to
use.
(IP Address with Prefix)
Default Gateway IP
Enter the default gateway IP of the subnet for the Gateway
VM.
(IP Address)
Service
Configuration
Gateway Service
Select the gateway service you want to use for the
gateway.
(VPN or VTEP)
VPN Service Configuration -
External Routing Configuration (This section is available for
VLAN and VPC attachment types)
Routing Protocol
For
VPC
gateway attachments:
Select
Static
for static routing.
Note:
You need to create static routes (see Creating Static Routes)
for external routing and attach the route to the VPC
selected in this configuration.
Select
eBGP
for eBGP based
external routing.
For
VLAN
gateway attachments:
External routing protocol is pre-set to
eBGP
. You cannot change
the routing protocol.
(Static or eBGP)
Redistribute Connected Routes (Applicable only if VLAN type
gateway attachment is selected)
(
VLAN
only) Select this checkbox to
enable the redistribution of connected routes into the
eBGP.
(Check mark or blank)
ASN (Only available if eBGP routing protocol is
selected)
(For
eBGP
only) Enter the ASN for your
on-prem gateway. If you do not have a BGP environment in
your on-prem site, you can choose any number. For example,
you can choose a number in the 65000 range.
Note:
Make sure that this ASN does not conflict with any of the
other on-premises BGP ASNs.
ASN must be distinct in case of eBGP.
(Number)
eBGP Password
(For
eBGP
in
Local
gateway type only) Enter the
eBGP password for the eBGP route.
(Password: The password must be between 1 and 80 characters.
Password length: Minimum 1 and maximum 80
characters.
)
VPN Service Configuration -
Internal Routing Configuration (This section is available for
VLAN attachment type only.)
Routing Protocol (Between On-prem Gateway and On-prem
Router)
Select the
Routing Protocol
to be used
between on-premises Nutanix gateway and on-premises
router.
You can select:
Static
: Select this protocol
to provide a static route configuration for the VLAN
gateway.
OSPF
: Select this protocol to
provide an OSPF routing configuration for the VLAN
gateway.
iBGP
: Select this protocol to
provide a iBGP route configuration for the VLAN
gateway.
Note:
For iBGP, the ASN must be the same
between the Gateway appliance and the peer iBGP,
when iBGP is selected as the internal routing
protocol.
(Static or OSPF or iBGP)
+Add Prefix (Applicable to Static routing)
(For
Static
routing selected in
Routing Protocol
) Click this to
enter a
Local Prefix
and click the
check mark under
Actions
to add the
prefix.
If you click the X mark under
Actions
,
the local prefix you entered is not added.
The prefixes you add are advertised to all the connected
peers via eBGP.
The prefix must be a valid IP address with the host bits not
set.
You can add multiple local prefix IP addresses.
(prefix like /24)
Area ID (Applicable to OSPF protocol)
(OSPF only) Enter the OSPF area id in the IPv4 address
format.
Password Type
(OSPF only) Select the password type you want to set for the
OSPF route. The options are:
MD5
: Select this option to
encrypt the packets with MD5 hash that can be
decrypted with the MD5 password at the
destination.
Plain Text
: Select this option
to set a clear-text password.
None
: Select this if you do to
set an open route without password protection
Password
(OSPF only) Enter a password for the MD5 or Plain Text
password type you select in the
Password
Type
field.
For
MD5
: The password must be
1-16 characters long.
Characters allowed for OSPF passwords (MD5)
a-z
A-Z
0-9
For
Plain Text
: The password
must be 1-8 characters long.
Characters allowed for OSPF passwords (Plain text):
a-z.
Peer IP (for iBGP)
Enter the IP Address of the On-prem router used to exchange
routes with the network gateway.
(IP Address)
Password
Enter a password with 1-80 characters.
(Password)
VTEP Service Configurations
VxLAN (UDP) Port
The default value provided is 4789. Do not change
this.
(Number. Default value is 4789)
Table 2.
Remote Gateway Fields
Fields
Description
Values
Name
Enter a name for the network gateway.
(Name)
Gateway Service
Select the gateway service you want to use for the
gateway.
(VPN or VTEP)
VPN Service
Configurations
Public IP Address
Enter the public IP address of the remote endpoint. If a
Floating IP is not selected, a new Floating IP is automatically
allocated for the Gateway. These allocated IP addresses are
deleted when the network gateway is deleted.
(IP Address)
Vendor
Select the vendor of the third party gateway
appliance.
(Name of Vendor)
External Routing
Protocol
Select
Static
for static routing.
Note:
You need to create static routes (see Creating Static Routes)
for external routing and attach the route to the VPC
selected in this configuration.
Select
eBGP
for eBGP based
external routing.
(Static or eBGP)
eBGP ASN (Only available if eBGP routing protocol is
selected)
(For
eBGP
only) Enter the ASN for your
on-prem gateway. If you do not have a BGP environment in
your on-prem site, you can choose any number. For example,
you can choose a number in the 1-65000 range.
Note:
Make sure that this ASN does not conflict with any of the
other on-premises BGP ASNs.
ASN must be distinct in case of eBGP.
(Number)
VTEP Service
Configurations
VTEP IP Address
Enter VTEP IP Addresses of the remote endpoints that you want
to create the gateway for. You can add IP addresses of multiple
endpoints in one remote gateway.
(Comma separated list of IP Addresses)
VxLAN (UDP) Port
The default value provided is 4789. Do not change
this.
(Number. Default value is 4789)
Click
Save
.
What to do next
The Gateway you create is displayed in the
Gateways
page.
Updating a Network Gateway
About this task
You can update a network gateway using the
Update Gateway
dialog
box.
You can open the
Update Gateway
dialog box. The parameters in
the
Update Gateway
dialog box are the same as those in the
Create Local Gateway
or
Create Remote
Gateway
dialog box.
Procedure
Select the gateway you want to update on
Gateways
.
Click
Update
in the
Actions
menu.
Update the required details in the
Update Gateway
dialog
box.
You cannot modify some information. Such fields are greyed and in-actionable.
If you need to modify such information, consider creating a new gateway with the
updated parameters and deleting the current gateway.
Click
Save
.
Deleting a Network Gateway
About this task
If you want to delete a network gateway, you must first delete all the VPN
connections associated with the gateway and only then you can delete the network
gateway.
To delete a network gateway, do the following on the
Gateway
page.
Procedure
Do one of the following.
Select the check box next to the name of the gateway and, in the
Actions
drop-down list, click
Delete
.
Click the name of the gateway and, in the details page, click
Delete
.
In the confirmation dialog box, do the following.
Click
Delete
to delete the entity.
Click
Cancel
to exit without deleting the
entity.
Virtual Network Connections
Virtual Private Network
You can use the Nutanix VPN solution to set up VPN between your on-prem clusters, which
exist in distinct routing domains that are not directly connected. These distinct routing
domains could either be VPCs within the same cluster or remote clusters or sites.
If you need to connect one Nutanix deployment in one site to another deployment in a
different site, you can create a VPN endpoint in each of the sites. A VPN endpoint consists
of a local VPN gateway, remote VPN gateway and VPN connection. Local VPN gateway can be
instantiated in a VPC context or a legacy VLAN context. Launching the VPN gateway within a
VPC allows stretching of the VPC. For example, in the figure, the Blue VPC is stretched
between two sites with a VPN.
Figure.
VPN Working
Click to enlarge
VPN connections are useful in connecting two points. You can connect two VPCs in the same
cluster using a VPN or VPCs in different clusters in the same site. However, VPN connection
can connect only one endpoint to another endpoint. Flow networking based VPN service allows
you to only connect two endpoints that use Nutanix VPN based gateway service.
Virtual Tunnel End Points Based Network Extensions
To connect one endpoint to multiple endpoints or third party (non Nutanix) networks, use
Virtual Tunnel End Point (VTEP) service based subnet extensions. For more information about
VTEP, see .
VPN Workflow
If you need to connect one Nutanix deployment in one site to another deployment in a
different site, you can create a VPN endpoint in each of the sites. A VPN endpoint consists
of a local VPN gateway, remote VPN gateway and VPN connection. You can configure multiple
VPN endpoints for a site.
Each endpoint must have configurations for a local VPN gateway, remote VPN gateway (pointer
information for the peer local VPN in the remote site endpoint) and a VPN connection
(connecting the two endpoints). Then, based on the VPN connection configuration as initiator
or acceptor, one endpoint initiates a tunnel and the endpoint at the other end accepts the
tunnel connection and, thus, establishes the VPN tunnel.
Gateways: Every VPN endpoint for each site consists of two VPN gateway configurations -
Local and Remote.
Local gateway is a VM that runs the VPN protocols (IKEv2, IPSec) and routing (BGP and
OSPF). Remote gateway is a pointer - database entry - that provides information about
the peer remote VPN endpoint. One of the key information contained in the remote gateway
is the source IP of the remote VPN endpoint. For security reasons, the local VPN gateway
will accept IKEv2 packets originating only from this Source IP.
VPN gateways are of the following types:
On premises Nutanix VPN Gateway: Represents the VPN gateway appliance at your
on-premises local or remote site if you are using the Nutanix VPN solution.
On premises Third Party Gateway: Represents the VPN gateway appliance at your
on-prem site if you are using your own VPN solution (provided by a third-party
vendor).
To configure third party VPN Gateways, see the relevant third party
documentation.
VPN Connection: Represents the VPN IPSec tunnel established between local gateway and
remote gateway. When you create a VPN connection, you need to select two gateways
between which you want to create the VPN connection.
VPN appliances perform the following:
Implementation of IKEv2 and IPSec protocols.
Routing: Between remote sites, Flow Networking advertises prefixes using eBGP.
Optionally it uses Static routing. Within a site, Flow Networking uses iBGP or OSPF to
share prefixes between the Nutanix VPN appliance and the edge router.
Prerequisites for VPN Configurations
General Requirements
Ensure that you have enabled Flow Networking with microservices Infrastructure.
Ensure that you have floating IP addresses when you create VPN gateways.
Flow Networking automatically allocates a floating IP to a VPN gateway if you do not
provide one during the VPN gateway creation. To provide floating IP during the VPN
gateway creation, you can request floating IPs. See Requesting Floating IPs.
Ensure that you have one of the following, depending on whether you are using iBGP or
OSPF:
Peer IP (for iBGP): The IP address of the router to exchange routes with the VPN
gateway VM.
Area ID (for OSPF): The OSPF area ID for the VPN gateway in the IP address format.
Ensure that you have the following details for the deployment of the VPN gateway
VM:
Public IP address of the VPN Gateway Device: A public WAN IP address that you want
the on-prem gateway to use to communicate with the Xi VPN gateway appliance.
Static IP Address: A static IP address that you want to allocate to the VPN gateway
VM. Use a floating IP address requested as the static IP address.
IP Prefix Length: The subnet mask in CIDR format of the subnet on which you want to
install the VPN gateway VM. You can use an overlay subnet used for a VPC and
assigned to the VM that you are using for the VPN gateway.
Default Gateway IP: The gateway IP address for the on-premise VPN gateway
appliance.
Gateway ASN: ASN must not be the same as any of your on-prem BGP ASNs. If you
already have a BGP environment in your on-prem site, the customer gateway is the ASN
for your organization. If you do not have a BGP environment in your on-prem site,
you can choose any number. For example, you can choose a number in the 65000
range.
Ports and Protocols
Nutanix deploys a number of ports and protocols in its software. ports that must be open in
the firewalls to enable Flow Networking to function. To see the ports and protocols used
Flow Networking, see Port Reference.
Endpoints and Terminations
The following endpoints and terminations occur in the course of Flow networking based
connections. For information about creating, updating or deleting VPN connections, see Connections Management.
Note:
In a VPN connection do not configure both the
gateways (local gateway and remote gateway) in an endpoint as Initiators or as Acceptors. If
you configure the local gateway as Initiator then configure the remote gateway as Acceptor
in one endpoint and vice-versa in the (other) remote endpoint.
VPN Endpoint Behind a Network Address Translation or Firewall Device
In this scenario, the IPSec tunnel terminates behind a network address translation
(NAT) or firewall device. For NAT to work, open UDP ports 500 and 4500 in both
directions.
Figure.
VPN Endpoint Behind NAT or Firewall
Click to enlarge
Things to do in NAT
Things to do in on-prem VPN GW
Open UDP ports 500 and 4500 on both directions
Enable the business application policies to
Allow
the
commonly-used business application ports.
IPSec Terminates on the Firewall Device
In this scenario, you do not need to open the ports for NAT (500 and 4500).
However, enable the on-prem VPN gateway to allow the traffic from the PC subnet to
the advertised load balancer route where the Source port is any and the Destination
port may be in the range of 1024-1034.
The PC subnet refers to the subnet where your Prism Central is running.
Figure.
Tunnel Terminates on NAT or Firewall
Click to enlarge
Creating a VPN Connection
About this task
Create a VPN connection to establish a VPN IPSec tunnel between VPN gateways in your
on-prem site. Select the gateways between which you want to create the VPN
connection.
To create a VPN connection, do the following on the
Networking
>
VPN Connections
page.
Procedure
Click the
Create VPN Connection
button on the
VPN Connections
page.
In the
Create VPN Connection
dialog box, provide the
values in the respective fields.
Fields
Description and Values
Name
Enter a name for the connection.
VPN Connection
IPSec Secret
Enter a secret password for the IPSec connection. To see the
password, click
Show
. To hide the
password, click
Hide
.
Local Gateway
Select the connection parameters on the local gateway as
Initiator or Acceptor of VPN Tunnel connections.
VPN Gateway
Select the appropriate VPN Gateway as the local gateway for
the VPN connection
VTI Prefix - Local Gateway
Enter a IPv4 Address with /<prefix>. Example:
10.25.25.2/30.
This is the
VPN Tunnel
Interface
IP address with prefix for the local
gateway. The subnet for this IP address must be a /30 subnet
with two usable IP addresses. One of the IP addresses is
used for Local Gateway. Use the other IP address for the
Remote Gateway.
Connection Handshake
This defines the type of handshake that the connection must
use. There are two types of connection handshakes:
Initiator
: The local VPN gateway
acts as the initiator of the connection and thus
initializes the VPN tunnel.
Acceptor
: The local VPN gateway
accepts or rejects incoming connection requests from
other gateways.
Note:
In a VPN connection do not configure both the
gateways (local gateway and remote gateway) in an endpoint as Initiators or as Acceptors. If
you configure the local gateway as Initiator then configure the remote gateway as Acceptor
in one endpoint and vice-versa in the (other) remote endpoint.
Remote Gateway
For a specific VPN connection, set the remote gateway as
Initiator or Acceptor when you configure the VPN connection on
the Remote Gateway.
VPN Gateway
Select the appropriate VPN Gateway as the remote gateway for
the VPN connection.
VTI Prefix - Remote Gateway
The VPN Tunnel Interface IP address with prefix for the local
gateway. Provide a IPv4 Address with /<prefix>. Example:
10.25.25.2/30.
This is the
VPN Tunnel Interface
IP address with prefix for the local gateway. The subnet for
this IP address must be a /30 subnet with two usable IP
addresses. One of the IP addresses is used for Local
Gateway. Use the other IP address for the Remote
Gateway.
Advanced Settings
Set the traffic route priority for the VPN connection. The
route priority uses Dynamic route priority because the priority
is dependent on the routing protocol configured in the VPN
gateway.
Route Priority - Dynamic Route Priority
Set the route priority as an integer number. The greater the
number, higher is the priority.
Click
Save
.
What to do next
The VPN connection you create is displayed in the
VPN
Connections
page.
Updating VPN Connection
About this task
You can update a VPN Connection using the
Update VPN Connection
dialog box.
You can open the
Update VPN Connection
dialog box. The
parameters in the
Update VPN Connection
dialog box are the same
as those in the
Create VPN Connection
dialog box.
Procedure
Select the VPN Connection you want to update on the
VPN
Connection
.
Click
Update
in the
Actions
menu.
Update the required details in the
Update VPN Connection
dialog box.
Click
Save
.
Deleting a VPN Connection
About this task
To delete a VPN connection, do the following on the
VPN
Connection
page.
Procedure
Do one of the following.
Select the check box next to the name of the VPN connection and, in the
Actions
drop-down list, click
Delete
.
Click the name of the VPN connection and, in the details page, click
Delete
.
In the confirmation dialog box, do the following.
Click
Delete
to delete the entity.
Click
Cancel
to exit without deleting the
entity.
VPN Connection within Same Prism Central
You can connect two VPCs within the same Prism Central availability zone using a VPN
connection.
About this task
Assume that you have created two VPCs named
vpc-a
and
vpc-b
with overlay subnets named
subnet-a
and
subnet-b
.
To connect the two VPCs within the same Prism Central using a VPN connection, do the
following.
Procedure
Do the following for local gateways:
Create a local VPN gateway with dynamically assigned address for
vpc-a
, for example, named
local-vpn-a
. Note or write down the assigned
IP address.
Create a local VPN gateway with dynamically assigned address for
vpc-b
, for example, named
local-vpn-b
. Note or write down the assigned
IP address.
See Creating a Network Gateway for more information about
creating a VPN gateway.
Do the following for remote gateways:
Create a remote VPN gateway with the IP address noted in 1.a for
vpc-a
, for example, named
remote-vpn-a
.
create a local VPN gateway with the IP address noted in 1.b for
vpc-b
, for example, named
remote-vpn-b
.
See Creating a Network Gateway for more information about
creating a VPN gateway.
Create a VPN connection between
vpc-a
and
vpc-b
named, for example,
vpn-conn-a-to-b
.
Ensure that the VTI IP addresses for the local and remote gateways is unique
with /30 prefix.
Note:
The
VPN Tunnel Interface
IP address with
prefix for the local gateway. The subnet for this IP address must be a /30
subnet with two usable IP addresses. One of the IP addresses is used for
Local Gateway. Use the other IP address for the Remote
Gateway.
Ensure that you select
local-vpn-a
as the local gateway with
Connection Handshake
set as
Acceptor
.
Ensure that you select
remote-vpn-b
as the remote gateway.
Create a VPN connection between
vpc-b
and
vpc-a
named, for example,
vpn-conn-b-to-a
.
Ensure that the VTI IP addresses with /30 prefix for local and remote gateways
are the reverse (vice versa) of what you configured for the VPN connection in
previous step. For example, if in previous step you configured the VTI IP
addresses as 10.20.20.5/30 for local and 10.20.20.6/30 for remote then for VPN
connection in this step, configure 10.20.20.6/30 for local gateway and
10.20.20.5/30 for remote gateway respectively. These IP addresses do not need to
be reachable anywhere else in the network. However, ensure that these IP
addresses do not overlap with any other IP addresses assigned in the
network.
Ensure that you select
local-vpn-b
as the
local gateway with
Connection Handshake
set as
Initiator
.
Ensure that you select
remote-vpn-a
as the remote gateway.
Layer 2 Virtual Network Extension
You can extend a subnet between
on-prem
local and remote clusters or sites (Availability Zones or AZs) to support seamless application
migration between these clusters or sites.
Note:
One or more on-prem cluster or sites managed by one Prism Central instance is defined as
an Availability Zone or AZ. In this section, Availability Zone or AZ refers to and must be
understood as one or more on-prem clusters or sites managed by one Prism Central. Local AZ
refers to local on-prem clusters or sites managed by a Prism Central instance and
remote
AZ
refers
to another on-prem cluster or site managed by another Prism Central
instance.
With Layer 2 subnet extension, you can migrate a set of applications to the remote AZ while
retaining their network bindings such as IP address, MAC address, and default gateway. Since
the subnet extension mechanism allows VMs to communicate over the same broadcast domain, it
eliminates the need to re-architect the network topology, which could otherwise result in
downtime.
Layer 2 extension assumes that there are underlying existing layer 3 connectivity already
available between the Availability Zones. You can extend a subnet from a remote AZ to the
primary (Local) AZ (and other remote AZs in case of VTEP-based subnet extensions)
You can extend a Layer 2 subnet across two Nutanix AZs over either VPN or Virtual tunnel
End Point (VTEP). SeeLayer 2 Virtual Subnet Extension Over VPN.
You can extend a Layer 2 subnet between a Nutanix AZ and one or more non-Nutanix
datacenters only over VTEP. See Layer 2 Virtual Subnet Extension Over VTEP.
You can extend subnets for the following configurations.
IPAM Type.
Managed and unmanaged networks.
Subnet Type.
On-prem VLAN subnets and VPC subnets.
Traffic Type.
IPv4 unicast traffic and ARP.
On-prem Hypervisor.
AHV and ESXi
Note:
If your cluster is ESXi, use vCenter Server
to manually configure the port group attached to the subnet you want to extend. Set the
security settings,
Promiscuous mode
and
Forged
transmits
to
Accept
on the vSwitch as shown in the
following image.
Figure.
ESXi Host Port Group Configuration
Click to enlarge
Prerequisites for Setting Up Subnet Extension
Ensure the following before you configure Layer 2 subnet extension between your on-prem
AZs.
Ensure that the Prism Central versions support Layer 2 virtual subnet extension as
specified in the Release Notes. See
AOS Family Release Notes
and
Release Notes | Prism Central
as applicable.
See the
Prism Central
Upgrade and Installation Guidelines and Requirements
section of the
Acropolis Upgrade Guide
for instructions about how to upgrade a Prism
Central instance through the Prism Central web console.
Ensure that you pair the Prism Central at the local AZ with the Prism Central at the
remote AZ to use
Create Subnet Extension
wizard to extend a subnet
across the AZs and facilitate bidirectional communication between these clusters or sites.
Using paired availability zones it is possible to configure both VXLAN over VPN and VTEP
based subnet extension. You can also extend subnets using the manual gateway and
connection workflows instead of pairing the AZs.
See the Pairing Availability Zones for instructions about how to pair the
local and remote AZs.
Ensure that you set up a default static route with
0.0.0.0/0
prefix and
the External Network next hop for the VPC you use for any subnet extension. This allows
NTP and DNS access for the Network Gateway appliance.
Best Practices for Subnet Extension
Nutanix recommends the following configurations to allow IP address retention for VMs on
extended subnets.
When using Nutanix IPAM ensure the address ranges in the paired subnets are unique to
avoid conflict between VM IP addresses across extended subnets.
If the source and target sites use third-party IPAM, ensure that there are no
conflicting IP address assignments across the two sites.
Note:
If the source and target
sites use Nutanix IPAM, the Prism Central web console displays a message that indicates
an IP address conflict if one exists.
If connectivity between sites already provides encryption, consider using VTEP only
subnet extension to reduce encryption overhead.
Use the
Subnet Extension to a Third Party Data-Center
workflow in
the following scenarios
To extend a subnet to more than one other AZ. This is also known as point to
multi-point.
To extend subnets between clusters managed by the same Prism Central.
Subnet Extension Workflow
You can manage Layer 2 subnet extension on the
Subnet Extensions
tab
of the
Connectivity
page. Open the
Subnet
Extensions
by clicking the hamburger icon in the top-left corner of the
Dashboard
and then clicking
Connectivity
.
You can create point-to-point Layer 2 subnet extensions between two AZs over VPN or
VTEP by opening the
Create Subnet Extension Across Availability
Zones
dialog box. See Extending a Subnet Over VPN for
VPN-based extensions. See Extending a Subnet Across Availability Zones Over VTEP for
VTEP-based extensions.
You can create point-to-point or point-to-multipoint Layer 2 subnet extensions to third
party datacenters over VTEP by opening the
Create Subnet Extension To A Third
Party Data-Center
dialog box. See Extending a Subnet to Third Party Datacenters Over VTEP.
You can update a subnet extension that extends across AZs using the
Update
Subnet Extension Across Availability Zones
dialog box. The
Update
Subnet Extension Across Availability Zones
has the same parameters and
fields as the
Create Subnet Extension Across Availability Zones
dialog box. You can open the
Update Subnet Extension Across Availability
Zones
dialog box by:
Selecting the subnet extended across AZs in the
Subnet
Extensions
and clicking the
Update
button.
Clicking the subnet extended across AZs in the
Subnet
Extensions
and clicking the
Update
button on the
Summary
tab.
You can update a subnet extension that extends to multiple AZs or third party datacenters
using the
Update Subnet Extension To A Third Party Data-Center
dialog
box.
Update Subnet Extension To A Third Party Data-Center
dialog box
has the same parameters and fields as the
Create Subnet Extension To A Third Party
Data-Center
dialog box. You can open the
Update Subnet Extension To A
Third Party Data-Center
dialog box by:
Selecting the subnet extended to third datacenters in the
Subnet
Extensions
and clicking the
Update
button.
Clicking the subnet extended to third datacenters in the
Subnet
Extensions
and clicking the
Update
button on the
Summary
tab.
See Updating an Extended Subnet.
Layer 2 Virtual Subnet Extension Over VPN
Subnet extension using VPN allows seamless, secure migration to a new datacenter or for
disaster recovery. VPN based Layer 2 extension provides secure point to point connection to
migrate workloads between Availability Zones. Consider VTEP-only Subnet Extension without VPN
when encryption is not required.
