This post is part of my VMware VCIX-NV Study Guide and is about the backup and restore possibilities in NSX.


Backup & Restore in NSX
When a complete NSX virtual network is built with logical switches, distributed routers & firewalls, edge services gateways and all the virtual machine network data, a lot of time has gone into that configuration. As with physical switches, you’d want to make sure that the implementation time cannot be thrown away by some major disaster where you lose the configuration and need to do it all over again. With NSX, you can back up the networking configuration in case disaster strikes. The NSX Manager, Distributed vSwitch, NSX Service Composer and the NSX Distributed Firewall all have backup and restore options, which are covered in this post.

 

Schedule/Backup/Restore NSX Manager data

Requirements:

  • Deployed NSX Manager.
  • (S)FTP Server to push backups to.

VMware Documentation: Back Up Your NSX Manager Data

The NSX Manager is the foundation for the NSX configuration inside the virtual environment. You set it up to make NSX available within vCenter, it handles the preparation of ESXi hosts and it is involved in pretty much every configuration step that is performed. This means the configuration inside the NSX Manager is pretty important and you had damn well better create some backups of it, in case of a natural disaster crippling it (a software bug corrupting the database). Luckily, the NSX Manager has the option to manually create a backup, create a scheduled task for FTP or SFTP backups and, of course, to restore backups. This all happens in the NSX Manager interface, not the vCenter interface; keep that in mind for the next walkthroughs.

Backup NSX Manager setup

  • Log in to your NSX Manager interface.
  • Navigate to the “Backup & Restore” page by using the big button.
  • First, configure the (S)FTP server the backups will be stored on by clicking the “Change” button next to the “FTP Server Settings”.
  • In the popup window, enter the details of your server. Enter the IP address or hostname, select the protocol (SFTP or FTP), the server port, username and password details, a directory to put the backups in, a prefix for the backup files and a passphrase to protect the backup. Prefer SFTP where the server supports it, since plain FTP sends the username, password and backup data unencrypted.
  • Click “OK” when you’re done.
  • NSX Manager will now log in to the (S)FTP server and check what files are there. If it cannot connect for some reason, an error message will appear at the top of the page. If there are existing backups on the server, they will be displayed in the “Backup History” table.
  • To run a backup manually, click the “Backup” button.

Now that you have set up the backup destination server and created your first manual backup to confirm that the destination server is working as it should be, you can configure the NSX Manager to automatically create backups with a scheduled task.

Configure scheduled NSX Manager backups

  • Log in to your NSX Manager interface.
  • Navigate to the “Backup & Restore” page by using the big button.
  • Click the “Change” button next to “Scheduling:”.
  • In the popup window, select the backup frequency (Weekly, Daily, Hourly). Depending on the backup frequency, you can select the day of the week, hour of the day and minute in the hour to run the backup.
  • Click “Schedule” when you’re done.
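
The settings and schedule configured above are worth re-checking periodically. The following is an added example, not part of the original post or of any VMware tooling: a small audit that flags a non-SFTP transfer protocol, a missing passphrase and a newest backup that is older than the schedule allows. The dictionary keys, the slack values and the sample data are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Longest acceptable age of the newest backup for each schedule option
# offered by the "Scheduling" dialog, with one hour of slack (assumed policy).
MAX_AGE = {
    "Hourly": timedelta(hours=2),
    "Daily": timedelta(days=1, hours=1),
    "Weekly": timedelta(days=7, hours=1),
}

def audit_backup(settings, history, now):
    """Return a list of findings for one NSX Manager backup setup.

    settings: dict with hypothetical keys mirroring the dialog fields.
    history:  datetimes of the entries in the "Backup History" table.
    """
    findings = []
    if settings.get("protocol", "").upper() != "SFTP":
        findings.append("transfer protocol is not SFTP")
    if not settings.get("passphrase"):
        findings.append("no passphrase set")
    freq = settings.get("frequency")
    if freq not in MAX_AGE:
        findings.append("no backup schedule configured")
    if not history:
        findings.append("backup history is empty")
    elif freq in MAX_AGE and now - max(history) > MAX_AGE[freq]:
        findings.append(
            f"newest backup is older than the {freq.lower()} schedule allows")
    return findings

# Constructed sample data, not taken from a real NSX Manager.
NOW = datetime(2024, 5, 20, 12, 0)
GOOD = {"protocol": "SFTP", "passphrase": "example-only", "frequency": "Daily"}
WEAK = {"protocol": "FTP", "passphrase": "", "frequency": "Weekly"}
HISTORY = [datetime(2024, 5, 19, 23, 0), datetime(2024, 5, 18, 23, 0)]
STALE = [datetime(2024, 5, 1, 23, 0)]

if __name__ == "__main__":
    for name, s, h in (("good", GOOD, HISTORY), ("weak", WEAK, STALE)):
        print(name, audit_backup(s, h, NOW) or "ok")
```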

When first configuring the (S)FTP server, the NSX Manager will log in to the server and see if there are any existing backups in there. If you’re restoring an NSX Manager from a backup, you can select one of those existing backups and restore it.

Restoring an NSX Manager backup

  • Log in to your NSX Manager interface.
  • Navigate to the “Backup & Restore” page by using the big button.
  • In the “Backup History” table, select the backup you want to restore from (dates are displayed) and click the “Restore” button.
  • A popup window will ask you to confirm the restore, as it’ll interrupt connections with the NSX Manager and redirect you to the login screen when it is done.

 

Export/Restore vSphere Distributed Switch configuration

Requirements:

  • Existing vSphere Distributed Switch to back up.

VMware Documentation: Export, Import, and Restore Distributed Switch Configurations

The Distributed vSwitch is another integral part of an NSX environment, with the transport zone portgroup and all logical switch virtual wire portgroups created on the dvSwitch. A backup of the distributed vSwitch can be made through the vSphere Web Client.

Export dvSwitch configuration

  • Log in to your vSphere Web Client.
  • Navigate to “Networking” under “Inventories”.
  • Right click on the dvSwitch you want to back up, go down to “All vCenter Actions” and select “Export Configuration” in the sub-menu.
  • In the popup window, select whether to export the dvSwitch configuration and the created portgroups or just the dvSwitch configuration. Also give it an optional description. Click “OK” when you’re ready.
  • After creating the export, it will ask you if you want to save the exported file. Click “Yes” to save the file on your local computer.

After making a backup of a dvSwitch, you can use that saved file to restore the configuration of a dvSwitch.

Restore dvSwitch configuration

  • Log in to your vSphere Web Client.
  • Navigate to “Networking” under “Inventories”.
  • Right click on the dvSwitch you want to restore (create a new one if you’re starting from scratch), go down to “All vCenter Actions” and select “Restore Configuration” in the sub-menu.
  • In the popup window, select the backup file and select whether to restore just the dvSwitch configuration or also the portgroups. Keep in mind that existing portgroups that do not conflict will not be deleted.
  • Click “Next”, review your pending action and click “Finish” to perform the restore.

 

Import/Export Service Composer profiles

Requirements:

  • Existing Service Composer Security Policies to export.

VMware Documentation: Export a Service Composer Configuration, Import a Service Composer Configuration

The Security Policies inside the Service Composer are where you couple actions (such as applying firewall rules) to virtual machines that a third party service tags for some reason. Setting up these security policies can be time consuming, which is why it is possible to back up and restore them through the vSphere Web Client.

Export a Security Policy

  • Log in to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “Service Composer” menu.
  • Select the “Security Policies” sub-tab, right click the security policy you want to back up and select “Export Configuration”.
  • In the popup window, give the export a name, description and object prefix. Click “Next”.
  • Double check the right security policy is selected and optionally select more. Click “Next” when ready.
  • Review the export and click “Finish” when done. When asked, save the export somewhere on your local computer.

After creating a backup file of a security policy, you can import that policy back into the Service Composer to restore the policy if it has been deleted.

Import a Security Policy

  • Log in to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “Service Composer” menu.
  • Select the “Security Policies” sub-tab and click on the “Import Configuration” icon.
  • In the popup window, browse to the backup file by using the “Browse” link, give the imported objects an optional prefix and click “Next”.
  • Review the import task and click “Finish” to start importing.

 

Export/Import/Load Distributed Firewall configurations

Requirements:

  • Distributed Firewall configuration.

VMware Documentation: Working with Distributed Firewall Configurations

The Distributed Firewall can contain a lot of configuration (and thus configuration time spent) that you don’t want to lose. Backups and restores are possible through the vSphere Web Client.

Making a backup of the Distributed Firewall policies

  • Log in to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “Firewall” menu.
  • In the “Configuration” tab, click the “Export configuration” icon to start an export.
  • An export is created instantly and the popup window will ask you if you want to download the export. Click the “Download” button to do so.

Restoring Distributed Firewall policies

  • Log in to your vSphere Web Client.
  • Navigate to “Networking & Security” and select the “Firewall” menu.
  • In the “Saved Configurations” tab, click the “Import configuration” icon to start an import.
  • In the popup window, browse to the backup file using the “Browse” button and press the “OK” button when you’ve located the backup.
  • Click “OK” to instantly import the policies in the backup.

 


