Nutanix Cloud Clusters

on AWS Deployment
and User Guide
Cloud Clusters (NC2) Hosted
November 7, 2023
Contents

About This Document............................................................................. 6

Reference Information for NC2...................................................................................................7

Nutanix Cloud Clusters (NC2) Overview..................................................8

Use Cases................................................................................................................................ 10
AWS Infrastructure for NC2......................................................................................................11
NC2 on AWS Deployment Models............................................................................................. 12
Single Availability Zone Deployment............................................................................... 12
Multiple Availability Zone Deployment.............................................................................13
Multicluster Deployment................................................................................................. 14
AWS Components Installed...................................................................................................... 14
NC2 Architecture......................................................................................................................17
Preventing Network Partition Errors............................................................................... 18
Resolving Bad Disk Resources....................................................................................... 19
Maintaining Availability: Node and Rack Failure.............................................................. 19
Maintaining Availability: AZ Failure................................................................................. 20
NC2 Security Approach............................................................................................................21

Getting Started With NC2..................................................................... 23

Requirements for NC2 on AWS.................................................................................................23
Supported Regions and Bare-metal Instances..........................................................................25
Installing NVIDIA grid host driver for AHV on G4dn.metal instance................................. 28
Limitations................................................................................................................................ 29
Non-Applicable On-Prem Configurations and Settings..............................................................30
NC2 Infrastructure Deployment................................................................................................ 33
Creating My Nutanix Account................................................................................................... 34
Starting a Free Trial for NC2.................................................................................................... 37

NC2 Deployment...................................................................................39
Creating an Organization..........................................................................................................39
Updating an Organization............................................................................................... 40
Adding an AWS Cloud Account................................................................................................ 41
Deactivating a Cloud Account........................................................................................ 43
Reconnecting a Cloud Account...................................................................................... 44
Adding a Cloud Account Region..................................................................................... 44
Updating AWS Stack Configurations............................................................................... 45
Creating a Cluster.................................................................................................................... 47
AWS VPC Endpoints for S3...................................................................................................... 61
Creating a Gateway Endpoint......................................................................................... 61
Associating Route Tables With the Gateway Endpoint.....................................................63

Prism Central Configuration................................................................. 64

Deploying and Configuring Prism Central.................................................................................64
Logging into a Cluster by Using the Prism Element Web Console............................................. 65
Logging into a Cluster by Using SSH........................................................................................67

ii
NC2 Payment Methods..........................................................................69
Nutanix Licenses for NC2.........................................................................................................70
New Portfolio Licenses................................................................................................... 70
Legacy Portfolio Licenses............................................................................................... 73
Managing Licenses......................................................................................................... 75
Subscription Plans for NC2...................................................................................................... 76
NC2 Subscription Workflow......................................................................................................77
Nutanix Direct Subscription............................................................................................ 78
Subscribe to NC2 From AWS Marketplace...................................................................... 82
Changing Payment Method.......................................................................................................88
Canceling the Subscription Plan.............................................................................................. 91
Billing Management.................................................................................................................. 94
Viewing Billing and Usage Details...................................................................................94
Using the Usage Analytics API....................................................................................... 96

User VM Network Management and Security...................................... 102

Creating a UVM Network........................................................................................................ 102
Creating a UVM Network using Prism Element..............................................................103
Creating a UVM Network using Prism Central............................................................... 105
Updating a UVM Network....................................................................................................... 108
Updating a UVM Network using Prism Element.............................................................108
Updating a UVM Network using Prism Central.............................................................. 109
Using EC2 Instances on the Same Subnet as UVMs............................................................... 110
AWS Elastic Network Interfaces (ENIs) and IP Addresses...................................................... 110
Adding a Virtual Network Interface (vNIC) to a User VM.........................................................110
Enabling Outbound Internet Access to UVMs......................................................................... 111
Enabling Inbound Internet Access to UVMs............................................................................111
Deploying a Load Balancer to Allow Internet Access............................................................. 113
Prism Central UI Access for Site-to-Site VPN Setup............................................................... 115

Network Security using AWS Security Groups.................................... 116

Default Security Groups......................................................................................................... 117
Custom Security Groups........................................................................................................ 118
Ports and Endpoints Requirements........................................................................................ 122

Cluster Management...........................................................................126
Updating the Cluster Capacity............................................................................................... 126
Manually Replacing a Host..................................................................................................... 129
Creating a Heterogeneous Cluster......................................................................................... 130
Hibernate and Resume in NC2............................................................................................... 131
Hibernating Your NC2 Cluster.......................................................................................131
Resuming an NC2 Cluster.............................................................................................132
Limitations in Hibernate and Resume............................................................................133
Terminating a Cluster............................................................................................................. 134
Multicast Traffic Management.................................................................................................134
Configuring AWS Transit Gateway for Multicast............................................................ 139
AWS Events in NC2................................................................................................................ 140
Displaying AWS Events................................................................................................. 141
Viewing Licensing Details.......................................................................................................142
Support Log Bundle Collection...............................................................................................142

iii
Cluster Protect Configuration............................................................. 143
Prerequisites for Cluster Protect............................................................................................ 144
Limitations of Cluster Protect................................................................................................. 145
Protecting NC2 Clusters......................................................................................................... 146
Creating S3 Buckets..................................................................................................... 147
Protecting Prism Central Configuration.........................................................................147
Deploying Multicloud Snapshot Technology.................................................................. 150
Protecting UVM and Volume Groups Data.....................................................................152
Disabling Cluster Protect.............................................................................................. 155
Recovering NC2 Clusters....................................................................................................... 156
Setting Clusters to Failed State.................................................................................... 157
Recreating a Cluster..................................................................................................... 159
Recovering Prism Central and MST.............................................................................. 165
Recovering UVM and Volume Groups Data................................................................... 167
Reprotecting Clusters and Prism Central...................................................................... 170
CLI Commands Library...........................................................................................................171

NC2 Management Consoles............................................................... 178

NC2 Console.......................................................................................................................... 178
Main Menu.................................................................................................................... 178
Navigation Menu........................................................................................................... 179
Audit Trail..................................................................................................................... 182
Notification Center........................................................................................................183

NC2 User Management....................................................................... 185

User Roles..............................................................................................................................185
Adding Users from the NC2 Console...................................................................................... 186
Managing Support Authorization............................................................................................ 198

API Key Management for NC2.............................................................200

NC2 Planning Guidance.....................................................................204

Costs...................................................................................................................................... 204
Sizing......................................................................................................................................204
Capacity Optimizations...........................................................................................................204
Compression................................................................................................................. 204

Cost Analytics.....................................................................................205
Integrating Cost Governance with NC2.................................................................................. 205
Displaying Cost Analytics in the Cost Governance Console.................................................... 205

File Analytics...................................................................................... 207

NC2 System and Operational Features................................................208

Health Check.......................................................................................................................... 208
Backup and Recovery.............................................................................................................208
Disaster Recovery for Instance, AZ, and Region Failure................................................208

iv
 Integration with Third-Party Backup Solutions.............................................................. 209
Routine Maintenance.............................................................................................................. 209
Monitoring Certificates................................................................................................. 209
Nutanix Software Updates............................................................................................ 209
Managing Nutanix Licenses.......................................................................................... 209
System Credentials....................................................................................................... 210
Managing Access Keys and AWS Service Limits........................................................... 210
Emergency Maintenance........................................................................................................ 210
Automatic Node Failure Detection................................................................................ 210
Troubleshooting Deployment Issues....................................................................................... 211
Documentation Support and Feedback...................................................................................211
Support.................................................................................................................................. 212
AWS Support................................................................................................................ 212

Copyright............................................................................................ 213

v
ABOUT THIS DOCUMENT
This user guide describes the deployment processes for NC2 on AWS. The guide provides instructions
for setting up the Nutanix resources required for NC2 on AWS deployment, subscribing to NC2 payment
plans. It also provides detailed steps on UVM network management, end-to-end steps for creating a
Nutanix cluster, and more.
This document is intended for users responsible for the deployment and configuration of NC2 on AWS.
Readers must be familiar with AWS concepts, such as AWS EC2 instances, AWS networking and security,
AWS storage, and VPN/Direct Connect. Readers must also know other Nutanix products, such as Prism
Element, Prism Central, and NCM Cost Governance (formerly Beam).

Document Organization
The following table shows how this user guide is organized and helps you find the most relevant sections in
the guide for the tasks that you want to perform.

Table 1: NC2 on AWS User Guide Roadmap

For information about See the following

A high-level overview of NC2, essential concepts Nutanix Cloud Clusters (NC2) Overview on
for NC2 on AWS, architecture, and infrastructure page 8
guidance.
Data encryption and network security details for NC2 Security Approach on page 21
NC2 clusters.
Details on various subscription and payment plans, NC2 Payment Methods
billing workflow. How to cancel and manage your
existing subscription plans.
Getting started with NC2 on AWS, its requirement Getting Started With NC2 on page 23
and limitation, and how to create a My Nutanix
account and start a free trial for NC2.
How to create an organization and add your cloud NC2 Deployment
account to NC2. How to create an NC2 cluster and
create an AWS VPC endpoint for S3.
How to deploy and configure Prism Central and Prism Central Configuration
log into a cluster by using the Prism Element web
console or SSH.
How to create and manage UVM networks. User VM Network Management and Security on
page 102
Identify security groups and policies for traffic Network Security using AWS Security Groups
control, modify default UVM security groups, and
create custom security groups. Details about the
port and endpoints requirements for inbound and
outbound communication.
How to create a heterogeneous cluster, update Cluster Management on page 126
cluster capacity. Hibernate, resume, and terminate
a cluster.
How to configure and use the Cluster Protect Cluster Protect Configuration
feature to protect your NC2 clusters.

Cloud Clusters (NC2) | About This Document | 6

 For information about See the following
How to add users to NC2, manage NC2 user roles NC2 User Management
and manage authorization to Nutanix Support.
Planning guidance for size and cost optimization. NC2 Planning Guidance on page 204
Supported regions for various bare-metal instances Supported Regions and Bare-metal Instances on
and its limitations while using NC2 on AWS. page 25
How to analyze your cloud consumption using Cost Cost Analytics on page 205
Governance.
Reference information on the system and NC2 System and Operational Features on
operational features, such as health check, backup page 208
and disaster recovery, and routine maintenance
tasks.

Reference Information for NC2

In addition to the User Guide, Nutanix also publishes a Nutanix Validated Design document as an example
of a typical NC2 customer deployment that has been validated by Nutanix.
The following documentation is available for NC2. While using NC2, you need to use several other Nutanix
products, such as Prism, Flow Virtual Networking, and Nutanix Disaster Recovery. Nutanix recommends
that you read product documentation for these products to understand how you can use these products.

• NC2 on AWS:

• Nutanix Cloud Clusters on AWS - Solution Tech Note

• Hybrid Cloud Design Guide
• Nutanix Cloud Clusters on AWS GovCloud Supplement
• Nutanix Cloud Clusters on AWS Release Notes
• Nutanix University
• Supporting Nutanix products:

• Prism Central Infrastructure Guide

• Prism Central Admin Center Guide
• Prism Central Alerts and Events Reference Guide
• Prism Web Console Guide
• Flow Virtual Networking Guide
• Nutanix Disaster Recovery Guide

Cloud Clusters (NC2) | About This Document | 7

NUTANIX CLOUD CLUSTERS (NC2)
OVERVIEW
Nutanix Cloud Clusters (NC2) delivers a hybrid multicloud platform designed to run applications in private
or multiple public clouds. NC2 operates as an extension of on-prem datacenters and provides a hybrid
cloud architecture that spans private and public clouds, operated as a single cloud.
NC2 extends the simplicity and ease of use of the Nutanix software stack to public clouds using a unified
management console. Using the same platform on both clouds, NC2 on AWS reduces the operational
complexity of extending, bursting, or migrating your applications and data between clouds. NC2 runs AOS
and AHV on the public cloud instances and packages the same CLI, GUI, and APIs that cloud operators
use in their on-prem environments.
NC2 resources, including bare-metal hosts, are deployed in your AWS account so that you can leverage
your existing cloud provider relationships, credits, commits, and discounts. Nutanix provisions the full bare-
metal host for your use, and the bare-metal hosts are not shared by multiple customers. Every customer
that deploys NC2 will be provisioning bare-metal hosts independent of other customers’ bare-metal hosts.
The bare-metal hosts are not shared by multiple tenants.

Figure 1: Overview of the Nutanix Hybrid Multicloud Platform

NC2 on AWS place the complete Nutanix hyperconverged infrastructure (HCI) stack directly on a bare-
metal instance in Amazon Elastic Compute Cloud (EC2). This bare-metal instance runs a Controller VM
(CVM) and Nutanix AHV as the hypervisor like any on-premises Nutanix deployment, using the AWS
Elastic Network Interface (ENI) to connect to the network. AHV user VMs do not require any additional
configuration to access AWS services or other EC2 instances.

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 8

AHV runs an embedded distributed network controller that integrates user VM networking with AWS
networking. Instead of creating an overlay network, NC2 on AWS integrates IP address management with
AWS Virtual Private Cloud (VPC). AWS allocates all user VM IP addresses from the AWS subnets in the
existing VPCs. Native integration with AWS networking allows you to seamlessly use AWS services on
AHV user VMs without a complex network deployment or performance loss.
AOS can withstand hardware failures and software glitches and ensures that application availability and
performance are managed as per the configured resilience. Combining features such as native rack
awareness with AWS partition placement groups allows Nutanix to operate freely in a dynamic cloud
environment.
In addition to the traditional resilience solutions for Prism Central, NC2 on AWS also provides the Cluster
Protect feature that helps to protect Prism Central. UVM, and volume groups data in case of full cluster
failures caused by scenarios, such as Availability Zones (AZs) failures or users shutting down all nodes
from the AWS console. For details, see Cluster Protect Configuration.
NC2 on AWS provides on-prem workloads, a home in the cloud, offering native access to available AWS
services without requiring you to reconfigure your software.
You use the NC2 console to deploy a cluster in a VPC in AWS. After you launch a Nutanix cluster in AWS
by using NC2, you can operate the cluster in the same manner as you operate your on-prem Nutanix
cluster with no change in nCLI, the Prism Element and Prism Central web console, and APIs. You use the
NC2 console to create, hibernate, resume, update, and delete your Nutanix cluster.

Figure 2: Overview of NC2 on AWS

Following are the key points about NC2 on AWS:

• Runs on the EC2 bare-metal instances. For more information on the supported EC2 bare-metal
instances, see Supported Regions and Bare-metal Instances.

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 9

 • Supports three or more EC2 bare-metal instances. See the Limitations section for more information
about the number of nodes supported by NC2.
• Supports only the AHV hypervisor on Nutanix clusters running in AWS.
• Supports both existing on-prem Prism Central instance or Prism Central instance deployed on NC2 on
AWS.

Use Cases
NC2 on AWS is ideally suited for the following key use cases:

• Disaster Recovery on AWS: Configure a Nutanix Cloud Cluster on AWS as your remote backup and
data replication site to quickly recover your business-critical workloads in case of a disaster recovery
(DR) event for your primary data center. Benefit from AWS’ worldwide geographical presence and
elasticity to create an Elastic DR configuration and save DR costs by only expanding your pilot light
cluster when DR need arises.
• Capacity Bursting for Dev/Test: Increase your developer productivity by provisioning additional capacity
for Dev/Test workloads on NC2 on AWS if you may be running out of capacity on on-prem. Utilize a
single management plane to operate and manage your workloads across your data center and NC2 on
AWS environments.
• Modernize Applications with AWS: Significantly accelerate your time to migrate applications to AWS
with a simple lift-and-shift operation—no need to refactor your workloads or rewrite your applications.
Get your on-prem workloads to AWS faster and modernize your applications with direct integrations
with all AWS services.
For more information, see NC2 Use Cases.
NC2 eliminates the complexities in managing networking, using multiple infrastructure tools, and
rearchitecting the applications.
NC2 offers the following key benefits:

• Cluster management:

• A single management console to manage private and public clouds

• Built-in integration into public cloud networking
• Burst into public clouds to meet a seasonal increase in demand
• Modernize applications and connect natively to cloud services
• Use public clouds for high availability and disaster recovery
• Easy to deploy and manage
• App mobility:

• Lift and shift applications with no retooling and refactoring

• Same performance as on-prem cloud and public clouds
• Cost management:

• Flexible subscription options

• Pay based on your actual usage or make an upfront commitment
• Use your existing Nutanix licenses for NC2

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 10

AWS Infrastructure for NC2
The NC2 console places the complete Nutanix hyperconverged infrastructure (HCI) stack directly on a
bare-metal instance in Amazon Elastic Compute Cloud (EC2). This bare-metal instance runs a Controller
VM (CVM) and Nutanix AHV as the hypervisor like any on-premises Nutanix deployment, using the AWS
Elastic Network Interface (ENI) to connect to the network. AHV user VMs do not require any additional
configuration to access AWS services or other EC2 instances.
Within the VPC where NC2 is deployed, you need the following subnets to manage inbound and outbound
traffic:

• One private management subnet for the internal cluster management and communication between
CVM, AHV, and so on.
• One public subnet with an Internet gateway and NAT gateway to provide external connectivity to the
NC2 portal.
• One or more private subnets for UVM traffic, depending on your needs.

Note: All NC2 cluster deployments are single AZ deployments. Therefore, your UVM subnets will be in the
same AZ as the Management subnet. You must not add the Management subnet as a UVM subnet in Prism
Element because UVMs and Management VMs must be on separate subnets.

Figure 3: AWS Infrastructure for NC2

When you deploy a Nutanix cluster in AWS by using the NC2 console, you can either choose to deploy the
cluster in a new VPC and private subnet, or choose to deploy the cluster in an existing VPC and private
subnet. If you opt to deploy the cluster in a new VPC, during the cluster creation process, the NC2 console
provisions a new VPC and private subnet for management traffic in AWS. You must manually create one or
more separate subnets in AWS for user VMs.

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 11

NC2 on AWS Deployment Models
NC2 on AWS supports several deployment models that help deploying NC2 in varying customer
environments. The following are the most common deployment models:

• Single Availability Zone Deployment

• Multiple Availability Zone Deployment
• Multicluster Deployment
Several AWS components get installed as part of NC2 on AWS deployment. For more information, see
AWS Components Installed.
Nutanix cluster is deployed in AWS in approximately 45 to 60 minutes. If there are any issues with
provisioning the Nutanix cluster, see the Notification Center on the NC2 console.
The following table lists the time taken by each stage of cluster deployment.

Table 2: Cluster Deployment Stages

Deployment Stage Duration

AHV Download and Installation Approximately 35 to 45 minutes.
Happens in parallel on all nodes.

AOS Tar Download Approximately 4 minutes

Happens in parallel on all nodes.

AOS Installation Approximately 15 minutes

Happens in parallel on all nodes.

Cluster creation Approximately 3 minutes per node

Happens in sequence on all nodes.

Restore from AWS S3 Applicable for Hibernate - Resume use

case.
Approximately 1.5 hours per 10 TB of
data to hydrate the cluster once the
nodes are available.

Regardless of your deployment model, there are a few general outbound requirements for deploying
a Nutanix cluster in AWS on top of the existing requirements that on-premises clusters use for support
services. For more information on the endpoints the Nutanix cluster needs to communicate with for a
successful deployment, see Outbound Communication Requirements.

Single Availability Zone Deployment

NC2 on AWS deploys a cluster in a single availability zone by default. Deploying a single cluster in AWS is
beneficial for more ephemeral workloads where you want to take advantage of performance improvements
and use the same automation pipelines you use on-prem. You can use backup products compatible with
AHV to target S3 as the backup destination, and, depending on the failure mode you want to recover from,
you can also replicate that S3 bucket to a different Region. HYCU and Veeam are compatible with AHV.
Alternatively, you can use a third-party partner, such as Veeam or HYCU to backup your data to S3. For
more information, see Tech Note.

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 12

Multiple Availability Zone Deployment
If you do not have an on-prem cluster available for data protection or you want to use the low-latency links
between Availability Zones, you can create a second NC2 cluster in a different Availability Zone.

Figure 4: Multiple Availability Zone Deployment

You can isolate your private subnets for UVMs between clusters and use the private Nutanix management
subnets to allow replication traffic between them. All private subnets can share the same routing table. You
must edit the inbound access in each Availability Zone’s security group as shown in the following tables to
allow replication traffic.

Table 3: Availability Zone 1 NC2 on AWS Security Group Settings

Type Protocol Port Range Source Description

Custom TCP rule TCP 9440 10.88.4.0/24 UI access
Custom TCP rule TCP 2020 10.88.4.0/24 Replication
Custom TCP rule TCP 2009 10.88.4.0/24 Replication

Table 4: Availability Zone 2 NC2 on AWS Security Group Settings

Type Protocol Port Range Source Description

Custom TCP rule TCP 9440 10.88.2.0/24 UI access
Custom TCP rule TCP 2020 10.88.2.0/24 Replication
Custom TCP rule TCP 2009 10.88.2.0/24 Replication

If Availability Zone 1 goes down, you can activate protected VMs on the cluster in Availability Zone 2.
Once Availability Zone 1 comes back online, you can redeploy a Nutanix cluster in Availability Zone 1 and
reestablish data protection. New clusters require full replication.

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 13

Multicluster Deployment
To protect your Nutanix cluster if there is an Availability Zone failure, use your existing on-prem Nutanix
cluster as a disaster recovery target.

Figure 5: Hybrid Deployment

The following table lists the inbound ports you need to establish replication between an on-premises cluster
and a Nutanix cluster running in AWS. You can create these ports on the infrastructure subnet security
group that was automatically created when you deployed NC2 on AWS. The ports must be open in both
directions.

Table 5: Inbound Security Group Rules for AWS

Type Protocol Port Range Source Description

SSH TCP 22 On-premises CVM SSH into the AHV
subnet node
Custom TCP rule TCP 2222 On-premises CVM SSH access to the
subnet CVM
Custom TCP rule TCP 9440 On-premises CVM UI access
subnet
Custom TCP rule TCP 2020 On-premises CVM Replication
subnet
Custom TCP rule TCP 2009 On-premises CVM Replication
subnet

Note: Make sure you set up the cluster virtual IP address for your on-premises and AWS clusters. This IP
address is the destination address for the remote site.

Nutanix has native inbuilt replication capabilities to recover from complete cluster failure. Nutanix
supports asynchronous replication. You can set your Recovery Point Objective (RPO) to be one hour with
asynchronous replications.

AWS Components Installed

When deploying NC2 on AWS, several AWS components get installed.
The following table lists the mandatory AWS components that are either installed when the option to create
a new VPC is selected during NC2 on AWS deployment or you need to install manually when you choose
to use an existing VPC.

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 14

 Note: You can configure Prism to be accessible from the public network and then manually configure the
AWS resources, such as Load Balancer, NAT Gateway, Public IPs, and Internet Gateway for public access.

Table 6: Mandatory AWS Components Installed on Deployment

AWS Component Charged by AWS Description

Compute (Dedicated EC2 Hosts)
Bare metal Instances Yes For the lists of the supported AWS EC2 bare-metal
instance, see Supported Regions and Bare-metal
Instances.
Networking and Security
Elastic Network Interfaces No ENIs are used for UVMs on each host in the cluster.
(ENIs) Each ENI can have up to 50 IP addresses with 49
usable IPs (because the host will use 1 IP). If the IPs
are exhausted by the UVMs, then another ENI will be
added to the host. There can be a maximum of 14
ENIs per host.
Load Balancer Yes A load balancer is deployed only when deploying in
new VPC from the NC2 portal and only when Prism
access from the Internet is set to public. If deploying
in existing VPC, you can leverage an existing Load
Balancer.
Charges are also applicable for additional items.

NAT Gateway Yes A NAT gateway is deployed only when deploying in

new VPC. If deploying in an existing VPC, you can
leverage an existing NAT Gateway.
Charges are also applicable for data traffic.

Internet Gateway No Internet Gateway is deployed only when deploying in

new VPC. If deploying in an existing VPC, you can
leverage an existing Internet Gateway.
Charges are only applicable for data traffic.

Public IP Yes Public IP is deployed if Load Balancer is deployed

upon deployment.
Security Groups No You can create and associate AWS security groups
with an EC2 instance to control outbound and inbound
traffic for that instance. A default security group gets
created for every AWS VPC. You can create additional
security groups for each VPC and then associate them
with the resources in that VPC.
Access Control Lists (ACLs) No You can use the default ACL, or you can create a
custom ACL with rules that are similar to the rules for
your security groups.

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 15

AWS Component Charged by AWS Description
VPC No A VPC is deployed only when you choose to create
a new VPC at the time of cluster creation on the NC2
portal.
Charges are also applicable for data traffic.

Subnets No When you deploy a Nutanix cluster in AWS by using

the NC2 console, you can either choose to deploy the
cluster in a new VPC and private subnet, or choose
to deploy the cluster in an existing VPC and private
subnet. If you opt to deploy the cluster in a new
VPC, during the cluster creation process, the NC2
console provisions a new VPC and private subnet for
management traffic in AWS. You must manually create
one or more separate subnets in AWS for user VMs.
Storage
Elastic Block Store (EBS) Yes Each node in the NC2 cluster has two EBS volumes
attached (AHV EBS and CVM EBS). Both are
encrypted gp3 volumes. The size of AHV EBS volume
is 100 GB and CVM EBS is 150 GB. Software, configs,
and logs require 250GB per host.
Storage is needed during cluster creation also.

EBS Snapshots Yes Upon hibernating a cluster, snapshots of the EBS

volumes on each host are taken.
S3 Yes An S3 bucket is created at the time of cluster creation,
which remains empty until the Hibernate feature is
used. When the Hibernate feature is used, all data
from your NC2 cluster is placed in the S3 bucket. Once
the cluster is resumed, data is hydrated back onto
hosts but also stays in the S3 bucket as a backup.

Note: The S3 bucket used must not be publicly

accessible.

If you intend to protect your clusters using the Cluster

Protect feature, you need two more S3 buckets.
For more information, see Prerequisites for Cluster
Protect.
Charges are also applicable for data traffic.

The following table lists the optional AWS components that can be used with the NC2 on AWS deployment.

Table 7: Optional AWS Components

AWS Component Charged by AWS Description

Network Connectivity

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 16

 AWS Component Charged by AWS Description
VPN Yes A VPN or Direct Connect is needed for connectivity
between on-prem and AWS.
Direct Connect Yes
Charges are also applicable for data traffic.

Transit Gateway Yes Charges are also applicable for data traffic.

Network Services
AWS DNS Used by clusters for VMs by default.
You can configure AHV to use own DNS.

You can view all the resources allocated to a cluster running on AWS.
To view the cloud resources created by NC2, perform the following:
1. Sign in to NC2 from the My Nutanix dashboard.
2. In the Clusters page, click the name of the cluster.
3. On the left navigation pane, click Cloud Resources.
The Cloud Resources page displays all the resources associated with the cluster.

Figure 6: Viewing Cloud Resources

NC2 Architecture
The bare-metal instance runs the AHV hypervisor and the hypervisor, like any on-premises deployment,
runs a Controller Virtual Machine (CVM) with direct access to NVMe instance storage hardware.
AOS Storage uses the following three core principles for distributed systems to achieve linear performance
at scale:

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 17

 1. Must have no single points of failure (SPOF).
2. Must not have any bottlenecks at any scale (must be linearly scalable).
3. Must apply concurrency (MapReduce).
Together, a group of Nutanix nodes forms a distributed system (Nutanix cluster) responsible for providing
the Prism and Acropolis capabilities. Each cluster node has two EBS volumes attached. Both are
encrypted gp3 volumes. The size of AHV EBS volume is 100 GB and CVM EBS is 150 GB. All services
and components are distributed across all CVMs in a cluster to provide for high-availability and linear
performance at scale.

Figure 7: NC2 on AWS Architecture

This enables our MapReduce Framework (Curator) to use the full power of the cluster to perform
activities concurrently. For example, activities such as data reprotection, compression, erasure coding,
deduplication, and more.

Figure 8: Cluster Deployment in a VPC

Preventing Network Partition Errors

AOS Storage uses the Paxos algorithm to avoid split-brain scenarios. Paxos is a proven protocol for
reaching consensus or quorum among several participants in a distributed system.

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 18

 Before any file system metadata is written to Cassandra, Paxos ensures that all nodes in the system agree
on the value. If the nodes do not reach a quorum, the operation fails in order to prevent any potential
corruption or data inconsistency. This design protects against events such as network partitioning, where
communication between nodes may fail or packets may become corrupt, leading to a scenario where
nodes disagree on values. AOS Storage also uses time stamps to ensure that updates are applied in the
proper order.

Resolving Bad Disk Resources

AOS Storage incorporates a Curator process that performs background housekeeping tasks to keep the
entire cluster running smoothly.
The multiple responsibilities of Curator include ensuring file system metadata consistency and combing the
extent store for corrupt and under replicated data.
Also, Curator scans extents in successive passes, computes each extent’s checksum, and compares it
with the metadata checksum to validate consistency. If the checksums do not match, the corrupted extent
is replaced with a valid extent from another node. This proactive data analysis protects against data loss
and identifies bad sectors you can use to detect disks that are about to fail.

Maintaining Availability: Node and Rack Failure

The cluster orchestrator running in the cloud service is responsible for maintaining your intended capacity
under rack and node failures.
Instances in the cluster are deployed using a partition placement group with seven partitions. A placement
group is created for each instance type and the instances are maintained well balanced within the
placement group. The placement group + partition number is translated into a rack ID of the node. This
enables AOS Storage to place meta data and data replicas in different fault domains.

Figure 9: NC2 on AWS –- Partition Placement (Multi)

Setting up a cluster with redundancy factor 2 (RF2) protects data against a single rack failure and setting it
up with RF3 protects against a two-rack failure. Also, to protect against multiple correlated failures within a
data center and an entire AZ failure, Nutanix recommends you set up sync replication to a second cluster
in a different AZ in the same Region or an Async replication to an AZ in a different Region. AWS data
transfer charges may apply.

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 19

 AWS deploys each node of the Nutanix cluster on a separate AWS rack (also called AWS partition) for fault
tolerance.
If a cluster loses rack awareness, an alert is displayed in the Alerts dashboard of the Prism Element web
console and the Data Resiliency Status dashboard displays a Critical status.
A cluster might lose rack awareness if you:
1. Update the cluster capacity.
For example, if you add or remove a node.
2. Manually replace a host or the replace host action is automatically triggered by the NC2 console.
3. Change the Replication Factor (RF), that is from RF2 to RF3.
4. Create a cluster with either 8 or 9 nodes and configure RF3 on the cluster.
5. Deploy a cluster in an extremely busy AWS region.
This is a rare scenario in which the cluster might get created without rack awareness due to limited
availability of resources in that region. For more details on the Nutanix metadata awareness conditions,
visit the AOS Storage section in the Nutanix Bible.
The Strict Rack Awareness feature helps to maintain rack awareness in the scenarios listed above. To
maintain the rack awareness for Clusters on AWS, you need to enable the Strict Rack Awareness feature
and maintain at least three racks for RF2 or at least five racks for RF3. This feature is disabled by default.
You can run the following nCLI command to enable Strict rack Awareness:
ncli cluster enable-strict-domain-awareness

If you want to disable Strict rack Awareness, run the following nCLI command:
ncli cluster disable-strict-domain-awareness

Contact Nutanix Support for assistance if you receive an alert in the Prism Element web console that
indicates your cluster has lost rack awareness.

Maintaining Availability: AZ Failure

AWS Availability Zones are distinct locations within an AWS Region that are engineered to be isolated from
failures in other Availability Zones. They provide inexpensive, low-latency network connectivity to other
Availability Zones in the same AWS Region.
Similarly, the storage is also designed to be ephemeral in nature. Although rare, failures can occur that
affect the availability of instances that are in the same AZ. If you host all your instances in a single AZ that
is affected by such a failure, none of your instances are available.
Deployment of a production cluster in an AZ without protection either by using disaster recovery to on-prem
or Nutanix Disaster Recovery results in data loss if there are AZ failures. You can use Nutanix Disaster
Recovery to protect your data to another on-prem cluster, or another Nutanix NC2 cluster in a different
Availability Zone. For more information, see Nutanix Disaster Recovery Guide.

Note: If your cluster is running in a single AZ without protection either by using disaster recovery to on-prem
or Nutanix Disaster Recovery beyond 30 days, the Nutanix Support portal displays a notification indicating
that your cluster is not protected.
The notification includes a list of all the clusters that are in a single AZ without protection.
Hover over the notification for more details and click Acknowledge. Once you acknowledge the
notification, the notification disappears and appears only if another cluster exceeds 30 days in a
single availability zone without protection.

Nutanix has native inbuilt replication capabilities to recover from complete cluster failure. Nutanix supports
asynchronous replication where you can set your Recovery Point Objective (RPO) to be 1 hour with
asynchronous replication.

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 20

NC2 Security Approach
Nutanix takes a holistic approach to security and mandates the following to deploy a secure NC2
infrastructure:
1. An AWS account with the following permissions.
1. IAMFullAccess
2. AWS_ConfigRole
3. AWSCloudFormationFullAccess
These permissions are only required for the creation of CloudFormation template and NC2 does not use
these for any other purpose.
You can view information about your CloudFormation stack, namely Nutanix-Clusters-High-Nc2-
Cloud-Stack-Prod, on the Stacks page of the CloudFormation console.

Figure 10: Viewing CloudFormation Template

The CloudFormation template creates the Nutanix-Clusters-High-Nc2-Cluster-Role-Prod and

Nutanix-Clusters-High-Nc2-Orchestrator-Role-Prod IAM roles. To view the permissions and policies
attached to these IAM roles, you can sign into the AWS Management Console and open the IAM
console at https://console.aws.amazon.com/iam/ and then choose Roles > Permissions.

Figure 11: Viewing IAM Roles

Note: Do not use the AWS root user for any deployment or operations related to NC2.
NC2 on AWS does not use AWS Secrets Manager for maintaining any stored secrets. All
customer-sensitive data is stored on customer-managed cluster. Local NVMe storage on the
bare-metal is used for storing customer-sensitive data. Nutanix does not have any visibility
into customer-sensitive data stored locally on the cluster. Any data sent to Nutanix concerning
cluster health is stripped of any Personal Identifiable Information (PII).

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 21

2. Access control and user management in the NC2 console.

Note: Nutanix recommends following the policy of least privilege for all access granted while deploying
NC2. For more information, see NC2 User Management.

For more information about how security is implemented in a Nutanix Cluster environment, see Network
Security using AWS Security Groups.

Data Encryption
To help reduce cost and complexity, Nutanix supports a native local key manager (LKM) for all clusters with
three or more nodes. The LKM runs as a service distributed among all the nodes. You can activate LKM
from Prism Element to enable encryption without adding another silo to manage.
You can activate LKM from Prism Element to enable encryption without adding another silo to manage. If
you are looking to simplify your infrastructure operations, you can also use one-click infrastructure for your
key manager.
Organizations often purchase external key managers (EKMs) separately for both software and hardware.
However, because the Nutanix LKM runs natively in the CVM, it is highly available and there is no variable
add-on pricing based on the number of nodes. Every time you add a node, you know the final cost.
When you upgrade your cluster, the key management services are also upgraded. When upgrading the
infrastructure and management services in lockstep, you are ensuring your security posture and availability
by staying in line with the support matrix.
Nutanix software encryption provides native AES-256 data-at-rest encryption, which can interact with any
KMIP-compliant or TCG-compliant external KMS server (Vormetric, SafeNet, and so on) and the Nutanix
native KMS, introduced in AOS version 5.8. The system uses Intel AES-NI acceleration for encryption and
decryption processes to minimize any potential performance impacts. Nutanix software encryption also
provides in-transit encryption. Note that in-transit encryption is currently applicable within a Nutanix cluster
for data RF.