Subnet extension using VPN is useful:
When the two Availability Zones (where the subnets to be extended belong) do not have any
underlying secure connectivity. For example, when connecting over the Internet, VPN (IPSec)
provides the necessary connectivity and encryption (security).
Sometimes when you need to move (lift-and-shift) workloads from a VLAN subnet to a VPC
subnet retaining the same VM IP addresses . You need connectivity from other subnets to
workloads that have already migrated to VPC. In such cases, VPN provides the Layer 3
connectivity and encryption between the VPC segment of extended subnet to other VLAN
subnets.
Prerequisites for Setting Up Subnet Extension Over VPN
See Layer 2 Virtual Network Extension for general
prerequisites to extend subnets.
Set up VPN gateway services and a VPN connection between local AZ and the remote AZ.
The subnet extension feature supports only the Nutanix VPN solution (not a third-party
VPN solution) at the both the local and remote AZs. See the Virtual Network Connections for instructions about how to upgrade the VPN gateway
VM at the local and remote clusters or sites.
Note:
Ensure that the VPN gateway version
is 5.0 or higher. See the Updating a Network Gateway section
of the
Nutanix Flow Networking Guide
for instructions about how to
upgrade the network gateway at the local and remote sites.
Configure subnets with the same IP CIDR prefix at the source and target sites. For
example, if the IP prefix at one site is 30.0.0.0/24, the IP prefix at the other site must
also be 30.0.0.0/24. The network and mask must match at both AZs.
Configure distinct DHCP pools for the source and target sites with no IP address
overlap. Separate DHCP pools ensure no IP address conflicts occur for dynamically assigned
IP addresses between the two AZs.
Procure two free IP addresses, one from each subnet, for the Network Gateway in the
subnets to be extended. These IP addresses are configured as local IP address and remote
IP address for the subnet extension in the
Subnet Extension
wizard.
These two free IP addresses are the externally accessible IP addresses for the local
gateway, and the remote gateway. Those two usable IP addresses are already contained
inside the VPN connection and must not conflict with the following:
DHCP pools on any of the Availability Zones.
Gateway IP address on any of the Availability Zones.
IP addresses allocated to existing user VMs on any of the Availability Zones.
IP addresses used by Network Gateway Management NIC subnet (IP pool
100.64.1.0/24)
Limitation
To use subnet extension over a VPN, both sites must use the VPN service of the Nutanix
Network Gateway. Consider VTEP-only subnet extension to connect to non-Nutanix third party
sites.
Pairing AZs (Nutanix Disaster Recovery)
To replicate entities (protection policies, recovery plans, and recovery points) to
different on-prem AZs (AZs) bidirectionally, pair the AZs with each
other. To replicate entities to different Nutanix clusters at the same AZ bidirectionally,
you need not pair the AZs because the primary and the recovery Nutanix clusters are
registered to the same AZ (Prism Central). Without pairing the AZs, you cannot perform
DR to a different AZ.
About this task
To pair an on-prem AZ with another on-prem AZ, perform the following procedure at
both the AZs.
Procedure
Log on to the Prism Central web console.
Click the hamburger icon at the top-left corner of the window. Go to
Administration
>
AZs
in the left pane.
Figure.
Pairing AZ
Click to enlarge
Click
Connect to AZ
.
Specify the following information in the
Connect to Availability
Zone
window.
Figure.
Connect to AZ
Click to enlarge
AZ Type
: Select
Physical Location
from the drop-down
list.
A physical location is an on-prem AZ (AZ). To pair
the on-prem AZ with Xi Cloud Services, select
XI
from the drop-down list, and enter the
credentials of your Xi Cloud Services account in step c and set
d.
IP Address for Remote PC
: Enter the IP address
of the recovery AZ Prism Central.
Username
: Enter the username of your recovery
AZ Prism Central.
Password
: Enter the password of your recovery
AZ Prism Central.
Click
Connect
.
Extending a Subnet Over VPN
The subnet extension allows VMs to communicate over the same broadcast domain to a
remote site or Availability Zone (AZ).
Before you begin
See Layer 2 Virtual Network Extension and Layer 2 Virtual Subnet Extension Over VPN for information on prerequisites
and best practices for extending a subnet.
About this task
Perform the following procedure to extend a subnet from the on-prem site.
Procedure
Click the hamburger icon in the top-left corner of the
Dashboard
>
Networking & Security
>
Connectivity
>
Subnet Extension
.
On the
Subnet Extension
page, select
Create Subnet Extension
>
Across Availability Zones
.
In the
Create Subnet Extension Across Availability Zones
dialog box, enter the necessary details as described in the table.
Figure.
Create Subnet Extension Across Availability Zones
Click to enlarge
Fields
Description
Values
Extend Subnet over a
Select the gateway service you want to use for the subnet
extension.
(VPN or VTEP)
Note:
Configure the following fields for the
Local
and the
Remote
sides of the dialog
box.
Availability Zone
(For Local) Local AZ is pre-selected default.
(For Remote)
Select the appropriate AZ from the drop-down list of
AZs.
(Local: Local AZ)
(Remote: Dropdown list of
AZs.)
Subnet Type
Select the type of subnet that you want to extend.
(VLAN or Overlay)
Cluster
Displayed if your selected VLAN subnet. Select the cluster
from the dropdown list of clusters.
(Name of cluster selected from dropdown list)
VPC
Displayed if your selected Overlay subnet. Select the
appropriate VPC from the dropdown list of VPCs.
(Name of VPC selected from dropdown list)
Subnet
Select the subnet that needs to be extended.
(Name of subnet selected from dropdown list)
(Network Information frame)
Displays the details of the VLAN or Overlay network that you
selected in the preceding fields.
(Network information)
Gateway IP Address/Prefix
Displays the gateway IP address for the subnet. This field is
already populated based on the subnet selected.
(IP Address)
(Local or Remote) IP Address
Enter a unique and available IP address that are externally
accessible IP addresses in
Local IP
Address
and
Remote IP
Address
.
(IP Address)
VPN Connection
Select the appropriate VPN Connection from the dropdown list
that Flow networking must use for the subnet extension. See
Creating a VPN Connection for
instructions to create VPN connection.
(Name of VPN connection selected from the dropdown
list)
Click
Save
.
A successful subnet extension is listed on the
Subnet
Extension
dashboard. See .
Layer 2 Virtual Subnet Extension Over VTEP
Subnet extension using Virtual tunnel End Point (VTEP) allows seamless migration to new
datacenters or for disaster recovery. VTEP based Layer 2 extension provides
point-to-multipoint connections to migrate workloads from one Availability Zone to multiple
Availability Zones
without
encryption.
If you need security and encryption, consider using Subnet Extension over VPN.
Subnet extension using VTEP is useful:
When both subnets that need to be stretched are Nutanix subnets (managed or unmanaged).
VTEP provides an optimized workflow to stretch the two subnets.
When both subnets are connected over an existing private and secure link that does not
need additional encryption.
When one Nutanix subnet needs to be stretched across one or more non-Nutanix
networks,
sites, or datacenters.
Subnet
Extension with third-party VTEPs provides point-to-multipoint connectivity
to third party datacenters assuming that there is underlying
layer 3
connectivity between these VTEPs.
VTEP-based Layer 2 Subnet Extension provides the following advantages:
Layer 2 subnet extension from one AZ to multiple AZs.
Layer 2 subnet extension between Nutanix AZs and non-Nutanix third party VTEP-based
AZs.
The Remote VTEP Gateway is a set of endpoint IP addresses. You can add endpoint IP
addresses to an existing operational Remote VTEP Gateway without stopping the subnet
extension services. This on-the-fly addition enables you to extend the subnets to more AZs
than originally
planned, or
perform maintenance, without disrupting the running services or
configuring new remote VTEP gateways.
Prerequisite for Setting Up Subnet Extension Over VTEP
See Layer 2 Virtual Network Extension for general
prerequisites to extend subnets.
Set up VTEP local and remote gateway services on local and remote AZs. In case of
point-to-multipoint extension, ensure that you create local and remote VTEP gateways on
all the remote AZs that the subnet needs to be extended to.
For each
extended subnet within the same Network Gateway appliance
ensure
that you have unique VxLAN Network Identifiers (VNIs) that you can use for the VTEP subnet
extensions. VNI may be any number between 0 and 16777215.
Extending a Subnet Across Availability Zones Over VTEP
The subnet extension over VTEP allows VMs to communicate two Availability Zones (AZ)
without a VPN connection.
Before you begin
See Layer 2 Virtual Network Extension and Layer 2 Virtual Subnet Extension Over VTEP for information on prerequisites and
best practices for extending a subnet.
About this task
To extend a subnet over VTEP across two availability zones (AZs), do the
following.
Procedure
Open the
Create Subnet Extension Across Availability Zones
in one of the following ways:
On the
Subnet Extensions
tab, click
>
Create Subnet Extension
>
Across Availability Zones
>
.
In the
Subnets
dashboard, select the subnet you want
to extend and click
Actions
>
Extend
>
Across Availability Zones
In the
Subnets
dashboard, click the subnet you want
to extend. On the subnet details page, click
Extend
>
Across Availability Zones
.
Figure.
Example of Create VTEP Extension Across AZs with VLAN Subnet
Click to enlarge
For
Extend Subnet over a
, select
VTEP
.
Enter or select the necessary values for the parameters in the
Local
and
Remote
(AZ)
sections as described in the table.
Parameters
Description and Value
Availability Zone
Displays the name of the paired availability zone at the
local AZ.
Subnet Type
Select the type of the subnet - VLAN or Overlay that you are
extending.
Cluster
Select the name of the cluster in the local AZ that the
subnet is configured for.
Subnet
Select the name of the subnet at the local AZ for network.
The VLAN ID and the IPAM - managed or unmanaged are displayed in
the box below the
Subnet
field.
Gateway IP Address.
Enter the gateway IP address of the subnet you want to
extend. Ensure that you provide the IP address in
<IP-address/network-prefix> format. for example the gateway
IP is 10.20.20.1 in a
/24
subnet then provide the
gateway
IP address as
10.20.20.1/24
.
Note:
For
an
unmanaged network, enter the gateway IP
address of the created subnet.
Local IP Address
Enter a unique and available (unused) IP address from the
subnet provided in
Subnet
for the Network
Gateway appliance.
Remote IP Address
Enter a unique and available (unused) IP address from the
subnet provided in
Subnet
for the remote
Network Gateway appliance.
Local VTEP Gateway
Select the local VTEP gateway you created on the local AZ.
See Creating a Network Gateway for information
about creating VTEP gateways.
Remote VTEP Gateway
Select the VTEP gateway you created on the remote AZ. See
Creating a Network Gateway for information
about creating VTEP gateways.
Connection
Properties
VxLAN Network Identifier (VNI)
Enter a unique number from the range 0-16777215 as VNI.
Ensure that this number is not reused anywhere in the local or
remote VTEP Gateways.
MTU
The default MTU is 1392 to account for 108 bytes of overhead
and the standard physical MTU of 1500 bytes. VPC Geneve
encapsulation requires 58 bytes and VXLAN encapsulation requires
50. However, you can enter any valid MTU value for the network,
taking this overhead into account. For example, if the physical
network MTU and vs0 MTU are 1600 bytes, the Network Gateway MTU
can be set to 1492 to account for 108 bytes of overhead. Ensure
that the MTU value does not exceed the MTU of the AHV Host
interface and all the network interfaces between the local and
remote AZs.
Click
Save
.
After the subnet is extended, the extension appears in the
Subnet Extensions
list view.
Extending a Subnet to Third Party Datacenters Over VTEP
The subnet extension over VTEP allows VMs to communicate with multiple remote sites
or Availability Zones (AZ) that may be third party (non-Nutanix) networks, or datacenters.
It also provides the flexibility of adding more remote AZs to the same VTEP-based extended
Layer 2 subnet. Examples of compatible VTEP gateways are switches from Cisco, Juniper,
Arista, and others that support plain VXLAN VTEP termination.
About this task
To extend a subnet over VTEP across multiple availability zones (AZs) or third party
datacenters, do the following.
Procedure
Open the
Create Subnet Extension To A Third Party
Data-Center
in one of the following ways:
On the
Subnet Extensions
tab, click
>
Create Subnet Extension
>
To A Third Party Data-Center
In the
Subnets
dashboard, select the subnet you want
to extend and click
Actions
>
Extend
>
To A Third Party Data-Center
In the
Subnets
dashboard, click the subnet you want
to extend. On the subnet details page, click
Extend
>
To A Third Party Data-Center
.
Figure.
Example of Create VTEP Extension To A Third Party Data-Center with
VLAN Subnet
Click to enlarge
Enter or select the necessary values for the parameters in the
Local
,
Remote
(AZ), and
Connection Properties
sections as described in the
table.
Parameters
Description and Value
Local
Availability Zone
Displays the name of the paired availability zone at the
local AZ.
Subnet Type
Select the type of the subnet - VLAN or Overlay that you are
extending.
Cluster
Select the name of the cluster in the local AZ that the
subnet is configured for.
Subnet
Select the name of the subnet at the local AZ for network.
The VLAN ID and the IPAM - managed or unmanaged are displayed in
the box below the
Subnet
field.
Gateway IP Address
Enter the gateway IP address of the subnet you want to
extend. Ensure that you provide the IP address in
<IP-address/network-prefix> format. for example the gateway
IP is 10.20.20.1 in a .24 subnet then provide the gatewway IP
address as
10.20.20.1/24
.
Note:
For
unmanaged network, enter the gateway IP address of the
created subnet.
Local IP Address
Enter a unique and available (unused) IP address from the
subnet provided in
Subnet
.
Local VTEP Gateway
Select the local VTEP gateway you created on the local AZ.
See Creating a Network Gateway for more
information about creating a local VTEP gateway.
Remote
Remote VTEP Gateway
Select the remote VTEP gateway you created on the local AZ.
See Creating a Network Gateway for more
information about creating a remote VTEP gateway.
Connection
Properties
VxLAN Network Identifier (VNI)
Enter a unique number from the range 0-16777215 as VNI.
Ensure that this number is not reused anywhere in the networks
that the Prism Central and Cluster are a part of.
MTU
The default MTU is 1392 to account for 108 bytes of overhead
and the standard physical MTU of 1500 bytes. VPC Geneve
encapsulation requires 58 bytes and VXLAN encapsulation
requires 50. However, you can enter any valid MTU value for
the network, taking this overhead into account. For example,
if the physical network MTU and vs0 MTU are 1600 bytes, the
Network Gateway MTU can be set to 1492 to account for 108
bytes of overhead. Ensure that the MTU value does not exceed
the MTU of the AHV Host interface and all the network
interfaces between the local and remote AZs.
Click
Save
.
After the subnet is extended, the extension appears in the
Subnet Extensions
list view.
Updating an Extended Subnet
The
Update Subnet Extension Across Availability Zones
has the same
parameters and fields as the
Create Subnet Extension Across Availability Zones
dialog box.
About this task
You can update a subnet extension that extends across AZs using the
Update
Subnet Extension Across Availability Zones
or the
Update
Subnet Extension To A Third Party data center
dialog box. The
Update Subnet Extension Across Availability Zones
or the
Update Subnet Extension To A Third Party data center
dialog
box has the same parameters and fields as the
Create Subnet Extension
Across Availability Zones
or the
Create Subnet Extension To
A Third Party data center
dialog box, respectively.
Based on the type of the subnet extension that you want to modify, refer to the
following:
Procedure
Extending a Subnet Over VPN
Extending a Subnet Across Availability Zones Over VTEP
Extending a Subnet to Third Party Datacenters Over VTEP
Removing an Extended Subnet
About this task
Perform the following procedure to remove the subnet extension. This procedure
deletes the extended subnet between the two Availability Zones (AZs) or between one
Nutanix AZ and one or more third party subnets. Deleting the subnet extension does
not automatically remove the network gateways or VPN connections that may have
automatically been created by the Subnet Extension wizard. You need to separately
delete these entities created automatically when the subnet was extended.
Note:
Removing an extended subnet from a cluster or AZ (either source or target AZs)
automatically deletes the extended subnet from the corresponding source or target
AZs.
Procedure
Click the hamburger icon in the top-left corner of the
Dashboard
.
Karbon Platform Services is a Kubernetes-based multicloud platform as a service that enables
rapid development and deployment of microservice-based applications. These applications can
range from simple stateful containerized applications to complex web-scale applications across
any cloud.
In its simplest form, Karbon Platform Services consists of a Service Domain encapsulating a
project, application, and services infrastructure, and other supporting resources. It also
incorporates project and administrator user access and cloud and data pipelines to help
converge edge and cloud data.
With Karbon Platform Services, you can:
Quickly build and deploy intelligent applications across a public or private cloud infrastructure.
Connect various mobile, highly distributed data sensors (like video cameras, temperature or pressure sensors, streaming devices, and so on) to help collect data.
Create intelligent applications using data connectors and machine learning modules (for example, implementing object recognition) to transform the data. An application can be as simple as text processing code or it could be advanced code implementing AI by using popular machine learning frameworks like TensorFlow.
Push this data to your Service Domain or the public cloud to be stored or otherwise made available.
This data can be stored at the Service Domain or published to the cloud. You can then create intelligent applications using data connectors and machine learning modules to consume the collected data. These applications can run on the Service Domain or the cloud where you have pushed collected data.
Nutanix provides the Service Domain initially as a VM appliance hosted in an AOS AHV or ESXi
cluster. You manage infrastructure, resources, and Karbon Platform Services capabilities in a console
accessible through a web browser.
Cloud Management Console and User Experience
As part of initial and ongoing configuration, you can define two user types: an
infrastructure administrator
and a
project user
. The cloud
management console and user experience help create a more intuitive experience for
infrastructure administrators and project users.
Admin Console
drop-down menu for infra admins and
Home
Console
drop-down menu for project users. Both menus provide a list of all
current projects and 1-click access to an individual project. In the navigation sidebar,
Projects
also provides a navigation path to the overall list of
projects.
Vertical tabs
for most pages and dashboards. For example,
clicking
Administration
>
Logging
shows the
Logging
dashboard with related task and
Alert
tabs. The left navigation menu remains persistent to help
eliminate excessive browser refreshes and help overall navigation.
Simplified Service Domain Management
. In addition to the standard
Service Domain list showing all Service Domains, a consolidated dashboard for each Service
Domain is available from
Infrastructure
>
Service Domain
. Karbon Platform Services also simplifies upgrade operations available from
Administration
>
Upgrades
. For convenience, infra admins can choose when to download available
versions to all or selected Service Domains, when to upgrade them, and check status for
all or individual Service Domains.
Updated Workflows for Infrastructure Admins and Project Users
.
Apart from administration operations such as Service Domain, user management, and resource
management, the infra admin and project user work flow is project-centric. A project
encapsulates everything required to successfully implement and monitor the platform.
Updated GPU/vGPU Configuration Support
. If your Service Domain
includes access to a GPU/vGPU, you can choose its use case. When you create or update a
Service Domain, you can specify exclusive access by any Kubernetes app or data pipeline or
by the AI Inferencing API (for example, if you are using ML Models).
Built-In App Services, Logging, and Alerting
Karbon Platform Services includes these ready-to-use built-in services, which provide an advantage over self-managed services:
Secure by design.
No life cycle management. Service Domains do not require any user intervention to maintain or update service versions, patches, or other hands-on activities. For ease of use, all projects using the Service Domain use the same service version.
Dedicated service resources. Your project uses isolated service resources. Service resources are not shared with other projects. Applications within a project are not required to authenticate to use the service.
Service-specific alerts. Like other Karbon Platform Services features, the Service Domain helps monitor service health and raises service-specific alerts.
App Runtime Service
These services are enabled by default on each Service Domain. All services now have monitoring and status capabilities
Kubernetes Apps. Container-as-a-Service to manage and run Kubernetes apps without worrying about Kubernetes complexity and having to manage the underlying infrastructure.
Functions and Data Pipelines. Function-as-a-Service to run serverless functions. Invoke functions based on data triggers and publish to service end points.
AI Inferencing - updated in this release. ML model management and AI Inferencing runtime, pooled though an abstraction of GPUs and hardware accelerators. Enable this service to use your machine learning (ML) models in your project.
Ingress Controller
Ingress controller configuration and management is now available from the cloud management console (as well as from the Karbon Platform Services kps command line). Options to enable and disable the Ingress controller are available in the user interface.
Traefik or Nginx-Ingress. Content-based routing, load balancing, SSL/TLS termination. If your project requires Ingress controller routing, you can choose the open source Traefik router or the NGINX Ingress controller to enable on your Service Domain. You can only enable one Ingress controller per Service Domain.
Service Mesh
Istio. Provides traffic management, secure connection, and telemetry collection for your applications.
Data Streaming | Messaging
Kafka. Options to enable and disable Kafka are available in the user interface. Persistent, high performance data streaming with publish/subscribe and queue based messaging. Available for use within project applications and data pipelines, running on a Service Domain hosted in your environment.
NATS. In-memory, high performance data streaming with publish/subscribe and queue based messaging. Available for use within project applications and data pipelines. In-memory high performance data streaming including pub/sub (publish/subscribe) and queue-based messaging.
Logging | Monitoring | Alerting | Audit Trail
Prometheus. Provides Kubernetes app monitoring and logging, alerting, metrics collection, and a time series data model (suitable for graphing).
Log forwarding policies for all users. Create, edit, and delete log forwarding policies to help make collection more granular, and then forward those Service Domain logs to the cloud - for example, AWS CloudWatch.
Audit trail. Karbon Platform Services maintains an audit trail of any operations performed by users in the last 30 days and displays them in an
Audit Log
dashboard in the cloud management console.
Infrastructure Administrator Role
Karbon Platform Services allows and defines two user types: an infrastructure administrator and a project user. An infrastructure administrator can create both user types.
Infrastructure administrator creates and administers most aspects of Karbon Platform Services. The
infrastructure administrator provisions physical resources, Service Domains, services, data
sources, and public cloud profiles. This administrator allocates these resources by creating
projects and assigning project users to them. This user has create/read/update/delete (CRUD)
permissions for:
Categories
Cloud profiles
Container registry profiles
Data sources
Service Domains
Projects
Users
Logs
When an infrastructure administrator creates a project and then adds themselves as a user for that project, they are assigned the roles of project user and infrastructure administrator for that project.
When an infrastructure administrator adds another infrastructure administrator as a user to a project, that administrator is assigned the project user role for that project.
Figure.
Infrastructure Administrator
Click to enlarge
Project User Role
A project user can view and use projects created by the infrastructure administrator.
This user can view everything that an infrastructure administrator assigns to a project. Project
users can utilize physical resources, as well as deploy and monitor data pipelines and
Kubernetes applications.
Karbon Platform Services allows and defines two user types: an infrastructure administrator and a project user.
An infrastructure administrator can create both user types.
The project user has
project-specific
create/read/update/delete (CRUD)
permissions: the project user can create, read, update, and delete the following and associate
it with an existing project:
Kubernetes Apps
Functions (scripts)
Data pipelines
Runtime environments
When an infrastructure administrator creates a project and then adds themselves as a user for
that project, they are assigned the roles of project user and infrastructure administrator for
that project.
When an infrastructure administrator adds another infrastructure administrator as a user to a
project, that administrator is assigned the project user role for that project.
Figure.
Project User
Click to enlarge
Naming Guidelines
Data Pipelines and Functions
When you create, clone, or edit a function, you can define one or more parameters.
When you create a data pipeline, you define values for the parameters when you
specify the function in the pipeline.
Data pipelines can share functions, but you can specify unique parameter values
for the function in each data pipeline.
Service Domain, Data Source, and Data Pipeline Naming
Starts and ends with a lowercase alphanumeric character
Dash (-) and dot (.) characters are allowed.For example, my.service-domain is a
valid Service Domain name.
Maximum length of 63 characters
Data Source Topic and Field Naming
Topic and field naming must be unique across the same data source types. You are
allowed to duplicate names across different data source types. For example, an MQTT
topic name and RTSP protocol stream name can share /temperature/frontroom.
An MQTT topic name must be unique when creating an MQTT data source. You cannot
duplicate or reuse an MQTT topic name for multiple MQTT data sources.
An RTSP protocol stream name must be unique when creating an RTSP data source. You
cannot duplicate or reuse an RTSP protocol stream name for multiple RTSP data
sources.
A GigE Vision data source name must be unique when creating a GigE Vision data
source. You cannot duplicate or reuse a GigE Vision data source name for multiple
GigE Vision data sources.
Container Registry Profile Naming
Starts and ends with a lowercase alphanumeric character
Dash (-) and dot (.) characters are allowed.
