VMware Engine is upgrading existing private clouds to use newer VMware components. See Service announcements for more details.

Creating a workload network segment in a private cloud

The Google Cloud VMware Engine service includes NSX-T for workload networking and security features such as microsegmentation and firewall policies. This page explains how to create and manage network segments for your workloads using NSX-T Manager.

Before you begin

  1. Create a private cloud and confirm that its status is Operational.
  2. VMware Engine service gives you administrator access by default. If you prefer role based access control (RBAC) for NSX-T, then you must setup vIDM (VMware Identity Manager). Please file a support ticket if you require RBAC for NSX-T.
  3. Allocate address ranges for the following purposes:
    • DHCP service
    • A subnet for the workload network segment

Access NSX-T Manager from the VMware Engine portal

  1. Access the VMware Engine portal.
  2. On the navigation menu, click Resources.
  3. Click the Private cloud name corresponding to the private cloud where you want to create workload network segments using NSX-T.
  4. In Resources for your selected private cloud, click the vSphere Management Network tab.
  5. Click the FQDN corresponding to NSX Manager.

Log into NSX-T

If you are logging into NSX-T for the first time and you have not set up vIDM, enter the following default credentials:

  • User name: admin
  • Password: VMwareEngine123!

If you have set up vIDM and connected it to your identity source, such as Active Directory, use your identity source credentials.

Set up DHCP service for the workload network segment

  1. In NSX-T Manager, click the Networking tab.
  2. As the dashboard shows, the service creates one Tier-0 and one Tier-1 gateway.
  3. Set up DHCP service for your workloads. NSX-T has support for DHCP-Relay as well. For information about provisioning, see DHCP Relay. To provision a DHCP server, under IP Management, select DHCP.
  4. Select Add Server.
  5. For Server type, select DHCP server.
  6. Provide a DHCP Service IP Address range.
  7. Click Save.
  8. Attach this DHCP service to the relevant Tier-1 gateway. A default Tier-1 gateway has already been provisioned by the service. In the navigation pane, under Connectivity, click Tier-1 Gateways.
  9. Click the vertical ellipses. Select Edit.
  10. In the IP Address Management field, click No IP Allocation Set.
  11. Set Type to DHCP Local Server and select the DHCP Server that you just created.
  12. Click Save.
  13. Click Close Editing. You can now create a workload network segment.

Creating a workload network segment

  1. In the navigation pane, under Connectivity, click Segments.
  2. Select Add Segment.
  3. Name your segment and, from the Connected Gateway & Type drop-down list, select Tier1 to connect to Tier1 Gateway.
  4. Click Set Subnets.
  5. Click Add Subnets.
  6. In the Gateway IP/Prefix Length field, enter the subnet range. Specify the subnet range with .1 in the last octet, for example,
  7. Specify the DHCP Ranges and click ADD.
  8. In Segment, select TZ-OVERLAY | Overlay from the drop-down list.
  9. Click Save. You can now select this network segment in vCenter while creating a VM.

In a given region, you can set up at most 100 unique routes from VMware Engine to your VPC network using private service access. This includes, for example, private cloud management CIDRs, NSX-T workload segments, and HCX network CIDRs. This limit includes all private clouds in the region.