Cloud Clusters (NC2) | Nutanix Cloud Clusters (NC2) Overview | 22

GETTING STARTED WITH NC2
Perform the tasks described in this section to get started with NC2 on AWS.
Before you get started, ensure that you have registered for NC2 on AWS from the My Nutanix portal. See
NC2 Payment Methods on page 69 for more information.
For more information on AOS and other software compatibility details, visit Release Notes and Software
Compatibility.
After you create a cluster in AWS, set up the network and security infrastructure in AWS and the cluster for
your user VMs. For more information, see User VM Network Management and Security on page 102 and
Network Security using AWS Security Groups.

Requirements for NC2 on AWS

This guide assumes prior knowledge of the Nutanix stack and AWS EC2, VPC, and CloudFormation
services and familiarity of AWS framework is highly recommended to operate significant deployments on
AWS.
Following are the requirements to use NC2 on AWS.

AWS Account Requirements

1. Configure an AWS account to access the AWS console.

Note: You must have CreateRole access to the AWS account.

2. Configure an AWS IAM user with the following permissions:

• IAMFullAccess: Grants the NC2 console access to your AWS account, and grants AWS API access
to the AHV instances
• AWS_ConfigRole: Grants AWS Config permission to get configuration details for supported AWS
resources
• AWSCloudFormationFullAccess: Used to create the initial AWS resources required to link your
AWS account and create a CloudFormation stack
Use the credentials of this IAM user when you are adding your AWS cloud account to the NC2
console. When you are adding your AWS cloud account, you run a CloudFormation template, and the
CloudFormation script adds two IAM roles to your AWS account. One role allows the NC2 console to
access your AWS account by using APIs and the other role is assigned to each of your bare-metal
instances. For more information on IAM roles, see NC2 Security Approach.
See Security Best Practices in IAM for more information on securing your AWS resources.

Cloud Clusters (NC2) | Getting Started With NC2 | 23

3. Review the supported regions and bare-metal instances. For details, see Supported Regions and Bare-
metal Instances.
AWS supports the following vCPU limits for the bare-metal instances available for NC2.

• i4i.metal - 128 vCPUs for each instance

• m6id.metal - 128 vCPUs for each instance
• m5d.metal: 96 vCPUs for each instance
• i3.metal: 72 vCPUs for each instance
• i3en.metal: 96 vCPUs for each instance
• z1d.metal: 48 vCPUs for each instance
• g4dn metal: 96 vCPUs for each instance

Note: Before you deploy a cluster, check if the EC2 instance type is supported in the Availability Zone in
which you want to deploy the cluster.
All instance types are not supported in all the availability zones in an AWS region. An error
message is displayed if you try to deploy a cluster with an instance type that is not supported
in the availability zone you selected.

Configure a sufficient vCPU limit for your AWS account. If you do not have the sufficient vCPU limit set
for your AWS account, cluster creation fails.
You can calculate your vCPU limit in the AWS console under EC2 > Limits > Limits Calculator.

Note: Each node in a Nutanix cluster has two EBS volumes attached (AHV EBS and CVM EBS). Both are
encrypted gp3 volumes. The size of AHV EBS volume is 100 GB and CVM EBS is 150 GB.

To learn more about setting AWS vCPU Limits for NC2, see the Nutanix University video.
NC2 on AWS supports accessing the instance metadata from a running instance using one of the following
methods:

• Instance Metadata Service Version 1 (IMDSv1) – a request/response method

• Instance Metadata Service Version 2 (IMDSv2) – a session-oriented method
By default, you can use either IMDSv1 or IMDSv2, or both. For more information on how to configure the
instance metadata options, see AWS Documentation.

My Nutanix Account Requirements

Configure a My Nutanix account, that is an account to access the NC2 console. See NC2 Payment
Methods for more information.

Cluster Protect Requirements

If you intend to protect your clusters using the Cluster Protect feature, you need to meet additional
requirements. For more information, see Prerequisites for Cluster Protect.

Cloud Clusters (NC2) | Getting Started With NC2 | 24

 Networking Requirements
1. Configure connectivity between your on-prem datacenter and AWS VPC by using either VPN or Direct
Connect if you want to pair both the clusters for data protection and other reasons.
See AWS Site-to-Site VPN to connect AWS VPC by using VPN.
To learn more about setting up a VPN to on-prem, see the Nutanix University video.
See Connect Your Data Center to AWS to connect AWS VPC by using Direct Connect.
2. Allow outbound internet access on your AWS VPC, so that the NC2 console can successfully provision
and orchestrate Nutanix clusters in AWS.
See AWS VPC documentation for more information about how to allow outbound internet access on
your AWS VPC.
3. If you deploy AWS Directory Service in a selected VPC or subnet to resolve DNS names, ensure that
AWS Directory Service resolves the following FQDN successfully to avoid deployment failure.
FQDN: gateway-external-api.cloud.nutanix.com
4. Configure the AWS VPC infrastructure. You can choose to create a new VPC as part of cluster creation
from the NC2 portal or use an existing VPC.
To learn more about setting up an AWS Virtual Private Cloud (VPC) manually, see the Nutanix
University video.
5. If you use an existing VPC, you need two private subnets, one for user VMs and one for cluster
management. If you choose to create a new VPC during the cluster creation workflow, then the NC2
console creates the required private subnets.
6. Create an internet gateway and attach it to your VPC. Set the default route on your Public Route Table
to the internet gateway.
7. Create a public NAT gateway and associate it with the public subnet and assign a public elastic IP
address to the NAT gateway. Set the default route for your default route table to the NAT gateway.
8. If you use AOS 5.20, ensure that the cluster virtual IP address is set up for your on-premises and NC2
on AWS cluster after the cluster is created. This is not needed for NC2 with AOS 6.x as the orchestrator
automatically assigns these IPs. This IP address is the destination address for the remote site.

Supported Regions and Bare-metal Instances

Nutanix Cloud Clusters (NC2) running on AWS supports certain EC2 bare-metal instances in various AWS
regions.

Note: NC2 might not support some bare-metal instance types in certain regions due to limitations in the
number of partitions available. NC2 supports EC2 bare-metal instances in regions with three or more
partitions. The support for g4dn.metal instance type is only available on clusters with AOS 6.1.1 and 5.20.4
or later releases.
You can use a combination of i3.metal, i3en.metal, and i4i.metal instance types or
z1d.metal, m5d.metal, and m6id.metal instance types while creating a new cluster or
expanding the cluster capacity of an already running cluster. The combination of these instance
types is subject to bare-metal support from AWS in the region where the cluster is being
deployed. For more details, see Creating a Heterogeneous Cluster.
You can only create homogenous clusters with g4dn.metal instances; it cannot be used to create
a heterogeneous cluster.

The following table lists the AWS EC2 bare-metal instance types supported by Nutanix.

Cloud Clusters (NC2) | Getting Started With NC2 | 25

Table 8: EC2 Bare-metal Instance Details

Metal types Details

i4i.metal 64 physical cores, 1024 GiB Memory, 27.28 TiB

NVMe SSD storage
m6id.metal 64 physical cores, 512 GiB memory, 7.42 TiB NVMe
SSD storage
m5d.metal 48 physical cores, 384 GiB memory, 3.27 TiB NVMe
SSD storage
i3.metal 36 physical cores, 512 GiB memory, 13.82 TiB
NVMe SSD storage
i3en.metal 48 physical cores, 768 GiB memory, 54.57 TiB
NVMe SSD storage
z1d.metal 24 physical cores, 384 GiB memory, 1.64 TiB NVMe
SSD storage
g4dn.metal 48 physical cores, 384 GiB Memory, 128 GiB GPU
Memory, 1.64 TiB NVMe SSD storage

For more information, see Hardware Platform Spec Sheets. Select NC2 on AWS from the Select your
preferred Platform Providers list.
The following table lists the detailed information for each bare-metal instance type supported in each AWS
region.

Table 9: AWS Clusters - Available Regions and Supported Bare-metal Types

Region i4i.metal m6id.metal m5d.metal i3.metal i3en.metal z1d.metal g4dn.metal

name

US-East Yes Yes Yes Yes Yes Yes Yes

(N.Virginia)
US-East Yes Yes Yes Yes Yes Yes Yes
(Ohio)
US-West Yes No Yes Yes Yes Yes Yes
(N.California)
US-West Yes Yes Yes Yes Yes Yes Yes
(Oregon)
Africa Yes No Yes Yes Yes No Yes
(Cape
Town)*
Asia Pacific Yes No Yes Yes Yes No Yes
(Hong
Kong)*
Asia Pacific Yes No Yes No Yes No No
(Jakarta)*
Asia Pacific Yes No Yes Yes Yes Yes Yes
(Mumbai)

Cloud Clusters (NC2) | Getting Started With NC2 | 26

Region i4i.metal m6id.metal m5d.metal i3.metal i3en.metal z1d.metal g4dn.metal
name
Asia Pacific Yes No Yes No Yes No No
(Hyderabad)*
Asia Pacific Yes No Yes Yes Yes Yes Yes
(Seoul)
Asia Pacific Yes No Yes Yes Yes Yes Yes
(Singapore)
Asia Pacific Yes Yes Yes Yes Yes Yes Yes
(Sydney)
Asia Pacific Yes No Yes No Yes No No
(Melbourne)*
Asia Pacific Yes Yes Yes Yes Yes Yes Yes
(Tokyo)
Asia Pacific Yes No Yes Yes Yes No Yes
(Osaka)
Canada Yes No Yes Yes Yes No Yes
(Central)
EU Yes Yes Yes Yes Yes Yes Yes
(Frankfurt)
EU Yes Yes Yes Yes Yes Yes Yes
(Ireland)
EU Yes No Yes Yes Yes Yes Yes
(London)
EU (Milan)* Yes No Yes Yes Yes No Yes
EU (Paris) Yes No Yes Yes Yes No Yes
EU Yes No Yes Yes Yes No Yes
(Stockholm)
EU (Spain)* No No Yes No Yes No No
EU Yes No Yes No Yes No No
(Zurich)*
Israel (Tel No No Yes No Yes No No
Aviv)*
Middle East Yes No Yes No Yes No Yes
(Bahrain)*
Middle East Yes No Yes No Yes No No
(UAE)*
South Yes No Yes Yes Yes No Yes
America
(Sao Paulo)
AWS No No Yes No Yes No No
GovCloud
(US-East)

Cloud Clusters (NC2) | Getting Started With NC2 | 27

 Region i4i.metal m6id.metal m5d.metal i3.metal i3en.metal z1d.metal g4dn.metal
name
AWS No No Yes Yes Yes No No
GovCloud
(US-West)

* - These regions are not auto-enabled by AWS. Ensure you first enable them in your AWS account before
using them with NC2. For more information on how to enable a region, see AWS documentation. Once you
have enabled these regions in your AWS console, ensure they are also selected in your NC2 portal. For
more information, see the instructions about adding cloud regions to the NC2 console in Adding an AWS
Cloud Account.

Note: An instance type may not be supported in a region because the number of partitions is less than the
minimum three partitions required by NC2 or the instance type is not supported by AWS in the specified
region.

Installing NVIDIA grid host driver for AHV on G4dn.metal instance

Nutanix Cloud Clusters (NC2) supports AWS G4dn.metal bare-metal instances from AOS 6.1.1 (STS)
and AOS 5.20.4 (LTS) release onwards. G4dn.metal is the only GPU-enabled instance provided by
AWS currently being supported in NC2. Users wanting to use NC2 on AWS with G4dn.metal instances
need to install the NVIDIA grid host driver for AHV on each node running with G4dn.metal instances. It
supports NVIDIA T4 GPUs. Visit https://aws.amazon.com/ec2/instance-types/g4/ to learn more about AWS
G4dn.metal instances. To find more details on the GPU PCIs, run lspci | grep "NVIDIA" command
from the AHV host.

Note: You have to manually install the NVIDIA driver on each new node when you expand the cluster size.
Also, NC2 may automatically replace nodes in your cluster if there are issues with node availability. In such a
scenario, the user must also install the NVIDIA driver on the new node procured by NC2.

Note: If a GPU card is present in your cluster, LCM restricts update to AHV if it does not detect a compatible
NVIDIA GRID driver in its inventory. To fetch a compatible NVIDIA GRID driver for your version of AHV, see
Updating the NVIDIA GRID Driver with LCM.

Perform the following steps to install the NVIDIA driver on the G4dn hosts:
1. Download the NVIDIA host driver version 13.0 from the Nutanix portal at https://portal.nutanix.com/
page/downloads?product=ahv&bit=NVIDIA.

2. For detailed installation instructions on NVIDIA driver, see Installing the NVIDIA grid driver.

Note: Users have to sign in to controller VMs in the cluster with the SSH key pair provided during the
cluster creation instead of the default user credentials.
For more information about assigning and configuring a vGPU profile to a VM, see "Creating a
VM (AHV)" in the "Prism Web Console Guide".

Cloud Clusters (NC2) | Getting Started With NC2 | 28

 3. Perform the following steps to install the NVIDIA guest driver into guest VMs:
1. Ensure the guest driver version/build matches the host driver version/build. For more information
about the build number and version number matrix, see NVIDIA Virtual GPU (vGPU) Software
Documentation web page.
2. Install the NVIDIA vGPU Software Graphics Driver. For more information, see "Installing the NVIDIA
vGPU Software Graphics Driver" in the NVIDIA "Virtual GPU Software User Guide".
3. Download the NVIDIA GRID drivers for the guest driver from the NVIDIA dashboard.

Note: NVIDIA vGPU guest OS drivers for product versions 11.0 or later can be acquired using
NVIDIA Licensing Software Downloads under:

• All Available
• Product Family = vGPU
• Platform = Linux KVM
• Platform Version = All Supported
• Product Version = (match host driver version)
AHV-compatible host and guest drivers for older AOS versions can be found on the NVIDIA
Licensing Software Downloads site under 'Platform = Nutanix AHV'.

Limitations
Following are the limitations of NC2 in this release:

• A maximum of 28 nodes are supported in a cluster. NC2 supports 28-node cluster deployment in AWS
regions that have seven placement groups.

Note: NC2 does not recommend using single-node clusters in production environments.

• Two-node clusters are not supported.

• There can be a maximum of 14 ENIs per host. Each ENI can have up to 50 IP addresses with 49 usable
IPs. For more information, see AWS Elastic Network Interfaces (ENIs) and IP Addresses.
• You can create a heterogeneous cluster using a combination of i3.metal, i3en.metal, and
i4i.metal instance types or z1d.metal, m5d.metal, and m6id.metal instance types. However,
you can only create homogenous clusters with g4dn.metal instances; it cannot be used to create a
heterogeneous cluster. See Creating a Heterogeneous Cluster for more details.
• NC2 does not support sharing of AWS subnets among multiple clusters.
• Only IPv4 is supported.
• Do not use 192.168.5.0/24 CIDR for the VPC being used to deploy the NC2 on AWS cluster. All Nutanix
nodes use that CIDR for communication between the CVM and the installed hypervisor.
• Unmanaged networks are not supported in this release.
• Broadcast and unknown unicast traffic are dropped.
• The default configuration for CVMs on NC2 is 32 GiB of RAM
• If you choose to create a new VPC by using the NC2 console when you are creating a cluster, you
cannot deploy other clusters in that VPC. However, if you choose to deploy a cluster in an existing VPC
(VPC you created using the AWS console), you can deploy multiple clusters in that VPC.

Cloud Clusters (NC2) | Getting Started With NC2 | 29

 • For Prism Central scale-out deployments used in an NC2 on AWS environment, reconfiguration of
Prism Central VM IP addresses is not supported.
If you intend to protect your clusters using the Cluster Protect feature, understand the limitations of using
this feature listed in Limitations of Cluster Protect.

Non-Applicable On-Prem Configurations and Settings

Following is a list of the configurations and settings that are supported in an on-prem Nutanix cluster, but
are not applicable to a cluster running in AWS.

Prism Element and Prism Central Configurations

VLAN ID:
AWS does not support VLANs. Therefore, if you deploy a cluster on AWS, you do not need to
provide the VLAN ID when you create or update the network in the cluster. The VLAN ID is replaced
by the subnet ID, which uniquely identifies a given network in a VPC.
Network Visualization:
The Network Visualization feature of the on-prem Prism Element (Prism Element) web console is
a consolidated graphical representation of the network of the Nutanix cluster VMs, hosts, network
components (as physical and logical interfaces), and attached first-hop switches (alternately
referred to as Top-of-Rack (ToR) switch or switches in this document). In an on-prem cluster, the
information about ToR Switches is configured by using a CLI command. The cluster also uses
SNMP and LLDP to fetch more information from the switch.

In a cluster running in AWS, you have no visibility into the actual cloud infrastructure such as the
ToR switches. API support is not available to discover the cloud infrastructure components in
Nutanix clusters. Given that the cluster is deployed in a single VPC, the switch view is replaced
by the VPC. Any configuration options on the network switch are disabled for clusters deployed in
AWS.
Uplink Configuration:
The functionality to update the uplink configuration is disabled for a cluster running in AWS.
Hardware Configuration:
The Switch tab in the Hardware menu of the Prism Element web console is disabled for a cluster
running in AWS.
Rack Configuration:
The functionality to configure racks is disabled for a cluster running in AWS. Clusters are deployed
as rack-aware by default. APIs to create racks are also disabled on clusters running in AWS.
Broadcast and LLDP:
AWS does not support broadcast and any link layer information based on protocols such as LLDP.
Host NIC:
Elastic Network Interfaces (ENIs) provisioned on bare-metal AWS instances are virtual interfaces
provided by Nitro cards. AWS does not provide any bandwidth guarantees for each ENI, but
provides an aggregate multi-flow bandwidth of 25G. Also, when clusters are deployed on AWS, ENI
creation and deletion is dynamic based on UVMs and you do not need to perform these workflows.
Hence, the Prism Element web console displays only single host NIC information, that is eth0,
which is the primary ENI of the bare-metal instance. All the configuration and statistical attributes
are associated with eth0.

Cloud Clusters (NC2) | Getting Started With NC2 | 30

 Hosts Only No Blocks:
Hosts are independent and not put together as a block. The block view is changed to host view in
the Prism Element web console.
Field Replaceable Units:
The functionality to replace and repair disks is disabled for a cluster running in AWS.
Backplane LAN:
NC2 on AWS do not support RDMA based vNICs and hence the support for backplane LAN is
disabled.
Firmware Upgrades:
For an on-prem cluster, Life Cycle Manager (LCM) allows you to perform upgrades of the BMC,
BIOS, and any hardware component firmware. However, these components are not applicable to
clusters deployed in AWS. Therefore, LCM does not list these items in the upgrade inventory.
License Updates:
You cannot update your NC2 licenses by using the Prism Element web console. Update your NC2
licenses by using the NC2 console.

Cluster Operations
Perform the following actions using the NC2 console:

• Cluster deployment and provisioning must be performed by using the NC2 console and not by using
Foundation.
• Perform add node and remove node operations by using the NC2 console and not by using the Prism
Element web console.

aCLI Operations
The following aCLI commands are disabled in a cluster in AWS:

Namespace Options
net create_cluster_vswitch
delete_cluster_vswitch
get_cluster_vswitch
list_cluster_vswitch
update_cluster_vswitch

host enter_maintenance_mode
enter_maintenance_mode_check
exit_maintenance_mode

nCLI Operations
The following nCLI commands are disabled in a cluster in AWS:

Cloud Clusters (NC2) | Getting Started With NC2 | 31

Entity Options
network add-switch-config,
edit-switch-config,
delete-switch-config,
list-switch,
list-switch-ports,
get-switch-collector-config,
edit-switch-collector-config

cluster edit-hypervisor-lldp-params
, get-hypervisor-lldp-config
edit-param disable-degraded-state-monitoring
disk delete, remove-start, remove-status
software download, list, remove, upload

API Operations
The following API calls are disabled or changed in a Nutanix cluster running in AWS:

API Changes
POST : /hosts/{hostid}/enter_maintenance_mode Not supported
POST : /hosts/{hostid}/exit_maintenance_mode Not supported
GET /clusters Values for the rack and block configuration are not
displayed.
POST /cluster/block_aware_fixer Not supported
DELETE /api/nutanix/v1/cluster/rackable_units/ Not supported
{uuid}
DELETE /api/nutanix/v3/rackable_units/{uuid} Not supported
DELETE /api/nutanix/v3//disks/{id} Not supported

Cloud Clusters (NC2) | Getting Started With NC2 | 32

 API Changes
GET /hosts: Returns the instance ID of the AWS instance as
compared to the serial number of the host in an on-
prem cluster.
Returns no values for the following attributes:

• ipmiAddress (string, optional),

• ipmiPassword (string, optional),
• ipmiUsername (string, optional),
• backplaneIp (string, optional),
• bmcModel (string, optional): Specifies the model
of bmc, present on the node,
• bmcVersion (string, optional): Specifies the
version of bmc, present on the node,
• controllerVmBackplaneIp (string, optional),

NC2 Infrastructure Deployment

To deploy an NC2 infrastructure, configure the entities listed in this topic in AWS and the NC2 console.
1. In AWS:
1. Configure an AWS account to access the AWS console.
See How do I create and activate a new AWS account? for more information.
2. Configure an AWS IAM user with the following permissions:
See Creating an IAM User in Your AWS Account for more information.

• IAMFullAccess: Enables the NC2 console to run the CloudFormation template in AWS to link
your AWS and NC2 account.
You use the credentials of this IAM user when you are adding your AWS cloud account to
the NC2 console. When you are adding your AWS cloud account, you run a CloudFormation
template, and the CloudFormation script adds two IAM roles to your AWS account. One role

Cloud Clusters (NC2) | Getting Started With NC2 | 33

 allows the NC2 console to access your AWS account by using APIs and the other role is
assigned to each of your bare-metal instances.

Note: Only the user account you use to add your AWS account to NC2 has the IAMFullAccess
privilege and the NC2 console itself does not have the IAMFullAccess privilege.

• AWS_ConfigRole: Grants AWS Config permission to get configuration details for supported AWS
resources
• AWSCloudFormationFullAccess: Used to create the initial AWS resources needed to link your
AWS account and create a CloudFormation stack

Note: These permissions are only required for the creation of CloudFormation template and NC2
does not use these for any other purpose.

3. A VPC
4. A private subnet for management traffic
5. One or more private subnets for user VM traffic
6. Two new AWS S3 buckets with Nutanix IAM role if you want to use the Cluster Protect feature to
protect Prism Central, UVM, and volume groups data.
See the AWS documentation for instructions about how to configure these requirements.
2. In the NC2 console:
1. A My Nutanix account to access the NC2 console.
See NC2 Payment Methods on page 69 for more information.
2. An organization
See Creating an Organization on page 39 for more information.

Creating My Nutanix Account

You need a My Nutanix account to access the NC2 console. A My Nutanix account allows you to subscribe
to, access, and manage NC2. After creating a My Nutanix account, you can access the NC2 console
through the My Nutanix dashboard. You can use NC2 for a 30-day free trial period (one common free trial
period for NC2 on all supported clouds) or sign up to pay for NC2 usage beyond the free trial period. You
can pay for NC2 using your Nutanix licenses or with one of the subscription plans.
Perform the following procedure to create a My Nutanix account.

Procedure

1. Go to https://my.nutanix.com.

2. Click Sign up now.

3. Enter your details, including first name, last name, company name, Job title, phone number,
country, email, and password.
Follow the specified password policy while creating the password. Personal domain email addresses,
such as gmail.com or yahoo.com are not allowed. You must sign up with a company email address.

4. Click Submit.
A confirmation page appears and you receive an email from [email protected] after you
successfully complete the sign-up process.

5. Click the link in the email to verify your email address.

A confirmation message briefly appears, and you are directed to the Nutanix Support portal.

6. Sign in to the portal using the credentials you specified during the sign-up process.

Cloud Clusters (NC2) | Getting Started With NC2 | 34

7. Click My Nutanix to go to the My Nutanix dashboard.

Cloud Clusters (NC2) | Getting Started With NC2 | 35

8. An educational tutorial explaining the multiple workspaces appears when you access the My Nutanix
for the first time. Click Take a Tour to learn more about workspaces. If you have an existing My Nutanix
account and are familiar with workspaces, click Skip.

Figure 12: Take a tour - multiple workspaces

A default Personal workspace is created after you successfully create a My Nutanix account. You can
rename your workspaces. For more information on workspaces, see Workspace Management.

Note: The default Personal workspace name contains the domain followed by the email address of the
user and the tenant word.

Cloud Clusters (NC2) | Getting Started With NC2 | 36

 Figure 13: Workspace

Starting a Free Trial for NC2

Before you sign up for a paid subscription plan to use NC2, you can start a 30-day free trial. While NC2
supports multiple public clouds (AWS, Azure), Nutanix offers only one 30-day free trial period for NC2. The
free trial is for Nutanix AOS software usage. If your free trial period is expired, consider subscribing to a
paid subscription plan.
After your NC2 trial expires, your cluster will still be accessible, but you will not be able to change the
cluster capacity, hibernate a cluster, or create new clusters until you subscribe to NC2. You will not be
billed for Nutanix software usage while your trial is expired; however, your cloud provider might charge you
for hardware. If needed, the NC2 team can work with you during this period to offer you an extension on
your expired trial.
Your trial remains expired for a grace period of 30 days, after which your NC2 trial gets cancelled, and
no more trial extensions are possible. The NC2 cluster stays running, but you cannot modify the capacity
of an existing cluster, create new clusters, or hibernate a cluster. Billing from your cloud provider will
continue as usual. You can still switch to a paid subscription and regain the capabilities to use the existing
configurations and NC2 features fully. For more information on subscribing to NC2, see Changing Payment
Method.

Note: The owner of the My Nutanix workspace that has been used to start the free trial for NC2 must add
other users from the NC2 console with appropriate RBAC if those users need to manage clusters in the
same tenant. For more information on adding users and the roles that can be assigned, see NC2 User
Management.

Note: You are responsible for any hardware and cloud services costs incurred during the NC2 free trial.

Perform the following procedure to start a free trial of NC2:

Cloud Clusters (NC2) | Getting Started With NC2 | 37

Procedure

1. Sign in to https://my.nutanix.com using your My Nutanix credentials.

Note: Ensure that you select the correct workspace from the Workspace dropdown list on the My
Nutanix dashboard. For more information on workspaces, see Workspace Management.

Figure 14: Selecting a Workspace

2. On the My Nutanix dashboard, scroll to Cloud Services, and under Nutanix Cloud Clusters (NC2),
click Get Started.

Figure 15: Cloud Services - NC2 Get Started

3. On the Nutanix Cloud Clusters (NC2) on Public Clouds page, under Try NC2, click Start your 30
day free trial.

4. You are redirected to the NC2 console. When prompted to accept the Nutanix Cloud Services Terms of
Service, Click I Accept. The NC2 console opens in a new tab. You can now start using NC2.

Note: If you want to subscribe to NC2 instead of using a free trial, you can click the Select from our
available subscription options to get started option, and then complete the subscription on the
Nutanix Billing Center.

Cloud Clusters (NC2) | Getting Started With NC2 | 38

NC2 DEPLOYMENT
The NC2 deployment includes the following steps:

• Create an organization in the NC2 console.

• Add your AWS cloud account to NC2.
• Create a cluster.

Creating an Organization
An organization in the NC2 console allows you to segregate your clusters based on your specific
requirements. For example, create an organization Finance and then create a cluster in the Finance
organization to run only your finance-related applications.

About this task

In the NC2 console, create an organization and then create a cluster within that organization.
To create an organization, perform the following steps:

Procedure

1. Sign in to Nutanix Cloud Clusters (NC2) from the My Nutanix dashboard.

Note: On the My Nutanix dashboard, ensure that you select the correct workspace from the Workspace
dropdown list that shows the workspaces you are part of and that you have used while subscribing to
NC2.

Figure 16: Selecting a Workspace

Cloud Clusters (NC2) | NC2 Deployment | 39

 2. In the Organizations tab, click Create Organization.

Figure 17: NC2 Create Organization

3. In the Create a new organization dialog box, do the following in the indicated fields:

a. Customer. Select the customer account in which you want to create the organization.
b. Organization name. Enter a name for the organization.
c. Organization URL. The URL name is automatically generated. If needed, the name can be
modified.

4. Click Create.
After a successful creation, the new organization will be listed in the Organizations tab.

Updating an Organization
Administrators can update the basic information for your organization from the NC2 console.

Note: Changes applied to the organization entity affect the entirety of the organization and any accounts
listed underneath it.

To update your organization, perform the following:

Procedure

1. Sign in to the NC2 console: https://cloud.nutanix.com.

2. In the Organization page, select the ellipsis button of a corresponding organization and click Update.

3. To update the organization’s basic details:

a. Navigate to the Basic Info tab of the Organization entity's update page.
b. You can edit any of the fields listed below if required:

• Name: Edit the name of your organization in this field.

• URL name: This specifies the slug of the URL unique to your organization. For example,
specifying documentation would look like this:
https://cloud.nutanix.com/[customer_URL]/documentation/[account_URL]

• Description: Add a description of the organization.

• Website: Specify the web address for your organization. For example, https://
www.google.com.

c. Click Save.

Cloud Clusters (NC2) | NC2 Deployment | 40

Adding an AWS Cloud Account
To add your AWS account to NC2, specify your AWS cloud details, create and verify a CloudFormation
stack in the AWS console, and select AWS regions in which you want to create Nutanix clusters.

About this task

Note: You can add one AWS account to multiple organizations within the same customer entity. However,
you cannot add the same AWS account to two or more different Customer (tenant) entities. If you have
already added an AWS account to an organization and want to add the same AWS account to another
organization, follow the same process, but you do not need to create the CloudFormation template.
If a cluster is present, do not delete the CloudFormation stacks.

To add an AWS account to NC2, perform the following procedure:

Procedure

1. Sign in to NC2 from the My Nutanix dashboard.

Note: On the My Nutanix dashboard, ensure that you select the correct workspace from the
Workspace dropdown list that shows the workspaces you are part of and that you have used while
subscribing to NC2.

Figure 18: Selecting a Workspace

2. In the left navigation pane, click Organizations.

3. Click the ellipsis next to the organization that you want to add the cloud account to and click Cloud
accounts.

4. Click Add Cloud Account.

5. Under Select Cloud Provider, select AWS.

6. In the Name field, type a name for your AWS cloud account.

Cloud Clusters (NC2) | NC2 Deployment | 41

7. In the Enter Account ID field, type your AWS cloud account ID.

Note: You can find your Account ID in My Account in the AWS cloud console. Ensure that you enter
the AWS cloud account ID without hyphens.

8. Under Prepare AWS Account, click Open AWS Console.

The AWS console opens in a new tab.
To create and manage resources in your AWS account, NC2 requires several IAM resources. Nutanix
has created a CloudFormation template that creates all the necessary resources.
Do the following in the AWS console:

a. Sign in to the AWS account in which you want to create Nutanix clusters.
This account is the same AWS account that is linked to the Account ID you entered in step 7.
b. In the Quick create stack screen, note the template URL, stack name, and other parameters.
c. Select the I acknowledge that AWS CloudFormation might create IAM resources with
custom names check box.
d. Click Create stack.
e. Monitor the progress of the creation of the stack in the Events tab.
f. Wait until the Status changes to CREATE_COMPLETE.
You can view information about your CloudFormation stack, namely Nutanix-Clusters-High-Nc2-
Cloud-Stack-Prod, on the Stacks page of the CloudFormation console.

Figure 19: Viewing CloudFormation Template

The CloudFormation template creates the Nutanix-Clusters-High-Nc2-Cluster-Role-Prod and

Nutanix-Clusters-High-Nc2-Orchestrator-Role-Prod IAM roles. To view the permissions and

Cloud Clusters (NC2) | NC2 Deployment | 42

 policies attached to these IAM roles, you can sign into the AWS Management Console and open the
IAM console at https://console.aws.amazon.com/iam/ and then choose Roles > Permissions.

Figure 20: Viewing IAM Roles

9. In the NC2 console, click Verify Connection.

If CloudFormation is successfully verified, a message indicating that the cloud account setup is
verified appears below this field.

10. Under Select data centers, do one of the following:

» Select All supported regions if you want to create clusters in any of the supported AWS regions.
» Select Specify regions if you want to create clusters in specific AWS regions and select the
regions of your choice from the list of available AWS regions.

Note: Some regions are not auto-enabled by AWS. Ensure you first enable them in your AWS
account before using them with NC2. For more information, see Supported Regions and Bare-
metal Instances.

11. Select the add cloud account disclaimer checkbox for acknowledgment.

12. Click Add Account.

You can monitor the status of the cloud account in the Cloud account page. An R status indicates that
your cloud account is ready.

Deactivating a Cloud Account

NC2 administrators can deactivate a cloud account from the NC2 console when they want to de-register a
cloud account from their Customer or Organization entity. Once the cloud account is deactivated, the cloud
administrator can terminate the corresponding resources that are not managed by NC2.

Note: A cloud account that has existing NC2 accounts cannot be deactivated. You must terminate all NC2
accounts using the cloud account resources first.

To deactivate a cloud account, perform the following steps:

Procedure

1. Navigate to the Customer or Organization dashboard in the NC2 console where the cloud account is
registered.

2. Select Cloud Accounts in the left-hand menu.

Cloud Clusters (NC2) | NC2 Deployment | 43

 3. Find the cloud account that you want to deactivate. Click the ellipsis icon against the desired cloud
account and select Deactivate.

Figure 21: Deactivate a cloud account

Reconnecting a Cloud Account

When the NC2 console is unable to communicate with the cloud account infrastructure, the status for the
cloud account in the Cloud Accounts list is displayed as U for Unavailable (instead of R for Ready). The
administrator can correct the issue and manually trigger a reconnection of the cloud account.
A cloud account might become unavailable when the required IAM roles and permissions are removed
from the AWS IAM role.
To reconnect an unavailable cloud account after the issues have been addressed, perform the following
steps:

Procedure

1. Navigate to the Customer or Organization dashboard in the NC2 console where the cloud account is
registered.

2. Click the ellipsis icon against the desired organization or customer and then click Cloud Accounts.

3. Find the cloud account you want to reconnect. Click the ellipsis icon against the cloud account and click
Reconnect.

4. If the underlying issue(s) were addressed and the NC2 console can communicate with the cloud
account infrastructure, the account status will change to R.

Adding a Cloud Account Region

Administrators can add additional regions after their cloud account has been set up.

Note: Administrators should ensure they have sufficient resource limits in the regions they decide to add
before adding those regions through the NC2 console.

Procedure

1. Navigate to the Customer or Organization dashboard in the NC2 console where the cloud account is
registered.

2. Click the ellipsis icon against the desired organization or customer and then click Cloud Accounts.

3. Find the cloud account where you want to add a new cloud region. Click the ellipsis icon against the
cloud account and click Add regions. A new window appears.

Cloud Clusters (NC2) | NC2 Deployment | 44

 4. Choose the region from:

• All supported regions: Select this option if you would like to add all other supported regions
besides those you have already specified.
• Specify regions: Select this option if you would like to add just a few additional supported regions
to your cloud account. Click inside the regions field and select as many regions as you want from the
drop-down menu.

Figure 22: Adding a region to a cloud account

5. Once you have made your selection, click Save. You will receive updates in your notification center
regarding the status.

