I have been thinking about putting this guide together for a long time.

If you have no idea what HCX is, check out this link

This blog guide is an easy-to-follow, one-page (long) guide to deploying HCX in VMC and on premises. The VMware Docs guide can be found here; I highly recommend reviewing it.

HCX provides many capabilities to customers, which include:

  1. Connect a source and destination site together for the purpose of migrations
  2. Extend Layer 2 networks between sites
  3. Migrate workloads to and from source and destination sites
Configuring and Managing the HCX Interconnect

I like to describe HCX as a plugin into vCenter, as that is where you will access the HCX GUI, which allows you to configure HCX, extend networks and migrate workloads. If you want to automate all these steps, William Lam has a number of blog posts on this topic; check them out here.

HCX has 5 main appliances, as shown in the image below. These appliances will be deployed at the source and destination sites.

Cloud Migration Series: Part 2 - VMware HCX Overview - VMware vSphere Blog
HCX Enterprise or Cloud Manager

The HCX Manager appliance is deployed as an OVA. It integrates HCX with the vSphere environment and enables it to deliver HCX services. HCX Manager is deployed one to one with each vCenter Server.

HCX Manager is deployed at the source site. HCX Cloud Manager is deployed at the target site by the HCX Cloud Services provider. The HCX cloud manager automates the deployment of peer appliances when a service is enabled at the source site within the HCX plugin. Services cannot be enabled using the HCX Cloud interface.

An HCX Site Pair always consists of one HCX Enterprise source site (tenant site) and one HCX Cloud destination site (Cloud Provider site). The components listed in the following sections are always deployed in the context of a site pair.

HCX WAN Interconnect (HCX-IX)

This service appliance is deployed when migration and/or Data Recovery (DR) services are enabled. This component automatically tunnels to its peer at the remote site and provides an encrypted service path for migration services.

HCX WAN Optimization (HCX-WAN-OPT)

This service appliance is deployed when WAN Optimization services are enabled for a site pair. The WAN Optimization component only communicates with the HCX-IX; it does not make direct connections to its peer.

HCX Extension Appliance (HCX-NET-EXT / L2C)

This is deployed when Network Extension services are enabled. This component automatically tunnels to its peer at the remote site and provides an encrypted service path for migration services.

HCX Sentinel Gateway / Sentinel Data Receiver (HCX-SGW/SDR)

This is deployed when the HCX OS Assisted Migration (OSAM) service is required. The use case for OSAM is migrating workloads from a non-VMware hypervisor such as Hyper-V or KVM.

Please review this VMware HCX Checklist to make sure you have everything in place for a successful deployment. I will cover most of the requirements as we go through this guide.

Deploy HCX in VMC

  1. The first step is to log into the VMC Console at https://vmc.vmware.com
  2. Click View Details on the SDDC that you want to deploy HCX into

3. Click Add Ons

4. Click Open HCX

5. A new tab will open up, click Deploy HCX

6. Click Confirm

Deployment of HCX can take 10 to 20 minutes, and it could take longer. Go grab a coffee. Leave the HCX tab open.

Once the deployment is complete, you need to create a firewall rule to open the necessary ports to access the HCX Cloud Manager. So head back to your VMC Console tab.

7. From the VMC Console of the selected SDDC, Select Network & Security

8. Click Gateway Firewall

9. Click Management Gateway & Click Add Rule

10. Create a new inbound firewall rule with these parameters:

  • Source: Where the connection to HCX Manager is coming from (ANY, Subnet, IP Address or IP Range)
  • Destination: Select System Defined Group and select HCX
  • Services: HTTPS (TCP 443)
  • Note: HCX is already a system defined group that can be selected as a destination. A user-defined group can be created for the source.

11. To save the rule, click publish

Depending on how you plan to connect your existing data center to VMC, you will probably need to configure some firewall rules on premises. For a full list of the required on-premises rules, please review the Network Port and Protocol Requirements.

If you plan to connect your data center to VMC via the internet, you will need the HCX public IPs.

12. To get the HCX Public IPs, go into the Networking and Security tab in the selected SDDC & click Public IPs

Now is a good time to take note of the cloudadmin@vmc.local user and password for HCX access and the on-premises deployment.

13. Click on Settings, then take note of the password for the user cloudadmin@vmc.local

14. Head back to the VMware HCX tab in your browser and click Open HCX. We are now going to download the OVA that we will use to deploy HCX to your on-premises data center.

You will need the cloudadmin@vmc.local credentials to access this page

15. Click System Updates and select Request Download Link. This will take about 2 – 5 minutes to be enabled; once enabled, download the HCX OVA

16. Copy the HCX URL from your browser tab, it is specific to your SDDC and it should look something like this: https://hcx.sddc-11-22-123-321.vmwarevmc.com

17. Go back to the HCX Tab and click Activation Keys

18. Click Create Activation Key

19. Select the VMware Cloud on AWS Subscription, then click confirm

20. Save your activation key

We are now ready to move to our on-premises installation. Make sure you have the following details before moving on.

  • HCX Public IPs
  • HCX Cloud URL
  • HCX Activation Key
  • VMC vCenter UserID
  • VMC vCenter Password

Deploy HCX On Premises

You will need the following before you can deploy HCX on premises

  • 3 private IP Addresses from the on premises Management network, these are for HCX Manager, HCX Interconnect and HCX Network Extension appliances
  • The Management network needs to be able to route externally to the internet (and via Direct Connect if required)
  • 1 private IP address from the on premises vMotion Network
  • Proxy information (if required)
  • DNS Server Details
  • NTP Server Details
  • Administrator@vsphere.local rights or AD user/group with same rights

Please review the Network Port and Protocol Requirements; the map below shows all the network ports required by HCX.

The below are the 5 key external rules that need to be configured

| Port | Protocol | Source | Destination |
|------|----------|--------|-------------|
| 4500 | UDP | Network Extension (HCX-NE On-Prem) | Network Extension (HCX-NE in VMC) |
| 4500 | UDP | Interconnect (HCX-IX On-Prem) | Interconnect (HCX-IX in VMC) |
| 443 | TCP | HCX Manager (On-Prem) | HCX Manager (VMC) |
| 443 | TCP | HCX Manager (On-Prem) | hybridity-depot.vmware.com |
| 443 | TCP | HCX Manager (On-Prem) | connect.hcx.vmware.com |
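
A pre-flight check for the three TCP 443 rules in the table above, meant to be run from a machine on the on-premises management network. This is an added example, not part of the original guide or of VMware's tooling, and the function names are illustrative. UDP 4500 is not probed because a connect test cannot confirm it, and a direct connection does not reflect the path through a proxy if you use one.

```python
import socket
from urllib.parse import urlparse

# The two fixed VMware endpoints from the table (TCP 443 from HCX Manager).
VMWARE_ENDPOINTS = ["connect.hcx.vmware.com", "hybridity-depot.vmware.com"]


def required_tcp_checks(hcx_cloud_url):
    """Return (label, host, port) for every TCP rule in the table."""
    parsed = urlparse(hcx_cloud_url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"expected an https:// HCX Cloud URL, got {hcx_cloud_url!r}")
    # A private IP with an explicit port (Direct Connect) is accepted as well.
    checks = [("HCX Manager (VMC)", parsed.hostname, parsed.port or 443)]
    checks += [(host, host, 443) for host in VMWARE_ENDPOINTS]
    return checks


def tcp_reachable(host, port, timeout=5.0):
    """Classify one outbound TCP attempt so the failing layer is visible."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"   # name did not resolve: check the DNS settings
    except ConnectionRefusedError:
        return "refused"       # host answered, nothing is listening on the port
    except socket.timeout:
        return "timeout"       # no answer: usually a firewall dropping the packet
    except OSError:
        return "unreachable"   # no route or network down


def preflight(hcx_cloud_url, timeout=5.0):
    """Run every TCP check and return {label: status}."""
    return {label: tcp_reachable(host, port, timeout)
            for label, host, port in required_tcp_checks(hcx_cloud_url)}


if __name__ == "__main__":
    # URL in the format shown in step 16; replace it with your SDDC's HCX URL.
    url = "https://hcx.sddc-11-22-123-321.vmwarevmc.com"
    for label, status in preflight(url).items():
        print(f"{status:12} {label}")
    print("UDP 4500 (HCX-IX, HCX-NE) is not tested here; confirm it in the "
          "firewall rule set and in the Tunnel Status after deployment.")
```
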

Enough network talk, let's deploy the HCX Manager on premises

  1. Deploy the HCX OVA into the on-premises vCenter. This will deploy the HCX Manager appliance only; the other appliances will come later. (You don't need any other OVAs for the other appliances.)

2. Right-click on the folder / resource pool that you want to deploy the HCX Manager appliance to, and select Deploy OVF Template

Follow the wizard to deploy the OVF template, please note:

  • Make sure the HCX Manager is deployed to the management network
  • Remember the usernames and passwords you set; you will need these as part of the deployment process
  • Please enter DNS, NTP & Domain Search List
  • Enable SSH

3. Once the appliance is deployed make sure the VM is powered on, this will take about 5-20 minutes to finish initiating

4. We are now going to connect to the new on premises HCX Manager. Open a new browser tab and connect to https://privateipofhcxmanager:9443

5. Login with the admin username and password you set during the HCX OVF deployment

6. Activate your HCX instance, copy and paste the license key you saved from the VMC portal. Click Activate

If this fails, one of the most common reasons is that no firewall rule has been set up for HCX Manager to authenticate to https://connect.hcx.vmware.com. Please review all the required firewall rules.

7. Enter the location of your current Data Center (the city), click Continue

8. Give the system a name, click Continue

9. Click on Yes, Continue

10. Connect your vCenter, please enter the vCenter URL, Username and Password that has administration rights to the on premises vCenter, Click Continue

If you are running NSX, select Connect your NSX, enter the credentials for the on premises NSX Manager

11. Configure SSO/PSC, enter the Identity Sources, click Continue

12. Great work, now click Restart

This should take between 5 – 20 minutes to restart and for the plugin into vCenter to be added. You may need to log out and back into vCenter.

13. Check that the HCX plugin in vCenter has been deployed

Setup HCX Site Pair

A Site Pair establishes the connection needed for management, authentication, and orchestration of HCX services across a source and destination environment.

  1. Open up the new HCX in vCenter
  2. On the left hand menu, select Site Pairing
  3. Click Add a Site Pairing

Note that the above screenshot has an existing site pairing. You won't see this the first time you create a site pair; you should see only the Add a Site Pair button.

4. Enter in the remote HCX URL (or private IP address, if using a direct connect), the VMC vCenter User name (Cloudadmin@vmc.local) and the VMC vCenter Password, click connect

Compute and Network Profile

A compute profile defines a couple of things. First it allows you to configure where the HCX appliances will be deployed in your data center. It also defines which portion of your VMware data center you want to be accessible to the HCX service itself.

A network profile defines a range of IP addresses / networks that HCX can use for its virtual appliances.

  1. In the HCX vCenter plugin, select Interconnect, and select Compute Profile, Create Compute Profile

2. Give the Compute Profile a name, click Continue

3. Select the Service to be activated, Click Continue

4. Select Resources from the Drop down menu, click Continue

5. Select the Resources, Datastore and Folder (optional) to deploy the appliances to, click Continue

Set any Interconnect Appliance Reservation Settings if required (optional)

6. Select the Management Network Profile drop-down and select Create Network Profile

7. Select the Management Network from the list

8. Input a name for the network profile

9. Set an IP range for the available IP addresses. These are the IP addresses that will be assigned from the management network to the Interconnect and Network Extension Appliances (you will need 2 or more private IPs)

10. Select the Prefix Length, Gateway IP, DNS/DNS Suffix

11. Click Create

12. Select the Uplink Network Profile drop-down and select the Management network profile you just created, click Close, then click Continue

13. Select the vMotion Network Profile drop-down, select Create Network Profile

14. Select the vMotion Network from the list

15. Input a name for the network profile

16. Set an IP range for the available IP addresses. These are the IP addresses that will be assigned from the vMotion network; you should only need one IP

17. Select the Prefix Length, Gateway IP, DNS/DNS Suffix

18. Click Create

19. Select the vSphere Replication Network Profile drop-down, and select the Management Network profile you created earlier, click Close, click Continue

20. Select the Network Containers drop-down and select the networks that are eligible for HCX Network Extension operations, select Continue

21. Review the firewall rules that are displayed, click Continue

22. Click Finish

You have now created your Compute and Network Profiles.

The Compute Profile Tab should now look similar to this screenshot

The Network Profile tab should look similar to this screenshot (the Management and vMotion network profiles you created should be in here)

Service Mesh

Service Mesh specifies a local and remote Compute & Network Profile pair. When a Service Mesh is created, the HCX Service appliances are deployed on both the source and destination sites and automatically configured by HCX to create the secure optimized transport fabric.

  1. Click on the Service Mesh Tab within the Interconnect option in HCX

2. Click Create Service Mesh

3. Select the on premises and VMC sites, click Continue

4. Select the Source Compute Profile and Remote Compute Profile from the drop-downs, click Continue

5. Select the Services to be activated, click Continue

6. Select the Source Site Uplink Network Profile (usually the management network)

7. Select the Destination Site Uplink Network Profile (Select directConnectNetwork for direct connect, select externalNetwork for internet connectivity)

8. Click Continue

9. Select how many Network Extension Appliances you want deployed (1 is the default, each network extension appliance can handle up to 8 extended networks), click Continue

10. Select whether you want Application Path Resiliency and TCP Flow Conditioning enabled. Details of both these options can be found here

11. Enter a Bandwidth Limit if you want to throttle the traffic

12. Click Continue

13. Review the topology, click Continue

14. Provide a name for the service mesh, click Finish

That is it, you are now deploying the appliances, this should take between 15-40 minutes to deploy.

To track the progress, click on view Tasks in the Service Mesh that is being deployed

Under tasks you can follow along while all the appliances are deployed.

Once the tasks are all complete, select Appliances. If everything is successful, you should see the Tunnel Status as Up on the Interconnect and Network Extension Appliances. This means the 2 IPsec tunnels have been successfully created and connected.

Also, once completed you should see a similar view to the below screen shot