Maximum length of 200 characters
All Other Resource Naming
Starts and ends with a lowercase alphanumeric character
Dash (-) and dot (.) characters are allowed. For example, my.service-domain is a
valid Service Domain name
Maximum length of 200 characters
Karbon Platform Services Cloud Management Console
The web browser-based Karbon Platform Services cloud management console enables you to
manage infrastructure and related projects, with specific management capability dependent on
your role (infrastructure administrator or project user).
You can log on with your My Nutanix or local user credentials.
Logging On to The Cloud Management Console
Before you begin
The supported web browser is the current and two previous versions of Google
Chrome.
If you are logging on for the first time, you might experience a guided
onboarding workflow.
After three failed login attempts in one minute, you are locked out of your
account for 30 minutes.
Users without My Nutanix credentials log on as a local user.
Procedure
Open https://karbon.nutanix.com/ in a web browser.
Choose one of the following to log on:
Click
Login with My Nutanix
and log on with your
My Nutanix credentials.
Click
Log In with Local User Account
and log on
with your project user or infrastructure administrator user name and
password in the
Username
/
Password
fields.
The web browser displays role-specific dashboard.
Infrastructure Admin View
The default view for an infrastructure administrator is the
Dashboard
.
Click the menu button in the view to expand and display all available pages in this view.
Figure.
Default Infrastructure Administrator View
Click to enlarge
Admin Console / Projects
Drop-down menu that lets you quickly navigate to the Admin Console (home Dashboard) or
any project.
Dashboard
Customized widget panel view of your infrastructure, projects, Service Domains, and
alerts. Includes the
Onboarding Dashboard
panel, with links to create
projects and project components such as Service Domains, cloud profiles, categories, and
so on. Click Projects or Infrastructure to change the user dashboard view.
Services
Managed services dashboard. Add a service such as Istio to a project.
Alerts
Displays the Alerts page, which displays a sortable table of alerts associated with your
Karbon Platform Services deployment.
Audit Trail
Access the Audit Log dashboard to view the most recent events or tasks performed in the
console.
Projects
Displays a list of all projects.
Create projects from this page.
Infrastructure Submenu
Service Domains
Displays a list of available Service Domains.
Add an internet-connected Service Domain device or appliance.
You can create one or more Service Domains depending on your requirements and
manage them from the Karbon Platform Services management console.
Data Sources and IoT Sensors
Displays a list of available or created data sources sensors
Create and define a data source (sensor or gateway) and associate it with a
Service Domain.
Administration Submenu
Categories
Displays a list of available categories.
Create and define a category to logically group Service Domains, data sources, and
other items.
Cloud Profiles
Displays a list of cloud profiles.
Add and define a cloud profile (Amazon Web Services, Google Cloud Platform, and so
on) where acquired data is to be stored.
Container Registry Profiles
Displays a list of Docker container registry profiles.
Add and define a Docker container registry profile. This profile can optionally be
associated with an existing cloud profile.
Users
Displays a list of users.
Create infrastructure administrators and project users.
System Logs
Run Log Collector on one or more connected Service Domains and then download the
collected log bundle.
Upgrades
Apply software updates for your Service Domain when updates are available.
Help
Provides a link to the latest online documentation.
Project User View
The default view for a project user is the
Dashboard
.
Click the menu button in the view to expand and display all available pages in this view.
Figure.
Default Project User View
Click to enlarge
Dashboard
Customized widget panel view of your infrastructure, projects, Service Domains, and alerts. Includes the
Onboarding Dashboard
panel, with links to create projects and project components such as Service Domains, cloud profiles, categories, and so on. The user view indicate displays Project for project users.
Projects
Displays a list of all projects created by the infrastructure administrator.
Edit an existing project.
Alerts
Displays the Alerts page, which displays a sortable table of alerts associated with your Karbon Platform Services deployment.
Kubernetes Apps, Logging, and Services
Kubernetes Apps
Displays a list of available Kubernetes applications.
Create an application and associate it with a project.
Functions and Data Pipelines
Displays a list of available data pipelines.
Create a data pipeline and associate it with a project.
Create a visualization, a graphical representation of a data pipeline including data sources and Service Domain or cloud data destinations.
Displays a list of scripts (code used to perform one or more tasks) available for
use in a project.
Create a function by uploading a script, and then associate it with a
project.
Displays a list of available runtime environments.
Create an runtime environment and associate it with a project and a container
registry.
AI Inferencing
Create and display machine learning models (ML Models) available for use in a
project.
Services and Related Alerts
Kafka. Configured and deployed data streaming and messaging topics.
Istio. Defined secure traffic management service.
Prometheus. Defined app monitoring and metrics collection.
Nginx-Ingress. Configured and deployed ingress controllers.
Viewing Dashboards
After you log on to the cloud management console, you are presented with the main Dashboard
page as a role-specific landing page. You can also show this information at any time by
clicking
Dashboard
under the main menu.
Each Karbon Platform Services element (Service Domain, function, data pipeline, and so on) includes a dashboard
page that includes information about that element. It might also include information about
elements associated with that element.
The element dashboard view also enables you to manage that element. For example, click
Projects
and select a project. Click
Kubernetes
Apps
and click an application in the list. The application dashboard is
displayed along with an
Edit
button.
Example: Managing a Service Domain From Its Dashboard
About this task
To complete this task, log on to the cloud management console.
To delete a service
domain that does not have any associated data sources, click
Infrastructure
>
Service Domains
, select a Service Domain from the list, then
click
Remove
. Deleting a multinode Service Domain deletes all nodes
in that Service Domain.
Procedure
Click
Infrastructure
>
Service Domains
, then click a Service Domain in the list.
The Service Domain dashboard is displayed along with an
Edit
button.
Figure.
Service Domain Dash board
Click to enlarge
Click
Edit
to update Service Domain properties, such as its name, serial number, network settings, and so on. See Adding a Single Node Service Domain for information about these fields.
Click
Nodes
to view nodes associated with the service
domain.
Click
Data Sources
.
View any associated data sources.
Delete a data source: Select it, then click
Remove
.
Click
Add Data Source
to add another data source to the Service Domain. See Adding a Data Source and IoT Sensor.
Click
Alerts
to show available or active alerts.
Quick Start Menu
The Karbon Platform Services management console includes a
Quick Start
menu next to
your user name. Depending on your role (infrastructure administrator or project user), you
can quickly create infrastructure or apps and data. Scroll down to see items you can add for
use with projects.
Figure.
Quick Start Menu
Click to enlarge
Getting Started - Infrastructure Administrator
These tasks assume you have already done the following. Ensure that any network-connected devices are assigned static IP addresses.
Deployed data sources (sensors, gateways, other input devices) reachable by the Service Domain.
Deployed an internet-connected Service Domain as a VM hosted in an AHV cluster.
[Optional] Created an account with a supported cloud provider, where acquired data is transmitted for further processing.
[Optional] Create a container registry with profile (public or private/on-premise registry).
Obtained infrastructure administrator credentials for the Karbon Platform Services management console.
The Quick Start Menu lists the common onboarding tasks for the infrastructure administrator. It includes links to infrastructure-related resource pages. You can also go directly to any infrastructure resource from the
Infrastructure
menu item. As the infrastructure administrator, you need to create the following minimum infrastructure.
Add a Service Domain and add categories.
Add a data source to associate with a Service Domain.
Adding a Single Node Service Domain
Create and deploy a Service Domain cluster that consists of a single node.
About this task
To add (that is, create and deploy) a multinode Service Domain consisting of three or more
nodes, see Manage a Multinode Service Domain.
If you deploy the Service Domain node as a VM, the procedure described in Creating and Starting the Service Domain VM can provide the VM ID (serial number) and IP address.
After adding a Service Domain, the status and dot color shows Service Domain status and
can take a few minutes to update. See also Example: Managing a Service Domain From Its Dashboard.
Healthy (green). Service domain nodes started and connected.
Not Onboarded (gray). Service domain nodes have not started and are not yet
connected. Might be transitioning to Healthy.
Disconnected (red). Service domain nodes have not started and are not connected. VM
might be offline or unavailable.
Procedure
Log on to the cloud management console at https://karbon.nutanix.com/.
Click
Infrastructure
>
Service Domains
>
+ Service Domain
.
Select
Any other On-prem or Cloud Environment
and click
Next
.
Name
your Service Domain.
Starts and ends with a lowercase alphanumeric character
Maximum length of 63 lowercase alphanumeric characters
Dash (-) and dot (.) characters are allowed. For example, my-servicedomain.contoso.com is a valid Service Domain name.
Select
Single Node
to create a single-node Service Domain.
You cannot expand this Service Domain later by adding nodes.
Click
Add Node
and enter the following node details:
Serial Number
of your Service Domain node VM.
If a Nutanix AOS cluster hosts your Service Domain node VM: in the cluster Prism web console, open the
VM
page, select the Service Domain node VM, and note the ID.
You can also display the serial number by opening this URL in a browser. Use
your Service Domain node VM IP
address:
http://service-domain-node-ip-address:8080/v1/sn
Name
the node.
IP Address
of your Service Domain node VM.
Subnet Mask
and
Gateway
. Type the subnet mask and gateway IP address in these fields.
Click the check mark icon. To change the details, hover over the ellipses menu and click
Edit
.
Click
Add Category
.
See Creating a Category. You can create one or more categories to add them to a Service Domain.
Select a category and its associated value.
Click
Add
to select another category and value.
Click
Next
.
Enter environment variables as one or more key-value pairs for the service domain.
Click
Add Key-Value Pair
to additional pairs.
You can set environment variables and associated values for each Service Domain as a
key-value pair, which are available for use in Kubernetes apps.
For example, you could
set a secret variable key named
SD_PASSWORD
with a value of
passwd1234
.For an example of how to use existing environment
variables for a Service Domain in application YAML, see Using Service Domain Environment Variables - Example. See also Configure Service Domain Environment Variables.
If your Service Domain includes a GPU/vGPU, choose its usage case.
To allow access by any Kubernetes app or data pipeline, choose
Use GPU
for Kubernetes Apps and Data Pipelines
.
To allow access by AI Inferencing API (for example, if you are using ML Models),
select
Use GPU for AI Inferencing
.
To provide limited secure shell (SSH) administrator access to your service domain to
manage Kubernetes pods. select
Enable SSH Access
.
SSH Service Domain access enables you to run Kubernetes
kubectl
commands to help you with application development, debugging, and pod troubleshooting. See
Secure Shell (SSH) Access to Service Domains.
Click
Add
.
What to do next
See Adding a Data Source and IoT Sensor.
See [Optional] Creating Your Cloud Profile
Creating Your Cloud Profile
Procedure
Click
Administration
>
Cloud Profiles
>
Create
.
Select a
Cloud Type
(your cloud service provider).
If you selected
Amazon Web Services
, complete the
following fields:
Cloud Profile Name
. Name your profile.
Cloud Profile Description
. Describe the profile
- for example, profile for car recognition apps. Up to 200 alphanumeric
characters are allowed.
Access Key
. Enter the AWS access key ID.
Secret
. Enter the AWS secret access key.
If you selected
Azure
, complete the following
fields:
Cloud Profile Name
. Name your profile.
Cloud Profile Description
. Describe the profile
- for example, profile for car recognition apps. Up to 200 alphanumeric
characters are allowed.
Storage Account Name
.
Storage Key
. Copy your key into this
field.
If you selected
Google Cloud Platform
, complete the
following fields:
Cloud Profile Name
. Name your profile.
Cloud Profile Description
. Describe the profile
- for example, profile for car recognition apps. Up to 200 alphanumeric
characters are allowed.
GCP Service Account Info JSON
. Download your
Google Cloud Platform service account key as a JSON file, open the file
in a text editor, and copy its contents into this field.
Click
Create
.
On the
Your Cloud Profile
page that is now displayed, you
can add another profile by clicking
Add Cloud
Profile
.
You can also
Edit
profile properties or
Remove
a profile from
Your Cloud
Profile
.
Creating a Category
About this task
Create categories of grouped attributes you can specify when you create a data source
or pipeline.
Procedure
Click
Administration
>
Categories
>
Create
.
Name
your category. Up to 200 alphanumeric characters are
allowed.
Purpose
. Describe the category. Up to 200 alphanumeric
characters are allowed.
Click
Add Value
and type a category component name in
the text field.
Click the check icon to add the data source field.
Click
Add Value
to add more category components in the
text field, clicking the check icon to add each one.
Click
Create
when you are finished.
Repeat to add more categories.
What to do next
Use these categories as attributes when adding a data source or data pipeline.
See also Adding a Single Node Service Domain or Manage a Multinode Service Domain, where you can add
these categories to a Service Domain.
Adding a Data Source and IoT Sensor
You can add one or more data sources (a collection of sensors, gateways, or other input
devices providing data) to associate with a Service Domain.
Each defined data source consists of the following:
Data source type (sensor, input device like a camera, or gateway) - the origin of the
data
Communication protocol typically associated with the data source
Authentication type to secure access to the data source and data
One or more fields specifying the data extraction method - the data pipeline
specification
Categories which are attributes that can be metadata you define to associate with the
captured data
Add a Data Source - MQTT
About this task
Add one or more data sources using the Message Queuing Telemetry Transport lightweight
messaging protocol (MQTT) to associate with a Service Domain.
Certificates downloaded from
the cloud management console have an expiration date 30 years from the certificate creation
date. Download the certificate ZIP file each time you create an MQTT data source. Nutanix
recommends that you use each unique set of these security certificates and keys for any MQTT
data sources you add.
When naming entities, Up to 200 alphanumeric characters are allowed.
Procedure
Click
Infrastructure
>
Data Sources and IoT Sensors
>
Add Data Source
.
Select a data source type:
Sensor
or
Gateway
.
Name
your data source.
Associated Service Domain
. Select a Service Domain for your data source.
Select
Protocol
>
MQTT
.
Authentication type
. When you select the
MQTT
protocol, the
Certificate
authentication type is selected automatically to authenticate the connection between your data source and the Service Domain.
Click
Generate Certificates
, then click
Download
to download a ZIP file that contains X.509 sensor certificate (public key) and its private key and Root CA certificates.
See Certificates Used with MQTT Data Sources.
Click
Next
to go to
Data Extraction
to specify the data fields to extract from the data source.
Data Extraction - MQTT
Procedure
Click
Add New Field
.
Name
. Enter a relevant name for the data source field.
Add MQTT Topic
. Enter a topic (a case-sensitive UTF-8 string). For example,
/temperature/frontroom
for a temperature sensor located in a specific room.
An MQTT topic name must be unique when creating an MQTT data source. You cannot duplicate or reuse an MQTT topic name for multiple MQTT data sources.
Click the check icon to add the data source field.
Click
Add New Field
to add another topic or click
Next
to go to the
Category Assignment
panel.
Category Assignment - MQTT
About this task
Categories enable you to define metadata associated with captured files from the data source.
Procedure
Select
All Fields
from
Select Fields
.
Select
Category
>
Data Type
.
Select one of the Categories (as defined by Categories you have created) in the third selection menu.
Click
Add
.
Add a Data Source - RTSP
About this task
Add one or more data sources using the Real Time Streaming protocol (RTSP) to
associate with a Service Domain.
Procedure
Click
Infrastructure
>
Data Sources
>
Add Data Source
.
Select a data source type:
Sensor
or
Gateway
.
Name
your data source. Up to 200 alphanumeric
characters are allowed.
Associated Service Domain
. Select a service
domain for your data source.
Select
Protocol
>
RTSP
.
Authentication type
. When you select
RTSP
, the
Username and
Password
authentication type is selected automatically
to authenticate the connection between your data source and the service
domain.
IP address
. Enter the sensor / gateway IP
address.
Port
. Specify a port number for the streaming
device. Default port is 554.
User Name
. Enter the user name credential for
the data source.
Password
. If your data source requires it, enter
the password credential for the data source. Click
Show
to display the password as you
type.
Click
Next
to go to
Data
Extraction
to specify the data fields to extract from the data
source.
These steps create an RTSP URL in the format
rtsp://username:password@ip-address/
. For example:
rstp://userproject2:
In the next step, you will specify one or more
streams.
Data Extraction - RTSP
Procedure
Click
Add New Field
on the
Data
Extraction
page depending on your data source type.
Name
. Enter a relevant name for the data
source.
Complete the
RTSP URL
field by specifying a
named protocol stream. For example,
BackRoomCam1
.
An RTSP protocol stream name must be unique when creating an RTSP
data source. You cannot duplicate or reuse an RTSP protocol stream
name for multiple RTSP data sources.
Click the check icon to add the data source.
Click
Add New Field
to add another stream or click
Next
to go to the
Category
Assignment
panel.
Category Assignment- RTSP
About this task
Categories enables you to define metadata associated with captured files from
the data source.
Procedure
Select
All Fields
from
Select
Fields
.
Select
Category
>
Data Type
.
Select one of the Categories (as defined by Categories you have created) in
the third selection menu.
Click
Add
.
Add a Data Source - GigE Vision
About this task
Add one or more data sources using the GigE Vision camera protocol to associate with a Service Domain.
Before you begin
GigE Vision data sources must be on the same subnet as the Service Domain.
Procedure
Click
Infrastructure
>
Data Sources and IoT Sensors
>
Add Data Source
.
Select a data source type:
Sensor
or
Gateway
.
Name
your data source. Up to 200 alphanumeric characters are allowed.
Associated Service Domain
. Select a Service Domain for your data source.
Select
Protocol
>
GigE Vision
.
Authentication type
. When you select
GigE Vision
, the
None
authentication type is selected automatically.
IP address
. Enter the sensor / gateway IP address.
Click
Next
to go to
Data Extraction
to specify the data fields to extract from the data source.
Data Extraction
Procedure
Click
Add New Field
on the
Data Extraction
page depending on your data source type.
Name
. Enter a relevant name for the data source.
Click the check icon to add the data source.
A GigE Vision data source name must be unique when creating a GigE Vision data source. You cannot duplicate or reuse a GigE Vision data source name for multiple GigE Vision data sources.
Category Assignment
About this task
Categories enables you to define metadata associated with captured files from the data source.
Procedure
Select
All Fields
from
Select Fields
.
Select
Category
>
Data Type
.
Select one of the Categories (as defined by Categories you have created) in the third selection menu.
Click
Add
.
Adding a Container Registry Profile
About this task
Create a new container registry profile or associate an existing cloud profile.
This profile stores container images which can be public (for example, Docker Hub) or
private (an on-premise registry).
Starts and ends with a lowercase alphanumeric character
Dash (-) and dot (.) characters are allowed
Description
. Describe the profile. Up to 75
alphanumeric characters are allowed.
Container Registry Host Address
. Provide a
public or private registry host address. The host address can be in the
format
host.domain:port_number/repository_name
For example,
https://index.docker.io/v1/
or
registry-1.docker.io/distribution/registry:2.1
Username
. Enter the user name credential for the
profile.
Password
. Enter the password credential for the
profile. Click
Show
to display the password as
you type.
Email Address
. Add an email address in this
field.
To use an existing cloud profile that you have already added (see Creating Your Cloud Profile):
Select
Use Existing cloud profile
:
Select an existing profile from
Cloud
Profile
.
Enter the
Name
of your container registry
profile.
Up to 200 alphanumeric characters are allowed
Starts and ends with a lowercase alphanumeric character
Dash (-) and dot (.) characters are allowed
Description
. Describe the profile. Up to 75
alphanumeric characters are allowed.
Server
. Provide a server URL to the container
registry in the format used by your cloud provider.
For example, an Amazon AWS Elastic Container Registry (ECR) URL might
be:
https://
aws_account_id
.dkr.ecr.
region
.amazonaws.com
Click
Create
.
Creating Users
As an infrastructure administrator, you can create infrastructure users or project users. Users without My Nutanix credentials log on as a local user.
Before you begin
You can also do this step from the Dashboard panel Getting Started.
Procedure
Click
Administration
>
Users
>
Create
.
Name
. Provide a name for the user.
Email
. Enter a user email address which will be the user name to log on to the cloud management console.
Password
. Enter a password to be used when logging on to the Karbon Platform Services management console.
Select a user role.
Infrastructure Admin
User
Click
Create
.
Repeat to add more users.
Certificates Used with MQTT Data Sources
Each Service Domain image is preconfigured with security certificates and
public/private keys.
When you create an MQTT data source, you generate and download a ZIP file that contains
X.509 sensor certificate (public key) and its private key and Root CA certificates. Install
these components on the MQTT enabled sensor device to securely authenticate the connection
between an MQTT enabled sensor device and Service Domain. See your vendor document for your MQTT
enabled sensor device for certificate installation details.
Certificates downloaded from the Karbon Platform Services management console have an expiration date 30 years
from the certificate creation date. Download the certificate ZIP file each time you create
an MQTT data source. Nutanix recommends that you use each unique set of these security
certificates and keys for any MQTT data sources you add.
Figure.
Certificate Download When Creating a Data Source
Click to enlarge
Onboard and Manage Your Service Domain
The Karbon Platform Services cloud management console provides a rich administrative control plane to
manage your Service Domain and its infrastructure. The topics in this section describe how to
create, add, and upgrade a Service Domain.
Checking Service Domain Details
In the cloud management console, go to
Infrastructure
>
Service Domains
to add a VM-based Service Domain. You can also view health status,
CPU/Memory/Storage usage, version details, and more information for every service
domain.
Upgrading a Service Domain
In the cloud management console, go to
Administration
>
Upgrades
to upgrade your existing Service Domains. This page provides you with various
levels of control and granularity over your maintenance process. At your convenience,
download new versions for all or specific Service Domains and upgrade them with "1-click".
Onboarding a Multinode Service Domain By Using Nutanix Karbon
You can now onboard a multinode Service Domain by using Nutanix Karbon as your
infrastructure provider to create a Service Domain Kubernetes cluster. To do this, use
Karbon on Prism Central with the kps command line and cloud management console Create a
Service Domain workflow. See Onboarding a Multinode Service Domain By Using Nutanix Karbon. (You can also
continue to use other methods to onboard and create a Service Domain, as described in Onboarding and Managing Your Service Domain.)
For advanced Service Domain settings, the Nutanix public Github repository includes a README file describing how to use the command line
and the required YAML configuration file for cluster.
This public Github repository at https://github.com/nutanix/karbon-platform-services/tree/master/cli also describes how to install the command line and includes sample YAML
files for use with applications, data pipelines, data sources, and functions.
About the Service Domain Image Files
The Karbon Platform Services Release Notes include information about any
new and updated features for the Service Domain. You can create one or more Service Domains
depending on your requirements and manage them from the Karbon Platform Services management
console.
The Service Domain is available as a qcow disk image provided by Nutanix for hosting the VM
in an AOS cluster running AHV.
The Service Domain is also available as an OVA disk image provided by Nutanix for hosting the
VM in a non-Nutanix VMware vSphere ESXi cluster. To deploy a VM from an OVA file on vSphere,
see the documentation at the VMware web site describing how to deploy a virtual machine from
an OVA file for your ESXi version
Each Service Domain you create by using these images are configured with X.509 security
certificates.
If your network requires that traffic flow through an HTTP/HTTPS proxy, see HTTP/HTTPS Proxy Support for a Service Domain VM.
Download the Service Domain VM image file from the Nutanix Support portal Downloads page.
This table describes the available image file types.
Table 1.
Service Domain Image Types
Service Domain Image Type
Use
QCOW2
Image file for hosting the Service Domain VM on an AHV cluster
OVA
Image file for hosting the Service Domain VM on vSphere.
EFI RAW compressed file
RAW file in GZipped TAR file format for bare metal installation, where the
hosting machine is using an Extensible Firmware Interface (EFI) BIOS
RAW compressed file
RAW file in GZipped TAR file format for bare metal installation, where the
hosting machine is using a legacy or non-EFI BIOS
AWS RAW uncompressed file
Uncompressed RAW file for hosting the Service Domain on Amazon Web Services
(AWS)
Service Domain VM Resource Requirements
As a default, in a single VM deployment, the Service Domain requires these resources to
support Karbon Platform Services features. You can download the Service Domain VM image file from the
Nutanix Support portal Downloads page.
References
AHV Administration Guide,
Host Network
Management
Prism Web Console Guide,
Network
Management
topic
Prism Web Console Guide,
Virtual Machine
Customization
topic (cloud-init)
Table 1.
Service Domain Infrastructure VM Cluster Requirements
VM Resource Requirements
Supported Clusters
Environment
AOS cluster running AHV (AOS-version-compatible version), where Service Domain
Infrastructure VM is running as a guest VM.
VMware vSphere ESXi 6.0 or later
cluster, where Service Domain Infrastructure VM is running as a guest VM (created
from an OVA image file provided by Nutanix). The OVA image as provided by Nutanix is
running virtual hardware version 11.
vCPUs
8 single core vCPUs
Memory
16 GiB memory. You might require more storage as determined by your applications.
Disk storage
Minimum 200 GB storage. The Service Domain Infrastructure VM image file provides
an initial disk size of 100 GiBs (gibibytes). You might require more storage as
determined by your applications. Before first power on of the VM, you can increase
(but not decrease) the VM disk size.
