A Review Of Accurate NCP-CI-Azure Training Materials

✑ Role Requirements: The task involves creating and managing multiple organizations and clusters, along with managing user access across the company.
✑ Role Capabilities: The "Customer Administrator" role is designed to provide extensive administrative capabilities, including:
✑ Comparison of Roles:
✑ Conclusion: The "Customer Administrator" role meets all the requirements for managing organizations, clusters, and user access comprehensively.
References:
✑ Nutanix Role-Based Access Control Documentation
✑ NC2 on Azure User Roles Guide

✑ ERP Configuration: ERP (External Route Prefix) settings determine how traffic is routed between subnets and VPCs.
✑ Objective: The goal is to isolate Darren-Tier3 while ensuring proper routing for Tier1 and Tier2.
✑ Transit VPC ERP: Setting it to 10.0.0.0/16 ensures that it covers the entire VPC range, allowing traffic within Tier1 and Tier2.
✑ Servers ERP: Setting it to 10.0.4.0/24 ensures isolation for Darren-Tier3 by limiting
traffic to that specific subnet and preventing external traffic from reaching it.
✑ Conclusion: This configuration achieves the isolation of Darren-Tier3 while allowing proper routing for Tier1 and Tier2.
References:
✑ Nutanix Networking Documentation
✑ Azure Virtual Network Documentation

✑ Payment Method Options:When using a Pay As You Go subscription plan and opting to pay directly to Nutanix, wire transfer is a valid and secure payment method.
✑ Direct Payment:Wire transfers allow for the direct transfer of funds from the organization's bank account to Nutanix, ensuring a straightforward and efficient payment process.
References:
✑ Nutanix Billing and Payment Documentation
✑ Pay As You Go Subscription Payment Methods Guide

✑ Jump Host Deployment:A Jump Host is a secure server used to access other systems in a network. In the context of an NC2 cluster on Azure, it serves as an intermediary for accessing Prism Element and Prism Central.
✑ Flexible Deployment Options:The Jump Host can be deployed in either the Prism Central VNet or an external VNet, providing flexibility in network design and access strategies. This allows the organization to choose the most suitable network for deploying the Jump Host based on their security and connectivity requirements.
References:
✑ Nutanix NC2 on Azure Deployment Guide
✑ Azure Virtual Network Configuration Documentation

✑ Flow Virtual Networking: Nutanix Flow Virtual Networking allows for the creation of overlay networks to segment and manage network traffic.
✑ Network Types:
✑ Requirement: Creating a subnet for new workloads within Flow Virtual Networking suggests using an overlay network for logical separation and management.
✑ Conclusion: An overlay network within Flow Virtual Networking will satisfy the task of accommodating a new type of workload in the NC2 Azure instance.
References:
✑ Nutanix Flow Networking Guide
✑ Azure Virtual Network Documentation

✑ Azure AD App Registration: When setting up an application registration in Azure AD, specific permissions are required to delegate access.
✑ User Access Administrator Role: This role has the necessary permissions to manage user access to Azure resources, including delegating permissions for app registrations.
✑ Comparison of Roles:
✑ Conclusion: The Azure User Access Administrator role is required to delegate minimum permissions for Azure AD App registration.
References:
✑ Azure Role-Based Access Control Documentation
✑ Azure AD App Registration Guide

For configuring connectivity between an on-premises datacenter and Azure, the two supported options are:
✑ VPN (Virtual Private Network):Site-to-Site VPN allows you to create a secure
connection from your on-premises network to Azure over the public internet using IPsec/IKE protocols.
✑ ExpressRoute:Provides a private connection between your on-premises
infrastructure and Azure, ensuring traffic does not traverse the public internet. Both options provide secure and reliable connectivity, with ExpressRoute offering enhanced performance and security due to its private connection.References
✑ Azure VPN Gateway
✑ Azure ExpressRoute Overview

✑ Azure Subscription Validation: When deploying an NC2 cluster, the Azure subscription must be validated and allowlisted by Microsoft. This is a crucial step to ensure that the necessary permissions and configurations are set up for the deployment.
✑ Booting State Issue: If the nodes are stuck in the Booting state, it often indicates that the subscription has not been properly validated and allowlisted. This prevents the deployment from progressing as required resources and permissions are not fully accessible.
✑ Checking Allowlisting Status: Administrators should verify that their subscription has been allowlisted by contacting Azure support or checking the status through the Azure portal.
✑ Resolution: Once the subscription is validated and allowlisted by Microsoft, the deployment should proceed without the nodes getting stuck in the Booting state.
References:
✑ Nutanix NC2 on Azure Documentation
✑ Azure Subscription Management

✑ Flow Gateway Network Security Group (NSG):NSGs control the traffic flow to and from network interfaces associated with VMs and other resources. Configuring the NSG correctly is crucial for ensuring that required traffic is allowed.
✑ Internal NIC Configuration:To allow Native Azure instances in the Prism Central VNet (10.20.0.0/24) to access the web servers in the Tier1 subnet, the internal NIC of the Flow Gateway must be configured to allow traffic from 10.20.0.0/24. This ensures that inbound traffic from these instances is permitted and properly routed to the web servers.
References:
✑ Azure Network Security Group Documentation
✑ Nutanix Flow Gateway Configuration Guide

