Skip to content



This page will outline some of the prerequisite actions that may be required before a tenancy can be migrated from NSX-V to NSX-T. VMware have provided a tool that will migrate tenancies from a NSX-V backed VDC to NSX-T. The tool makes a lot of network changes across multiple systems (NSX-V, NSX-T, VCD and vSphere) that underpin the AUCloud platform. Using the migration tool allows for minimal service interruptions and downtime during the migration process. Full details on the migration tool are found in the links at the bottom of this article.

This article also outlines some caveats and details related to other products integrated to the platform. These are in relation to:

  • Disaster Recovery services provided by VMware Cloud Directory Availability (VCDA) and,
  • Backup services provided by Data Protection with Veeam.


The VMware NSX Migration for VMware Cloud Director will first run a pre-check analysis of a customers tenancy. The assessment may identify issues that will need to be corrected before the migration can happen and AUCloud migration technical resources will be in direct contact before migration happens for any identified issues. Below is a list of a few common prerequisites:

  • vApps & Virtual Machines
    • Virtual Machines cannot be suspended - they need to be powered on or off.
    • Virtual Machines cannot have media inserted - disconnect all media.
    • vApps cannot be empty - if they are empty, they need to be deleted.
  • Network

    • Firewall rules cannot use certain objects (Gateway Interfaces, Virtual Machines or Org Vdc Networks) - change Firewall Rules to IP Sets or Security Groups.

      NSX-V FW Objects

      There are three types of gateway interface that can be referenced in firewall policy that require attention, as shown below.

      NSX-V Gateway Interfaces

      The first type of gateway interface is External, which refers to traffic entering or exiting the edge services gateway via the external interfaces

      The External gateway interface type can be replaced in the firewall rules using one of two options

      • Replace with the value of ANY
      • Replace with an IP Set that covers all IP address space excluding the private range (i.e. excluding the RFC1918 ranges). This option can be applied if you do not want private subnets used internally to have access, only sources or destinations that are truly external.


      The following would be included in an IP Set covering all IP address space excluding the private range:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

      The second type of gateway interface is VSE which refers to traffic sourced from or destined to the Edge Gateway itself.

      The VSE gateway interface type can be replaced in the firewall rules with the specific IP addresses assigned to the Edge Gateway, i.e., or in the above diagram.

      The third type of gateway interface is Internal, which refers to all subnets assigned to Organisation VDC networks attached to the Edge Gateway.

      The Internal gateway interface type can be replaced in the firewall rules using IP Sets that contain all Organisation VDC subnets, i.e. and

      Further details around NSX-T Firewalls found here.

  • Named Disks

    • 'Shared' Named Disks cannot be migrated - they need to be removed. Non-shared Named Disks are okay.
  • VMware Cloud Directory Availability (VCDA) - Disaster Recovery (DRaaS)
    • Virtual Machines that are Protected by VCDA need to have their protection removed and re-created. This has to happen if either the Source or Destination tenancy is about to undergo NSX-V to NSX-T migration.

Important Caveats¤

  • Data Protection with Veeam details are found here.

VMware References¤

Official migration tool documentation: