VMware NSX 6.3 is here!
NSX 6.3 has just been made generally available and it’s a humongous one. The changes in this version reflect the maturity phase NSX has now reached. Here are my top picks; for the entire list of changes go here.
Controller Disconnected Operation (CDO) Mode
The control plane and data plane in SDN are inherently separated from each other. The control plane can be shut down without affecting the data plane, at least not immediately. Once the control plane is down, no changes can be made, and the data plane devices (in NSX’s case, the ESXi hosts) eventually age out their network information database, which makes the virtual network inaccessible.
The same goes for NSX. It’s pretty unlikely that the NSX Controller Cluster will go down in its entirety, but a network communication break between the NSX Controllers and the ESXi hosts has the same effect as the controllers going down.
CDO introduces a new operational mode that extends the availability of the virtual network. It accomplishes that in two ways:
- ESXi hosts get a new VTEP database called the Global VTEP List, which is essentially a backup cache of VTEP information. When an ESXi host cannot reach the NSX Controller Cluster, it uses the Global VTEP List to determine where to send network traffic.
- NSX Controllers have a configurable delay (default 24 hours) before the VTEP cleanup process runs, so that the disconnected host’s VTEP entries are not aged out and removed from the other ESXi hosts before it returns to working status.
NSX Kernel Modules Now Independent from ESXi Version (also, ESXi 6.5 support!)
Previously, the NSX kernel modules used internal ESXi code to do their jobs, which is why you had to reboot ESXi hosts after removing or updating the NSX functionality. Starting with 6.3, the NSX modules use the public VMKAPI functions, which makes them independent of the ESXi version, so NSX can be compatible with new ESXi versions as they are released (instead of having to wait a few months for NSX to catch up).
Rebootless Upgrades & Uninstalls
One of the benefits this new architecture brings is that the NSX modules can be inserted and removed on the fly. Once your hosts are on 6.3 (on vSphere 6.0 and later; the upgrade to 6.3 itself still needs the reboot, since the old modules are the ones being replaced), you will not have to reboot them for NSX upgrades or uninstalls anymore. This makes upgrades a heck of a lot easier, yay!
Load Balancer – Drain State
Before 6.3, the load balancer in NSX had two states for a real server behind a virtual IP: on or off. This made (web) server upgrades a bit awkward, as disabling a server also cut off the requests it was serving, terminating some sessions hard and affecting users. You can now put a real server into a ‘drain state’, which stops it from receiving new requests but lets the current sessions run out. Eventually the server has no active sessions left and you can do your maintenance on it.
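The maintenance flow described above, as an added example (not code from the original post or from VMware): set one pool member’s condition to drain in the pool document the NSX 6.3 API takes on PUT /api/4.0/edges/{edgeId}/loadbalancer/config/pools/{poolId}, then poll the load balancer statistics until that member reports no sessions. The pool and statistics documents are constructed, the statistics element names (curSessions) and member names are assumptions, and the HTTP calls are left to the caller so the logic runs offline.

```python
"""Drain an NSX Edge LB pool member and wait for it to go idle.

Added example, not from the original post or VMware.  Pool document follows
the NSX pool API; statistics element names (curSessions) are assumed.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Tuple

# The three member conditions the pool API accepts.
VALID_CONDITIONS = {"enabled", "disabled", "drain"}

# Constructed pool document in the shape of the NSX pool API.
POOL_XML = """<pool>
  <poolId>pool-1</poolId>
  <name>web-pool</name>
  <algorithm>round-robin</algorithm>
  <member>
    <memberId>member-1</memberId><ipAddress>10.0.0.11</ipAddress>
    <port>443</port><name>web-01</name><condition>enabled</condition>
  </member>
  <member>
    <memberId>member-2</memberId><ipAddress>10.0.0.12</ipAddress>
    <port>443</port><name>web-02</name><condition>enabled</condition>
  </member>
</pool>
"""


def _stats(web01_sessions: int) -> str:
    """Constructed GET .../loadbalancer/statistics snapshot (names assumed)."""
    return ("<loadBalancerStatusAndStats><pool><name>web-pool</name>"
            f"<member><name>web-01</name><status>UP</status>"
            f"<curSessions>{web01_sessions}</curSessions></member>"
            "<member><name>web-02</name><status>UP</status>"
            "<curSessions>5</curSessions></member>"
            "</pool></loadBalancerStatusAndStats>")


# Three successive polls: web-01 drains from 3 sessions to 0.
STATS_SNAPSHOTS = [_stats(3), _stats(1), _stats(0)]


def member_conditions(pool_xml: str) -> Dict[str, str]:
    """Map member name -> condition (a missing condition means enabled)."""
    root = ET.fromstring(pool_xml)
    return {m.findtext("name"): m.findtext("condition", "enabled")
            for m in root.iter("member")}


def set_member_condition(pool_xml: str, member_name: str, condition: str) -> str:
    """Return the pool document with one member's condition changed.

    Only that element is touched, so a PUT of the result leaves monitors,
    algorithm and the other members exactly as they were.
    """
    if condition not in VALID_CONDITIONS:
        raise ValueError(f"condition must be one of {sorted(VALID_CONDITIONS)}")
    root = ET.fromstring(pool_xml)
    for member in root.iter("member"):
        if member.findtext("name") == member_name:
            cond = member.find("condition")
            if cond is None:
                cond = ET.SubElement(member, "condition")
            cond.text = condition
            return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no pool member named {member_name!r}")


def current_sessions(stats_xml: str, member_name: str) -> int:
    """Read a member's current session count from a statistics snapshot."""
    root = ET.fromstring(stats_xml)
    for member in root.iter("member"):
        if member.findtext("name") == member_name:
            return int(member.findtext("curSessions", "0"))
    raise KeyError(f"no statistics for member {member_name!r}")


def drain_and_wait(pool_xml: str, member_name: str,
                   fetch_stats: Callable[[], str], max_polls: int) -> Tuple[str, int]:
    """Drain a member, then poll until it has no sessions left.

    Returns (pool document to PUT, polls needed).  Raises TimeoutError when
    the member never goes idle, so long-lived sessions get noticed instead
    of being cut off silently.
    """
    drained = set_member_condition(pool_xml, member_name, "drain")
    # Production: PUT `drained` to the pool URL here, then GET statistics
    # (with a sleep) between polls; fetch_stats stands in for that GET.
    for poll in range(1, max_polls + 1):
        if current_sessions(fetch_stats(), member_name) == 0:
            return drained, poll
    raise TimeoutError(f"{member_name} still has sessions after {max_polls} polls")


def demo() -> int:
    """Drain web-01 against the constructed snapshots; returns polls needed."""
    snapshots = iter(STATS_SNAPSHOTS)
    updated, polls = drain_and_wait(POOL_XML, "web-01", lambda: next(snapshots), 5)
    assert member_conditions(updated) == {"web-01": "drain", "web-02": "enabled"}
    return polls


if __name__ == "__main__":
    print("web-01 idle after", demo(), "polls")
```

The timeout is the part worth keeping: a member with sticky or very long-lived sessions may never reach zero on its own, and you want that surfaced rather than falling back to disabling it and getting the hard terminations the drain state was meant to avoid.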
Cross-vCenter DFW Enhancements
The first version of Cross-vCenter NSX supported basic network and security functionality, allowing you to stretch networks and synchronise configuration such as Distributed Firewall rules. The Service Composer and all its glory was not included in the synchronisation, so dynamic security was not part of the Cross-vCenter solution. With 6.3, you can create Universal Security Groups and Universal Security Tags (notice a theme? ;-) ), which are synchronised between all Cross-vCenter enabled environments. You can use those in universal Distributed Firewall rules to build the kind of dynamic security the Service Composer is famous for. The ability to use service insertion is also available again thanks to these changes.
Control Plane Agent Auto-recovery
The Control Plane Agent (netcpa) runs on each ESXi host and maintains an SSL-encrypted connection with the NSX Controllers to exchange network information (such as the VTEP tables) so that the host knows where to send the traffic its VMs generate. Without netcpa, changes to the virtual network are not propagated to the ESXi hosts where the service is on the fritz.
It already had a watchdog to make sure it kept running, and that watchdog has been significantly improved in 6.3. New functionality monitors the integrity of the netcpa service: whether it is functioning properly and not frozen or doing something it is not supposed to. The improved watchdog maintains a heartbeat with netcpa and restarts the netcpa service whenever it does not handle that heartbeat properly.
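The host side of both the controller disconnect the CDO section talks about and the netcpa health this section talks about is visible in the host’s TCP table: netcpa keeps one session per controller on port 1234. The following is an added example, not code from the original post or from VMware, that parses `esxcli network ip connection list` output and reports which controllers the host is not talking to. The esxcli output and the controller addresses are constructed; in practice the controller list comes from the NSX Manager.

```python
"""Which NSX Controllers does this ESXi host have a control-plane session with?

Added example, not from the original post or VMware.  Parses constructed
`esxcli network ip connection list` output; controller addresses are assumed.
"""
import re
from typing import Dict, Iterable, List

CONTROLLER_PORT = 1234  # netcpa -> NSX Controller
ASSUMED_CONTROLLERS = ["192.168.10.51", "192.168.10.52", "192.168.10.53"]

# Constructed esxcli output: two controller sessions are up, the third is
# stuck in SYN_SENT; the vsfwd -> NSX Manager (5671) and SSH listener rows
# are there to show the port filter ignores them.
ESXCLI_OUTPUT = """\
Proto  Recv Q  Send Q  Local Address        Foreign Address      State        World ID  CC Algo  World Name
-----  ------  ------  -------------------  -------------------  -----------  --------  -------  -------------
tcp         0       0  192.168.10.21:41688  192.168.10.51:1234   ESTABLISHED  66012     newreno  netcpa-worker
tcp         0       0  192.168.10.21:41690  192.168.10.52:1234   ESTABLISHED  66012     newreno  netcpa-worker
tcp         0       0  192.168.10.21:41702  192.168.10.53:1234   SYN_SENT     66012     newreno  netcpa-worker
tcp         0       0  192.168.10.21:56310  192.168.10.10:5671   ESTABLISHED  66020     newreno  vsfwd
tcp         0       0  0.0.0.0:22           0.0.0.0:0            LISTEN       0         newreno  busybox
"""

# One TCP row: proto, recv-q, send-q, local address, foreign host:port, state.
_ROW = re.compile(
    r"^tcp\s+\d+\s+\d+\s+\S+\s+(?P<host>\S+):(?P<port>\d+)\s+(?P<state>[A-Z_]+)", re.M)


def controller_sessions(esxcli_output: str, port: int = CONTROLLER_PORT) -> Dict[str, str]:
    """Map peer address -> TCP state for every connection to `port`."""
    return {m.group("host"): m.group("state")
            for m in _ROW.finditer(esxcli_output) if int(m.group("port")) == port}


def missing_controllers(esxcli_output: str, expected: Iterable[str]) -> List[str]:
    """Controllers without an ESTABLISHED session; an empty list means all good."""
    sessions = controller_sessions(esxcli_output)
    return sorted(c for c in expected if sessions.get(c) != "ESTABLISHED")


def control_plane_state(esxcli_output: str, expected: Iterable[str]) -> str:
    """'ok', 'degraded' (some controllers missing) or 'disconnected' (all).

    'disconnected' is the case CDO mode covers: the host keeps forwarding
    from its Global VTEP List until a controller session comes back.
    """
    expected = list(expected)
    missing = missing_controllers(esxcli_output, expected)
    if not missing:
        return "ok"
    return "disconnected" if len(missing) == len(expected) else "degraded"


if __name__ == "__main__":
    print(controller_sessions(ESXCLI_OUTPUT))
    print("missing:", missing_controllers(ESXCLI_OUTPUT, ASSUMED_CONTROLLERS))
    print("state:", control_plane_state(ESXCLI_OUTPUT, ASSUMED_CONTROLLERS))
```

On the host itself the input comes from `esxcli network ip connection list`, and the agent’s own process state from `/etc/init.d/netcpad status`. A host with no ESTABLISHED session to any controller is exactly the situation the CDO mode and the improved netcpa watchdog are meant to cover; a host that is only degraded has lost a subset of the controllers and the logical switches sliced to them.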
One More Thing..
Well, a lot more things, actually. Check out the entire list here: VMware NSX 6.3 Release Notes
Updated 22:13 PST: Updated “(almost) available” to “available” !
Great article, one correction – Service Composer does not support universal object groups yet. You can now create universal service groups with dynamic inclusion and use them in the firewall policy, so long as that is not performed within service composer.