- Introduction
- Basic configuration required for enabling the VPC
- How to associate the users with the NSX VPC as per the topology diagrams
- How to configure the VPC Networking
- Intra-VPC Communication Flow
- Conclusion
1. Introduction
The project is the fundamental component that enables the VPC's functionality. In this post we will not delve into the intricacies of the project and its operation; for those seeking an in-depth understanding of the concept, the following link provides comprehensive information.
The VPC is a self-contained boundary that provides networking and security. Unlike in plain NSX, where the administrator creates segments directly, the VPC admin creates a subnet and the platform automatically allocates the IP addresses for it. The VPC admin does not need an in-depth understanding of which subnets to assign to these segments, because this process is entirely automated. There is also no need to create a router, since routing between the subnets is implicit, except for isolated subnets. The VPC admin only needs to decide the type of each subnet, which can be private, public, or isolated.
I am pleased to provide you with detailed explanations of the following topics.
- Basic configuration required to enable the VPC.
- How to associate the users with the NSX VPC as per the topology diagrams.
- How to configure the VPC networking.
- Intra-VPC communication flow.
- Conclusion.
Below is the high-level topology we will simulate in this blog.
Capture 1:-

Brief information about the topology
- We will create a T0 under the /ORG or default space.
- We will create two VPCs under the project "Automation" (VPC-Operations & VPC-Engineering).
- VPC-Operations will be owned by the VPC administrator TOM.
- VPC-Engineering will be owned by the VPC administrator CHRIS.
- VPC-Operations has its own auto-created T1 and project distributed firewall rules.
- VPC-Operations has its dedicated private IP block 192.168.90.0/24, which will be further divided into dedicated subnets/segments (Web & APP). DB is the public subnet as per our topology diagram.
- VPC-Engineering has its own auto-created T1 and project distributed firewall rules.
- VPC-Engineering has its dedicated private IP block 192.168.80.0/24, which will be further divided into dedicated subnets/segments (Test). Prod is the public subnet and iKB is the isolated subnet as per our topology diagram.
- Both VPCs are connected to the common T0 gateway (TO-VPC).
- The subnets/segments of both VPCs are connected to their dedicated T1 (T1-VPC-OPS & T1-VPC-ENGG).
- Both VPCs use the default /ORG transport zone.
2. Basic configuration required for enabling the VPC
1. NSX-T version should be 4.1.1.x or higher.
Capture 2: –

2. Edge Cluster should be configured with Edges.
Capture 3: –

3. The tier-0 gateway should be configured and its status should be Success.
Capture 4:-

4. A project should be configured. In this blog we configure the project named "Automation". (For what a project is and how to create one, please refer to this link.)
Capture 5: –

Step 1:- Click on “ADD PROJECT”
Step 2:- Give the name of the project. As per our design, we have given the project name “Automation”.
Step 3:- Select the T0. As per our design, we will select the TO-VPC.
Step 4:- Select the edge cluster. As per our design, we will select the “Edge-Cluster-Shared”.
Step 5:- Click on the 3 dots under External IPv4 Blocks and then click on "Create New".
Step 6:- Give the name. As per our design, we have named it "External IPV4 Blocks".
Step 7:- Give the CIDR detail. As per our design, we have given 10.10.10.0/24.
Step 8:- In the Visibility field, "External" will be auto-populated.
Step 9:- Click on Save.
Step 10:- The name of the external block is auto-populated because we have given a single block; if you have given more than one block, you have to select the right one.
Note:- A maximum of five external IPv4 blocks can be added to a project. The external IPv4 blocks must not overlap each other within a project, and they must not overlap on the same tier-0 gateway.
Step 11:- Click on SAVE.
Step 12:- Click on NO if we are not making any changes, else select Yes.
Step 13:- We can give the name of the short log identifier. As per our design, we have given "Automate"; if we leave it blank, it will be auto-created.
Note:- The short log identifier, such as "Automate", is what the system uses to identify the logs generated in the context of this project. The short log identifier is applied to the security logs and audit logs.
5. Now we configure the basic settings of the VPCs so that we can associate the users.
Capture 6:-

Step 1:- Login as the admin.
Step 2:- Click on the drop down button.
Step 3:- Click on the Project name “Automation”.
Capture 7:-

