Learning NSX-Part-9-Edge Services Gateway

By | 20/10/2016

In last 2 post of the series we discussed about Distributed Logical Router. Moving forward in NSX learning series, we will look into what is Edge Service Gateway and will discuss on when to use edge gateway. We will look into deploying ESG and configuring it and then finally some touch down points on monitoring Edge gateways.

If you have missed earlier posts of this series, you can read them from below links:

1: Introduction to VMware NSX

2: Installing and Configuring NSX Manager

3: Deploying NSX Controllers

4: Preparing Esxi Hosts and Cluster

5: Configure VXLAN on the ESXi Hosts

6: Logical Switching

7: Distributed Logical Router Tidbits

8: Installing Distributed Logical Router

In VMware NSX for vSphere there are two different types of NSX routers which can be deployed in virtual network infrastructure.

  1. The NSX Edge Services Router (ESR)
  2. The NSX Distributed Logical Router (DLR)

Both the ESR and DLR can run dynamic routing protocols, or not. Both of them support Static/default routes as well.

Although we can use Logical route to route between 2 or more logical networks, and physical networks, the recommended way is to use an Edge Services router. The ESR has a number of features such as Firewall, DHCP Services, NAT, load balancing and VPN services.

Difference between ESR and DLR?

ESR can be think of a router contained within a VM. Both the control plane and data plane resides in the VM, but ESR is more than just a router. It provides supports for L4-L7 services like FW, LB, NAT, VPN. ESR can establish routing protocol sessions with other routers and all of the traffic flows through this VM.

In DLR the data plane is distributed in kernel modules at each vSphere host, while the control plane exists in a VM (LRC).  The control plane VM in turn relies on the NSX controller cluster to push routing updates to the kernel modules.

When to use ESR?

In last post of the series we discussed that with evolution of virtualization/cloud computing, the amount of East-West traffic in datacenter have grown significantly. We also discussed about the hair-pinning of traffic and how DLR can be used to reduce the East-West traffic and get rid of hair-pinning issue.

As compared to DLR, ESR is unique in its own way. It’s more than a just router.  Using ESR we can leverage features such as firewall, load balancer, and VPN etc and because of this, it works well as the device handling the North-South traffic at the perimeter of your virtual network.

Since ESR is deployed as a VM, we can have virtually unlimited ESR’s running in parallel, each establishing the secure perimeter for their own.

Lets jump into the lab now and see the installation/configuration of ESG.

The edge gateway is deployed in the same way as a distributed router instance. To deploy an ESG, navigate to Networking & Security > NSX Edge. 

1: Click on the  (plus) button to open the deployment wizard.


2: Select Edge Services Gateway and enter the name of your Edge gateway . You can also configure a hostname.

If you want edge gateway to be highly available, check mark the “Enable High Availability” option. Hit Next to continue.


3: Provide the password for the admin user (atleast 12 characters long)

If you want to manage Edge Gateway over ssh then enable ssh access. Enabling auto rule generation, which will create necessary rules automatically when edge services such as VPN and load balancing are enabled:


4: Click Next and select the Appliance Size. There are a number of options for the appliance size. I have chosen ‘Compact’ in my lab environment. Click on (plus)  to select the Cluster/Resource Pool/Datastore/ Host etc where the edge will be deployed.

More on what should be an ideal choice for edge size, please read this article


5:  Click on (plus)  to Configure edge gateway’s interfaces.


6: Select the uplink interface and select the port-group to which this uplink will connect to. Assign an IP Address and subnet mask for the interface.

Note that it could be either a Public IP (in case of Uplink connected to a public network) either a private (in case of a Firewall inter-vlan or internal network)

Hit OK once you have entered all the information.


Click on next to continue the deploy wizard.

7:  For Default gateway settings, select the vNIC where your gateway will be connected to and enter the Gateway IP. Hit Next to continue.


8: On the next screen you can, optionally, select to configure the Firewall default policy:


9: On Ready to Complete page review your settings and hit finish to complete ESG deployment wizard.


10: In vCenter Recent task pane you can see edge vm deployment has been kicked off.


11: Under NSX Edges you can see your newly created edge gateway listed there.


12: Under VM and Templates view in vCenter, you can verify that 2 edge VM’s have been deployed (as we deployed edge in HA mode). You can select the edge VM to verify that VM is now up and running. Additionally you can check how much RAM/CPU has been assigned to the edge VM.


16: Double click on the edge gateway from Network & Security > NSX Edges view to open up the edge gateway configuration options.

Click on Manage > Settings > Configuration to add additional configuration items like defining a syslog server where edge gateway can forward the logs, DNS Settings on edge gateway etc.

Also verify the HA status of edge VM from this page.


17: By navigating to Monitor > Statistics tab, you can grab the Interface throughput stats and concurrent connection data for your edge gateway.


18: Finally if you click Actions button, it will bring a drop down menu which provides additional options available on edge gateway like Force Sync (it reboots the edge gateway backing VM’s), Edge re-deployment etc (this deletes the existing edge VM’s from vCenter a new VM is deployed).

You can also change the edge gateway admin user credentials by selecting Change CLI Credentials, also you change logging level etc from the dropdown menu.


I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)

Category: NSX

2 thoughts on “Learning NSX-Part-9-Edge Services Gateway

  1. Pingback: Learning NSX-Part-11-Replacing NSX default SSL Certficates with CA Signed Certificates | Virtual Reality

  2. Pingback: Learning NSX-Part-11-Replacing NSX default SSL Certficates with CA Signed Certificates – Virtual Reality