Upgrading vCloud Networking & Security to NSX including vCloud Director

This morning I gave an internal presentation to my colleagues about upgrading vCloud Networking & Security (vCNS) to NSX, including vCloud Director (vCD), as there are still quite a few customers that need to follow up on this. In this article, you can find my remarks and key takeaways that might assist you in performing the upgrade without any hassle.

Rest in Peace

Since last September, vCNS has been “end-of-life”. Or in official terms: EOA (End of Availability) and EOGS (End of General Support).

If you’re still running vCNS and issues arise in your environment, it’s nearly impossible to get support, unless you’re a big company that doesn’t mind paying top dollar for special support.

To prevent you from ending up in this situation, an upgrade of vCNS to NSX will make your life a lot easier. However, some environments can be pretty complex, especially if you introduce (third-party) integrated pieces of software.

Over the last few weeks I have been busy with customers that wanted to upgrade, with environments sized between 25 and 1,300 hosts. Being bigger doesn’t necessarily mean it’s more complex. Depending on the number of software integrations, use of features and even maintenance windows, an upgrade can be very easy or pretty hard.

Upgrade steps

Looking at the upgrade from a high-level perspective, it’s pretty straightforward:

  • Upgrade software that integrates with vCNS (including vCloud Director)
  • Upgrade vCNS to NSX
  • Upgrade vShield Edges to Edge Services Gateways (ESGs)
  • Upgrade VIBs (vCNS to NSX VIBs)

Product interoperability

The most important piece in this is that you maintain compatibility between all of your products, both third-party and VMware-based pieces. The VCG (VMware Compatibility Guide) really helps as you can select all VMware-based product versions you want to go to and see if they can work together.

For third-party software it’s best to reach out to the vendor and verify compatibility.

Known issues and bugs

Next, it’s important to read the release notes of the versions you will deploy and check for any known issues or special instructions.


Before you upgrade, make sure you have a rollback plan ready. The more rollback points you have, the better. To get an idea of what types of rollbacks you can perform, have a look at the following bullets:

  • VM Snapshots (if the VM supports this and doesn’t crash the application)
  • Configuration backup/export (vShield Manager, NSX Manager)
  • VM Backup (Using your daily backup software)
  • Database dumps (vCenter database, vCloud Director database)

Test and benchmark

If you can, perform the upgrade in a test environment first. If you know which products and versions you are running now, just deploy them in your test environment and perform the same upgrade as you will in production. Record the timings (how long does each step take?) and verify that the documented upgrade steps are correct.

Using this method, you can prevent many issues and perform troubleshooting in the test environment instead of in production.

NSX-specific remarks

  • NSX Manager requires additional vCPUs and RAM: at the time of writing, 4 vCPUs and 12GB of RAM. Make these changes before upgrading vShield Manager
  • When you’ve upgraded vShield Manager a couple of times, you could be running it with an E1000 NIC right now. If this is the case, a redeploy and import of the configuration on a fresh NSX Manager (which has a VMXNET3 adapter) is advisable
  • Firewall requirements of NSX Manager differ from vShield Manager. Make sure the required ports are open between all components
  • For Unicast and Hybrid replication modes, distributed logical routing and ARP suppression, you need NSX Controllers (3). Make sure your cluster is big enough and resources are available
  • Make sure your NSX license covers all features you currently use in vCNS. IPsec and SSL VPN are currently not covered in the advanced edition of NSX and require an enterprise license

vCD-specific remarks

  • Make sure there is enough disk space on the / partition of your vCloud Director cells before upgrading
  • After upgrading vCNS to NSX, don’t upgrade any vShield Edges yet as they will be unmanageable by vCloud Director. First upgrade vCloud Director to support the version of NSX you are deploying
  • Make yourself a pretty maintenance page to which you can redirect users while you are performing the upgrade. The maintenance mode in vCD only shows a “page cannot be opened or displayed” warning, which is not very user friendly
  • VCDNI networks should be replaced by VXLAN networks. This can be done manually, but in future releases of vCloud Director this might be done in a more automated way
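
The NSX-specific and vCD-specific remarks above can be turned into go/no-go gates that run before each upgrade step. The following is an added example, not part of the original article or any VMware tooling; the inventory layout, all field names and the free-space threshold are hypothetical, and the sample inventory is constructed.

```python
# Added example: go/no-go gates derived from the NSX and vCD remarks.
# Inventory layout and field names are hypothetical; fill them from your
# own inventory export.

MIN_VCPU, MIN_RAM_GB, CONTROLLERS = 4, 12, 3      # figures from the article
NEEDS_CONTROLLERS = {"unicast_replication", "hybrid_replication",
                     "distributed_logical_routing", "arp_suppression"}
NEEDS_ENTERPRISE = {"ipsec_vpn", "ssl_vpn"}        # not in the Advanced edition

SAMPLE = {  # constructed inventory, not taken from a real environment
    "manager": {"vcpu": 2, "ram_gb": 8, "nic_type": "E1000"},
    "features": ["ipsec_vpn", "hybrid_replication"],
    "nsx_license": "advanced", "controller_capacity": 3,
    "vcd_cells": {"cell-01": 1.5, "cell-02": 9.0},  # free GB on /
    "vcd_supports_target_nsx": False,
}


def gate_manager_upgrade(inv):
    """Findings that block the vShield Manager -> NSX Manager step."""
    out, mgr, feats = [], inv["manager"], set(inv["features"])
    if mgr["vcpu"] < MIN_VCPU or mgr["ram_gb"] < MIN_RAM_GB:
        out.append("resize manager to 4 vCPU / 12 GB before upgrading")
    if mgr["nic_type"].lower() == "e1000":
        out.append("E1000 NIC: redeploy NSX Manager and import configuration")
    uncovered = feats & NEEDS_ENTERPRISE
    if uncovered and inv["nsx_license"] != "enterprise":
        out.append("license does not cover: " + ", ".join(sorted(uncovered)))
    if feats & NEEDS_CONTROLLERS and inv["controller_capacity"] < CONTROLLERS:
        out.append("cluster cannot host 3 NSX Controllers")
    return out


def gate_vcd_upgrade(inv, min_root_free_gb):
    """Cells with too little free space on /; the threshold is an assumption."""
    return [f"{cell}: only {free} GB free on /"
            for cell, free in sorted(inv["vcd_cells"].items())
            if free < min_root_free_gb]


def gate_edge_upgrade(inv):
    """Edges must wait until vCD supports the deployed NSX version."""
    if inv["vcd_supports_target_nsx"]:
        return []
    return ["upgrade vCloud Director first: upgraded edges would be unmanageable"]


if __name__ == "__main__":
    findings = (gate_manager_upgrade(SAMPLE) + gate_vcd_upgrade(SAMPLE, 5)
                + gate_edge_upgrade(SAMPLE))
    print("\n".join(findings) or "all gates passed")
```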

Extra resources

A whitepaper written by Tomas Fojta that describes the upgrade of vCNS to NSX, including vCloud Director, can be found here.

2 thoughts on “Upgrading vCloud Networking & Security to NSX including vCloud Director”

  1. Hi Jitendra,

    A VCDNI network is just a Port Group inside your vCenter Server environment, just like an NSX-based Logical Switch (VXLAN-based Port Group).

    Creating a new logical switch as a replacement for a VCDNI network and reconfiguring your virtual machines and edges should do the trick.
    This can be done manually or scripted, depending on the size of your environment.

    I didn’t perform this yet, so proceed with caution (do sufficient testing!).
    Please let me know the outcome if you can 🙂

