Welcome to Knowledge Base!

KB at your finger tips

This is one stop global knowledge base where you can learn about all the products, solutions and support features.

Categories
All

Storage and Backups-Nutanix

Flow Virtual Networking Guide

Flow Virtual Networking pc.2022.6

Product Release Date: 2022-08-03

Last updated: 2022-12-09

Purpose

This Flow Virtual Networking Guide describes how to enable and deploy Nutanix Flow Virtual Networking on Prism Central.

Upgrading from EA Versions

If you have enabled the early access (EA) version of Flow Virtual Networking, disable it before upgrading the Prism Central and enabling the general availability (GA) version of Flow Virtual Networking.

Related Documentation

Links to Nutanix Support Portal software and documentation.

The Nutanix Support Portal provides software download pages, documentation, compatibility, and other information/

Documentation Description
Release Notes | Flow Virtual Networking Flow Virtual Networking Release Notes
Port Reference Port Reference: See this page for details of ports that must be open in the firewalls to enable Flow Virtual Networking to function.
Nutanix Security Guide Prism Element and Prism Central security, cluster hardening, and authentication.
AOS guides and release notes Covers AOS Administration, Hyper-V Administration for Acropolis, Command Reference, Powershell Cmdlets Reference, AOS Family Release Notes, and AOS release-specific Release Notes
Acropolis Upgrade Guide How to upgrade core and other Nutanix software.
AHV guides and release notes Administration and release information about AHV.
Prism Central and Web Console guides and release notes Administration and release information about Prism Central and Prism Element.

Flow Virtual Networking Overview

Enabled and administered from Prism Central, Flow Virtual Networking powers network virtualization to offer a seamless network experience with enhanced security. It is disabled by default.

To enable and use Flow Virtual Networking , ensure that you log on to Prism Central as a local account user with Prism Admin role. If you log on to Prism Central as a non-local account (IDP-based) user or without Prism Admin role privileges, then Prism Central does not allow you to enable or use Flow Virtual Networking . The task is reported as Failed with a User Denied Access message.

Note:

Nutanix deploys a number of ports and protocols in its software. ports that must be open in the firewalls to enable Flow Virtual Networking to function. To see the ports and protocols used Flow Virtual Networking , see Port Reference.

It is a software-defined network virtualization solution providing overlay capabilities for the on-prem AHV clusters. It integrates tools to deploy networking features like Virtual Private Cloud (VPC) and Virtual Private Network (VPN) to support flexible app-driven networking that focuses on VMs and applications instead of virtual LANs and network addresses.

After you enable it on Prism Central, Flow Virtual Networking delivers the following.

  • A simplified, Prism Central-based workflow that deploys the application-driven network virtualization feature.
  • A secure multi-tenancy solution allowing per-tenant isolation using VPC-based network segmentation and namespace isolation.
  • A secure VPN-based connectivity solution for multiple sites, with automated VPN bundle upgrades.
  • NAT-based secure egress to external networks, with IP address retention and policy-based routing.
  • Self-serve networking services using REST APIs.
  • Enhanced networking features for more effective disaster recovery.
    Note: You can enable network segmentation on a Layer 2 extended virtual subnet that does not have a gateway. For more information about Layer 2 subnet extensions, see Layer 2 Virtual Network Extension. For information about network segmentation of an extended layer 2 subnet, see Segmenting a Stretched L2 Network for Disaster Recovery in the Securing Traffic through Network Segmentation section of the Security Guide .

Deployment Workflow

You can enable Flow Virtual Networking using a simple Prism Central driven workflow, which installs the network controller. The network controller is a collection of containerized services that run directly on the Prism Central VM(s). The network controller orchestrates all the virtual networking operations.

  • Ensure that microservices infrastructure is enabled in Prism Central Settings > Prism Central Management . See Prism Central Guide for information about enabling microservices infrastructure.
  • Enable Flow Virtual Networking in Prism Central Settings > Advanced Networking . It is disabled by default. See Enabling Flow Virtual Networking

  • You can opt out of Flow Virtual Networking by disabling the Advanced Networking option subject to prerequisites to disable advanced networking. See Disabling Flow Virtual Networking.

  • You can deploy Flow Virtual Networking in a dark site (a site that does not have Internet access) environment. See the Deploying Flow Virtual Networking at a Dark Site topic for more information.

  • You can upgrade the Flow Virtual Networking controller. Nutanix releases an upgrade for the Flow Virtual Networking controller with AOS and Prism Central releases. See Upgrading Flow Virtual Networking.

    See the AOS Family Release Notes and Release Notes | Prism Central .

  • Flow Virtual Networking allows you to create and manage virtual private clouds (VPCs) and overlay subnets to leverage the underlying physical networks that connect clusters and datacenters. See Virtual Private Cloud.

  • You can upgrade the network gateway version. Network gateway is used to create VPN or VTEP gateways to connect subnets using VPN connections, or Layer 2 subnet extensions over VPN or VTEP.

Flow Virtual Networking Architecture

The Flow virtual networking architecture uses a three-plane approach to simplify network virtualization.

Prism Central provides the management plane, the network controller itself acts as the control plane while the AHV nodes provide the data plane. This architecture provides a strong foundation for Flow virtual networking. This architecture is depicted in the following chart.

Figure. Flow Virtual Networking Architecture Click to enlarge Flow virtual networking Architecture diagram

Deployment Scale

Flow virtual networking supports the following scale:

Entities Scale

Virtual Private Clouds

500

Subnets

5,000

Ports

50,000

Floating IPs

2,000 per networking controller-enabled Prism Central.

Routing Policies

1,000 per Virtual Private Cloud.

10,000 per networking controller-enabled Prism Central.

Essential Concepts

VPC

A Virtual Private Cloud (VPC) is an independent and isolated IP address space that functions as a logically isolated virtual network. A VPC could be made up of one or more subnets that are connected through a logical or virtual router. The IP addresses within a VPC must be unique. However, IP addresses may overlap across VPCs. As VPCs are provisioned on top of another IP-based infrastructure (connecting AHV nodes), they are often referred to as the overlay networks. Tenants may spin up VMs and connect them to one or more subnets within a VPC. Virtual Private Cloud (VPC) is a virtualized network of resources that are specifically isolated from the rest of the resource pool. VPC allows you to manage the isolated and secure virtual network with enhanced automation and scaling. The isolation is done using network namespace techniques like IP-based subnets or VLAN based networking.

VPC Subnets

You can use IP address-based subnets to network virtual machines within a VPC. A VPC may use multiple subnets. VPC subnets use private IP address ranges. IP addresses within a single VPC must be unique, in other words, IP addresses inside the same VPC cannot be repeated. However, IP addresses can overlap across multiple VPCs. The following figure shows two VPCs named Blue and Green. Each VPC has two subnets, 192.168.1.0/24 and 192.168.2.0/24, that are connected by a logical router. Each subnet has a VM with an IP address assigned. The subnets and VM IP addresses overlap between the two VPCs.

Figure. VPC Subnet Click to enlarge Displaying an illustration of VPC networks

The communication between VMs in the same subnets or different subnets in the same VPC (also called East-West communication) is enabled using GEneric NEtwork Virtualization Encapsulation (GENEVE). If a Prism Central manages multiple clusters, then the VMs that belong to the same VPC could be deployed across different clusters. The virtual switch on the AHV nodes provide distributed virtual switching and distributed virtual routing for all VPCs.

The communication from a VM in a VPC to an endpoint outside the VPC (called external communication or North-South communication) is enabled by an external network connection. Such a connection may be secured using VPN. The following figure shows the logical connectivity of the VPCs to the external network, and subsequently to the Internet.
Note: You must configure the default route (0.0.0.0/0) to the external subnet as the next hop for connectivity outside the cluster (north-south connectivity).
Figure. External Communication Click to enlarge

External Subnets

Subnets outside a VPC are external subnets. External subnets may be subnets within the deployment but not included in a specific VPC. External subnets may also be subnets that connect to the endpoints outside the deployment such as another deployment or site.

External subnets can be deployed with NAT or without NAT. You can add a maximum of two external subnets - one external subnet with NAT and one external subnet without NAT to a VPC. Both external subnets cannot be of the same type. For example, you cannot add two external subnets, both with NAT. You can update an existing VPC similarly.

Primary and Secondary IP Addresses for VMs
See VM IP Address Management.
SNAT and Floating IP Address

SNAT and Floating IP addresses are used only when you use NAT for an external subnet.

In Source Network Address Translation (SNAT), the NAT router modifies the IP address of the sender in IP packets. SNAT is commonly used to enable hosts with private addresses to communicate with servers on the public Internet.

For VMs within the VPC to communicate with the rest of the deployment, the VPC must be associated with an external network. In such a case, the VPC is assigned a unique IP address, called the SNAT IP, from the subnet prefix of the external network. When the traffic from a VM needs to be transmitted outside the VPC, the source IP address of the VM, which is a private IP address, is translated to the SNAT IP address. The reverse translation from SNAT IP to private IP address occurs for the return traffic. Since the SNAT IP is shared by multiple VMs within a VPC, only the VMs within the VPC can initiate connections to endpoints outside the VPC. The NAT gateway allows the return traffic for these connections only. Endpoints outside the VPC cannot initiate connections to VMs within a VPC.

In addition to the SNAT IP address, you can also request a Floating IP address — an IP from the external subnet prefix that is assigned to a VM via the VPC that manages the network of the VM. Unless the floating IP address is assigned to the private IP address (primary or secondary IP address) of the VM, the floating IP address is not reachable. When the VM transmits packets outside the VPC, the private IP of the VM is modified to the Floating IP. The reverse translation occurs on the return traffic. As the VM uses the Floating IP address, an endpoint outside the VPC can also initiate a connection to the VM with the floating IP address.

The translation of the private IP addresses to Floating IP or SNAT IP address, and vice versa, is performed in the hypervisor virtual switch. Therefore, the VM is not aware of this translation. Floating IP translation may be performed on the hypervisor that hosts the VM to which the floating IP is assigned to. However, SNAT translation is typically performed in a centralized manner on a specific host.

NAT Gateway

NAT Gateways are used only when you use NAT for an external subnet.

Network Address Translation (NAT) is a process for modifying the source or destination addresses in the headers of an IP packet while the packet is in transit. In general, the sender and receiver applications are not aware that the IP packets are being manipulated.

A NAT Gateway provides the entities inside an internal network with connectivity to the Internet without exposing the internal network and its entities.

A NAT Gateway is:

  • A node or a AHV host. You need a host or a node to implement a NAT Gateway because NAT gateways require operations like load balancing and routing that are automatically performed by Flow virtual networking.
  • Connected to the internal network with an internal subnet based IP address and to the external network with an externally-routable IP address.

    The externally-routable IP address may be an IP address from a private IP address space or an RFC1918 address that is used as a NAT gateway. The NAT Gateway IP address could be a static IP address or a DHCP assigned IP address.

Table 1. NAT Gateway Failover Time
Event Failover Time
Network controller stops on AHV Up to 45 seconds.
Node reboot Up to 45 seconds.
Node power off:

When NAT Gateway and network controller MSP worker VMs are not on the same node.

Up to 45 seconds.
Node power off:

When NAT Gateway and network controller MSP worker VMs are on the same node.

Up to 300 seconds (5 minutes).
Static IP Address

A static IP address is a fixed IP address that is manually assigned to an interface in a network. Static IP addresses provide stable routes that do not have to be updated frequently in the routing table since the static routes generated using static IP addresses do not need to be updated.

Usually in a large IP-based network (a network that uses IP addresses), a Dynamic Host Configuration Protocol or DHCP server assigns IP addresses to interfaces of an entity (using DHCP client service on the entity). However, some entities may require a static IP address that can be reached (manual remote access or via VPN) quickly. A static IP address can be reached quickly because the IP address is fixed, assigned manually and is stored in the routing table for a long duration. For example, a printer in an internal network would need a static IP address so that it can be connected reliably. Static IP addresses can be used to generate static routes which remain unchanged in routing tables, thus providing stable long-term connectivity to the entity that has the static IP address assigned.

Static Route

Static routes are fixed routes that are created manually by the network administrator. Static routes are more suited for small networks or subnets. Irrespective of the size of a network, static routes may be required in a variety of cases. For example, in VPCs where you use virtual private networks (VPNs) or Virtual Tunnel End Point (VTEP) over VxLAN transport connections to manage secure connections, you could use static routes for specific connections such as site-to-site connections for disaster recovery. In such a case it is necessary to have a known reliable route over which the disaster recovery operations can be performed smoothly. Static routes are primarily used for:

  • Facilitating the easy maintenance of the routing table in small networks that are not expected to grow.
  • Routing to and from other internal route or stub networks. A stub network or an internal route network is a network accessed using a single route and the router has only one neighbor.
  • Use as a default or backup route. Such a route is not expected to specifically match any other route in the routing table.

In a network that is not constantly changing, static routes can provide faster and more reliable services by avoiding the network overheads like route advertisement and routing table updates for specific routes.

Overlay networks

You can create an IP-based Overlay subnet for a VPC. An Overlay network is a virtualized network that is configured on top of an underlying virtual or physical network. A special purpose multicast network can be created as an Overlay network within an existing network. A peer-to-peer network or a VPN are also examples of Overlay networks. An important assumption for an Overlay network is that the underlying network is fully connected. Nutanix provides the capability to create Overlay network-based VPCs.

Comparing Overlay with VLAN

See how overlay networks compare with VLAN networks. A virtual local area network or VLAN network is a Layer 2 network that provides virtualized network segmentation solution. VLANs route and balance traffic in a network based on MAC addresses, Protocols such as Ethernet, ports or specific subnets. A VLAN creates a virtual Layer 3 network using Layer 2 addressing by separating broadcast domains virtually or logically. A VLAN configured network behaves as if the network is segmented using a physical layer 2 switch without implementing a layer 3 IP based subnet for the segmentation. VLAN traffic usually cannot traverse outside the VLAN.

The main advantage that VLAN networks provide is that VLAN networks require only layer 2 (L2) connectivity. VLANs do not require any of the layer 3 (L3) Flow virtual networking features.

Overlay networks can be laid on underlying physical network connections including VLAN networks. Overlay networks provide the following advantages and constraints:

  • IP address namespace is decoupled from the physical network.
  • You can create, update or delete overlay networks without requiring any configurations on the physical network and powering down the systems.
  • You can create overlay networks that can span across multiple clusters.
  • VLAN networks are necessary for Bootstrapping of Flow virtual networking.
    Note: Nutanix recommends using VLAN0 as the default untagged (also called native) VLAN for a CVM and AHV host. You can create VLANs for user VMs using the Network Configuration page. You can use the Create Virtual Switch dialog box from the Network Configuration page to create virtual switches for the user VM VLANs.
  • AHV Networking VLAN and Flow virtual networking VLAN: VLAN backed subnets for external connectivity are managed by the Flow virtual networking control plane. Traditional AHV VLAN IPAM networks are managed by Acropolis. Do not configure the same VLAN as both a Flow virtual networking external network and an AHV IPAM network, as this can lead to IP address conflicts.

Traffic Behavior

Broadcast Traffic

When all the guest VMs belonging to a subnet are in the same AHV: Flow virtual networking broadcasts the traffic to all guest VMs in the same subnet.

When some VMs belonging to a subnet are in other AHVs: Flow virtual networking tunnels the traffic to only those AHVs which have endpoints in the same subnet.

In other words, Flow virtual networking broadcasts traffic to all the guest VMs in the same subnet.

Unicast Traffic

Unicast traffic is traffic transmitted on a one-to-one basis between IP addresses and ports. There is only one sender and one receiver for the traffic. Unicast traffic is usually the most used form of traffic in any LAN network using Ethernet or IP networking. Flow virtual networking transmits unicast traffic based on the networking policies set.

Unknown Unicast Traffic

Flow virtual networking always drops unknown unicast traffic. It is not transmitted to any guest VM within or outside the source AHV.

Multicast Traffic

Flow virtual networking transmits the traffic to the VMs in the multicast group within the same subnet. If the VM is on another AHV, the destination AHV must have an endpoint in the subnet.

Multicast Group

A multicast group is defined by an IP address (called a multicast IP address, usually a Class D IP address) and a port number. Once a host has group membership, the host will receive any data packets that are sent to that group defined by an IP address/port number.

Prerequisites for Enabling Flow Virtual Networking

Make sure you meet these prerequisites before you enable Flow Virtual Networking on Prism Central.

Requirements

Important: Prism Central protection and recovery does not protect or recover Flow Virtual Networking services.

You must have the following fulfilled to enable Flow Virtual Networking :

  • Ensure that you log on to Prism Central as a local account user with Prism Admin role. If you log on to Prism Central as a non-local account (IDP-based) user or without Prism Admin role privileges, then Prism Central does not allow you to enable or use Flow Virtual Networking . The task is reported as Failed with a User Denied Access message.

  • Ensure that the Prism Central running Flow Virtual Networking is hosted on an AOS cluster running AHV.

    The network controller has a dependency only on the AHV version.

  • Ensure that microservices infrastructure on Prism Central is enabled. See Prism Central Guide for information about microservices infrastructure.
  • Choose the x-large PC VM size for Flow Virtual Networking deployments. Small or large PC VMs are not supported for Flow virtual networking.

    If you are running a small or large Prism Central VMs, upgrade the Prism Central VM resources to x-large PC VM. See Acropolis Upgrade Guide for procedure to install an x-large Prism Central deployment.

  • Although Flow Virtual Networking may be enabled on a single-node PC, Nutanix strongly recommends that you deploy a three-node scale-out Prism Central for production deployments. The availability of Flow Virtual Networking service in Prism Central is critical for performing operations on VMs that are connected to overlay networks. A three-node scale-out Prism Central ensures that Flow Virtual Networking continues to run even if one of the nodes with a PCVM fails.

  • Prism Central VM registration. You cannot unregister the Prism Element cluster that is hosting the Prism Central deployment where you have enabled Flow Virtual Networking . You can unregister other clusters being managed by this Prism Central deployment.

  • Ensure that Microservices Infrastructure (CMSP) is enabled on Prism Central before you enable Flow Virtual Networking . See the Prism Central Guide for more information.

    For the procedure to enable Microservices Infrastructure (including enable in dark site), see Enabling Micro Services Infrastructure section in the Prism Central Guide .

    Note: When you configure microservices infrastructure, ensure that the DNS name you configure for CMSP does not end with test . Flow Virtual Networking does not support test as a top level domain. For example, the following are valid domain configurations:
    • my.cluster.domain
    • my.test.cluster.test.domain
    However, the following are examples of domains that Flow Virtual Networking does not support:
    • my.cluster.test
    • my.cluster.domain.test
  • Ensure that you have created a virtual IP address (VIP) for Prism Central. The Acropolis Upgrade Guide describes how to set the VIP for the Prism Central VM. Once set, do not change this address.

  • Ensure connectivity:

    • Between Prism Central and its managed Prism Element clusters.

    • To the Internet for connectivity (not required for dark site) to:

      • ECR for Docker images
      • S3 storage for LCM portal
      Note: For dark site deployments, Nutanix provides a dark site bundle, which has the Docker images (normally hosted on ECR) and the network controller package (normally hosted on LCM portal). These dark site bundles can be downloaded using an internet-connected system outside the dark site.
  • Prism Central backup, restore, and migration. You cannot perform these operations on MSP-enabled Prism Central.
  • Nutanix recommends increasing the MTU to 9000 bytes on the virtual switch vs0 and ensure that the physical networking infrastructure supports higher MTU values (jumbo frame support). The recommended MTU range is 1600-9000 bytes.

    Nutanix CVMs use the standard Ethernet MTU (maximum transmission unit) of 1,500 bytes for all the network interfaces by default. The system advertises the MTU of 1442 bytes to guest VMs using DHCP to account for the extra 58 bytes used by Generic Network Virtualization Encapsulation (Geneve). However, some VMs ignore the MTU advertisements in the DHCP response. Therefore, to ensure that Flow Virtual Networking functions properly with such VMs, enable jumbo frame support on the physical network and the default virtual switch vs0.

    If you cannot increase the MTU of the physical network, decrease the MTU of every VM in a VPC to 1442 bytes in the guest VM console.

    Note: Do not change the MTU of the CVM.
    Figure. Sample Configurations with and without Higher MTU - VS0, CVM and UVMs Click to enlarge

Requirements for Upgrades

The following applies to upgrades of Flow Virtual Networking network controller ( Advanced Networking in Prism Control Settings ):

  • Ensure that the Prism Central host is running an AHV version compatible with the networking controller upgrade version. If necessary, upgrade the AHV version using LCM to the version compatible with the network controller upgrade version.
    Note:

    See Compatibility and Interoperability Matrix on the Nutanix Support portal for AOS and Prism Central compatibility.

  • Ensure that all the AHV hosts in the AOS cluster are running the version compatible with the network controller upgrade version.

    The network controller upgrade fails if any of the AHV hosts is running an incompatible version.

Limitations

Limitations for Flow Virtual Networking are as follows.
  • Flow Virtual Networking does not support Flow Network Security for guest VMs.

    You cannot configure rules for Flow Network Security if a guest VM has any NICs connected to VPCs.

  • Flow Virtual Networking is supported only on AHV clusters. It is not supported on ESXi or Hyper-V clusters.

  • Flow Virtual Networking is not enabled on the new PE cluster registering with the Flow Virtual Networking -enabled Prism Central if the Prism Element cluster has an incompatible AHV version.

  • Flow Virtual Networking does not support updating a VLAN-backed subnet as an external subnet.

    You cannot enable the external connectivity option in the Update Subnet dialog box. Therefore, you cannot modify an existing VLAN-backed subnet to add external connectivity.

    VLAN backed subnets for external connectivity are managed by the Flow Virtual Networking control plane. Traditional AHV VLAN IPAM networks are managed by acropolis.

    Note: Do not configure the same VLAN as both a Flow Virtual Networking external network and an AHV IPAM network, as this can lead to IP address conflicts.
  • Flow Virtual Networking cannot be disabled if any external subnets and VPCs are in use. Delete the external subnets and VPCs and then disable Flow Virtual Networking .

  • Disaster Recovery backup and migration: CMSP-enabled Prism Central does not support disaster recovery backup and migration operations both as a source and target host.

Flow Virtual Networking Configurations

Enabling Flow Virtual Networking

Before you begin

Ensure that microservices infrastructure is enabled on Prism Central. See Enabling Micro Services Infrastructure section in the Prism Central Guide .

About this task

Before you proceed to enable Flow virtual networking by enabling the Advanced Networking option, see Prerequisites for Enabling Flow Virtual Networking.

To enable Advanced Networking, go to Prism Central Settings > Advanced Networking and do the following.

Procedure

  • In the Advanced Networking pane, click Enable .

    Ensure that the prerequisites specified on the pane are fulfilled.

    Figure. Enabling Flow Virtual Networking Click to enlarge Displaying the Advanced Networking page.

    Prism Central displays the deployment in-progress.
    Figure. Deployment Progress Click to enlarge Displaying the Deployment Progress.

  • Flow virtual networking is enabled.
    Figure. Flow Virtual Networking Status Click to enlarge Displaying the enabled status of Flow virtual networking.

Disabling Flow Virtual Networking

About this task

You can disable Flow virtual networking. However, the network controller cannot be disabled if any external subnets and VPCs are in use. Delete the subnets and VPCs before you disable advanced networking.

Note:

Flow virtual networking cannot be disabled if any external subnets and VPCs are in use. Delete the external subnets and VPCs and then disable Flow virtual networking.

To disable Flow virtual networking, do the following.

Procedure

  1. On the Advanced Networking page, click Disable .
    Figure. Click to enlarge Displaying the highlighted Disable Advanced Networking link.

  2. On the confirmation message box, click Confirm to confirm disablement.

    To exit without disabling the Advanced Networking controller, click Cancel .

Unregistering a PE from the PC

Before unregistering a Prism Element from PC, disable Flow virtual networking on that Prism Element using network controller CLI (or atlas_cli).

About this task

When Flow virtual networking is enabled on a Prism Central, it propagates the capability to participate in VPC networking to all the registered Prism Elements that are running the required AHV version.

In cases where there are VMs on the Prism Element attached to the VPC network, or if the Prism Element is used to host one or more of the external VLAN networks attached to a VPC, Prism Central alerts you with a prompt. When being alerted about the aforementioned conditions, close the CLI and make adequate configuration to resolve the condition (for example, select a different cluster for the external VLAN network and delete the VMs attached to the VPC network running on the Prism Element). After making such configurations, execute the network controller CLI to disable Flow virtual networking. If the command goes through successfully, it is safe to unregister the Prism Element.

For example, in a deployment of three Prism Elements - PE1, PE2 and PE3 - registered to the Flow virtual networking-enabled PC, you want to unregister PE3 from the PC. You must first disable Flow virtual networking using the following steps:

Procedure

  1. SSH to PE3.
  2. Run the ncli cluster info or ncli cluster get-params command to get the cluster parameters.
    Copy the cluster UUID (For example: 017457d3-1012-465c-9c54-aa145f2da7d9) from the displayed cluster parameters.
  3. SSH to the Prism Central VM.
  4. Open the network controller console by executing the atlas_cli command.
    nutanix@cvm$ atlas_cli
    <atlas> 
  5. Execute the config.add_to_excluded_clusters <cluster uuid> command, providing the cluster UUID that you copied earlier.

    An example of the PC alert, for the condition that PE3 VM is attached to an external network, is as follows:

    <atlas> config.add_to_excluded_clusters 0005bf8d-2a7f-3b2e-0310-d8e34995511e 
    Cluster 0005bf8d-2a7f-3b2e-0310-d8e34995511e has 1 external subnet, 
    which will lose connectivity. Are you sure? (yes/no)
    Note: To enable Flow virtual networking on the cluster, execute the config.remove_from_excluded_clusters <cluster uuid> command, providing the cluster UUID.

What to do next

To verify if Flow virtual networking is disabled or enabled, SSH to PE3 and run the acli atlas_config.get command.

The output displays the enable_atlas_networking parameter as False if Flow virtual networking is disabled and as True if Flow virtual networking is enabled on the Prism Element.

nutanix@cvm$ acli atlas_config.get
config {
  anc_domain_name_server_list: “10.10.10.10”
  enable_atlas_networking: False
  logical_timestamp: 19
  minimum_ahv_version: “20190916.101588"
  ovn_cacert_path: “/home/certs/OvnController/ca.pem”
  ovn_certificate_path: “/home/certs/OvnController/OvnController.crt”
  ovn_privkey_path: “/home/certs/OvnController/OvnController.key”
  ovn_remote_address: “ssl:anc-ovn-external.default.anc.aj.domain:6652"
}

You can now unregister the PE from the PC.

Upgrading Flow Virtual Networking

You can upgrade the Flow virtual networking controller ( Advanced Networking Controller in Prism Central Settings ) using Life Cycle Manager (LCM) on Prism Central.

Before you begin

See Prerequisites for Enabling Flow Virtual Networking.

In case of upgrading the Flow virtual networking controller in a dark site, ensure that LCM is configured to reach the local web server that hosts the dark site upgrade bundles.

Note:

The network controller upgrade fails to start after the pre-check if one or more clusters have Flow virtual networking enabled and are running an AHV version incompatible with the new network controller upgrade version.

About this task

To upgrade the network controller using LCM, do the following.

Procedure

  1. Choose one of the following ways to reach the LCM page:
    • Go to Administration > LCM > Inventory
    • Click Check for Updates on the Advanced Networking page.

    Figure. Check for Updates Click to enlarge Displaying Check for Updates link on the Advanced Networking page.

  2. Click Perform Inventory .

    When you click Perform Inventory , the system scans the registered Prism Central cluster for software versions that are running currently. Then it checks for any available upgrades and displays the information on the LCM page under Software .

  3. Go to Updates > Software . Select the Advanced Networking Controller version you want to upgrade to and click Update .
    Figure. Networking Controller version Click to enlarge Displaying sample LCM dashboard with the available Advanced Networking Controller upgrade available

Deploying Flow Virtual Networking at a Dark Site

About this task

Dark sites are primarily on-premises installations which do not have access to the internet. Such sites are disconnected from the internet for a range of reasons including security. To deploy Flow virtual networking at such dark sites, you need to deploy the dark site bundle at the site.

This dark site deployment procedure includes downloading and deploying MSP and the network controller bundles.

Before you begin

  • See Prerequisites for Enabling Flow Virtual Networking.

  • You need access to the Nutanix Portal from an Internet-connected device to download the following dark site bundles:

    Note: For dark site deployments, Nutanix provides a dark site bundle, which has the Docker images (normally hosted on ECR) and the network controller package (normally hosted on LCM portal). These dark site bundles can be downloaded using an internet-connected system outside the dark site.
    • MSP dark site bundle: https://portal.nutanix.com/page/downloads/list > Microservices Platform (MSP)
    • Flow virtual network controller dark site bundle: See the Flow Virtual Networking Release Notes for the link to download the dark site bundle.
    • Network Gateway bundle: See the Flow Virtual Networking Release Notes for the link to download the dark site bundle with checksum text file. Also, see KB-12393 .

To deploy Flow virtual networking at a dark site, do the following.

Procedure

  1. Start a web server to host the dark site bundles and act as a source for the LCM downloads, if one is not already created.

    The web server can be a virtual machine on a cluster at the dark site. All the Prism Central VMs at the dark site must have access to this web server. This web server is used when you deploy any dark site bundle including the network controller darksite bundle.

    For more information about the server installation, see:

    • Linux web server

    • Windows web server

  2. In Prism Central, go to Administration > LCM > Inventory .

    Alternatively, SSH into the Prim Central VM as an admin user and run the following command.

    admin@pcvm$ mspctl controller airgap enable --url=http://<LCM-web-server-ip>/release

    Where <LCM-web-server-ip> is the IP address of the LCM web server and release is the name of the directory where the packages were extracted.

    For example, admin@pcvm$ mspctl controller airgap enable --url=http://10.48.111.33/release . Here, 10.48.111.33 is the IP address of the LCM web server and release is the name of the directory where the packages were extracted.

  3. Verify the configuration by running the following command:
    nutanix@cvm$ mspctl controller airgap get
  4. From a device that has public Internet access, click the Nutanix Compatibility Bundle link and down the bundle. Transfer this bundle to the LCM web server and extract the contents.
  5. From a device that has public Internet access, Nutanix recommends that you download and extract the latest MSP dark site bundle, transfer it to the LCM web server, and extract the contents.
  6. From a device that has public Internet access, download the Flow virtual networking dark site bundle (see Release Notes | Flow Virtual Networking for download links). Transfer the bundle to the LCM web server.
  7. Extract or unpack the Flow Virtual Networking dark site bundle on the LCM web server.

    After unpacking, check if the system shows a directory path that includes the following as per the example: http://<LCM-web-server-ip>/release/builds/msp-builds/msp-services/464585393164.dkr.ecr.us-west-2.amazonaws.com/nutanix-msp/atlas-hermes/ .

  8. Run the following command after unpacking to ensure that the file permissions are not disrupted during the unpacking:
    • Linux.
      chmod -R +r builds
    • Windows NTFS.
      
      $> takeown / R / F *
      $> icacls <Build-file-path> /t /grant:F 
      .
  9. Enable microservices infrastructure.

    See the Enabling Microservices Infrastructure section in the Prism Central Guide for details.

  10. Enable Flow virtual networking. See Enabling Flow Virtual Networking.

Troubleshooting Tips

This section provides information to assist troubleshooting of Flow virtual networking deployments. This is in addition to the information that the "Prism Central Guide" provides.

Audit Logs

Prism Central generates audit logs for all the flow networking activities like it does for other activities on Prism Central. See Audit Summary View in the Prism Central Guide , for more information about Audit log.

Support Bundle Collection

To support troubleshooting for Flow virtual networking, you can collect logs.

To collect the logs, run the following commands on the Prism Central VM console:

nutanix@cvm$ logbay collect -t msp,anc

An example of the command is as follows:

nutanix@cvm$ logbay collect -t msp,anc -O msp_pod=true,msp_systemd=true,kubectl_cmds=true,persistent=true --duration=-48h0m0s

Where:

  • -t flag indicates the tags to collect

    • msp tag will collect logs from the services running on MSP pods and persistent log volumes (application-level logs)

    • anc tag will collect the support bundle, which includes database dumps and OVN state

  • -O flag adds tag-level options

    • msp_pod=true collects logs from MSP service pods

      On the PC, these logs can be found under /var/log/containers .

    • persistent=true collects persistent log volumes (application-level logs for ANC)

      On the PC, these can be found under /var/log/ctrlog

    • kubectl_cmds=true runs kubectl commands to get the Kubernetes resource state

  • --duration sets the duration from the present to collect

The command run generates a zip file at a location, for example: /home/nutanix/data/logbay/bundles/<filename>.zip

Unzip the bundle and you'll find the anc logs under a directory specific to your MSP cluster, the worker VM where the pod is running, and the logging persistent volume of that pod. For example:

./msp/f9684be8-b4e8-4524-74b4-076ed53ca1fd/10.48.128.185__worker_master_etcd/persistent/default/ovn/anc-ovn_StatefulSet/

For more information about the task run, see the text file that the command generates at a location, for example: /home/nutanix/data/logbay/taskdata/<taskID>/collection_result.txt

For more information about the logbay collect command, see the Logbay Log Collection (Command Line) topic in the Nutanix Cluster Check Guide (NCC Guide).

Layer 2 Virtual Subnet Extension Alert

The L2StretchLocalIfConflict alert (Alert with Check ID - 801109) may occur while performing Layer 2 virtual subnet extensions. See KB-10395 for more information about its resolution.

Network Gateway Upgrades

Nutanix deployment can detect and install upgrades for the onprem Nutanix Gateways.

For information about identifying the current Nutanix Gateway version, see Identifying the Gateway Version.

For onprem Nutanix Gateways, the upgrades need to be detected and installed on the respective PC on which each Nutanix Gateway is installed.

For more information, see Detecting Upgrades for Gateways.

When Prism Central detects the upgrades, it displays a banner on the Gateways tab of the Connectivity page. The banner notifies you that a Gateway upgrade is available after you have run LCM inventory. The table on the Gateways tab also displays an alert (exclamation mark) icon for the network gateways that the upgrade applies to. The hover message for the icon informs you that an upgrade is available for that Gateway.

Figure. Upgrade Banner Click to enlarge Displaying sample VPN Gateway tab.

For more information about the upgrade procedure, see Upgrading the PC-managed Onprem Nutanix VPN Gateways.

Identifying the Gateway Version

About this task

To identify the current Nutanix Gateway version, do the following:

Procedure

  • Click the hamburger icon and Networking & Security > Connectivity .
  • On the Gateways tab, click the Gateway name link text to open the Gateway details page.

    In the Gateway table, the VPN Gateway name is a clickable link text.

    The Gateway Version is listed in the Properties widget.

    Figure. Gateway Version Click to enlarge Displays sample VPN Gateway details page with clickable version number.

Detecting Upgrades for Gateways

About this task

Prism Central can detect whether new Gateway upgrades are available, or not, for Nutanix Gateways using LCM. You can then install the upgrade.

Procedure

  • Click the hamburger icon of Dashboard .
  • Click Administration > LCM > Inventory .
  • Click Perform Inventory .
    Note:

    Nutanix recommends that you select Enable LCM Auto Inventory in the LCM page in Prism Central to continuously detect new Gateway upgrades as soon as they are available.

    The upgrade notification banner is displayed on the Gateways page.

Upgrading the PC-managed Onprem Nutanix VPN Gateways

About this task

Perform upgrades of PC-managed Nutanix Gateways using the respective PC on which the Gateway is created.

To upgrade the on-prem Nutanix Gateways, do the following:

Procedure

  1. Log on to the Prism Central as the admin user and click the gear icon.
  2. Go to Administration > LCM > Inventory .
  3. Click Perform Inventory .

    When you click Perform Inventory , the system scans the registered Prism Central cluster for software versions that are running currently. Then it checks for any available upgrades and displays the information on the LCM page under Software .

    Note:

    Skip this step if you have enabled auto-inventory in the LCM page in Prism Central.

  4. Go to Updates > Software . Select the Gateway version you want to upgrade to and click Update .

    LCM upgrades the Gateway version. This process takes sometime.

Network and Security View

The Network and Security category in the Entities Menu expands on-click to display the following networking and security entities that are configured for the registered clusters:

  1. Subnets : This dashboard displays the subnets and the operations you can perform on subnets.

  2. Virtual Private Clouds : This dashboard displays the VPCs and the operations you can perform on VPCs.

  3. Floating IPs : This dashboard displays a list of floating IP addresses that you are using in the network. It allows you to request for floating IP addresses from the free pool of I addresses available to the clusters managed by the Prism Central instance.

  4. Connectivity : This dashboard allows you to manage the following networking capabilities:

    • Gateways : This tab provides a list of network Gateways you have created and configured, and the operations you can perform on the network Gateways. You can check and upgrade the Gateway bundle in Administration > LCM > Inventory .

    • VPN Connections : This tab provides a list of VPN connections you have created and configured, and the operations you can perform on VPN connections.

    • Subnet Extensions : This tab provides a list of subnets that you have extended at the Layer 2 level using VPN (point-to-point over Nutanix VPN) or VTEP (point-to-multi-point including third party).

  5. Security Policies : This dashboard provides a list of security policies you configured using Flow Segmentation. For more information about Security Policies, see the Flow Microsegmentation Guide.

See Network Connections section for information on how to configure network connections.

Subnets (Overlay IP subnets), Virtual private clouds, floating IPs, and Connectivity are Flow virtual networking features. These features support flexible app-driven networking that focuses on VMs and applications instead of virtual LANs and network addresses. Flow virtual networking powers network virtualization to offer a seamless network experience with enhanced security. It is disabled by default. It is a software-defined network virtualization solution providing overlay capabilities for the on-premises AHV clusters.

Security policies drives the Flow Segmentation features for secure communications. See Flow Microsegmentation Guide.

Subnets

Manage subnets in the List view of Subnets dashboard in the Network and Security section.

To access the Subnets dashboard, select Subnets from the entities menu in Prism Central. The Subnets dashboard allows you to view information about the subnets configured for the registered clusters.

Note: This section describes the information and options that appear in the Network and Security dashboard. See Entity Exploring for instructions on how to view and organize that information in a variety of ways.
Figure. Subnets Dashboard Click to enlarge sample Subnets dashboard

The following table describes the fields that appear in the subnets list. A dash (-) is displayed in a field when a value is not available or applicable.

Table 1. Subnets Dashboard Fields
Parameter Description Values
Name Displays the subnet name. (subnet name)
External Connectivity Displays whether or not the subnet has external connectivity configured. (Yes/No)
Type Displays the subnet type. VLAN
VLAN ID Displays the VLAN identification number. (ID number)
VPC Displays the name of the VPC that the Subnet is used in. (Name of VPC)
Virtual Switch Displays the virtual switch that is configured for the VLAN you selected. The default value is the default virtual switch vs0 .
Note: The virtual switch name is displayed only if you add a VLAN ID in the VLAN ID field.
(virtual switch name)
IP Prefix Displays the IPv4 Address of the network with the prefix. (IPv4 Address/Prefix)
Cluster Displays the name of the cluster for which this subnet is configured. (cluster name)
Hypervisor Displays the hypervisor that the subnet is hosted on. (Hypervisor)

To filter the list by network name, enter a string in the filter field. (Ignore the Filters pane as it is blank.)

To view focused fields in the List, select the focus parameter from the Focus drop down list. You can create your own customised focus parameters by selecting Add custom from the drop down list and selecting the necessary fields after providing a Name , in the Subnet Columns .

There is a Network Config action button to configure a new network (see Configuring Network Connections)

The Actions menu appears when one or more networks are selected and includes a Manage Categories option (see Assigning a Category).

Go to the Subnets list view by clicking Network and Security > Subnets on the left side-bar.

Figure. Subnets Page Click to enlarge

To view or select actions you can perform on a subnet, select the subnet and click the Actions dropdown.

Figure. Subnet Actions Click to enlarge

Table 2. Subnet Actions
Action Description
Update Click this action to update the selected subnet. see Updating a Subnet.
Manage Extension Click this action to create a subnet extension. A subnet extension allows VMs to communicate over the same broadcast domain to a remote Xi availability zone (in case of Xi-Leap based disaster recovery) via the extension.
Manage Categories Click this action to associate the subnet with a category or change the categories that the subnet is associated with.
Delete Click this action to delete the selected subnet. See Deleting Subnets, Policies, or Routes.

You can also filter the list of subnets by clicking the Filters option and selecting the filtering parameters.

Subnet Summary View

View the details of a subnet listed on the Subnets page.

To view the details of a subnet, click the name of the subnet on the subnet list view.

Figure. Subnet Summary Page Click to enlarge Displaying sample subnets Summary view

The Summary page provides buttons for the actions you can perform on the subnet, at the top of the page. Buttons for the following actions are available: Update , Extend , Manage Categories , and Delete .

The subnet Summary page has the following widgets:

Widget Name Information provided
Subnet Details Provides the following:
  • Type — Displays the type of network like VLAN or Overlay.
  • VLAN ID — Displays the VLAN ID. This parameter is displayed only for VLAN networks.
  • VPC — Displays the VPC name. This parameter is displayed only for Overlay networks.
  • Cluster — Displays the cluster that the VLAN network is configured on. This parameter is displayed only for VLAN networks.
  • IP Prefix — Displays the IP address prefix configured for the network. This parameter is displayed for both VLAN and Overlay networks.
IP Pool Provides the IP address Pool Range assigned to the network.
External Connectivity Provides the following:
  • NAT — Displays whether NAT is enabled or disabled for VPCs connecting to the network. When you hover on the Enabled / Disabled status, the hover message displays details of VPCs connected to the external subnet.
  • Associated VPCs — Displays the VPCs associated with this external subnet.

Virtual Private Clouds

You can manage Virtual Private Clouds (VPCs) on the Virtual Private Clouds dashboard.

Go to the Virtual Private Clouds dashboard by clicking Network and Security > Virtual Private Clouds on the left side-bar.

Figure. Virtual Private Clouds dashboard Click to enlarge

You can configure the table columns for the VPC list table. The available column list includes Externally Routable IP Addresses that provides address space within the VPC that is reachable externally without NAT.. For the list of columns that you can add to the list table, see Customizing the VPC List View.

Note:

Ensure that the externally routable IP addresses (subnets with external connectivity without NAT) for different VPCs do not overlap.

Configure the routes for the external connectivity subnets with next hop as the Router or SNAT IP address. Also configure the routes on the router for the return traffic to reach the VPC. See External Connectivity panel in VPC Details View.

To view or select actions you can perform on a VPC, select the VPC and click the Actions drop down.

You can also filter the list of VPC by clicking the Filters option and selecting the filtering parameters.

Customizing the VPC List View

About this task

You can customize the columns in the table. Click the View by drop down and select + Add custom .

In the Virtual Network Columns dialog box, do the following.

Procedure

  1. Enter a name for the view.
  2. Select the columns you want displayed in the table.

    During the column selection, the columns you select are moved under the Selected Columns list. The Name (of the VPC) column is the default column already selected. You can add a maximum of 10 columns (including the Name column) to the Selected Column list.

    Figure. Customizing Columns in VPC View Click to enlarge

    To arrange the order of the selected columns, hover on the column name and click the up or down arrow button as appropriate.

  3. Click Save .

VPC Details View

To view the details of a VPC, click the name of the VPC on the VPC list view.

The VPC details view has the following tabs:

  • Summary
    Figure. Summary Tab Click to enlarge Displaying the Summary tab in the VPC dashboard

    The Summary tab provides the following panes:

    • DNS Servers—Provides more information about the DNS Servers used by the VPC.
    • External Connectivity—Provides the name of the external subnet, NAT Gateway host details, router/SNAT IP address and the IP address spaces or ranges configured for the VPC.
    • Floating IP Addresses—Provides details of the floating IP addresses that the VPC uses.
  • Subnets
    Figure. Subnet Tab Click to enlarge Displaying the Subnet tab in the VPC dashboard

    The Subnet tab provides the following information for the subnets:

    • Name—Displays the name of the subnet.
    • IP Range—Displays the IP address range configured for the subnet.
    • DHCP IP Pool—Displays the DHCP IP address pool configured for the subnet.
    • Default Gateway IP—Displays the IP address used as the default gateway by the entities in the subnet.
    • Actions—Displays the actionable links to Edit or Delete the subnet.
  • Policies
    Figure. Policies Tab Click to enlarge Displaying the Policy tab in the VPC dashboard

    The Policies tab maps the following information about the security-based traffic shaping policies you configure:

    • Priority—The traffic priority.
    • Rule—The Allow or Deny rule set for the priority.
    • Traffic—The traffic type that the priority and rule should be applied to.
    • Actions—Actions you can take on the policy. You can perform three actions: Clear counters , Edit the policy or Delete the policy.
  • Routes
    Figure. Routes Tab Click to enlarge Displaying the Router tab in the VPC dashboard

    The Routes tab provides the following information about the routes:

The VPC details view has the following configuration options for the VPC:

  • Update : Use this option to update the VPC. For more information, see Updating Virtual Private Cloud.
  • Add Subnet : Use this option to add a subnet to the VPC. For more information, see Creating a Subnet.
  • Create Static Routes : Use this option to create a static route. For more information, Creating Static Routes.
  • Update Static Routes : Use this option to update static route configurations that you already created. For more information, see Updating Static Routes.
  • Create Policy : Use this option to create traffic policies in addition to the pre-configured default policy. When you create a VPC, there is one default policy that Advanced Networking creates for the VPC. This policy is pre-configured and cannot be edited. For more information, see Creating a Policy.
  • Clear All Counters : Allows you to clear all the counters for the VPC.
  • Delete : Allows you to delete the VPC. For more information, see Deleting a Virtual Private Cloud.

Floating IPs

You can access floating IPs on the Floating IPs dashboard or list view in the Network and Security section.

For information about floating IP addresses and their role in Flow virtual networking, see SNAT and Floating IP Address.

Go to the Floating IPs dashboard by clicking Network and Security > Floating IPs on the left side-bar.

Figure. Floating IPs dashboard Click to enlarge Displaying the Floating IP dashboard

To view or select actions you can perform on a floating IP address assigned, select the floating IP address and click the Actions drop down. The following actions are available for a selected floating IP address:

  • Update—Assign or change the assignment of the floating IP address. You can assign the floating IP address to a IP address such as a private IP address in a VPC or the primary IP address of a VM or a secondary IP address created on a VM.
  • Delete—Delete the floating IP address. The deleted IP address returns to the IP address pool as unused. Before you delete, ensure that it is not assigned to a private IP address or a VM. Change the assignment to None if it is already assigned, using the Update action.
Note: Floating IP addresses are not reachable (Pings fail) unless you associate them to primary or secondary IP addresses of VMs. For more information about assigning floating IP addresses to secondary IP addresses of VMs, see Assigning Secondary IP Addresses to Floating IPs .

To filter the list of floating IP address assignments, click the Filters option and select the appropriate filtering parameters.

To request floating IP addresses, see Requesting Floating IPs.

Connectivity

You can access network Gateways, VPN connections and subnet extensions on the Connectivity dashboard.

Click Network & Security > Connectivity to see the Connectivity dashboard.

The Connectivity dashboard opens on the Gateways tab. To see the VPN connections, click the VPN Connections tab. To see the subnets extended across AZs, click the Subnet Extensions tab.

Gateways Summary View

The Connectivity dashboard opens on the Gateways dashboard or summary view.

The Gateway dashboard provides a list of gateways created for the clusters managed by the Prism Central.

The Gateways dashboard provides a Create Gateway dropdown menu that lets you create a Local or a Remote gateway. You can create a local or remote gateway with VPN or VTEP service. For more information, see Creating a Network Gateway.

You can select a gateway from the list (select the checkbox provided for the gateway) and then perform an action provided in the Actions dropdown list. The Actions dropdown list allows you to Update or Delete the selected gateway.

Figure. Gateways dashboard Click to enlarge Displaying the Connectivity dashboard with the Gateways dashboard

The Gateway summary list view provides the following details about the gateway.

Table 1. Gateway List Fields
Parameter Description Values
Name Displays the name of the gateway. (Name of gateway)
Type Displays the gateway type. (Local or Remote)
Service Displays the service that the gateway uses. (VPN or VTEP)
Service IP Displays the IP address used by the service. (IP address)
Status Displays the operational status of the gateway. (Up or Down)
Attachment Type/Vendor Displays the type of subnet associated with the gateway. (VLAN or Overlay-VPC name)
Connections Displays the number of service connections (such as VPN connections) configured and operational on the gateway. (number)

You can click the name of a gateway to open the gateway details page that presents the information about the gateway in widgets.

Gateway Details View

You can click the name of a gateway in the Gateway dashboard list to open the gateway details page that presents the information about the gateway in widgets.

The gateway details page displays the name of the gateway on the top left corner.

  • On the top right corner, the close button (X) allows you to close the details page.

  • The Update button opens the Update Gateway page. For more information, see Updating a Network Gateway in Flow Networking Guide .

  • The Delete button allows you to delete the gateway. For more information, see Deleting a Network Gateway in Flow Networking Guide .

Figure. Gateway Details View Click to enlarge Displays the gateway details page that provides details of the gateway in two widgets - Properties and Service configuration

The details about the gateway are organized in widgets as follows:

Table 1. Gateway Details
Parameter Description Values
Properties widget
Type Displays the gateway type. (Local or Remote)
Attachment Type Displays the network entity like VLAN or VPC that the gateway is attached to. (VLAN or VPC)
VPC or Subnet (VLAN) Displays the name of the attached VPC or VLAN subnet. (Name of VLAN or VPC)
Floating or Private IP Address Displays the Floating (for VPC) or Private (for VLAN) IP address assigned to the gateway. (IP Address)
Status Displays the operational status of the gateway. (Up or Down)
Gateway Version Displays the version of the Nutanix gateway appliance deployed. (Version)
Cluster Displays the name of the cluster on which the gateway is created. (Cluster name)
Gateway VM Displays the name of the VM on which the gateway is created. (Name of VM - actionable link. Click the name-link to open the VM details page of the gateway VM.)
Service Configuration
Service Displays the service used by the gateway. (VPN or VTEP)
External Routing Displays the type of routing associated with the gateway for external traffic routing. (Static or eBGP with ASN)
Internal Routing Displays the type of routing associated with the gateway for internal traffic routing. (Static or eBGP with ASN)
VPN Connections Displays the total number of VPN connections associated with the gateway. (Number - actionable link. Click the link to open the VPN connection details page for the associated VPN connection.)
View VPN Connections Click this link to open the VPN Connections tab. -

VPN Connections Summary View

The Connectivity dashboard allows you to open the VPN Connections dashboard or summary view.

VPN Connection: Represents the VPN IPSec tunnel established between local gateway and remote gateway. When you create a VPN connection, you need to select two gateways between which you want to create the VPN connection.

The VPN Connections dashboard provides a list of VPN connections created for the clusters managed by the Prism Central.

The VPN Connections dashboard provides a Create VPN Connection button that opens the Create VPN Connection . For more information, see Creating a VPN Connection in Flow Networking Guide .

You can select a VPN connection from the list (select the checkbox provided for the VPN connection) and then perform an action provided in the Actions dropdown list. The Actions dropdown list allows you to Update or Delete the selected VPN connection.

The VPN Connections summary list view provides the following details about the VPN connection.

Figure. VPN Connections dashboard Click to enlarge Displaying the VPN Connections dashboard.

Table 1. VPN Connections List Fields
Parameter Description Values
Name Displays the name of the connection. (gateway name)
IPSec Status Displays the connection status of IPSec tunnel. (Connected or Not Connected)
EBGP Status Displays the status of the EBGP gateway connection. (Established or Not Established)
Local Gateway Displays the name of the local gateway used for the connection. (Name of local gateway)
Remote Gateway Displays the name of the remote gateway used for the connection. (Name of remote gateway)
Dynamic Routing Priority Displays the dynamic routing priority assigned to the connection for throughput management. You can assign any value in the range of 100-1000. Flow Virtual Networking assigns the first VPN connection the value 500 by default. Thereafter, subsequent VPN connections are assigned values decremented by 50. For example, the first connections is assigned 500, then the second connection is assigned 450, the third one 400 and so on. (Number in the range of 100-1000. User assigned.)

VPN Connections Details View

You can click the name of a VPN connection in the VPN Connections dashboard list to open the VPN connection details page that presents the information about the VPN connection in widgets.

The VPN connection details page displays the name of the VPN connection on the top left corner.

  • On the top right corner, the close button (X) allows you to close the details page.

  • The Update button opens the Update VPN Connection page. For more information, see Updating a VPN Connection in Flow Networking Guide .

  • The Delete button allows you to delete the VPN connection. For more information, see Deleting a VPN Connection in Flow Networking Guide .

Figure. VPN Connection Details Click to enlarge Displaying the detailed view of the selected VPN connection with the information organized in widgets.

The details about the VPN connection are organized in widgets as follows:

  • Summary tab—See the VPN Connection Summary Tab Details table below.
  • Throughput tab—See the VPN Connection Throughput Tab Details table below.
  • IPSec Logging tab—Provides logs for the IPSec tunnel.
  • Routing Protocol Logging tab—Provides logs for the routing protocol used in the VPN connection.
Table 1. VPN Connection Summary Tab Details
Parameter Description Values
VPN Connection widget
IPSec Status Displays the connection status of IPSec tunnel. (Connected or Not Connected)
EBGP Status Displays the status of the EBGP gateway connection. (Established or Not Established)
Dynamic Routing Priority Displays the dynamic routing priority assigned to the connection for throughput management. You can assign any value in the range of 100-1000. Flow Virtual Networking assigns the first VPN connection the value 500 by default. Thereafter, subsequent VPN connections are assigned values decremented by 50. For example, the first connections is assigned 500, then the second connection is assigned 450, the third one 400 and so on. (Number in the range of 100-1000. User assigned.)
Local Gateway Properties
Gateway Name Displays the name of the local gateway used for the connection. (Name of local gateway)
Type Displays the type of gateway. (Local)
Attachment Type Displays the network entity like VLAN or VPC that the gateway is attached to. (VLAN or VPC)
VPC or Subnet (VLAN) Displays the name of the attached VPC or VLAN subnet. (Name of VLAN or VPC)
Tunnel IP Displays the Tunnel IP address of the local gateway. (IP Address)
Connection Type Displays the connection type you selected while creating the VPN connection. The connection type may be Initiator or Acceptor of a VPN connection between the local and remote gateways. T (Initiator or Acceptor)
External Routing Displays the type of routing associated with the gateway for external traffic routing. (Static or eBGP with ASN)
Internal Routing Displays the type of routing associated with the gateway for internal traffic routing. (Static or eBGP with ASN)
Floating or Private IP Address Displays the Floating (for VPC) or Private (for VLAN) IP address assigned to the gateway. (IP Address that you assigned to the local gateway with /30 prefix when you configured the VPN connection.)
Status Displays the operational status of the gateway. (Up or Down)
Cluster Displays the name of the cluster on which the gateway is created. (Cluster name)
Gateway VM Displays the name of the VM on which the gateway is created. (Name of VM - actionable link. Click the name-link to open the VM details page of the gateway VM.)
Remote Gateway Properties
Gateway Name Displays the name of the remote gateway used for the connection. (Name of remote gateway)
Type Displays the type of gateway. (Remote)
Tunnel IP Displays the Tunnel IP address of the remote gateway. (IP Address)
Connection Type Displays the connection type you selected while creating the VPN connection. The connection type may be Initiator or Acceptor of a VPN connection between the local and remote gateways. T (Initiator or Acceptor)
External Routing Displays the type of routing associated with the gateway for external traffic routing. (Static or eBGP with ASN)
ASN Displays the ASN of the EBGP route. This information is only displayed if you configured EBGP as the External Routing protocol. (Number)
Vendor Displays the name of the vendor of the gateway appliance at the remote site. (Name of vendor of gateway appliance)
External IP Displays the IP address assigned to remote the gateway. (IP Address that you assigned to the remote gateway with /30 prefix when you configured the VPN connection.)
Status Displays the operational status of the gateway. -
Protocol Details
Service Displays the service used by the gateway. (VPN or VTEP)
Gateway Routes Displays the status of the routes used by the gateways. (Sent)

Subnet Extensions Summary View

The Connectivity dashboard opens on the Subnet Extensions dashboard or summary view.

