NSX Intelligence Install

Version 1.2.0 of NSX Intelligence

Network Security Policy - ONE DOES NOT SIMPLY GUESS AT FIREWALL POLICY TRAFFIC FLOW REQUIREMENTS Boromir

Let’s assume you stood up NSX-T with intentions to increase security within the datacenter through micro-segmentation. If you’re licensed for it your second step should be an NSX Intelligence install.

NSX Intelligence is going to be your friend if you plan to implement NSX-T in an environment where you already have applications living. One of the challenges of implementing any type of micro-segmentation is creating the relevant firewall rules. The older the app, the harder it may be, or maybe you just have a complex environment with a lot of cross communication. Creating rules to minimize risk carries risk in itself, because you don’t want to leave a hole open on the firewall based on an assumption, or block something important and cause an outage. Luckily we can pull from all the context within NSX and vSphere to gain an understanding of traffic flows.

NSX Intelligence gives you a deep view into your NSX-T environment and the flows that take place within the virtualized datacenter. Not only can you see the communication flows between virtual machines, but it takes that data and makes recommendations for firewall policies. Those policies can then be directly implemented into NSX, all through the NSX Manager UI, saving everyone time, guesswork, and stress. That sounds awesome, but as with anything new it’s important to keep an eye on the recommendations and ensure they are correct before implementing the rules. Lucky for us we have all the context of the machines and the traffic being passed, so it’s fairly easy to double check things.

What’s New

I’m happy to say that v1.1 and also v1.2 no longer have a dependency on a separate web server to get the installation done. This was a big improvement and makes the install of Intelligence similar to other VMware appliances. Be sure to reference the official install guide for your version of NSX-T and Intelligence, as there are situations where you would still need to follow the old method, such as with NSX-T 2.5. The steps below are specific to NSX-T 3.0 or newer and NSX Intelligence 1.2.

1.2 of Intelligence introduced a bunch of small changes which can be viewed in the Release Notes. This release improved many of the aspects of flow visibility and filtering options.

Prerequisites

Be sure to reference the latest NSX Intelligence documentation specific to the release you plan to install. For this walkthrough I’ll be installing version 1.2, and the official documentation can be found here.

Important Requirements (please reference the documentation here for a full list)

  1. NSX Intelligence depends on having NSX-T deployed, as the install can only be performed through NSX Manager. These instructions are for NSX-T 3.0 or newer. The steps vary slightly for NSX-T 2.5 and are not covered here.
  2. An available static IP address for the NSX Intelligence appliance management IP. This IP cannot be changed after installation.
  3. Ensure synchronized time between an NTP server and all components, especially NSX and the ESXi hosts. Use this same NTP server for the Intelligence configuration.
  4. Available compute resources. The resources are reserved by default on the appliance so be sure you have them available before deploying the appliance.

Download NSX Intelligence Installation

From your myvmware account locate the NSX Intelligence download as shown below. Under the Networking & Security heading you should see NSX Intelligence, or it can be found within the NSX-T Data Center category.

Clicking on the Go To Downloads button will bring you to the following screen. Here you can select the specific release next to Select Version. I’m installing 1.2.0 (latest). Then simply click Download Now next to the NSX Intelligence Appliance 1.2.0 OVA.

Download VMware NSX Intelligence

NSX Intelligence Appliance Install

Start by logging into your NSX-T Manager UI. Navigate to System > Appliances and scroll down to where it lists NSX Intelligence Appliance.

Click on the big box that says Add NSX Intelligence Appliance.

Add NSX Intelligence Appliance to NSX-T Manager

The first step is to upload the OVA File we previously downloaded. Click Select to locate and add the OVA.

NSX Intelligence Appliance OVA Upload

Back on the Appliance Information screen click Upload next to the OVA file.

NSX Intelligence Appliance OVA Upload

It will take a minute or two, depending on your connection, to upload the file. You can enter the remaining info on the Appliance Information screen.

Enter the Hostname as an FQDN. Then enter the Management IP/Netmask for the NSX Intelligence appliance IP address. Follow that up with the corresponding gateway, DNS, and NTP server. The DNS and NTP should pre-populate from the NSX Manager config.