Updating AWS Stack Configurations

For an AWS cloud account, administrators can update the stack or recreate the stack when needed.
Perform the following steps:

Procedure

1. Navigate to the Customer or Organization dashboard in the NC2 console, where the cloud account is
registered.

2. Click the ellipsis icon against the desired organization or customer and then click Cloud Accounts.

3. Find the cloud account for which you want to update the configurations. Click the ellipsis icon against
the cloud account and click Update.

Cloud Clusters (NC2) | NC2 Deployment | 45

4. Update the AWS Configurations:

• Update Stack: The Update Stack tab provides your CloudFormation Stack template URL and
Stack parameters. These details can be used to update IAM (Identity and Access Management)
roles.
For example, to use new product features, you may need to use the CloudFormation Stack template
URL to expand your IAM permissions after an NC2 product update.

Figure 23: Configuration - Update Stack (AWS)

• Recreate Stack: Use the Recreate Stack sub-tab to recreate your CloudFormation stack to a
known good state and verify the connection. Typically, most administrators will access this page
when troubleshooting permissions/account setup issues.

Note: To recreate your CloudFormation stack, you must delete the existing stack in your AWS
Console, which you can access directly from the Recreate Stack sub-tab.

Cloud Clusters (NC2) | NC2 Deployment | 46

 Figure 24: Configuration - Recreate Stack (AWS)

Creating a Cluster
Create a cluster in AWS by using NC2. Your Nutanix cluster runs on an EC2 bare-metal instance in AWS.
For more information on the AWS components that are either installed when the option to create a new
VPC is selected during NC2 on AWS deployment or you need to install manually when you choose to use
an existing VPC, see AWS Components Installed.

About this task

Note: Each node in a Nutanix cluster has two EBS volumes attached (AHV EBS and CVM EBS). Both are
encrypted gp3 volumes. The size of AHV EBS volume is 100 GB and CVM EBS is 150 GB.
AWS charges you for EBS volumes regardless of the cluster state (running or hibernate). These
charges are incurred once the cluster is created until it is deleted. See the AWS Pricing Calculator
for information about how AWS bills you for EBS volumes.
AWS bills you an additional charge for the EBS volumes and S3 storage for the time the cluster is
hibernated. If a node turns unhealthy and you add another node to a cluster for evacuation of data
or VMs, AWS also charges you for the new node.

To create a Nutanix cluster on AWS, perform the following:

Cloud Clusters (NC2) | NC2 Deployment | 47

Procedure

1. Sign in to NC2 from the My Nutanix dashboard.

Note: On the My Nutanix dashboard, ensure that you select the correct workspace from the
Workspace dropdown list that shows the workspaces you are part of and that you have used while
subscribing to NC2.

Figure 25: Selecting a Workspace

2. In the Clusters page, do one of the following:

» If you are creating a cluster for the first time, under You have no clusters, click Create Cluster.
» If you have created clusters before, click Create Cluster in the top-right corner of the Clusters
page.

Figure 26: NC2 Create Access Page

Cloud Clusters (NC2) | NC2 Deployment | 48

3. Select one of the following cluster options:

» General Purpose: A cluster that utilizes general purpose Nutanix licenses. For more information
on NCI licensing, see Nutanix Licenses for NC2.
» Virtual Desktop Infrastructure (VDI): A cluster that utilizes Nutanix licenses for virtual desktops.
For more information on NCI and EUC licensing, see Nutanix Licenses for NC2.

Figure 27: Create a cluster - select a cluster type

4. In the Cloud Provider tab of the Create Cluster dialog box, do the following:

a. Organization. Select the organization in which you want to create the cluster.
b. Cluster Name. Type a name for the cluster.
c. Cloud Provider. Select AWS.
d. Cloud Account. Select the AWS cloud account in which you want to create the cluster.
e. Region. Select the AWS region in which you want to create the cluster.
f. (If you select VDI) Under Consumption Method, the User-based consumption method is
selected by default. In this case, the consumption and cluster pricing are based on the number

Cloud Clusters (NC2) | NC2 Deployment | 49

 of users concurrently using the cluster. Enter the maximum number of users allowed to use the
cluster.

Note: The general purpose cluster uses a capacity-based method by default where the
consumption and cluster pricing is based on the capacity provisioned in the cluster.

g. In Advanced Settings, with Scheduled Cluster Termination, NC2 can delete the cluster at a
scheduled time if you are creating a cluster for a limited time or for testing purposes. Select one of
the following:

• Terminate on. Select the date and time when you want the cluster to be deleted.
• Time zone. Select a time zone from the available options.

Note: The cluster will be destroyed, and data will be deleted automatically at the specified time.
This is an irreversible action and data cannot be retrieved once the cluster is terminated.

5. In the Capacity tab, do the following on the Capacity and Redundancy page:
Under Cluster Capacity and Redundancy

• Under Host Configuration:

• Host type: The instance type used during initial cluster creation is displayed.
• Number of Hosts. Click + or - depending on whether you want to add or remove nodes.

Note: A maximum of 28 nodes are supported in a cluster. NC2 supports 28-node cluster
deployment in AWS regions that have seven placement groups. Also, there must be at least
three nodes in a cluster.

• Add Host Type: The other compatible instance types are displayed depending on the instance
type used for the cluster. For example, if you have used i3.metal node for the cluster, then
i3en.metal, and i4i.metal instance types are displayed.

Note: You can create a heterogeneous cluster using a combination of i3.metal, i3en.metal,
and i4i.metal instance types or z1d.metal, m5d.metal, and m6id.metal instance types.

The Add Host Type option is disabled when no compatible node types are available in
the region where the cluster is being deployed.

• Under Redundancy: Select one of the following redundancy factors (RF) for your cluster.

• RF 1: The number of copies of data replicated across the cluster is 1. The number of nodes for
RF1 must be 1.

Note: RF1 can only be used for single-node clusters. Single-node clusters are not
recommended in production environments. You can configure the cluster with RF1 only for

Cloud Clusters (NC2) | NC2 Deployment | 50

 clusters created for Dev, Test, or PoC purposes. You cannot increase the capacity of a single-
node cluster.

• RF 2: The number of copies of data replicated across the cluster is 2. The minimum number of
nodes for RF2 must be 3.
• RF 3: The number of copies of data replicated across the cluster is 3. The minimum number of
nodes for RF3 must be 5.
• Host type. Select the type of bare-metal instance that you want your cluster to run on.
• Number of Hosts. Select the number of hosts that you want in your cluster.

Note: A maximum of 28 nodes are supported in a cluster. NC2 supports 28-node cluster
deployment in AWS regions that have seven placement groups.

Figure 28: Create a cluster - capacity

Cloud Clusters (NC2) | NC2 Deployment | 51

6. In the Network tab, do the following:

a. Under Networking, select a Virtual Private Network (VPC) in which you want to create the cluster
from one of the following options:

• Use an existing VPC

• Select a VPC from the Virtual Private Network (VPC) drop-down list.
• Select a subnet (from the VPC that you selected in the previous step) from the
Management Subnet drop-down list that you want to use as the management subnet for
your cluster.

Note: This subnet must be a dedicated private subnet for communication between Nutanix
CVMs or management services like Hypervisor.

Cloud Clusters (NC2) | NC2 Deployment | 52

 Figure 29: Create a cluster - use an existing VPC
• Create New VPC. Select this option to create a new VPC for this cluster and do not want to
use any of your existing VPCs.

• Enter a VPC CIDR.

Note: Ensure that you do not use 192.168.5.0/24 CIDR for the VPC being used to deploy
the NC2 on AWS cluster. All Nutanix nodes use that CIDR for communication between the
CVM and the installed hypervisor.

• Availability Zone. Select the AZ in which you want to create the cluster.

Cloud Clusters (NC2) | NC2 Deployment | 53

 Note: Two subnets will be created along with the VPC in the selected AZ. One private subnet
without outgoing internet access for the management network and one public subnet providing
connectivity to NC2 from the VPC.

Figure 30: Create a cluster - use an existing VPC

b. Under Host Access through SSH, do one of the following:

• Use an existing Key Pair. Select an existing SSH key from the drop-down list.
• Create a New Key Pair. Type a Key name and click Generate to generate a new SSH key.
You can use this SSH key to sign in to a node in the cluster, without a password.
c. Under Access Policy, specify the following options to control the user management and UVM's
AWS security groups that are deployed when you create the cluster:

Cloud Clusters (NC2) | NC2 Deployment | 54

• Prism (Cluster Management Console): Select one of the following options to control access
of the public Internet to and from your Nutanix cluster:

• Public: Allow cluster access to and from the public Internet.

When you select Access Policy as Public, NC2 will automatically provision a Network Load
Balancer that enables access to Prism Element from the Internet.

Note: This Public option is only available when you choose to either import a VPC or create
a new VPC in the Network tab.
Allowing Internet access could have security ramifications. Use of a load balancer
is optional and is not a recommended configuration. For securing network traffic
when using a load balancer, you can consider using secure listeners, configuring
security groups, and authenticating users through an identity provider. For more
information, see AWS Documentation.
You can also use a Bastion server (jump box) to gain SSH access to the CVMs
and AHV hosts of Nutanix clusters running on AWS. See Logging into a Cluster by
Using SSH.

• Restricted: Restrict access only to a select number of IP addresses. In the IP addresses

field, provide a list of source IP addresses and ranges that must be allowed to access Prism
Element. NC2 creates security group rules.
• Disabled: Disable cluster access to and from the public Internet. The security group
attached to the cluster hosts will not allow access to Prism Element.
• Management Services (Core Nutanix services running on this cluster). Select to allow or
restrict access to management services (access to CVMs and AHV hosts).

• Restricted: If any IP addresses require access to CVMs and AHV hosts, specify a list of
such source IP addresses and ranges. NC2 creates security group rules accordingly.
• Disabled: Disable access to management services in the security group attached to the
cluster nodes.

Note: If you intend to use the Cluster Protect feature, ensure that the Cluster Management
Services can be accessed from the VPC and the Prism Central subnet. Ports 30900 and 30990 are
opened while creating a new NC2 cluster and are required for communication between AOS and
Multicloud Snapshot Technology (MST) to back up the VM and volume groups data.

Cloud Clusters (NC2) | NC2 Deployment | 55

7. In the Software Configuration tab, do the following in the indicated fields:

a. Under License Option, select one of the following:

• For the General Purpose cluster option selected in step 3:

• NCI (Nutanix Cloud Infrastructure): Select this license type and appropriate add-ons to
use NCI licensing.

Note: You must manually register the cluster to Prism Central and apply the NCI licenses in
Prism Central.

• AOS: Select this license type and appropriate add-ons to reserve and use AOS (legacy)
licenses. For more information on how to reserve AOS (legacy) licenses, see Reserving
License Capacity.

Figure 31: License Option

• For the Virtual Desktop Infrastructure (VDI) cluster option selected in step 3:

• EUC (End User Computing): Select this option if you want to use EUC licenses for a
specified number of users.

Cloud Clusters (NC2) | NC2 Deployment | 56

 Note: You need to manually register the cluster to Prism Central and manually apply the
EUC licenses.

• VDI: Select this option if you want to use VDI licenses for a specified number of users. For
more information on how to reserve VDI licenses, see Reserving License Capacity.

Figure 32: License Option

For more information on license options, see NC2 Licensing Models.
b. Under AOS Configuration:

• AOS Version. Select the AOS version that you want to use for the cluster.

Note: The cluster must be running the minimum versions of AOS 6.0.1.7 for NCI and EUC
licenses, and AOS 6.1.1 for NUS license.

• Software Tier. In the Software Tier drop-down list, select the license type based on your
cluster type and the license option you selected.

Cloud Clusters (NC2) | NC2 Deployment | 57

 • For General Purpose cluster: Select the Pro or Ultimate license tier that you want to apply
to your NCI or AOS cluster. Click the View Supported Features list to see the available
features in each license type.
• For VDI cluster: The only available license tier for the VDI or EUC cluster, that is, Ultimate,
is selected by default.

Note: If you have selected VDI and User-based licensing, then the Ultimate software edition
is automatically selected, as only the VDI Ultimate license tier is supported on NC2.

This option is used for metering and billing purposes. Usage is metered every hour and charged
based on your subscription plan. Any AOS (legacy) and VDI reserved licenses will be picked up
and applied to your NC2 cluster to cover its usage before billing overages to your subscription plan.
c. Under Add-on Products:

• If the NCI (Nutanix Cloud Infrastructure) or EUC (End User Computing) license option is
selected: you can optionally select Use NUS (Nutanix Unified Storage) on this cluster and
specify the storage capacity that you intend to use on this cluster.

Note: You need to manually apply the NCI and the NUS licenses to your cluster.

• If the AOS or VDI license option is selected, you can optionally select the following add-on
products:

• Advanced Replication
• Data-at-Rest Encryption
• Use Files on this cluster: Specify the capacity of files you intend to use in the Unified
Storage Capacity field.

Note: The Advanced Replication and Data-at-Rest Encryption add-ons are selected by default
for AOS and VDI Ultimate; you need to select these add-ons for AOS Pro manually.

For more information, see Software Options.

Cloud Clusters (NC2) | NC2 Deployment | 58

8. During initial cluster creation, in the Cluster Protect tab, record your intention whether you want to
protect your cluster data, UVM data, and Prism Central configuration data against failures impacting
the whole cluster and click Next.

• I want to protect the cluster: Select this option if you want to protect the cluster using the Cluster
Protect feature.

Note: You must register this cluster to a new or an existing Prism Central instance that runs in
the same availability zone. If you are going to use this cluster as a source or target for Disaster
Recovery, then you cannot also use the Cluster Protect feature to protect your cluster.

To protect the cluster using the Cluster Protect feature, you must perform the steps listed in Cluster
Protect Configuration.
• I will protect the cluster myself/ I do not need protection: Select this option if you do not want
to use the Cluster Protect feature to protect your cluster.

Note: You can select this option if you need to use this cluster as a source or target for a Disaster
Recovery setup. Nutanix recommends enabling the automatic backup of VM and Volume Groups
data.

Note: The Cluster Protect feature is available only with AOS Ultimate or NCI Ultimate license tier and
needs AOS 6.7 or higher and Prism Central 2023.3 or higher. The Cluster Protect feature is available
only for new cluster deployments. Any clusters created before AOS 6.7 cannot be protected using this
feature.

Figure 33: Cluster Protect

Cloud Clusters (NC2) | NC2 Deployment | 59

9. In the Summary tab, do the following:

a. Review your cluster configuration.

b. To reinitiate the resource allocation check for the cluster, under Cloud Resources > AWS Cloud
Account, click Show details, and click Check quotas.
AWS Quota Check
A quota check for the cluster is automatically triggered prior to cluster creation. The NC2 console
automatically checks your resource quota. Ensure that your AWS subscription has enough quotas
(such as vCPUs).
Amazon EC2 service quotas are managed in terms of the number of virtual central processing
units (vCPUs) with 1 physical core = 2 vCPUs conversion ratio. The required vCPU quota should
be at least enough to cover n+1 nodes (for RF = 2 or 3) where n is the number of nodes you are
deploying in your cluster. The quota for the additional nodes is required in case a node needs to be
replaced, then during the node replace cycle, you will temporarily have n+1 nodes while the new
node is being added and an old node is being removed.
If the quotas for the resource allocation are insufficient, you will not be blocked from creating the
cluster, but your cluster will likely not form successfully. The available quotas for resource allocation
changes dynamically depending on the resources used by other clusters in your organization. You
can also change the default resource allocation through the AWS console.

Figure 34: AWS Service Quota Check

c. Click Create.

Cloud Clusters (NC2) | NC2 Deployment | 60

 10. Monitor the cluster creation progress in the Clusters page.
When the cluster creation is in progress, the status is Creating. After the cluster is created, the status
changes to Running.

Note: Nutanix cluster is deployed in AWS in approximately 45 to 60 minutes. If there are any issues
with provisioning the Nutanix cluster, see the Notification Center on the NC2 console.

11. After the cluster is created, click the name of the cluster to view the cluster details.

What to do next
After you create a cluster in AWS, set up the network and security infrastructure in AWS and the cluster for
your user VMs. See User VM Network Management and Security on page 102 for more information.

AWS VPC Endpoints for S3

You can leverage the AWS VPC endpoints to connect to AWS Services privately from your VPC without
going through the public internet. When using VPC endpoints, you can optimize the network path by
avoiding traffic to internet gateways and incurring costs associated with NAT gateways, NAT instances, or
maintaining firewalls. With VPC endpoints, you have finer control over how users and applications access
AWS services.
Nutanix recommends using the following VPC endpoints:

• Gateway endpoints: These gateways are used for connectivity to Amazon S3 without using an internet
gateway or a NAT device for your VPC. A gateway endpoint targets specific IP routes in the AWS VPC
route table. Gateway endpoints do not use AWS PrivateLink, unlike interface endpoints. There is no
additional charge for using gateway endpoints.
For more information on how to create a new gateway endpoint, see Creating a Gateway Endpoint.
You can create a new or use an existing gateway endpoint. When using an existing gateway endpoint,
you only need to modify the route tables associated with the gateway endpoint. For more information,
see Associating Route Tables With the Gateway Endpoint.
• Interface endpoints: These gateways are used for connectivity to services over AWS PrivateLink.
An interface endpoint is a collection of one or more elastic network interfaces (ENIs) with a private IP
address that serves as an entry point for traffic destined to a supported service. Interface endpoints
allow the use of security groups to restrict access to the endpoint.
For more information, see AWS Documentation.

Creating a Gateway Endpoint

A gateway endpoint can be used for connectivity to Amazon S3 without using an internet gateway or a NAT
device for your VPC. A gateway endpoint targets specific IP routes in an AWS VPC route table in the form
of a prefix-list, used for traffic destined to AWS S3.
You can configure resource policies on both the gateway endpoint and the AWS resource that the endpoint
provides access to. This enables granular access control and private network connectivity from within a
VPC.
For more information about gateway endpoints, see AWS Documentation.

Note: Ensure that you create your gateway endpoint in the same AWS Region as your S3 buckets. Also,
add the gateway endpoint in the routing table of the resources that need to access S3. The outbound rules
for the security group for instances that access Amazon S3 through the gateway endpoint must allow traffic
to Amazon S3.

Cloud Clusters (NC2) | NC2 Deployment | 61

You can add a new endpoint route to a route table and associate it with the gateway endpoint. The
endpoint route is deleted when you disassociate the route table from the gateway endpoint or when you
delete the gateway endpoint.
All instances in the subnets associated with a route table associated with a gateway endpoint automatically
use the gateway endpoint to access the service. Instances in subnets that are not associated with these
route tables use the public service endpoint, not the gateway endpoint. Nutanix recommends using the
gateway endpoint instead of the public service endpoint.
The following instructions are for your quick reference; Nutanix recommends referring to AWS
Documentation for the most up-to-date instructions.
Follow these steps to create a gateway endpoint that connects to Amazon S3:

Procedure

1. Sign into the AWS VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, select Endpoints, which is a VPC-level feature.

Note: Ensure that you do not select the Endpoints services option.

3. Click Create endpoint.

4. Provide a name for the gateway endpoint.

5. Under Service category, select AWS services.

6. Under Services, search with the S3 keyword, and then select the service with the name:
com.amazonaws.<region>.s3 and type as Gateway.

7. Under VPCs, select the VPC where you want to create the endpoint.

Note: The VPC must be the same where your cluster is created. All NC2 clusters in that VPC will be
able to access the S3 endpoint. You must create a different endpoint for each VPC where an NC2
cluster is running.

8. Under Route tables, select the route tables corresponding to your NC2 cluster’s private subnet in the
VPC.
This must be the route table associated with the cluster management subnet.

Note: You must add all route tables that are associated with the management subnet of all your
clusters.

9. Under Policy, use the default selection as Full access.

10. Click Create endpoint.

11. After successfully creating the endpoint, verify that the route table pointed to the S3 endpoint has the
gateway endpoint in its routes.

a. Navigate to Endpoints and click the gateway endpoint you created.

b. Click the Route tables tab.
c. Click the route table name.
d. Click the Routes tab and verify the route.

Cloud Clusters (NC2) | NC2 Deployment | 62

Associating Route Tables With the Gateway Endpoint
If you want to use an existing gateway endpoint, you must change the route tables that are associated with
the gateway endpoint.
The following instructions are for quick reference; Nutanix recommends referring to AWS Documentation
for the most up-to-date instructions.
Follow these steps to associate route tables with the gateway endpoint:

Procedure

1. Sign into the AWS VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, select Endpoints.

3. Select the gateway endpoint that you want to use for AWS S3.

4. Click Actions > Manage route tables.

5. Select or deselect route tables as needed.

6. Click Modify route tables.

7. Under Route tables, select the route tables corresponding to your NC2 cluster’s private subnet in the
VPC.
This must be the route table associated with the cluster management subnet.

Note: You must add all route tables that are associated with the management subnet of all your clusters.

8. Under Policy, make sure you have selected Full access.

Cloud Clusters (NC2) | NC2 Deployment | 63

PRISM CENTRAL CONFIGURATION
This section lists the steps on how to:

• Deploy and configure Prism Central.

• Log into a cluster by using Prism Element web console.
• Log into a cluster by using SSH.

Deploying and Configuring Prism Central

After the cluster is successfully deployed, deploy a new Prism Central instance or register the cluster to an
existing Prism Central instance. Ensure that you have created the Prism Central subnet and management
subnet. The Prism Central subnet must be different from the UVM subnet.
For more information about installing a new Prism Central instance, see Installing a new Prism Central.

Note: While deploying Prism Central, you need to specify the CIDR of the subnet created for your NC2
cluster. You can find this CIDR from your AWS console listed under IP Address Management > Network
Prefix Length.

For more information about registering your cluster with Prism Central, see Registering Cluster with Prism
Central.
After you deploy Prism Central, perform the following additional networking and security configurations:

Procedure

1. Configure the name servers to host a network service for providing responses to queries against a
directory service, such as a DNS server. For more information, see Configuring Name Servers for Prism
Central.

Note: Ensure that the name server IP address is similar to the one you entered during the deployment of
Prism Central.

2. Configure the NTP servers to synchronize the system clock. For more information, see Configuring NTP
Servers for Prism Central.
You can use:

• 0.pool.ntp.org
• 1.pool.ntp.org
• 2.pool.ntp.org
• 3.pool.ntp.org

3. Add an authentication directory. For more information, see Adding An Authentication Directory (Prism
Central).

4. Configure role permissions. For more information, see Assigning Role Permissions.

5. Configure SSL certificate management. For more information, see Importing an SSL Certificate.

6. Deploy a load balancer to allow Internet access. For more information, see Deploying a Load Balancer
to Allow Internet Access.

Cloud Clusters (NC2) | Prism Central Configuration | 64

 7. Create and associate AWS security groups with an EC2 instance to control outbound and inbound
traffic. For more information, see Controlling Inbound and Outbound Traffic Using Security Groups.

8. Enable the inbound access to the Prism Central UI to configure the Site-to-Site VPN setup. For more
information, see Prism Central UI Access for Site-to-Site VPN Setup.

9. Register Prism Central with the Prism Element cluster. For more information, see Registering or
Unregistering Cluster with Prism Central.

What to do next
For more information about how to sign into the Prism Element web console, see Logging into a Cluster by
Using the Prism Element Web Console.
For more information about how to sign into the Prism Central web console, see Logging Into Prism
Central.

Logging into a Cluster by Using the Prism Element Web Console

Use the Prism Element web console to sign in to your Nutanix cluster running in AWS.
Perform the following to sign in to your Nutanix cluster.

Procedure

1. Sign in to NC2 from the My Nutanix dashboard.

2. Go to the Clusters page and click the name of the cluster.

Cloud Clusters (NC2) | Prism Central Configuration | 65

3. On the Summary page, click Launch Prism Element.

Figure 35: NC2 Prism Element Access

The Prism Element sign in page opens in a new tab.

4. Use the following default credentials to sign in.

• Username: admin
• Password: Nutanix/4u
The default password is Nutanix/4u. You are prompted to change the default password if you are
logging on for the first time.
For more information, see Logging Into the Web Console.

What to do next
After you create a cluster in AWS, set up the network and security infrastructure in AWS and the cluster for
your user VMs. See User VM Network Management and Security on page 102 for more information.

Cloud Clusters (NC2) | Prism Central Configuration | 66

Logging into a Cluster by Using SSH
You can also use SSH to sign in to a node and CVMs in your cluster. Sign in to your cluster by using the
SSH key pair you created or selected when you created the cluster.

Before you begin

If you have not configured VPN or Direct Connect to access your clusters, you can configure a Linux
bastion host to gain SSH access to the CVMs and AHV hosts of Nutanix clusters running on AWS.
For instructions about how to configure a Linux bastion host, see the AWS documentation. The URL varies
depending on the region you are in.

Note: When you configure a Linux bastion host, ensure that you do the following:

• Open the EC2 console in the same region as the Nutanix cluster.
• When you are configuring an instance, ensure that you do the following:

• Under Network, change the default VPC to the same VPC being used by the Nutanix
cluster running on AWS.
• Under Subnet, select the subnet containing Nutanix Cluster xxxxxxxxx Public.
• Enable the Auto-assign Public IP option.
• You must restrict access to Management services (access to CVMs and AHV hosts) while
configuring the cluster. To do this, launch the NC2 console, click on the ellipsis for the cluster,
and then click Update Configuration. Select the Access Policy tab, and then select
Restricted under Management Services (Core Nutanix services running on this cluster).

About this task

Sign in to CVM with the Nutanix user and then sign in to a host in the cluster with the root user.
Perform the following to sign in to your cluster with SSH.

Procedure

1. Sign in to NC2 from the My Nutanix dashboard.

2. Go to the Clusters page and click the name of the cluster.

Select the Hosts pane.
The details such as the name of the host, IP address of the host, IP address of the CVM, host type, and
state of the host are displayed.

3. Open a terminal session.

Cloud Clusters (NC2) | Prism Central Configuration | 67

4. Sign in to a host in the cluster by using the private key. Use the private key you created or selected
when you created the cluster.

Note: You can either upload (secure copy (scp)) the key.pem file from your local machine to the host or
create a new pem file on the host by using the content of the key.pem file via vim key.pem, and then
run the chmod 400 key.pem command.

$ ssh -i private-key-file root@node-ip-address

Replace the variables in the command with their appropriate values as follows:

• Replace private-key-file with the file name of the private key.

• Replace node-ip-address with the IP address of the node you want to sign in to (determined in
step 4).

5. Sign in to a CVM in the cluster.

user@host$ ssh nutanix@ip-address-of-the-cvm

Replace ip-address-of-the-cvm with the IP address of the CVM (determined in step 5).

6. Type the password of the Nutanix user.

The default password of the Nutanix user is nutanix/4u. You are prompted to change the default
password if you are logging on for the first time.

What to do next
After you create a cluster in AWS, set up the network and security infrastructure in AWS and the cluster for
your user VMs. See User VM Network Management and Security on page 102 for more information.

Cloud Clusters (NC2) | Prism Central Configuration | 68

NC2 PAYMENT METHODS
Nutanix offers a simplified licensing experience in purchasing and consuming NC2. In addition to the
legacy licensing model for AOS, Nutanix has introduced the Nutanix Cloud Platform packages that support
the new and consolidated Nutanix product portfolio. The packages are:

• Nutanix Cloud Infrastructure (NCI)

• Nutanix Cloud Manager (NCM)
• Nutanix Cloud Platform (NCP, bundle of NCI and NCM)
• Nutanix Unified Storage (NUS)
• Nutanix Database Service (NDB)
• Nutanix End User Computing (EUC)
If you have a paid subscription for NC2, you can choose to select the NCI or AOS licensing tier while
creating a cluster. You can also switch from an already running cluster with AOS licensing to a cluster with
NCI licensing. You must deploy Prism Central and configure your NC2 cluster with that Prism Central in
order to use NCI licenses.

Note: You cannot switch back from NCI licensing to AOS licensing.

During the free trial period of NC2, you can only use the AOS licensing option. NC2 enables your cluster
with all AOS features during the free trial. When you switch to a paid NC2 subscription, you have the
choice to continue with the AOS licensing or switch to the NCI licensing.
Nutanix also provides flexible subscription options that help you select a suitable subscription type and
payment method for NC2.
You can use the legacy portfolio licenses and pay using a subscription plan, such as Pay As You Go
(PAYG) or Cloud Commit, for overages above the legacy license capacity used.
For more information on the pricing that is used to charge for overages above legacy AOS license capacity,
see NC2 pricing options.
For the new NCI licensing, NC2 does not charge for overages above the NCI license capacity used. For
more details on the new NCI licenses, see Nutanix Cloud Platform Software Options.
You can choose to be invoiced either directly by Nutanix or through your cloud marketplace account, if you
choose to use your cloud marketplace.
NC2 supports Advanced Replication and Security add-ons for NCI Pro and Nutanix Unified Storage (NUS)
Pro, and you have to manually apply these licenses to Prism Central managing your NC2 cluster. NC2
supports Advanced Replication, Data-at-Rest Encryption, and Files add-ons for AOS (legacy) Pro, and you
have to reserve capacity from these licenses, after which they are automatically picked up and applied to
your NC2 cluster.
The following table lists the combination of license types based on the software configuration and the
subscription plans available for these license types.

Cloud Clusters (NC2) | NC2 Payment Methods | 69

 Table 10: Summary of license types

Cluster Type Available License Types Available Software Tier

General Purpose NCI
• NCI Pro + Advanced Replication +
Data-at-Rest Encryption + NUS
• NCI Ultimate + Advanced
Replication + Data-at-Rest
Encryption + NUS

General Purpose AOS

• AOS Pro + Advanced Replication +
Data-at-Rest Encryption + Files
• AOS Ultimate + Files

Note: Advanced Replication

and Data-at-Rest Encryption
add-ons are included in AOS
Ultimate license.

VDI EUC EUC Ultimate + NUS

VDI VDI VDI Ultimate + Files

Note: Advanced Replication and

Data-at-Rest Encryption add-
ons are included in VDI Ultimate
license.

Nutanix Licenses for NC2

Your Nutanix licenses are given priority when covering your NC2 usage. Any overages above your legacy
license capacity can be paid using a subscription plan, such as Pay As You Go (PAYG) or Cloud Commit.
There is currently no charge for overages above the NCI license capacity used for the new NCI licensing.
For more information on how to select AOS or NCI license during cluster creation, see Creating a Cluster.
For more information on how to switch an already running cluster with AOS legacy licensing to NCI
licensing, see Applying NCI, EUC, and NUS Licenses.

New Portfolio Licenses

When creating a cluster, you can select your general purpose type NC2 cluster to use either NCI Pro or
NCI Ultimate licenses. Or, you can select your VDI type NC2 cluster to use the End User Computing (EUC)
Ultimate license. The rest of the new portfolio, such as Nutanix Cloud Manager (NCM), Nutanix Unified
Storage (NUS), and Nutanix Database Service (NDB), is also supported with NC2. Steps to apply licenses
are similar for all products and services in the new portfolio - manually apply licenses to Prism Central. For
more information, see Applying and Managing Cloud Platform Licenses.
For the new NCI licensing, there is currently no charge for overages above the NCI license capacity used.
You must not reserve license capacity for the new portfolio licenses, unlike you do it for the legacy portfolio
licenses.

Note: Your NC2 cluster is enabled with legacy AOS licenses during the free trial. Once you get a paid
subscription for NC2, you can switch from AOS to NCI licenses. You must deploy Prism Central and
configure your NC2 cluster with that Prism Central in order to use NCI licenses.

Cloud Clusters (NC2) | NC2 Payment Methods | 70

For more information on how to switch an already running cluster with AOS legacy licensing to NCI
licensing, see Applying NCI, EUC, and NUS Licenses.
Once you have configured Prism Central with the cluster, you can manually apply the NCI licenses to that
Prism Central to cover the usage of the cloud usage.
When switching cloud cluster from one Prism Central to another Prism Central, you must manually re-
license that new Prism Central with the NCI license you want to use.

Note: You can use the same Prism Central with both AOS and NCI-licensed clusters.

Applying cloud platform licenses, excluding NUS, requires that the cluster is running the minimum versions
of the following software:

• AOS 6.0.1.7
• Nutanix Cluster Check (NCC) 4.3.0
• Prism Central pc.2021.9
Applying NUS licenses requires that the cluster is running the minimum versions of the following software:

• AOS 6.1.1
• NCC 4.5.0
• pc.2022.4

Applying NCI, EUC, and NUS Licenses

You must manually apply the NCI, NUS, and EUC licenses. Perform the following steps to use these
licenses:

Procedure

1. After the cluster is successfully deployed, register the cluster to a Prism Central instance.

Note: You can register this cluster to an existing Prism Central instance or deploy a new Prism Central
on this cluster.

For more information, see Registering Cluster with Prism Central and Installing a new Prism Central.

2. If you are using a free trial for NC2, you can only select AOS as the option during the free trial period.
If you are ready to switch your cluster type from AOS to NCI, subscribe to NC2 by following the
instructions listed in NC2 Subscription Workflow.

Cloud Clusters (NC2) | NC2 Payment Methods | 71

3. If you have an already running cluster with AOS legacy licensing, then while using the new portfolio
licenses, you must switch the license type to NCI before manually applying the new portfolio licenses in
Prism Central.

Note: You must perform this step with every NC2 cluster that use the new portfolio licenses, for both
general purpose and VDI clusters.

Perform the following steps to change the license type from AOS to NCI:

a. Sign in to the NC2 console: https://cloud.nutanix.com

b. In the Clusters page, click the name of the cluster for which you want to update the license type.
c. On the Settings page, click the Cluster Configuration tab.

Figure 36: Switch to NCI License

d. Your current selection of AOS license type is displayed. Click Switch to NCI.

Cloud Clusters (NC2) | NC2 Payment Methods | 72

 Figure 37: Switch to NCI Manual Steps
e. Click Switch to NCI Licensing to confirm the switch of license type to NCI.
Ensure that you want to switch to NCI, as you would not be able to switch back to AOS after
switching to NCI.

4. If you already have the following licenses that you are ready to use, you can manually apply these
licenses by following the procedures described in Applying and Managing Cloud Platform Licenses.

• Nutanix Cloud Infrastructure (NCI)

• Nutanix Cloud Manager (NCM)
• Nutanix Cloud Platform (NCP, bundle of NCI and NCM)
• Nutanix Unified Storage (NUS)
• Nutanix Database Service (NDB)
• Nutanix End User Computing (EUC)
If you do not have these licenses, you can also convert your legacy AOS licenses to the new NCI
licenses. For more information, see Converting to Cloud Platform Licenses.

Legacy Portfolio Licenses

While Nutanix is transitioning from our legacy portfolio packaging, you can still use the legacy portfolio
licenses for your NC2 clusters. Overages above the license capacity used can be paid using a subscription
plan and will be invoiced directly by Nutanix. For more information on the pricing that will be used to charge
for overages above legacy AOS license capacity, see NC2 Pricing.
Under the legacy portfolio licenses, you can reserve AOS Pro, AOS Ultimate, Files, and VDI Ultimate
license for NC2 on AWS. These licenses are automatically applied to the cloud clusters to cover their
configuration and usage. Rest of the legacy portfolio licenses can be manually applied to an NC2 cluster.

Cloud Clusters (NC2) | NC2 Payment Methods | 73

Reserving License Capacity

Note: License reservation is required for AOS (legacy) licenses and the associated Advanced Replication
and Data-at-Rest Encryption add-ons. License reservation is not required for NCI licenses and the
associated Advanced Replication and Data-at-Rest Encryption add-ons, as you need to manually apply the
NCI licenses.
You do not need to delete the license reservation when terminating an NC2 cluster if you intend to
use the same license reservation quantity for a cluster you might create in the future.

