Hybrid Cloud Extension (HCX) Install Guide for VMware Cloud on AWS
Learn how to deploy HCX for VMware Cloud on AWS
This post will guide you through deploying HCX both in your VMware Cloud on AWS environment and your On-Premises Data Centers.
HCX provides a three key capabilities to customers, these include:
- Connect a source and destination site together for the purpose of migrations
- Extend Layer 2 networks between two sites
- Migrate workloads from your On-Premises Data Center to VMware Cloud on AWS
When deployed, HCX is deployed as a plugin into vCenter, this is where you will access the HCX GUI which allows you to configure HCX, extend networks and migrate workloads. If you want to automate all these steps, there is a number of blog posts on this topic.
HCX has 5 main components, as shown in the image below. Required components are deployed at the source and destination sites.
The HCX Manager integrates HCX with the vSphere environment, and enables it to deliver HCX services. HCX Manager is deployed one to one with each vCenter Server.
HCX Manager is deployed at the source site, the source site/s is generally On-Premises (in can be another VMware Cloud on AWS environment) . HCX Cloud Manager is deployed in VMware Cloud on AWS. HCX Cloud Manager automates the deployment of the other HCX appliances when a service is enabled and configured.
An HCX Site Pair always consists of a source site and a destination site. The components listed in the following sections are always deployed in the context of a site pair.
HCX WAN Interconnect (HCX-IX)
The HCX-IX service appliance provides replication and vMotion-based migration capabilities over the Internet and Direct Connect (DX) to VMware Cloud on AWS. The HCX-IX also provides strong encryption and traffic engineering capabilities.
HCX WAN Optimization (HCX-WAN-OPT)
This service appliance is deployed when WAN Optimization services are enabled for a site pair. The WAN Optimization component only communicates with the HCX-IX, it does not make direct connections to its peer. Note: A WAN Opt increases efficiency by providing data reduction when deployed with network underlays with bandwidth below 1 Gbps.
HCX Extension Appliance (HCX-NET-EXT / L2C)
The HCX Network Extension service provides layer 2 connectivity between sites. HCX Network Extension provides the ability to keep the same IP and MAC addresses during virtual machine migrations.
HCX Sentinel Gateway / Sentinel Data Receiver (HCX-SGW/SDR)
Using VMware HCX OS Assisted Migration (OSAM), you can migrate non-vSphere virtual machines from on-premise data centers to VMware Cloud on AWS. The OSAM service has two components: the HCX Sentinel software that is installed on each virtual machine to be migrated, a Sentinel Gateway (SGW) appliance for connecting and forwarding guest workloads in the source environment, and a Sentinel Data Receiver (SDR) in the destination environment.
Please review this VMware HCX Checklist to make sure you have everything in place for a successful deployment.
The following post will take you through deploying HCX in VMware Cloud on AWS and deploying HCX at a source site (On-Premises)
Deploy HCX in VMware Cloud on AWS
- The first step is to log into the VMC Console at https://vmc.vmware.com
- Select View Details on the Software Defined Data Center (SDDC) that you want to deploy HCX to
- Select Integrated Services
- Select Open HCX
- A new browser tab will open, you should see a list of your SDDCs
- Select Deploy HCX on the required SDDC
- Select Confirm
Deployment of HCX can take between 15-30 minutes. Once the deployment is complete, you need to create a firewall rule to open the necessary ports to access the HCX Cloud Manager within VMware Cloud on AWS. This will be done via the VMC console browser tab.
HCX Inbound Firewall Rule
- From the VMC Console, select the SDDC you have deployed HCX to
- Select the Network & Security tab in the selected SDDC
- Select Gateway Firewall
- Select Management Gateway & select Add Rule
- Create a new inbound firewall rule with these parameters:
- Source: Where the connection to HCX Manager is coming from (ANY, Subnet, IP Address or IP Range)
- Destination: Select System Defined Group and select HCX
- Services: HTTPS (TCP 443)
- Note: HCX is already a system defined group that can be selected as a destination. A user-defined group needs to be created for the source.