NSX Intelligence Appliance Information

Scrolling down you will need to select the appropriate Node size for your environment. Be aware the Small node size is only recommended for Demo or POC environments. Production should always be the Large node size. Be sure you have the appropriate CPU/RAM requirements met or the node will not power on. Both have reserved resources by default. Storage is not as critical since you can use Thin Provisioning (default).

For reference my Small node is around 35GB in size after running for a couple days with very little traffic. I did disable the memory reservation afterwards so I do now have to account for the vswp file. I wouldn’t recommend disabling the reservation in a production environment if you can avoid it.

NSX Intelligence Node Size Options

When the upload is complete you should see a green Uploaded checkmark just under the file path. You can now click Next.

On the configuration screen select all the appropriate options for your environment. I’ll provide a brief description of each below.

Compute Manager – the vCenter where you are deploying NSX-Intelligence. You should place it within the same vCenter as the NSX Manager.

Compute Cluster – The ESXi cluster where NSX Intelligence should be placed. If you need to place it on a specific host within that cluster, as I did, do not select a Resource Pool. Instead skip to Host.

Resource Pool – If you are using resource pools you can select one.

Host – If you need to place the appliance on a specific host you can select that host here. In production it is recommended to use a DRS cluster and not a specific host. For my lab I needed to place it on a dedicated host that can accommodate the resources.

Virtual Disk Format – Thin or Thick disk provisioning. Thin is the default. If you choose Thick Provision be sure you have the required 2TB available.

Network – Click Select Network to choose a corresponding network.

NSX Intelligence Appliance Configuration

Select the appropriate Network for the NSX Intelligence Management IP to live on. Click Ok to save the selection.

NSX Intelligence Management Network

With that click Next.

On the final screen, Access & Credentials, the Root, CLI Admin, and Audit user accounts need to have their passwords set. A huge improvement over other appliance installs we’ve had in the past is the ability to check the box for setting the passwords all the same. I need to clarify that my opinion comes from a lab/demo environment perspective. In a production environment it may make sense, or be required, to set different passwords for each account. I would recommend different passwords for all production environments, as a compromised password on the Audit account would be detrimental if it’s the same password for Root/Admin. Please don’t reuse one password there. You also have the option to enable SSH or Root access, which in most situations won’t be necessary and also introduces another security concern. When you’re ready click Install Appliance.

NSX Intelligence Access and Credentials Configuration

Now we wait… You can track the progress from the System > Appliances screen shown below.

NSX Intelligence Appliance Installing

In my lab it only took 7-8 minutes to complete, but it’s a little deceiving. In reality the appliance was deployed to vCenter, but the configuration is not complete, as you’ll see. You may see something similar to the below message about degraded services. Don’t panic just yet, although if it sticks around for an hour or so you may want to reference the linked troubleshooting documentation.

Those same troubleshooting docs do explain that the initial configuration and synchronization of services can take an additional 30 minutes.

NSX Intelligence Appliance degraded services while waiting to complete the install and configuration

About 10 minutes later the appliance showed Available.

NSX Intelligence Appliance Available after initial install

Here I was thinking I was all set so I went to the Plan & Troubleshoot tab where I noticed the UI had not updated just yet. One thing to note is that before installing NSX Intelligence the menu options on the left side of the Plan & Troubleshoot screen will show the Discover & Plan page at the bottom and Recommendations is missing. Shown below is a screenshot I took at this stage in the install. It’s nice enough to let me know that Intelligence is still configuring.

NSX Intelligence Appliance deployment is in progress

I ended up getting distracted while waiting, and at this time can’t answer a question I have. Does the UI update automatically or do you have to log out and back in again? I hope to test this soon or if someone knows the answer please let me know in the comments.

When I came back to check on it NSX Manager UI had timed out for me so I had to log back in. Upon logging in the UI had updated to reflect the new NSX Intelligence install. You can see below now the Discover & Plan menus show up at the top with the new Recommendations page available.

NSX Intelligence Appliance Installed and available in NSX-T Manager UI

Clicking on Discover & Take Action should now start to show traffic flows between your virtual machines and groups within the NSX-T environment.

NSX Intelligence Appliance UI for Discover and Take Action

At this point you are set to start analyzing traffic flows and creating firewall policies.

I hope you found this useful. Let me know if future blogs around NSX Intelligence would be helpful.

Thanks for reading!