GPUs
[optional] GPUs as required by any application using them
Karbon Platform Services Port and Firewall Requirements
Service Domain Infrastructure VM Network Requirements and Recommendations
Note:
For more information about ports and protocols, see the Ports and Protocols Reference.
Table 1.
Network Requirements and Recommendations
Item
Requirement/Recommendation
Outbound port
Allow connection for applications requiring outbound connectivity.
Starting
with Service Domain 2.2.0, Karbon Platform Services now retrieves Service Domain
package images from these locations. Ensure that your firewall or proxy allows
outbound Internet access to the following.
https://gcr.io and *.gcr.io- Google container registry
Allow outbound port 443 for websocket connection to management console / cloud
providers
NTP
Allow outbound NTP connection For network time protocol server.
HTTPS proxy
Service Domain Infrastructure VM supports a network configuration that includes
an HTTPS proxy. Customers can now configure such a proxy as part of a cloud-init
based method when deploying Service Domain Infrastructure VMs.
Service Domain Infrastructure VM static IP address
The Service Domain Infrastructure VM requires a static IP address as provided
through a managed network when hosted on an AOS / AHV cluster.
Configured network with one or more configured domain name servers (DNS) and
optionally a DHCP server
Integrated IP address management (IPAM), which you can enable when creating
virtual networks for VMs in the Prism web console
(Optional) cloud-init script which specifies network details including a DNS
server
Miscellaneous
The cloud-init package is included in the Service Domain VM image to enable
support for Nutanix Calm and its associated deployment automation features.
Real Time Streaming protocol (rtsp)
Port 554 (default)
Create and Onboard the Service Domain VM
Onboarding the Service Domain VM is a three-step process:
For an AOS cluster running Nutanix AHV, log on to the Prism Element cluster web console
and upload the disk image through the image service. See Uploading the Service Domain Image.
Create and power on the Service Domain VM. See Creating and Starting the Service Domain VM.
If your network requires that traffic flow
through an HTTP/HTTPS proxy, see HTTP/HTTPS Proxy Support for a Service Domain VM.
Add this Service Domain VM to the Karbon Platform Services cloud management console. See:
Adding a Single Node Service Domain. This VM acts as a single node that stores
installation, configuration, and service/microservice data, metadata, and images, as
well as providing Service Domain computing and cloud infrastructure management.
Adding a Multinode Service Domain. Create an initial three-node
Service Domain to create a multinode Service Domain cluster.
See also:
Deploying the Service Domain Image on a Bare Metal Server
Deploying the Service Domain on Amazon Web Services
Uploading the Service Domain Image
How to upload the Service Domain VM disk image file on AHV running in an AOS cluster.
About this task
This topic describes how to initially install the Service Domain VM on an AOS cluster by
uploading the image file. For details about your cluster AOS version and the procedures, see
the Prism Web Console Guide.
To deploy a VM from an OVA file on vSphere, see the documentation at the VMware web site
describing how to deploy a virtual machine from an OVF or OVA file for your ESXi
version.
Procedure
Log on as an administrator to the Prism Element web console through the Chrome web browser.
Click the gear icon in the main menu and select
Image Configuration
.
The
Image Configuration
window appears.
Figure.
Image Configuration Window
Click to enlarge
Click
Upload Image
to launch the
Create Image
window.
Do the following in the indicated fields:
Figure.
Create Image Window
Click to enlarge
Name
: Enter a name for the image.
Annotation
(optional): Enter a description for the image.
Image Type
(optional): Select the image type
Disk
.
Storage Container
: Select the default
SelfServiceContainer
.
Image Source
: Click
Upload a file
, then
Choose File
to select the Service Domain VM disk image file (that you downloaded from the Nutanix Support portal) from the file search window.
When all the fields are correct, click the
Save
button.
The
Create Image
window closes after uploading the file and the
Image Configuration
window reappears with the new disk image appearing in the list. This window also displays the uploading progress and will show the image State as
INACTIVE
until uploading completes, where the State changes to
ACTIVE
.
What to do next
See the topic Creating and Starting the Service Domain.
Creating and Starting the Service Domain VM
After uploading the Service Domain VM disk image file, create the Service Domain VM
and power it on. After creating the Service Domain VM, note the VM IP address and ID in the
VM Details
panel. You will need this information to add your
Service Domain in the Karbon Platform Services management console
Service
Domains
page.
About this task
This topic describes how to create the Service Domain VM on an AOS cluster and power
it on. For details about your cluster's AOS version and VM management, see the Prism Web Console Guide.
To deploy a VM from an OVA file on vSphere, see the VMware
documentation for your ESXi version.
The most recent requirements for the Service Domain VM is listed in the Karbon Platform Services Release Notes.
If your network requires that traffic flow through an HTTP/HTTPS proxy, you can use a
cloud-init script. See HTTP/HTTPS Proxy Support for a Service Domain VM.
Procedure
Log on as an administrator to your cluster's web console through the Chrome web
browser.
Click
Home
>
VM
, then click
Create VM
.
The
Create VM
dialog box appears. You might need to
scroll down to see everything that is displayed here.
Figure.
Create VM Dialog Box 1
Click to enlarge
Figure.
Create VM Dialog Box 2
Click to enlarge
Figure.
Create VM Dialog Box 3
Click to enlarge
Do the following in the indicated fields.
You might require more memory and storage as determined by your
applications.
Name
: Enter a name for the VM.
Description
(optional): Enter a description for
the VM.
Use this VM as an agent VM
: Do not select. Not
used in this case.
vCPU(s)
: Enter the number of virtual CPUs to
allocate to this VM. For Karbon Platform Services, enter
8
.
Number of Cores per vCPU
: Enter the number of
cores assigned to each virtual CPU. For Karbon Platform Services, enter
1
.
Memory
: Enter the amount of memory (in GiBs) to
allocate to this VM. For Karbon Platform Services, enter
16
.
Click
Add Disk
to add the uploaded Karbon Platform Services image
file.
Figure.
Add Disk Dialog
Click to enlarge
Select
Type
>
DISK
.
Select
Operation
>
Clone from Image Service
.
Select
Bus Type
>
SCSI
.
Select the
Image
you uploaded in Uploading the Service Domain Image.
Keep the default
Index
selection.
Click
Add
.
Click
Add New Nic
to assign the VM network interface to
a vlan, then click
Add
.
Select
Legacy BIOS
to start the VM using legacy BIOS
firmware. This choice is selected by default on AHV clusters supporting legacy
or UEFI boot firmware.
(For GPU-enabled AHV clusters only) To configure GPU access, click
Add GPU
in the
Graphics
section,
and then do the following in the
Add GPU
dialog
box:
Figure.
Add GPU Dialog Box
Click to enlarge
Configure GPU pass-through by clicking
Passthrough
, selecting the GPU that you want
to allocate, and then clicking
Add
.
If you want to allocate additional GPUs to the VM, repeat the
procedure as many times as you need to. Make sure that all the allocated
pass-through GPUs are on the same host. If all specified GPUs of the
type that you want to allocate are in use, you can proceed to allocate
the GPU to the VM, but you cannot power on the VM until a VM that is
using the specified GPU type is powered off.
Click
Save
.
The VM creation task progress appears in
Tasks
at
the top of the web console.
Note:
You might require more storage as determined by
your applications. Before first power on of the Service Domain VM, you can
increase (but not decrease) the VM disk size.
When the VM creation task is completed (the VM is created
successfully), select the new Service Domain VM in the
Table
view, scroll to the bottom of the
VM page, and click
Update
.
Scroll to the disk, click the pencil icon to edit the disk, and
increase the disk
Size
, then click
Update
and
Save
.
When the VM creation task is completed (the VM is created successfully), select
the new Service Domain VM in the
Table
view, scroll to
the bottom of the VM page, and
Power On
the VM.
Note the VM IP address and ID in the
VM Details
panel.
You will need this information to add your Service Domain in the Karbon Platform Services
management console
Service Domains
page.
If you are creating a
multinode
Service Domain
, repeat these steps to create at least two more VMs
for a minimum of three VMs. The additional VMs you create here can become nodes
in a multinode Service Domain cluster, or remain unclustered individual/single
node Service Domains.
What to do next
Add the newly-created Service Domain VM in the Karbon Platform Services management console. See:
Getting Started - Infrastructure Administrator
Adding a Single Node Service Domain for single node service
domains
Manage a Multinode Service Domain for Service Domains of up to
three nodes
Deploying the Service Domain Image on a Bare Metal Server
Before you begin
For installing the Service Domain on bare metal, see About the Service Domain Image Files for available image types. In this
procedure, you can use a RAW or EFI RAW compressed Service Domain image
depending on the bare metal server BIOS type.
For a list of approved hardware for bare metal installation, contact Nutanix
Support or send email to kps@nutanix.com.
Before imaging the bare metal server, prepare it by updating any required
firmware and performing hardware RAID virtual disk configuration.
Minimum destination disk size is 200 GB.
Single node Service Domain support only. Multinode Service Domains are not
supported.
Procedure
Download and boot a live image.
You can image the bare metal serve by live-booting any Linux operating system
that includes destination driver support and these utilities or packages:
lshw
(list hardware),
tar
(tape
archive),
gzip
(GNU compression utilitiy),
dd
(file convert and copy). You can live-boot an image
through a USB or BMC connection. These steps use an Ubuntu distro and USB drive
as an example.
Use MacOS or Microsoft Windows, create an Ubuntu bootable USB
drive.
Download the Service Domain image and copy to the USB drive.
Boot from the Ubuntu bootable USB drive with the
Try
Ubuntu
option.
In Ubuntu, open Terminal, find the destination disk, and image it.
Find the destination disk.
$ sudo lshw -c disk
Go to the directory where you saved the Service Domain image. For
example, where
drive_label
is the USB drive:
service-domain-image.raw
.tgz. RAW or EFI RAW
compressed Service Domain image you downloaded and copied to the
USB drive.
destination_disk
. Destination disk. For
example,
/dev/sda
,
/dev/nvme0n1
, and so on.
When imaging is completed successfully, restart the baremetal server.
Connect the primary network interface to a network with DHCP.
Remove the USB drive.
Restart the bare metal server and note the IP address received from
DHCP on boot.
During startup (boot), note the IP address assigned by the DHCP server.
What to do next
See Adding a Single Node Service Domain
Deploying the Service Domain on Amazon Web Services
Before you begin
For installing the Service Domain on Amazon Web Services (AWS), see About the Service Domain Image Files for available image types. In this
procedure, you can use a RAW uncompressed Service Domain image.
You need an AWS account to deploy the Service Domain on AWS.
Nutanix recommends that you create a new dedicated Amazon S3 bucket for the
Service Domain. This procedure applies a new trust policy to the S3 bucket
storing the Service Domain. Creating a dedicated S3 bucket helps avoid other
policies or configurations being inadvertently being applied to the Service
Domain.
Install configure the AWS command line interface
aws
on your
local machine, so that you can communicate with AWS as required in these steps.
For convenience, download the Service Domain image to this machine.
Single node Service Domain support only. Multinode Service Domains are not
supported.
Procedure
Create an AWS S3 bucket and copy the Service Domain RAW image to it.
Create the bucket.
$ aws s3 mb s3://raw-image-bkt
raw-image-bkt
. Name of the your S3
bucket.
aws_region
. Your AWS Region.
Copy the Service Domain RAW image to the bucket you just created.
Attach the role policy in
role-policy.json
to the
vmimport
role.
$ aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json
Create a file named
container.json
.
Make sure you replace
raw-image-bkt
with the actual name of
your S3 bucket and
service-domain-image.raw
with the name of
the RAW uncompressed Service Domain
image.
snapshot_ID
. Snapshot ID from completed task
status output
In the EC2 console, go to
Images
>
AMIs
, and select the AMI you created.
Click
Launch
.
For
Choose Instance Type
, select an instance
with minimum 4 vCPUs and 16GiB memory.
Click through to
Add Storage
and create an
EBS volume with minimum disk size of 100 GiB and a device name of
/dev/xvdf
.
Proceed to
Review
.
In the
Select an existing key pair or create a new key
pair
dialog box, use an existing key pair or create
a new pair.
If you create a new key pair, download the corresponding .PEM
file.
Launch the AMI.
Return to the AWS CLI and get the Public and Private IP address of your
instance by using the instance ID
instance_id
.
$ aws ec2 describe-instances --instance-id instance_id --query 'Reservations[].Instances[].[PublicIpAddress]' --output text | sed '$!N;s/\n/ /'
Back at the EC2 console, select
Connect
and follow
the instructions to open an SSH session into your instance.
Next, you need the serial number and gateway/subnet address to add
your Service Domain to Karbon Platform Services.
Log on to the instance and run these commands, noting the serial number and
addresses:
$ cat /config/serial_number.txt
$ route -n
What to do next
See Adding a Single Node Service Domain
HTTP/HTTPS Proxy Support for a Service Domain VM
Attach a cloud-init script to configure HTTP/HTTPS proxy server support.
If your network policies require that all HTTP network traffic flow through a proxy server,
you can configure a Service Domain to use an HTTP proxy. When you create the service
domain VM, attach a cloud-init script with the proxy server details. When you then power on
the VM and it fully starts, it will include your proxy configuration.
If you require a secure proxy (HTTPS), use the cloud-init script to upload SSL certificates
to the Service Domain VM.
You can attach or copy the script in the
Custom Script
section of
the Nutanix AOS cluster
Create VM
dialog box.
Figure.
Create VM Cloud-Init for HTTP/HTTPS Proxy
Click to enlarge
Sample cloud-init Script for HTTPS Proxy Server Configuration
This script creates an HTTP/HTTPS proxy server configuration on the Service Domain VM after
you create and start the VM. Note that
CACERT_PATH=
in the first
content
spec is optional in this case, as it is already specified in the
second
path
spec.
Create and deploy a Service Domain cluster that consists of a single node.
About this task
To add (that is, create and deploy) a multinode Service Domain consisting of three or more
nodes, see Manage a Multinode Service Domain.
If you deploy the Service Domain node as a VM, the procedure described in Creating and Starting the Service Domain VM can provide the VM ID (serial number) and IP address.
After adding a Service Domain, the status and dot color shows Service Domain status and
can take a few minutes to update. See also Example: Managing a Service Domain From Its Dashboard.
Healthy (green). Service domain nodes started and connected.
Not Onboarded (gray). Service domain nodes have not started and are not yet
connected. Might be transitioning to Healthy.
Disconnected (red). Service domain nodes have not started and are not connected. VM
might be offline or unavailable.
Procedure
Log on to the cloud management console at https://karbon.nutanix.com/.
Click
Infrastructure
>
Service Domains
>
+ Service Domain
.
Select
Any other On-prem or Cloud Environment
and click
Next
.
Name
your Service Domain.
Starts and ends with a lowercase alphanumeric character
Maximum length of 63 lowercase alphanumeric characters
Dash (-) and dot (.) characters are allowed. For example, my-servicedomain.contoso.com is a valid Service Domain name.
Select
Single Node
to create a single-node Service Domain.
You cannot expand this Service Domain later by adding nodes.
Click
Add Node
and enter the following node details:
Serial Number
of your Service Domain node VM.
If a Nutanix AOS cluster hosts your Service Domain node VM: in the cluster Prism web console, open the
VM
page, select the Service Domain node VM, and note the ID.
You can also display the serial number by opening this URL in a browser. Use
your Service Domain node VM IP
address:
http://service-domain-node-ip-address:8080/v1/sn
Name
the node.
IP Address
of your Service Domain node VM.
Subnet Mask
and
Gateway
. Type the subnet mask and gateway IP address in these fields.
Click the check mark icon. To change the details, hover over the ellipses menu and click
Edit
.
Click
Add Category
.
See Creating a Category. You can create one or more categories to add them to a Service Domain.
Select a category and its associated value.
Click
Add
to select another category and value.
Click
Next
.
Enter environment variables as one or more key-value pairs for the service domain.
Click
Add Key-Value Pair
to additional pairs.
You can set environment variables and associated values for each Service Domain as a
key-value pair, which are available for use in Kubernetes apps.
For example, you could
set a secret variable key named
SD_PASSWORD
with a value of
passwd1234
.For an example of how to use existing environment
variables for a Service Domain in application YAML, see Using Service Domain Environment Variables - Example. See also Configure Service Domain Environment Variables.
If your Service Domain includes a GPU/vGPU, choose its usage case.
To allow access by any Kubernetes app or data pipeline, choose
Use GPU
for Kubernetes Apps and Data Pipelines
.
To allow access by AI Inferencing API (for example, if you are using ML Models),
select
Use GPU for AI Inferencing
.
To provide limited secure shell (SSH) administrator access to your service domain to
manage Kubernetes pods. select
Enable SSH Access
.
SSH Service Domain access enables you to run Kubernetes
kubectl
commands to help you with application development, debugging, and pod troubleshooting. See
Secure Shell (SSH) Access to Service Domains.
Click
Add
.
What to do next
See Adding a Data Source and IoT Sensor.
See [Optional] Creating Your Cloud Profile
Manage a Multinode Service Domain
Create and deploy a Service Domain cluster that consists of three or more nodes.
Caution:
Nutanix does not support upgrading Tech Preview multinode Service Domains
to generally available Service Domain versions, then deploying those Service Domains in a
production environment. For example, upgrading a multinode Service Domain v1.18 to v2.0.0,
then using that Service Domain in production.
A multinode Service Domain is a cluster initially consisting of a minimum of three leader nodes. Each node is a single Service Domain VM hosted in an AHV cluster.
Creating and deploying a multinode Service Domain is a three-step process:
Log on to the AHV cluster web console and upload the Service Domain disk image to a Nutanix AHV cluster through the image service as described in Uploading the Service Domain Image.
Create three or more Service Domain VMs from this disk image, as described in Creating and Starting the Service Domain VM.
Add a multinode Service Domain in the Karbon Platform Services management console as described in Adding a Multinode Service Domain.
Multinode Service Domain Requirements and Limitations
The Service Domain image version where Karbon Platform Services introduces this feature is
described in the Karbon Platform Services Release Notes.
Service Domain VM hosting
Create and then start Service Domain VMs in a Nutanix AHV cluster only.
Single node Service Domain
You can create a single node Service Domain from a multinode compatible image
version. It must remain a single node Service Domain, as you cannot expand this
domain type.
You can upgrade an existing single node Service Domain to a multinode
compatible image version, but it is limited for use as a single node Service Domain
only.
Supported multinode Service Domain configuration
You can add a multinode Service Domain consisting of three Service Domain nodes
initially created from a multinode compatible image version only.
Each node in a multinode Service Domain must reside on the same subnet.
You cannot mix image versions. Create each node in a multinode Service Domain from
the same image version. You can also upgrade them to the same multinode compatible
version later.
Service Domain High Availability Kubernetes API Support
Starting with new Service Domain version 2.3.0 deployments, high availability support
for the Service Domain is now implemented through the Kubernetes API server
(kube-apiserver). This support is specific to new multinode Service Domain 2.3.0
deployments. When you create a multinode Service Domain to be hosted in a Nutanix AHV
cluster, you must specify a Virtual IP Address (VIP), which is typically the IP
address of the first node you add.
To enable the HA kube-apiserver support, ensure that the VIP address is part of
the same subnet for all Service Domain VMs and the VIP address has not already been
allocated to any VM. Otherwise, the Service Domain will not enable this
feature.
Also ensure that the VIP address in this case is not part of any cluster IP
address pool range that you have specified when you created a virtual network for
guest VMs in the AHV cluster. That is, the VIP address must be outside this IP pool
address range. Otherwise, creation of the Service Domain in this case will
fail.
Adding or removing nodes from a multinode Service Domain
You can add or remove nodes to an existing multinode Service Domain. However, you
cannot remove the first three nodes you add to the Service Domain. These nodes are
tagged as leader nodes. Each subsequent node you add is a worker node and is
removable.
Configuring Storage and Storage Infrastructure
Each node requires access to shared storage from an AOS cluster. Ensure that you meet
the following requirements to create a storage profile. Adding a Multinode Service Domain requires these details.
On your AOS cluster:
Create a
Cluster Administrator
user dedicated for use with
this feature. Do not use this admin user for day-to-day AOS cluster tasks. For
information about creating a user role, see Creating a User Account in the
Security Guide
.
You must configure the AOS cluster with a cluster virtual IP address and an iSCSI
Data Services IP address. See Modifying Cluster Details in the
Prism Web Console Guide
.
Ensure that the AOS cluster has at least one storage container available for
shared storage use by the nodes. If you want to optionally maintain a storage quota
for use by the nodes, create a new storage container. See Creating a Storage Container in the
Prism Web Console Guide
.
Get the storage container name from the Prism Element web console
Storage
dashboard. Do not use the
NutanixManagementShare
or
SelfServiceContainer
storage containers. AOS reserves these
storage containers for special use.
Unsupported multinode Service Domain configurations
Nutanix does not support the following configurations.
You cannot create (add) a multinode Service Domain where you have upgraded each
node to a multinode compatible version from a previous incompatible single-node-only
version.
For example, you have upgraded three older single-node Service Domains
to a multinode image version. You cannot create a multinode Service Domain from
these nodes.
In a multinode Service Domain, you cannot mix Service Domain nodes that you have
upgraded to a multinode compatible version with newly created multinode compatible
nodes.
For example, you have upgraded two older single-node Service Domains to a
multinode image version. You have a newly created multinode compatible single
node. You cannot add these together to form a new muiltinode service
domain.
Service domain version 1.14 and previous versions allow you to create single node
Service Domains only. These Service Domain nodes are not "multinode aware" but are
still useful as single node Service Domains.
Adding a Multinode Service Domain
Create and deploy a Service Domain cluster that consists of three or more
nodes.
Before you begin
See Multinode Service Domain Requirements and Limitations.
If you deploy each Service Domain node as a VM, the procedure described in Creating and Starting the Service Domain VM can provide the VM ID (serial number) and IP address.
After adding a Service Domain, the status and dot color shows Service Domain status and can take a few minutes to update. See also Example: Managing a Service Domain From Its Dashboard.
Healthy (green). Service domain nodes started and connected.
Not Onboarded (gray). Service domain nodes have not started and are not yet
connected. Might be transitioning to Healthy.
Disconnected (red). Service domain nodes have not started and are not connected. VM might be offline or unavailable.
Adding Each Node
Procedure
Log on to the cloud management console at https://karbon.nutanix.com/.
Click
Infrastructure
>
Service Domains
>
+ Service Domain
.
Select
Any other On-prem or Cloud Environment
and click
Next
.
Name
your Service Domain.
Starts and ends with a lowercase alphanumeric character
Maximum length of 63 lowercase alphanumeric characters
Dash (-) and dot (.) characters are allowed. For example, my.service-domain is a valid Service Domain name.
Select
Multi-Node
to create a multinode Service Domain type.
Click
Add Node
and enter the following node details:
Name
the node.
Serial Number
of your Service Domain node VM.
If a Nutanix AOS cluster hosts your Service Domain node VM: in the cluster Prism web console, open the
VM
page, select the Service Domain node VM, and note the ID.
You can also display the serial number by opening this URL in a browser. Use
your Service Domain node VM IP
address:
http://service-domain-node-ip-address:8080/v1/sn
IP Address
of your Service Domain node VM.
The IP address of the first node you add becomes the
Service Domain Virtual IP Address
. By default, Karbon Platform Services uses this node IP address to represent the Service Domain cluster in the
Service Domains List
page.
Subnet Mask
and
Gateway
. Type the subnet mask and gateway IP address in these fields.
Click the check mark icon. To change the details, hover over the ellipses menu and click
Edit
.
Click
Add Node
and repeat these steps to add two leader
nodes and worker nodes.
The first three nodes are tagged as leader nodes and cannot be removed.
Nodes four and later are considered as worker nodes and can be removed.
Virtual IP Address
. The IP address of the first node you
add becomes the
Service Domain Virtual IP Address
. By default, this
node IP address represents the Service Domain cluster in the
Service
Domains List
page.
Starting with new Service Domain version 2.3.0 deployments, high availability
support for the Service Domain is now implemented through the Kubernetes API
server (kube-apiserver). This support is specific to new multinode Service Domain
2.3.0 deployments.
To enable the HA kube-apiserver support, ensure that the VIP address is part of
the same subnet as the Service Domain VMs and the VIP address is unique (that is,
has not already been allocated to any VM). Otherwise, the Service Domain will not
enable this feature.
Also ensure that the VIP address in this case is not part of any cluster IP
address pool range that you have specified when you created a virtual network for
guest VMs in the AHV cluster. That is, the VIP address must be outside this IP
pool address range. Otherwise, creation of the Service Domain in this case will
fail.
Adding Categories
Procedure
Click
Add Category
.
See Creating a Category. You can create one or more categories
to add them to a Service Domain.
Select a category and its associated value.
Click
Add
to select another category and value.
Click
Add
.
You can expand this Service Domain later by adding nodes. You can also remove nodes
from this Service Domain.