- To save the rule, select publish
On-Premises Firewall Rules
Depending on how you plan to connect your existing data center/s to VMC, you will probably need to configure some firewall rules On-Premises. For a full list of the required firewall rules please review the Network Port and Protocol requirements.
If you plan to connect your data center to VMC via the internet, you will probably want the HCX public IP addresses from your VMC deployment to use for your firewall rules.
- To get the HCX Public IP addresses, go into the Networking and Security tab in the selected SDDC & select Public IPs from the left hand menu
- Take note of the HCX and HCX Fleet IP addresses.
Download HCX OVA & Get Activations Keys
The first step is to download the HCX OVA that is used for the On-Premises install of HCX Manager. To get access to the OVA we need to get the VMware Cloud on AWS vCenter username (firstname.lastname@example.org) and associated password, which we will use later on. Note: If you have added an Identity Source to you VMware Cloud on AWS vCenter, you can also use the appropriate login credentials in the steps below.
- In the VMC console, goto the Settings tab, then take note of how to get to the default password (please don't save this password, but come back an retrieve it when you need it later in this post)
- Staying in the Settings tab, scroll down and expand HCX Information, note down the HCX FQDN. If you are using a Direct Connect, make sure the Resolution Address is set to Private IP, if it isn't, Select Edit on the far right, and change this to Private IP. This will allow the connectivity to HCX in VMC to go via the private endpoint rather than public endpoint. The default is the Public IP, which should be selected if you are connecting to HCX over the internet.
- Go back to the VMware HCX tab in your browser (if you have closed it, go back to the VMC console, select Integrated Services on the selected SDDC). Click Open HCX
- Enter your login credentials (vCenter username/password) and select Log In
- Select System Updates and Select Request Download Link. Note if the Request Download Link is greyed out, give it 1 - 2 minutes and it should become clickable
- You can either download the OVA by selecting VMware HCX or select Copy Link to copy the download link (you will need this link when you deploy the OVF template, so note it down, if you plan to use the link)
- Go back to the HCX tab in your browser and select Activation Keys, then select Create Activation Key
- Select Confirm
- Once the Activation Key is created you will the key with the status available, copy the activation key as you will need this later
Please ensure you have the following items noted down:
- HCX FQDN/URL
- HCX Activation Key
- vCenter Username / Password (please don't write the password down)
Deploy HCX On-Premises
You will need the following before you can deploy HCX on premises
- 3 private IP Addresses from the on premises Management Network, these are for the HCX Manager, HCX Interconnect and HCX Network Extension appliances
- The Management Network needs to be able to route externally to the internet (and via Direct Connect if required)
- 1 private IP address from the On-Premises vMotion Network
- Proxy information (if required)
- DNS Server Details
- NTP Server Details
- Administrator@vsphere.local rights or AD user/group with same rights
The below are the 5 key external firewall rules that need to be configured, these were mentioned above in this post, but please ensure the below required ports are allowed on the firewall. Also ensure that you have reviewed the Network Port and Protocol Requirements
|4500||UDP||On-Premises Network Extension Appliance||VMC Network Extension Appliance|
|4500||UDP||On-Premises Interconnect Appliance||VMC Interconnect Appliance|
|443||TCP||On-Premises HCX Manager||VMC HCX Manager|
|443||TCP||On-Premises HCX Manager||hybridity-depot.vmware.com|
|443||TCP||On-Premises HCX Manager||connect.hcx.vmware.com|
Lets begin the deployment, the first step is to deploy the HCX Manager OVA.
