Three Tips to Succeed at an HCX Connector Deployment

At first glance, HCX seems remarkably simple to deploy, especially if you migrate to a VMware Cloud environment. The cloud provider does the network configuration and target-side HCX deployment for you, reducing the heavy lifting for your infrastructure engineers. While this is true, there is much more to successfully deploying HCX on-premises than downloading an appliance and powering it on. In reality, engineers deploying HCX Connector must consider three key steps before starting to avoid bottlenecks in the configuration. We will address these in the order in which you would experience issues with each step.


HCX terminology can be a little confusing. We will define some of the terms for clarity. It’s easiest if everyone is on the same page!

Target Site: The cloud environment where we will migrate VMs. Examples include VMware Cloud on AWS, Azure VMware Solution, and Google Cloud VMware Solution.

Source Site: The VMware environment where VMs currently reside. Typically, this is an on-premises environment, but it can be any VMware deployment, even a VMware cloud.

HCX Connector: The virtual appliance installed at the source site. It can create an outbound connection to an HCX target site.

Site Pairing: A general connection between a Source Site and Target Site.

Network Profile: A configuration defining networks used for uplink, management, and vMotion.

Compute Profile: A configuration defining ESXi clusters and network profiles to use when creating a Service Mesh.

Service Mesh: A more specific configuration between a source and target site, defining services available for migration.

Consider the Proxy Server

The very first thing that can stall an HCX Connector deployment is a proxy requirement. Many enterprise environments block internet access on vSphere management VLANs. HCX depends on internet access to activate the license during deployment and must have constant access to the VMware hybridity depot to check licensing entitlements. If you don’t have public internet access for the HCX Connector, it won’t activate, and you will be stuck at the first configuration step.

Assuming there is an established proxy, you configure it in the HCX Connector administrator console. Instead of going through the HCX configuration wizard, click on the Administration tab. On the left, choose Network Settings > Proxy and configure the proxy server.

Aside from the standard proxy settings, there is an exclusions area. Traffic to any IP addresses, CIDR blocks, and FQDNs in this field will not travel through the proxy. We must fill in this field and, at a minimum, include the VMware management network, the vMotion network, and the networking for the target site. If it is left blank, all HCX Connector traffic will be sent to the proxy, and the Connector won't be able to communicate with local resources.
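A pre-flight check for the exclusions list described above, as an added example that is not part of the original article or of HCX itself. The addresses and hostnames are constructed samples, and the matching rules (CIDR containment, exact case-insensitive FQDN match) are an assumption of this sketch, not documented HCX behavior.

```python
import ipaddress

# Constructed sample plan: destinations that must bypass the proxy, grouped by role.
REQUIRED = {
    "management": ["10.10.0.0/24", "vcenter.corp.example.com"],
    "vmotion": ["10.10.20.0/24"],
    "target site": ["10.200.0.0/16"],
}
# Constructed sample of what an engineer plans to type into the exclusions field.
EXCLUSIONS = ["10.10.0.0/16", "vcenter.corp.example.com", "10.200.0.0/24"]


def parse_exclusions(entries):
    """Split exclusion entries into IP networks and lowercase FQDNs."""
    networks, fqdns = [], set()
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            # A bare IP address parses as a single-host network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            fqdns.add(entry.lower().rstrip("."))
    return networks, fqdns


def is_excluded(dest, networks, fqdns):
    """True if dest (IP, CIDR block or FQDN) is fully covered by the exclusions.

    Assumption: CIDR containment for addresses, exact match for FQDNs.
    """
    try:
        net = ipaddress.ip_network(dest.strip(), strict=False)
    except ValueError:
        return dest.strip().lower().rstrip(".") in fqdns
    return any(net.version == n.version and net.subnet_of(n) for n in networks)


def proxied_destinations(required, exclusions):
    """Return (role, destination) pairs that would still be sent to the proxy."""
    networks, fqdns = parse_exclusions(exclusions)
    return [(role, dest)
            for role, dests in required.items()
            for dest in dests
            if not is_excluded(dest, networks, fqdns)]


if __name__ == "__main__":
    for role, dest in proxied_destinations(REQUIRED, EXCLUSIONS):
        print(f"NOT excluded, would go through the proxy: {role} -> {dest}")
```

In the sample plan, the target site entry is narrower than the network it is meant to cover, so the check flags it before the Service Mesh is built.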

Preplan Network Profiles

Once the HCX Connector is licensed, we have to set up the source site configuration. We must configure Network Profiles to instruct the Service Mesh about which networks to use for uplink, management, vMotion, and replication. I will deep-dive into Network Profiles in another article. For now, know that Network Profiles often cause an HCX migration to stall for a day while they are planned. Figuring these out early will save time during the process.

A Network Profile requires a distributed port group or NSX segment, an IP range with some IP addresses available on that port group or segment, and the default gateway. Planning this information before you start will speed up the process of configuring the Service Mesh.

Open Firewall Ports Early

Last but not least, we must consider the firewall. After the Network and Compute Profiles are set, you can create a Service Mesh. As part of the Service Mesh wizard, there is a list of firewall ports that we must open to allow communications between appliances and establish the IPSec tunnels. VMware publishes the list of ports at

Those are my three tips for overlooked settings that can speed up your HCX Connector deployment and configuration. If you have any questions or other tips you feel I missed, please contact me on Twitter at @ThomTalksTech.