To reserve licenses for NC2, do the following:

Procedure

1. Sign in to the Nutanix Support portal at https://portal.nutanix.com and then click the Licenses link on
the portal home page. You are redirected to the Licensing portal.

2. Under Licenses on the left pane, click Active Licenses and then click the Available tab on the All
Active Licenses page.

Figure 38: Active Licenses Page

3. Select the licenses that you want to reserve for NC2 and then select Update reservation for Nutanix
Cloud Clusters (NC2) from the Actions list.

Note: This option becomes available only after you select at least one license for reservation.

Cloud Clusters (NC2) | NC2 Payment Methods | 74

 4. On the Manage Reservation for Nutanix Cloud Clusters (NC2) page, click the hamburger icon
available in the row of the license you want to reserve, and then click Edit.

Figure 39: Manage License Reservation

5. Enter the number of licenses that you want to reserve in the Reserved for AWS and Reserved for
Azure columns for the license. The available licenses appear in the Total Available to Reserve
column.

6. Click Save to save the license reservations.

Reclaiming a CBL License

Your reserved licenses can only be used on an NC2 cluster provided the license reservation is active.
When you terminate or hibernate a cloud cluster, the license capacity that was being used by that cloud
cluster is returned to the reserved licenses pool and can be used for any other NC2 cluster.
If you want to use the reserved license for an on-prem cluster, ensure that you update the capacity that
was reserved for cloud clusters to zero so that it can be used by on-prem clusters.
To reclaim the NC2 license and use the license for an on-prem cluster, perform the following steps:

Procedure

1. Terminate your cluster from the NC2 console. For more information, see Terminating a Cluster.

2. Update the license reservation for the NC2 cluster under Reserved for AWS or Reserved for Azure
columns as 0 on the Licensing portal. For more information, see Modifying License Reservations.

3. Your license capacity is now available for use with any other Nutanix cluster, including on-prem clusters.

Managing Licenses
Follow these steps to manage licenses and change license type or add add-on products to your running
NC2 cluster.

Procedure

1. Sign in to the NC2 console: https://cloud.nutanix.com

2. In the Clusters page, click the cluster name for which you want to update the add-on product selection.

Cloud Clusters (NC2) | NC2 Payment Methods | 75

 3. On the Settings page, click the Cluster Configuration tab.

Figure 40: Manage add-on products

4. Under Software Configuration, you can change your license tier Pro to Ultimate or vice versa from the
Software Tier list.

5. Under Add-on Products, based on the cluster type (General Purpose or VDI cluster) and the license
tier, the available add-on products are displayed. Select or remove the add-on product based on your
requirements.

6. Click Save.

Subscription Plans for NC2

You have a choice of paying directly to Nutanix or using your cloud marketplace account to pay for NC2
software usage.
NC2 is a multicloud product, and you must have a payment method on file to pay for NC2 usage on all
supported clouds. The default payment method is Nutanix Direct subscription for both NC2 on AWS and
NC2 on Azure.
If you choose not to use your cloud marketplace account to pay for NC2, your entire NC2 usage, including
NC2 on Azure and AWS, is billed to the payment method for your Nutanix Direct subscription.

Table 11: NC2 Subscription Plans

Subscription Plan Description Payment Method

Nutanix Direct subscription for NC2 on AWS

Cloud Clusters (NC2) | NC2 Payment Methods | 76

 Subscription Plan Description Payment Method
Pay As You Go You are billed every month for When you choose to pay for your NC2
the NC2 software usage of usage directly to Nutanix, you can use
that month. There is no term one of the following payment methods:
commitment in this plan.
• Credit Card – Allows you to
Cloud Commit A consumption-based subscription
purchase a payment plan using
in which you pay a certain amount
your credit card details.
upfront for a one-year term (min
$10,000) in return for discounted • ACH Bank Transfer – Allows
billing over the Pay As You you to pay using your ACH bank
Go rate. The discounted rate transfer details. The ACH payment
is based on your commitment method is available only if the bill-
amount, and your monthly usage to address of your organization is
is drawn down from your upfront in the United States of America.
annual payment. This annual Nutanix enables the ACH bank
payment can be used to cover transfer payment method to you
Nutanix software usage across all either after at least one positive
supported cloud platforms. The credit card transaction or if you
unused amount does not roll over make a request to use this payment
to the next year. method through your Nutanix sales
representative.
• Invoice Me – Direct invoicing by
Nutanix at the end of every billing
cycle. You need to discuss with your
account team if you prefer to be
invoiced by Nutanix.

Cloud Marketplace subscription for NC2 on AWS

Nutanix licenses and You can work with your Nutanix The full $ value of your Nutanix
associated overages Account Manager and Nutanix software licenses goes towards
reseller to get a customized meeting your AWS spend
offer based on your specific commitments that may be part of your
needs for NC2 consumption. AWS Enterprise Discount Program
You can subscribe to NC2 and (EDP). You need to pay the total cost
pay for the required Nutanix of Nutanix software for the entire
Cloud Infrastructure (NCI) Pro duration of any multi-year license
and Ultimate licenses and End contract in a single upfront payment.
User Computing (EUC) Ultimate
licenses from AWS Marketplace.

Note: For more information on pricing, see https://www.nutanix.com/products/nutanix-cloud-clusters/

pricing.

NC2 Subscription Workflow

To continue to use NC2 after the trial period ends, you must subscribe to NC2. You can also subscribe to
NC2 anytime during your free trial period.
You can subscribe to NC2 from the My Nutanix dashboard > Administration > Billing Center > Launch.
In the Billing Center, under Nutanix Cloud Clusters, click Subscribe Now.
At the beginning of the subscription steps, the following options are presented:

Cloud Clusters (NC2) | NC2 Payment Methods | 77

 • Would you like to use your existing Nutanix capacity-based licenses?
You can choose to use your Nutanix licenses to cover your NC2 usage. You still need to select a
subscription plan to cover any overage above your reserved license capacity.

Note: Ensure that you have reserved enough license capacity for NC2 if you plan to use Nutanix
licenses for NC2 usage. For more information on the license reservation process, see Reserving
License Capacity.

• How would you like to pay for overage above any reserved license capacity?
You have a choice of paying directly to Nutanix or using your cloud marketplace account to pay for NC2
software usage.
Based on your answers to the above questions, you are presented with the appropriate subscription steps.
The following sections describe the most common subscription workflows.

• Nutanix Direct Subscription: Use this workflow when you want to use your Nutanix licenses and a
Nutanix Direct subscription to pay for NC2 on AWS and NC2 on Azure consumption. You pay directly to
Nutanix and have the ability to choose between two plans - Pay As You Go or Cloud Commit.
For more information, see Nutanix Direct Subscription.
• Cloud Marketplace Subscription: Use this workflow when you want to use Nutanix licenses and a Cloud
marketplace subscription.
For more information, see Subscribe to NC2 From AWS Marketplace.

Nutanix Direct Subscription

Perform the following procedure to pay for NC2 on AWS and NC2 on Azure consumption with a Nutanix
Direct subscription plan:

Procedure

1. Sign in to https://my.nutanix.com using your My Nutanix credentials.

Cloud Clusters (NC2) | NC2 Payment Methods | 78

2. Select the correct workspace from the Workspace dropdown list on the My Nutanix dashboard. For
more information on workspaces, see Workspace Management.

Figure 41: Selecting a Workspace

3. Perform one of the following:

• On the My Nutanix dashboard, scroll down to Administration > Billing Center and click Launch.
In the Billing Center, under Nutanix Cloud Clusters, click Subscribe Now.
• On the NC2 console, click the Nutanix billing center link in the banner displayed on the top of the
NC2 console.
You are directed to the Nutanix Billing Center.

Cloud Clusters (NC2) | NC2 Payment Methods | 79

4. At the beginning of your subscription steps, the Would you like to use your existing Nutanix
Capacity based licenses?: option is presented.

Figure 42: Payment Plan - Pay directly to Nutanix

• Select Yes, use my reserved license capacity to cover NC2 usage if you want to use Nutanix
licenses for NC2. You must reserve the exact amount of Nutanix licenses capacity from the Nutanix
License portal.
If you select this option, the reserved license capacity is used to cover the NC2 usage first, and
once the licenses are consumed, any overage is charged to the subscription plan you select in the
next step.
You can click Reserve your license capacity from the License Portal now to reserve licenses
for the NC2 usage.
• Select Don’t use licenses. Invoice all NC2 usage to my subscription plan option if you do not
want to use any licenses for NC2. All NC2 usage will be charged to the subscription plan that you
select in the next step.

5. Next, the How would you like to pay for overage above any reserved license capacity? option is
presented.

• Pay directly to Nutanix: The NC2 software usage on all supported clouds (AWS and Azure) is
paid to a single subscription plan.
• Pay via Cloud Marketplace: The cloud marketplace subscription option is only available for NC2
on Azure.
Select Pay directly to Nutanix and then click Next.

Cloud Clusters (NC2) | NC2 Payment Methods | 80

6. Click Next.

Figure 43: Payment Plan - Reserve Existing Licenses

7. On the next screen, the payment plan is presented to you based on the choices made in the previous
step.

Figure 44: Pay directly to Nutanix

Select the type of payment plan for your Nutanix cluster:

• Pay As You Go (For NC2 on AWS and Azure): Provides a plan in which you are billed at the end
of each month for the NC2 usage for that month without any term commitments.
• Cloud Commit (For NC2 on AWS and Azure): Provides a payment plan in which you pay upfront
for a year and receive a discount over the PAYG rate. In the Upfront Commitment box, commit

Cloud Clusters (NC2) | NC2 Payment Methods | 81

 a certain amount upfront to cover your usage of NC2. A minimum of $10,000 is required for the
Cloud Commit plan. Discounting tiers are based on commitment amount.
Click Next.

8. On the Company Details page, type the details about your organization and then click Next.
Nutanix Cloud Services considers the address that you provide in the Address 1 and Address 2
fields as the Bill To Address and uses this location to determine your applicable taxes.
If the address where you consume the Nutanix services is different than your Bill To Address, under
the Sold to Address section, clear the Same information as provided above checkbox and then
provide the address of the location where you use the Cloud services. However, only the Bill To
Address is considered to determine your applicable taxes.

9. On the Payment Method page, select one of the following payment methods, and then click Next.

• Credit Card: Enter your credit card details.

• ACH Bank Transfer: Enter your Automated Clearing House (ACH) bank transfer details. You
must discuss with your account team if you prefer to use the ACH Bank Transfer option. The ACH
payment method is available only if the bill-to address of your organization is in the United States
of America, and you must at least have made one positive payment from your account for the
same or any other service.
• Invoice Me: Direct invoicing by Nutanix at the end of every billing cycle. You must discuss with
your account team if you prefer to be invoiced by Nutanix.

10. On the Review & Confirm page, review all the details, click Edit next to each section if you want to
edit any of the details.

11. (Optional) If you have received a promotional code from Nutanix, type the code in the Promo code
field and click Apply.

12. Click Accept & Place Order.

A message confirming the success of your subscription displays. You also receive a confirmation
email. You can now begin using the NC2.

What to do next
You can now begin using the NC2.
You can do one of the following:

• Proceed to NC2: Start using the NC2 service.

• Go to Billing Center: Proceed to the Billing page of your cloud services account.
• Go to Admin Center: Proceed to the administration page of your cloud services account.

Subscribe to NC2 From AWS Marketplace

Nutanix provides a convenient and cost-beneficial way to pay for NC2 through AWS Marketplace. You can
work with your Nutanix Account Manager and Nutanix reseller to get a customized private offer for Nutanix
licenses or subscription plans and pay for Nutanix Cloud Infrastructure (NCI) Pro, NCI Ultimate licenses,
or End User Computing (EUC) Ultimate licenses included in your customized private offer through AWS
Marketplace.
For more information on AWS Marketplace Private Offers, see AWS Documentation.
When you subscribe to NC2 using a private offer sent to you through AWS Marketplace, you will be
invoiced by AWS. The full $ value of your Nutanix software licenses goes towards meeting your AWS

Cloud Clusters (NC2) | NC2 Payment Methods | 82

spend commitments that might be part of your AWS Enterprise Discount Program (EDP). You need to pay
the total cost of Nutanix software for the entire duration of any multi-year license contract in a single upfront
payment.

Note: Any overages above the license capacity purchased through AWS Marketplace will also be billed
through AWS Marketplace, and the same discounted rate used for the initial license purchase through AWS
Marketplace will be used to calculate the billable amount for overages. The overages will be billed and
invoiced monthly by AWS.
You must manually apply NCI and EUC licenses to Prism Central to manage your NC2 clusters.
For more information, see Applying NCI, EUC, and NUS Licenses.

Perform the following steps to subscribe to NC2 from the AWS marketplace:

Procedure

1. Contact your Nutanix Account Manager with your NC2 sizing requirements, such as the number of
licenses required and the term for usage.
Your Nutanix Account Manager works with a Nutanix reseller, if applicable, to create customized
pricing and convert that into a private offer in AWS Marketplace. Once the offer is ready for you to
accept through AWS Marketplace, you will receive an email from the Nutanix reseller with the private
offer details, including the pricing that is specific to you.

Note: You need to provide your AWS billing account details to the Nutanix Account Manager. You can
find your billing account ID in the AWS Management Console.

2. Sign in to the AWS Marketplace console and click the Private Offer URL in the email you receive from
the Nutanix reseller.
Alternatively, in the AWS Marketplace console, navigate to the Private offers page > Available
offers > select the Offer ID for the offer of interest, and click View offer.

Figure 45: Available private offers

You are redirected to the Nutanix Cloud Clusters (NC2) listing page, where you need to configure
your software contract.

Cloud Clusters (NC2) | NC2 Payment Methods | 83

3. Under Offer selection, select the private offer to view its terms and pricing information.

Figure 46: Configure your software contract

4. Under How long do you want your contract to run?, review the tenure of your contract.

5. Under Dates, review the Service start date, Service end date, and Offer expiration date. You
must accept the offer before the offer expiration date.

Cloud Clusters (NC2) | NC2 Payment Methods | 84

6. Under Renewal Settings, review the terms related to the automatic renewal of your contract expiry.

Note: You can contact your Nutanix reseller when you need to renew the contract.

Figure 47: Contract options

7. Under Contract Options, review the number of units you want to purchase for the required Nutanix
licenses.

8. Under Additional Usage Fees, review the pay-as-you-go monthly charges for additional usage.
You will be charged this rate for any NC2 usage on AWS above the license capacity you purchase.

9. Review the Total Contract Price.

The Total Contract Price changes based on the number of units under Contract Options.

10. Click Create contract.

You are redirected to the payment screen.

Cloud Clusters (NC2) | NC2 Payment Methods | 85

11. Click Pay now to make the payment for your contract price.

Figure 48: Pay for your contract price

12. After successful payment, click Set up your account to set up your billing subscription with NC2.

Figure 49: Set up your Nutanix billing subscription

13. You are redirected to the Nutanix Billing Center to complete your NC2 Billing configuration.

Cloud Clusters (NC2) | NC2 Payment Methods | 86

14. When you are redirected to My Nutanix Billing Center, sign in with your My Nutanix account
credentials.

Note: If you do not already have an existing My Nutanix account, you must sign up for a new My
Nutanix account and verify the email address used to sign up for My Nutanix. After verifying your email
address, you will be automatically redirected to My Nutanix Billing Center. For more information, see
Creating My Nutanix Account.

15. Select the correct workspace from the Workspace list on the My Nutanix dashboard.
The workspace should be the same workspace you used when creating NC2 clusters. For more
information on workspaces, see Workspace Management.

16. Click Add Addresses to add your billing address and the address where the NC2 subscription will be
used.

Figure 50: Billing and service address

Cloud Clusters (NC2) | NC2 Payment Methods | 87

 17. On the Add Address page, type the details about your organization and then click Save.
The address you provide in the Address 1 and Address 2 fields are considered as the Bill To
Address.
If the address where you consume NC2 is different than your Bill To Address, under the Address
where service will be provided section, clear the Same information as provided above checkbox
and then provide the address of the location where you use NC2.

Figure 51: Add addresses

18. Click Accept and Continue to NC2.

You are redirected to the NC2 console: https://cloud.nutanix.com

19. Sign in with your My Nutanix credentials.

Changing Payment Method

You can update your existing payment plan at any time. Changes to the payment plan can take effect
either immediately, or at the end of the current billing schedule depending on your existing plan.
The following options are available if you want to change your payment plans:

Cloud Clusters (NC2) | NC2 Payment Methods | 88

• Change the selection to use reserved licenses:

• Add your reserved Nutanix licenses for NC2 usage.

• Remove the selection for using the reserved licenses and just use the subscription plans.
• Change the existing subscription plan: You can change your payment plan for the following:

• Switch from the Pay directly to Nutanix - Pay As You Go payment plan to the Pay directly to Nutanix
- Cloud Commit payment plan.

Note: You cannot change the Cloud Commit plan to Pay As You Go plan.

Perform the following steps to change the existing payment plan:

1. Sign in to https://my.nutanix.com using your My Nutanix credentials.
2. Select the correct workspace from the Workspace dropdown list on the My Nutanix dashboard. For
more information on workspaces, see Workspace Management.

Figure 52: Selecting a Workspace

3. On the My Nutanix dashboard, scroll down to Administration > Billing Center and click Launch.

Cloud Clusters (NC2) | NC2 Payment Methods | 89

4. Under Subscriptions, next to Nutanix Cloud Clusters, click View plan details.

Figure 53: View plan details

5. Under NC2, click Change under Subscription Plan section.

Figure 54: Change subscription plan

Cloud Clusters (NC2) | NC2 Payment Methods | 90

 6. Click Change under Reserved Licenses to make the necessary changes to the use of reserved
Nutanix licenses or your subscription plan.

Figure 55: Change reserved licenses capacity

7. Change the subscription plan based on your requirements.
8. Click Activate & Place Order to save the changes in the subscription plan selection.

Canceling the Subscription Plan

When you cancel your Pay As You Go plan, your plan is deactivated at the end of the current billing
schedule. You can revoke the cancellation of your plan at the most two times before the plan is
deactivated. You cannot revoke the cancellation after the plan has been deactivated. Nutanix bills you for
the usage of the NC2 service from the time you cancel the plan until the end of the current billing schedule.
Your Cloud Commit subscription expires one year from the subscription start date. Any amount paid upfront
is not refundable and there is no rollover of unused amount if you want to renew your Cloud Commit
subscription.
Perform the following procedure to cancel your subscription plan:

Procedure

1. Sign in to your My Nutanix account.

Cloud Clusters (NC2) | NC2 Payment Methods | 91

2. Select the correct workspace from the Workspace dropdown list on the My Nutanix dashboard. For
more information on workspaces, see Workspace Management.

Figure 56: Selecting a Workspace

3. On the My Nutanix dashboard, go to Administration > Billing Center and click Launch.

4. Under Subscriptions, in Nutanix Cloud Clusters, click View plan details.

Figure 57: View plan details

Cloud Clusters (NC2) | NC2 Payment Methods | 92

5. Under NC2, next to the Subscription Plan, click Cancel.

Figure 58: Cancel a Subscription Plan

6. In the Cancel Plan dialog, click Yes, Cancel to cancel the subscription plan or click Nevermind to
close the Cancel Plan dialog.

7. In the Share Your Feedback dialog, you can specify your reasons to cancel the plan, and click Send.

What to do next
Your plan is deactivated at the end of the current billing schedule. The Cancel Plan dialog displays the
date on which your plan is scheduled to be deactivated.

Note: You can revoke the cancellation of your plan at the most two times before the plan is deactivated.

Figure 59: NC2 - Revoke Cancellation

Cloud Clusters (NC2) | NC2 Payment Methods | 93

Billing Management
The Billing Summary page allows you to do the following:

• Update your payment method and company information.

• Change the primary and secondary billing contacts.
Both primary and secondary billing contacts receive all billing and payment-related communications,
such as invoices, subscription updates, and reminders.

Note: Only the primary billing contact can modify any billing or subscription details.

• Upload tax documents.

• Apply promotional codes.
• Download invoices.
• Manage the subscription of NC2, which includes the following:

• If you have applied the Nutanix software licenses, you can change the licenses allocated to NC2.
• View details about the unbilled amount for the current month.
• View details of usage, such as rate, quantity, and the amount charged for each entity (CPU hours,
public IP address hours, disk size, and memory hours) for each cluster.
For more information on how to manage billing, see Nutanix Cloud Services Administration Guide.

Viewing Billing and Usage Details

The Subscriptions tab on the Billing Center displays information about the estimated total spend and total
usage for your current and the last two billing cycles of NC2. You can see a breakdown of all your unbilled
spend and usage in the Analytics graph and the summary table displayed on the page.
The Subscriptions - NC2 page displays the following details:

• Details about the rate, quantity, and amount charged per unit for a selected billing cycle. You can check
the details for the current and last two billing cycles.
• Details about the usage of clusters by units of measure for a selected billing cycle.
Perform the following procedure to display the billing and usage details of NC2:
1. Sign in to your My Nutanix account.

Cloud Clusters (NC2) | NC2 Payment Methods | 94

2. Select the correct workspace from the Workspace dropdown list on the My Nutanix dashboard. For
more information on workspaces, see Workspace Management.

Figure 60: Selecting a Workspace

3. On the My Nutanix dashboard, go to Administration > Billing Center, and click Launch.
4. Under Subscriptions, in Nutanix Cloud Clusters, click View plan details.
5. Select one of the following to either view the billing details or the usage details.

• Spend: Displays a graph detailing your estimated daily spending for a selected billing cycle. You
can check details for the current and last two billing cycles. You can apply filters to the graph for
individual units of measure. A summary table with detailed information about the current billing cycle
is also displayed.
• Usage: Displays an estimate of your total usage for the billing cycle that you select. You can filter the
usage by clusters and units of measure. Individual units of measure are a breakdown of total usage
on the latest day of the billing cycle that you select. You can apply filters to see more details, such
as usage information of each cluster and find out whether a usage is processed through licensing or
subscription.
Select the billing period on the top-right corner of the usage graph to see the total usage for the
selected billing cycle in the form of a graph.
Under Usage broken down by individual units of measure, click Clusters, and then select
a cluster ID and choose a unit of measure to see the total usage of each cluster for a selected
billing cycle in a graphical view. Hover over the bars in the graph to see the number of licenses and
subscriptions you used.
Click Units and select a unit of measure to see the total usage of all the clusters by that unit of
measure.
A breakdown of the total usage of the same billing cycle you selected is displayed in a table after the
graph. You can view the usage graph for three billing cycles.

Note: You can also download this table as a CSV file.

Cloud Clusters (NC2) | NC2 Payment Methods | 95

 Figure 61: Usage Details

Using the Usage Analytics API

You can use the https://usage-api.nutanix.com/data API to access the usage analytics for your
Nutanix clusters running in AWS. With this API you can get the details on usage data. For an effective rate
card, you would need to check the invoices.
Perform the following steps to use the Usage Analytics API:

Cloud Clusters (NC2) | NC2 Payment Methods | 96

Procedure

1. Create an API key:

a. Sign in to https://my.nutanix.com with your My Nutanix account.

b. In the My Nutanix dashboard, go to the API Key Management tile and click Launch.
c. If you have previously created API keys, a list of keys is displayed. To create a new key, click Create
API Keys. The Create API Key dialog appears.

Figure 62: Creating an API Key

d. Select or enter the following details:

• Name: Enter a unique name for your API key to help you identify the key.
• Scope: Select the Usage Analytics scope category under Billing from the Scope drop-down
list.
e. Click Create. The Created API dialog is displayed.

Cloud Clusters (NC2) | NC2 Payment Methods | 97

 Figure 63: Created API Key
f. Copy the API Key and Key ID field values and store them securely for use. You can use the
clipboard button to copy the value to your clipboard.

Note: You cannot recover the generated API key and key ID after you close this dialog.

For more details on API Key management, see the API Key Management section in the Licensing
Guide.

Cloud Clusters (NC2) | NC2 Payment Methods | 98

2. Generate a JSON Web Token (JWT) token for authentication to call the REST APIs. You can clone the
script from https://github.com/nutanix/generate-jwt-key.

Note: This step uses Python to generate a JWT token. You can use other programming languages, such
as Javascript and Golang.

a. Run the following command to install the PyJwt package:

pip install PyJWT==2.3.0

b. Replace the API Key and Key ID in the following Python script and then run it to generate a JWT
token. Also, you can specify expiry time in seconds for the JWT token to remain valid. In the
requesterip attribute, enter the requester IP.
from datetime import datetime
from datetime import timedelta
import base64
import hmac
import hashlib
import jwt

api_key = "enter the API Key" # API_KEY

key_id = "enter the Key ID" # KEY_ID
aud_url = "https://apikeys.nutanix.com"

def generate_jwt():
curr_time = datetime.utcnow()
payload = {
"aud": aud_url,
"iat": curr_time,
"exp": curr_time + timedelta(seconds=120),
"iss": key_id,
"metadata": {
"reason": "fetch usages",
"requesterip": "enter the requester IP",
"date-time": curr_time.strftime("%m/%d/%Y, %H:%M:%S"),
"user-agent": "datamart"
}
}
signature = base64.b64encode(hmac.new(bytes(api_key, 'UTF-8'), bytes(key_id,
'UTF-8'), digestmod=hashlib.sha512).digest())
token = jwt.encode(payload, signature, algorithm='HS512',
headers={"kid": key_id})
print("Token (Validate): {}" .format(token))

generate_jwt()

c. A JWT token is generated. Copy the JWT token on your system for further use. The JWT token can
be used as an Authorization header when validating the API call. The JWT token remains valid for
the duration that you have specified.

Cloud Clusters (NC2) | NC2 Payment Methods | 99

3. In the headers, add the generated JWT token with key as X-API-KEY and hit the Usage Analytics
API:
Usage Analytics supports two queries.

• getFilters - to get the filters associated with a usage

• getUsages - to get the usages of a subscription
In the following queries are in graphQL query language. The accountid attribute in the query is specific
for a user.

• accountid is the tenantuuid of the user.

• startdate is the start date of the usages to fetch.
• end date is the end date of the usages to fetch.
• appid is the service type. It can be NUTANIX_CLUSTERS or MSP.
Query to getFilters for a cluster:
'https://usage-api.nutanix.com/data' \
--
header 'X-API-KEY: <enter your JWT token>' \
--header 'Content-Type: application/json' \
--data-raw '{
"query": "query { getFilters (appid: \"NUTANIX_CLUSTERS\", accountid: \"enter
account ID\", sno: \"\", startdate: \"2021-12-06\", enddate: \"2022-01-05\"){ data
{ metereditem, value1, dimension1 } } }"
}'
Query to getUsages from a specific clusterID:
{
"query": "query { getUsages (appid: \"MSP\", accountid: \"e**e**c3-e5fe-****-
b746-*****2d393fa\", value1: \"000*****-5d0b-****-0000-0000000***80\", startdate:
\"2022-07-11\", enddate: \"2022-08-11\") { data { metereditem, value1, startdate,
enddate, qty } } }"
}
Here, value1 is clusterID. The usages returned are specific to this clusterID.
Query to getUsage for Unit of Measure (UOM):
{
"query": "query { getUsages (appid: \"MSP\", accountid: \"e**e**c3-e5fe-****-b746-
*****2d393fa\", value1: \"000*****-5d0b-****-0000-0000000***80\", metereditem:
\"UOM_PPC_AOS_PRO_CORE_1H\" startdate: \"2022-07-11\", enddate: \"2022-08-11\")
{ data { metereditem, value1, startdate, enddate, qty } } }"
}
Here, metereditem is the UOM. The usages returned are specific to this UOM.
The following is an example of the API response:
{
"data": {
"getUsages": {
"data": [
{
"metereditem": "UOM_PPC_AOS_PRO_CORE_1H",
"value1": "000*****-5d0b-****-0000-0000000***80",
"startdate": "2022-07-11",
"enddate": "2022-07-11",
"qty": 2484
},

Cloud Clusters (NC2) | NC2 Payment Methods | 100

{
"metereditem": "UOM_PPC_AOS_PRO_CORE_1H",
"value1": "000*****-5d0b-****-0000-0000000***80",
"startdate": "2022-07-11",
"enddate": "2022-07-12",
"qty": 108
},
]
}
},
"success": true
}

Cloud Clusters (NC2) | NC2 Payment Methods | 101

USER VM NETWORK MANAGEMENT AND
SECURITY
Nutanix Cloud Clusters (NC2) natively integrates the AWS networking infrastructure. This means Nutanix
clusters run in the AWS VPC without any overlay networking and consume all underlying AWS networking
resources natively. For this, the network management of the clusters running in AWS is tightly integrated
with AWS by using the AWS SDK APIs.
AHV networking workflow continues to work seamlessly when a cluster is running in AWS with the
following changes to the User VM (UVM) networks:

• You create UVM networks by specifying a CIDR value that matches the CIDR value of the AWS subnet.
• NC2 supports only AHV managed networks.
• UVMs use only the DHCP servers provided by the cluster.
• You do not need to specify the VLAN ID when you are creating a network.
• AWS Gateway is used as the default gateway for the UVM networks and cannot be changed.
Nutanix clusters consume the AWS subnets from Prism Element. You must add the AWS subnets you
created for UVMs as networks by using the Prism Element web console. Before you create networks for
UVMS in Prism Element, create AWS subnets manually either by using the AWS console, AWS Cloud
Formation template, or any other tools of your choice.
Nutanix recommends the following:

• Create private AWS subnets for UVM networks.

See AWS documentation for instructions about how to create a private AWS subnet.
• Do not share AWS subnets between clusters running in the same VPC.
• Have separate subnets for management (AHV and CVM) and user VMs.
• If you plan to use VPC peering, use nondefault subnets to ensure uniqueness across AWS Regions.
• Divide your VPC network range evenly across all usable Availability Zones in a Region.
• In each Availability Zone, create one subnet for each group of hosts that has unique routing
requirements (for example, public versus private routing).
• Size your VPC CIDR and subnets to support significant growth.

Creating a UVM Network

The subnets you create in AWS for Nutanix clusters are referred to as networks in a Nutanix cluster
running in AWS. After you create a cluster in AWS by using the NC2 console, you can add the AWS
subnets as networks to the Nutanix cluster by using the Prism Element or Prism Central web console.

Note: In NC2 on AWS with AOS 6.6.x, while creating a subnet from the Settings > Network Configuration
> Subnets tab, the list of (AWS) Cloud Subnets does not appear. As a workaround, you can add the Cloud
Subnets using Network Prefix Length and Gateway IP Address based on Cloud Subnet CIDR.

Cloud Clusters (NC2) | User VM Network Management and Security | 102

Creating a UVM Network using Prism Element

Before you begin

Ensure that you create the subnet in AWS first before you add it to the Nutanix cluster. The AWS network
must be in the same AZ as the Nutanix cluster.
To learn more about setting up AWS subnets for use in Prism Element web console, see the Nutanix
University video.

About this task

To create a UVM network in the Prism Element web console, perform the following:

Procedure

1. Sign in to the Prism Element web console.

2. You can navigate to the Create Subnet dialog box in any of the following way:

• Click Network Config on the VM Dashboard.

• Click the gear icon in the main menu and select Network Configuration in the Settings page. The
Network Configuration window appears.

Figure 64: Add an AWS Network

Cloud Clusters (NC2) | User VM Network Management and Security | 103

3. On the Subnets tab, click Create Subnet.
The Create Subnet dialog box appears.

Figure 65: Add an AWS Network

Do the following in the indicated fields:

a. Subnet Name: Enter a name for the subnet.

b. Review the Cloud VPC, Associated VPC CIDR(s), and Cloud Availability Zone of the VPC where
the cluster is created and to which the cloud subnets belong.
c. Select the desired cloud subnet from the Cloud Subnet list. You can search the subnets by Subnet
ID or Subnet CIDR blocks.
d. When you select the cloud subnet, the following details are populated under IP Address
Management:

• Network Prefix Length: Associated VPC CIDR of the cloud subnet that you have selected.
• Gateway IP Address: Gateway IP address of the cloud subnet that you have selected.

Note: IP Address Management is enabled by default and indicates that the network is an AHV
managed network. AHV networking stack manages the IP addressing of the UVMs in the network.

e. Under IP Address Pools, provide the following details:

You can choose to define the range of IP addresses to be used on the network for automatic
assignment to UVMs by AHV. Optionally, you can choose to leave this field blank, in which case it is
populated with the default DHCP pool range valid in AWS. The first four and last IP addresses from

Cloud Clusters (NC2) | User VM Network Management and Security | 104

 the CIDR block are reserved for use by AWS. Additionally, the last (IP address - 1) from the CIDR
block is reserved for the AHV managed DHCP server.
To define a range of addresses for automatic assignment to virtual NICs, click Create Pool (under IP
Address Pools) and enter the following in the Add IP Pool dialog box:

• Network IP Prefix: The associated VPC CIDR of the cloud subnet that you have selected is
populated.
• Start Address: Enter the starting IP address of the range.
• End Address: Enter the ending IP address of the range.
• Click Submit to close the window and return to the Create Subnet dialog box.
f. Under DHCP Settings, provide the following details:

• DHCP Settings: Select this checkbox to define a domain. When this checkbox is selected, the
fields to specify DNS servers and domains are displayed. Clearing this checkbox hides those
fields.
• Domain Name Servers (comma separated): Enter a comma-delimited list of DNS servers. If
you leave this field blank, the cluster uses the IP address of the AWS VPC DNS server.
• Domain Search (comma separated): Enter a comma-delimited list of domains.
• Domain Name: Enter the domain name.
• TFTP Server Name: Enter the hostname or IP address of the TFTP server from which virtual
machines can download a boot file. It is required in a Pre-boot execution Environment (PXE).
• Boot File Name: Enter the name of the boot file to download from the TFTP server.

4. Click Save to configure the network connection, close the Create Subnet dialog box.

Creating a UVM Network using Prism Central

About this task

Ensure that you create the subnet in AWS first before you add it to the Nutanix cluster. The AWS network
must be in the same AZ as the Nutanix cluster.
To create a UVM network in the Prism Central web console, perform the following:

Procedure

1. Sign in to the Prism Central web console.

2. Click the entities menu in the main menu, expand Network & Security, and then select Subnets. The
Subnets window appears.

Cloud Clusters (NC2) | User VM Network Management and Security | 105

3. On the Subnets tab, click Network Config. The Network Configuration dialog box appears. On the
Subnets tab, click Create Subnet.

Note: Ensure that you do not use the Create Subnet option displayed adjacent to the Network Config
option on the Subnets window.

Figure 66: Add an AWS Network using Prism Central

4. On the Create Subnet dialog box, provide the required details in the indicated fields:

• Name: Enter a friendly name for the subnet.

• Type: Cloud type is selected by default.
• Cluster: Select the cloud cluster to which the cloud subnet belongs.
• Review the Cloud Availability Zone, Cloud VPC, VPC Address Space (Associated VPC
CIDR(s)) details of the VPC where the cluster is created and to which the cloud subnets belong.
• Map to Cloud Subnet: Select the desired cloud subnet from the Cloud Subnet list. You can search
the subnets by Subnet ID or Subnet CIDR blocks.

Note: AHV Subnets are mapped to the Cloud Subnets.