Step 1:- Click on VPCs.
Step 2:- Click on ADD VPC tab under the VPC.
Capture 8:-

Step 1:- Give the name of the VPC. As per our design, we have created two VPCs, "NSX VPC-Operations" & "NSX VPC-Engineering".
Step 2:- Select the T0. As per our design, we have selected "TO-VPC".
Step 3:- Select the External IP Blocks. As per our design, we have selected "External IP Block".
Note:- To satisfy the basic configuration we have to give either an External IP Block or a Private IP Block, or both.
Step 4:- Under DHCP, "Managed by NSX" will be auto-selected. With this option NSX allocates the IP schema from the given IP blocks.
Note:- If we select the "External" option, then we have to configure the DHCP relay agent.
If we select None, then we do not need to give anything.
Step 5:- Select the edge cluster. As per our design, we have selected "Edge-Cluster-Shared".
Step 6:- The short log identifier is not mandatory. Then click on Save.
3. How to associate the users with the NSX VPC as per the topology diagrams
As per the topology diagram, "Active Directory" is already integrated with NSX-T. Now we will assign the roles to the respective users.
Capture 1:-

Step 1:- Login as the enterprise admin.
Step 2:- Click on System
Step 3: – Click on user management under the Settings
Step 4: – Click on “User Role Assignment” under the user management.
Note: – If you don't have Active Directory or any other authentication mechanism, you can create the users under "Local Users" and assign the required roles. Follow the link to explore this option.
Step 5: – Click on “ADD Role For LDAP Users”.
Capture 2:-

Step 1: – Select the domain. As per our topology diagram, we have given "corp.local".
Step 2: – Select the user we want to associate with the VPC. As per our topology diagram, we will configure the user "TOM" as VPC Admin for NSX-VPC-Operations and the user "CHRIS" as VPC Admin for NSX-VPC-Engineering.
Step 3: – Click on Set under the roles.
Step 4: – Click on ADD ROLE.
Step 5: – Select the VPC Admin role from the Dropdown.
Step 6: – Click on “SET” under the Scope.
Step 7: – Select the VPC that we want to associate with the respective user. As per our topology diagram, we have selected the “NSX-VPC-Operations”.
Step 8: – Click on APPLY.
Step 9: – Click on ADD.
Step 10: – Click on Apply.
Step 11: – Click on SAVE
The user Tom is successfully associated with NSX-VPC-Operations & the user Chris is successfully associated with NSX-VPC-Engineering.
Now we will log in with the assigned user credentials and look at the dashboard.
Capture 3: –

Step 1: – Login with the VPC-associated user and password. As per the above capture, we are successfully logged in to both VPCs.
Step 2: – Click on VPCs.
Step 3: – The associated VPC name will be auto-populated.
Step 4: – Click on the number 1 and we will see the associated user details bound to the right VPC.
Step 5: – Status should be green if it is successfully configured; otherwise we have to repeat the above steps.
Note: – The VPC admin has very limited access. At most, a VPC admin can perform the tasks below:
VPC Admin can do:
Create new subnets, new static routes, new NAT rules, new security policies (E-W & N-S) & new groups.
VPC Admin can't do:
Edit the VPC name, IP assignment, service settings, profiles, the size of already created subnets, already created static routes, network services (NAT) & default security policies.
4. How to configure the VPC Networking
Below are the steps we perform to configure the VPC networking.
- We will configure the Private IPv4 Blocks for both VPCs (NSX-VPC-Operations & NSX-VPC-Engineering).
- We will configure the respective subnets for each VPC.
- Review the NAT profile.
- We will attach the VMs to the respective subnet of each VPC.
- Review the auto-created VPC segments.
- Review the auto-created T1 GW of each VPC.
1. We will configure the Private IPv4 Blocks for both VPCs (NSX-VPC-Operations & NSX-VPC-Engineering).
As per the captures below, I will show the configuration of one VPC (NSX-VPC-Operations); the other VPC (NSX-VPC-Engineering) is configured the same way.
Capture 1:-

Step 1:- Login with the enterprise admin rights user.
Step 2: – From the drop-down menu select the project. As per our topology diagram, we are selecting the project "Automation".
Step 3: – Click on VPCs.
Step 4: – Click on the 3 dots in front of the VPC and click on Edit. As per our topology diagram, we will edit the VPC "NSX-VPC-Operations".
Step 5: – Click on the 3 dots in front of Private IPv4 Blocks.
Step 6: – Click on "Create New".
Capture 2:-

Step 1:- Give the name of the Private IP Block. As per our topology diagram, we will give NSX-OPS-Blocks.
Step 2: – Give the CIDR value. As per our topology diagram, we will give 192.168.90.0/24.
Note:- The IPv4 T-shirt sizes of the VPC subnets/segments will be consumed from this CIDR. Kindly plan your CIDR accordingly.
Step 3: – By default, the visibility is "Private". This option is greyed out and cannot be changed from the GUI.
Step 4: – Click on SAVE.
Step 5: – Click on "Save" to complete the VPC settings.
Note:- Once it is saved we can't make any changes to the Private IPv4 Blocks from the VPC. If we want to make any changes, then follow the capture below.
Capture 3 :-

