Add a Compute Manager
A compute manager, for example,
VMware vCenter
, is an application that manages resources such as hosts and VMs. - Verify that you use the supportedvSphereversion. See Supported vSphere version.
- IPv4 communication withVMware vCenter.
- Verify that you use the recommended number of compute managers. See https://configmax.vmware.com/home.
- Decide the hashing algorithm type you want to use for stampingNSX Managerthumbprint in compute manager extension. SHA1 and SHA256 algorithm types are supported. The default is SHA1. If you use SHA256 there might be communication issues between WCP component in VC and NSX Manager.
- To set the hashing algorithm, run APIPUT https://<nsx-mgr>/api/v1/fabric/compute-managers/thumbprint-hashing-algorithm{ "hashing_algorithm_type": "SHA1" }
- Provide credentials of aVMware vCenteruser. You can provide the credentials ofVMware vCenteradministrator, or create a role and a user specifically forNSXand provide this user's credentials. Go to the tab. Add global permissions to the newly created user and role and selectPropogate to Children.
Create an admin role with the followingVMware vCenterprivileges:GlobalCancel taskExtensionRegister extensionExtensionUnregister extensionExtensionUpdate extensionHostConfiguration.MaintenanceHostConfiguration.NetworkConfigurationHostLocal Operations.Create virtual machineHostLocal Operations.Delete virtual machineHostLocal Operations.Reconfigure virtual machineNetworkAssign networkPermissionsReassign role permissionsResourceAssign vApp to resource poolResourceAssign virtual machine to resource poolSessionsMessageSessionsValidate sessionSessionsView and stop sessionsScheduled taskSelect all privilegesTasksSelect all privilegesvAppSelect all privilegesVirtual Machine.ConfigurationVirtual MachineGuest OperationsVirtual MachineProvisioningVirtual MachineInventoryTo use theNSXlicense for the vSphere Distributed Switch 7.0 feature, theVMware vCenteruser must either be an administrator, or the user must haveGlobal.Licensesprivileges and be a member of theLicenseService.Administratorsgroup. - Before you create a service account for the compute manager, add these additionalVMware vCenterprivileges to the admin user role:PermissionsModify permissionPermissionsModify roleService Account ManagementAdministerVMware vSphere Lifecycle ManagerESXi Health Perspectives.ReadVMware vSphere Lifecycle ManagerLifecycle Manager: General Privileges.ReadVMware vSphere Lifecycle ManagerLifecycle Manager: Image Privileges.ReadVMware vSphere Lifecycle ManagerLifecycle Manager: Image Privileges.WriteVMware vSphere Lifecycle ManagerLifecycle Manager: Image Remediation Privileges.WriteVMware vSphere Lifecycle ManagerLifecycle Manager: Settings Privileges.ReadVMware vSphere Lifecycle ManagerLifecycle Manager: Settings Privileges.WriteVMware vSphere Lifecycle ManagerLifecycle Manager: General Privileges.Write
NSX
polls compute managers to collect cluster information from VMware vCenter
. For more information about
VMware vCenter
roles and privileges, see the vSphere Security
document. - From your browser, log in with admin privileges to anNSX Managerat https://<nsx-manager-ip-address> or https://<nsx-manager-fqdn>.
- Select .
