Add a Compute Manager

A compute manager, for example, VMware vCenter, is an application that manages resources such as hosts and VMs.
  • Verify that you use the supported vSphere version. See Supported vSphere version.
  • IPv4 communication with VMware vCenter.
  • Verify that you use the recommended number of compute managers. See https://configmax.vmware.com/home.
  • Decide the hashing algorithm type you want to use for stamping the NSX Manager thumbprint in the compute manager extension. SHA1 and SHA256 algorithm types are supported. The default is SHA1. If you use SHA256, there might be communication issues between the WCP component in VC and NSX Manager.
    • To set the hashing algorithm, run the following API:
      PUT https://<nsx-mgr>/api/v1/fabric/compute-managers/thumbprint-hashing-algorithm
      { "hashing_algorithm_type": "SHA1" }
  • Provide credentials of a VMware vCenter user. You can provide the credentials of the VMware vCenter administrator, or create a role and a user specifically for NSX and provide this user's credentials. Go to the Administration > Global Permissions tab. Add global permissions to the newly created user and role and select Propagate to Children.
    Create an admin role with the following VMware vCenter privileges:
    • Global: Cancel task
    • Extension: Register extension
    • Extension: Unregister extension
    • Extension: Update extension
    • Host: Configuration.Maintenance
    • Host: Configuration.NetworkConfiguration
    • Host: Local Operations.Create virtual machine
    • Host: Local Operations.Delete virtual machine
    • Host: Local Operations.Reconfigure virtual machine
    • Network: Assign network
    • Permissions: Reassign role permissions
    • Resource: Assign vApp to resource pool
    • Resource: Assign virtual machine to resource pool
    • Sessions: Message
    • Sessions: Validate session
    • Sessions: View and stop sessions
    • Scheduled task: Select all privileges
    • Tasks: Select all privileges
    • vApp: Select all privileges
    • Virtual Machine: Configuration
    • Virtual Machine: Guest Operations
    • Virtual Machine: Provisioning
    • Virtual Machine: Inventory
    To use the NSX license for the vSphere Distributed Switch 7.0 feature, the VMware vCenter user must either be an administrator, or the user must have Global.Licenses privileges and be a member of the LicenseService.Administrators group.
  • Before you create a service account for the compute manager, add these additional VMware vCenter privileges to the admin user role:
    • Permissions: Modify permission
    • Permissions: Modify role
    • Service Account Management: Administer
    • VMware vSphere Lifecycle Manager: ESXi Health Perspectives.Read
    • VMware vSphere Lifecycle Manager: Lifecycle Manager: General Privileges.Read
    • VMware vSphere Lifecycle Manager: Lifecycle Manager: Image Privileges.Read
    • VMware vSphere Lifecycle Manager: Lifecycle Manager: Image Privileges.Write
    • VMware vSphere Lifecycle Manager: Lifecycle Manager: Image Remediation Privileges.Write
    • VMware vSphere Lifecycle Manager: Lifecycle Manager: Settings Privileges.Read
    • VMware vSphere Lifecycle Manager: Lifecycle Manager: Settings Privileges.Write
    • VMware vSphere Lifecycle Manager: Lifecycle Manager: General Privileges.Write
NSX polls compute managers to collect cluster information from VMware vCenter.
For more information about VMware vCenter roles and privileges, see the vSphere Security document.
  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address> or https://<nsx-manager-fqdn>.
  2. Select System > Fabric > Compute Managers > Add Compute Manager.
  3. Complete the compute manager details.
    • Name and Description: Type the name to identify the VMware vCenter. You can optionally describe any special details, such as the number of clusters in the VMware vCenter.
    • Type: The default compute manager type is set to VMware vCenter.
    • Multi NSX: Starting with NSX 3.2.2, you can register the same vCenter Server with multiple NSX Managers. Enable this field if you want to allow multiple NSX instances to manage a single VMware vCenter. This functionality is supported from VMware vCenter 7.0 or later versions. Cannot be enabled on a Workload Control Plane (WCP) cluster or vSphere Lifecycle Manager (vLCM) cluster.
    • FQDN or IP Address: Type the FQDN or IP address of the VMware vCenter. If you plan to deploy NSX Manager in dual stack mode (IPv4 and IPv6) and if you plan to configure NSX Manager with CA signed certificates, you must set a FQDN with valid domain name.
    • HTTPS Port of Reverse Proxy: The default port is 443. If you use another port, verify that the port is open on all the NSX Manager appliances. Set the reverse proxy port to register the compute manager in NSX.
    • Username and Password: Type the VMware vCenter login credentials.
    • SHA-256 Thumbprint: (Optional) Type the VMware vCenter SHA-256 thumbprint algorithm value. If you configured the VMware vCenter WCP (Workload Control Plane) feature, using the SHA256 setting results in communication issues between the WCP component in VMware vCenter and NSX Manager. In such cases, use the SHA1 algorithm instead.
    • Create Service Account: (Optional) Enable this field for features such as vSphere Lifecycle Manager that need to authenticate with NSX APIs. Log in with the [email protected] credential to register a compute manager. After registration, the compute manager creates a service account.
      Service account creation is not supported on a global NSX Manager.
      If service account creation fails, the compute manager's registration status is set to Registered with errors. The compute manager is successfully registered. However, vSphere Lifecycle Manager cannot be enabled on NSX clusters.
      If a VMware vCenter admin deletes the service account after it was successfully created, vSphere Lifecycle Manager tries to authenticate the NSX APIs and the compute manager's registration status is set to Registered with errors.
    • Enable Trust: (Optional) Enable this field to establish trust between NSX and compute manager, so that services running in vCenter Server can establish trusted communication with NSX. For vSphere Lifecycle Manager to be enabled on NSX clusters, you must enable the Enable Trust field. Supported only on VMware vCenter 7.0 and later versions.
    • Access Level: Enable one of the options based on your requirement:
      • Full Access to NSX: Is selected by default. This access level gives the compute manager complete access to NSX. Full access ensures vSphere for Kubernetes and vSphere Lifecycle Manager can communicate with NSX. The VMware vCenter user's role must be set to an Enterprise Admin.
      • Limited Access to NSX: This access level ensures vSphere Lifecycle Manager can communicate with NSX. The VMware vCenter user's role must be set to Limited vSphere Admin.
    If you left the thumbprint value blank, you are prompted to accept the server-provided thumbprint.
    After you accept the thumbprint, it takes a few seconds for NSX to discover and register the VMware vCenter resources.
    If the FQDN, IP, or thumbprint of the compute manager changes after registration, edit the compute manager and enter the new values.
  4. If the progress icon changes from In progress to Not registered, perform the following steps to resolve the error.
    1. Select the error message and click Resolve. One possible error message is the following:
      Extension already registered at CM <vCenter Server name> with id <extension ID>
    2. Enter the VMware vCenter credentials and click Resolve.
      If an existing registration exists, it will be replaced.
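The thumbprint you type in step 3, or are prompted to accept when the field is left blank, can be checked against a copy of the VMware vCenter certificate obtained separately. The following is an added example, not VMware code: it assumes the certificate is available as PEM and that a thumbprint is a hex digest of its DER encoding, and SAMPLE_DER is a constructed stand-in rather than a real certificate.

```python
import hashlib
import ssl

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
# A thumbprint is a digest over the DER encoding, so any byte string exercises it.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# The two algorithm types the page lists as supported.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def thumbprint(pem_cert: str, algorithm: str = "SHA256") -> str:
    """Colon-separated upper-case hex digest of the certificate's DER encoding."""
    key = algorithm.upper().replace("-", "")
    if key not in ALGORITHMS:
        raise ValueError(f"unsupported hashing algorithm: {algorithm}")
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = ALGORITHMS[key](der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(value: str) -> str:
    """Drop separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def matches(pem_cert: str, presented: str, algorithm: str = "SHA256") -> bool:
    """True only if the presented thumbprint equals the locally computed one."""
    return normalize(presented) == normalize(thumbprint(pem_cert, algorithm))


if __name__ == "__main__":
    trusted = thumbprint(SAMPLE_PEM, "SHA256")
    print("SHA256:", trusted)
    print("SHA1:  ", thumbprint(SAMPLE_PEM, "SHA1"))
    # Value as it might be pasted from the prompt: lower case, no separators.
    print("match:", matches(SAMPLE_PEM, trusted.replace(":", "").lower()))
    # A SHA1 value never matches when SHA256 is expected.
    print("mismatch:", matches(SAMPLE_PEM, thumbprint(SAMPLE_PEM, "SHA1")))
```

For a real check, pass the PEM certificate exported from the VMware vCenter itself; a certificate fetched over the same network path as the registration does not give an independent comparison.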
It takes some time to register the compute manager with VMware vCenter and for the connection status to appear as UP.
You can click the compute manager's name to view the details, edit the compute manager, or to manage tags that apply to the compute manager.
After the VMware vCenter is successfully registered, do not power off and delete the NSX Manager VM without deleting the compute manager first. Otherwise, when you deploy a new NSX Manager, you will not be able to register the same VMware vCenter again. You will get the error that the VMware vCenter is already registered with another NSX Manager.
After a vCenter Server (VC) compute manager is successfully added, it cannot be removed if you successfully performed any of the following actions:
  • Transport nodes are prepared using VDS that is dependent on the VC.
  • Service VMs deployed on a host or a cluster in the VC using NSX service insertion.
  • You use the NSX Manager UI to deploy Edge VMs or NSX Manager nodes on a host or a cluster in the VC.
If you try to perform any of these actions and you encounter an error (for example, installation failed), you can remove the VC if you have not successfully performed any of the actions listed above.
If you have successfully prepared any transport node using VDS that is dependent on the VC or deployed any VM, you can remove the VC after you have done the following:
  • Unprepare all transport nodes. If uninstalling a transport node fails, you must force delete the transport node.
  • Undeploy all service VMs, all NSX Edge VMs, and all NSX Manager nodes. The undeployment must be successful or in a failed state.
  • If an NSX Manager cluster consists of nodes deployed from the VC (manual method) and nodes deployed from the NSX Manager UI, and you had to undeploy the manually deployed nodes, then you cannot remove the VC. To successfully remove the VC, ensure that you re-deploy an NSX Manager node from the VC.
This restriction applies to a fresh installation of NSX as well as an upgrade.