Nutanix Cloud Clusters on Azure Deployment and User Guide
Cloud Clusters (NC2) Hosted
March 7, 2024
Contents
Validating the Allowlisting
Registering the Azure Resource Providers
Creating an App Registration
Creating an Azure Custom Role
Checking the Azure AD and Azure Subscription Permissions
Creating and Registering an App
Assigning the Azure Custom Role
Creating a New Client Secret
Getting the Azure IDs
Creating Azure Policy Exemptions
Updating the Cluster Capacity
Migrating to Scaled-out Flow Gateway Deployment
Scaling up or down Flow Gateway VMs
Manually Replacing a Node
Azure Events in NC2
Viewing Azure Events
Viewing the Licensing Details of a Cluster
Terminating a Cluster
Support Log Bundle Collection
VM Management Using NGT
Release Notes
Copyright
ABOUT THIS DOCUMENT
This User Guide describes the deployment processes for NC2 on Azure. The guide provides instructions for setting
up the Azure and Nutanix resources required for NC2 on Azure deployment, subscribing to NC2 payment plans, and
end-to-end steps for creating a Nutanix cluster. It also provides reference information for use cases, such as setting up
Disaster Recovery.
This document is intended for users responsible for the deployment and configuration of NC2 on Azure. Readers
must be familiar with the Azure concepts and Nutanix products, such as Prism, Flow Virtual Networking, and
Disaster Recovery.
Document Organization
The following table shows how this User Guide is organized and helps you find the most relevant sections in the
guide for the tasks that you want to perform.
• NC2 on Azure:
• Deploy, remediate, and install Nutanix software onto bare-metal instances under your Azure account.
NC2 on Azure places the complete Nutanix hyperconverged infrastructure (HCI) stack directly on the bare-metal
instance. This bare-metal instance runs a Controller VM (CVM) and the Nutanix AHV as the hypervisor just like any
on-prem Nutanix deployment, using the Azure Virtual Network (VNet) to connect to the network.
AHV runs an efficient embedded distributed network controller that integrates user VM networking with Azure
networking. AHV assigns all user VM IPs to the bare-metal instance where VMs are running. NC2 on Azure uses
Flow Virtual Networking to create an overlay to give granular control for Nutanix administrators while allowing
connectivity to the Microsoft Azure services.
Nutanix architecture keeps hardware failures in mind, offering better resilience. AOS can withstand hardware failures
and software glitches and ensures that application availability and performance are never compromised. AOS Storage
is built to handle component, service, and CVM failures to maintain availability. AOS Storage helps to prevent
network partition errors and resolve bad disk resources.
Availability zones go offline for several reasons, such as power, cooling, networking issues, and scheduled system
maintenance. NC2 ensures that your NC2 on Azure instance meets your availability needs. To avoid downtime in
• Cluster management:
Essential Concepts
This section describes the terms and concepts used throughout the guide. Nutanix recommends gaining familiarity
with these terms before you begin deploying NC2 on Azure.
Availability zone
Physically separate locations that contain one or more datacenters inter-connected by a high-performance network
with low latency links. Availability zones are physically isolated from each other to ensure that a disaster at
one availability zone does not affect another availability zone.
Costs
While consuming NC2 on Azure, the hardware is provided and billed by Azure. The NC2 software consumption
is metered by Nutanix. You can choose to be billed for NC2 software usage either directly by Nutanix or by Azure
through your Azure marketplace account.
For more information about how your Azure BareMetal instances are billed, engage with Azure or see the Microsoft
documentation.
Nutanix sets the costs for running Nutanix clusters in Azure. For more information about the cost of running NC2 on
Azure, engage with your Nutanix sales representative.
Sizing
You can use the Nutanix Sizer tool to create the optimal Nutanix solution for your needs. For more information, see
the Sizer User Guide.
Capacity Optimizations
The Nutanix hybrid multicloud platform offers capacity optimization features, such as compression and
deduplication, that improve storage utilization and performance.
Compression
Nutanix systems currently offer the following two types of compression policies:
• Inline: The system compresses data synchronously as it is written to optimize capacity and maintain the
high performance for sequential I/O operations. Inline compression only compresses sequential I/O to
avoid degrading performance for random write I/O.
Note: If there are any issues with provisioning the Nutanix cluster, see the Notification Center on the NC2 Dashboard.
Public IPs | Yes | Public IP addresses are created when a NAT gateway and VPN gateway are configured.
Microsoft Entra ID (formerly Azure Active Directory) | Yes | Microsoft Entra ID is used as Microsoft identity and access management.
Resource Group | No | Resource groups are logical groupings of resources in Azure. There is no price for the resource group. You need to pay for the Azure resources based on the pricing model.
Storage
Azure Disk Storage | Yes | Azure disk storage is used with Azure workloads, such as VMs and databases.
Blob Storage | Yes | Blob storage can be used as a backup destination when using backup products that are compatible with AHV.
The following table lists the optional Azure components that can be used with the NC2 on Azure deployment.
Network Services
Azure DNS | Yes | Azure DNS is used by clusters for VMs by default. You can configure AHV to use your own DNS.
You can view all the resources allocated to a cluster running on Azure on the cluster details page.
Note: Some of the steps are only needed if you choose to use your existing Azure resources.
3. Setting up the NC2 console - adding your Azure cloud account to NC2
4. Creating a Nutanix cluster
5. Creating and managing a user VM network for external connectivity
6. Performing additional configurations after the cluster is created
For end-to-end deployment steps, see the Deployment Checklist.
NC2 provides the ability to deploy NC2 on Azure in a flexible way to suit your requirements. You can choose either
an automated workflow or a manual workflow.
Automated Workflow
Instead of using your existing Azure resources, you can create the required Azure resources, such as a resource group,
VNets, and subnets, while creating a cluster from the NC2 console. The NC2 console takes care of setting up the
required networking infrastructure.
Manual Workflow
You can use your existing Azure resources, such as a resource group, VNets, and subnets, or you can create your
Azure resources before creating a Nutanix cluster. You must take care of setting up the required networking
infrastructure.
Deployment Checklist
The following table lists the deployment flow and a checklist for all the required and optional steps that you must
perform to deploy NC2 on Azure.
Note: The steps that are only relevant to the manual workflow are listed under the Steps required only in the Manual
Workflow section in the following table. The rest of the steps apply to both workflows.
Read this checklist carefully and do the required planning and preparations to get ready for deploying NC2 on Azure.
2 | Start a 30-day free trial for NC2 on Azure. | Start a 30-day free trial for NC2 on Azure. Beyond the free trial period, you can pay for NC2 using the subscription plan or use your Nutanix licenses. See NC2 Payment Methods.
6 | Get your Azure subscription allowlisted by Microsoft. | See Allowlisting Your Azure Subscription.
7 | Switch to the NC2 subscription plan. | You can pay for NC2 with PAYG or your Nutanix licenses. You can choose to pay for NC2 either directly to Nutanix or through Azure marketplace. See NC2 Payment Methods.
8 | Register the Azure resource providers for your account. | See Registering the Azure Resource Providers.
9 | Create an App registration in Azure AD with access to the new subscription with the Azure custom role. | See Creating an App Registration.
10 | Note the following details: Directory ID, Application ID, Client secret, Azure subscription ID | You need these IDs later while adding your Azure account to the NC2 console. See Getting the Azure IDs.
Note: If direct access to the Cloud Cluster through VPN or ExpressRoute is not possible, you can deploy a Jump Host
instance to access Prism Element and Prism Central. You can deploy the Jump Host instance in the Prism Central
VNet inside a non-delegated subnet. Alternatively, you can deploy it in an external VNet and peer the VNets for
communication between Prism Central VNet and the Jump Host VNet.
Note: When you create a My Nutanix account, a default workspace gets created for you with the Account
Admin role, which is required to create an NC2 subscription and access the Admin Center and Billing Center
portals. If you are invited to a workspace, then you must get the Account Admin role so that you can subscribe
to NC2 and access the Admin Center and Billing Center.
• Connectivity between your on-prem datacenter and Azure. Both ExpressRoute and VPN are supported.
• Virtual IP addresses for both the on-prem cluster and the cluster running in Azure.
• Outbound Internet access on your Azure portal.
• Azure Directory Service resolves the FQDN gateway-external-api.cloud.nutanix.com.
• Any network interface attached to a Flow Gateway VM must have the IP forwarding option enabled for it in
the Azure portal and in the operating system of the Flow Gateway VM. For more information, see Turn on IP
forwarding.
Note: Ensure that Azure policy assignments do not conflict with these requirements. For more information, see
Creating Azure Policy Exemptions.
Port Requirements
The following table lists the ports that must be open for disaster recovery between on-prem cluster and Azure.
Note: Open the required ports and ensure that your firewall allows bi-directional Internet Control Message Protocol
(ICMP) traffic between the CVMs, Prism Element, and Prism Central. For more information on port requirements for
Nutanix products and services, see Ports and Protocols and select the Nutanix product from the Software Type
list.
The IP address 192.168.5.1 is used for all CVMs. For more information, see Networking Components.
Note: Many of the destinations listed here use DNS failover and load balancing. For this reason, the IP address
returned when resolving a specific domain may change rapidly. Nutanix cannot provide specific IP addresses in place of
domain names.
Note: These ports must be opened bidirectionally.
Note: NC2 might not support some bare-metal instance types in certain regions due to limitations in the number of
partitions available. NC2 supports bare-metal instances in regions with three or more partitions.
Bare-metal Instances
Azure supports the following bare-metal instances for NC2 on Azure:
Specification | Ready Node for Nutanix AN36 | Ready Node for Nutanix AN36P
Core | Intel 6140, 36 Core, 2.3 GHz | Intel 6240, 36 Core, 2.6 GHz
vCPUs | 72 | 72
RAM | 576 GiB | 768 GiB
For more information, see Hardware Platform Spec Sheets. Select NC2 on Azure from the Select your
preferred Platform Providers list.
NC2 on Azure supports:
• Minimum of three (or more) Azure Nutanix Ready nodes per cluster.
• Only the Nutanix AHV on Nutanix clusters running in Azure.
• Prism Central instance deployed on NC2 on Azure to manage the Nutanix clusters in Azure.
Azure Regions
NC2 on Azure supports the following Azure regions and bare-metal instances:
Region name | Ready Node for Nutanix AN36 | Ready Node for Nutanix AN36P
East US (Virginia) | Yes | No
West US 2 (Washington) | Yes | No
East US 2 (Virginia) | No | Yes
North Central US (Illinois) | No | Yes
Southeast Asia | No | Yes
Australia East | No | Yes
UK South | No | Yes
West Europe | No | Yes
Germany West Central | No | Yes
Japan East (Tokyo) | No | Yes
Limitations
This section lists the usage constraints and service limits of NC2 on Azure.
NC2 does not support:
Note: A maximum of 28 nodes are supported in a cluster. AOS 6.6 or higher version and Prism Central pc.2022.9
or higher version provides the ability to create a cluster with 28 nodes or expand an existing cluster capacity to 28
• Two-node clusters
• Sharing of Azure subnets among multiple clusters
Note: NC2 requires a unique CIDR for each subnet in the Azure resource group. The subnets must not use the
same CIDR. Only private IPv4 addresses are supported.
• Use of 192.168.5.0/24 CIDR for the VNet being used to deploy the NC2 on Azure cluster. All Nutanix nodes use
that CIDR for communication between the CVM and the installed hypervisor.
• Use of IPs 192.168.0.0/16, 10.100.0.0/16, 10.200.0.0/24, or 10.200.0.0/22 for Prism Central VNet.
• Reconfiguration of Prism Central VM IP addresses for Prism Central scale-out deployments used in an NC2
environment
• Prism Central backup and recovery
• SyncRep operations
• Hibernate and resume operations
• The default configuration for CVMs on NC2 with AOS 6.7 or earlier is 32 GiB of RAM. On NC2 with AOS
6.7.1.5, the CVM memory size is set to 48 GiB.
• Access to the CVM and AHV through SSH
• Access to the CVM console through Prism Element
• Unregistering a cluster through the Prism user interface (Prism Central and Prism Element web console)
• Unregistering Prism Central from Prism Element
• Automatic installation of Nutanix Guest Tools (NGT)
• Dynamic routing (eBGP) for No-NAT connectivity as Azure VPN gateway does not redistribute UDR routes to
on-prem
• Connectivity to private endpoints from resources on Azure-delegated subnets
Note: Host, CVM, and Prism Central cannot be connected to private endpoints. User VMs do not have this
restriction as they are not deployed on delegated subnets.
For more information about the Azure limitations on UDR, SD-WAN, and global VNet peering of delegated
subnets, see Microsoft documentation. Nutanix recommends contacting your Microsoft account representative for
workarounds for these Azure-specific constraints. Additionally, for more information about the supported network
topologies, global peering, and connectivity using VPN and ExpressRoute gateway, see Microsoft documentation.
• VLAN ID: Azure does not support VLANs. Therefore, if you deploy a cluster on Azure, you do not need to
provide the VLAN ID when you create or update the network in the cluster. The VLAN ID is replaced by the
subnet ID, which uniquely identifies a given network in a VPC.
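A pre-flight check for the address-space limits in the list above, as an added example that is not part of the Nutanix guide. It assumes "private IPv4" means RFC 1918 and treats any overlap with a listed range as a conflict (a stricter reading than an exact match); the function name, subnet names and sample plans are constructed for illustration.

```python
"""Validate a planned NC2 on Azure address layout against the CIDR limits listed above."""
from ipaddress import ip_network
from itertools import combinations

# Assumption: the guide's "private IPv4" is read as the RFC 1918 blocks.
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# From the Limitations list: used between the CVM and the hypervisor on every node.
CVM_HYPERVISOR_NET = ip_network("192.168.5.0/24")
# From the Limitations list: ranges that cannot be used for the Prism Central VNet.
PC_VNET_RESERVED = [ip_network(c) for c in
                    ("192.168.0.0/16", "10.100.0.0/16", "10.200.0.0/24", "10.200.0.0/22")]


def _parse(label, cidr, findings):
    """Return an IPv4Network, or None if the value cannot be compared further."""
    try:
        net = ip_network(cidr, strict=True)  # strict: reject host bits, e.g. 10.0.0.5/24
    except ValueError as exc:
        findings.append(f"{label}: invalid CIDR {cidr!r} ({exc})")
        return None
    if net.version != 4:
        findings.append(f"{label}: {net} is not IPv4")
        return None
    if not any(net.subnet_of(block) for block in RFC1918):
        findings.append(f"{label}: {net} is not RFC 1918 private space")
    return net


def check_plan(cluster_vnet, pc_vnet, subnets):
    """Return a list of human-readable findings; an empty list means no conflict found."""
    findings = []
    cluster = _parse("cluster VNet", cluster_vnet, findings)
    pc = _parse("Prism Central VNet", pc_vnet, findings)

    if cluster is not None and cluster.overlaps(CVM_HYPERVISOR_NET):
        findings.append(f"cluster VNet: {cluster} overlaps {CVM_HYPERVISOR_NET}")

    if pc is not None:
        hits = [str(r) for r in PC_VNET_RESERVED if pc.overlaps(r)]
        if hits:
            findings.append(f"Prism Central VNet: {pc} overlaps reserved {', '.join(hits)}")

    # Each subnet in the resource group needs its own CIDR; overlaps are flagged too.
    parsed = {}
    for name, cidr in subnets.items():
        net = _parse(f"subnet {name}", cidr, findings)
        if net is not None:
            parsed[name] = net
    for (a, net_a), (b, net_b) in combinations(parsed.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"subnets {a} and {b} overlap: {net_a} / {net_b}")
    return findings


# Constructed sample plans (not taken from the guide).
GOOD_PLAN = {
    "cluster_vnet": "10.10.0.0/16",
    "pc_vnet": "10.20.0.0/24",
    "subnets": {"subnet-a": "10.10.1.0/24", "subnet-b": "10.10.2.0/24",
                "subnet-c": "10.20.0.0/26"},
}
BAD_PLAN = {
    "cluster_vnet": "192.168.0.0/16",   # contains 192.168.5.0/24
    "pc_vnet": "10.200.0.0/23",         # inside 10.200.0.0/22, contains 10.200.0.0/24
    "subnets": {"subnet-a": "192.168.10.0/24",
                "subnet-b": "192.168.10.0/24",   # same CIDR as subnet-a
                "subnet-c": "20.1.2.0/24",       # public range
                "subnet-d": "10.0.0.5/24"},      # host bits set
}

if __name__ == "__main__":
    for title, plan in (("good plan", GOOD_PLAN), ("bad plan", BAD_PLAN)):
        results = check_plan(**plan)
        print(f"{title}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```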
Cluster Operations
Perform the following actions using the NC2 console:
• Deploy and provision the cluster using the NC2 console. Do not use Foundation.
• Perform the add node and remove node operations using the NC2 console. Do not use the Prism Element web
console.
API Operations
The following API calls are disabled or changed in a Nutanix cluster running in Azure:
API | Changes
GET /clusters | Values for the rack and block configuration are not displayed.
POST /cluster/block_aware_fixer | Not supported
Procedure
1. Go to https://my.nutanix.com.
3. Enter your details, including first name, last name, company name, job title, phone number, country,
email, and password.
Follow the specified password policy while creating the password. Personal domain email addresses, such as
gmail.com or yahoo.com, are not allowed. You must sign up with a company email address.
4. Click Submit.
A confirmation page appears and you receive an email from mynutanix@nutanix.com after you successfully
complete the sign-up process.
6. Sign in to the portal using the credentials you specified during the sign-up process.
A default Personal workspace is created after you successfully create a My Nutanix account. You can rename
your workspaces. For more information on workspaces, see Workspace Management.
Note: The default Personal workspace name contains the domain followed by the email address of the user and
the tenant word.
Note: When you create a My Nutanix account, a default workspace gets created for you with the Account Admin
role, which is required to create an NC2 subscription and access the Admin Center and Billing Center portals. If you
are invited to a workspace, then you must get the Account Admin role so that you can subscribe to NC2 and access
the Admin Center and Billing Center.
Note: The owner of the My Nutanix workspace that has been used to start the free trial for NC2 must add other users
from the NC2 console with appropriate RBAC if those users need to manage clusters in the same tenant. For more
information on adding users and the roles that can be assigned, see NC2 User Management.
Note: You are responsible for any hardware and cloud services costs incurred during the NC2 free trial.
Note: Ensure that you select the correct workspace from the Workspace dropdown list on the My Nutanix
dashboard. For more information on workspaces, see Workspace Management.
2. On the My Nutanix dashboard, scroll to Cloud Services, and under Nutanix Cloud Clusters (NC2), click
Get Started.
3. On the Nutanix Cloud Clusters (NC2) on Public Clouds page, under Try NC2, click Start your 30 day
free trial.
Note: If you want to subscribe to NC2 instead of using a free trial, you can click the Select from our available
plan options to get started option, and then complete the subscription on the Nutanix Billing Center.
Note: To be able to use NC2 on Azure, you must get your Azure subscription allowlisted. For more information,
see Allowlisting Your Azure Subscription.
Note: You cannot switch back from NCI licensing to AOS licensing. You cannot switch back from EUC licensing to
VDI licensing.
Nutanix also provides flexible subscription options that help you select a suitable subscription type and payment
method for NC2.
You can use the legacy portfolio licenses and pay using the Pay As You Go (PAYG) subscription plan for overages
above the legacy license capacity used.
For more information on the pricing that is used to charge for overages above legacy AOS license capacity, see NC2
pricing options.
For the new NCI licensing, NC2 does not charge for overages above the NCI license capacity used. For more details
on the new NCI licenses, see Nutanix Cloud Platform Software Options.
You can choose to be invoiced either directly by Nutanix or through your cloud marketplace account, if you choose to
use your cloud marketplace.
NC2 supports Advanced Replication and Security add-ons for NCI Pro and Nutanix Unified Storage (NUS) Pro, and
you have to manually apply these licenses to Prism Central managing your NC2 cluster. NC2 supports Advanced
Replication and Data-at-Rest Encryption add-ons for AOS (legacy) Pro, and you have to reserve capacity from these
licenses, after which they are automatically picked up and applied to your NC2 cluster.
The following table lists the combination of license types based on the software configuration and the subscription
plan available for these license types.
Note: Your NC2 cluster is enabled with AOS, NCI, VDI, or EUC licenses during the free trial. You can switch from
AOS to NCI licenses at any time; however, you cannot switch from NCI to AOS licenses. You can switch from VDI to
EUC licenses at any time; however, you cannot switch from EUC to VDI licenses.
For more information on how to switch an already running cluster with AOS legacy licensing to NCI licensing, see
Applying NCI, EUC, and NUS Licenses.
Once you have configured Prism Central with the cluster, you can manually apply the NCI licenses to that Prism
Central to cover the cloud usage.
When switching a cloud cluster from one Prism Central to another Prism Central, you must manually re-license the
new Prism Central with the NCI license you want to use.
Note: You can use the same Prism Central with both AOS and NCI-licensed clusters.
• AOS 6.0.1.7
• Nutanix Cluster Check (NCC) 4.3.0
• Prism Central pc.2021.9
Applying NUS licenses requires that the cluster is running the minimum versions of the following software:
• AOS 6.1.1
• NCC 4.5.0
• pc.2022.4
Procedure
1. If you are using a free trial for NC2, you can select NCI, AOS, VDI, or EUC as the option during the free trial
period.
You can switch from the AOS to the NCI licensing option or from the VDI licensing to the EUC licensing at any
time. Make sure you follow the appropriate licensing instructions for legacy licenses or new portfolio licenses.
Note: You must perform this step with every NC2 cluster that uses the new portfolio licenses, for both general
purpose and VDI clusters.
Perform the following steps to change the license type from AOS to NCI:
3. If you already have the following licenses that you are ready to use, you can manually apply these licenses by
following the procedures described in Applying and Managing Cloud Platform Licenses.
Note: License reservation is required for AOS (legacy) licenses and the associated Advanced Replication and Data-at-
Rest Encryption add-ons. License reservation is not required for NCI licenses and the associated Advanced Replication
and Data-at-Rest Encryption add-ons, as you need to manually apply the NCI licenses.
You do not need to delete the license reservation when terminating an NC2 cluster if you intend to use the
same license reservation quantity for a cluster you might create in the future.
Procedure
1. Sign in to the Nutanix Support portal at https://portal.nutanix.com and then click the Licenses link on the
portal home page. You are redirected to the Licensing portal.
2. Under Licenses on the left pane, click Active Licenses and then click the Available tab on the All Active
Licenses page.
3. Select the licenses that you want to reserve for NC2 and then select Update reservation for Nutanix Cloud
Clusters (NC2) from the Actions list.
Note: This option becomes available only after you select at least one license for reservation.
5. Enter the number of licenses that you want to reserve in the Reserved for AWS and Reserved for Azure
columns for the license. The available licenses appear in the Total Available to Reserve column.
Procedure
1. Terminate your cluster from the NC2 console. For more information, see Terminating a Cluster.
2. Update the license reservation for the NC2 cluster under Reserved for AWS or Reserved for Azure columns
as 0 on the Licensing portal. For more information, see Modifying License Reservations.
3. Your license capacity is now available for use with any other Nutanix cluster, including on-prem clusters.
Managing Licenses
Follow these steps to manage licenses and change license type or add add-on products to your running
NC2 cluster.
Procedure
2. In the Clusters page, click the cluster name for which you want to update the add-on product selection.
4. Under Software Configuration, you can change your license tier from Pro to Ultimate or vice versa from the
Software Tier list.
5. Under Add-on Products, based on the cluster type (General Purpose or VDI cluster) and the license tier, the
available add-on products are displayed. Select or remove the add-on product based on your requirements.
6. Click Save.
You must subscribe to an NC2 subscription plan (Nutanix Direct or Cloud Marketplace) to cover your NC2 usage.
Any licenses applied to your NC2 cluster will be given priority to cover NC2 usage, and the remaining overages will
be billed to that subscription plan.
Note: You can only reserve your legacy portfolio licenses. You must not reserve the new portfolio licenses, such as
NCI and EUC licenses. You need to apply these licenses to an NC2 cluster manually.
To learn more about how to reserve the legacy portfolio licenses, see Reserving License Capacity.
To learn more about how to manually apply new portfolio licenses, see Applying NCI, EUC, and NUS Licenses.
You can subscribe to NC2 from the My Nutanix dashboard > Administration > Billing Center > Launch. In the
Billing Center, under Nutanix Cloud Clusters, click Subscribe Now.
At the beginning of the subscription steps, you get the following options to cover your NC2 usage:
• Use your reserved license capacity: You can reserve your legacy portfolio licenses, such as AOS Pro, AOS
Ultimate, VDI Ultimate license, and associated add-ons for NC2 usage. These licenses are automatically applied
to the cloud clusters to cover their configuration and usage.
You still need to select a subscription plan to cover any overage above your reserved license capacity. You have a
choice of paying directly to Nutanix or using your cloud marketplace account to pay for NC2 software usage.
Note: Ensure that you have reserved enough license capacity for NC2 if you plan to use Nutanix licenses for NC2
usage.
• Use your subscription plan: You can use your paid subscription plan and pay directly to Nutanix or use your
cloud marketplace account.
Based on your preferences, you can use the following subscription workflows to pay for your NC2 software usage,
such as any overage above your reserved license capacity or invoices for your subscription plan.
• Nutanix Direct Subscription: Pay for your NC2 software usage directly to Nutanix.
For more information, see Nutanix Direct.
• Cloud Marketplace Subscription: Pay for your NC2 software usage through your cloud marketplace account.
For more information, see Azure Marketplace.
With NC2 being a multicloud product, you can consume NC2 on AWS as well as Azure. Your Cloud marketplace
subscription is given preference to cover NC2 on Azure usage, if you are connecting your Azure marketplace
account. However, NC2 on AWS usage will still need to be covered by a Nutanix Direct subscription. Your Azure
marketplace account is not charged for any NC2 usage on AWS.
You are billed by Azure marketplace, and you can use your MACC commitments to pay for the bill.
Nutanix Direct
Perform the following procedure to pay for NC2 on Azure and NC2 on AWS consumption with a Nutanix Direct
subscription plan:
Procedure
• On the My Nutanix dashboard, scroll down to Administration > Billing Center and click Launch. In the
Billing Center, under Nutanix Cloud Clusters, click Subscribe Now.
• On the NC2 console, click the Nutanix billing center link in the banner displayed on the top of the NC2
console.
You are directed to the Nutanix Billing Center.
• Select Yes, I would like to use Nutanix Licenses to cover NC2 usage if you want to use Nutanix
licenses for NC2. You must reserve the legacy license capacity from the Nutanix license portal or manually
apply new portfolio licenses to your NC2 cluster.
If you select this option, the licenses reserved or applied are used to cover the NC2 usage first, and any
overage is charged to the subscription plan you select in the next step.
• Select No, I don’t want to use my licenses. Invoice all NC2 usage to my subscription plan
option if you do not want to use any licenses for NC2. All NC2 usage will be charged to the subscription
plan that you select in the next step.
5. Next, the How would you like to pay for overage above any reserved license capacity? option is
presented.
• Pay directly to Nutanix: The NC2 software usage on all supported clouds (AWS and Azure) is paid to a
single subscription plan.
• Pay via Cloud Marketplace: The Azure marketplace bills you for the NC2 usage on Azure. Any NC2 on
AWS usage still goes through a Nutanix Direct subscription.
Select Pay directly to Nutanix and then click Next.
Legacy License Portfolio: You can click Reserve existing licenses on the Support Portal to reserve
licenses for the NC2 usage. To learn more about how to reserve the legacy portfolio licenses, see Reserving
License Capacity.
New Portfolio Licenses: To learn more about how to manually apply new portfolio licenses, see Applying
NCI, EUC, and NUS Licenses.
Select Pay As You Go (For NC2 on AWS and Azure) payment plan for your Nutanix cluster. With this
plan, you are billed at the end of each month for the NC2 usage for that month without any term commitments.
Click Next.
8. On the Company Details page, type the details about your organization and then click Next.
Nutanix Cloud Services considers the address that you provide in the Address 1 and Address 2 fields as the
Bill To Address and uses this location to determine your applicable taxes.
If the address where you consume the Nutanix services is different than your Bill To Address, under the
Sold to Address section, clear the Same information as provided above checkbox and then provide the
address of the location where you use the Cloud services. However, only the Bill To Address is considered to
determine your applicable taxes.
9. On the Payment Method page, select one of the following payment methods, and then click Next.
11. (Optional) If you have received a promotional code from Nutanix, type the code in the Promo code field and
click Apply.
What to do next
You can now begin using NC2.
You can do one of the following:
Azure Marketplace
You can subscribe to NC2 on Azure from Azure Marketplace in the following ways:
• Nutanix licenses and associated overages: Work with your Nutanix account manager to get discounted
pricing for Nutanix licenses.
For more information, see Subscribing to NC2 From Azure Marketplace With Private Offers.
Note: Nutanix recommends always reaching out to your Nutanix account manager for discounted pricing to
subscribe to NC2 from Azure Marketplace.
• Pay-as-you-go subscription plan: You can subscribe to NC2 using publicly available plans.
For more information, see PAYG Subscription Plan.
Note: Any overages above the license capacity purchased through Azure Marketplace will also be billed through Azure
Marketplace, and the same discounted rate that was used for the initial license purchase through Azure Marketplace will
be used to calculate the billable amount for overages. The overages will be billed and invoiced monthly by Azure.
Note: You must manually apply NCI and EUC licenses to Prism Central to manage your NC2 clusters. For more
information, see Applying NCI, EUC, and NUS Licenses.
1. Contact your Nutanix Account Manager with your NC2 sizing requirements, such as the number of licenses
required and the term for usage.
Your Nutanix Account Manager works with a Nutanix reseller, if applicable, to come up with customized
pricing and convert that into a private offer in Azure Marketplace. Once the offer is ready for you to accept
through Azure Marketplace, you will receive an email from the Nutanix reseller with the private offer details,
including the pricing that is specific to you.
Note: You need to provide your Azure billing account details to the Nutanix Account Manager. You can find
your billing account ID in the Azure portal from Subscriptions > Your subscription that you want to use for the
NC2 subscription > Properties (or Billing Properties) > Billing Account ID.
2. Click the private offer URL in the email that you receive from the Nutanix reseller.
You are redirected to Azure Marketplace.
a. Review the private offer details, such as billing account, private offer pricing and validity duration, product
type, and the expiration date for the offer.
8. Review the plan and subscription on the Nutanix Cloud Clusters (NC2) listing page and click Subscribe.
You are redirected to the Subscribe to Nutanix Cloud Clusters (NC2) page.
Note: Ensure that the plan displayed here is the same plan that was selected in the private offer details
page in Step 4. You must not click Change plan to change the offered plan because the private offer is
made against a specific plan for you.
• Billing term, Price/payment frequency, and Subtotal: Review these prefilled details.
• Recurring billing: Set the recurring billing On if you want your subscription auto-renewed at the end
of the billing term.
Note: You must negotiate the private discounted pricing before the end of your subscription term, even if
you opt in to auto-renew your subscription. Otherwise, after the end of your discounted subscription term, you
are billed at the publicly available, non-discounted rate.
Your discounted pricing is always lower than this public rate. Therefore, Nutanix recommends always
re-negotiating the pricing with your Nutanix Account Manager, even if you choose to auto-renew your
subscription.
If you select Off for Recurring billing, the auto-renewal is disabled for your subscription. In this case,
some of your NC2 features might be restricted when your subscription expires. You will not be billed any
amount for ongoing NC2 usage until you renegotiate custom pricing with your Nutanix Account Manager.
10. Click Review + subscribe and then review the offer and plan details.
13. When you are redirected to My Nutanix Billing Center, sign in with your My Nutanix account credentials.
Note: If you do not already have an existing My Nutanix account, you must sign up for a new My Nutanix
account and verify the email address used to sign up for My Nutanix. After verifying your email address, you will
be automatically redirected to My Nutanix Billing Center. For more information, see Creating My Nutanix
Account.
Note: Nutanix recommends using an alternate method for NC2 subscriptions that involves a Nutanix reseller, where
you can work with your Nutanix Account Manager to get discounted pricing based on your specific needs. For more
information, see Subscribing NC2 From Azure Marketplace With Private Offers.
With NC2 being a multicloud product, you can consume NC2 on AWS and Azure. Your Cloud marketplace
subscription is given preference to cover NC2 on Azure usage if you are connecting your Azure marketplace account.
However, NC2 on AWS usage still needs to be covered by a Nutanix Direct subscription. Your Azure Marketplace
account is not charged for any NC2 usage on AWS.
Follow these steps to pay for NC2 on Azure with a Cloud marketplace subscription:
Procedure
2. Select the correct workspace from the Workspace dropdown list on the My Nutanix dashboard.
For more information on workspaces, see Workspace Management.
• On the My Nutanix dashboard, go to Administration > Billing Center and click Launch. In the Billing
Center, under Nutanix Cloud Clusters, click Subscribe Now.
• On the NC2 console, click the Nutanix billing center link in the banner displayed on the top of the NC2
console. You are directed to the Nutanix Billing Center. In the Billing Center, under Nutanix Cloud
Clusters, click Subscribe Now.
4. On the Payment Plan page, select one of the following options under Would you like to use your
existing Nutanix Licenses for your NC2 usage?.
• Select Yes, I would like to use Nutanix Licenses to cover NC2 usage if you want to use Nutanix
licenses for NC2. You must reserve the exact amount of Nutanix licenses capacity from the Nutanix License
portal.
If you select this option, the reserved license capacity is used to cover the NC2 usage first, and once the
licenses are consumed, any overage will be charged to the subscription plan you select in the next step.
If you have not reserved license capacity, you can click Reserve your license capacity from the
License Portal now to reserve licenses for NC2 usage.
Note: You can reserve only the legacy licenses. You cannot reserve new portfolio licenses (NCI and EUC
licenses); you need to manually apply the required license capacity if you want to use NCI and EUC licenses
with NC2. For more information, see Applying NCI, EUC, and NUS Licenses.
• Select No, I don’t want to use my licenses. Invoice all NC2 usage to my subscription plan
option if you do not want to use any licenses for NC2. Your entire NC2 usage will be charged to your
subscription plan in the next step.
• Pay directly to Nutanix: The NC2 software usage on all supported clouds (AWS and Azure) is paid to a
single subscription plan.
• Pay via Cloud Marketplace: The Azure marketplace bills you for the NC2 usage on Azure. Any NC2 on
AWS usage still goes through a Nutanix Direct subscription.
Here, you must select Pay via Cloud Marketplace and then click Next.
6. Click Next.
Click Next.
Note: NC2 being a multicloud product, you can also consume NC2 on Azure and AWS. Your Nutanix Direct
subscription is used to cover NC2 on AWS consumption. Select the subscription plan to cover NC2 software
usage on AWS. You are not charged if there is no usage.
Click Next.
9. On the Company Details page, enter your organization details and click Next.
Nutanix Cloud Services considers the address that you provide in the Address 1 and Address 2 fields as the
Bill To Address and uses this location to determine your applicable taxes.
If the address where you consume the Nutanix services is different than your Bill To Address, under the
Sold to Address section, clear the Same information as provided above checkbox and then provide the
address of the location where you use the Cloud services. However, only the Bill To Address is considered to
determine your applicable taxes.
Note: This subscription workflow only allows you to pay for Nutanix software through your Azure marketplace
account. You are responsible for paying for Azure bare-metal costs directly to Azure.
Note: You might receive an email from Microsoft asking for your new subscription activation. Nutanix
recommends not clicking the Activate now button in the email.
11. You must also provide a payment method for the Nutanix Direct subscription to cover the NC2 software usage
on AWS. Select one of the following payment methods on the Payment Method page, and then click Next.
You are not charged on this subscription if there is no NC2 usage on AWS.
Note: It is optional to provide credit card details. Nutanix will invoice you directly for your NC2 on AWS
usage if you do not provide a credit card.
• ACH Bank Transfer: Enter your Automated Clearing House (ACH) bank transfer details. You must
discuss with your account team if you prefer to use the ACH Bank Transfer option. The ACH payment
method is available only if the bill-to address of your organization is in the United States of America, and
you must at least have made one positive payment from your account for the same or any other service.
• Invoice Me: Direct invoicing by Nutanix at the end of every billing cycle. You must discuss with your
account team if you prefer to be invoiced by Nutanix.
12. Review all the details on the Review & Confirm page. You can click Edit next to each section if you want to
edit any of the details.
13. (Optional) If you have received a promotional code from Nutanix, type the code in the Promo code field and
click Apply.
Note: If you have your Azure marketplace account connected for the NC2 usage, you need to first disable it before
canceling your NC2 subscription. You can cancel your Azure marketplace subscription from your Azure account.
Procedure
2. Select the correct workspace from the Workspace dropdown list on the My Nutanix dashboard. For more
information on workspaces, see Workspace Management.
3. On the My Nutanix dashboard, go to Administration > Billing Center and click Launch.
6. In the Cancel Plan dialog, click Yes, Cancel to cancel the subscription plan or click Nevermind to close the
Cancel Plan dialog.
7. In the Share Your Feedback dialog, you can specify your reasons to cancel the plan, and click Send.
What to do next
Your plan is deactivated at the end of the current billing schedule. The Cancel Plan dialog displays the date on
which your plan is scheduled to be deactivated.
Note: You can revoke the cancellation of your plan at most two times before the plan is deactivated.
Billing Management
The Billing Summary page allows you to do the following:
Note: Only the primary billing contact can modify any billing or subscription details.
• If you have applied the Nutanix software licenses, you can change the licenses allocated to NC2.
• View details about the unbilled amount for the current month.
• View details of usage, such as rate, quantity, and the amount charged for each entity (CPU hours, public IP
address hours, disk size, and memory hours) for each cluster.
For more information on how to manage billing, see Nutanix Cloud Services Administration Guide.
• Details about the rate, quantity, and amount charged per unit for a selected billing cycle. You can check the details
for the current and last two billing cycles.
• Details about the usage of clusters by units of measure for a selected billing cycle.
• Spend: Displays a graph detailing your estimated daily spending for a selected billing cycle. You can check
details for the current and last two billing cycles. You can apply filters to the graph for individual units of
measure. A summary table with detailed information about the current billing cycle is also displayed.
• Usage: Displays an estimate of your total usage for the billing cycle that you select. You can filter the usage
by clusters and units of measure. Individual units of measure are a breakdown of total usage on the latest day
of the billing cycle that you select. You can apply filters to see more details, such as usage information of each
cluster and find out whether a usage is processed through licensing or subscription.
Select the billing period on the top-right corner of the usage graph to see the total usage for the selected billing
cycle in the form of a graph.
Under Usage broken down by individual units of measure, click Clusters, and then select a cluster
ID and choose a unit of measure to see the total usage of each cluster for a selected billing cycle in a graphical
view. Hover over the bars in the graph to see the number of licenses and subscriptions you used.
Click Units and select a unit of measure to see the total usage of all the clusters by that unit of measure.
A breakdown of the total usage of the same billing cycle you selected is displayed in a table after the graph.
You can view the usage graph for three billing cycles.
Note: Ensure that you save your Azure subscription ID, a 32-digit GUID associated with your subscription.
For up-to-date and detailed instructions on creating a free Azure account, see the Microsoft Azure documentation.
Note: Do not perform any tasks in the NC2 console until the Azure support case for allowlisting is closed.
Perform the following steps to get your Azure subscription allowlisted for NC2 on Azure:
1. Sign in to the Azure portal, go to Subscriptions, and then go to your target subscription context.
2. In the Support + troubleshooting section, select New Support Request. The New Support Request
page appears.
Note: The Service field might take approximately 2-3 minutes to load.
6. Click Next.
7. On the Review + create tab, review the summary. If the summary is correct, click Create.
8. A support ticket gets created and an acknowledgement email is sent to the email address with which you signed
into the Azure portal.
9. After the allowlisting is complete, you receive an email confirmation for the closure of the support ticket.
For more information on how to register a resource provider, see the Microsoft Azure documentation.
Note: If you already assigned the Azure built-in Contributor role, you must first assign the Azure Custom role and then
remove the Contributor role. For more information, see Removing the Contributor Role Assignment.
Procedure
Note: Ensure that you replace the <subscription_id> with your Azure subscription ID and update the value for
<assignableScopes> to specify the scopes that the role is available for assignment. You can also update the values
for <roleName> to specify the display name of the role and <description> to specify the description of the role.
2. Sign in to the Azure portal, go to Subscriptions, and select your Azure subscription.
5. On the Basics tab, specify the following details for your custom role:
Note: The name must be unique for the Azure AD directory. The name can include letters, numbers, spaces,
and special characters.
10. Check that the new custom role appears in the Roles list. Click Refresh if you do not see your custom role.
It can take a few minutes for your custom role to appear everywhere.
To learn more about how to create or update Azure custom roles using the Azure portal, see Microsoft
Documentation.
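The checks a reviewer would run on the role JSON before importing it, written out as an added example (not Nutanix code). It assumes the Azure portal's custom role layout (`properties.roleName`, `assignableScopes`, `permissions`); the two role documents, the all-zero subscription ID, and the action names are constructed samples, not the permission list that NC2 requires.

```python
import json
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# A subscription scope, or a resource group scope inside one subscription.
SCOPE_RE = re.compile(rf"^/subscriptions/{GUID}(/resourceGroups/[^/]+)?$", re.I)
# Template placeholders such as <subscription_id> that were never filled in.
PLACEHOLDER_RE = re.compile(r"<[A-Za-z_]+>")


def lint_action(action):
    """Return a finding for one action string, or None if it looks narrow."""
    lowered = action.lower()
    if lowered == "*":
        return "action '*' grants every management operation (at least as broad as Contributor)"
    if lowered.startswith("microsoft.authorization/") and \
            lowered.rsplit("/", 1)[-1] in ("*", "write", "delete"):
        return f"action {action!r} modifies authorization resources (role assignments, definitions, policy)"
    if lowered.endswith("/*") and lowered.count("/") == 1:
        return f"action {action!r} covers a whole resource provider"
    return None


def lint_custom_role(role_json):
    """Return a list of findings for a custom role definition given as JSON text."""
    findings = [f"unreplaced placeholder {p}"
                for p in sorted(set(PLACEHOLDER_RE.findall(role_json)))]
    props = json.loads(role_json).get("properties", {})
    if not str(props.get("roleName", "")).strip():
        findings.append("roleName is empty")
    scopes = props.get("assignableScopes") or []
    if not scopes:
        findings.append("assignableScopes is empty")
    for scope in scopes:
        if PLACEHOLDER_RE.search(scope):
            continue  # already reported as a placeholder
        if not SCOPE_RE.match(scope):
            findings.append(f"scope {scope!r} is malformed or wider than one subscription")
    for block in props.get("permissions", []):
        for key in ("actions", "dataActions"):
            for action in block.get(key, []):
                finding = lint_action(action)
                if finding:
                    findings.append(finding)
    return findings


# Constructed sample: a draft with unfilled placeholders and over-broad grants.
DRAFT_ROLE = json.dumps({"properties": {
    "roleName": "<roleName>",
    "description": "<description>",
    "assignableScopes": ["/subscriptions/<subscription_id>", "/"],
    "permissions": [{"actions": ["*", "Microsoft.Network/*",
                                 "Microsoft.Authorization/roleAssignments/write"],
                     "notActions": [], "dataActions": [], "notDataActions": []}],
}})

# Constructed sample: placeholders filled, one subscription, narrow actions.
READY_ROLE = json.dumps({"properties": {
    "roleName": "NC2 custom role (example)",
    "description": "Constructed sample, not the NC2 permission list",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{"actions": ["Microsoft.Network/virtualNetworks/read",
                                 "Microsoft.Network/virtualNetworks/subnets/join/action"],
                     "notActions": [], "dataActions": [], "notDataActions": []}],
}})

if __name__ == "__main__":
    for label, doc in (("draft", DRAFT_ROLE), ("ready", READY_ROLE)):
        print(label, lint_custom_role(doc) or "no findings")
```
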
• Global Administrator
• Cloud Application Administrator
• Application Administrator
For more information, see the Microsoft documentation.
Procedure
1. Log on to https://portal.azure.com.
6. Specify who can use the application, sometimes called its sign-in audience.
Procedure
1. Sign in to https://portal.azure.com.
5. Under Role, select Custom role from the Type dropdown list, then select the custom role that you created.
6. Click Next.
7. Under Members, select Assign access to > User, group, or service principal and then click Select
members.
Note: You must first assign the Azure Custom role to the App registration before removing the Contributor role
assignment.
Procedure
1. Sign in to https://portal.azure.com.
4. In the list of role assignments, select the checkbox for the App that you registered with the role assignment to be
removed.
5. Click Remove.
Note: Copy and save the client secret value for later usage while adding an Azure cloud account to NC2.
1. Log on to https://portal.azure.com.
Note: Set the expiration date as desired. After the client secret expiration date, you must generate a new client
secret and update the cloud account with the new client secret value.
7. Click Add.
8. Copy and save the value of the client secret because you cannot retrieve it later. You need to
provide the client secret value while adding an Azure cloud account to NC2.
• Directory ID – The Tenant ID of the Microsoft Entra ID (formerly Azure Active Directory) in which you created
the application. For more information, see Get tenant ID.
• Application ID - The Client ID of the application created earlier in Microsoft Entra ID. For more information, see
Get application ID and authentication key.
• Client Secret - The client secret, which is an authentication key string, used for password-based authentication
of the Azure services. You must have copied and saved the client secret value while creating and registering
an app as explained in Creating an App Registration. For more information, see Get application ID and
authentication key.
• Azure Subscription ID – An ID that uniquely identifies your subscription to use Azure services. For more
information, see Find your Azure subscription.
Note: An NC2 cluster deployment might fail when a policy conflict is detected during the cluster deployment.
Below are the high-level steps to add a policy exemption in Azure; for more information, see Azure Documentation.
You can also create a policy exemption using Azure PowerShell; see Azure PowerShell Documentation.
Procedure
1. Sign in to the Azure portal, go to Subscriptions, and then go to your target subscription context.
3. Click the ellipsis in the row of the policy you want to exempt, and then click Create exemption.
Note: If you use a private DNS server, then the nodes must be able to reach that DNS server during the Booting stage
itself. If the DNS server is reachable only through VPN or ExpressRoute, you must set up VPN or ExpressRoute and
then peer the VPN/ER (Hub) VNet with the Prism Central VNet and the Cluster VNet.
If the Cluster VNet and Prism Central VNet are created as part of cluster creation from the NC2 console,
then you must peer these VNets with the VPN/ER (Hub) VNet as soon as they become visible in the Azure
portal, or the nodes will not progress past the Booting state. If you create these VNets yourself and use a
private DNS server, you must perform the VNet peering before you create a cluster.
Note: You must create a Cluster VNet and set up VPN or ExpressRoute connectivity to the on-prem DNS server.
Note: Microsoft does not support the Basic SKU or any gateway in Active-Active mode. Only VpnGw1 and
higher VPN gateway SKUs are supported. For more information on Azure VPN gateway configuration, see Microsoft
documentation.
Note: If direct access to the Cloud Cluster through VPN or ExpressRoute is not possible, you can deploy a Jump Host
instance to access Prism Element and Prism Central. You can deploy the Jump Host instance in the Prism Central
VNet inside a non-delegated subnet. Alternatively, you can deploy it in an external VNet and peer the VNets for
communication between Prism Central VNet and the Jump Host VNet.
For on-prem prefixes to reach the VPC subnets through a No-NAT option, a user-defined route (UDR) needs to be
pointed towards the Flow Gateway external IP on the VPN Gateway subnet where the VPN gateway is created. Also,
the respective No-NAT configuration must be done on the VPC. For more information, see Network Connectivity
for User VMs. For reaching the user VMs through floating IPs using NAT, a UDR is not needed on the VPN
Gateway subnet.
Procedure
Note: While establishing the VNet peering between VPN/ER (Hub) VNet and Prism Central VNet or Cluster
VNet, ensure that you specify the Virtual network gateway or Route server options as follows:
• Under This virtual network: Virtual network gateway or Route Server > Use the
remote virtual network's gateway or Route Server
• Under Remote virtual network: Virtual network gateway or Route Server > Use this
virtual network's gateway or Route Server
• For peering from Hub VNet to Prism Central or Cluster VNet:
• Under This virtual network: Virtual network gateway or Route Server > Use this
virtual network's gateway or Route Server
• Under Remote virtual network: Virtual network gateway or Route Server > Use the
remote virtual network's gateway or Route Server
These settings ensure that the Hub VNet is defined as the Route Server and the spoke VNet uses
the peer's Route Server. These settings must be configured when you add peering for the first time,
and not while updating the existing peering. If you already have established peering without these
Note: When ExpressRoute or VPN connectivity is terminated on the Hub VNet or Cluster Management VNet, you
must add a route rule in the VNet route table for Nutanix VNet subnets with the next hop IP address of the Flow
Gateway. When VMs in the on-prem subnets need to communicate with the user VMs in Nutanix VNet subnets
using the VM IPs and not the floating IP, you must do the No NAT configurations in the VPC as described in
Network Connectivity for User VMs.
What to do next
Nutanix recommends that you run a packet capture on your Azure VPN gateway to confirm that the on-
prem VPN gateway is forwarding the packets to the Azure VPN gateway.
Note: These steps are not needed if you choose to create Azure resources while creating a cluster from the NC2
console.
Procedure
2. Create a NAT gateway for the cluster management subnet and the Prism Central subnet.
For more information, see Creating a NAT Gateway in Azure.
For detailed instructions on configuring the NAT gateway, see the Microsoft Azure documentation at Set up a
NAT Gateway.
Note: Delegate the cluster management/bare-metal instance subnet to the
Microsoft.BareMetal/AzureHostedService service. Specify the DNS server listed earlier. In your Azure portal, go to your cluster
management VNet > under Subnets, click the cluster management subnet > in the right pane, select
Microsoft.BareMetal/AzureHostedService in the Delegate subnet to a service list.
For detailed instructions on delegating a subnet, see the Microsoft Azure documentation at Add or remove a
subnet delegation.
Note: Attach the NAT gateway to the cluster management subnet and the Prism Central subnet.
4. If you have chosen to create the Prism Central VNet in advance, then you must create the subnet for the Prism
Central.
Note: Delegate the Prism Central subnet to the Microsoft.BareMetal/AzureHostedService service.
5. Verify that you have applied the fastpathenabled tag with the true value to the NAT gateway.
6. Verify that the cluster management subnet has the NAT gateway and AzureHostedService configured.
In your Azure portal, go to your cluster management VNet > under Subnets, click the cluster management
subnet > in the right pane, you can see the NAT gateway name in the NAT gateway list, and the subnet
delegation in the Delegate subnet to a service list.
7. Create two subnets in the Prism Central VNet to deploy a Flow gateway.
• One non-delegated subnet (Azure native subnet) in the Prism Central VNet.
• Another non-delegated (external) subnet for Flow gateway.
• Attach the Azure NAT gateway to the external non-delegated subnet.
Note: In a configuration where the Flow Gateway external subnet does not have Azure NAT Gateway attached,
UVM internet reachability does not work. You must use a customized user-defined route (UDR) on the Flow
Gateway external subnet to provide internet reachability for UVMs.
9. Ensure that the Azure Directory Service resolves the specified FQDN:
gateway-external-api.cloud.nutanix.com
You can use tools such as host, nslookup, or ping to do a regular DNS lookup.
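The delegation, NAT gateway, and tag verifications from the procedure above, combined into one check as an added example (not Nutanix tooling). It assumes the JSON shape that `az network nat gateway show` and `az network vnet subnet show` print; the subnet role names, resource names, and the all-zero subscription ID are constructed for the sample.

```python
DELEGATION = "Microsoft.BareMetal/AzureHostedService"

# Subnet role (hypothetical labels) -> (delegated?, NAT gateway attached?).
# None means the procedure does not state a requirement.
EXPECTED = {
    "cluster-management": (True, True),
    "prism-central": (True, True),
    "flow-gateway-external": (False, True),
    "prism-central-native": (False, None),
}


def nat_gateway_findings(nat):
    """The fastpathenabled tag must be 'true' on the NAT gateway."""
    tags = {k.lower(): v for k, v in (nat.get("tags") or {}).items()}
    if tags.get("fastpathenabled") != "true":
        return [f"{nat['name']}: tag fastpathenabled=true is missing "
                "(it has to be added while creating the NAT gateway)"]
    return []


def subnet_findings(role, subnet, nat):
    """Compare one subnet against the state the procedure expects for its role."""
    want_delegated, want_nat = EXPECTED[role]
    services = [d.get("serviceName", "?") for d in subnet.get("delegations") or []]
    attached = ((subnet.get("natGateway") or {}).get("id") or "").lower()
    name, out = subnet["name"], []
    if want_delegated and DELEGATION not in services:
        out.append(f"{name}: not delegated to {DELEGATION}")
    if not want_delegated and services:
        out.append(f"{name}: must be non-delegated but is delegated to {', '.join(services)}")
    if want_nat and attached != nat["id"].lower():
        hint = ("; UVM internet reachability then needs a UDR on this subnet"
                if role == "flow-gateway-external" else "")
        out.append(f"{name}: NAT gateway {nat['name']} is not attached{hint}")
    return out


def preflight(nat, subnets_by_role):
    """Return every finding for the NAT gateway and the subnets, in input order."""
    findings = nat_gateway_findings(nat)
    for role, subnet in subnets_by_role.items():
        findings += subnet_findings(role, subnet, nat)
    return findings


# Constructed sample data below, in the shape of the az CLI output.
NAT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-nc2"
          "/providers/Microsoft.Network/natGateways/nc2-nat")


def sample_subnet(name, delegated, nat_id):
    return {"name": name,
            "delegations": [{"serviceName": DELEGATION}] if delegated else [],
            "natGateway": {"id": nat_id} if nat_id else None}


GOOD_NAT = {"name": "nc2-nat", "id": NAT_ID, "tags": {"fastpathenabled": "true"}}
BAD_NAT = {"name": "nc2-nat", "id": NAT_ID, "tags": None}  # tag never set

GOOD_SUBNETS = {
    "cluster-management": sample_subnet("host-subnet", True, NAT_ID),
    "prism-central": sample_subnet("pc-subnet", True, NAT_ID),
    "flow-gateway-external": sample_subnet("fgw-external", False, NAT_ID),
    "prism-central-native": sample_subnet("pc-native", False, None),
}
BAD_SUBNETS = {
    **GOOD_SUBNETS,
    "prism-central": sample_subnet("pc-subnet", False, NAT_ID),        # delegation missing
    "flow-gateway-external": sample_subnet("fgw-external", False, None),  # no NAT gateway
}

if __name__ == "__main__":
    for finding in preflight(BAD_NAT, BAD_SUBNETS):
        print("FAIL", finding)
```
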
Note: The following steps are only needed if you want to use your existing Azure resources to deploy NC2. These
steps are not needed if you choose to create Azure resources while creating a cluster from the NC2 console.
1. Sign in to the Azure portal with your Azure account and then go to Subscriptions.
3. Click +Add.
4. On the New page, in the Search box, enter Virtual Network. Select Virtual Network in the search results.
6. In Create virtual network, enter, or select the following information in the Basics tab:
8. In the IPv4 address space, select the IPv4 address space, and then click +Add subnet.
9. On the Add subnet page, add a name for the subnet (such as host-subnet) and enter the subnet address range.
Click Add.
10. Click Next: Security and Next: Tags at the bottom of the page.
12. When the deployment is complete, click Go to resource. You are redirected to the VNet that is created.
13. Click Subnets. On the Subnets page, click the name of the host-subnet.
Note: The following steps are only needed if you want to use your existing Azure resources to deploy NC2. These
steps are not needed if you choose to create Azure resources while creating a cluster from the NC2 console.
Note: Ensure that you add the fastpathenabled tag with the true value while creating the NAT gateway, and not
after the NAT gateway is created.
Ensure that you attach the Azure NAT gateway to the cluster management subnet, the Prism Central subnet,
and the external non-delegated Flow Gateway subnet.
In a configuration where the Flow Gateway external subnet does not have Azure NAT Gateway attached,
UVM internet reachability does not work. You must use a customized user-defined route (UDR) on the
Flow Gateway external subnet to provide internet reachability for UVMs.
1. Sign in to the Azure portal with your Azure account and then go to Subscriptions.
3. Click +Add.
4. On the New page, in the search box, enter NAT gateway. Select NAT gateway in the search results.
5. On the NAT gateway page, click Create. The Create network address translation (NAT) gateway
page appears.
8. On the Outbound IP page, add public IP addresses and public IP prefixes. You can click the Create a new
public IP address link to add a new IP address. The IP prefix is optional.
10. Select the host VNet that you have created and then the host-subnet as a subnet.
12. Add the tag fastpathenabled and set its value as true.
16. Click the host VNet and then the host-subnet that you created.
17. Select the NAT gateway in the NAT gateway list and click Save.
Note: Ensure that your Azure subscription is allowlisted. For more information, see Allowlisting Your Azure
Subscription. Also, ensure that you have a free trial or a subscription for NC2 on Azure.
1. Create an organization in the NC2 console as described in Creating an Organization in the NC2 Console.
2. Add your Azure account to the NC2 console as described in Adding your Azure Account to the NC2 Console.
3. Create a Nutanix cluster in Azure using the NC2 console as described in Creating a Cluster.
Creating an Organization
An organization in the NC2 console allows you to segregate your clusters based on your specific requirements.
For example, create an organization Finance and then create a cluster in the Finance organization to run only your
finance-related applications. In the NC2 console, you can use the default organization or create a new organization
and then create a cluster within that organization.
Perform the following procedure to create an organization:
Procedure
3. In the Create a new organization dialog, type or select the following details:
• Customer. Select the customer account in which you want to create the organization.
• Organization name. Enter a name for the organization.
• Organization URL. The URL name is automatically generated, but you can modify the name if you want.
Updating an Organization
Administrators can update the basic information for your organization from the NC2 console.
Procedure
2. In the Organization page, select the ellipsis button of a corresponding organization and click Update.
a. Navigate to the Basic Info tab of the Organization entity's update page.
b. You can edit any of the fields listed below if required:
Note: You can add one Azure account to multiple organizations within the same customer entity. However, you cannot
add the same Azure account to two or more different customer (tenant) entities.
If you have already added an Azure account to an organization and want to add the same Azure account to another
organization, follow the same process, but you do not need to create the Azure subscription.
Perform the following procedure to add an Azure account to NC2:
Procedure
5. In the Name field, type a name for your Azure cloud account.
• Enter your Azure cloud account directory ID in the Directory ID field. You can find the directory ID in the
Azure portal by clicking Azure Active Directory.
• Skip the Enable the usage of hardware for your Azure Subscription step.
• Enter your Azure cloud account subscription ID in the Subscription ID field. You can find the subscription
ID in the Azure portal by clicking Subscriptions.
• To access your Azure account and resources, you must provide authentication by creating an app registration
in the Azure portal. You can find the credentials in the Azure portal by clicking App registrations.
1. Application ID: Type the ID of your Azure cloud account.
Note: Enter the application ID that you generated while creating and registering an application in the
Azure portal. See Creating and Registering NC2 as an Application with Azure.
Note: Enter the Secret value (not the secret ID) you copied earlier while creating and registering an
App. See Creating and Registering NC2 as an Application with Azure.
7. Click Verify Credentials to verify the connection status. A message indicating that the cloud account setup is
verified appears after this field.
• All supported regions: if you want to create clusters in any of the supported Azure regions
• Specify regions: if you want to create clusters in specific Azure regions and select the regions of your
choice from the list of available Azure regions.
10. Click Add Account at the bottom of the Add a Cloud Account page.
You can monitor the status of the cloud account on the Cloud account page. The R status indicates that your
cloud account is ready.
To create and manage resources in your Azure account, NC2 requires several IAM resources.
Note: A cloud account that has existing NC2 accounts cannot be deactivated. You must terminate all NC2 accounts
using the cloud account resources first.
Procedure
1. Navigate to the Customer or Organization dashboard in the NC2 console where the cloud account is
registered.
Procedure
1. Navigate to the Customer or Organization dashboard in the NC2 console where the cloud account is
registered.
2. Click the ellipsis icon against the desired organization or customer and then click Cloud Accounts.
3. Find the cloud account you want to reconnect. Click the ellipsis icon against the cloud account and click
Reconnect.
4. If the underlying issue(s) were addressed and the NC2 console can communicate with the cloud account
infrastructure, the account status will change to R.
Note: Administrators must ensure they have sufficient resource limits in the regions they decide to add before adding
those regions through the NC2 console.
Procedure
1. Navigate to the Customer or Organization dashboard in the NC2 console where the cloud account is
registered.
2. Click the ellipsis icon against the desired organization or customer and then click Cloud Accounts.
3. Find the cloud account where you want to add a new cloud region. Click the ellipsis icon against the cloud
account and click Add regions. A new window appears.
• All supported regions: Select this option if you would like to add all other supported regions besides those
you have already specified.
• Specify regions: Select this option if you would like to add just a few additional supported regions to your
cloud account. Click inside the regions field and select as many regions as you want from the drop-down
menu.
5. Once you have made your selection, click Save. You will receive updates in your notification center regarding
the status.
Procedure
1. Navigate to the Customer or Organization dashboard in the NC2 console, where the cloud account is
registered.
2. Click the ellipsis icon against the desired organization or customer and then click Cloud Accounts.
3. Find the cloud account for which you want to update the configurations. Click the ellipsis icon against the cloud
account and click Update.
• If your client secret has expired, you can re-enter your cloud credentials here and click Verify credentials.
Your Application ID and Directory ID can be found in the Overview section of your NC2 app registration in
the Azure Portal.
• NC2 uses the client secret to manage your BYO Azure account. Microsoft implemented a maximum expiration
date of 2 years from the client secret creation date. When your key expires, you must re-enter your cloud
account credentials from the cloud account management view of your NC2 console. If you fail to update
your client secret before it expires, NC2 will no longer be able to manage your Azure account, and you will
experience an outage.
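The expiry described above can be monitored ahead of time. The following is an added example, not part of the Nutanix guide or tooling: it classifies the client secrets of an app registration by days remaining, assuming JSON in the shape printed by `az ad app credential list --id <application-id>` (the fields `keyId`, `displayName` and `endDateTime`). The sample records, the function names and the 90-day warning window are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `az ad app credential list` output.
# Names, key IDs and dates are placeholders, not values from a real tenant.
SAMPLE_CREDENTIALS = json.loads("""
[
  {"displayName": "nc2-console-2023", "keyId": "00000000-0000-0000-0000-000000000001",
   "startDateTime": "2023-03-01T09:00:00Z", "endDateTime": "2025-03-01T09:00:00Z"},
  {"displayName": "nc2-short-lived", "keyId": "00000000-0000-0000-0000-000000000002",
   "startDateTime": "2024-02-01T09:00:00Z", "endDateTime": "2024-08-01T09:00:00Z"},
  {"displayName": "nc2-console-2022", "keyId": "00000000-0000-0000-0000-000000000003",
   "startDateTime": "2022-01-10T09:00:00Z", "endDateTime": "2024-01-10T09:00:00Z"}
]
""")


def parse_ts(value):
    """Parse a timestamp with a 'Z' suffix and optional fractional seconds as UTC."""
    text = re.sub(r"\.\d+", "", value.strip())
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    ts = datetime.fromisoformat(text)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def secret_report(credentials, now, warn_days=90):
    """Return one row per client secret, soonest expiry first."""
    rows = []
    for cred in credentials:
        end = parse_ts(cred["endDateTime"])
        days_left = (end - now).days  # negative once the secret has expired
        if end <= now:
            status = "EXPIRED"
        elif days_left < warn_days:
            status = "ROTATE_NOW"
        else:
            status = "OK"
        rows.append({
            "name": cred.get("displayName") or "(unnamed)",
            "key_id": cred["keyId"],
            "expires": end.date().isoformat(),
            "days_left": days_left,
            "status": status,
        })
    return sorted(rows, key=lambda row: row["expires"])


def needs_attention(credentials, key_id, now, warn_days=90):
    """True when the secret entered in the NC2 console is missing, expired or near expiry."""
    for row in secret_report(credentials, now, warn_days):
        if row["key_id"] == key_id:
            return row["status"] != "OK"
    return True  # the secret no longer exists on the app registration


if __name__ == "__main__":
    for row in secret_report(SAMPLE_CREDENTIALS, datetime.now(timezone.utc)):
        print(f'{row["status"]:<10} {row["expires"]} {row["days_left"]:>5}d  {row["name"]}')
```

Track the `keyId` of the secret that was actually entered in the NC2 console: other valid secrets on the same app registration do not keep NC2 connected.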
Creating a Cluster
You can create a cluster in Azure using NC2. Your Nutanix cluster is deployed in an Azure virtual network (VNet)
which is an isolated environment in the cloud provider’s region run and maintained by Nutanix.
Note: Ensure that you have created the VPN/ExpressRoute (Hub) VNet before you create a cluster. For more
information, see Setting up VPN or ExpressRoute.
Note: The default configuration for CVMs on NC2 with AOS 6.7 or earlier is 32 GiB of RAM. On NC2 with AOS
6.7.1.5, the CVM memory size is set to 48 GiB.
Note: On the My Nutanix dashboard, ensure that you select the correct workspace from the dropdown list that
shows the workspaces you are part of and that you have used while subscribing to NC2.
3. Select one of the following cluster options based on how you want to use the new cluster:
• General Purpose: A cluster that utilizes general purpose Nutanix licenses. For more information on NCI
licensing, see Nutanix Licenses for NC2.
• Virtual Desktop Infrastructure (VDI): A cluster that utilizes Nutanix licenses for virtual desktops. For
more information on NCI and EUC licensing, see Nutanix Licenses for NC2.
• Organization. Select the organization in which you want to create the cluster.
• Cluster Name. Type a name for the cluster.
• Cloud Provider. Select Azure.
• Cloud Account. Select your Azure cloud account.
• Region. Select the Azure region in which you want to create the cluster.
• Availability zone. Based on the selected Azure region, the Azure availability zone is pre-populated. You
cannot change the availability zone.
If you have selected the Virtual Desktop Infrastructure cluster option in the previous step, you get an
additional option to choose the Consumption Method. Under User-based, add or remove the maximum
number of concurrent users.
In Advanced Settings, with Scheduled Cluster Termination, NC2 can delete the cluster at a scheduled
time if you are creating a cluster for a limited time or for testing purposes. Select one of the following:
• Terminate on. Select the date and time when you want the cluster to be deleted.
• Time zone. Select a time zone from the available options.
Note: The cluster will be destroyed, and data will be deleted automatically at the specified time. This is an
irreversible action and data cannot be retrieved once the cluster is terminated.
Click Next.
• NCI (Nutanix Cloud Infrastructure): Select this license type and appropriate add-ons to use NCI
licensing.
Note: You must manually apply the NCI licenses in Prism Central.
• AOS: Select this license type and appropriate add-ons to reserve and use AOS (legacy) licenses. For
more information on how to reserve AOS (legacy) licenses, see Reserving License Capacity.
• EUC (End User Computing): Select this option if you want to use EUC licenses for a specified
number of users.
Note: For more information on how to reserve VDI licenses, see Reserving License Capacity.
• AOS Version. Select the AOS version that you want to use for the cluster.
Note: The cluster must be running the minimum versions of AOS 6.0.1.7 for NCI and EUC licenses, and
AOS 6.1.1 for NUS license.
• Software Tier. In the AOS Software Tier drop-down list, select the license type that you want to
apply to your NCI or AOS cluster:
Note: If you have selected VDI and User-based licensing, then the Ultimate software edition is
automatically selected, as only the VDI Ultimate license tier is supported on NC2.
This option is used for metering and billing purposes. Usage is metered every hour and charged based on
your subscription plan. Any AOS (legacy) and VDI reserved licenses will be picked up and applied to your
NC2 cluster to cover its usage before billing overages to your subscription plan.
c. Under Add-on Products: If the AOS or VDI license option is selected: You can optionally select the
following add-on products:
• Advanced Replication
• Data-at-Rest Encryption
Note: The Advanced Replication and Data-at-Rest Encryption add-ons are selected by default for AOS and
VDI Ultimate; you need to select these add-ons for AOS Pro manually.
6. In the Capacity tab of the Create Cluster dialog, provide the following information in the indicated fields:
• Redundancy Factor. Select one of the following redundancy factors (RF) for your cluster.
• Number of copies of data replicated across the cluster is 1. Number of nodes for RF1 must be 1.
Note: RF1 can only be used for single-node clusters. Single-node clusters are not recommended in
production environments. You can configure the cluster with RF1 only for clusters created for Dev, Test,
or PoC purposes. You cannot increase the capacity of a single-node cluster.
• Number of copies of data replicated across the cluster is 2. Minimum number of nodes for RF2 must be 3.
• Number of copies of data replicated across the cluster is 3. Minimum number of nodes for RF3 must be 5.
• Host type. Enter the type of bare-metal instance that you want your cluster to run on.
• Number of Hosts. Select the number of nodes that you want in your cluster.
Note: A maximum of 28 nodes are supported in a cluster. AOS 6.6 or higher version and Prism Central
pc.2022.9 or higher version provides the ability to create a cluster with 28 nodes. However, with AOS
Click Next.
• Use an existing VNET: to choose an existing Virtual Private Network (VNet) in which you want to create
the cluster.
• Create New VNET: to create a new VNet in the NC2 console.
• Resource Group: Enter a name of the existing resource group or click Create New Resource Group
and then provide a name for the resource group.
• Virtual Private Network (VNet): Select a VNet in which you want to create the cluster.
• Management Subnet: A dedicated private subnet for communication between Nutanix CVMs or
Management Services, such as hypervisor.
If you choose to create a new VNet for this cluster and do not want to use any of your existing VNet, provide the
following information:
Note: If you choose to create a new VNet in the NC2 console, Nutanix creates a resource group and delegates a
management subnet for your cluster.
Note: The VNet must have a CIDR notation between /16 and /22, including both.
NC2 requires a unique CIDR for each subnet in the Azure resource group. Cluster creation fails
when subnets use the same CIDR.
Ensure that you do not use 192.168.5.0/24 CIDR for the VNet being used to deploy the NC2 on
Azure cluster.
Note: If you do not use your internal DNS servers, Nutanix recommends using two DNS servers, preferably
from different providers. For example, 8.8.4.4 and 1.0.0.1. For more information, see Configuring DNS
Settings.
Note: The NC2 console does not allow using IPs 192.168.0.0/16, 10.100.0.0/16, 10.200.0.0/24, or
10.200.0.0/22 for Prism Central VNet. These IPs are reserved for internal cluster usage. You must not use
these IPs to avoid IP address conflicts.
The Cluster VNet and Prism Central VNet are peered automatically.
• Resource Group: The Azure resource group you provide on the Network tab is displayed.
• VNET CIDR: The range of private IP addresses for the new Prism Central VNet.
• Resource Group: The resource group that you provided on the Network tab is displayed.
• Virtual Private Network (VNET): The VNet you want to use for Prism Central.
• Management Subnet: Select the delegated, empty subnet as a management subnet.
Note: Reconfiguration of Prism Central VM IP addresses is not supported post cluster deployment.
If you have selected the Connect to existing PC option, provide the following details under Prism Central
Registration:
• Selected Region: The Azure region that is being used for cluster deployment is displayed.
• Select Prism Central Instance: Select the Prism Central instance to which you want to connect this
cluster.
Note: Only those Prism Central instances that are in the same Azure subscription and region are displayed.
The Cluster VNet and Prism Central VNet are peered automatically. Cluster VNets of clusters
registered with the same Prism Central need to be peered manually. Contact Nutanix Support for
assistance.
• Username: Enter the username used to access the selected Prism Central.
• Password: Enter the password used to access the selected Prism Central.
Details of the Prism Central instance and the associated Flow Gateway are displayed.
Under Advanced Settings > Advanced Prism Central Networking Settings, add a specific NTP server
that you want to use in the NTP Server box or remove any of the default NTP server. You can click Restore
default to restore the default NTP servers that were removed.
Note: The default NTP servers, including 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, are added by default. You
can add another NTP server if required. A minimum of three to five NTP servers are recommended for a good
configuration. These NTP servers must be reachable from the Management and Prism Central subnet.
Click Next.
9. In the Flow Gateway tab, configure Flow Networking and deploy one or more Flow Gateway VMs for
connectivity between the Nutanix cluster and Azure native network.
Note: If you use Prism Central 2023.3, AOS 6.7, and Network Controller 3.0.1 or later, then NC2 uses the Flow
Gateway scaled-out deployment model by default. However, the Flow Gateway scaled-out deployment works as
desired only for ExpressRoute. You must use Prism Central 2023.3 or later only if you use ExpressRoute. If you
For more information about the scaled-out Flow Gateway deployment and required networking configurations,
see User VM Network Management and Security.
Follow these steps and click Next:
• Under Desired Network Bandwidth: The traffic routed through Flow Gateway VMs is limited by the
bandwidth of the native Azure VMs. In addition to the Flow Gateway VMs, two additional native VMs are
deployed to host the Border Gateway Protocol (BGP) service.
The total network bandwidth is determined by the total number and type of Flow Gateway VMs. The
bandwidth of the native BGP VMs is not used for traffic.
• Desired Network Bandwidth: Use the slider to choose the desired network bandwidth for the Flow
Gateway VMs. Based on the network bandwidth you select, the number and size of Flow Gateway VMs
get updated.
Note: There would be a minimum of 2 Flow Gateway VMs with 10 Gbps bandwidth each and a
maximum of 4 Flow Gateway VMs with 16 Gbps bandwidth each. The minimum bandwidth would be 20
Gbps, and the maximum bandwidth would be 64 Gbps.
You can hover over the FGW VMs to view the Flow Gateway VM specification and hover over BGP
VMs to view the BGP VM specifications.
• Subnets:
If you have selected the Create New VNet option on the Network tab of the Create Cluster
dialog: A list of subnets from the Prism Central VNet and their corresponding CIDR is displayed. Two
Note: The minimum CIDR for the two Flow Gateway subnets is /24, and for BGP Subnet is /28.
Note: You can create a subnet for BGP in either Prism Central VNet or Cluster VNet. If the BGP subnet
is in Prism Central VNet, you must manually perform peering between the Prism Central VNet and
the VNet where the Azure Route Server is deployed. If the BGP subnet is in Cluster VNet, you must
• Use an existing Key Pair: Select an existing key pair from the Select SSH Key list.
• Create a New Key Pair: In Key Resource Group, select an existing SSH key resource group or
click Create New Resource Group and enter the SSH key name.
Note: You must not delete an API key that is registered with a cluster to avoid disrupting the cluster
operations where you have registered this API key.
• Under Azure Route Server: The Azure Route Server enables NC2 to exchange route information with
Azure native virtual networks dynamically. Perform the following:
• Route Server is in a different Azure Subscription: Select this checkbox and then specify the
Azure Subscription ID with which the Azure Route Server you want to use is associated.
Note: The Route Server must be in the same region as the NC2 cluster. Only Resource Groups that are
part of this Azure subscription are shown in the Resource Group field.
• Resource Group: Select the Azure resource group where these VMs would be deployed. If you do not
see the resource group, click Refresh to refresh the list.
• If you have selected the Create New VNet option on the Network tab of the Create Cluster dialog,
NC2 deploys a new Route Server in the selected VNet.
Hub Virtual Network (Hub vNet) CIDR: Specify the CIDR of the Hub VNet.
Route Server Subnet CIDR: Specify the subnet CIDR in which the Route Server must be deployed.
NC2 automatically assigns an IP address.
• If you have selected the Use an existing VNet option on the Network tab of the Create Cluster
dialog, ensure that you have configured an Azure Route Server. If an existing Azure Route Server is
found, the Route Server Subnet CIDR and Route Server IP address are displayed.
• (Optional) Under Advanced Settings, you can change the BGP ASN value under BGP Custom ASN.
All selections are captured and displayed on the Summary tab before creating the cluster.
Note: Depending on your choice to deploy a single Flow Gateway or scaled-out Flow Gateway while creating
a cluster, Flow Gateway VMs and BGP VMs are deployed. For deploying these VMs, the NC2 console needs a
dedicated resource group, a storage account, and a storage container within that resource group to store the disk
images. During this process, the NC2 console performs the following:
• Check if any existing storage account is available in your subscription and if any existing disk
images are available.
• Create a new Resource Group and associate a storage account with this resource group if disk
images are not available.
• Copy the disk images. Copying the disk images to the storage container might take several
minutes.
• Create a managed disk from the disk images.
• Deploy the required VMs for Flow Gateway and BGP service.
NC2 does not remove the images or delete the storage account after the VMs are deployed, keeping
the High Availability of the Flow Gateway on priority. In case the Flow Gateway VM goes down for
On the successful deployment of the cluster, you can view the details specific to VNet configurations, Prism
Central, and Flow Gateway from the Network tab on the cluster details page. For example, the following figure
shows the Flow Gateway details for a given cluster.
Note: The internal and external subnets must be in the Prism Central VNet or the AHV VNet so that these
subnets are reachable from the Prism Central and AHV nodes. You must peer these two VNets.
Any network interface attached to a Flow Gateway VM must have the IP forwarding option enabled
for it in the Azure portal and in the operating system of the Flow Gateway VM. For more information,
see Turn on IP forwarding.
10. Review your cluster configuration on the Summary page and click Create Cluster. If required, you can edit
the settings.
12. After the cluster is created, click the name of the cluster to view the cluster details.
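The address rules stated in the notes of the procedure above (VNet size between /16 and /22, no 192.168.5.0/24 for the cluster VNet, unique subnet CIDRs in the resource group, reserved ranges for the Prism Central VNet) can be checked before opening the Create Cluster dialog. The following is an added example, not Nutanix code; the function names and sample plans are constructed, and it assumes that "do not use" means any overlap with the listed range.

```python
import ipaddress
from collections import defaultdict

# Limits quoted from the notes in the cluster-creation procedure.
VNET_PREFIXLEN_RANGE = (16, 22)
CLUSTER_VNET_FORBIDDEN = ("192.168.5.0/24",)
PC_VNET_RESERVED = ("192.168.0.0/16", "10.100.0.0/16", "10.200.0.0/24", "10.200.0.0/22")


def parse_cidr(label, cidr, findings):
    """Return the network, or record BAD_CIDR (for example host bits set) and return None."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        findings.append(("BAD_CIDR", f"{label}: {exc}"))
        return None


def check_network_tab(cluster_vnet, pc_vnet, subnets):
    """Validate planned addressing; `subnets` maps every subnet name in the
    resource group to its CIDR. Returns (code, detail) tuples, empty when clean."""
    findings = []
    cluster = parse_cidr("cluster VNet", cluster_vnet, findings)
    pc = parse_cidr("Prism Central VNet", pc_vnet, findings)

    if cluster is not None:
        low, high = VNET_PREFIXLEN_RANGE
        if not low <= cluster.prefixlen <= high:
            findings.append(("VNET_SIZE", f"{cluster} is outside /{low} to /{high}"))
        for bad in CLUSTER_VNET_FORBIDDEN:
            # Assumption: any overlap counts, not only an exact match.
            if cluster.overlaps(ipaddress.ip_network(bad)):
                findings.append(("VNET_FORBIDDEN", f"{cluster} overlaps {bad}"))

    if pc is not None:
        for reserved in PC_VNET_RESERVED:
            if pc.overlaps(ipaddress.ip_network(reserved)):
                findings.append(("PC_RESERVED", f"{pc} overlaps reserved {reserved}"))

    # Cluster creation fails when two subnets in the resource group share a CIDR.
    seen = defaultdict(list)
    for name, cidr in subnets.items():
        net = parse_cidr(f"subnet {name}", cidr, findings)
        if net is not None:
            seen[net].append(name)
    for net, names in seen.items():
        if len(names) > 1:
            findings.append(("DUP_SUBNET", f"{net} used by {', '.join(sorted(names))}"))
    return findings


# Constructed sample plans.
GOOD_PLAN = ("10.10.0.0/22", "10.20.0.0/24",
             {"mgmt": "10.10.0.0/24", "pc-mgmt": "10.20.0.0/26"})
BAD_PLAN = ("192.168.4.0/23", "10.100.4.0/24",
            {"mgmt": "192.168.4.0/24", "fgw-external": "192.168.4.0/24",
             "bgp": "192.168.5.1/28"})

if __name__ == "__main__":
    for code, detail in check_network_tab(*BAD_PLAN):
        print(f"{code:<15} {detail}")
```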
Note: If you are running Prism Central 2023.3, AOS 6.7, and Network Controller 3.0.1 or later, then NC2 uses the
Flow Gateway scaled-out deployment model by default. However, the Flow Gateway scaled-out deployment works as
desired only for ExpressRoute. You must use Prism Central 2023.3 or later only if you use ExpressRoute. If you use a
VPN, then you must use the pre-6.7 version of AOS and pre-2023.3 version of Prism Central, where NC2 uses a single
Flow Gateway deployment model.
• While deploying a cluster, the NC2 console creates VNets for Prism Central and an Azure Route Server, deploys
an Azure Route Server, and performs the required peering between VNets.
• While deploying a cluster, the NC2 console uses existing Cluster VNet, Prism Central VNet, and Azure Route
Server, and the user performs the peering between VNets. The NC2 console provides an option to deploy BGP
VMs in both Cluster VNet and Prism Central VNet.
Note: The Flow Gateway scaled-out deployment is not supported when the VNets are created by the NC2 console and
the Azure Route Server is deployed by the user. In this case, NC2 recommends deploying a new Azure Route Server
from the NC2 console and then migrating the required configurations from the existing Route Server to the new Route
Server.
Depending on your choice to deploy a single Flow Gateway or scaled-out Flow Gateway while creating a cluster,
Flow Gateway VMs and BGP VMs are deployed. For deploying these VMs, the NC2 console needs a dedicated
resource group, a storage account, and a storage container within that resource group to store the disk images. During
this process, the NC2 console performs the following:
1. Check if any existing storage account is available in your subscription and if any existing disk images are
available.
2. Create a new Resource Group and associate a storage account with this resource group if disk images are not
available.
3. Copy the disk images. Copying the disk images to the storage container might take several minutes.
4. Create a managed disk from the disk images.
5. Deploy the required VMs for Flow Gateway and BGP service.
Note:
NC2 does not remove the images or delete the storage account after the VMs are deployed, keeping the
High Availability of the Flow Gateway on priority. In case the Flow Gateway VM goes down for any
reason, a new VM is quickly deployed using the same images and storage account, which reduces or
A standalone Azure Route Server without vWAN is used when you need to use ExpressRoute. The Route Server
cannot be created in the same VNet where an active-passive VPN Gateway is present. NC2 on Azure does not support
the Active-Active VPN Gateway topology as delegated VNets are used.
Each Flow Gateway instance has two NICs – one NIC on the internal subnet for exchanging traffic with the AHV
and another NIC on the external subnet for exchanging traffic with the Azure network. Each Flow Gateway instance
is registered with Prism Central and is added to the traffic path. A p2p external subnet is created for each Flow
Gateway, and the transit VPC is attached to it with the Flow Gateway instance hosting the corresponding
logical-router gateway port.
The transit VPC has an Equal Cost Multipath (ECMP) default route for northbound traffic, with all the p2p external
subnets as possible next hops. In this case, the transit VPC distributes traffic across multiple external subnets hosted
on different Flow Gateways.
When using more than one Flow Gateway for southbound traffic, BGP VMs are deployed as Azure native VM
instances in the Prism Central VNet. Azure Route Server can be deployed and configured in the Hub VNet. The BGP
VM advertises the ERPs to the Azure Route Server, with each active Flow Gateway external IP as the next hop. Thus,
the Azure network distributes southbound packets across all the Flow Gateway instances.
Prism Central determines which Flow Gateway instance must host a given NAT IP and configures those NAT IPs
as secondary IPs on each Flow Gateway; thus, packets sourced from those IPs can only be forwarded through the
corresponding Flow Gateway. The No NAT traffic gets distributed across all Flow Gateways.
By default, the transit VPC consists of an overlay external subnet with NAT enabled, and the Azure physical network
prefix to which the Flow Gateway is connected. If you must have a No NAT connectivity to the Azure underlay
network, you must create a No NAT overlay external subnet in the transit VPC.
While creating a user VPC, you can add a maximum of two external subnets - one external subnet with NAT and one
external subnet without NAT to the VPC. Both external subnets cannot be of the same type. NAT gateways perform
the IP-address translations required for external routing. You can also have external connectivity without
NAT.
A user VPC is connected to the common transit VPC to get the connectivity to the underlay Azure subnet. User VPC
uses the overlay subnet in the transit VPC as an external subnet. The Azure subnet (with the Flow gateway) provides
external access for the workloads running in user VPCs. A set of IP addresses from this subnet is reserved to use for
SNAT IP and floating IP allocation.
Note: In a configuration where the Flow Gateway external subnet does not have Azure NAT Gateway attached,
UVM internet reachability does not work. You must use a customized user-defined route (UDR) on the Flow Gateway
external subnet to provide internet reachability for UVMs.
• NAT overlay external subnet: A NATed external network can be preferred when you want to use floating IPs
for inbound connectivity.
The traffic that exits through the NAT external subnet (the overlay-external-subnet-with-nat in the transit
VPC) has the source IP translated to the SNAT IP. Outbound connectivity uses the source NAT and inbound
connectivity uses the floating IP. Both SNAT and floating IPs are the Azure-native IPs hosted on the Flow
gateway.
In a scaled-out Flow gateway deployment, a given NAT IP is bound to a specific Flow Gateway’s NIC. The NAT
IPs are distributed across the Flow Gateways to distribute the load.
For more information, see Configuring Connectivity for User VMs with NAT.
• No NAT overlay external subnet: A routed external network (No NAT) can be preferred when your Azure
service needs multiple connections to your workloads that run on NC2 or when on-prem workloads need direct
Note: While creating a user VPC, you can add a maximum of two external subnets - one external subnet with NAT and
one external subnet without NAT to the VPC. Both external subnets cannot be of the same type.
The workflow to create a complete network with NAT based on a VPC includes the following steps:
1. Create a user VPC.
Deploy a user VPC on Nutanix cluster infrastructure to manage the internal and external networking requirements.
See Creating a User VPC.
2. Add an Overlay subnet to the user VPC.
Create an overlay subnet in the user VPC where the VMs would be hosted. For example, 20.1.1.0/24.
Note: It must not overlap with Azure VNet prefixes and the overlay external subnet in the transit VPC.
Resource                                                  IP Address/CIDR
Overlay external subnet without NAT in the transit VPC    100.64.1.0/24
ERP in the transit VPC                                    10.1.0.0/16
ERP in the user VPC                                       10.1.1.0/24
Overlay subnets in the user VPC                           10.1.1.128/26, 10.1.1.64/26
The workflow to create a complete No NAT network based on a VPC includes the following steps:
1. Create an overlay (No NAT) subnet in the transit VPC with a prefix that does not overlap with the destination
prefixes, including Azure VNet prefixes and on-prem subnets. For example, 100.64.1.0/24. Follow the steps listed
in Creating an Overlay External Subnet in Transit VPC for No NAT.
2. Configure the externally routable prefix list (ERP) in the transit VPC for the entire range of user VM IPs across
all user VPCs that need to get No-NAT access. For example, 10.1.0.0/16. It must not overlap with the destination
prefixes, including Azure VNet prefixes and on-prem subnets. For more information, see Configuring ERP in
Transit VPC.
3. Based on whether the deployment uses a scaled-out or a single Flow Gateway, perform the following:
• For a single Flow Gateway (non-scaled-out Flow Gateway deployment): Configure route table entries in
Azure. See Configuring a Route Table for No NAT Connectivity.
• For a scaled-out Flow Gateway deployment: While deploying a cluster, the NC2 console uses any existing
Azure Route Server or deploys a new Route Server in the specified Hub VNet if no existing Azure Route
Server is available. NC2 performs the required peering between the Route Server and BGP VMs.
If you choose to use existing Azure resources, such as VNets, you can create a subnet for BGP in either Prism
Central VNet or Cluster VNet. If the BGP subnet is in Prism Central VNet, you must manually perform
peering between the Prism Central VNet and the VNet where the Azure Route Server is deployed. If the BGP
subnet is in Cluster VNet, you must manually perform peering between the Cluster VNet and the VNet where
the Azure Route Server is deployed.
See No NAT Connectivity in Scaled-out Flow Gateway Deployment.
4. Deploy a user VPC on Nutanix cluster infrastructure to manage the internal and external networking requirements.
Connect the user VPC to the No-NAT external overlay subnet in the transit VPC.
See Creating a User VPC.
5. Configure ERP in the user VPC with a prefix that is taken from the transit VPC ERP. For example, 10.1.1.0/24.
This ERP must be a sub-prefix of the ERP in the transit VPC. For more information, see Configuring ERP in
User VPC.
6. Create an overlay subnet in the user VPC with the same prefix or sub-prefix of the ERP on the user VPC. See
Creating an Overlay Subnet in the User VPC.
Note: Ensure that the externally routable IP addresses (subnets with external connectivity without NAT) for
different VPCs do not overlap.
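The prefix relationships required by the No NAT workflow above can be checked as one addressing plan before anything is configured in Prism Central. The following is an added example, not Nutanix code: the plan layout and function names are constructed, the good plan uses the example prefixes from the table on this page, and the Azure VNet and on-prem destination prefixes are made up for illustration.

```python
import ipaddress
from itertools import combinations


def to_nets(cidrs):
    """Parse a list of CIDR strings (raises ValueError when host bits are set)."""
    return [ipaddress.ip_network(c) for c in cidrs]


def validate_no_nat_plan(plan):
    """Return (code, detail) findings; an empty list means the plan is consistent."""
    findings = []
    dest = to_nets(plan["destination_prefixes"])
    no_nat_subnet = ipaddress.ip_network(plan["transit_no_nat_subnet"])
    transit_erp = to_nets(plan["transit_erp"])

    # Steps 1 and 2: neither the No NAT overlay external subnet nor the transit
    # ERP may overlap Azure VNet prefixes or on-prem subnets.
    for d in dest:
        if no_nat_subnet.overlaps(d):
            findings.append(("NONAT_SUBNET_OVERLAPS_DEST", f"{no_nat_subnet} vs {d}"))
        for t in transit_erp:
            if t.overlaps(d):
                findings.append(("TRANSIT_ERP_OVERLAPS_DEST", f"{t} vs {d}"))

    vpc_erps = {}
    for name, vpc in plan["user_vpcs"].items():
        erps = to_nets(vpc["erp"])
        vpc_erps[name] = erps
        for e in erps:
            # Step 5: a user VPC ERP is a sub-prefix of the transit ERP, never equal to it.
            if e in transit_erp:
                findings.append(("USER_ERP_EQUALS_TRANSIT", f"{name}: {e}"))
            elif not any(e.subnet_of(t) for t in transit_erp):
                findings.append(("USER_ERP_NOT_IN_TRANSIT", f"{name}: {e}"))
        # Step 6: each overlay subnet uses the user VPC ERP prefix or a sub-prefix of it.
        for o in to_nets(vpc["overlay_subnets"]):
            if not any(o.subnet_of(e) for e in erps):
                findings.append(("OVERLAY_OUTSIDE_USER_ERP", f"{name}: {o}"))

    # Closing note: ERPs of different user VPCs must not overlap.
    for (a, erps_a), (b, erps_b) in combinations(vpc_erps.items(), 2):
        for x in erps_a:
            for y in erps_b:
                if x.overlaps(y):
                    findings.append(("USER_ERPS_OVERLAP", f"{a}: {x} vs {b}: {y}"))
    return findings


GOOD_PLAN = {
    "destination_prefixes": ["10.0.0.0/16", "172.16.0.0/22", "192.168.10.0/24"],  # constructed
    "transit_no_nat_subnet": "100.64.1.0/24",   # from the table on this page
    "transit_erp": ["10.1.0.0/16"],             # from the table on this page
    "user_vpcs": {
        "vpc-a": {"erp": ["10.1.1.0/24"],
                  "overlay_subnets": ["10.1.1.128/26", "10.1.1.64/26"]},
    },
}

# Constructed plan that breaks each rule at least once.
BAD_PLAN = {
    "destination_prefixes": ["10.0.0.0/16", "172.16.0.0/22", "192.168.10.0/24", "10.1.200.0/24"],
    "transit_no_nat_subnet": "100.64.1.0/24",
    "transit_erp": ["10.1.0.0/16"],
    "user_vpcs": {
        "vpc-a": {"erp": ["10.1.1.0/24"], "overlay_subnets": ["10.1.1.128/26", "10.1.1.64/26"]},
        "vpc-b": {"erp": ["10.1.1.0/25"], "overlay_subnets": ["10.1.2.0/26"]},
        "vpc-c": {"erp": ["10.1.0.0/16"], "overlay_subnets": ["10.1.3.0/24"]},
        "vpc-d": {"erp": ["10.9.0.0/24"], "overlay_subnets": ["10.9.0.0/25"]},
    },
}

if __name__ == "__main__":
    for code, detail in validate_no_nat_plan(BAD_PLAN):
        print(f"{code:<28} {detail}")
```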
Procedure
2. Click the entities menu in the main menu, expand Network & Security, and then select Virtual Private
Clouds. The Virtual Private Clouds List page appears.
3. Select the transit VPC for configuring external connectivity without NAT.
Note: The transit VPC ERP must not be the same as user VPC ERPs; it must be a superset of all ERPs.
Procedure
2. Click the entities menu in the main menu, expand Network & Security, and then select Virtual Private
Clouds. The Virtual Private Clouds List page appears.
4. In the Externally Routable IP Addresses field, specify the prefixes of the user VPC subnets that need to be
accessed through the No NAT option.
5. Click Update.
Procedure
a. Go to the Azure portal home page and then search for and select Route tables.
b. In the route table list, choose the route table you created in step 1 to add a route to.
c. From the route table menu bar, choose Routes and then click Add.
d. Enter the following details:
• Name: Enter a unique name for the route within the route table.
• Address prefix destination: Select IP Addresses.
• Destination IP addresses/CIDR ranges: Enter the Address prefix CIDR that you want to route traffic
to. Here, the ERP prefix of the transit VPC subnet must be the destination IP address.
Note: You must not duplicate the prefix in more than one route within the route table. The prefix can be
within another prefix. For example, if you used 10.0.0.0/16 as a prefix in one route, you can still use another
route with the 10.0.0.0/22 address prefix.
• Next hop type: Choose Virtual Appliance as the next hop type.
• Next hop address: Enter an IP address for Next hop address. Here, the Flow gateway external IP
must be the next hop address.
e. Click OK.
a. Go to the Azure portal home page, and then search for and select Virtual networks.
b. In the virtual network list, choose the virtual network that contains the subnet you want to associate a route
table to.
c. In the virtual network menu bar, choose Subnets.
d. Select the subnet you want to associate the route table to.
e. In Route table, choose the route table you want to associate to the subnet.
f. Click Save.
Procedure
2. Click the entities menu in the main menu, expand Network & Security, and then select Virtual Private
Clouds. The Virtual Private Clouds List page appears.
Note: You can add a maximum of two external subnets - one external subnet with NAT and one external
subnet without NAT to a VPC. Both external subnets cannot be of the same type. For example, you cannot add
two external subnets, both with NAT. You can update an existing VPC similarly.
• External Subnets: Select an external subnet from the dropdown list. By associating the VPC with the
external subnet, you can provide external connectivity to the VPC.
The following subnets are displayed:
Note: Ensure that the externally routable IP addresses (subnets with external connectivity without NAT) for
different VPCs do not overlap.
• Domain Name Servers (DNS): DNS is advertised to user VMs through DHCP. This can be overridden
in the subnet configuration.
Note: User VPC cannot resolve the domain names if the DNS server is not provided. For more information
on DNS servers, see Configuring a DNS Server.
5. Click Save.
Procedure
2. Click the entities menu in the main menu, expand Network & Security, and then select Virtual Private
Clouds. The Virtual Private Clouds List page appears.
4. In the Externally Routable IP Addresses field, specify the entire range of IP addresses taken from the transit
VPC ERP.
5. Click Update.
Note: Floating IP gets allocated from the NAT pool of the external overlay subnet
(overlay-external-subnet-with-nat) in the transit VPC.
2. Click the entities menu in the main menu, expand Network & Security, and then select Floating IPs. The
Floating IPs List page appears.
3. Click Request Floating IP. The Request Floating IP(s) dialog appears.
5. Click Save.
Procedure
2. Click the entities menu in the main menu, expand Network & Security, and then select Virtual Private
Clouds. The Virtual Private Clouds List page appears.
3. Click the user VPC name under which you want to create the subnet.
Note: For No-NAT connectivity, the overlay subnet in the user VPC must use the same prefix or sub-prefix of
the ERP on the user VPC. For example, 10.1.1.0/24.
• IP Pool: Defines a range of addresses. Specify at least one IP address pool. IP addresses are used for
assigning external IPs to VPCs. These external IPs can also be consumed as SNAT and floating IPs.
1. Click the Create Pool button and enter the following on the Add IP Pool page.
2. Enter the starting IP address of the range in the Start Address field.
3. Enter the ending IP address of the range in the End Address field.
4. Under Actions, click the check mark to submit the starting and ending IP addresses you entered. You can
click the X mark to remove the entries.
• Domain Settings: Select this checkbox to display fields for defining a domain.
Selecting this checkbox displays fields to specify DNS servers and domains. Clearing this checkbox hides
those fields.
Note: User VPC cannot resolve the domain names if the DNS server is not provided. For details on DNS
servers, see Configuring DNS Settings.
• Domain Name Servers: Provide a comma-separated list of DNS IP addresses. Example: 8.8.8.8, or
9.9.9.9
• Domain Search: Enter a comma-separated list of domain names. Use only the domain name format.
Example: nutanix.com
• Domain Name: Enter the domain name. Use only the domain name format. Example: nutanix.com
• TFTP Server Name: Enter a valid TFTP host server name of the TFTP server where you host the host
boot file. The IP address of the TFTP server must be accessible to the virtual machines to download a boot
file. Example: tftp_server103
• Boot File Name: The name of the boot file that the VMs must download from the TFTP host server.
Example: boot_ahv202010
6. Click Create.
Procedure
2. Select the VM that you want to attach a subnet to. Click Actions > Update.
Procedure
2. Click the entities menu in the main menu, expand Network & Security, and then select Virtual Private
Clouds. The Virtual Private Clouds List page appears.
• Destination Prefix: Provide the IP address with the prefix of the destination subnet.
• Next Hop: Select the next hop link from the dropdown list. The next hop is the IP address to which the traffic
must be sent for the static route you are configuring.
• Add Static Route: You can create multiple static routes using this option. Click the Add Static Route link
to add another set of Destination Prefix and Next Hop to configure another static route.
5. Click Save.
Procedure
3. Go to the Flow Gateway VM, and then click Settings > Networking.
5. Click the Inbound port rules tab, and then click Add inbound port rule to configure port rules for inbound
traffic.
• Source: Select Source IP addresses to provide IP addresses from which you want to connect.
• Source IP addresses/CIDR ranges: Enter the IP addresses and CIDR of the source from where you
want to access the user VPC. For example, IP addresses/CIDR of the Nutanix on-prem Prism Central subnet.
• Source port ranges: Keep the default *.
• Destination: Keep the default value, which is Any or enter the real IP of the user VPC subnet or the
floating IP.
• Service: Select Custom to provide a specific port to use.
• Destination port ranges: Enter the destination port range based on your requirements. For example, 22
for SSH.
• Protocol: Keep the default value, which is Any.
• Action: Select Allow.
• Priority: Provide the priority. The priority affects the order in which rules are applied: the lower the
numerical value, the earlier the rule is applied.
• Name and Description: Enter a name and description for the inbound security rule.
8. Click the Outbound port rules tab, and then click Add outbound port rule to configure port rules for
outbound traffic without NAT.
• NC2 console: You can access the NC2 console from your existing My Nutanix account. You can use the NC2
console to create, update, and delete a Nutanix cluster running on Azure.
• Prism Central web console: While deploying NC2 on Azure, a new Prism Central instance is deployed, or an
existing Prism Central instance is registered based on your selections, and Flow Virtual Networking is enabled to
provide overlay networking. Prism Central is used to manage multiple Nutanix clusters.
For more information on how to sign into the Prism Central web console, see Logging Into Prism Central.
Prism Central can manage your deployed NC2 on Azure clusters alongside your on-prem clusters and other
clouds. Prism Central also manages AOS upgrades for on-prem and cloud-based Nutanix clusters. For more
information on creating a user VM and managing multiple Nutanix clusters, see Prism Central Infrastructure
Guide.
• Prism Element web console: You can use the Prism Element web console to manage routine Nutanix tasks in
a single console. Unlike Prism Central, Prism Element is used to manage a specific Nutanix cluster. For more
information on managing Nutanix tasks, see Prism Web Console Guide.
NC2 Console
The NC2 console displays information about clusters, organizations, and customers.
The following section explains all the tasks that you can perform and view from this console.
Navigation Menu
The navigation menu has three tabs: Clusters, Organizations, and Customers.
Tasks
1. The circle icon displays ongoing actions performed in the system that take a while to complete.
For example, actions like creating a cluster or changing cluster capacity.
The circle icon also displays the progress of each ongoing task, and a success message appears if the task is
complete, or an error message appears if the task fails.
2. The gear icon displays the source details of each task performed.
For example, Account, Organization, or Customer.
Notifications
1. The bell icon displays notifications if some event in the system occurs or if there is a need to act and resolve the
existing issue.
Note: You can choose to Dismiss notifications from the Notification Center. However, the dismissed
notifications no longer appear to you or any other user.
2. The gear icon displays source details and a tick mark to acknowledge notifications.
3. The dropdown arrow to the right of each notification displays more information about the notification.
Note: If you want to receive notifications about a cluster that you do not create, you must be an organization admin
and subscribe to notifications of the respective clusters in the Notification Center. The cluster creator is subscribed to
notifications by default.
User Menu
Displays the username option to edit the account details.
• General: Edit your First name, Last name, Email, and Change password from this screen. This screen
also displays various roles assigned.
• Preferences: Displays enable or disable slider options based on preference.
• Storage Providers: Displays storage providers, such as Google Drive, Dropbox, OneDrive, and Box.
• Advanced: Displays various assertion fields and values.
• Notification Center: Displays the list of Tasks, Notifications, and Subscriptions from this view.
2. Go back to return to the main menu, and Logout options are displayed.
Navigation Menu
The navigation menu has three tabs at the top (Clusters, Organizations, and Customers) and two tabs at the
bottom (Documentation and Support).
• Audit Trail: Contains the activity log of all actions performed by you on a specific cluster.
• Users: Contains all the screens for user management, such as Authentication Providers and Support
options.
• Notification Center: Shows a complete list of all the tasks and notifications.
• Settings: Contains screens to update the settings of clusters.
• Terminate: Opens the dialog where you can terminate the cluster.
Organizations
• Audit Trail: Contains the activity log of all actions performed on a specific organization.
• Users: Contains all screens for user management like User Invitations, Permissions, Authentication
Providers, and Support options.
• Sessions: Contains the basic information of the organizations and lists the active clusters and cloud
accounts.
• Notification Center: Shows a complete list of all Tasks and Notifications.
• Cloud Accounts: Displays the status of the Cloud Account if it is active (A-Green) or inactive (I-Red).
• Update: Contains options to update settings of organizations.
Customers
• Audit Trail: Contains the activity log of all actions performed on a specific cluster.
• Users: Contains all screens for user management like user invitations, permissions, authentication providers.
• Notification Center: Shows a complete list of all tasks and notifications.
• Cloud Accounts: Displays the status of the cloud account if it is active (A-Green) or inactive (I-Red).
• Update: Contains options to update settings of customers.
Documentation
Directs you to the documentation section of NC2.
Support
Directs you to the Nutanix Support portal.
Audit Trail
Administrators can monitor user activity using the Audit Trail. Audit Trail provides administrators with an audit
log to track and search through account actions. Account activity can be audited at all levels of the NC2 console
hierarchy.
You can access the Audit Trail page for an Organization or Customer entity from the menu button to the right of the
desired entity.
The following figure illustrates the Audit Trail at the organization level.
Under the Audit Trail section header, you can search the audit trail by first name, last name, and email address. You
can also click the column titles to sort the Audit Trail by ascending or descending order.
If you want to search for audit events within a certain period, click the date range in the upper right corner of the
section. Set your desired period by clicking on the starting and ending dates in the calendar view.
You can filter your results using the filter icon in the top right corner by specific account action.
You can download the details of your Audit Trail in CSV format by clicking the Download CSV link in the upper
right corner. The CSV will provide all Audit Trail details for the period specified to the left of the download link.
Notification Center
Admins can easily stay up to date regarding their NC2 resources with the Notification Center. Real-time notifications
are displayed in a Notification Center widget at the top of the NC2 console. The Notification Center displays two
different types of information: tasks and notifications. The information displayed in the Notification Center can be for
organizations or customer entities.
Note: Customer Administrators can see notifications for all organizations and accounts associated with the tenant by
navigating to the Customer or Organization dashboard from the initial NC2 console view and clicking Notification
Center.
Tasks
Tasks (bullet list icon) show the status of various changes made within the platform. For example, creating an
account, changing capacity settings, and so on trigger a task notification informing the admin that an event has
started, is in progress, or has been completed.
Notifications
Notifications (bell icon) differ from tasks; notifications notify administrators when specific events happen (for
example, resource limits, cloud provider communication issues, and so on). There are three types of notifications:
info, warning, or error.
Dismiss Tasks and Notifications
You can dismiss tasks or notifications from the Notification Center widget by selecting the task or notification icon
and clicking the dismiss (x) button inside the event.
Dismissing an event only dismisses the task or notification for your console view; other subscribed admins still see
the event.
Acknowledge Notifications
You can click the check mark icon to acknowledge and dismiss a notification for all users subscribed to that resource.
Acknowledging a notification removes it from the widget, but the notification is still available on the Notification
Center page.
Note: Acknowledging a notification will dismiss it for all administrators subscribed to the same resource.
Procedure
Note: If you want to set email notifications for an organization or customer entity, select the Organizations or
Customers tab.
• Receive email notifications: To enable automatic email notifications, turn on the Receive email
notifications toggle.
• Severity:
6. Click Save.
Note: You must update the cluster capacity using the NC2 console only. You cannot update the cluster capacity using
the Prism Element web console.
When expanding an NCI cluster beyond what the NCI license covers, you need to purchase and manually
apply additional license capacity. Contact your Nutanix account representative to purchase an additional
license capacity.
Procedure
• Host type. The host type used at the time of initial cluster creation is displayed. You cannot change the host
type.
• Number of Hosts. Click + or - depending on whether you want to add or remove nodes from the cluster.
Note: A maximum of 28 nodes are supported in a cluster. AOS 6.6 or higher version and Prism Central
pc.2022.9 or higher version provides the ability to expand an existing cluster capacity to 28 nodes. However,
with AOS versions earlier than 6.6 and Prism Central version earlier than pc.2022.9, a maximum of 13 nodes
are supported in a cluster.
5. In the Status column, you can track the progress of the update capacity operation. After the operation is
complete, the status changes to Cluster Ready.
The expansion operation is completed in approximately 25–30 minutes.
Note: If you use Prism Central 2023.3, AOS 6.7, and Network Controller 3.0.1 or later, then NC2 uses the Flow
Gateway scaled-out deployment model by default. However, the Flow Gateway scaled-out deployment works as desired
only for ExpressRoute. You must use Prism Central 2023.3 or later only if you use ExpressRoute. If you use a VPN,
then you must use the pre-6.7 version of AOS and pre-2023.3 version of Prism Central, where NC2 uses a single Flow
Gateway deployment model.
Before migrating from a single Flow Gateway deployment to the scaled-out Flow Gateway deployment, ensure that
you have the following:
Note: If you use an older version of Prism Central than 2022.9, then upgrade Prism Central to 2023.1.0.1 and Network
Controller to 2.2.0, and then upgrade to Prism Central 2023.3 and Network Controller 3.0.1. Ensure that you upgrade
Network Controller 3.0.1 from Network Controller 2.2.0 and not from Network Controller 2.1.0. The order of upgrades
must be Prism Central > AOS > AHV > Network Controller.
Procedure
2. On the Clusters page, click the cluster name for which you want to scale out the Flow Gateway.
4. Under Flow Gateway VMs, the current and available version of the Flow Gateway VMs is displayed.
If a higher version is available, the Upgrade option is displayed. You can choose to upgrade the Flow Gateway
VMs.
Note: The Flow Gateway VM upgrade process might take 20 to 60 minutes and cause downtime.
a. Click Scale out Flow Gateway VMs. The Scale-out Flow Gateway dialog appears.
b. Under Desired Network Bandwidth:
The traffic routed through Flow Gateway VMs is limited by the bandwidth of the native Azure VMs. In
addition to the Flow Gateway VMs, two additional native VMs are deployed to host the Border Gateway
Protocol (BGP) service.
The total network bandwidth is determined by the total number and type of Flow Gateway VMs. The
bandwidth of the native BGP VMs is not used for all traffic.
• Desired Network Bandwidth: Use the slider to choose the desired network bandwidth for the Flow
Gateway VMs. Based on the network bandwidth you select, the number of Flow Gateway VMs gets
updated.
You can hover over the FGW VMs to view the Flow Gateway VM specifications and hover over BGP
VMs to view the BGP VM specifications.
• Subnets:
If you have selected the Create New VNet option on the Network tab while creating the
cluster:
A list of subnets from the Prism Central VNet and their corresponding CIDR is displayed. Two subnets,
one as external and the other as internal, are created for Flow Gateway with the required CIDR. One
subnet is created for the BGP VM.
Note: The minimum CIDR for the two Flow Gateway subnets is /24, and for BGP Subnet is /28.
If you have selected the Use an existing VNet option on the Network tab while creating
the cluster:
Internal Subnet and External Subnet: Select the internal subnet and external subnet from the Prism
Central VNet.
BGP Subnet: Select a subnet for BGP from the Prism Central VNet or Cluster VNet.
Note: You can create a subnet for BGP in either Prism Central VNet or Cluster VNet. If the BGP subnet
is in Prism Central VNet, you must manually perform peering between the Prism Central VNet and
the VNet where the Azure Route Server is deployed. If the BGP subnet is in Cluster VNet, you must
manually perform peering between the Cluster VNet and the VNet where the Azure Route Server is
deployed.
a. Resource Group: Select the Resource Group where these VMs would be deployed. If you do not see the
Resource Group, click Refresh to refresh the list.
b. Route Server:
• If you have selected the Create New VNet option on the Network tab while creating the cluster, NC2
deploys a new Route Server in the selected VNet.
Hub Virtual Network (Hub vNet) CIDR: Specify the CIDR of the Hub VNet.
Route Server Subnet CIDR: Specify the subnet CIDR in which the Route Server must be deployed.
NC2 automatically assigns an IP address.
• If you have selected the Use an existing VNet option on the Network tab while creating the cluster,
ensure that you have configured an Azure Route Server. If an existing Azure Route Server is found, the
Route Server Subnet CIDR and Route Server IP address are displayed.
7. (Optional) Under Advanced Settings, you can change the BGP ASN value under BGP Custom ASN.
All of your selections are captured and displayed on the Summary tab.
9. Check the status on the cluster Summary page. After the BGP and Flow Gateway VMs are provisioned, the
Flow Gateway configuration gets initiated.
10. On the successful configuration of the scaled-out Flow Gateway, the Flow Gateway Status is marked as
Running.
You can hover over Flow Gateway Status and click Details to view the Flow Gateway details.
Procedure
2. On the Clusters page, click the name of the cluster for which you want to scale out the Flow Gateway.
4. Under Flow Gateway, the current and available version of the Flow Gateway VM is displayed.
If a higher version is available, the Upgrade option is displayed. You can choose to upgrade the Flow Gateway
VMs.
Note: The Flow Gateway VM upgrade process might take 20 to 60 minutes and cause downtime.
5. Under Desired Network Bandwidth, use the slider to choose the desired network bandwidth for the Flow
Gateway VMs. After you select the bandwidth, the number of Flow Gateway VMs gets updated. You can hover
over FGW VMs to view the Flow Gateway VM specifications and hover over BGP VMs to view the BGP VM
specifications.
6. Under Flow Gateway VM Access through SSH, select the key pair (a private key and a public key) that is
used to prove your identity while connecting to the host.
a. Use an existing Key Pair: Select an existing key pair from the Select SSH Key list.
b. Create a New Key Pair: In Key Resource Group, select an existing SSH key resource group or click
Create New Resource Group and enter the SSH key name.
Note:
Note: If a node turns unhealthy and you add another node to a cluster for evacuation of data or VMs, Azure charges
you additionally for the new node.
Procedure
3. On the Hosts page, click the ellipsis of the corresponding host you want to replace, and click Replace Host.
4. In the Replace Host dialog, specify why you want to condemn the node and click Confirm.
Instance Retirement | At the scheduled time, the bare-metal instance is stopped if it is backed by the Azure managed disk or terminated if it is backed by an instance store. | Nutanix automatically condemns the host, triggering replacement of the host.
System reboot | At the scheduled time, the host running on the bare-metal instance is restarted. | Nutanix restarts the AHV host.
Instance status impaired | An Azure VM status check is failing for the bare-metal instance. | No action is taken.
System Status impaired | An Azure VM system status check is failing for the bare-metal instance | No action is taken.
Instance Stopped | Azure VM reports that the bare-metal instance is in stopped state when Nutanix expects it to be in running state. When an instance enters a stopped state, the hardware reservation is lost, and the instance store is erased. | Nutanix automatically condemns the host, triggering replacement of the host.
Instance Terminated | VM reports that the instance is in terminated state when Nutanix expects it to be in running state. When an instance enters a terminated state, the hardware reservation is lost, and the instance store erased. | Nutanix automatically condemns the host, triggering replacement of the host.
Procedure
2. Select the ellipsis button of a corresponding cluster and click Notification Center.
View AOS-specific alerts from Prism web console.
4. To acknowledge a notification, in the row of a notification, click the corresponding ellipsis, and select
Acknowledge.
Procedure
2. On the Clusters page, click the name of the cluster whose licensing details you want to display.
Terminating a Cluster
You can terminate an NC2 cluster if you do not want to use the cluster anymore.
Note: You must only terminate the clusters from the NC2 console and not from your public cloud console. If you try
to terminate the cluster or some nodes in the cluster from your cloud console, then NC2 will continue to attempt to re-
provision your nodes in the cluster.
You do not need to delete the license reservation when terminating an NC2 cluster if you intend to use the
same license reservation quantity for a cluster you might create in the future.
Note: Ensure that the cluster on which Prism Central is deployed is not deleted if Prism Central has multiple Prism
Elements registered with it.
Procedure
2. Go to the Clusters page, click the ellipsis in the row of the cluster you want to terminate, and click Terminate.
• Clusters_agents_upgrader
• Cluster_agent
• Host_agent
• Hostsetup
• Infra_gateway
• cloudnet
You can collect the logs either by using the Prism Element web console or Nutanix Cluster Check (NCC) command
line.
For instructions about how to collect the logs by using the Prism Element web console, see Collecting Logs from
the Web Console with Logbay.
For instructions about how to collect the logs by using the NCC command line, see Logbay Log Collection
(Command Line).
You can collect the logs using logbay for a certain time frame and share the respective log bundle with Nutanix
Support to investigate the reported issue. You can upload logs collected by logbay on the Nutanix SFTP or FTP
server.
For more information on how to upload the collected logs, see Uploading Logbay Logs.
User Roles
The NC2 console uses a hierarchical approach to organizing administration and access to accounts.
The NC2 console has the following entities:
• Customer: This entity is the highest business entity in the NC2 platform. You create multiple organizations
under a customer and then create clusters within an organization. When you sign up for NC2, a Customer
entity is created for you. You can then create an Organization, add a cloud (Azure or AWS) account to that
organization, and create clusters in that organization. You cannot create a new Customer entity in your NC2
platform.
• Organization: This entity allows you to set up unique environments for different departments within your
company. You can create multiple clusters within an organization. You can separate your clusters based on your
specific requirements. For example, create an organization Finance and then create a cluster in the Finance
organization to run only your finance-related applications.
Note: One Azure cloud account can be part of only one organization. However, an organization can have multiple
Azure cloud accounts.
Users can be added from the Cluster, Organization, and Customer entities. However, the user roles that are available
while adding users vary based on whether the users are invited from the Cluster, Organization, and Customer entities.
Administrators can grant permissions based on their own level of access. For example, while a customer administrator
can assign any role to any cluster or organization under that customer entity, an organization administrator can only
grant roles for that organization and the clusters within that organization.
The following user roles are available in NC2.
Role | Description
Customer Administrator | Highest level of access. Customer administrators can create and manage multiple organizations and clusters. Customer administrators can also modify permissions for any of the user roles.
Cluster Administrator | Cluster Administrator can access and manage any clusters assigned to them by the Organization or Customer administrators. Cluster Admin can also open, close, or extend a support tunnel for the Nutanix Support team.
Cluster Super Admin | Cluster Super Admin can open, close, or extend a support tunnel for the Nutanix Support team.
Cluster Auditor | Cluster Auditor users have read only access to the clusters under the organization.
Cluster User | Cluster User can access a specific cluster assigned to them by the Cluster, Organization or Customer Administrator.
See the Local User Management section of the Nutanix Cloud Services Administration Guide for more
information about the following:
Note: The user roles described in the Local User Management section of the Nutanix Cloud Services
Administration Guide are not applicable to NC2. For the user roles in NC2, see the user roles described in this
section.
See the Nutanix Cloud Services Administration Guide for more information about authentication mechanisms,
such as multi-factor authentication and SAML authentication.
Note: Users can be added from the Cluster, Organization, and Customer entities. However, the user roles that
are available while adding users vary based on whether the users are invited from the Cluster, Organization, and
Customer entities. Administrators can grant permissions based on their own level of access. For example, while a
customer administrator can assign any role to any cluster or organization under that customer entity, an organization
administrator can only grant roles for that organization and the clusters within that organization.
Procedure
3. Click the ellipsis icon against the desired customer entity, and click Users.
The Authentication tab displays the identity authentication providers that are currently enabled for your
account, and the relevant tabs for the enabled authentication providers are displayed. The NC2 account
administrator must have first unlocked the Enforce settings slider.
Perform the following steps to invite users based on the authentication provider.
• Application Id
• Auth provider metadata: URL or XML
• Metadata URL or Metadata XML
• Integration Name
• Custom Label
• Authentication token expiration
• Signed response
• Signed assertion
d. Click Add.
To add SAML 2 Permission:
a. Click the SAML 2 Permission tab. The SAML 2 Permissions dialog appears.
b. Click Add Permission. The Create A SAML2 Permission dialog appears.
• For provider: Select the SAML2 Provider you are designating permissions for.
• Allow Access:
• Always: Once the user is authenticated, they have access to the role you specify – no conditions
required.
• When all conditions are satisfied: The user must meet all conditions specified by the
administrator to be granted access to the role specified.
• When any condition is satisfied: The user can meet any conditions specified by the administrator
to be granted access to the role specified.
• Conditions: Specify your assertion claims and their values which correspond with the roles you wish to
grant.
• Grant roles: Select the desired roles you wish to grant to your users. You can add multiple role sets using
the Add button.
d. Click Save.
e. To update the SAML 2 permissions of the users in your account, click the SAML 2 Permissions tab. The
SAML 2 Permissions page displays the list of all users in your account.
f. Click the ellipsis icon against the user you want to edit the SAML 2 permissions for, and then click Update.
The Update a rule dialog appears.
9. To invite users with Secure Anonymous: You can create many users without email invitation or activation.
Mass user creation can be used to deliver training and certification tests to end users who are guest users (not
Procedure
3. Click the ellipsis icon against the organization entity, and then click Users.
• Full access to this organization and its accounts: Grants NC2 support engineers the same level of
access as a Customer Administrator.
• Full access without ability to start sessions and manage users: NC2 support engineers may not
start sessions to your workload VMs.
• No Access: NC2 support engineers have no access to your customer and organization(s).
6. If you choose to give full access, then you can choose to give full access to specific NC2 specialists. Click Add
Personnel and then enter the email address of the NC2 specialist.
To revoke access, click the trashcan symbol listed to the right of the Nutanix staff member you would like to
remove from the Authorized Nutanix Personnel list. Click Save to apply your changes.
Note: Ensure that you select the correct workspace from the Workspace list on the My Nutanix dashboard. For
more information on workspaces, see Workspace Management.
b. In the My Nutanix dashboard, go to the API Key Management tile and click Launch.
If you have previously created API keys, a list of keys is displayed.
c. Click Create API Keys to create a new key.
The Create API Key dialog appears.
• Name: Enter a unique name for your API key to help you identify the key.
• Scope: Select the NC2 scope category under Cloud from the Scope list.
• Admin: Create or delete a cluster and all permissions that are assigned to the User role.
• User: Manage clusters, update cluster capacity, perform Flow Gateway upgrade and all permissions
that are assigned to the Viewer role.
• Viewer: View account, organization, cluster, and tasks on the NC2 console.
e. Click Create.
The Created API dialog is displayed.
Note: You cannot recover the generated API key and key ID after you close this dialog.
For more details on API Key management, see the API Key Management section in the Licensing Guide.
Note: This step uses Python to generate a JWT token. You can use other programming languages, such as
JavaScript and Golang.
b. Replace the API Key and Key ID in the following Python script and then run it to generate a JWT token.
Also, you can specify expiry time in seconds for the JWT token to remain valid. In the requesterip attribute,
enter the requester IP.
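from datetime import datetime, timedelta, timezone
import base64
import hmac
import hashlib

import jwt  # PyJWT

# Replace these placeholders with your own values before running the script.
api_key = "enter the API Key"
key_id = "enter the Key ID"
aud_url = "enter the audience URL"  # placeholder: the value is not given in this section


def generate_jwt():
    curr_time = datetime.now(timezone.utc)
    payload = {
        "aud": aud_url,
        "iat": curr_time,
        # Expiry time of the token, in seconds from now.
        "exp": curr_time + timedelta(seconds=120),
        "iss": key_id,
        "metadata": {
            "reason": "fetch usages",
            "requesterip": "enter the requester IP",
            "date-time": curr_time.strftime("%m/%d/%Y, %H:%M:%S"),
            "user-agent": "datamart"
        }
    }
    # The HS512 signing secret is the base64-encoded HMAC-SHA512 of the
    # key ID, keyed with the API key.
    signature = base64.b64encode(
        hmac.new(bytes(api_key, 'UTF-8'), bytes(key_id, 'UTF-8'),
                 digestmod=hashlib.sha512).digest())
    token = jwt.encode(payload, signature, algorithm='HS512',
                       headers={"kid": key_id})
    print("Token (Validate): {}".format(token))


generate_jwt()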
c. A JWT token is generated. Copy the JWT token on your system for further use. The JWT token can be used as
an Authorization header when validating the API call. The JWT token remains valid for the duration that you
have specified.
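The following is an added example, not part of the Nutanix guide: it builds the same token with only the Python standard library and then checks it locally (algorithm, kid, signature, audience, issuer, and lifetime) before it is used as an Authorization header. The key, key ID, audience URL, and requester IP are constructed sample values, and build_token, check_token, and the max_ttl limit are hypothetical names introduced here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (assumptions, not real credentials or endpoints).
SAMPLE_API_KEY = "constructed-api-key"
SAMPLE_KEY_ID = "constructed-key-id"
SAMPLE_AUD = "https://audience.example.invalid"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_secret(api_key: str, key_id: str) -> bytes:
    """Signing secret as computed in the guide's script:
    base64(HMAC-SHA512(key=api_key, msg=key_id))."""
    mac = hmac.new(api_key.encode("utf-8"), key_id.encode("utf-8"), hashlib.sha512)
    return base64.b64encode(mac.digest())


def sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()


def build_token(api_key, key_id, aud, requester_ip, ttl=120, now=None):
    """Build an HS512 JWT with the claims used in the guide's script."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS512", "typ": "JWT", "kid": key_id}
    payload = {
        "aud": aud, "iat": now, "exp": now + ttl, "iss": key_id,
        "metadata": {
            "reason": "fetch usages",
            "requesterip": requester_ip,
            "date-time": time.strftime("%m/%d/%Y, %H:%M:%S", time.gmtime(now)),
            "user-agent": "datamart",
        },
    }
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload))
    secret = derive_secret(api_key, key_id)
    return signing_input + "." + b64url(sign(secret, signing_input))


def check_token(token, api_key, key_id, aud, max_ttl=300, now=None):
    """Return the claims if the token passes every local check, else raise ValueError."""
    now = int(time.time()) if now is None else int(now)
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS512":
        raise ValueError("unexpected alg")
    if header.get("kid") != key_id:
        raise ValueError("unexpected kid")
    expected = sign(derive_secret(api_key, key_id), head_b64 + "." + body_b64)
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    if claims.get("aud") != aud or claims.get("iss") != key_id:
        raise ValueError("wrong aud or iss")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("missing iat or exp")
    if exp <= now:
        raise ValueError("expired")
    # A long-lived bearer token is a larger exposure if it leaks.
    if exp - iat > max_ttl:
        raise ValueError("lifetime exceeds max_ttl")
    return claims


if __name__ == "__main__":
    tok = build_token(SAMPLE_API_KEY, SAMPLE_KEY_ID, SAMPLE_AUD, "203.0.113.10")
    print(check_token(tok, SAMPLE_API_KEY, SAMPLE_KEY_ID, SAMPLE_AUD)["metadata"])
```

Keeping the expiry short, as the 120 seconds in the guide's script does, limits how long a copied token stays usable.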
• Key: nutanix:clusters:cluster-uuid
• Value: UUID of the cluster created in Azure
See the NCM Cost Governance User Guide for more information about setting up and using Cost Governance.
Procedure
Note: For the up-to-date instructions about how to perform the following tasks, see the NCM Cost Governance
User Guide.
Procedure
2. Select Azure and your Azure account in the cloud and account selection menu.
NC2 supports Asynchronous and NearSync replication. NearSync replication is supported with AOS 6.7.1.5 and later,
while Asynchronous replication is supported with all supported AOS versions. NearSync replication is supported only
when clusters run AHV; NC2 does not support cross-hypervisor disaster recovery. For more information on Nutanix
Disaster Recovery capabilities, see Nutanix Disaster Recovery Guide.
If you want to use protection policies and recovery plans to protect applications across multiple Nutanix clusters,
set up Nutanix Disaster Recovery from Prism Central. Disaster Recovery allows you to stage your application to
be restored in the correct order. You can also use protection policies to failback to on-prem if necessary. For data
protection and disaster recovery, you can pair your Prism Central of the Nutanix cluster running in Azure with the
Prism Central of the Nutanix cluster running in your on-prem datacenter. You must configure connectivity between
your on-prem datacenter and Azure VNet using the Azure VPN or Azure ExpressRoute. NC2 on Azure also supports
disaster recovery from on-prem to Azure over layer 2 stretched subnets. Layer 2 subnet extension assumes that the
underlay reachability between on-prem and Azure is over a VPN or ExpressRoute.
For more information on disaster recovery over the Layer 2 stretch, see Disaster Recovery Over Layer 2 Stretch.
For more information on disaster recovery without the Layer 2 stretch, see Disaster Recovery Without Layer 2
Stretch.
Note: Ensure that the Prism Central version is not End of Maintenance and End of Support Life. For more information,
see https://portal.nutanix.com/page/documents/eol/list?type=pc. For more information about the
compatibility of Prism Central with AOS, see
https://portal.nutanix.com/page/documents/kbs/details?targetId=kA00e000000LIi9CAG.
Note: You can extend a subnet over a VPN or VTEP gateway. These steps are validated using a static route for the
internal route configuration; however, an OSPF or eBGP route can also be used. eBGP is used for the external route
configuration.
The following steps cover both VPN and VTEP. The fields vary based on your selection for VPN or VTEP.
Procedure
1. Pair the Prism Central at the on-prem AZ with the Prism Central at the NC2 on Azure (remote AZ).
The Availability Zone Type must be selected as Physical Location. Ensure that the availability zone is
reachable.
For more information, see Pairing Availability Zones.
2. Create a subnet on the on-prem cluster. You can also use an existing subnet if that subnet is not used for user
VMs.
You can skip the IP Address Management and DHCP Settings fields for VLAN.
For more information, see Creating a Subnet.
5. Create a local gateway on on-prem with the VLAN subnet created for the Nutanix VPN.
You can choose either VPN or VTEP gateway.
If you have selected the VPN gateway service: You must select the Gateway Attachment as VLAN. The
static IP address for the VPN comes from VLAN - the subnet created in step 2. The eBGP password must be the
same used earlier in step 4. This gateway creates the Nutanix VPN VM on the on-prem cluster.
Note: The subnet created for the overlay VPN must not be used to create UVMs.
If you have selected the VTEP gateway service: The VxLAN (UDP) port must be kept as default 4789.
For more information, see Creating a Network Gateway.
8. If you must extend the on-prem VLAN subnet over VPN, then perform these additional steps:
• Create a VPN connection on on-prem as an initiator. For more information, see Creating a VPN
Connection.
• Create a VPN connection on NC2 on Azure as an acceptor. For more information, see Creating a VPN
Connection.
• Make sure the IPSec and eBGP are enabled.
Note: Ensure that you perform the subnet extensions steps using the Networking & Security > Connectivity
> Subnet Extension option. You must not perform these steps using the Network and Security > Subnets
• To extend a subnet over VPN, see Layer 2 Virtual Subnet Extension Over VPN.
• To extend a subnet over VTEP, see Layer 2 Virtual Subnet Extension Over VTEP.
Note: You must select the Subnet Type as Overlay for NC2 on Azure and Overlay or VLAN for on-prem.
Ensure that you select the user VPC and do not select the transit VPC while extending the subnet over VPN. The
VPC option populates when the Overlay subnet type is selected.
Note: Ensure that you have installed Nutanix Guest Tools (NGT) on the user VMs for static IP address mapping
of user VMs between source and target virtual networks and static IP address preservation after failover.
Health Check
Nutanix provides robust mechanisms to monitor the health of your clusters using Nutanix Cluster Check and health
monitoring through the Prism Element web console.
For more information on how to assess and monitor the health of your cluster, see Health Monitoring.
Routine Maintenance
This section provides information about routine maintenance activities like monitoring certificates, software updates,
managing licenses, and system credentials.
Monitoring Certificates
You must monitor your certificates for expiration. Nutanix does not provide a process for monitoring certificate
expiration, but Azure provides an Azure subscription that can help you set up alarms.
See Microsoft documentation for more information. Follow the Azure best practices for certificate renewals.
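Because no built-in expiry monitoring is provided, a scheduled local check can complement the cloud-side alarms. The following is an added example, not part of the Nutanix guide: it classifies PEM certificate files with the `openssl` CLI. The function names, the `WARN_DAYS` threshold, and the file paths are assumptions, and the sample certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example: flag PEM certificates that are expired or close to expiry.
# WARN_DAYS and all file paths are assumptions, not values from the guide.
WARN_DAYS="${WARN_DAYS:-30}"

# cert_status FILE [DAYS] -> prints OK, EXPIRING, EXPIRED or UNREADABLE
cert_status() {
    cs_warn="${2:-$WARN_DAYS}"
    # Anything openssl cannot parse as an X.509 certificate is reported, not skipped.
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend "$((${cs_warn} * 86400))" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# check_certs FILE... -> one report line per file; returns 1 if any is not OK
check_certs() {
    cc_rc=0
    for cc_pem in "$@"; do
        cc_status="$(cert_status "$cc_pem")"
        cc_end="$(openssl x509 -in "$cc_pem" -noout -enddate 2>/dev/null || true)"
        printf '%-10s %s %s\n' "$cc_status" "$cc_pem" "$cc_end"
        [ "$cc_status" = OK ] || cc_rc=1
    done
    return "$cc_rc"
}

# make_sample_cert FILE DAYS -> constructed self-signed certificate for the demo
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=sample.invalid" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1 && rm -f "$1.key"
}

# Demo on constructed input: one long-lived cert, one inside the warning window.
demo_dir="$(mktemp -d)"
make_sample_cert "$demo_dir/long.pem" 365
make_sample_cert "$demo_dir/short.pem" 10
check_certs "$demo_dir/long.pem" "$demo_dir/short.pem" || echo "renewal needed"
rm -rf "$demo_dir"
```

The non-zero return from `check_certs` lets a scheduler or monitoring agent raise an alert; unreadable files count as failures so a corrupted certificate is not silently skipped.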
• Licensed Clusters. Displays a table of licensed clusters including the cluster name, cluster UUID, license tier,
and license metric. NC2 clusters with AOS and NCI licensing appear under Licensed Clusters.
• Cloud Clusters. Displays a table of licensed Nutanix Cloud Clusters including the cluster name, cluster UUID,
billing mode, and status. NC2 clusters with AOS licensing appear under Cloud Clusters. NCI-licensed clusters
do not appear under Cloud Clusters.
To purchase and manage the software licenses for your Nutanix clusters, see the License Manager Guide.
System Credentials
See the Microsoft documentation to manage your Azure accounts and their permissions.
For NC2 credentials, see User Management.
A redundancy factor 2 (RF2) configuration of the cluster protects data against a single-rack failure, and an RF3
configuration protects against a two-rack failure. Also, to protect against multiple correlated failures within a
datacenter and an entire AZ failure, Nutanix recommends that you set up Disaster Recovery to a different AZ.
See Data Protection and Recovery with Prism Element for more information.
Note: NC2 detects a node failure in a few minutes and brings a replaced node online in approximately one hour; this
duration varies depending on the time taken for data replication, the customer’s specific setup, and so on.
Note: Only the Cluster Owner and Cluster Super Admin can open, close, or extend a support tunnel for the Nutanix
Support team.
Note: Before enabling a support tunnel for a specific cluster, ensure that at least one CVM is functional and accessible.
If enabling the support tunnel fails, you must contact the Nutanix Support team.
1. In the Duration (h) box, enter the number of hours you want to keep the support tunnel open.
2. Click Open Support Tunnel.
5. The circle icon in the Notification Center displays the progress of the task. A success message appears if the task
is complete, or an error message appears if the task fails. You receive an email notification stating that the support
tunnel has been opened.
Support
You can access the technical support services in several ways to troubleshoot issues with your Nutanix cluster.
Using your NC2 on Azure subscription, open a support case with Nutanix customer support when you have an issue
that requires assistance. See the Creating a Case topic in Support Portal Help for more information.
Nutanix recommends that you sign up for an Azure support plan subscription for technical support of the Azure
resources. See Azure Support for more information.
1. When accessing a document on https://portal.nutanix.com/, navigate to the Feedback dialog displayed at the
bottom of the page.
2. Select one to five stars to rate the page you referred to. Here, a single star means poor, and five stars mean
excellent.
3. Select the predefined feedback messages that are presented based on the number of stars selected.
• Changes or enhancements
• Known Issues
• Fixes and workarounds
• Software compatibility