On the
Service Domains
page, you can add another Service Domain
by clicking
+ Service Domain
.
You can also
Edit
Service Domain properties
or
Remove
a Service Domain from
Service
Domains
by selecting it.
Click
Next
to configure storage and advanced settings.
Configuring Storage (Nutanix Volumes)
Before you begin
Each node requires access to shared storage from an AOS cluster. Ensure that you meet the following requirements to create a storage profile for the nodes. On your AOS cluster:
Create a
Cluster Administrator
user as described in the Nutanix Security Guide: Creating a User Account
.
Ensure that the AOS cluster is configured with a cluster virtual IP address and an iSCSI Data Services IP address. See the Prism Web Console Guide: Modifying Cluster Details.
Ensure that the AOS cluster has at least one storage container available for shared storage use by the nodes. If you want to optionally maintain a storage quota for use by the nodes, create a new storage container. See the Prism Web Console Guide: Creating a Storage Container.
Get the storage container name from the Prism Element web console
Storage
dashboard. Do not use the
NutanixManagementShare
or
SelfServiceContainer
storage containers. AOS reserves these storage containers for special use.
Procedure
From the
Storage Infrastructure
drop-down menu, select
Nutanix Volumes
.
In the
Nutanix Cluster Virtual IP Address
field, enter the AOS cluster virtual IP address.
In the
Username
and
Password
fields,
enter the AOS cluster administrator user credentials.
In the
Data Services IP Address
field, enter the iSCSI Data Services IP address.
In the
Storage Container Name
field, enter the cluster storage container name.
Continue to
Advanced Settings
. Otherwise, click
Done
.
What to do next
See Adding a Data Source and IoT Sensor or [Optional] Creating Your Cloud Profile.
See also Expanding a Multinode Service Domain or Removing a Worker Node from a Multinode Service Domain
Advanced Settings
Procedure
Enter environment variables as one or more key-value pairs for the service domain.
Click
Add Key-Value Pair
to additional pairs.
You can set environment variables and associated values for each Service Domain as a
key-value pair, which are available for use in Kubernetes apps.
For example, you
could set a secret variable key named
SD_PASSWORD
with a value of
passwd1234
.For an example of how to use existing environment
variables for a Service Domain in application YAML, see Using Service Domain Environment Variables - Example. See also Configure Service Domain Environment Variables.
If your Service Domain includes a GPU/vGPU, choose its usage case.
To allow access by any Kubernetes app or data pipeline, choose
Use GPU
for Kubernetes Apps and Data Pipelines
.
To allow access by AI Inferencing API (for example, if you are using ML Models),
select
Use GPU for AI Inferencing
.
To provide limited secure shell (SSH) administrator access to your service domain to
manage Kubernetes pods. select
Enable SSH Access
.
SSH Service Domain access enables you to run Kubernetes
kubectl
commands to help you with application development, debugging, and pod troubleshooting.
See Secure Shell (SSH) Access to Service Domains.
Click
Done
.
What to do next
See Adding a Data Source and IoT Sensor or [Optional] Creating Your Cloud Profile.
See also Expanding a Multinode Service Domain or Removing a Worker Node from a Multinode Service Domain
Expanding a Multinode Service Domain
Add nodes to an existing multinode Service Domain.
Before you begin
See Multinode Service Domain Requirements and Limitations.
You can add or remove nodes to an existing multinode Service Domain. However,
you cannot remove the first three nodes you add to the Service Domain. These
nodes are tagged as leader nodes. Each subsequent node you add is a worker node
and is removable.
If you deploy each Service Domain node as a VM, the procedure described
in Creating and Starting the Service Domain VM can provide the VM ID
(serial number) and IP address.
After adding a Service Domain, the status dot color shows Service Domain
status and can take a few minutes to update. See also Example: Managing a Service Domain From Its Dashboard.
Healthy (green). Service domain nodes started and connected.
Not Onboarded (grey). Service domain nodes have not started and are not
yet connected. Might be transitioning to Healthy.
Disconnected (red). Service domain nodes have not started and are not
connected. VM might be offline or unavailable.
Procedure
log on to the cloud management console at https://karbon.nutanix.com/.
Click
Infrastructure
>
Service Domains
>
List
.
Select a multinode Service Domain, then click
Edit
.
You can also rename the Service Domain as part of this procedure.
Click
Add Node
and enter the following node
details:
Subnet Mask
and
Gateway
.
Type the subnet mask and gateway IP address in these fields.
Click the check mark icon. To change the details, hover over the
ellipses menu and click
Edit
.
To expand the Service Domain, click
Add Node
and enter
the following node details:
Name
the node.
Serial Number
of your Service Domain node
VM.
If a Nutanix AOS cluster hosts your Service Domain node VM: in
the cluster Prism web console, open
the
VM
page, select the service
domain node VM, and note the ID.
You can also display the serial number by opening this URL in a
browser. Use your Service Domain node VM IP
address:
http://service-domain-node-ip-address:8080/v1/sn
IP Address
of your Service Domain node VM.
Subnet Mask
and
Gateway
.
Type the subnet mask and gateway IP address in these fields.
Click the check mark icon. To change the details, hover over the
ellipses menu and click
Edit
.
Click
Add Node
and repeat these steps to add
more nodes.
Adding Categories and Updating the Service Domain
Procedure
Click
Add...
.
See Creating a Category. You can create one or more
categories to add them to a Service Domain.
Select a category and its associated value.
Click
Add
to select another category and
value.
To edit an existing category, select a category and value from the
drop-down menu.
To delete a category, click the trash can icon next to it.
When you finish adding or deleting categories,
click
Next
, the click
Update
.
Click
Update
.
On the
Service Domains
page, you can add another
Service Domain by clicking
+ Service Domain
.
You can also
Edit
Service Domain properties
or
Remove
a Service Domain from
Service
Domains
by selecting it.
What to do next
Adding a Data Source and IoT Sensor or [Optional] Creating Your Cloud Profile. See also Removing a Worker Node from a Multinode Service Domain
.
Removing a Worker Node from a Multinode Service Domain
Remove worker nodes from a multinode Service Domain. Any node added to an existing three-node Service Domain is considered a worker node.
Before you begin
See Multinode Service Domain Requirements and Limitations.
You can add or remove nodes to an existing multinode Service Domain. However, you cannot remove the first three nodes you add to the Service Domain. These nodes are tagged as leader nodes. Each subsequent node you add is a worker node and is removable.
Before you remove a node, ensure that the remaining nodes in the Service Domain have enough CPU, storage, and memory capacity to run applications running on the removed node. The
Service Domains
dashboard shows health status, CPU/Memory/Storage usage, version details, and more information for every Service Domain.
After adding a Service Domain, the status dot color shows Service Domain status and can take a few minutes to update. See also Example: Managing a Service Domain From Its Dashboard.
Healthy (green). Service domain nodes started and connected.
Not Onboarded (grey). Service domain nodes have not started and are not yet connected. Might be transitioning to Healthy.
Disconnected (red). Service domain nodes have not started and are not connected. VM might be offline or unavailable.
Procedure
log on to the cloud management console at https://karbon.nutanix.com/.
Click
Infrastructure
>
Service Domains
>
List
.
Select a multinode Service Domain, then click
Edit
.
You can also rename the Service Domain as part of this procedure.
In the Service Domain table, click the elipsis menu next to a node and select
Remove
.
This step removes the node.
Adding, Editing, or Deleting Categories and Updating the Service Domain
Procedure
Click
Add...
.
See Creating a Category. You can create one or more categories to add them to a Service Domain.
Select a category and its associated value.
Click
Add
to select another category and value.
To edit an existing category, select a category and value from the drop-down menu.
To delete a category, click the trash can icon next to it.
When you finish adding or deleting categories, click
Next
, the
click
Update
.
On the
Service Domains
page, you can add another Service Domain by clicking
+ Service Domain
.
You can also
Edit
Service Domain properties or
Remove
a Service Domain from
Service Domains
by selecting it.
What to do next
Adding a Data Source and IoT Sensor or [Optional] Creating Your Cloud Profile. See also Expanding a Multinode Service Domain.
Onboarding a Multinode Service Domain By Using Nutanix Karbon
You can now onboard a multinode Service Domain by using Nutanix Karbon as your
infrastructure provider to create a Service Domain Kubernetes cluster.
About this task
For advanced Service Domain settings, the Nutanix public Github repository includes a
README file describing how to use the kps
command line and the required YAML configuration file for the cluster. This public
Github repository at https://github.com/nutanix/karbon-platform-services/tree/master/cli also describes how to install the kps command line and
includes sample YAML files for use with applications, data pipelines, data sources,
and functions.
Before you begin
This task requires the following.
Prism Central deployment managing at least one Prism Element Cluster running
AHV.
Nutanix Karbon installed on Prism Central. Ensure that you have downloaded the
ntnx-1.0 image. See Downloading Images in the
Nutanix Kubernetes Engine Guide
.
kps command line installed on a machine running Linux or MacOS, as described at
the Nutanix public Github repository.
Procedure
Log on to the cloud management console at https://karbon.nutanix.com/.
Click
Infrastructure
>
Service Domains
>
+ Service Domain
.
Select
Nutanix AOS
and click
Next
.
Download and configure the kps command line if you have not previously done
so.
See the README at https://github.com/nutanix/karbon-platform-services/tree/master/cli for details.
Name
your Service Domain.
Starts and ends with a lowercase alphanumeric character
Maximum length of 63 lowercase alphanumeric characters
Dash (-) and dot (.) characters are allowed. For example,
my-servicedomain.contoso.com is a valid Service Domain name.
Enter these details about your Prism Central, Prism Element, and Nutanix Karbon
deployments.
Prism Central IP Address. IP address of the Prism Central
cluster.
Prism Central Username. User name of a Prism Central admin user.
Prism Central Password. Password for the Prism Central admin
user.
Nutanix Cluster Name. Cluster name of the AHV cluster being managed by
Prism Central
Storage Container Name. Name of the storage container located on the
Prism Element AHV cluster.
Subnet Name. Name of the subnet configured on the Prism Element AHV
cluster.
Karbon Cluster Master VIP Address. Master VIP IP address for the
Kubernetes API server (kube-apiserver). AHV IP address management (IPAM)
provides an IP address for each node. Ensure that the VIP address has
not been already allocated and is not part of any cluster IP address
pool range that you have specified when you created a virtual network in
the AHV cluster. The VIP address must be outside this IP pool address
range but part of the same VLAN.
For more information about network, see Cluster Setup in the
Nutanix Kubernetes Engine Guide
.
This information
populates the kps command line options and parameters in next
step.
Figure.
Example Create Service Domain with Karbon Page
Click to enlarge
Click
Copy
next to the kps command line and run it on
the machine where you installed the kps command line.
For advanced Service Domain settings, the Nutanix public Github repository
includes a README file describing how to use the
kps command line and the required YAML configuration file for the
cluster.
Click
Close
.
Upgrade Service Domains
Your network bandwidth might affect how long it takes to completely download the latest
Service Domain version. Nutanix recommends that you perform any upgrades during your scheduled
maintenance window.
Note:
Each Kubernetes release potentially deprecates or removes support for API versions or
resources. To help ensure that your applications run correctly after upgrading your Service
Domain version, Nutanix recommends that you check the
Deprecated API Migration
Guide
available at the Kubernetes Documentation web site. Depending on the deprecated
or removed APIs, you might have to modify your Kubernetes App YAML files.
Upgrade your existing Service Domain VM by using the
Upgrades
page in
the cloud management console. From
Upgrades
, you can see available
updates that you can download and install on one or more Service Domains of your choosing.
Upgrading the Service Domain is a two-step process where you:
Download an available upgrade to one or more existing Service Domains.
Upgrade selected Service Domains to the downloaded version.
Upgrades
lets you choose how to upgrade your Service
Domains.
Note:
During a Service Domain upgrade operation, you might see service or app
related alerts such as Kafka is degraded, partitions are under-replicated, and others. These
messages are expected and can be safely ignored when you are upgrading your Service Domain.
Nutanix recommends that you perform installation and upgrades during your scheduled
maintenance window or outside your normal business hours.
Table 1.
Upgrades Page Links
Link
Use Case
Service Domains
"1-click" download or upgrade for all upgrade-eligible Service Domains.
Select the most recent available version (N) or the next most recent available
versions (N-1, and N-2). For example, if your current Service Domain version is
1.16, you can download, then upgrade your Service Domain to available versions
1.16.1, 1.17, and 1.18.
Upgrade all Service Domains where you have already downloaded the selected
available Service Domain version(s)
Download and upgrade on all eligible
Use this workflow to download an available version to all Service Domains
eligible to be upgraded. You can then decide when you want to upgrade the Service
Domain to the downloaded version. See Upgrading All Service Domains.
Download and upgrade on selected
Use this workflow to download an available version to one or more Service Domains
that you select and are eligible to be upgraded. This option appears after you select
one or more Service Domains. After downloading an available Service Domain version,
upgrade one or more Service Domains when convenient. See Upgrading Selected Service Domains.
Task History
View Recent
History
See Checking Upgrade Task History.
View Recent
History
appears in the
Service Domains
page
list for each Service Domain, and shows a status summary.
Upgrading All Service Domains
Before you begin
Note:
During a Service Domain upgrade operation, you might see service or app related alerts
such as Kafka is degraded, partitions are under-replicated, and others. These messages
are expected and can be safely ignored when you are upgrading your Service Domain.
Nutanix recommends that you perform installation and upgrades during your scheduled
maintenance window or outside your normal business hours.
Each Kubernetes release potentially deprecates or removes support for API versions or
resources. To help ensure that your applications run correctly after upgrading your
Service Domain version, Nutanix recommends that you check the
Deprecated API
Migration Guide
available at the Kubernetes Documentation web site. Depending
on the deprecated or removed APIs, you might have to modify your Kubernetes App YAML
files.
Log on to the cloud management console. Nutanix recommends that you perform any
upgrades during your scheduled maintenance window.
About this task
Download an available Service Domain version to all eligible Service Domains
Upgrade all Service Domains where you have already downloaded an available service
domain version
You can select the most recent available version (N) or the next most recent available
versions (N-1, and N-2). For example, if your current Service Domain version is 1.16, you
can download, then upgrade your Service Domain to available versions 1.16.1, 1.17, and
1.18.
Procedure
Go to
Administration
>
Upgrades
>
Service Domains
.
A Service Domain table lists each Service Domain, current status (Healthy, Not
Healthy, Disconnected), current installed version, and upgrade actions and
history.
To download a version to all eligible Service Domains, click
Download on all
eligible
and select a version (for example 1.18).
The
Download on all eligible
drop-down menu shows the latest
version as
vX.xx.x (Latest)
.
The
Download
popup window shows the eligible service
domains as selected. Clear (unselect) any Service Domain to prevent the bundle from
downloading onto it.
Click
Download
.
The Service Domain version downloads to all Healthy Service Domains. The
Actions
column shows a downloading message. Hover over the task
circle to see current progress. When the
Actions
column displays
Upgrade to vX.xx.x
, downloads are completed and you can upgrade
the Service Domains.
To upgrade the Service Domains when downloads are completed, click
Upgrade
all eligible to
and select a version.
In the
Upgrade Service Domains
popup window, click
Upgrade
. Clear (unselect) any Service Domain to prevent it from
being upgraded.
The
Actions
column shows upgrade progress similar to
download. When the
Actions
column displays
View Recent
History
and the Version column is updated, upgrade operations are complete.
See also Checking Upgrade Task History.
Upgrading Selected Service Domains
Before you begin
Note:
During a Service Domain upgrade operation, you might see service or app related alerts
such as Kafka is degraded, partitions are under-replicated, and others. These messages
are expected and can be safely ignored when you are upgrading your Service Domain.
Nutanix recommends that you perform installation and upgrades during your scheduled
maintenance window or outside your normal business hours.
Each Kubernetes release potentially deprecates or removes support for API versions or
resources. To help ensure that your applications run correctly after upgrading your
Service Domain version, Nutanix recommends that you check the
Deprecated API
Migration Guide
available at the Kubernetes Documentation web site. Depending
on the deprecated or removed APIs, you might have to modify your Kubernetes App YAML
files.
Log on to the cloud management console.
About this task
Use this workflow to download an available version to one or more Service Domains. You can then decide when you want to upgrade the Service Domain to the downloaded version. Your network bandwidth might affect how long it takes to completely download the latest Service Domain version. Nutanix recommends that you perform any upgrades during your scheduled maintenance window.
Procedure
Go to
Administration
>
Upgrades
>
Service Domains
.
A Service Domain table lists each Service Domain, current status (Healthy, Not
Healthy, Disconnected), current installed version, and upgrade actions and
history.
To download the upgrade to selected eligible Service Domains, do these steps.
Select one or more Service Domains in the table.
Click
Download on selected
num
and select a version (for example 1.18).
num
is the number of eligible Service Domains you selected. The drop-down menu shows the
latest version as
vX.xx.x (Latest)
The
Download
popup window shows the eligible service
domains as selected. Clear (unselect) any Service Domain to prevent the bundle from
downloading onto it.
Click
Download
.
The Service Domain version downloads to all Healthy Service Domains. The
Actions
column shows a downloading message. Hover over the task
circle to see current progress. When the
Actions
column displays
Upgrade to vX.xx.x
, downloads are completed and you can upgrade
the Service Domains.
To upgrade selected eligible Service Domains, do these steps.
Select one or more Service Domains where the
Actions
status
is
Upgrade to vX.xx.x
.
Click
Upgrade selected
num
.
num
is the number of eligible Service
Domains you selected.
The
Download
popup window shows the eligible service
domains as selected. Clear (unselect) any Service Domain to prevent the bundle from
downloading onto it.
Click
Upgrade
.
The
Actions
column shows upgrade progress similar to
download. When the
Actions
column displays
View Recent
History
and the Version column is updated, upgrade operations are complete.
See also Checking Upgrade Task History.
Checking Upgrade Task History
Before you begin
Log on to the cloud management console.
About this task
After downloading and upgrading an available Service Domain version, upgrade task
history is available in the console.
View Recent History
appears in
the
Service Domains
page list for each Service Domain and shows a
status summary.
Procedure
To see Service Domain upgrade task history, go to
Administration
>
Upgrades
>
Task History
.
You can see status for single node and multinode Service Domains.
Version
. The available Service Domain version to which you
attempted to download or upgrade.
Status
. Downloaded (version download is complete), Upgraded
(Service Domain is upgraded), Upgrade Failed (Service Domain was not upgraded).
Completed on
. Date and time task occurred (Upgrade Failed)
or completed (Upgraded or Downloaded).
Service Domains
. Link to the Service Domain(s) where the
action occurred. This link is especially helpful with multinode Service Domains. After
you click the Service Domain link, a popup status windows shows for each service
domain. The window includes a filter field so you can see individual status.
Projects
A project is an infrastructure, apps, and data collection created by the infrastructure administrator for use by project users.
When an infrastructure administrator creates a project and then adds themselves as a user for that project, they are assigned the roles of project user and infrastructure administrator for that project. When an infrastructure administrator adds another infrastructure administrator as a user to a project, that administrator is assigned the project user role for that project.
A project can consist of:
Existing administrator or project users
A Service Domain
Cloud profile
Container registry profile
When you add a Service Domain to a project, all resources such as data sources associated with the Service Domain are available to the users added to the project.
Projects Page
The
Projects
page lets an infrastructure administrator create a
new project and lists projects that administrators can update and view.
For project users, the
Projects
page lists projects created and
assigned by the infrastructure administrator that project users can view and add apps and
data. Project users can view and update any projects assigned by the administrator with
applications, data pipelines, and so on. Project users cannot remove a project.
When you click a project name, the project
Summary
dashboard is
displayed and shows resources in the project.
You can click any of the project resource menu links to edit or update existing resources, or
create and add resources to a project. For example, you can edit an existing data pipeline in
the project or create a new one and assign it to the project. For example, click
Kafka
to shows details for the Kafka data service associated with the
project. See Viewing Kafka Status.).
Figure.
Project Summary Dashboard
Click to enlarge
Creating a Project
As an infrastructure administrator, create a project. To complete this task, log on to
the cloud management console.
About this task
When an infrastructure administrator creates a project and then adds themselves as a user for that project, they are assigned the roles of project user and infrastructure administrator for that project.
When an infrastructure administrator adds another infrastructure administrator as a user to a project, that administrator is assigned the project user role for that project.
Procedure
Click the menu button, then click
Projects
>
Create
.
Name
your project. Up to 200 alphanumeric characters are
allowed.
Description
. Provide a relevant description for your
project.
Click
Add Users
to add users to a project.
Click
Next
.
Add a Service Domain, which associates any resources available to the Service Domain to your project.
Select
Select By Category
to choose and apply one or more categories associated with a Service Domain.
Click the plus sign (
+
) to add more categories.
Select
Select Individually
to choose a Service Domain, then click
Add Service Domain
to select one or more Service Domains.
Select a
Cloud Profile
and
Container Registry
.
Click the plus sign (
+
) to select additional cloud profiles or
container registries.
Click
Next
to enable one or more project services.
Enabled
indicates that this service is available to all
projects.
Click
Enable
to enable a service for all project
users.
See Enabling or Disabling One or More Services for a Project.
Click
Create
.
Editing a Project
Update an existing project. To complete this task, log on to the cloud management
console.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
The project dashboard is displayed along with
Edit
and
Manage Services
buttons. See Enabling or Disabling One or More Services for a Project.
Click
Edit
.
Update the projects general information by updating the name and description.
Click the trashcan to remove a user from the list. Click
Edit
to open the user dialog box where you add or remove
users associated with the project.
Click
Next
to update project resources.
Update the associated Service Domains.
Select
Select By Category
to add or remove one or more
categories associated with a Service Domain.
Click the trashcan to remove a category.
Click the plus sign (
+
) to add more categories.
Select
Select Individually
to remove or add a Service Domain. Do
one of the following.
Click the trashcan to remove a Service Domain in the list.
Click
Edit
to select one or more Service Domains.
For
Cloud Profile
and
Container
Registry
:
Click the trashcan to remove cloud profiles or container registries.
Click the plus sign (
+
) to add cloud profiles or container
registries.
Click
Next
to enable one or more project services.
Enabled
indicates that this service is available to all
projects.
Click
Enable
to enable a service for all project
users.
See Enabling or Disabling One or More Services for a Project.
Click
Update
.
Removing a Project
As an infrastructure administrator, delete a project. To complete this task, log on
to the cloud management console.
Procedure
Click the menu button, then click
Projects
.
Select a project in the list.
The project dashboard is displayed along with
Edit
,
Manage Services
, and
Remove
buttons. See Enabling or Disabling One or More Services for a Project.
If
Remove
does not appear as an option, you might need
to delete any apps associated with the project.
After removing associated apps, return to the
Projects
page and select the project.
Click
Remove
, then click
Delete
to confirm.
The
Projects
page lists any remaining
projects.
Managing Project Services
The Karbon Platform Services cloud infrastructure provides services that are enabled by default. It also
provides access to services that you can enable for your project.
The platform includes these ready-to-use services, which provide an advantage over
self-managed services:
Secure by design.
No life cycle management. Service Domains do not require any user intervention to maintain
or update service versions, patches, or other hands-on activities. For ease of use, all
projects using the Service Domain use the same service version.
Dedicated service resources. Your project uses isolated service resources. Service
resources are not shared with other projects. Applications within a project are not required
to authenticate to use the service.
Service-specific alerts. Like other Karbon Platform Services features, the Service Domain helps monitor
service health and raises service-specific alerts.
App Runtime Services
These services are enabled by default on each Service Domain.
Kubernetes Apps. Containers as a service. You can create and run Kubernetes apps
without having to manage the underlying infrastructure.
Functions and Data Pipelines. Run server-less functions based on data triggers, then
publish data to specific cloud or Service Domain endpoints.
AI Inferencing. Enable this service to use your machine learning (ML) models in your
project. The ML Model feature provides a common interface for functions (that is,
scripts) or applications.
Ingress Controller
Traefik or Nginx-Ingress. If your project requires Ingress controller routing, you can
choose the open source Traefik router or the NGINX Ingress controller to enable on your
Service Domain. See Enable an Ingress Controller.
Service Mesh
Istio. Provides secure connection, traffic management, and telemetry. See Istio Service Mesh.
Data Streaming | Messaging
Kafka. Available for use within project applications and data pipelines, running on
a Service Domain hosted in your environment. See Kafka as a Service.
NATS. Available for use within project applications and data pipelines. In-memory
high performance data streaming including pub/sub (publish/subscribe) and queue-based
messaging.
Logging | Monitoring | Alerting
Prometheus. Provides Kubernetes app monitoring and logging, alerting, metrics
collection, and a time series data model (suitable for graphing). See Prometheus Application Monitoring and Metrics as a Service.
Logging. Provides log monitoring and log bundling. See Audit Trail and Log Management.
