VMware NSX Plugin#

Technical Preview

The VMware NSX Plugin is currently only available as an alpha version for technical preview purposes. It can be used for demo, POC or lab purposes.

The following features are not included in the technical preview:

  • Connect Audit
  • EDA-managed
  • Alarms
  • Lag support
  • NSX certificate support: As a workaround, set nsxTlsVerify to false in the NsxPluginInstance. The plugin then connects without validating the NSX server's certificate.

Overview#

The NSX plugin enables automated fabric configuration for VMware NSX environments, supporting both Overlay and VLAN segments. It integrates with EDA Connect to dynamically manage bridge domains and VLANs based on NSX segment definitions.

NSX provides advanced networking capabilities such as:

  • L2/L3 overlays using VXLAN or Geneve
  • VLAN-based connectivity
  • Tier-0 routers for overlay-to-underlay breakout
  • Micro-segmentation, load balancing, and VPN services

This plugin focuses on automating fabric configuration for overlay and VLAN segments:

  • Automatic provisioning of the fabric based on the configured NSX VLAN segments.
  • Automatic provisioning of the fabric based on NSX Transport Node and Host Switch Profile. The plugin will facilitate the communication between the hypervisors on these overlay segments. EDA will not be involved in the actual overlay traffic in this case.

Supported Versions#

  • VMware NSX 4.2

Architecture#

The VMware NSX plugin consists of two components:

  • VMware NSX Plugin App: This app runs in EDA and manages the lifecycle of the VMware NSX plugins. It does so in the standard app model where a custom resource is used to manage the VMware NSX plugins.
  • VMware NSX Plugin: The plugin itself, which is responsible for connecting and monitoring the VMware NSX environment for changes.

Supported Features#

The following are some of the supported VMware NSX plugin features:

  • CMS-managed integration mode
  • EDA-managed integration mode (not in 25.8)
  • VLAN segment fabric management
  • Overlay segment fabric management

Overlay Segments#

Overlay segments in NSX are L2 networks encapsulated in L3 using VXLAN or Geneve. The encapsulated traffic is VLAN-tagged and transported via uplinks defined in NSX configurations.

The NSX plugin will create a BridgeDomain and a VLAN resource based on the Transport VLAN defined on the Transport Node in NSX.

VLAN Segments#

In NSX, it is still possible to create VLAN segments. For these, the NSX plugin will create the appropriate BridgeDomain and VLAN resources in EDA.

Deployment#

Similarity with VMware vSphere Plugin

Those familiar with the VMware vSphere plugin will recognize the steps defined here.

To deploy the VMware NSX plugin, complete the following tasks:

  • Deploy the plugin app.
  • Deploy the plugin.

Connect VMware NSX Plugin App Deployment#

The VMware NSX plugin app is an application in the EDA app ecosystem. It can be easily installed using the EDA Store UI.

Installation using Kubernetes API#

If you prefer installing the plugin using the Kubernetes API, you can do so by creating the following Workflow resource:

apiVersion: appstore.eda.nokia.com/v1
kind: AppInstaller
metadata:
  name: nsx-plugin
  namespace: eda-system
spec:
  operation: install
  apps:
    - appId: nsx.eda.nokia.com
      catalog: eda-catalog-builtin-apps
      version:
        type: semver
        value: v1alpha1

kubectl apply -f - <<EOF
apiVersion: appstore.eda.nokia.com/v1
kind: AppInstaller
metadata:
  name: nsx-plugin
  namespace: eda-system
spec:
  operation: install
  apps:
    - appId: nsx.eda.nokia.com
      catalog: eda-catalog-builtin-apps
      version:
        type: semver
        value: v1alpha1

EOF

Connect VMware NSX Plugin Deployment#

A prerequisite for creating an NsxPluginInstance resource is a Secret resource with username and password fields. These fields hold the credentials of an account that can connect to the VMware NSX environment and has read-only access to the cluster, so that it can monitor the necessary resources.

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: my-nsx-creds # Referenced by authSecretRef in the NsxPluginInstance
  namespace: eda-system
  labels:
    "eda.nokia.com/backup": "true"
data:
  username: YWRtaW4= # base64 encoded, without a trailing newline
  password: YWRtaW4= # base64 encoded, without a trailing newline

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: my-nsx-creds # Referenced by authSecretRef in the NsxPluginInstance
  namespace: eda-system
  labels:
    "eda.nokia.com/backup": "true"
data:
  username: YWRtaW4= # base64 encoded, without a trailing newline
  password: YWRtaW4= # base64 encoded, without a trailing newline
EOF

Base64 encoding

Use the following command to base64 encode your username and password:

echo -n myUsernameOrPassword | base64

As the VMware NSX plugins are managed through the operator, you can use the EDA UI to create a new NsxPluginInstance resource under the System Administration > Connect > NSX Plugins menu item.

As an alternative, you can also create the same NsxPluginInstance using the following custom resource example. Make sure to replace the specified values with their relevant content.

A VMware NSX instance can manage multiple VMware vCenter servers. This is reflected by referencing the vCenters and the corresponding Connect VMware vCenter plugins in the NsxPluginInstance.

vCenterFQDN

The vCenterFQDN field has to correspond to the "FQDN or IP Address" field when creating the compute manager.

apiVersion: vmware.eda.nokia.com/v1
kind: NsxPluginInstance
metadata:
  name: my-nsx-plugin-instance # A unique name for the plugin resource (can be the same as the spec.name, or different)
  namespace: eda-system # The system namespace.
spec:
  pluginNamespace: eda # The namespace in the EDA deployment holding the fabric associated with this plugin
  externalId: example-external-id # A unique identifier for the plugin (can be the same as the name)
  heartbeatInterval: 30
  name: example-NSX # A unique name for the plugin
  nsxManagementIP: exampleHost # The IP address of the NSX Server
  nsxPollInterval: 2 # The plugin will poll NSX for changes every x seconds
  nsxTlsVerify: false # Whether to verify the TLS certificate of the NSX server
  nsxCertificate: "" # If the NSX certificate is self-signed, add it here to be able to verify from the plugin
  authSecretRef: my-nsx-creds # Credentials are hosted in a separate Secret
  vCenters:
    - vCenterFQDN: x.y.z # FQDN or IP of the vCenter as defined in NSX
      vmwarePluginID: example-VMWARE # Name of the vCenter plugin

kubectl apply -f - <<EOF
apiVersion: vmware.eda.nokia.com/v1
kind: NsxPluginInstance
metadata:
  name: my-nsx-plugin-instance # A unique name for the plugin resource (can be the same as the spec.name, or different)
  namespace: eda-system # The system namespace.
spec:
  pluginNamespace: eda # The namespace in the EDA deployment holding the fabric associated with this plugin
  externalId: example-external-id # A unique identifier for the plugin (can be the same as the name)
  heartbeatInterval: 30
  name: example-NSX # A unique name for the plugin
  nsxManagementIP: exampleHost # The IP address of the NSX Server
  nsxPollInterval: 2 # The plugin will poll NSX for changes every x seconds
  nsxTlsVerify: false # Whether to verify the TLS certificate of the NSX server
  nsxCertificate: "" # If the NSX certificate is self-signed, add it here to be able to verify from the plugin
  authSecretRef: my-nsx-creds # Credentials are hosted in a separate Secret
  vCenters:
    - vCenterFQDN: x.y.z # FQDN or IP of the vCenter as defined in NSX
      vmwarePluginID: example-VMWARE # Name of the vCenter plugin
EOF

The plugin name and external ID must match the regex '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]': they can contain only alphanumeric characters and ., _ and -, and must start and end with an alphanumeric character.
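
A pre-flight check for the values discussed above, as an added example that is not part of the EDA documentation or the plugin: it applies the name regex to spec.name and spec.externalId, confirms that a base64 Secret value decodes without a trailing newline (what `echo -n` prevents), and flags a manifest that leaves nsxTlsVerify off. The function names and the sample manifest are constructed for illustration; GNU `base64 -d` is assumed.

```shell
# Regex quoted on the page for spec.name and spec.externalId (whole value must match).
NAME_RE='([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]'

valid_plugin_name() {
  printf '%s\n' "$1" | grep -Eqx "$NAME_RE"
}

# 0 = usable, 1 = decodes but ends in whitespace/newline, 2 = empty or not base64.
check_secret_value() {
  [ -n "$1" ] || return 2
  printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 2
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  case $last in 0a|0d|20|09) return 1 ;; esac
  return 0
}

# Print the value of KEY from the top-level spec: section of a manifest on stdin.
spec_field() {
  awk -v k="$1" '/^[^ #]/ { insec = ($0 ~ /^spec:/) }
    insec && $1 == k ":" { sub(/ *#.*/, ""); print $2; exit }'
}

# Print one finding per line for an NsxPluginInstance manifest file; return 1 if any.
lint_instance() {
  findings=0
  for key in name externalId; do
    val=$(spec_field "$key" < "$1")
    valid_plugin_name "$val" || { echo "spec.$key '$val' fails the name regex"; findings=1; }
  done
  if [ "$(spec_field nsxTlsVerify < "$1")" != "true" ]; then
    echo "nsxTlsVerify is not true: the NSX server certificate is not verified"; findings=1
  fi
  return $findings
}

# Constructed sample manifest (values are made up for the demonstration).
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
apiVersion: vmware.eda.nokia.com/v1
kind: NsxPluginInstance
metadata:
  name: my-nsx-plugin-instance
spec:
  name: example-NSX
  externalId: example-external-id_ # constructed: trailing "_" is invalid
  nsxTlsVerify: false
EOF
lint_instance "$sample" || true
```
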

Functionality#

Startup#

When the plugin is started, the following actions are taken by the plugin:

  • The plugin registers itself with Connect, based on the provided externalId. If a matching ConnectPlugin already exists, it is reused.
  • The plugin performs an audit: Any Connect-related state that was programmed in NSX while the plugin was not running is synchronized with Connect.

Polling Loop#

The plugin will connect to a VMware NSX environment and poll for changes. The plugin will configure Connect and EDA based on the configuration in NSX.

vCenter Plugin Dependency#

While NSX is used for defining overlay networking, vCenter is still used to configure the compute hosts and VMs. The NSX plugin has a dependency on one or more VMware vCenter plugins for the creation of the ConnectInterface objects in EDA.

Operational Modes#

The technical preview of the NSX plugin only supports NSX-managed mode.

NSX Managed Mode
Also referred to as Connect Managed. When using this mode, the plugin will create a unique BridgeDomain for each VLAN segment, and also to facilitate overlay segment communication between the hypervisors.

Troubleshooting#

Technical preview

The technical preview in 25.8 will not support alarms. Please consult the logs of the NSX plugin pod for troubleshooting.

The plugin is not running#

If an incorrect NSX hostname or IP is configured in the NsxPluginInstance resource, the plugin will try to connect for 3 minutes and log an error if it fails to connect. To retry, the plugin can be restarted. In case the credentials are incorrect, the plugin will crash and restart immediately.

  • Check the connectivity from the EDA cluster to NSX.
  • Verify the credentials for NSX.
  • Check the logs of the plugin pod.

The plugin is not creating any resources in EDA#

  • Check the connectivity from the EDA cluster to NSX.
  • Check the logs of the plugin pod.
  • Check the plugin staleness state field and verify that heartbeats are being updated.
  • Check the NsxPluginInstance resource and verify that it has valid values.