- Complete the compute manager details.OptionDescriptionName and DescriptionType the name to identify theVMware vCenter.You can optionally describe any special details such as, the number of clusters in theVMware vCenter.TypeThe default compute manager type is set toVMware vCenter.Multi NSXEnable this field if you want to allow multipleStarting withNSX3.2.2, you can register the same vCenter Server with multipleNSX Managers.NSXinstances to manage a singleVMware vCenter. This functionality is supported fromVMware vCenter7.0 or later versions.Cannot be enabled on a Workload Control Plane (WCP) cluster or vSphere Lifecycle Manager (vLCM) cluster.FQDN or IP AddressType the FQDN or IP address of theVMware vCenter.If you plan to deployNSX Managerin dual stack mode (IPv4 and IPv6) and if you plan to configureNSX Managerwith CA signed certificates, you must set a FQDN with valid domain name.HTTPS Port of Reverse ProxyThe default port is 443. If you use another port, verify that the port is open on all theNSX Managerappliances.Set the reverse proxy port to register the compute manager inNSX.Username and PasswordType theVMware vCenterlogin credentials.SHA-256 Thumbprint(Optional) Type theVMware vCenterSHA-256 thumbprint algorithm value. If you configured theVMware vCenterWCP (Workload Control Plane) feature, using the SHA256 setting results in communication issues between the WCP component inVMware vCenterandNSX Manager. In such cases, use the SHA1 algorithm instead.Create Service Account(Optional) Enable this field for features such as vSphere Lifecycle Manager that need to authenticate withNSXAPIs. Log in with the [email protected] credential to register a compute manager. After registration, the compute manager creates a service account.Service account creation is not supported on a globalNSX Manager.If service account creation fails, the compute manager's registration status is set toRegistered with errors. The compute manager is successfully registered. However, vSphere Lifecycle Manager cannot be enabled onNSXclusters.If aVMware vCenteradmin deletes the service account after it was successfully created, vSphere Lifecycle Manager tries to authenticate theNSXAPIs and the compute manager's registration status is set toRegistered with errors.Enable Trust(Optional) Enable this field to establish trust betweenNSXand compute manager, so that services running in vCenter Server can establish trusted communication withNSX. For vSphere Lifecycle Manager to be enabled onNSXclusters, you must enable theEnable Trustfield.Supported only onVMware vCenter7.0 and later versions.Access LevelEnable one of the options based on your requirement:
- Full Access to NSX: Is selected by default. This access level gives the compute manager complete access toNSX. Full access ensures vSphere for Kubernetes and vSphere Lifecycle Manager can communicate withNSX. TheVMware vCenteruser's role must be set to an Enterprise Admin.
- Limited Access to NSX: This access level ensures vSphere Lifecycle Manager can communicate withNSX. TheVMware vCenteruser's role must be set to Limited vSphere Admin.
If you left the thumbprint value blank, you are prompted to accept the server provided thumbprint.After you accept the thumbprint, it takes a few seconds forNSXto discover and register theVMware vCenterresources.If the FQDN, IP, or thumbprint of the compute manager changes after registration, edit the computer manager and enter the new values. - If the progress icon changes fromIn progresstoNot registered, perform the following steps to resolve the error.
- Select the error message and clickResolve. One possible error message is the following:Extension already registered at CM <vCenter Server name> with id <extension ID>
- Enter theVMware vCentercredentials and clickResolve.If an existing registration exists, it will be replaced.
It takes some time to register the compute manager with
VMware vCenter
and for the connection status to appear as UP
.You can click the compute manager's name to view the details, edit the compute manager, or to manage tags that apply to the compute manager.
After the
VMware vCenter
is successfully registered, do not power off and delete the NSX Manager
VM without deleting the compute manager first. Otherwise, when you deploy a new NSX Manager
, you will not be able to register the same VMware vCenter
again. You will get the error that the VMware vCenter
is already registered with another NSX Manager
.After a vCenter Server (VC) compute manager is successfully added, it cannot be removed if you successfully performed any of the following actions:
- Transport nodes are prepared using VDS that is dependent on the VC.
- Service VMs deployed on a host or a cluster in the VC using NSX service insertion.
- You use the NSX Manager UI to deploy Edge VMs or NSX Manager nodes on a host or a cluster in the VC.
If you try to perform any of these actions and you encounter an error (for example, installation failed), you can remove the VC if you have not successfully performed any of the actions listed above.
If you have successfully prepared any transport node using VDS that is dependent on the VC or deployed any VM, you can remove the VC after you have done the following:
- Unprepare all transport nodes. If uninstalling a transport node fails, you must force delete the transport node.
- Undeploy all service VMs, all NSX Edge VMs, and all NSX Manager nodes. The undeployment must be successful or in a failed state.
- If anNSX Managercluster consists of nodes deployed from the VC (manual method) and nodes deployed from theNSX ManagerUI, and you had to undeploy the manually deployed nodes, then you cannot remove the VC. To successfully remove the VC, ensure that you re-deploy anNSX Managernode from the VC.
This restriction applies to a fresh installation of
NSX
as well as an upgrade.