NC2 Azure

Question 1

Is Nutanix ssh keys created in the same resource group as Nutanix cluster?

Answer 1

No ssh keys are in a separate resource groups to allow customers to use same keys for multiple clusters

Question 2

You have an issue with Nc2 azure deployment and you want to see all the resources that were created so far where do you check

Answer 2

Azure Subscription name -> Resources blade

Question 3

Where is Prism Central deployed and where is Nutanix nodes deployed and how they can communicate

Answer 3

Prism Central is deployed on to a subnet in a separate vnet and PE is deployed into a subnet that is present in a different vnet, the vnets are peered which allows them to communicate with each other.

Question 4

How does PC and PE reach internet what is required for them to reach internet

Answer 4

Both PE and PC needs a NAT gateway in their respective vnets. The NAT gateway also requires a public ip to be assigned so it can reach the internet.

Question 5

Where is flow gateway installed.

Answer 5

Flow gateway is installed in the same virtual network as Prism Central but in a different subnet than Prism Central VM.

Question 6

Explain how MCM interacts with PE to deploy Prism Central which services should you look at when there is a trouble

Answer 6

MCM talks to cluster-agent leader in PE. We can find the leader by checking which CVM systemctl status cluster-agent, one of the CVMs will host the cluster-agent leader. This will then talk to the genesis leader via Infra-gateway service, this is how a Prism Central deployment will be triggered in NC2 Azure

Question 7

Where are the two interfaces on FGW connected to

Answer 7

Both FGW interfaces will be connected to Azure subnet. External NIC will be connected to the subnet that will carry north south user vpc traffic. Internal interface will be connected to another subnet where only FGW has a nic, no other Nutanix devices will be connected

Question 8

why do you need to use transit vpc, compare it with on-prem env

Answer 8

In on-prem user vpc’s get external connectivity via a Vlan network but in Azure we cannot have a regular Azure network connected since the nutanix nodes are all in a delegated subnet. We use transit vpc which is spawns between the flow gateway running in regular Azure subnets and Nutanix nodes which run in delegated subnets. The packet will be carried over from delegated subnet to an interface assigned to FGW VM that runs in regular Azure subnet.

Question 9

What is the use of clusters upgrader

Answer 9

This will take care of upgrading clusters components like infra gateway, clusters-agent and host-agent.

Question 10

Where does an Azure node get the ip addresses to use from?

Answer 10

Instance metadata that is injected into the node when it boots up will contain CVM ip, AHV ip and uuid to use etc… This information comes from MCM to Kristitel in Azure

Question 11

how can you expose prism central to external world with nc2

Answer 11

Hub vnet peering should allow the local on-prem PC to access the Azure PC.

Question 12

how do you find the compatible aos version for aws or Azure cloud

Answer 12

check release notes

Question 13

Vnet peering is it unidirectional or bi-directional

Answer 13

Vnet peering should be bi-directional, else communications could be blocked.

Question 14

Is the NAT gateway per subnet or per vnet

Answer 14

It is per vNet and we can add the subnet routes

Question 15

How does the traffic from UVM vnic flow through the bridges to external world

Answer 15

UVMs vnics are connected to br0.local bridge like on-prem, they flow through bridge chain and will end up on the br0-uvms bridge, from there they will move to br0-azure bridge and then via an uplink it will reach external world

Question 16

If customer wants to access vms inside a NC2 Azure cluster from their on-premises, what needs to be done

Answer 16

Customer will connect their express route or vpn via hub vnet to Azure, for For No-Nat networks they have to set the next hop route on the hub vnet for the no-nat network to fgw external nic.
For NAT network

Question 17

What are the use of Floating IPs in NC2 Azure

Answer 17

Floating ips are used to talk to a VM inside an NC2 Azure overlay NAT network from external clients. NAT only takes care of outbound connectivity but when a call is initiated from an external client to the NC2 Azure vm we need floating ips similar to a port forwarding in our home routers

Question 18

Does PE and PC comms from on-prem clusters go via flow gateway

Answer 18

No they are on delegated subnets they will be going from hub vnet straight into the delegated subnets

Question 19

What is the use of overlay network

Answer 19

Overlay network is used to transport network traffic over a tunnel to another host, these packets otherwise cannot traverse due to the network not existing physically. These networks only exist inside the hosts that are part of the overlay network, the physical networking equipment doesn’t know anything about the existence of these networks.

Question 20

Why do we need overlay networks in Azure

Answer 20

Azure AHV hosts are deployed into a delegated subnet meaning, the traffic exiting AHV hosts should have ip address in the delegated subnet range. Since delegated subnets lack a lot of features we need to make sure the Azure NC2 vms are transported to another vm (flow gateway) that is present in regular Azure subnet where all the features like network security groups etc… can be used. In order to move the vm traffic packets to the flow gateway vm we need to make use of Overlay networks where the original ip packet is encapsulated into ip packet in the delegated subnet range

Question 21

What is the use of transit vpc and compare it with regular vpc

Answer 21

Regular vpcs exist only within the AHV hosts, but in Azure we need to move the packets from delegated subnet into a regular Azure network so we create a vm called flow gateway vm in regular Azure network and make the transit vpc spawn between delegated and regular Azure network

Question 22

What is required for regular vpc to route traffic north south in NAT environment

Answer 22

Regular on-prem vpcs get connectivity outside by connecting to a vlan network. In Azure due to limitations we need to send the packets to flow gateway vm. But the flow gateway vm has nics in regular Azure network not in delegated subnet so we create an overlay network named OEN NAT network by default.

Question 23

How do you connect to FGW vm

Answer 23

Get the FGW key from customer
SSH to PC VM
SSH from PC VM to FGW’s public subnet ip (Find the public subnet in NC2 support admin) using the provided key

Question 24

Where is the storage account created for storing frame gateway vm image

Answer 24

It is created in a separate resource group than the one chosen by customer during deployment