Step 1: – Login with the enterprise admin rights user.
Step 2: – Click on Networking.
Step 3: – Click on IP Address Pools under IP Management.
Step 4: – Click on IP Address Blocks.
Step 5: – Click on the 3 dots and click on Edit.
2. We will configure the respective subnets for each VPC.
Capture 1:-

Step 1:- Click on "Set" under the connectivity subnets.
Step 2:- Click on "ADD Subnet".
Capture 2 :-

Step 1: – Give the name of the subnet. As per our topology diagram, we will configure the Web (private), APP (private) & DB (public) subnets.
Step 2: – As per our topology diagram, we are using "Private".
Note: – There are 3 types of access mode:
- Private: – A private subnet is only accessible within the NSX VPC and allows workloads to communicate with other workloads on private or public subnets within the same VPC.
- Public: – A public subnet in the NSX VPC is reachable from outside and has direct external connectivity by default. It is advertised up to the tier-0 gateway of the project, allowing the IPv4 addresses in the subnet to be accessible from both inside and outside the project.
- Isolated: – An isolated subnet cannot communicate with workloads on private or public subnets within the same NSX VPC, and packets from isolated subnets cannot go outside the VPC. VPC admins must manually specify the CIDR of an isolated subnet.
Step 3: – By default, Automatic IP Assignment is enabled; if we disable this toggle button, then the VPC admin can manually assign the subnet CIDR.
Step 4: – In this step, we configure the workload size. It ranges from 16 workloads up to 256 workloads. As per our topology diagram, we will use 64 workloads for the WEB subnet, 16 workloads for the DB subnet & 32 workloads for the APP subnet.
Note: – Four IPs from each subnet are reserved by default for internal use. Subnet division depends on the order of configuration: as per our topology diagram, the Web subnet gets 64 workload usable IPs first, then the APP subnet gets 32 workload IPs, and the DB subnet gets 16 usable IPs from the External IP Block pool.
Step 5: – Click on Save.
Step 6: – Click on Close.
3. Review the NAT profile.
Capture 1 : –

Step 1: – Click on the number 1 after NAT under Network Services.
Step 2: – Click on the drop-down and we will find the following details pre-populated by NSX:
- Name: – Default created.
- Action: – SNAT.
- Source IP: – The Private IP Block subnet pool.
- Destination IP: – Any.
- Translated IP: – The External IP Block IP pool.
- Enabled: – Yes.
Note:- The VPC admin can create NAT rules from the "ADD NAT Rule" option. The Default Outbound NAT option is enabled by default to ensure private subnets are routable outside of the VPC. One SNAT rule is auto-plumbed, and its translated IP is taken from the external IPv4 block of this VPC.
Note:- The NSX-VPC-Engineering Private IP Blocks & subnet details below are for reference only.

4. We will attach the VMs to the respective subnet of each VPC.
Below is the logical representation of the VM alignment with the VPC subnets.
Capture 1: –

As per the above capture, we can see the association of each VM with its respective subnet.
Now let us check the IPAM consumption of the VPC APP subnet as an example. The same procedure can be used for the other subnets.
Capture 2: –

Step 1: – Login with VPC admin rights. As per our topology diagram, we will log in as the user "TOM".
Step 2:- Click on VPCs.
Step 3: – Click on the drop-down arrow in front of the VPC. In the current example, APP-Subnet falls under NSX-VPC-Operations.
Step 4: – Click on Subnets under Connectivity. As per our topology diagram, we will click on the 3 in front of the subnet.
Step 5: – Click on the drop-down arrow in front of APP-Subnet.
Step 6: – Click on the 1 under the subnet port and we can see that APP_Vm-01 is associated with APP-Subnet.
Step 7: – Click on "VIEW IPAM STATISTICS" and we can see the IPAM details such as IP pool name, type, IP range, allocated IPs & allocated %.
5. Review the auto-created VPC segments.
VPC subnets are viewed as segments in NSX-T.
Capture 1 : –

Step 1: – Login as a project admin or enterprise admin.
Step 2: – Select the project from the drop-down menu. As per our topology diagram, we select the project name "Automation".
Step 3: – Click on Networking.
Step 4: – Click on Segments.
Step 5: – Click the radio button in front of VPC realized objects.
Note:- If we do not select the radio button in front of VPC realized objects, then we cannot see the VPC objects; we can only see the project objects.
Step 6: – The red-marked entries are the NSX-VPC-Operations realized subnets/segments.
Step 7:- The blue-marked entries are the NSX-VPC-Engineering realized subnets/segments.
6. Review the auto-created T1 GW of each VPC.
The T1 GW is auto-created when we create the subnets of the VPCs.
Capture 1:-
NSX-VPC-Engineering