Copyright 2022 Nutanix, Inc. Nutanix, the
Nutanix logo and all Nutanix product and service names mentioned herein are registered
trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other
brand names used herein are for identification purposes only and may be the trademarks of
their respective holder(s) and no claim of rights is made therein.
Enabling or Disabling One or More Services for a Project
Enable or disable services associated with your project.
Before you begin
You cannot disable the default Kubernetes Apps, Functions and Data Pipelines,
and AI Inferencing services.
Disabling Kafka. When you disable Kafka, data stored in PersistentVolumeClaim
(PVC) is not deleted and persists. If you later enable Kafka on the same Service
Domain, the data is reused.
Disabling Prometheus. When you disable Prometheus and then later enable it, the
service creates a new PVC and clears any previously-stored metrics data stored
in PVC.
Procedure
From the home menu, click
Projects
, then click a
project.
Depending on your role, you can also select a project from
Admin
Console
drop-down menu.
Click
Manage Services
.
Enable a service.
Click
Enable
in a service tile.
Click
Enable
service_name
.
For Istio, apps in this project restart.
Click
Confirm
.
If the minimum Service Domain version is detected, the service is
available for use in your project in a few minutes, after the service
initializes. Otherwise, an alert is triggered if the Service Domain does not
support the service.
Disable a service.
Click
Disable
in a service tile.
Click
Disable
service_name
.
For Istio, apps in this project restart.
Click
Confirm
.
The service is no longer available for use in your project.
Kafka as a Service
Kafka is available as a data service through your Service Domain.
The Kafka data service is available for use within a project's applications and data
pipelines, running on a Service Domain hosted in your environment. The Kafka service offering from
Karbon Platform Services provides the following advantages over a self-managed Kafka service:
Secure by design.
No need to explicitly declare Kafka topics. With Karbon Platform Services Kafka as a service, topics are
automatically created.
No life cycle management. Service Domains do not require any user intervention to
maintain or update service versions, patches, or other hands-on activities. For ease of
use, all projects using the Service Domain use the same service version.
Dedicated service resources. Your project uses isolated service resources. Service
resources are not shared with other projects. Applications within a project are not
required to authenticate to use the service.
Service-specific alerts. Like other Karbon Platform Services features, the Service Domain monitors service
health and raises service-specific alerts.
Copyright 2022 Nutanix, Inc. Nutanix, the
Nutanix logo and all Nutanix product and service names mentioned herein are registered
trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other
brand names used herein are for identification purposes only and may be the trademarks of
their respective holder(s) and no claim of rights is made therein.
Using Kafka in an Application
Information about application requirements and sample YAML application file
Create an application for your project as described in Creating an Application and specify the application attributes and configuration in a YAML file.
Information about data pipeline function requirements.
See Functions and Data Pipelines.
You can specify a Kafka endpoint type in a data pipeline. A data pipeline consists of:
Input. An existing data source or real-time data stream (output from another data
pipeline).
Transformation. A function (code block or script) to transform data from a data source
(or no function at all to pass data directly to the endpoint).
Output. An endpoint destination for the transformed or raw data.
Kafka Endpoint Function Requirements
For a data pipelines with a Kafka topic endpoint:
Language
. Select the golang scripting language for the
function.
Runtime Environment
. Select the golang runtime environment for
the function. A default runtime environment is already selected in most cases depending on
the
Language
you have selected.
Viewing Kafka Status
In the cloud management console, you can view Kafka data service status when you use
Kafka in an application or as a Kafka endpoint in a data pipeline as part of a project. This
task assumes you are logged in to the cloud management console.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
The project dashboard is displayed along with
Edit
and
Manage Services
buttons.
Click
Kafka
.
This dashboard shows a consolidated, high-level view of all Kafka topics, deployments,
and related alerts. The default view is Topics.
To show all topics for this project, click
Topics
.
Topics. All Kafka topics used in this project.
Service Domain. Service Domains in the project employing Kafka messaging.
Bytes/sec produced and Bytes/sec consumed. Bandwidth use.
To view Service Domain status where Kafka is used, click
Deployments
.
List of Service Domains and provisioned status.
Brokers. A
No Brokers Available
message might mean the
Service Domain is not connected.
Alerts. Number of Critical (red) and Warning (yellow) alerts.
To see all alerts associated with Kafka for this project, click
Alerts
.
Enable an Ingress Controller
The Service Domain supports the Traefik open source router as the default Kubernetes
Ingress controller. You can also choose the NGINX ingress controller instead.
An infrastructure admin can enable an Ingress controller for your project through
Manage Services
as described in Managing Project Services. You can only enable one
Ingress controller per Service Domain.
When you include Ingress controller annotations as part of your application YAML file, Karbon Platform Services
uses Traefik as the default on-demand controller.
If your deployment requires it, you can alternately use NGINX (ingress-nginx) as a Kubernetes
Ingress controller instead of Traefik.
In your application YAML, specify two snippets:
Service snippet. Use annotations to define the HTTP or HTTPS host protocol, path, service
domain, and secret for each Service Domain to use as an ingress controller. You can specify
one more Service Domains.
Secret snippet. Use this snippet to specify the certificates used to secure app
traffic.
Copyright 2022 Nutanix, Inc. Nutanix, the
Nutanix logo and all Nutanix product and service names mentioned herein are registered
trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other
brand names used herein are for identification purposes only and may be the trademarks of
their respective holder(s) and no claim of rights is made therein.
Sample Ingress Controller Service Domain Configuration
To securely route application traffic with a Service Domain ingress controller, create
YAML snippets to define and specify the ingress controller for each Service Domain.
You can only enable and use one Ingress controller per Service Domain.
Create an application for your project as described in Creating an Application to specify the application attributes and configuration in a YAML file. You can include
these Service and Secret snippets Service Domain ingress controller annotations and
certificate information in this app deployment YAML file.
Ingress Controller Service Domain Host Annotations Specification
Specify the Kubernetes service. Here, use
Service
to indicate
that this snippet defines the ingress controller details.
apiVersion
v1
Here, the Kubernetes API version.
metadata
name
Provide an app name to which this controller applies.
annotations
These
annotations
define the
ingress controller encryption type and paths for Karbon Platform Services.
sherlock.nutanix.com/http-ingress-path: /notls
/notls
specifies no Transport Layer Security
encryption.
sherlock.nutanix.com/https-ingress-path: /tls
/tls
specifies Transport Layer Security encryption.
sherlock.nutanix.com/http-ingress-host:
DNS_name
Ingress service host path, where the service is bound to port 80.
DNS_name
. DNS name you can give to your application. For
example,
my.contoso.net
. Ensure that the DNS name resolves to the
Service Domain IP address.
sherlock.nutanix.com/https-ingress-host:
DNS_name
Ingress service host path, where the service is bound to port 443.
DNS_name
. DNS name you can give to your application. For
example,
my.contoso.net
. Ensure that the DNS name resolves to the
Service Domain IP address.
sherlock.nutanix.com/https-ingress-secret:
whoami
The
sherlock.nutanix.com/https-ingress-secret:
whoami
snippet links the authentication
Secret
information defined above to this
controller.
spec
Define the transfer protocol, port type, and port
for the application.
protocol: TCP
. Transfer protocol of TCP.
ports:
Define the port and type.
name: web
Port type.
port: 80
TCP port.
A selector to specify the application.
selector
app: whoami
Securing The Application Traffic
Use a Secret snippet to specify the certificates used to secure app traffic.
Specify the resource type. Here, use
Secret
to indicate that
this snippet defines the authentication details.
metadata
name
Provide an app name to which this certification applies.
type
Define the authentication type used to secure the app. Here,
kubernetes.io/tls
data
ca.crt
Add the keys for each certification type: certificate authority
certificate (ca.crt), TLS certificate (tls.crt), and TLS key (
tls.crt
tls.key
Viewing Ingress Controller Details
In the cloud management console, you can view Ingress controller status for any
controller used as part of a project. This task assumes you are logged in to the cloud
management console.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
The project dashboard is displayed along with
Edit
and
Manage Services
buttons.
Depending on the deployed Ingress controller, click
Nginx-Ingress
or
Traefik
.
This dashboard shows a consolidated, high-level view of all rules,
deployments, and related alerts. The default view is Rules.
To show all rules for this project, click
Rules
.
Application. App where traffic is being routed.
Rules. Rules you have configured for this app. Here, Rules shows the
host and paths
Destination. Application and port number.
Service Domain. Service Domains in the project employing routing.
TLS. Transport Layer Security (TLS) protocol status.
On
indicates encrypted communication is
enabled.
Off
indicates it is not used.
To view Service Domain status where the controller is used, click
Deployments
.
List of Service Domains and provisioned status.
Alerts. Number of Critical (red) and Warning (yellow) alerts.
To see all alerts associated with the controller for this project, click
Alerts
.
Istio Service Mesh
Istio provides secure connection, traffic management, and telemetry.
Add the Istio Virtual Service and DestinationRules to an Application - Example
In the application YAML snippet or file, define the
VirtualService
and
DestinationRules
objects.
These objects specify traffic routing rules for the
recommendation-service
app host. If the traffic rules match, traffic flows to the named destination (or
subset/version of it) as defined here.
In this example, traffic is routed to the
recommendation-service
app host
if it is sent from the FireFox browser. The specific policy version
(
subset
) for each host helps you identify and manage routed data.
This
DestinationRule
YAML snippet defines a load-balancing traffic policy
for the policy versions (
subsets
), where any healthy host can service the
request.
In this YAML snipped, you can split traffic for each subset by specifying a
weight
of 30 in one case, and 70 in the other. You can also weight them
evenly by giving each a weight value of 50.
Copyright 2022 Nutanix, Inc. Nutanix, the
Nutanix logo and all Nutanix product and service names mentioned herein are registered
trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other
brand names used herein are for identification purposes only and may be the trademarks of
their respective holder(s) and no claim of rights is made therein.
Viewing Istio Details
In the cloud management console, you can view Istio service mesh status associated with applications in a project. This task assumes you are logged in to the cloud management console.
About this task
The Istio tabs show service resource and routing configuration information derived from project-related Kubernetes Apps YAML files and service status.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list, then click
Istio
in the navigation sidebar to show the default
Application Metrics
page.
Application Metrics shows initial details about the applications and related traffic metrics.
Name and Service Domain. Application name and Service Domain where the application is deployed and the Istio service is enabled.
Workloads. One or more workloads associated with the application. For example, Kubernetes Deployments, StatefulSets, DaemonSets, and so on.
Inbound Request Volume / Outbound Request Volume. Inbound/Outbound HTTP requests per second for the last 5 minutes
To see details about any traffic routing configurations associated with the application, click
Virtual Services
.
An application can specify one or more virtual services, which you can deploy across one or more Service Domains.
Application and Virtual Services. Application and service name.
Service Domains. Number and name of the Service Domains where the service is deployed.
Matches. Lists matching traffic routes.
Destinations. Number of service destination host connection or request routes. Expand the number to show any destinations served by the virtual service (v1, v2, and so on) where traffic is routed. If specified in the Virtual Service YAML file, Weight indicates the proportion of traffic routed to each host. For example, Weight: 50 indicates that 50 percent of the traffic is routed to that host.
To see rules associated with Destinations, click
Destination Rules
.
An application can specify one or more destination rules, which you can deploy across one or more Service Domains. A destination rule is a policy that is applied after traffic is routed (for example, a load balancing configuration).
Application. Application where the rule applies.
Destination Rules. Rules by name.
Service Domains. Number and name of the Service Domains where the rule is deployed.
Subsets. Name and number of the specific policies (subsets). Expand the number to show any pod labels (v1, v2, and so on), service versions (v1, v2, and so on), and traffic weighting, where rules apply and traffic is routed.
To view Service Domain status where Istio is used, click
Deployments
.
List of Service Domains where the service is deployed and status.
PROVISIONED. The service has been successfully installed and enabled.
PROVISIONING. The service initialization and provisioning state is in progress.
UNPROVISIONED. The service has been successfully disabled (uninstalled).
FAILED. The service provisioning has failed.
Alerts. Number of Critical (red) and Warning (yellow) alerts.
To see all alerts associated with the controller for this project, click
Alerts
.
Prometheus Application Monitoring and Metrics as a Service
Note:
When you disable Prometheus and then later enable it, the service creates a new PersistentVolumeClaim (PVC) and clears any previously-stored metrics data stored in PVC.
The Prometheus service included with Karbon Platform Services enables you to monitor
endpoints you define in your project's Kubernetes apps. Karbon Platform Services allows one
instance of Prometheus per project.
Prometheus collects metrics in your app endoints. The Prometheus Deployments dashboard
displays Service Domains where the service is deployed, service status, endpoints, and
alerts. See Viewing Prometheus Service Status.
You can then decide how to view the collected metrics, through graphs or other
Prometheus-supported means. See Create Prometheus Graphs with Grafana - Example.
Default Service Settings
Table 1.
Prometheus Default Settings
Setting
Default Value or Description
Frequency interval to collect and store metrics (also known as scrape and
store)
Every 60 seconds
1
Collection endpoint
/metrics
1
Default collection app
collect-metrics
Data storage retention time
10 days
You can create a customized
ServiceMonitor
YAML snippet to
change this default setting. See Enable Prometheus App Monitoring and Metric Collection - Examples.
Copyright 2022 Nutanix, Inc. Nutanix, the
Nutanix logo and all Nutanix product and service names mentioned herein are registered
trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other
brand names used herein are for identification purposes only and may be the trademarks of
their respective holder(s) and no claim of rights is made therein.
Enable Prometheus App Monitoring and Metric Collection - Examples
Monitor an Application with Prometheus - Default Endpoint
This sample app YAML specifies an app named
metricsmatter-sample-app
and creates one instance of this containerized app (
replicas: 1
) from the managed Amazon Elastic Container Registry.
Next, in the same application YAML file, create a Service snippet. Add the default
collect-metrics
app label to the
Service
object. When you add
app: collect-metrics
, Prometheus scrapes the default
/metrics
endpoint every 60 seconds, with metrics exposed on port 8010.
Monitor an Application with Prometheus - Custom Endpoint and Interval Example
Add a ServiceMonitor snippet to the app YAML above to customize the endpoint to scrape and change the interval to collect and store metrics. Make sure you include the Deployment and Service snippets.
Here, change the endpoint to
/othermetrics
and the collection interval to 15 seconds (
15s
).
Prometheus discovers all ServiceMonitors in a given namespace (that is, each project app) where it is installed.
You can also use endpoint environment variables in an application template for the service and AlertManager.
{{.Services.Prometheus.Endpoint}}
defines the service endpoint.
{{.Services.AlertManager.Endpoint}}
defines a custom Alert Manager endpoint.
Configure Service Domain Environment Variables describes how to use these environment variables.
Viewing Prometheus Service Status
The Prometheus Deployments dashboard displays Service Domains where the service is
deployed, service status, Prometheus endpoints, and alerts.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
The project dashboard is displayed along with
Edit
and
Manage Services
buttons.
Click
Prometheus
to view the default
Deployments
page.
Service Domain and Status. Service Domains where the Prometheus service is deployed and status.
PROVISIONED. The service has been successfully installed and enabled.
PROVISIONING. The service initialization and provisioning state is in progress.
UNPROVISIONED. The service has been successfully disabled (uninstalled).
FAILED. The service provisioning has failed.
Prometheus Endpoints. Endpoints that the service is scraping, by ID.
Alert Manager. Alert Manager shows alerts associated with the Prometheus endpoints,
by ID.
Alerts. Number of Critical (red) and Warning (yellow) alerts.
To see all alerts associated with Prometheus for this project, click
Alerts
.
Create Prometheus Graphs with Grafana - Example
This example shows how you can set up a Prometheus metrics dashboard with
Grafana.
This topic provides examples to help you expose Prometheus endpoints to Grafana, an
open-source analytics and monitoring visualization application. You can then view scraped
Prometheus metrics graphically.
Define Prometheus as the Data Source for Grafana
The first ConfigMap YAML snippet example uses the environment variable
{{.Services.Prometheus.Endpoint}}
to define the service endpoint. If this
YAML snippet is part of an application template created by an infra admin, a project user
can then specify these per-Service Domain variables in their application.
The second snippet provides configuration information for the Grafana server web page. The
host name in this example is woodkraft2.ntnxdomain.com
Copyright 2022 Nutanix, Inc. Nutanix, the
Nutanix logo and all Nutanix product and service names mentioned herein are registered
trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other
brand names used herein are for identification purposes only and may be the trademarks of
their respective holder(s) and no claim of rights is made therein.
Kubernetes Apps
You can create intelligent applications to run on the Service Domain infrastructure or the cloud where you have pushed collected data. You can implement application YAML files to use as a template, where you can customize the template by passing existing Categories associated with a Service Domain to it.
You need to create a project with at least one user to create an app.
You can undeploy and deploy any applications that are running on Service Domains or in the
cloud. See Deploying and Undeploying a Kubernetes Application.
Privileged Kubernetes Apps
Important:
The privileged mode is deprecated. Nutanix plans to remove this feature
in an upcoming release.
For Kubernetes apps running as privileged, you might have to specify the Kubernetes
namespace where the application is deployed. You can do this by using the
{{
.Namespace }}
variable you can define in app YAML template file.
In this example, the resource kind of ClusterRoleBinding specifies the
{{
.Namespace }}
variable as the namespace where the subject ServiceAccount is
deployed. As all app resources are deployed in the project namespace, specify the project
name as well (here, name: my-sa).
Create a Kubernetes application that you can associate with a project.
Before you begin
To complete this task, log on to the cloud management console.
About this task
If your app requires a service, make sure you enable it in the associated project.
Application YAML files can also be a template where you can customize the template by passing existing Categories associated with a Service Domain to it.
See also Configure Service Domain Environment Variables to set and use
environment variables in your app.
Nutanix recommends that you do not reuse application names after creating and then deleting (removing) an application. If you subsequently create an application with the same name as a deleted application, your application might re-use stale data from the deleted application.
Procedure
From the home menu, click
Projects
, then click a project.
Click
Kubernetes Apps
>
Create Kubernetes App
.
Name
your application. Up to 200 alphanumeric characters are allowed.
Description
. Provide a relevant description for your application.
Select one or more Service Domains, individually or by category.
How your Service Domain was added in your project determines what you can select in
this step. See Creating a Project.
For
Select Individually
, click
Add Service
Domains
to select one or more Service Domains.
For
Select By Category
, select to choose and apply one or
more categories associated with a Service Domain.
Click the plus sign (
+
) to add more categories.
Click
Next
.
To use an application YAML file or template, select
YAML based
configuration
, then click
Choose File
to navigate to
a YAML file or template.
After uploading the file, you can edit the file contents. You can also choose
the contrast levels
Normal
,
Dark
,
or
High Contrast Dark
.
To define an application with a Helm chart, select
Upload a Helm
Chart
. See Helm Chart Support and Requirements.
Helm Chart File
. Browse to a Helm Chart package file.
Values Override File (Optional)
. You also can optionally
browse to a values YAML file to override the values you specified in the Helm Chart
package.
View Generated YAML File
. After uploading these files, you
can view the generated YAML configuration by clicking
Show
YAML
.
Click
Create
.
If your app requires a service, make sure you enable it in the associated
project.
The
Kubernetes Apps
page lists the application you just
created as well as any existing applications. Apps start automatically after
creation.
Editing an Application
Update an existing Kubernetes application.
Before you begin
To complete this task, log on to the cloud management console.
About this task
Application YAML files can also be a template where you can customize the
template by passing existing Categories associated with a Service Domain to it.
To set and use environment variables in your app, see Configure Service Domain Environment Variables.
Procedure
From the home menu, click
Projects
, then click a
project.
Click
Kubernetes Apps
, then click an application in the
list.
The application dashboard is displayed along with an
Edit
button.
Click
Edit
.
Name
. Update the application name. Up to 200 alphanumeric
characters are allowed.
Description
. Provide a relevant description for your
application.
You cannot change the application's
Project
.
Update the associated Service Domains.
How your Service Domain was added in your project determines what you can
select in this step. See Creating a Project.
If
Select Individually
is selected:
Click
X
to remove a Service Domain in the
list.
Click
Edit
to select or deselect one or
more Service Domains.
If
Select By Category
is selected, add or remove
one or more categories associated with a Service Domain.
Select a category and value.
Click
X
to remove a category.
Click the plus sign (
+
) to add more
categories and values.
Click
Next
.
To use an application YAML file or template, select
YAML based
configuration
, then click
Choose File
to
navigate to a YAML file or template.
You can edit the file directly on the
Yaml
Configuration
page.
Click
Choose File
to navigate to a YAML file or
template.
After uploading the file, you can also edit the file contents. You can
choose the contrast levels
Normal
,
Dark
, or
High Contrast
Dark
.
To define an application with a Helm chart, select
Upload a Helm
Chart
. See Helm Chart Support and Requirements.
Helm Chart File
. Browse to a Helm Chart package
file.
Values Override File (Optional)
. You also can
optionally browse to a YAML file to override the values you specified in
the Helm Chart package. Use this option to update your application
without having to re-upload a new chart.
View Generated YAML File
. After uploading these
files, you can view the generated YAML configuration by clicking
Show YAML
.
Click
Update
.
The
Kubernetes Apps
page lists the application
you just updated as well as any existing applications.
Removing an Application
Delete an existing Kubernetes application.
About this task
To complete this task, log on to the cloud management console.
Nutanix recommends that you do not reuse application names after creating and
then deleting (removing) an application. If you subsequently create an
application with the same name as a deleted application, your application might
re-use stale data from the deleted application.
Procedure
From the home menu, click
Projects
, then click a
project.
Click
Kubernetes Apps
, then select an application in the
list.
Click
Actions
>
Remove
, then click
Delete
to confirm.
The
Kubernetes Apps
page lists any remaining
applications.
Deploying and Undeploying a Kubernetes Application
You can undeploy and deploy any applications that are running on Service Domains or
in the cloud. You can choose the Service Domains where you want the app to deploy or
undeploy. Select the table or tile view on this page by clicking one of the view
icons.
Before you begin
Undeploying a Kubernetes app deletes all config objects
directly
created
for the app, including PersistentVolumeClaim data. Your app can create a
PersistentVolumeClaim
indirectly
through StatefulSets. The following
points describe scenarios when data is deleted and when data is preserved after you
undeploy an app.
If your application specifies an explicit PersistentVolumeClaim object, when the
app is undeployed, data stored in PersistentVolumeClaim is deleted. This data is
not available if you then deploy the app.
If your application specifies a VolumeClaimTemplates object, when the app is
undeployed, data stored in PersistentVolumeClaim persists. This data is
available for reuse if you later deploy the app. If you plan to redeploy apps,
Nutanix recommends using VolumeClaimTemplates to implement StatefulSets with
stable storage.
Procedure
From the home menu, click
Projects
, then click a
project.
Click
Kubernetes Apps
, then select an application in the
list.
To undeploy a running application, select an application, then click
Actions
>
Undeploy
To undeploy every instance of the app running on all Service Domains,
select
Undeploy All
, then click
Undeploy
.
To undeploy the app running on specific Service Domains, select
Undeploy Selected
, select one or more Service
Domains, then click
Undeploy
.
Click
Undeploy App
to confirm.
To deploy an undeployed application, select an application, then click
Actions
>
Deploy
, then click
Deploy
to confirm.
To deploy every instance of the app running on all Service Domains,
select
Deploy All
, then click
Deploy
.
To deploy the app running on specific Service Domains, select
Deploy Selected
, select one or more Service
Domains, then click
Deploy
.
Helm Chart Support and Requirements
Helm Chart Format
When you create a Kubernetes app in the cloud management console, you can upload a
Helm chart package in a gzipped TAR file (.TGZ format) that describes your app. For
example, it can include:
Helm chart definition YAML file
App YAML template files that define your application (deployment, service, and so
on). See also Privileged Kubernetes Apps
Values YAML file where you declare variables to pass to your app templates. For
example, you can specify Ingress controller annotations, cloud repository details,
and other required settings
Supported Helm Version
Karbon Platform Services supports Helm version 3.
Kubernetes App Support
Karbon Platform Services supports the same Kubernetes resources in Helm charts as in application YAML
files. For example, daemonsets, deployment, secrets, services, statefulsets, and so on
are supported when defined in a Helm chart.
Data Pipelines
The Data Pipelines page enables you to create and view data pipelines, and also see any alerts associated with existing pipelines.
A data pipeline is a path for data that includes:
Input
. An existing data source or real-time data stream.
Transformation
. Code block such as a script defined in a Function to process or transform input data.
Output
. A destination for your data. Publish data to the Service Domain, cloud, or cloud data service (such as AWS Simple Queue Service).
It also enables you to process and transform captured data for further consumption or processing.
To create a data pipeline, you must have already created or defined at least one of the following:
Project
Category
Data source
Function
Cloud profile. Required for cloud data destinations or Service Domain endpoints
When you create, clone, or edit a function, you can define one or more parameters. When you create a data pipeline, you define the values for the parameters when you specify the function in the pipeline.
