Scope of work - Build New SDDC Using NSX Design


This does not include building Workspaces. If the customer wants a Workspaces deployment in addition to the Software Defined Datacenter (SDDC) setup, it will add $4,000 per the Quick Start.

An SDDC is created when the networking, and frequently the storage, are no longer provided by physical devices. Instead, they are decoupled from the physical layer and delivered as software-defined virtual devices. Using these virtual network devices, the administrator can create a new tenant Workspace in which new virtual servers are provisioned and then connected to the network.

The purpose of this task is to design, create, and configure a working SDDC for the customer using VMware NSX for vSphere. Once the SDDC is complete, the customer will be able to connect virtual servers to logical switches, which connect to a virtual router (the Distributed Logical Router) or to the virtual firewall (the Edge Services Gateway), and from there to the internet. More advanced configurations can include virtual load balancers, DHCP servers, DHCP relays, and micro-segmentation using the Distributed Firewall (DFW).

Scope of Work

The following prerequisites must be in place before work begins:

  • Design diagram has been created and presented to customer. Customer must approve design prior to work moving forward.
  • Private Cloud has been deployed with vSphere 6.5 and NSX installed.
  • Physical networking is completed with a port group presented to vCenter which allows public internet traffic to the external interface of the Edge Services Gateway (ESG). Details will be in the design diagram.
  • Successful access to vCenter is confirmed per the NSX design diagram. This should be configured by the cloud network team. The network must allow port 443 for API access, plus all known vSphere ports required for the customer's administrative access.
  • Storage volumes are connected, or if vSAN is used the storage is available for use.
  • Windows Server 2012 and 2016 templates have been copied to the environment so that VMs can be created during the process.

After prerequisites are met Neverfail will:

  • Validate that all prerequisite settings are in place.
  • Install the ESG firewall and connect its public (uplink) interface to the assigned vCenter port group.
  • Install the Distributed Logical Router (DLR) device and connect it to the ESG per the network design.
  • If required, deploy both the ESG and the DLR as HA pairs for redundancy.
  • Set up a DHCP scope on the ESG and a DHCP relay on the DLR.
  • Create base firewall rules on the ESG, plus the needed DNAT and SNAT rules.
  • Create a logical switch for initial test virtual machine connectivity.
  • Validate initial connectivity to the internet and to vCenter from the ESG and DLR CLI.
  • Install test VMs from the templates.
  • Test internet connectivity and vCenter connectivity from a test VM and adjust the ESG and DFW rules as needed to allow proper connectivity.

Neverfail will provide up to two (2) hours of basic training on the use of NSX devices:

  • Demonstrate use of ESG firewall, DHCP, NAT, VPN, and Load Balancer.
  • Show customer how to create a virtual switch.
  • Cover the use of the Distributed Logical Router, the firewall, and DHCP relay.
  • Demonstrate the Distributed Firewall and how to create rules.
  • Review Flow Monitoring.

Acceptance Criteria

  • Two test VMs have been created from template.
  • An Edge Services Gateway (ESG) device has been created.
  • A Distributed Logical Router (DLR) has been created and connected to an interface on the ESG.
  • If required, both the ESG and the DLR are configured as HA pairs and failover has been demonstrated.
  • A Logical Switch has been created, an interface on the DLR is connected to it, and both test VMs are attached to it and are able to reach the public network.
  • A second Logical Switch has been created with one test VM attached to it, and that VM can communicate with the internet.
  • Distributed Firewall (DFW) rules have been created and micro-segmentation has been demonstrated using the two test VMs.
  • Test VMs have been validated as receiving DHCP-assigned addresses through the DHCP relay.
  • Two (2) hours of training have been completed teaching the customer how to:
    • Create devices - Logical Switches, DLR, and ESG
    • Connect VMs to switches
    • Create firewall rules on the ESG to control North/South traffic
    • Create firewall rules on the DFW to control East/West traffic via micro-segmentation
    • Use the DHCP relay and the ESG DHCP function
    • Review services, service groups, IPsets, and other group objects
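
The following is an added worked check, not part of Neverfail's procedure or this scope document. It is a PowerShell script run on each Windows Server test VM that records a pass/fail row for the connectivity, DHCP relay and DFW items listed under "After prerequisites are met" and under Acceptance Criteria. The vCenter name, the peer test VM's address and the public host are placeholder assumptions; the DFW demonstration works by running it once before the deny rule is published and once after with -DfwBlockActive.

```powershell
# Added acceptance check, not part of Neverfail's procedure: run on each Windows
# Server test VM (elevated PowerShell 5.1) after the DLR DHCP relay, ESG NAT and
# firewall rules are in place. Records one pass/fail row per acceptance item.
# The parameter defaults are placeholders assumed for this example.
param(
    [string]$VCenter    = 'vcenter.example.internal',  # assumed: customer vCenter FQDN
    [string]$PeerVm     = '10.10.20.11',               # assumed: the other test VM's address
    [string]$PublicHost = 'www.vmware.com',            # assumed: any reachable public HTTPS host
    [switch]$DfwBlockActive                            # set after the DFW deny rule is published
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. DHCP relay: the IPv4 address must originate from DHCP. A hand-set static
#    address would pass every connectivity test below but fail this one, which is
#    the only item that proves the DLR relay is forwarding to the ESG scope.
$ip = Get-NetIPAddress -AddressFamily IPv4 |
      Where-Object { $_.InterfaceAlias -notlike 'Loopback*' -and $_.AddressState -eq 'Preferred' } |
      Select-Object -First 1
Add-Result 'DHCP-assigned address' ($ip.PrefixOrigin -eq 'Dhcp') `
           "$($ip.IPAddress)/$($ip.PrefixLength) origin=$($ip.PrefixOrigin)"

# 2. Default gateway: the next hop should be the DLR interface on this logical switch.
$gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 | Select-Object -First 1).NextHop
Add-Result 'DLR gateway reachable' (Test-Connection -ComputerName $gw -Count 2 -Quiet) $gw

# 3. North/South through the ESG SNAT rule: TCP 443 to a public host.
$inet = Test-NetConnection -ComputerName $PublicHost -Port 443 -WarningAction SilentlyContinue
Add-Result 'Internet TCP/443 via ESG' $inet.TcpTestSucceeded "$PublicHost -> $($inet.RemoteAddress)"

# 4. vCenter on 443, per the prerequisite that API and admin access are open.
$vc = Test-NetConnection -ComputerName $VCenter -Port 443 -WarningAction SilentlyContinue
Add-Result 'vCenter TCP/443' $vc.TcpTestSucceeded "$VCenter -> $($vc.RemoteAddress)"

# 5. East/West: before the DFW deny rule the peer test VM must answer; after it is
#    published (-DfwBlockActive) the same probe must fail. The two runs together are
#    the micro-segmentation demonstration.
$peerUp = Test-Connection -ComputerName $PeerVm -Count 2 -Quiet
if ($DfwBlockActive) {
    Add-Result 'DFW blocks peer VM' (-not $peerUp) "$PeerVm reachable=$peerUp (expected blocked)"
} else {
    Add-Result 'Peer VM reachable (pre-DFW)' $peerUp "$PeerVm reachable=$peerUp"
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

For the pre-DFW baseline to pass, the peer VM's Windows Firewall must allow inbound ICMPv4 (the "File and Printer Sharing (Echo Request)" rule); otherwise a guest firewall, not the DFW, is what blocks the probe and the demonstration proves nothing.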