NSX Application Platform Automation Appliance (NAPP-AA) – Part 5 – NAPP Upgrade

Welcome to Part 5 of the blog series on NSX Application Platform Automation Appliance (NAPP-AA) where we demonstrate NAPP lifecycle management.

When I completed Part 4 of this blog series last month, a minor update to NAPP (version 4.1.2.1) was released in order to address an issue while activating Network Traffic Analysis (NTA) with an Advanced Threat Protection (ATP) license. The patch dropped in at the right time, and that’s why this blog post. Please check out NAPP 4.1.2.1 release notes below to learn more:

https://docs.vmware.com/en/VMware-NSX/4.1.2.1/rn/vmware-nsx-application-platform-4121-release-notes/index.html

NAPP lifecycle management is performed from the NSX manager console. NAPP upgrade is orchestrated by NAPP upgrade coordinator that is deployed as a pod in the core platform namespace (nsxi-platform) on the TKGS guest cluster for the respective NAPP instance. NAPP upgrade coordinator is responsible for upgrading the NAPP core components and all the activated features – NSX Intelligence, Malware Prevention and NDR. The upgrade coordinator is removed automatically after the upgrade operation is completed. Let’s walk through the process in more detail:

If you missed any of the previous articles in this blog series, please check them out below:

Part 1 : Topology and Appliance Deployment : 
https://vxplanet.com/2024/04/16/nsx-application-platform-automation-appliance-napp-aa-part-1-topology-and-appliance-deployment/

Part 2 : NAPP Instance Deployment :
https://vxplanet.com/2024/04/18/nsx-application-platform-automation-appliance-napp-aa-part-2-napp-instance-deployment/

Part 3 : Deploying multiple NAPP Instances :
https://vxplanet.com/2024/04/20/nsx-application-platform-automation-appliance-napp-aa-part-3-deploying-multiple-napp-instances/

Part 4 : NAPP Scale-Out :
https://vxplanet.com/2024/04/20/nsx-application-platform-automation-appliance-napp-aa-part-4-napp-scale-out/

Upgrade Pre-requisites

Let’s make sure NAPP pre-requisites are met before starting the upgrade. The official documentation below has a checklist of items that need to be checked prior to the upgrade.

https://docs.vmware.com/en/VMware-NSX/4.1/nsx-application-platform/GUID-D54C1B87-8EF3-45B3-AB27-EFE90A154DD3.html

As I have already done this during the NAPP deployment in Part 1 and since nothing has changed in my homelab, I will skip most of the checks and focus only on the interoperability checks.

• We see that the current NSX manager version (4.1.2.1) is supported with the new NAPP version 4.1.2.1

• We also see that the existing TKR 1.23.8 of the TKGS guest cluster is supported with the new NAPP version 4.1.2.1

• We also have direct internet access on the management VLAN and the workload VLAN (where the TKGS cluster is hosted), hence images for the new NAPP version can be pulled automatically during the upgrade.

Deploying the NAPP Upgrade Coordinator

The first step in the upgrade process is to deploy NAPP upgrade coordinator that orchestrates the upgrade of NAPP core platform and the activated features. Upgrade coordinator is deployed as a pod on the “nsxi-platform” namespace in the TKGS guest cluster of the NAPP instance.

Navigate to System -> Upgrade and click on the Upgrade button of the NSX Application Platform tile to start the upgrade process.

As NSX manager nodes and the TKGS worker nodes for NAPP have direct internet access, we will choose the default public URLs for Helm repository and Docker repository.

Select version 4.1.2.1 under the “Platform Target Version” and click on “Deploy Upgrade Coordinator”.

We see that the upgrade coordinator pod is deployed on the “nsxi-platform” namespace of the TKGS cluster.

Once upgrade coordinator is deployed successfully, we should be able to see tiles for the NAPP core platform and other features that are activated on NSX Application Platform.

Stage 1 – Upgrading NAPP Core Platform

Before upgrading NAPP core components and the activated features, let’s run pre-checks to identify any inconsistencies or incompatibilities that could prevent the upgrade from succeeding.

We will perform pre-checks for all the components that are scheduled for upgrade.

Success!!! Prechecks have succeeded and let’s move on to the component upgrade menu.

NAPP core components need to be upgraded first before any of the activated NAPP features like NSX Intelligence, Malware Prevention or NDR.

We see that the components marked for upgrade are organized into upgrade groups. Each upgrade group has components that can be upgraded parallelly. For eg: for the NSX core platform, we have four upgrade groups – Cert-Manager, Project-Contour, Platform and Metrics.

Component upgrade within an upgrade group happens parallelly and multiple upgrade-groups are upgraded serially.

Clicking Upgrade will start the upgrade process for the core platform. This process will take some time.

Looking at the namespace, we see that existing pods are drained, stopped and new pods are deployed.

Once the upgrade is done, perform post-checks to identify any issues with the upgraded components.

Stage 2 – Upgrading Activated Features

As stated earlier, NAPP core platform components need to be upgraded first before any activated features like NSX Intelligence, Malware Prevention or NDR.

In our setup, we have only NSX Intelligence enabled, so let’s upgrade it.

Clicking on Upgrade under the NSX Intelligence menu will start the upgrade for NSX Intelligence components. We notice that there is only one upgrade group for the components.

Once the upgrade is done, perform post-checks to identify any issues with the upgraded components.

At this moment, the upgrade process is completed, and the new version should reflect in the UI.

We also see that the NAPP upgrade coordinator gets deleted after the completion of upgrade process.

Finally, lets connect to the NAPP dashboard and confirm that the platform is stable, and that we don’t have any open alarms.

If you have activated other NAPP features like malware prevention or NDR, the upgrade process works like the same.

Let’s break for now and will meet shortly in Part 6 where we discuss about air-gapped (internet-restricted) NAPP deployments.

Stay tuned!!!

I hope this article was informative. Thanks for reading.

Continue reading? Here are the other parts of this series:

Part 1 – Topology and Appliance Deployment :
https://vxplanet.com/2024/04/16/nsx-application-platform-automation-appliance-napp-aa-part-1-topology-and-appliance-deployment/

Part 2 – NAPP Instance Deployment :
https://vxplanet.com/2024/04/18/nsx-application-platform-automation-appliance-napp-aa-part-2-napp-instance-deployment/

Part 3 – Deploying multiple NAPP Instances :
https://vxplanet.com/2024/04/20/nsx-application-platform-automation-appliance-napp-aa-part-3-deploying-multiple-napp-instances/

Part 4 – NAPP Scale-Out :
https://vxplanet.com/2024/04/20/nsx-application-platform-automation-appliance-napp-aa-part-4-napp-scale-out/

Part 6 – Air-gapped Deployment
https://vxplanet.com/2024/07/07/nsx-application-platform-automation-appliance-napp-aa-part-6-air-gapped-internet-restricted-deployments/