Add "DISTRIBUTED_ONLY" deployment mode support to NSX-T Edge Gateway #1300

Merged
merged 9 commits into from
Aug 20, 2024

Collaborator

@Didainius Didainius commented Aug 5, 2024

Closes #1299

This PR adds a new field, deployment_mode, that supports two values: ACTIVE_STANDBY (the default, the way the edge gateway always worked) and DISTRIBUTED_ONLY. A new feature of VCD 10.6.

NON-DISTRIBUTED Edge Gateway

Edge Gateways (backed by Tier-1 NSX GWs) can now also be deployed in the Distributed only mode without the SR (services router) component. In such a case the Tier-1 GW does not provide services that run on SR such as firewalling, NAT, VPN, DNS forwarding or static routes. The distributed nature guarantees high N/S data throughput (no hairpinning of traffic to a single edge node running the active SR component). Load balancing, rate limiting or DHCP service in network mode is still supported. The other use case besides performance is to limit the NSX licensing costs.

Edge Gateway in NON_DISTRIBUTED mode supports only a small subset of configurations. The error is not completely clear, therefore there is an additional effort to make the error clearer if it matches the error for known resources that fail.

Error: [nsx-t firewall create/update] error creating NSX-T Firewall Rules: error setting
NSX-T Firewall: error in HTTP PUT request: ACCESS_TO_RESOURCE_IS_FORBIDDEN - [
19-2024-08-05-15-02-04-250--9e6beec5-5b47-4797-ab0d-162fed8d1401 ] Either you need some or
all of the following rights [ORG_VDC_GATEWAY_VIEW_FIREWALL] to perform operations
[GATEWAY_VIEW_FIREWALL_NSX_T] for 5f1fc518-865a-4c43-8b13-408c11ed8c06 or the target entity
is invalid.

to

│ Error: error setting NSX-T Firewall: error in HTTP PUT request: ACCESS_TO_RESOURCE_IS_FORBIDDEN - [ 19-2024-08-06-11-14-20-775--09cd9edc-5d2f-458d-9a98-608a3d178004 ] Either you need some or all of the following rights [ORG_VDC_GATEWAY_VIEW_FIREWALL] to perform operations [GATEWAY_VIEW_FIREWALL_NSX_T] for ccf22499-c009-47ab-9472-a05dfba80391 or the target entity is invalid.
│ 
│ vcd_nsxt_firewall cannot be configured on DISTRIBUTED_ONLY NSX-T Edge Gateway
│ 
│   with vcd_nsxt_firewall.testing,
│   on vcd.TestAccVcdNsxtEdgeGateway.tf line 52, in resource "vcd_nsxt_firewall" "testing":
│   52: resource "vcd_nsxt_firewall" "testing" {

Tested on 10.4.0 and 10.6.0 (nsxt tag)
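The error clarification described in the PR description above, sketched as an added Go example (not the provider's own code). The helper `AddDistributedOnlyHint`, the sentinel `ErrUnsupportedOnDistributedOnly` and the deployment-mode check are assumptions, and the sample error is constructed; the hint is appended only for a DISTRIBUTED_ONLY gateway so a genuine missing-rights error elsewhere is left untouched.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Deployment modes named in the PR description.
const (
	ModeActiveStandby   = "ACTIVE_STANDBY"
	ModeDistributedOnly = "DISTRIBUTED_ONLY"
	// API error code seen in the PR's sample output.
	forbiddenCode = "ACCESS_TO_RESOURCE_IS_FORBIDDEN"
)

// ErrUnsupportedOnDistributedOnly is a hypothetical sentinel for errors.Is checks.
var ErrUnsupportedOnDistributedOnly = errors.New("not configurable on DISTRIBUTED_ONLY edge gateway")

// hintedError keeps the original API error intact and appends the hint.
type hintedError struct {
	cause    error
	resource string
}

func (e *hintedError) Error() string {
	return fmt.Sprintf("%v\n\n%s cannot be configured on %s NSX-T Edge Gateway",
		e.cause, e.resource, ModeDistributedOnly)
}
func (e *hintedError) Unwrap() error        { return e.cause }
func (e *hintedError) Is(target error) bool { return target == ErrUnsupportedOnDistributedOnly }

// AddDistributedOnlyHint (hypothetical helper) appends the hint only when the
// API refused access AND the gateway is DISTRIBUTED_ONLY. On any other gateway
// the same error code most likely means a real rights problem, so the error is
// returned unchanged rather than masked by a misleading hint.
func AddDistributedOnlyHint(err error, resource, mode string) error {
	if err == nil || mode != ModeDistributedOnly || !strings.Contains(err.Error(), forbiddenCode) {
		return err
	}
	return &hintedError{cause: err, resource: resource}
}

func main() {
	// Constructed sample error, shortened from the output in the PR description.
	apiErr := errors.New("error setting NSX-T Firewall: error in HTTP PUT request: " + forbiddenCode + " - [ constructed-request-id ]")
	fmt.Println(AddDistributedOnlyHint(apiErr, "vcd_nsxt_firewall", ModeDistributedOnly))
}
```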

@Didainius Didainius marked this pull request as ready for review August 6, 2024 06:00
@Didainius Didainius marked this pull request as draft August 6, 2024 06:18
Signed-off-by: Dainius Serplis <[email protected]>
@Didainius Didainius marked this pull request as ready for review August 6, 2024 08:42
Collaborator

@adambarreiro adambarreiro left a comment

Quick scan

go.mod (outdated, resolved)
vcd/remove_leftovers_test.go (resolved)
Collaborator

@lvirbalas lvirbalas left a comment

I can't seem to find docs for this feature in the PR :)

Signed-off-by: Dainius Serplis <[email protected]>
@Didainius
Collaborator Author

I can't seem to find docs for this feature in the PR :)

Indeed. Added

Signed-off-by: Dainius Serplis <[email protected]>
Collaborator

@lvirbalas lvirbalas left a comment

Just a tiny polish comment.

website/docs/r/nsxt_edgegateway.html.markdown (outdated, resolved)
Signed-off-by: Dainius Serplis <[email protected]>
Signed-off-by: Dainius Serplis <[email protected]>
@Didainius Didainius merged commit bc736a9 into vmware:main Aug 20, 2024
3 checks passed
@Didainius Didainius deleted the distributed-only-edge branch August 20, 2024 07:02
Successfully merging this pull request may close these issues.

vcd_nsxt_edgegateway with distributed only