This Guide does not provide detailed information about Security Policies . It only describes the Summary and Details views for the same. For detailed information about Security Policies , see Flow Microsegmentation Guide

The Subnet Extensions dashboard provides a list of subnet extensions created for the clusters managed by the Prism Central.

The Subnet Extensions dashboard provides a Create Subnet Extension dropdown menu that lets you extend a subnet Across Availability Zones or To a Third Party Data Center . You can extend a subnet using VPN or VTEP service. See Layer 2 Virtual Network Extension for more information.

You can select a subnet extension from the list (select the checkbox provided for the subnet extension) and then perform an action provided in the Actions dropdown list. The Actions dropdown list allows you to Update or Delete the selected subnet extension.

Figure. Subnet Extensions dashboard Click to enlarge Displaying the Subnet Extension dashboard.

The Subnet Extensions summary list view provides the following details about the gateway.

Table 1. Subnet Extensions List Fields
Parameter Description Values
Name Displays the name of the subnet extension. (Name of subnet extension)
Type Displays the subnet extension type. ( Across Availability Zones or To a Third Party Data Center )
Extension Over Displays the service that the subnet extension uses. (VPN or VTEP)
Extension Uses Displays the name of the local network gateway that the subnet extension uses. (Name of local network gateway)
Local Subnet Displays the name of the local subnet that the subnet extension uses. (Name of local subnet)
Remote Site Displays the name of the remote network gateway that the subnet extension uses. (Name of remote network gateway)
Connection Status Displays the status of the connection that is created by the subnet extension. Not Available status indicates that Prism Central is unable to ascertain the status. (Not Available, Connected, or Disconnected)
Interface Status Displays the status of the interface that is used by the subnet extension. (Connected or Down)

You can click the name of a subnet extension to open the subnet extension details page that presents the information about the subnet extension in widgets.

Subnet Extensions Details View

You can click the name of a subnet extension in the Subnet Extensions dashboard list to open the subnet extension details page that presents the information about the subnet extension in widgets.

The subnet extension details page displays the name of the subnet extension on the top left corner. It has two tabs - Summary , Address Table and Throughput .

Summary

The Summary tab provides the information about the subnet extension in widgets. It also allows you to take the following actions:

  • On the top right corner, the close button (X) allows you to close the details page.

  • The Update button opens the Update Subnet Extension page. See Updating an Extended Subnet for more information.

  • The Delete button allows you to delete the subnet extension. See Removing an Extended Subnet for more information.

Figure. Subnet Extensions Details View - Summary tab sample for VTEP extension Click to enlarge Displays the subnet extension details page, Summary that provides details of the subnet extension in one extended widget with three sections - Properties, IP Address Pools and Subnet Extension properties.

Table 1. Subnet Extension Details - Summary Tab Fields
Parameter Description Values
Properties
Type Displays the subnet type. (VLAN or Overlay)
VLAN ID (For VLAN subnets only) Displays the VLAN ID of the VLAN subnet that is extended. (VLAN ID number)
VPC (For Overlay subnets only) Displays the name of the VPC subnet that is extended. (Name of VPC)
Cluster (For VLAN subnets only) Displays the cluster that the VLAN subnet belongs to. (Name of cluster)
IP Address Prefix Displays the network IP address with prefix, of the VLAN subnet that is extended. (IP Address with prefix)
Virtual Switch (For VLAN subnets only) Displays the virtual switch on which the VLAN subnet is configured. (Virtual Switch name such as vs0 or vs1)
IP Address Pools
Pool Range Displays the range of IP addresses in the pool configured in the subnet that is extended. (IP address range)
(Interactive Graphic Pie Chart) Displays a dynamic pie chart that displays the statistic you hover on. Displays the following IP address statistics outside the pie chart, that you can hover on:
  • Total number of IP addresses available.
  • Used IP addresses in the subnets
  • Used IP addresses in the IP address pools
  • Free IP addresses in the subnets
  • Free IP addresses in the IP address pools
(IP Address statistics)
Subnet Extension
Subnet Extension (properties) - Common
Type Displays the subnet extension type. ( Across Availability Zones or To a Third Party Data Center )
Interface Status Displays the status of the interface that is used by the subnet extension. (Connected or Down)
Connection Status Displays the status of the connection that is created by the subnet extension. Not Available status indicates that Prism Central is unable to ascertain the status. (Not Available, Connected, or Disconnected)
Local IP Address Displays the IP address that you entered in the Local IP Address field while creating the subnet extension. (IP Address)
Local Subnet Displays the name of the local subnet that the subnet extension uses. (Name of local subnet)
Subnet Extension (properties) - (Only for Across Availability Zones type)
Local Availability Zone (Only for Across Availability Zones type) Displays the name of the local AZ that is hosting the subnet that is extended. (Name of the local Availability Zone)
Remote Availability Zone (Only for Across Availability Zones type) Displays the name of the remote AZ that the subnet is extended to. (Name of the remote Availability Zone)
Remote Subnet (Only for Across Availability Zones type) Displays the name of the remote subnet that the subnet extension connects to. (Name of remote subnet)
Remote IP Address (Only for Across Availability Zones type) Displays the IP address that you entered in the Remote IP Address field while creating the subnet extension. (IP Address)
Subnet Extension (properties) - (Only for To a Third Party Data Center type)
Local Gateway (Only for To a Third Party Data Center type) Displays the name of the local gateway used for the subnet extension. (Name of local gateway)
Remote Gateway (Only for To a Third Party Data Center type) Displays the name of the remote gateway used for the subnet extension. (Name of remote gateway)

Address Table

The Address Table tab provides MAC Address information only when the subnet extension uses VTEP service. The tab provides the following information in the table:

  • MAC Address : This provides the MAC addresses of devices connected to the remote VTEP endpoint in the subnet extension.
  • Remote VTEP Endpoint : This provides the IP address of the remote VTEP endpoint in the subnet extension.
Figure. Subnet Extensions Details View - Address Table tab sample for VTEP extension Click to enlarge Displays the subnet extension details page, Address Table tab that provides details of the MAC Addresses in the subnet extension

Figure. Subnet Extensions Details View - Address Table tab sample for VPN-based Extension Click to enlarge Displays the subnet extension details page, Address Table tab that provides details of the MAC Addresses in the subnet extension

Throughput

The Throughput tab provides a graphical representation of the throughput of the subnet extension.

Figure. Subnet Extensions Details View - Throughput tab sample for VTEP Extension Click to enlarge Displays the subnet extension details page, Throughput tab that provides graphical representation of the throughput of the subnet extension

Security Policies Summary View

To access the security policies dashboard, select Policies > Security Policies from the entities menu (see Entities Menu). The security policies dashboard allows you to view summary information about defined security policies.

Note: This section describes the information and options that appear in the security policies dashboard.
  • See Entity Exploring for instructions on how to view and organize that information in a variety of ways.
  • See Flow Microsegmentation Guide for information about how to create and apply security policies.
Figure. Security Policies Dashboard Click to enlarge Security policies view of the Explore dashboard

The following table describes the fields that appear in the security policies list. A dash (-) is displayed in a field when a value is not available or applicable.

Table 1. Security Policies List Fields
Parameter Description Values
Name Displays the policy name. The policy is one of three types: application, quarantine, or isolation. (name), Application, Quarantine, Isolation
Purpose Describes (briefly) the policy's purpose. (text string)
Policy Displays (high level) what the policy does. (boxed text)
Status Displays the current status of the policy (either applied currently or in monitoring mode). Applied, Monitoring
Last Modified Displays the date the policy was last modified (or the creation date if the policy has never been modified). (date)

You can filter the security polices list based on several parameter values. The following table describes the filter options available when you open the Security Policies view Filter pane. To apply a filter, select a parameter and check the box of the desired value (or multiple values) you want to use as a filter. You can apply filters across multiple parameters.

Table 2. Filter Pane Fields
Parameter Description Values
Name Filters on the item name. Select a condition from the pull-down list ( Contains , Doesn't contain , Starts with , Ends with , or Equal to ) and enter a string in the field. It will return a list of security policies that satisfy the name condition/string. (policy name string)
Type Filters on the policy type. Check the box for one or more of the policy types (application, quarantine, isolation). It will limit the list to just those policy types. Application, Quarantine, Isolation
Status Filters on the policy status. Check the box for applied or monitoring. Applied, Monitoring

The security policies dashboard includes a Create Security Policy action button with a drop-down list to Secure an Application or Isolation Environments .

The Actions menu appears when one or more policies are selected. It includes options to update, apply, monitor, and delete. The available actions appear in bold; other actions are grayed out. (For grayed out options, a tool tip explaining the reason is provided.)

Security Policy Details View

This Guide does not provide detailed information about Security Policies . It only describes the Summary and Details views for the same. For detailed information about Security Policies , see Flow Microsegmentation Guide

To access the details page for a security policy, click on the desired security policy name in the list (see Security Policies Summary View). The Security Policy details page includes the following:

  • The policy name appears in the upper left. You can switch from one policy to another by selecting the policy name from the pull-down list.
  • The rule status appears below the name and indicates whether the policy is being applied currently or is in monitoring mode.
  • Three columns appear that specify the Inbound policy (on the left), the affected entities (in the middle), and the Outbound policy (on the right).
  • There are three action buttons (upper right).
    • Click the appropriate button to update, apply, monitor, or delete the policy (see Nutanix Security Guide for details). The available actions appear in bold; other actions are grayed out. (For grayed out options, a tool tip explaining the reason is provided.)
    • Click the question mark icon to open a help page in a separate tab or window.
    • Click the X icon to close the details page.
Figure. Security Policy Details View: Monitoring Rule Example Click to enlarge Security policies view of the Explore dashboard

Figure. Security Policy Details View: Applied Rule Example Click to enlarge Security policies view of the Explore dashboard

For more information about Security Policies, see Flow Microsegmentation Guide.

Virtual Private Cloud

A Virtual Private Cloud (VPC) is an independent and isolated IP address space that functions as a logically isolated virtual network. A VPC could be made up of one or more subnets that are connected through a logical or virtual router. The IP addresses within a VPC must be unique. However, IP addresses may overlap across VPCs. As VPCs are provisioned on top of another IP-based infrastructure (connecting AHV nodes), they are often referred to as the overlay networks. Tenants may spin up VMs and connect them to one or more subnets within a VPC.

Virtual Private Cloud (VPC) is a virtualized network of resources that are specifically isolated from the rest of the resource pool. VPC allows you to manage the isolated and secure virtual network with enhanced automation and scaling. The isolation is done using network namespace techniques like IP-based subnets or VLAN based networking.

AHV provides the framework to deploy VPC on on-premises clusters using the following.

  • Advanced Networking subnets and DHCP management
  • Multiple uplink and bridge management via virtual switch (VS)
  • Virtual Private Network (VPN) gateways and connections

Flow Virtual Networking simplifies the deployment and configuration of overlay-based VPCs. It allows you to quickly:

  • Create, update and delete VPCs.
  • Create, update and delete subnets within VPCs.
    Note: Create subnets as necessary when you create VPCs.
  • Add network security policies and services.
  • Configure hybrid cloud connectivity with VPNs.

This section covers the concepts and procedures necessary to implement VPCs in the network.

VM IP Address Management

Primary Address

The primary IP address is assigned to a VM during initialization when the cluster provides any virtual NIC (NIC) to a VM.

  • Select Assign Static IP as the Assignment Type to add a static IP address as primary IP address of the VM, when you attach a subnet to a VM.
  • Select Assign with DHCP as the Assignment Type to allow DHCP to dynamically assign an IP address to the VM.
  • Select No Private IP as the Assignment Type if you do not want to assign an IP address to the vNIC of the VM.

For more information about attaching a subnet to a VM, see Creating a VM through Prism Central (AHV) in the Prism Central Guide .

Secondary IP Addresses (Overlay Networks only)

For your deployment, you may need to configure multiple (static) IP addresses to a single NIC. These IP addresses (other than the primary IP address) are secondary IP addresses. A secondary IP address can be permanently associated with a specific NIC or be changed to any other NIC. The NIC ownership of a secondary IP address is important for security routing policies.

Note: You can configure secondary IP addresses only for VMs in an Overlay network.

You can configure secondary IP addresses to a NIC when you want to:

  • Associate multiple floating IP addresses with one VM without creating multiple NICs (each with one primary IP address) for the VM. You can assign one floating IP address to one secondary IP address that you create for the single NIC. For information about floating IP addresses, see Requesting Floating IPs.
  • Run appliances, such as load balancers, that have multiple IP addresses on each interface.
  • Host applications in a High Availability (HA) configuration where the ownership of IP address moves from the active entity to the standby entity when the active entity goes down.
  • Host applications in a clustered configuration where the ownership of IP address follows the leader.
  • Host Nutanix Files service in a VPC as a case of clustered application.
Note:

In applications that use secondary IP addresses as virtual IP addresses and the NIC ownership of the secondary IP address changes dynamically from one NIC to another, configure the application to incorporate the ownership change in its settings or configuration. If the applications do not incorporate these ownership changes, the VPCs configured for such applications fail.

For information about configuring secondary IP addresses, see Creating Secondary IP Addresses.

IP Address Information

You can view the IP addresses configured on a VM by clicking the See More link in the IP Address column in the VM details view to open the IP Address Information box.

Note: The See More link in the IP Address column in the VM details view and the IP Address Information box are available only if the VM has any secondary IP addresses configured.
Figure. IP Address Information Click to enlarge Displaying the IP Address Information box

Creating Secondary IP Addresses

You can assign multiple secondary IP addresses to a single vNIC.

About this task

You can add multiple secondary IP addresses to the vNIC configured on a VM. Add the secondary IP addresses to the vNIC in the Create VM or the Update VM page.

Procedure

  1. Go to the Networks section.
  2. Click the Edit icon for the subnet that you want to add the secondary IP addresses from.
    The Update NIC dialog box opens.
  3. Check the Add Secondary IPs check box in the Update NIC dialog box.
    Figure. Add Secondary IP Addresses Click to enlarge Displaying the Add Secondary IPs section in Update NIC page.

  4. Add a comma-separated list of the secondary IP addresses that you want to add to the vNIC of the VM.
    Note:

    Ensure that the secondary IP addresses are within the same subnet that the primary IP address of the NIC is from. The subnets are displayed in the Private IP Assignment section in the Update NIC dialog box.

    Ensure that the secondary IP address is not the same as the IP address provided in the Private IP Assignment field.

  5. Click Save .
  6. Click Next on the Resources and the Management tabs of the Update VM page.

    If you need to make any other changes on the Resources and the Management tabs for any configurations other than adding secondary IP addresses, make the changes and then click Next on these tabs.

  7. Click Launch VM on the Review tab after you review

What to do next

You can view the secondary IP addresses configured on the VM in the IP Address Information box.

Assigning Secondary IP Addresses to Interfaces

Assign the secondary IP addresses to interfaces or subinterfaces on the VM.

About this task

To assign the secondary IP addresses to virtual interfaces on the VM, do the following on the VM details page:

Procedure

  1. Click Console .
  2. Log in as a root user.
  3. Run the ifconfig command as follows:
    root@host$ ifconfig <interface> <secondary ip address> <network mask>

    Provide the following in the command:

Parameter Description
<interface> The interface of the VM such as eth0. You can provide subinterfaces such as eth0:1 and eth0:2.
<secondary IP address> The secondary IP address that you created and want to associate with the interface.
<network mask> The network mask that is an expansion of the network prefix of the network that the secondary IP address belongs to. For example, if the secondary IP address belongs to 10.0.0.0/24 then the network mask is 255.255.255.0.
  1. Repeat the aforementioned steps for all the secondary IP addresses you want to associate with interfaces on the VM.
  2. Exit from the Console.

Assigning Secondary IP Addresses to Floating IPs

Assign the secondary IP addresses to floating IP addresses on the VM.

About this task

After you assign secondary IP addresses to interfaces or subinterfaces on the VM, you can assign the secondary IP addresses to floating IP addresses that may be used for external connectivity.

Do one of the following:

Procedure

  • Assign floating IP addresses when you request floating IP addresses in the Assign Floating IPs section of the Request Floating IP dialog box.
    To assign floating IP addresses while requesting for them, you must have the secondary IP addresses configured and ready when you are requesting the floating IP addresses.
  • Select the floating IP address you want to assign, in the Floating IPs dashboard. Click the Update option in the Actions drop-down menu.
    Assign the secondary IP addresses you configured to the floating IP addresses you have.

VPC Workflow

A virtual private cloud (VPC) can be deployed on Nutanix cluster infrastructure to manage the internal and external networking requirements using Flow Virtual Networking. The workflow to create a complete network based on VPC is described below.

  1. Create a VPC—See Creating Virtual Private Cloud. See Updating Virtual Private Cloud to update a VPC you created.
  2. Add Subnets to the VPC—See Creating a Subnet to create a Subnet. See Updating a Subnet to update a subnet.
  3. Attach the Subnet to VMs—See Attaching a Subnet to a Virtual Machine.

VPC Management

This section provides information and procedures that you need to manage virtual private clouds using Flow Virtual Networking.

Creating Virtual Private Cloud

About this task

You can create VPCs on the Virtual Private Clouds page. Go to the Virtual Private Clouds page by clicking Virtual Infrastructure > Networking > Virtual Private Clouds .

To create a VPC, do the following.

Procedure

  1. On the VPC dashboard, click Create VPC .

    See Network and Security View for more information about the VPC dashboard.

    The Create Virtual Private Cloud (VPC) dialog box opens.
    Figure. Create Virtual Private Cloud Click to enlarge

  2. Provide the necessary values in respective fields in the Create Virtual Private Cloud (VPC) dialog box.
Fields Description and Values

Name

Provide a name for the VPC.

External Connectivity

This section takes you through configuration of the parameters necessary for connectivity to the Internet or clusters outside the VPC.

A subnet with external connectivity (External Subnet) is required if the VPC needs to send traffic to a destination outside of the VPC.

Note: You can add a maximum of two external subnets - one external subnet with NAT and one external subnet without NAT to a VPC. Both external subnets cannot be of the same type. For example, you cannot add two external subnets, both with NAT. You can update an existing VPC similarly.

Network address translation (NAT) Gateways perform the required IP-address translations required for external routing. You can also have external connectivity without NAT.

External Subnet

Select an external subnet from the drop down list. By associating the VPC with the external subnet you can provide external connectivity to the VPC.
Note:

Ensure that the externally routable IP addresses (subnets with external connectivity without NAT) for different VPCs do not overlap.

Configure the routes for the external connectivity subnets with next hop as the Router or SNAT IP address. Also configure the routes on the router for the return traffic to reach the VPC. See External Connectivity panel in VPC Details View.

Externally Routable IP Addresses Provide IP addresses that are externally routable. Externally routable IP addresses are IP addresses that within the VPC which can communicate externally without NAT. These IP addresses are used when an external subnet without NAT is used.

Domain Name Servers (DNS)

(Optional) DNS is advertised to Guest VMs via DHCP. This can be overridden in the subnet configuration.

Click + Server IP to add DNS server IPs under IP Address and click the check mark.

You can Edit or Delete an IP address you added using the options under Actions .

  1. Click Save .

Requesting Floating IPs

About this task

Each VPN gateway requires a floating IP. If you do not provide one during the VPN gateway creation, then Flow Virtual Networking automatically allocates a floating IP to a VPN gateway. To provide floating IP during the VPN gateway creation, you can request floating IPs and assign them to VMs.

You can view the allocated floating IPs on the Floating IPs page. Click Networking > > Floating IPs .

To request a floating IP, do the following.

Procedure

  1. Click the Request Floating IP button on the Floating IPs page.
  2. On the Request Floating IP dialog box, provide the information in the respective fields.
    Figure. Request and Assign Floating IPs Click to enlarge

    Note:

    Uncheck the Assign Floating IPs box if you want to assign the requested IP addresses after you receive it.

    See Floating IPs for more information.

Fields Description and Values
External Subnet Select a subnet that you configured with external connectivity.
Number of Floating IPs Enter the number of floating IPs you want. You can request a maximum of 5 floating IP addresses.
Assign Floating IPs

Select this check box if you want to assign the floating IPs to specific VMs in the table.

Based on the number you entered in the Number of Floating IPs field, the system provides an equivalent number of rows of Search VMs and IP Address in the table.

Under Search VMs , select the VM to which you want to assign a floating IP address. Under IP Address , select the IP address on the VM (primary or secondary IP address) to which you want to assign the floating IP.

You can assign multiple floating IP addresses to multiple secondary IP addresses that you can create on the NIC of the VM.

For information about configuring secondary IP addresses, see Creating Secondary IP Addresses.

Note:
  1. Click Save .

What to do next

When you receive the floating IP address you requested, you can see it, assign it (if not already assigned while requesting) or delete it in the Floating IPs view.

Creating a Subnet

About this task

You can create subnets on the Subnets page. Go to the Subnets page by clicking Virtual Infrastructure > Networking and open the Create Subnet dialog box.

You can also open the Create Subnet dialog box from the VPC details view by clicking the Add Subnet option.

To create a subnet, do the following.

Procedure

  1. Click Create Subnet .
    The Create Subnet dialog box opens. The following figure displays the Create Subnet dialog box with all the options. These options are displayed based on the values you select in the Type field.
    Figure. Create Subnet (With External Connectivity Disabled) Click to enlarge

    Figure. Create Subnet (With External Connectivity Enabled) Click to enlarge

Fields Description and Values
Name Provide a name for the subnet.
Type

Select the type of subnet you want to create.

You can create a VLAN subnet or an Overlay subnet.

VLAN ID

(VLAN subnet only) Enter the number of the VLAN .

Enter just the number in this field, for example 1 or 27. Enter 0 for the native VLAN. The value is displayed as vlan.1 or vlan.27 in the View pages.

Note: Provision any single VLAN ID either in the AHV network stack or in the Flow Virtual Networking (brAtlas) networking stack. Do not use the same VLAN ID in both the stacks.
IP Address management

(Mandatory for Overlay type subnets) This section provides the Network IP Prefix and Gateway IP fields for the subnet.

(Optional for VLAN type subnet) Check this box to display the Network IP Prefix and Gateway IP fields and configure the IP address details.

Unchecking this box hides these fields. In this case, it is assumed that this virtual LAN is managed outside the cluster.

Note:

The DHCP Settings option is only available for VLAN subnets if you select this option.

DHCP Settings

(Optional for both VLAN and Overlay subnets) Check this box to display fields for defining a domain.

Checking this box displays fields to specify DNS servers and domains. Unchecking this box hides those fields.

See Settings the DHCP Options for more information.

Cluster (VLAN subnet only) (VLAN subnet only) This option is available only for VLAN subnet configuration. Select the cluster that you want to assign to the subnet.
External Connectivity (VLAN subnet only) Turn on this toggle switch if you want use this VLAN subnet for external connectivity.
Note:

Ensure that the externally routable IP addresses (subnets with external connectivity without NAT) for different VPCs do not overlap.

Configure the routes for the external connectivity subnets with next hop as the Router or SNAT IP address. Also configure the routes on the router for the return traffic to reach the VPC. See External Connectivity panel in VPC Details View.

NAT (Option under External Connectivity ) If you turn on the External Connectivity toggle switch, then you can choose whether to connect to external networks with or without enabling NAT. Check the NAT check box to enable NAT for external connectivity for VPCs.

Virtual Switch (VLAN subnet only) Select the virtual switch that is configured for the VLAN you selected. The default value is the default virtual switch vs0. This option is displayed only if you add a VLAN ID in the VLAN ID field.
VPC (Overlay subnet only)

Select the Virtual Private Cloud (VPC) that you want to assign to the subnet from the drop down list.

You can create VPCs and assign them to Overlay subnets.

IP Address Pool

Defines a range of addresses for automatic assignment to virtual NICs.

This field is optional for both VLAN and Overlay . For VLAN , this field is displayed only if you select the IP Address Management option.

Note: Configure this field for VLAN or Overlay to complete the creation of the VPC, if you do not need external connectivity for this subnet. You must configure this field only if you need external connectivity for this subnet.

Click the Create Pool button and enter the following in the Add IP Pool page:

  • Enter the starting IP address of the range in the Start Address field.

  • Enter the ending IP address of the range in the End Address field.

  • Under Actions , click the check mark to submit the starting and ending IP addresses you entered.

    Click the X mark to remove the entries.

Override DHCP Server

(VLAN subnet only) To configure a DHCP server, check the Override DHCP Server box and enter an IP address in the DHCP Server IP Address field.

See Override DHCP Server (VLAN Only) in Settings the DHCP Options for information about this option.

  1. Click Save .

Settings the DHCP Options

About this task

Selecting the DHCP Settings checkbox in Create Subnet or Update Subnet allows you to configure the DHCP options for the VMs within the subnet. When DHCP settings are configured for a VM in a subnet and the VM is powered on, Flow Virtual Networking configures these options on the VM automatically. If you do not configure the DHCP settings, then these options are not available on the VM automatically when you power it on.

You can enable DHCP Settings when you create a subnet and configure the DHCP Settings for the new subnet. You could also update the DHCP Settings for an existing subnet.

DHCP Settings is common to and is available on both the Create Subnet and the Update Subnet dialog boxes.

To configure the DHCP Settings , do the following in the Create Subnet or the Update Subnet dialog box:

Procedure

  • Provide the information in the DHCP Settings fields.
    Figure. DHCP Settings Click to enlarge DHCP Settings display

Fields Description and Values
Domain Name Servers

Provide a comma-separated list of DNS IP addresses.

Example: 8.8.8.8, 9.9.9.9

Domain Search

Enter the VLAN domain name. Use only the domain name format.

Example: nutanix.com

TFTP Server Name

Enter a valid TFTP host server name of the TFTP server where you host the host boot file. The IP address of the TFTP server must be accessible to the virtual machines to download a boot file.

Example: tftp_vlan103

Boot File Name

The name of the boot file that the VMs need to download from the TFTP host server.

Example: boot_ahv2020xx

  • (Optional and for VLAN networks only) Check the Override DHCP Server dialog box and enter an IP address in the DHCP Server IP Address field.

    You can configure a DHCP server using the Override DHCP Server option only in case of VLAN networks.

    The DHCP Server IP address (reserved IP address for the Acropolis DHCP server) is visible only to VMs on this network and responds only to DHCP requests. If this box is not checked, the DHCP Server IP Address field is not displayed and the DHCP server IP address is generated automatically. The automatically generated address is network_IP_address_subnet.254 , or if the default gateway is using that address, network_IP_address_subnet.253 .

    Usually the default DHCP server IP is configured as the last usable IP in the subnet (For eg., its 10.0.0.254 for 10.0.0.0/24 subnet). If you want to use a different IP address in the subnet as the DHCP server IP, use the override option.

Attaching a Subnet to a Virtual Machine

About this task

To attach a subnet to a VM, go to the Virtual Infrastructure > VM > List view in Prism Central and do the following.

Procedure

  1. Select the VM you want to attach a subnet to. Click Actions > > Update .
  2. In the Update VM dialog box, click Add NIC .
    Figure. Click to enlarge

  3. Provide the necessary information in the indicated fields in the Create NIC dialog box.
    1. Select the Subnet Name from the drop down list.
    2. Select the Network Connection State as Connected or Disconnected .

      The Network Connection State selection defines the state of the connection after the NIC configuration is implemented.

    3. Select the Assignment Type .

      You can select Assign with DHCP to assign a DHCP based IP address to the VM.

      You can select Assign Static IP to assign a static IP address to the VM to reach the VM quickly from any endpoint in the network such as a laptop.

    4. Click Add .
  4. Click Save on the Update VM dialog box.

Creating a Policy

About this task

For Policy-based routing you need to create policies that route the traffic in the network.

When you create a VPC, there is one default policy that Flow Virtual Networking creates for the VPC. This policy is pre-configured with the Priority 1 and other default values to Deny traffic flow and service (see the table of field descriptions and values for this dialog box).
Note: You cannot update or delete the default policy.
  • Policies control the traffic flowing between subnets (inter-subnet traffic).

  • Policies control the traffic flowing in and out of the VPC.

  • Policies do not control the traffic within a subnet (intra-subnet traffic).

Figure. Policy Tab Click to enlarge

You can create a traffic policy using the Create Policy dialog box. You can open the Create Policy dialog box either from the VPC list view or the VPC list view.

  • On the VPC list view, select the VPC you want to update and click Create Policy in the Actions drop down menu.

  • On the VPC details view, click the Create Policy option in the More drop down menu.

To create a policy, do the following in the Create Policy dialog box.

Procedure

  1. Provide the necessary values in the respective fields.
    Figure. Create Policy Click to enlarge

Fields Description and Values Value in Default Policy
Priority The priority of the access list (ACL) determines which ACL is processed first. Priority is indicated by an integer number. A higher priority number indicates a higher priority.For example, if two ACLs have priority numbers 100 and 70 respectively, the ACL with priority 100 takes precedence over the ACl with priority 70.
Note:
  • Click the Understand Priorities link to see the Understand Priorities information box (see the image of this box below this table).
1
Source

The source indicates the source IP or subnet for which you want to manage traffic.

Source can be:

  • Any : Indicates any IP address.

  • External : Indicates an IP address that is outside the subnets configured for the VPC.

  • Custom : You can provide a specific Source Subnet IP with prefix.
Any
Source Subnet IP

Only required if you selected the Source as Custom . Provide the subnet IP and prefix that you want to designate as the source for the policy. Use the CIDR notation format to provide the subnet IP. For example, 10.10.10.0/24.

None
Destination

The destination is the destination IP or subnet for which you want to set the priority.

Destination can be:

  • Any : Indicates any IP address.

  • External : Indicates an IP address that is outside the subnets configured for the VPC.

  • Custom : You can provide a specific Destination Subnet IP with prefix.
Any
Destination Subnet IP

Only required if you selected the Destination as Custom .

None
Protocol You can also set the priority configure policy for certain protocols. You can select one of the following options:
  • Any : Indicates any IP address.

  • Protocol Number : Provide an integer number that indicates the protocol you want to prioritize.

    Provide the appropriate value in the Protocol Number field.
  • TCP
  • UDP
  • ICMP
Protocol Number

This field is displayed only if you select Protocol Number as the value in the Protocol field. The number you provide must be the IANA designated number that indicates respective protocol. See IANA Protocol Numbers .

None
Action

Assign the appropriate action for implementation of the policy.

  • Permit : Permits traffic and services based on the parameters set.

    If the Permit rule is set to override a Drop rule, then the Permit rule must be set in both the directions to allow bidirectional communication between the Source and Destination .

  • Deny : Denies traffic and service based on the parameters set.

  • Re-route :Sends matching traffic to the next-hop IP address specified by the Reroute IP . In case of reroute, you need to provide an IP address that the traffic needs to be re-routed to, in the Reroute IP field.
Permit
Figure. Understanding Priorities Click to enlarge Sample Understand Priorities information box.

  1. Click Save .

Creating Static Routes

About this task

You can create a static route using the Create Static Routes dialog box. You can open the Create Static Routes dialog box either from the VPC list view or the VPC details view.

  • On the VPC list view, select the VPC and click Create Static Routes in the Actions drop down menu.

  • On the VPC details view, click the Create Static Routes option in the More drop down menu.

Figure. Create Static Routes Click to enlarge

To create static route, do the following in the Create Static Routes dialog box:

Procedure

  1. Provide the necessary values in the respective fields.
Fields Description and Values
Destination Prefix Provide the IP address with prefix of the destination subnet.
Next Hop Link Select the next hop link from the drop down list. The next hop link is the IP address that the traffic must be sent for the static route you are configuring.
Add Prefix You can create multiple static routes using this option. Click this link to add another set of Destination Prefix and Next Hop Link to configure another static route.
  1. Click Save .

Updating Virtual Private Cloud

About this task

You can update a VPC using the Update Virtual Private Cloud (VPC) dialog box. You can open the Update Virtual Private Cloud (VPC) dialog box either from the VPC list view or the VPC details view.

  • On the VPC list view, select the VPC you want to update and click Update in the Actions drop down menu.

  • On the VPC details view, click the Update option.

The Update Virtual Private Cloud (VPC) dialog box is identical to the Create Virtual Private Cloud (VPC) dialog box.

Figure. Update VPC Click to enlarge Displaying Update VPC dialog box

For details about the parameters that you can update in the Update Virtual Private Cloud (VPC) dialog box, see Creating Virtual Private Cloud.

Procedure

  • Update the parameters in the Update Virtual Private Cloud (VPC) dialog box.
  • Click Save .

Updating a Subnet

About this task

You can update a subnet displayed on the Subnets page. Go to the Subnets page by clicking Virtual Infrastructure > Networking > Subnets and open the Update Subnet dialog box.

You can also open the Update Subnet dialog box from the VPC dashboard for a specific VPC. Click the Edit option for the subnet listed on the Subnets tab of the VPC dashboard.

The fields in the Update Subnet and the Create Subnet dialog boxes are the same.
Note: You cannot edit or update the subnet type. For example, if the subnet type is already configured as VLAN , you cannot modify it to an Overlay type subnet.

To update a subnets, do the following.

Procedure

  1. Select the subnet you want to update. Select Actions > Update Subnet .
  2. Update the necessary values in the respective fields in the Update Subnet dialog box.
    Figure. Update Subnet Click to enlarge

    The Update Subnet dialog box has the same fields as the Create Subnet dialog box. For details about the fields and the values that can be updated in the Update Subnet dialog box, see Creating a Subnet.

  3. Click Save to ensure that the updates are saved in the configuration.

Category Management

A category is a key-value pair that groups similar entities. Associating a policy with a category ensures that the policy applies to all the entities in the group regardless of how the group scales with time. For example, you can associate a group of VMs with the Department: Marketing category, where Department is a category that includes a value Marketing along with other values such as Engineering and Sales.

Currently, you can associate only VMs with a category. Categories are implemented in the same way on on-premises Prism Central instances and in Xi Cloud Services. For information about configuring categories, see the Prism Central Guide .

Updating a Policy

About this task

You can update a policy using the Update Policy dialog box. You can open the Update Policy dialog box in two ways in the VPC details view.

  • On the VPC details view, select the VPC you want to update and click the Update option in the top menu.
  • On the VPC details view, click the Edit option provided in the Actions menu for the selected VPC.
Note: You cannot update or delete the default policy.

The Update Policy dialog box has the same parameters as the Create Policy dialog box.

For details about the parameters that you can update in the Update Policy dialog box, see Creating a Policy.

Procedure

  • Update the parameters in the Update Policy dialog box.
  • Click Save .

Updating Static Routes

About this task

You can update a static route using the Update Static Routes dialog box. You can open the Update Static Routes dialog box either from the VPC list view or the VPC details view.

Note: You must configure the default route (0.0.0.0/0) to the external subnet as the next hop for connectivity outside the cluster (north-south connectivity).
  • On the VPC details view, select the VPC you want to update and click the Update option in the top menu.
  • On the VPC details view, click the Edit option provided in the Actions menu for the selected VPC.

The Update Static Routes dialog box has the same parameters as the Create Static Routes dialog box.

For details about the parameters that you can update in the Update Static Routes dialog box, see Creating Static Routes.

Procedure

  • Update the parameters in the Update Static Routes dialog box.
  • Click Save .

Deleting a Virtual Private Cloud

About this task

Prism Central does not allow you to delete a VPC if the VPC is associated with any subnets and/or VPNs. After you remove all the subnets or VPN associations from the VPC, delete the VPC.

You can delete a VPC from the VPC list view or the VPC details view.

Procedure

  • Do one of the following.
    • To delete a VPC from the VPC list view, select the VPC you want to delete and click Delete in the Actions drop down menu.
    • To delete a VPC from the VPC details view, click the VPC name to go to the VPC details view and click the Delete option in the More drop down menu.
  • In the confirmation dialog box, do the following.
    • Click Delete to delete the VPC.
    • Click Cancel to exit without deleting the VPC.

Deleting Subnets, Policies or Routes

About this task

You can delete VPC entities such as subnets, policies or routes from the VPC details page.

Note: You cannot update or delete the default policy.

Do the following.

Procedure

  1. Open the VPC details page and go to the respective tab like Subnets , Policies or Routes .
  2. Click the Delete option provided for the selected entity (subnet, policy or route respectively).
  3. In the confirmation dialog box, do the following.
    • Click Delete to delete the entity.
    • Click Cancel to exit without deleting the entity.

Connections Management

This section covers the management of network gateways, VPN connections and subnet extensions including operations like create, update and delete network gateways and VPN connections, and extending subnets.

Network Gateway Management

You can create, update or delete network gateways that host one of VPN or VTEP service for connections.

Creating a Network Gateway

About this task

VPN or s connect two networks together, and can be used in both VLAN and VPC networks on AHV. In other words, you can extend the routing domain of a VLAN network or that of a VPC using a VPN. Accordingly, VPN gateways can be configured using VLANs or VPCs. You need VPN gateways on clusters to provide a gateway to the traffic between on-premise clusters or remote sites.

You can create multiple VPN gateways for a VPC. Since a VPC is configured only on a PC, the VPC is available to all the clusters registered to that PC.

A VPN gateway may be defined as a Local gateway or a Remote gateway based on where the traffic needs to be routed.

To create a VPN gateway, do the following on the Networking & Security > Connectivity > Gateways page.

Procedure

  1. Select Local or Remote in the Create Gateway drop-down menu.
    If you select Local in the drop-down menu, the Create Local Gateway dialog box opens. If you select Remote in the drop-down menu, the Create Remote Gateway dialog box opens.

  2. Provide the necessary values in the respective fields as described in the table.
    For example, if you select Local in the drop-down menu, then the Create Local Gateway dialog box opens. Provide the necessary values in the respective fields as described in the table.
    Figure. Sample Create Local Gateway - VM Deployment Click to enlarge

    Figure. Sample Create Local Gateway - VPN Service Configuration Click to enlarge

    Figure. Sample Create Local Gateway - VTEP Service Configuration Click to enlarge

    Figure. Sample Create Remote Gateway - VPN Gateway Service Click to enlarge

    Figure. Sample Create Remote Gateway - VTEP Gateway Service Click to enlarge

Table 1. Local Gateway Fields
Fields Description Values
VM Deployment
Name Enter a name for the network gateway. (Name)
Gateway Attachments (for Local gateway type only) Select the gateway attachment as VPC or VLAN . The VPN VM is deployed on a VPC VM or a cluster that has the selected VLAN respectively.
  1. If you select VPC , then VPC Attachment is displayed. VPC is the default value for the Gateway Attachments field. The Gateway VM is deployed on the cluster and associated with the VPC selected in the VPC Attachment section.

    VPC attachment mode provides the options of eBGP and Static routing methods for external routing (configured in the External Routing Configuration section).

  2. If you select VLAN , then the VLAN Attachment is displayed. The Gateway VM is deployed on the cluster that has the VLAN and the subnet specified in the VLAN Attachment section.

    VLAN attachment mode provides only the eBGP routing method for external routing.

(VLAN or VPC)
Gateway VM Deployment - VPC Attachment
Cluster Select the cluster on which you want to deploy the Gateway VM on. (Name of the cluster)
VPC (If Gateway Attachment type is VPC) Select the VPC configured on the selected cluster that you want to use for the Gateway VM deployment. (Name of the VPC selected)
Floating IP (Optional)

Select a floating IP for the network gateway configuration. If you do not select a floating IP address then Prism Central allocates a floating IP automatically. This allocated floating IP is deleted when you delete the gateway.

To request floating IPs and allocate them to subnets, see Requesting Floating IPs

(IP address)
Gateway VM Deployment - VLAN Attachment
Cluster Select the Cluster, from the drop down list, on which you want to deploy the Gateway VM on.
Note: Only clusters with VLANs are available in the list.
(Name of the cluster)
Subnet Select the subnet you want to attach the Gateway VM to, from the drop down list.
Note: The list includes all the subnets you created on the selected cluster.
After you select the subnet, the details of the subnet are displayed in a box below the Subnet field. The details include: VLAN ID, IPAM type being Managed or Unmanaged, and Network Address with Prefix.
(Name of the VLAN subnet)
Static IP Address for VPN Gateway VM Enter the static IP address that the Gateway VM needs to use. (IP Address with Prefix)
Default Gateway IP Enter the default gateway IP of the subnet for the Gateway VM. (IP Address)
Service Configuration
Gateway Service Select the gateway service you want to use for the gateway. (VPN or VTEP)
VPN Service Configuration - External Routing Configuration (This section is available for VLAN and VPC attachment types)
Routing Protocol
  1. For VPC gateway attachments: Select Static for static routing.
    Note: You need to create static routes (see Creating Static Routes) for external routing and attach the route to the VPC selected in this configuration.
  2. Select eBGP for eBGP based external routing.
  3. For VLAN gateway attachments: External routing protocol is pre-set to eBGP . You cannot change the routing protocol.
(Static or eBGP)
Redistribute Connected Routes (Applicable only if VLAN type gateway attachment is selected) ( VLAN only) Select this checkbox to enable the redistribution of connected routes into the eBGP. (Check mark or blank)
ASN (Only available if eBGP routing protocol is selected)

(For eBGP only) Enter the ASN for your on-prem gateway. If you do not have a BGP environment in your on-prem site, you can choose any number. For example, you can choose a number in the 65000 range.

Note: Make sure that this ASN does not conflict with any of the other on-premises BGP ASNs.

ASN must be distinct in case of eBGP.

(Number)
eBGP Password (For eBGP in Local gateway type only) Enter the eBGP password for the eBGP route. (Password: The password must be between 1 and 80 characters.
  • Characters allowed for Pre-Shared Key for IPSec

    • a-z

    • A-Z

    • 0-9

    • ~ ! @ # % ^ & * ( ) _ - + = : ; { } [ ] | < > , . / ? $

    • Password length: Minimum 1 and maximum 64 characters.

  • Characters allowed for BGP passwords
    • a-z

    • A-Z

    • 0-9

    • ~ ! @ # % ^ & * ( ) _ - + = : ; { } [ ] | < > , . / ? $

    • Password length: Minimum 1 and maximum 80 characters.

)
VPN Service Configuration - Internal Routing Configuration (This section is available for VLAN attachment type only.)
Routing Protocol (Between On-prem Gateway and On-prem Router) Select the Routing Protocol to be used between on-premises Nutanix gateway and on-premises router.

You can select:

  • Static : Select this protocol to provide a static route configuration for the VLAN gateway.

  • OSPF : Select this protocol to provide an OSPF routing configuration for the VLAN gateway.

  • iBGP : Select this protocol to provide a iBGP route configuration for the VLAN gateway.
    Note: For iBGP, the ASN must be the same between the Gateway appliance and the peer iBGP, when iBGP is selected as the internal routing protocol.
(Static or OSPF or iBGP)
+Add Prefix (Applicable to Static routing)

(For Static routing selected in Routing Protocol ) Click this to enter a Local Prefix and click the check mark under Actions to add the prefix.

If you click the X mark under Actions , the local prefix you entered is not added.

The prefixes you add are advertised to all the connected peers via eBGP.

The prefix must be a valid IP address with the host bits not set.

You can add multiple local prefix IP addresses.

(prefix like /24)
Area ID (Applicable to OSPF protocol) (OSPF only) Enter the OSPF area id in the IPv4 address format.
Password Type (OSPF only) Select the password type you want to set for the OSPF route. The options are:
  1. MD5 : Select this option to encrypt the packets with MD5 hash that can be decrypted with the MD5 password at the destination.

  2. Plain Text : Select this option to set a clear-text password.

  3. None : Select this if you do to set an open route without password protection

Password

(OSPF only) Enter a password for the MD5 or Plain Text password type you select in the Password Type field.

  • For MD5 : The password must be 1-16 characters long.

    Characters allowed for OSPF passwords (MD5)

    • a-z

    • A-Z

    • 0-9

  • For Plain Text : The password must be 1-8 characters long.

    Characters allowed for OSPF passwords (Plain text): a-z.

Peer IP (for iBGP) Enter the IP Address of the On-prem router used to exchange routes with the network gateway. (IP Address)
Password Enter a password with 1-80 characters. (Password)
VTEP Service Configurations
VxLAN (UDP) Port The default value provided is 4789. Do not change this. (Number. Default value is 4789)
Table 2. Remote Gateway Fields
Fields Description Values
Name Enter a name for the network gateway. (Name)
Gateway Service Select the gateway service you want to use for the gateway. (VPN or VTEP)
VPN Service Configurations
Public IP Address Enter the public IP address of the remote endpoint. If a Floating IP is not selected, a new Floating IP is automatically allocated for the Gateway. These allocated IP addresses are deleted when the network gateway is deleted. (IP Address)
Vendor Select the vendor of the third party gateway appliance. (Name of Vendor)
External Routing
Protocol
  1. Select Static for static routing.
    Note: You need to create static routes (see Creating Static Routes) for external routing and attach the route to the VPC selected in this configuration.
  2. Select eBGP for eBGP based external routing.
(Static or eBGP)
eBGP ASN (Only available if eBGP routing protocol is selected)

(For eBGP only) Enter the ASN for your on-prem gateway. If you do not have a BGP environment in your on-prem site, you can choose any number. For example, you can choose a number in the 1-65000 range.

Note: Make sure that this ASN does not conflict with any of the other on-premises BGP ASNs.

ASN must be distinct in case of eBGP.

(Number)
VTEP Service Configurations
VTEP IP Address Enter VTEP IP Addresses of the remote endpoints that you want to create the gateway for. You can add IP addresses of multiple endpoints in one remote gateway. (Comma separated list of IP Addresses)
VxLAN (UDP) Port The default value provided is 4789. Do not change this. (Number. Default value is 4789)
  1. Click Save .

What to do next

The Gateway you create is displayed in the Gateways page.

Updating a Network Gateway

About this task

You can update a network gateway using the Update Gateway dialog box.

You can open the Update Gateway dialog box. The parameters in the Update Gateway dialog box are the same as those in the Create Local Gateway or Create Remote Gateway dialog box.

Procedure

  1. Select the gateway you want to update on Gateways .
  2. Click Update in the Actions menu.
  3. Update the required details in the Update Gateway dialog box.
    You cannot modify some information. Such fields are greyed and in-actionable. If you need to modify such information, consider creating a new gateway with the updated parameters and deleting the current gateway.
  4. Click Save .

Deleting a Network Gateway

About this task

If you want to delete a network gateway, you must first delete all the VPN connections associated with the gateway and only then you can delete the network gateway.

To delete a network gateway, do the following on the Gateway page.

Procedure

  1. Do one of the following.
    • Select the check box next to the name of the gateway and, in the Actions drop-down list, click Delete .
    • Click the name of the gateway and, in the details page, click Delete .
  2. In the confirmation dialog box, do the following.
    • Click Delete to delete the entity.
    • Click Cancel to exit without deleting the entity.

Virtual Network Connections

Virtual Private Network

You can use the Nutanix VPN solution to set up VPN between your on-prem clusters, which exist in distinct routing domains that are not directly connected. These distinct routing domains could either be VPCs within the same cluster or remote clusters or sites.

If you need to connect one Nutanix deployment in one site to another deployment in a different site, you can create a VPN endpoint in each of the sites. A VPN endpoint consists of a local VPN gateway, remote VPN gateway and VPN connection. Local VPN gateway can be instantiated in a VPC context or a legacy VLAN context. Launching the VPN gateway within a VPC allows stretching of the VPC. For example, in the figure, the Blue VPC is stretched between two sites with a VPN.

Figure. VPN Working Click to enlarge

VPN connections are useful in connecting two points. You can connect two VPCs in the same cluster using a VPN or VPCs in different clusters in the same site. However, VPN connection can connect only one endpoint to another endpoint. Flow virtual networking based VPN service allows you to only connect two endpoints that use Nutanix VPN based gateway service.

Virtual Tunnel End Points Based Network Extensions

To connect one endpoint to multiple endpoints or third party (non Nutanix) networks, use Virtual Tunnel End Point (VTEP) service based subnet extensions. For more information about VTEP, see Layer 2 Virtual Subnet Extension Over VTEP.

VPN Workflow

If you need to connect one Nutanix deployment in one site to another deployment in a different site, you can create a VPN endpoint in each of the sites. A VPN endpoint consists of a local VPN gateway, remote VPN gateway and VPN connection. You can configure multiple VPN endpoints for a site.

Each endpoint must have configurations for a local VPN gateway, remote VPN gateway (pointer information for the peer local VPN in the remote site endpoint) and a VPN connection (connecting the two endpoints). Then, based on the VPN connection configuration as initiator or acceptor, one endpoint initiates a tunnel and the endpoint at the other end accepts the tunnel connection and, thus, establishes the VPN tunnel.

  1. Gateways: Every VPN endpoint for each site consists of two VPN gateway configurations - Local and Remote.

    Local gateway is a VM that runs the VPN protocols (IKEv2, IPSec) and routing (BGP and OSPF). Remote gateway is a pointer - database entry - that provides information about the peer remote VPN endpoint. One of the key information contained in the remote gateway is the source IP of the remote VPN endpoint. For security reasons, the local VPN gateway will accept IKEv2 packets originating only from this Source IP.

    VPN gateways are of the following types:

    • On premises Nutanix VPN Gateway: Represents the VPN gateway appliance at your on-premises local or remote site if you are using the Nutanix VPN solution.

    • On premises Third Party Gateway: Represents the VPN gateway appliance at your on-prem site if you are using your own VPN solution (provided by a third-party vendor).

      To configure third party VPN Gateways, see the relevant third party documentation.

  2. VPN Connection: Represents the VPN IPSec tunnel established between local gateway and remote gateway. When you create a VPN connection, you need to select two gateways between which you want to create the VPN connection.

VPN appliances perform the following:

  1. Implementation of IKEv2 and IPSec protocols.
  2. Routing: Between remote sites, Flow virtual networking advertises prefixes using eBGP. Optionally it uses Static routing. Within a site, Flow virtual networking uses iBGP or OSPF to share prefixes between the Nutanix VPN appliance and the edge router.

Prerequisites for VPN Configurations

General Requirements

  • Ensure that you have enabled Flow virtual networking with microservices Infrastructure.

  • Ensure that you have floating IP addresses when you create VPN gateways.

    Flow virtual networking automatically allocates a floating IP to a VPN gateway if you do not provide one during the VPN gateway creation. To provide floating IP during the VPN gateway creation, you can request floating IPs. See Requesting Floating IPs.

  • Ensure that you have one of the following, depending on whether you are using iBGP or OSPF:

    • Peer IP (for iBGP): The IP address of the router to exchange routes with the VPN gateway VM.

    • Area ID (for OSPF): The OSPF area ID for the VPN gateway in the IP address format.

  • Ensure that you have the following details for the deployment of the VPN gateway VM:

    • Public IP address of the VPN Gateway Device: A public WAN IP address that you want the on-prem gateway to use to communicate with the Xi VPN gateway appliance.

    • Static IP Address: A static IP address that you want to allocate to the VPN gateway VM. Use a floating IP address requested as the static IP address.

    • IP Prefix Length: The subnet mask in CIDR format of the subnet on which you want to install the VPN gateway VM. You can use an overlay subnet used for a VPC and assigned to the VM that you are using for the VPN gateway.

    • Default Gateway IP: The gateway IP address for the on-premise VPN gateway appliance.

    • Gateway ASN: ASN must not be the same as any of your on-prem BGP ASNs. If you already have a BGP environment in your on-prem site, the customer gateway is the ASN for your organization. If you do not have a BGP environment in your on-prem site, you can choose any number. For example, you can choose a number in the 65000 range.

Ports and Protocols

Nutanix deploys a number of ports and protocols in its software. ports that must be open in the firewalls to enable Flow Virtual Networking to function. To see the ports and protocols used Flow Virtual Networking , see Port Reference.

Endpoints and Terminations

The following endpoints and terminations occur in the course of Flow virtual networking based connections. For information about creating, updating or deleting VPN connections, see Connections Management.

Note: In a VPN connection do not configure both the gateways (local gateway and remote gateway) in an endpoint as Initiators or as Acceptors. If you configure the local gateway as Initiator then configure the remote gateway as Acceptor in one endpoint and vice-versa in the (other) remote endpoint.
VPN Endpoint Behind a Network Address Translation or Firewall Device

In this scenario, the IPSec tunnel terminates behind a network address translation (NAT) or firewall device. For NAT to work, open UDP ports 500 and 4500 in both directions.

Figure. VPN Endpoint Behind NAT or Firewall Click to enlarge

Things to do in NAT Things to do in on-prem VPN GW
Open UDP ports 500 and 4500 on both directions

Enable the business application policies to Allow the commonly-used business application ports.

IPSec Terminates on the Firewall Device

In this scenario, you do not need to open the ports for NAT (500 and 4500).

However, enable the on-prem VPN gateway to allow the traffic from the PC subnet to the advertised load balancer route where the Source port is any and the Destination port may be in the range of 1024-1034.

The PC subnet refers to the subnet where your Prism Central is running.

Figure. Tunnel Terminates on NAT or Firewall Click to enlarge

Creating a VPN Connection

About this task

Create a VPN connection to establish a VPN IPSec tunnel between VPN gateways in your on-prem site. Select the gateways between which you want to create the VPN connection.

To create a VPN connection, do the following on the Networking > VPN Connections page.

Procedure

  1. Click the Create VPN Connection button on the VPN Connections page.
  2. In the Create VPN Connection dialog box, provide the values in the respective fields.
Fields Description and Values
Name Enter a name for the connection.
VPN Connection
IPSec Secret Enter a secret password for the IPSec connection. To see the password, click Show . To hide the password, click Hide .
Local Gateway Select the connection parameters on the local gateway as Initiator or Acceptor of VPN Tunnel connections.
VPN Gateway Select the appropriate VPN Gateway as the local gateway for the VPN connection
VTI Prefix - Local Gateway Enter a IPv4 Address with /<prefix>. Example: 10.25.25.2/30.

This is the VPN Tunnel Interface IP address with prefix for the local gateway. The subnet for this IP address must be a /30 subnet with two usable IP addresses. One of the IP addresses is used for Local Gateway. Use the other IP address for the Remote Gateway.

Connection Handshake This defines the type of handshake that the connection must use. There are two types of connection handshakes:
  1. Initiator : The local VPN gateway acts as the initiator of the connection and thus initializes the VPN tunnel.
  2. Acceptor : The local VPN gateway accepts or rejects incoming connection requests from other gateways.
Note: In a VPN connection do not configure both the gateways (local gateway and remote gateway) in an endpoint as Initiators or as Acceptors. If you configure the local gateway as Initiator then configure the remote gateway as Acceptor in one endpoint and vice-versa in the (other) remote endpoint.
Remote Gateway For a specific VPN connection, set the remote gateway as Initiator or Acceptor when you configure the VPN connection on the Remote Gateway.
VPN Gateway Select the appropriate VPN Gateway as the remote gateway for the VPN connection.
VTI Prefix - Remote Gateway The VPN Tunnel Interface IP address with prefix for the local gateway. Provide a IPv4 Address with /<prefix>. Example: 10.25.25.2/30.

