From YouTube: vSphere Integrated Containers (VIC) Networking with NSX
Description
In this demo presentation, Patrick Daigle provides an overview of NSX networking for vSphere Integrated Containers.
So, let's get right to it. In the native Docker world, Docker implements this bridge network that's internal to the Docker host and that acts as a way to connect the containers together, connect the containers with the host, and expose services to the outside world, and we mimic this behavior with vSphere Integrated Containers. Now, vSphere Integrated Containers has this special way of instantiating the container images, where each container image gets instantiated inside of its own VM.

So we actually use a vSphere port group to mimic the Docker bridge. Because this Docker bridge needs to be isolated, because we reuse the default network range that Docker uses, the 172.16/12, we need a way to isolate this traffic in the vSphere environment, and there are two ways you can do that. With a regular port group, you can use a VLAN to isolate this traffic and create different bridge port groups for each of your individual container hosts.
So we start with an existing vSphere environment. In this environment, I have a compute cluster that I will be using for my virtual container host, so the virtual container host will get deployed on this compute cluster, and then all of the container VMs will get deployed across this cluster as well, using DRS for initial placement. I've deployed a couple of VMs here: I have a Linux workstation that I'm using as my Docker client, and I have the vSphere Integrated Containers OVA that I've already pre-deployed. You can see that I have a second cluster. This is my management cluster, where I've pre-deployed and pre-configured most of the NSX constructs that we're going to use throughout this example.
So, first, let's go into the NSX management tab, and this is where we will be able to set up the necessary bridge networking that we will use with the vSphere Integrated Containers container host. So the first thing you need to do is head over to your transport zones. Because the virtual container host will get deployed on our compute cluster, we need to ensure that we have a transport zone that is configured on that cluster and that spans only that cluster, because we want to keep that traffic local to the compute cluster. So the transport zone defines the boundary for any logical switches, so we need to make sure that we have that set up. So if I look, currently I only have a transport zone that's global, that spans both my clusters, so I'll create a new transport zone that spans only my compute cluster. So I give it a name that has my compute cluster's name and "TZ", to indicate that it's a transport zone, and I create it. Now that that's been created, I'm ready to go ahead and create my logical switch.

So again, this logical switch will not require any type of special routing or anything like that. We're creating this logical switch to segment out or isolate the traffic, so it needs to span the whole cluster, but it doesn't need to route beyond that. So let me create this switch. I'm gonna call it VCH01a, that's the name of the VCH I will create, and then "bridge". We need a unique bridge logical switch for every container host because, if you remember, we're reusing that 172.16/12 IP address space across every virtual container host, so we need to have a dedicated switch to isolate that traffic. That will allow us to mimic the Docker bridge networking. So I select my newly created transport zone; again, I want this logical switch to have the cluster as a boundary. I want to use a VXLAN to isolate this traffic, so I choose unicast, and I want to make sure that IP discovery is enabled on this logical switch as well. So NSX created the switch for me. It assigned a VXLAN segment ID automatically out of the pool that's configured in NSX.
So next we will switch over to the HTML5 client, where we will use the vSphere Integrated Containers wizard to create our virtual container host. So we're back in our environment using the HTML5 client. I'll go into the vSphere Integrated Containers plug-in, and this plug-in will give me an easy wizard-based workflow to create my container host. So this is again an easy workflow that steps you through every step to configure your container host and provides hints along the way to help you make the right decisions. So we'll select a name; we're gonna call this VCH01a to be consistent in our naming. I'm not gonna worry about any of these other settings for now. I'm gonna focus on the mandatory settings here as we go through this, and then focus on the network settings, which is what's interesting to us. So I'm selecting the image; you can see that the mandatory settings are identified by a little red asterisk, and this is where things get interesting. Now, for my bridge network, I'm gonna be able to select this newly created, NSX-backed logical switch. I'm not gonna change the default bridge network range. That's the default that's used by Docker, and it's the one I'm gonna use in this example. For my public network, I'm using a regular port group with the static IP address that I'm setting here. That's one of the key things that we can do with NSX: you can have this phased deployment where we're starting to use some of the NSX constructs without making huge changes to our existing networking infrastructure. So I'm using the regular distributed switch for my public networking, and I'm using NSX only to isolate that bridge traffic. There's a number of advanced networking options that you can set here as well. I'm not going to worry about those, and then again, I'm going to keep things simple here: I'm just going to upload a certificate to access this remote Docker API endpoint. If you're interested to learn more about the wizard, we have documentation available on GitHub at the VIC page, and we have some videos on YouTube as well.

I can see that I've selected the right bridge network for my logical switch, and then hit Finish, which will create this virtual container host for me. Now that the virtual container host has been created, I can look at the results by expanding here and get a lot of debugging information on how this was created and if any problems happened. It doesn't look like I've had any problems here. Hitting Refresh will give me the information on how to access this Docker API endpoint. I'm going to go ahead and grab this information; that's going to allow me to access this Docker API endpoint using regular Docker tools.
Now we will switch to the developer view, or my command line view. The first thing I need to do is set my environment variable so that my Docker client points to that newly created Docker API endpoint, so I'm going to point it to vch-01a.corp.local. Once I've done that, I'm able to use the standard Docker CLI and standard Docker CLI commands to talk to this endpoint. So, using docker info, I can get some information about the engine that's running and, as you can see, it's running vSphere Integrated Containers. And then, if I want to look at the networks that are currently available, I see that I only have the default bridge network available to me. So the first thing I'm going to do is go ahead and create a new network. So this is a user-defined bridge network, and it's gonna make my life easier here, because the user-defined bridge network actually has built-in DNS resolution, so I'll be able to reference the containers that I create by name to run the different tests I need to run. So the next thing I want to do is start a test container on this new network. So I'm going to use the network test-net. I'm going to use the Docker facility to map ports, mapping port 80 from the container to port 8080 of my container host. I'm going to give it a name of web01. We're going to run this detached, because I want to run this as a service, and I'll start the nginx container.

Next I'm going to start a Linux container, so I'm using the VMware Photon OS image here. Photon OS is a Linux distribution that's maintained by VMware. So again, I'm connecting this to my test-net bridge network; I'm going to give it a name of linux01, running this in interactive mode. So once this starts up, it's going to drop me into a shell where I'm going to be able to run the next commands and test connectivity from this container.
So, let's switch over to the vSphere client to look at how this got provisioned. Because this is vSphere Integrated Containers, each of the containers that I started was instantiated in its own VM. So the first one I have is this web01. So this has the name of the container as well as the Docker container ID, and I can see that this was connected to my NSX logical switch and received an IP of 172.16.0.2 from Docker.

We see that the other one got a 172.17.0.3 address, and this is also connected to my bridge network, because this user-defined bridge got created on this NSX-backed logical switch. My two containers got created as VMs on separate ESX hosts. So let's switch over to my developer view and see if these two things can talk to one another, so I'm gonna do a simple curl to get the web server on web01, and I can see that it answers just as expected. Switching over to the browser, because I had this port redirection, I should be able to access the nginx service on port 8080 on my VCH container host, and if I test it in the browser, I see that again it behaves as expected. So my NSX logical switch provides the connectivity that I expect from a bridge network implemented in vSphere Integrated Containers.
We have that VM as a security boundary that we can use, and we can use NSX and the dynamic groups in NSX to provide security to the containerized workloads. So containerized workloads tend to be ephemeral, which tends to create this very dynamic environment, and the use of security groups with dynamic membership can help us ensure that containers have the right level of security policies applied to them as they get spun up. So, let's look at how this is implemented.

Switching over to our NSX configuration, the first thing we want to do is set up a security group that can be applied to our container VMs, so I'm gonna go into Groups and Tags, and from here I'm going to add a security group. So a security group is basically a logical grouping of virtual machines that can be done on a number of different attributes. So I'm gonna name this "web security group" and, as you can see here, I can select a number of different criteria. For the purposes of this example, I'm going to use the VM name as the criteria to select members of the security group, and I'm gonna select any VM that contains "web" in its name. So I expect that my already created web01 container will get added to this group here.
I can select static objects to include or exclude as part of this group as well. I'm not gonna bother with that; I just want to demonstrate the dynamic membership in this security group. Now that my security group has been created, I can use it to create a firewall rule. So let's go to the firewall, and I'm going to add a rule here. The first thing I'm gonna do is add my newly created security group as a destination, so I select security group as the object type to apply this security rule to, select my web security group, and add it to the list. I can see that web01 is already added to this group automatically, as expected. So that's what I want: this security group as the destination for my firewall rule. As the source, I'm going to add my linux01 container VM that I created earlier. So I just want to create a simple rule here that's going to take this container VM as a source and that's going to use my web security group as the destination. The service that I want to filter on: I'm going to filter on HTTP, because this is a web service. For HTTP, I'm going to select the appropriate service from the list here, so look for HTTP. This is TCP port 80; that's what I want, so I'll add it to the services as part of this rule, and the action I'm gonna take is reject. The only reason I'm using reject here is it's going to be faster and simpler in terms of providing an example. So I expect this rule to block or reject traffic from my Linux container VM, that I was using previously to run my test, to my web server.

So let's see how this plays out now that I have this rule enabled. So the next thing I'm gonna do is create a second web server. My goal here is to test that this newly created web server will get automatically added to my security group. So when we're talking about dynamic membership, this is what we mean: containers, before they even start up, get added to a security group and have policies associated with them. So again, I'm gonna use the nginx image.
So if I docker inspect my newly created container, I can find out its IP address, and I see here that it received a 172.17 address. For now, let's switch over to the security group, and there we can see that my web02 was automatically added to the group, so automatically added to the firewall rules preventing web traffic from my Linux machine to these two web servers. So, let's see if this works. I'm back in my linux01 container, and if this worked as expected, now, if I try to access the web server on web01, I should get a reject, and the same thing when I try to access web02. So I can see that the rule is in effect. I cannot access these two web servers from my linux01, but if I go over to the port redirection, it's still available, because I'm not filtering these other IP addresses. So only this east-west traffic that I'm filtering from the linux01 container to the web containers is filtered out.
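The dynamic-membership behaviour demonstrated above, modelled in Python as an added example (this is not code from the demo or from NSX); the VM names and IPs are constructed, and matching the rule's source VM by IP is a simplification of how the distributed firewall applies rules to a VM's vNIC:

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class VM:
    name: str  # vSphere VM name (VIC names the container VM after the container)
    ip: str    # address the container received from Docker on the bridge network

@dataclass
class SecurityGroup:
    name: str
    name_contains: str  # dynamic membership criterion: VM name contains this text

    def members(self, inventory: List[VM]) -> List[VM]:
        return [vm for vm in inventory if self.name_contains in vm.name.lower()]

@dataclass
class Rule:
    source: VM                  # a single container VM, as in the demo
    destination: SecurityGroup  # membership is re-evaluated on every lookup
    proto: str
    port: int
    action: str                 # "reject" in the demo

def evaluate(rules: List[Rule], inventory: List[VM],
             src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """First matching rule wins; no match falls through to the default allow."""
    for r in rules:
        dst_ips = {vm.ip for vm in r.destination.members(inventory)}
        if (r.source.ip == src_ip and dst_ip in dst_ips
                and r.proto == proto and r.port == port):
            return r.action
    return "allow"

def demo() -> Dict[str, object]:
    # Constructed inventory: names follow the demo, IPs are sample values.
    web01, linux01 = VM("web01-3f2a", "172.17.0.2"), VM("linux01-9c1d", "172.17.0.3")
    inventory = [web01, linux01]
    web_sg = SecurityGroup("web security group", "web")
    rules = [Rule(linux01, web_sg, "tcp", 80, "reject")]
    out = {"linux01->web01:80": evaluate(rules, inventory, linux01.ip, web01.ip, "tcp", 80)}
    # A web server spun up later is a member (and covered) without editing the rule.
    web02 = VM("web02-7b0e", "172.17.0.4")
    inventory.append(web02)
    out["linux01->web02:80"] = evaluate(rules, inventory, linux01.ip, web02.ip, "tcp", 80)
    # Only HTTP from linux01 is filtered; any other flow falls through to allow.
    out["linux01->web01:443"] = evaluate(rules, inventory, linux01.ip, web01.ip, "tcp", 443)
    out["members"] = [vm.name for vm in web_sg.members(inventory)]
    return out
```

The published port on the VCH (8080) is not modelled, since that traffic arrives on the public network rather than the bridge, which is why the demo's browser test still succeeds.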
So in conclusion, we've shown you how you can use an NSX logical switch to meet the bridge networking requirements and avoid having to make any changes to your physical network, and as well, we've shown how the NSX security groups and the dynamic memberships can be applied to a container deployment on vSphere Integrated Containers and allow you to bring additional security to your container image deployments. With that, I thank you for your time, and have a great day.