- Login to your On-Premises vCenter
- Right Click on the folder / Resource Pool that you want to deploy the HCX Manager appliance to, and select Deploy OVF template
Follow the wizard to deploy the OVF template, please note:
- Make sure the HCX Manger is deployed to the Management Network
- Remember the username and passwords you set, you will need these as part of the deployment process
- Please enter DNS, NTP & Domain Search List
- Enable SSH
- Once the OVF is deployed make sure the VM is powered on, this will take about 15-20 minutes to finish initiating
- We are now going to connect to the new On-Premises HCX Manager. Open a new browser tab and connect to https://privateipofhcxmanager:9443
- Login with the admin username and password you set during the HCX OVF deployment (note if you can't connect to the login page, please make sure you have given it 20 minutes since you powered the VM on)
- Activate your HCX instance, copy and paste the Activation Key you saved from the VMC portal. Click Activate
Note: If activation fails or has a timeout, one of the most common reasons is, there has not been a firewall rule configured for HCX Manager to authenticate to https://connect.hcx.vmware.com please review all the required firewall rules, also confirm you have the right Activation Key.
- Enter the location of your current Data Center (the city), select Continue
- Give the system a name, select Continue
- Select on Yes, Continue
- Connect your vCenter, please enter the vCenter URL, username and password that has administration rights to the On-Premises vCenter, Select Continue
If you are running NSX, select Connect your NSX, enter the credentials for the on premises NSX Manager
- Configure SSO/PSC, enter the Identity Sources, select Continue
- Great work, now select Restart
This should take between 15 – 20 minutes to restart and for the plugin into vCenter to be added. You may need to log out and back into vCenter.
After 15-20 minutes check that the HCX plugin has been deployed into vCenter
Setup HCX Site Pair
A Site Pair establishes the connection needed for management, authentication, and orchestration of HCX services across a source and destination environment. The HCX site pair is created by pairing the On-Premises HCX Manager with the VMware Cloud on AWS HCX Manager on port 443.
- Within your On-Premises vCenter, go into the menu and select HCX
- Once the HCX GUI has loaded, on the left hand menu, select Site Pairing
- Click Add a Site Pairing
- Enter in the remote HCX URL (if you are using Direct Connect / TGW / vTGW please make sure you have changed the HCX Resolved Address to Private), the VMC vCenter username "Cloudadmin@vmc.local" (If you have configured another Identity Source in the VMC vCenter, please use the appropriate username/password for this step) and the VMC vCenter Password, click connect
Compute and Network Profiles
A Compute Profile defines where the HCX appliances will be deployed On-Premises (Think folders, resource pools, networks, etc).
A Network Profile defines a range of IP addresses / networks that can be used for HCX appliances.
- In HCX , select Interconnect from the left hand menu, select Compute Profile, Create Compute Profile
- Give the Compute Profile a name, select Continue
- Select the Services to be activated, select Continue
- Select Resources from the Drop down menu, select ok, then select Continue
- Select the Resources, Datastore and Folder (optional) to deploy the appliances to, select Continue Note : Interconnect Appliance Reservation Settings are optional, so set these if required.
Select the Management Network Profile drop down
Select Create Network Profile
- Select the Management Network, give the Network Profile a Name, set an IP range for the available IP address. These are the IP addresses that will be assigned from the Management Network to the Interconnect and Network Extension Appliances (you will need 2 or more Private IPs)
- Fill in the Prefix Length, Gateway IP, DNS/DNS Suffix, and select the HCX Traffic Types (Management, HCX Uplink, vSphere Replication - note if these services need different Network Profiles, you will need to create them, we will cover this later in this post)
- Select Create, then make sure the Management Network you just created is selected, then select Continue
- Select the Up-link Network Profile Drop down and Select the Management Network you just created Note: If you have a different Uplink Network, please select the dropdown, instead of selecting Management Network, select Create Network Profile, and go through the process of creating the new Network Profile for the Uplink Network
- Select the vMotion Network Profile Drop down, select Create Network Profile
- Find your vMotion Network and select it
- Input a Name for the Network Profile
- Set an IP range for the available IP address. This is the IP addresses that will be assigned from the vMotion, you should only need one IP address
- Fill in the Prefix Length, Gateway IP, DNS/DNS Suffix and Select vMotion under the HCX Traffic Type
Select Create, then select the vMotion Network and select Continue
Select the vSphere Replication Network Profile drop down, and select the Management Network profile you created earlier, select Continue Note: If you have a different vSphere Replication Network, please select the dropdown, instead of selecting Management Network, select Create Network Profile, and go through the process of creating the new Network Profile for vSphere Replication
Select the Network Containers drop down and select the virtual switches or transport zones that are eligible for HCX Network Extension Operations, Select Continue
- Review the firewall rules that are displayed, if your or you networking/security team hasn't setup the other firewall rules yet, now is the time to do that. select Continue
- Select Finish You have now created your Compute and Network Profiles.