This is the VPN Tunnel Interface IP address with prefix for the local gateway. The subnet for this IP address must be a /30 subnet with two usable IP addresses. One of the IP addresses is used for Local Gateway. Use the other IP address for the Remote Gateway.

Advanced Settings Set the traffic route priority for the VPN connection. The route priority uses Dynamic route priority because the priority is dependent on the routing protocol configured in the VPN gateway.
Route Priority - Dynamic Route Priority Set the route priority as an integer number. The greater the number, higher is the priority.
  1. Click Save .

What to do next

The VPN connection you create is displayed in the VPN Connections page.

Updating VPN Connection

About this task

You can update a VPN Connection using the Update VPN Connection dialog box.

You can open the Update VPN Connection dialog box. The parameters in the Update VPN Connection dialog box are the same as those in the Create VPN Connection dialog box.

Procedure

  1. Select the VPN Connection you want to update on the VPN Connection .
  2. Click Update in the Actions menu.
  3. Update the required details in the Update VPN Connection dialog box.
  4. Click Save .

Deleting a VPN Connection

About this task

To delete a VPN connection, do the following on the VPN Connection page.

Procedure

  1. Do one of the following.
    • Select the check box next to the name of the VPN connection and, in the Actions drop-down list, click Delete .
    • Click the name of the VPN connection and, in the details page, click Delete .
  2. In the confirmation dialog box, do the following.
    • Click Delete to delete the entity.
    • Click Cancel to exit without deleting the entity.

VPN Connection within Same Prism Central

You can connect two VPCs within the same Prism Central availability zone using a VPN connection.

About this task

Assume that you have created two VPCs named vpc-a and vpc-b with overlay subnets named subnet-a and subnet-b .

To connect the two VPCs within the same Prism Central using a VPN connection, do the following.

Procedure

  1. Do the following for local gateways:
    1. Create a local VPN gateway with dynamically assigned address for vpc-a , for example, named local-vpn-a . Note or write down the assigned IP address.
    2. Create a local VPN gateway with dynamically assigned address for vpc-b , for example, named local-vpn-b . Note or write down the assigned IP address.

    See Creating a Network Gateway for more information about creating a VPN gateway.

  2. Do the following for remote gateways:
    1. Create a remote VPN gateway with the IP address noted in 1.a for vpc-a , for example, named remote-vpn-a .
    2. create a local VPN gateway with the IP address noted in 1.b for vpc-b , for example, named remote-vpn-b .

    See Creating a Network Gateway for more information about creating a VPN gateway.

  3. Create a VPN connection between vpc-a and vpc-b named, for example, vpn-conn-a-to-b .
    Ensure that the VTI IP addresses for the local and remote gateways is unique with /30 prefix.
    Note: The VPN Tunnel Interface IP address with prefix for the local gateway. The subnet for this IP address must be a /30 subnet with two usable IP addresses. One of the IP addresses is used for Local Gateway. Use the other IP address for the Remote Gateway.

    Ensure that you select local-vpn-a as the local gateway with Connection Handshake set as Acceptor .

    Ensure that you select remote-vpn-b as the remote gateway.

  4. Create a VPN connection between vpc-b and vpc-a named, for example, vpn-conn-b-to-a .
    Ensure that the VTI IP addresses with /30 prefix for local and remote gateways are the reverse (vice versa) of what you configured for the VPN connection in previous step. For example, if in previous step you configured the VTI IP addresses as 10.20.20.5/30 for local and 10.20.20.6/30 for remote then for VPN connection in this step, configure 10.20.20.6/30 for local gateway and 10.20.20.5/30 for remote gateway respectively. These IP addresses do not need to be reachable anywhere else in the network. However, ensure that these IP addresses do not overlap with any other IP addresses assigned in the network.

    Ensure that you select local-vpn-b as the local gateway with Connection Handshake set as Initiator .

    Ensure that you select remote-vpn-a as the remote gateway.

Layer 2 Virtual Network Extension

You can extend a subnet between on-prem local and remote clusters or sites (Availability Zones or AZs) to support seamless application migration between these clusters or sites.

Note: One or more on-prem cluster or sites managed by one Prism Central instance is defined as an Availability Zone or AZ. In this section, Availability Zone or AZ refers to and must be understood as one or more on-prem clusters or sites managed by one Prism Central. Local AZ refers to local on-prem clusters or sites managed by a Prism Central instance and remote AZ refers to another on-prem cluster or site managed by another Prism Central instance.

With Layer 2 subnet extension, you can migrate a set of applications to the remote AZ while retaining their network bindings such as IP address, MAC address, and default gateway. Since the subnet extension mechanism allows VMs to communicate over the same broadcast domain, it eliminates the need to re-architect the network topology, which could otherwise result in downtime.

Layer 2 extension assumes that there are underlying existing layer 3 connectivity already available between the Availability Zones. You can extend a subnet from a remote AZ to the primary (Local) AZ (and other remote AZs in case of VTEP-based subnet extensions)

  • You can extend a Layer 2 subnet across two Nutanix AZs over either VPN or Virtual tunnel End Point (VTEP). SeeLayer 2 Virtual Subnet Extension Over VPN.
  • You can extend a Layer 2 subnet between a Nutanix AZ and one or more non-Nutanix datacenters only over VTEP. See Layer 2 Virtual Subnet Extension Over VTEP.

You can extend subnets for the following configurations.

  • IPAM Type. Managed and unmanaged networks.
  • Subnet Type. On-prem VLAN subnets and VPC subnets.
  • Traffic Type. IPv4 unicast traffic and ARP.
  • On-prem Hypervisor. AHV and ESXi
    Note: If your cluster is ESXi, use vCenter Server to manually configure the port group attached to the subnet you want to extend. Set the security settings, Promiscuous mode and Forged transmits to Accept on the vSwitch as shown in the following image.
    Figure. ESXi Host Port Group Configuration Click to enlarge ESXi port group settings

Prerequisites for Setting Up Subnet Extension

Ensure the following before you configure Layer 2 subnet extension between your on-prem AZs.

  • Ensure that the Prism Central versions support Layer 2 virtual subnet extension as specified in the Release Notes. See AOS Family Release Notes and Release Notes | Prism Central as applicable.

    See the Prism Central Upgrade and Installation Guidelines and Requirements section of the Acropolis Upgrade Guide for instructions about how to upgrade a Prism Central instance through the Prism Central web console.

  • Ensure that you pair the Prism Central at the local AZ with the Prism Central at the remote AZ to use Create Subnet Extension wizard to extend a subnet across the AZs and facilitate bidirectional communication between these clusters or sites. Using paired availability zones it is possible to configure both VXLAN over VPN and VTEP based subnet extension. You can also extend subnets using the manual gateway and connection workflows instead of pairing the AZs.

    See the Pairing AZs (Nutanix Disaster Recovery) for instructions about how to pair the local and remote AZs.

  • Ensure that you set up a default static route with 0.0.0.0/0 prefix and the External Network next hop for the VPC you use for any subnet extension. This allows NTP and DNS access for the Network Gateway appliance.

Best Practices for Subnet Extension

Nutanix recommends the following configurations to allow IP address retention for VMs on extended subnets.

  • When using Nutanix IPAM ensure the address ranges in the paired subnets are unique to avoid conflict between VM IP addresses across extended subnets.
  • If the source and target sites use third-party IPAM, ensure that there are no conflicting IP address assignments across the two sites.
    Note: If the source and target sites use Nutanix IPAM, the Prism Central web console displays a message that indicates an IP address conflict if one exists.
  • If connectivity between sites already provides encryption, consider using VTEP only subnet extension to reduce encryption overhead.
  • Use the Subnet Extension to a Third Party Data-Center workflow in the following scenarios
    • To extend a subnet to more than one other AZ. This is also known as point to multi-point.
    • To extend subnets between clusters managed by the same Prism Central.

Subnet Extension Workflow

You can manage Layer 2 subnet extension on the Subnet Extensions tab of the Connectivity page. Open the Subnet Extensions by clicking the hamburger icon in the top-left corner of the Dashboard and then clicking Connectivity .

  • You can create point-to-point Layer 2 subnet extensions between two AZs over VPN or VTEP by opening the Create Subnet Extension Across Availability Zones dialog box. See Extending a Subnet Over VPN for VPN-based extensions. See Extending a Subnet Across Availability Zones Over VTEP for VTEP-based extensions.

  • You can create point-to-point or point-to-multipoint Layer 2 subnet extensions to third party datacenters over VTEP by opening the Create Subnet Extension To A Third Party Data-Center dialog box. See Extending a Subnet to Third Party Datacenters Over VTEP.

  • You can update a subnet extension that extends across AZs using the Update Subnet Extension Across Availability Zones dialog box. The Update Subnet Extension Across Availability Zones has the same parameters and fields as the Create Subnet Extension Across Availability Zones dialog box. You can open the Update Subnet Extension Across Availability Zones dialog box by:

    • Selecting the subnet extended across AZs in the Subnet Extensions and clicking the Update button.

    • Clicking the subnet extended across AZs in the Subnet Extensions and clicking the Update button on the Summary tab.

You can update a subnet extension that extends to multiple AZs or third party datacenters using the Update Subnet Extension To A Third Party Data-Center dialog box. Update Subnet Extension To A Third Party Data-Center dialog box has the same parameters and fields as the Create Subnet Extension To A Third Party Data-Center dialog box. You can open the Update Subnet Extension To A Third Party Data-Center dialog box by:

  • Selecting the subnet extended to third datacenters in the Subnet Extensions and clicking the Update button.

  • Clicking the subnet extended to third datacenters in the Subnet Extensions and clicking the Update button on the Summary tab.

See Updating an Extended Subnet.

Layer 2 Virtual Subnet Extension Over VPN

Subnet extension using VPN allows seamless, secure migration to a new datacenter or for disaster recovery. VPN based Layer 2 extension provides secure point to point connection to migrate workloads between Availability Zones. Consider VTEP-only Subnet Extension without VPN when encryption is not required.

Subnet extension using VPN is useful:

  • When the two Availability Zones (where the subnets to be extended belong) do not have any underlying secure connectivity. For example, when connecting over the Internet, VPN (IPSec) provides the necessary connectivity and encryption (security).
  • Sometimes when you need to move (lift-and-shift) workloads from a VLAN subnet to a VPC subnet retaining the same VM IP addresses . You need connectivity from other subnets to workloads that have already migrated to VPC. In such cases, VPN provides the Layer 3 connectivity and encryption between the VPC segment of extended subnet to other VLAN subnets.

Prerequisites for Setting Up Subnet Extension Over VPN

  • See Layer 2 Virtual Network Extension for general prerequisites to extend subnets.

  • Set up VPN gateway services and a VPN connection between local AZ and the remote AZ. The subnet extension feature supports only the Nutanix VPN solution (not a third-party VPN solution) at the both the local and remote AZs. See the Virtual Network Connections for instructions about how to upgrade the VPN gateway VM at the local and remote clusters or sites.
    Note: Ensure that the VPN gateway version is 5.0 or higher. See the Updating a Network Gateway section for instructions about how to upgrade the network gateway at the local and remote sites.
  • Configure subnets with the same IP CIDR prefix at the source and target sites. For example, if the IP prefix at one site is 30.0.0.0/24, the IP prefix at the other site must also be 30.0.0.0/24. The network and mask must match at both AZs.
  • Configure distinct DHCP pools for the source and target sites with no IP address overlap. Separate DHCP pools ensure no IP address conflicts occur for dynamically assigned IP addresses between the two AZs.
  • Procure two free IP addresses, one from each subnet, for the Network Gateway in the subnets to be extended. These IP addresses are configured as local IP address and remote IP address for the subnet extension in the Subnet Extension wizard. These two free IP addresses are the externally accessible IP addresses for the local gateway, and the remote gateway. Those two usable IP addresses are already contained inside the VPN connection and must not conflict with the following:
    • DHCP pools on any of the Availability Zones.
    • Gateway IP address on any of the Availability Zones.
    • IP addresses allocated to existing user VMs on any of the Availability Zones.
    • IP addresses used by Network Gateway Management NIC subnet (IP pool 100.64.1.0/24)

Limitation

To use subnet extension over a VPN, both sites must use the VPN service of the Nutanix Network Gateway. Consider VTEP-only subnet extension to connect to non-Nutanix third party sites.

Pairing AZs (Nutanix Disaster Recovery)

To replicate entities (protection policies, recovery plans, and recovery points) to different on-prem AZs (AZs) bidirectionally, pair the AZs with each other. To replicate entities to different Nutanix clusters at the same AZ bidirectionally, you need not pair the AZs because the primary and the recovery Nutanix clusters are registered to the same AZ (Prism Central). Without pairing the AZs, you cannot perform DR to a different AZ.

About this task

To pair an on-prem AZ with another on-prem AZ, perform the following procedure at either of the on-prem AZs.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the hamburger icon at the top-left corner of the window. Go to Administration > AZs in the left pane.
    Figure. Pairing AZ
    Click to enlarge Pairing AZ

  3. Click Connect to AZ .
    Specify the following information in the Connect to Availability Zone window.
    Figure. Connect to AZ
    Click to enlarge Connect to AZ

    1. AZ Type : Select Physical Location from the drop-down list.
      A physical location is an on-prem AZ (AZ). To pair the on-prem AZ with Xi Cloud Services, select XI from the drop-down list, and enter the credentials of your Xi Cloud Services account in step c and set d.
    2. IP Address for Remote PC : Enter the IP address of the recovery AZ Prism Central.
    3. Username : Enter the username of your recovery AZ Prism Central.
    4. Password : Enter the password of your recovery AZ Prism Central.
  4. Click Connect .
    Both the on-prem AZs are paired to each other.

Extending a Subnet Over VPN

The subnet extension allows VMs to communicate over the same broadcast domain to a remote site or Availability Zone (AZ).

Before you begin

See Layer 2 Virtual Network Extension and Layer 2 Virtual Subnet Extension Over VPN for information on prerequisites and best practices for extending a subnet.

About this task

Perform the following procedure to extend a subnet from the on-prem site.

Procedure

  1. Click the hamburger icon in the top-left corner of the Dashboard > Networking & Security > Connectivity > Subnet Extension .
  2. On the Subnet Extension page, select Create Subnet Extension > Across Availability Zones .
  3. In the Create Subnet Extension Across Availability Zones dialog box, enter the necessary details as described in the table.
    Figure. Create Subnet Extension Across Availability Zones Click to enlarge Create Subnet Extension Across Availability Zones using VPN service

Fields Description Values
Extend Subnet over a Select the gateway service you want to use for the subnet extension. (VPN or VTEP)
Note: Configure the following fields for the Local and the Remote sides of the dialog box.
Availability Zone (For Local) Local AZ is pre-selected default.

(For Remote) Select the appropriate AZ from the drop-down list of AZs.

(Local: Local AZ)

(Remote: Dropdown list of AZs.)

Subnet Type Select the type of subnet that you want to extend. (VLAN or Overlay)
Cluster Displayed if your selected VLAN subnet. Select the cluster from the dropdown list of clusters. (Name of cluster selected from dropdown list)
VPC Displayed if your selected Overlay subnet. Select the appropriate VPC from the dropdown list of VPCs. (Name of VPC selected from dropdown list)
Subnet Select the subnet that needs to be extended. (Name of subnet selected from dropdown list)
(Network Information frame) Displays the details of the VLAN or Overlay network that you selected in the preceding fields. (Network information)
Gateway IP Address/Prefix Displays the gateway IP address for the subnet. This field is already populated based on the subnet selected. (IP Address)
(Local or Remote) IP Address Enter a unique and available IP address that are externally accessible IP addresses in Local IP Address and Remote IP Address . (IP Address)
VPN Connection Select the appropriate VPN Connection from the dropdown list that Flow virtual networking must use for the subnet extension. See Creating a VPN Connection for instructions to create VPN connection. (Name of VPN connection selected from the dropdown list)
  1. Click Save .

    A successful subnet extension is listed on the Subnet Extension dashboard. See .

Layer 2 Virtual Subnet Extension Over VTEP

Subnet extension using Virtual tunnel End Point (VTEP) allows seamless migration to new datacenters or for disaster recovery. VTEP based Layer 2 extension provides point-to-multipoint connections to migrate workloads from one Availability Zone to multiple Availability Zones without encryption. If you need security and encryption, consider using Subnet Extension over VPN.

Subnet extension using VTEP is useful:

  • When both subnets that need to be stretched are Nutanix subnets (managed or unmanaged). VTEP provides an optimized workflow to stretch the two subnets.
  • When both subnets are connected over an existing private and secure link that does not need additional encryption.
  • When one Nutanix subnet needs to be stretched across one or more non-Nutanix networks, sites, or datacenters. Subnet Extension with third-party VTEPs provides point-to-multipoint connectivity to third party datacenters assuming that there is underlying layer 3 connectivity between these VTEPs.

VTEP-based Layer 2 Subnet Extension provides the following advantages:

  • Layer 2 subnet extension from one AZ to multiple AZs.
  • Layer 2 subnet extension between Nutanix AZs and non-Nutanix third party VTEP-based AZs.
  • The Remote VTEP Gateway is a set of endpoint IP addresses. You can add endpoint IP addresses to an existing operational Remote VTEP Gateway without stopping the subnet extension services. This on-the-fly addition enables you to extend the subnets to more AZs than originally planned, or perform maintenance, without disrupting the running services or configuring new remote VTEP gateways.

Prerequisite for Setting Up Subnet Extension Over VTEP

  • See Layer 2 Virtual Network Extension for general prerequisites to extend subnets.

  • Set up VTEP local and remote gateway services on local and remote AZs. In case of point-to-multipoint extension, ensure that you create local and remote VTEP gateways on all the remote AZs that the subnet needs to be extended to.

  • For each extended subnet within the same Network Gateway appliance ensure that you have unique VxLAN Network Identifiers (VNIs) that you can use for the VTEP subnet extensions. VNI may be any number between 0 and 16777215.

Extending a Subnet Across Availability Zones Over VTEP

The subnet extension over VTEP allows VMs to communicate two Availability Zones (AZ) without a VPN connection.

Before you begin

See Layer 2 Virtual Network Extension and Layer 2 Virtual Subnet Extension Over VTEP for information on prerequisites and best practices for extending a subnet.

About this task

To extend a subnet over VTEP across two availability zones (AZs), do the following.

Procedure

  1. Open the Create Subnet Extension Across Availability Zones in one of the following ways:
    • On the Subnet Extensions tab, click > Create Subnet Extension > Across Availability Zones > .

    • In the Subnets dashboard, select the subnet you want to extend and click Actions > Extend > Across Availability Zones

    • In the Subnets dashboard, click the subnet you want to extend. On the subnet details page, click Extend > Across Availability Zones .

    Figure. Example of Create VTEP Extension Across AZs with VLAN Subnet Click to enlarge Displaying example of Create Subnet Extension Across Availability Zones for VLAN Subnet over VTEP

  2. For Extend Subnet over a , select VTEP .
  3. Enter or select the necessary values for the parameters in the Local and Remote (AZ) sections as described in the table.
Parameters Description and Value
Availability Zone Displays the name of the paired availability zone at the local AZ.
Subnet Type Select the type of the subnet - VLAN or Overlay that you are extending.
Cluster Select the name of the cluster in the local AZ that the subnet is configured for.
Subnet Select the name of the subnet at the local AZ for network. The VLAN ID and the IPAM - managed or unmanaged are displayed in the box below the Subnet field.
Gateway IP Address. Enter the gateway IP address of the subnet you want to extend. Ensure that you provide the IP address in <IP-address/network-prefix> format. for example the gateway IP is 10.20.20.1 in a /24 subnet then provide the gateway IP address as 10.20.20.1/24 .
Note: For an unmanaged network, enter the gateway IP address of the created subnet.
Local IP Address Enter a unique and available (unused) IP address from the subnet provided in Subnet for the Network Gateway appliance.
Remote IP Address Enter a unique and available (unused) IP address from the subnet provided in Subnet for the remote Network Gateway appliance.
Local VTEP Gateway Select the local VTEP gateway you created on the local AZ. See Creating a Network Gateway for information about creating VTEP gateways.
Remote VTEP Gateway Select the VTEP gateway you created on the remote AZ. See Creating a Network Gateway for information about creating VTEP gateways.
Connection Properties
VxLAN Network Identifier (VNI) Enter a unique number from the range 0-16777215 as VNI. Ensure that this number is not reused anywhere in the local or remote VTEP Gateways.
MTU The default MTU is 1392 to account for 108 bytes of overhead and the standard physical MTU of 1500 bytes. VPC Geneve encapsulation requires 58 bytes and VXLAN encapsulation requires 50. However, you can enter any valid MTU value for the network, taking this overhead into account. For example, if the physical network MTU and vs0 MTU are 1600 bytes, the Network Gateway MTU can be set to 1492 to account for 108 bytes of overhead. Ensure that the MTU value does not exceed the MTU of the AHV Host interface and all the network interfaces between the local and remote AZs.
  1. Click Save .
    After the subnet is extended, the extension appears in the Subnet Extensions list view.

Extending a Subnet to Third Party Datacenters Over VTEP

The subnet extension over VTEP allows VMs to communicate with multiple remote sites or Availability Zones (AZ) that may be third party (non-Nutanix) networks, or datacenters. It also provides the flexibility of adding more remote AZs to the same VTEP-based extended Layer 2 subnet. Examples of compatible VTEP gateways are switches from Cisco, Juniper, Arista, and others that support plain VXLAN VTEP termination.

About this task

To extend a subnet over VTEP across multiple availability zones (AZs) or third party datacenters, do the following.

Procedure

  1. Open the Create Subnet Extension To A Third Party Data-Center in one of the following ways:
    • On the Subnet Extensions tab, click > Create Subnet Extension > To A Third Party Data-Center

    • In the Subnets dashboard, select the subnet you want to extend and click Actions > Extend > To A Third Party Data-Center

    • In the Subnets dashboard, click the subnet you want to extend. On the subnet details page, click Extend > To A Third Party Data-Center .

    Figure. Example of Create VTEP Extension To A Third Party Data-Center with VLAN Subnet Click to enlarge Displaying example of Create Subnet Extension To A Third Party Data-Center for VLAN subnet over VTEP

  2. Enter or select the necessary values for the parameters in the Local , Remote (AZ), and Connection Properties sections as described in the table.
Parameters Description and Value
Local
Availability Zone Displays the name of the paired availability zone at the local AZ.
Subnet Type Select the type of the subnet - VLAN or Overlay that you are extending.
Cluster Select the name of the cluster in the local AZ that the subnet is configured for.
Subnet Select the name of the subnet at the local AZ for network. The VLAN ID and the IPAM - managed or unmanaged are displayed in the box below the Subnet field.
Gateway IP Address Enter the gateway IP address of the subnet you want to extend. Ensure that you provide the IP address in <IP-address/network-prefix> format. for example the gateway IP is 10.20.20.1 in a .24 subnet then provide the gatewway IP address as 10.20.20.1/24 .
Note: For unmanaged network, enter the gateway IP address of the created subnet.
Local IP Address Enter a unique and available (unused) IP address from the subnet provided in Subnet .
Local VTEP Gateway Select the local VTEP gateway you created on the local AZ. See Creating a Network Gateway for more information about creating a local VTEP gateway.
Remote
Remote VTEP Gateway Select the remote VTEP gateway you created on the local AZ. See Creating a Network Gateway for more information about creating a remote VTEP gateway.
Connection Properties
VxLAN Network Identifier (VNI) Enter a unique number from the range 0-16777215 as VNI. Ensure that this number is not reused anywhere in the networks that the Prism Central and Cluster are a part of.
MTU

The default MTU is 1392 to account for 108 bytes of overhead and the standard physical MTU of 1500 bytes. VPC Geneve encapsulation requires 58 bytes and VXLAN encapsulation requires 50. However, you can enter any valid MTU value for the network, taking this overhead into account. For example, if the physical network MTU and vs0 MTU are 1600 bytes, the Network Gateway MTU can be set to 1492 to account for 108 bytes of overhead. Ensure that the MTU value does not exceed the MTU of the AHV Host interface and all the network interfaces between the local and remote AZs.

  1. Click Save .
    After the subnet is extended, the extension appears in the Subnet Extensions list view.

Updating an Extended Subnet

The Update Subnet Extension Across Availability Zones dialog box has the same parameters and fields as the Create Subnet Extension Across Availability Zones dialog box.

About this task

You can update a subnet extension that extends across AZs using the Update Subnet Extension Across Availability Zones or the Update Subnet Extension To A Third Party data center dialog box. The Update Subnet Extension Across Availability Zones or the Update Subnet Extension To A Third Party data center dialog box has the same parameters and fields as the Create Subnet Extension Across Availability Zones or the Create Subnet Extension To A Third Party data center dialog box, respectively.

Based on the type of the subnet extension that you want to modify, refer to the following:

Procedure

  • Extending a Subnet Over VPN
  • Extending a Subnet Across Availability Zones Over VTEP
  • Extending a Subnet to Third Party Datacenters Over VTEP

Removing an Extended Subnet

Perform this procedure to remove the subnet extension.

About this task

This procedure deletes the extended subnet between the two Availability Zones (AZs) or between one Nutanix AZ and one or more third party subnets. Deleting the subnet extension does not automatically remove the network gateways or VPN connections that may have automatically been created by the Subnet Extension wizard. You need to separately delete these entities created automatically when the subnet was extended.

Note: Removing an extended subnet from a cluster or AZ (either source or target AZs) automatically deletes the extended subnet from the corresponding source or target AZs.

Procedure

  1. Click the hamburger icon in the top-left corner of the Dashboard .
    The main feature list appears.
  2. Click Network & Security > Connectivity > > Subnet Extensions .
    The Subnet Extensions tab displays a list of the extended subnets.
    Figure. Sample Subnet Extensions dashboard Click to enlarge Displaying the Delete action button for selected subnet extension

  3. Select the subnet extension you want to remove.
  4. Click Actions > Delete
    The confirmation dialog box is displayed.
  5. Click Remove .
    Click Cancel to close the dialog box without removing the subnet extension.

What to do next

Check the list in the Subnet Extensions tab to confirm that the subnet extension is removed.

Flow Networking Guide

Flow Virtual Networking pc.2022.1

Product Release Date: 2022-02-24

Last updated: 2022-12-09

Purpose

This Flow Networking Guide describes how to enable and deploy Nutanix Flow Networking on Prism Central.

Upgrading from EA Versions

If you have enabled the early access (EA) version of Flow Networking, disable it before upgrading the Prism Central and enabling the general availability (GA) version of Flow Networking.

Related Documentation

Links to Nutanix Support Portal software and documentation.

The Nutanix Support Portal provides software download pages, documentation, compatibility, and other information/

Documentation Description
Release Notes | Flow Networking Flow Networking Release Notes
Port Reference Port Reference: See this page for details of ports that must be open in the firewalls to enable Flow Networking to function.
Nutanix Security Guide Prism Element and Prism Central security, cluster hardening, and authentication.
AOS guides and release notes Covers AOS Administration, Hyper-V Administration for Acropolis, Command Reference, Powershell Cmdlets Reference, AOS Family Release Notes, and AOS release-specific Release Notes
Acropolis Upgrade Guide How to upgrade core and other Nutanix software.
AHV guides and release notes Administration and release information about AHV.
Prism Central and Web Console guides and release notes Administration and release information about Prism Central and Prism Element.

Flow Networking Overview

Enabled and administered from Prism Central, Flow Networking powers network virtualization to offer a seamless network experience with enhanced security. It is disabled by default.

To enable and use Flow Networking, ensure that you log on to Prism Central as a local account user with Prism Admin role. If you log on to Prism Central as a non-local account (IDP-based) user or without Prism Admin role privileges, then Prism Central does not allow you to enable or use Flow Networking. The task is reported as Failed with a User Denied Access message.

Note:

Nutanix deploys a number of ports and protocols in its software. ports that must be open in the firewalls to enable Flow Networking to function. To see the ports and protocols used Flow Networking, see Port Reference.

It is a software-defined network virtualization solution providing overlay capabilities for the on-prem AHV clusters. It integrates tools to deploy networking features like Virtual Private Cloud (VPC) and Virtual Private Network (VPN) to support flexible app-driven networking that focuses on VMs and applications instead of virtual LANs and network addresses.

After you enable it on Prism Central, Flow Networking delivers the following.

  • A simplified, Prism Central-based workflow that deploys the application-driven network virtualization feature.
  • A secure multi-tenancy solution allowing per-tenant isolation using VPC-based network segmentation and namespace isolation.
  • A secure VPN-based connectivity solution for multiple sites, with automated VPN bundle upgrades.
  • NAT-based secure egress to external networks, with IP address retention and policy-based routing.
  • Self-serve networking services using REST APIs.
  • Enhanced networking features for more effective disaster recovery.
    Note: You can enable network segmentation on a Layer 2 extended virtual subnet that does not have a gateway. For more information about Layer 2 subnet extensions, see Layer 2 Virtual Network Extension. For information about network segmentation of an extended layer 2 subnet, see Segmenting a Stretched L2 Network for Disaster Recovery in the Securing Traffic through Network Segmentation section of the Security Guide .

Deployment Workflow

You can enable Flow Networking using a simple Prism Central driven workflow, which installs the network controller. The network controller is a collection of containerized services that run directly on the Prism Central VM(s). The network controller orchestrates all the virtual networking operations.

  • Ensure that microservices infrastructure is enabled in Prism Central Settings > Prism Central Management . See Prism Central Guide for information about enabling microservices infrastructure.
  • Enable Flow Networking in Prism Central Settings > Advanced Networking . It is disabled by default. See Enabling Flow Networking

  • You can opt out of Flow networking by disabling the Advanced Networking option subject to prerequisites to disable advanced networking. See Disabling Flow Networking.

  • You can deploy Flow Networking in a dark site (a site that does not have Internet access) environment. See the Deploying Flow Networking at a Dark Site topic for more information.

  • You can upgrade the Flow networking controller. Nutanix releases an upgrade for the Flow networking controller with AOS and Prism Central releases. See Upgrading Flow Networking.

    See the AOS Family Release Notes and Release Notes | Prism Central .

  • Flow networking allows you to create and manage virtual private clouds (VPCs) and overlay subnets to leverage the underlying physical networks that connect clusters and datacenters. See Virtual Private Cloud.

  • You can upgrade the network gateway version. Network gateway is used to create VPN or VTEP gateways to connect subnets using VPN connections, or Layer 2 subnet extensions over VPN or VTEP.

Flow Networking Architecture

The Flow Networking architecture uses a three-plane approach to simplify network virtualization.

Prism Central provides the management plane, the network controller itself acts as the control plane while the AHV nodes provide the data plane. This architecture provides a strong foundation for Flow Networking. This architecture is depicted in the following chart.

Figure. Flow Networking Architecture Click to enlarge Flow Networking Architecture diagram

Deployment Scale

Flow Networking supports the following scale:

Entities Scale

Virtual Private Clouds

500

Subnets

5,000

Ports

50,000

Floating IPs

2,000 per networking controller-enabled Prism Central.

Routing Policies

1,000 per Virtual Private Cloud.

10,000 per networking controller-enabled Prism Central.

Essential Concepts

VPC

A Virtual Private Cloud (VPC) is an independent and isolated IP address space that functions as a logically isolated virtual network. A VPC could be made up of one or more subnets that are connected through a logical or virtual router. The IP addresses within a VPC must be unique. However, IP addresses may overlap across VPCs. As VPCs are provisioned on top of another IP-based infrastructure (connecting AHV nodes), they are often referred to as the overlay networks. Tenants may spin up VMs and connect them to one or more subnets within a VPC. Virtual Private Cloud (VPC) is a virtualized network of resources that are specifically isolated from the rest of the resource pool. VPC allows you to manage the isolated and secure virtual network with enhanced automation and scaling. The isolation is done using network namespace techniques like IP-based subnets or VLAN based networking.

VPC Subnets

You can use IP address-based subnets to network virtual machines within a VPC. A VPC may use multiple subnets. VPC subnets use private IP address ranges. IP addresses within a single VPC must be unique, in other words, IP addresses inside the same VPC cannot be repeated. However, IP addresses can overlap across multiple VPCs. The following figure shows two VPCs named Blue and Green. Each VPC has two subnets, 192.168.1.0/24 and 192.168.2.0/24, that are connected by a logical router. Each subnet has a VM with an IP address assigned. The subnets and VM IP addresses overlap between the two VPCs.

Figure. VPC Subnet Click to enlarge Displaying an illustration of VPC networks

The communication between VMs in the same subnets or different subnets in the same VPC (also called East-West communication) is enabled using GEneric NEtwork Virtualization Encapsulation (GENEVE). If a Prism Central manages multiple clusters, then the VMs that belong to the same VPC could be deployed across different clusters. The virtual switch on the AHV nodes provide distributed virtual switching and distributed virtual routing for all VPCs.

The communication from a VM in a VPC to an endpoint outside the VPC (called external communication or North-South communication) is enabled by an external network connection. Such a connection may be secured using VPN. The following figure shows the logical connectivity of the VPCs to the external network, and subsequently to the Internet.
Note: You must configure the default route (0.0.0.0/0) to the external subnet as the next hop for connectivity outside the cluster (north-south connectivity).
Figure. External Communication Click to enlarge

External Subnets

Subnets outside a VPC are external subnets. External subnets may be subnets within the deployment but not included in a specific VPC. External subnets may also be subnets that connect to the endpoints outside the deployment such as another deployment or site.

External subnets can be deployed with NAT or without NAT. You can add a maximum of two external subnets - one external subnet with NAT and one external subnet without NAT to a VPC. Both external subnets cannot be of the same type. For example, you cannot add two external subnets, both with NAT. You can update an existing VPC similarly.

Primary and Secondary IP Addresses for VMs
See VM IP Address Management.
SNAT and Floating IP Address

SNAT and Floating IP addresses are used only when you use NAT for an external subnet.

In Source Network Address Translation (SNAT), the NAT router modifies the IP address of the sender in IP packets. SNAT is commonly used to enable hosts with private addresses to communicate with servers on the public Internet.

For VMs within the VPC to communicate with the rest of the deployment, the VPC must be associated with an external network. In such a case, the VPC is assigned a unique IP address, called the SNAT IP, from the subnet prefix of the external network. When the traffic from a VM needs to be transmitted outside the VPC, the source IP address of the VM, which is a private IP address, is translated to the SNAT IP address. The reverse translation from SNAT IP to private IP address occurs for the return traffic. Since the SNAT IP is shared by multiple VMs within a VPC, only the VMs within the VPC can initiate connections to endpoints outside the VPC. The NAT gateway allows the return traffic for these connections only. Endpoints outside the VPC cannot initiate connections to VMs within a VPC.

In addition to the SNAT IP address, you can also request a Floating IP address — an IP from the external subnet prefix that is assigned to a VM via the VPC that manages the network of the VM. Unless the floating IP address is assigned to the private IP address (primary or secondary IP address) of the VM, the floating IP address is not reachable. When the VM transmits packets outside the VPC, the private IP of the VM is modified to the Floating IP. The reverse translation occurs on the return traffic. As the VM uses the Floating IP address, an endpoint outside the VPC can also initiate a connection to the VM with the floating IP address.

The translation of the private IP addresses to Floating IP or SNAT IP address, and vice versa, is performed in the hypervisor virtual switch. Therefore, the VM is not aware of this translation. Floating IP translation may be performed on the hypervisor that hosts the VM to which the floating IP is assigned to. However, SNAT translation is typically performed in a centralized manner on a specific host.

NAT Gateway

NAT Gateways are used only when you use NAT for an external subnet.

Network Address Translation (NAT) is a process for modifying the source or destination addresses in the headers of an IP packet while the packet is in transit. In general, the sender and receiver applications are not aware that the IP packets are being manipulated.

A NAT Gateway provides the entities inside an internal network with connectivity to the Internet without exposing the internal network and its entities.

A NAT Gateway is:

  • A node or a AHV host. You need a host or a node to implement a NAT Gateway because NAT gateways require operations like load balancing and routing that are automatically performed by Flow Networking.
  • Connected to the internal network with an internal subnet based IP address and to the external network with an externally-routable IP address.

    The externally-routable IP address may be an IP address from a private IP address space or an RFC1918 address that is used as a NAT gateway. The NAT Gateway IP address could be a static IP address or a DHCP assigned IP address.

Table 1. NAT Gateway Failover Time
Event Failover Time
Network controller stops on AHV Up to 45 seconds.
Node reboot Up to 45 seconds.
Node power off:

When NAT Gateway and network controller MSP worker VMs are not on the same node.

Up to 45 seconds.
Node power off:

When NAT Gateway and network controller MSP worker VMs are on the same node.

Up to 300 seconds (5 minutes).
Static IP Address

A static IP address is a fixed IP address that is manually assigned to an interface in a network. Static IP addresses provide stable routes that do not have to be updated frequently in the routing table since the static routes generated using static IP addresses do not need to be updated.

Usually in a large IP-based network (a network that uses IP addresses), a Dynamic Host Configuration Protocol or DHCP server assigns IP addresses to interfaces of an entity (using DHCP client service on the entity). However, some entities may require a static IP address that can be reached (manual remote access or via VPN) quickly. A static IP address can be reached quickly because the IP address is fixed, assigned manually and is stored in the routing table for a long duration. For example, a printer in an internal network would need a static IP address so that it can be connected reliably. Static IP addresses can be used to generate static routes which remain unchanged in routing tables, thus providing stable long-term connectivity to the entity that has the static IP address assigned.

Static Route

Static routes are fixed routes that are created manually by the network administrator. Static routes are more suited for small networks or subnets. Irrespective of the size of a network, static routes may be required in a variety of cases. For example, in VPCs where you use virtual private networks (VPNs) or Virtual Tunnel End Point (VTEP) over VxLAN transport connections to manage secure connections, you could use static routes for specific connections such as site-to-site connections for disaster recovery. In such a case it is necessary to have a known reliable route over which the disaster recovery operations can be performed smoothly. Static routes are primarily used for:

  • Facilitating the easy maintenance of the routing table in small networks that are not expected to grow.
  • Routing to and from other internal route or stub networks. A stub network or an internal route network is a network accessed using a single route and the router has only one neighbor.
  • Use as a default or backup route. Such a route is not expected to specifically match any other route in the routing table.

In a network that is not constantly changing, static routes can provide faster and more reliable services by avoiding the network overheads like route advertisement and routing table updates for specific routes.

Overlay networks

You can create an IP-based Overlay subnet for a VPC. An Overlay network is a virtualized network that is configured on top of an underlying virtual or physical network. A special purpose multicast network can be created as an Overlay network within an existing network. A peer-to-peer network or a VPN are also examples of Overlay networks. An important assumption for an Overlay network is that the underlying network is fully connected. Nutanix provides the capability to create Overlay network-based VPCs.

Comparing Overlay with VLAN

See how overlay networks compare with VLAN networks. A virtual local area network or VLAN network is a Layer 2 network that provides virtualized network segmentation solution. VLANs route and balance traffic in a network based on MAC addresses, Protocols such as Ethernet, ports or specific subnets. A VLAN creates a virtual Layer 3 network using Layer 2 addressing by separating broadcast domains virtually or logically. A VLAN configured network behaves as if the network is segmented using a physical layer 2 switch without implementing a layer 3 IP based subnet for the segmentation. VLAN traffic usually cannot traverse outside the VLAN.

The main advantage that VLAN networks provide is that VLAN networks require only layer 2 (L2) connectivity. VLANs do not require any of the layer 3 (L3) Flow Networking features.

Overlay networks can be laid on underlying physical network connections including VLAN networks. Overlay networks provide the following advantages and constraints:

  • IP address namespace is decoupled from the physical network.
  • You can create, update or delete overlay networks without requiring any configurations on the physical network and powering down the systems.
  • You can create overlay networks that can span across multiple clusters.
  • VLAN networks are necessary for Bootstrapping of Flow Networking.
    Note: Nutanix recommends using VLAN0 as the default untagged (also called native) VLAN for a CVM and AHV host. You can create VLANs for user VMs using the Network Configuration page. You can use the Create Virtual Switch dialog box from the Network Configuration page to create virtual switches for the user VM VLANs.
  • AHV Networking VLAN and Flow Networking VLAN: VLAN backed subnets for external connectivity are managed by the Flow Networking control plane. Traditional AHV VLAN IPAM networks are managed by Acropolis. Do not configure the same VLAN as both a Flow Networking external network and an AHV IPAM network, as this can lead to IP address conflicts.

Traffic Behavior

Broadcast Traffic

When all the guest VMs belonging to a subnet are in the same AHV: Flow Networking broadcasts the traffic to all guest VMs in the same subnet.

When some VMs belonging to a subnet are in other AHVs: Flow Networking tunnels the traffic to only those AHVs which have endpoints in the same subnet.

In other words, Flow Networking broadcasts traffic to all the guest VMs in the same subnet.

Unicast Traffic

Unicast traffic is traffic transmitted on a one-to-one basis between IP addresses and ports. There is only one sender and one receiver for the traffic. Unicast traffic is usually the most used form of traffic in any LAN network using Ethernet or IP networking. Flow Networking transmits unicast traffic based on the networking policies set.

Unknown Unicast Traffic

Flow Networking always drops unknown unicast traffic. It is not transmitted to any guest VM within or outside the source AHV.

Multicast Traffic

Flow Networking transmits the traffic to the VMs in the multicast group within the same subnet. If the VM is on another AHV, the destination AHV must have an endpoint in the subnet.

Multicast Group

A multicast group is defined by an IP address (called a multicast IP address, usually a Class D IP address) and a port number. Once a host has group membership, the host will receive any data packets that are sent to that group defined by an IP address/port number.

Prerequisites for Enabling Flow Networking

Make sure you meet these prerequisites before you enable Flow networking on Prism Central.

Requirements

Important: Prism Central protection and recovery does not protect or recover Flow networking services.

You must have the following fulfilled to enable Flow networking:

  • Ensure that you log on to Prism Central as a local account user with Prism Admin role. If you log on to Prism Central as a non-local account (IDP-based) user or without Prism Admin role privileges, then Prism Central does not allow you to enable or use Flow Networking. The task is reported as Failed with a User Denied Access message.

  • Ensure that the Prism Central running Flow networking is hosted on an AOS cluster running AHV.

    The network controller has a dependency only on the AHV version.

  • Ensure that microservices infrastructure on Prism Central is enabled. See Prism Central Guide for information about microservices infrastructure.
  • Choose the x-large PC VM size for Flow networking deployments. Small or large PC VMs are not supported for Flow Networking.

    If you are running a small or large Prism Central VMs, upgrade the Prism Central VM resources to x-large PC VM. See Acropolis Upgrade Guide for procedure to install an x-large Prism Central deployment.

  • Although Flow networking may be enabled on a single-node PC, Nutanix strongly recommends that you deploy a three-node scale-out Prism Central for production deployments. The availability of Flow networking service in Prism Central is critical for performing operations on VMs that are connected to overlay networks. A three-node scale-out Prism Central ensures that Flow networking continues to run even if one of the nodes with a PCVM fails.

  • Prism Central VM registration. You cannot unregister the Prism Element cluster that is hosting the Prism Central deployment where you have enabled Flow Networking. You can unregister other clusters being managed by this Prism Central deployment.

  • Ensure that Microservices Infrastructure (CMSP) is enabled on Prism Central before you enable Flow Networking. See the Prism Central Guide for more information.

    For the procedure to enable Microservices Infrastructure (including enable in dark site), see Enabling Micro Services Infrastructure section in the Prism Central Guide .

    Note: When you configure microservices infrastructure, ensure that the DNS name you configure for CMSP does not end with test . Flow networking does not support test as a top level domain. For example, the following are valid domain configurations:
    • my.cluster.domain
    • my.test.cluster.test.domain
    However, the following are examples of domains that Flow networking does not support:
    • my.cluster.test
    • my.cluster.domain.test
  • Ensure that you have created a virtual IP address (VIP) for Prism Central. The Acropolis Upgrade Guide describes how to set the VIP for the Prism Central VM. Once set, do not change this address.

  • Ensure connectivity:

    • Between Prism Central and its managed Prism Element clusters.

    • To the Internet for connectivity (not required for dark site) to:

      • ECR for Docker images
      • S3 storage for LCM portal
      Note: For dark site deployments, Nutanix provides a dark site bundle, which has the Docker images (normally hosted on ECR) and the network controller package (normally hosted on LCM portal). These dark site bundles can be downloaded using an internet-connected system outside the dark site.
  • Prism Central backup, restore, and migration. You cannot perform these operations on MSP-enabled Prism Central.
  • Nutanix recommends increasing the MTU to 9000 bytes on the virtual switch vs0 and ensure that the physical networking infrastructure supports higher MTU values (jumbo frame support). The recommended MTU range is 1600-9000 bytes.

    Nutanix CVMs use the standard Ethernet MTU (maximum transmission unit) of 1,500 bytes for all the network interfaces by default. The system advertises the MTU of 1442 bytes to guest VMs using DHCP to account for the extra 58 bytes used by Generic Network Virtualization Encapsulation (Geneve). However, some VMs ignore the MTU advertisements in the DHCP response. Therefore, to ensure that Flow networking functions properly with such VMs, enable jumbo frame support on the physical network and the default virtual switch vs0.

    If you cannot increase the MTU of the physical network, decrease the MTU of every VM in a VPC to 1442 bytes in the guest VM console.

    Note: Do not change the MTU of the CVM.
    Figure. Sample Configurations with and without Higher MTU - VS0, CVM and UVMs Click to enlarge

Requirements for Upgrades

The following applies to upgrades of Flow networking network controller ( Advanced Networking in Prism Control Settings ):

  • Ensure that the Prism Central host is running an AHV version compatible with the networking controller upgrade version. If necessary, upgrade the AHV version using LCM to the version compatible with the network controller upgrade version.
    Note:

    See Compatibility and Interoperability Matrix on the Nutanix Support portal for AOS and Prism Central compatibility.

  • Ensure that all the AHV hosts in the AOS cluster are running the version compatible with the network controller upgrade version.

    The network controller upgrade fails if any of the AHV hosts is running an incompatible version.

Limitations

Limitations for Flow networking are as follows.
  • Flow networking does not support Flow security for guest VMs.

    You cannot configure rules for Flow security if a guest VM has any NICs connected to VPCs.

  • Flow networking is supported only on AHV clusters. It is not supported on ESXi or Hyper-V clusters.

  • Flow networking is not enabled on the new PE cluster registering with the Flow networking-enable Prism Central if the Prism Element cluster has an incompatible AHV version.

  • Flow networking does not support updating a VLAN-backed subnet as an external subnet.

    You cannot enable the external connectivity option in the Update Subnet dialog box. Therefore, you cannot modify an existing VLAN-backed subnet to add external connectivity.

    VLAN backed subnets for external connectivity are managed by the Flow networking control plane. Traditional AHV VLAN IPAM networks are managed by acropolis.

    Note: Do not configure the same VLAN as both a Flow networking external network and an AHV IPAM network, as this can lead to IP address conflicts.
  • Flow networking cannot be disabled if any external subnets and VPCs are in use. Delete the external subnets and VPCs and then disable Flow Networking.

  • Disaster Recovery backup and migration: CMSP-enabled Prism Central does not support disaster recovery backup and migration operations both as a source and target host.

Flow Networking Configurations

Enabling Flow Networking

Before you begin

Ensure tha microservices infrastructure is enabled on Prism Central. See Enabling Micro Services Infrastructure section in the Prism Central Guide .

About this task

Before you proceed to enable Flow Networking by enabling the Advanced Networking option, see Prerequisites for Enabling Flow Networking.

To enable Advanced Networking, go to Prism Central Settings > Advanced Networking and do the following.

Procedure

  • In the Advanced Networking pane, click Enable .

    Ensure that the prerequisites specified on the pane are fulfilled.

    Figure. Enabling Flow Networking Click to enlarge Displaying the Advanced Networking page.

    Prism Central displays the deployment in-progress.
    Figure. Deployment Progress Click to enlarge Displaying the Deployment Progress.

  • Flow Networking is enabled.
    Figure. Flow Networking Status Click to enlarge Displaying the enabled status of Flow Networking.

Disabling Flow Networking

About this task

You can disable Flow Networking. However, the network controller cannot be disabled if any external subnets and VPCs are in use. Delete the subnets and VPCs before you disable advanced networking.

Note:

Flow Networking cannot be disabled if any external subnets and VPCs are in use. Delete the external subnets and VPCs and then disable Flow Networking.

To disable Flow Networking, do the following.

Procedure

  1. On the Advanced Networking page, click Disable .
    Figure. Click to enlarge Displaying the highlighted Disable Advanced Networking link.

  2. On the confirmation message box, click Confirm to confirm disablement.

    To exit without disabling the Advanced Networking controller, click Cancel .

Unregistering a PE from the PC

Before unregistering a Prism Element from PC, disable Flow Networking on that Prism Element using network controller CLI (or atlas_cli).

About this task

When Flow Networking is enabled on a Prism Central, it propagates the capability to participate in VPC networking to all the registered Prism Elements that are running the required AHV version.

In cases where there are VMs on the Prism Element attached to the VPC network, or if the Prism Element is used to host one or more of the external VLAN networks attached to a VPC, Prism Central alerts you with a prompt. When being alerted about the aforementioned conditions, close the CLI and make adequate configuration to resolve the condition (for example, select a different cluster for the external VLAN network and delete the VMs attached to the VPC network running on the Prism Element). After making such configurations, execute the network controller CLI to disable Flow Networking. If the command goes through successfully, it is safe to unregister the Prism Element.

For example, in a deployment of three Prism Elements - PE1, PE2 and PE3 - registered to the Flow Networking-enabled PC, you want to unregister PE3 from the PC. You must first disable Flow Networking using the following steps:

Procedure

  1. SSH to PE3.
  2. Run the ncli cluster info or ncli cluster get-params command to get the cluster parameters.
    Copy the cluster UUID (For example: 017457d3-1012-465c-9c54-aa145f2da7d9) from the displayed cluster parameters.
  3. SSH to the Prism Central VM.
  4. Open the network controller console by executing the atlas_cli command.
    nutanix@cvm$ atlas_cli
    <atlas> 
  5. Execute the config.add_to_excluded_clusters <cluster uuid> command, providing the cluster UUID that you copied earlier.

    An example of the PC alert, for the condition that PE3 VM is attached to an external network, is as follows:

    <atlas> config.add_to_excluded_clusters 0005bf8d-2a7f-3b2e-0310-d8e34995511e 
    Cluster 0005bf8d-2a7f-3b2e-0310-d8e34995511e has 1 external subnet, 
    which will lose connectivity. Are you sure? (yes/no)
    Note: To enable Flow Networking on the cluster, execute the config.remove_from_excluded_clusters <cluster uuid> command, providing the cluster UUID.

What to do next

To verify if Flow Networking is disabled or enabled, SSH to PE3 and run the acli atlas_config.get command.

The output displays the enable_atlas_networking parameter as False if Flow Networking is disabled and as True if Flow Networking is enabled on the Prism Element.

nutanix@cvm$ acli atlas_config.get
config {
  anc_domain_name_server_list: “10.10.10.10”
  enable_atlas_networking: False
  logical_timestamp: 19
  minimum_ahv_version: “20190916.101588"
  ovn_cacert_path: “/home/certs/OvnController/ca.pem”
  ovn_certificate_path: “/home/certs/OvnController/OvnController.crt”
  ovn_privkey_path: “/home/certs/OvnController/OvnController.key”
  ovn_remote_address: “ssl:anc-ovn-external.default.anc.aj.domain:6652"
}

You can now unregister the PE from the PC.

Upgrading Flow Networking

You can upgrade the Flow networking controller ( Advanced Networking Controller in Prism Central Settings ) using Life Cycle Manager (LCM) on Prism Central.

Before you begin

See Prerequisites for Enabling Flow Networking.

In case of upgrading the Flow networking controller in a dark site, ensure that LCM is configured to reach the local web server that hosts the dark site upgrade bundles.

Note:

The network controller upgrade fails to start after the pre-check if one or more clusters have Flow Networking enabled and are running an AHV version incompatible with the new network controller upgrade version.

About this task

To upgrade the network controller using LCM, do the following.

Procedure

  1. Choose one of the following ways to reach the LCM page:
    • Go to Administration > LCM > Inventory
    • Click Check for Updates on the Advanced Networking page.

    Figure. Check for Updates Click to enlarge Displaying Check for Updates link on the Advanced Networking page.

  2. Click Perform Inventory .

    When you click Perform Inventory , the system scans the registered Prism Central cluster for software versions that are running currently. Then it checks for any available upgrades and displays the information on the LCM page under Software .

  3. Go to Updates > Software . Select the Advanced Networking Controller version you want to upgrade to and click Update .
    Figure. Networking Controller version Click to enlarge Displaying sample LCM dashboard with the available Advanced Networking Controller upgrade available

Deploying Flow Networking at a Dark Site

About this task

Dark sites are primarily on-premises installations which do not have access to the internet. Such sites are disconnected from the internet for a range of reasons including security. To deploy Flow networking at such dark sites, you need to deploy the dark site bundle at the site.

This dark site deployment procedure includes downloading and deploying MSP and the network controller bundles.

Before you begin

  • See Prerequisites for Enabling Flow Networking.

  • You need access to the Nutanix Portal from an Internet-connected device to download the following dark site bundles:

    Note: For dark site deployments, Nutanix provides a dark site bundle, which has the Docker images (normally hosted on ECR) and the network controller package (normally hosted on LCM portal). These dark site bundles can be downloaded using an internet-connected system outside the dark site.
    • MSP dark site bundle: https://portal.nutanix.com/page/downloads/list > Microservices Platform (MSP)
    • Flow Networking network controller dark site bundle: See the Flow Networking Release Notes for the link to download the dark site bundle.
    • Network Gateway bundle: See the Flow Networking Release Notes for the link to download the dark site bundle with checksum text file. Also, see KB-12393 .

To deploy Flow Networking at a dark site, do the following.

Procedure

  1. Start a web server to host the dark site bundles and act as a source for the LCM downloads, if one is not already created.

    The web server can be a virtual machine on a cluster at the dark site. All the Prism Central VMs at the dark site must have access to this web server. This web server is used when you deploy any dark site bundle including the network controller darksite bundle.

    For more information about the server installation, see:

    • Linux web server

    • Windows web server

  2. In Prism Central, go to Administration > LCM > Inventory .

    Alternatively, SSH into the Prim Central VM as an admin user and run the following command.

    admin@pcvm$ mspctl controller airgap enable --url=http://<LCM-web-server-ip>/release

    Where <LCM-web-server-ip> is the IP address of the LCM web server and release is the name of the directory where the packages were extracted.

    For example, admin@pcvm$ mspctl controller airgap enable --url=http://10.48.111.33/release . Here, 10.48.111.33 is the IP address of the LCM web server and release is the name of the directory where the packages were extracted.

  3. Verify the configuration by running the following command:
    nutanix@cvm$ mspctl controller airgap get
  4. From a device that has public Internet access, click the Nutanix Compatibility Bundle link and down the bundle. Transfer this bundle to the LCM web server and extract the contents.
  5. From a device that has public Internet access, Nutanix recommends that you download and extract the latest MSP dark site bundle, transfer it to the LCM web server, and extract the contents.
  6. From a device that has public Internet access, download the Flow networking dark site bundle (see Release Notes | Flow Networking for download links). Transfer the bundle to the LCM web server.
  7. Extract or unpack the Flow networking dark site bundle on the LCM web server.

    After unpacking, check if the system shows a directory path that includes the following as per the example: http://<LCM-web-server-ip>/release/builds/msp-builds/msp-services/464585393164.dkr.ecr.us-west-2.amazonaws.com/nutanix-msp/atlas-hermes/ .