Data pipelines can share functions, but you can specify unique parameter values for the function in each data pipeline.
You can also stop and start a data pipeline. See Stopping and Starting a Data Pipeline.
Creating a Data Pipeline
Create a data pipeline, with a data source or real-time data source as input and
infrastructure or external cloud as the output.
Before you begin
You must have already created at least one of each: project, data source, function, and
category. Also, a cloud profile is required for cloud data destinations or Service Domain
endpoints. See also Naming Guidelines.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
Click
Functions and Data Pipelines
>
Data Pipelines
.
Click
Create
.
Data Pipeline Name
. Name your data pipeline. Up to 63 lowercase
alphanumeric characters and the dash character (-) are allowed.
Input - Add a Data Source
Procedure
Click
Add Data Source
, then select
Data
Source
.
Select a data source
Category
and one related
Value
.
[Optional] Click
Add new
to add another
Category
and
Value
. Continue adding
as many as you have defined.
Click the trashcan to delete a data source category and value.
Input - Add a Real-Time Data Stream
Procedure
Click
Add Data Source
, then select
Real-Time Data
Stream
.
Select an existing pipeline as a
Real-Time Data
Stream
.
Transformation - Add a Function
Procedure
Click
Add Function
and select an existing Function.
Define a data
Sampling Interval
by selecting
Enable
.
Enter a interval value.
Select an interval:
Millisecond
,
Second
,
Minute
,
Hour
, or
Day
.
Enter a value for any parameters defined in the function.
If no parameters are defined, this field's name is shown as parens characters.
( )
[Optional] Click the plus sign (
+
) to add another
function.
This step is useful if you want to chain functions together, feeding transformed
data from one function to another, and so on.
You can also create a function here by clicking
Upload
, which
displays the
Create Function
page.
Name
your function. Up to 200 alphanumeric characters are
allowed.
Description
. Provide a relevant description for the
function.
Language
. Select the scripting language for the function:
golang, python, node.
Runtime Environment
. Select the runtime environment for
the function. A default runtime environment is already selected in most cases
depending on the
Language
you have selected.
Click
Next
.
Click
Choose File
to navigate to a file containing your
function code.
After uploading the file, you can edit the file contents. You can also
choose the contrast levels
Normal
,
Dark
, or
High Contrast
Dark
.
Click
Add Parameter
to define and use any parameters for
the data transformation in the function.
Click
Create
.
Output - Add a Destination
Procedure
Click
Add Destination
to specify where the transformed data is
to be output:
Publish to Service Domain
or
Publish to
External Cloud
.
If you select
Destination
>
Service Domain
:
Endpoint Type
. Select
Kafka
,
MQTT
,
Realtime Data Stream
, or
Data Interface
.
Data Interface Name
. If shown, name your data
interface.
Endpoint Name
. If shown, name your endpoint.
If you select
Destination
>
External Cloud
and Cloud Type as
AWS
, complete the following
fields:
Cloud Profile
. Select your existing profile.
See the topic Creating Your Cloud Profile in the
Karbon Platform Services Administration Guide
.
Endpoint Type
. Select an existing endpoint type.
Endpoint Name
. Name your endpoint. Up to 200 alphanumeric
characters and the dash character (-) are allowed.
Region
. Select an AWS region.
If you select
Destination
>
External Cloud
and Cloud Type as
Azure
, complete the following
fields:
Cloud Profile
. Select your existing profile.
See the topic Creating Your Cloud Profile in the
Karbon Platform Services Administration Guide
.
EndpointType
. Select an existing stream type, such as
Blob Storage
.
Endpoint Name
. Name your endpoint. Up to 200 alphanumeric
characters and the dash character (-) are allowed.
If you select
Destination
>
External Cloud
and Cloud Type as
GCP
, complete the following
fields:
Cloud Profile
. Select your existing profile.
See the topic Creating Your Cloud Profile in the
Karbon Platform Services Administration Guide
.
d
Endpoint Type
. Select an existing endpoint type.
Endpoint Name
. Name your endpoint. Up to 200 alphanumeric
characters and the dash character (-) are allowed.
Region
. Select a GCP region.
Click
Create
.
Editing a Data Pipeline
Update a data pipeline, including data source, function, and output destination. See
also Naming Guidelines.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
Click
Functions and Data Pipelines
>
Data Pipelines
.
Select a data pipeline in the list, then click
Actions
>
Edit
You cannot update the data pipeline name.
Input - Edit a Data Source
Procedure
You can do any of the following:
Select a different
Data Source
to change the data pipeline
Input source (or keep the existing one).
Select a different value for an existing Category.
Click the trashcan to delete a data source category and value.
Click
Add new
to add another
Category
and
Value
. Continue adding
as many as you have defined.
Select a different category.
Input - Edit a Real-Time Data Stream
Procedure
Select a different
Realtime Data Stream
to change the data
pipeline Input source.
Transformation - Edit a Function
About this task
You can do any of the following tasks.
Procedure
Select a different
Function
.
Add or update the
Sampling Interval
for any new or existing
function.
If not selected, create a
Sampling Interval
by selecting
Enable
Enter a interval value.
Select an interval:
Millisecond
,
Second
,
Minute
,
Hour
, or
Day
.
Enter a value for any parameters defined in the function.
If no parameters are defined, this field's name is shown as parens characters.
( )
[Optional] Click the plus sign (
+
) to add another
function.
This step is useful if you want to chain functions together, feeding transformed
data from one function to another, and so on.
You can also create a function here by clicking
Upload
, which
displays the
Add Function
page.
Name
your function. Up to 200 alphanumeric characters are
allowed.
Description
. Provide a relevant description for the
function.
Language
. Select the scripting language for the function:
golang, python, node.
Runtime Environment
. Select the runtime environment for
the function. A default runtime environment is already selected in most cases
depending on the
Language
you have selected.
Click
Next
.
Click
Choose File
to navigate to a file containing your
function code.
After uploading the file, you can edit the file contents. You can also
choose the contrast levels
Normal
,
Dark
, or
High Contrast
Dark
.
Click
Add Parameter
to define and use any parameters for
the data transformation in the function.
Click
Create
.
Click
Create
.
Output - Edit a Destination
About this task
You can do any of the following tasks.
Procedure
Select a
Infrastructure
or
External
Cloud
Destination
to specify where the transformed data is to be
output.
If you select
Destination
>
Infrastructure
:
Endpoint Type
. Select
MQTT
,
Realtime Data Stream
,
Kafka
, or
Data Interface
.
Data Interface Name
. If shown, name your data
interface.
Endpoint Name
. If shown, name your endpoint.
If you select
Destination
>
External Cloud
and Cloud Type as
AWS
, complete the following
fields:
Cloud Profile
. Select your existing profile.
See the topic Creating Your Cloud Profile in the
Karbon Platform Services Administration Guide
.
Endpoint Type
. Select an existing endpoint type.
Endpoint Name
. Name your endpoint. Up to 200 alphanumeric
characters and the dash character (-) are allowed.
Region
. Select an AWS region.
If you select
Destination
>
External Cloud
and Cloud Type as
GCP
, complete the following
fields:
Cloud Profile
. Select your existing profile.
See the topic Creating Your Cloud Profile in the
Karbon Platform Services Administration Guide
.
Endpoint Type
. Select an existing endpoint type.
Endpoint Name
. Name your endpoint. Up to 200 alphanumeric
characters and the dash character (-) are allowed.
Region
. Select a GCP region.
If you select
Destination
>
External Cloud
and Cloud Type as
Azure
, complete the following
fields:
Cloud Profile
. Select your existing profile.
See the topic Creating Your Cloud Profile in the
Karbon Platform Services Administration Guide
.
EdType
. Select an existing stream type, such as
Blob Storage
.
Endpoint Name
. Name your endpoint. Up to 200 alphanumeric
characters and the dash character (-) are allowed.
Click
Update
.
Removing a Data Pipeline
About this task
To complete this task, log on to the cloud management console.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
Click
Functions and Data Pipelines
>
Data Pipelines
.
Select a data pipeline, click
Actions
>
Remove
, then click
Delete
again to confirm.
The
Data Pipelines
page lists any remaining data
pipelines.
Stopping and Starting a Data Pipeline
About this task
You can stop and start a data pipeline.
You can select the table or tile view on this page by clicking one of the view icons.
Figure.
View Icons
Click to enlarge
About this task
Procedure
Click the menu button, then click
Projects
.
Click a project in the list, then click
Functions and Data
Pipelines
.
To stop an active data pipeline, select a data pipeline, then click
Actions
>
Stop
.
You can also click a data pipeline, then click
Stop
or
Start
, depending on the data pipeline state.
Stop
stops any data from being transformed or processed, and terminates any data transfer to your data destination.
To start the data pipeline, select
Start
(after stopping a data pipeline) from the
Actions
drop-down menu.
Functions
A function is code used to perform one or more tasks. Script languages include Python,
Golang, and Node.js. A script can be as simple as text processing code or it could be advanced
code implementing artificial intelligence, using popular machine learning frameworks like
Tensorflow.
An infrastructure administrator or project user can create a function, and later can edit or
clone it. You cannot edit a function that is used by an existing data pipeline. In this case,
you can clone it to make an editable copy.
You can use ML models in your function code. Use the ML Model API to call the model and
version.
When you create, clone, or edit a function, you can define one or more parameters.
When you create a data pipeline, you define the values for the parameters when you specify
the function in the pipeline.
Data pipelines can share functions, but you can specify unique parameter values for the
function in each data pipeline.
Creating a Function
About this task
To complete this task, log on to the cloud management console.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
Click
Functions and Data Pipelines
>
Functions
>
Create
.
Name
. Name the function. Up to 200 alphanumeric
characters are allowed.
Description
. Provide a relevant description for your
function.
Language
. Select the scripting language for the
function: golang, python, node.
Runtime Environment
. Select the runtime environment for
the function. A default runtime environment is already selected in most cases
depending on the
Language
you have selected.
Click
Next
.
Add function code.
Click
Choose File
to navigate to a file
containing your function code.
After uploading the file, you can edit the file contents. You
can also choose the contrast levels
Normal
,
Dark
, or
High Contrast
Dark
.
Click
Add Parameter
to define and use one or
more parameters for data transformation in the function. Click the check
icon to add each parameter.
Click
Create
.
Editing a Function
Edit an existing function. To complete this task, log on to the cloud management
console.
About this task
Other than the name and description, you cannot edit a function that is in use by an
existing data pipeline. In this case, you can clone a function to duplicate it. See
Cloning a Function.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
Click
Functions and Data Pipelines
>
Functions
.
Select a function in the list, then click
Edit
.
Name
. Update the function name. Up to 200 alphanumeric
characters are allowed.
Description
. Provide a relevant description for your
function.
You cannot change the function's
Project
.
Language
. Select the scripting language for the
function: golang, python, node.
Runtime Environment
. Select the runtime environment for
the function. A default runtime environment is already selected in most cases
depending on the
Language
you have selected.
Click
Next
.
If you want to choose a different file or edit the existing function
code:
Click
Choose File
to navigate to a file
containing your function code.
After uploading the file, you can edit the file contents. You
can also choose the contrast levels
Normal
,
Dark
, or
High Contrast
Dark
.
Click
Add Parameter
to define and use one or
more parameters for data transformation in the function. Click the
check icon to add each parameter.
Click
Update
.
Cloning a Function
Clone an existing function. To complete this task, log on to the cloud management
console.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
Click
Functions and Data Pipelines
>
Functions
.
Select a function in the list, then click
Clone
.
Name
. Update the function name. Up to 200 alphanumeric
characters are allowed.
Description
. Provide a relevant description for your
function.
You cannot change the function's
Project
.
Language
. Select the scripting language for the
function: golang, python, node.
Runtime Environment
. Select the runtime
environment for the function. A default runtime environment is already
selected in most cases depending on the
Language
you have selected.
Click
Next
.
If you want to choose a different file or edit the existing function
code:
Click
Choose File
to navigate to a file
containing your function code.
After uploading the file, you can edit the file contents. You
can also choose the contrast levels
Normal
,
Dark
, or
High Contrast
Dark
.
Click
Add Parameter
to define and use one or
more parameters for data transformation in the function. Click the check
icon to add each parameter.
Click
Next
to update a data pipeline with this function,
if desired.
Click
Create
, then click
Confirm
in response to the data pipeline warning.
An updated function can cause data pipelines to break (that is, stop
collecting data correctly).
Removing a Function
About this task
To complete this task, log on to the cloud management console. You cannot remove a
function that is associated with a data pipeline or realtime data stream.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
Click
Functions and Data Pipelines
>
Functions
.
Select a function, click
Remove
, then click
Delete
again to confirm.
The
Functions
page lists any remaining
functions.
AI Inferencing and ML Model Management
You can create machine learning (ML) models to enable AI inferencing for your projects.
The ML Model feature provides a common interface for functions (that is, scripts) or
applications to use the ML model Tensorflow runtime environment on the Service Domain.
The Karbon Platform Services Release Notes list currently supported ML model
types.
An infrastructure admin can enable the AI Inferencing service for your project through
Manage Services
as described in Managing Project Services.
You can add multiple models and model versions to a single ML Model instance that you create.
In this scenario, multiple client projects can access any model configured in the single ML
model instance.
Before You Begin
To allow access by the AI Inferencing API, ensure that the infrastructure admin
selects
Use GPU for AI Inferencing
in the associated project
Service Domain Advanced Settings.
Ensure that the infrastructure admin has enabled the AI Inferencing service for your
project.
ML Models Guidelines and Limitations
The maximum ML model zip file size you can upload is 1 GB.
Each ML model zip file must contain a binary file and metadata file.
You can use ML models in your function code. Use the ML Model API to call the model
and version.
ML Model Validation
The Karbon Platform Services platform validates any ML model that you upload. It checks the following:
The uploaded model is a ZIP file, with the correct folder of file structure in
the ZIP file.
The ML model binaries in the ZIP file are valid and in the required format.
TensorFlow ML model binaries in the ZIP file are valid and in the required
format.
Adding an ML Model
About this task
To complete this task, log on to the cloud management console.
Before you begin
An infrastructure admin can allow access to the AI Inferencing API by selecting
Use GPU for AI Inferencing
in the associated project Service
Domain Advanced Settings.
An infrastructure admin can enable the AI Inferencing service for your project through
Manage Services
as described in Managing Project Services.
Procedure
From the home menu, click
Projects
, then click a project.
Click
AI Inferencing
>
Add Model
.
Name
. Name the ML model. Up to 200 alphanumeric characters are allowed.
Description
. Provide a relevant description.
Select a specific project to make your ML model available to that project.
Select a
Framework Type
from the drop-down menu. For
example,
Tensorflow 2.1.0
.
Click
Add Version
in the List of Model Versions panel.
Type an
ML Model Version
number, such as 1, 2, 3 and so on.
Click
Choose File
and navigate to a model ZIP file stored on your local machine.
The maximum zip file size you can upload is 1 GB.
The console validates the file as it uploads it.
Uploading a file is a background task and might take a few moments depending on file size. Do not close your browser.
Type any relevant
Version Information
, then
click
Upload
.
[Optional] Click
Add new
to add another model version to the model.
A single ML model can consist of multiple model versions.
Click
Done
.
The
ML Model
page displays the added ML model. It might also show the ML model as continuing to upload.
What to do next
Check ML model status in the ML Model page.
Editing an ML Model
About this task
To complete this task, log on to the cloud management console.
You cannot change the name or framework type associated with an ML model.
Procedure
From the home menu, click
Projects
, then click a project.
Click
AI Inferencing
, select a model in the list, and click
Edit
.
Description
. Update an existing description.
Edit
or
Remove
an existing model version from the
List of Model Versions.
[Optional] Click
Add new
to add another model version.
A single ML model can consist of multiple model versions.
Type an
ML Model Version
number, such as 1, 2, 3 and so
on.
Click
Choose File
and navigate to a model ZIP file stored on
your local machine.
The maximum zip file size you can upload is 1 GB.
The console validates the file as it uploads it.
Uploading a file is a background task and might take a few moments depending on
file size. Do not close your browser.
Type any relevant
Version Information
, then
click
Upload
.
Click
Done
.
The
ML Model
page displays the added ML model. It might also show the ML model as continuing to upload.
What to do next
Check ML model status in the ML Model page.
Removing an ML Model
How to delete an ML model.
About this task
To complete this task, log on to the cloud management console.
Procedure
From the home menu, click
Projects
, then click a project.
Click
AI Inferencing
and select a model in the list.
Cick
Remove
, then click
Delete
again to
confirm.
The
ML Models
page lists any remaining ML
models.
What to do next
Check ML model status in the ML Model page.
Viewing ML Model Status
The ML Models page in the Karbon Platform Services management console shows version and activity status
for all models.
Procedure
From the home menu, click
Projects
, then click a project.
Click
AI Inferencing
to show model information like Version,
File Size, and Framework Type.
To see where a model is deployed, click the model name.
This page shows a list of associated Service Domains.
Runtime Environments
A runtime environment is a command execution environment to run applications written in
a particular language or associated with a Docker registry or file.
Karbon Platform Services includes standard runtime environments including but not limited to the following.
These runtimes are read-only and cannot be edited, updated, or deleted by users. They are
available to all projects, functions, and associated container registries.
Golang
NodeJS
Python 2
Python 3
Tensorflow Python
You can add your own custom runtime environment for use by all or specific projects,
functions, and container registries.
Note:
Custom Golang runtime environments are not
supported. Use the provided standard Golang runtime environment in this case.
Creating a Runtime Environment
How to create a user-added runtime environment for use with your project.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
Click
Functions and Data Pipelines
, then click the
Runtime Environments
tab.
Click
Create
.
Name
. Name the runtime environment. Up to 75
alphanumeric characters are allowed.
Description
. Provide a relevant description.
Container Registry Profile
. Click
Add
Profile
to create a new container registry profile or use an
existing profile. Do one of the following sets of steps.
Select
Add New
.
Name
your profile.
Description
. Describe the profile. Up to 75
alphanumeric characters are allowed.
Container Registry Host Address
. Provide a
public or private registry host address. The host address can be in the
format
host.domain:port_number/repository_name
For example,
https://index.docker.io/v1/
or
registry-1.docker.io/distribution/registry:2.1
Username
. Enter the user name credential for the
profile.
Password
. Enter the password credential for the
profile. Click
Show
to display the password as
you type.
Email Address
. Add an email address in this
field.
Select
Use Existing cloud profile
and elect an
existing profile from
Cloud Profile
.
Name
your profile.
Description
. Describe the profile. Up to 75
alphanumeric characters are allowed.
Server
. Provide a server URL to the container
registry in the format used by your cloud provider.
For example, an Amazon AWS Elastic Container Registry (ECR) URL might
be:
https://
aws_account_id
.dkr.ecr.
region
.amazonaws.com
Click
Done
.
Container Image Path
. Provide a container image URL. For
example,
https://
aws_account_id
.dkr.ecr.
region
.amazonaws.com/
image
:
imagetag
Languages
. Select the scripting language for the
runtime: golang, python, node.
[Optional] Click
Add Dockerfile
to choose and upload a
Dockerfile for the container image, then click
Done
.
A Dockerfile typically includes instructions used to build images
automatically or run commands.
Click
Create
.
Editing a Custom Runtime Environment
How to edit a user-added runtime environment from the cloud management console. You
cannot edit the included read-only runtime environments.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
Click
Functions and Data Pipelines
, then click the
Runtime Environments
tab.
Select a runtime environment in the list, then click
Edit
.
Name
. Name the runtime environment. Up to 75
alphanumeric characters are allowed.
Description
. Provide a relevant description.
Container Registry Profile
. Select an existing container
registry profile.
Container Image Path
. Provide a container image URL. For
example,
https://
aws_account_id
.dkr.ecr.
region
.amazonaws.com/
image
:
imagetag
Languages
. Select the scripting language for the
runtime: golang, python, node.
[Optional]
Remove
or
Edit
any
existing Docker file.
After editing a file, click
Done
.
Click
Add Docker Profile
to choose a Docker file for the
container image.
Click
Update
.
Removing a Runtime Environment
How to remove a user-added runtime environment from the cloud management console. To
complete this task, log on to the cloud management console.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
Click
Functions and Data Pipelines
, then click the
Runtime Environments
tab.
Select a runtime environment, click
Remove
, then click
Delete
again to confirm.
The
Runtime Environments
page lists any remaining
runtime environments.
Audit Trail and Log Management
Logging
provides a consolidated landing page enabling you to
collect, forward, and manage logs from selected Service Domains.
From
Logging
or
System Logs
>
Logging
or the summary page for a specific project, you can:
Run Log Collector on every or selected Service Domains (admins only)
See created log bundles, which you can then download or delete
Create, edit, and delete log forwarding policies to help make collection more granular and then forward those logs to the cloud
View alerts
View an audit trail of any operations performed by users in the last 30 days
You can also collect logs and stream them to a cloud profile by using the kps command line available from the Nutanix public Github channel https://github.com/nutanix/karbon-platform-services/tree/master/cli. Readme documentation available there describes how to install the command line and includes sample YAML files for use with applications, data pipelines, data sources, and functions.
Audit Trail Dashboard
Access the Audit Log dashboard to view the most recent operations performed by
users.
Karbon Platform Services maintains an audit trail of any operations performed by users in
the last 30 days and displays them in an
Audit Trail
dashboard in the
cloud management console. To display the dashboard, log on to the console, open the
navigation menu, and click
Audit Trail
.
Click
Filters
to display operations by Operation Type, User Name,
Resource Name, Resource Type, Time Range, and other filter types so you can narrow your
search. Filter Operation Type by CREATE, UPDATE, and DELETE actions.
Running Log Collector - Service Domains
Log Collector examines the selected Service Domains and collects logs and
configuration information useful for troubleshooting issues and finding out details about
any Service Domain.
Procedure
Go to
System Logs
>
Logging
from the
Dashboard
in the navigation
sidebar menu.
Click
Run Log Collector
.
To collect log bundles for every Service Domain, choose
Select all Service Domains
, then click
Select Logs
.
To collector log bundles for specific Service Domains, choose them,
then click
Collect Logs
The table displays the collection status.
Collecting
. Depending on how many Service Domains
you have chosen, it can take a few minutes to collect the logs.
Success
. All logs are collected. You can now
Download
them or
Delete
them.
Failed
. Logs could not be collected. Click
Details
to show error messages relating to
this collection attempt.
After downloading the log bundle, you can delete it from the console.
What to do next
The downloaded log bundle is in a gzipped TAR file. Extract the TAR
file, then untar or unzip the TAR file to see the collected
logs.
You can also forward logs to the cloud based on your cloud profile.
See Creating and Updating a Log Forwarding Policy.
Running Log Collector - Kubernetes Apps
Log Collector examines the selected project application and collects logs and
configuration information useful for troubleshooting issues and finding out details about an
app.
Procedure
Click the menu button, then click
Projects
.
Click a project in the list.
The project dashboard and navigation sidebar is displayed.
Click
Kubernetes Apps
, then click an app in the
list.
Select the
Log Bundles
tab, then click
Run
Log Collector
.
To collect log bundles for every Service Domain, choose
Select all Service Domains
, then click
Select Logs
.
To collector log bundles for specific Service Domains, choose them,
then click
Collect Logs
The table displays the collection status.
Collecting
. Depending on how many Service Domains
you have chosen, it can take a few minutes to collect the logs.
Success
. All logs are collected. You can now
Download
them or
Delete
them.
Failed
. Logs could not be collected. Click
Details
to show error messages relating to
this collection attempt.
After downloading the log bundle, you can delete it from the console.
What to do next
The downloaded log bundle is in a gzipped TAR file. Extract the TAR
file, then untar or unzip the TAR file to see the collected
logs.
You can also forward logs to the cloud based on your cloud profile.
See Creating and Updating a Log Forwarding Policy.
Creating and Updating a Log Forwarding Policy
Create, edit, and delete log forwarding policies to help make collection more
granular and then forward those Service Domain logs to the cloud.
Before you begin
Make sure your infrastructure admin has created a cloud profile first.
Procedure
Go to
System Logs
>
Logging
from
Dashboard
or the summary page for a
specific project.
Click
Log Forwarding Policy
>
Create New Policy
.
Name
. Name your policy.
Select a Service Domain.
Select All
. Logs for all Service Domains are
forwarded to the cloud destination.
Select
Select By Category
to choose and apply
one or more categories associated with a Service Domain. Click the plus
sign (
+
) to add more categories.
Select
Select Individually
to choose a Service
Domain, then click
Add Service Domain
to select
one or more Service Domains.
Select a destination.
Select Profile
. Choose an existing cloud
profile.
Select Service
. Choose a cloud service. For
example, choose
Cloudwatch
to stream logs to
Amazon CloudWatch. Other services include
Kinesis
and
Firehose
.
