HCX Network Extension – extending network, step by step

Network Extension (NE) is an HCX service mesh appliance that extends an L2 network between two sites. It provides network reachability while VMs are migrated between sites. The most popular use case is migrating VMs (via HCX or other methods) from an on-prem site to the cloud and back. It is also a bit overused: because the configuration is so easy and fast, we may want it to stay there forever ;-). If that is the case, it is worth mentioning that the Mobility Optimized Networking (MON) feature of NE is needed for latency-sensitive production workloads. MON routes traffic based on the locality of the source and destination VMs and prevents L2 extension tromboning. With MON, a VM in site B (remote) can communicate with VMs in other segments without going back to site A, where its gateway is located.

For my step by step demo I am using two locations: site A (on-prem), where the network segment aga_test is originally configured, and site B (cloud), where aga_test will be extended. Site A uses NSX-T and DHCP is configured on my segment, but NSX-T is not required: the source can be any vSphere Distributed Switch VLAN/tagged network.

HCX-5 (site A, connector role) and HCX-1 (site B, manager role) are paired, and NE service mesh appliances are deployed at both locations. The NEs create an unmanaged encrypted transport tunnel between the sites over the network link defined in the Network Uplink Profile.

The goal is to enable L2 communication between vm1 in site A and vm2 in site B. Bonus points for getting DHCP working on the extended network ;-).

aga_test is an NSX-T 3.0 segment with DHCP enabled.
HCX service mesh with the Network Extension appliance deployed between hcx-5 (site A) and hcx-1 (site B).
Once the NE appliance is deployed, we can create a Network Extension. Take a look at the description, “the default gateway for the network extension only exist at the origin site”; that is exactly why MON may be useful.
We pick the network to extend from the list: aga_test.
This is the moment when we can enable MON; it is included in the HCX Enterprise license. We provide the gateway address and the NE appliance we want to use.
The network extension is ready in just a few minutes.
The Service Mesh view provides more details on the extended network, L2E_aga_test.
vCenter on site B shows the extended network L2E_aga_test in the Network tab.
The extended segment is visible in the Segments view of NSX-T on site B. The default Segment Security profile doesn’t allow DHCP, so for L2E_aga_test it has to be allowed.

The NSX-T segment created by HCX has Connectivity set to OFF. This means the subnet is not advertised into the routing table on the remote site. That is by design: we want to use the original (on-prem) gateway for this subnet.

Creating the DHCP_Allow_Sec profile, which allows VMs on the extended network to receive DHCP traffic.
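The same profile and its binding to L2E_aga_test can be created on the site B NSX-T Manager through the NSX-T Policy API. This is an added example, not code from the original post or from VMware; it assumes the Policy API paths and the SegmentSecurityProfile field names (`dhcp_filter`, `bpdu_filter_enable`, `ra_guard_enabled`) as I know them from NSX-T 3.x, which should be checked against the API reference for your version, and it reads the manager address and credentials from placeholder environment variables.

```python
import base64
import json
import os
import ssl
import urllib.request

PROFILE_ID = "DHCP_Allow_Sec"  # profile name used in the post
SEGMENT_ID = "L2E_aga_test"    # segment HCX created on site B

def dhcp_allow_profile(profile_id=PROFILE_ID):
    """Profile body: keep BPDU filter and RA guard on, but stop filtering DHCP
    so vm2 on the extended segment can reach the on-prem DHCP server."""
    return {"display_name": profile_id,
            "bpdu_filter_enable": True,
            "ra_guard_enabled": True,
            "dhcp_filter": {"client_block_enabled": False,
                            "server_block_enabled": False,
                            "v6_client_block_enabled": False,
                            "v6_server_block_enabled": False}}

def binding_map(profile_id=PROFILE_ID):
    """Binding map that attaches the profile to a segment."""
    return {"segment_security_profile_path":
            f"/infra/segment-security-profiles/{profile_id}"}

def policy_urls(manager, segment_id=SEGMENT_ID, profile_id=PROFILE_ID):
    """PUT targets: the profile itself and its binding to the segment."""
    base = f"https://{manager}/policy/api/v1/infra"
    return (f"{base}/segment-security-profiles/{profile_id}",
            f"{base}/segments/{segment_id}"
            f"/segment-security-profile-binding-maps/{profile_id}-binding")

def _put(url, body, user, password, ctx):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:  # TLS verified
        return json.load(resp)

if __name__ == "__main__":
    # Manager address and credentials are placeholders read from the environment;
    # NSX_CA_BUNDLE points at the manager's CA so certificate checking stays on.
    mgr, user, pw = (os.environ[k] for k in ("NSX_MANAGER", "NSX_USER", "NSX_PASSWORD"))
    ctx = ssl.create_default_context(cafile=os.environ.get("NSX_CA_BUNDLE"))
    profile_url, bind_url = policy_urls(mgr)
    _put(profile_url, dhcp_allow_profile(), user, pw, ctx)
    print(_put(bind_url, binding_map(), user, pw, ctx))
```

After the binding is applied, the Segment Security column for L2E_aga_test in the Segments view should show DHCP_Allow_Sec instead of the default profile.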
vm1 is deployed on site A in the aga_test network and has address
vm2 is deployed on site B in the L2E_aga_test extended network and got address
vm1 pinging vm2
vm2 pinging vm1
The connectivity between vm1 and vm2 can also be verified using the NSX-T Traceflow feature.