  8. Run the following command after unpacking to ensure that the file permissions are not disrupted during the unpacking:
    • Linux.
      chmod -R +r builds
    • Windows NTFS.
      
      $> takeown / R / F *
      $> icacls <Build-file-path> /t /grant:F 
      .
  9. Enable microservices infrastructure.

    See the Enabling Microservices Infrastructure section in the Prism Central Guide for details.

  10. Enable Flow Networking. See Enabling Flow Networking.

Troubleshooting Tips

This section provides information to assist troubleshooting of Flow Networking deployments. This is in addition to the information that the "Prism Central Guide" provides.

Audit Logs

Prism Central generates audit logs for all the flow networking activities like it does for other activities on Prism Central. See Audit Summary View in the Prism Central Guide , for more information about Audit log.

Support Bundle Collection

To support troubleshooting for Flow Networking, you can collect logs.

To collect the logs, run the following commands on the Prism Central VM console:

nutanix@cvm$ logbay collect -t msp,anc

An example of the command is as follows:

nutanix@cvm$ logbay collect -t msp,anc -O msp_pod=true,msp_systemd=true,kubectl_cmds=true,persistent=true --duration=-48h0m0s

Where:

  • -t flag indicates the tags to collect

    • msp tag will collect logs from the services running on MSP pods and persistent log volumes (application-level logs)

    • anc tag will collect the support bundle, which includes database dumps and OVN state

  • -O flag adds tag-level options

    • msp_pod=true collects logs from MSP service pods

      On the PC, these logs can be found under /var/log/containers .

    • persistent=true collects persistent log volumes (application-level logs for ANC)

      On the PC, these can be found under /var/log/ctrlog

    • kubectl_cmds=true runs kubectl commands to get the Kubernetes resource state

  • --duration sets the duration from the present to collect

The command run generates a zip file at a location, for example: /home/nutanix/data/logbay/bundles/<filename>.zip

Unzip the bundle and you'll find the anc logs under a directory specific to your MSP cluster, the worker VM where the pod is running, and the logging persistent volume of that pod. For example:

./msp/f9684be8-b4e8-4524-74b4-076ed53ca1fd/10.48.128.185__worker_master_etcd/persistent/default/ovn/anc-ovn_StatefulSet/

For more information about the task run, see the text file that the command generates at a location, for example: /home/nutanix/data/logbay/taskdata/<taskID>/collection_result.txt

For more information about the logbay collect command, see the Logbay Log Collection (Command Line) topic in the Nutanix Cluster Check Guide (NCC Guide).

Layer 2 Virtual Subnet Extension Alert

The L2StretchLocalIfConflict alert (Alert with Check ID - 801109) may occur while performing Layer 2 virtual subnet extensions. See KB-10395 for more information about its resolution.

Network Gateway Upgrades

Nutanix deployment can detect and install upgrades for the onprem Nutanix Gateways.

For information about identifying the current Nutanix Gateway version, see Identifying the Gateway Version.

For onprem Nutanix Gateways, the upgrades need to be detected and installed on the respective PC on which each Nutanix Gateway is installed.

For more information, see Detecting Upgrades for Gateways.

When PC detects the upgrades, it displays a banner on the Gateways tab of the Connectivity page. The banner notifies you that a Gateway upgrade is available after you have run LCM inventory. The table on the Gateways tab also displays an alert (exclamation mark) icon for the network gateways that the upgrade applies to. The hover message for the icon informs you that an upgrade is available for that Gateway.

Figure. Upgrade Banner Click to enlarge Displaying sample VPN Gateway tab.

For more information about the upgrade procedure, see Upgrading the PC-managed Onprem Nutanix VPN Gateways.

Identifying the Gateway Version

About this task

To identify the current Nutanix Gateway version, do the following:

Procedure

  • Click the hamburger icon and Networking & Security > Connectivity .
  • On the Gateways tab, click the Gateway name link text to open the Gateway details page.

    In the Gateway table, the VPN Gateway name is a clickable link text.

    The Gateway Version is listed in the Properties widget.

    Figure. Gateway Version Click to enlarge Displays sample VPN Gateway details page with clickable version number.

Detecting Upgrades for Gateways

About this task

Prism Central can detect whether new Gateway upgrades are available, or not, for Nutanix Gateways using LCM. You can then install the upgrade.

Procedure

  • Click the hamburger icon of Dashboard .
  • Click Administration > LCM > Inventory .
  • Click Perform Inventory .
    Note:

    Nutanix recommends that you select Enable LCM Auto Inventory in the LCM page in Prism Central to continuously detect new Gateway upgrades as soon as they are available.

    The upgrade notification banner is displayed on the Gateways page.

Upgrading the PC-managed Onprem Nutanix VPN Gateways

About this task

Perform upgrades of PC-managed Nutanix Gateways using the respective PC on which the Gateway is created.

To upgrade the on-prem Nutanix Gateways, do the following:

Procedure

  1. Log on to the Prism Central as the admin user and click the gear icon.
  2. Go to Administration > LCM > Inventory .
  3. Click Perform Inventory .

    When you click Perform Inventory , the system scans the registered Prism Central cluster for software versions that are running currently. Then it checks for any available upgrades and displays the information on the LCM page under Software .

    Note:

    Skip this step if you have enabled auto-inventory in the LCM page in Prism Central.

  4. Go to Updates > Software . Select the Gateway version you want to upgrade to and click Update .

    LCM upgrades the Gateway version. This process takes sometime.

Network and Security View

The Network and Security category in the Entities Menu expands on-click to display the following networking and security entities that are configured for the registered clusters:

  1. Subnets : This dashboard displays the subnets and the operations that you can perform on subnets.

  2. Virtual Private Clouds : This dashboard displays the VPCs and the operations that you can perform on VPCs.

  3. Floating IPs : This dashboard displays a list of floating IP addresses that you are using in the network. It allows you to request for floating IP addresses from the free pool of I addresses available to the clusters managed by the Prism Central instance.

  4. Connectivity : This dashboard allows you to manage the following networking capabilities:

    • Gateways : This tab provides a list of network gateways that you have created and configured, and the operations you can perform on the network gateways. You can check and upgrade the Gateway bundle in Administration > LCM > Inventory .

    • VPN Connections : This tab provides a list of VPN connections that you have created and configured, and the operations you can perform on VPN connections.

    • Subnet Extensions : This tab provides a list of subnets that you have extended at the Layer 2 level using VPN (point-to-point over Nutanix VPN) or VTEP (point-to-multi-point including third party).

  5. Security Policies : This dashboard provides a list of security policies you configured using Flow Segmentation. For more information about Security Policies, see the Flow Microsegmentation Guide.

See "Network Connections" section for information on how to configure network connections.

Subnets (Overlay IP subnets), Virtual private clouds, floating IPs, and Connectivity are Flow Networking features. These features support flexible app-driven networking that focuses on VMs and applications instead of virtual LANs and network addresses. Flow Networking powers network virtualization to offer a seamless network experience with enhanced security. It is disabled by default. It is a software-defined network virtualization solution providing overlay capabilities for the on-premises AHV clusters.

Security policies drives the Flow Segmentation features for secure communications. See Flow Microsegmentation Guide.

Subnets

Manage subnets in the List view of Subnets dashboard in the Network and Security section.

To access the Subnets dashboard, select Subnets from the entities menu in Prism Central. The Subnets dashboard allows you to view information about the subnets configured for the registered clusters.

Note: This section describes the information and options that appear in the Network and Security dashboard. See Entity Exploring for instructions on how to view and organize that information in a variety of ways.
Figure. Subnets Dashboard Click to enlarge sample Subnets dashboard

The following table describes the fields that appear in the subnets list. A dash (-) is displayed in a field when a value is not available or applicable.

Table 1. Subnets Dashboard Fields
Parameter Description Values
Name Displays the subnet name. (subnet name)
External Connectivity Displays whether or not the subnet has external connectivity configured. (Yes/No)
Type Displays the subnet type. VLAN
VLAN ID Displays the VLAN identification number. (ID number)
VPC Displays the name of the VPC that the Subnet is used in. (Name of VPC)
Virtual Switch Displays the virtual switch that is configured for the VLAN you selected. The default value is the default virtual switch vs0 .
Note: The virtual switch name is displayed only if you add a VLAN ID in the VLAN ID field.
(virtual switch name)
IP Prefix Displays the IPv4 Address of the network with the prefix. (IPv4 Address/Prefix)
Cluster Displays the name of the cluster for which this subnet is configured. (cluster name)
Hypervisor Displays the hypervisor that the subnet is hosted on. (Hypervisor)

To filter the list by network name, enter a string in the filter field. (Ignore the Filters pane as it is blank.)

To view focused fields in the List, select the focus parameter from the Focus drop down list. You can create your own customised focus parameters by selecting Add custom from the drop down list and selecting the necessary fields after providing a Name , in the Subnet Columns .

There is a Network Config action button to configure a new network (see Configuring Network Connections

The Actions menu appears when one or more networks are selected and includes a Manage Categories option (see Assigning a Category ).

Go to the Subnets list view by clicking Network and Security > Subnets on the left side-bar.

Figure. Subnets Page Click to enlarge

To view or select actions you can perform on a subnet, select the subnet and click the Actions dropdown.

Figure. Subnet Actions Click to enlarge

Table 2. Subnet Actions
Action Description
Update Click this action to update the selected subnet. see Updating a Subnet in the Flow Networking Guide.
Manage Extension Click this action to create a subnet extension. A subnet extension allows VMs to communicate over the same broadcast domain to a remote Xi availability zone (in case of Xi-Leap based disaster recovery) via the extension.
Manage Categories Click this action to associate the subnet with a category or change the categories that the subnet is associated with.
Delete Click this action to delete the selected subnet. See Deleting Subnets, Policies, or Routes in the Flow Networking Guide .

You can also filter the list of subnets by clicking the Filters option and selecting the filtering parameters.

Subnet Summary View

View the details of a subnet listed on the Subnets page.

To view the details of a subnet, click the name of the subnet on the subnet list view.

Figure. Subnet Summary Page Click to enlarge Displaying sample subnets Summary view

The Summary page provides buttons for the actions you can perform on the subnet, at the top of the page. Buttons for the following actions are available: Update , Extend , Manage Categories , and Delete .

The subnet Summary page has the following widgets:

Widget Name Information provided
Subnet Details Provides the following:
  • Type — Displays the type of network like VLAN or Overlay.
  • VLAN ID — Displays the VLAN ID. This parameter is displayed only for VLAN networks.
  • VPC — Displays the VPC name. This parameter is displayed only for Overlay networks.
  • Cluster — Displays the cluster that the VLAN network is configured on. This parameter is displayed only for VLAN networks.
  • IP Prefix — Displays the IP address prefix configured for the network. This parameter is displayed for both VLAN and Overlay networks.
IP Pool Provides the IP address Pool Range assigned to the network.
External Connectivity Provides the following:
  • NAT — Displays whether NAT is enabled or disabled for VPCs connecting to the network. When you hover on the Enabled / Disabled status, the hover message displays details of VPCs connected to the external subnet.
  • Associated VPCs — Displays the VPCs associated with this external subnet.

Virtual Private Clouds

You can manage Virtual Private Clouds (VPCs) on the Virtual Private Clouds dashboard.

Go to the Virtual Private Clouds dashboard by clicking Network and Security > Virtual Private Clouds on the left side-bar.

Figure. Virtual Private Clouds dashboard Click to enlarge

You can configure the table columns for the VPC list table. The available column list includes Externally Routable IP Addresses that provides address space within the VPC that is reachable externally without NAT.. For the list of columns that you can add to the list table, see Customizing the VPC List View.

Note:

Ensure that the externally routable IP addresses (subnets with external connectivity without NAT) for different VPCs do not overlap.

Configure the routes for the external connectivity subnets with next hop as the Router or SNAT IP address. Also configure the routes on the router for the return traffic to reach the VPC. See External Connectivity panel in VPC Details View.

To view or select actions you can perform on a VPC, select the VPC and click the Actions drop down.

You can also filter the list of VPC by clicking the Filters option and selecting the filtering parameters.

Customizing the VPC List View

About this task

You can customize the columns in the table. Click the View by drop down and select + Add custom .

In the Virtual Network Columns dialog box, do the following.

Procedure

  1. Enter a name for the view.
  2. Select the columns you want displayed in the table.

    During the column selection, the columns you select are moved under the Selected Columns list. The Name (of the VPC) column is the default column already selected. You can add a maximum of 10 columns (including the Name column) to the Selected Column list.

    Figure. Customizing Columns in VPC View Click to enlarge

    To arrange the order of the selected columns, hover on the column name and click the up or down arrow button as appropriate.

  3. Click Save .

VPC Details View

To view the details of a VPC, click the name of the VPC on the VPC list view.

The VPC details view has the following tabs:

  • Summary
    Figure. Summary Tab Click to enlarge Displaying the Summary tab in the VPC dashboard

    The Summary tab provides the following panes:

    • DNS Servers —Provides more information about the DNS Servers used by the VPC.
    • External Connectivity —Provides the name of the external subnet, NAT Gateway host details, router/SNAT IP address and the IP address spaces or ranges configured for the VPC.
    • Floating IP Addresses —Provides details of the floating IP addresses that the VPC uses.
  • Subnets
    Figure. Subnet Tab Click to enlarge Displaying the Subnet tab in the VPC dashboard

    The Subnet tab provides the following information for the subnets:

    • Name —Displays the name of the subnet.
    • IP Range —Displays the IP address range configured for the subnet.
    • DHCP IP Pool —Displays the DHCP IP address pool configured for the subnet.
    • Default Gateway IP —Displays the IP address used as the default gateway by the entities in the subnet.
    • Actions —Displays the actionable links to Edit or Delete the subnet.
  • Policies
    Figure. Policies Tab Click to enlarge Displaying the Policy tab in the VPC dashboard

    The Policies tab maps the following information about the security-based traffic shaping policies you configure:

    • Priority —The traffic priority.
    • Rule —The Allow or Deny rule set for the priority.
    • Traffic —The traffic type that the priority and rule should be applied to.
    • Actions —Actions you can take on the policy. You can perform three actions: Clear counters , Edit the policy or Delete the policy.
  • Routes
    Figure. Routes Tab Click to enlarge Displaying the Router tab in the VPC dashboard

    The Routes tab provides the following information about the routes:

The VPC details view has the following configuration options for the VPC:

  • Update : Use this option to update the VPC. For more information, see Updating Virtual Private Cloud.
  • Add Subnet : Use this option to add a subnet to the VPC. For more information, see Creating a Subnet.
  • Create Static Routes : Use this option to create a static route. For more information, Creating Static Routes.
  • Update Static Routes : Use this option to update static route configurations that you already created. For more information, see Updating Static Routes.
  • Create Policy : Use this option to create traffic policies in addition to the pre-configured default policy. When you create a VPC, there is one default policy that Advanced Networking creates for the VPC. This policy is pre-configured and cannot be edited. For more information, see Creating a Policy.
  • Clear All Counters : Allows you to clear all the counters for the VPC.
  • Delete : Allows you to delete the VPC. For more information, see Deleting a Virtual Private Cloud.

Floating IPs

You can access floating IPs on the Floating IPs dashboard or list view in the Network and Security section.

For information about floating IP addresses and their role in Flow Networking, see SNAT and Floating IP Address.

Go to the Floating IPs dashboard by clicking Network and Security > Floating IPs on the left side-bar.

Figure. Floating IPs dashboard Click to enlarge Displaying the Floating IP dashboard

To view or select actions you can perform on a floating IP address assigned, select the floating IP address and click the Actions drop down. The following actions are available for a selected floating IP address:

  • Update—Assign or change the assignment of the floating IP address. You can assign the floating IP address to a IP address such as a private IP address in a VPC or the primary IP address of a VM or a secondary IP address created on a VM.
  • Delete—Delete the floating IP address. The deleted IP address returns to the IP address pool as unused. Before you delete, ensure that it is not assigned to a private IP address or a VM. Change the assignment to None if it is already assigned, using the Update action.
Note: Floating IP addresses are not reachable (Pings fail) unless you associate them to primary or secondary IP addresses of VMs. For more information about assigning floating IP addresses to secondary IP addresses of VMs, see Assigning Secondary IP Addresses to Floating IPs .

To filter the list of floating IP address assignments, click the Filters option and select the appropriate filtering parameters.

To request floating IP addresses, see Requesting Floating IPs.

Connectivity

You can access network Gateways, VPN connections and subnet extensions on the Connectivity dashboard.

Click Network & Security > Connectivity to see the Connectivity dashboard.

The Connectivity dashboard opens on the Gateways tab. To see the VPN connections, click the VPN Connections tab. To see the subnets extended across AZs, click the Subnet Extensions tab.

Gateways Summary View

The Connectivity dashboard opens on the Gateways dashboard or summary view.

The Gateway dashboard provides a list of gateways created for the clusters managed by the Prism Central.

The Gateways dashboard provides a Create Gateway dropdown menu that lets you create a Local or a Remote gateway. You can create a local or remote gateway with VPN or VTEP service. For more information, see Creating a Network Gateway.

You can select a gateway from the list (select the checkbox provided for the gateway) and then perform an action provided in the Actions dropdown list. The Actions dropdown list allows you to Update or Delete the selected gateway.

Figure. Gateways dashboard Click to enlarge Displaying the Connectivity dashboard with the Gateways dashboard

The Gateway summary list view provides the following details about the gateway.

Table 1. Gateway List Fields
Parameter Description Values
Name Displays the name of the gateway. (Name of gateway)
Type Displays the gateway type. (Local or Remote)
Service Displays the service that the gateway uses. (VPN or VTEP)
Service IP Displays the IP address used by the service. (IP address)
Status Displays the operational status of the gateway. (Up or Down)
Attachment Type/Vendor Displays the type of subnet associated with the gateway. (VLAN or Overlay-VPC name)
Connections Displays the number of service connections (such as VPN connections) configured and operational on the gateway. (number)

You can click the name of a gateway to open the gateway details page that presents the information about the gateway in widgets.

Gateway Details View

You can click the name of a gateway in the Gateway dashboard list to open the gateway details page that presents the information about the gateway in widgets.

The gateway details page displays the name of the gateway on the top left corner.

  • On the top right corner, the close button (X) allows you to close the details page.

  • The Update button opens the Update Gateway page. See Updating Gateways for more information.

  • The Delete button allows you to delete the gateway. See Deleting Gateways for more information.

Figure. Gateway Details View Click to enlarge Displays the gateway details page that provides details of the gateway in two widgets - Properties and Service configuration

The details about the gateway are organized in widgets as follows:

Table 1. Gateway Details
Parameter Description Values
Properties widget
Type Displays the gateway type. (Local or Remote)
Attachment Type Displays the network entity like VLAN or VPC that the gateway is attached to. (VLAN or VPC)
VPC or Subnet (VLAN) Displays the name of the attached VPC or VLAN subnet. (Name of VLAN or VPC)
Floating or Private IP Address Displays the Floating (for VPC) or Private (for VLAN) IP address assigned to the gateway. (IP Address)
Status Displays the operational status of the gateway. (Up or Down)
Gateway Version Displays the version of the Nutanix gateway appliance deployed. (Version)
Cluster Displays the name of the cluster on which the gateway is created. (Cluster name)
Gateway VM Displays the name of the VM on which the gateway is created. (Name of VM - actionable link. Click the name-link to open the VM details page of the gateway VM.)
Service Configuration
Service Displays the service used by the gateway. (VPN or VTEP)
External Routing Displays the type of routing associated with the gateway for external traffic routing. (Static or eBGP with ASN)
Internal Routing Displays the type of routing associated with the gateway for internal traffic routing. (Static or eBGP with ASN)
VPN Connections Displays the total number of VPN connections associated with the gateway. (Number - actionable link. Click the link to open the VPN connection details page for the associated VPN connection.)
View VPN Connections Click this link to open the VPN Connections tab. -

VPN Connections Summary View

The Connectivity dashboard allows you to open the VPN Connections dashboard or summary view.

VPN Connection: Represents the VPN IPSec tunnel established between local gateway and remote gateway. When you create a VPN connection, you need to select two gateways between which you want to create the VPN connection.

The VPN Connections dashboard provides a list of VPN connections created for the clusters managed by the Prism Central.

The VPN Connections dashboard provides a Create VPN Connection button that opens the Create VPN Connection . For more information, see Creating a VPN Connection.

You can select a VPN connection from the list (select the checkbox provided for the VPN connection) and then perform an action provided in the Actions dropdown list. The Actions dropdown list allows you to Update or Delete the selected VPN connection.

The VPN Connections summary list view provides the following details about the VPN connection.

Figure. VPN Connections dashboard Click to enlarge Displaying the VPN Connections dashboard.

Table 1. VPN Connections List Fields
Parameter Description Values
Name Displays the name of the connection. (gateway name)
IPSec Status Displays the connection status of IPSec tunnel. (Connected or Not Connected)
EBGP Status Displays the status of the EBGP gateway connection. (Established or Not Established)
Local Gateway Displays the name of the local gateway used for the connection. (Name of local gateway)
Remote Gateway Displays the name of the remote gateway used for the connection. (Name of remote gateway)
Dynamic Routing Priority Displays the dynamic routing priority assigned to the connection for throughput management. You can assign any value in the range of 100-1000. Flow networking assigns the first VPN connection the value 500 by default. Thereafter, subsequent VPN connections are assigned values decremented by 50. For example, the first connections is assigned 500, then the second connection is assigned 450, the third one 400 and so on. (Number in the range of 100-1000. User assigned.)

VPN Connections Details View

You can click the name of a VPN connection in the VPN Connections dashboard list to open the VPN connection details page that presents the information about the VPN connection in widgets.

The VPN connection details page displays the name of the VPN connection on the top left corner.

  • On the top right corner, the close button (X) allows you to close the details page.

  • The Update button opens the Update VPN Connection page. For more information, see Updating a VPN Connection.

  • The Delete button allows you to delete the VPN connection. For more information, see Deleting a VPN Connection.

Figure. VPN Connection Details Click to enlarge Displaying the detailed view of the selected VPN connection with the information organized in widgets.

The details about the VPN connection are organized in widgets as follows:

  • Summary tab—See the VPN Connection Summary Tab Details table below.
  • Throughput tab—See the VPN Connection Throughput Tab Details table below.
  • IPSec Logging tab—Provides logs for the IPSec tunnel.
  • Routing Protocol Logging tab—Provides logs for the routing protocol used in the VPN connection.
Table 1. VPN Connection Summary Tab Details
Parameter Description Values
VPN Connection widget
IPSec Status Displays the connection status of IPSec tunnel. (Connected or Not Connected)
EBGP Status Displays the status of the EBGP gateway connection. (Established or Not Established)
Dynamic Routing Priority Displays the dynamic routing priority assigned to the connection for throughput management. You can assign any value in the range of 100-1000. Flow networking assigns the first VPN connection the value 500 by default. Thereafter, subsequent VPN connections are assigned values decremented by 50. For example, the first connections is assigned 500, then the second connection is assigned 450, the third one 400 and so on. (Number in the range of 100-1000. User assigned.)
Local Gateway Properties
Gateway Name Displays the name of the local gateway used for the connection. (Name of local gateway)
Type Displays the type of gateway. (Local)
Attachment Type Displays the network entity like VLAN or VPC that the gateway is attached to. (VLAN or VPC)
VPC or Subnet (VLAN) Displays the name of the attached VPC or VLAN subnet. (Name of VLAN or VPC)
Tunnel IP Displays the Tunnel IP address of the local gateway. (IP Address)
Connection Type Displays the connection type you selected while creating the VPN connection. The connection type may be Initiator or Acceptor of a VPN connection between the local and remote gateways. T (Initiator or Acceptor)
External Routing Displays the type of routing associated with the gateway for external traffic routing. (Static or eBGP with ASN)
Internal Routing Displays the type of routing associated with the gateway for internal traffic routing. (Static or eBGP with ASN)
Floating or Private IP Address Displays the Floating (for VPC) or Private (for VLAN) IP address assigned to the gateway. (IP Address that you assigned to the local gateway with /30 prefix when you configured the VPN connection.)
Status Displays the operational status of the gateway. (Up or Down)
Cluster Displays the name of the cluster on which the gateway is created. (Cluster name)
Gateway VM Displays the name of the VM on which the gateway is created. (Name of VM - actionable link. Click the name-link to open the VM details page of the gateway VM.)
Remote Gateway Properties
Gateway Name Displays the name of the remote gateway used for the connection. (Name of remote gateway)
Type Displays the type of gateway. (Remote)
Tunnel IP Displays the Tunnel IP address of the remote gateway. (IP Address)
Connection Type Displays the connection type you selected while creating the VPN connection. The connection type may be Initiator or Acceptor of a VPN connection between the local and remote gateways. T (Initiator or Acceptor)
External Routing Displays the type of routing associated with the gateway for external traffic routing. (Static or eBGP with ASN)
ASN Displays the ASN of the EBGP route. This information is only displayed if you configured EBGP as the External Routing protocol. (Number)
Vendor Displays the name of the vendor of the gateway appliance at the remote site. (Name of vendor of gateway appliance)
External IP Displays the IP address assigned to remote the gateway. (IP Address that you assigned to the remote gateway with /30 prefix when you configured the VPN connection.)
Status Displays the operational status of the gateway. -
Protocol Details
Service Displays the service used by the gateway. (VPN or VTEP)
Gateway Routes Displays the status of the routes used by the gateways. (Sent)

Subnet Extensions Summary View

The Connectivity dashboard opens on the Subnet Extensions dashboard or summary view.

The Subnet Extensions dashboard provides a list of subnet extensions created for the clusters managed by the Prism Central.

The Subnet Extensions dashboard provides a Create Subnet Extension dropdown menu that lets you extend a subnet Across Availability Zones or To a Third Party Data Center . You can extend a subnet using VPN or VTEP service. See Layer 2 Virtual Network Extension for more information.

You can select a subnet extension from the list (select the checkbox provided for the subnet extension) and then perform an action provided in the Actions dropdown list. The Actions dropdown list allows you to Update or Delete the selected subnet extension.

Figure. Subnet Extensions dashboard Click to enlarge Displaying the Subnet Extension dashboard.

The Subnet Extensions summary list view provides the following details about the gateway.

Table 1. Subnet Extensions List Fields
Parameter Description Values
Name Displays the name of the subnet extension. (Name of subnet extension)
Type Displays the subnet extension type. ( Across Availability Zones or To a Third Party Data Center )
Extension Over Displays the service that the subnet extension uses. (VPN or VTEP)
Extension Uses Displays the name of the local network gateway that the subnet extension uses. (Name of local network gateway)
Local Subnet Displays the name of the local subnet that the subnet extension uses. (Name of local subnet)
Remote Site Displays the name of the remote network gateway that the subnet extension uses. (Name of remote network gateway)
Connection Status Displays the status of the connection that is created by the subnet extension. Not Available status indicates that Prism Central is unable to ascertain the status. (Not Available, Connected, or Disconnected)
Interface Status Displays the status of the interface that is used by the subnet extension. (Connected or Down)

You can click the name of a subnet extension to open the subnet extension details page that presents the information about the subnet extension in widgets.

Subnet Extensions Details View

You can click the name of a subnet extension in the Subnet Extensions dashboard list to open the subnet extension details page that presents the information about the subnet extension in widgets.

The subnet extension details page displays the name of the subnet extension on the top left corner. It has two tabs - Summary and Address Table . The Summary tab provides the information about the subnet extension in widgets. The Address Table tab provides MAC Address information only when the subnet extension uses VTEP service.

  • On the top right corner, the close button (X) allows you to close the details page.

  • The Update button opens the Update Subnet Extension page. See Updating an Extended Subnet for more information.

  • The Delete button allows you to delete the subnet extension. See Removing an Extended Subnet for more information.

Figure. Subnet Extensions Details View - Summary Tab Click to enlarge Displays the subnet extension details page, Summary that provides details of the subnet extension in one extended widget with three sections - Properties, IP Address Pools and Subnet Extension properties.

Figure. Subnet Extensions Details View - Address Table Tab for VPN-based Extension Click to enlarge Displays the subnet extension details page, Address Table tab that provides details of the MAC Addresses in the subnet extension

Figure. Subnet Extensions Details View - Address Table Tab for VTEP-based Extension Click to enlarge Displays the subnet extension details page, Address Table tab that provides details of the MAC Addresses in the subnet extension

The details about the subnet extension are organized in two tabs. The Summary tab organizes the subnet extension details in the extended widget as provided in the table. The Address Table tab provides details about the MAC addresses in a list.

Table 1. Subnet Extension Details - Summary Tab Fields
Parameter Description Values
Properties
Type Displays the subnet type. (VLAN or Overlay)
VLAN ID (For VLAN subnets only) Displays the VLAN ID of the VLAN subnet that is extended. (VLAN ID number)
VPC (For Overlay subnets only) Displays the name of the VPC subnet that is extended. (Name of VPC)
Cluster (For VLAN subnets only) Displays the cluster that the VLAN subnet belongs to. (Name of cluster)
IP Address Prefix Displays the network IP address with prefix, of the VLAN subnet that is extended. (IP Address with prefix)
Virtual Switch (For VLAN subnets only) Displays the virtual switch on which the VLAN subnet is configured. (Virtual Switch name such as vs0 or vs1)
IP Address Pools
Pool Range Displays the range of IP addresses in the pool configured in the subnet that is extended. (IP address range)
(Interactive Graphic Pie Chart) Displays a dynamic pie chart that displays the statistic you hover on. Displays the following IP address statistics outside the pie chart, that you can hover on:
  • Total number of IP addresses available.
  • Used IP addresses in the subnets
  • Used IP addresses in the IP address pools
  • Free IP addresses in the subnets
  • Free IP addresses in the IP address pools
(IP Address statistics)
Subnet Extension
Subnet Extension (properties) - Common
Type Displays the subnet extension type. ( Across Availability Zones or To a Third Party Data Center )
Interface Status Displays the status of the interface that is used by the subnet extension. (Connected or Down)
Connection Status Displays the status of the connection that is created by the subnet extension. Not Available status indicates that Prism Central is unable to ascertain the status. (Not Available, Connected, or Disconnected)
Local IP Address Displays the IP address that you entered in the Local IP Address field while creating the subnet extension. (IP Address)
Local Subnet Displays the name of the local subnet that the subnet extension uses. (Name of local subnet)
Subnet Extension (properties) - (Only for Across Availability Zones type)
Local Availability Zone (Only for Across Availability Zones type) Displays the name of the local AZ that is hosting the subnet that is extended. (Name of the local Availability Zone)
Remote Availability Zone (Only for Across Availability Zones type) Displays the name of the remote AZ that the subnet is extended to. (Name of the remote Availability Zone)
Remote Subnet (Only for Across Availability Zones type) Displays the name of the remote subnet that the subnet extension connects to. (Name of remote subnet)
Remote IP Address (Only for Across Availability Zones type) Displays the IP address that you entered in the Remote IP Address field while creating the subnet extension. (IP Address)
Subnet Extension (properties) - (Only for To a Third Party Data Center type)
Local Gateway (Only for To a Third Party Data Center type) Displays the name of the local gateway used for the subnet extension. (Name of local gateway)
Remote Gateway (Only for To a Third Party Data Center type) Displays the name of the remote gateway used for the subnet extension. (Name of remote gateway)

Security Policies Summary View

To access the security policies dashboard, select Policies > Security Policies from the entities menu (see Entities Menu). The security policies dashboard allows you to view summary information about defined security policies.

Note: This section describes the information and options that appear in the security policies dashboard.
  • See Entity Exploring for instructions on how to view and organize that information in a variety of ways.
  • See Flow Microsegmentation Guide for information about how to create and apply security policies.
Figure. Security Policies Dashboard Click to enlarge Security policies view of the Explore dashboard

The following table describes the fields that appear in the security policies list. A dash (-) is displayed in a field when a value is not available or applicable.

Table 1. Security Policies List Fields
Parameter Description Values
Name Displays the policy name. The policy is one of three types: application, quarantine, or isolation. (name), Application, Quarantine, Isolation
Purpose Describes (briefly) the policy's purpose. (text string)
Policy Displays (high level) what the policy does. (boxed text)
Status Displays the current status of the policy (either applied currently or in monitoring mode). Applied, Monitoring
Last Modified Displays the date the policy was last modified (or the creation date if the policy has never been modified). (date)

You can filter the security polices list based on several parameter values. The following table describes the filter options available when you open the Security Policies view Filter pane. To apply a filter, select a parameter and check the box of the desired value (or multiple values) you want to use as a filter. You can apply filters across multiple parameters.

Table 2. Filter Pane Fields
Parameter Description Values
Name Filters on the item name. Select a condition from the pull-down list ( Contains , Doesn't contain , Starts with , Ends with , or Equal to ) and enter a string in the field. It will return a list of security policies that satisfy the name condition/string. (policy name string)
Type Filters on the policy type. Check the box for one or more of the policy types (application, quarantine, isolation). It will limit the list to just those policy types. Application, Quarantine, Isolation
Status Filters on the policy status. Check the box for applied or monitoring. Applied, Monitoring

The security policies dashboard includes a Create Security Policy action button with a drop-down list to Secure an Application or Isolation Environments .

The Actions menu appears when one or more policies are selected. It includes options to update, apply, monitor, and delete. The available actions appear in bold; other actions are grayed out. (For grayed out options, a tool tip explaining the reason is provided.)

Security Policy Details View

To access the details page for a security policy, click on the desired security policy name in the list (see Security Policies Summary View). The Security Policy details page includes the following:

  • The policy name appears in the upper left. You can switch from one policy to another by selecting the policy name from the pull-down list.
  • The rule status appears below the name and indicates whether the policy is being applied currently or is in monitoring mode.
  • Three columns appear that specify the Inbound policy (on the left), the affected entities (in the middle), and the Outbound policy (on the right).
  • There are three action buttons (upper right).
    • Click the appropriate button to update, apply, monitor, or delete the policy (see Nutanix Security Guide for details). The available actions appear in bold; other actions are grayed out. (For grayed out options, a tool tip explaining the reason is provided.)
    • Click the question mark icon to open a help page in a separate tab or window.
    • Click the X icon to close the details page.
Figure. Security Policy Details View: Monitoring Rule Example Click to enlarge Security policies view of the Explore dashboard

Figure. Security Policy Details View: Applied Rule Example Click to enlarge Security policies view of the Explore dashboard

For more information about Security Policies, see Flow Microsegmentation Guide.

Virtual Private Cloud

A Virtual Private Cloud (VPC) is an independent and isolated IP address space that functions as a logically isolated virtual network. A VPC could be made up of one or more subnets that are connected through a logical or virtual router. The IP addresses within a VPC must be unique. However, IP addresses may overlap across VPCs. As VPCs are provisioned on top of another IP-based infrastructure (connecting AHV nodes), they are often referred to as the overlay networks. Tenants may spin up VMs and connect them to one or more subnets within a VPC.

Virtual Private Cloud (VPC) is a virtualized network of resources that are specifically isolated from the rest of the resource pool. VPC allows you to manage the isolated and secure virtual network with enhanced automation and scaling. The isolation is done using network namespace techniques like IP-based subnets or VLAN based networking.

AHV provides the framework to deploy VPC on on-premises clusters using the following.

  • Advanced Networking subnets and DHCP management
  • Multiple uplink and bridge management via virtual switch (VS)
  • Virtual Private Network (VPN) gateways and connections

Flow Networking simplifies the deployment and configuration of overlay-based VPCs. It allows you to quickly:

  • Create, update and delete VPCs.
  • Create, update and delete subnets within VPCs.
    Note: Create subnets as necessary when you create VPCs.
  • Add network security policies and services.
  • Configure hybrid cloud connectivity with VPNs.

This section covers the concepts and procedures necessary to implement VPCs in the network.

VM IP Address Management

Primary Address

The primary IP address is assigned to a VM during initialization when the cluster provides any virtual NIC (NIC) to a VM.

  • Select Assign Static IP as the Assignment Type to add a static IP address as primary IP address of the VM, when you attach a subnet to a VM.
  • Select Assign with DHCP as the Assignment Type to allow DHCP to dynamically assign an IP address to the VM.
  • Select No Private IP as the Assignment Type if you do not want to assign an IP address to the vNIC of the VM.

For more information about attaching a subnet to a VM, see Creating a VM through Prism Central (AHV) in the Prism Central Guide .

Secondary IP Addresses (Overlay Networks only)

For your deployment, you may need to configure multiple (static) IP addresses to a single NIC. These IP addresses (other than the primary IP address) are secondary IP addresses. A secondary IP address can be permanently associated with a specific NIC or be changed to any other NIC. The NIC ownership of a secondary IP address is important for security routing policies.

Note: You can configure secondary IP addresses only for VMs in an Overlay network.

You can configure secondary IP addresses to a NIC when you want to:

  • Associate multiple floating IP addresses with one VM without creating multiple NICs (each with one primary IP address) for the VM. You can assign one floating IP address to one secondary IP address that you create for the single NIC. For information about floating IP addresses, see Requesting Floating IPs.
  • Run appliances, such as load balancers, that have multiple IP addresses on each interface.
  • Host applications in a High Availability (HA) configuration where the ownership of IP address moves from the active entity to the standby entity when the active entity goes down.
  • Host applications in a clustered configuration where the ownership of IP address follows the leader.
  • Host Nutanix Files service in a VPC as a case of clustered application.
Note:

In applications that use secondary IP addresses as virtual IP addresses and the NIC ownership of the secondary IP address changes dynamically from one NIC to another, configure the application to incorporate the ownership change in its settings or configuration. If the applications do not incorporate these ownership changes, the VPCs configured for such applications fail.

For information about configuring secondary IP addresses, see Creating Secondary IP Addresses.

IP Address Information

You can view the IP addresses configured on a VM by clicking the See More link in the IP Address column in the VM details view to open the IP Address Information box.

Note: The See More link in the IP Address column in the VM details view and the IP Address Information box are available only if the VM has any secondary IP addresses configured.
Figure. IP Address Information Click to enlarge Displaying the IP Address Information box

Creating Secondary IP Addresses

You can assign multiple secondary IP addresses to a single vNIC.

About this task

You can add multiple secondary IP addresses to the vNIC configured on a VM. Add the secondary IP addresses to the vNIC in the Create VM or the Update VM page.

Procedure

  1. Go to the Networks section.
  2. Click the Edit icon for the subnet that you want to add the secondary IP addresses from.
    The Update NIC dialog box opens.
  3. Check the Add Secondary IPs check box in the Update NIC dialog box.
    Figure. Add Secondary IP Addresses Click to enlarge Displaying the Add Secondary IPs section in Update NIC page.

  4. Add a comma-separated list of the secondary IP addresses that you want to add to the vNIC of the VM.
    Note:

    Ensure that the secondary IP addresses are within the same subnet that the primary IP address of the NIC is from. The subnets are displayed in the Private IP Assignment section in the Update NIC dialog box.

    Ensure that the secondary IP address is not the same as the IP address provided in the Private IP Assignment field.

  5. Click Save .
  6. Click Next on the Resources and the Management tabs of the Update VM page.

    If you need to make any other changes on the Resources and the Management tabs for any configurations other than adding secondary IP addresses, make the changes and then click Next on these tabs.

  7. Click Launch VM on the Review tab after you review

What to do next

You can view the secondary IP addresses configured on the VM in the IP Address Information box.

Assigning Secondary IP Addresses to Interfaces

Assign the secondary IP addresses to interfaces or subinterfaces on the VM.

About this task

To assign the secondary IP addresses to virtual interfaces on the VM, do the following on the VM details page:

Procedure

  1. Click Console .
  2. Log in as a root user.
  3. Run the ifconfig command as follows:
    root@host$ ifconfig <interface> <secondary ip address> <network mask>

    Provide the following in the command:

Parameter Description
<interface> The interface of the VM such as eth0. You can provide subinterfaces such as eth0:1 and eth0:2.
<secondary IP address> The secondary IP address that you created and want to associate with the interface.
<network mask> The network mask that is an expansion of the network prefix of the network that the secondary IP address belongs to. For example, if the secondary IP address belongs to 10.0.0.0/24 then the network mask is 255.255.255.0.
  1. Repeat the aforementioned steps for all the secondary IP addresses you want to associate with interfaces on the VM.
  2. Exit from the Console.

Assigning Secondary IP Addresses to Floating IPs

Assign the secondary IP addresses to floating IP addresses on the VM.

About this task

After you assign secondary IP addresses to interfaces or subinterfaces on the VM, you can assign the secondary IP addresses to floating IP addresses that may be used for external connectivity.

Do one of the following:

Procedure

  • Assign floating IP addresses when you request floating IP addresses in the Assign Floating IPs section of the Request Floating IP dialog box.
    To assign floating IP addresses while requesting for them, you must have the secondary IP addresses configured and ready when you are requesting the floating IP addresses.
  • Select the floating IP address you want to assign, in the Floating IPs dashboard. Click the Update option in the Actions drop-down menu.
    Assign the secondary IP addresses you configured to the floating IP addresses you have.

VPC Workflow

A virtual private cloud (VPC) can be deployed on Nutanix cluster infrastructure to manage the internal and external networking requirements using Flow Networking. The workflow to create a complete network based on VPC is described below.

  1. Create a VPC—See Creating Virtual Private Cloud. See Updating Virtual Private Cloud to update a VPC you created.
  2. Add Subnets to the VPC—See Creating a Subnet to create a Subnet. See Updating a Subnet to update a subnet.
  3. Attach the Subnet to VMs—See Attaching a Subnet to a Virtual Machine.

VPC Management

This section provides information and procedures that you need to manage virtual private clouds using Flow networking.

Creating Virtual Private Cloud

About this task

You can create VPCs on the Virtual Private Clouds page. Go to the Virtual Private Clouds page by clicking Virtual Infrastructure > Networking > Virtual Private Clouds .

To create a VPC, do the following.

Procedure

  1. On the VPC dashboard, click Create VPC .

    See Network and Security View for more information about the VPC dashboard.

    The Create Virtual Private Cloud (VPC) dialog box opens.
    Figure. Create Virtual Private Cloud Click to enlarge

  2. Provide the necessary values in respective fields in the Create Virtual Private Cloud (VPC) dialog box.
Fields Description and Values

Name

Provide a name for the VPC.

External Connectivity

This section takes you through configuration of the parameters necessary for connectivity to the Internet or clusters outside the VPC.

A subnet with external connectivity (External Subnet) is required if the VPC needs to send traffic to a destination outside of the VPC.

Note: You can add a maximum of two external subnets - one external subnet with NAT and one external subnet without NAT to a VPC. Both external subnets cannot be of the same type. For example, you cannot add two external subnets, both with NAT. You can update an existing VPC similarly.

Network address translation (NAT) Gateways perform the required IP-address translations required for external routing. You can also have external connectivity without NAT.

External Subnet

Select an external subnet from the drop down list. By associating the VPC with the external subnet you can provide external connectivity to the VPC.
Note:

Ensure that the externally routable IP addresses (subnets with external connectivity without NAT) for different VPCs do not overlap.

Configure the routes for the external connectivity subnets with next hop as the Router or SNAT IP address. Also configure the routes on the router for the return traffic to reach the VPC. See External Connectivity panel in VPC Details View.

Externally Routable IP Addresses Provide IP addresses that are externally routable. Externally routable IP addresses are IP addresses that within the VPC which can communicate externally without NAT. These IP addresses are used when an external subnet without NAT is used.

Domain Name Servers (DNS)

(Optional) DNS is advertised to Guest VMs via DHCP. This can be overridden in the subnet configuration.

Click + Server IP to add DNS server IPs under IP Address and click the check mark.

You can Edit or Delete an IP address you added using the options under Actions .

  1. Click Save .

Requesting Floating IPs

About this task

Each VPN gateway requires a floating IP. If you do not provide one during the VPN gateway creation, then Flow Networking automatically allocates a floating IP to a VPN gateway. To provide floating IP during the VPN gateway creation, you can request floating IPs and assign them to VMs.

You can view the allocated floating IPs on the Floating IPs page. Click Networking > > Floating IPs .

To request a floating IP, do the following.

Procedure

  1. Click the Request Floating IP button on the Floating IPs page.
  2. On the Request Floating IP dialog box, provide the information in the respective fields.
    Figure. Request and Assign Floating IPs Click to enlarge

    Note:

    Uncheck the Assign Floating IPs box if you want to assign the requested IP addresses after you receive it.

    See Floating IPs for more information.

Fields Description and Values
External Subnet Select a subnet that you configured with external connectivity.
Number of Floating IPs Enter the number of floating IPs you want. You can request a maximum of 5 floating IP addresses.
Assign Floating IPs

Select this check box if you want to assign the floating IPs to specific VMs in the table.

Based on the number you entered in the Number of Floating IPs field, the system provides an equivalent number of rows of Search VMs and IP Address in the table.

Under Search VMs , select the VM to which you want to assign a floating IP address. Under IP Address , select the IP address on the VM (primary or secondary IP address) to which you want to assign the floating IP.

You can assign multiple floating IP addresses to multiple secondary IP addresses that you can create on the NIC of the VM.

For information about configuring secondary IP addresses, see Creating Secondary IP Addresses.

Note:
  1. Click Save .

What to do next

When you receive the floating IP address you requested, you can see it, assign it (if not already assigned while requesting) or delete it in the Floating IPs view.

Creating a Subnet

About this task

You can create subnets on the Subnets page. Go to the Subnets page by clicking Virtual Infrastructure > Networking and open the Create Subnet dialog box.

You can also open the Create Subnet dialog box from the VPC details view by clicking the Add Subnet option.

To create a subnet, do the following.

Procedure

  1. Click Create Subnet .
    The Create Subnet dialog box opens. The following figure displays the Create Subnet dialog box with all the options. These options are displayed based on the values you select in the Type field.
    Figure. Create Subnet (With External Connectivity Disabled) Click to enlarge

    Figure. Create Subnet (With External Connectivity Enabled) Click to enlarge

Fields Description and Values
Name Provide a name for the subnet.
Type

Select the type of subnet you want to create.

You can create a VLAN subnet or an Overlay subnet.

VLAN ID

(VLAN subnet only) Enter the number of the VLAN .

Enter just the number in this field, for example 1 or 27. Enter 0 for the native VLAN. The value is displayed as vlan.1 or vlan.27 in the View pages.

Note: Provision any single VLAN ID either in the AHV network stack or in the Flow Networking (brAtlas) networking stack. Do not use the same VLAN ID in both the stacks.
IP Address management

(Mandatory for Overlay type subnets) This section provides the Network IP Prefix and Gateway IP fields for the subnet.

(Optional for VLAN type subnet) Check this box to display the Network IP Prefix and Gateway IP fields and configure the IP address details.

Unchecking this box hides these fields. In this case, it is assumed that this virtual LAN is managed outside the cluster.

Note:

The DHCP Settings option is only available for VLAN subnets if you select this option.

DHCP Settings

(Optional for both VLAN and Overlay subnets) Check this box to display fields for defining a domain.

Checking this box displays fields to specify DNS servers and domains. Unchecking this box hides those fields.

See Settings the DHCP Options for more information.

Cluster (VLAN subnet only) (VLAN subnet only) This option is available only for VLAN subnet configuration. Select the cluster that you want to assign to the subnet.
External Connectivity (VLAN subnet only) Turn on this toggle switch if you want use this VLAN subnet for external connectivity.
Note:

Ensure that the externally routable IP addresses (subnets with external connectivity without NAT) for different VPCs do not overlap.

Configure the routes for the external connectivity subnets with next hop as the Router or SNAT IP address. Also configure the routes on the router for the return traffic to reach the VPC. See External Connectivity panel in VPC Details View.

NAT (Option under External Connectivity ) If you turn on the External Connectivity toggle switch, then you can choose whether to connect to external networks with or without enabling NAT. Check the NAT check box to enable NAT for external connectivity for VPCs.

Virtual Switch (VLAN subnet only) Select the virtual switch that is configured for the VLAN you selected. The default value is the default virtual switch vs0. This option is displayed only if you add a VLAN ID in the VLAN ID field.
VPC (Overlay subnet only)

Select the Virtual Private Cloud (VPC) that you want to assign to the subnet from the drop down list.

You can create VPCs and assign them to Overlay subnets.

IP Address Pool

Defines a range of addresses for automatic assignment to virtual NICs.

This field is optional for both VLAN and Overlay . For VLAN , this field is displayed only if you select the IP Address Management option.

Note: Configure this field for VLAN or Overlay to complete the creation of the VPC, if you do not need external connectivity for this subnet. You must configure this field only if you need external connectivity for this subnet.

Click the Create Pool button and enter the following in the Add IP Pool page:

  • Enter the starting IP address of the range in the Start Address field.

  • Enter the ending IP address of the range in the End Address field.

  • Under Actions , click the check mark to submit the starting and ending IP addresses you entered.

    Click the X mark to remove the entries.

Override DHCP Server

(VLAN subnet only) To configure a DHCP server, check the Override DHCP Server box and enter an IP address in the DHCP Server IP Address field.

See Override DHCP Server (VLAN Only) in Settings the DHCP Options for information about this option.

  1. Click Save .

Settings the DHCP Options

About this task

Selecting the DHCP Settings checkbox in Create Subnet or Update Subnet allows you to configure the DHCP options for the VMs within the subnet. When DHCP settings are configured for a VM in a subnet and the VM is powered on, Flow Networking configures these options on the VM automatically. If you do not configure the DHCP settings, then these options are not available on the VM automatically when you power it on.

You can enable DHCP Settings when you create a subnet and configure the DHCP Settings for the new subnet. You could also update the DHCP Settings for an existing subnet.

DHCP Settings is common to and is available on both the Create Subnet and the Update Subnet dialog boxes.

To configure the DHCP Settings , do the following in the Create Subnet or the Update Subnet dialog box:

Procedure

  • Provide the information in the DHCP Settings fields.
    Figure. DHCP Settings Click to enlarge DHCP Settings display

Fields Description and Values
Domain Name Servers

Provide a comma-separated list of DNS IP addresses.

Example: 8.8.8.8, 9.9.9.9

Domain Search

Enter the VLAN domain name. Use only the domain name format.

Example: nutanix.com

TFTP Server Name

Enter a valid TFTP host server name of the TFTP server where you host the host boot file. The IP address of the TFTP server must be accessible to the virtual machines to download a boot file.

Example: tftp_vlan103

Boot File Name

The name of the boot file that the VMs need to download from the TFTP host server.

Example: boot_ahv2020xx

  • (Optional and for VLAN networks only) Check the Override DHCP Server dialog box and enter an IP address in the DHCP Server IP Address field.

    You can configure a DHCP server using the Override DHCP Server option only in case of VLAN networks.

    The DHCP Server IP address (reserved IP address for the Acropolis DHCP server) is visible only to VMs on this network and responds only to DHCP requests. If this box is not checked, the DHCP Server IP Address field is not displayed and the DHCP server IP address is generated automatically. The automatically generated address is network_IP_address_subnet.254 , or if the default gateway is using that address, network_IP_address_subnet.253 .

    Usually the default DHCP server IP is configured as the last usable IP in the subnet (For eg., its 10.0.0.254 for 10.0.0.0/24 subnet). If you want to use a different IP address in the subnet as the DHCP server IP, use the override option.

Attaching a Subnet to a Virtual Machine

About this task

To attach a subnet to a VM, go to the Virtual Infrastructure > VM > List view in Prism Central and do the following.

Procedure

  1. Select the VM you want to attach a subnet to. Click Actions > > Update .
  2. In the Update VM dialog box, click Add NIC .
    Figure. Click to enlarge

  3. Provide the necessary information in the indicated fields in the Create NIC dialog box.
    1. Select the Subnet Name from the drop down list.
    2. Select the Network Connection State as Connected or Disconnected .

      The Network Connection State selection defines the state of the connection after the NIC configuration is implemented.

    3. Select the Assignment Type .

      You can select Assign with DHCP to assign a DHCP based IP address to the VM.

      You can select Assign Static IP to assign a static IP address to the VM to reach the VM quickly from any endpoint in the network such as a laptop.

    4. Click Add .
  4. Click Save on the Update VM dialog box.

Creating a Policy

About this task

For Policy-based routing you need to create policies that route the traffic in the network.

When you create a VPC, there is one default policy that Flow Networking creates for the VPC. This policy is pre-configured with the Priority 1 and other default values to Deny traffic flow and service (see the table of field descriptions and values for this dialog box).
Note: You cannot update or delete the default policy.
  • Policies control the traffic flowing between subnets (inter-subnet traffic).

  • Policies control the traffic flowing in and out of the VPC.

  • Policies do not control the traffic within a subnet (intra-subnet traffic).

Figure. Policy Tab Click to enlarge

You can create a traffic policy using the Create Policy dialog box. You can open the Create Policy dialog box either from the VPC list view or the VPC list view.

  • On the VPC list view, select the VPC you want to update and click Create Policy in the Actions drop down menu.

  • On the VPC details view, click the Create Policy option in the More drop down menu.

To create a policy, do the following in the Create Policy dialog box.

Procedure

  1. Provide the necessary values in the respective fields.
    Figure. Create Policy Click to enlarge

Fields Description and Values Value in Default Policy
Priority The priority of the access list (ACL) determines which ACL is processed first. Priority is indicated by an integer number. A higher priority number indicates a higher priority.For example, if two ACLs have priority numbers 100 and 70 respectively, the ACL with priority 100 takes precedence over the ACl with priority 70.
Note:
  • Click the Understand Priorities link to see the Understand Priorities information box (see the image of this box below this table).
1
Source

The source indicates the source IP or subnet for which you want to manage traffic.

Source can be:

  • Any : Indicates any IP address.

  • External : Indicates an IP address that is outside the subnets configured for the VPC.

  • Custom : You can provide a specific Source Subnet IP with prefix.
Any
Source Subnet IP

Only required if you selected the Source as Custom . Provide the subnet IP and prefix that you want to designate as the source for the policy. Use the CIDR notation format to provide the subnet IP. For example, 10.10.10.0/24.

None
Destination

The destination is the destination IP or subnet for which you want to set the priority.

Destination can be:

  • Any : Indicates any IP address.

  • External : Indicates an IP address that is outside the subnets configured for the VPC.

  • Custom : You can provide a specific Destination Subnet IP with prefix.
Any
Destination Subnet IP

Only required if you selected the Destination as Custom .

None
Protocol You can also set the priority configure policy for certain protocols. You can select one of the following options:
  • Any : Indicates any IP address.

  • Protocol Number : Provide an integer number that indicates the protocol you want to prioritize.

    Provide the appropriate value in the Protocol Number field.
  • TCP
  • UDP
  • ICMP
Protocol Number

This field is displayed only if you select Protocol Number as the value in the Protocol field. The number you provide must be the IANA designated number that indicates respective protocol. See IANA Protocol Numbers .

None
Action

Assign the appropriate action for implementation of the policy.

  • Permit : Permits traffic and services based on the parameters set.

    If the Permit rule is set to override a Drop rule, then the Permit rule must be set in both the directions to allow bidirectional communication between the Source and Destination .

  • Deny : Denies traffic and service based on the parameters set.

  • Re-route :Sends matching traffic to the next-hop IP address specified by the Reroute IP . In case of reroute, you need to provide an IP address that the traffic needs to be re-routed to, in the Reroute IP field.
Permit
Figure. Understanding Priorities Click to enlarge Sample Understand Priorities information box.

  1. Click Save .

Creating Static Routes

About this task

You can create a static route using the Create Static Routes dialog box. You can open the Create Static Routes dialog box either from the VPC list view or the VPC details view.

