NSX – Edge Service Gateway (Basics)

Deploying an ESG (Edge Service Gateway) starts off in the same way as a DLR (see my DLR basics post). The ESG is the next layer above a DLR and acts as the perimeter to the “real” world. The ESG provides tonnes of functionality and this is were I found the biggest leap from being a traditional VMware infrastructure (think vCenter, ESXi, VSAN, dvS, dvPortgroups, VMs etc. etc.) to becoming an SDDC engineer.

The ESG can do the following (I’m hoping to break all these functions down into posts over the next few months):

  • Firewall – Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for all protocols.
  • NAT – Separate controls for Source and Destination IP addresses, as well as port translation.
  • DHCP – Configuration of IP pools, gateways, DNS servers, and search domains.
  • Site-to-Site Virtual Private Network (VPN) – Uses standardized IPsec protocol settings to interoperate with all major VPN vendors.
  • L2 VPN – Provides the ability to stretch your L2 network.
  • SSL VPN-Plus – SSL VPN-Plus enables remote users to connect securely to private networks behind a NSX Edge gateway.
  • Load Balancing – Simple and dynamically configurable virtual IP addresses and server groups.
  • High Availability – High availability ensures an active NSX Edge on the network in case the primary NSX Edge virtual machine is unavailable.

Let’s get down to business… Web Client > Networking & SecurityNSX Edges, once here click the green cross:



From this screen we can deploy a Edge Service Gateway or Logical (Distributed) Router, there is then a set of options for us to complete:

Name – The name of the DLR to be deployed (and the VM name if you also deploy a control VM)
Hostname – I have always configured this to be the same as the name
Description – A better engineer would put something helpful and descriptive here (I’ve left it blank)
Tenant – This is an interesting one… there is not built in tenancy within NSX manager, this is either here for the use of a CMS or there is a new feature coming (hopefully the second option)
Deploy NSX Edge – Select this option to create a new NSX Edge in deployed mode. Appliance and interface configuration is mandatory to deploy the NSX Edge.
Enable High Availability – Enable HA, for enabling and configuring High Availability.

Once this is all filled in click next:


ESG username, password and logging level to be completed then hit next, the next screen is looking for some info around the appliance that has to be deployed, click the green cross…


A new window will pop up asking for:

  • Cluster/Resource Pool
  • Datastore
  • Host
  • Folder

Next step is to configure interfaces for the NSX Edge (this is the first step that is different from deploying a DLR):


Click the green cross and fill in the following:

Name: Name of the interface being created.
Type: Internal or Uplink – Internal interfaces should connect to Logical Switches and Uplinks should connect to the “real” network.
Connected To: Select the Logical Switch, Standard Portgroup or Distributed Portgroup to connect this interface to.
Green cross to give the interface an IP address
MAC Address: You can specify a MAC address or leave it blank for auto generation. In case of HA, two different MAC addresses are required.
MTU: Specify the MTU size for this interface
Options – Enable Proxy ARP – Supports overlapping network forwarding between different interfaces.
Options – Send ICMP Redirect – Conveys routing information to hosts.
Reverse Path Filter (Enabled/Disabled): This is a technique used to ensure loop-free forwarding of multicast packets in multicast routing and to help prevent IP address spoofing in unicast routing.
Fence Parameters: Configure fence parameters if you want to reuse IP and MAC addresses across different fenced environments. For example, in a cloud management platform (CMP), fencing allow you to run several cloud instances simultaneous with the same IP and MAC addresses completely isolated or “fenced.”


Once you have created your interfaces click ok and then next, next screen is the ESG Default Gateway configuration:


Once this is configured click next, next up is the Firewall and HA settings. Each ESG has a built in firewall (separate from the distributed firewall that we will cover later):


During initial config or testing I tend to configure the default traffic policy to accept everything. Once this is set, click next check over your settings and click finish.

One comment

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.