• IP Address Management: When you select the cloud subnet, the following details are populated
under IP Address Management:

• Network Prefix Length: Associated VPC CIDR of the cloud subnet that you have selected. This
maps to the CIDR block on the Cloud subnet.
• Gateway IP Address: Gateway IP address of the cloud subnet that you have selected.

Note:
IP Address Management is enabled by default and indicates that the network is an AHV
managed network. AHV networking stack manages the IP addressing of the UVMs in the
network.

• IP Address Pools: Provide the following details:

You can choose to define the range of IP addresses to be used on the network for automatic
assignment to UVMs by AHV. Optionally, you can choose to leave this field blank, in which case it is
populated with the default DHCP pool range valid in AWS. The first four and last IP addresses from

Cloud Clusters (NC2) | User VM Network Management and Security | 106

 the CIDR block are reserved for use by AWS. Additionally, the last (IP address - 1) from the CIDR
block is reserved for the AHV managed DHCP server.
To define a range of addresses for automatic assignment to virtual NICs, click Create Pool (under IP
Address Pools) and enter the following in the Add IP Pool dialog box:

• Network IP Prefix: The associated VPC CIDR of the cloud subnet that you have selected is
populated.
• Start Address: Enter the starting IP address of the range.
• End Address: Enter the ending IP address of the range.
• Click Submit to close the window and return to the Create Subnet dialog box.
• DHCP Settings: Select the DHCP Settings checkbox to define a domain. Select this checkbox to
define a domain. When this checkbox is selected, the fields to specify DNS servers and domains are
displayed. Provide the following details:

• Domain Name Servers (comma separated): Enter a comma-delimited list of DNS servers. If
you leave this field blank, the cluster uses the IP address of the AWS VPC DNS server.
• Domain Search (comma separated): Enter a comma-delimited list of domains.
• Domain Name: Enter the domain name.
• TFTP Server Name: Enter the hostname or IP address of the TFTP server from which virtual
machines can download a boot file. It is required in a Pre-boot eXecution Environment (PXE).
• Boot File Name: Enter the name of the boot file to download from the TFTP server.

Cloud Clusters (NC2) | User VM Network Management and Security | 107

 Figure 67: Add an AWS Network using Prism Central

5. Click Save to configure the network connection, close the Create Subnet dialog box.

Updating a UVM Network

If you modify the UVM network, AOS only updates the network attributes that are specific to the cluster.
This operation does not update the underlying AWS subnet.
You can update a UVM network by using the Prism Element or Prism Central web console.

Updating a UVM Network using Prism Element

About this task

Perform the following procedure to update a UVM network:

Procedure

1. Sign in to the Prism Element web console.

Cloud Clusters (NC2) | User VM Network Management and Security | 108

 2. Do one of the following:

• Click the gear icon in the main menu and select Network Configuration in the Settings page. The
Network Configuration window appears.
• Go to the VMs dashboard and click the Network Config button.

3. On the Network Configuration window, select the UVM network you want to update and click the
pencil icon on the right.
The Update Network dialog box appears, which contains the same fields as the Create Network
dialog box (see Creating a UVM Network using Prism Element on page 103).

4. Update the field values as desired.

You can change the CIDR only if no UVM is configured on the existing CIDR. CIDR disassociates UVM
network from existing AWS subnet and associates with AWS subnet with new CIDR (if found).

5. Click Save to update the network configuration and return to the Network Configuration window.

6. To delete a UVM network, in the Network Configuration window, select the UVM network you want to
delete and click the X icon (on the right).
A window prompt appears to verify the action; click OK. The network is removed from the list.

Note: This operation does not delete the AWS subnet associated with the UVM network.

Updating a UVM Network using Prism Central

About this task

Perform the following procedure to update a UVM network:

Procedure

1. Sign in to the Prism Central web console.

2. Click the entities menu in the main menu, expand Network & Security, and then select Subnets. The
Subnets window appears.

3. On the Subnets window, click Network Config. The Network Configuration dialog box appears. On
the Network Configuration window, select the UVM network you want to update and click the pencil
icon on the right.
The Update Subnet dialog box appears, which contains the same fields as the Create Subnet dialog
box. See Creating a UVM Network using Prism Central on page 105.

4. Update the field values as desired.

You can change the CIDR only if no UVM is configured on the existing CIDR. CIDR disassociates UVM
network from existing AWS subnet and associates with AWS subnet with new CIDR (if found).

5. Click Save to update the network configuration.

6. To delete a UVM network, in the Network Configuration window, select the UVM network you want to
delete and click the X icon on the right.
A window prompt appears to verify the action; click OK. The network is removed from the list.

Note: This operation does not delete the AWS subnet associated with the UVM network.

Cloud Clusters (NC2) | User VM Network Management and Security | 109

Using EC2 Instances on the Same Subnet as UVMs
You can choose to use EC2 instances for running applications or services on the same AWS subnet used
by a cluster.
In such use cases, you must block the IP addresses of the EC2 instances from AHV IPAM by using the
following aCLI commands:

• net.add_to_ip_blacklist: Blocks IP addresses for a managed network.

• net.delete_from_ip_blacklist: Removes IP addresses from the blocklist of a managed network.

See the Command Reference guide for detailed information about how to block an IP address on a
managed network.
The cluster does not use the IP addresses blocked by using AHV IPAM for any UVM vNIC assignments.

AWS Elastic Network Interfaces (ENIs) and IP Addresses

AHV assigns IP addresses to vNICs of UVMs from a DHCP pool configured on an AHV-managed network.
The vNIC IP addresses are natively integrated with AWS Elastic Network Interfaces (ENI) and are
configured as secondary IP addresses on ENI by the AHV networking service. ENI creation mandates a
primary IP address, which must be allocated from AHV IPAM. ENI primary IP addresses are never used as
vNIC IP addresses for use by UVMs. For this reason, you may notice reduced availability of IP addresses
for use by UVMs from what is configured in the DHCP pool.

Note: ENIs can have upto 49 secondary IP addresses and NC2 implements sharing of ENIs for vNIC IP
addresses until the ENI IP address capacity is reached.

Bare-metal instances support up to 15 ENIs. One ENI is dedicated for AHV or CVM connectivity and the
rest of the 14 ENIs are dynamically created as UVMs are powered on or migrated to the AHV node. Note
that an ENI belongs to a single AWS subnet and so UVMs from more than 14 subnets on a given AHV
node is not supported.
To learn more about the number of AWS ENIs on bare metal instances, see AWS Documentation.

Adding a Virtual Network Interface (vNIC) to a User VM

Network interfaces added to UVMs are referred to as vNICs. You can add vNICs to a UVM at the time of
creating or updating a UVM. Add at least one vNIC to a UVM for network reachability. You can add multiple
vNICs from the same or different UVM networks to a UVM.

About this task

Before you begin

Ensure the following before you add an NIC to a VM:
1. Create a subnet in AWS for the user VM.
2. Add that subnet to the cluster as a network as described in Creating a UVM Network using Prism
Element on page 103.

About this task

You must add the NIC to the VM when you are creating the VM in the Prism Element web console.
Perform the following procedure to add a vNIC to a VM:

Procedure

1. Sign in to the Prism Element web console.

Cloud Clusters (NC2) | User VM Network Management and Security | 110

 2. See the Creating a VM (AHV) topic in the Prism Web Console Guide to proceed with creating a VM in
the cluster.

3. In the Create VM dialog box, scroll down to Network Adaptors (NIC) and click Add New NIC.

4. In the Network Name drop-down list, select the UVM network to which you want to add the vNIC.

5. Select (click the radio button for) Connected or Disconnected to connect or disconnect the vNIC to
the network.

6. The Network Address / Prefix is a read-only field that displays the IP address and prefix of the
network.

7. In the IP address field, enter an IP address for the NIC if you manually want to assign an IP address to
the vNIC.
This is an optional field. Clusters in AWS support only managed networks. Therefore, an IP address to
the vNIC is automatically assigned if you leave this field blank.

8. Click Add to create the vNIC.

Enabling Outbound Internet Access to UVMs

Enable outbound internet access to UVMs by using a NAT gateway.

About this task

By default, the cluster is deployed in a private subnet in AWS with a NAT gateway and load balancer if you
choose to create a new VPC when you are creating a cluster. However, if you choose to deploy a cluster
on an existing VPC, manually configure a NAT gateway.
In AWS, perform the following to enable outbound internet access to UVMs:

Note: See the AWS documentation for instructions about how to perform these tasks.

Procedure

1. Create a public subnet in the VPC in which your cluster is deployed.

2. Create a NAT gateway, associate the gateway with the public subnet, assign a public elastic IP address
to the NAT gateway.

3. Create a route table and add a route to that route table with the target as the NAT gateway (created in
step 2).

4. Add the route table you created in step 3 with the private subnet you have created for UVMs.

5. Sign in to the Prism Element web console.

6. Create a UVM network as described in Creating a UVM Network using Prism Element on page 103.

7. Go to the UVM in the Prism Element web console and add a vNIC to the UVM by using the AWS private
subnet as described in Adding a Virtual Network Interface (vNIC) to a User VM on page 110.
Your UVM can now access the internet.

Enabling Inbound Internet Access to UVMs

Enable inbound internet access to an application running on NC2 by using a physical load balancer.

Cloud Clusters (NC2) | User VM Network Management and Security | 111

About this task
By default, the cluster is deployed in a private subnet in AWS with a NAT gateway and load balancer if you
choose to create a new VPC when you are creating a cluster. However, if you choose to deploy a cluster
on an existing VPC, manually configure a load balancer and use the domain name of the network load
balancer for internet access.
You can instead create a network load balancer in AWS and use the domain name of the network load
balancer.

Note: Additional AWS charges might apply for the use of a network load balancer. Check with your AWS
representative before you create a network load balancer.

Perform the following to create a network load balancer in AWS:

Procedure

1. Sign in to your AWS account.

2. Create a network load balancer.

See Getting Started with Network Load Balancers for information about how to create a network load
balancer in AWS.
Ensure the following when you are creating a network load balancer in AWS:

a. Set the Scheme to internet-facing.

b. For Listeners, select the TCP port depending on your application. For example, select the TCP
port 443 for a Hycu VM.
c. For Availability Zones, select the availability zone and VPC you used to create a cluster in AWS
through NC2.
d. Select a public subnet in the VPC.
e. Skip the Configure Security Settings step.
f. In the Configure Routing page, create a new target group.
g. Set Protocol to TCP, Port to a number depending on your application, and Target type to ip.

Note: Make sure the port you want to access is open in an inbound policy of the security group
associated with bare-metal instances of the cluster.

h. For Health checks, retain the default protocol.

i. Proceed to Register targets.
j. For Network, select Other private IP address, select the availability zone you used for creating
a cluster in AWS through NC2, and add the IP address and port number of the user VM running on
the cluster.
k. Click Add to list to add this target.
l. Click Preview and after validating all the values, click Create.
Wait until the newly created load balancer becomes active, check the target health, and you can
then use the domain name of this load balancer.

Cloud Clusters (NC2) | User VM Network Management and Security | 112

Deploying a Load Balancer to Allow Internet Access
About this task
Set up a load balancer if your cluster is deployed in an existing VPC to allow internet access to Prism
Central or Prism Element on the CVM.

Note: Additional AWS charges might apply if you use the network load balancer. Check with your AWS
representative before you create a network load balancer.

Perform the following procedure to set up the network load balancer in AWS.

Procedure

1. Sign in to your AWS account.

Cloud Clusters (NC2) | User VM Network Management and Security | 113

2. Create a network Load Balancer.
See Getting Started with Network Load Balancers for more information about how to create a network
load balancer in AWS.
Ensure the following when you create a network load balancer in AWS:

a. Set the Scheme to internet-facing.

b. For Listeners, select the TCP port 9440.
c. For Availability Zones, select the availability zone and VPC you used to create a cluster in AWS
through NC2.
d. Select a public subnet in the VPC.

Note: If you choose a private subnet in the VPC, the Prism Element or Prism Central cannot be
accessed from the Internet.

e. Skip the Configure Security Settings step.

f. In the Configure Routing page, create a new target group and provide a name to the target group.
g. Choose the Target type as IP, set Protocol to TCP and Port number to 9440.

Note: Make sure the port you want to access is open in an inbound policy of the security group
associated with bare-metal instances of the cluster.
The IP address you choose for the target group must be one of the CVM IP addresses
that you can see on the NC2 portal.

h. For Health checks, retain the default protocol.

i. Proceed to Register targets.
j. For Network, select Other private IP address, select the availability zone you used for creating
a cluster in AWS through NC2, and add the CVMs IP address or Prism Central VM IP address and
leave the default port number as 9440.

Note: Nutanix recommends you manually blacklist the virtual IP address configured on Prism
Central to avoid IP address conflicts.

k. Click Add to list to add this target

l. Click Preview and after you validate all the values, click Create.
Wait until the newly created load balancer becomes active, check the target health, and you can
then use the domain name of this load balancer.

What to do next
Note down the DNS name of the load balancer. To find the DNS name, open the load balancer on your
AWS console and then navigate to Description > Basic Configuration. Then to get the IP address of
the load balancer, navigate to Network & Security > Network Interfaces > search the name of the load
balancer and then copy the Primary Private IPv4 address. You would need the load balancer IP address
while modifying the inbound rules under the UVM security group.

Cloud Clusters (NC2) | User VM Network Management and Security | 114

Prism Central UI Access for Site-to-Site VPN Setup
About this task
To configure the Site-to-Site VPN setup, you must enable the inbound access to the Prism Central UI.
To access the Prism Central UI using virtual IP or Prism Central VM IP(s), the TCP port 9440 must be
allowlisted for the Prism Central VM.
Perform the following procedure to allowlist the inbound port for the UVM.

Procedure

1. Sign in to your AWS account.

2. Filter and select the cluster node on which the Prism Central is deployed, and then click the Security
tab.

3. Select the corresponding UVM security group.

4. For the selected UVM security group, in the Inbound rules tab, click Add rule, and then enter the TCP
port as 9440 and the custom source IP as the load balancer IP.

5. Click Save rule..

Cloud Clusters (NC2) | User VM Network Management and Security | 115

NETWORK SECURITY USING AWS
SECURITY GROUPS
AWS security groups offer a firewall-like method of filtering traffic to Elastic Network Interfaces (ENIs)
typically used with EC2 instances, and control the traffic allowed to and from the resources in the VPC
where the security groups are set up. You can add separate rules for each security group by defining
appropriate ports and communication protocols to control inbound and outbound traffic. To learn more
about controlling traffic using security groups, see AWS documentation.
Three default security groups - Internal management, User management, and UVM security group - are
created by the NC2 console at the time of initial cluster creation. The Internal management security group
and User management security groups are attached to ENIs associated with the Management subnet. The
default UVM security group is attached to ENIs associated with the UVM subnet.

Note: These default security groups are created for each cluster. Amending security group rules in one
cluster does not affect the security group rules in another cluster. When you amend inbound and outbound
rules within the default UVM security group, the policies are applied to all UVMs that are part of the cluster.

You can also create custom security groups to more granularly control traffic to your NC2 environment. You
can:

• create a security group that applies to the entire VPC, if you want the same security group rules applied
to all clusters in that VPC.
• create a security group that applies to a specific cluster if you want certain security group rules applied
only to that particular cluster.
• create a security group that applies to a subset of UVMs in a specific cluster, if you want certain security
group rules to only apply those subsets of UVMs.
You must configure Prism Central VM security group and all the UVM security groups in a way that allows
communication between Prism Central VM and UVMs. In a single cluster deployment, the Prism Central
VM and UVM communication is open by default. However, if your Prism Central is hosted on a different
NC2 cluster, then you must allow communication between the Prism Central VM on the cluster hosting
Prism Central and the management subnets of the remaining NC2 clusters.
You do not need to configure security groups for communication between the CVM of the cluster hosting
Prism Central and Prism Central VM.
You cannot deploy Prism Central in the Management subnet. You must deploy Prism Central in a separate
subnet.
Suppose your Prism Central is hosted on a different NC2 cluster (say, NC2-Cluster2). In that case, you
must modify the security groups associated with the management subnet on NC2-Cluster1 to include
inbound and outbound security group rules for communication between the Prism Central subnet on NC2-
Cluster2 and Management subnet on NC2-Cluster1. This might extend to management subnets across
multiple clusters managed by the same Prism Central.

Note: Ensure that all AWS subnets used for NC2, except the Management subnet, use the same route
table. For more information on AWS route tables, see AWS documentation.

For more information on the ports and endpoints the NC2 cluster needs, see Ports and Endpoint
Requirements.
For more details on the default Internal management, User management, and UVM security groups, see
Default Security Groups. For more information on creating custom security groups, see Custom Security
Groups.

Cloud Clusters (NC2) | Network Security using AWS Security Groups | 116
 Perform the following steps to control inbound and outbound traffic:
1. Determine if you want to use the default UVM security group to control inbound and outbound traffic
for all UVMs in the cluster or if you want more granular control over UVM security rules with different
security groups for different UVMs.
2. Edit the default UVM security group to add inbound and outbound rules if you want those rules to apply
to all UVMs on your cluster.
3. You may also create additional custom security groups for more granular control of traffic flow in your
NC2 environment:
1. Create a security group in AWS.
2. Add appropriate tags to the security group. For more details on the tags needed with custom security
groups, see Custom Security Groups.
3. Add rules to enable or restrict inbound and outbound traffic.

Default Security Groups

By default, network security for UVMs is managed by the internal networking service of the cluster. NC2
creates the following default security groups with recommended default rules at the time of cluster creation:

• Internal Management: Controls AHV to CVM communication within a cluster.

• User Management: Controls UVM to CVM communication.
• UVM: Controls external traffic entering or leaving the UVMs.
You can identify the default UVM security group by the following AWS tags:

• Tag: key=nutanix:clusters:cluster-uuid, value=cluster UUID

• Tag: key=nutanix:clusters:networks, value=all-uvms
The following figure shows an example of tags applied for the default UVM security group.

Figure 68: Tags in the default UVM security group

The Internal management, User management, and UVM security groups have the recommended
default rules set up by NC2 at cluster creation. All management ENIs created, even after initial cluster

Cloud Clusters (NC2) | Network Security using AWS Security Groups | 117
 deployment, have the default Internal management (internal_management) and User management
(user_management) security groups attached.

Note: Nutanix recommends that you do not modify Internal management and User management security
groups or change any security group attachments.

All elastic network interfaces (ENIs) for CVMs and the EC2 bare-metal hosts are present on the private
Management subnet.
All UVMs on a cluster are associated with the default UVM security group unless you create additional
UVM security groups. The default UVM security group controls all traffic that enters the ENIs belonging to
the UVM subnets. Additional custom security groups can be created to control traffic at the VPC, individual
cluster, or UVM subnet levels.
To allow communication from external sources to the UVMs, you must modify the default UVM security
group to add new inbound rules for the source IP addresses and the load balancer IP addresses.

Note: Each cluster in the same VPC has its default security group. When you amend inbound and outbound
rules within the default UVM security group, the policies are applied to all UVMs that are part of the cluster.

The default UVM security group is configured to allow the following:

• All outbound traffic.

• Communication between UVMs in the same cluster.
• Traffic from AHV or CVMs over default ports of the cluster.
For more information on the ports, see Ports and Endpoint Requirements.

Custom Security Groups

While you can use the default UVM security group configured for all UVMs in a cluster, you can also create
custom security groups to more granularly control network traffic at the VPC level, individual cluster level,
or individual UVM subnet level. You can create custom security groups by adding the appropriate tags, and
those security groups will get attached to the appropriate ENIs.

Note: NC2 supports the ability to create custom security groups when it uses AOS 6.7 or higher.

A custom security group at the VPC level is attached to all ENIs in the VPC. A custom security group at
the cluster level is attached to all ENIs of the cluster. Custom security groups at the UVM subnet level are
attached to all ENIs of all specified UVM subnets.
You can use custom security groups to apply security group rules across all clusters in a VPC or a specific
cluster or a subset of UVM Subnets in a specific cluster. A custom security group per UVM subnet can
be beneficial when controlling traffic for specific UVMs or restricting traffic between UVMs from different
subnets. To support custom security groups at the UVM subnet level, NC2 assigns tags with key-value
pairs that can be used to identify the custom security groups. For more information about default security
groups for internal management and UVMs, see Default Security Groups.

Note: To be able to increase the custom security groups quota beyond the default limit, you must add the
GetServiceQuota permission to the Nutanix-Clusters-High-Nc2-Cloud-Stack-Prod IAM role. To change
the permissions and policies attached to the IAM role, sign into the AWS Management Console, open the
IAM console at https://console.aws.amazon.com/iam/, and choose Roles > Permissions. For more
information, see AWS documentation.

Cloud Clusters (NC2) | Network Security using AWS Security Groups | 118
 Figure 69: GetServiceQuota permission

The default AWS service quota allows you to create a maximum of five custom security groups per ENI.
Out of the five security groups per ENI quota, one is used for the default UVM security group. You can add
only one custom security group at the VPC level and one custom security group at the cluster level. You
can add the remaining custom security groups at the UVM subnet level.
For example, if you create one custom security group at the VPC level and one at the cluster level, you can
create two security groups at the UVM subnet level, assuming you have the default AWS Service quota
limit of 5 security groups per ENI. Similarly, if you create one security group at the cluster level and no
security group at the VPC level, you can create three security groups at the UVM subnet level.

Note: If you need more security groups, you can contact AWS support to increase the number of security
groups per ENI in your VPC.

The following table lists the AWS tags for custom security groups and the level at which these security
groups can be applied. These three tags have hierarchical order that defines the order in which the
security groups with these tags are honoured. A higher hierarchical tag is a prerequisite for the lower
hierarchical tag, and therefore the higher hierarchical tag must be present in the security group with the
lower hierarchical tag. For example, if you use the networks tag (the lowest hierarchical tag) for a security
group, both the cluster-uuid (middle hierarchical) tag and external (higher hierarchical) tag must also be
present in that security group. Similarly, if you add the cluster-uuid tag, the external tag must be present
in that security group.

Table 12: Tags in custom security groups

Tag Key Value Level Hierarchical order Tags included

in the Security
Group
tag:nutanix:clusters:external
none VPC 1 Highest external
tag:nutanix:clusters:external:cluster-
cluster-uuid Cluster 2 Middle external and
uuid cluster-uuid
tag:nutanix:clusters:external:networks
CIDR1, CIDR2, UVM subnet CIDR 3 Lowest external, cluster-
CIDR3 uuid, and networks

For example, if you want to create a security group to apply rules to all clusters in a certain VPC, you must
attach the following tag to the security group. The tag value can be left blank:

Cloud Clusters (NC2) | Network Security using AWS Security Groups | 119
Table 13: Tag example for VPC-level security group

Tag Key Tag Value

tag:nutanix:clusters:external none

The following figure shows an example of tags applied for the custom security group at the VPC level.

Figure 70: Example for VPC-level security group

If you want to create a security group to apply rules to a cluster with UUID 1234, then you must apply both
of these tags to the security group:

Table 14: Tag example for cluster-level security group

Tag Key Tag Value

tag:nutanix:clusters:external none
tag:nutanix:clusters:external:cluster-uuid 1234

The following figure shows an example of tags applied for the custom security group at the cluster level.

Cloud Clusters (NC2) | Network Security using AWS Security Groups | 120
 Figure 71: Example for cluster-level security group

If you want to create a security group to apply rules to a UVM subnet 10.70.0.0/24 in a cluster with UUID
1234, then you must apply all three of these tags to the security group:

Table 15: Tag example for subnet-level security group

Tag Key Tag Value

tag:nutanix:clusters:external none
tag:nutanix:clusters:external:cluster-uuid 1234
tag:nutanix:clusters:external:networks 10.70.0.0/24

The following figure shows an example of tags applied for the custom security group at the subnet level.

Figure 72: Example for subnet-level security group

Cloud Clusters (NC2) | Network Security using AWS Security Groups | 121
Ports and Endpoints Requirements
This section lists the ports and endpoint requirements for the following:

• Outbound communication
• Inbound Communication
• Communication to UVMs
For more information on the general firewall support requirements, see the Port and Protocols guide.

Requirements for Outbound Communication

There are a few general outbound requirements for deploying a Nutanix cluster in AWS on top of the
existing requirements that on-premises clusters use for support services. The following tables show the
endpoints the Nutanix cluster needs to communicate for a successful deployment. The list of endpoints is
not comprehensive; there are several other endpoints that you might need to allowlist depending on the
Nutanix software components you use and the firewall support requirements. For more information on port
requirements for Nutanix products and services, see the Port and Protocols guide and select the Nutanix
product from the Software Type list.

Note: Many of the destinations listed here use DNS failover and load balancing. For this reason, the IP
address returned when resolving a specific domain may change rapidly. Nutanix cannot provide specific IP
addresses in place of domain names.

Table 16: Cluster Outbound to the NC2 Portal

Source Destination Protocol Purpose

Management subnet https://portal.nutanix.com/* TCP/443 (HTTPS) Nutanix service
portal.
Management subnet https://download.nutanix.com/* TCP/443 (HTTPS) Life Cycle Manager
(LCM) required to
upgrade NCI and
NC2 components.
Management subnet https://insights.nutanix.com/* TCP/443 (HTTPS) Pulse to provide
diagnostic system
data to Nutanix
Support.
Management subnet 169.254.169.123 TCP/443 (HTTPS) NTP server.
Management subnet 169.254.169.254/* TCP/443 (HTTPS) Access the instance
metadata related
to the AWS service
role.
Management subnet https://gateway-external- TCP/443 (HTTPS) The NC2 portal
api.cloud.nutanix.com/* orchestration.
Management subnet https://downloads.cloud.nutanix.com/ TCP/443 (HTTPS) Download NC2
clusters/* RPMs.

Cloud Clusters (NC2) | Network Security using AWS Security Groups | 122
Table 17: Cluster Outbound to EC2

Source Destination Protocol Purpose

Management subnet ec2.<region>.amazonaws.com/* TCP/443 (HTTPS) Access the AWS
metadata.
For example, a cluster in
us-west-2 requires ec2.us-
west-2.amazonaws.com/*.

Requirements for Inbound Communication

The following ports are open by default in the User management security group for inbound traffic to the
cluster management services such as CVM and AHV.

Table 18: Cluster Outbound to the NC2 Portal

Description Protocol Port Source: Any Source: User-

UVM in Cluster provided Range
SSH to CVM and TCP 22 default: allow default: allow
hypervisor
Prism web TCP 80 default: allow default: allow
console
Prism web TCP/UDP 9440 default: allow default: allow
console
Cluster remote TCP 80 default: allow default: allow
support
Cluster remote TCP 8443 default: allow default: allow
support
Nutanix Move TCP/UDP 111 default: allow default: allow
Nutanix Move TCP/UDP 2049 default: allow default: allow
NTP Service UDP 123 default: allow default: allow
Disaster recovery TCP 2009 default: allow default: allow
Disaster recovery TCP 2020 default: allow default: allow
Stargate iscsi TCP 3205 default: allow default: allow
access for Files
Stargate iscsi TCP 3260 default: allow default: allow
access for Files
Files Services TCP 7501 default: allow default: allow
Citrix MCS TCP 9440
NGT tools TCP 9440 default: allow default: allow
NGT tools TCP 2073 default: allow
NGT tools TCP 2074 default: allow default: allow
NGT UVM TCP 5000 (dynamic), default: allow default: allow
23578.

Cloud Clusters (NC2) | Network Security using AWS Security Groups | 123
 Figure 73: Inbound Rules in User Management Security Group

Figure 74: Outbound Rules in User Management Security Group

Requirements for Communication to UVMs

The following ports are opened by default in the UVM security group during cluster creation to enable
communication between the CVM and UVMs.

Table 19: Open Ports

Description Protocol Number Source: User

Management Security
Group
SSH TCP 22 default: allow
CVM to file server VMs TCP 2027 default: allow
(FSVM) management
CVM to file server TCP 2090 default: allow
Cluster configuration TCP 2100 default: allow
Files Services TCP 7501 default: allow
Files Services TCP 7502 default: allow
RESP API and Prism TCP 9440 default: allow
access
Communication between TCP 30900 and 30990 default: allow
AOS and Multicloud
Snapshot Technology
(MST)

Cloud Clusters (NC2) | Network Security using AWS Security Groups | 124
Description Protocol Number Source: User
Management Security
Group
Prism Central to Prism TCP 9300 and 9301 default: allow
Element communication
Note: You must
manually open
these ports in
the default UVM
security group.

Figure 75: Inbound Rules in UVM Security Group

Figure 76: Outbound Rules in UVM Security Group

Cloud Clusters (NC2) | Network Security using AWS Security Groups | 125
CLUSTER MANAGEMENT
Modify, update, manually replace, display AWS events, hibernate, resume and delete NC2 running on AWS
by using NC2 console.

Updating the Cluster Capacity

You can expand the cluster by adding more nodes to the cluster or shrink the cluster by removing nodes
from the cluster.
You can use a combination of instance types while expanding the cluster capacity of an already running
cluster.

• i3.metal, i3en.metal, i4i.metal: Any combination of these instance types can be mixed, subject to
the bare-metal availability in the region where the cluster is being deployed.
• z1d.metal, m5d.metal, m6id.metal: Any combination of these instance types can be mixed, subject
to the bare-metal availability in the region where the cluster is being deployed.
For more details, see Creating a Heterogeneous Cluster.

Note: The tasks to add or remove nodes are executed sequentially while updating the capacity of a cluster.

Before you begin

Ensure the following before you expand the cluster:

• Your cluster is at least a three-node cluster.

• Your cluster is in a Running state.
• Your AWS subscription has enough quotas (such as vCPUs).

About this task

Note: You must update the cluster capacity by using the NC2 console only. Support to update the cluster
capacity by using the Prism Element web console is not available.
When expanding an NCI cluster beyond what the NCI license covers, you need to purchase
and manually apply additional license capacity. Contact your Nutanix account representative to
purchase an additional license capacity.

Follow these steps to update the capacity in your cluster:

Procedure

1. Sign in to the NC2 console: https://cloud.nutanix.com

2. In the Clusters page, click the name of the cluster for which you want to update the capacity.

Cloud Clusters (NC2) | Cluster Management | 126

3. Do one of the following:

• Navigate to the Settings tab and click Capacity.

• Click Update Capacity under the Actions drop-down list in the Cloud Summary section.

Figure 77: Update Capacity

4. Under Host Configuration, specify the following details:

• Host type. The instance type used during initial cluster creation is displayed.
• Number of Hosts. Click + or - depending on whether you want to add or remove nodes from the
cluster.

Note: A maximum of 28 nodes are supported in a cluster. NC2 supports 28-node cluster deployment
in AWS regions that have seven placement groups. Also, there must be at least three nodes in a
cluster for RF2 and five nodes when RF3.
Nutanix recommends that the number of hosts should match the RF number or multiples of
the RF number that has been selected for the base cluster.

• Add Host Type: Depending on the instance type used for the cluster, the other compatible instance
types are displayed. For example, if you have used i3.metal node for the cluster, then i3en.metal,
and i4i.metal instance types are displayed.

Note: You can create a heterogeneous cluster using a combination of i3.metal, i3en.metal, and
i4i.metal instance types or z1d.metal, m5d.metal, and m6id.metal instance types.

The Add Host Type option is disabled when no compatible node types are available in the region
where the cluster is deployed.

Note: UVMs that have been created and powered ON in the original cluster running a specific node
or a combination of compatible nodes, as listed below, cannot be live migrated across different node

Cloud Clusters (NC2) | Cluster Management | 127

types when other nodes are added to the cluster. After successful cluster expansion, all UVMs must be
powered OFF and powered ON to enable live migration.

• If z1d.metal is present in the heterogeneous cluster either as the initial node type of the
cluster or as the new node type added to an existing cluster.
• If i4i.metal is the initial node type of the cluster and any other compatible node is added.
• If m6id.metal is the initial node type of the cluster and any other compatible node is added.
• If i3en.metal is the initial node type of the cluster and the i3.metal node is added.

Figure 78: Host Configuration

Cloud Clusters (NC2) | Cluster Management | 128

 5. Under Redundancy, select the redundancy factor:
The redundancy factor (RF) selected during initial cluster creation is displayed.

• RF 1. Data is not replicated across the cluster for RF1. The minimum cluster size must be 1.
• RF 2. The number of copies of data replicated across the cluster is 2. The minimum cluster size
must be 3.
• RF 3. Number of copies of data replicated across the cluster is 3. The minimum cluster size must be
5.

6. Under Service Quotas, the service quotas for AWS resources under your AWS quota are displayed.
Click Check quotas to verify the cluster creation or expansion limits.

7. Click Save. The Increase capacity? or Reduce capacity? dialog appears based on your choice to
expand or shrink the cluster capacity in the previous steps.

8. Click Yes, Increase Capacity or Yes, Reduce Capacity to confirm your action.

Note: The cluster expansion to the target capacity might fail if enough AWS nodes are unavailable in the
current region. The NC2 console will automatically retry to provision the nodes. If the error in provisioning
the nodes is consistent, you should check with your AWS account representative to ensure enough
nodes are available from AWS in your target AWS region and Availability Zone.
Ensure that all VMs on the nodes you want to remove must be turned off before performing the
node removal task.
You can cancel any pending operations to expand the cluster capacity and try to expand the
cluster capacity with a different instance type. See Creating a Heterogeneous Cluster for more
details.

What to do next
For more information when you see an alert in the Alerts dashboard of the Prism Element web console or
if the Data Resiliency Status dashboard displays a Critical status, see Maintaining Availability: Node and
Rack Failure.

Manually Replacing a Host

If any issue occurs in a host in a cluster, you can choose to replace that host. The replace host operation
first adds a new host to the cluster, migrates the VMs running on the host you want to replace with the
newly added host, and then removes the host you want to replace.

About this task

Note: The replace host operation is not supported in a single-node cluster.

To replace a host in a cluster, perform the following:

About this task

Note: If a host turns unhealthy and you add another host to a cluster for evacuation of data or VMs, AWS
charges you additionally for the new host.

Procedure

1. Sign in to NC2 from the My Nutanix dashboard.

Cloud Clusters (NC2) | Cluster Management | 129

 2. In the Clusters page, click the name of the cluster.

3. In the Hosts page, click the ellipsis of the corresponding host you want to replace, and click Replace
Host.

4. In the Replace Host dialog box, specify why you want to replace the host and click Confirm.

What to do next
For more information when you see an alert in the Alerts dashboard of the Prism Element web console or
if the Data Resiliency Status dashboard displays a Critical status, see Maintaining Availability: Node and
Rack Failure.

Creating a Heterogeneous Cluster

NC2 on AWS allows you to use a combination of i3.metal, i3en.metal, and i4i.metal instance types
or z1d.metal, m5d.metal, and m6id.metal instance types while creating a new cluster or expanding the
cluster capacity of an already running cluster.
NC2 on AWS allows you to create a heterogeneous cluster depending on the following conditions:

• NC2 on AWS supports a combination of i3.metal, i3en.metal, and i4i.metal instance types or
z1d.metal, m5d.metal, and m6id.metal instance types. The AWS region must have these instance
types supported by NC2 on AWS. For more information, see Supported Regions and Bare-metal
Instances.

Note: You can only create homogenous clusters with g4dn.metal; it cannot be used to create a
heterogeneous cluster.

• Nutanix recommends that the minimum number of additional nodes should be equal to or greater
than your cluster's redundancy factors (RF), and the cluster should be expanded in multiples of RF for
the additional nodes. A warning is displayed if the number of nodes is not evenly divisible by the RF
number.
• UVMs that have been created and powered ON in the original cluster running a specific node or a
combination of compatible nodes, as listed below, cannot be live migrated across different node types
when other nodes are added to the cluster. After successful cluster expansion, all UVMs must be
powered OFF and powered ON to enable live migration.

