PCF PAS NSX-T 2.3 Preparation (NO-NAT)

T1 Routers & Logical Switches

Create T1 Router – T1-PAS-Infrastructure. An Edge cluster is not needed for this T1 router.

Create Logical Switch LS-PAS-Infrastructure.

Create a router port on the T1 and connect it to the LS.

IP Address: 10.11.24.124

On the T1, enable route advertisement options.

 

Create T1 Router – T1-PAS-Deployment. Attach an Edge cluster to this T1 router, as Load Balancer services will be enabled on it.

Create Logical Switch LS-PAS-Deployment.

Create a router port on the T1 and connect it to the LS.

IP Address: 10.11.25.124

On T1-PAS-Deployment, enable the following route advertisement options:

– All NSX Connected Routes

– All LB VIP Routes

Create T1 Router – T1-PAS-Services. An Edge cluster is not needed for this T1 router.

Create Logical Switch LS-PAS-Services.

Create a router port on the T1 and connect it to the LS.

IP Address: 10.11.26.124

On the T1, enable route advertisement options.

NSX-T Load Balancers

For PAS, you will need load balancers for the GoRouters, MySQL and the Diego Brain. Here is the breakdown:

  • LB for GoRouter HTTP

    Used to redirect HTTP traffic to HTTPS

  • LB for GoRouter HTTPS

    Used for application access from outside and also for internal communication

  • LB for MySQL

    Used for internal MySQL communication

  • LB for DiegoBrain

    Used for SSH access to applications

Add an LB instance which will be shared by the GoRouter, MySQL proxy and DiegoBrain virtual servers.

For LB sizing, please refer to https://communities.vmware.com/docs/DOC-37986

LB: Go Routers

Create an NSGroup for GoRouter HTTPS to be used as the members of a pool. There is no need to configure members now, as PAS will configure them automatically for you later.

Create Monitoring for Go Router.

Add New Active Health Monitor – Monitor Properties for GoRouters.

Add New Active Health Monitor – Health Check Parameters for GoRouters.

Next we will create an Application Profile for Go Router HTTPS. Additionally, to make the client IP address visible to the applications behind the GoRouters, configure X-Forwarded-For.

Create an LB Server Pool for Go Router HTTPS.

Change the Load Balancing Algorithm to LEAST_CONNECTION and enable TCP Multiplexing.

Choose Auto Map for the SNAT Translation Mode and disable Port Overload.

Choose Dynamic for the Membership Type. Select the NSGroup that you previously created for the GoRouters – NSGroup-GoRouters. Set Max Group IP Address List to the maximum number of Go Routers you plan to run.

Select the Active Health Monitor – monitor-gorouter – which you created previously.

Create a Virtual Server (VS) for GoRouter HTTPS.

Choose Layer 7 for the Application Type and select the Application Profile – profile-go-router-https – which you created previously.

For Virtual Server Identifiers, you need to configure an IP address for this virtual server. As I have 10.11.0.0/16 routed from my physical network to the NSX-T T0 routers and 10.11.24.0/21 reserved for the PAS deployment, I will use another /24 subnet from that range for the virtual servers: 10.11.31.0/24, the last /24 of the /21. Any address in 10.11.31.0/24 will do. Put in port 443 for Port and Default Pool Member Port.

Select Server-Pool-Go-Router, which you created previously, as the Default Server Pool.

Leave the Persistence Profiles as default.

Configure the Client Side SSL: enable Client Side SSL.

Configure the Server Side SSL: enable Server Side SSL.

Now we need to attach this VS to the LB object we created previously.

Next, we will create an LB Application Profile for Go Router HTTP redirection to HTTPS.

Choose HTTP to HTTPS Redirect.

Create the Go Router HTTP Virtual Server. Select the profile-go-router-http Application Profile which you created previously.

Use the same IP address which you configured for the Go Routers HTTPS virtual server; the value 10.11.31.1124 given here is a typo (it is not a valid IPv4 address), so reuse whichever address you chose from 10.11.31.0/24.

Leave everything default for Server Pool and Rules.

Leave Persistence Profiles as default as well.

Leave Client Side SSL disabled.

Leave Server Side SSL disabled.

Attach the VS-Go-Router-HTTP virtual server to the LB-PAS Load Balancer.

 

LB: MySQL Proxy

Create an NSGroup for MySQL Proxy to be used as the members of a pool. There is no need to configure members now, as PAS will configure them automatically for you later.

Create LB Monitoring for MySQL Proxy. Change the Health Check Protocol to LbTcpMonitor and specify 1936 for the Monitoring Port.

Leave the New Active Health Monitor – TCP Health Check Parameters as default.

Create an LB Server Pool for MySQL Proxy. Select LEAST_CONNECTION for the Load Balancing Algorithm. Leave TCP Multiplexing disabled.

Choose Auto Map for the SNAT Translation Mode and Disabled for Port Overload.

Choose the Dynamic Membership Type and select the NSGroup-MySQL-Proxy which you created previously. Specify the maximum number of pool members.

Select monitor-mysql-proxy as the Active Health Monitor.

Next, add a Virtual Server for MySQL. Choose the Layer 4 TCP Application Type and select nsx-default-lb-fast-tcp-profile for the Application Profile.

For Virtual Server Identifiers, use another IP address from the virtual server subnet, 10.11.31.0/24. Put in port 3306 for Port and Default Pool Member Port.

Select the Server-Pool-MySQL-Proxy server pool.

Leave the Load Balancing Profiles as default.

Attach the VS-MySQL-Proxy virtual server to the LB-PAS load balancer.

 

LB: Diego Brain

Create an NSGroup for Diego Brain to be used as the members of a pool. There is no need to configure members now, as PAS will configure them automatically for you later.

Create LB Monitoring for Diego Brain. Select LbTcpMonitor for the Health Check Protocol and specify 2222 for the Monitoring Port.

Leave the Health Check Parameters as default.

Create an LB Server Pool for the Diego Brains. Select LEAST_CONNECTION for the Load Balancing Algorithm and leave TCP Multiplexing disabled.

Choose Transparent for the SNAT Translation for Diego Brain. In transparent mode the pool members see the real client source address of the SSH session, but the return traffic from the Diego Brain must then route back through the T1 that hosts the load balancer.

Choose the Dynamic Membership Type and select the NSGroup-Diego-Brain which you created previously. Specify the maximum number of pool members.

Select monitor-diego-brain for the Active Health Monitor.

Add a Virtual Server for Diego Brain. Choose the Layer 4 TCP Application Type and select nsx-default-lb-fast-tcp-profile for the Application Profile.

For Virtual Server Identifiers, use another IP address from the virtual server subnet, 10.11.31.0/24. Put in port 2222 for Port and Default Pool Member Port.

Select Server-Pool-Diego-Brain for the Server Pool.

Leave the Load Balancing Profiles as default.

Attach VS-Diego-Brain to the LB-PAS load balancer.
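As an added check that is not part of the original post, the following Python script validates the NO-NAT address plan described above: the T1 router port addresses and the load balancer VIPs must sit inside the routed 10.11.0.0/16 and the PAS 10.11.24.0/21, every VIP must come from 10.11.31.0/24, the GoRouter HTTP and HTTPS virtual servers must share one VIP, and no two virtual servers may claim the same VIP and port. The VIP values are constructed sample values; the post only fixes the /24 they must come from.

```python
# Added example, not part of the original post: sanity-checks the NO-NAT
# address plan. The three ranges and the T1 router port addresses are taken
# from the post; the VIPs are constructed values (the post only fixes the /24).
import ipaddress

ROUTED_TO_T0 = ipaddress.ip_network("10.11.0.0/16")   # routed to the T0 routers
PAS_RESERVED = ipaddress.ip_network("10.11.24.0/21")  # reserved for PAS
VIP_SUBNET = ipaddress.ip_network("10.11.31.0/24")    # last /24 of the /21

# Router port address of each T1 (from the post).
T1_DOWNLINKS = {
    "T1-PAS-Infrastructure": "10.11.24.124",
    "T1-PAS-Deployment": "10.11.25.124",
    "T1-PAS-Services": "10.11.26.124",
}

# (virtual server, VIP, port); VIPs are constructed sample values.
VIRTUAL_SERVERS = [
    ("VS-Go-Router-HTTPS", "10.11.31.10", 443),
    ("VS-Go-Router-HTTP", "10.11.31.10", 80),   # must share the HTTPS VIP
    ("VS-MySQL-Proxy", "10.11.31.11", 3306),
    ("VS-Diego-Brain", "10.11.31.12", 2222),
]


def validate_plan(downlinks=T1_DOWNLINKS, virtual_servers=VIRTUAL_SERVERS):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    if not PAS_RESERVED.subnet_of(ROUTED_TO_T0) or not VIP_SUBNET.subnet_of(PAS_RESERVED):
        findings.append("VIP /24 or PAS /21 lies outside the routed ranges")
    for name, addr in downlinks.items():
        ip = ipaddress.ip_address(addr)
        if ip not in PAS_RESERVED or ip in VIP_SUBNET:
            findings.append(f"{name}: {addr} is outside the PAS /21 or inside the VIP /24")
    seen, vips = set(), {}
    for name, vip, port in virtual_servers:
        try:
            ip = ipaddress.ip_address(vip)   # catches typos such as 10.11.31.1124
        except ValueError:
            findings.append(f"{name}: {vip!r} is not a valid IP address")
            continue
        if ip not in VIP_SUBNET:
            findings.append(f"{name}: VIP {vip} is not in {VIP_SUBNET}")
        if (ip, port) in seen:
            findings.append(f"{name}: {vip}:{port} is already used by another virtual server")
        seen.add((ip, port))
        vips[name] = ip
    # The HTTP redirect virtual server reuses the HTTPS VIP; only the port differs.
    if vips.get("VS-Go-Router-HTTP") != vips.get("VS-Go-Router-HTTPS"):
        findings.append("GoRouter HTTP and HTTPS virtual servers must share one VIP")
    return findings
```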