Automation Leveraging NSX REST API

VMware has published a new automation guide to help customers automate virtual networking using the NSX APIs.

VMware NSX provides a RESTful API service via NSX Manager that can be consumed in several ways. The NSX REST API can be consumed directly via a tool/library such as cURL or a REST client like Postman, via multiple popular programming languages, and via orchestration and cloud management tools. Popular programming languages such as Python, PowerShell, Perl, Go, and Java have REST client libraries which can easily be utilized to consume the NSX REST API. This means that elaborate workflows and complete systems/portals can be created to provide custom automation, management, and monitoring capabilities.

For more details, and to download the guide, see the API Guide.


VMware NSX Firewalling using AD Groups

This use case implements network security that allows or blocks network access to certain applications/servers in the datacenter, depending on the user logged on in a Horizon View environment.

We will achieve this using a feature of VMware NSX called Identity-based firewalling.

Let's first connect NSX to Active Directory. This step is completed on the NSX Manager under Manage -> Domains. Add the domain you want to use to NSX:


Once the AD sync has completed, we need to choose an AD group inside an NSX "Grouping Object".

  1. Go to Grouping Objects.
  2. Click on the + sign; a new window opens. Provide a proper name.
  3. Click on the + sign.
  4. Choose "Entity" from the drop-down.
  5. Click on the next box; it opens a list of AD groups.
  6. Choose your AD group.


Go to IP Sets and create an IP set; this will contain the list of IPs which we don't want these users to access.

  1. Click on the + sign.
  2. Enter a descriptive name.
  3. Enter the IP addresses to block.
  4. Click OK.


Now let's go to Firewall and create a rule.

  • Click on Firewall.
  • Click on the + sign.
  • Give a descriptive name.
  • Choose the group that we created in Grouping Objects; in our case it is "Demo".
  • Choose the IP set that we created in IP Sets; in our case "no_access_server".
  • Choose "Block", as we need to block the traffic.


I hope this is useful and helpful. Please review and comment.

Add a Static Route to DLR

In my last post I created a DLR using the API; now, as per the requirement, we have to add a default route on the DLR.

Request Type: PUT

https://<NSX-MGR-IP>/api/4.0/edges/edge-35/routing/config/static

Request Body:

<staticRouting>
  <staticRoutes>
    <route>
      <description>route2</description>
      <vnic>2</vnic>
      <network>0.0.0.0/0</network>
      <nextHop>192.168.10.2</nextHop>
      <mtu>1500</mtu>
      <type>user</type>
    </route>
  </staticRoutes>
</staticRouting>
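As an added example (not code from the original post), the same PUT built and sent from Python using only the standard library. The NSX Manager address, edge id, credentials and CA file are parameters you supply; the example assumes HTTP basic auth over a TLS connection verified against that CA, and validates the prefix and next hop before anything is sent.

```python
import base64
import ipaddress
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def build_static_routing_body(routes):
    """Build the <staticRouting> document the PUT expects from a list of dicts
    (description, vnic, network in CIDR form, nextHop, optional mtu)."""
    root = ET.Element("staticRouting")
    static_routes = ET.SubElement(root, "staticRoutes")
    for r in routes:
        # Reject malformed prefixes and next hops before they reach NSX
        # Manager; a typo here would otherwise be pushed into the edge config.
        network = ipaddress.ip_network(r["network"], strict=False)
        next_hop = ipaddress.ip_address(r["nextHop"])
        route = ET.SubElement(static_routes, "route")
        ET.SubElement(route, "description").text = r["description"]
        ET.SubElement(route, "vnic").text = str(int(r["vnic"]))
        ET.SubElement(route, "network").text = str(network)
        ET.SubElement(route, "nextHop").text = str(next_hop)
        ET.SubElement(route, "mtu").text = str(int(r.get("mtu", 1500)))
        ET.SubElement(route, "type").text = "user"
    return ET.tostring(root, encoding="unicode")


def put_static_routes(nsx_mgr, edge_id, body, user, password, cafile):
    """PUT the body to /api/4.0/edges/<edge-id>/routing/config/static.
    cafile is the CA that signed the NSX Manager certificate, so the TLS
    connection is verified instead of blindly trusting the endpoint."""
    url = f"https://{nsx_mgr}/api/4.0/edges/{edge_id}/routing/config/static"
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=body.encode(), method="PUT",
        headers={"Content-Type": "application/xml",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # The default route from the post, as a constructed input.
    default_route = [{"description": "route2", "vnic": 2,
                      "network": "0.0.0.0/0", "nextHop": "192.168.10.2"}]
    print(build_static_routing_body(default_route))
```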


Deploy Distributed Logical Router using NSX API

I am working on an NSX design and deployment engagement. This includes deploying NSX on many sites spread across many cities of India, and working on the web client from the central location was very slow due to bandwidth issues, so we decided to deploy all the NSX components using the NSX API. This also helps by keeping the code handy as a backup, so it can be executed in case a restore is required.

In my first post I showed how to create a Logical Switch. Now let's create a Distributed Logical Router.

Since we are using static routing and there is no firewall requirement, we have decided not to deploy the DLR edge VM at this point of time.

Request Type: POST   https://<NSX-MGR-IP>/api/4.0/edges

Request Body:

<edge>
  <datacenterMoid>datacenter-21</datacenterMoid>
  <name>ODC-A1</name>
  <type>distributedRouter</type>
  <appliances>
    <deployAppliances>false</deployAppliances>
  </appliances>
  <mgmtInterface>
    <connectedToId>dvportgroup-50</connectedToId>
  </mgmtInterface>
  <interfaces>
    <interface>
      <name>Towards_Transit</name>
      <addressGroups>
        <addressGroup>
          <primaryAddress>192.168.10.1</primaryAddress>
          <subnetMask>255.255.255.0</subnetMask>
          <subnetPrefixLength>24</subnetPrefixLength>
        </addressGroup>
      </addressGroups>
      <mtu>1500</mtu>
      <type>uplink</type>
      <isConnected>true</isConnected>
      <isSharedNetwork>false</isSharedNetwork>
      <connectedToId>virtualwire-16</connectedToId>
      <connectedToName>vxw-dvs-35-virtualwire-16-sid-5011-LS_ODC_A_Transit</connectedToName>
    </interface>
    <interface>
      <name>Towards_ODC_LS</name>
      <addressGroups>
        <addressGroup>
          <primaryAddress>10.112.203.1</primaryAddress>
          <subnetMask>255.255.255.0</subnetMask>
          <subnetPrefixLength>24</subnetPrefixLength>
        </addressGroup>
      </addressGroups>
      <mtu>1500</mtu>
      <type>internal</type>
      <isConnected>true</isConnected>
      <connectedToId>virtualwire-15</connectedToId>
      <connectedToName>vxw-dvs-35-virtualwire-15-sid-5010-LS_ODC_A</connectedToName>
    </interface>
  </interfaces>
</edge>


Distributed Logical Router successfully created.

Note – At the time of writing (NSX 6.2.2), the example given in the DLR section of the API doc is actually for an ESG. Using <vnic> for a DLR does not work; you must use <interface> </interface>.

NSX Edge Backup and Restore


Apart from the NSX Manager backup and restore procedure, I was looking for a procedure to back up and restore NSX Edge appliances. Here is the API way to do this (this may not be supported by VMware).

Backup NSX Edge Configuration -

To get the configuration of a specified edge using the REST API, use the following REST API call.

Request type: GET https://<nsxmgr-ip>/api/4.0/edges/<Edge-id>


Save the response body (output) to a file as the backed-up configuration.

Note: Back up the edge certificates, passkeys and passphrases outside of NSX, as the edge certificates are not exported as part of the REST call.

How to Restore Edge Configuration -

To deploy a new edge using the configuration backed up in the step above, use the following REST API call with the saved backup inside the API call body.

Before pasting the backup into the request body, make the following changes:

Remove the section <id><edge-id></id>


Add a new section <password>your 12 digit password</password> inside <cliSettings></cliSettings>


You must remove the section <clientSsl></clientSsl> in the Application Profiles inside the Load Balancer, if it exists.


Now go to your API client and send:

Request type: POST   URL – https://<nsxmgr-ip>/api/4.0/edges/
where the body is the backed-up configuration with the above modifications.


If the above goes well, it will deploy the edge with the existing configuration and return a response for the newly created edge.


The user will then have to go to the NSX UI and self-sign the certificate or import the certificate. If the certificate was associated with an application profile, the user will have to redo that via the UI as well.
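As an added example (not code from the original post), the three edits described above applied to a saved backup with Python's standard library, so the restore body is produced the same way every time and the operator gets a list of the application profiles whose certificate binding must be redone in the UI. The sample backup is constructed for illustration and trimmed to the elements the procedure touches.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a GET /api/4.0/edges/<Edge-id> response, trimmed to
# the elements the restore procedure touches (not a real NSX export).
SAMPLE_BACKUP = """<edge>
  <id>edge-35</id>
  <name>ODC-A1</name>
  <cliSettings>
    <userName>admin</userName>
  </cliSettings>
  <features>
    <loadBalancer>
      <applicationProfile>
        <name>web-profile</name>
        <clientSsl><serviceCertificate>certificate-7</serviceCertificate></clientSsl>
      </applicationProfile>
    </loadBalancer>
  </features>
</edge>"""


def prepare_restore_body(backup_xml, cli_password):
    """Apply the three edits from the post to a saved edge backup; return the
    POST body and the names of profiles whose clientSsl was stripped."""
    # The post asks for a 12 character CLI password; enforce that minimum.
    if len(cli_password) < 12:
        raise ValueError("edge CLI password must be at least 12 characters")
    root = ET.fromstring(backup_xml)
    # 1. Drop <id>: NSX assigns a fresh edge-id on POST.
    for id_el in root.findall("id"):
        root.remove(id_el)
    # 2. Add <password> inside <cliSettings> (create the section if absent).
    cli = root.find("cliSettings")
    if cli is None:
        cli = ET.SubElement(root, "cliSettings")
    pw = cli.find("password")
    if pw is None:
        pw = ET.SubElement(cli, "password")
    pw.text = cli_password
    # 3. Strip <clientSsl> from load-balancer application profiles; the
    #    certificate it references was not exported and does not exist yet.
    stripped = []
    for profile in list(root.iter("applicationProfile")):
        for ssl_el in profile.findall("clientSsl"):
            profile.remove(ssl_el)
            stripped.append(profile.findtext("name", default=""))
    return ET.tostring(root, encoding="unicode"), stripped
```

Keep the returned body out of logs and tickets: it now carries the CLI password in clear text.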


Assigning User Permissions (RBAC) - NSX

In this post, we will get into the NSX permission (Role Based Access Control) configuration.

Let's go to the NSX console from the vSphere Client and from there go to "Manage" -> "Users" -> click on the green plus button:


Here we can select whether we want to map a specific A/D user to an NSX role or an A/D group to a role.


The format to use is "group_name"@domain.name or "user_name"@domain.name.

Let's start with a sample user "dave", which should already have been created in our Active Directory. This user "dave" requires the "Enterprise Administrator" permission, as he is going to manage our entire NSX environment. In the same way we can assign permissions to other users with different permission needs.


Select one of the NSX roles; for the "dave" user we chose "Enterprise Administrator".


Let's try our first login with user "dave":


The login is successful, but there is no "Network & Security" tab, because the user has permission on NSX but not on vCenter.


So far we have configured the NSX Manager part, but we did not take care of the vCenter permission configuration for that user.

Let's configure the vCenter permission so that the user can view the Network & Security tab:

vCenter has its own roles. We need to configure a role for each A/D group/user to whom we want to assign permission. These settings determine what the user can create/access in the vCenter environment.

Configure vCenter Roles:

Let's start by configuring the role for "dave". We know this user is an "Enterprise Administrator" in NSX Manager, so it makes sense to give this user "Network Administrator" across the rest of the vCenter environment, so that he can manage the network-related components of vSphere as well.

Go to vCenter -> Manage -> Permissions and click the green button:


For our case, "Network Administrator" is the minimum.

Select "Network Administrator" from the Assigned Role drop-down list and click on the "Add" button under "Users and Groups":


From the Domain list select your domain name (in our lab the domain is "CORP"), choose your Active Directory user from the list (dave for this example) and click the "Add" button:


Click OK, and OK again for the next step:


Now we can try to log in with the "dave" user: Networking & Security is now visible.