• If z1d.metal is present in the heterogeneous cluster either as the initial node type of the cluster or
as the new node type added to an existing cluster.
• If i4i.metal is the initial node type of the cluster and any other compatible node is added.
• If m6id.metal is the initial node type of the cluster and any other compatible node is added.
• If i3en.metal is the initial node type of the cluster and the i3.metal node is added.
• You can expand or shrink the cluster with any number of i3.metal, i3en.metal, and i4i.metal
instance types or z1d.metal, m5d.metal, and m6id.metal instance types as long as the cluster size
remains within the cap of a maximum of 28 nodes.

Note: You must update the cluster capacity using the NC2 console. You cannot update the cluster capacity
using the Prism Element web console.

For more information on how to add two different node types when expanding a cluster, see Updating the
Cluster Capacity.

Cloud Clusters (NC2) | Cluster Management | 130

Hibernate and Resume in NC2
You can hibernate your NC2 cluster running on AWS if you will not be using it for an extended period of
time. Once the cluster is hibernated, your data is stored in Amazon S3 buckets, and all instances in the
cluster are stopped and released to AWS. This operation can deliver cost savings for your AWS cluster
when you do not need the cluster in a running state while keeping your data and metadata safe in your S3
buckets.
An S3 bucket is created at the time of cluster creation, which remains empty until the Hibernate feature is
used. When the Hibernate feature is used, all data from your NC2 cluster is placed in the S3 bucket. Once
the cluster is resumed, data is hydrated back onto hosts but also stays in the S3 bucket as a backup.
The S3 bucket gets created with a policy that grants s3:GetObject, s3:PutObject, s3:DeleteObject,
s3:ListBucket, s3:ListBucketVersions, and s3:DeleteBucket permissions to the user.

The default encryption, Amazon S3 managed keys (SSE-S3), is enabled for the S3 bucket.

Note: The S3 buckets used must not be publicly accessible.

You can use a gateway endpoint for connectivity to Amazon S3 without using an internet gateway or a NAT
device for your VPC. For more information, see AWS VPC Endpoints for S3.
Hibernate and resume feature is generally available with the AOS 6.5.1 version. All previously hibernated
clusters running AOS 6.0.1 or prior versions must be resumed once and then upgraded to AOS 6.5.1 or
later versions to hibernate the cluster again in future. Henceforth, if you want to use the GA version of this
feature, upgrade to AOS 6.5.1 version.
After you hibernate your cluster, you will not be billed for any Nutanix software usage or the AWS bare-
metal instance for the duration the cluster is in the hibernated state. However, you may be charged
by AWS for the data stored in Amazon S3 buckets for the duration the cluster is hibernated. For more
information about the Amazon S3 billing, see the AWS documentation.
NC2 does not consume any of your reserved license capacities while a cloud cluster is in the hibernated
state. Once a cloud cluster is resumed, an appropriate license will be automatically applied to the cluster
from your reserved license pool, provided that enough reserved capacity is available to cover your cluster
capacity. To learn more about license reservations for cloud clusters, visit Reserving License Capacity on
page 74.
You can hibernate and resume a single-node and three or more node clusters.

Note: You cannot hibernate the clusters that are protected by the Cluster Protect feature. You must stop
protecting the cluster before triggering hibernation.
You cannot hibernate a cluster if any of the following conditions are met:

• The cluster is protected.

• The cluster is hosting Prism Central, which is protecting other clusters.
To hibernate a cluster that is not hosting Prism Central, you must first unprotect the cluster. To
hibernate a cluster that is hosting Prism Central, you must first unprotect the cluster, and all other
clusters managed by Prism Central and then turn off Prism Central.

For more architectural details on the hibernate/resume operation, visit the Tech Note for NC2 on AWS.

Hibernating Your NC2 Cluster

You can hibernate a cluster that is in a running state. After you hibernate a cluster, your data will be stored
in an Amazon S3 bucket and AWS bare-metal nodes will be stopped.

Note: The encryption will be enabled by default on all S3 buckets used for hibernation.

Cloud Clusters (NC2) | Cluster Management | 131

 Before you begin
To avoid unexpected issues, you must shut down all user VMs, Prism Central, and Files servers before
hibernating your Nutanix cluster running on AWS. See the Nutanix Files User Guide for instructions on how
to stop a Files cluster.

About this task

To hibernate your cluster, perform the following steps.

Procedure

1. Sign in to NC2 from the My Nutanix dashboard.

2. Click on the cluster that you want to hibernate. The cluster summary page will open.

3. Select the Actions dropdown and, click Hibernate.

Figure 79: Hibernate a cluster

4. In the Hibernate cluster "Cluster Name" dialog box, review the hibernation guidelines and limitations,
and then type the name of the cluster in the text box.

5. Click Hibernate Cluster.

Visit the Nutanix Hibernate and Resume walkthrough video for more details. The time required to
hibernate your cluster depends on the amount of data in your cluster. Your cluster is hibernated when
the status of the cluster changes to Hibernated.

Resuming an NC2 Cluster

You can resume a cluster that is in a hibernated state. After you resume a cluster, your data is recovered
from the Amazon S3 bucket in the same state it was before you hibernated it.

Note: Your data is retained in S3 buckets for 6 days post a successful resume operation.
When a hibernated cluster is resumed, it returns to the same licensing state it had before entering
hibernation. The IP addresses of hosts and CVMs remain the same as pre-hibernate.

Cloud Clusters (NC2) | Cluster Management | 132

 About this task
To resume a cluster, perform the following:

Procedure

1. Sign in to NC2 from the My Nutanix dashboard.

2. Select the hibernated cluster that you want to resume, and click Resume Cluster.

Figure 80: Resume a cluster

3. In the Resume "Cluster Name" dialog box, click Resume Cluster.

Wait for the status to change to Running and click one of the cluster IP addresses to launch the Prism
Element web console. Visit the Nutanix Hibernate and Resume walkthrough video for more details.

Limitations in Hibernate and Resume

To prevent the hibernate operation from getting stuck or failing, consider the following limitations and take
appropriate action:

• Do not attempt failover, failback, VM restore or create new DR configurations during hibernate or
resume. Any such running operations might fail if you start hibernating a cluster.
• Disable SyncRep schedules from Prism Central for a cluster that is used as a source or target for
SyncRep before hibernating that cluster. Failure to do so might result in data loss.
• Ensure that no ongoing synchronous or asynchronous replications are happening when you initiate the
cluster hibernation.
• Disable existing near-sync/minutely snapshots and do not configure new minutely snapshots during
the hibernate or resume operation. You may have to wait until the data of the minutely snapshots
gets garbage collected before trying to hibernate again. The waiting period could be approximately 70
minutes.
• Remove remote schedules of protection policies and suspend remote schedules of protection domains
targeting a cluster until the cluster is hibernated.

Cloud Clusters (NC2) | Cluster Management | 133

 • Snapshot retention is not guaranteed after the cluster has been resumed. Long-term snapshot retention
is subject to hibernate and resume durations and retention policies.
• If a node in the cluster goes down or degrades, or the CVM goes down, the hibernate or resume
operation might not succeed.
• Hibernate and resume works for Autonomous Extent Store (AES) containers only. For NC2 on AWS,
every container is automatically enabled with AES.

Terminating a Cluster
You can terminate an NC2 cluster if you do not want to use the cluster anymore.

Note: You should only terminate the clusters from the NC2 console and not from your public cloud console.
If you try to terminate the cluster or some nodes in the cluster from your cloud console, then NC2 will
continue to attempt to re-provision your nodes in the cluster.
You do not need to delete the license reservation when terminating an NC2 cluster if you intend to
use the same license reservation quantity for a cluster you might create in the future.

Note: Ensure that the cluster on which Prism Central is deployed is not deleted if Prism Central has multiple
Prism Elements registered with it.

To terminate an NC2 cluster, perform the following procedure.

Procedure

1. Sign in to NC2 from the My Nutanix dashboard.

2. Go to the Clusters page, click the ellipsis in the row of the cluster you want to terminate, and click
Terminate.

3. In the Terminate tab, select the confirmation message to terminate the cluster.

Figure 81: Terminate an NC2 cluster

Multicast Traffic Management

NC2 leverages the multicast capability of AWS Transit Gateway to support multicast traffic. You can enable
dynamic multicast group membership to forward multicast traffic between subnets of a VPC where NC2 is
running. The transit gateway controls how traffic is routed among all the connected spoke networks using
AWS route tables.

Cloud Clusters (NC2) | Cluster Management | 134

IP Multicast allows efficient one-to-many and many-to-many traffic by sending IP traffic to a group of
interested receivers in a single transmission. The use of IP Multicast helps maintain an efficient network as
the source sends a single copy of IP traffic irrespective of the number of receivers. The interested receivers
subscribe to a Multicast group. The group is dynamic because interested receivers can join or leave the
group as required. For more information on AWS Transit Gateway, see AWS Documentation. For more
information on how to enable multicast and configure AWS Transit Gateway for multicast, see Configuring
AWS Transit Gateway for Multicast.

Note: Multicast traffic is disabled by default in NC2. You can enable multicast traffic for each cluster so that
clusters running in AWS do not drop the multicast traffic egressing from AHV.
UVMs use Internet Group Management Protocol (IGMP) for subscribing to multicast groups.
When a subnet is added to the AWS Transit Gateway Multicast domain, AWS snoops all the
IGMP traffic on the ENI within the added subnets and maintains a multicast state to route the
multicast traffic to intended users. When multicast traffic is enabled for UVMs, clusters running
in AWS do not drop the multicast traffic egressing from AHV. A set of hosts that send and
receive the same multicast traffic is called a multicast group. The multicast traffic is routed to the
subscribed UVMs for a given multicast group based on the multicast membership table.

For more information on multicast concepts, see Multicast on transit gateways - Amazon VPC, and on how
to manage multicast domains and groups, see Managing multicast domains - Amazon VPC and Managing
multicast groups - Amazon VPC.
For multicast traffic to work in NC2, IGMP snooping must be enabled on AHV so that AHV can send
multicast traffic to only subscribed UVMs. If IGMP snooping is disabled, AHV will send multicast traffic to
all UVMs, which might be undesirable. This unwanted traffic results in consuming more computing power,
slowing down normal functions, and making the network vulnerable to security risks. With IGMP snooping
enabled, networks use less bandwidth and operate faster.

Note: A default virtual switch is created automatically when multicast is enabled. You can enable or disable
IGMP snooping only for the UVMs attached to the default virtual switch. You cannot enable or disable IGMP
snooping at the subnet level. All UVMs associated with the default virtual switch will have IGMP snooping
enabled or disabled. Multicast traffic is supported only for UVM subnets and not for CVM (management
cluster) subnets. For instructions, see Enabling or Disabling IGMP Snooping.

When a UVM with multicast traffic enabled is migrated to another NC2 node in the same cluster, multicast
traffic can be forwarded to that UVM even after migration.
The following figure shows a typical topology where both the multicast sender and receiver are in the same
VPC. Various scenarios with different multicast senders and receivers are described below.

Figure 82: Multicast traffic with the multicast sender and receiver are in the same VPC

In this example, the AWS transit gateway is configured on AWS Subnet X. The UVMs in Blue are in
Subnet X, and the UVMs in Green are in Subnet Y. EC2 instance can be any AWS-native (non-bare metal)

Cloud Clusters (NC2) | Cluster Management | 135

compute instance, outside of NC2. All the components shown in this example, other than the EC2-native
instance, belong to a single cluster.
A multicast sender is a host that sends multicast traffic; it can be any EC2-native instance or any UVM on
an NC2 host with IGMP snooping enabled. A multicast receiver is a host that receives multicast traffic;
it can be any EC2-native instance and UVMs that share a subnet. UVMs that are not configured as the
receiver will still receive multicast traffic if snooping is disabled when those UVMs share the subnet with
a UVM that is configured as a receiver UVM. UVMs that are not configured as a receiver and that are
not sharing the subnet with another UVM that is configured as a receiver will not receive multicast traffic
regardless of the snooping status.
The following table shows how multicast traffic will be routed for different senders and receivers based on
the IGMP snooping status.

Table 20: Multicast traffic routing for multicast senders and receivers

Configured Multicast Configured Multicast IGMP Snooping Status Multicast Traffic Status
Sender Receivers
EC2-native UVM1, UVM2, UVM4 Enabled Traffic from the sender
(EC2-native) is received
by the configured
receivers UVM1, UVM2,
and UVM4.
EC2-native UVM1, UVM2, UVM4 Disabled Traffic from EC2-native is
received by:

• All UVMs on NC2-

Host1 that share the
subnet with UVM1/
UVM2. This includes
UVM1, UVM2, and
UVM3.
• All UVMs on NC2-
Host2 that share the
subnet with UVM4.
This includes UVM4,
UVM5, and UVM6.

UVM8 UVM1, UVM2, UVM4 Enabled Traffic from UVM8

is received by the
configured receivers
UVM1, UVM2, and
UVM4.

Cloud Clusters (NC2) | Cluster Management | 136

Configured Multicast Configured Multicast IGMP Snooping Status Multicast Traffic Status
Sender Receivers
UVM8 UVM1, UVM2, UVM4 Disabled Traffic from UVM8 is
received by:

• All UVMs on NC2-

Host1 that share
the subnet with
configured receiver
UVM1/UVM2, that is,
UVM1, UVM2, UVM3.
• All UVMs on NC2-
Host2 that share
the subnet with
configured receiver
UVM4, that is, UVM4,
UVM5, and UVM6.
• Also, UVM9 receives
traffic because UVM9
is sharing a subnet
with the sender
UVM8 on NC2-Host3.

UVM8 or EC2-native None Enabled or Disabled No UVM or EC2-

instance native receives traffic
because no receivers are
configured.
UVM7 UVM1, UVM2, UVM4 Enabled Traffic from UVM7
is received by the
configured receivers
- UVM1, UVM2, and
UVM4.

Note: When
IGMP Snooping
is enabled,
traffic from the
multicast sender
is received only
by the multicast
receivers.

Cloud Clusters (NC2) | Cluster Management | 137

Configured Multicast Configured Multicast IGMP Snooping Status Multicast Traffic Status
Sender Receivers
UVM7 UVM1, UVM2, UVM4 Disabled Traffic from UVM7 is
received by:

• All UVMs on NC2-

Host1 that share
the subnet with the
configured receiver
UVM1/UVM2, that is,
UVM1, UVM2, UVM3.
• All UVMs on NC2-
Host2 that share
the subnet with the
configured receiver
UVM4, that is, UVM4,
UVM5, and UVM6.
• All UVMs that share
a subnet with the
sender UVM7 on
NC2-Host3. In this
case, no such UVM
is available on NC2-
Host3.

UVM8 EC2-native instance on Enabled Configured receiver

Subnet Y EC2-native instance on
Subnet Y receives traffic.
UVM8 EC2-native instance on Disabled Traffic from UVM8 is
Subnet Y received by:

• Configured receiver
EC2-native instance
on Subnet Y.
• UVM9 because it
shares the subnet
with the sender
UVM8 on NC2-Host3.

The following figure shows an example topology where both the multicast sender and receiver are in
different VPCs.

Cloud Clusters (NC2) | Cluster Management | 138

 Figure 83: Multicast traffic with the multicast sender and receiver are in different VPCs

The transit gateway is configured on Subnet X in VPC 1. The transit gateway allows connecting different
VPCs (for example, Subnet X in VPC 1 to Subnet Y in VPC 2). The following table shows how multicast
traffic will be routed for certain senders and receivers based on the IGMP snooping status.

Table 21: Multicast traffic routing for multicast senders and receivers

Configured Multicast Configured Multicast AOS IGMP Snooping Multicast Traffic Status
Sender Receiver/s Status
EC2-native2 / UVM3 UVM1, EC2-native1 Enabled Traffic from the sender
is received by the
configured receivers
UVM1 and EC2-native1.

Note: When
IGMP Snooping
is enabled,
traffic from the
multicast sender
is received only
by the multicast
receivers.

EC2-native2 UVM1, EC2-native1 Disabled Traffic from EC2-native2

is received by EC2-
native1, and all UVMs
on NC2-Host1 that share
the subnet with UVM1,
that is, UVM2.
UVM3 UVM1, EC2-native1 Disabled Traffic from UVM3 is
received by EC2-native1,
and all UVMs on NC2-
Host1 that share the
subnet with UVM1.

Configuring AWS Transit Gateway for Multicast

Follow these steps to configure the AWS transit gateway and enable multicast traffic:

Cloud Clusters (NC2) | Cluster Management | 139

 Procedure

1. Run the following command on the CVM to enable IGMP snooping using aCLI.
net.update_virtual_switch virtual-switch-name enable_igmp_snooping=true
enable_igmp_querier=[true | false] igmp_query_vlan_list=VLAN IDs
igmp_snooping_timeout=timeout
The default timeout is 300 seconds. The AWS Transit Gateway acts as a multicast querier, and you
have the option to add additional multicast queries. You can set enable_igmp_querier variable as
true or false if you want to enable or disable AOS IGMP querier.

If you want to enable IGMP queries to only specific subnets, then you must specify the list of VLANs
for igmp_query_vlan_list. You can get the subnet to VLAN mapping using the net.list aCLI
command.
For instructions, see Enabling or Disabling IGMP Snooping.
IGMP snooping allows the host to track which UVMs need the multicast traffic and send the multicast
traffic to only those UVMs.

2. Configure a transit gateway for multicast traffic.

For more information, see Create a transit gateway.

Note: While creating an AWS transit gateway, ensure that you select the Multicast support option. You
can enable the transit gateway for multicast traffic only when you create the transit gateway; you cannot
modify an existing transit gateway to enable multicast traffic.

3. Attach an AWS Transit Gateway to a VPC.

For more information, see Create a transit gateway attachment to a VPC.

4. Configure a multicast domain for IGMP support.

For more information, see Creating an IGMP multicast domain. Use the following settings:

• Enable IGMPv2 support

• Disable Static sources support

5. Create an association between subnets in the transit gateway VPC attachment and the multicast
domain.
For more information, see Associating VPC attachments and subnets with a multicast domain.

6. Change the default IGMP version for all IGMP group members by running the following command on
each UVM that is intended to be a multicast receiver on the cluster:
sudo sysctl net.ipv4.conf.eth0.force_igmp_version=2

7. Update AWS security groups:

• Configure the inbound security group rule to allow traffic from the sender by specifying the sender’s
IP address.
• Configure the outbound security rule that allows traffic to the multicast group IP address.
Also, allow IGMP queries from the Transit Gateway; add the source IP address as 0.0.0.0/32, and the
protocol should be IGMP. For more information, see Multicast routing - Amazon VPC.

AWS Events in NC2

Events raised by AWS are sent to the cluster and the NC2 console displays these events in the notification
center.

Cloud Clusters (NC2) | Cluster Management | 140

 The following table shows the AWS events displayed in the notification center and actions taken by the
NC2 console to handle them:

Event Description Action

Instance Retirement At the scheduled time, the bare- Nutanix automatically condemns
metal instance is stopped if it the host, triggering replacement of
is backed by Amazon EBS, or the host.
terminated if it is backed by an
instance store.
System reboot At the scheduled time, the Nutanix restarts the AHV host.
host running on the bare-metal
instance is restarted.
Instance status impaired An EC2 instance status check is No action is taken.
failing for the bare-metal instance.
System Status impaired An EC2 system status check is No action is taken.
failing for the bare-metal instance
Instance Stopped EC2 reports that the bare-metal Nutanix automatically condemns
instance is in stopped state the host, triggering replacement of
when Nutanix expects it to be in the host.
running state. When an instance
enters a stopped state, the
hardware reservation is lost and
the instance store is erased.
Instance Terminated EC2 reports that instance is in Nutanix automatically condemns
terminated state when Nutanix the host, triggering replacement of
expects it to be in running state. the host.
When an instance enters a
terminated state, the hardware
reservation is lost and the
instance store erased.

Displaying AWS Events

About this task

This section provides instructions about how to display AWS events in the NC2 console. The NC2 console
does not display AOS events. View the AOS alerts in the Prism Element web console.
To display the AWS events, perform the following:

Procedure

1. Sign in to NC2 from the My Nutanix dashboard.

2. Select the ellipsis button of a corresponding cluster and click Notification Center.
View AOS specific alerts from Prism Web Console.

3. Navigate to the Notifications tab.

The Notifications page displays the AWS events such as message, entity details, severity of the AWS
events that occur in your NC2 on AWS environment.

4. To acknowledge a notification, in the row of a notification, click the corresponding ellipsis, and select
Acknowledge.

Cloud Clusters (NC2) | Cluster Management | 141

Viewing Licensing Details
The Clusters page displays the details of the licenses that you have applied to a cluster and also provides
a link to the licensing portal where you can view and manage all your Nutanix licenses.

About this task

To display the licensing details of a cluster, perform the following:

Procedure

1. Sign in to NC2 from the My Nutanix dashboard.

Note: Ensure that you select the correct workspace from the Workspace dropdown list on the My
Nutanix dashboard. For more information on workspaces, see Workspace Management.

2. In the Clusters page, click the name of the cluster whose licensing details you want to display.

3. In the Properties section, click View Details in Licensing.

This section displays information such as number of cores, memory capacity, and storage capacity of
the cluster based on the license that you have applied to the cluster.
The Nutanix licensing portal where you can view and manage all your Nutanix licenses is displayed.

Support Log Bundle Collection

You can generate a support logbay bundle that you can send to Nutanix Support if you need further
assistance with a reported issue.
Support logbay bundle of NC2 on AWS contains all the standard on-prem AOS logs and also the following
logs specific to NC2:

• Clusters_agents_upgrader
• Cluster_agent
• Host_agent
• Hostsetup
• Infra_gateway
• cloudnet
You can collect the logs either by using the Prism Element web console or Nutanix Cluster Check (NCC)
command line.
See Collecting Logs from the Web Console with Logbay for instructions about how to collect the logs by
using the Prism Element web console.
See Logbay Log Collection (Command Line) for instructions about how to collect the logs by using the
NCC command line.
You can collect the logs using logbay for a certain time frame and share the respective log bundle with
Nutanix Support to investigate the reported issue. You can upload logs collected by logbay on the Nutanix
SFTP or FTP server.
See Uploading Logbay Logs for more information on how to upload the collected logs.

Cloud Clusters (NC2) | Cluster Management | 142

CLUSTER PROTECT CONFIGURATION
Nutanix Cloud Clusters (NC2) on AWS run on bare metal instances that capitalize on local NVMe storage.
A data loss risk might occur in case of failures caused by scenarios including but not limited to Availability
Zones (AZ) failures or users terminating bare-metal nodes from the AWS console.
With the Cluster Protect feature, you can protect your NC2 cluster data, including Prism Central
configuration, UVM data, and volume group data, with snapshots stored in AWS S3 buckets. When using
Cluster Protect, you can recreate your cluster with the same configurations and recover your UVM data
and Prism Central configuration from S3 buckets. The Cluster Protect feature thus helps ensure business
continuity even in the event of a complete AWS AZ-level failure.
With Cluster Protect, you can protect the following entities:

• VM configuration and data, such as VM Disks and Volume Groups.

• Prism Central configuration data.
To learn more about the services that can be protected using Prism Central Disaster Recovery, see
Prism Central Disaster Recovery.
• Policies, such as Flow Network Security policies and security policies.
• DR configurations, such as Protection Policies, Recovery Plans, and VM categories.
To use the Cluster Protect feature, you must set up two Amazon S3 buckets, one to back up the UVM
and Volume Groups data and another to back up the Prism Central data. You must also use AOS or NCI
Ultimate licensing tier.
You can use a gateway endpoint for connectivity to Amazon S3 without using an internet gateway or a NAT
device for your VPC. For more information, see AWS VPC Endpoints for S3.
The following figure illustrates a deployment scenario where multiple VMs run on various NC2 clusters
within the same AZ. At least one Prism Central instance runs on one of the clusters and is configured to
manage multiple NC2 clusters in the same AZ.

Figure 84: Cluster Protect Illustration

In the event of a failure event that impacts multiple clusters, you can first recover a cluster that will be used
to recover Prism Central (if the failure event also impacted Prism Central) and then recover the remaining
failed clusters and their associated VMs, and Volume Groups from the backups in the S3 buckets. If the
failure is not AZ-wide and Prism Central of the impacted cluster is hosted on another cluster and that Prism
Central is not impacted, then you can restore the impacted cluster from that existing Prism Central.

Note: With Cluster Protect, all the VMs in a cluster are auto-protected using a single category value and
hence are recovered by a single Recovery Plan. A single Recovery Plan can recover up to 300 entities.

Cloud Clusters (NC2) | Cluster Protect Configuration | 143

 Nutanix does not support multiple recovery plans in parallel, irrespective of the number of entities in the
recovery plan.

You can register multiple clusters with Prism Central in the same AWS AZ and enable Cluster Protect to
back up those clusters on that Prism Central.

Note: Currently, up to five NC2 clusters registered with one Prism Central in the same AWS AZ can be
protected by Cluster Protect.

You need to follow various protection and recovery procedures individually for each cluster that needs to
be protected and recovered. Prism Central can be recovered on any AWS cluster that it was previously
registered with. All UVMs and volume groups data are protected automatically to an Amazon S3 bucket
with a 1-hour Recovery Point Objective (RPO). Only the two most recent snapshots per protected entity
are retained in the S3 bucket.
When the cluster recovery process is initiated, the impacted clusters are marked as failed, and new
recovery clusters with the same configurations are created through the NC2 console. If you had previously
opted to use the NC2 console to create VPCs, subnets, and associated security groups, then NC2
automatically creates those resources again during the recovery process. Else, you will need to first
manually recreate those resources in your AWS console if you did not use NC2 to create them before the
failure event.
Cluster Protect can protect the following services and recover the associated metadata:

• Leap
• Flow Network Security
• Prism Pro (AIOps)
• VM management
• Cluster management
• Identity and Access Management (IAMv1)
• Categories
• Networking
The following services continue to run though these services are not protected, so data associated with
them is not recovered.

• Nutanix Files
• Self-Service
• LCM
• Nutanix Kubernetes Engine
• Objects
• Catalog
• Images
• VM templates
• Reporting Template

Prerequisites for Cluster Protect

You must meet the following requirements for using the Cluster Protect feature:

Cloud Clusters (NC2) | Cluster Protect Configuration | 144

 • AOS version must be 6.7 or higher and Prism Central version must be 2023.3 or higher.
• License tier must be AOS Ultimate or NCI Ultimate.
• Subnets used for Prism Central and Multicloud Snapshot Technology (MST) must be different than the
UVM subnet.

Note: You can use the same subnet or different subnets for Prism Central and MST.

• Clusters to be protected by Cluster Protect must be registered with the same Prism Central instance.

Note: Prism Central that manages protected clusters can also be protected by Prism Central Disaster
Recovery.

• Two new AWS S3 buckets must be manually created with the bucket names prefixed with nutanix-
clusters.
• Nutanix Guest Tools (NGT) must be installed on all UVMs.
• You must re-run the CloudFormation script if you have already added your AWS account in the NC2
console, so that the IAM role that has the required permissions to access only the S3 buckets with the
nutanix-clusters prefix comes into effect.

Note: If you already have run the CloudFormation template, you must run it again to use Cluster Protect
on newly deployed NC2 clusters.

For more information, see https://portal.nutanix.com/kb/15256.

Note: Ports 30900 and 30990 are opened by default while creating a new NC2 cluster and are required for
communication between AOS and MST to back up the VM and Volume Groups data.

Limitations of Cluster Protect

Understand the following limitations while using the Cluster Protect feature:

• The Cluster Protect feature and Protection Policies cannot be used at the same time in the same cluster
to protect the data. If a user-created protection or DR policy already protects a VM or Volume Group,
it cannot also be protected with the Cluster Protect feature. If you need to use DR configurations for a
cluster, you must use those protection policies instead of Cluster Protect to protect your data. A new DR
policy creation fails if the cluster is already protected using the Cluster Protect feature.
• You cannot hibernate or terminate the clusters that are protected by the Cluster Protect feature. You
must disable Cluster Protect before triggering hibernation or termination.
• All clusters being protected must be in the same Availability Zone. Prism Central must be deployed
within the same Availability Zone as the clusters it is protecting.
• The Cluster Protect feature is available only for new cluster deployments. Any clusters created before
AOS 6.7 cannot be protected using this feature.
• A recovered VDI cluster might consume more storage space than the initial storage space consumed
by the protected VDI cluster. This issue might arise because the logic that efficiently creates VDI clones
is inactive during cluster recovery. This issue might also occur if there are multiple clones on the source
that are created from the same image. As a workaround, you can add additional nodes to your cluster if
your cluster runs out of space during the recovery process.
For more information, see https://portal.nutanix.com/kb/14558.

Cloud Clusters (NC2) | Cluster Protect Configuration | 145

 • With the Cluster Protect feature, up to 300 entities (VMs or Volume Groups) per Prism Element and
500 entities per Prism Central can be protected. Based on the tests Nutanix has performed, Multicloud
Snapshot Technology (MST) can manage a maximum of 15 TB of data across all managed clusters.
The recovery process will be blocked if the number of entities exceeds the allowed limit. When there are
more than 300 entities, you can contact Nutanix Support to continue recovery. For more information,
see https://portal.nutanix.com/kb/14961.
• A storage leak might occur after MST rebuild for VM and Volume Group disks whose garbage data
processing might not have been completed by MST at the time of cluster failure. In such a case, extra
data objects might be stored in S3, leading to more storage usage than expected.
• The Mantle Master Key, stored on the local disk on all Prism Central VMs, gets lost on Prism Central
failure. You must reactivate the Mantle after recovering Prism Central. Any Playbook with stored
credentials might fail on the restored Prism Central until the credentials are reentered in the playbook.
• When the protected cluster has data-at-rest encryption enabled, the entity data is written back to the
recovered Prism Element in cleartext without encryption. An originally encrypted entity will now be
unencrypted. Nutanix recommends reenabling data-at-rest encryption immediately after recovery of the
cluster.
• The CHAP authentication encrypted keys stored inside the Prism Central IDF tables are not backed up.
A Prism Central backup in S3 cannot restore these keys. After restoring the cluster and Prism Central,
you must manually configure and activate CHAP between the VM and corresponding Volume Groups.
• After recovering the cluster and Prism Central, you can manually update the storage container
properties from the Prism Element web console as they might not be recovered automatically.
• Volume Groups created by Nutanix Docker Volume Plugin (DVP) for internal management might get
backed up to S3 instead of being deleted. In this case, you can run the following CLI command on the
Prism Central VM before protecting the cluster so that these Volume Groups are marked as internal in 1
minute and are not backed up to S3.
nutanix@pcvm$ mspctl controller flag set vg-internal-operator-period 1

• ENI IP might sometimes overlap with an IP previously used by a VM on the failed cluster before
restoring that VM on a recovered cluster, which results in the VM being restored without a NIC attached.

Protecting NC2 Clusters

Follow these steps to protect your NC2 clusters:

Procedure

1. Get ready for cluster protection:

a. Create clusters in a new VPC or an existing VPC using the NC2 console.

Note: While deploying a cluster, ensure that you select the option to protect the cluster.

For more information, see Creating a Cluster.

b. Create two new S3 buckets in the AWS console.
For more information, see Creating S3 Buckets.
c. Deploy Prism Central on one of these clusters and then register the remaining NC2 clusters with
Prism Central.
For more information, see Protecting Prism Central Configuration.

Cloud Clusters (NC2) | Cluster Protect Configuration | 146

 2. Protect the cluster:

a. Protect Prism Central data by running CLI commands.

For more information, see Protecting Prism Central Configuration.
b. Enable the Multicloud Snapshot Technology (MST) by running CLI commands to protect UVM data.
For more information, see Deploying Multicloud Snapshot Technology.
c. Protect NC2 clusters by running CLI commands.

Note: You can protect your NC2 clusters even without protecting the Prism Central instance that is
managing these NC2 clusters; however, Nutanix recommends protecting your Prism Central instance
as well.

For more information, see Protecting UVM and Volume Groups Data.

Creating S3 Buckets
You must set up two new Amazon S3 buckets, one to back up the UVMs and volume group data, and
another to back up the Prism Central data. These S3 buckets must be empty and exclusively used only for
UVMs, volume groups, and Prism Central backups.
For instructions on how to create an S3 bucket, see the AWS documentation. While creating the S3
buckets, follow the NC2-specific recommendations:

• The S3 bucket names are prefixed with nutanix-clusters.

Note: NC2 creates an IAM role with the required permissions to access S3 buckets with the
nutanix-clusters prefix. This IAM role is added to the CloudFormation template. You must run
the CloudFormation template while adding your AWS cloud account. If you already have run the
CloudFormation template, you must run it again to be able to use Cluster Protect on newly deployed NC2
clusters. For more information, see https://portal.nutanix.com/kb/15256.
If the S3 buckets do not have the nutanix-clusters prefix, the commands to protect Prism
Central and clusters fail.

• Ensure that public access to these S3 buckets is blocked by default.

Protecting Prism Central Configuration

After creating an NC2 cluster and the cluster status becoming Running, you can see the Cluster
Protection section on the cluster Summary page.

Cloud Clusters (NC2) | Cluster Protect Configuration | 147

 Figure 85: Cluster Protection Summary

The Cluster Protect section instructs you to:

1. Deploy a new Prism Central instance on this cluster or register the cluster with an existing Prism
Central.

Note: These clusters must be in the same AWS AZ as Prism Central.

• To deploy a new Prism Central: Perform the instructions described in Installing Prism Central (1-Click
Internet) to install Prism Central.
When deploying Prism Central, follow these recommendations:

• The Prism Central subnet must be a private subnet, and should only be used for Prism Central.
The Prism Central subnet must not be used for UVMs.
• When creating a DHCP pool in Prism Element, ensure that at least 3 IP addresses are reserved
to be used by MST.
• While deploying Prism Central, do not change the Microservices Platform (MSP) settings
because these are required to enable MST. You must choose Private network (defaults) in the
MSP configuration when prompted.

Note: You must not use managed networks for CMSP clusters with Cluster Protect enabled.
CMSP cluster is deployed in the VXLAN/kPrivateNetwork mode only.

• Modify the User management security group of the cluster hosting Prism Central to allow traffic
from the Internal Management subnet of the cluster hosting Prism Central to the Prism Central

Cloud Clusters (NC2) | Cluster Protect Configuration | 148

 subnet. You must add a rule to allow traffic on all protocols and use Management Subnet CIDR
as the source. For more information, see Port and Endpoint Requirements

Note: Ports 30900 and 30990 are opened by default while creating a new NC2 cluster and are
required for communication between AOS and Multicloud Snapshot Technology (MST) to back up
the VM and Volume Groups data.

• To register a cluster with Prism Central: After you deploy Prism Central on one of the NC2 clusters
in the VPC, you must register your remaining NC2 clusters in that VPC to Prism Central that you
deployed.
To register a cluster with Prism Central, follow the steps described in Registering a Cluster with
Prism Central.

Note: Any NC2 clusters that are not configured with the Prism Central that is hosting the Multicloud
Snapshot Technology will not be protected by Prism Central.

2. Configure the Prism Central protection and UVMs data protection. For more information, see Protecting
Prism Central Configuration and Protecting UVM and Volume Groups Data.

Protecting Prism Central Configuration

After creating an NC2 cluster and registering the cluster with Prism Central, you can perform the following
steps to protect your Prism Central configuration to an S3 bucket. Ensure that you have created a new
AWS S3 bucket for Prism Central backup as described in Creating S3 Buckets.

