I have been thinking about putting this guide together for a long time.
If you have no idea what HCX is, check out this link
This blog guide is an easy-to-follow, one-page (long) guide to deploying HCX in VMC and on premises. The VMware Docs guide can be found here; I highly recommend reviewing the VMware Docs guide as well.
HCX provides many capabilities to customers, which include:
- Connect a source and destination site together for the purpose of migrations
- Extend Layer 2 networks between sites
- Migrate workloads to and from source and destination sites
I like to describe HCX as a plugin into vCenter, as that is where you will access the HCX GUI, which allows you to configure HCX, extend networks and migrate workloads. If you want to automate all these steps, William Lam has a number of blog posts on this topic; check them out here.
HCX has 5 main appliances, as shown in the image below. These appliances will be deployed at the source and destination sites.
HCX Enterprise or Cloud Manager
The HCX manager appliance is deployed as an OVA, it integrates HCX with the vSphere environment, and enables it to deliver HCX services. HCX Manager is deployed one to one with each vCenter Server.
HCX Manager is deployed at the source site. HCX Cloud Manager is deployed at the target site by the HCX Cloud Services provider (in VMC this happens when you enable the HCX add-on, covered below). The HCX Cloud Manager automates the deployment of peer appliances when a service is enabled at the source site within the HCX plugin. Services cannot be enabled using the HCX Cloud interface.
An HCX Site Pair always consists of one HCX Enterprise source site (tenant site) and one HCX Cloud destination site (Cloud Provider site). The components listed in the following sections are always deployed in the context of a site pair.
HCX WAN Interconnect (HCX-IX)
This service appliance is deployed when migration and/or Data Recovery (DR) services are enabled. This component automatically tunnels to its peer at the remote site and provides an encrypted service path for migration services.
HCX WAN Optimization (HCX-WAN-OPT)
This service appliance is deployed when WAN Optimization services are enabled for a site pair. The WAN Optimization component only communicates with the HCX-IX, it does not make direct connections to its peer.
HCX Extension Appliance (HCX-NET-EXT / L2C)
This is deployed when Network Extension services are enabled. This component automatically tunnels to its peer at the remote site and provides an encrypted service path for the extended Layer 2 networks.
HCX Sentinel Gateway / Sentinel Data Receiver (HCX-SGW/SDR)
This is deployed when the HCX OS Assisted Migration (OSAM) service is required. The use case for OSAM is migrating workloads from a non-VMware hypervisor such as Hyper-V or KVM.
Please review this VMware HCX Checklist to make sure you have everything in place for a successful deployment. I will cover most of the requirements as we go through this guide.
Deploy HCX in VMC
1. The first step is to log into the VMC Console at https://vmc.vmware.com
2. Click View Details on the SDDC that you want to deploy HCX into
3. Click Add Ons
4. Click Open HCX
5. A new tab will open up, click Deploy HCX
6. Click Confirm
Deployment of HCX can take between 10 and 20 minutes, and it could take longer. Go grab a coffee. Leave the HCX tab open.
Once the deployment is complete, you need to create a firewall rule on the Management Gateway to open the port needed to reach the HCX Cloud Manager. So head back to your VMC Console tab.
7. From the VMC Console of the selected SDDC, Select Network & Security
8. Click Gateway Firewall
9. Click Management Gateway & Click Add Rule
10. Create a new inbound firewall rule with these parameters:
- Source: Where the connection to HCX Cloud Manager is coming from (ANY, Subnet, IP Address or IP Range). ANY is convenient while testing, but for anything longer-lived restrict the source to the on-premises HCX Manager address and the admin subnets that need the UI; this rule sits on the internet-facing Management Gateway.
- Destination: Select System Defined Group and select HCX
- Services: HTTPS (TCP 443)
- Note: HCX is already a system-defined group that can be selected as a destination. A user-defined group can be created for the source.
11. To save the rule, click publish
Depending on how you plan to connect your existing data center to VMC, you will probably need to configure some firewall rules on premises too. For a full list of the required on-premises rules, please review the Network Port and Protocol Requirements.
If you plan to connect your data center to VMC via the internet, you will need the HCX public IPs.
12. To get the HCX public IPs, go into the Networking & Security tab of the selected SDDC and click Public IPs
Now is a good time to take note of the cloudadmin@vmc.local user and password, as you will need them for HCX access and for the on-premises deployment.
13. Click on Settings, then take note of the password for the user cloudadmin@vmc.local
14. Head back to the VMware HCX tab in your browser and click Open HCX. We are now going to download the OVA that we will use to deploy HCX to your on-premises data center.
You will need the cloudadmin@vmc.local credentials to access this page.
15. Click System Updates and select Request Download Link. This will take about 2 to 5 minutes to be enabled; once enabled, download the HCX OVA
16. Copy the HCX URL from your browser tab; it is specific to your SDDC and it should look something like this: https://hcx.sddc-11-22-123-321.vmwarevmc.com
17. Go back to the HCX Tab and click Activation Keys
18. Click Create Activation Key
19. Select the VMware Cloud on AWS Subscription, then click confirm
20. Save your activation key
We are now ready to move to our on-premises installation. Make sure you have the following details before moving on:
- HCX Public IPs
- HCX Cloud URL
- HCX Activation Key
- VMC vCenter UserID
- VMC vCenter Password
Deploy HCX On Premises
You will need the following before you can deploy HCX on premises:
- 3 private IP addresses from the on-premises management network; these are for the HCX Manager, HCX Interconnect and HCX Network Extension appliances
- The management network needs to be able to route externally to the internet (and via Direct Connect if required)
- 1 private IP address from the on-premises vMotion network
- Proxy information (if required)
- DNS Server Details
- NTP Server Details
- Administrator@vsphere.local rights, or an AD user/group with the same rights
Please review the Network Port and Protocol Requirements; the map below shows all the network ports required by HCX.
The 5 key external rules that need to be configured are:
| Port | Protocol | Source | Destination |
|---|---|---|---|
| 4500 | UDP | Network Extension (HCX-NE On-Prem) | Network Extension (HCX-NE in VMC) |
| 4500 | UDP | Interconnect (HCX-IX On-Prem) | Interconnect (HCX-IX in VMC) |
| 443 | TCP | HCX Manager (On-Prem) | HCX Manager (VMC) |
| 443 | TCP | HCX Manager (On-Prem) | hybridity-depot.vmware.com |
| 443 | TCP | HCX Manager (On-Prem) | connect.hcx.vmware.com |
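Before you attempt activation it is worth confirming that the three TCP 443 destinations in the table above are actually reachable from the management network. The script below is an added example, not part of this guide or of the HCX product: run it from a host on the on-premises management network (or over SSH on the HCX Manager appliance once it is up). The SDDC URL is a constructed placeholder in the same shape as the one shown later in the guide; substitute your own. The UDP 4500 rules for the HCX-IX and HCX-NE appliances cannot be verified with a plain socket connect, so the script lists them but does not probe them.

```python
"""Pre-flight check for the outbound HCX Manager firewall rules (added example)."""
import socket
from urllib.parse import urlparse

# Constructed placeholder; replace with the HCX Cloud URL of your SDDC.
HCX_CLOUD_URL = "https://hcx.sddc-11-22-123-321.vmwarevmc.com"
# Activation and update hosts taken from the guide's rule table.
ACTIVATION_HOSTS = ("connect.hcx.vmware.com", "hybridity-depot.vmware.com")


def tcp_targets(hcx_cloud_url, extra_hosts=ACTIVATION_HOSTS):
    """Return the (host, port) pairs HCX Manager must reach over TCP 443."""
    host = urlparse(hcx_cloud_url).hostname
    if not host:
        raise ValueError("HCX Cloud URL must include a hostname: %r" % hcx_cloud_url)
    return [(host, 443)] + [(h, 443) for h in extra_hosts]


def check_tcp(host, port, timeout=3.0):
    """Attempt a TCP connect; return (reachable, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        # A silent timeout usually means a firewall is dropping the SYN.
        return False, "timed out (filtered upstream?)"
    except OSError as exc:
        # Connection refused, DNS failure or no route.
        return False, str(exc)


def run_preflight(targets, timeout=3.0):
    """Probe every target; return {"host:port": (reachable, detail)}."""
    return {f"{h}:{p}": check_tcp(h, p, timeout) for h, p in targets}


def loopback_self_check():
    """Sanity-check the prober against 127.0.0.1 before trusting its verdicts.

    Returns True if an open local port reports reachable and a closed one does not.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens on closed_port now
    try:
        ok_open, _ = check_tcp("127.0.0.1", open_port, timeout=1.0)
        ok_closed, _ = check_tcp("127.0.0.1", closed_port, timeout=1.0)
    finally:
        listener.close()
    return ok_open and not ok_closed


if __name__ == "__main__":
    if not loopback_self_check():
        raise SystemExit("loopback self-check failed; do not trust the results")
    for target, (reachable, detail) in run_preflight(tcp_targets(HCX_CLOUD_URL)).items():
        print(f"{'OK  ' if reachable else 'FAIL'} {target}: {detail}")
    print("UDP 4500 HCX-IX/HCX-NE -> VMC peers: not probed, verify on the firewall")
```

A FAIL with "timed out" is the signature of a missing egress rule; "connection refused" or a name-resolution error points at DNS or the wrong URL instead. If connect.hcx.vmware.com fails, the activation step later in this guide will fail too.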
Enough network talk, let's deploy the HCX Manager on premises.
1. Deploy the HCX OVA into the on-premises vCenter. This will deploy the HCX Manager appliance only; the other appliances will come later (you don't need any other OVAs for the other appliances).
2. Right-click on the folder / resource pool that you want to deploy the HCX Manager appliance to, and select Deploy OVF Template
Follow the wizard to deploy the OVF template, please note:
- Make sure the HCX Manager is deployed to the management network
- Remember the username and passwords you set; you will need these as part of the deployment process
- Enter DNS, NTP and the domain search list
- Enable SSH (optional, but useful for troubleshooting the appliance later)
3. Once the appliance is deployed, make sure the VM is powered on; it will take about 5 to 20 minutes to finish initializing
4. We are now going to connect to the new on premises HCX Manager. Open a new browser tab and connect to https://privateipofhcxmanager:9443
5. Login with the admin username and password you set during the HCX OVF deployment
6. Activate your HCX instance: copy and paste the activation key you saved from the VMC portal, then click Activate
If this fails, one of the most common reasons is that there is no firewall rule allowing HCX Manager to reach https://connect.hcx.vmware.com on TCP 443 to authenticate. Please review all the required firewall rules.
7. Enter the location of your current Data Center (the city), click Continue
8. Give the system a name, click Continue
9. Click on Yes, Continue
10. Connect your vCenter: enter the vCenter URL and a username and password with administrator rights on the on-premises vCenter, then click Continue
If you are running NSX, select Connect your NSX and enter the credentials for the on-premises NSX Manager
11. Configure SSO/PSC: enter the identity sources, click Continue
12. Great work, now click Restart
This should take between 5 and 20 minutes to restart and for the HCX plugin to be added to vCenter. You may need to log out of vCenter and back in.
13. Check that the HCX plugin has appeared in vCenter
Setup HCX Site Pair
A Site Pair establishes the connection needed for management, authentication, and orchestration of HCX services across a source and destination environment.
1. Open up the new HCX plugin in vCenter
2. On the left-hand menu, select Site Pairing
3. Click Add a Site Pairing
Note: the above screenshot has an existing site pairing; you won't see this the first time you create a site pair, you should see only the Add a Site Pairing button
4. Enter the remote HCX URL (or its private IP address if using a Direct Connect), the VMC vCenter username (cloudadmin@vmc.local) and the VMC vCenter password, then click Connect
Compute and Network Profile
A compute profile defines a couple of things. First, it defines where the HCX appliances will be deployed in your data center (the cluster or resource pool, datastore and folder). Second, it defines which portion of your VMware data center you want to be accessible to the HCX service itself, including the networks that are eligible for extension.
A network profile defines a range of IP addresses on a network that HCX can assign to its virtual appliances.
1. In the HCX vCenter plugin, select Interconnect, then Compute Profile, then Create Compute Profile
2. Give the compute profile a name, click Continue
3. Select the services to be activated, click Continue
4. Select Resources from the drop-down menu, click Continue
5. Select the resources, datastore and folder (optional) to deploy the appliances to, click Continue
Set any Interconnect Appliance Reservation Settings if required (optional)
6. Select the Management Network Profile drop-down and select Create Network Profile
7. Select the management network from the list
8. Input a name for the network profile
9. Set an IP range for the available IP addresses. These are the addresses that will be assigned from the management network to the Interconnect and Network Extension appliances (you will need 2 or more private IPs, one per appliance)
10. Select the prefix length, gateway IP and DNS/DNS suffix
11. Click Create
12. Select the Uplink Network Profile drop-down and select the management network profile you just created, click Close, then click Continue
13. Select the vMotion Network Profile drop-down, select Create Network Profile
14. Select the vMotion network from the list
15. Input a name for the network profile
16. Set an IP range for the available IP addresses. These are the addresses that will be assigned from the vMotion network; you should only need one IP
17. Select the prefix length, gateway IP and DNS/DNS suffix
18. Click Create
19. Select the vSphere Replication Network Profile drop-down and select the management network profile you created earlier, click Close, click Continue
20. Select the Network Containers drop-down and select the networks that are eligible for HCX Network Extension operations, click Continue
21. Review the firewall rules that are displayed, click Continue
22. Click Finish
You have now created your Compute and Network Profiles.
The Compute Profile Tab should now look similar to this screenshot
The Network Profile tab should look similar to this screenshot (the Management and vMotion network profiles you created should be in here)
Service Mesh
A Service Mesh specifies a local and remote Compute & Network Profile pair. When a Service Mesh is created, the HCX service appliances are deployed on both the source and destination sites and automatically configured by HCX to create the secure, optimized transport fabric.
1. Click on the Service Mesh tab within the Interconnect option in HCX
2. Click Create Service Mesh
3. Select the on-premises and VMC sites, click Continue
4. Select the Source Compute Profile and Remote Compute Profile from the drop-downs, click Continue
5. Select the services to be activated, click Continue
6. Select the Source Site Uplink Network Profile (usually the management network)
7. Select the Destination Site Uplink Network Profile (select directConnectNetwork for Direct Connect, select externalNetwork for internet connectivity)
8. Click Continue
9. Select how many Network Extension appliances you want deployed (1 is the default; each Network Extension appliance can handle up to 8 extended networks and takes one IP from the management network profile), click Continue
10. Select whether you want Application Path Resiliency and TCP Flow Conditioning enabled. Details of both these options can be found here
11. Enter a bandwidth limit if you want to throttle the traffic
12. Click Continue
13. Review the topology, click Continue
14. Provide a name for the service mesh, click Finish
That is it, you are now deploying the appliances; this should take between 15 and 40 minutes.
To track the progress, click on View Tasks in the service mesh that is being deployed.
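The most common reason a service mesh deployment stalls is a management network profile whose IP range is too small for the appliances you asked for, or that overlaps the gateway or the HCX Manager itself. The following added example (mine, not from this guide or from HCX) checks a planned management network profile against the rules laid out above: one IP for the Interconnect appliance, one per Network Extension appliance, gateway and HCX Manager outside the pool, and everything inside the subnet. The sample addresses are constructed; plug in your own.

```python
"""Sanity-check a management network profile IP pool before creating it (added example)."""
import ipaddress


def validate_mgmt_profile(cidr, pool_start, pool_end, gateway, manager_ip, ne_count=1):
    """Return a list of problems; an empty list means the pool is usable.

    cidr        management network, e.g. "10.10.0.0/24"
    pool_start  first address of the range entered in the network profile
    pool_end    last address of that range
    gateway     gateway IP entered in the network profile
    manager_ip  address the on-premises HCX Manager was deployed with
    ne_count    number of Network Extension appliances chosen in the service mesh
    """
    net = ipaddress.ip_network(cidr, strict=True)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    gw, mgr = ipaddress.ip_address(gateway), ipaddress.ip_address(manager_ip)
    problems = []

    # Everything must live in the subnet the profile is attached to.
    for label, addr in (("pool start", start), ("pool end", end),
                        ("gateway", gw), ("HCX Manager", mgr)):
        if addr not in net:
            problems.append(f"{label} {addr} is not inside {net}")
    if problems:
        return problems  # the remaining checks assume in-subnet addresses

    if start > end:
        return ["pool start is after pool end"]
    if start == net.network_address or end == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    # HCX hands out every address in the range, so it must not contain
    # addresses that are already in use.
    if start <= gw <= end:
        problems.append(f"gateway {gw} sits inside the pool")
    if start <= mgr <= end:
        problems.append(f"HCX Manager IP {mgr} sits inside the pool and would be reassigned")

    needed = 1 + ne_count  # one HCX-IX plus one per HCX-NE appliance
    available = int(end) - int(start) + 1
    if available < needed:
        problems.append(f"pool has {available} address(es), need at least {needed} "
                        f"(1 HCX-IX + {ne_count} HCX-NE)")
    return problems


if __name__ == "__main__":
    # Constructed sample: a /24 management network, HCX Manager on .10,
    # a three-address pool and two Network Extension appliances.
    for problem in validate_mgmt_profile("10.10.0.0/24", "10.10.0.50", "10.10.0.52",
                                         "10.10.0.1", "10.10.0.10", ne_count=2):
        print("PROBLEM:", problem)
```

Re-run it whenever you raise the Network Extension appliance count; the pool that was fine for one appliance is the one that silently runs dry when you add a second.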
Under tasks you can follow along while all the appliances are deployed.
Once the tasks are all complete, select Appliances; if everything is successful you should see the Tunnel Status as Up on the Interconnect and Network Extension appliances. This means the 2 IPsec tunnels (one for HCX-IX and one for HCX-NE, both over UDP 4500) have been successfully created and connected.
Also, once completed, you should see a view similar to the screenshot below.