NSX Application Platform Part 4: Deploying the Application Platform
January 7, 2022
Completing the NSX Application Platform (NAPP) Deployment
You can download the latest bundle from here.
The OVF will be deployed to the designated cluster.
Generating a kubeconfig File
8. If everything was configured correctly, your deployment should succeed.
Log into the jumpbox, if you missed the configuration of the jumpbox, you can find it here.
Issue the command below to log into the Tanzu Kubernetes guest cluster created in part 3.
2. Once all checks pass, you will be able to activate the feature. I have seen this process take up to 30 minutes, the timeframe will vary depending on your environment.
2. The cloud region will already be configured, as the same one that was selected for NDR will be used for Malware prevention. Run the prechecks and make sure everything passes.
3. In “IDS/IPS & Malware Prevention Setup” I have left everything enabled; feel free to choose only the features you want enabled. Click Next when you are ready.
This section demonstrates the process to enable distributed malware prevention, for this, each hypervisor in the cluster will require the NSX Malware Prevention Service Virtual Machine (SVM). The OVA can be downloaded here.
This section will highlight the process to get NSX Intelligence activated.
From the image below, I can see that contour has successfully deployed.
After applying the license, you will see all tiles enabled.
This section will highlight the process to activate “NSX Network Detection and Response”.
You must have a license that is fit for purpose; without an adequate license you cannot enable the NAPP features. You will see the message below if you do not have an appropriate license.
This completes the deployment of NSX Malware Prevention.
The node was low on resource: ephemeral-storage
Disk Pressure
Issuing the command below, I was able to see the most recent pods that were created after initiating the deployment.
As you can see, all checks completed successfully, except for one warning. This is a time synchronization warning between the Kubernetes cluster and NSX-T. It is not a showstopper and you are able to continue. Click on Next.
Advanced Threat Protection (ATP)
root@jump:~# kubectl get svc -n projectcontour
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
projectcontour ClusterIP 10.108.127.21 <none> 8001/TCP 3m30s
projectcontour-envoy LoadBalancer 10.110.127.98 172.51.0.6 80:30753/TCP,443:30815/TCP 3m30s
4. If you need to setup a proxy server for internet connectivity, select “Go To Proxy Server”, if not click Next.
NSX Intelligence
The official instructions to generate and obtain this file are available here. This section will walk through the process outlined in the link.
Click on NSX Intelligence in the NSX Application Platform screen, in NSX-T Manager. You will be greeted with a precheck screen. Run the prechecks and make sure everything passes.
This article concludes the series, and you should now have a completely functional NSX Application Platform Deployment, with all features enabled. Make sure you run through each article, as I have highlighted issues and ways I have overcome them in each.
Note: If the file path in the ovf_url is wrong and you have already pushed the configuration to NSX Manager, the simplest way to revert or clear the configuration is to delete Malware Prevention and re-activate it.
3. Select your preferred Cloud Region, and then run Prechecks.
12. The final step is to enable the nodes. Click Done, when ready.
Network Detection and Response
You can manually trust the chain to move past this issue; however, as mentioned in part 2, once you begin your deployment the cert-manager namespace will fail with an x509 untrusted certificate error.
Navigate to System -> NSX Application Platform -> Click on “Activate” in “NSX Network Detection and Response”.
As part of the workflow, an unauthenticated GET request is sent to https://nsx.lastline.com/nsx/cloud-connector/api/v1/papi/accounting/nsx/get_cloud_regions.json. This retrieves the list of cloud regions to connect to. On my first attempt at deploying this, I faced the error below.
root@jump:~# kubectl describe pod nsxi-platform-fluent-bit-7st6q -n nsxi-platform
6. You are required to deploy the SVM that you downloaded before proceeding to the next step. Click on “Go To Service Deployment”. Make sure you have completed all prerequisites first.
9. Fill out the details relevant to your environment in the fields below. Click Save.
7. The final screen is a Review & Deploy, this is your last chance to change any of the settings. Click Deploy when you are ready.
Click Next.
4. Next, we generate an authentication token for the service account we just created and the cluster CA. Make sure you run these commands individually as well. There will be no output from any of the commands.
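The two steps above (create the service account and cluster role binding, then extract its token and the cluster CA) end in a kubeconfig that NSX Manager uploads. The script below is an added example, not the post's or VMware's commands: it wraps the kubectl steps in functions, renders the kubeconfig itself, and checks the result before you upload it. The service account name napp-admin, the kube-system namespace and the API server address https://172.51.0.5:6443 are placeholders; it also assumes a pre-1.24 Kubernetes cluster (this series uses v1.20.7), where a token secret is still auto-created for a service account.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or VMware's docs): build the NAPP
# kubeconfig from a cluster-admin service account on the Tanzu guest cluster.
# Placeholders: SA_NAME / SA_NS and the API server URL used in the usage note.
set -euo pipefail

SA_NAME="${SA_NAME:-napp-admin}"
SA_NS="${SA_NS:-kube-system}"

# Step 3 in the post: service account + cluster-admin binding. The token this
# yields is a long-lived cluster-admin credential, so the kubeconfig is a secret.
create_napp_serviceaccount() {
  kubectl create serviceaccount "$SA_NAME" -n "$SA_NS"
  kubectl create clusterrolebinding "$SA_NAME" \
    --serviceaccount="$SA_NS:$SA_NAME" --clusterrole=cluster-admin
}

# Step 4 in the post: pull the token and CA out of the auto-created secret
# (pre-1.24 clusters only). Prints "<token><TAB><path-to-ca.crt>".
fetch_sa_credentials() {
  local secret token ca_file
  secret=$(kubectl get serviceaccount "$SA_NAME" -n "$SA_NS" \
           -o jsonpath='{.secrets[0].name}')
  token=$(kubectl get secret "$secret" -n "$SA_NS" \
          -o jsonpath='{.data.token}' | base64 -d)
  ca_file=$(mktemp)
  kubectl get secret "$secret" -n "$SA_NS" \
    -o jsonpath='{.data.ca\.crt}' | base64 -d > "$ca_file"
  printf '%s\t%s\n' "$token" "$ca_file"
}

# Pure function (no cluster access): write a kubeconfig from a server URL,
# a CA file and a bearer token. The CA is embedded so NSX never has to skip
# TLS verification against the API server.
render_kubeconfig() {
  local server="$1" ca_file="$2" token="$3" out="$4"
  local ca_b64
  ca_b64=$(base64 < "$ca_file" | tr -d '\n')
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: napp
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
contexts:
- name: napp
  context:
    cluster: napp
    user: ${SA_NAME}
current-context: napp
users:
- name: ${SA_NAME}
  user:
    token: ${token}
EOF
  chmod 0600 "$out"
}

# Pre-upload check: the file must carry a CA and a token, must not disable
# TLS verification, and must be readable only by its owner.
validate_kubeconfig() {
  local f="$1"
  grep -q '^    certificate-authority-data: ' "$f" || return 1
  grep -q '^    token: ' "$f" || return 1
  if grep -q 'insecure-skip-tls-verify' "$f"; then return 1; fi
  [ -n "$(find "$f" -maxdepth 0 -perm 600)" ] || return 1
  return 0
}

# Usage on the jumpbox, logged into the guest cluster (placeholder server URL):
#   create_napp_serviceaccount
#   IFS=$'\t' read -r TOKEN CA_FILE < <(fetch_sa_credentials)
#   render_kubeconfig https://172.51.0.5:6443 "$CA_FILE" "$TOKEN" ./napp-kubeconfig.yaml
#   validate_kubeconfig ./napp-kubeconfig.yaml && echo "ready to upload"
```

Because the binding is cluster-admin, anyone holding this file owns the guest cluster; keep it off shared jumpboxes once NSX Manager has it, and delete the service account if you ever roll the platform back. On Kubernetes 1.24 and later the secret is not auto-created and you would mint the token with `kubectl create token` instead.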
Once you allow the connection through the firewall (if you have this issue), you should be able to see the regions to select from.
NSX Malware Prevention
Navigate to System -> NSX Application Platform -> Click on “Activate” in “NSX Malware Prevention”.
Note: As the yellow message states, Malware Prevention only works in environments with internet connectivity.
3. Issue the following commands to create an administrator service account and cluster role binding. I prefer to run each command individually.
This part of the deployment takes a considerable amount of time compared to the previous namespaces. To check that it is still running and not stuck, you can issue the command below.
This is after allowing the NSX-T Manager and VIP subnet full internet access. I tailed my firewall and noticed the IP 172.52.0.14 hitting a deny rule when attempting a connection on 443 to 38.95.226.10. The source IP is one of my worker nodes; the destination IP address is nsx.lastline.com. It seems the worker nodes require internet connectivity to enable this feature, so make sure they have it if you are enabling this feature.
NAPP allows administrators to bolster their security with the addition of Malware Analysis and Prevention, Network Traffic Analysis (NSX Intelligence), and Network Detection and Response (NDR).
Navigate to System -> NSX Application Platform -> NSX Malware Prevention -> Actions -> Settings.
3. Intelligence has successfully activated.
2. Click “Start Setup”.
Note: You will need to have a Transport Node Profile attached to the Transport Node cluster before you are able to deploy the SVMs. If you don’t have a Transport Node Profile attached to the cluster, you will see the error below.
As part of this process, additional pods are deployed into the nsxi-platform namespace. Issue the command below to see the additional pods. I have omitted older pods that were not created as part of NDR’s deployment.
Once downloaded, in NSX-T manager, click on select and then upload the bundle.
This link will guide you through generating a Public-Private Key pair for the SVM.
This link will guide you through deploying a webserver for the SVM.
There are a few ways to resolve this deployment error. I am going to rollback the deployment, delete the impactor namespace in vCenter, recreate the namespace, re-deploy the impactorlab cluster using the cluster.yml file, regenerate the kubeToken and then retry the deployment. I have chosen this method as it will give me a clean slate and there was no data on the platform anyway. You may wish to achieve a similar result in a different manner. To roll back the deployment, click cancel in the failed screen above.
2. Click on Deploy NSX Application Platform.
NSX Application Platform Part 3: NSX-T, NSX-ALB (Avi), and Tanzu
root@jump:~# kubectl get pods -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-769f5c8bc4-bddxh 1/1 Running 0 83s
cert-manager-cainjector-6cd9ff7784-2cdl2 1/1 Running 0 83s
cert-manager-truststoreinjector-7c956678d6-wrbqb 1/1 Running 0 83s
cert-manager-webhook-f744b7947-zvkx9 1/1 Running 0 83s
An agent is deployed to each hypervisor.
After the file is uploaded, NSX authenticates to the cluster with it and picks up details such as cluster type and storage class; these are shown in the next step. Notice the golden banner stating “Server version v1.20.7+vmware.1 and client version v1.18.20 are incompatible. Please upload Kubernetes Tools to resolve.” This indicates a Kubernetes tools version mismatch between the client (the kubectl bundled with NSX) and the Tanzu cluster.
And that’s it! All the new security features have been enabled. I will go into more details of each feature in future posts.
Once the namespace and nodes have been removed, you can follow the instructions in part 3 to redeploy the cluster.
If you deployed NDR already, one component precheck will be skipped, which is “NSX Advanced Threat Analyzer Cloud Eligibility” and that is because the component was already deployed. Click Activate once complete. The process took approximately 3 minutes to complete in my lab.
The previous articles covered the foundation required to deploy NAPP. This article will focus primarily on achieving a successful NAPP deployment. It will include all the remaining steps required to complete the deployment, including, generating a kubeconfig file, NAPP configuration and deployment, and some troubleshooting steps along the way.
4. Once the prechecks are complete, click on Activate. The deployment will start, and in my environment took about 3 minutes.
This completes the activation of NSX Intelligence. I will not walk through the configuration of NSX Intelligence in this article.
6. The next page is the Precheck Platform page, click on prechecks and allow it to complete. If there are any errors you must remediate them.
Troubleshooting and Deployment Monitoring
Check POD Deployment
5. There is a check to ensure NAPP and Malware Prevention are configured and enabled, if they are not, it will alert you. Click Next.
In vCenter navigate to Menu -> Workload Management -> Namespaces -> Select the Namespace -> Remove.
If you used the cluster.yml file I provided in part 3 then you have enough resources to deploy the Advanced form factor. I am deploying advanced as I want to run NSX Intelligence, choose whichever option suits your needs. Once all that is done, click Next.
The deployment will begin.
8. Navigate back to System -> Service Deployments (you may have to refresh or log out and back in), you should now see the partner service registered. Click Deploy Service.
Project Contour Deployment
10. Navigate to Security -> IDS/IPS & Malware Prevention and you should be able to continue from where you were. Now that the SVMs have been deployed and NSX is aware of them, you should see the output below. Click Next.
NSX Application Platform Part 1: Environment Overview
Once complete, click Save URL.
Platform Deployment
To troubleshoot check the events of the nsxi-platform namespace. You should see errors that are worded similarly to the below.
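The post mentions the commands it used to list the newest pods and the namespace events but not the filtering. The helper below is an added example, not the post's own commands: the two live functions sort pods and events by age so you can see whether the deployment is still progressing, and the offline filter pulls out exactly the kind of Warning event that signalled the ephemeral-storage problem here. The event lines embedded in the block are constructed to look like `kubectl get events` output and are not from the author's cluster; the node name and pod names in them are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage the nsxi-platform
# namespace while the platform deploys. SAMPLE_EVENTS is constructed input.
set -euo pipefail

NS="${NS:-nsxi-platform}"

# Newest pods first: if new pods keep appearing the deployment is still moving.
newest_napp_pods() {
  kubectl get pods -n "$NS" --sort-by=.metadata.creationTimestamp
}

# Events in time order; the failure reason usually shows up here before the
# NSX UI reports anything.
napp_events() {
  kubectl get events -n "$NS" --sort-by=.lastTimestamp
}

# Node-level view of the same problem: DiskPressure=True means the kubelet is
# evicting pods, which is what "The node was low on resource: ephemeral-storage"
# means for the pod.
node_disk_pressure() {
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.conditions[?(@.type=="DiskPressure")].status}{"\n"}{end}'
}

# Offline filter over `kubectl get events` lines on stdin: keep Warning events
# whose reason or message points at node resource exhaustion.
resource_pressure_events() {
  awk '$0 ~ /Warning/ && $0 ~ /(Evicted|DiskPressure|ephemeral-storage|FailedScheduling)/ {print}'
}
count_pressure_events() { resource_pressure_events | wc -l | tr -d ' '; }

# Constructed sample (illustrative, not captured from a real cluster).
SAMPLE_EVENTS='LAST SEEN   TYPE      REASON             OBJECT                                 MESSAGE
2m          Normal    Scheduled          pod/nsxi-platform-fluent-bit-7st6q     Successfully assigned nsxi-platform/nsxi-platform-fluent-bit-7st6q to impactorlab-workers-x1
90s         Warning   Evicted            pod/nsxi-platform-fluent-bit-7st6q     The node was low on resource: ephemeral-storage. Container fluent-bit was using 1234Ki, which exceeds its request of 0.
60s         Normal    Pulled             pod/druid-broker-0                     Container image already present on machine
30s         Warning   FailedScheduling   pod/druid-historical-0                 0/4 nodes are available: 4 node(s) had taint {node.kubernetes.io/disk-pressure: }, that the pod did not tolerate.'

# Usage on the jumpbox:
#   napp_events | resource_pressure_events
#   node_disk_pressure
#   printf '%s\n' "$SAMPLE_EVENTS" | count_pressure_events   # 2 on the sample
```

If the filter returns eviction or disk-pressure events, no amount of retrying the NSX wizard helps; the worker nodes need more ephemeral storage (the cluster.yml sizing from part 3) before the namespace will settle.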
It’s now time to deploy the NSX Application platform, log into your NSX Manager UI, ensure it is a greenfield NSX-T 3.2 deployment.
7. Now you need to register the NSX Distributed Malware Prevention Service; I will be using Postman for this. My webserver is 192.168.63.113. I created a virtual directory called nsx and extracted the files from the OVA into it. Below is the result of browsing to the webserver.
11. The next page defines the malware and IDS/IPS signatures. You can either continue, or update them if there are any updates available. I will be updating. Click Next, when done.
ATP consists of IDS/IPS, Malware Analysis and Prevention, and Network Traffic Analysis (NSX Intelligence). It is important to note that NAPP is not required for IDS and IPS.
I wanted to highlight the importance of having a trusted certificate, as mentioned in part 2. The image below shows the result of having an improper certificate assigned to your Harbor registry.
root@jump:~# kubectl get events -n cert-manager -w
The code from Postman is below. Make sure you use basic authentication, and enter the NSX admin username and password.
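The same registration can be scripted with curl instead of Postman. The block below is an added example, not the post's Postman code: it builds the request body, checks that the ovf_url actually serves the OVF (the wrong-path case the note about ovf_url warns about), and posts the spec over TLS with the manager's CA pinned, reading the admin password from the environment rather than embedding it. The manager hostname nsx.lab.local, the CA file path, the spec name and the OVF filename are placeholders, and the endpoint path /napp/api/v1/malware-prevention/svm-spec and the deployment_spec_name / svm_version fields are taken from my reading of the NSX 3.2 API documentation; verify them against the version you are deploying.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): register the Distributed Malware
# Prevention SVM spec with the NSX Manager API using curl. Endpoint path and
# field names are assumptions from the NSX 3.2 docs; hostnames are placeholders.
set -euo pipefail

NSX_MANAGER="${NSX_MANAGER:-nsx.lab.local}"
# Basic auth carries the admin password, so never pass -k here: pin the
# manager's CA (exported from NSX or your PKI) instead.
NSX_CA_BUNDLE="${NSX_CA_BUNDLE:-./nsx-manager-ca.pem}"

# Pure function: request body. ovf_url is the field the post's note refers to.
build_svm_spec() {
  local ovf_url="$1" spec_name="$2" svm_version="$3"
  printf '{"ovf_url":"%s","deployment_spec_name":"%s","svm_version":"%s"}\n' \
    "$ovf_url" "$spec_name" "$svm_version"
}

# Pre-flight: HEAD the OVF URL. NSX Manager (not your workstation) is what
# fetches it, but a 404 from here already proves the path is wrong.
ovf_url_reachable() {
  curl -sSf -o /dev/null -I "$1"
}

# Register the spec. The password comes from NSX_ADMIN_PASSWORD so it never
# lands in shell history or a script file.
register_svm_spec() {
  local body="$1"
  curl -sS --cacert "$NSX_CA_BUNDLE" \
    -u "admin:${NSX_ADMIN_PASSWORD:?set NSX_ADMIN_PASSWORD}" \
    -H 'Content-Type: application/json' \
    -X POST "https://${NSX_MANAGER}/napp/api/v1/malware-prevention/svm-spec" \
    --data "$body"
}

# Usage (placeholder webserver path and spec values):
#   OVF=http://192.168.63.113/nsx/nsx-svm-appliance.ovf
#   BODY=$(build_svm_spec "$OVF" NSX-Distributed-MP 3.2)
#   ovf_url_reachable "$OVF" && register_svm_spec "$BODY"
```

Running the pre-flight first matters because, as noted above, a spec pushed with a bad ovf_url is awkward to correct and the simplest recovery is to delete Malware Prevention and activate it again.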
If you have configured everything correctly, with an appropriate certificate, you will see the below.
Previous Articles
5. Now choose the Storage Class. The Service Name needs to be correct or else the deployment will fail almost immediately. From what I can see, a DNS lookup is performed with the FQDN entered, and whatever IP address comes back is added as the ingress / contour / envoy load balancer IP. So ensure you create an appropriate DNS entry and IP address. In my case, I have created a DNS entry in the vip-tkg range.
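Two network conditions recur in this article: the Service Name you enter here must resolve to the address that ends up as the Contour/Envoy load balancer IP, and, as seen during the NDR activation, the worker nodes themselves need outbound TCP 443 to nsx.lastline.com. The script below is an added example, not the post's commands, that checks both. The Envoy parser reads the same `kubectl get svc -n projectcontour` output shown earlier in the article (so it can be run after the Project Contour stage to confirm the FQDN landed on the right VIP), and the egress check runs from a throwaway pod so the connection originates on a worker node rather than the jumpbox. The FQDN napp.lab.local is a placeholder; the egress check assumes the busybox image is pullable and that its nc supports -z and -w.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): NAPP network prechecks.
# Placeholders: the FQDN in the usage note. SAMPLE_SVC is constructed from the
# service listing shown in the article.
set -euo pipefail

# EXTERNAL-IP of projectcontour-envoy from `kubectl get svc -n projectcontour`
# output on stdin (columns: NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE).
envoy_external_ip() {
  awk '$1 == "projectcontour-envoy" && $2 == "LoadBalancer" {print $4}'
}

# First IPv4 A record for a name; NSX takes whatever the lookup returns and
# uses it as the ingress address, so only the first answer matters.
resolve_first_a() {
  getent ahostsv4 "$1" | awk 'NR == 1 {print $1}'
}

ips_match() { [ "$1" = "$2" ]; }

# 0 = the Service Name resolves to the Envoy load balancer IP,
# 1 = it resolves somewhere else, 2 = it does not resolve at all.
check_service_name() {
  local fqdn="$1" lb_ip="$2" resolved
  resolved=$(resolve_first_a "$fqdn") || return 2
  [ -n "$resolved" ] || return 2
  ips_match "$resolved" "$lb_ip"
}

# Egress from a worker node to the NDR / Malware Prevention cloud connector.
# Non-zero exit means the node is blocked (the deny-rule case in the article).
check_worker_egress() {
  local host="${1:-nsx.lastline.com}" port="${2:-443}"
  kubectl run napp-egress-check --rm -i --restart=Never \
    --image=busybox:1.36 -- nc -z -w 5 "$host" "$port"
}

# Constructed sample, matching the projectcontour listing in the article.
SAMPLE_SVC='NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
projectcontour         ClusterIP      10.108.127.21   <none>        8001/TCP                     3m30s
projectcontour-envoy   LoadBalancer   10.110.127.98   172.51.0.6    80:30753/TCP,443:30815/TCP   3m30s'

# Usage on the jumpbox (placeholder FQDN):
#   LB_IP=$(kubectl get svc -n projectcontour | envoy_external_ip)
#   check_service_name napp.lab.local "$LB_IP" && echo "service name resolves to Envoy VIP"
#   check_worker_egress && echo "worker egress to nsx.lastline.com:443 OK"
```

Before the deployment starts there is no Envoy service yet, so at that point the useful check is only that the FQDN resolves at all and to an address inside the Avi VIP range you reserved; the full comparison becomes meaningful once Project Contour is up.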