Note: In addition to protecting Prism Central to the S3 bucket, if your Prism Central instance is registered
with multiple NC2 clusters, then you must also protect Prism Central to one or more of the NC2 clusters
it is registered with. In this case, you must prioritize recovery of Prism Central configuration from another
NC2 cluster where Prism Central configuration was backed up if that NC2 cluster has not also been lost to a
failure event. For more information, see Protecting Prism Central.

To protect the Prism Central configuration data, perform these steps:

1. Sign in to the Prism Central VM using the credentials provided while installing Prism Central.

Cloud Clusters (NC2) | Cluster Protect Configuration | 149

 2. Run the following CLI command:
nutanix@pcvm$ pcdr-cli protect -b s3_bucket_name -r aws_region
Replace s3_bucket_name with the name of the S3 bucket used for Prism Central protection and
aws_region with the region of the S3 bucket.

Note: The S3 bucket name must start with nutanix-clusters.

The Prism Central configuration gets backed up to the S3 bucket once every hour and is available in the
pcdr/ folder in the S3 bucket.

Figure 86: Prism Central Configuration Backup in S3

3. Run the following command to validate that the Prism Central replication to the S3 bucket is happening
successfully:
nutanix@pcvm$ pcdr-cli list-protection-targets
The command returns the details in the following format:

UUID NAME
TIME-ELAPSED-SINCE-LAST-SYNC BACKUP-PAUSED BACKUP-PAUSED-REASON
TYPE

8xxxxxf5-3xxx-3xxx-bxxc-dxxxxxxxxxx6 https://nutanix-clusters-xxxx-pcdr-3node.s3.us-
west-2.amazonaws.com 30m59s false
kS3
The CLI shows sync in progress until the Prism Central data is synced to S3 for the first time. After
that, the CLI shows a non-zero time elapsed since the last sync. This confirms that the Prism Central
backup has been completed.

Deploying Multicloud Snapshot Technology

The Cluster Protect feature uses Multicloud Snapshot Technology (MST) to replicate the protected
UVM and Volume Group entities to an AWS S3 bucket. The MST uses the Nutanix Disaster Recovery
infrastructure to periodically create recovery points with a Recovery Point Objective (RPO) of 1 hour and
push the snapshots to the S3 bucket.

Note: When creating a DHCP pool in Prism Element, ensure that at least 3 IP addresses are reserved to
be used with the MST and another 3 for the Prism Central VM to be deployed (that are added as Virtual IPs
during Prism Central deployment). The static IPs reserved for the MST must be outside the DHCP range of
the MST subnet. Also, 4 IPs from the DHCP range of the MST subnet will be used by the MST VMs.

Cloud Clusters (NC2) | Cluster Protect Configuration | 150

To define the IP addresses for the MST, update the subnet > Settings > Network Configuration > IP
Address Pool.

Figure 87: Define IP Addresses for MST

To enable the Multicloud Snapshot Technology:

Procedure

1. Sign in to the Prism Central VM using the credentials provided while installing Prism Central.

2. Run the following CLI command:

nutanix@pcvm$ clustermgmt-cli deploy-cloudSnapEngine -b S3_bucket_name -r aws region
-i IP1,IP2,IP3 -s Private Subnet

In this command, the CloudSnapEngine represents the Multicloud Snapshot Technology.

Replace the variables with their appropriate values as follows:

• S3_bucket_name: the S3 bucket configured for UVM snapshots.

Note: The S3 bucket name must start with nutanix-clusters.

• aws region: the AWS region where the S3 bucket is created.

• IP1,IP2,IP3: the 3 IP addresses used for the MST service VMs.
• Private Subnet: the AWS private subnet configured for Prism Central.
The deploy-cloudSnapEngine command deploys the MST in a 3 VM cluster. It can take up to 60
minutes for the MST service to deploy. This command also displays the MST deployment status. You
can rerun this command to check the MST deployment status. If MST deployment has failed, you need
to first clean up the failed deployment by running the clustermgmt-cli delete-cloudSnapEngine
command and then run the deploy-cloudSnapEngine command.

Cloud Clusters (NC2) | Cluster Protect Configuration | 151

 3. Check if the MST configuration data is being sent to the S3 bucket created for UVMs.

Figure 88: MST Configuration Data in the S3 Bucket

What to do next
Back up all UVM and Volume Groups data from NC2 clusters. For more information, see Protecting UVM
and Volume Groups Data.

Protecting UVM and Volume Groups Data

Follow these steps to back up all UVM and Volume Groups data from NC2 clusters:

Note: You must run this command separately for each NC2 cluster you want to protect by specifying the
UUID for each NC2 cluster. This command also creates a recovery point for the protected entities.

Procedure

1. Sign in to the Prism Central VM using the credentials provided while installing Prism Central.

Cloud Clusters (NC2) | Cluster Protect Configuration | 152

2. Run the following CLI command:
nutanix@pcvm$ clustermgmt-cli protect-cluster -u uuid
Replace uuid with the ID of the NC2 cluster you want to protect. You can find the UUID listed as
Cluster ID under General in the cluster Summary page in the NC2 console.
Your S3 bucket starts showing the UVMs data.

Figure 89: UVM Data in the S3 Bucket

Note:
If the clustermgmt-cli command fails, it might be due to the clustermgmt-nc2 service did
not get properly installed. You can run the following command to verify if the clustermgmt-
nc2 service is installed:
nutanix@pcvm$ allssh "docker ps | grep nc2"

An empty response in the output of this command indicates that the clustermgmt-
nc2 service did not get installed properly. To overcome this issue, you must restart the
pc_platform_bootstrap service to install the clustermgmt-nc2 service. To do this, run the
following commands on the Prism Central VM using CLI:
nutanix@pcvm$ allssh "genesis stop pc_platform_bootstrap"
nutanix@pcvm$ allssh "cluster start"

You can rerun the following command to verify that the clustermgmt-nc2 service is installed:
nutanix@pcvm$ allssh "docker ps | grep nc2"

After you verify that the clustermgmt-nc2 service is successfully installed, you must rerun the
clustermgmt-cli command:
nutanix@pcvm$ clustermgmt-cli deploy-cloudSnapEngine -b S3_bucket_name -r aws
region -i IP1,IP2,IP3 -s Private Subnet

Cloud Clusters (NC2) | Cluster Protect Configuration | 153

3. Check the NC2 cluster protection status under Protection Policies in Prism Central.
For more information, see Data Protection and Recovery Entities.
One protection policy is created for each NC2 cluster that is protected. You can identify the appropriate
protection policy by its name, which will be in the s3-protection-rule-UUID format.
Where UUID is the ID of the NC2 cluster that was protected. You can also see the protection target
being AWS S3.

Figure 90: Protection Policies

The Protection Summary page includes an overview of the protection status of all clusters. It also
provides details about the VMs that are lagging behind their RPO. You can see the cluster being
protected and the target being the AWS S3 bucket.

Figure 91: Protection Summary

Cloud Clusters (NC2) | Cluster Protect Configuration | 154

 4. Check the VMs that have been protected under the VM tab in Prism Central.

Figure 92: VMs list in Prism Central

The Recovery Points of the VM show when the VM was last backed up to S3. Only the two most recent
snapshots per protected entity are retained in the S3 bucket.

Figure 93: Recovery Points of the VM

Disabling Cluster Protect

Follow these steps to disable Cluster Protect for Prism Central and NC2 clusters:

Cloud Clusters (NC2) | Cluster Protect Configuration | 155

 Procedure

1. Run the following command to check the Prism Central protection status by listing protection targets:
nutanix@pcvm$ pcdr-cli list-protection-targets
As Prism Central can be protected to S3 and its registered clusters, you need to know the protection
target, S3 bucket, or one of the NC2 clusters where Prism Central configuration is backed up.
This command lists information about the Prism Central protection targets with their UUIDs. These
UUIDs are different from cluster UUIDs and are required when running the unprotect-cluster
command.

2. Run the following command on the Prism Central VM to disable Prism Central protection:
nutanix@pcvm$ pcdr-cli unprotect -u protection_target_uuid

Use the protection target UUID that you derived using the list-protection-targets command in
Step 1.
A warning is issued if Cluster Protect is enabled for any cluster managed by this Prism Central and asks
for your confirmation to proceed with unprotecting Prism Central. You can unprotect Prism Central even
if Cluster Protect is enabled for any cluster. Nutanix recommends keeping Prism Central protected for
seamless recovery of NC2 clusters.

Note: If the failure is not AZ-wide and Prism Central that is managing one of the failed clusters is hosted
on another cluster, and that cluster is not impacted, then you can restore the failed cluster from that
running Prism Central.

3. Run the following command to disable cluster protection for any NC2 cluster:
nutanix@pcvm$ clustermgmt-cli unprotect-cluster -u cluster_uuid
Replace cluster_uuid with the UUID of the NC2 cluster for which you want to disable Cluster Protect.
You can find the UUID listed as Cluster ID under General in the cluster Summary page in the NC2
console.

Recovering NC2 Clusters

When you have protected your NC2 clusters and the associated Prism Central by following the steps listed
in Protecting NC2 Clusters and you observed a cluster failure due to reasons, such as AWS Availability
Zones (AZs) failures or all nodes from the EC2 management console being shut down, you can configure
cluster recovery to recover your NC2 clusters and Prism Central.
Cluster recovery includes the following steps:
1. Set the cluster to the Failed state using the NC2 console to start the recovery workflow.
For more information, see Setting Clusters to Failed State.
2. Redeploy the cluster using the NC2 console.
For more information, see Recreating a Cluster.
3. If the Prism Central instance was running on a cluster that had failed, then you may recover Prism
Central by running CLI commands.
For more information, see Recovering Prism Central and MST.
4. Redeploy the Multicloud Snapshot Technology.
For more information, see Recovering Prism Central and MST.
5. Recover UVM data by running CLI commands.
For more information, see Recovering UVM and Volume Groups Data.

Cloud Clusters (NC2) | Cluster Protect Configuration | 156

 After the cluster recovery is finalized, you can protect the newly recovered cluster again. For more
information, see Reprotecting Clusters and Prism Central.

Setting Clusters to Failed State

When a protected cluster fails and you need to recover it, you need to first set the cluster to the Failed
state to initiate the recovery process.
Follow these steps to set a cluster to the Failed state:

Procedure

1. Sign in to the NC2 console: https://cloud.nutanix.com

2. On the Clusters page, click the name of the cluster you want to set to the Failed state.

Figure 94: Clusters page

3. Ensure that the cluster Summary page shows the Cluster Protect field under General settings as
Enabled.

Figure 95: Cluster Protection Status

Cloud Clusters (NC2) | Cluster Protect Configuration | 157

4. On the Settings page, click the Advanced tab.

Figure 96: Settings - Advanced tab

5. Under Cluster Failure, click Set Cluster to Failed State.

6. On the confirmation page, click Yes, Set Cluster State to Failed.

Figure 97: Set Cluster State to Failed

Cloud Clusters (NC2) | Cluster Protect Configuration | 158

 7. Ensure that the cluster status is changed to Failed for the cluster on the Clusters page.

Figure 98: Cluster Status - Failed

8. Go to the cluster Summary page to validate that the Cluster Recovery workflow is displayed.

Figure 99: Start Cluster Recovery

What to do next
After you set the cluster to the Failed state, redeploy the cluster. See Recreating a Cluster for more
information.
You must figure out on your own when the failure event, such as an AWS AZ failure, impacting your cluster
is over so that they can start the cluster recovery process. Nutanix does not indicate when an AWS AZ has
recovered enough for your recovery cluster to be deployed.

Recreating a Cluster
When a protected cluster fails, and you set the cluster state to Failed, you need to redeploy the cluster.
Follow these steps to redeploy the cluster:

Procedure

1. Sign in to the NC2 console: https://cloud.nutanix.com

Cloud Clusters (NC2) | Cluster Protect Configuration | 159

2. On the Clusters page, click the name of the failed cluster that you want to redeploy.

Figure 100: Clusters with Failed Status

3. On the cluster Summary page, under Cluster Recovery, click Start Cluster Recovery.

Figure 101: Start Cluster Recovery

Cloud Clusters (NC2) | Cluster Protect Configuration | 160

4. Click Recreate Cluster.
The Recreate Cluster page appears.

Figure 102: Recreate Cluster

Cloud Clusters (NC2) | Cluster Protect Configuration | 161

5. Review or specify the following details on the Cluster Configuration page, and then click Next.

• Under General:

• Cluster Name: Enter a name for the cluster.

Note: The recovery cluster name will be different than the failed cluster. It will be enforced by the
NC2 console during recovery cluster creation.

• Cloud Account, Region, and Availability Zone: These configurations from the failed cluster
that you are recreating are displayed. Your recovery cluster will use the same configuration.
• Under Network Configuration:

• When manually created VPC and subnets were used to deploy the failed cluster, the previously
used resources are displayed. You should recreate the same VPC and subnets that you had
previously created in your AWS console.
• When VPC and subnets created by the NC2 console were used to deploy the failed cluster, the
NC2 console will automatically recreate the same VPCs and subnets during the cluster recovery
process.

Cloud Clusters (NC2) | Cluster Protect Configuration | 162

 Figure 103: Cluster Configuration

6. Review the cluster summary on the Summary page and then click Recreate Cluster.

Cloud Clusters (NC2) | Cluster Protect Configuration | 163

7. To continue the cluster recovery process, click Go to new cluster to navigate to the redeployed cluster.
The failed cluster gets terminated.

Figure 104: Navigate to the Redeployed Cluster

Cloud Clusters (NC2) | Cluster Protect Configuration | 164

 8. The cluster Summary page of the newly created cluster shows the cluster status as Creating Cluster.

Figure 105: Cluster Status - Creating Cluster

After the cluster is created, the status changes to Recovery in Progress.

Figure 106: Cluster Status - Recovery in Progress

What to do next
After recreating the cluster, you must recover Prism Central if it was running on a cluster that suffered a
failure event and user VM or volume groups data. See Recovering Prism Central and User Data.

Recovering Prism Central and MST

In case the failure was not AZ-wide and one of the clusters protecting Prism Central survived, you must
restore Prism Central from the cluster that it was backed up to rather than from S3. For more information,
see Recovering Prism Central (1-Click Disaster Recovery).

Cloud Clusters (NC2) | Cluster Protect Configuration | 165

If all clusters protecting Prism Central are unavailable, then recover Prism Central from S3.
After you redeploy the NC2 clusters by following the instructions listed in Recreating a Cluster, you may
need to recover the Prism Central instance whose configuration you backed up earlier on the S3 bucket
and then recover the UVM data from the S3 basket created for UVM data backup.
Follow these steps to recover Prism Central:

Procedure

1. Ensure that you have redeployed a cluster.

For more information, see Recreating a Cluster.

2. On the redeployed cluster, run the following CLI command to recover Prism Central from the S3 bucket
where Prism Central data was backed up:
nutanix@pcvm$ pcdr-cli recover -b S3_bucket -r AWS_region -n PC-Subnet
Replace the variables with their appropriate values as follows:

• S3_bucket: the S3 bucket configured for Prism Central backup.

• AWS_region: the AWS region where the S3 bucket is created.
• PC-Subnet: the AWS private subnet configured for Prism Central.

3. Track the Prism Central recovery status in the Tasks section on the recreated Prism Element console.

Note: The Prism Central recovery might take approximately four hours. Also, the recovered Prism
Central and original Prism Central are of the same version.

What to do next
After you recover Prism Central, register any newly created NC2 clusters with the recovered Prism Central.
If the clusters that were registered with Prism Central prior to the recovery of Prism Central did not suffer
any failure, they will be auto-registered with the recovered Prism Central.

Note: After the cluster recovery is complete, the failed Prism Element remains registered with recovered
Prism Central. To remove this Prism Element, unregister the Prism Element from Prism Central. For detailed
instructions, see the KB article 000004944.

Redeploying Multicloud Snapshot Technology

After recreating NC2 clusters and redeploying Prism Central, you must redeploy Multicloud Snapshot
Technology before recovering UVM and Volume Groups data from the S3 bucket where they were backed
up.

Note: The configuration data for the recovery Prism Central must be recovered from the Prism Central S3
bucket before recovering the UVM data on the recovery clusters. For more information, see Recovering
Prism Central.

To redeploy Multicloud Snapshot Technology:

Procedure

1. Sign in to the Prism Central VM using the credentials provided while installing Prism Central.

Cloud Clusters (NC2) | Cluster Protect Configuration | 166

 2. Run the following CLI command:
nutanix@pcvm$ clustermgmt-cli deploy-cloudSnapEngine -recover -b S3_bucket -r
AWS_region -i IP1,IP2,IP3 -s PC-Subnet
Replace the variables with their appropriate values as follows:

• S3_bucket: the S3 bucket where you want to protect the user VMs data.
• AWS_region: the AWS region where the S3 bucket is created.
• IP1,IP2,IP3: the static IPs reserved for MST.

Note: These IPs can be different than the IPs used earlier while deploying MST prior to cluster
failure.

• PC-Subnet: the AWS private subnet configured for the recovery Prism Central.

Recovering UVM and Volume Groups Data

Before recovering the UVM and Volume Groups data from the S3 bucket where they were backed up,
ensure the following requirements are met:

• NC2 clusters are recreated. For more information, see Recreating a Cluster.
• Prism Central is redeployed.

Note: The configuration data for the recovery Prism Central must be recovered from the Prism
Central S3 bucket before recovering the UVM data on the recovery clusters. For more information, see
Recovering Prism Central and MST.

• Multicloud Snapshot Technology is redeployed. For more information, see Recovering Prism Central
and MST.

Note: The UVM subnet names on the failed and recovered clusters must be the same for the correct
mapping of subnets in the recovery plan. If the names do not match correctly, the cluster recovery might
proceed, but the VMs are recovered without the UVM subnet attached. You can manually attach the subnet
post-recovery. If there are multiple UVM subnets, then all UVM subnets must be recreated with the same
names for the correct mapping of subnets between failed and recovered clusters.

Follow these steps to recover UVM and Volume Groups data:

Procedure

1. Sign in to the Prism Central VM using the credentials provided while installing Prism Central.

Cloud Clusters (NC2) | Cluster Protect Configuration | 167

2. Run the following command to get a list of NC2 clusters that were registered with the recovery Prism
Central prior to failure:
nutanix@pcvm$ nuclei cluster.list
A list of the protected Prism Elements that failed and the recovery Prism Elements created by the NC2
console is displayed. The following figure shows an example of a list of Prism Element UUIDs on the
recovery Prism Central.

Figure 107: List of Failed and Recovered Clusters

3. Recreate subnets on the recovery Prism Elements:

a. Run the following command to list all the subnets associated with the protected Prism Elements:
nutanix@pcvm$ clustermgmt-cli list-recovery-info -u UUID_OldPE
Replace UUID_OldPE with the UUID of the old NC2 cluster.
A list of subnets is displayed.

NAME GATEWAY-IP CIDR TYPE IP-POOL-RANGES

PC-Subnet 10.0.xxx.1 10.0.xxx.0/24 VLAN

[{"begin":"10.0.xxx.50","end":"10.0.xxx.200"}]

b. Recreate these subnets on the recovery Prism Elements in the same way they were created in the
first place.
For more information, see Creating a UVM Network.

4. Run the following command to create a Recovery Plan to restore UVM data from the S3 buckets.
nutanix@pcvm$ clustermgmt-cli create-recovery-plan -o UUID_OldPE -n UUID_NewPE
Replace the variables with their appropriate values as follows:

• UUID_OldPE: the UUID of the old NC2 cluster.

• UUID_NewPE: the UUID of the new NC2 cluster.

Note: You must perform this step for each NC2 cluster you want to recover.

Cloud Clusters (NC2) | Cluster Protect Configuration | 168

5. Execute the recovery plans:

a. Sign in to Prism Central using the credentials provided while installing Prism Central.
b. Go to Data Protection > Recovery Plans.
You can identify the appropriate recovery plan to use by looking at the recovery plan name. It is in
the format: s3-recovery-plan-UUID_OldPE

Figure 108: View Recovery Plans

c. Start the recovery plan execution by triggering a failover.

Figure 109: Create a Failover

Once the failover is complete, your UVM and Volume Groups data is recovered on the recovery
Prism Element.
Once the recovery plan is finished, your VMs are recovered.

Cloud Clusters (NC2) | Cluster Protect Configuration | 169

 6. Go to Compute & Storage > VMs to see the list of recovered VMs.

Figure 110: View Recovered VMs

7. Run the following command on all NC2 clusters that are recovered after the cluster failure to remove the
category values and protection policies associated with the old clusters that no longer exist.
nutanix@pcvm$ clustermgmt-cli finalize-recovery -u UUID_OldPE
Replace UUID_OldPE with the UUID of the old NC2 cluster.

Reprotecting Clusters and Prism Central

After the cluster recovery is finalized, you can protect the newly recovered cluster again. By looking at the
VM protection status, you can verify that the new cluster is unprotected from the Prism Central UI. For
more information, see Finding the Protection Policy of an Entity.

Figure 111: View Cluster Protection Status

Run the following command on the Prism Central VM to reprotect the cluster:
nutanix@pcvm$ clustermgmt-cli protect-cluster -u UUID_NewPE
Replace UUID_NewPE with the UUID of the new NC2 cluster.

Cloud Clusters (NC2) | Cluster Protect Configuration | 170

CLI Commands Library
The following table lists the CLI commands you can use for the Cluster Protect feature end-to-end
workflow. While these commands and their examples are already listed in the respective procedures, this
table intends to provide additional reference information.

Table 22: CLI Commands for Cluster Protect

Purpose Command Command Flags Description

available on
Get Prism Central nutanix@cvm$ pcdr- CVM -h, --help Help for the
deployment cli deployment-info deployment-info
information from the [flags] command.
backup source.
For example, -b, --bucket string Name of the S3
nutanix@cvm$ pcdr- bucket.
cli deployment- -o, --output string Supported output
info -b nutanix-
formats: ['default',
clusters-xxxx-pcdr
-r us-west-2
'json'] (default
"default")
The output format
'default' is the same
as 'json'.

-c, -- UUID of the primary

pc_cluster_uuid Prism Central
string cluster.
-r, --region string Name of the AWS
region where the
provided S3 bucket
exists.
Recover Prism nutanix@cvm$ pcdr- CVM -h, --help Help for the recover
Central from a cli recover [flags] command.
backup source,
For example, -v, --pc_vip string Virtual IP of the
such as the NC2
Prism Central
cluster or S3 bucket nutanix@cvm$ pcdr-
cluster. If VIP is not
endpoint. cli recover -b
nutanix-clusters- provided, the older
xxxx-pcdr-3node VIP is used.
-r us-west-2 -
-i, --pc_vm_ips Comma-separated
n PC-Subnet -g
10.0.xxx.1 -m strings list of Prism Central
255.255.255.0 VM IPs. If VM IPs
are not provided,
the older VM IPs
are used.

Cloud Clusters (NC2) | Cluster Protect Configuration | 171

Purpose Command Command Flags Description
available on
-s, --storage_ctr Name or UUID
string of the storage
container. If the
name or UUID
is not specified,
then the container
whose name starts
with default is
used for the Prism
Central cluster.
-g, -- Gateway address
subnet_gateway for the provided
string subnet, If not
specified, then the
gateway address
of the old subnet is
used.
-m, -- Subnet mask
subnet_mask address for the
string provided subnet.
If not specified,
the subnet mask
address of the old
subnet is used.
-n, -- Name of the
subnet_name subnet on which
string Prism Central
cluster should be
deployed.
-b, --bucket string Name of the S3
bucket.
-o, --output string Supported output
formats: ['default',
'json'] (default
"default")
-c, -- UUID of the primary
pc_cluster_uuid Prism Central
string cluster.

Cloud Clusters (NC2) | Cluster Protect Configuration | 172

Purpose Command Command Flags Description
available on
-r, --region string Name of the AWS
region where the
provided S3 bucket
exists.
Get a list of all nutanix@pcvm$ Prism Central VM -h, --help Help for list-
protection targets pcdr-cli list- protection-
with the time protection-targets targets command.
elapsed since their [flags]
last sync. --verbose Print all details of
For example, protection targets.
nutanix@pcvm$ If the verbose flag
pcdr-cli list- is not specified,
protection-targets only the important
details, such as the
protection target's
name, UUID,
the time elapsed
since the last
backup, type, and
is_backup_paused
are returned.
-o, --output string Supported output
formats: ['default',
'json'] (default
"default")
Protect Prism nutanix@pcvm$ pcdr- Prism Central VM -b, --bucket string Name of the S3
Central to the cli protect [flags] bucket where Prism
backup target. Central config data
For example,
would be backed
nutanix@pcvm$ pcdr- up.
cli protect -b
nutanix-clusters- -h, --help Help for the
xxxx-pcdr-3node -r protect command.
us-west-2
-r, --region string Name of the AWS
region where the
provided S3 bucket
exists.

Cloud Clusters (NC2) | Cluster Protect Configuration | 173

Purpose Command Command Flags Description
available on
-o, --output string Supported output
formats: ['default',
'json'] (default
"default")
Unprotect Prism nutanix@pcvm$ pcdr- Prism Central VM -h, --help Help for unprotect
Central by removing cli unprotect command.
the specified [flags]
-u, -- Entity UUID of the
protection target.
Note: If the protection_target_uuid
protection target,
failure is not string which should be
AZ-wide and removed from the
Prism Central target list.
of the impacted
cluster is hosted -o, --output string Supported output
on another formats: ['default',
cluster and 'json'] (default
that Prism "default")
Central is not
impacted, then
you can restore
the impacted
cluster from that
existing Prism
Central.

For example:
nutanix@pcvm$ pcdr-
cli unprotect -u
8xxxxxx5-3xx4-3xx1-
bxxc-dbxxxxxxx0b6

Create a recovery nutanix@pcvm$ Prism Central VM -h, --help Help for create-
plan which can clustermgmt-cli recovery-plan
be executed from create-recovery- command.
Prism Central UI to plan [flags]
recover a cluster. -n, -- UUID of the new
For example: new_cluster_uuid recovery NC2
nutanix@pcvm$ string cluster.
clustermgmt-cli
-o, -- UUID of the old,
create-recovery-
plan -o 0xxxxxx6- old_cluster_uuid failed NC2 cluster.
cxxc-dxxx-8xxf- string
dxxxxxxxxx99 --output string Supported output
-n 0xxxxxxe-
formats: ['default',
dxxd-fxxx-fxxe-
cxxxxxxxxxe5 'json'] (default
"default")
Deploy MST, nutanix@pcvm$ Prism Central VM -b, --bucket string Name of the S3
which can be used clustermgmt- bucket that will be
to protect NC2 cli deploy- used to store the
clusters. cloudSnapEngine backup of NC2
[flags] clusters.
For example: -h, --help Help for the
nutanix@pcvm$ deploy-
clustermgmt- cloudSnapEngine
cli deploy- command.
cloudSnapEngine -b
nutanix-clusters- --recover Deploys MST using
xxxxx-xxxx-xxxxx Cloud Clusters (NC2) | Cluster Protect configuration| 174
Configuration
old
-r us-west-2 -i data, if available on
10.0.xxx.11,10.0.xxx.12,10.0.xxx.13 Prism Central. If old
Purpose Command Command Flags Description
available on
-r, --region string Name of the AWS
region where the
provided S3 bucket
exists.
-i, --static_ips Comma-separated
strings list of 3 static IPs
that are part of
the same subnet
specified by the
subnet_name flag.
-s, -- Name of the subnet
subnet_name which can be used
string for MST VMs.

Cloud Clusters (NC2) | Cluster Protect Configuration | 175

Purpose Command Command Flags Description
available on
--output string Supported output
formats: ['default',
'json'] (default
"default")
Delete or clean nutanix@pcvm$ Prism Central VM -f, --force Force delete the
up the failed MST clustermgmt- MST.
deployments. cli delete-
cloudSnapEngine -h, --help Help for delete-
[flags] cloudSnapEngine
command.
Note: If
the MST
--output string Supported output
deployment formats: ['default',
is deleted, 'json'] (default
clusters cannot "default")
be recovered in
the event of a
failure, such as
Availability Zone
failures.

For example:
nutanix@pcvm$
clustermgmt-
cli delete-
cloudSnapEngine

Mark completion nutanix@pcvm$ Prism Central VM -u, --cluster_uuid UUID of the old
of recovery of a clustermgmt-cli string NC2 cluster.
cluster. finalize-recovery
[flags] -h, --help Help for the finalize-
recovery command.
For example:
--output string Supported output
nutanix@pcvm$ formats: ['default',
clustermgmt-cli 'json'] (default
finalize-recovery
"default")
-u 0xxxxxxx-
cxxc-dxxx-8xxx-
dxxxxxxxxxx9

Get a list nutanix@pcvm$ Prism Central VM -u, --cluster_uuid UUID of the NC2
of recovery clustermgmt-cli string cluster.
information, such as list-recovery-info
-h, --help Help for the list-
subnets that were [flags]
recovery-info
available on the For example:
original(failed) NC2 command.
cluster. nutanix@pcvm$ --verbose With the verbose
clustermgmt-
flag, a detailed
cli list-
recovery-info -u JSON output is
00xxxxxb-0xxd-8xxx-6xx4-3xxxxxxxxx7d returned. If the
verbose flag is not
specified, only the
important fields,
such as subnet
name, IP Pool
ranges, and CIDR,
are returned.
Cloud Clusters (NC2) | Cluster Protect Configuration | 176
Purpose Command Command Flags Description
available on
--output string Supported output
formats: ['default',
'json'] (default
"default")
Protect clusters nutanix@pcvm$ Prism Central VM -u, --cluster_uuid NC2 cluster UUID
against AZ failures clustermgmt-cli string
by backing up the protect-cluster
-h, --help Help for the protect-
clusters in AWS S3. [flags]
cluster command.
For example:
-l, -- Local snapshot
nutanix@pcvm$ local_snapshot_count
retention count. The
clustermgmt-cli int default count is 2.
protect-cluster
-u 00xxxxxe- -r, --rpo int Protection RPO
dxxx-fxxx-fxxe- in minutes. The
cxxxxxxxxxe5 default RPO is 60
minutes.
--output string Supported output
formats: ['default',
'json'] (default
"default")
Unprotect a cluster. nutanix@pcvm$ Prism Central VM -u, --cluster_uuid UUID of the NC2
clustermgmt-cli string cluster.
unprotect-cluster
[flags] -h, --help Help for the
unprotect-
For example: cluster command.
nutanix@pcvm$ --output string Supported output
clustermgmt-cli
formats: ['default',
unprotect-cluster
-u 000xxxx6- 'json'] (default
cxxx-dxx0-8xxx- "default")
dxxxxxxxx999

Cloud Clusters (NC2) | Cluster Protect Configuration | 177

NC2 MANAGEMENT CONSOLES
The following management consoles are used to use and manage your NC2 clusters:

• NC2 Console: Use the NC2 console to create, hibernate, resume, update, and terminate a NC2 cluster
running on AWS.
• Prism Element Web Console: Use the Prism Element web console to manage routine Nutanix tasks
in a single console. For example, creating a user VM. Unlike Prism Central, Prism Element is used to
manage a specific Nutanix cluster.
For more information on how to sign into the Prism Element web console, see Logging into a Cluster by
Using the Prism Element Web Console.
For more information on how to manage Nutanix tasks, see Prism Web Console Guide.
• Prism Central Web Console: Use to manage multiple Nutanix clusters.
For more information on how to sign into the Prism Central web console, see Logging Into Prism
Central.
For more information on how to manage multiple NC2, see Prism Central Infrastructure Guide.

NC2 Console
The NC2 console displays information about clusters, organization, and customers.
The following section explains about all the tasks you can perform and view from this console.

Figure 112: NC2 Console

Main Menu
The following options are displayed in the main menu at the top of the NC2 console:

Navigation Menu
The navigation menu has three tabs: Clusters, Organizations, and Customers. The selected tab is
displayed in the top-left corner. For more information, see Navigation Menu on page 179.

Cloud Clusters (NC2) | NC2 Management Consoles | 178

 Tasks

• Circle icon displays ongoing actions performed in a system that takes a while to complete.
For example, actions like creating a cluster or changing cluster capacity.
Circle icon also displays progress of each ongoing task and a success message appears if the task is
complete or an error message appears if the task fails.
• Gear icon displays the source details of each task performed.
For example, account, organization, or customer.

Notifications

• Bell icon displays notifications if some event in the system occurs or if there is a need to act and resolve
an existing issue.

Warning: You can choose to Dismiss notifications from the Notification Center. However, the
dismissed notifications no longer appear to you or any other user.

• Gear icon displays source details and a tick mark to acknowledge notifications.
• Drop-down arrow to the right of each notification displays more information about the notification.

Note: If you want to receive notifications about a cluster that is not created by you, you must be an
organization administrator and subscribe to notifications of respective clusters in the Notification Center. The
cluster creator is subscribed to notifications by default.

User Menu
The Profile user name option from the drop-down list provides the following opitons:

• General: Edit your First name, Last name, Email, and Change password from this screen. This
screen also displays various roles assigned.
• Preferences: Displays enable or disable slider options based on your preference.
• Storage providers: Displays the storage options with various storage providers.
• Advanced: Displays various assertion fields and values.
• Notification Center: Displays the list of Tasks, Notifications, and Subscriptions.

Navigation Menu
The navigation menu has three tabs on the top; Clusters, Organizations, and Customers, two tabs in the
bottom; Documentation and Support.

Clusters

• Displays the Create Cluster option to create a new cluster.

• Provides a search bar to Search clusters.
• Displays a list of all active clusters by default.
Displays a filter button on the right of the search bar. Click Active or Terminated to switch the list of
currently visible active or terminated clusters, respectively.

Cloud Clusters (NC2) | NC2 Management Consoles | 179

• Displays details of each cluster like Name, Organization, Cloud, Created On, Capacity, Use-Case,
and Status.
The last created cluster is on top of the list by default. To change the order, click the Name heading to
change the value and direction by which the entries are ordered.
• The ellipsis icon against each cluster displays the following options:

• Audit Trail: Displays the activity log of all actions performed by the user on a specific cluster.
• Users: Displays the screens for user management like User Invitations, Permissions,
Authentication Providers.
• Notification Center: Displays the complete list of all the tasks and notifications.
• Update Configuration: Displays the screens to update the settings of clusters.
• Update Capacity: Displays a screen to update the resource allocation of clusters.
• Hibernate: Opens a dialog box for Cluster Hibernation or a Resume option appears if the cluster
is already hibernated.
• Terminate: Displays a screen to delete the cluster.

Figure 113: Clusters Console

Organizations

• Displays the Create Organization option to create a new organization.

• Provides a search bar to Search organizations.
• Displays a list of active organizations by default.
Displays a filter button to the right of the search bar. Click Active or Terminated to switch the list of
currently visible active or terminated organizations, respectively.
• Displays the details of each organization such as Name, Customer, Description, URL Name, and
Status.
The last created organization is on the top of the list by default. To change the order, click the Name
heading to change the value and direction by which the entries are ordered.

Cloud Clusters (NC2) | NC2 Management Consoles | 180

• The ellipsis icon against each organization displays the following options:

• Audit Trail: Displays the activity log of all actions performed on a specific organization.
• Users: Displays the screens for user management like User Invitations, Permissions,
Authentication Providers.
• Sessions: Displays the basic details of the organization and information about the terminating the
cluster.
• Notification Center: Displays the complete list of all Tasks and Notifications.
• Cloud accounts: Displays the status of the Cloud Account if it is active (A-Green) or inactive (I-
Red).
The ellipsis icon against each cloud account displays the following options:

• Add regions: Select this option to update the regions in which the cloud account can deploy
clusters to.
• Update: Select this option to create a new stack or update an existing stack.
• Deactivate: Select this option to deactivate the cloud account.
• Update: Displays the options to update settings of organizations.