  • On the VPC list view, select the VPC and click Create Static Routes in the Actions drop down menu.

  • On the VPC details view, click the Create Static Routes option in the More drop down menu.

Figure. Create Static Routes Click to enlarge

To create static route, do the following in the Create Static Routes dialog box:

Procedure

  1. Provide the necessary values in the respective fields.
Fields Description and Values
Destination Prefix Provide the IP address with prefix of the destination subnet.
Next Hop Link Select the next hop link from the drop down list. The next hop link is the IP address that the traffic must be sent for the static route you are configuring.
Add Prefix You can create multiple static routes using this option. Click this link to add another set of Destination Prefix and Next Hop Link to configure another static route.
  1. Click Save .

Updating Virtual Private Cloud

About this task

You can update a VPC using the Update Virtual Private Cloud (VPC) dialog box. You can open the Update Virtual Private Cloud (VPC) dialog box either from the VPC list view or the VPC details view.

  • On the VPC list view, select the VPC you want to update and click Update in the Actions drop down menu.

  • On the VPC details view, click the Update option.

The Update Virtual Private Cloud (VPC) dialog box is identical to the Create Virtual Private Cloud (VPC) dialog box.

Figure. Update VPC Click to enlarge Displaying Update VPC dialog box

For details about the parameters that you can update in the Update Virtual Private Cloud (VPC) dialog box, see Creating Virtual Private Cloud.

Procedure

  • Update the parameters in the Update Virtual Private Cloud (VPC) dialog box.
  • Click Save .

Updating a Subnet

About this task

You can update a subnet displayed on the Subnets page. Go to the Subnets page by clicking Virtual Infrastructure > Networking > Subnets and open the Update Subnet dialog box.

You can also open the Update Subnet dialog box from the VPC dashboard for a specific VPC. Click the Edit option for the subnet listed on the Subnets tab of the VPC dashboard.

The fields in the Update Subnet and the Create Subnet dialog boxes are the same.
Note: You cannot edit or update the subnet type. For example, if the subnet type is already configured as VLAN , you cannot modify it to an Overlay type subnet.

To update a subnets, do the following.

Procedure

  1. Select the subnet you want to update. Select Actions > Update Subnet .
  2. Update the necessary values in the respective fields in the Update Subnet dialog box.
    Figure. Update Subnet Click to enlarge

    The Update Subnet dialog box has the same fields as the Create Subnet dialog box. For details about the fields and the values that can be updated in the Update Subnet dialog box, see Creating a Subnet.

  3. Click Save to ensure that the updates are saved in the configuration.

Category Management

A category is a key-value pair that groups similar entities. Associating a policy with a category ensures that the policy applies to all the entities in the group regardless of how the group scales with time. For example, you can associate a group of VMs with the Department: Marketing category, where Department is a category that includes a value Marketing along with other values such as Engineering and Sales.

Currently, you can associate only VMs with a category. Categories are implemented in the same way on on-premises Prism Central instances and in Xi Cloud Services. For information about configuring categories, see the Prism Central Guide .

Updating a Policy

About this task

You can update a policy using the Update Policy dialog box. You can open the Update Policy dialog box in two ways in the VPC details view.

  • On the VPC details view, select the VPC you want to update and click the Update option in the top menu.
  • On the VPC details view, click the Edit option provided in the Actions menu for the selected VPC.
Note: You cannot update or delete the default policy.

The Update Policy dialog box has the same parameters as the Create Policy dialog box.

For details about the parameters that you can update in the Update Policy dialog box, see Creating a Policy.

Procedure

  • Update the parameters in the Update Policy dialog box.
  • Click Save .

Updating Static Routes

About this task

You can update a static route using the Update Static Routes dialog box. You can open the Update Static Routes dialog box either from the VPC list view or the VPC details view.

Note: You must configure the default route (0.0.0.0/0) to the external subnet as the next hop for connectivity outside the cluster (north-south connectivity).
  • On the VPC details view, select the VPC you want to update and click the Update option in the top menu.
  • On the VPC details view, click the Edit option provided in the Actions menu for the selected VPC.

The Update Static Routes dialog box has the same parameters as the Create Static Routes dialog box.

For details about the parameters that you can update in the Update Static Routes dialog box, see Creating Static Routes.

Procedure

  • Update the parameters in the Update Static Routes dialog box.
  • Click Save .

Deleting a Virtual Private Cloud

About this task

Prism Central does not allow you to delete a VPC if the VPC is associated with any subnets and/or VPNs. After you remove all the subnets or VPN associations from the VPC, delete the VPC.

You can delete a VPC from the VPC list view or the VPC details view.

Procedure

  • Do one of the following.
    • To delete a VPC from the VPC list view, select the VPC you want to delete and click Delete in the Actions drop down menu.
    • To delete a VPC from the VPC details view, click the VPC name to go to the VPC details view and click the Delete option in the More drop down menu.
  • In the confirmation dialog box, do the following.
    • Click Delete to delete the VPC.
    • Click Cancel to exit without deleting the VPC.

Deleting Subnets, Policies or Routes

About this task

You can delete VPC entities such as subnets, policies or routes from the VPC details page.

Note: You cannot update or delete the default policy.

Do the following.

Procedure

  1. Open the VPC details page and go to the respective tab like Subnets , Policies or Routes .
  2. Click the Delete option provided for the selected entity (subnet, policy or route respectively).
  3. In the confirmation dialog box, do the following.
    • Click Delete to delete the entity.
    • Click Cancel to exit without deleting the entity.

Connections Management

This section covers the management of network gateways, VPN connections and Subnet Extensions including operations like create, update and delete network gateways and VPN connections, and extending subnets.

Network Gateway Management

You can create, update or delete network gateways that host one of VPN or VTEP service for connections.

Creating a Network Gateway

About this task

VPN or s connect two networks together, and can be used in both VLAN and VPC networks on AHV. In other words, you can extend the routing domain of a VLAN network or that of a VPC using a VPN. Accordingly, VPN gateways can be configured using VLANs or VPCs. You need VPN gateways on clusters to provide a gateway to the traffic between on-premise clusters or remote sites.

You can create multiple VPN gateways for a VPC. Since a VPC is configured only on a PC, the VPC is available to all the clusters registered to that PC.

A VPN gateway may be defined as a Local gateway or a Remote gateway based on where the traffic needs to be routed.

To create a VPN gateway, do the following on the Networking & Security > Connectivity > Gateways page.

Procedure

  1. Select Local or Remote in the Create Gateway drop-down menu.
    If you select Local in the drop-down menu, the Create Local Gateway dialog box opens. If you select Remote in the drop-down menu, the Create Remote Gateway dialog box opens.

  2. Provide the necessary values in the respective fields as described in the table.
    For example, if you select Local in the drop-down menu, then the Create Local Gateway dialog box opens. Provide the necessary values in the respective fields as described in the table.
    Figure. Sample Create Local Gateway - VM Deployment Click to enlarge

    Figure. Sample Create Local Gateway - VPN Service Configuration Click to enlarge

    Figure. Sample Create Local Gateway - VTEP Service Configuration Click to enlarge

    Figure. Sample Create Remote Gateway - VPN Gateway Service Click to enlarge

    Figure. Sample Create Remote Gateway - VTEP Gateway Service Click to enlarge

Table 1. Local Gateway Fields
Fields Description Values
VM Deployment
Name Enter a name for the network gateway. (Name)
Gateway Attachments (for Local gateway type only) Select the gateway attachment as VPC or VLAN . The VPN VM is deployed on a VPC VM or a cluster that has the selected VLAN respectively.
  1. If you select VPC , then VPC Attachment is displayed. VPC is the default value for the Gateway Attachments field. The Gateway VM is deployed on the cluster and associated with the VPC selected in the VPC Attachment section.

    VPC attachment mode provides the options of eBGP and Static routing methods for external routing (configured in the External Routing Configuration section).

  2. If you select VLAN , then the VLAN Attachment is displayed. The Gateway VM is deployed on the cluster that has the VLAN and the subnet specified in the VLAN Attachment section.

    VLAN attachment mode provides only the eBGP routing method for external routing.

(VLAN or VPC)
Gateway VM Deployment - VPC Attachment
Cluster Select the cluster on which you want to deploy the Gateway VM on. (Name of the cluster)
VPC (If Gateway Attachment type is VPC) Select the VPC configured on the selected cluster that you want to use for the Gateway VM deployment. (Name of the VPC selected)
Floating IP (Optional)

Select a floating IP for the network gateway configuration. If you do not select a floating IP address then Prism Central allocates a floating IP automatically. This allocated floating IP is deleted when you delete the gateway.

To request floating IPs and allocate them to subnets, see Requesting Floating IPs

(IP address)
Gateway VM Deployment - VLAN Attachment
Cluster Select the Cluster, from the drop down list, on which you want to deploy the Gateway VM on.
Note: Only clusters with VLANs are available in the list.
(Name of the cluster)
Subnet Select the subnet you want to attach the Gateway VM to, from the drop down list.
Note: The list includes all the subnets you created on the selected cluster.
After you select the subnet, the details of the subnet are displayed in a box below the Subnet field. The details include: VLAN ID, IPAM type being Managed or Unmanaged, and Network Address with Prefix.
(Name of the VLAN subnet)
Static IP Address for VPN Gateway VM Enter the static IP address that the Gateway VM needs to use. (IP Address with Prefix)
Default Gateway IP Enter the default gateway IP of the subnet for the Gateway VM. (IP Address)
Service Configuration
Gateway Service Select the gateway service you want to use for the gateway. (VPN or VTEP)
VPN Service Configuration - External Routing Configuration (This section is available for VLAN and VPC attachment types)
Routing Protocol
  1. For VPC gateway attachments: Select Static for static routing.
    Note: You need to create static routes (see Creating Static Routes) for external routing and attach the route to the VPC selected in this configuration.
  2. Select eBGP for eBGP based external routing.
  3. For VLAN gateway attachments: External routing protocol is pre-set to eBGP . You cannot change the routing protocol.
(Static or eBGP)
Redistribute Connected Routes (Applicable only if VLAN type gateway attachment is selected) ( VLAN only) Select this checkbox to enable the redistribution of connected routes into the eBGP. (Check mark or blank)
ASN (Only available if eBGP routing protocol is selected)

(For eBGP only) Enter the ASN for your on-prem gateway. If you do not have a BGP environment in your on-prem site, you can choose any number. For example, you can choose a number in the 65000 range.

Note: Make sure that this ASN does not conflict with any of the other on-premises BGP ASNs.

ASN must be distinct in case of eBGP.

(Number)
eBGP Password (For eBGP in Local gateway type only) Enter the eBGP password for the eBGP route. (Password: The password must be between 1 and 80 characters.
  • Characters allowed for Pre-Shared Key for IPSec

    • a-z

    • A-Z

    • 0-9

    • ~ ! @ # % ^ & * ( ) _ - + = : ; { } [ ] | < > , . / ? $

    • Password length: Minimum 1 and maximum 64 characters.

  • Characters allowed for BGP passwords
    • a-z

    • A-Z

    • 0-9

    • ~ ! @ # % ^ & * ( ) _ - + = : ; { } [ ] | < > , . / ? $

    • Password length: Minimum 1 and maximum 80 characters.

)
VPN Service Configuration - Internal Routing Configuration (This section is available for VLAN attachment type only.)
Routing Protocol (Between On-prem Gateway and On-prem Router) Select the Routing Protocol to be used between on-premises Nutanix gateway and on-premises router.

You can select:

  • Static : Select this protocol to provide a static route configuration for the VLAN gateway.

  • OSPF : Select this protocol to provide an OSPF routing configuration for the VLAN gateway.

  • iBGP : Select this protocol to provide a iBGP route configuration for the VLAN gateway.
    Note: For iBGP, the ASN must be the same between the Gateway appliance and the peer iBGP, when iBGP is selected as the internal routing protocol.
(Static or OSPF or iBGP)
+Add Prefix (Applicable to Static routing)

(For Static routing selected in Routing Protocol ) Click this to enter a Local Prefix and click the check mark under Actions to add the prefix.

If you click the X mark under Actions , the local prefix you entered is not added.

The prefixes you add are advertised to all the connected peers via eBGP.

The prefix must be a valid IP address with the host bits not set.

You can add multiple local prefix IP addresses.

(prefix like /24)
Area ID (Applicable to OSPF protocol) (OSPF only) Enter the OSPF area id in the IPv4 address format.
Password Type (OSPF only) Select the password type you want to set for the OSPF route. The options are:
  1. MD5 : Select this option to encrypt the packets with MD5 hash that can be decrypted with the MD5 password at the destination.

  2. Plain Text : Select this option to set a clear-text password.

  3. None : Select this if you do to set an open route without password protection

Password

(OSPF only) Enter a password for the MD5 or Plain Text password type you select in the Password Type field.

  • For MD5 : The password must be 1-16 characters long.

    Characters allowed for OSPF passwords (MD5)

    • a-z

    • A-Z

    • 0-9

  • For Plain Text : The password must be 1-8 characters long.

    Characters allowed for OSPF passwords (Plain text): a-z.

Peer IP (for iBGP) Enter the IP Address of the On-prem router used to exchange routes with the network gateway. (IP Address)
Password Enter a password with 1-80 characters. (Password)
VTEP Service Configurations
VxLAN (UDP) Port The default value provided is 4789. Do not change this. (Number. Default value is 4789)
Table 2. Remote Gateway Fields
Fields Description Values
Name Enter a name for the network gateway. (Name)
Gateway Service Select the gateway service you want to use for the gateway. (VPN or VTEP)
VPN Service Configurations
Public IP Address Enter the public IP address of the remote endpoint. If a Floating IP is not selected, a new Floating IP is automatically allocated for the Gateway. These allocated IP addresses are deleted when the network gateway is deleted. (IP Address)
Vendor Select the vendor of the third party gateway appliance. (Name of Vendor)
External Routing
Protocol
  1. Select Static for static routing.
    Note: You need to create static routes (see Creating Static Routes) for external routing and attach the route to the VPC selected in this configuration.
  2. Select eBGP for eBGP based external routing.
(Static or eBGP)
eBGP ASN (Only available if eBGP routing protocol is selected)

(For eBGP only) Enter the ASN for your on-prem gateway. If you do not have a BGP environment in your on-prem site, you can choose any number. For example, you can choose a number in the 1-65000 range.

Note: Make sure that this ASN does not conflict with any of the other on-premises BGP ASNs.

ASN must be distinct in case of eBGP.

(Number)
VTEP Service Configurations
VTEP IP Address Enter VTEP IP Addresses of the remote endpoints that you want to create the gateway for. You can add IP addresses of multiple endpoints in one remote gateway. (Comma separated list of IP Addresses)
VxLAN (UDP) Port The default value provided is 4789. Do not change this. (Number. Default value is 4789)
  1. Click Save .

What to do next

The Gateway you create is displayed in the Gateways page.

Updating a Network Gateway

About this task

You can update a network gateway using the Update Gateway dialog box.

You can open the Update Gateway dialog box. The parameters in the Update Gateway dialog box are the same as those in the Create Local Gateway or Create Remote Gateway dialog box.

Procedure

  1. Select the gateway you want to update on Gateways .
  2. Click Update in the Actions menu.
  3. Update the required details in the Update Gateway dialog box.
    You cannot modify some information. Such fields are greyed and in-actionable. If you need to modify such information, consider creating a new gateway with the updated parameters and deleting the current gateway.
  4. Click Save .

Deleting a Network Gateway

About this task

If you want to delete a network gateway, you must first delete all the VPN connections associated with the gateway and only then you can delete the network gateway.

To delete a network gateway, do the following on the Gateway page.

Procedure

  1. Do one of the following.
    • Select the check box next to the name of the gateway and, in the Actions drop-down list, click Delete .
    • Click the name of the gateway and, in the details page, click Delete .
  2. In the confirmation dialog box, do the following.
    • Click Delete to delete the entity.
    • Click Cancel to exit without deleting the entity.

Virtual Network Connections

Virtual Private Network

You can use the Nutanix VPN solution to set up VPN between your on-prem clusters, which exist in distinct routing domains that are not directly connected. These distinct routing domains could either be VPCs within the same cluster or remote clusters or sites.

If you need to connect one Nutanix deployment in one site to another deployment in a different site, you can create a VPN endpoint in each of the sites. A VPN endpoint consists of a local VPN gateway, remote VPN gateway and VPN connection. Local VPN gateway can be instantiated in a VPC context or a legacy VLAN context. Launching the VPN gateway within a VPC allows stretching of the VPC. For example, in the figure, the Blue VPC is stretched between two sites with a VPN.

Figure. VPN Working Click to enlarge

VPN connections are useful in connecting two points. You can connect two VPCs in the same cluster using a VPN or VPCs in different clusters in the same site. However, VPN connection can connect only one endpoint to another endpoint. Flow networking based VPN service allows you to only connect two endpoints that use Nutanix VPN based gateway service.

Virtual Tunnel End Points Based Network Extensions

To connect one endpoint to multiple endpoints or third party (non Nutanix) networks, use Virtual Tunnel End Point (VTEP) service based subnet extensions. For more information about VTEP, see .

VPN Workflow

If you need to connect one Nutanix deployment in one site to another deployment in a different site, you can create a VPN endpoint in each of the sites. A VPN endpoint consists of a local VPN gateway, remote VPN gateway and VPN connection. You can configure multiple VPN endpoints for a site.

Each endpoint must have configurations for a local VPN gateway, remote VPN gateway (pointer information for the peer local VPN in the remote site endpoint) and a VPN connection (connecting the two endpoints). Then, based on the VPN connection configuration as initiator or acceptor, one endpoint initiates a tunnel and the endpoint at the other end accepts the tunnel connection and, thus, establishes the VPN tunnel.

  1. Gateways: Every VPN endpoint for each site consists of two VPN gateway configurations - Local and Remote.

    Local gateway is a VM that runs the VPN protocols (IKEv2, IPSec) and routing (BGP and OSPF). Remote gateway is a pointer - database entry - that provides information about the peer remote VPN endpoint. One of the key information contained in the remote gateway is the source IP of the remote VPN endpoint. For security reasons, the local VPN gateway will accept IKEv2 packets originating only from this Source IP.

    VPN gateways are of the following types:

    • On premises Nutanix VPN Gateway: Represents the VPN gateway appliance at your on-premises local or remote site if you are using the Nutanix VPN solution.

    • On premises Third Party Gateway: Represents the VPN gateway appliance at your on-prem site if you are using your own VPN solution (provided by a third-party vendor).

      To configure third party VPN Gateways, see the relevant third party documentation.

  2. VPN Connection: Represents the VPN IPSec tunnel established between local gateway and remote gateway. When you create a VPN connection, you need to select two gateways between which you want to create the VPN connection.

VPN appliances perform the following:

  1. Implementation of IKEv2 and IPSec protocols.
  2. Routing: Between remote sites, Flow Networking advertises prefixes using eBGP. Optionally it uses Static routing. Within a site, Flow Networking uses iBGP or OSPF to share prefixes between the Nutanix VPN appliance and the edge router.

Prerequisites for VPN Configurations

General Requirements

  • Ensure that you have enabled Flow Networking with microservices Infrastructure.

  • Ensure that you have floating IP addresses when you create VPN gateways.

    Flow Networking automatically allocates a floating IP to a VPN gateway if you do not provide one during the VPN gateway creation. To provide floating IP during the VPN gateway creation, you can request floating IPs. See Requesting Floating IPs.

  • Ensure that you have one of the following, depending on whether you are using iBGP or OSPF:

    • Peer IP (for iBGP): The IP address of the router to exchange routes with the VPN gateway VM.

    • Area ID (for OSPF): The OSPF area ID for the VPN gateway in the IP address format.

  • Ensure that you have the following details for the deployment of the VPN gateway VM:

    • Public IP address of the VPN Gateway Device: A public WAN IP address that you want the on-prem gateway to use to communicate with the Xi VPN gateway appliance.

    • Static IP Address: A static IP address that you want to allocate to the VPN gateway VM. Use a floating IP address requested as the static IP address.

    • IP Prefix Length: The subnet mask in CIDR format of the subnet on which you want to install the VPN gateway VM. You can use an overlay subnet used for a VPC and assigned to the VM that you are using for the VPN gateway.

    • Default Gateway IP: The gateway IP address for the on-premise VPN gateway appliance.

    • Gateway ASN: ASN must not be the same as any of your on-prem BGP ASNs. If you already have a BGP environment in your on-prem site, the customer gateway is the ASN for your organization. If you do not have a BGP environment in your on-prem site, you can choose any number. For example, you can choose a number in the 65000 range.

Ports and Protocols

Nutanix deploys a number of ports and protocols in its software. ports that must be open in the firewalls to enable Flow Networking to function. To see the ports and protocols used Flow Networking, see Port Reference.

Endpoints and Terminations

The following endpoints and terminations occur in the course of Flow networking based connections. For information about creating, updating or deleting VPN connections, see Connections Management.

Note: In a VPN connection do not configure both the gateways (local gateway and remote gateway) in an endpoint as Initiators or as Acceptors. If you configure the local gateway as Initiator then configure the remote gateway as Acceptor in one endpoint and vice-versa in the (other) remote endpoint.
VPN Endpoint Behind a Network Address Translation or Firewall Device

In this scenario, the IPSec tunnel terminates behind a network address translation (NAT) or firewall device. For NAT to work, open UDP ports 500 and 4500 in both directions.

Figure. VPN Endpoint Behind NAT or Firewall Click to enlarge

Things to do in NAT Things to do in on-prem VPN GW
Open UDP ports 500 and 4500 on both directions

Enable the business application policies to Allow the commonly-used business application ports.

IPSec Terminates on the Firewall Device

In this scenario, you do not need to open the ports for NAT (500 and 4500).

However, enable the on-prem VPN gateway to allow the traffic from the PC subnet to the advertised load balancer route where the Source port is any and the Destination port may be in the range of 1024-1034.

The PC subnet refers to the subnet where your Prism Central is running.

Figure. Tunnel Terminates on NAT or Firewall Click to enlarge

Creating a VPN Connection

About this task

Create a VPN connection to establish a VPN IPSec tunnel between VPN gateways in your on-prem site. Select the gateways between which you want to create the VPN connection.

To create a VPN connection, do the following on the Networking > VPN Connections page.

Procedure

  1. Click the Create VPN Connection button on the VPN Connections page.
  2. In the Create VPN Connection dialog box, provide the values in the respective fields.
Fields Description and Values
Name Enter a name for the connection.
VPN Connection
IPSec Secret Enter a secret password for the IPSec connection. To see the password, click Show . To hide the password, click Hide .
Local Gateway Select the connection parameters on the local gateway as Initiator or Acceptor of VPN Tunnel connections.
VPN Gateway Select the appropriate VPN Gateway as the local gateway for the VPN connection
VTI Prefix - Local Gateway Enter a IPv4 Address with /<prefix>. Example: 10.25.25.2/30.

This is the VPN Tunnel Interface IP address with prefix for the local gateway. The subnet for this IP address must be a /30 subnet with two usable IP addresses. One of the IP addresses is used for Local Gateway. Use the other IP address for the Remote Gateway.

Connection Handshake This defines the type of handshake that the connection must use. There are two types of connection handshakes:
  1. Initiator : The local VPN gateway acts as the initiator of the connection and thus initializes the VPN tunnel.
  2. Acceptor : The local VPN gateway accepts or rejects incoming connection requests from other gateways.
Note: In a VPN connection do not configure both the gateways (local gateway and remote gateway) in an endpoint as Initiators or as Acceptors. If you configure the local gateway as Initiator then configure the remote gateway as Acceptor in one endpoint and vice-versa in the (other) remote endpoint.
Remote Gateway For a specific VPN connection, set the remote gateway as Initiator or Acceptor when you configure the VPN connection on the Remote Gateway.
VPN Gateway Select the appropriate VPN Gateway as the remote gateway for the VPN connection.
VTI Prefix - Remote Gateway The VPN Tunnel Interface IP address with prefix for the local gateway. Provide a IPv4 Address with /<prefix>. Example: 10.25.25.2/30.

This is the VPN Tunnel Interface IP address with prefix for the local gateway. The subnet for this IP address must be a /30 subnet with two usable IP addresses. One of the IP addresses is used for Local Gateway. Use the other IP address for the Remote Gateway.

Advanced Settings Set the traffic route priority for the VPN connection. The route priority uses Dynamic route priority because the priority is dependent on the routing protocol configured in the VPN gateway.
Route Priority - Dynamic Route Priority Set the route priority as an integer number. The greater the number, higher is the priority.
  1. Click Save .

What to do next

The VPN connection you create is displayed in the VPN Connections page.

Updating VPN Connection

About this task

You can update a VPN Connection using the Update VPN Connection dialog box.

You can open the Update VPN Connection dialog box. The parameters in the Update VPN Connection dialog box are the same as those in the Create VPN Connection dialog box.

Procedure

  1. Select the VPN Connection you want to update on the VPN Connection .
  2. Click Update in the Actions menu.
  3. Update the required details in the Update VPN Connection dialog box.
  4. Click Save .

Deleting a VPN Connection

About this task

To delete a VPN connection, do the following on the VPN Connection page.

Procedure

  1. Do one of the following.
    • Select the check box next to the name of the VPN connection and, in the Actions drop-down list, click Delete .
    • Click the name of the VPN connection and, in the details page, click Delete .
  2. In the confirmation dialog box, do the following.
    • Click Delete to delete the entity.
    • Click Cancel to exit without deleting the entity.

VPN Connection within Same Prism Central

You can connect two VPCs within the same Prism Central availability zone using a VPN connection.

About this task

Assume that you have created two VPCs named vpc-a and vpc-b with overlay subnets named subnet-a and subnet-b .

To connect the two VPCs within the same Prism Central using a VPN connection, do the following.

Procedure

  1. Do the following for local gateways:
    1. Create a local VPN gateway with dynamically assigned address for vpc-a , for example, named local-vpn-a . Note or write down the assigned IP address.
    2. Create a local VPN gateway with dynamically assigned address for vpc-b , for example, named local-vpn-b . Note or write down the assigned IP address.

    See Creating a Network Gateway for more information about creating a VPN gateway.

  2. Do the following for remote gateways:
    1. Create a remote VPN gateway with the IP address noted in 1.a for vpc-a , for example, named remote-vpn-a .
    2. create a local VPN gateway with the IP address noted in 1.b for vpc-b , for example, named remote-vpn-b .

    See Creating a Network Gateway for more information about creating a VPN gateway.

  3. Create a VPN connection between vpc-a and vpc-b named, for example, vpn-conn-a-to-b .
    Ensure that the VTI IP addresses for the local and remote gateways is unique with /30 prefix.
    Note: The VPN Tunnel Interface IP address with prefix for the local gateway. The subnet for this IP address must be a /30 subnet with two usable IP addresses. One of the IP addresses is used for Local Gateway. Use the other IP address for the Remote Gateway.

    Ensure that you select local-vpn-a as the local gateway with Connection Handshake set as Acceptor .

    Ensure that you select remote-vpn-b as the remote gateway.

  4. Create a VPN connection between vpc-b and vpc-a named, for example, vpn-conn-b-to-a .
    Ensure that the VTI IP addresses with /30 prefix for local and remote gateways are the reverse (vice versa) of what you configured for the VPN connection in previous step. For example, if in previous step you configured the VTI IP addresses as 10.20.20.5/30 for local and 10.20.20.6/30 for remote then for VPN connection in this step, configure 10.20.20.6/30 for local gateway and 10.20.20.5/30 for remote gateway respectively. These IP addresses do not need to be reachable anywhere else in the network. However, ensure that these IP addresses do not overlap with any other IP addresses assigned in the network.

    Ensure that you select local-vpn-b as the local gateway with Connection Handshake set as Initiator .

    Ensure that you select remote-vpn-a as the remote gateway.

Layer 2 Virtual Network Extension

You can extend a subnet between on-prem local and remote clusters or sites (Availability Zones or AZs) to support seamless application migration between these clusters or sites.

Note: One or more on-prem cluster or sites managed by one Prism Central instance is defined as an Availability Zone or AZ. In this section, Availability Zone or AZ refers to and must be understood as one or more on-prem clusters or sites managed by one Prism Central. Local AZ refers to local on-prem clusters or sites managed by a Prism Central instance and remote AZ refers to another on-prem cluster or site managed by another Prism Central instance.

With Layer 2 subnet extension, you can migrate a set of applications to the remote AZ while retaining their network bindings such as IP address, MAC address, and default gateway. Since the subnet extension mechanism allows VMs to communicate over the same broadcast domain, it eliminates the need to re-architect the network topology, which could otherwise result in downtime.

Layer 2 extension assumes that there are underlying existing layer 3 connectivity already available between the Availability Zones. You can extend a subnet from a remote AZ to the primary (Local) AZ (and other remote AZs in case of VTEP-based subnet extensions)

  • You can extend a Layer 2 subnet across two Nutanix AZs over either VPN or Virtual tunnel End Point (VTEP). SeeLayer 2 Virtual Subnet Extension Over VPN.
  • You can extend a Layer 2 subnet between a Nutanix AZ and one or more non-Nutanix datacenters only over VTEP. See Layer 2 Virtual Subnet Extension Over VTEP.

You can extend subnets for the following configurations.

  • IPAM Type. Managed and unmanaged networks.
  • Subnet Type. On-prem VLAN subnets and VPC subnets.
  • Traffic Type. IPv4 unicast traffic and ARP.
  • On-prem Hypervisor. AHV and ESXi
    Note: If your cluster is ESXi, use vCenter Server to manually configure the port group attached to the subnet you want to extend. Set the security settings, Promiscuous mode and Forged transmits to Accept on the vSwitch as shown in the following image.
    Figure. ESXi Host Port Group Configuration Click to enlarge ESXi port group settings

Prerequisites for Setting Up Subnet Extension

Ensure the following before you configure Layer 2 subnet extension between your on-prem AZs.

  • Ensure that the Prism Central versions support Layer 2 virtual subnet extension as specified in the Release Notes. See AOS Family Release Notes and Release Notes | Prism Central as applicable.

    See the Prism Central Upgrade and Installation Guidelines and Requirements section of the Acropolis Upgrade Guide for instructions about how to upgrade a Prism Central instance through the Prism Central web console.

  • Ensure that you pair the Prism Central at the local AZ with the Prism Central at the remote AZ to use Create Subnet Extension wizard to extend a subnet across the AZs and facilitate bidirectional communication between these clusters or sites. Using paired availability zones it is possible to configure both VXLAN over VPN and VTEP based subnet extension. You can also extend subnets using the manual gateway and connection workflows instead of pairing the AZs.

    See the Pairing Availability Zones for instructions about how to pair the local and remote AZs.

  • Ensure that you set up a default static route with 0.0.0.0/0 prefix and the External Network next hop for the VPC you use for any subnet extension. This allows NTP and DNS access for the Network Gateway appliance.

Best Practices for Subnet Extension

Nutanix recommends the following configurations to allow IP address retention for VMs on extended subnets.

  • When using Nutanix IPAM ensure the address ranges in the paired subnets are unique to avoid conflict between VM IP addresses across extended subnets.
  • If the source and target sites use third-party IPAM, ensure that there are no conflicting IP address assignments across the two sites.
    Note: If the source and target sites use Nutanix IPAM, the Prism Central web console displays a message that indicates an IP address conflict if one exists.
  • If connectivity between sites already provides encryption, consider using VTEP only subnet extension to reduce encryption overhead.
  • Use the Subnet Extension to a Third Party Data-Center workflow in the following scenarios
    • To extend a subnet to more than one other AZ. This is also known as point to multi-point.
    • To extend subnets between clusters managed by the same Prism Central.

Subnet Extension Workflow

You can manage Layer 2 subnet extension on the Subnet Extensions tab of the Connectivity page. Open the Subnet Extensions by clicking the hamburger icon in the top-left corner of the Dashboard and then clicking Connectivity .

  • You can create point-to-point Layer 2 subnet extensions between two AZs over VPN or VTEP by opening the Create Subnet Extension Across Availability Zones dialog box. See Extending a Subnet Over VPN for VPN-based extensions. See Extending a Subnet Across Availability Zones Over VTEP for VTEP-based extensions.

  • You can create point-to-point or point-to-multipoint Layer 2 subnet extensions to third party datacenters over VTEP by opening the Create Subnet Extension To A Third Party Data-Center dialog box. See Extending a Subnet to Third Party Datacenters Over VTEP.

  • You can update a subnet extension that extends across AZs using the Update Subnet Extension Across Availability Zones dialog box. The Update Subnet Extension Across Availability Zones has the same parameters and fields as the Create Subnet Extension Across Availability Zones dialog box. You can open the Update Subnet Extension Across Availability Zones dialog box by:

    • Selecting the subnet extended across AZs in the Subnet Extensions and clicking the Update button.

    • Clicking the subnet extended across AZs in the Subnet Extensions and clicking the Update button on the Summary tab.

You can update a subnet extension that extends to multiple AZs or third party datacenters using the Update Subnet Extension To A Third Party Data-Center dialog box. Update Subnet Extension To A Third Party Data-Center dialog box has the same parameters and fields as the Create Subnet Extension To A Third Party Data-Center dialog box. You can open the Update Subnet Extension To A Third Party Data-Center dialog box by:

  • Selecting the subnet extended to third datacenters in the Subnet Extensions and clicking the Update button.

  • Clicking the subnet extended to third datacenters in the Subnet Extensions and clicking the Update button on the Summary tab.

See Updating an Extended Subnet.

Layer 2 Virtual Subnet Extension Over VPN

Subnet extension using VPN allows seamless, secure migration to a new datacenter or for disaster recovery. VPN based Layer 2 extension provides secure point to point connection to migrate workloads between Availability Zones. Consider VTEP-only Subnet Extension without VPN when encryption is not required.

Subnet extension using VPN is useful:

  • When the two Availability Zones (where the subnets to be extended belong) do not have any underlying secure connectivity. For example, when connecting over the Internet, VPN (IPSec) provides the necessary connectivity and encryption (security).
  • Sometimes when you need to move (lift-and-shift) workloads from a VLAN subnet to a VPC subnet retaining the same VM IP addresses . You need connectivity from other subnets to workloads that have already migrated to VPC. In such cases, VPN provides the Layer 3 connectivity and encryption between the VPC segment of extended subnet to other VLAN subnets.

Prerequisites for Setting Up Subnet Extension Over VPN

  • See Layer 2 Virtual Network Extension for general prerequisites to extend subnets.

  • Set up VPN gateway services and a VPN connection between local AZ and the remote AZ. The subnet extension feature supports only the Nutanix VPN solution (not a third-party VPN solution) at the both the local and remote AZs. See the Virtual Network Connections for instructions about how to upgrade the VPN gateway VM at the local and remote clusters or sites.
    Note: Ensure that the VPN gateway version is 5.0 or higher. See the Updating a Network Gateway section of the Nutanix Flow Networking Guide for instructions about how to upgrade the network gateway at the local and remote sites.
  • Configure subnets with the same IP CIDR prefix at the source and target sites. For example, if the IP prefix at one site is 30.0.0.0/24, the IP prefix at the other site must also be 30.0.0.0/24. The network and mask must match at both AZs.
  • Configure distinct DHCP pools for the source and target sites with no IP address overlap. Separate DHCP pools ensure no IP address conflicts occur for dynamically assigned IP addresses between the two AZs.
  • Procure two free IP addresses, one from each subnet, for the Network Gateway in the subnets to be extended. These IP addresses are configured as local IP address and remote IP address for the subnet extension in the Subnet Extension wizard. These two free IP addresses are the externally accessible IP addresses for the local gateway, and the remote gateway. Those two usable IP addresses are already contained inside the VPN connection and must not conflict with the following:
    • DHCP pools on any of the Availability Zones.
    • Gateway IP address on any of the Availability Zones.
    • IP addresses allocated to existing user VMs on any of the Availability Zones.
    • IP addresses used by Network Gateway Management NIC subnet (IP pool 100.64.1.0/24)

Limitation

To use subnet extension over a VPN, both sites must use the VPN service of the Nutanix Network Gateway. Consider VTEP-only subnet extension to connect to non-Nutanix third party sites.

Pairing AZs (Nutanix Disaster Recovery)

To replicate entities (protection policies, recovery plans, and recovery points) to different on-prem AZs (AZs) bidirectionally, pair the AZs with each other. To replicate entities to different Nutanix clusters at the same AZ bidirectionally, you need not pair the AZs because the primary and the recovery Nutanix clusters are registered to the same AZ (Prism Central). Without pairing the AZs, you cannot perform DR to a different AZ.

About this task

To pair an on-prem AZ with another on-prem AZ, perform the following procedure at both the AZs.

Procedure

  1. Log on to the Prism Central web console.
  2. Click the hamburger icon at the top-left corner of the window. Go to Administration > AZs in the left pane.
    Figure. Pairing AZ
    Click to enlarge Pairing AZ

  3. Click Connect to AZ .
    Specify the following information in the Connect to Availability Zone window.
    Figure. Connect to AZ
    Click to enlarge Connect to AZ

    1. AZ Type : Select Physical Location from the drop-down list.
      A physical location is an on-prem AZ (AZ). To pair the on-prem AZ with Xi Cloud Services, select XI from the drop-down list, and enter the credentials of your Xi Cloud Services account in step c and set d.
    2. IP Address for Remote PC : Enter the IP address of the recovery AZ Prism Central.
    3. Username : Enter the username of your recovery AZ Prism Central.
    4. Password : Enter the password of your recovery AZ Prism Central.
  4. Click Connect .

Extending a Subnet Over VPN

The subnet extension allows VMs to communicate over the same broadcast domain to a remote site or Availability Zone (AZ).

Before you begin

See Layer 2 Virtual Network Extension and Layer 2 Virtual Subnet Extension Over VPN for information on prerequisites and best practices for extending a subnet.

About this task

Perform the following procedure to extend a subnet from the on-prem site.

Procedure

  1. Click the hamburger icon in the top-left corner of the Dashboard > Networking & Security > Connectivity > Subnet Extension .
  2. On the Subnet Extension page, select Create Subnet Extension > Across Availability Zones .
  3. In the Create Subnet Extension Across Availability Zones dialog box, enter the necessary details as described in the table.
    Figure. Create Subnet Extension Across Availability Zones Click to enlarge Create Subnet Extension Across Availability Zones using VPN service

Fields Description Values
Extend Subnet over a Select the gateway service you want to use for the subnet extension. (VPN or VTEP)
Note: Configure the following fields for the Local and the Remote sides of the dialog box.
Availability Zone (For Local) Local AZ is pre-selected default.

(For Remote) Select the appropriate AZ from the drop-down list of AZs.

(Local: Local AZ)

(Remote: Dropdown list of AZs.)

Subnet Type Select the type of subnet that you want to extend. (VLAN or Overlay)
Cluster Displayed if your selected VLAN subnet. Select the cluster from the dropdown list of clusters. (Name of cluster selected from dropdown list)
VPC Displayed if your selected Overlay subnet. Select the appropriate VPC from the dropdown list of VPCs. (Name of VPC selected from dropdown list)
Subnet Select the subnet that needs to be extended. (Name of subnet selected from dropdown list)
(Network Information frame) Displays the details of the VLAN or Overlay network that you selected in the preceding fields. (Network information)
Gateway IP Address/Prefix Displays the gateway IP address for the subnet. This field is already populated based on the subnet selected. (IP Address)
(Local or Remote) IP Address Enter a unique and available IP address that are externally accessible IP addresses in Local IP Address and Remote IP Address . (IP Address)
VPN Connection Select the appropriate VPN Connection from the dropdown list that Flow networking must use for the subnet extension. See Creating a VPN Connection for instructions to create VPN connection. (Name of VPN connection selected from the dropdown list)
  1. Click Save .

    A successful subnet extension is listed on the Subnet Extension dashboard. See .

Layer 2 Virtual Subnet Extension Over VTEP

Subnet extension using Virtual tunnel End Point (VTEP) allows seamless migration to new datacenters or for disaster recovery. VTEP based Layer 2 extension provides point-to-multipoint connections to migrate workloads from one Availability Zone to multiple Availability Zones without encryption. If you need security and encryption, consider using Subnet Extension over VPN.

Subnet extension using VTEP is useful:

  • When both subnets that need to be stretched are Nutanix subnets (managed or unmanaged). VTEP provides an optimized workflow to stretch the two subnets.
  • When both subnets are connected over an existing private and secure link that does not need additional encryption.
  • When one Nutanix subnet needs to be stretched across one or more non-Nutanix networks, sites, or datacenters. Subnet Extension with third-party VTEPs provides point-to-multipoint connectivity to third party datacenters assuming that there is underlying layer 3 connectivity between these VTEPs.

VTEP-based Layer 2 Subnet Extension provides the following advantages:

  • Layer 2 subnet extension from one AZ to multiple AZs.
  • Layer 2 subnet extension between Nutanix AZs and non-Nutanix third party VTEP-based AZs.
  • The Remote VTEP Gateway is a set of endpoint IP addresses. You can add endpoint IP addresses to an existing operational Remote VTEP Gateway without stopping the subnet extension services. This on-the-fly addition enables you to extend the subnets to more AZs than originally planned, or perform maintenance, without disrupting the running services or configuring new remote VTEP gateways.

Prerequisite for Setting Up Subnet Extension Over VTEP

  • See Layer 2 Virtual Network Extension for general prerequisites to extend subnets.

  • Set up VTEP local and remote gateway services on local and remote AZs. In case of point-to-multipoint extension, ensure that you create local and remote VTEP gateways on all the remote AZs that the subnet needs to be extended to.

  • For each extended subnet within the same Network Gateway appliance ensure that you have unique VxLAN Network Identifiers (VNIs) that you can use for the VTEP subnet extensions. VNI may be any number between 0 and 16777215.

Extending a Subnet Across Availability Zones Over VTEP

The subnet extension over VTEP allows VMs to communicate two Availability Zones (AZ) without a VPN connection.

Before you begin

See Layer 2 Virtual Network Extension and Layer 2 Virtual Subnet Extension Over VTEP for information on prerequisites and best practices for extending a subnet.

About this task

To extend a subnet over VTEP across two availability zones (AZs), do the following.

Procedure

  1. Open the Create Subnet Extension Across Availability Zones in one of the following ways:
    • On the Subnet Extensions tab, click > Create Subnet Extension > Across Availability Zones > .

    • In the Subnets dashboard, select the subnet you want to extend and click Actions > Extend > Across Availability Zones

    • In the Subnets dashboard, click the subnet you want to extend. On the subnet details page, click Extend > Across Availability Zones .

    Figure. Example of Create VTEP Extension Across AZs with VLAN Subnet Click to enlarge Displaying example of Create Subnet Extension Across Availability Zones for VLAN Subnet over VTEP

  2. For Extend Subnet over a , select VTEP .
  3. Enter or select the necessary values for the parameters in the Local and Remote (AZ) sections as described in the table.
Parameters Description and Value
Availability Zone Displays the name of the paired availability zone at the local AZ.
Subnet Type Select the type of the subnet - VLAN or Overlay that you are extending.
Cluster Select the name of the cluster in the local AZ that the subnet is configured for.
Subnet Select the name of the subnet at the local AZ for network. The VLAN ID and the IPAM - managed or unmanaged are displayed in the box below the Subnet field.
Gateway IP Address. Enter the gateway IP address of the subnet you want to extend. Ensure that you provide the IP address in <IP-address/network-prefix> format. for example the gateway IP is 10.20.20.1 in a /24 subnet then provide the gateway IP address as 10.20.20.1/24 .
Note: For an unmanaged network, enter the gateway IP address of the created subnet.
Local IP Address Enter a unique and available (unused) IP address from the subnet provided in Subnet for the Network Gateway appliance.
Remote IP Address Enter a unique and available (unused) IP address from the subnet provided in Subnet for the remote Network Gateway appliance.
Local VTEP Gateway Select the local VTEP gateway you created on the local AZ. See Creating a Network Gateway for information about creating VTEP gateways.
Remote VTEP Gateway Select the VTEP gateway you created on the remote AZ. See Creating a Network Gateway for information about creating VTEP gateways.
Connection Properties
VxLAN Network Identifier (VNI) Enter a unique number from the range 0-16777215 as VNI. Ensure that this number is not reused anywhere in the local or remote VTEP Gateways.
MTU The default MTU is 1392 to account for 108 bytes of overhead and the standard physical MTU of 1500 bytes. VPC Geneve encapsulation requires 58 bytes and VXLAN encapsulation requires 50. However, you can enter any valid MTU value for the network, taking this overhead into account. For example, if the physical network MTU and vs0 MTU are 1600 bytes, the Network Gateway MTU can be set to 1492 to account for 108 bytes of overhead. Ensure that the MTU value does not exceed the MTU of the AHV Host interface and all the network interfaces between the local and remote AZs.
  1. Click Save .
    After the subnet is extended, the extension appears in the Subnet Extensions list view.

Extending a Subnet to Third Party Datacenters Over VTEP

The subnet extension over VTEP allows VMs to communicate with multiple remote sites or Availability Zones (AZ) that may be third party (non-Nutanix) networks, or datacenters. It also provides the flexibility of adding more remote AZs to the same VTEP-based extended Layer 2 subnet. Examples of compatible VTEP gateways are switches from Cisco, Juniper, Arista, and others that support plain VXLAN VTEP termination.

About this task

To extend a subnet over VTEP across multiple availability zones (AZs) or third party datacenters, do the following.

Procedure

  1. Open the Create Subnet Extension To A Third Party Data-Center in one of the following ways:
    • On the Subnet Extensions tab, click > Create Subnet Extension > To A Third Party Data-Center

    • In the Subnets dashboard, select the subnet you want to extend and click Actions > Extend > To A Third Party Data-Center

    • In the Subnets dashboard, click the subnet you want to extend. On the subnet details page, click Extend > To A Third Party Data-Center .

    Figure. Example of Create VTEP Extension To A Third Party Data-Center with VLAN Subnet Click to enlarge Displaying example of Create Subnet Extension To A Third Party Data-Center for VLAN subnet over VTEP

  2. Enter or select the necessary values for the parameters in the Local , Remote (AZ), and Connection Properties sections as described in the table.
Parameters Description and Value
Local
Availability Zone Displays the name of the paired availability zone at the local AZ.
Subnet Type Select the type of the subnet - VLAN or Overlay that you are extending.
Cluster Select the name of the cluster in the local AZ that the subnet is configured for.
Subnet Select the name of the subnet at the local AZ for network. The VLAN ID and the IPAM - managed or unmanaged are displayed in the box below the Subnet field.
Gateway IP Address Enter the gateway IP address of the subnet you want to extend. Ensure that you provide the IP address in <IP-address/network-prefix> format. for example the gateway IP is 10.20.20.1 in a .24 subnet then provide the gatewway IP address as 10.20.20.1/24 .
Note: For unmanaged network, enter the gateway IP address of the created subnet.
Local IP Address Enter a unique and available (unused) IP address from the subnet provided in Subnet .
Local VTEP Gateway Select the local VTEP gateway you created on the local AZ. See Creating a Network Gateway for more information about creating a local VTEP gateway.
Remote
Remote VTEP Gateway Select the remote VTEP gateway you created on the local AZ. See Creating a Network Gateway for more information about creating a remote VTEP gateway.
Connection Properties
VxLAN Network Identifier (VNI) Enter a unique number from the range 0-16777215 as VNI. Ensure that this number is not reused anywhere in the networks that the Prism Central and Cluster are a part of.
MTU

The default MTU is 1392 to account for 108 bytes of overhead and the standard physical MTU of 1500 bytes. VPC Geneve encapsulation requires 58 bytes and VXLAN encapsulation requires 50. However, you can enter any valid MTU value for the network, taking this overhead into account. For example, if the physical network MTU and vs0 MTU are 1600 bytes, the Network Gateway MTU can be set to 1492 to account for 108 bytes of overhead. Ensure that the MTU value does not exceed the MTU of the AHV Host interface and all the network interfaces between the local and remote AZs.

  1. Click Save .
    After the subnet is extended, the extension appears in the Subnet Extensions list view.

Updating an Extended Subnet

The Update Subnet Extension Across Availability Zones has the same parameters and fields as the Create Subnet Extension Across Availability Zones dialog box.

About this task

You can update a subnet extension that extends across AZs using the Update Subnet Extension Across Availability Zones or the Update Subnet Extension To A Third Party data center dialog box. The Update Subnet Extension Across Availability Zones or the Update Subnet Extension To A Third Party data center dialog box has the same parameters and fields as the Create Subnet Extension Across Availability Zones or the Create Subnet Extension To A Third Party data center dialog box, respectively.

Based on the type of the subnet extension that you want to modify, refer to the following:

Procedure

  • Extending a Subnet Over VPN
  • Extending a Subnet Across Availability Zones Over VTEP
  • Extending a Subnet to Third Party Datacenters Over VTEP

Removing an Extended Subnet

About this task

Perform the following procedure to remove the subnet extension. This procedure deletes the extended subnet between the two Availability Zones (AZs) or between one Nutanix AZ and one or more third party subnets. Deleting the subnet extension does not automatically remove the network gateways or VPN connections that may have automatically been created by the Subnet Extension wizard. You need to separately delete these entities created automatically when the subnet was extended.

Note: Removing an extended subnet from a cluster or AZ (either source or target AZs) automatically deletes the extended subnet from the corresponding source or target AZs.

Procedure

  1. Click the hamburger icon in the top-left corner of the Dashboard .
    The main feature list appears.
  2. Click Network & Security > Connectivity > > Subnet Extensions .
    The Subnet Extensions tab displays a list of the extended subnets.
    Figure. Sample Subnet Extensions dashboard Click to enlarge Displaying the Delete action button for selected subnet extension

  3. Select the subnet extension you want to remove.
  4. Click Actions > Delete
    The confirmation dialog box is displayed.
  5. Click Remove .
    Click Cancel to close the dialog box without removing the subnet extension.

What to do next

Check the list in the Subnet Extensions tab to confirm that the subnet extension is removed.
Read article

Foundation Open Source Software

Foundation 5.3.x

Product Release Date: 2022-09-28

Last updated: 2022-09-28

Open Source Software For Foundation 5.3.1

For more information about Foundation 5.3.1 open source licensing details, see Open Source Licenses for Foundation 5.3.1.

Open Source Software For Foundation 5.3

For more information about Foundation 5.3 open source licensing details, see Open Source Licenses for Foundation 5.3.

Read article

Foundation Platforms Submodule Open Source Software

Foundation Platforms 2.12.x

Product Release Date: 2022-09-28

Last updated: 2022-09-28

Open Source Software For Foundation Platforms Submodule 2.12.1

For more information about Foundation Platforms Submodule 2.12.1 open source licensing details, see Open Source Licenses for Foundation Platforms 2.12.1 .

Open Source Software For Foundation Platforms Submodule 2.12

For more information about Foundation Platforms Submodule 2.12 open source licensing details, see Open Source Licenses for Foundation Platforms 2.12 .

Read article

Frame Documentation

Frame Hosted

Last updated: 2022-02-21

Frame Documentation

For Frame documentation, see https://docs.frame.nutanix.com/

Read article

Karbon Platform Services Administration Guide

Karbon Platform Services Hosted

Last updated: 2022-11-24

Karbon Platform Services Overview

Karbon Platform Services is a Kubernetes-based multicloud platform as a service that enables rapid development and deployment of microservice-based applications. These applications can range from simple stateful containerized applications to complex web-scale applications across any cloud.

In its simplest form, Karbon Platform Services consists of a Service Domain encapsulating a project, application, and services infrastructure, and other supporting resources. It also incorporates project and administrator user access and cloud and data pipelines to help converge edge and cloud data.

With Karbon Platform Services, you can:

  • Quickly build and deploy intelligent applications across a public or private cloud infrastructure.
  • Connect various mobile, highly distributed data sensors (like video cameras, temperature or pressure sensors, streaming devices, and so on) to help collect data.
  • Create intelligent applications using data connectors and machine learning modules (for example, implementing object recognition) to transform the data. An application can be as simple as text processing code or it could be advanced code implementing AI by using popular machine learning frameworks like TensorFlow.
  • Push this data to your Service Domain or the public cloud to be stored or otherwise made available.

This data can be stored at the Service Domain or published to the cloud. You can then create intelligent applications using data connectors and machine learning modules to consume the collected data. These applications can run on the Service Domain or the cloud where you have pushed collected data.

Nutanix provides the Service Domain initially as a VM appliance hosted in an AOS AHV or ESXi cluster. You manage infrastructure, resources, and Karbon Platform Services capabilities in a console accessible through a web browser.

Cloud Management Console and User Experience

As part of initial and ongoing configuration, you can define two user types: an infrastructure administrator and a project user . The cloud management console and user experience help create a more intuitive experience for infrastructure administrators and project users.

  • Admin Console drop-down menu for infra admins and Home Console drop-down menu for project users. Both menus provide a list of all current projects and 1-click access to an individual project. In the navigation sidebar, Projects also provides a navigation path to the overall list of projects.
  • Vertical tabs for most pages and dashboards. For example, clicking Administration > Logging shows the Logging dashboard with related task and Alert tabs. The left navigation menu remains persistent to help eliminate excessive browser refreshes and help overall navigation.
  • Simplified Service Domain Management . In addition to the standard Service Domain list showing all Service Domains, a consolidated dashboard for each Service Domain is available from Infrastructure > Service Domain . Karbon Platform Services also simplifies upgrade operations available from Administration > Upgrades . For convenience, infra admins can choose when to download available versions to all or selected Service Domains, when to upgrade them, and check status for all or individual Service Domains.
  • Updated Workflows for Infrastructure Admins and Project Users . Apart from administration operations such as Service Domain, user management, and resource management, the infra admin and project user work flow is project-centric. A project encapsulates everything required to successfully implement and monitor the platform.
  • Updated GPU/vGPU Configuration Support . If your Service Domain includes access to a GPU/vGPU, you can choose its use case. When you create or update a Service Domain, you can specify exclusive access by any Kubernetes app or data pipeline or by the AI Inferencing API (for example, if you are using ML Models).

Built-In App Services, Logging, and Alerting

Karbon Platform Services includes these ready-to-use built-in services, which provide an advantage over self-managed services:

  • Secure by design.
  • No life cycle management. Service Domains do not require any user intervention to maintain or update service versions, patches, or other hands-on activities. For ease of use, all projects using the Service Domain use the same service version.
  • Dedicated service resources. Your project uses isolated service resources. Service resources are not shared with other projects. Applications within a project are not required to authenticate to use the service.
  • Service-specific alerts. Like other Karbon Platform Services features, the Service Domain helps monitor service health and raises service-specific alerts.

App Runtime Service

These services are enabled by default on each Service Domain. All services now have monitoring and status capabilities

  • Kubernetes Apps. Container-as-a-Service to manage and run Kubernetes apps without worrying about Kubernetes complexity and having to manage the underlying infrastructure.
  • Functions and Data Pipelines. Function-as-a-Service to run serverless functions. Invoke functions based on data triggers and publish to service end points.
  • AI Inferencing - updated in this release. ML model management and AI Inferencing runtime, pooled though an abstraction of GPUs and hardware accelerators. Enable this service to use your machine learning (ML) models in your project.

Ingress Controller

Ingress controller configuration and management is now available from the cloud management console (as well as from the Karbon Platform Services kps command line). Options to enable and disable the Ingress controller are available in the user interface.

Traefik or Nginx-Ingress. Content-based routing, load balancing, SSL/TLS termination. If your project requires Ingress controller routing, you can choose the open source Traefik router or the NGINX Ingress controller to enable on your Service Domain. You can only enable one Ingress controller per Service Domain.

Service Mesh

Istio. Provides traffic management, secure connection, and telemetry collection for your applications.