Select Region
. Enter a valid AWS region name or
CloudWatch endpoint fully qualified domain name. For example,
us-west-2
or
monitoring.us-west-2.amazonaws.com
Select Stream
. Enter a log stream name.
Select Groups
. (CloudWatch only) Enter a Log
group name.
Click
Done
.
The dashboard or summary page shows the policy tile.
From the Logging dashboard, you can edit or delete a policy.
Click
Edit
and change any of the fields, then
click
Done
.
To delete a policy, click
Delete
, then click
Delete
again to confirm.
Creating a Log Collector for Log Forwarding - Command Line
Create a log collector for log forwarding by using the kps command line.
Nutanix has released the kps command line on its public Github channel. https://github.com/nutanix/karbon-platform-services/tree/master/cli describes how to install the command line and includes sample YAML files for use with applications, data pipelines, data sources, and functions.
Each sample YAML file defines a log collector. Log collectors can be:
Infrastructure-based: collects infrastructure-related (Service Domain) information. For
use by infra admins.
Project-based: project-related information (applications, data pipelines, and so on). For
use by project users and infra admins (with assigned projects).
See the most up-to-date sample YAML files and descriptions at https://github.com/nutanix/karbon-platform-services/tree/master/cli.
This sample infrastructure log collector collects logs for a specific tenant, then forwards them to a specific cloud profile (for example:
AWS CloudWatch
).
To enable AWS CloudWatch log streaming, you must specify awsRegion, cloudwatchStream, and
cloudwatchGroup.
Specify an existing Karbon Platform Services cloud profile
awsRegion
For example,
us-west-2
or
monitoring.us-west-2.amazonaws.com
Valid AWS region name or CloudWatch endpoint fully qualified domain
name
cloudwatchGroup
cloudwatch-group-name
Log group name
cloudwatchStream
cloudwatch-stream-name
Log stream name
filterSourceCode
Specify the log conversion code
Stream Real-Time Application and Pipeline Logs
Real-Time Log Monitoring built into Karbon Platform Services provides real-time log monitoring and lets
you view application and data pipeline log messages securely in real time.
Note:
Infrastructure administrators can stream logs if they have been added to a project.
Viewing the most recent log messages as they occur helps you see and troubleshoot application
or data pipeline operations. Messages stream securely over an encrypted channel and are
viewable only by authenticated clients (such as an existing user logged on to the Karbon Platform Services cloud
platform).
The cloud management console shows the most recent log messages, up to 2 MB. To get the full
logs, collect and then download the log bundles by Running Log Collector - Service Domains.
Displaying Real-Time Logs
View the most recent real-time logs for applications and data pipelines.
About this task
To complete this task, log on to the cloud management console.
Procedure
Go to the
Deployments
page for an application or data
pipeline.
From the home menu, click
Projects
, then click a
project.
Click
Kubernetes Apps
or
Functions and Data
Pipelines
.
Click an app name or data pipeline name, then click
Deployments
.
Click an application or a data pipeline in the table, then
click
Deployments
.
A table shows each Service Domain deploying the application or data
pipeline.
Select a Service Domain, then click
View Real-time Logs
.
The window displays streaming log messages and shows the most recent 2 MB of log
messages from a container associated with your data pipeline function or application, from
the Service Domain.
What to do next
Real-Time Log Monitoring Console describes what you see in the terminal-style
display.
Real-Time Log Monitoring Console
The Karbon Platform Services real-time log monitoring console is a terminal-style display that streams
log entries as they occur.
After you do the steps in Displaying Real-Time Logs, a terminal-style window is
displayed in one or more tabs. Each tab is streaming log messages and shows the most recent
2 MB of log messages from a container associated with your data pipeline function or
application.
Your application or data pipeline function generates the log messages. That is, the console
shows log messages that you have written into your application or function.
Figure.
Real-Time Log Monitoring Console
Click to enlarge
No Logs Message
If your Karbon Platform Services Service Domain is connected and your application or function is not logging
anything, the console might show a
No Logs
message. In this case, the message
means that the application or function is idle and not generating any log messages.
Errors
You might see one or more error messages in the following cases. As a result, Real-Time Log
Monitoring cannot retrieve any logs.
If your application, function, or other resource fails
Network connectivity fails or is highly intermittent between the Karbon Platform
Services Service Domain or your browser and karbon.nutanix.com
Tips for Real-Time Log Monitoring for Applications
The first tab shows the first container associated with the application running on the
Karbon Platform Services Service Domain. The console shows one tab for each container associated with the
application, including a tab for each container replicated in the same application.
Each tab displays the application and container name as
app_name
:
container_id
) and might be truncated. To
see the full name on the tab, hover over it.
Reordering tabs is not available. Unlike your usual tabbed browser experience, you
cannot reorder or move the tabs.
Tips for Real-Time Log Monitoring for Functions in Data Pipelines
The first tab shows the first function deployed in the data pipeline running on the
Service Domain. The console shows one tab for each function deployed in the data
pipeline.
Reordering tabs is not available. Unlike your usual tabbed browser experience, you
cannot reorder or move the tabs. For data pipelines, the displayed tab order is the order
of the functions (that is, scripts of transformations) in the data pipeline.
Duplicate function names. If you use the same function more than once in the data
pipeline, you will see duplicate tabs. That is, one tab for each function instance.
Each tab displays the data pipeline and function name as
data_pipeline_
:
function
) and might be truncated.
To see the full name on the tab, hover over it.
Managing API Keys
Simplifies authentication when you use the Karbon Platform Services API by enabling you to manage your keys from the Karbon Platform Services management console. This topic also describes API key guidelines.
As a user (infrastructure or project), you can manage up to two API keys through the Karbon Platform Services management console. After logging on to the management console, click your user name in the management console, then click
Manage API Keys
to create, disable, or delete these keys.
Number of API Keys Per Users and Expiration
Each user can create and use two API keys.
Keys do not have an expiration date.
Deleting and Reusing API Keys
You can delete an API key at any time.
You cannot use or reuse a key after deleting it.
Creating and Securing the API Keys
When you create a key, the
Manage API Keys
dialog box displays the key.
When you create a key, make a copy of the key and secure it. You cannot see the key later. It is not recoverable at any time.
Do not share the key with anyone, including other users.
Read more about the Karbon Platform Services API at nutanix.dev. For Karbon Platform Services Developers describes
related information and links to resources for Karbon Platform Services developers.
Using API Keys With HTTPS API Requests
Example API request using an API key.
After you create an API key, use it with your Karbon Platform Services API HTTPS Authorization requests. In
the request, specify an Authorization header including
Bearer
and the
key you generated and copied from the Karbon Platform Services management console.
For example, here is an example Node JS code snippet:
Create one or more API keys through the Karbon Platform Services management console.
Procedure
After logging on to the management console, click your user name, then click
Manage API Keys
.
Figure.
Manage API Keys
Click to enlarge
Click
Create API Key
.
Manage API Keys
shows that the key is created. Keys do
not have an expiration date.
Click
Copy to Clipboard
.
Make a copy of the API key and secure it. It is not recoverable at any
time.
Click
View
to see the key value. You cannot see
the key later.
Copy to Clipboard
is a mandatory step. The
Close
button is inactive until you click
Copy to Clipboard
.
To create another key, click
Create API Key
and
Copy to Clipboard
.
Make a copy of the key and secure it. It is not recoverable at any time. Click
View
to see the key value. You cannot see the key
later.
Note that
Status
for each key is
Active
.
Figure.
Key Creation
Click to enlarge
Click
Close
.
Disabling, Enabling, or Deleting API Keys
Create one or more API keys through the Karbon Platform Services management console.
Procedure
After logging on to the management console, click your user name, then click
Manage API Keys
.
Figure.
Manage API Keys
Click to enlarge
Manage API Keys
shows information about each API key:
Create Time, Last Accessed, Status (Active or Disabled).
Depending on the current state of the API key, you can disable, enable,
or delete it.
Figure.
API Keys
Click to enlarge
Disable an enabled API key.
Click
Disable
.
Note that
Status
for the API key is now
Disabled
.
Click
Close
.
Enable a disabled API key.
Click
Enable
.
Note that
Status
for the API key is now
Active
.
Click
Close
.
Delete an API Key.
Click
Delete
, then click
Delete
again to confirm.
Click
Close
.
You cannot use or reuse a key after deleting it. Any client
authenticating with this now-deleted API key will need a new key to
authenticate again.
Secure Shell (SSH) Access to Service Domains
Karbon Platform Services provides limited secure shell (SSH) access to your cloud-connected service
domain to manage Kubernetes pods.
Note:
To enable this feature, contact Nutanix Support so they can set your profile accordingly.
Setting Privileged Mode shows how you can check your Service Domain
effectiveProfile
setting.
Caution:
Nutanix recommends limiting your use of this feature in production
deployments. Do not enable SSH access in production deployments unless you have exhausted all
other troubleshooting or debugging alternatives.
The Karbon Platform Services cloud management console provides limited secure shell (SSH) access to your
cloud-connected Service Domain to manage Kubernetes pods. SSH Service Domain access enables
you to run Kubernetes
kubectl
commands to help you with application
development, debugging, and pod troubleshooting.
As Karbon Platform Services is secure by design, dynamically generated public/private key pairs with a default
expiration of 30 minutes secure your SSH connection. When you start an SSH session from the
cloud management console, you automatically log on as user
kubeuser
.
Infrastructure administrators have SSH access to Service Domains. Project users do not have
access.
kubeuser Restrictions
Limited to running
kubectl
CLI commands
No superuser or sudo access: No
/root
file access, unable to issue
privileged commands
Opening a Secure Session (SSH) Console to a Service Domain
Access a Service Domain through SSH to manage Kubernetes pods with kubectl CLI
commands. This feature is disabled by default. To enable this feature, contact Nutanix
Support.
Before you begin
To complete this task, log on to the cloud management console as an infrastructure
administrator user.
Caution:
Nutanix recommends limiting your use of this feature in production
deployments. Do not enable SSH access in production deployments unless you have exhausted
all other troubleshooting or debugging alternatives.
Procedure
Click
Infrastructure
>
Service Domains
.
In the table, click a Service Domain
Name
, then click
Console
to connect to the Service Domain.
A terminal window connects as the kubeuser user for 30 minutes.
To activate the cursor, click the terminal window.
After 30 minutes, you can choose to stay connected or disconnect.
After 30 minutes, you can remain connected by clicking
Reconnect
to reestablish the SSH connection.
To disconnect an active connection, click
Back to Service
Domains
or another link on this page (
Summary
,
Nodes
, or any others except
SSH
).
What to do next
For example commands, see Using kubectl to Manage Service Domain Kubernetes Pods.
Using kubectl to Manage Service Domain Kubernetes Pods
Use kubectl commands to manage Kubernetes pods on the Service Domain.
Example kubectl Commands
List all running pods.
kubeuser@host$ kubectl get pods
List all pod services.
kubeuser@host$ kubectl get services
Get logs for a specific pod named
pod_name
.
kubeuser@host$ kubectl logs pod_name
Run a command for a specific pod named
pod_name
.
kubeuser@host$ kubectl exec pod_namecommand_name
Attach a shell to a container
container_name
in a pod named
pod_name
.
The Alerts page and the Alerts
Dashboard
panel show any alerts triggered by Karbon Platform Services depending on your role.
Infrastructure Administrator
. All alerts associated with Projects, Apps & Data, Infrastructure
Project User Alerts
. All alerts associated with Projects and Apps & Data
To see alert details:
On the Alerts page, click the alert
Description
to see details about that alert.
From the Alerts
Dashboard
panel, click
View Details
, then click the alert
Description
to see details.
Click
Filters
to sort the alerts by:
Severity
. Critical or Warning.
Time Range
. Select All, Last 1 Hour, Last 1 Day, or Last 1 Week.
An
Alert
link is available on each
Apps & Data
and
Infrastructure
page.
Figure.
Sorting and Filtering Alerts
Click to enlarge
For Karbon Platform Services Developers
Information and links to resources for Karbon Platform Services developers.
This section contains information about Karbon Platform Services development.
API Reference
Go to https://www.nutanix.dev/api-reference/ for API references, code samples, blogs , and more for Karbon Platform Services and other Nutanix
products.
Karbon Platform Services Public Github Repository
The Karbon Platform Services public Github repository https://github.com/nutanix/karbon-platform-services includes
sample application YAML files, instructions describing external client access to
services, Karbon Platform Services kps CLI samples, and so on.
Karbon Platform Services Command Line
Nutanix has released the kps command line on its public Github repository. https://github.com/nutanix/karbon-platform-services/tree/master/cli describes how to install the command line and includes sample YAML
files for use with applications, data pipelines, data sources, and functions.
Ingress Controller Support - Command Line
Karbon Platform Services supports the Traefik open source router as the default Kubernetes Ingress
controller and NGINX (ingress-nginx) as a Kubernetes Ingress controller. For full
details, see https://github.com/nutanix/karbon-platform-services/tree/master/services/ingress.
Kafka Data Service Support - Command Line
Kafka is available as a data service through your Service Domain. Clients can manage,
publish and subscribe to topics using the native Kafka protocol. Data Pipelines can use
Kafka as destination. Applications can also use a Kafka client of choice to access the
Kafka data service.
For full details, see https://github.com/nutanix/karbon-platform-services/tree/master/services/kafka. See alsoKafka as a Service.
Free Karbon Platform Services Trial
Sign up for a free Karbon Platform Services Trial at https://www.nutanix.com/products/iot/try.
Set Privileged Mode For Applications
Enable a container application to run with elevated privileges.
Important:
The privileged mode is deprecated. Nutanix plans to remove this feature
in an upcoming release.
Note:
To enable this feature, contact Nutanix Support so they can set your profile accordingly.
In your profile, this feature is disabled by default. After privileged mode is enabled in your
profile, you can configure a container application to run with elevated privileges.
Caution:
Nutanix recommends that you use this feature sparingly and only when
necessary. To keep Karbon Platform Services secure by design, as a general rule, Nutanix also recommends your
run your applications at user level.
For information about installing the kps command line, see For Karbon Platform Services Developers.
Karbon Platform Services enables you to develop an application which requires elevated privileges to run
successfully. By using the kps command line, you can set your Service Domain to enable an
application running in a container to run in privileged mode.
Setting Privileged Mode
Configure your Service Domain to enable a container application to run with elevated
privileges.
Before you begin
Important:
The privileged mode is deprecated. Nutanix plans to remove this
feature in an upcoming release.
Ensure that you have created an infrastructure administrator or project user
with associated resources (Service Domain, project, applications, and so
on).
To enable this feature, contact Nutanix Support so they can set your profile
accordingly. In your profile, this feature is disabled by default. After
privileged mode is enabled in your profile, you can configure a container
application to run with elevated privileges.
Caution:
Nutanix recommends that you use this feature sparingly and only
when necessary. To keep Karbon Platform Services secure by design, as a general rule, Nutanix also
recommends your run your applications at user level.
Procedure
Install the kps command line as described at GitHub: https://github.com/nutanix/karbon-platform-services/tree/master/cli
From your terminal window, create a Karbon Platform Services context to associate with an
existing Karbon Platform Services user.
context_name
. A context name to associate with the
specified
user_email_address
and related Karbon Platform Services
resources.
user_email_address
. Email address of an existing
Karbon Platform Services user. This email address can be a My Nutanix account
address or local user address.
password
. Password for the Karbon Platform Services user.
Verify that the context is created.
user@host$ kps config get-contexts
The terminal displays CURRENT CONTEXT as the
context_name
. It also displays the NAME, URL, TENANT-ID,
and Karbon Platform Services email and password.
Get the Service Domain names (displayed in YAML format) where the container
application needs to run with elevated privileges.
user@host$ kps get svcdomain -o yaml
Set privilege mode for a specific Service Domain
svc_domain_name
.
effectiveProfile
privileged
set to
true
indicates that Nutanix
Support has enabled this feature. If the setting is
false
,
contact Nutanix Support to enable this feature. In this example, Nutanix has
also enabled SSH access to this Service Domain (see
Secure Shell (SSH) Access to Service
Domains
in
Karbon Platform Services Administration
Guide
).
What to do next
See Using Privileged Mode with an Application (Example).
Using Privileged Mode with an Application (Example)
Important:
The privileged mode is deprecated. Nutanix plans to remove this feature
in an upcoming release.
After elevating privilege as described in Setting Privileged Mode, elevate the application privilege. This sample enables USB device access for an application running in a container on elevated Service Domain
YAML Snippet, Sample Privileged Mode USB Device Access Application
Add a tag similar to the following in the Deployment section in your application YAML file:
apiVersion: apps/v1
kind: Deployment
metadata:
name: usb
annotations:
sherlock.nutanix.com/privileged: "true"
Full YAML File, Sample Privileged Mode USB Device Access Application
apiVersion: v1
kind: ConfigMap
metadata:
name: usb-scripts
data:
entrypoint.sh: |-
apk add python3
apk add libusb
pip3 install pyusb
echo Read from USB keyboard
python3 read-usb-keyboard.py
read-usb-keyboard.py: |-
import usb.core
import usb.util
import time
USB_IF = 0 # Interface
USB_TIMEOUT = 10000 # Timeout in MS
USB_VENDOR = 0x627
USB_PRODUCT = 0x1
# Find keyboard
dev = usb.core.find(idVendor=USB_VENDOR, idProduct=USB_PRODUCT)
endpoint = dev[0][(0,0)][0]
try:
dev.detach_kernel_driver(USB_IF)
except Exception as err:
print(err)
usb.util.claim_interface(dev, USB_IF)
while True:
try:
control = dev.read(endpoint.bEndpointAddress, endpoint.wMaxPacketSize, USB_TIMEOUT)
print(control)
except Exception as err:
print(err)
time.sleep(0.01)
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: usb
annotations:
sherlock.nutanix.com/privileged: "true"
spec:
replicas: 1
selector:
matchLabels:
app: usb
template:
metadata:
labels:
app: usb
spec:
terminationGracePeriodSeconds: 0
containers:
- name: alpine
image: alpine
volumeMounts:
- name: scripts
mountPath: /scripts
command:
- sh
- -c
- cd /scripts && ./entrypoint.sh
volumes:
- name: scripts
configMap:
name: usb-scripts
defaultMode: 0766
Configure Service Domain Environment Variables
Define environment variables for an individual Service Domain. After defining them, any
Kubernetes app that specifies that Service Domain can access them as part of a container spec in
the app YAML.
As an infrastructure administrator, you can set environment variables and associated values
for each Service Domain, which are available for use in Kubernetes apps. For example:
You can provide environment variables and values by using a Helm chart you upload when
you create an app. See Creating an Application and Helm Chart Support and Requirements.
You can also set specific environment variables per Service Domain by updating a Service
Domain in the cloud management console or by using the
kps update
svcdomain
command line.
See also Privileged Kubernetes Apps.
As a project user, you can then specify these per-Service Domain variables set by the infra
admin in your app. If you do not include the variable name in your app YAML file but you
pass it as a variable to run in your app, Karbon Platform Services can inject this variable value.
Setting and Clearing Service Domain Environment Variables - Command Line
How to set environment variables for a Service Domain.
Before you begin
You must be an infrastructure admin to set variables and values.
Procedure
Install the kps command line as described at GitHub: https://github.com/nutanix/karbon-platform-services/tree/master/cli
From your terminal window, create a Karbon Platform Services context to associate with an
existing infra admin user.
context_name
. A context name to associate with the
specified
user_email_address
and related Karbon Platform Services
resources.
user_email_address
. Email address of an existing
Karbon Platform Services user. This email address can be a My Nutanix account
address or local user address.
password
. Password for the Karbon Platform Services user.
Verify that the context is created.
user@host$ kps config get-contexts
The terminal displays CURRENT CONTEXT as the
context_name
. It also displays the NAME, URL, TENANT-ID,
and Karbon Platform Services email and password.
Get the Service Domain names (displayed in YAML format) to find the service
domain where you set the environment variables.
user@host$ kps get svcdomain -o yaml
For a Service Domain named
my-svc-domain
, for example, set the
Service Domain environment variable. In this example, set a secret variable
named
SD_PASSWORD
with a value of
passwd1234
.
The Service Domain is updated. Any infra admin or project user can
deploy an app to a Service Domain where you can refer to the secret by using the
variable
$(SD_PASSWORD)
.
You can continue to add environment variables by using the
kps update
svcdomain my-svc-domain --set-env '{"
variable_name
":
"
variable_value
"}'
command.
You an also clear one or all variables for Service Domain
svc_domain_name
.
To update an app, restart it. See also Deploying and Undeploying a Kubernetes Application.
What to do next
Using Service Domain Environment Variables - Example
Using Service Domain Environment Variables - Example
Example: how to use existing environment variables for a Service Domain in
application YAML.
About this task
You must be an infrastructure admin to set variables and values. See Setting and Clearing Service Domain Environment Variables - Command Line.
In this example, an infra admin has created these environment variables: a Kafka
endpoint that requires a secret (authentication) to authorize the Kafka
broker.
As a project user, you can then specify these per-Service Domain variables set
by the infra admin in your app. If you do not include the variable name in your
app YAML file but you pass it as a variable to run in your app, Karbon Platform Services can
inject this variable value.
Procedure
In your app YAML, add a container snippet similar to the following.
Use this app YAML snippet when you create a Kubernetes app in Karbon Platform Services as
described in Kubernetes Apps.
Karbon Platform Services Terminology
Category
Logically grouped Service Domain, data sources, and other items. Applying a category to an entity applies any values and attributes associated with the category to the entity.
Cloud Connector
Built-in Karbon Platform Services platform feature to publish data to a public cloud like Amazon Web Services or Google Cloud Platform. Requires a customer-owned secured public cloud account and configuration in the Karbon Platform Services management console.
Cloud Profile
Cloud provider service account (Amazon Web Services, Google Cloud Platform, and so on) where acquired data is transmitted for further processing.
Container Registry Profile
Credentials and location of the Docker container registry hosted on a cloud provider service account. Can also be an existing cloud profile.
Data Pipeline
Path for data that includes input, processing, and output blocks. Enables you to process and transform captured data for further consumption or processing.
Input. An existing data stream or data source, identified according to a Category
Transformation. Code block such as a script defined in a Function to process or transform input data.
Output. A destination for data. Publish data to the cloud or cloud service (such as AWS Simple Queue Service) at the edge.
Data Service
Data service such as Kafka as a Service or Real-Time Stream Processing as a Service.
Data Source
A collection of sensors, gateways, or other input devices to associate with a node or Service Domain (previously known as an edge). Enables you to manage and monitor sensor integration and connectivity.
A node minimally consists of a node (also known as edge device) and a data source. Any location (hospital, parking lot, retail store, oil rig, factory floor, and so on) where sensors or other input devices are installed and collecting data. Typical sensors measure (temperature, pressure, audio, and so on) or stream (for example, an IP-connected video camera).
Functions
Code used to perform one or more tasks. A script can be as simple as text processing code or it could be advanced code implementing artificial intelligence, using popular machine learning frameworks like Tensorflow.
Infrastructure Administrator
User who creates and administers most aspects of Karbon Platform Services. The infrastructure administrator provisions physical resources, Service Domains, data sources and public cloud profiles. This administrator allocates these resources by creating projects and assigning project users to them.
Project
A collection of infrastructure (Service Domain, data source, project users) plus code
and data (Kubernetes apps, data pipelines, functions, run-time environments), created
by the infrastructure administrator for use by project users.
Project User
User who views and uses projects created by the infrastructure administrator. This user can view everything that an infrastructure administrator assigns to a project. Project users can utilize physical resources, as well as deploy and monitor data pipelines and applications. This user has
project-specific
CRUD permissions: the project user can create, read, update, and delete assigned applications, scripts, data pipelines, and other project users.
Real-time Data Stream
Data Pipeline output endpoint type with a Service Domain as an existing destination.
An existing data pipeline real-time data stream that is used as the input to another data pipeline.
Run-time Environment
A run-time environment is a command execution environment to run applications written in a particular language or associated with a Docker registry or file.
Service Domain
Intelligent Platform as a Service (PaaS) providing the Karbon Platform Services Service Domain infrastructure (consisting of a full software stack combined with a hardware device). It enables customers to deploy intelligent applications (powered by AI/artificial intelligence) to process and transform data ingested by sensors. This data can be published selectively to public clouds.
Karbon Platform Services Management Console
Browser-based console where you can manage the Karbon Platform Services platform and related infrastructure, depending on your role (infrastructure administrator or project user).
Karbon Platform Services
Software as a Service (SaaS)/Platform as a Service (PaaS) based management platform and cloud IoT services. Includes the Karbon Platform Services management console.
Version
Copyright 2022 Nutanix, Inc. Nutanix, the
Nutanix logo and all Nutanix product and service names mentioned herein are registered
trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other
brand names used herein are for identification purposes only and may be the trademarks of
their respective holder(s) and no claim of rights is made therein.