To allow access from the native Azure VMs to the workloads running in the Nutanix User VPC, the administrator needs to:
✑ Adjust the Inbound Network Security Group (NSG) on the Flow Gateway VM's
Internal NIC.
✑ Specifically, allow traffic from the subnet range of the native Azure VMs (10.20.80.0/20) in the Inbound rules of the NSG associated with the Internal NIC of the Flow Gateway VM.
This configuration change permits the desired network traffic, ensuring that the native Azure VMs can communicate with the workloads in the Nutanix User VPC.References
✑ Azure Network Security Groups Overview
✑ Nutanix Networking and Security Best Practices

✑ Azure Private Endpoint:A Private Endpoint provides secure connectivity to Azure resources by enabling private access through the Azure backbone network. This ensures that the traffic does not traverse the internet, providing enhanced security and performance.
✑ Delegated Subnet:By creating an Azure Private Endpoint for VMs in a delegated subnet, the administrator ensures that the VMs can access Azure resources directly and securely without using the public internet.
References:
✑ Azure Private Endpoint Documentation
✑ Nutanix NC2 Networking Configuration Guide

✑ Azure Directory Service Role: Azure Directory Service must be able to resolve specific Nutanix URLs to ensure proper communication and functionality during the deployment of an NC2 cluster.
✑ Critical Endpoint: The address "Gateway-external-api.cloud.nutanix.com" is critical for establishing external API communications required for the deployment and management of the NC2 cluster.
✑ DNS Resolution: Proper DNS resolution of this address ensures that the Azure Directory Service can interact with Nutanix services and APIs necessary for cluster operations.
✑ Verification Process:
✑ Importance: Without resolving this address, the deployment process might face connectivity issues, leading to potential deployment failures.
References:
✑ Nutanix NC2 on Azure Setup Guide
✑ Azure Active Directory Integration

To collect the appropriate logs (Cluster_agent, Host_agent, and Hostsetup) for diagnosing the deployment issue with Nutanix Support, the administrator should:
✑ Log in to Prism Element to access the Controller VM (CVM) console.
✑ Run thelogbay collectcommand from the CVM console. This command collects the necessary logs and packages them for support.
This method ensures that the correct logs are gathered in a format that Nutanix Support can analyze.References
✑ Nutanix Support Documentation on Log Collection

To efficiently terminate a Nutanix cloud cluster, the NC2 (Nutanix Cloud Clusters) Console should be used. The NC2 Console provides the necessary tools and interface specifically designed for managing and terminating Nutanix clusters within cloud environments, ensuring a seamless and efficient process.References
✑ Nutanix Cloud Clusters Documentation

✑ DNS Server Options:
✑ Connectivity Requirements:
✑ Conclusion: An on-premises DNS server would require VPN or ExpressRoute connectivity to be accessible and integrated with the Azure environment.
References:
✑ Azure DNS Overview
✑ VPN Gateway Configuration
✑ ExpressRoute Overview

✑ Outbound Rule Necessity: For successful cluster deployment, certain outbound connections must be allowed to ensure proper download and configuration of resources.
✑ Critical Destination: "Https://downloads.cloud.nutanix.com/*" is a critical endpoint from which the Nutanix software and updates are downloaded during the cluster
deployment process.
✑ Functionality: Ensuring an outbound rule for this destination allows the deployment to fetch necessary files and updates, enabling smooth cluster setup and operation.
✑ Other Destinations:
✑ Conclusion: Outbound connectivity to "Https://downloads.cloud.nutanix.com/*" is essential for downloading deployment resources.
References:
✑ Nutanix NC2 on Azure Network Configuration Guide
✑ Azure Network Security Documentation

In the NC2 on Azure cluster scenario, the existing workloads were using floating IPs for inbound traffic before the addition of new Flow Gateways (FGW3 and FGW4). The NAT traffic path established initially will continue to direct traffic through the originally assigned Flow Gateways (FGW1 and FGW2). The existing workloads will not automatically utilize the new Flow Gateways (FGW3 and FGW4) without a reconfiguration or reboot, which reassigns the NAT paths.
References
✑ Nutanix Flow Networking and Configuration Guide

In this scenario, the issue arises from overlapping IP address ranges between the Transit VPC and the User VPC. Here??s a detailed breakdown:
✑ Understanding ERPs (Elastic Routing Prefixes):
✑ IP Address Overlap:
✑ Communication Issue:
✑ Resolution:
By ensuring that the ERPs are in different CIDR ranges, the network can properly route traffic between the VPCs without any conflicts or ambiguities, thereby enabling the VM in the User VPC to communicate with other resources effectively.

✑ Instance Termination Detection:When an instance in Azure is reported as being in a terminated state but NC2 expects it to be running, the system will automatically take corrective actions.
✑ Host Condemnation and Replacement:NC2 will condemn the host, marking it as unusable, and will then trigger the replacement process to ensure that the cluster maintains its required capacity and performance levels. This automatic handling ensures minimal disruption to the workloads running on the cluster.
References:
✑ Nutanix NC2 Automated Management Features
✑ Azure Instance State Documentation