Step 0: – Login as a project admin or enterprise admin. Select the project from the drop-down menu. As per our topology diagram, we select the project name "Automation".
Step 1: – Click on Networking.
Step 2: – Click on Tier-1 under Connectivity.
Step 3: – Click the radio button in front of VPC realized objects.
Note:- If we do not select the radio button in front of VPC realized objects, then we cannot see the VPC objects; we can only see the project objects.
Step 4: – Click on the drop-down in front of the VPC.
Step 5: – Click on the 2 under linked segments and we can see the Prod and Test subnets, but not the iKB subnet, because the iKB subnet's access mode is ISOLATED and isolated subnets are not connected to the tier-1 gateway.
Step 6: – Click on the 1 in front of Set Route Advertisement Rules and we can see that a route advertisement rule is already created and all types of route advertisement filters are allowed.
Capture 2: –
NSX-VPC-Operations

Step 0: – Login as a project admin or enterprise admin. Select the project from the drop-down menu. As per our topology diagram, we select the project name "Automation".
Step 1: – Click on Networking.
Step 2: – Click on Tier-1 under Connectivity.
Step 3: – Click the radio button in front of VPC realized objects.
Note:- If we do not select the radio button in front of VPC realized objects, then we cannot see the VPC objects; we can only see the project objects.
Step 4: – Click on the drop-down in front of the VPC.
Step 5: – Click on the 3 under linked segments and we can see the APP, DB & WEB subnets.
Step 6: – Click on the 1 in front of Set Route Advertisement Rules and we can see that a route advertisement rule is already created and all types of route advertisement filters are allowed.
5. Intra-VPC Communication Flow
Let us first test the NSX-VPC-Operations subnet communication. We will divide our testing into 3 phases.
- Private to private subnet with traceflow
- Private or public to isolated
- Private to public subnet with traceflow
Phase 1:-
- Private to private subnet ICMP & traceflow (NSX-VPC-Operations).
As per our topology diagram, the private subnets are the WEB Subnet and the APP Subnet.
Capture 1 : –

As per the above capture, we successfully pinged from the WEB to the APP subnet.
Let us try the traceflow communication from APP to WEB.
Note: – The VPC admin can't see the traceflow option. We can run the traceflow with project admin rights.
Capture 2: –

As per the above capture, we can see that the traceflow from APP-VM-01 to WEB-VM-01 is successfully delivered.
Phase 2:-
- Private or public subnet to isolated (NSX-VPC-Engineering).
As per our topology diagram, the private subnets are the WEB Subnet and the APP Subnet.
Capture 1 : –

- iKB-VM-01 is unable to ping the gateway because the gateway does not exist: due to its isolated nature, the subnet is not connected to the NSX-VPC-Engineering tier-1 gateway.
- iKB-VM-01 can ping the isolated subnet's DHCP server IP.
- iKB-VM-01 is unable to ping the Test-VM-01 IP, as expected.
- iKB-VM-01 is unable to ping the PROD-VM-01 IP, as expected.
Phase 3:-
- Public to private subnet ICMP & traceflow (NSX-VPC-Operations)
Capture 1:-

As per the above capture, we successfully pinged from the DB to the WEB subnet & from the DB to the APP subnet.
Let us try the traceflow communication from DB to WEB & from APP to DB.
Note: – The VPC admin can't see the traceflow option. We can run the traceflow with project admin rights.
DB-VM-01 to WEB-VM-01:-

As per the above capture, we can see that the traceflow from DB-VM-01 to WEB-VM-01 is successfully delivered.
APP-VM-01 to DB-VM-01:-

As per the above capture, we can see that the traceflow from APP-VM-01 to DB-VM-01 is successfully delivered.
Public to private subnet ICMP & traceflow (NSX-VPC-Engineering)
PROD-VM-01 to TEST-VM-01:-
Capture 2: –

As per the above capture, we successfully pinged from PROD-VM-01 to TEST-VM-01.
Let us try the traceflow communication from TEST-VM-01 to PROD-VM-01.
Note: – The VPC admin can't see the traceflow option. We can run the traceflow with project admin rights.

As per the above capture, we can see that the traceflow from TEST-VM-01 to PROD-VM-01 is successfully delivered.
6. Conclusion
Thank you for taking the time to peruse this post. The purpose of this article is to examine the fundamental requirements of basic Virtual Private Cloud (VPC) configuration, the association of users and their respective rights with VPCs, the functioning of networking in VPCs, and the mechanics of intra-VPC communication flows.
In the forthcoming post, we will delve deeper into the packet flow of intra-VPC virtual machine (VM) behavior. It is our hope that these discussions will provide readers with a comprehensive understanding of VPCs and their intricacies.
We acknowledge that exploring the complexities of VPC configuration and networking can be challenging. However, we are confident that our insights and expertise will enable readers to gain a comprehensive understanding of these concepts.
Thank you for your interest, and we look forward to presenting our forthcoming post.