The Compute Profile Tab should now look similar to this screenshot
The Network Profile tab should look similar to this screenshot (the Management and vMotion network profiles you created should be in here)
If you are using a Direct Connect / TGW / VMware Transit Connect to VMC
If you are going to leverage a Direct Connect / TGW / VMware Transit Connect you will need to configure an additional Network Profile within the VMC HCX Manager
- Login to your VMware Cloud on AWS vCenter
- Open HCX from the menu
- Goto Interconnect from the left hand menu, and select Network Profiles
- There is a Network Profile named directConnectNetwork1, select Edit
- Enter the IP ranges / IP addresses you want to use, you need a minimum of 2 IP addresses (1 for the Network Extension and 1 for the Interconnect Appliances, if you plan to have multiple sites connecting to VMC and multiple Network Extension appliances, you will need more than 2 IP addresses.
- Select Update
Service Mesh specifies a local and remote Compute & Network Profile pair. When a Service Mesh is created, the HCX Service appliances are deployed on both the source and destination sites and automatically configured by HCX to create the secure optimized transport fabric.
- In HCX, select Interconnect, then select the Service Mesh Tab
- Select Create Service Mesh
- Select the On-premises and VMC sites, select Continue
- Select the Source Compute Profile and Remote Compute Profile form the Drop downs, select Continue
- Select the Services to be activated, select Continue
- Select the Source Site Uplink Network Profile (usually the Management network, or if you had to create a seperate Uplink Network Profile, select this)
Select the Destination Site Uplink Network Profile (Select externalNetwork for internet connectivity OR select directConnectNetwork1 for Direct Connect/TGW/VMware Transit Connect)
Select how many Network Extension Appliances you want deployed (1 is the default, each network extension appliance can handle up to 8 extended networks), select Continue
- Select if you want Application Path Resiliency and TCP flow Condition enabled. Note: Details of both these options can be found here
- Enter a Bandwidth Limit if you want to throttle the traffic
Review the topology, select Continue
- Provide a name for the Service Mesh, select Finish
The HCX appliances are now deploying, this should take between 20-40 minutes to deploy.
To track the progress, click on view Tasks in the Service Mesh that is being deployed
Under tasks you can follow along while all the appliances are deployed.
Once the tasks are all complete, select Appliances, if everything is successful you should see the Tunnel Status as Up on the Interconnect and Network Extension Appliances. This means the 2 IPSEC tunnels have been successfully created and connected. (Note: If the one or both two tunnels show "Down" instead of "Up" the first place to investigate is to make sure the correct firewall rules have been configured. Both these tunnels need UDP Port 4500 allowed, to and from the HCX Network Extension Appliance and Interconnect Appliance On-premises)
Also, once completed you should see a similar view to the below screen shot
That is the end of this post, hopefully this was useful for your HCX deployment. If you have any questions, or want to see some more detail in particular areas on this post, please comment below and I will do my best to answer any questions and make updates as HCX updates and evolves.
- rePost-User-3609941lg...已提問 4 個月前lg...
- AWS 官方已更新 1 個月前
- AWS 官方已更新 1 年前
- AWS 官方已更新 3 個月前