Cross-VC NSX: Easy and Flexible Multiple Deployments

    As you know, Cross-VC NSX makes multisite deployments possible: it provides centralized vertical routing between logical networks deployed in NSX domains and the external infrastructure of the physical network.

    The benefits of this feature are clear at a glance: mobility, workload balancing, resource pooling, centralized management and security policies for vCenter domains / sites, and disaster recovery. This article does not go into detailed technical specifics; it focuses on the ease and flexibility of using Cross-VC NSX for multiple sites.


    In this example, vCenter, the primary NSX Manager, and Universal Controller Cluster (UCC) are deployed on site 1. The secondary NSX Manager registered with the primary NSX Manager is deployed on site 2 with the corresponding vCenter.



    Figure 1

    Figure 2 shows the NSX Managers with the roles “primary” and “secondary”, as well as the corresponding UCC clusters and relationships. The Universal Controller Cluster is deployed from the primary NSX Manager on site 1, inside the vCenter to which that NSX Manager is linked.

    There are only 3 universal controllers on the main site, and they manage all universal and local objects for all vCenter domains inside the Cross-VC NSX deployment. However, in Figure 2, the NSX Controller Nodes section shows the status of all controllers with respect to all NSX Managers.



    Figure 2

    As seen in Figure 3, the Universal Controller Cluster is deployed in the Edge cluster on site 1.



    Figure 3

    Once NSX is configured, the primary and secondary roles for the NSX Managers are assigned, and the UCC is deployed, you can start creating logical networks connecting different sites with a single click of a button.



    Figure 4


    If the user wants an Active / Active deployment, where the active workloads for the same segment are on both sites (deployment configuration with one high availability server), this can easily be done using logical intervals on both sites. In addition, since Cross-VC NSX extends logical networks and security to all vCenter domains, workloads can easily be moved between vCenter domains across all sites without any changes to IP addresses or security policies.

    Figure 5 shows the application of the Universal Distributed Firewall rules to the Universal Section.



    Figure 5

    If the user wants only site 1 to be the egress point for North / South traffic, this can be done by deploying the Universal Control VM, which is at the Universal Distributed Logical Router (UDLR) management level, on the main site, and by using routing metrics / weights to ensure that all North / South traffic passes through the Edge Service Gateways (ESGs) of site 1.

    In this model, North / South traffic follows an active / passive model, where the Site 1 Edge Service Gateways are active and the Site 2 Edge Service Gateways are passive with respect to North / South traffic.

    Having a single site as the ingress / egress point for North / South traffic simplifies deployment and ongoing operations, and may be required for cases when tracking services use North / South traffic and asymmetric traffic flows should be avoided. An example of such a deployment is shown below.



    Figure 6

    If a user needs Active / Active North / South traffic flows and is not concerned about the asymmetry of traffic flows, or has some kind of solution to control incoming traffic, then the Local Egress function can be used to provide a site-specific North / South traffic flow. It is activated when the UDLR is created.

    Local Egress allows you to control which routes are provided to ESXi hosts based on a unique identifier, the so-called Locale ID. All hosts within an NSX Manager domain have the same Locale ID; by default, this is the UUID of the NSX Manager on the local site.

    The Universal Control VM on each site learns routes from the physical network through the ESG of the local site. The UCC then learns the best routes, with the accompanying Locale ID, from the Universal Control VM of each site. Finally, the UCC distributes best route information to the ESXi hosts with the corresponding Locale ID. This deployment using Local Egress is shown below. Note that in this deployment model, a Universal Control VM is present on every site.



    Figure 7
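
    The Locale ID filtering described above can be modelled in a few lines. This is an added example, not VMware code or an NSX API: the `Route` type, the functions, the host and ESG names and the placeholder Locale IDs are all assumptions, and the UCC's best-route choice is simplified to "lowest metric per prefix". It also flags the hosts whose egress ESG differs from the ESG through which inbound traffic is assumed to arrive, which is the asymmetry the single-egress model avoids.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str      # destination learned from the physical network
    next_hop: str    # ESG that advertised it to the site's Universal Control VM
    locale_id: str   # Locale ID attached by that site's Universal Control VM
    metric: int      # lower is preferred

def distribute(routes, host_locale):
    """Model of UCC distribution: each host receives only the best route per
    prefix among the routes carrying the host's own Locale ID."""
    tables = {}
    for host, locale in host_locale.items():
        best = {}
        for r in routes:
            if r.locale_id != locale:
                continue  # routes learned on another site never reach this host
            if r.prefix not in best or r.metric < best[r.prefix].metric:
                best[r.prefix] = r
        tables[host] = {p: r.next_hop for p, r in best.items()}
    return tables

def asymmetric_hosts(tables, ingress_esg, prefix="0.0.0.0/0"):
    """Hosts whose egress ESG for `prefix` differs from the ESG inbound traffic uses."""
    return sorted(h for h, t in tables.items()
                  if t.get(prefix) not in (None, ingress_esg))

# Constructed sample data: placeholder Locale IDs stand in for NSX Manager UUIDs.
SITE1, SITE2 = "locale-site1", "locale-site2"
ROUTES = [
    Route("0.0.0.0/0", "esg-site1-a", SITE1, 10),
    Route("0.0.0.0/0", "esg-site1-b", SITE1, 20),
    Route("0.0.0.0/0", "esg-site2-a", SITE2, 10),
]
HOSTS = {"esx-1a": SITE1, "esx-1b": SITE1, "esx-2a": SITE2}

if __name__ == "__main__":
    tables = distribute(ROUTES, HOSTS)
    for host, table in sorted(tables.items()):
        print(host, table)
    # Assumption: inbound traffic for the stretched segment enters via site 1.
    print("asymmetric:", asymmetric_hosts(tables, "esg-site1-a"))
```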


    As you can see, Cross-VC NSX provides flexibility and capabilities for multiple deployments. In fact, in this way you can deploy the NSX infrastructure for multiple users, where some users use the Active / Passive scheme and others use Active / Active. This deployment is shown below: User 1 and User 2 use the same UDLR and a single Universal Control VM with an Active / Passive scheme. User 3 uses a different UDLR with Local Egress and, accordingly, another Universal Control VM for site 1 and site 2; this makes the Active / Active scheme possible. In this case, the IP addresses of users do not overlap. Separate UDLRs and ESGs can also be used for each user if IP mapping or additional isolation is required.



    Figure 8