Data Streaming | Messaging

  • Kafka. Options to enable and disable Kafka are available in the user interface. Persistent, high performance data streaming with publish/subscribe and queue based messaging. Available for use within project applications and data pipelines, running on a Service Domain hosted in your environment.
  • NATS. In-memory, high performance data streaming with publish/subscribe and queue based messaging. Available for use within project applications and data pipelines. In-memory high performance data streaming including pub/sub (publish/subscribe) and queue-based messaging.

Logging | Monitoring | Alerting | Audit Trail

  • Prometheus. Provides Kubernetes app monitoring and logging, alerting, metrics collection, and a time series data model (suitable for graphing).
  • Logging. Centralized real-time log monitoring, log bundle collection, and external log forwarding.
  • Log forwarding policies for all users. Create, edit, and delete log forwarding policies to help make collection more granular, and then forward those Service Domain logs to the cloud - for example, AWS CloudWatch.
  • Audit trail. Karbon Platform Services maintains an audit trail of any operations performed by users in the last 30 days and displays them in an Audit Log dashboard in the cloud management console.

Infrastructure Administrator Role

Karbon Platform Services allows and defines two user types: an infrastructure administrator and a project user. An infrastructure administrator can create both user types.

Infrastructure administrator creates and administers most aspects of Karbon Platform Services. The infrastructure administrator provisions physical resources, Service Domains, services, data sources, and public cloud profiles. This administrator allocates these resources by creating projects and assigning project users to them. This user has create/read/update/delete (CRUD) permissions for:

  • Categories
  • Cloud profiles
  • Container registry profiles
  • Data sources
  • Service Domains
  • Projects
  • Users
  • Logs

When an infrastructure administrator creates a project and then adds themselves as a user for that project, they are assigned the roles of project user and infrastructure administrator for that project.

When an infrastructure administrator adds another infrastructure administrator as a user to a project, that administrator is assigned the project user role for that project.

Figure. Infrastructure Administrator Click to enlarge Infrastructure Administrator Role Capabilities

Project User Role

A project user can view and use projects created by the infrastructure administrator. This user can view everything that an infrastructure administrator assigns to a project. Project users can utilize physical resources, as well as deploy and monitor data pipelines and Kubernetes applications.

Karbon Platform Services allows and defines two user types: an infrastructure administrator and a project user. An infrastructure administrator can create both user types.

The project user has project-specific create/read/update/delete (CRUD) permissions: the project user can create, read, update, and delete the following and associate it with an existing project:

  • Kubernetes Apps
  • Functions (scripts)
  • Data pipelines
  • Runtime environments

When an infrastructure administrator creates a project and then adds themselves as a user for that project, they are assigned the roles of project user and infrastructure administrator for that project.

When an infrastructure administrator adds another infrastructure administrator as a user to a project, that administrator is assigned the project user role for that project.

Figure. Project User Click to enlarge

Naming Guidelines

Data Pipelines and Functions
  • When you create, clone, or edit a function, you can define one or more parameters. When you create a data pipeline, you define values for the parameters when you specify the function in the pipeline.
  • Data pipelines can share functions, but you can specify unique parameter values for the function in each data pipeline.
Service Domain, Data Source, and Data Pipeline Naming
  • Starts and ends with a lowercase alphanumeric character
  • Dash (-) and dot (.) characters are allowed.For example, my.service-domain is a valid Service Domain name.
  • Maximum length of 63 characters
Data Source Topic and Field Naming
Topic and field naming must be unique across the same data source types. You are allowed to duplicate names across different data source types. For example, an MQTT topic name and RTSP protocol stream name can share /temperature/frontroom.
  • An MQTT topic name must be unique when creating an MQTT data source. You cannot duplicate or reuse an MQTT topic name for multiple MQTT data sources.
  • An RTSP protocol stream name must be unique when creating an RTSP data source. You cannot duplicate or reuse an RTSP protocol stream name for multiple RTSP data sources.
  • A GigE Vision data source name must be unique when creating a GigE Vision data source. You cannot duplicate or reuse a GigE Vision data source name for multiple GigE Vision data sources.
Container Registry Profile Naming
  • Starts and ends with a lowercase alphanumeric character
  • Dash (-) and dot (.) characters are allowed.
  • Maximum length of 200 characters
All Other Resource Naming
  • Starts and ends with a lowercase alphanumeric character
  • Dash (-) and dot (.) characters are allowed. For example, my.service-domain is a valid Service Domain name
  • Maximum length of 200 characters

Karbon Platform Services Cloud Management Console

The web browser-based Karbon Platform Services cloud management console enables you to manage infrastructure and related projects, with specific management capability dependent on your role (infrastructure administrator or project user).

You can log on with your My Nutanix or local user credentials.

Logging On to The Cloud Management Console

Before you begin

  • The supported web browser is the current and two previous versions of Google Chrome.
  • If you are logging on for the first time, you might experience a guided onboarding workflow.
  • After three failed login attempts in one minute, you are locked out of your account for 30 minutes.
  • Users without My Nutanix credentials log on as a local user.

Procedure

  1. Open https://karbon.nutanix.com/ in a web browser.
  2. Choose one of the following to log on:
    • Click Login with My Nutanix and log on with your My Nutanix credentials.
    • Click Log In with Local User Account and log on with your project user or infrastructure administrator user name and password in the Username / Password fields.
    The web browser displays role-specific dashboard.

Infrastructure Admin View

The default view for an infrastructure administrator is the Dashboard . Click the menu button in the view to expand and display all available pages in this view.

Figure. Default Infrastructure Administrator View Click to enlarge This images shows the dashboard view for an administrator.

Admin Console / Projects
Drop-down menu that lets you quickly navigate to the Admin Console (home Dashboard) or any project.
Dashboard
Customized widget panel view of your infrastructure, projects, Service Domains, and alerts. Includes the Onboarding Dashboard panel, with links to create projects and project components such as Service Domains, cloud profiles, categories, and so on. Click Projects or Infrastructure to change the user dashboard view.
Services
Managed services dashboard. Add a service such as Istio to a project.
Alerts
Displays the Alerts page, which displays a sortable table of alerts associated with your Karbon Platform Services deployment.
Audit Trail
Access the Audit Log dashboard to view the most recent events or tasks performed in the console.
Projects
  • Displays a list of all projects.
  • Create projects from this page.
Infrastructure Submenu
Service Domains
  • Displays a list of available Service Domains.
  • Add an internet-connected Service Domain device or appliance.
  • You can create one or more Service Domains depending on your requirements and manage them from the Karbon Platform Services management console.
Data Sources and IoT Sensors
  • Displays a list of available or created data sources sensors
  • Create and define a data source (sensor or gateway) and associate it with a Service Domain.
Administration Submenu
Categories
  • Displays a list of available categories.
  • Create and define a category to logically group Service Domains, data sources, and other items.
Cloud Profiles
  • Displays a list of cloud profiles.
  • Add and define a cloud profile (Amazon Web Services, Google Cloud Platform, and so on) where acquired data is to be stored.
Container Registry Profiles
  • Displays a list of Docker container registry profiles.
  • Add and define a Docker container registry profile. This profile can optionally be associated with an existing cloud profile.
Users
  • Displays a list of users.
  • Create infrastructure administrators and project users.
System Logs
Run Log Collector on one or more connected Service Domains and then download the collected log bundle.
Upgrades
Apply software updates for your Service Domain when updates are available.
Help
Provides a link to the latest online documentation.

Project User View

The default view for a project user is the Dashboard .

  • Click the menu button in the view to expand and display all available pages in this view.
Figure. Default Project User View Click to enlarge Page shows the project user dashboard including an onboarding widget

Dashboard
Customized widget panel view of your infrastructure, projects, Service Domains, and alerts. Includes the Onboarding Dashboard panel, with links to create projects and project components such as Service Domains, cloud profiles, categories, and so on. The user view indicate displays Project for project users.
Projects
  • Displays a list of all projects created by the infrastructure administrator.
  • Edit an existing project.
Alerts
Displays the Alerts page, which displays a sortable table of alerts associated with your Karbon Platform Services deployment.

Kubernetes Apps, Logging, and Services

Kubernetes Apps
  • Displays a list of available Kubernetes applications.
  • Create an application and associate it with a project.
Functions and Data Pipelines
  • Displays a list of available data pipelines.
  • Create a data pipeline and associate it with a project.
  • Create a visualization, a graphical representation of a data pipeline including data sources and Service Domain or cloud data destinations.
  • Displays a list of scripts (code used to perform one or more tasks) available for use in a project.
  • Create a function by uploading a script, and then associate it with a project.
  • Displays a list of available runtime environments.
  • Create an runtime environment and associate it with a project and a container registry.
AI Inferencing
  • Create and display machine learning models (ML Models) available for use in a project.
Services and Related Alerts
  • Kafka. Configured and deployed data streaming and messaging topics.
  • Istio. Defined secure traffic management service.
  • Prometheus. Defined app monitoring and metrics collection.
  • Nginx-Ingress. Configured and deployed ingress controllers.

Viewing Dashboards

After you log on to the cloud management console, you are presented with the main Dashboard page as a role-specific landing page. You can also show this information at any time by clicking Dashboard under the main menu.

Each Karbon Platform Services element (Service Domain, function, data pipeline, and so on) includes a dashboard page that includes information about that element. It might also include information about elements associated with that element.

The element dashboard view also enables you to manage that element. For example, click Projects and select a project. Click Kubernetes Apps and click an application in the list. The application dashboard is displayed along with an Edit button.

Example: Managing a Service Domain From Its Dashboard

About this task

To complete this task, log on to the cloud management console.

To delete a service domain that does not have any associated data sources, click Infrastructure > Service Domains , select a Service Domain from the list, then click Remove . Deleting a multinode Service Domain deletes all nodes in that Service Domain.

Procedure

  1. Click Infrastructure > Service Domains , then click a Service Domain in the list.
    The Service Domain dashboard is displayed along with an Edit button.
    Figure. Service Domain Dash board Click to enlarge Service Domain dashboard with Edit button and management links.

  2. Click Edit to update Service Domain properties, such as its name, serial number, network settings, and so on. See Adding a Single Node Service Domain for information about these fields.
  3. Click Nodes to view nodes associated with the service domain.
  4. Click Data Sources .
    1. View any associated data sources.
    2. Delete a data source: Select it, then click Remove .
    3. Click Add Data Source to add another data source to the Service Domain. See Adding a Data Source and IoT Sensor.
  5. Click Alerts to show available or active alerts.

Quick Start Menu

The Karbon Platform Services management console includes a Quick Start menu next to your user name. Depending on your role (infrastructure administrator or project user), you can quickly create infrastructure or apps and data. Scroll down to see items you can add for use with projects.

Figure. Quick Start Menu Click to enlarge The quick start menu is at the top right of the console.

Getting Started - Infrastructure Administrator

These tasks assume you have already done the following. Ensure that any network-connected devices are assigned static IP addresses.

  1. Deployed data sources (sensors, gateways, other input devices) reachable by the Service Domain.
  2. Deployed an internet-connected Service Domain as a VM hosted in an AHV cluster.
  3. [Optional] Created an account with a supported cloud provider, where acquired data is transmitted for further processing.
  4. [Optional] Create a container registry with profile (public or private/on-premise registry).
  5. Obtained infrastructure administrator credentials for the Karbon Platform Services management console.

The Quick Start Menu lists the common onboarding tasks for the infrastructure administrator. It includes links to infrastructure-related resource pages. You can also go directly to any infrastructure resource from the Infrastructure menu item. As the infrastructure administrator, you need to create the following minimum infrastructure.

  1. Add a Service Domain and add categories.
  2. Add a data source to associate with a Service Domain.

Adding a Single Node Service Domain

Create and deploy a Service Domain cluster that consists of a single node.

About this task

To add (that is, create and deploy) a multinode Service Domain consisting of three or more nodes, see Manage a Multinode Service Domain.

If you deploy the Service Domain node as a VM, the procedure described in Creating and Starting the Service Domain VM can provide the VM ID (serial number) and IP address.

  • After adding a Service Domain, the status and dot color shows Service Domain status and can take a few minutes to update. See also Example: Managing a Service Domain From Its Dashboard.
    • Healthy (green). Service domain nodes started and connected.
    • Not Onboarded (gray). Service domain nodes have not started and are not yet connected. Might be transitioning to Healthy.
    • Disconnected (red). Service domain nodes have not started and are not connected. VM might be offline or unavailable.

Procedure

  1. Log on to the cloud management console at https://karbon.nutanix.com/.
  2. Click Infrastructure > Service Domains > + Service Domain .
  3. Select Any other On-prem or Cloud Environment and click Next .
  4. Name your Service Domain.
    • Starts and ends with a lowercase alphanumeric character
    • Maximum length of 63 lowercase alphanumeric characters
    • Dash (-) and dot (.) characters are allowed. For example, my-servicedomain.contoso.com is a valid Service Domain name.
  5. Select Single Node to create a single-node Service Domain.
    1. You cannot expand this Service Domain later by adding nodes.
  6. Click Add Node and enter the following node details:
    1. Serial Number of your Service Domain node VM.
      • If a Nutanix AOS cluster hosts your Service Domain node VM: in the cluster Prism web console, open the VM page, select the Service Domain node VM, and note the ID.
      • You can also display the serial number by opening this URL in a browser. Use your Service Domain node VM IP address: http://service-domain-node-ip-address:8080/v1/sn
    2. Name the node.
    3. IP Address of your Service Domain node VM.
    4. Subnet Mask and Gateway . Type the subnet mask and gateway IP address in these fields.
    5. Click the check mark icon. To change the details, hover over the ellipses menu and click Edit .
  7. Click Add Category .
    See Creating a Category. You can create one or more categories to add them to a Service Domain.
    1. Select a category and its associated value.
    2. Click Add to select another category and value.
  8. Click Next .
  9. Enter environment variables as one or more key-value pairs for the service domain. Click Add Key-Value Pair to additional pairs.
    You can set environment variables and associated values for each Service Domain as a key-value pair, which are available for use in Kubernetes apps.

    For example, you could set a secret variable key named SD_PASSWORD with a value of passwd1234 .For an example of how to use existing environment variables for a Service Domain in application YAML, see Using Service Domain Environment Variables - Example. See also Configure Service Domain Environment Variables.

  10. If your Service Domain includes a GPU/vGPU, choose its usage case.
    1. To allow access by any Kubernetes app or data pipeline, choose Use GPU for Kubernetes Apps and Data Pipelines .
    2. To allow access by AI Inferencing API (for example, if you are using ML Models), select Use GPU for AI Inferencing .
  11. To provide limited secure shell (SSH) administrator access to your service domain to manage Kubernetes pods. select Enable SSH Access .
    SSH Service Domain access enables you to run Kubernetes kubectl commands to help you with application development, debugging, and pod troubleshooting. See Secure Shell (SSH) Access to Service Domains.
  12. Click Add .

What to do next

See Adding a Data Source and IoT Sensor.
See [Optional] Creating Your Cloud Profile

Creating Your Cloud Profile

Procedure

  1. Click Administration > Cloud Profiles > Create .
  2. Select a Cloud Type (your cloud service provider).
  3. If you selected Amazon Web Services , complete the following fields:
    1. Cloud Profile Name . Name your profile.
    2. Cloud Profile Description . Describe the profile - for example, profile for car recognition apps. Up to 200 alphanumeric characters are allowed.
    3. Access Key . Enter the AWS access key ID.
    4. Secret . Enter the AWS secret access key.
  4. If you selected Azure , complete the following fields:
    1. Cloud Profile Name . Name your profile.
    2. Cloud Profile Description . Describe the profile - for example, profile for car recognition apps. Up to 200 alphanumeric characters are allowed.
    3. Storage Account Name .
    4. Storage Key . Copy your key into this field.
  5. If you selected Google Cloud Platform , complete the following fields:
    1. Cloud Profile Name . Name your profile.
    2. Cloud Profile Description . Describe the profile - for example, profile for car recognition apps. Up to 200 alphanumeric characters are allowed.
    3. GCP Service Account Info JSON . Download your Google Cloud Platform service account key as a JSON file, open the file in a text editor, and copy its contents into this field.
  6. Click Create .
  7. On the Your Cloud Profile page that is now displayed, you can add another profile by clicking Add Cloud Profile .
  8. You can also Edit profile properties or Remove a profile from Your Cloud Profile .

Creating a Category

About this task

Create categories of grouped attributes you can specify when you create a data source or pipeline.

Procedure

  1. Click Administration > Categories > Create .
  2. Name your category. Up to 200 alphanumeric characters are allowed.
  3. Purpose . Describe the category. Up to 200 alphanumeric characters are allowed.
  4. Click Add Value and type a category component name in the text field.
  5. Click the check icon to add the data source field.
  6. Click Add Value to add more category components in the text field, clicking the check icon to add each one.
  7. Click Create when you are finished.
  8. Repeat to add more categories.

What to do next

  • Use these categories as attributes when adding a data source or data pipeline.
  • See also Adding a Single Node Service Domain or Manage a Multinode Service Domain, where you can add these categories to a Service Domain.

Adding a Data Source and IoT Sensor

You can add one or more data sources (a collection of sensors, gateways, or other input devices providing data) to associate with a Service Domain.

Each defined data source consists of the following:

  • Data source type (sensor, input device like a camera, or gateway) - the origin of the data
  • Communication protocol typically associated with the data source
  • Authentication type to secure access to the data source and data
  • One or more fields specifying the data extraction method - the data pipeline specification
  • Categories which are attributes that can be metadata you define to associate with the captured data

Add a Data Source - MQTT

About this task

Add one or more data sources using the Message Queuing Telemetry Transport lightweight messaging protocol (MQTT) to associate with a Service Domain.

Certificates downloaded from the cloud management console have an expiration date 30 years from the certificate creation date. Download the certificate ZIP file each time you create an MQTT data source. Nutanix recommends that you use each unique set of these security certificates and keys for any MQTT data sources you add.

When naming entities, Up to 200 alphanumeric characters are allowed.

Procedure

  1. Click Infrastructure > Data Sources and IoT Sensors > Add Data Source .
  2. Select a data source type: Sensor or Gateway .
    1. Name your data source.
    2. Associated Service Domain . Select a Service Domain for your data source.
    3. Select Protocol > MQTT .
    4. Authentication type . When you select the MQTT protocol, the Certificate authentication type is selected automatically to authenticate the connection between your data source and the Service Domain.
    5. Click Generate Certificates , then click Download to download a ZIP file that contains X.509 sensor certificate (public key) and its private key and Root CA certificates.
      See Certificates Used with MQTT Data Sources.
  3. Click Next to go to Data Extraction to specify the data fields to extract from the data source.

Data Extraction - MQTT

Procedure

  1. Click Add New Field .
    1. Name . Enter a relevant name for the data source field.
    2. Add MQTT Topic . Enter a topic (a case-sensitive UTF-8 string). For example, /temperature/frontroom for a temperature sensor located in a specific room.
      An MQTT topic name must be unique when creating an MQTT data source. You cannot duplicate or reuse an MQTT topic name for multiple MQTT data sources.
    3. Click the check icon to add the data source field.
  2. Click Add New Field to add another topic or click Next to go to the Category Assignment panel.

Category Assignment - MQTT

About this task

Categories enable you to define metadata associated with captured files from the data source.

Procedure

  1. Select All Fields from Select Fields .
  2. Select Category > Data Type .
  3. Select one of the Categories (as defined by Categories you have created) in the third selection menu.
  4. Click Add .

Add a Data Source - RTSP

About this task

Add one or more data sources using the Real Time Streaming protocol (RTSP) to associate with a Service Domain.

Procedure

  1. Click Infrastructure > Data Sources > Add Data Source .
  2. Select a data source type: Sensor or Gateway .
    1. Name your data source. Up to 200 alphanumeric characters are allowed.
    2. Associated Service Domain . Select a service domain for your data source.
    3. Select Protocol > RTSP .
    4. Authentication type . When you select RTSP , the Username and Password authentication type is selected automatically to authenticate the connection between your data source and the service domain.
    5. IP address . Enter the sensor / gateway IP address.
    6. Port . Specify a port number for the streaming device. Default port is 554.
    7. User Name . Enter the user name credential for the data source.
    8. Password . If your data source requires it, enter the password credential for the data source. Click Show to display the password as you type.
  3. Click Next to go to Data Extraction to specify the data fields to extract from the data source.
    These steps create an RTSP URL in the format rtsp://username:password@ip-address/ . For example: rstp://userproject2:

    In the next step, you will specify one or more streams.

Data Extraction - RTSP

Procedure

  1. Click Add New Field on the Data Extraction page depending on your data source type.
    1. Name . Enter a relevant name for the data source.
    2. Complete the RTSP URL field by specifying a named protocol stream. For example, BackRoomCam1 .
      An RTSP protocol stream name must be unique when creating an RTSP data source. You cannot duplicate or reuse an RTSP protocol stream name for multiple RTSP data sources.
    3. Click the check icon to add the data source.
  2. Click Add New Field to add another stream or click Next to go to the Category Assignment panel.

Category Assignment- RTSP

About this task

Categories enables you to define metadata associated with captured files from the data source.

Procedure

  1. Select All Fields from Select Fields .
  2. Select Category > Data Type .
  3. Select one of the Categories (as defined by Categories you have created) in the third selection menu.
  4. Click Add .

Add a Data Source - GigE Vision

About this task

Add one or more data sources using the GigE Vision camera protocol to associate with a Service Domain.

Before you begin

GigE Vision data sources must be on the same subnet as the Service Domain.

Procedure

  1. Click Infrastructure > Data Sources and IoT Sensors > Add Data Source .
  2. Select a data source type: Sensor or Gateway .
    1. Name your data source. Up to 200 alphanumeric characters are allowed.
    2. Associated Service Domain . Select a Service Domain for your data source.
    3. Select Protocol > GigE Vision .
    4. Authentication type . When you select GigE Vision , the None authentication type is selected automatically.
    5. IP address . Enter the sensor / gateway IP address.
  3. Click Next to go to Data Extraction to specify the data fields to extract from the data source.

Data Extraction

Procedure

Click Add New Field on the Data Extraction page depending on your data source type.
  1. Name . Enter a relevant name for the data source.
  2. Click the check icon to add the data source.
    A GigE Vision data source name must be unique when creating a GigE Vision data source. You cannot duplicate or reuse a GigE Vision data source name for multiple GigE Vision data sources.

Category Assignment

About this task

Categories enables you to define metadata associated with captured files from the data source.

Procedure

  1. Select All Fields from Select Fields .
  2. Select Category > Data Type .
  3. Select one of the Categories (as defined by Categories you have created) in the third selection menu.
  4. Click Add .

Adding a Container Registry Profile

About this task

Create a new container registry profile or associate an existing cloud profile. This profile stores container images which can be public (for example, Docker Hub) or private (an on-premise registry).

Procedure

  1. Click Administration > Container Registry Profiles > Add Profile .
  2. To add a new profile:
    1. Select Add New .
    2. Name your profile.
      • Up to 200 alphanumeric characters are allowed
      • Starts and ends with a lowercase alphanumeric character
      • Dash (-) and dot (.) characters are allowed
    3. Description . Describe the profile. Up to 75 alphanumeric characters are allowed.
    4. Container Registry Host Address . Provide a public or private registry host address. The host address can be in the format host.domain:port_number/repository_name
    For example, https://index.docker.io/v1/ or registry-1.docker.io/distribution/registry:2.1
    1. Username . Enter the user name credential for the profile.
    2. Password . Enter the password credential for the profile. Click Show to display the password as you type.
    3. Email Address . Add an email address in this field.
  3. To use an existing cloud profile that you have already added (see Creating Your Cloud Profile):
    1. Select Use Existing cloud profile :
    2. Select an existing profile from Cloud Profile .
    3. Enter the Name of your container registry profile.
      • Up to 200 alphanumeric characters are allowed
      • Starts and ends with a lowercase alphanumeric character
      • Dash (-) and dot (.) characters are allowed
    4. Description . Describe the profile. Up to 75 alphanumeric characters are allowed.
    5. Server . Provide a server URL to the container registry in the format used by your cloud provider.
      For example, an Amazon AWS Elastic Container Registry (ECR) URL might be: https:// aws_account_id .dkr.ecr. region .amazonaws.com
  4. Click Create .

Creating Users

As an infrastructure administrator, you can create infrastructure users or project users. Users without My Nutanix credentials log on as a local user.

Before you begin

You can also do this step from the Dashboard panel Getting Started.

Procedure

  1. Click Administration > Users > Create .
  2. Name . Provide a name for the user.
  3. Email . Enter a user email address which will be the user name to log on to the cloud management console.
  4. Password . Enter a password to be used when logging on to the Karbon Platform Services management console.
  5. Select a user role.
    1. Infrastructure Admin
    2. User
  6. Click Create .
  7. Repeat to add more users.

Certificates Used with MQTT Data Sources

Each Service Domain image is preconfigured with security certificates and public/private keys.

When you create an MQTT data source, you generate and download a ZIP file that contains X.509 sensor certificate (public key) and its private key and Root CA certificates. Install these components on the MQTT enabled sensor device to securely authenticate the connection between an MQTT enabled sensor device and Service Domain. See your vendor document for your MQTT enabled sensor device for certificate installation details.

Certificates downloaded from the Karbon Platform Services management console have an expiration date 30 years from the certificate creation date. Download the certificate ZIP file each time you create an MQTT data source. Nutanix recommends that you use each unique set of these security certificates and keys for any MQTT data sources you add.

Figure. Certificate Download When Creating a Data Source Click to enlarge Download a certificate

Onboard and Manage Your Service Domain

The Karbon Platform Services cloud management console provides a rich administrative control plane to manage your Service Domain and its infrastructure. The topics in this section describe how to create, add, and upgrade a Service Domain.

Checking Service Domain Details

In the cloud management console, go to Infrastructure > Service Domains to add a VM-based Service Domain. You can also view health status, CPU/Memory/Storage usage, version details, and more information for every service domain.

Upgrading a Service Domain

In the cloud management console, go to Administration > Upgrades to upgrade your existing Service Domains. This page provides you with various levels of control and granularity over your maintenance process. At your convenience, download new versions for all or specific Service Domains and upgrade them with "1-click".

Onboarding a Multinode Service Domain By Using Nutanix Karbon

You can now onboard a multinode Service Domain by using Nutanix Karbon as your infrastructure provider to create a Service Domain Kubernetes cluster. To do this, use Karbon on Prism Central with the kps command line and cloud management console Create a Service Domain workflow. See Onboarding a Multinode Service Domain By Using Nutanix Karbon. (You can also continue to use other methods to onboard and create a Service Domain, as described in Onboarding and Managing Your Service Domain.)

For advanced Service Domain settings, the Nutanix public Github repository includes a README file describing how to use the command line and the required YAML configuration file for cluster.

This public Github repository at https://github.com/nutanix/karbon-platform-services/tree/master/cli also describes how to install the command line and includes sample YAML files for use with applications, data pipelines, data sources, and functions.

About the Service Domain Image Files

The Karbon Platform Services Release Notes include information about any new and updated features for the Service Domain. You can create one or more Service Domains depending on your requirements and manage them from the Karbon Platform Services management console.

The Service Domain is available as a qcow disk image provided by Nutanix for hosting the VM in an AOS cluster running AHV.

The Service Domain is also available as an OVA disk image provided by Nutanix for hosting the VM in a non-Nutanix VMware vSphere ESXi cluster. To deploy a VM from an OVA file on vSphere, see the documentation at the VMware web site describing how to deploy a virtual machine from an OVA file for your ESXi version

Each Service Domain you create by using these images are configured with X.509 security certificates.

If your network requires that traffic flow through an HTTP/HTTPS proxy, see HTTP/HTTPS Proxy Support for a Service Domain VM.

Download the Service Domain VM image file from the Nutanix Support portal Downloads page. This table describes the available image file types.

Table 1. Service Domain Image Types
Service Domain Image Type Use
QCOW2 Image file for hosting the Service Domain VM on an AHV cluster
OVA Image file for hosting the Service Domain VM on vSphere.
EFI RAW compressed file RAW file in GZipped TAR file format for bare metal installation, where the hosting machine is using an Extensible Firmware Interface (EFI) BIOS
RAW compressed file RAW file in GZipped TAR file format for bare metal installation, where the hosting machine is using a legacy or non-EFI BIOS
AWS RAW uncompressed file Uncompressed RAW file for hosting the Service Domain on Amazon Web Services (AWS)

Service Domain VM Resource Requirements

As a default, in a single VM deployment, the Service Domain requires these resources to support Karbon Platform Services features. You can download the Service Domain VM image file from the Nutanix Support portal Downloads page.

References
  • AHV Administration Guide, Host Network Management
  • Prism Web Console Guide, Network Management topic
  • Prism Web Console Guide, Virtual Machine Customization topic (cloud-init)
Table 1. Service Domain Infrastructure VM Cluster Requirements
VM Resource Requirements Supported Clusters
Environment AOS cluster running AHV (AOS-version-compatible version), where Service Domain Infrastructure VM is running as a guest VM.

VMware vSphere ESXi 6.0 or later cluster, where Service Domain Infrastructure VM is running as a guest VM (created from an OVA image file provided by Nutanix). The OVA image as provided by Nutanix is running virtual hardware version 11.

vCPUs 8 single core vCPUs
Memory 16 GiB memory. You might require more storage as determined by your applications.
Disk storage Minimum 200 GB storage. The Service Domain Infrastructure VM image file provides an initial disk size of 100 GiBs (gibibytes). You might require more storage as determined by your applications. Before first power on of the VM, you can increase (but not decrease) the VM disk size.
GPUs [optional] GPUs as required by any application using them

Karbon Platform Services Port and Firewall Requirements

Service Domain Infrastructure VM Network Requirements and Recommendations

Note: For more information about ports and protocols, see the Ports and Protocols Reference.
Table 1. Network Requirements and Recommendations
Item Requirement/Recommendation
Outbound port Allow connection for applications requiring outbound connectivity.

Starting with Service Domain 2.2.0, Karbon Platform Services now retrieves Service Domain package images from these locations. Ensure that your firewall or proxy allows outbound Internet access to the following.

  • *.dkr.ecr.us-west-2.amazonaws.com - Amazon Elastic Container Registry
  • https://gcr.io and *.gcr.io- Google container registry
Allow outbound port 443 for websocket connection to management console / cloud providers
NTP Allow outbound NTP connection For network time protocol server.
HTTPS proxy Service Domain Infrastructure VM supports a network configuration that includes an HTTPS proxy. Customers can now configure such a proxy as part of a cloud-init based method when deploying Service Domain Infrastructure VMs.
Service Domain Infrastructure VM static IP address The Service Domain Infrastructure VM requires a static IP address as provided through a managed network when hosted on an AOS / AHV cluster.
Configured network with one or more configured domain name servers (DNS) and optionally a DHCP server
Integrated IP address management (IPAM), which you can enable when creating virtual networks for VMs in the Prism web console
(Optional) cloud-init script which specifies network details including a DNS server
Miscellaneous The cloud-init package is included in the Service Domain VM image to enable support for Nutanix Calm and its associated deployment automation features.
Real Time Streaming protocol (rtsp) Port 554 (default)

Create and Onboard the Service Domain VM

Onboarding the Service Domain VM is a three-step process:

  1. For an AOS cluster running Nutanix AHV, log on to the Prism Element cluster web console and upload the disk image through the image service. See Uploading the Service Domain Image.
  2. Create and power on the Service Domain VM. See Creating and Starting the Service Domain VM.

    If your network requires that traffic flow through an HTTP/HTTPS proxy, see HTTP/HTTPS Proxy Support for a Service Domain VM.

  3. Add this Service Domain VM to the Karbon Platform Services cloud management console. See:
    • Adding a Single Node Service Domain. This VM acts as a single node that stores installation, configuration, and service/microservice data, metadata, and images, as well as providing Service Domain computing and cloud infrastructure management.
    • Adding a Multinode Service Domain. Create an initial three-node Service Domain to create a multinode Service Domain cluster.

See also:

  • Deploying the Service Domain Image on a Bare Metal Server
  • Deploying the Service Domain on Amazon Web Services

Uploading the Service Domain Image

How to upload the Service Domain VM disk image file on AHV running in an AOS cluster.

About this task

This topic describes how to initially install the Service Domain VM on an AOS cluster by uploading the image file. For details about your cluster AOS version and the procedures, see the Prism Web Console Guide.

To deploy a VM from an OVA file on vSphere, see the documentation at the VMware web site describing how to deploy a virtual machine from an OVF or OVA file for your ESXi version.

Procedure

  1. Log on as an administrator to the Prism Element web console through the Chrome web browser.
  2. Click the gear icon in the main menu and select Image Configuration .
    The Image Configuration window appears.
    Figure. Image Configuration Window Click to enlarge Image configuration windows with Upload Image button

  3. Click Upload Image to launch the Create Image window.
    Do the following in the indicated fields:
    Figure. Create Image Window Click to enlarge create image window

    1. Name : Enter a name for the image.
    2. Annotation (optional): Enter a description for the image.
    3. Image Type (optional): Select the image type Disk .
    4. Storage Container : Select the default SelfServiceContainer .
    5. Image Source : Click Upload a file , then Choose File to select the Service Domain VM disk image file (that you downloaded from the Nutanix Support portal) from the file search window.
    6. When all the fields are correct, click the Save button.
      The Create Image window closes after uploading the file and the Image Configuration window reappears with the new disk image appearing in the list. This window also displays the uploading progress and will show the image State as INACTIVE until uploading completes, where the State changes to ACTIVE .

What to do next

See the topic Creating and Starting the Service Domain.

Creating and Starting the Service Domain VM

After uploading the Service Domain VM disk image file, create the Service Domain VM and power it on. After creating the Service Domain VM, note the VM IP address and ID in the VM Details panel. You will need this information to add your Service Domain in the Karbon Platform Services management console Service Domains page.

About this task

This topic describes how to create the Service Domain VM on an AOS cluster and power it on. For details about your cluster's AOS version and VM management, see the Prism Web Console Guide.

To deploy a VM from an OVA file on vSphere, see the VMware documentation for your ESXi version.

The most recent requirements for the Service Domain VM is listed in the Karbon Platform Services Release Notes.

If your network requires that traffic flow through an HTTP/HTTPS proxy, you can use a cloud-init script. See HTTP/HTTPS Proxy Support for a Service Domain VM.

Procedure

  1. Log on as an administrator to your cluster's web console through the Chrome web browser.
  2. Click Home > VM , then click Create VM .
    The Create VM dialog box appears. You might need to scroll down to see everything that is displayed here.
    Figure. Create VM Dialog Box 1 Click to enlarge Create VM dialog box with fields

    Figure. Create VM Dialog Box 2 Click to enlarge Create VM dialog box with fields

    Figure. Create VM Dialog Box 3 Click to enlarge Create VM dialog box with fields

  3. Do the following in the indicated fields.
    You might require more memory and storage as determined by your applications.
    1. Name : Enter a name for the VM.
    2. Description (optional): Enter a description for the VM.
    3. Use this VM as an agent VM : Do not select. Not used in this case.
    4. vCPU(s) : Enter the number of virtual CPUs to allocate to this VM. For Karbon Platform Services, enter 8 .
    5. Number of Cores per vCPU : Enter the number of cores assigned to each virtual CPU. For Karbon Platform Services, enter 1 .
    6. Memory : Enter the amount of memory (in GiBs) to allocate to this VM. For Karbon Platform Services, enter 16 .
  4. Click Add Disk to add the uploaded Karbon Platform Services image file.
    Figure. Add Disk Dialog Click to enlarge Create a disk for your VM

    1. Select Type > DISK .
    2. Select Operation > Clone from Image Service .
    3. Select Bus Type > SCSI .
    4. Select the Image you uploaded in Uploading the Service Domain Image.
    5. Keep the default Index selection.
    6. Click Add .
  5. Click Add New Nic to assign the VM network interface to a vlan, then click Add .
  6. Select Legacy BIOS to start the VM using legacy BIOS firmware. This choice is selected by default on AHV clusters supporting legacy or UEFI boot firmware.
  7. (For GPU-enabled AHV clusters only) To configure GPU access, click Add GPU in the Graphics section, and then do the following in the Add GPU dialog box:
    Figure. Add GPU Dialog Box Click to enlarge

    1. Configure GPU pass-through by clicking Passthrough , selecting the GPU that you want to allocate, and then clicking Add .
      If you want to allocate additional GPUs to the VM, repeat the procedure as many times as you need to. Make sure that all the allocated pass-through GPUs are on the same host. If all specified GPUs of the type that you want to allocate are in use, you can proceed to allocate the GPU to the VM, but you cannot power on the VM until a VM that is using the specified GPU type is powered off.
  8. Click Save .
    The VM creation task progress appears in Tasks at the top of the web console.
    Note: You might require more storage as determined by your applications. Before first power on of the Service Domain VM, you can increase (but not decrease) the VM disk size.
    • When the VM creation task is completed (the VM is created successfully), select the new Service Domain VM in the Table view, scroll to the bottom of the VM page, and click Update .
    • Scroll to the disk, click the pencil icon to edit the disk, and increase the disk Size , then click Update and Save .
  9. When the VM creation task is completed (the VM is created successfully), select the new Service Domain VM in the Table view, scroll to the bottom of the VM page, and Power On the VM.
    Note the VM IP address and ID in the VM Details panel. You will need this information to add your Service Domain in the Karbon Platform Services management console Service Domains page.
  10. If you are creating a multinode Service Domain , repeat these steps to create at least two more VMs for a minimum of three VMs. The additional VMs you create here can become nodes in a multinode Service Domain cluster, or remain unclustered individual/single node Service Domains.

What to do next

Add the newly-created Service Domain VM in the Karbon Platform Services management console. See:
  • Getting Started - Infrastructure Administrator
  • Adding a Single Node Service Domain for single node service domains
  • Manage a Multinode Service Domain for Service Domains of up to three nodes

Deploying the Service Domain Image on a Bare Metal Server

Before you begin

  • For installing the Service Domain on bare metal, see About the Service Domain Image Files for available image types. In this procedure, you can use a RAW or EFI RAW compressed Service Domain image depending on the bare metal server BIOS type.
  • For a list of approved hardware for bare metal installation, contact Nutanix Support or send email to kps@nutanix.com.
  • Before imaging the bare metal server, prepare it by updating any required firmware and performing hardware RAID virtual disk configuration.
  • Minimum destination disk size is 200 GB.
  • Single node Service Domain support only. Multinode Service Domains are not supported.

Procedure

  1. Download and boot a live image.
    You can image the bare metal serve by live-booting any Linux operating system that includes destination driver support and these utilities or packages: lshw (list hardware), tar (tape archive), gzip (GNU compression utilitiy), dd (file convert and copy). You can live-boot an image through a USB or BMC connection. These steps use an Ubuntu distro and USB drive as an example.
    1. Use MacOS or Microsoft Windows, create an Ubuntu bootable USB drive.
    2. Download the Service Domain image and copy to the USB drive.
    3. Boot from the Ubuntu bootable USB drive with the Try Ubuntu option.
  2. In Ubuntu, open Terminal, find the destination disk, and image it.
    1. Find the destination disk.
      $ sudo lshw -c disk
    2. Go to the directory where you saved the Service Domain image. For example, where drive_label is the USB drive:
      $ cd /media/ubuntu/drive_label
    3. Image the destination disk. For example:
      $ sudo tar -xOzvf service-domain-image.raw.tgz | sudo dd of=destination_disk bs=1M status=progress
      • service-domain-image.raw .tgz. RAW or EFI RAW compressed Service Domain image you downloaded and copied to the USB drive.
      • destination_disk . Destination disk. For example, /dev/sda , /dev/nvme0n1 , and so on.
  3. When imaging is completed successfully, restart the baremetal server.
    1. Connect the primary network interface to a network with DHCP.
    2. Remove the USB drive.
    3. Restart the bare metal server and note the IP address received from DHCP on boot.
    During startup (boot), note the IP address assigned by the DHCP server.

What to do next

See Adding a Single Node Service Domain

Deploying the Service Domain on Amazon Web Services

Before you begin

  • For installing the Service Domain on Amazon Web Services (AWS), see About the Service Domain Image Files for available image types. In this procedure, you can use a RAW uncompressed Service Domain image.
  • You need an AWS account to deploy the Service Domain on AWS.
  • Nutanix recommends that you create a new dedicated Amazon S3 bucket for the Service Domain. This procedure applies a new trust policy to the S3 bucket storing the Service Domain. Creating a dedicated S3 bucket helps avoid other policies or configurations being inadvertently being applied to the Service Domain.
  • Install configure the AWS command line interface aws on your local machine, so that you can communicate with AWS as required in these steps. For convenience, download the Service Domain image to this machine.
  • Single node Service Domain support only. Multinode Service Domains are not supported.

Procedure

  1. Create an AWS S3 bucket and copy the Service Domain RAW image to it.
    1. Create the bucket.
      $ aws s3 mb s3://raw-image-bkt
      • raw-image-bkt . Name of the your S3 bucket.
      • aws_region . Your AWS Region.
    2. Copy the Service Domain RAW image to the bucket you just created.
      $ aws s3 cp service-domain-image.raw s3://raw-image-bkt
      • service-domain-image.raw . RAW uncompressed Service Domain image you downloaded.
  2. In a text editor, create a new trust policy configuration file named trust-policy.json .
    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Effect": "Allow",
             "Principal": { "Service": "vmie.amazonaws.com" },
             "Action": "sts:AssumeRole",
             "Condition": {
                "StringEquals":{
                   "sts:Externalid": "vmimport"
                }
             }
          }
       ]
    }
  3. Create a role named vmimport and grant VM Import/Export access to it.
    $ aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json
  4. Create a new role policy configuration file named role-policy.json .
    Make sure you replace raw-image-bkt with the actual name of your S3 bucket.
    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Effect": "Allow",
             "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket" 
             ],
             "Resource": [
                "arn:aws:s3:::raw-image-bkt",
                "arn:aws:s3:::raw-image-bkt/*"
             ]
          },
          {
             "Effect": "Allow",
             "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetBucketAcl"
             ],
             "Resource": [
                "arn:aws:s3:::raw-image-bkt",
                "arn:aws:s3:::raw-image-bkt/*"
             ]
          },
          {
             "Effect": "Allow",
             "Action": [
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
             ],
             "Resource": "*"
          }
       ]
    }
  5. Attach the role policy in role-policy.json to the vmimport role.
    $ aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json
  6. Create a file named container.json .
    Make sure you replace raw-image-bkt with the actual name of your S3 bucket and service-domain-image.raw with the name of the RAW uncompressed Service Domain image.
    {
         "Description": "Karbon Platform Services Raw Image",
         "Format": "RAW",
         "UserBucket": {
            "S3Bucket": "raw-image-bkt",
            "S3Key": "service-domain-image.raw"
        }
     }
    
  7. Import the snapshot as an Amazon Machine Image (AMI) by specifying container.json .
    $ aws ec2 import-snapshot --description "exampletext" --disk-container "file://container.json"
    The command output displays a task_id . With the task_id , you can see the snapshot task progress as follows:
    $ aws ec2 describe-import-snapshot-tasks --import-task-ids task_id
  8. After the task completes successfully, get the snapshot ID ( SnapshotId , needed for the next steps).
    $ aws ec2 describe-import-snapshot-tasks --import-task-ids task_id
    Example completed task status output:
    {
        "ImportSnapshotTasks": [
            {
                "Description": "Karbon Platform Services Raw Image",
                "ImportTaskId": "import-task_id",
                "SnapshotTaskDetail": {
                    "Description": "Karbon Platform Services Raw Image",
                    "DiskImageSize": "disk_size",
                    "Format": "RAW",
                    "SnapshotId": "snapshot_ID"
                    "Status": "completed",
                    "UserBucket": {
                       "S3Bucket": "raw-image-bkt",
                       "S3Key": "service-domain-image.raw"
                    }
                }
            }
        ]
    }

Registering and Launching the Image in the EC2 Console

Procedure

  1. To register the AMI from the snapshot, run this command.
    $ aws ec2 register-image --virtualization-type hvm \
    --name "Karbon Platform Services Service Domain Image" --architecture x86_64 \
    --root-device-name "/dev/sda1"  --block-device-mappings \
    "[{\"DeviceName\": \"/dev/sda1\", \"Ebs\": {\"SnapshotId\": \"snapshot_ID\"}}]"
    
    1. snapshot_ID . Snapshot ID from completed task status output
  2. In the EC2 console, go to Images > AMIs , and select the AMI you created.
  3. Click Launch .
    1. For Choose Instance Type , select an instance with minimum 4 vCPUs and 16GiB memory.
    2. Click through to Add Storage and create an EBS volume with minimum disk size of 100 GiB and a device name of /dev/xvdf .
    3. Proceed to Review .
    4. In the Select an existing key pair or create a new key pair dialog box, use an existing key pair or create a new pair.
    5. If you create a new key pair, download the corresponding .PEM file.
  4. Launch the AMI.
  5. Return to the AWS CLI and get the Public and Private IP address of your instance by using the instance ID instance_id .
    $ aws ec2 describe-instances --instance-id instance_id --query 'Reservations[].Instances[].[PublicIpAddress]' --output text | sed '$!N;s/\n/ /'
  6. Back at the EC2 console, select Connect and follow the instructions to open an SSH session into your instance.
    Next, you need the serial number and gateway/subnet address to add your Service Domain to Karbon Platform Services.
  7. Log on to the instance and run these commands, noting the serial number and addresses:
    $ cat /config/serial_number.txt
    $ route -n

What to do next

See Adding a Single Node Service Domain

HTTP/HTTPS Proxy Support for a Service Domain VM

Attach a cloud-init script to configure HTTP/HTTPS proxy server support.

If your network policies require that all HTTP network traffic flow through a proxy server, you can configure a Service Domain to use an HTTP proxy. When you create the service domain VM, attach a cloud-init script with the proxy server details. When you then power on the VM and it fully starts, it will include your proxy configuration.

If you require a secure proxy (HTTPS), use the cloud-init script to upload SSL certificates to the Service Domain VM.

You can attach or copy the script in the Custom Script section of the Nutanix AOS cluster Create VM dialog box.
Figure. Create VM Cloud-Init for HTTP/HTTPS Proxy Click to enlarge This picture shows the cloud-init section of the Nutanix AOS cluster Create VM dialog box.

Sample cloud-init Script for HTTPS Proxy Server Configuration

This script creates an HTTP/HTTPS proxy server configuration on the Service Domain VM after you create and start the VM. Note that CACERT_PATH= in the first content spec is optional in this case, as it is already specified in the second path spec.

#cloud-config
#vim: syntax=yaml
write_files:
- path: /etc/http-proxy-environment
  content: |
    HTTPS_PROXY="http://ip_address:port"
    HTTP_PROXY="http://ip_address:port"
    NO_PROXY="127.0.0.1,localhost"
    CACERT_PATH="/etc/pki/ca-trust/source/anchors/proxy.crt"
- path: /etc/systemd/system/docker.service.d/http-proxy.conf
  content: |
    [Service]
    Environment="HTTP_PROXY=http://ip_address:port" 
    Environment="HTTPS_PROXY=http://ip_address:port" 
    Environment="NO_PROXY=127.0.0.1,localhost"
- path: /etc/pki/ca-trust/source/anchors/proxy.crt
  content: |
    -----BEGIN CERTIFICATE-----
PASTE CERTIFICATE DATA HERE
    -----END CERTIFICATE-----
runcmd:
- update-ca-trust force-enable
- update-ca-trust extract
- yum-config-manager --setopt=proxy=http://ip_address:port --save
- systemctl daemon-reload
- systemctl restart docker
- systemctl restart sherlock_configserver

Adding a Single Node Service Domain

Create and deploy a Service Domain cluster that consists of a single node.

About this task

To add (that is, create and deploy) a multinode Service Domain consisting of three or more nodes, see Manage a Multinode Service Domain.

If you deploy the Service Domain node as a VM, the procedure described in Creating and Starting the Service Domain VM can provide the VM ID (serial number) and IP address.

  • After adding a Service Domain, the status and dot color shows Service Domain status and can take a few minutes to update. See also Example: Managing a Service Domain From Its Dashboard.
    • Healthy (green). Service domain nodes started and connected.
    • Not Onboarded (gray). Service domain nodes have not started and are not yet connected. Might be transitioning to Healthy.
    • Disconnected (red). Service domain nodes have not started and are not connected. VM might be offline or unavailable.

Procedure

  1. Log on to the cloud management console at https://karbon.nutanix.com/.
  2. Click Infrastructure > Service Domains > + Service Domain .
  3. Select Any other On-prem or Cloud Environment and click Next .
  4. Name your Service Domain.
    • Starts and ends with a lowercase alphanumeric character
    • Maximum length of 63 lowercase alphanumeric characters
    • Dash (-) and dot (.) characters are allowed. For example, my-servicedomain.contoso.com is a valid Service Domain name.
  5. Select Single Node to create a single-node Service Domain.
    1. You cannot expand this Service Domain later by adding nodes.
  6. Click Add Node and enter the following node details:
    1. Serial Number of your Service Domain node VM.
      • If a Nutanix AOS cluster hosts your Service Domain node VM: in the cluster Prism web console, open the VM page, select the Service Domain node VM, and note the ID.
      • You can also display the serial number by opening this URL in a browser. Use your Service Domain node VM IP address: http://service-domain-node-ip-address:8080/v1/sn
    2. Name the node.
    3. IP Address of your Service Domain node VM.
    4. Subnet Mask and Gateway . Type the subnet mask and gateway IP address in these fields.
    5. Click the check mark icon. To change the details, hover over the ellipses menu and click Edit .
  7. Click Add Category .
    See Creating a Category. You can create one or more categories to add them to a Service Domain.
    1. Select a category and its associated value.
    2. Click Add to select another category and value.
  8. Click Next .
  9. Enter environment variables as one or more key-value pairs for the service domain. Click Add Key-Value Pair to additional pairs.
    You can set environment variables and associated values for each Service Domain as a key-value pair, which are available for use in Kubernetes apps.

    For example, you could set a secret variable key named SD_PASSWORD with a value of passwd1234 .For an example of how to use existing environment variables for a Service Domain in application YAML, see Using Service Domain Environment Variables - Example. See also Configure Service Domain Environment Variables.

  10. If your Service Domain includes a GPU/vGPU, choose its usage case.
    1. To allow access by any Kubernetes app or data pipeline, choose Use GPU for Kubernetes Apps and Data Pipelines .
    2. To allow access by AI Inferencing API (for example, if you are using ML Models), select Use GPU for AI Inferencing .
  11. To provide limited secure shell (SSH) administrator access to your service domain to manage Kubernetes pods. select Enable SSH Access .
    SSH Service Domain access enables you to run Kubernetes kubectl commands to help you with application development, debugging, and pod troubleshooting. See Secure Shell (SSH) Access to Service Domains.
  12. Click Add .

What to do next

See Adding a Data Source and IoT Sensor.
See [Optional] Creating Your Cloud Profile

Manage a Multinode Service Domain

Create and deploy a Service Domain cluster that consists of three or more nodes.

Caution: Nutanix does not support upgrading Tech Preview multinode Service Domains to generally available Service Domain versions, then deploying those Service Domains in a production environment. For example, upgrading a multinode Service Domain v1.18 to v2.0.0, then using that Service Domain in production.

A multinode Service Domain is a cluster initially consisting of a minimum of three leader nodes. Each node is a single Service Domain VM hosted in an AHV cluster.

Creating and deploying a multinode Service Domain is a three-step process:

  1. Log on to the AHV cluster web console and upload the Service Domain disk image to a Nutanix AHV cluster through the image service as described in Uploading the Service Domain Image.
  2. Create three or more Service Domain VMs from this disk image, as described in Creating and Starting the Service Domain VM.
  3. Add a multinode Service Domain in the Karbon Platform Services management console as described in Adding a Multinode Service Domain.

Multinode Service Domain Requirements and Limitations

The Service Domain image version where Karbon Platform Services introduces this feature is described in the Karbon Platform Services Release Notes.

Service Domain VM hosting
  • Create and then start Service Domain VMs in a Nutanix AHV cluster only.
Single node Service Domain
  • You can create a single node Service Domain from a multinode compatible image version. It must remain a single node Service Domain, as you cannot expand this domain type.
  • You can upgrade an existing single node Service Domain to a multinode compatible image version, but it is limited for use as a single node Service Domain only.
Supported multinode Service Domain configuration
  • You can add a multinode Service Domain consisting of three Service Domain nodes initially created from a multinode compatible image version only.
  • Each node in a multinode Service Domain must reside on the same subnet.
  • You cannot mix image versions. Create each node in a multinode Service Domain from the same image version. You can also upgrade them to the same multinode compatible version later.
Service Domain High Availability Kubernetes API Support

Starting with new Service Domain version 2.3.0 deployments, high availability support for the Service Domain is now implemented through the Kubernetes API server (kube-apiserver). This support is specific to new multinode Service Domain 2.3.0 deployments. When you create a multinode Service Domain to be hosted in a Nutanix AHV cluster, you must specify a Virtual IP Address (VIP), which is typically the IP address of the first node you add.

  • To enable the HA kube-apiserver support, ensure that the VIP address is part of the same subnet for all Service Domain VMs and the VIP address has not already been allocated to any VM. Otherwise, the Service Domain will not enable this feature.
  • Also ensure that the VIP address in this case is not part of any cluster IP address pool range that you have specified when you created a virtual network for guest VMs in the AHV cluster. That is, the VIP address must be outside this IP pool address range. Otherwise, creation of the Service Domain in this case will fail.
Adding or removing nodes from a multinode Service Domain
  • You can add or remove nodes to an existing multinode Service Domain. However, you cannot remove the first three nodes you add to the Service Domain. These nodes are tagged as leader nodes. Each subsequent node you add is a worker node and is removable.
Configuring Storage and Storage Infrastructure

Each node requires access to shared storage from an AOS cluster. Ensure that you meet the following requirements to create a storage profile. Adding a Multinode Service Domain requires these details.

On your AOS cluster:

  • Create a Cluster Administrator user dedicated for use with this feature. Do not use this admin user for day-to-day AOS cluster tasks. For information about creating a user role, see Creating a User Account in the Security Guide .
  • You must configure the AOS cluster with a cluster virtual IP address and an iSCSI Data Services IP address. See Modifying Cluster Details in the Prism Web Console Guide .
  • Ensure that the AOS cluster has at least one storage container available for shared storage use by the nodes. If you want to optionally maintain a storage quota for use by the nodes, create a new storage container. See Creating a Storage Container in the Prism Web Console Guide .
  • Get the storage container name from the Prism Element web console Storage dashboard. Do not use the NutanixManagementShare or SelfServiceContainer storage containers. AOS reserves these storage containers for special use.
Unsupported multinode Service Domain configurations
Nutanix does not support the following configurations.
  • You cannot create (add) a multinode Service Domain where you have upgraded each node to a multinode compatible version from a previous incompatible single-node-only version.

    For example, you have upgraded three older single-node Service Domains to a multinode image version. You cannot create a multinode Service Domain from these nodes.

  • In a multinode Service Domain, you cannot mix Service Domain nodes that you have upgraded to a multinode compatible version with newly created multinode compatible nodes.

    For example, you have upgraded two older single-node Service Domains to a multinode image version. You have a newly created multinode compatible single node. You cannot add these together to form a new muiltinode service domain.

  • Service domain version 1.14 and previous versions allow you to create single node Service Domains only. These Service Domain nodes are not "multinode aware" but are still useful as single node Service Domains.

Adding a Multinode Service Domain

Create and deploy a Service Domain cluster that consists of three or more nodes.

Before you begin

  • See Multinode Service Domain Requirements and Limitations.
  • If you deploy each Service Domain node as a VM, the procedure described in Creating and Starting the Service Domain VM can provide the VM ID (serial number) and IP address.
  • After adding a Service Domain, the status and dot color shows Service Domain status and can take a few minutes to update. See also Example: Managing a Service Domain From Its Dashboard.
    • Healthy (green). Service domain nodes started and connected.
    • Not Onboarded (gray). Service domain nodes have not started and are not yet connected. Might be transitioning to Healthy.
    • Disconnected (red). Service domain nodes have not started and are not connected. VM might be offline or unavailable.

Adding Each Node

Procedure

  1. Log on to the cloud management console at https://karbon.nutanix.com/.
  2. Click Infrastructure > Service Domains > + Service Domain .
  3. Select Any other On-prem or Cloud Environment and click Next .
  4. Name your Service Domain.
    • Starts and ends with a lowercase alphanumeric character
    • Maximum length of 63 lowercase alphanumeric characters
    • Dash (-) and dot (.) characters are allowed. For example, my.service-domain is a valid Service Domain name.
  5. Select Multi-Node to create a multinode Service Domain type.
  6. Click Add Node and enter the following node details:
    1. Name the node.
    2. Serial Number of your Service Domain node VM.
      • If a Nutanix AOS cluster hosts your Service Domain node VM: in the cluster Prism web console, open the VM page, select the Service Domain node VM, and note the ID.
      • You can also display the serial number by opening this URL in a browser. Use your Service Domain node VM IP address: http://service-domain-node-ip-address:8080/v1/sn
    3. IP Address of your Service Domain node VM.
      The IP address of the first node you add becomes the Service Domain Virtual IP Address . By default, Karbon Platform Services uses this node IP address to represent the Service Domain cluster in the Service Domains List page.
    4. Subnet Mask and Gateway . Type the subnet mask and gateway IP address in these fields.
    5. Click the check mark icon. To change the details, hover over the ellipses menu and click Edit .
    6. Click Add Node and repeat these steps to add two leader nodes and worker nodes.
      The first three nodes are tagged as leader nodes and cannot be removed. Nodes four and later are considered as worker nodes and can be removed.
    7. Virtual IP Address . The IP address of the first node you add becomes the Service Domain Virtual IP Address . By default, this node IP address represents the Service Domain cluster in the Service Domains List page.

      Starting with new Service Domain version 2.3.0 deployments, high availability support for the Service Domain is now implemented through the Kubernetes API server (kube-apiserver). This support is specific to new multinode Service Domain 2.3.0 deployments.

      To enable the HA kube-apiserver support, ensure that the VIP address is part of the same subnet as the Service Domain VMs and the VIP address is unique (that is, has not already been allocated to any VM). Otherwise, the Service Domain will not enable this feature.

      Also ensure that the VIP address in this case is not part of any cluster IP address pool range that you have specified when you created a virtual network for guest VMs in the AHV cluster. That is, the VIP address must be outside this IP pool address range. Otherwise, creation of the Service Domain in this case will fail.

Adding Categories

Procedure

  1. Click Add Category .
    See Creating a Category. You can create one or more categories to add them to a Service Domain.
    1. Select a category and its associated value.
    2. Click Add to select another category and value.
  2. Click Add .
    You can expand this Service Domain later by adding nodes. You can also remove nodes from this Service Domain.
  3. On the Service Domains page, you can add another Service Domain by clicking + Service Domain .
  4. You can also Edit Service Domain properties or Remove a Service Domain from Service Domains by selecting it.
  5. Click Next to configure storage and advanced settings.

Configuring Storage (Nutanix Volumes)

Before you begin

Each node requires access to shared storage from an AOS cluster. Ensure that you meet the following requirements to create a storage profile for the nodes. On your AOS cluster:
  • Create a Cluster Administrator user as described in the Nutanix Security Guide: Creating a User Account .
  • Ensure that the AOS cluster is configured with a cluster virtual IP address and an iSCSI Data Services IP address. See the Prism Web Console Guide: Modifying Cluster Details.
  • Ensure that the AOS cluster has at least one storage container available for shared storage use by the nodes. If you want to optionally maintain a storage quota for use by the nodes, create a new storage container. See the Prism Web Console Guide: Creating a Storage Container.
  • Get the storage container name from the Prism Element web console Storage dashboard. Do not use the NutanixManagementShare or SelfServiceContainer storage containers. AOS reserves these storage containers for special use.

Procedure

  1. From the Storage Infrastructure drop-down menu, select Nutanix Volumes .
  2. In the Nutanix Cluster Virtual IP Address field, enter the AOS cluster virtual IP address.
  3. In the Username and Password fields, enter the AOS cluster administrator user credentials.
  4. In the Data Services IP Address field, enter the iSCSI Data Services IP address.
  5. In the Storage Container Name field, enter the cluster storage container name.
  6. Continue to Advanced Settings . Otherwise, click Done .

What to do next

  • See Adding a Data Source and IoT Sensor or [Optional] Creating Your Cloud Profile.
  • See also Expanding a Multinode Service Domain or Removing a Worker Node from a Multinode Service Domain

Advanced Settings

Procedure

  1. Enter environment variables as one or more key-value pairs for the service domain. Click Add Key-Value Pair to additional pairs.
    You can set environment variables and associated values for each Service Domain as a key-value pair, which are available for use in Kubernetes apps.

    For example, you could set a secret variable key named SD_PASSWORD with a value of passwd1234 .For an example of how to use existing environment variables for a Service Domain in application YAML, see Using Service Domain Environment Variables - Example. See also Configure Service Domain Environment Variables.

  2. If your Service Domain includes a GPU/vGPU, choose its usage case.
    1. To allow access by any Kubernetes app or data pipeline, choose Use GPU for Kubernetes Apps and Data Pipelines .
    2. To allow access by AI Inferencing API (for example, if you are using ML Models), select Use GPU for AI Inferencing .
  3. To provide limited secure shell (SSH) administrator access to your service domain to manage Kubernetes pods. select Enable SSH Access .
    SSH Service Domain access enables you to run Kubernetes kubectl commands to help you with application development, debugging, and pod troubleshooting. See Secure Shell (SSH) Access to Service Domains.
  4. Click Done .

What to do next

  • See Adding a Data Source and IoT Sensor or [Optional] Creating Your Cloud Profile.
  • See also Expanding a Multinode Service Domain or Removing a Worker Node from a Multinode Service Domain

Expanding a Multinode Service Domain

Add nodes to an existing multinode Service Domain.

Before you begin

  • See Multinode Service Domain Requirements and Limitations.
  • You can add or remove nodes to an existing multinode Service Domain. However, you cannot remove the first three nodes you add to the Service Domain. These nodes are tagged as leader nodes. Each subsequent node you add is a worker node and is removable.
  • If you deploy each Service Domain node as a VM, the procedure described in Creating and Starting the Service Domain VM can provide the VM ID (serial number) and IP address.
  • After adding a Service Domain, the status dot color shows Service Domain status and can take a few minutes to update. See also Example: Managing a Service Domain From Its Dashboard.
    • Healthy (green). Service domain nodes started and connected.
    • Not Onboarded (grey). Service domain nodes have not started and are not yet connected. Might be transitioning to Healthy.
    • Disconnected (red). Service domain nodes have not started and are not connected. VM might be offline or unavailable.

Procedure

  1. log on to the cloud management console at https://karbon.nutanix.com/.
  2. Click Infrastructure > Service Domains > List .
  3. Select a multinode Service Domain, then click Edit .
    You can also rename the Service Domain as part of this procedure.
  4. Click Add Node and enter the following node details:
    1. Subnet Mask and Gateway . Type the subnet mask and gateway IP address in these fields.
    2. Click the check mark icon. To change the details, hover over the ellipses menu and click Edit .
  5. To expand the Service Domain, click Add Node and enter the following node details:
    1. Name the node.
    2. Serial Number of your Service Domain node VM.
      • If a Nutanix AOS cluster hosts your Service Domain node VM: in the cluster Prism web console, open the VM page, select the service domain node VM, and note the ID.
      • You can also display the serial number by opening this URL in a browser. Use your Service Domain node VM IP address: http://service-domain-node-ip-address:8080/v1/sn
    3. IP Address of your Service Domain node VM.
    4. Subnet Mask and Gateway . Type the subnet mask and gateway IP address in these fields.
    5. Click the check mark icon. To change the details, hover over the ellipses menu and click Edit .
    6. Click Add Node and repeat these steps to add more nodes.

Adding Categories and Updating the Service Domain

Procedure

  1. Click Add... .
    See Creating a Category. You can create one or more categories to add them to a Service Domain.
    1. Select a category and its associated value.
    2. Click Add to select another category and value.
  2. To edit an existing category, select a category and value from the drop-down menu.
  3. To delete a category, click the trash can icon next to it.
  4. When you finish adding or deleting categories, click Next , the click Update .
  5. Click Update .
  6. On the Service Domains page, you can add another Service Domain by clicking + Service Domain .
  7. You can also Edit Service Domain properties or Remove a Service Domain from Service Domains by selecting it.

What to do next

Adding a Data Source and IoT Sensor or [Optional] Creating Your Cloud Profile. See also Removing a Worker Node from a Multinode Service Domain
.

Removing a Worker Node from a Multinode Service Domain

Remove worker nodes from a multinode Service Domain. Any node added to an existing three-node Service Domain is considered a worker node.

Before you begin

  • See Multinode Service Domain Requirements and Limitations.
  • You can add or remove nodes to an existing multinode Service Domain. However, you cannot remove the first three nodes you add to the Service Domain. These nodes are tagged as leader nodes. Each subsequent node you add is a worker node and is removable.
  • Before you remove a node, ensure that the remaining nodes in the Service Domain have enough CPU, storage, and memory capacity to run applications running on the removed node. The Service Domains dashboard shows health status, CPU/Memory/Storage usage, version details, and more information for every Service Domain.
  • After adding a Service Domain, the status dot color shows Service Domain status and can take a few minutes to update. See also Example: Managing a Service Domain From Its Dashboard.
    • Healthy (green). Service domain nodes started and connected.
    • Not Onboarded (grey). Service domain nodes have not started and are not yet connected. Might be transitioning to Healthy.
    • Disconnected (red). Service domain nodes have not started and are not connected. VM might be offline or unavailable.

Procedure

  1. log on to the cloud management console at https://karbon.nutanix.com/.
  2. Click Infrastructure > Service Domains > List .
  3. Select a multinode Service Domain, then click Edit .
    You can also rename the Service Domain as part of this procedure.
  4. In the Service Domain table, click the elipsis menu next to a node and select Remove .
    This step removes the node.

Adding, Editing, or Deleting Categories and Updating the Service Domain

Procedure

  1. Click Add... .
    See Creating a Category. You can create one or more categories to add them to a Service Domain.
    1. Select a category and its associated value.
    2. Click Add to select another category and value.
  2. To edit an existing category, select a category and value from the drop-down menu.
  3. To delete a category, click the trash can icon next to it.
  4. When you finish adding or deleting categories, click Next , the click Update .
  5. On the Service Domains page, you can add another Service Domain by clicking + Service Domain .
  6. You can also Edit Service Domain properties or Remove a Service Domain from Service Domains by selecting it.

What to do next

Adding a Data Source and IoT Sensor or [Optional] Creating Your Cloud Profile. See also Expanding a Multinode Service Domain.

Onboarding a Multinode Service Domain By Using Nutanix Karbon

You can now onboard a multinode Service Domain by using Nutanix Karbon as your infrastructure provider to create a Service Domain Kubernetes cluster.

About this task

For advanced Service Domain settings, the Nutanix public Github repository includes a README file describing how to use the kps command line and the required YAML configuration file for the cluster. This public Github repository at https://github.com/nutanix/karbon-platform-services/tree/master/cli also describes how to install the kps command line and includes sample YAML files for use with applications, data pipelines, data sources, and functions.

Before you begin

This task requires the following.
  • Prism Central deployment managing at least one Prism Element Cluster running AHV.
  • Nutanix Karbon installed on Prism Central. Ensure that you have downloaded the ntnx-1.0 image. See Downloading Images in the Nutanix Kubernetes Engine Guide .
  • kps command line installed on a machine running Linux or MacOS, as described at the Nutanix public Github repository.

Procedure

  1. Log on to the cloud management console at https://karbon.nutanix.com/.
  2. Click Infrastructure > Service Domains > + Service Domain .
  3. Select Nutanix AOS and click Next .
  4. Download and configure the kps command line if you have not previously done so.
    See the README at https://github.com/nutanix/karbon-platform-services/tree/master/cli for details.
  5. Name your Service Domain.
    • Starts and ends with a lowercase alphanumeric character
    • Maximum length of 63 lowercase alphanumeric characters
    • Dash (-) and dot (.) characters are allowed. For example, my-servicedomain.contoso.com is a valid Service Domain name.
  6. Enter these details about your Prism Central, Prism Element, and Nutanix Karbon deployments.
    1. Prism Central IP Address. IP address of the Prism Central cluster.
    2. Prism Central Username. User name of a Prism Central admin user.
    3. Prism Central Password. Password for the Prism Central admin user.
    4. Nutanix Cluster Name. Cluster name of the AHV cluster being managed by Prism Central
    5. Storage Container Name. Name of the storage container located on the Prism Element AHV cluster.
    6. Subnet Name. Name of the subnet configured on the Prism Element AHV cluster.
    7. Karbon Cluster Master VIP Address. Master VIP IP address for the Kubernetes API server (kube-apiserver). AHV IP address management (IPAM) provides an IP address for each node. Ensure that the VIP address has not been already allocated and is not part of any cluster IP address pool range that you have specified when you created a virtual network in the AHV cluster. The VIP address must be outside this IP pool address range but part of the same VLAN.
      For more information about network, see Cluster Setup in the Nutanix Kubernetes Engine Guide .

      This information populates the kps command line options and parameters in next step.

    Figure. Example Create Service Domain with Karbon Page Click to enlarge Image shows the fields need to create the Service Domain through Nutanix Karbon

  7. Click Copy next to the kps command line and run it on the machine where you installed the kps command line.
    For advanced Service Domain settings, the Nutanix public Github repository includes a README file describing how to use the kps command line and the required YAML configuration file for the cluster.
  8. Click Close .

Upgrade Service Domains

Your network bandwidth might affect how long it takes to completely download the latest Service Domain version. Nutanix recommends that you perform any upgrades during your scheduled maintenance window.

Note: Each Kubernetes release potentially deprecates or removes support for API versions or resources. To help ensure that your applications run correctly after upgrading your Service Domain version, Nutanix recommends that you check the Deprecated API Migration Guide available at the Kubernetes Documentation web site. Depending on the deprecated or removed APIs, you might have to modify your Kubernetes App YAML files.

Upgrade your existing Service Domain VM by using the Upgrades page in the cloud management console. From Upgrades , you can see available updates that you can download and install on one or more Service Domains of your choosing.

Upgrading the Service Domain is a two-step process where you:

  1. Download an available upgrade to one or more existing Service Domains.
  2. Upgrade selected Service Domains to the downloaded version.
Upgrades lets you choose how to upgrade your Service Domains.
Note: During a Service Domain upgrade operation, you might see service or app related alerts such as Kafka is degraded, partitions are under-replicated, and others. These messages are expected and can be safely ignored when you are upgrading your Service Domain. Nutanix recommends that you perform installation and upgrades during your scheduled maintenance window or outside your normal business hours.
Table 1. Upgrades Page Links
Link Use Case
Service Domains "1-click" download or upgrade for all upgrade-eligible Service Domains.
  • Select the most recent available version (N) or the next most recent available versions (N-1, and N-2). For example, if your current Service Domain version is 1.16, you can download, then upgrade your Service Domain to available versions 1.16.1, 1.17, and 1.18.
  • Upgrade all Service Domains where you have already downloaded the selected available Service Domain version(s)
Download and upgrade on all eligible Use this workflow to download an available version to all Service Domains eligible to be upgraded. You can then decide when you want to upgrade the Service Domain to the downloaded version. See Upgrading All Service Domains.
Download and upgrade on selected Use this workflow to download an available version to one or more Service Domains that you select and are eligible to be upgraded. This option appears after you select one or more Service Domains. After downloading an available Service Domain version, upgrade one or more Service Domains when convenient. See Upgrading Selected Service Domains.
Task History

View Recent History

See Checking Upgrade Task History.

View Recent History appears in the Service Domains page list for each Service Domain, and shows a status summary.

Upgrading All Service Domains

Before you begin

Note:
  • During a Service Domain upgrade operation, you might see service or app related alerts such as Kafka is degraded, partitions are under-replicated, and others. These messages are expected and can be safely ignored when you are upgrading your Service Domain. Nutanix recommends that you perform installation and upgrades during your scheduled maintenance window or outside your normal business hours.
  • Each Kubernetes release potentially deprecates or removes support for API versions or resources. To help ensure that your applications run correctly after upgrading your Service Domain version, Nutanix recommends that you check the Deprecated API Migration Guide available at the Kubernetes Documentation web site. Depending on the deprecated or removed APIs, you might have to modify your Kubernetes App YAML files.
Log on to the cloud management console. Nutanix recommends that you perform any upgrades during your scheduled maintenance window.

About this task

  • Download an available Service Domain version to all eligible Service Domains
  • Upgrade all Service Domains where you have already downloaded an available service domain version
  • You can select the most recent available version (N) or the next most recent available versions (N-1, and N-2). For example, if your current Service Domain version is 1.16, you can download, then upgrade your Service Domain to available versions 1.16.1, 1.17, and 1.18.

Procedure

  1. Go to Administration > Upgrades > Service Domains .
    A Service Domain table lists each Service Domain, current status (Healthy, Not Healthy, Disconnected), current installed version, and upgrade actions and history.
  2. To download a version to all eligible Service Domains, click Download on all eligible and select a version (for example 1.18).
    The Download on all eligible drop-down menu shows the latest version as vX.xx.x (Latest) .
    The Download popup window shows the eligible service domains as selected. Clear (unselect) any Service Domain to prevent the bundle from downloading onto it.
  3. Click Download .
    The Service Domain version downloads to all Healthy Service Domains. The Actions column shows a downloading message. Hover over the task circle to see current progress. When the Actions column displays Upgrade to vX.xx.x , downloads are completed and you can upgrade the Service Domains.
  4. To upgrade the Service Domains when downloads are completed, click Upgrade all eligible to and select a version.
  5. In the Upgrade Service Domains popup window, click Upgrade . Clear (unselect) any Service Domain to prevent it from being upgraded.
    The Actions column shows upgrade progress similar to download. When the Actions column displays View Recent History and the Version column is updated, upgrade operations are complete. See also Checking Upgrade Task History.

Upgrading Selected Service Domains

Before you begin

Note:
  • During a Service Domain upgrade operation, you might see service or app related alerts such as Kafka is degraded, partitions are under-replicated, and others. These messages are expected and can be safely ignored when you are upgrading your Service Domain. Nutanix recommends that you perform installation and upgrades during your scheduled maintenance window or outside your normal business hours.
  • Each Kubernetes release potentially deprecates or removes support for API versions or resources. To help ensure that your applications run correctly after upgrading your Service Domain version, Nutanix recommends that you check the Deprecated API Migration Guide available at the Kubernetes Documentation web site. Depending on the deprecated or removed APIs, you might have to modify your Kubernetes App YAML files.
Log on to the cloud management console.

About this task

Use this workflow to download an available version to one or more Service Domains. You can then decide when you want to upgrade the Service Domain to the downloaded version. Your network bandwidth might affect how long it takes to completely download the latest Service Domain version. Nutanix recommends that you perform any upgrades during your scheduled maintenance window.

Procedure

  1. Go to Administration > Upgrades > Service Domains .
    A Service Domain table lists each Service Domain, current status (Healthy, Not Healthy, Disconnected), current installed version, and upgrade actions and history.
  2. To download the upgrade to selected eligible Service Domains, do these steps.
    1. Select one or more Service Domains in the table.
    2. Click Download on selected num and select a version (for example 1.18). num is the number of eligible Service Domains you selected. The drop-down menu shows the latest version as vX.xx.x (Latest)
    The Download popup window shows the eligible service domains as selected. Clear (unselect) any Service Domain to prevent the bundle from downloading onto it.
  3. Click Download .
    The Service Domain version downloads to all Healthy Service Domains. The Actions column shows a downloading message. Hover over the task circle to see current progress. When the Actions column displays Upgrade to vX.xx.x , downloads are completed and you can upgrade the Service Domains.
  4. To upgrade selected eligible Service Domains, do these steps.
    1. Select one or more Service Domains where the Actions status is Upgrade to vX.xx.x .
    2. Click Upgrade selected num . num is the number of eligible Service Domains you selected.
    The Download popup window shows the eligible service domains as selected. Clear (unselect) any Service Domain to prevent the bundle from downloading onto it.
  5. Click Upgrade .
    The Actions column shows upgrade progress similar to download. When the Actions column displays View Recent History and the Version column is updated, upgrade operations are complete. See also Checking Upgrade Task History.

Checking Upgrade Task History

Before you begin

Log on to the cloud management console.

About this task

After downloading and upgrading an available Service Domain version, upgrade task history is available in the console.

View Recent History appears in the Service Domains page list for each Service Domain and shows a status summary.

Procedure

  1. To see Service Domain upgrade task history, go to Administration > Upgrades > Task History .
  2. You can see status for single node and multinode Service Domains.
    1. Version . The available Service Domain version to which you attempted to download or upgrade.
    2. Status . Downloaded (version download is complete), Upgraded (Service Domain is upgraded), Upgrade Failed (Service Domain was not upgraded).
    3. Completed on . Date and time task occurred (Upgrade Failed) or completed (Upgraded or Downloaded).
    4. Service Domains . Link to the Service Domain(s) where the action occurred. This link is especially helpful with multinode Service Domains. After you click the Service Domain link, a popup status windows shows for each service domain. The window includes a filter field so you can see individual status.

Projects

A project is an infrastructure, apps, and data collection created by the infrastructure administrator for use by project users.

When an infrastructure administrator creates a project and then adds themselves as a user for that project, they are assigned the roles of project user and infrastructure administrator for that project. When an infrastructure administrator adds another infrastructure administrator as a user to a project, that administrator is assigned the project user role for that project.

A project can consist of:

  • Existing administrator or project users
  • A Service Domain
  • Cloud profile
  • Container registry profile

When you add a Service Domain to a project, all resources such as data sources associated with the Service Domain are available to the users added to the project.

Projects Page

The Projects page lets an infrastructure administrator create a new project and lists projects that administrators can update and view.

For project users, the Projects page lists projects created and assigned by the infrastructure administrator that project users can view and add apps and data. Project users can view and update any projects assigned by the administrator with applications, data pipelines, and so on. Project users cannot remove a project.

When you click a project name, the project Summary dashboard is displayed and shows resources in the project.

You can click any of the project resource menu links to edit or update existing resources, or create and add resources to a project. For example, you can edit an existing data pipeline in the project or create a new one and assign it to the project. For example, click Kafka to shows details for the Kafka data service associated with the project. See Viewing Kafka Status.).

Figure. Project Summary Dashboard Click to enlarge Project summary dashboard with component links.

Creating a Project

As an infrastructure administrator, create a project. To complete this task, log on to the cloud management console.

About this task

  • When an infrastructure administrator creates a project and then adds themselves as a user for that project, they are assigned the roles of project user and infrastructure administrator for that project.
  • When an infrastructure administrator adds another infrastructure administrator as a user to a project, that administrator is assigned the project user role for that project.

Procedure

  1. Click the menu button, then click Projects > Create .
    1. Name your project. Up to 200 alphanumeric characters are allowed.
    2. Description . Provide a relevant description for your project.
    3. Click Add Users to add users to a project.
    4. Click Next .
  2. Add a Service Domain, which associates any resources available to the Service Domain to your project.
    1. Select Select By Category to choose and apply one or more categories associated with a Service Domain.
      Click the plus sign ( + ) to add more categories.
    2. Select Select Individually to choose a Service Domain, then click Add Service Domain to select one or more Service Domains.
  3. Select a Cloud Profile and Container Registry .
    Click the plus sign ( + ) to select additional cloud profiles or container registries.
  4. Click Next to enable one or more project services.
    1. Enabled indicates that this service is available to all projects.
    2. Click Enable to enable a service for all project users.
      See Enabling or Disabling One or More Services for a Project.
  5. Click Create .

Editing a Project

Update an existing project. To complete this task, log on to the cloud management console.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
    The project dashboard is displayed along with Edit and Manage Services buttons. See Enabling or Disabling One or More Services for a Project.
  3. Click Edit .
    1. Update the projects general information by updating the name and description.
    2. Click the trashcan to remove a user from the list. Click Edit to open the user dialog box where you add or remove users associated with the project.
    3. Click Next to update project resources.
  4. Update the associated Service Domains.
    1. Select Select By Category to add or remove one or more categories associated with a Service Domain.
      • Click the trashcan to remove a category.
      • Click the plus sign ( + ) to add more categories.
    2. Select Select Individually to remove or add a Service Domain. Do one of the following.
      • Click the trashcan to remove a Service Domain in the list.
      • Click Edit to select one or more Service Domains.
  5. For Cloud Profile and Container Registry :
    1. Click the trashcan to remove cloud profiles or container registries.
    2. Click the plus sign ( + ) to add cloud profiles or container registries.
  6. Click Next to enable one or more project services.
    1. Enabled indicates that this service is available to all projects.
    2. Click Enable to enable a service for all project users.
      See Enabling or Disabling One or More Services for a Project.
  7. Click Update .

Removing a Project

As an infrastructure administrator, delete a project. To complete this task, log on to the cloud management console.

Procedure

  1. Click the menu button, then click Projects .
  2. Select a project in the list.
    The project dashboard is displayed along with Edit , Manage Services , and Remove buttons. See Enabling or Disabling One or More Services for a Project.
  3. If Remove does not appear as an option, you might need to delete any apps associated with the project.
  4. After removing associated apps, return to the Projects page and select the project.
  5. Click Remove , then click Delete to confirm.
    The Projects page lists any remaining projects.

Managing Project Services

The Karbon Platform Services cloud infrastructure provides services that are enabled by default. It also provides access to services that you can enable for your project.

The platform includes these ready-to-use services, which provide an advantage over self-managed services:

  • Secure by design.
  • No life cycle management. Service Domains do not require any user intervention to maintain or update service versions, patches, or other hands-on activities. For ease of use, all projects using the Service Domain use the same service version.
  • Dedicated service resources. Your project uses isolated service resources. Service resources are not shared with other projects. Applications within a project are not required to authenticate to use the service.
  • Service-specific alerts. Like other Karbon Platform Services features, the Service Domain helps monitor service health and raises service-specific alerts.
App Runtime Services
These services are enabled by default on each Service Domain.
  • Kubernetes Apps. Containers as a service. You can create and run Kubernetes apps without having to manage the underlying infrastructure.
  • Functions and Data Pipelines. Run server-less functions based on data triggers, then publish data to specific cloud or Service Domain endpoints.
  • AI Inferencing. Enable this service to use your machine learning (ML) models in your project. The ML Model feature provides a common interface for functions (that is, scripts) or applications.
Ingress Controller
Traefik or Nginx-Ingress. If your project requires Ingress controller routing, you can choose the open source Traefik router or the NGINX Ingress controller to enable on your Service Domain. See Enable an Ingress Controller.
Service Mesh
Istio. Provides secure connection, traffic management, and telemetry. See Istio Service Mesh.
Data Streaming | Messaging
  • Kafka. Available for use within project applications and data pipelines, running on a Service Domain hosted in your environment. See Kafka as a Service.
  • NATS. Available for use within project applications and data pipelines. In-memory high performance data streaming including pub/sub (publish/subscribe) and queue-based messaging.
Logging | Monitoring | Alerting
  • Prometheus. Provides Kubernetes app monitoring and logging, alerting, metrics collection, and a time series data model (suitable for graphing). See Prometheus Application Monitoring and Metrics as a Service.
  • Logging. Provides log monitoring and log bundling. See Audit Trail and Log Management.

Copyright 2022 Nutanix, Inc. Nutanix, the Nutanix logo and all Nutanix product and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names used herein are for identification purposes only and may be the trademarks of their respective holder(s) and no claim of rights is made therein.

Enabling or Disabling One or More Services for a Project

Enable or disable services associated with your project.

Before you begin

  • You cannot disable the default Kubernetes Apps, Functions and Data Pipelines, and AI Inferencing services.
  • Disabling Kafka. When you disable Kafka, data stored in PersistentVolumeClaim (PVC) is not deleted and persists. If you later enable Kafka on the same Service Domain, the data is reused.
  • Disabling Prometheus. When you disable Prometheus and then later enable it, the service creates a new PVC and clears any previously-stored metrics data stored in PVC.

Procedure

  1. From the home menu, click Projects , then click a project.
    Depending on your role, you can also select a project from Admin Console drop-down menu.
  2. Click Manage Services .
  3. Enable a service.
    1. Click Enable in a service tile.
    2. Click Enable service_name .
      For Istio, apps in this project restart.
    3. Click Confirm .
    If the minimum Service Domain version is detected, the service is available for use in your project in a few minutes, after the service initializes. Otherwise, an alert is triggered if the Service Domain does not support the service.
  4. Disable a service.
    1. Click Disable in a service tile.
    2. Click Disable service_name .
      For Istio, apps in this project restart.
    3. Click Confirm .
    The service is no longer available for use in your project.

Kafka as a Service

Kafka is available as a data service through your Service Domain.

The Kafka data service is available for use within a project's applications and data pipelines, running on a Service Domain hosted in your environment. The Kafka service offering from Karbon Platform Services provides the following advantages over a self-managed Kafka service:

  • Secure by design.
  • No need to explicitly declare Kafka topics. With Karbon Platform Services Kafka as a service, topics are automatically created.
  • No life cycle management. Service Domains do not require any user intervention to maintain or update service versions, patches, or other hands-on activities. For ease of use, all projects using the Service Domain use the same service version.
  • Dedicated service resources. Your project uses isolated service resources. Service resources are not shared with other projects. Applications within a project are not required to authenticate to use the service.
  • Service-specific alerts. Like other Karbon Platform Services features, the Service Domain monitors service health and raises service-specific alerts.

Copyright 2022 Nutanix, Inc. Nutanix, the Nutanix logo and all Nutanix product and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names used herein are for identification purposes only and may be the trademarks of their respective holder(s) and no claim of rights is made therein.

Using Kafka in an Application

Information about application requirements and sample YAML application file

Create an application for your project as described in Creating an Application and specify the application attributes and configuration in a YAML file.

Sample Kafka Application YAML Template File


apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app-deployment
  labels:
    app: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: some.container.registry.com/myapp:1.7.9
        ports:
        - containerPort: 80
     env:
        - name: KAFKA_ENDPOINT
          value: {{.Services.Kafka.Endpoint}}
Field Name Value or Field Name / Description Value or Field Name / Description
kind Deployment Specify the resource type. Here, use Deployment .
metadata name Provide a name for your deployment.
labels Provide at least one label. Here, specify the application name as app: my-app
spec Define the Kafka service specification.
replicas Here, 1 to indicate a single Kafka cluster (single Service Domain instance or VM) to keep data synchronized.
selector Use matchLabels and specify the app name as in labels above.
template
Specify the application name here ( my-app ), same as metadata specifications above.
spec Here, define the specifications for the application using Kafka.
containers
  • name: my-app . Specify the container application
  • image: some.container.registry.com/myapp:1.7.9 . Define the container registry host address where the container image is stored.
  • ports: containerPort: 80 . Define the container registry port. Here, 80.
env

name: KAFKA_ENDPOINT

value: {{.Services.Kafka.Endpoint}}

Leave these values as shown.

Using Kafka in a Function for a Data Pipeline

Information about data pipeline function requirements.

See Functions and Data Pipelines.

You can specify a Kafka endpoint type in a data pipeline. A data pipeline consists of:

  • Input. An existing data source or real-time data stream (output from another data pipeline).
  • Transformation. A function (code block or script) to transform data from a data source (or no function at all to pass data directly to the endpoint).
  • Output. An endpoint destination for the transformed or raw data.

Kafka Endpoint Function Requirements

For a data pipelines with a Kafka topic endpoint:

  • Language . Select the golang scripting language for the function.
  • Runtime Environment . Select the golang runtime environment for the function. A default runtime environment is already selected in most cases depending on the Language you have selected.

Viewing Kafka Status

In the cloud management console, you can view Kafka data service status when you use Kafka in an application or as a Kafka endpoint in a data pipeline as part of a project. This task assumes you are logged in to the cloud management console.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
    The project dashboard is displayed along with Edit and Manage Services buttons.
  3. Click Kafka .
    This dashboard shows a consolidated, high-level view of all Kafka topics, deployments, and related alerts. The default view is Topics.
  4. To show all topics for this project, click Topics .
    1. Topics. All Kafka topics used in this project.
    2. Service Domain. Service Domains in the project employing Kafka messaging.
    3. Bytes/sec produced and Bytes/sec consumed. Bandwidth use.
  5. To view Service Domain status where Kafka is used, click Deployments .
    1. List of Service Domains and provisioned status.
    2. Brokers. A No Brokers Available message might mean the Service Domain is not connected.
    3. Alerts. Number of Critical (red) and Warning (yellow) alerts.
  6. To see all alerts associated with Kafka for this project, click Alerts .

Enable an Ingress Controller

The Service Domain supports the Traefik open source router as the default Kubernetes Ingress controller. You can also choose the NGINX ingress controller instead.

An infrastructure admin can enable an Ingress controller for your project through Manage Services as described in Managing Project Services. You can only enable one Ingress controller per Service Domain.

When you include Ingress controller annotations as part of your application YAML file, Karbon Platform Services uses Traefik as the default on-demand controller.

If your deployment requires it, you can alternately use NGINX (ingress-nginx) as a Kubernetes Ingress controller instead of Traefik.

In your application YAML, specify two snippets:

  • Service snippet. Use annotations to define the HTTP or HTTPS host protocol, path, service domain, and secret for each Service Domain to use as an ingress controller. You can specify one more Service Domains.
  • Secret snippet. Use this snippet to specify the certificates used to secure app traffic.

Copyright 2022 Nutanix, Inc. Nutanix, the Nutanix logo and all Nutanix product and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names used herein are for identification purposes only and may be the trademarks of their respective holder(s) and no claim of rights is made therein.

Sample Ingress Controller Service Domain Configuration

To securely route application traffic with a Service Domain ingress controller, create YAML snippets to define and specify the ingress controller for each Service Domain.

You can only enable and use one Ingress controller per Service Domain.

Create an application for your project as described in Creating an Application to specify the application attributes and configuration in a YAML file. You can include these Service and Secret snippets Service Domain ingress controller annotations and certificate information in this app deployment YAML file.

Ingress Controller Service Domain Host Annotations Specification

apiVersion: v1
kind: Service
metadata:
  name: whoami
  annotations:
    sherlock.nutanix.com/http-ingress-path: /notls
    sherlock.nutanix.com/https-ingress-path: /tls
    sherlock.nutanix.com/https-ingress-host: DNS_name
    sherlock.nutanix.com/http-ingress-host: DNS_name
    sherlock.nutanix.com/https-ingress-secret: whoami
spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami
Table 1. Ingress Controller Annotations Specification
Field Name Value or Field Name / Description Value or Field Name / Description
kind Service Specify the Kubernetes service. Here, use Service to indicate that this snippet defines the ingress controller details.
apiVersion v1 Here, the Kubernetes API version.
metadata name Provide an app name to which this controller applies.
annotations These annotations define the ingress controller encryption type and paths for Karbon Platform Services.
sherlock.nutanix.com/http-ingress-path: /notls /notls specifies no Transport Layer Security encryption.
sherlock.nutanix.com/https-ingress-path: /tls

/tls specifies Transport Layer Security encryption.

sherlock.nutanix.com/http-ingress-host: DNS_name Ingress service host path, where the service is bound to port 80.

DNS_name . DNS name you can give to your application. For example, my.contoso.net . Ensure that the DNS name resolves to the Service Domain IP address.

sherlock.nutanix.com/https-ingress-host: DNS_name Ingress service host path, where the service is bound to port 443.

DNS_name . DNS name you can give to your application. For example, my.contoso.net . Ensure that the DNS name resolves to the Service Domain IP address.

sherlock.nutanix.com/https-ingress-secret: whoami The sherlock.nutanix.com/https-ingress-secret: whoami snippet links the authentication Secret information defined above to this controller.
spec Define the transfer protocol, port type, and port for the application.
  • protocol: TCP . Transfer protocol of TCP.
  • ports: Define the port and type.

    name: web Port type.

    port: 80 TCP port.

A selector to specify the application. selector app: whoami

Securing The Application Traffic

Use a Secret snippet to specify the certificates used to secure app traffic.

apiVersion: v1
kind: Secret
metadata:
  name: whoami
type: kubernetes.io/tls
data:
  ca.crt: cert_auth_cert
  tls.crt: tls_cert
  tls.key: tls_key
Table 2. TLS Certificate Specification
Field Name Value or Field Name / Description Value or Field Name / Description
apiVersion v1 Here, the TLS API version.
kind Secret Specify the resource type. Here, use Secret to indicate that this snippet defines the authentication details.
metadata name Provide an app name to which this certification applies.
type Define the authentication type used to secure the app. Here, kubernetes.io/tls
data ca.crt Add the keys for each certification type: certificate authority certificate (ca.crt), TLS certificate (tls.crt), and TLS key (
tls.crt
tls.key

Viewing Ingress Controller Details

In the cloud management console, you can view Ingress controller status for any controller used as part of a project. This task assumes you are logged in to the cloud management console.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
    The project dashboard is displayed along with Edit and Manage Services buttons.
  3. Depending on the deployed Ingress controller, click Nginx-Ingress or Traefik .
    This dashboard shows a consolidated, high-level view of all rules, deployments, and related alerts. The default view is Rules.
  4. To show all rules for this project, click Rules .
    1. Application. App where traffic is being routed.
    2. Rules. Rules you have configured for this app. Here, Rules shows the host and paths
    3. Destination. Application and port number.
    4. Service Domain. Service Domains in the project employing routing.
    5. TLS. Transport Layer Security (TLS) protocol status. On indicates encrypted communication is enabled. Off indicates it is not used.
  5. To view Service Domain status where the controller is used, click Deployments .
    1. List of Service Domains and provisioned status.
    2. Alerts. Number of Critical (red) and Warning (yellow) alerts.
  6. To see all alerts associated with the controller for this project, click Alerts .

Istio Service Mesh

Istio provides secure connection, traffic management, and telemetry.

Add the Istio Virtual Service and DestinationRules to an Application - Example

In the application YAML snippet or file, define the VirtualService and DestinationRules objects.

These objects specify traffic routing rules for the recommendation-service app host. If the traffic rules match, traffic flows to the named destination (or subset/version of it) as defined here.

In this example, traffic is routed to the recommendation-service app host if it is sent from the FireFox browser. The specific policy version ( subset ) for each host helps you identify and manage routed data.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: recomm-svc
spec:
  hosts:
  - recommendation-service
  http:
  - match:
    - headers:
        user-agent:
          regex: .*Firefox.*
    route:
    - destination:
        host: recommendation-service
        subset: v2
  - route:
    - destination:
        host: recommendation-service
        subset: v1

This DestinationRule YAML snippet defines a load-balancing traffic policy for the policy versions ( subsets ), where any healthy host can service the request.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: recomm-svc
spec:
  host: recommendation-service
  trafficPolicy:
    loadBalancer:
      simple: RANDOM
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2

Manage Traffic by Weight - Example

In this YAML snipped, you can split traffic for each subset by specifying a weight of 30 in one case, and 70 in the other. You can also weight them evenly by giving each a weight value of 50.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: recomm-svc
spec:
  hosts:
  - recommendation-service
  http:
  - route:
    - destination:
       host: recommendation-service
       subset: v2
      weight: 30   
    - destination:
       host: recommendation-service
       subset: v1
      weight: 70

Copyright 2022 Nutanix, Inc. Nutanix, the Nutanix logo and all Nutanix product and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names used herein are for identification purposes only and may be the trademarks of their respective holder(s) and no claim of rights is made therein.

Viewing Istio Details

In the cloud management console, you can view Istio service mesh status associated with applications in a project. This task assumes you are logged in to the cloud management console.

About this task

The Istio tabs show service resource and routing configuration information derived from project-related Kubernetes Apps YAML files and service status.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list, then click Istio in the navigation sidebar to show the default Application Metrics page.
    Application Metrics shows initial details about the applications and related traffic metrics.
    1. Name and Service Domain. Application name and Service Domain where the application is deployed and the Istio service is enabled.
    2. Workloads. One or more workloads associated with the application. For example, Kubernetes Deployments, StatefulSets, DaemonSets, and so on.
    3. Inbound Request Volume / Outbound Request Volume. Inbound/Outbound HTTP requests per second for the last 5 minutes
  3. To see details about any traffic routing configurations associated with the application, click Virtual Services .
    An application can specify one or more virtual services, which you can deploy across one or more Service Domains.
    1. Application and Virtual Services. Application and service name.
    2. Service Domains. Number and name of the Service Domains where the service is deployed.
    3. Matches. Lists matching traffic routes.
    4. Destinations. Number of service destination host connection or request routes. Expand the number to show any destinations served by the virtual service (v1, v2, and so on) where traffic is routed. If specified in the Virtual Service YAML file, Weight indicates the proportion of traffic routed to each host. For example, Weight: 50 indicates that 50 percent of the traffic is routed to that host.
  4. To see rules associated with Destinations, click Destination Rules .
    An application can specify one or more destination rules, which you can deploy across one or more Service Domains. A destination rule is a policy that is applied after traffic is routed (for example, a load balancing configuration).
    1. Application. Application where the rule applies.
    2. Destination Rules. Rules by name.
    3. Service Domains. Number and name of the Service Domains where the rule is deployed.
    4. Subsets. Name and number of the specific policies (subsets). Expand the number to show any pod labels (v1, v2, and so on), service versions (v1, v2, and so on), and traffic weighting, where rules apply and traffic is routed.
  5. To view Service Domain status where Istio is used, click Deployments .
    1. List of Service Domains where the service is deployed and status.
      • PROVISIONED. The service has been successfully installed and enabled.
      • PROVISIONING. The service initialization and provisioning state is in progress.
      • UNPROVISIONED. The service has been successfully disabled (uninstalled).
      • FAILED. The service provisioning has failed.
    2. Alerts. Number of Critical (red) and Warning (yellow) alerts.
  6. To see all alerts associated with the controller for this project, click Alerts .

Prometheus Application Monitoring and Metrics as a Service

Note: When you disable Prometheus and then later enable it, the service creates a new PersistentVolumeClaim (PVC) and clears any previously-stored metrics data stored in PVC.

The Prometheus service included with Karbon Platform Services enables you to monitor endpoints you define in your project's Kubernetes apps. Karbon Platform Services allows one instance of Prometheus per project.

Prometheus collects metrics in your app endoints. The Prometheus Deployments dashboard displays Service Domains where the service is deployed, service status, endpoints, and alerts. See Viewing Prometheus Service Status.

You can then decide how to view the collected metrics, through graphs or other Prometheus-supported means. See Create Prometheus Graphs with Grafana - Example.

Default Service Settings

Table 1. Prometheus Default Settings
Setting Default Value or Description
Frequency interval to collect and store metrics (also known as scrape and store) Every 60 seconds 1
Collection endpoint /metrics 1
Default collection app collect-metrics
Data storage retention time 10 days
  1. You can create a customized ServiceMonitor YAML snippet to change this default setting. See Enable Prometheus App Monitoring and Metric Collection - Examples.

Copyright 2022 Nutanix, Inc. Nutanix, the Nutanix logo and all Nutanix product and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names used herein are for identification purposes only and may be the trademarks of their respective holder(s) and no claim of rights is made therein.

Enable Prometheus App Monitoring and Metric Collection - Examples

Monitor an Application with Prometheus - Default Endpoint

This sample app YAML specifies an app named metricsmatter-sample-app and creates one instance of this containerized app ( replicas: 1 ) from the managed Amazon Elastic Container Registry.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: metricsmatter-sample-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: metricsmatter-sample-app 
  template:
    metadata:
      name: metricsmatter-sample-app
      labels:
        app: metricsmatter-sample-app
    spec:
      containers:
        - name: metricsmatter-sample-app
          imagePullPolicy: Always
          image: 1234567890.dkr.ecr.us-west-2.amazonaws.com/app-folder/metricmatter_sample_app:latest

Next, in the same application YAML file, create a Service snippet. Add the default collect-metrics app label to the Service object. When you add app: collect-metrics , Prometheus scrapes the default /metrics endpoint every 60 seconds, with metrics exposed on port 8010.

---
apiVersion: v1
kind: Service
metadata:
  name: metricsmatter-sample-service
  labels:
    app: collect-metrics
spec:
  selector:
    app: metricsmatter-sample-app
  ports:
    - name: web
      protocol: TCP
      port: 8010

Monitor an Application with Prometheus - Custom Endpoint and Interval Example

Add a ServiceMonitor snippet to the app YAML above to customize the endpoint to scrape and change the interval to collect and store metrics. Make sure you include the Deployment and Service snippets.

Here, change the endpoint to /othermetrics and the collection interval to 15 seconds ( 15s ).

Prometheus discovers all ServiceMonitors in a given namespace (that is, each project app) where it is installed.

---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
 name: metricsmatter-sample-app
 labels:
   app: collect-metrics
spec:
 selector:
   matchLabels:
     app: collect-metrics
 endpoints:
   - path: /othermetrics
     interval: 15s
     port: 8010

Use Environment Variables as the Endpoint

You can also use endpoint environment variables in an application template for the service and AlertManager.

  • {{.Services.Prometheus.Endpoint}} defines the service endpoint.
  • {{.Services.AlertManager.Endpoint}} defines a custom Alert Manager endpoint.

Configure Service Domain Environment Variables describes how to use these environment variables.

Viewing Prometheus Service Status

The Prometheus Deployments dashboard displays Service Domains where the service is deployed, service status, Prometheus endpoints, and alerts.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
    The project dashboard is displayed along with Edit and Manage Services buttons.
  3. Click Prometheus to view the default Deployments page.
    1. Service Domain and Status. Service Domains where the Prometheus service is deployed and status.
      • PROVISIONED. The service has been successfully installed and enabled.
      • PROVISIONING. The service initialization and provisioning state is in progress.
      • UNPROVISIONED. The service has been successfully disabled (uninstalled).
      • FAILED. The service provisioning has failed.
    2. Prometheus Endpoints. Endpoints that the service is scraping, by ID.
    3. Alert Manager. Alert Manager shows alerts associated with the Prometheus endpoints, by ID.
    4. Alerts. Number of Critical (red) and Warning (yellow) alerts.
  4. To see all alerts associated with Prometheus for this project, click Alerts .

Create Prometheus Graphs with Grafana - Example

This example shows how you can set up a Prometheus metrics dashboard with Grafana.

This topic provides examples to help you expose Prometheus endpoints to Grafana, an open-source analytics and monitoring visualization application. You can then view scraped Prometheus metrics graphically.

Define Prometheus as the Data Source for Grafana

The first ConfigMap YAML snippet example uses the environment variable {{.Services.Prometheus.Endpoint}} to define the service endpoint. If this YAML snippet is part of an application template created by an infra admin, a project user can then specify these per-Service Domain variables in their application.

The second snippet provides configuration information for the Grafana server web page. The host name in this example is woodkraft2.ntnxdomain.com


apiVersion: v1
kind: ConfigMap
metadata:
 name: grafana-datasources
data:
 prometheus.yaml: |-
   {
       "apiVersion": 1,
       "datasources": [
           {
              "access":"proxy",
               "editable": true,
               "name": "prometheus",
               "orgId": 1,
               "type": "prometheus",
               "url": "{{.Services.Prometheus.Endpoint}}",
               "version": 1
           }
       ]
   }
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-ini
data:
  grafana.ini: |
    [server]
    domain = woodkraft2.ntnxdomain.com
    root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana
    serve_from_sub_path = true
---

Specify Deployment Information on the Service Domain

This YAML snippet provides a standard deployment specification for Grafana.


apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      name: grafana
      labels:
        app: grafana
    spec:
      containers:
        - name: grafana
          image: grafana/grafana:latest
          ports:
            - name: grafana
              containerPort: 3000
          resources:
            limits:
              memory: "2Gi"
              cpu: "1000m"
            requests:
              memory: "1Gi"
              cpu: "500m"
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: grafana-storage
            - mountPath: /etc/grafana/provisioning/datasources
              name: grafana-datasources
              readOnly: false
            - name: grafana-ini
              mountPath: "/etc/grafana/grafana.ini"
              subPath: grafana.ini
      volumes:
        - name: grafana-storage
          emptyDir: {}
        - name: grafana-datasources
          configMap:
            defaultMode: 420
            name: grafana-datasources
        - name: grafana-ini
          configMap:
            defaultMode: 420
            name: grafana-ini
---

Define the Grafana Service and Use an Ingress Controller

Define the Grafana Service object to use port 3000 and an Ingress controller to manage access to the service (through woodkraft2.ntnxdomain.com).


apiVersion: v1
kind: Service
metadata:
  name: grafana
spec:
  selector:
    app: grafana
  ports:
    - port: 3000
      targetPort: 3000
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: grafana
  labels:
    app: grafana
spec:
  rules:
    - host: woodkraft2.ntnxdomain.com
      http:
        paths:
        - path: /grafana
          backend:
            serviceName: grafana
            servicePort: 3000

Copyright 2022 Nutanix, Inc. Nutanix, the Nutanix logo and all Nutanix product and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. All other brand names used herein are for identification purposes only and may be the trademarks of their respective holder(s) and no claim of rights is made therein.

Kubernetes Apps

You can create intelligent applications to run on the Service Domain infrastructure or the cloud where you have pushed collected data. You can implement application YAML files to use as a template, where you can customize the template by passing existing Categories associated with a Service Domain to it.

You need to create a project with at least one user to create an app.

You can undeploy and deploy any applications that are running on Service Domains or in the cloud. See Deploying and Undeploying a Kubernetes Application.

Privileged Kubernetes Apps

Important: The privileged mode is deprecated. Nutanix plans to remove this feature in an upcoming release.

For Kubernetes apps running as privileged, you might have to specify the Kubernetes namespace where the application is deployed. You can do this by using the {{ .Namespace }} variable you can define in app YAML template file.

In this example, the resource kind of ClusterRoleBinding specifies the {{ .Namespace }} variable as the namespace where the subject ServiceAccount is deployed. As all app resources are deployed in the project namespace, specify the project name as well (here, name: my-sa).

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-sa
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-cluster-role
subjects:
  - kind: ServiceAccount
    name: my-sa
    namespace: {{ .Namespace }}

Creating an Application

Create a Kubernetes application that you can associate with a project.

Before you begin

To complete this task, log on to the cloud management console.

About this task

  • If your app requires a service, make sure you enable it in the associated project.
  • Application YAML files can also be a template where you can customize the template by passing existing Categories associated with a Service Domain to it.
  • See also Configure Service Domain Environment Variables to set and use environment variables in your app.
  • Nutanix recommends that you do not reuse application names after creating and then deleting (removing) an application. If you subsequently create an application with the same name as a deleted application, your application might re-use stale data from the deleted application.

Procedure

  1. From the home menu, click Projects , then click a project.
  2. Click Kubernetes Apps > Create Kubernetes App .
  3. Name your application. Up to 200 alphanumeric characters are allowed.
  4. Description . Provide a relevant description for your application.
  5. Select one or more Service Domains, individually or by category.
    How your Service Domain was added in your project determines what you can select in this step. See Creating a Project.
    1. For Select Individually , click Add Service Domains to select one or more Service Domains.
    2. For Select By Category , select to choose and apply one or more categories associated with a Service Domain.
      Click the plus sign ( + ) to add more categories.
  6. Click Next .
  7. To use an application YAML file or template, select YAML based configuration , then click Choose File to navigate to a YAML file or template.
    After uploading the file, you can edit the file contents. You can also choose the contrast levels Normal , Dark , or High Contrast Dark .
  8. To define an application with a Helm chart, select Upload a Helm Chart . See Helm Chart Support and Requirements.
    1. Helm Chart File . Browse to a Helm Chart package file.
    2. Values Override File (Optional) . You also can optionally browse to a values YAML file to override the values you specified in the Helm Chart package.
    3. View Generated YAML File . After uploading these files, you can view the generated YAML configuration by clicking Show YAML .
  9. Click Create .
    If your app requires a service, make sure you enable it in the associated project.
    The Kubernetes Apps page lists the application you just created as well as any existing applications. Apps start automatically after creation.

Editing an Application

Update an existing Kubernetes application.

Before you begin

To complete this task, log on to the cloud management console.

About this task

  • Application YAML files can also be a template where you can customize the template by passing existing Categories associated with a Service Domain to it.
  • To set and use environment variables in your app, see Configure Service Domain Environment Variables.

Procedure

  1. From the home menu, click Projects , then click a project.
  2. Click Kubernetes Apps , then click an application in the list.
    The application dashboard is displayed along with an Edit button.
  3. Click Edit .
  4. Name . Update the application name. Up to 200 alphanumeric characters are allowed.
  5. Description . Provide a relevant description for your application.
  6. You cannot change the application's Project .
  7. Update the associated Service Domains.
    How your Service Domain was added in your project determines what you can select in this step. See Creating a Project.
    1. If Select Individually is selected:
      • Click X to remove a Service Domain in the list.
      • Click Edit to select or deselect one or more Service Domains.
    2. If Select By Category is selected, add or remove one or more categories associated with a Service Domain.
      • Select a category and value.
      • Click X to remove a category.
      • Click the plus sign ( + ) to add more categories and values.
  8. Click Next .
  9. To use an application YAML file or template, select YAML based configuration , then click Choose File to navigate to a YAML file or template.
    1. You can edit the file directly on the Yaml Configuration page.
    2. Click Choose File to navigate to a YAML file or template.
    After uploading the file, you can also edit the file contents. You can choose the contrast levels Normal , Dark , or High Contrast Dark .
  10. To define an application with a Helm chart, select Upload a Helm Chart . See Helm Chart Support and Requirements.
    1. Helm Chart File . Browse to a Helm Chart package file.
    2. Values Override File (Optional) . You also can optionally browse to a YAML file to override the values you specified in the Helm Chart package. Use this option to update your application without having to re-upload a new chart.
    3. View Generated YAML File . After uploading these files, you can view the generated YAML configuration by clicking Show YAML .
  11. Click Update .
    The Kubernetes Apps page lists the application you just updated as well as any existing applications.

Removing an Application

Delete an existing Kubernetes application.

About this task

  • To complete this task, log on to the cloud management console.
  • Nutanix recommends that you do not reuse application names after creating and then deleting (removing) an application. If you subsequently create an application with the same name as a deleted application, your application might re-use stale data from the deleted application.

Procedure

  1. From the home menu, click Projects , then click a project.
  2. Click Kubernetes Apps , then select an application in the list.
  3. Click Actions > Remove , then click Delete to confirm.
    The Kubernetes Apps page lists any remaining applications.

Deploying and Undeploying a Kubernetes Application

You can undeploy and deploy any applications that are running on Service Domains or in the cloud. You can choose the Service Domains where you want the app to deploy or undeploy. Select the table or tile view on this page by clicking one of the view icons.

Before you begin

Undeploying a Kubernetes app deletes all config objects directly created for the app, including PersistentVolumeClaim data. Your app can create a PersistentVolumeClaim indirectly through StatefulSets. The following points describe scenarios when data is deleted and when data is preserved after you undeploy an app.

