This morning I gave an internal presentation to my colleagues about upgrading vCloud Networking & Security (vCNS) to NSX, including vCloud Director (vCD), as there are still quite a few customers that need to follow up on this. In this article, you can find my remarks and key takeaways that might assist you in performing the upgrade without any hassle.
Rest in Peace
Since last September, vCNS has been “end-of-life”. Or in official terms: EOA (End of Availability) and EOGS (End of General Support).
If you’re still running vCNS and issues arise in your environment, it’s nearly impossible to get support. That is, unless you’re a big company that doesn’t mind spending top dollar to get special support.
To prevent you from ending up in this situation, an upgrade of vCNS to NSX will make your life a lot easier. However, some environments can be pretty complex, especially if you introduce (third-party) integrated pieces of software.
Over the last few weeks I have been busy with some customers that wanted to upgrade and were sized between 25 and 1.300 hosts. Being bigger doesn’t necessarily mean it’s more complex. Depending on the number of software integrations, use of features and even maintenance windows, an upgrade can be very easy or pretty hard.
Looking at the upgrade from a high-level perspective, it’s pretty straightforward:
- Upgrade software that integrates with vCNS (including vCloud Director)
- Upgrade vCNS to NSX
- Upgrade vShield Edges to Edge Services Gateways (ESGs)
- Upgrade VIBs (vCNS to NSX VIBs)
The most important part of this is that you maintain compatibility between all of your products, both third-party and VMware-based. The VCG (VMware Compatibility Guide) really helps, as you can select all the VMware-based product versions you want to go to and see if they can work together.
For third-party software it’s best to reach out to the vendor and verify compatibility.
Known issues and bugs
Next, it’s important to read the release notes of the versions you will deploy to check for any known issues or special instructions.
Before you upgrade, make sure you have a rollback plan ready. The more rollback points you have, the better. To get an idea of what types of rollbacks you can perform, have a look at the following bullets:
- VM Snapshots (if the VM supports this and doesn’t crash the application)
- Configuration backup/export (vShield Manager, NSX Manager)
- VM Backup (Using your daily backup software)
- Database dumps (vCenter database, vCloud Director database)
Test and benchmark
If you can, perform the upgrade in a test environment first. If you know which products and versions you are running now, just deploy them in your test environment and perform the same upgrade as you will in production. Record the timings (how long does each step take?) and verify that the documented upgrade steps are correct.
Using this method, you can prevent many issues and perform troubleshooting in the test environment instead of in production.
- NSX Manager requires additional vCPUs and RAM. At the time of writing, 4 vCPUs and 12GB of RAM. So make sure you make these changes before upgrading vShield Manager
- If you’ve upgraded vShield Manager a couple of times, you could be running it with an E1000 NIC right now. If this is the case, a redeploy and import of the configuration on a fresh NSX Manager (which has a VMXNET3 adapter) is advisable
- Firewall requirements of NSX Manager differ from vShield Manager. Make sure the required ports are open between all components
- For Unicast and Hybrid replication modes, distributed logical routing and ARP suppression, you need NSX Controllers (3). Make sure your cluster is big enough and resources are available
- Make sure your NSX license covers all features you currently use in vCNS. IPsec and SSL VPN are currently not covered in the advanced edition of NSX and require an enterprise license
- Make sure there is enough disk space on the / partition of your vCloud Director cells before upgrading
- After upgrading vCNS to NSX, don’t upgrade any vShield Edges yet as they will be unmanageable by vCloud Director. First upgrade vCloud Director to support the version of NSX you are deploying
- Make yourself a pretty maintenance page to which you can redirect users while you are performing the upgrade. The maintenance mode in vCD only shows a “page cannot be opened or displayed” warning, which is not very user friendly
- VCDNI networks should be replaced by VXLAN networks. This can be done manually, but in future releases of vCloud Director this might be done in a more automated way
A whitepaper written by Tomas Fojta that describes the upgrade of vCNS to NSX, including vCloud Director, can be found here.