Figure 114: Organizations Console

Customers

• Displays a search bar to Search Customers.

• Displays a list of active customers by default.
Displays a filter button to the right of the search bar. Click Active or Terminated to switch the list of
currently visible active or terminated customers, respectively.
• Displays details of each customer like Customer Name, Description, URL Name, Billing and Status.
The last created customer is on the top by default and to change the order, click on customer Name
heading to change the value and direction by which the entries are ordered.

Cloud Clusters (NC2) | NC2 Management Consoles | 181

 • The ellipsis icon against each customer displays the following options:

• Audit Trail: Displays the activity log of all actions performed on a specific cluster.
• Users: Displays the screens for user management like User Invitations, Permissions,
Authentication Providers.
• Notification Center: Displays the complete list of all tasks and notifications.
• Cloud accounts: Displays the status of the Cloud Account if it is active (A-Green) or inactive (I-
Red).
• Update: Displays the options to update settings of customers.

Figure 115: Customers Console

Documentation
Directs you to the documentation section of NC2.

Support
Directs you to the Nutanix Support portal.

Audit Trail
Administrators can monitor user activity using the Audit Trail. Audit Trail provides administrators with an
audit log to track and search through account actions. Account activity can be audited at all levels of the
NC2 console hierarchy.
You can access the Audit Trail page for an Organization or Customer entity from the menu button to the
right of the desired entity.

Cloud Clusters (NC2) | NC2 Management Consoles | 182

 Figure 116: Audit Trail

The following figure illustrates the Audit Trail at the organization level.

Figure 117: Audit Trail - Download CSV

Under the Audit Trail section header, you can search the audit trail by first name, last name, and email
address. You can also click the column titles to sort the Audit Trail by ascending or descending order.
If you want to search for audit events within a certain period, click the date range in the upper right corner
of the section. Set your desired period by clicking on the starting and ending dates in the calendar view.
You can filter your results using the filter icon in the top right corner by specific account action.
You can download the details of your Audit Trail in CSV format by clicking the Download CSV link in the
upper right corner. The CSV will provide all Audit Trail details for the period specified to the left of the
download link.

Notification Center
Admins can easily stay up to date regarding their NC2 resources with the Notification Center. Real-time
notifications are displayed in a Notification Center widget at the top of the NC2 console. The Notification
Center displays two different types of information: tasks and notifications. The information displayed in the
Notification Center can be for organizations or customer entities.

Note: Customer Administrators can see notifications for all organizations and accounts associated with
the tenant by navigating to the Customer or Organization dashboard from the initial NC2 console view and
clicking Notification Center.

Notification Center Widget

The Notification Center splits information into two categories: Tasks (bullet list icon) and notifications (bell
icon). Clicking these icons from the NC2 console view will display a list of pending tasks or notifications to
which the current user is subscribed.

Cloud Clusters (NC2) | NC2 Management Consoles | 183

 Figure 118: Notification Center

Tasks
Tasks (bullet list icon) show the status of various changes made within the platform. For example, creating
an account, changing capacity settings, and so on trigger a task notification informing the admin that an
event has started, is in progress, or has been completed.
Notifications
Notifications (bell icon) differ from tasks; notifications notify administrators when specific events happen.
For example, resource limits, cloud provider communication issues, and so on.). There are three types of
notifications: info, warning, or error.
Dismiss Tasks and Notifications
You can dismiss tasks or notifications from the Notification Center widget by selecting the task or
notification icon and click the dismiss (x) button inside the event.
Dismissing an event only dismisses the task or notification for your console view; other subscribed admins
still see the event.
Acknowledge Notifications
You can click the check mark icon to acknowledge and dismiss a notification for all users subscribed to that
resource. Acknowledging a notification removes it from the widget, but the notification is still available on
the Notification Center page.

Note: Acknowledging a notification will dismiss it for all administrators subscribed to the same resource.

Cloud Clusters (NC2) | NC2 Management Consoles | 184

NC2 USER MANAGEMENT
NC2 provides access control through which you can assign roles to users that you add to your My Nutanix
account. You have account administrator permissions by default when you sign up for a My Nutanix
account. You can add two more users with the account administrator role to the same account. Therefore,
one account can have only three users with the account administrator role at any given time. To add
users to your account, you can either integrate your organization's SAML authentication solution (Active
Directory, Okta, and others) with My Nutanix or invite specific users to access the NC2 console.
While the administrators can remove users from a tenant using the Global Admin Center, the users, tenant
owner, and administrators can choose to leave a tenant themselves on specific conditions using the Tenant
Details feature, which is available under My Nutanix > Profile > Profile Settings. When there are no
users in the tenant or there is no active subscription in the Billing Center, then the tenant owner can leave
and close the tenant. When a tenant is closed, all subscriptions and services associated with that tenant
are erased. As the user's tenant-related data also gets deleted, users will not be able to rejoin that tenant.
If you must retain the data, then instead of closing the tenant, invite a new account administrator from
the Admin Center before leaving the tenant. For more information on the Leave Tenant feature, see the
Nutanix Cloud Services Administration Guide.

User Roles
The NC2 console uses a hierarchical approach to organizing administration and access to accounts.
The NC2 console has the following entities:

• Customer: This entity is the highest business entity in the NC2 platform. You create multiple
organizations under a customer and then create clusters within an organization. When you sign up for
NC2, a Customer entity is created for you. You can then create an Organization, add a cloud (Azure
or AWS) account to that organization, and create clusters in that organization. You cannot create a new
Customer entity in your NC2 platform.
• Organization: This entity allows you to set up unique environments for different departments within
your company. You can create multiple clusters within an organization. You can separate your clusters
based on your specific requirements. For example, create an organization Finance and then create a
cluster in the Finance organization to run only your finance-related applications.
Users can be added from the Cluster, Organization, and Customer entities. However, the user roles
that are available while adding users vary based on whether the users are invited from the Cluster,
Organization, and Customer entities. Administrators can grant permissions based on their own level of
access. For example, while a customer administrator can assign any role to any cluster or organization
under that customer entity, an organization administrator can only grant roles for that organization and the
clusters within that organization.
The following user roles are available in NC2.

Table 23: User Roles in NC2

Role Description
Customer Administrator Highest level of access. Customer administrators can create
and manage multiple organizations and clusters. Customer
administrators can also modify permissions for any of the user
roles.
Customer Auditor Customer Auditor users have read only access to functionality at
the customer, organizations, and account levels.

Cloud Clusters (NC2) | NC2 User Management | 185

 Role Description
Customer Security Administrator Customer Security Administrator users can only access Audit
Trail and Users functions at the customer level to manage all
authentication providers (such as, Basic (username/password),
Google, SAML2, and API), configures SAML2 providers, manage
SAML2 permissions, and manages users for all organizations and
accounts.

Organization Administrator Organization administrators can manage any organizations

assigned to them by the Customer administrator and those
organizations’ accounts. Organization administrators can only be
created by Customer administrators.
Organization Auditor Organization Auditor users have read only access to the
organization and clusters under the organization.
Organization Security Administrator Organization Security Administrator users can only access
Audit Trail and Users functions at the specified organization
level to manage all authentication providers (such as, Basic
(username/password), Google, SAML2, and API), configures
SAML2 providers, manage SAML2 permissions, and add users for
all accounts under the specified organization.

Cluster Administrator Cluster Administrator can access and manage any clusters
assigned to them by the Organization or Customer administrators.
Cluster Admin can also open, close, or extend a support tunnel for
the Nutanix Support team.
Cluster Super Admin Cluster Super Admin can open, close, or extend a support tunnel
for the Nutanix Support team.
Cluster Auditor Cluster Auditor users have read only access to the clusters under
the organization.
Cluster User Cluster User can access a specific cluster assigned to them by the
Cluster, Organization or Customer Administrator.

See the Local User Management section of the Nutanix Cloud Services Administration Guide for more
information about the following:

• Invite additional My Nutanix administrators.

• Remove the My Nutanix administrator.
• Resend or cancel the invite for a My Nutanix administrator.

Note: The user roles described in the Local User Management section of the Nutanix Cloud Services
Administration Guide guide are not applicable to NC2. For the user roles in NC2, see the user roles
described in this section.

See the Nutanix Cloud Services Administration Guide for more information about authentication
mechanisms, such as multi-factor authentication and SAML authentication.

Adding Users from the NC2 Console

The NC2 Customer and Organization Security Administrators can enforce the authentication settings for
your NC2 account. Cluster administrators and users can add other users and assign roles based on their
own level of access to the NC2 resources. Users can be added at the customer account, organization, and
cluster level.

Cloud Clusters (NC2) | NC2 User Management | 186

 Note: Users can be added from the Cluster, Organization, and Customer entities. However, the user
roles that are available while adding users vary based on whether the users are invited from the Cluster,
Organization, and Customer entities. Administrators can grant permissions based on their own level of
access. For example, while a customer administrator can assign any role to any cluster or organization under
that customer entity, an organization administrator can only grant roles for that organization and the clusters
within that organization.

Perform the following to add users to NC2:

Procedure

1. Sign in to the NC2 console.

2. Click the Customers tab.

3. Click the ellipsis icon against the desired customer entity, and click Users.
The Authentication tab displays the identity authentication providers that are currently enabled for your
account, and the relevant tabs for the enabled authentication providers are displayed. The NC2 account
administrator must have first unlocked the Enforce settings slider.

Figure 119: User Authentication Enforcement

Perform the following steps to invite users based on the authentication provider.

Cloud Clusters (NC2) | NC2 User Management | 187

4. To invite users with the basic authentication method where username and password is used:

a. Click the Basic (username/password) tab.

Figure 120: Invite Users with Basic Authentication

b. Click Invite Users.

Figure 121: Invite Users - Basic Authentication

c. Enter a comma-separated email address of the users you want to add to NC2. You can invite 100
users at a time.
d. Select the desired user role for the invited user from the Roles list, and then select the desired
customer entity. Click Add to add more entries to assign more user roles.
e. Click Invite to invite the users to NC2.

Cloud Clusters (NC2) | NC2 User Management | 188

5. To invite users with the My Nutanix authentication method:

a. Click the My Nutanix tab.

Figure 122: My Nutanix Administrator Access

b. Enable or disable access to My Nutanix using the Allow Nutanix Admins on MyNutanix to
administer this customer slider. If you lock the My Nutanix slider, then the slider cannot be
unlocked at the Organization entity level.

Cloud Clusters (NC2) | NC2 User Management | 189

6. To invite users with Google authentication:

a. Click the Google tab.

Figure 123: Invite Users with Google Authentication

b. Click Add.

Figure 124: Add Google Authentication

c. Enter an email address or domain of the user you want to add to NC2.
d. Click Add Recipient to add more users.
e. Select the desired user role for the invited user from the Roles list, and then select the entity that the
role applies to. Click Add to add more entries to assign more user roles.
f. Click Add.

Cloud Clusters (NC2) | NC2 User Management | 190

7. To add users with SAML2 authentication, first add the SAML2 provider and then add the desired
permissions:
To add a SAML2 provider:

a. Click the SAML 2 Providers tab.

Figure 125: Adding SAML 2 Provider

b. Click Add SAML 2 Provider. The Add A SAML 2 Identity Provider dialog appears.

Cloud Clusters (NC2) | NC2 User Management | 191

 Figure 126: Adding a SAML 2 Identity Provider
c. Enter or select the following details:

• Application Id
• Auth provider metadata: URL or XML
• Metadata URL or Metadata XML
• Integration Name
• Custom Label
• Authentication token expiration
• Signed response
• Signed assertion
d. Click Add.
To add SAML 2 Permission:

a. Click the SAML 2 Permission tab. The SAML 2 Permissions dialog appears.
b. Click Add Permission. The Create A SAML2 Permission dialog appears.

Cloud Clusters (NC2) | NC2 User Management | 192

 Figure 127: Creating A SAML2 Permission
c. Enter or select the following details:

• For provider: Select the SAML2 Provider you are designating permissions for.
• Allow Access:

• Always: Once the user is authenticated, they have access to the role you specify – no
conditions required.
• When all conditions are satisfied: The user must meet all conditions specified by the
administrator to be granted access to the role specified.
• When any condition is satisfied: The user can meet any conditions specified by the
administrator to be granted access to the role specified.
• Conditions: Specify your assertion claims and their values which correspond with the roles you
wish to grant.
• Grant roles: Select the desired roles you wish to grant to your users. You can add multiple role
sets using the Add button.
d. Click Save.
e. To update the SAML 2 permissions of the users in your account, click the SAML 2 Permissions tab.
The SAML 2 Permissions page displays the list of all users in your account.
f. Click the ellipsis icon against the user you want to edit the SAML 2 permissions for, and then click
Update. The Update a rule dialog appears.

Cloud Clusters (NC2) | NC2 User Management | 193

 Figure 128: Updating a SAML 2 Permission Rule
g. Edit the details, such as roles.
h. Click Save.

Cloud Clusters (NC2) | NC2 User Management | 194

8. To invite users with API authentication:

a. Click the API tab. The APIs dialog appears.

b. Click Add API.

Figure 129: Adding an API

c. Enter a name for the API and select the desired role.
d. Click Add.
e. To update an API, click the API tab. The APIs page displays the list of all APIs in your account. Click
the ellipsis icon against the API you want to edit. You get Update, Delete, and Manage options. To
update the API, click Update. The Update API dialog appears.

Figure 130: Updating an API

f. Enter details, such as Roles.

Cloud Clusters (NC2) | NC2 User Management | 195

 g. Click Save.
To manage API credentials, Click Manage. The Manage API Credentials dialog appears. Click the
trash icon if you want to delete the API key.
To delete an API, click Delete.

9. To invite users with Secure Anonymous: You can create many users without email invitation or
activation. Mass user creation can be used to deliver training and certification tests to end users who

Cloud Clusters (NC2) | NC2 User Management | 196

are guest users (not employees, but clients or anonymous users). This solution does not rely on any
existing identity provider integration.

a. Click the Secure Anonymous tab.

Figure 131: Anonymous Access Provider

b. Click Add Provider. The Add Anonymous Access Provider dialog appears.

Figure 132: Adding Anonymous Access Provider

c. Enter or select Name, Description, Token Duration, and Roles. Click Save.

Cloud Clusters (NC2) | NC2 User Management | 197

 d. Once you have created a Secure Anonymous Token Provider and set the desired token duration
and roles, simply click on the ellipsis listed next to your Anonymous Access Provider and click
Playground.
e. Specify the number of tokens you need, enable the Embed token in a URL toggle, and then click
Generate Anonymous Tokens.
f. All tokens and their pre-constructed URLs are copied to your clipboard. You can now distribute these
URLs to your end users to give them access to your NC2 environment.

Managing Support Authorization

NC2 specialists, a group of Nutanix Support team, can view customer names, organization names, and the
cluster details. However, they cannot access these entities or make any changes to these entities.
When you report any issue with your NC2 cluster, the specialists can request admin-level access to
your cluster entities to be able to view the cluster details and aid you in the troubleshooting process. If
the specialist makes any changes, these changes are logged in the audit trail. The admin-level access
requests are granted by default; however, NC2 provides a way to manage the support authorization to
allow complete, partial, or block access to your entities.
Perform the following steps to manage support authorization:

Procedure

1. Sign in to the NC2 console.

2. Click the Organizations tab.

3. Click the ellipsis icon against the organization entity, and then click Users.

Cloud Clusters (NC2) | NC2 User Management | 198

4. Click the Support tab. The Support Options page appears.
Under Support Options, you can specify how much control you would like to grant NC2 support
engineers.

Figure 133: Support Authorization

5. Select the required option under Support Authorization:

• Full access to this organization and its accounts: Grants NC2 support engineers the same level
of access as a Customer Administrator.
• Full access without ability to start sessions and manage users: NC2 support engineers may not
start sessions to your workload VMs.
• No Access: NC2 support engineers have no access to your customer and organization(s).

6. If you choose to give full access, then you can choose to give full access to specific NC2 specialists.
Click Add Personnel and then enter the email address of the NC2 specialist.
To revoke access, click the trashcan symbol listed to the right of the Nutanix staff member you would
like to remove from the Authorized Nutanix Personnel list. Click Save to apply your changes.

Cloud Clusters (NC2) | NC2 User Management | 199

API KEY MANAGEMENT FOR NC2
You can create API keys that can be used to assign roles to NC2 users.
Follow these steps to create an API key for NC2:

Cloud Clusters (NC2) | API Key Management for NC2 | 200

Procedure

1. Create an API key:

a. Sign in to https://my.nutanix.com with your My Nutanix account.

Note: Ensure that you select the correct workspace from the Workspace list on the My Nutanix
dashboard. For more information on workspaces, see Workspace Management.

b. In the My Nutanix dashboard, go to the API Key Management tile and click Launch.
If you have previously created API keys, a list of keys is displayed.
c. Click Create API Keys to create a new key.
The Create API Key dialog appears.

Figure 134: Creating an API Key

d. Select or enter the following details:

• Name: Enter a unique name for your API key to help you identify the key.
• Scope: Select the NC2 scope category under Cloud from the Scope list.

Cloud Clusters (NC2) | API Key Management for NC2 | 201

 • Role: Select the NC2 role for which the API Key authorization/permissions will be used. You can
select one of these roles:

• Admin: Create or delete a cluster and all permissions that are assigned to the User role.
• User: Manage clusters, hibernate and resume a cluster, update cluster capacity, and all
permissions that are assigned to the Viewer role.
• Viewer: View account, organization, cluster, and tasks on the NC2 console.
e. Click Create.
The Created API dialog is displayed.

Figure 135: Created API Key

f. Copy the API Key and Key ID field values and store them securely for use. You can use the
clipboard button to copy the value to your clipboard.

Note: You cannot recover the generated API key and key ID after you close this dialog.

For more details on API Key management, see the API Key Management section in the Licensing
Guide.

Cloud Clusters (NC2) | API Key Management for NC2 | 202

2. Generate a JSON Web Token (JWT) token for authentication to call the REST APIs.
You can clone the script from https://github.com/nutanix/generate-jwt-key and update it as needed.

Note: This step uses Python to generate a JWT token. You can use other programming languages, such
as Javascript and Golang.

a. Run the following command to install the PyJwt package:

pip install PyJWT==2.3.0

b. Replace the API Key and Key ID in the following Python script and then run it to generate a JWT
token. Also, you can specify expiry time in seconds for the JWT token to remain valid. In the
requesterip attribute, enter the requester IP.
from datetime import datetime
from datetime import timedelta
import base64
import hmac
import hashlib
import jwt

api_key = "enter the API Key" # API_KEY

key_id = "enter the Key ID" # KEY_ID
aud_url = "https://apikeys.nutanix.com"

def generate_jwt():
curr_time = datetime.utcnow()
payload = {
"aud": aud_url,
"iat": curr_time,
"exp": curr_time + timedelta(seconds=120),
"iss": key_id,
"metadata": {
"reason": "fetch usages",
"requesterip": "enter the requester IP",
"date-time": curr_time.strftime("%m/%d/%Y, %H:%M:%S"),
"user-agent": "datamart"
}
}
signature = base64.b64encode(hmac.new(bytes(api_key, 'UTF-8'), bytes(key_id,
'UTF-8'), digestmod=hashlib.sha512).digest())
token = jwt.encode(payload, signature, algorithm='HS512',
headers={"kid": key_id})
print("Token (Validate): {}" .format(token))

generate_jwt()

c. A JWT token is generated. Copy the JWT token on your system for further use. The JWT token can
be used as an Authorization header when validating the API call. The JWT token remains valid for
the duration that you have specified.

Cloud Clusters (NC2) | API Key Management for NC2 | 203

NC2 PLANNING GUIDANCE
This section describes how you can plan costs, sizing, and capacity for your Nutanix Cloud Clusters (NC2)
infrastructure.

Costs
Costs for deploying an NC2 infrastructure include the following:
1. AWS EC2 bare-metal instances: AWS sets the cost for EC2 bare-metal instances. Engage with AWS or
see their documentation about how your EC2 bare-metal instances are billed. For more information, see
the following links:

• EC2 Pricing
• AWS Pricing Calculator
2. NC2 on AWS: Nutanix sets the costs for running Nutanix clusters in AWS. Engage with your Nutanix
sales representatives to understand the costs associated with running Nutanix clusters on AWS.

Sizing
You can use the Nutanix Sizer tool to enable you to create the optimal Nutanix solution for your needs. See
the Sizer User Guide for more information.

Capacity Optimizations
The Nutanix enterprise cloud offers capacity optimization features that improve storage utilization and
performance. The two key features are compression and deduplication.

Compression
Nutanix systems currently offer the following two types of compression policies:

Inline
The system compresses data synchronously as it is written to optimize capacity and to maintain high
performance for sequential I/O operations. Inline compression only compresses sequential I/O to avoid
degrading performance for random write I/O.

Post-Process
For random workloads, data writes to the SSD tier uncompressed for high performance. Compression
occurs after cold data migrates to lower-performance storage tiers. Post-process compression acts only
when data and compute resources are available, so it does not affect normal I/O operations.
Nutanix recommends that you carefully consider the advantages and disadvantages of compression for
your specific applications. For further information on compression, see the Nutanix Data Efficiency tech
note.

Cloud Clusters (NC2) | NC2 Planning Guidance | 204

COST ANALYTICS
NCM Cost Governance (formerly Beam) enables you to gain visibility into your Nutanix Cloud Clusters
(NC2) spend in AWS. The cost governance feature of Cost Governance provides visibility into your cloud
consumption and in turn helps you optimize and control the usage of your Nutanix clusters running in AWS.
If you use Cost Governance with NC2, you can analyze the cost of EC2 bare-metal instances, cost per
instance type, cost of EC2 outbound traffic and network interfaces, and spend of S3 Buckets during
hibernation of the Nutanix clusters in AWS.

• Key: nutanix:clusters:cluster-uuid
• Value: UUID of the cluster created in AWS
You must add and activate the nutanix:clusters:cluster-uuid tag as a cost allocation tag in AWS, so that
Cost Governance can successfully display the cost analytics of Nutanix clusters in AWS.
For more information about setting up and using Cost Governance, see the NCM Cost Governance
documentation.

Integrating Cost Governance with NC2

To integrate Cost Governance with NC2, you must have a Cost Governance subscription and configure
Cost Governance with your AWS account.

About this task

Perform the following tasks to integrate Cost Governance with NC2.

Procedure

1. Subscribe to the Cost Governance service.

See the Cost Governance (Beam) section in the Cloud Services Administration Guide for instructions
about how to subscribe to the Cost Governance service.

2. Configure Cost Governance with your AWS account.

See Adding AWS Account (Cost Governance) in the NCM Cost Governance User Guide for instructions
about how to perform this task.

3. In AWS, add and activate the NC2 tag nutanix:clusters:cluster-uuid as a user-defined tag.
See Activating User-Defined Cost Allocation Tags section in the AWS documentation.
The tag activates after 24 hours.

Note: Add and activate the tag by using the payer account of your organization in AWS.

4. Sign in to the Cost Governance console to see the cost analytics of your Nutanix clusters in AWS.

Displaying Cost Analytics in the Cost Governance Console

You can display the cost of EC2 bare-metal instances, cost per instance type, cost of EC2 outbound traffic
and network interfaces, and spend of S3 Buckets during hibernation of the Nutanix clusters in AWS in the
Cost Governance console.

About this task

In the Cost Governance console, perform the following.

Cloud Clusters (NC2) | Cost Analytics | 205

 Note: For the up-to-date instructions about how to perform the following tasks, see the NCM Cost
Governance documentation.

Procedure

1. Sign in to the Cost Governance console.

2. Select Cost Governance in the application selection menu.

3. Select AWS and your AWS account in the cloud and account selection menu.

4. Click Analyze to display the Cost Analytics screen.

5. To display the cost of EC2 instances, do the following:

a. In the Cost Analytics screen, go to Compute → Instances.

b. In the Filters pane, in the Tag Key field, select the nutanix:clusters:cluster-uuid and, in the Tag
Value field, select the UUID of the cluster for which you want to view the spend.
c. Click Apply.

6. To display the cost for each instance type, do the following:

a. In the Cost Analytics screen, go to Compute → Instances Types.

b. In the Filters pane, in the Tag Key field, select the nutanix:clusters:cluster-uuid and, in the Tag
Value field, select the UUID of the cluster for which you want to view the spend.
c. Click Apply.

7. To display the cost of the EC2 outbound traffic, do the following:

a. In the Cost Analytics screen, go to Data Transfer.

b. In the Filters pane, in the Tag Key field, select the nutanix:clusters:cluster-uuid and, in the Tag
Value field, select the UUID of the cluster for which you want to view the spend.
c. Click Apply.

8. To display the cost for each instance type, do the following:

a. In the Cost Analytics screen, go to Compute → Subservices.

b. In the Filters pane, in the Tag Key field, select the nutanix:clusters:cluster-uuid and, in the Tag
Value field, select the UUID of the cluster for which you want to view the spend.
c. Click Apply.

9. To display the cost for each instance type, do the following:

a. In the Cost Analytics screen, go to Storage.

b. In the Filters pane, in the Tag Key field, select the nutanix:clusters:cluster-uuid and, in the Tag
Value field, select the UUID of the cluster for which you want to view the spend.
c. Click Apply.

Cloud Clusters (NC2) | Cost Analytics | 206

FILE ANALYTICS
Nutanix clusters running in AWS support File Analytics if you are using the Files feature of Nutanix. File
Analytics runs as a VM in Prism Element and not as a separate EC2 instance.
Install the File Analytics VM from the Prism Element web console.

Note: Nutanix Cloud Clusters (NC2) supports File Analytics versions 2.2.0 and later.

See the Files Analytics documentation on the Nutanix Support portal for more information about File
Analytics.
In the Prism Element web console, go to the Files page and click File Analytics.
If you are accessing the VM from inside the VPC, you can access the VM by using the File Analytics IP
address. If you want to access the file analytics VM from outside the VPC, you must configure a load
balancer that has a public IP address.

Note: NC2 recommends that you enable File Analytics for a desired file server before you add a load
balancer to the File Analytics VM.

Configure a load balancer with the following:

1. Target type must be the IP address of the File Analytics VM.
2. Target must have only one IP address, that is the File Analytics VM IP address since it is a single-node
VM.
3. Allow traffic only on port 3000 as a part of the listener definition.
4. Protocol must be HTTPS.
5. Configure health checks at “/“.
After you add a load balancer, you cannot access the File Analytics VM from the Files page. Use the
following link to directly access the File Analytics VM:
<Load balancer link>:3000/#dashboard?fs_id=<file server uuid>&user_name=<user name of
the user>

Cloud Clusters (NC2) | File Analytics | 207

NC2 SYSTEM AND OPERATIONAL
FEATURES
This section describes the system and operational features of Nutanix Cloud Clusters (NC2) that enables
you to configure data protection, perform routine and emergency maintenance, monitor health of the
cluster through health checks, and access support services.

Health Check
Nutanix provides robust mechanisms to monitor the health of your clusters by using Nutanix Cluster Check
and health monitoring through the Prism Element web console.
You can use the NC2 console to check the status of the cluster and view notifications and logs that the
NC2 console provides.

Figure 136: Check status and notifications for a cluster

For more information on how to assess and monitor the health of your cluster, See Health Monitoring.

Backup and Recovery

Nutanix provides the following backup and recovery options.

Disaster Recovery for Instance, AZ, and Region Failure

Nutanix has native inbuilt replication capabilities to recover from complete cluster failure. Nutanix
supports asynchronous replication. You can set your Recovery Point Objective (RPO) to be one hour with
asynchronous replications.
You can create a new remote site in your on-prem Nutanix cluster for the new cluster on AWS. You can
pair the Prism Central of the Nutanix cluster running in AWS with the Prism Central of the Nutanix cluster
running in your on-premises datacenter. You must configure connectivity between your on-prem datacenter
and AWS VPC by using either the AWS VPN or AWS Direct Connect. You must also ensure the ports
are open on the management security group required for replication. The existing best practices listed in
the Nutanix Disaster Recovery Guide apply, because in many ways an AWS bare-metal instance is like
another supported OEM vendor.
See the AWS documentation at AWS Site-to-Site VPN to connect AWS VPC by using VPN.
See the AWS documentation at Connect Your Data Center to AWS to connect AWS VPC by using Direct
Connect.

Cloud Clusters (NC2) | NC2 System and Operational Features | 208

 If you want to use protection policies and recovery plans to protect applications across multiple Nutanix
clusters, set up Nutanix Disaster Recovery (formerly Leap) from Prism Central. Nutanix Disaster Recovery
allows you to stage your application to be restored in the right order. You can also use protection policies to
failback to on-prem if required.
See the Nutanix Disaster Recovery Guide on the Nutanix Support portal for more information.

Integration with Third-Party Backup Solutions

Deploying a single cluster in AWS is great for more ephemeral workloads where you want to take
advantage of performance improvements and use the same automation pipelines you use on-prem.
Nutanix recommends you to use backup products compatible with AHV to target S3 as the backup
destination.
Nutanix qualifies most of the backup products compatible with AHV. For example, HYCU and Veeam
are compatible with AHV and are qualified as a backup solution to work in an NC2 environment. See
the HYCU and Veeam documentation for instructions about how to implement and configure HYCU and
Veeam solutions.

Routine Maintenance
This section has more information about routine maintenance activities like monitoring certificates, software
updates, managing licenses and system credentials.

Monitoring Certificates
You must monitor your certificates for expiration. Nutanix does not provide a process for monitoring
certificate expiration, but AWS provides an AWS CloudFormation template that can help you set up alarms.
See acm-certificate-expiration-check for more information. Follow the AWS best practices for certificate
renewals.

Nutanix Software Updates

You can track and manage the software versions of all the entities in your Nutanix cluster by using methods
described in Life Cycle Manager Guide and Acropolis Upgrade Guide.
For an on-prem cluster, Life Cycle Manager (LCM) allows you to perform upgrades of the BMC, BIOS, and
any hardware component firmware. However, these components are not applicable to clusters deployed in
AWS. Therefore, LCM does not list these items in the upgrade inventory.

Managing Nutanix Licenses

After you log on to the Nutanix Support portal at https://portal.nutanix.com and click the Licenses link on
the portal home page, you can expand the Clusters on the left pane to manage the licenses.
The Clusters page includes the following category pages depending on the license type used for your
NC2 cluster:

• Licensed Clusters. Displays a table of licensed clusters including the cluster name, cluster UUID,
license tier, and license metric. NC2 clusters with AOS and NCI licensing appear under Licensed
Clusters.
• Cloud Clusters. Displays a table of licensed Nutanix Cloud Clusters including the cluster name, cluster
UUID, billing mode, and status. NC2 clusters with AOS licensing appear under Cloud Clusters. NCI-
licensed clusters do not appear under Cloud Clusters.
To purchase and manage the software licenses for your Nutanix clusters, see the License Manager Guide.

Cloud Clusters (NC2) | NC2 System and Operational Features | 209

System Credentials
See the AWS documentation to manage your AWS accounts and their permissions.
For NC2 credentials, see the NC2 Payment Methods and User Management.

Managing Access Keys and AWS Service Limits

Nutanix recommends that you follow the AWS best practices to manage access keys and service limits.

Emergency Maintenance
The NC2 software can automatically perform emergency maintenance if you configure redundancy factor 2
(RF2) or RF3 on your cluster to protect against rack failures and synchronous or asynchronous replication
to protect against AZ failures. For node failures, NC2 detects a node failure and replaces the failed node
with a new node.
Hosts in a cluster are deployed by using a partition placement group with seven partitions. A placement
group is created for each host type and the hosts are balanced within the placement group. The placement
group along with the partition number is translated into a rack ID of the node. This enables AOS Storage to
place meta data and data replicas in different fault domains.

Figure 137: NC2 on AWS Partition Placement(Multi)

A redundancy factor 2 (RF2) configuration of the cluster protects data against a single-rack failure and an
RF3 configuration protects against a two-rack failure. Additionally, to protect against multiple correlated
failures within a data center and an entire AZ failure, Nutanix recommends that you set up synchronous
replication to a second cluster in a different AZ in the same Region or an asynchronous replication to an AZ
in a different Region.
See Data Protection and Recovery with Prism Element for more information.

Automatic Node Failure Detection

If a node failure occurs, the NC2 software detects the failure, and will automatically condemn the node,
add a new node to the cluster, and ultimately remove the failed node. Depending on the type of failure, the
workload on the failed node will be either migrated or restarted on the remaining nodes.

Note: NC2 detects a node failure in a few minutes and brings a replaced node online in approximately one
hour; this duration varies depending on the time taken for data replication, the customer’s specific setup, and
so on.

Cloud Clusters (NC2) | NC2 System and Operational Features | 210

Troubleshooting Deployment Issues
Nutanix provides knowledge-base articles to address any errors that users might encounter while
deploying and using NC2 on AWS. You can find most recent KBs here. You can also get a list of known
issues in the NC2 on AWS Release Notes.
Some of the issues that have been observed recently are:

• LCM based AHV upgrades in NC2 clusters timeout because of bare metal EC2 instances taking long
time to boot. See KB Article 000013370.
• Cluster resume workflow hangs when S3 connectivity is lost on one of the CVMs. KB Article
000013499.

Documentation Support and Feedback

Nutanix strives to improve product documentation continuously to ensure that users get the information
they want. Making sure our content is sufficiently solving our users' problems is essential to us. With
feedback, you can indicate if you found the documentation helpful and highlight the article that needs
improvements.
Nutanix provides a way for users to share their feedback for documentation and takes necessary actions to
incorporate the feedback received to improve the documentation quality and user experience.
To share your feedback for documentation:

Procedure

1. When accessing a document on https://portal.nutanix.com/, navigate to the Feedback dialog displayed

at the bottom of the page.

Figure 138: Documentation Feedback

2. Select one to five stars to rate the page you referred to. Here, a single star means poor, and five stars
mean excellent.

Cloud Clusters (NC2) | NC2 System and Operational Features | 211

 3. Select the predefined feedback messages that are presented based on the number of stars selected.

Figure 139: Submit Documentation Feedback

4. Enter your suggestion on how this section can be improved.

5. Enter your email address and click Submit.

Support
You can access the technical support services in a variety of ways to troubleshoot issues with your Nutanix
cluster. See the Nutanix Support Portal Help for more information.
Nutanix offers a support tier called Production Support for NC2.
See Product Support Programs under Cloud Services Support for more information about Production
Support tier and SLAs.

AWS Support
Nutanix recommends that you sign up for an AWS Support Plan subscription for technical support of the
AWS entities such as Amazon EC2 Instances, VPC, and more. See AWS Support Plan Offerings for more
information.

Cloud Clusters (NC2) | NC2 System and Operational Features | 212

COPYRIGHT
Copyright 2023 Nutanix, Inc.
Nutanix, Inc.
1740 Technology Drive, Suite 150
San Jose, CA 95110
All rights reserved. This product is protected by U.S. and international copyright and intellectual property
laws. Nutanix and the Nutanix logo are registered trademarks of Nutanix, Inc. in the United States and/or
other jurisdictions. All other brand and product names mentioned herein are for identification purposes only
and may be trademarks of their respective holders.

Cloud Clusters (NC2) | Copyright | 213