  • If your application specifies an explicit PersistentVolumeClaim object, when the app is undeployed, data stored in PersistentVolumeClaim is deleted. This data is not available if you then deploy the app.
  • If your application specifies a VolumeClaimTemplates object, when the app is undeployed, data stored in PersistentVolumeClaim persists. This data is available for reuse if you later deploy the app. If you plan to redeploy apps, Nutanix recommends using VolumeClaimTemplates to implement StatefulSets with stable storage.

Procedure

  1. From the home menu, click Projects , then click a project.
  2. Click Kubernetes Apps , then select an application in the list.
  3. To undeploy a running application, select an application, then click Actions > Undeploy
    1. To undeploy every instance of the app running on all Service Domains, select Undeploy All , then click Undeploy .
    2. To undeploy the app running on specific Service Domains, select Undeploy Selected , select one or more Service Domains, then click Undeploy .
    3. Click Undeploy App to confirm.
  4. To deploy an undeployed application, select an application, then click Actions > Deploy , then click Deploy to confirm.
    1. To deploy every instance of the app running on all Service Domains, select Deploy All , then click Deploy .
    2. To deploy the app running on specific Service Domains, select Deploy Selected , select one or more Service Domains, then click Deploy .

Helm Chart Support and Requirements

Helm Chart Format
When you create a Kubernetes app in the cloud management console, you can upload a Helm chart package in a gzipped TAR file (.TGZ format) that describes your app. For example, it can include:
  • Helm chart definition YAML file
  • App YAML template files that define your application (deployment, service, and so on). See also Privileged Kubernetes Apps
  • Values YAML file where you declare variables to pass to your app templates. For example, you can specify Ingress controller annotations, cloud repository details, and other required settings
Supported Helm Version
Karbon Platform Services supports Helm version 3.
Kubernetes App Support
Karbon Platform Services supports the same Kubernetes resources in Helm charts as in application YAML files. For example, daemonsets, deployment, secrets, services, statefulsets, and so on are supported when defined in a Helm chart.

Data Pipelines

The Data Pipelines page enables you to create and view data pipelines, and also see any alerts associated with existing pipelines.

A data pipeline is a path for data that includes:

  • Input . An existing data source or real-time data stream.
  • Transformation . Code block such as a script defined in a Function to process or transform input data.
  • Output . A destination for your data. Publish data to the Service Domain, cloud, or cloud data service (such as AWS Simple Queue Service).

It also enables you to process and transform captured data for further consumption or processing.

To create a data pipeline, you must have already created or defined at least one of the following:

  • Project
  • Category
  • Data source
  • Function
  • Cloud profile. Required for cloud data destinations or Service Domain endpoints
  • When you create, clone, or edit a function, you can define one or more parameters. When you create a data pipeline, you define the values for the parameters when you specify the function in the pipeline.
  • Data pipelines can share functions, but you can specify unique parameter values for the function in each data pipeline.
  • You can also stop and start a data pipeline. See Stopping and Starting a Data Pipeline.

Creating a Data Pipeline

Create a data pipeline, with a data source or real-time data source as input and infrastructure or external cloud as the output.

Before you begin

You must have already created at least one of each: project, data source, function, and category. Also, a cloud profile is required for cloud data destinations or Service Domain endpoints. See also Naming Guidelines.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
  3. Click Functions and Data Pipelines > Data Pipelines .
  4. Click Create .
  5. Data Pipeline Name . Name your data pipeline. Up to 63 lowercase alphanumeric characters and the dash character (-) are allowed.

Input - Add a Data Source

Procedure

Click Add Data Source , then select Data Source .
  1. Select a data source Category and one related Value .
  2. [Optional] Click Add new to add another Category and Value . Continue adding as many as you have defined.
  3. Click the trashcan to delete a data source category and value.

Input - Add a Real-Time Data Stream

Procedure

Click Add Data Source , then select Real-Time Data Stream .
  1. Select an existing pipeline as a Real-Time Data Stream .

Transformation - Add a Function

Procedure

  1. Click Add Function and select an existing Function.
  2. Define a data Sampling Interval by selecting Enable .
    1. Enter a interval value.
    2. Select an interval: Millisecond , Second , Minute , Hour , or Day .
  3. Enter a value for any parameters defined in the function.
    If no parameters are defined, this field's name is shown as parens characters. ( )
  4. [Optional] Click the plus sign ( + ) to add another function.
    This step is useful if you want to chain functions together, feeding transformed data from one function to another, and so on.
  5. You can also create a function here by clicking Upload , which displays the Create Function page.
    1. Name your function. Up to 200 alphanumeric characters are allowed.
    2. Description . Provide a relevant description for the function.
    3. Language . Select the scripting language for the function: golang, python, node.
    4. Runtime Environment . Select the runtime environment for the function. A default runtime environment is already selected in most cases depending on the Language you have selected.
    5. Click Next .
    6. Click Choose File to navigate to a file containing your function code.
      After uploading the file, you can edit the file contents. You can also choose the contrast levels Normal , Dark , or High Contrast Dark .
    7. Click Add Parameter to define and use any parameters for the data transformation in the function.
    8. Click Create .

Output - Add a Destination

Procedure

  1. Click Add Destination to specify where the transformed data is to be output: Publish to Service Domain or Publish to External Cloud .
  2. If you select Destination > Service Domain :
    1. Endpoint Type . Select Kafka , MQTT , Realtime Data Stream , or Data Interface .
    2. Data Interface Name . If shown, name your data interface.
    3. Endpoint Name . If shown, name your endpoint.
  3. If you select Destination > External Cloud and Cloud Type as AWS , complete the following fields:
    1. Cloud Profile . Select your existing profile.
      See the topic Creating Your Cloud Profile in the Karbon Platform Services Administration Guide .
    2. Endpoint Type . Select an existing endpoint type.
    3. Endpoint Name . Name your endpoint. Up to 200 alphanumeric characters and the dash character (-) are allowed.
    4. Region . Select an AWS region.
  4. If you select Destination > External Cloud and Cloud Type as Azure , complete the following fields:
    1. Cloud Profile . Select your existing profile.
      See the topic Creating Your Cloud Profile in the Karbon Platform Services Administration Guide .
    2. EndpointType . Select an existing stream type, such as Blob Storage .
    3. Endpoint Name . Name your endpoint. Up to 200 alphanumeric characters and the dash character (-) are allowed.
  5. If you select Destination > External Cloud and Cloud Type as GCP , complete the following fields:
    1. Cloud Profile . Select your existing profile.
      See the topic Creating Your Cloud Profile in the Karbon Platform Services Administration Guide .
      d
    2. Endpoint Type . Select an existing endpoint type.
    3. Endpoint Name . Name your endpoint. Up to 200 alphanumeric characters and the dash character (-) are allowed.
    4. Region . Select a GCP region.
  6. Click Create .

Editing a Data Pipeline

Update a data pipeline, including data source, function, and output destination. See also Naming Guidelines.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
  3. Click Functions and Data Pipelines > Data Pipelines .
  4. Select a data pipeline in the list, then click Actions > Edit
    You cannot update the data pipeline name.

Input - Edit a Data Source

Procedure

You can do any of the following:
  1. Select a different Data Source to change the data pipeline Input source (or keep the existing one).
  2. Select a different value for an existing Category.
  3. Click the trashcan to delete a data source category and value.
  4. Click Add new to add another Category and Value . Continue adding as many as you have defined.
  5. Select a different category.

Input - Edit a Real-Time Data Stream

Procedure

Select a different Realtime Data Stream to change the data pipeline Input source.

Transformation - Edit a Function

About this task

You can do any of the following tasks.

Procedure

  1. Select a different Function .
  2. Add or update the Sampling Interval for any new or existing function.
    1. If not selected, create a Sampling Interval by selecting Enable
    2. Enter a interval value.
    3. Select an interval: Millisecond , Second , Minute , Hour , or Day .
  3. Enter a value for any parameters defined in the function.
    If no parameters are defined, this field's name is shown as parens characters. ( )
  4. [Optional] Click the plus sign ( + ) to add another function.
    This step is useful if you want to chain functions together, feeding transformed data from one function to another, and so on.
  5. You can also create a function here by clicking Upload , which displays the Add Function page.
    1. Name your function. Up to 200 alphanumeric characters are allowed.
    2. Description . Provide a relevant description for the function.
    3. Language . Select the scripting language for the function: golang, python, node.
    4. Runtime Environment . Select the runtime environment for the function. A default runtime environment is already selected in most cases depending on the Language you have selected.
    5. Click Next .
    6. Click Choose File to navigate to a file containing your function code.
      After uploading the file, you can edit the file contents. You can also choose the contrast levels Normal , Dark , or High Contrast Dark .
    7. Click Add Parameter to define and use any parameters for the data transformation in the function.
    8. Click Create .
  6. Click Create .

Output - Edit a Destination

About this task

You can do any of the following tasks.

Procedure

  1. Select a Infrastructure or External Cloud Destination to specify where the transformed data is to be output.
  2. If you select Destination > Infrastructure :
    1. Endpoint Type . Select MQTT , Realtime Data Stream , Kafka , or Data Interface .
    2. Data Interface Name . If shown, name your data interface.
    3. Endpoint Name . If shown, name your endpoint.
  3. If you select Destination > External Cloud and Cloud Type as AWS , complete the following fields:
    1. Cloud Profile . Select your existing profile.
      See the topic Creating Your Cloud Profile in the Karbon Platform Services Administration Guide .
    2. Endpoint Type . Select an existing endpoint type.
    3. Endpoint Name . Name your endpoint. Up to 200 alphanumeric characters and the dash character (-) are allowed.
    4. Region . Select an AWS region.
  4. If you select Destination > External Cloud and Cloud Type as GCP , complete the following fields:
    1. Cloud Profile . Select your existing profile.
      See the topic Creating Your Cloud Profile in the Karbon Platform Services Administration Guide .
    2. Endpoint Type . Select an existing endpoint type.
    3. Endpoint Name . Name your endpoint. Up to 200 alphanumeric characters and the dash character (-) are allowed.
    4. Region . Select a GCP region.
  5. If you select Destination > External Cloud and Cloud Type as Azure , complete the following fields:
    1. Cloud Profile . Select your existing profile.
      See the topic Creating Your Cloud Profile in the Karbon Platform Services Administration Guide .
    2. EdType . Select an existing stream type, such as Blob Storage .
    3. Endpoint Name . Name your endpoint. Up to 200 alphanumeric characters and the dash character (-) are allowed.
  6. Click Update .

Removing a Data Pipeline

About this task

To complete this task, log on to the cloud management console.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
  3. Click Functions and Data Pipelines > Data Pipelines .
  4. Select a data pipeline, click Actions > Remove , then click Delete again to confirm.
    The Data Pipelines page lists any remaining data pipelines.

Stopping and Starting a Data Pipeline

About this task

  • You can stop and start a data pipeline.
  • You can select the table or tile view on this page by clicking one of the view icons.
    Figure. View Icons Click to enlarge The view icons on the page let you switch between table and tile view.

About this task

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list, then click Functions and Data Pipelines .
  3. To stop an active data pipeline, select a data pipeline, then click Actions > Stop .
    You can also click a data pipeline, then click Stop or Start , depending on the data pipeline state.
    Stop stops any data from being transformed or processed, and terminates any data transfer to your data destination.
  4. To start the data pipeline, select Start (after stopping a data pipeline) from the Actions drop-down menu.

Functions

A function is code used to perform one or more tasks. Script languages include Python, Golang, and Node.js. A script can be as simple as text processing code or it could be advanced code implementing artificial intelligence, using popular machine learning frameworks like Tensorflow.

An infrastructure administrator or project user can create a function, and later can edit or clone it. You cannot edit a function that is used by an existing data pipeline. In this case, you can clone it to make an editable copy.

  • You can use ML models in your function code. Use the ML Model API to call the model and version.
  • When you create, clone, or edit a function, you can define one or more parameters.
  • When you create a data pipeline, you define the values for the parameters when you specify the function in the pipeline.
  • Data pipelines can share functions, but you can specify unique parameter values for the function in each data pipeline.

Creating a Function

About this task

To complete this task, log on to the cloud management console.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
  3. Click Functions and Data Pipelines > Functions > Create .
  4. Name . Name the function. Up to 200 alphanumeric characters are allowed.
  5. Description . Provide a relevant description for your function.
  6. Language . Select the scripting language for the function: golang, python, node.
  7. Runtime Environment . Select the runtime environment for the function. A default runtime environment is already selected in most cases depending on the Language you have selected.
  8. Click Next .
  9. Add function code.
    1. Click Choose File to navigate to a file containing your function code.
      After uploading the file, you can edit the file contents. You can also choose the contrast levels Normal , Dark , or High Contrast Dark .
    2. Click Add Parameter to define and use one or more parameters for data transformation in the function. Click the check icon to add each parameter.
  10. Click Create .

Editing a Function

Edit an existing function. To complete this task, log on to the cloud management console.

About this task

Other than the name and description, you cannot edit a function that is in use by an existing data pipeline. In this case, you can clone a function to duplicate it. See Cloning a Function.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
  3. Click Functions and Data Pipelines > Functions .
  4. Select a function in the list, then click Edit .
  5. Name . Update the function name. Up to 200 alphanumeric characters are allowed.
  6. Description . Provide a relevant description for your function.
  7. You cannot change the function's Project .
  8. Language . Select the scripting language for the function: golang, python, node.
  9. Runtime Environment . Select the runtime environment for the function. A default runtime environment is already selected in most cases depending on the Language you have selected.
  10. Click Next .
  11. If you want to choose a different file or edit the existing function code:
    1. Click Choose File to navigate to a file containing your function code.
      After uploading the file, you can edit the file contents. You can also choose the contrast levels Normal , Dark , or High Contrast Dark .
    2. Click Add Parameter to define and use one or more parameters for data transformation in the function. Click the check icon to add each parameter.
  12. Click Update .

Cloning a Function

Clone an existing function. To complete this task, log on to the cloud management console.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
  3. Click Functions and Data Pipelines > Functions .
  4. Select a function in the list, then click Clone .
  5. Name . Update the function name. Up to 200 alphanumeric characters are allowed.
  6. Description . Provide a relevant description for your function.
  7. You cannot change the function's Project .
  8. Language . Select the scripting language for the function: golang, python, node.
  9. Runtime Environment . Select the runtime environment for the function. A default runtime environment is already selected in most cases depending on the Language you have selected.
  10. Click Next .
  11. If you want to choose a different file or edit the existing function code:
    1. Click Choose File to navigate to a file containing your function code.
      After uploading the file, you can edit the file contents. You can also choose the contrast levels Normal , Dark , or High Contrast Dark .
    2. Click Add Parameter to define and use one or more parameters for data transformation in the function. Click the check icon to add each parameter.
  12. Click Next to update a data pipeline with this function, if desired.
  13. Click Create , then click Confirm in response to the data pipeline warning.
    An updated function can cause data pipelines to break (that is, stop collecting data correctly).

Removing a Function

About this task

To complete this task, log on to the cloud management console. You cannot remove a function that is associated with a data pipeline or realtime data stream.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
  3. Click Functions and Data Pipelines > Functions .
  4. Select a function, click Remove , then click Delete again to confirm.
    The Functions page lists any remaining functions.

AI Inferencing and ML Model Management

You can create machine learning (ML) models to enable AI inferencing for your projects. The ML Model feature provides a common interface for functions (that is, scripts) or applications to use the ML model Tensorflow runtime environment on the Service Domain.

The Karbon Platform Services Release Notes list currently supported ML model types.

An infrastructure admin can enable the AI Inferencing service for your project through Manage Services as described in Managing Project Services.

You can add multiple models and model versions to a single ML Model instance that you create. In this scenario, multiple client projects can access any model configured in the single ML model instance.

Before You Begin
  • To allow access by the AI Inferencing API, ensure that the infrastructure admin selects Use GPU for AI Inferencing in the associated project Service Domain Advanced Settings.
  • Ensure that the infrastructure admin has enabled the AI Inferencing service for your project.
ML Models Guidelines and Limitations
  • The maximum ML model zip file size you can upload is 1 GB.
  • Each ML model zip file must contain a binary file and metadata file.
  • You can use ML models in your function code. Use the ML Model API to call the model and version.
ML Model Validation
  • The Karbon Platform Services platform validates any ML model that you upload. It checks the following:
    • The uploaded model is a ZIP file, with the correct folder of file structure in the ZIP file.
    • The ML model binaries in the ZIP file are valid and in the required format.
    • TensorFlow ML model binaries in the ZIP file are valid and in the required format.

Adding an ML Model

About this task

To complete this task, log on to the cloud management console.

Before you begin

  • An infrastructure admin can allow access to the AI Inferencing API by selecting Use GPU for AI Inferencing in the associated project Service Domain Advanced Settings.
  • An infrastructure admin can enable the AI Inferencing service for your project through Manage Services as described in Managing Project Services.

Procedure

  1. From the home menu, click Projects , then click a project.
  2. Click AI Inferencing > Add Model .
  3. Name . Name the ML model. Up to 200 alphanumeric characters are allowed.
  4. Description . Provide a relevant description.
  5. Select a specific project to make your ML model available to that project.
  6. Select a Framework Type from the drop-down menu. For example, Tensorflow 2.1.0 .
  7. Click Add Version in the List of Model Versions panel.
    1. Type an ML Model Version number, such as 1, 2, 3 and so on.
    2. Click Choose File and navigate to a model ZIP file stored on your local machine.
      • The maximum zip file size you can upload is 1 GB.
      • The console validates the file as it uploads it.
      • Uploading a file is a background task and might take a few moments depending on file size. Do not close your browser.
    3. Type any relevant Version Information , then click Upload .
  8. [Optional] Click Add new to add another model version to the model.
    A single ML model can consist of multiple model versions.
  9. Click Done .
    The ML Model page displays the added ML model. It might also show the ML model as continuing to upload.

What to do next

Check ML model status in the ML Model page.

Editing an ML Model

About this task

  • To complete this task, log on to the cloud management console.
  • You cannot change the name or framework type associated with an ML model.

Procedure

  1. From the home menu, click Projects , then click a project.
  2. Click AI Inferencing , select a model in the list, and click Edit .
  3. Description . Update an existing description.
  4. Edit or Remove an existing model version from the List of Model Versions.
  5. [Optional] Click Add new to add another model version.
    A single ML model can consist of multiple model versions.
    1. Type an ML Model Version number, such as 1, 2, 3 and so on.
    2. Click Choose File and navigate to a model ZIP file stored on your local machine.
      • The maximum zip file size you can upload is 1 GB.
      • The console validates the file as it uploads it.
      • Uploading a file is a background task and might take a few moments depending on file size. Do not close your browser.
    3. Type any relevant Version Information , then click Upload .
  6. Click Done .
    The ML Model page displays the added ML model. It might also show the ML model as continuing to upload.

What to do next

Check ML model status in the ML Model page.

Removing an ML Model

How to delete an ML model.

About this task

To complete this task, log on to the cloud management console.

Procedure

  1. From the home menu, click Projects , then click a project.
  2. Click AI Inferencing and select a model in the list.
  3. Cick Remove , then click Delete again to confirm.
    The ML Models page lists any remaining ML models.

What to do next

Check ML model status in the ML Model page.

Viewing ML Model Status

The ML Models page in the Karbon Platform Services management console shows version and activity status for all models.

Procedure

  1. From the home menu, click Projects , then click a project.
  2. Click AI Inferencing to show model information like Version, File Size, and Framework Type.
  3. To see where a model is deployed, click the model name.
    This page shows a list of associated Service Domains.

Runtime Environments

A runtime environment is a command execution environment to run applications written in a particular language or associated with a Docker registry or file.

Karbon Platform Services includes standard runtime environments including but not limited to the following. These runtimes are read-only and cannot be edited, updated, or deleted by users. They are available to all projects, functions, and associated container registries.

  • Golang
  • NodeJS
  • Python 2
  • Python 3
  • Tensorflow Python
You can add your own custom runtime environment for use by all or specific projects, functions, and container registries.
Note: Custom Golang runtime environments are not supported. Use the provided standard Golang runtime environment in this case.

Creating a Runtime Environment

How to create a user-added runtime environment for use with your project.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
  3. Click Functions and Data Pipelines , then click the Runtime Environments tab.
  4. Click Create .
  5. Name . Name the runtime environment. Up to 75 alphanumeric characters are allowed.
  6. Description . Provide a relevant description.
  7. Container Registry Profile . Click Add Profile to create a new container registry profile or use an existing profile. Do one of the following sets of steps.
    1. Select Add New .
    2. Name your profile.
    3. Description . Describe the profile. Up to 75 alphanumeric characters are allowed.
    4. Container Registry Host Address . Provide a public or private registry host address. The host address can be in the format host.domain:port_number/repository_name
      For example, https://index.docker.io/v1/ or registry-1.docker.io/distribution/registry:2.1
    5. Username . Enter the user name credential for the profile.
    6. Password . Enter the password credential for the profile. Click Show to display the password as you type.
    7. Email Address . Add an email address in this field.
    1. Select Use Existing cloud profile and elect an existing profile from Cloud Profile .
    2. Name your profile.
    3. Description . Describe the profile. Up to 75 alphanumeric characters are allowed.
    4. Server . Provide a server URL to the container registry in the format used by your cloud provider.
      For example, an Amazon AWS Elastic Container Registry (ECR) URL might be: https:// aws_account_id .dkr.ecr. region .amazonaws.com
  8. Click Done .
  9. Container Image Path . Provide a container image URL. For example, https:// aws_account_id .dkr.ecr. region .amazonaws.com/ image : imagetag
  10. Languages . Select the scripting language for the runtime: golang, python, node.
  11. [Optional] Click Add Dockerfile to choose and upload a Dockerfile for the container image, then click Done .
    A Dockerfile typically includes instructions used to build images automatically or run commands.
  12. Click Create .

Editing a Custom Runtime Environment

How to edit a user-added runtime environment from the cloud management console. You cannot edit the included read-only runtime environments.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
  3. Click Functions and Data Pipelines , then click the Runtime Environments tab.
  4. Select a runtime environment in the list, then click Edit .
  5. Name . Name the runtime environment. Up to 75 alphanumeric characters are allowed.
  6. Description . Provide a relevant description.
  7. Container Registry Profile . Select an existing container registry profile.
  8. Container Image Path . Provide a container image URL. For example, https:// aws_account_id .dkr.ecr. region .amazonaws.com/ image : imagetag
  9. Languages . Select the scripting language for the runtime: golang, python, node.
  10. [Optional] Remove or Edit any existing Docker file.
    After editing a file, click Done .
  11. Click Add Docker Profile to choose a Docker file for the container image.
  12. Click Update .

Removing a Runtime Environment

How to remove a user-added runtime environment from the cloud management console. To complete this task, log on to the cloud management console.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
  3. Click Functions and Data Pipelines , then click the Runtime Environments tab.
  4. Select a runtime environment, click Remove , then click Delete again to confirm.
    The Runtime Environments page lists any remaining runtime environments.

Audit Trail and Log Management

Logging provides a consolidated landing page enabling you to collect, forward, and manage logs from selected Service Domains.

From Logging or System Logs > Logging or the summary page for a specific project, you can:

  • Run Log Collector on every or selected Service Domains (admins only)
  • See created log bundles, which you can then download or delete
  • Create, edit, and delete log forwarding policies to help make collection more granular and then forward those logs to the cloud
  • View alerts
  • View an audit trail of any operations performed by users in the last 30 days

You can also collect logs and stream them to a cloud profile by using the kps command line available from the Nutanix public Github channel https://github.com/nutanix/karbon-platform-services/tree/master/cli. Readme documentation available there describes how to install the command line and includes sample YAML files for use with applications, data pipelines, data sources, and functions.

Audit Trail Dashboard

Access the Audit Log dashboard to view the most recent operations performed by users.

Karbon Platform Services maintains an audit trail of any operations performed by users in the last 30 days and displays them in an Audit Trail dashboard in the cloud management console. To display the dashboard, log on to the console, open the navigation menu, and click Audit Trail .

Click Filters to display operations by Operation Type, User Name, Resource Name, Resource Type, Time Range, and other filter types so you can narrow your search. Filter Operation Type by CREATE, UPDATE, and DELETE actions.

Running Log Collector - Service Domains

Log Collector examines the selected Service Domains and collects logs and configuration information useful for troubleshooting issues and finding out details about any Service Domain.

Procedure

  1. Go to System Logs > Logging from the Dashboard in the navigation sidebar menu.
  2. Click Run Log Collector .
    1. To collect log bundles for every Service Domain, choose Select all Service Domains , then click Select Logs .
    2. To collector log bundles for specific Service Domains, choose them, then click Collect Logs
      The table displays the collection status.
    • Collecting . Depending on how many Service Domains you have chosen, it can take a few minutes to collect the logs.
    • Success . All logs are collected. You can now Download them or Delete them.
    • Failed . Logs could not be collected. Click Details to show error messages relating to this collection attempt.
  3. After downloading the log bundle, you can delete it from the console.

What to do next

  • The downloaded log bundle is in a gzipped TAR file. Extract the TAR file, then untar or unzip the TAR file to see the collected logs.
  • You can also forward logs to the cloud based on your cloud profile. See Creating and Updating a Log Forwarding Policy.

Running Log Collector - Kubernetes Apps

Log Collector examines the selected project application and collects logs and configuration information useful for troubleshooting issues and finding out details about an app.

Procedure

  1. Click the menu button, then click Projects .
  2. Click a project in the list.
    The project dashboard and navigation sidebar is displayed.
  3. Click Kubernetes Apps , then click an app in the list.
  4. Select the Log Bundles tab, then click Run Log Collector .
    1. To collect log bundles for every Service Domain, choose Select all Service Domains , then click Select Logs .
    2. To collector log bundles for specific Service Domains, choose them, then click Collect Logs
      The table displays the collection status.
    • Collecting . Depending on how many Service Domains you have chosen, it can take a few minutes to collect the logs.
    • Success . All logs are collected. You can now Download them or Delete them.
    • Failed . Logs could not be collected. Click Details to show error messages relating to this collection attempt.
  5. After downloading the log bundle, you can delete it from the console.

What to do next

  • The downloaded log bundle is in a gzipped TAR file. Extract the TAR file, then untar or unzip the TAR file to see the collected logs.
  • You can also forward logs to the cloud based on your cloud profile. See Creating and Updating a Log Forwarding Policy.

Creating and Updating a Log Forwarding Policy

Create, edit, and delete log forwarding policies to help make collection more granular and then forward those Service Domain logs to the cloud.

Before you begin

Make sure your infrastructure admin has created a cloud profile first.

Procedure

  1. Go to System Logs > Logging from Dashboard or the summary page for a specific project.
  2. Click Log Forwarding Policy > Create New Policy .
  3. Name . Name your policy.
  4. Select a Service Domain.
    1. Select All . Logs for all Service Domains are forwarded to the cloud destination.
    2. Select Select By Category to choose and apply one or more categories associated with a Service Domain. Click the plus sign ( + ) to add more categories.
    3. Select Select Individually to choose a Service Domain, then click Add Service Domain to select one or more Service Domains.
  5. Select a destination.
    1. Select Profile . Choose an existing cloud profile.
    2. Select Service . Choose a cloud service. For example, choose Cloudwatch to stream logs to Amazon CloudWatch. Other services include Kinesis and Firehose .
    3. Select Region . Enter a valid AWS region name or CloudWatch endpoint fully qualified domain name. For example, us-west-2 or monitoring.us-west-2.amazonaws.com
    4. Select Stream . Enter a log stream name.
    5. Select Groups . (CloudWatch only) Enter a Log group name.
  6. Click Done .
    The dashboard or summary page shows the policy tile.
  7. From the Logging dashboard, you can edit or delete a policy.
    1. Click Edit and change any of the fields, then click Done .
    2. To delete a policy, click Delete , then click Delete again to confirm.

Creating a Log Collector for Log Forwarding - Command Line

Create a log collector for log forwarding by using the kps command line.

Nutanix has released the kps command line on its public Github channel. https://github.com/nutanix/karbon-platform-services/tree/master/cli describes how to install the command line and includes sample YAML files for use with applications, data pipelines, data sources, and functions.

Each sample YAML file defines a log collector. Log collectors can be:

  • Infrastructure-based: collects infrastructure-related (Service Domain) information. For use by infra admins.
  • Project-based: project-related information (applications, data pipelines, and so on). For use by project users and infra admins (with assigned projects).

See the most up-to-date sample YAML files and descriptions at https://github.com/nutanix/karbon-platform-services/tree/master/cli.

Example Usage

Create a log collector defined in a YAML file:

user@host$ kps create -f infra-logcollector-cloudwatch.yaml

infra-logcollector-cloudwatch.yaml

This sample infrastructure log collector collects logs for a specific tenant, then forwards them to a specific cloud profile (for example: AWS CloudWatch ).

To enable AWS CloudWatch log streaming, you must specify awsRegion, cloudwatchStream, and cloudwatchGroup.

kind: logcollector
name: infra-log-name
type: infrastructure
destination: cloudwatch
cloudProfile: cloud-profile-name
awsRegion: us-west-2
cloudwatchGroup: cloudwatch-group-name
cloudwatchStream: cloudwatch-stream-name
filterSourceCode: ""
Field Name Value or Subfield Name / Description Value or Subfield Name / Description
kind logcollector Specify the resource type
name infra-log-name Specify the unique log collector name
type infrastructure Log collector for infrastructure
destination cloudwatch Cloud destination type
cloudProfile cloud-profile-name Specify an existing Karbon Platform Services cloud profile
awsRegion For example, us-west-2 or monitoring.us-west-2.amazonaws.com Valid AWS region name or CloudWatch endpoint fully qualified domain name
cloudwatchGroup cloudwatch-group-name Log group name
cloudwatchStream cloudwatch-stream-name Log stream name
filterSourceCode Specify the log conversion code

project-logcollector.yaml

This sample project log collector collects logs for a specific tenant, then forwards them to a specific cloud profile (for example: AWS CloudWatch ).

kind: logcollector
name: project-log-name
type: project
project: project-name
destination: cloud-destination type
cloudProfile: cloud-profile-name
awsRegion: us-west-2
cloudwatchGroup: cloudwatch-group-name
cloudwatchStream: cloudwatch-stream-name
filterSourceCode: ""
Field Name Value or Subfield Name / Description Value or Subfield Name / Description
kind logcollector Specify the resource type
name project-log-name Specify the unique log collector name
type project Log collector for specific project
project project-name Specify the project name
destination cloud-destination type Cloud destination type such as CloudWatch
cloudProfile cloud-profile-name Specify an existing Karbon Platform Services cloud profile
awsRegion For example, us-west-2 or monitoring.us-west-2.amazonaws.com Valid AWS region name or CloudWatch endpoint fully qualified domain name
cloudwatchGroup cloudwatch-group-name Log group name
cloudwatchStream cloudwatch-stream-name Log stream name
filterSourceCode Specify the log conversion code

Stream Real-Time Application and Pipeline Logs

Real-Time Log Monitoring built into Karbon Platform Services provides real-time log monitoring and lets you view application and data pipeline log messages securely in real time.

Note: Infrastructure administrators can stream logs if they have been added to a project.

Viewing the most recent log messages as they occur helps you see and troubleshoot application or data pipeline operations. Messages stream securely over an encrypted channel and are viewable only by authenticated clients (such as an existing user logged on to the Karbon Platform Services cloud platform).

The cloud management console shows the most recent log messages, up to 2 MB. To get the full logs, collect and then download the log bundles by Running Log Collector - Service Domains.

Displaying Real-Time Logs

View the most recent real-time logs for applications and data pipelines.

About this task

To complete this task, log on to the cloud management console.

Procedure

  1. Go to the Deployments page for an application or data pipeline.
    1. From the home menu, click Projects , then click a project.
    2. Click Kubernetes Apps or Functions and Data Pipelines .
    3. Click an app name or data pipeline name, then click Deployments .
    4. Click an application or a data pipeline in the table, then click Deployments .
      A table shows each Service Domain deploying the application or data pipeline.
  2. Select a Service Domain, then click View Real-time Logs .
    The window displays streaming log messages and shows the most recent 2 MB of log messages from a container associated with your data pipeline function or application, from the Service Domain.

What to do next

Real-Time Log Monitoring Console describes what you see in the terminal-style display.

Real-Time Log Monitoring Console

The Karbon Platform Services real-time log monitoring console is a terminal-style display that streams log entries as they occur.

After you do the steps in Displaying Real-Time Logs, a terminal-style window is displayed in one or more tabs. Each tab is streaming log messages and shows the most recent 2 MB of log messages from a container associated with your data pipeline function or application.

Your application or data pipeline function generates the log messages. That is, the console shows log messages that you have written into your application or function.

Figure. Real-Time Log Monitoring Console Click to enlarge One or more tabs with a terminal style display shows messages generated by your application or function.

No Logs Message

If your Karbon Platform Services Service Domain is connected and your application or function is not logging anything, the console might show a No Logs message. In this case, the message means that the application or function is idle and not generating any log messages.

Errors

You might see one or more error messages in the following cases. As a result, Real-Time Log Monitoring cannot retrieve any logs.

  • If your application, function, or other resource fails
  • Network connectivity fails or is highly intermittent between the Karbon Platform Services Service Domain or your browser and karbon.nutanix.com

Tips for Real-Time Log Monitoring for Applications

  • The first tab shows the first container associated with the application running on the Karbon Platform Services Service Domain. The console shows one tab for each container associated with the application, including a tab for each container replicated in the same application.
  • Each tab displays the application and container name as app_name : container_id ) and might be truncated. To see the full name on the tab, hover over it.
  • Reordering tabs is not available. Unlike your usual tabbed browser experience, you cannot reorder or move the tabs.

Tips for Real-Time Log Monitoring for Functions in Data Pipelines

  • The first tab shows the first function deployed in the data pipeline running on the Service Domain. The console shows one tab for each function deployed in the data pipeline.
  • Reordering tabs is not available. Unlike your usual tabbed browser experience, you cannot reorder or move the tabs. For data pipelines, the displayed tab order is the order of the functions (that is, scripts of transformations) in the data pipeline.
  • Duplicate function names. If you use the same function more than once in the data pipeline, you will see duplicate tabs. That is, one tab for each function instance.
  • Each tab displays the data pipeline and function name as data_pipeline_ : function ) and might be truncated. To see the full name on the tab, hover over it.

Managing API Keys

Simplifies authentication when you use the Karbon Platform Services API by enabling you to manage your keys from the Karbon Platform Services management console. This topic also describes API key guidelines.

As a user (infrastructure or project), you can manage up to two API keys through the Karbon Platform Services management console. After logging on to the management console, click your user name in the management console, then click Manage API Keys to create, disable, or delete these keys.

Number of API Keys Per Users and Expiration
  • Each user can create and use two API keys.
  • Keys do not have an expiration date.
Deleting and Reusing API Keys
  • You can delete an API key at any time.
  • You cannot use or reuse a key after deleting it.
Creating and Securing the API Keys
  • When you create a key, the Manage API Keys dialog box displays the key.
  • When you create a key, make a copy of the key and secure it. You cannot see the key later. It is not recoverable at any time.
  • Do not share the key with anyone, including other users.

Read more about the Karbon Platform Services API at nutanix.dev. For Karbon Platform Services Developers describes related information and links to resources for Karbon Platform Services developers.

Using API Keys With HTTPS API Requests

Example API request using an API key.

After you create an API key, use it with your Karbon Platform Services API HTTPS Authorization requests. In the request, specify an Authorization header including Bearer and the key you generated and copied from the Karbon Platform Services management console.

For example, here is an example Node JS code snippet:

var http = require("https");

var options = {
  "method": "GET",
  "hostname": "karbon.nutanix.com",
  "port": null,
  "path": "/v1.0/applications",
  "headers": {
    "authorization": "Bearer API_key"
  }
};

Creating API Keys

Create one or more API keys through the Karbon Platform Services management console.

Procedure

  1. After logging on to the management console, click your user name, then click Manage API Keys .
    Figure. Manage API Keys Click to enlarge Click your profile name, then click Manage API keys.

  2. Click Create API Key .
    Manage API Keys shows that the key is created. Keys do not have an expiration date.
  3. Click Copy to Clipboard .
    • Make a copy of the API key and secure it. It is not recoverable at any time.
    • Click View to see the key value. You cannot see the key later.
    • Copy to Clipboard is a mandatory step. The Close button is inactive until you click Copy to Clipboard .
  4. To create another key, click Create API Key and Copy to Clipboard .
    Make a copy of the key and secure it. It is not recoverable at any time. Click View to see the key value. You cannot see the key later.
    Note that Status for each key is Active .
    Figure. Key Creation Click to enlarge The API keys show as Active.

  5. Click Close .

Disabling, Enabling, or Deleting API Keys

Create one or more API keys through the Karbon Platform Services management console.

Procedure

  1. After logging on to the management console, click your user name, then click Manage API Keys .
    Figure. Manage API Keys Click to enlarge Click your profile name, then click Manage API keys.

    Manage API Keys shows information about each API key: Create Time, Last Accessed, Status (Active or Disabled).
    Depending on the current state of the API key, you can disable, enable, or delete it.
    Figure. API Keys Click to enlarge The dialog shows API Key status as active or disabled.

  2. Disable an enabled API key.
    1. Click Disable .
      Note that Status for the API key is now Disabled .
    2. Click Close .
  3. Enable a disabled API key.
    1. Click Enable .
      Note that Status for the API key is now Active .
    2. Click Close .
  4. Delete an API Key.
    1. Click Delete , then click Delete again to confirm.
    2. Click Close .
      You cannot use or reuse a key after deleting it. Any client authenticating with this now-deleted API key will need a new key to authenticate again.

Secure Shell (SSH) Access to Service Domains

Karbon Platform Services provides limited secure shell (SSH) access to your cloud-connected service domain to manage Kubernetes pods.

Note: To enable this feature, contact Nutanix Support so they can set your profile accordingly. Setting Privileged Mode shows how you can check your Service Domain effectiveProfile setting.
Caution: Nutanix recommends limiting your use of this feature in production deployments. Do not enable SSH access in production deployments unless you have exhausted all other troubleshooting or debugging alternatives.

The Karbon Platform Services cloud management console provides limited secure shell (SSH) access to your cloud-connected Service Domain to manage Kubernetes pods. SSH Service Domain access enables you to run Kubernetes kubectl commands to help you with application development, debugging, and pod troubleshooting.

As Karbon Platform Services is secure by design, dynamically generated public/private key pairs with a default expiration of 30 minutes secure your SSH connection. When you start an SSH session from the cloud management console, you automatically log on as user kubeuser .

Infrastructure administrators have SSH access to Service Domains. Project users do not have access.

kubeuser Restrictions

  • Limited to running kubectl CLI commands
  • No superuser or sudo access: No /root file access, unable to issue privileged commands

Opening a Secure Session (SSH) Console to a Service Domain

Access a Service Domain through SSH to manage Kubernetes pods with kubectl CLI commands. This feature is disabled by default. To enable this feature, contact Nutanix Support.

Before you begin

To complete this task, log on to the cloud management console as an infrastructure administrator user.
Caution: Nutanix recommends limiting your use of this feature in production deployments. Do not enable SSH access in production deployments unless you have exhausted all other troubleshooting or debugging alternatives.

Procedure

  1. Click Infrastructure > Service Domains .
  2. In the table, click a Service Domain Name , then click Console to connect to the Service Domain.
    A terminal window connects as the kubeuser user for 30 minutes.
  3. To activate the cursor, click the terminal window.
  4. After 30 minutes, you can choose to stay connected or disconnect.
    • After 30 minutes, you can remain connected by clicking Reconnect to reestablish the SSH connection.
    • To disconnect an active connection, click Back to Service Domains or another link on this page ( Summary , Nodes , or any others except SSH ).

What to do next

For example commands, see Using kubectl to Manage Service Domain Kubernetes Pods.

Using kubectl to Manage Service Domain Kubernetes Pods

Use kubectl commands to manage Kubernetes pods on the Service Domain.

Example kubectl Commands

  • List all running pods.
    kubeuser@host$ kubectl get pods
  • List all pod services.
    kubeuser@host$ kubectl get services
  • Get logs for a specific pod named pod_name .
    kubeuser@host$ kubectl logs pod_name
  • Run a command for a specific pod named pod_name .
    kubeuser@host$ kubectl exec pod_name command_name
  • Attach a shell to a container container_name in a pod named pod_name .
    kubeuser@host$ kubectl exec -it pod_name --container container_name -- /bin/sh

Alerts

The Alerts page and the Alerts Dashboard panel show any alerts triggered by Karbon Platform Services depending on your role.

  • Infrastructure Administrator . All alerts associated with Projects, Apps & Data, Infrastructure
  • Project User Alerts . All alerts associated with Projects and Apps & Data

To see alert details:

  • On the Alerts page, click the alert Description to see details about that alert.
  • From the Alerts Dashboard panel, click View Details , then click the alert Description to see details.

Click Filters to sort the alerts by:

  • Severity . Critical or Warning.
  • Time Range . Select All, Last 1 Hour, Last 1 Day, or Last 1 Week.

An Alert link is available on each Apps & Data and Infrastructure page.

Figure. Sorting and Filtering Alerts Click to enlarge Filters flyout menu to sort alerts by severity

For Karbon Platform Services Developers

Information and links to resources for Karbon Platform Services developers.

This section contains information about Karbon Platform Services development.

API Reference
Go to https://www.nutanix.dev/api-reference/ for API references, code samples, blogs , and more for Karbon Platform Services and other Nutanix products.
Karbon Platform Services Public Github Repository

The Karbon Platform Services public Github repository https://github.com/nutanix/karbon-platform-services includes sample application YAML files, instructions describing external client access to services, Karbon Platform Services kps CLI samples, and so on.

Karbon Platform Services Command Line

Nutanix has released the kps command line on its public Github repository. https://github.com/nutanix/karbon-platform-services/tree/master/cli describes how to install the command line and includes sample YAML files for use with applications, data pipelines, data sources, and functions.

Ingress Controller Support - Command Line

Karbon Platform Services supports the Traefik open source router as the default Kubernetes Ingress controller and NGINX (ingress-nginx) as a Kubernetes Ingress controller. For full details, see https://github.com/nutanix/karbon-platform-services/tree/master/services/ingress.

Kafka Data Service Support - Command Line

Kafka is available as a data service through your Service Domain. Clients can manage, publish and subscribe to topics using the native Kafka protocol. Data Pipelines can use Kafka as destination. Applications can also use a Kafka client of choice to access the Kafka data service.

For full details, see https://github.com/nutanix/karbon-platform-services/tree/master/services/kafka. See alsoKafka as a Service.

Free Karbon Platform Services Trial
Sign up for a free Karbon Platform Services Trial at https://www.nutanix.com/products/iot/try.

Set Privileged Mode For Applications

Enable a container application to run with elevated privileges.

Important: The privileged mode is deprecated. Nutanix plans to remove this feature in an upcoming release.
Note: To enable this feature, contact Nutanix Support so they can set your profile accordingly. In your profile, this feature is disabled by default. After privileged mode is enabled in your profile, you can configure a container application to run with elevated privileges.
Caution: Nutanix recommends that you use this feature sparingly and only when necessary. To keep Karbon Platform Services secure by design, as a general rule, Nutanix also recommends your run your applications at user level.

For information about installing the kps command line, see For Karbon Platform Services Developers.

Karbon Platform Services enables you to develop an application which requires elevated privileges to run successfully. By using the kps command line, you can set your Service Domain to enable an application running in a container to run in privileged mode.

Setting Privileged Mode

Configure your Service Domain to enable a container application to run with elevated privileges.

Before you begin

Important: The privileged mode is deprecated. Nutanix plans to remove this feature in an upcoming release.
  • Ensure that you have created an infrastructure administrator or project user with associated resources (Service Domain, project, applications, and so on).
  • To enable this feature, contact Nutanix Support so they can set your profile accordingly. In your profile, this feature is disabled by default. After privileged mode is enabled in your profile, you can configure a container application to run with elevated privileges.
Caution: Nutanix recommends that you use this feature sparingly and only when necessary. To keep Karbon Platform Services secure by design, as a general rule, Nutanix also recommends your run your applications at user level.

Procedure

  1. Install the kps command line as described at GitHub: https://github.com/nutanix/karbon-platform-services/tree/master/cli
  2. From your terminal window, create a Karbon Platform Services context to associate with an existing Karbon Platform Services user.
    user@host$  kps config create-context context_name --email user_email_address --password password
    1. context_name . A context name to associate with the specified user_email_address and related Karbon Platform Services resources.
    2. user_email_address . Email address of an existing Karbon Platform Services user. This email address can be a My Nutanix account address or local user address.
    3. password . Password for the Karbon Platform Services user.
  3. Verify that the context is created.
    user@host$ kps config get-contexts
    The terminal displays CURRENT CONTEXT as the context_name . It also displays the NAME, URL, TENANT-ID, and Karbon Platform Services email and password.
  4. Get the Service Domain names (displayed in YAML format) where the container application needs to run with elevated privileges.
    user@host$ kps get svcdomain -o yaml
  5. Set privilege mode for a specific Service Domain svc_domain_name .
    user@host$ kps update svcdomain svc_domain_name --set-privileged
    Successfully updated Service Domain: svc_domain_name
  6. Verify privileged mode is set to true .
    user@host$ kps get svcdomain svc_domain_name -o yaml
    kind: edge
    name: svc_domain_name
    
    connected: true
    .
    .
    .
    profile: 
       privileged: true 
       enableSSH: true 
    effectiveProfile: 
       privileged: true
       enableSSH: true
    effectiveProfile privileged set to true indicates that Nutanix Support has enabled this feature. If the setting is false , contact Nutanix Support to enable this feature. In this example, Nutanix has also enabled SSH access to this Service Domain (see Secure Shell (SSH) Access to Service Domains in Karbon Platform Services Administration Guide ).

What to do next

See Using Privileged Mode with an Application (Example).

Using Privileged Mode with an Application (Example)

Important: The privileged mode is deprecated. Nutanix plans to remove this feature in an upcoming release.

After elevating privilege as described in Setting Privileged Mode, elevate the application privilege. This sample enables USB device access for an application running in a container on elevated Service Domain

YAML Snippet, Sample Privileged Mode USB Device Access Application

Add a tag similar to the following in the Deployment section in your application YAML file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: usb
  annotations:
    sherlock.nutanix.com/privileged: "true"

Full YAML File, Sample Privileged Mode USB Device Access Application


apiVersion: v1
kind: ConfigMap
metadata:
  name: usb-scripts
data:
  entrypoint.sh: |-
    apk add python3
    apk add libusb
    pip3 install pyusb
    echo Read from USB keyboard
    python3 read-usb-keyboard.py
  read-usb-keyboard.py: |-
    import usb.core
    import usb.util
    import time

    USB_IF      = 0     # Interface
    USB_TIMEOUT = 10000 # Timeout in MS

    USB_VENDOR  = 0x627
    USB_PRODUCT = 0x1

    # Find keyboard
    dev = usb.core.find(idVendor=USB_VENDOR, idProduct=USB_PRODUCT)
    endpoint = dev[0][(0,0)][0]
    try:
      dev.detach_kernel_driver(USB_IF)
    except Exception as err:
      print(err)
    usb.util.claim_interface(dev, USB_IF)
    while True:
      try:
        control = dev.read(endpoint.bEndpointAddress, endpoint.wMaxPacketSize, USB_TIMEOUT)
        print(control)
      except Exception as err:
        print(err)
      time.sleep(0.01)
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: usb
  annotations:
        sherlock.nutanix.com/privileged: "true"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: usb
  template:
    metadata:
      labels:
        app: usb
    spec:
      terminationGracePeriodSeconds: 0
      containers:
      - name: alpine
        image: alpine
        volumeMounts:
        - name: scripts
          mountPath: /scripts
        command:
        - sh
        - -c 
        - cd /scripts && ./entrypoint.sh
      volumes:
      - name: scripts
        configMap:
          name: usb-scripts
          defaultMode: 0766

Configure Service Domain Environment Variables

Define environment variables for an individual Service Domain. After defining them, any Kubernetes app that specifies that Service Domain can access them as part of a container spec in the app YAML.

As an infrastructure administrator, you can set environment variables and associated values for each Service Domain, which are available for use in Kubernetes apps. For example:

  • You can provide environment variables and values by using a Helm chart you upload when you create an app. See Creating an Application and Helm Chart Support and Requirements.
  • You can also set specific environment variables per Service Domain by updating a Service Domain in the cloud management console or by using the kps update svcdomain command line.
  • See also Privileged Kubernetes Apps.

As a project user, you can then specify these per-Service Domain variables set by the infra admin in your app. If you do not include the variable name in your app YAML file but you pass it as a variable to run in your app, Karbon Platform Services can inject this variable value.

Setting and Clearing Service Domain Environment Variables - Command Line

How to set environment variables for a Service Domain.

Before you begin

You must be an infrastructure admin to set variables and values.

Procedure

  1. Install the kps command line as described at GitHub: https://github.com/nutanix/karbon-platform-services/tree/master/cli
  2. From your terminal window, create a Karbon Platform Services context to associate with an existing infra admin user.
    user@host$  kps config create-context context_name --email user_email_address --password password
    1. context_name . A context name to associate with the specified user_email_address and related Karbon Platform Services resources.
    2. user_email_address . Email address of an existing Karbon Platform Services user. This email address can be a My Nutanix account address or local user address.
    3. password . Password for the Karbon Platform Services user.
  3. Verify that the context is created.
    user@host$ kps config get-contexts
    The terminal displays CURRENT CONTEXT as the context_name . It also displays the NAME, URL, TENANT-ID, and Karbon Platform Services email and password.
  4. Get the Service Domain names (displayed in YAML format) to find the service domain where you set the environment variables.
    user@host$ kps get svcdomain -o yaml
  5. For a Service Domain named my-svc-domain , for example, set the Service Domain environment variable. In this example, set a secret variable named SD_PASSWORD with a value of passwd1234 .
    user@host$ kps update svcdomain my-svc-domain --set-env '{"SD_PASSWORD":"passwd1234"}'
  6. Verify the changes.
    user@host$ kps get svcdomain my-svc-domain -o yaml
    kind: edge
    name: my-svc-doamin
    connected: true
    .
    .
    .
    env: '{"SD_PASSWORD": "passwd1234"}'
    The Service Domain is updated. Any infra admin or project user can deploy an app to a Service Domain where you can refer to the secret by using the variable $(SD_PASSWORD) .
  7. You can continue to add environment variables by using the kps update svcdomain my-svc-domain --set-env '{" variable_name ": " variable_value "}' command.
  8. You an also clear one or all variables for Service Domain svc_domain_name .
    1. To clear (unset) all environment variables:
      user@host$ kps update svcdomain svc_domain_name --unset-env
    2. To clear (unset) a specific environment variables:
      user@host$ kps update svcdomain svc_domain_name --unset-env '{"variable_name":"variable_value"}'
  9. To update an app, restart it. See also Deploying and Undeploying a Kubernetes Application.

What to do next

Using Service Domain Environment Variables - Example

Using Service Domain Environment Variables - Example

Example: how to use existing environment variables for a Service Domain in application YAML.

About this task

  • You must be an infrastructure admin to set variables and values. See Setting and Clearing Service Domain Environment Variables - Command Line.
  • In this example, an infra admin has created these environment variables: a Kafka endpoint that requires a secret (authentication) to authorize the Kafka broker.
  • As a project user, you can then specify these per-Service Domain variables set by the infra admin in your app. If you do not include the variable name in your app YAML file but you pass it as a variable to run in your app, Karbon Platform Services can inject this variable value.

Procedure

  1. In your app YAML, add a container snippet similar to the following.
    
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: my-app-deployment
      labels:
        app: my-app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: my-app
      template:
        metadata:
          labels:
            app: my-app
        spec:
          containers:
          - name: my-app
            image: some.container.registry.com/myapp:1.7.9
            ports:
            - containerPort: 80
         env:
            - name: KAFKA_ENDPOINT
              value: some.kafka.endpoint
            - name: KAFKA_KEY
            - value: placeholder
         command:
           - sh
           - c
           - "exec node index.js $(KAFKA_KEY)"
    
  2. Use this app YAML snippet when you create a Kubernetes app in Karbon Platform Services as described in Kubernetes Apps.

Karbon Platform Services Terminology

Category

Logically grouped Service Domain, data sources, and other items. Applying a category to an entity applies any values and attributes associated with the category to the entity.

Cloud Connector

Built-in Karbon Platform Services platform feature to publish data to a public cloud like Amazon Web Services or Google Cloud Platform. Requires a customer-owned secured public cloud account and configuration in the Karbon Platform Services management console.

Cloud Profile

Cloud provider service account (Amazon Web Services, Google Cloud Platform, and so on) where acquired data is transmitted for further processing.

Container Registry Profile

Credentials and location of the Docker container registry hosted on a cloud provider service account. Can also be an existing cloud profile.

Data Pipeline

Path for data that includes input, processing, and output blocks. Enables you to process and transform captured data for further consumption or processing.

  • Input. An existing data stream or data source, identified according to a Category
  • Transformation. Code block such as a script defined in a Function to process or transform input data.
  • Output. A destination for data. Publish data to the cloud or cloud service (such as AWS Simple Queue Service) at the edge.
Data Service

Data service such as Kafka as a Service or Real-Time Stream Processing as a Service.

Data Source

A collection of sensors, gateways, or other input devices to associate with a node or Service Domain (previously known as an edge). Enables you to manage and monitor sensor integration and connectivity.

A node minimally consists of a node (also known as edge device) and a data source. Any location (hospital, parking lot, retail store, oil rig, factory floor, and so on) where sensors or other input devices are installed and collecting data. Typical sensors measure (temperature, pressure, audio, and so on) or stream (for example, an IP-connected video camera).

Functions

Code used to perform one or more tasks. A script can be as simple as text processing code or it could be advanced code implementing artificial intelligence, using popular machine learning frameworks like Tensorflow.

Infrastructure Administrator

User who creates and administers most aspects of Karbon Platform Services. The infrastructure administrator provisions physical resources, Service Domains, data sources and public cloud profiles. This administrator allocates these resources by creating projects and assigning project users to them.

Project

A collection of infrastructure (Service Domain, data source, project users) plus code and data (Kubernetes apps, data pipelines, functions, run-time environments), created by the infrastructure administrator for use by project users.

Project User

User who views and uses projects created by the infrastructure administrator. This user can view everything that an infrastructure administrator assigns to a project. Project users can utilize physical resources, as well as deploy and monitor data pipelines and applications. This user has project-specific CRUD permissions: the project user can create, read, update, and delete assigned applications, scripts, data pipelines, and other project users.

Real-time Data Stream
  1. Data Pipeline output endpoint type with a Service Domain as an existing destination.
  2. An existing data pipeline real-time data stream that is used as the input to another data pipeline.
Run-time Environment

A run-time environment is a command execution environment to run applications written in a particular language or associated with a Docker registry or file.

Service Domain

Intelligent Platform as a Service (PaaS) providing the Karbon Platform Services Service Domain infrastructure (consisting of a full software stack combined with a hardware device). It enables customers to deploy intelligent applications (powered by AI/artificial intelligence) to process and transform data ingested by sensors. This data can be published selectively to public clouds.

Karbon Platform Services Management Console

Browser-based console where you can manage the Karbon Platform Services platform and related infrastructure, depending on your role (infrastructure administrator or project user).

Karbon Platform Services

Software as a Service (SaaS)/Platform as a Service (PaaS) based management platform and cloud IoT services. Includes the Karbon Platform Services management console.

Version

Read article