Upgrading NSX Controllers to NSX 6.3.3 or later deletes any associated DRS anti-affinity rules

Published by Jimmy Mankowitz on 2017-12-082017-12-08

So this post is a follow-up and somewhat related to my prevoius post regarding upgrade of NSX Controllers not retaining syslog conf.

I also noticed that the current DRS-Anti-Affinity regler are deleted when upgrading the NSX Controllers to 6.3.4. This is documented at Vmware Upgrade docs for the NSX Controllers

Important:
In NSX 6.3.3 the underlying operating system of the NSX Controller changes. This means that when you upgrade from NSX 6.3.2 or earlier to NSX 6.3.3 or later, instead of an in-place software upgrade, the existing controllers are deleted one at a time, and new Photon OS based controllers are deployed using the same IP addresses.

When the controllers are deleted, this also deletes any associated DRS anti-affinity rules. You must create new anti-affinity rules in vCenter to prevent the new controller VMs from residing on the same host. VMware Docs

So with this in mind I wanted to find out how to quickly find if I did not have any Rules left and in that case recreate the Anti-Affinity rules for the NSX Controllers. And I went on creating Powershell code that I will share:

$credentials = Get-Credential
$VCenters="vcenter01"  ##### Replace with your VCenter Server Names
##A Function for Get-DRSAffinity
Function Get-DRSAffinityEverywhere {
foreach ($Vcenter in $VCenters)
    {
     Connect-VIServer $VCenters -Credential $credentials
     $Clusters= get-cluster
     foreach($Cluster in $Clusters)
         {
             Get-DrsRule -Name "*Controller*" -Cluster $Cluster | Select Name, Enabled, Type, 
                @{Name="VM"; Expression={ $iTemp = @(); $_.VMIds | % { $iTemp += (Get-VM -Id $_).Name }; 
                  [string]::Join(";", $iTemp) }} 
         }
    Disconnect-VIServer -Force $VCenters 
    }
}
$credentials = Get-Credential
$VCenters="vcenter01"

So If we where to find any Anti-Affinity Group that has the name and contains Controllers then we do not need to do anything, if now we would need to recreate the rule and add the NSX Controllers to that rule.
Get-DRSAffinityEverywhere
Name          Port       User 
----          ----       ---- 
vcenter01     443        local\vcuser

Since it was empty we now run the following script to create fetch the Cluster where the NSX Controllers are in my case it ends with 01 so I filter on that.

## Separate NSX Controllers with Anti-Affinity Rule

$credentials = Get-Credential
$VCenters="vcenter01"
Connect-VIServer $VCenters -Credential $credentials

## Get the Cluster that has name containing 01.
$cluster = GET-Cluster -Name "*01*"
$cluster

## Get the VMs that contains Controller
$antiAffinityVMs = Get-VM -Name "*Controller*"
$antiAffinityVMs

## Create a new DRS Rule that separates (KeepTogether=false) the VMs 
New-DrsRule -Cluster $cluster -Name "Separate NSX Controllers" -KeepTogether $false -VM $antiAffinityVMs
Disconnect-VIServer -Force $VCenters

We can now Run the command Get-DRSAffinityEverywhere once more to check that the VMs have been added to the Anti-Affinity Rule.

Get-DRSAffinityEverywhere

Name         Port     User 
----         ----     ---- 
vcenter01    443      local\vcuser

Name : Separate NSX Controllers
Enabled : True
Type : VMAntiAffinity
VM : NSX_Controller_0101010101;NSX_Controller_101010101;NSX_Controller_1111000001111

Or check in VMware vSphere WebClient.