NC2 Azure Flashcards
Are the Nutanix SSH keys created in the same resource group as the Nutanix cluster?
No, the SSH keys are in a separate resource group to allow customers to use the same keys for multiple clusters.
You have an issue with an NC2 Azure deployment and you want to see all the resources that were created so far. Where do you check?
Azure Subscription name -> Resources blade
Where is Prism Central deployed, where are the Nutanix nodes deployed, and how can they communicate?
Prism Central is deployed into a subnet in one VNet and PE is deployed into a subnet in a different VNet; the VNets are peered, which allows them to communicate with each other.
How do PC and PE reach the internet, and what is required for them to reach it?
Both PE and PC need a NAT gateway in their respective VNets. The NAT gateway also requires a public IP to be assigned so it can reach the internet.
Where is the Flow Gateway installed?
The Flow Gateway is installed in the same virtual network as Prism Central but in a different subnet than the Prism Central VM.
Explain how MCM interacts with PE to deploy Prism Central. Which services should you look at when there is trouble?
MCM talks to the cluster-agent leader in PE. We can find the leader by running systemctl status cluster-agent on the CVMs; one of the CVMs will host the cluster-agent leader. This then talks to the genesis leader via the Infra-gateway service, which is how a Prism Central deployment is triggered in NC2 Azure.
Where are the two interfaces on the FGW connected?
Both FGW interfaces are connected to Azure subnets. The external NIC is connected to the subnet that carries north-south user VPC traffic. The internal interface is connected to another subnet where only the FGW has a NIC; no other Nutanix devices are connected there.
Why do you need to use a transit VPC? Compare it with the on-prem environment.
On-prem, user VPCs get external connectivity via a VLAN network, but in Azure we cannot connect a regular Azure network directly since the Nutanix nodes are all in a delegated subnet. We use a transit VPC, which spans between the Flow Gateway running in regular Azure subnets and the Nutanix nodes, which run in delegated subnets. The packet is carried from the delegated subnet to an interface assigned to the FGW VM that runs in a regular Azure subnet.
What is the use of the clusters upgrader?
It takes care of upgrading Clusters components like infra-gateway, cluster-agent and host-agent.
Where does an Azure node get the IP addresses to use from?
Instance metadata injected into the node when it boots up contains the CVM IP, AHV IP, UUID to use, etc. This information comes from MCM to Kristitel in Azure.
How can you expose Prism Central to the external world with NC2?
Hub VNet peering should allow the local on-prem PC to access the Azure PC.
How do you find the compatible AOS version for AWS or Azure cloud?
Check the release notes.
Is VNet peering unidirectional or bidirectional?
VNet peering should be bidirectional; otherwise communication could be blocked.
Is the NAT gateway per subnet or per VNet?
It is per VNet, and we can add the subnet routes.
How does traffic from a UVM vNIC flow through the bridges to the external world?
UVM vNICs are connected to the br0.local bridge as on-prem. Packets flow through the bridge chain and end up on the br0-uvms bridge; from there they move to the br0-azure bridge and then reach the external world via an uplink.
If a customer wants to access VMs inside an NC2 Azure cluster from their on-premises environment, what needs to be done?
The customer connects their ExpressRoute or VPN via the hub VNet to Azure. For No-NAT networks they have to set the next-hop route on the hub VNet for the No-NAT network to the FGW external NIC.
For NAT network
What is the use of Floating IPs in NC2 Azure?
Floating IPs are used to reach a VM inside an NC2 Azure overlay NAT network from external clients. NAT only takes care of outbound connectivity, but when a connection is initiated from an external client to the NC2 Azure VM we need floating IPs, similar to port forwarding on a home router.
Do PE and PC communications from on-prem clusters go via the Flow Gateway?
No. They are on delegated subnets, so traffic goes from the hub VNet straight into the delegated subnets.
What is the use of an overlay network?
An overlay network is used to transport network traffic over a tunnel to another host; these packets otherwise could not traverse the network because it does not exist physically. These networks exist only inside the hosts that are part of the overlay network; the physical networking equipment does not know anything about their existence.
Why do we need overlay networks in Azure?
Azure AHV hosts are deployed into a delegated subnet, meaning the traffic exiting the AHV hosts must have an IP address in the delegated subnet range. Since delegated subnets lack a lot of features, we need to make sure the NC2 Azure VM traffic is transported to another VM (the Flow Gateway) that sits in a regular Azure subnet, where all the features like network security groups etc. can be used. In order to move the VM traffic to the Flow Gateway VM we make use of overlay networks, where the original IP packet is encapsulated in an IP packet in the delegated subnet range.
What is the use of a transit VPC, and how does it compare with a regular VPC?
Regular VPCs exist only within the AHV hosts, but in Azure we need to move the packets from the delegated subnet into a regular Azure network, so we create a VM called the Flow Gateway VM in the regular Azure network and make the transit VPC span between the delegated and regular Azure networks.
What is required for a regular VPC to route traffic north-south in a NAT environment?
Regular on-prem VPCs get outside connectivity by connecting to a VLAN network. In Azure, due to limitations, we need to send the packets to the Flow Gateway VM. But the Flow Gateway VM has NICs in the regular Azure network, not in the delegated subnet, so we create an overlay network, named OEN NAT network by default.
How do you connect to the FGW VM?
Get the FGW key from the customer
SSH to the PC VM
SSH from the PC VM to the FGW's public subnet IP (find the public subnet in NC2 support admin) using the provided key
Where is the storage account created for storing the Flow Gateway VM image?
It is created in a separate resource group from the one chosen by the customer during deployment.