Tag: VMs

VMware NSX

NSX 4.x Certificate Replacement

by Tommy Grot August 31, 2023
written by Tommy Grot 2 minutes read

Tonight’s topic is replacing the NSX certificate on each NSX Manager appliance and on the cluster VIP. If you’re tired of battling certificate issues and are looking for a straightforward solution, you’ve come to the right place! In this blog post, we walk through replacing the NSX certificate for each manager and for the VIP, step by step, with tips to ensure a smooth transition. Let’s get started!

What you will need:

  • Postman client
  • Certificate CSR
  • Certificate generated by your Enterprise CA (I use Microsoft CA)
  • Your Enterprise Root CA certificate
  • Your newly generated private key

  1. With your admin account, log in to NSX Manager.
  2. Select System > Certificates.

Import your certificate and private key into your NSX Manager via the Web UI, with the following settings:

  • Service Certificate – No
  • Certificate Contents – paste the chain in this order:
    • (Cert)
    • (Intermediate – if exists)
    • (Root Cert)

Once you have all the prerequisites ready, open the Postman client and set up its authentication so that it authenticates successfully to the NSX Managers. Once that works, you can start preparing the API calls.

First, let’s validate the certificate we imported:

  • GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate

Example from my environment:

https://nsx01a.prd.virtualbytes.io/api/v1/trust-management/certificates/6d78f17d-f58c-4c27-99fd-31b572dfb1e8?action=validate

Once you see Status OK, proceed to the next step below.

Next, apply the certificate to the API service of the first manager node (this is a POST):

POST https://<FQDN>/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>

Example from my environment:

https://nsx01a.prd.virtualbytes.io/api/v1/trust-management/certificates/6d78f17d-f58c-4c27-99fd-31b572dfb1e8?action=apply_certificate&service_type=API&node_id=7cbf2942-086e-9316-b277-95beed9d91b1

Repeat the POST above for each additional NSX Manager, substituting that manager’s node UUID. You can grab the UUID from System > Appliances > UUID (Copy to Clipboard).

Finally, apply the certificate to the cluster VIP with service_type=MGMT_CLUSTER (POST against the VIP FQDN; no node_id is used here):

https://nsx01.prd.virtualbytes.io/api/v1/trust-management/certificates/6d78f17d-f58c-4c27-99fd-31b572dfb1e8?action=apply_certificate&service_type=MGMT_CLUSTER

There we go, the VIP of my NSX cluster has a enterprise CA signed certificate!
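The same validate-then-apply sequence as a script, added here as an example that is not part of the original post. It uses only the Python standard library. Assumptions not taken from the post: the manager FQDNs, certificate id, node UUIDs and CA file in the block are placeholders to replace with your own; NSX accepts HTTP basic auth for these calls; and the validate response is JSON whose "status" field reads "OK" on success (the post only says to look for Status OK).

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlencode

CERT_API = "/api/v1/trust-management/certificates"


def validate_url(fqdn: str, cert_id: str) -> str:
    """GET this URL to have NSX validate the imported chain before it is applied."""
    return f"https://{fqdn}{CERT_API}/{cert_id}?action=validate"


def apply_url(fqdn: str, cert_id: str, service_type: str, node_id: str = "") -> str:
    """POST this URL to apply the certificate: service_type=API plus a node_id for one
    manager node, or service_type=MGMT_CLUSTER (no node_id) for the cluster VIP."""
    params = {"action": "apply_certificate", "service_type": service_type}
    if node_id:
        params["node_id"] = node_id
    return f"https://{fqdn}{CERT_API}/{cert_id}?{urlencode(params)}"


def validation_ok(body: str) -> bool:
    """True only when the validate response reports status OK; anything else blocks the rollout.
    (Assumed response shape: {"status": "OK"} on success.)"""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("status") == "OK"


def nsx_request(method: str, url: str, user: str, password: str, ctx: ssl.SSLContext):
    """Basic-auth HTTPS call to NSX; returns (HTTP status, response body as text)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, method=method,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        return resp.status, resp.read().decode()


def rollout(cert_id: str, nodes: dict, vip_fqdn: str, user: str, password: str, cafile: str) -> list:
    """Validate once, apply to the API service of every manager node, then to the VIP.
    nodes maps each manager FQDN to its node UUID (System > Appliances > UUID)."""
    # Verify the managers' TLS chain against a CA file instead of disabling verification.
    ctx = ssl.create_default_context(cafile=cafile)
    status, body = nsx_request("GET", validate_url(vip_fqdn, cert_id), user, password, ctx)
    if status != 200 or not validation_ok(body):
        raise RuntimeError(f"certificate {cert_id} failed validation: {body}")
    results = []
    for node_fqdn, node_id in nodes.items():
        results.append(nsx_request("POST", apply_url(node_fqdn, cert_id, "API", node_id),
                                   user, password, ctx))
    results.append(nsx_request("POST", apply_url(vip_fqdn, cert_id, "MGMT_CLUSTER"),
                               user, password, ctx))
    return results


if __name__ == "__main__":
    # Placeholders, not values from the post: replace with your own managers, ids and CA file.
    import getpass
    rollout(
        cert_id="CERT-ID-PLACEHOLDER",
        nodes={"nsx01a.example.test": "NODE-UUID-A",
               "nsx01b.example.test": "NODE-UUID-B",
               "nsx01c.example.test": "NODE-UUID-C"},
        vip_fqdn="nsx01.example.test",
        user="admin", password=getpass.getpass("NSX admin password: "),
        cafile="enterprise-root-ca.pem",
    )
```

The CA file has to validate whatever certificate the managers present at the time of the call: on the first run, when they may still present their default self-signed certificates, export that certificate and pass it as cafile; after the rollout the enterprise root is enough.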

August 31, 2023 2 comments 2.1K views
Events

VMware Explore 2023 – Recap!

by Tommy Grot August 24, 2023
written by Tommy Grot 3 minutes read

Well That’s a Wrap…

Lets Recap! VMware Explore event was an absolute blast! We immersed ourselves in the fun-filled adventures of a multi cloud universe, diving headfirst into tons of Artificial Intelligence content and exploring the endless possibilities of multi-cloud technology. From mind-boggling demos to thought-provoking sessions, this event truly ignited our excitement for the future. With the incredible innovations and breakthroughs showcased, we can’t wait to see where this journey takes us next. The world of technology is evolving at lightning speed, and VMware Explore has undoubtedly left us buzzing with anticipation for what lies ahead in this exhilarating multi cloud universe. Stay Tuned for next VMware Explore 2024 in Las Vegas.

See the previous post on VMware Explore’s General Session.


Celebrating VMware’s 25 Years of Innovation

Introducing VMware Private AI Foundation

During the general session, VMware CEO Raghu Raghuram and NVIDIA CEO Jensen Huang announced a new partnership to offer the next generation of Artificial Intelligence and VMware together. With this innovation in Generative AI and Large Language Models, organizations can embark on the new era of computing and assisted computing to optimize their business needs and requirements. With NVIDIA AI Enterprise and VMware Cloud Foundation together, these two solutions will expand the VMware portfolio tremendously.


The Hub

The Hub! Fun-filled adventures of VMware Communities, VMTN Theater, Broadcast Booth, VMware {code}, VMware Rewards and so much more; can’t forget the cozy relaxing area with bean bags! This was the best place to kick back and relax with your fellow Explorers before attending your next session!


Incredible Friendships

My time spent with these incredible VMware VCDXs (left: Mark Gabryjelski #023; right: John Arrasjid #001) has been nothing short of exhilarating! Getting to dive deep into the world of virtualization and cloud computing with the best in the field has been an absolute dream come true. I’ve gained invaluable insights, learned new techniques, and made lasting friendships that will undoubtedly propel my career forward. I am truly grateful for the opportunity to spend quality time with these masters of their craft, and I cannot wait to apply all that I’ve learned. The future is looking brighter than ever, and I’m thrilled to continue this exciting journey in the world of VMware!

My Favorite Sessions!

  • Keep the Attacker Out: Infrastructure Security Hardening and Auditing
  • Why and How to Apply the DISA vSphere STIGs and Other Hardening
  • Elevate Your Application Modernization Journey with Developer-Ready Cloud

VMware Communities

I want to thank the VMware Communities, especially Corey Romero, for allowing me to be a part of the vExpert team as well as coming to VMware Explore 2023 as a blogger! This year’s Explore was beyond amazing: meeting many different executives, engineers and architects, and creating long-lasting connections and friendships!

Highlights of VMware Explore 2023 – Las Vegas (Gallery)

VMware Explore 2023 was filled with tons of joy, laughter and connections; meeting Raghu Raghuram, CEO of VMware, and Sumit Dhawan, President of VMware, was an awesome moment, as was exploring Las Vegas and The Venetian Resort. I am excited for VMware Explore 2024, here again in Las Vegas next year!

August 24, 2023 1 comment 522 views
Events

VMware Explore 2023 – General Session

by Tommy Grot August 22, 2023
written by Tommy Grot 2 minutes read

VMware Explore 2023 General Session News and Releases!


Welcome to the future of virtualization and cloud computing! Get ready to embark on an exhilarating journey as we dive into the incredible world of VMware Explore 2023. Brace yourselves for an electrifying experience filled with groundbreaking innovations, cutting-edge technologies, and mind-blowing possibilities that will leave you in awe. This blog post will be your ultimate guide to discovering the latest advancements and trends shaping the future of VMware. From immersive virtual environments to intelligent automation and beyond, we’ll explore the limitless potential that lies ahead. So, fasten your seatbelts, tech enthusiasts, because VMware Explore 2023 is about to take you on a thrilling ride into the unknown. Get ready to witness the future unfold before your eyes!

New Releases of Products and Features!

  • vSAN MAX
  • NSX+
  • VMware Cloud Foundation
  • Ransomware and Disaster Recovery
  • Tanzu Application Engine
  • VMware Edge Cloud Orchestrator – Police Interceptor Truck
  • VMware Private AI Foundation with NVIDIA

NVIDIA CEO Jensen Huang on stage at VMware Explore 2023!

vSAN MAX

The introduction of the vSAN Express Storage Architecture™ (ESA) in VMware vSAN 8 just one year ago marked a monumental advance in VMware’s hyperconverged solution. For the past year, we have highlighted just how extraordinary it is in its ability to process and store data faster and more efficiently than ever before. As impressive as that is, perhaps the most powerful aspect of the ESA is its ability to unlock new capabilities for our customers.

  • VMware is announcing the upcoming release of vSAN 8 Update 2 as well as an exciting new offering, VMware vSAN Max™
  • vSAN Max enables a new, optional disaggregated storage deployment model built on vSAN Express Storage Architecture
  • Performance improvements of up to 30% can be expected in vSAN 8 U2, through multiple platform enhancements

It is the power of the Express Storage Architecture that leads us to the introduction of vSAN Max™:  VMware’s new disaggregated storage offering that provides Petabyte-scale centralized shared storage for your vSphere clusters.  Let’s look at what vSAN Max is, and how it will deliver new capabilities, cost savings, and flexibility to your workloads running on VMware vSphere.

VMware Explore 2023 General Session is booming with thousands of Explorers and amazing news releases!

In conclusion, the VMware Explore 2023 General Session is an absolute thrill for tech enthusiasts and professionals alike! Packed with mind-blowing advancements in AI and LLM, cutting-edge apps, groundbreaking VDI technology, and the limitless possibilities of the cloud, this event is sure to leave you awestruck. Prepare to be captivated by the boundless potential of these incredible innovations as they shape the future of technology. Get ready to soar to new heights with VMware, because the possibilities are truly endless!

August 22, 2023 0 comments 720 views
Cloud

The New Frontier of Generative AI & VMware Multi-Cloud!

by Tommy Grot July 10, 2023
written by Tommy Grot 1 minutes read

Generative AI and VMware solutions, with the excitement and potential of new large language models, will be adopted by businesses; but with each business having its own domain to run its data through, there are lots of concerns around security, privacy, and legal issues.

Large language models and multi-cloud infrastructure can complement each other by distributing the computational workload across multiple cloud providers. This allows for increased performance and scalability, as well as reducing the risk of service disruption or downtime.

Multi-cloud deployment of large language models enables organizations to leverage the strengths and capabilities of different cloud providers. By strategically distributing the workload, businesses can optimize cost-efficiency, enhance data privacy and security, and avoid vendor lock-in.

In this Briefing, you’ll hear insights from VMware business and technical leaders on topics including:

  • The opportunities and challenges CIOs see in transforming their businesses with AI.
  • Why multi-cloud environments will be the foundation for enterprise AI.
  • The importance of a responsible and ethical approach to AI.
  • The role of an AI-enabling ecosystem for customer choice and flexibility.
  • AI research priorities for VMware.
  • A glimpse into VMware’s focus on accelerating and simplifying customer adoption of AI.

Speakers include VMware President Sumit Dhawan, VP of Research Sujata Banerjee, and VP of Cross-Cloud Services Vittorio Viarengo. Don’t miss this important conversation!

July 10, 2023 0 comments 409 views
VMware vCenter

vCLS VMs failing to power on vSphere 8.x

by Tommy Grot June 14, 2023
written by Tommy Grot 2 minutes read

Tonight’s troubleshooting tidbit is an important topic that you’ll want to stick around for. We all know that upgrading your system can be a daunting task, especially when something goes wrong. In this blog post, we’ll be discussing an issue that many of you may be facing after upgrading your vSphere 8.0 to 8.0.1.

Are you experiencing problems with DRS not working or vCLS not powering back on? If so, don’t worry, we’ve got you covered! We’ll be diving into the root cause of this issue and providing you with some solutions to get your system back up and running smoothly. So, grab a cup of coffee and let’s get started!

Error Message: vSphere DRS functionality was impacted due to unhealthy state vSphere Cluster services caused by the unavailability of vSphere Cluster Service VMs. vSphere Cluster Service VMs are required to maintain the health of vSphere DRS.

The Events tab will show errors like the following: Privilege check failed for user VSPHERE.LOCAL\vpxd-extension-xxxx for missing permission.

Before You Start!

  • Take a Snapshot of your vCSA
  • SSH into vCSA

Change to the shell and run the following commands (they export the vpxd-extension certificate and key from VECS and re-register them for the EAM extension):

mkdir /certificate
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key
python /usr/lib/vmware-vpx/scripts/updateExtensionCertInVC.py -e com.vmware.vim.eam -c /certificate/vpxd-extension.crt -k /certificate/vpxd-extension.key -s <FQDN> -u [email protected]

2023-06-15T02:32:01.586Z Updating certificate for "com.vmware.vim.eam" extension
2023-06-15T02:32:01.645Z Successfully updated certificate for "com.vmware.vim.eam" extension
2023-06-15T02:32:01.669Z Verified login to vCenter Server using certificate="/certificate/vpxd-extension.crt" is successful

service-control --stop vmware-eam

Operation not cancellable. Please wait for it to finish…
Performing stop operation on service eam…
Successfully stopped service eam

service-control --start vmware-eam

Operation not cancellable. Please wait for it to finish…
Performing start operation on service eam…
Successfully started service eam

A few seconds later, in your vSphere UI, you will see the vCLS VMs starting to power back on!
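Before and after the re-registration above it helps to confirm that the certificate pulled from VECS really is the one the extension now presents. The following checker is an added example, not part of the original post: it computes the colon-separated thumbprints vCenter uses from a PEM file with only the standard library, so the value from /certificate/vpxd-extension.crt can be compared against the thumbprint shown for com.vmware.vim.eam in vCenter. The SAMPLE_PEM in the block is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM text (the leaf)."""
    m = _PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def thumbprint(pem: str, algorithm: str = "sha1") -> str:
    """Thumbprint in the colon-separated upper-case hex form vCenter displays (SHA-1 by default)."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprints_match(a: str, b: str) -> bool:
    """Compare two thumbprints regardless of case or separator style."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(a) == norm(b)


# Constructed sample: body "AAEC" decodes to bytes 00 01 02. NOT a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nAAEC\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    # Usage: python3 thumbprint.py /certificate/vpxd-extension.crt
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print("SHA1   ", thumbprint(pem))
    print("SHA256 ", thumbprint(pem, "sha256"))
```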

June 14, 2023 0 comments 4.4K views
Events

Who’s Excited for VMware Explore 2023!?

by Tommy Grot June 13, 2023
written by Tommy Grot 3 minutes read

Are you ready to explore the future of multi cloud technology? If so, you won’t want to miss VMware Explore 2023 in Las Vegas!

This year’s conference promises to be the most exciting yet, showcasing the latest and greatest innovations in the world of virtualization, cloud computing, and digital transformation. From cutting-edge demos to inspiring keynotes and general session, you’ll have the opportunity to learn from the brightest minds in the industry and network with fellow tech enthusiasts. Whether you’re a seasoned IT pro or just getting started in your career, this conference is the perfect opportunity to deepen your knowledge, expand your horizons, and have some fun along the way. So mark your calendars, book your tickets here, and get ready to explore the future of tech!

How VMware Explore has helped my career?

VMware Explore 2022 was a blast, with experiencing and hearing and seeing all the new features and solutions VMware offers it has helped my career path and skillset in many ways:

1. Broadened knowledge of VMware products: VMware Explore provides cloud engineers with an opportunity to learn about different VMware product offerings and how they can be implemented for various cloud environments.

2. Certifications: VMware Explore offers certifications that help cloud engineers validate their expertise in different areas. These certifications are highly valued in the IT industry and can open up opportunities for career advancement. VMware Education is on site at VMware Explore, and I have used the half-off exam discount at VMware Explore to take an exam!

3. Networking with IT professionals: VMware Explore provides a platform for cloud engineers to network with other IT professionals, share experiences, and exchange ideas. This networking can lead to new job opportunities and other professional engagements.

4. Hands-on experience: VMware Explore gives cloud engineers hands-on experience with different VMware products and how they can be used in different cloud environments through the state-of-the-art VMware Hands-on Labs! This experience is valuable as it can be applied in real-world scenarios and is highly valued by employers.

5. Professional growth: The knowledge and skills gained from VMware Explore can help cloud engineers grow professionally and take on new challenges in their careers. This growth can lead to higher salaries, promotions, and new job opportunities.

What sessions am I most excited to attend?

  • Elevate Your Application Modernization Journey with a Developer-Ready Cloud [CEIB2614LV] by Stephen Evanchik
  • VMware Cloud Foundation Architecture Lessons Learned [CSXM1510LV] by Jonathan McDonald
  • What Minecraft Has Taught Me About Building VM Templates With Automation [VMTN2813LV] by Sean Massey

What was your best Explore story?

At VMware Explore 2022, the first day started with a keynote session where industry experts shared their insights on emerging technologies and the future of enterprise IT and multi-cloud. After that, everyone went off to explore and attend their own sessions, but I had an awesome opportunity to participate in meetings with different business units, such as Cloud Director/VCPP, vRealize (Aria), AVI Vantage (NSX ALB) and Cloud Foundation (VCF). It was an enriching experience to collaborate with Vice Presidents, R&D Managers/Engineers and Architects and showcase what I have deployed and architected.

In conclusion, the VMware Explore event was an enriching experience, and I was excited that I got to participate in different business units meetings. I gained a broader understanding of how the company operates, and the role of each team in delivering value to customers. I left VMware Explore feeling more enlightened and empowered, ready to tackle any challenge in the business world.

VMware Explore – Las Vegas Links

  • Registration : https://www.vmware.com/explore/us.html?src=em_nnqwkc8glpsjf&int_cid=7012H000000wtgaQAA
  • Show Agenda : https://www.vmware.com/explore/us/attend/agenda.html?src=em_nnqwkc8glpsjf&int_cid=7012H000000wtgaQAA
  • Content Catalog: https://event.vmware.com/flow/vmware/explore2023lv/content/page/catalog?src=em_nnqwkc8glpsjf&int_cid=7012H000000wtgaQAA
  • Show Activities : https://www.vmware.com/explore/us/engage/activities.html?src=em_nnqwkc8glpsjf&int_cid=7012H000000wtgaQAA
  • FAQs : https://www.vmware.com/explore/us/attend/faqs.html?src=em_nnqwkc8glpsjf&int_cid=7012H000000wtgaQAA
  • VMware Explore Blog: https://blogs.vmware.com/explore/?src=em_nnqwkc8glpsjf&int_cid=7012H000000wtgaQAA
  • VMware Explore Twitter: https://twitter.com/VMwareExplore (#VMwareExplore)
June 13, 2023 0 comments 543 views
Cloud

Cannot establish a remote console connection in VMware Aria Automation 8.12.x

by Tommy Grot June 1, 2023
written by Tommy Grot 1 minutes read

Tonight’s troubleshooting tidbit – I have deployed VMware Aria Automation and started doing some automation, and I ran into an issue where the Remote Console would not open; it came up with an error: “Cannot establish a remote console connection. Verify that the machine is powered on. If the server has a self-signed certificate, you might need to accept the certificate, then close and retry the connection.”

  1. SSH into one vRA virtual appliance in the cluster.
  2. Edit the provisioning service deployment by running the following command: kubectl -n prelude edit deployment provisioning-service-app
  3. Set the following property in the JAVA_OPTS list to false: -Denable.remote-console-proxy=false

Here you will see the original screenshot with -Denable.remote-console-proxy=true; in the next screenshot we switch it to false.

Denable.remote-console-proxy=false

After you save with :wq!, you will go back to the main SSH session; what I did was execute the command watch kubectl get pods -n prelude. This allowed me to verify and watch that there were no errors during startup.
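The same JAVA_OPTS change as a scripted, idempotent edit of the deployment JSON rather than an interactive kubectl edit, added here as an example that is not from the original post. The deployment document in the block is constructed to mirror the shape of a Kubernetes Deployment (the real provisioning-service-app spec has many more fields), and the container name "provisioning-service-app" is an assumption; the intended pipeline is kubectl -n prelude get deployment provisioning-service-app -o json | python3 patch_java_opts.py | kubectl apply -f -.

```python
import json
import re
import sys


def set_java_opt(opts: str, key: str, value: str) -> str:
    """Set -D<key>=<value> in a JAVA_OPTS string, replacing an existing setting or appending one."""
    pattern = re.compile(rf"-D{re.escape(key)}=\S*")
    new = f"-D{key}={value}"
    if pattern.search(opts):
        return pattern.sub(new, opts)
    return f"{opts} {new}".strip()


def patch_deployment(doc: dict, key: str, value: str,
                     container: str = "provisioning-service-app") -> dict:
    """Return the deployment with the flag set in the named container's JAVA_OPTS env var.
    The container name is an assumption for this example; check it with kubectl first."""
    for c in doc["spec"]["template"]["spec"]["containers"]:
        if c["name"] != container:
            continue
        for env in c.setdefault("env", []):
            if env.get("name") == "JAVA_OPTS":
                env["value"] = set_java_opt(env.get("value", ""), key, value)
                break
        else:  # no JAVA_OPTS entry yet: add one
            c["env"].append({"name": "JAVA_OPTS", "value": f"-D{key}={value}"})
        return doc
    raise KeyError(f"container {container!r} not found in deployment")


# Constructed sample shaped like the real deployment; only the relevant fields are present.
SAMPLE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "provisioning-service-app", "namespace": "prelude"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "provisioning-service-app",
         "env": [{"name": "JAVA_OPTS",
                  "value": "-Xmx4g -Denable.remote-console-proxy=true"}]}]}}},
}


def patched_sample() -> dict:
    """Patch a deep copy of SAMPLE, to demonstrate the edit without touching a cluster."""
    return patch_deployment(json.loads(json.dumps(SAMPLE)), "enable.remote-console-proxy", "false")


if __name__ == "__main__":
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    json.dump(patch_deployment(doc, "enable.remote-console-proxy", "false"), sys.stdout, indent=2)
```

Running it twice yields the same document, so it is safe to re-apply after an upgrade that resets the deployment.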

June 1, 2023 0 comments 1.2K views
CloudNetworkingVMware NSX

Deploying VMware NSX Advanced Load Balancer

by Tommy Grot May 3, 2023
written by Tommy Grot 2 minutes read

Today’s topic is VMware NSX Advanced Load Balancer (AVI). We will walk through the steps of deploying NSX ALB overlaid on top of your NSX environment.

Features

  • Multi-Cloud Consistency – Simplify administration with centralized policies and operational consistency
  • Pervasive Analytics – Gain unprecedented insights with application performance monitoring and security
  • Full Lifecycle Automation – Free teams from manual tasks with application delivery automation
  • Future Proof – Extend application services seamlessly to cloud-native and containerized applications

More information at VMware’s site here

What You Will Need:

  • A Configured and running NSX Environment
  • NSX ALB Controller OVA (controller-22.1.3-9096.ova)
  • Supported Avi controller versions: 20.1.7, 21.1.2 or later versions
  • Obtain IP addresses needed to install an appliance:
    • Virtual IP of NSX Advanced Load Balancer appliance cluster
    • Management IP address
    • Management gateway IP address
    • DNS server IP address
  • Cluster VIP and all controllers management network must be in same subnet.
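A pre-flight check for the address plan above, added as an example that is not part of the original post: it confirms that the cluster VIP and all controller management addresses sit in the same subnet as required, that none of them is the gateway, network or broadcast address, that there are no duplicates, and that exactly three controllers are planned. The addresses in the block are constructed placeholders from the documentation range 192.0.2.0/24.

```python
import ipaddress


def check_controller_addresses(vip: str, controllers: list, gateway: str, prefix: str) -> list:
    """Return a list of problems; an empty list means the plan satisfies the same-subnet rule."""
    net = ipaddress.ip_network(prefix, strict=True)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gateway} is outside {net}")
    seen = set()
    labelled = [("VIP", vip)] + [(f"controller {i + 1}", c) for i, c in enumerate(controllers)]
    for label, addr in labelled:
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
        elif ip == gw:
            problems.append(f"{label} {addr} collides with the gateway")
        if ip in seen:
            problems.append(f"{label} {addr} is a duplicate")
        seen.add(ip)
    if len(controllers) != 3:
        problems.append(f"expected 3 controllers for HA, got {len(controllers)}")
    return problems


if __name__ == "__main__":
    # Constructed plan; replace with your own VIP, controller and gateway addresses.
    plan = check_controller_addresses("192.0.2.10", ["192.0.2.11", "192.0.2.12", "192.0.2.13"],
                                      "192.0.2.1", "192.0.2.0/24")
    print("OK" if not plan else "\n".join(plan))
```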

Let’s start by deploying the controller OVF.

I like to keep names neat and consistent; these are the names I used:

Virtual Machine Names:
  • nsx-alb-01
  • nsx-alb-02
  • nsx-alb-03

You need a total of 3 controllers deployed to create a highly available NSX ALB cluster.

Click Ignore All, or you will get the error shown below.

Select your datastore ->

Click Next ->

My DNS Records:

  • nsx-alb-01.virtualbytes.io
  • nsx-alb-02.virtualbytes.io
  • nsx-alb-03.virtualbytes.io

We are deploying!

Access your first appliance via its FQDN that you have set in the steps above.

Create your password for local admin account

Create your passphrase, and set your DNS resolvers and DNS search domains.

Skip SMTP if not needed; if you need a mail server, fill in the required SMTP IP and port.

Choose how Service Engines are managed:

  • Tenant Context Mode – Service Engines are managed within the tenant context and are not shared across tenants.
  • Provider Context Mode – Service Engines are managed within the provider context and are shared across tenants.

That is it for the initial deployment; next we will add the other 2 NSX ALB nodes for the HA setup.

Go to Administration -> Controller -> Nodes

Click Edit ->

For your 2 additional NSX ALB nodes you will need to provide an IP address, hostname and password.

Sample of what it should look like for all 3 ALB appliances

A simple topology of what we have deployed.

That is it! From now on you can configure NSX-ALB for whatever use case you have. A later blog post will go through how to set up an NSX-T Cloud.

Licensing Flavors – If you click the little cog icon next to Licensing, you will see the different tiers.

Different license tiers that are a part of the NSX-ALB licensing model.

May 3, 2023 0 comments 2.7K views
VMware NSX

VMware NSX – Segment fails to delete from NSX Manager. Status is “Delete in Progress”

by Tommy Grot April 28, 2023
written by Tommy Grot 2 minutes read

Today’s troubleshooting tidbit – If you have trouble removing an NSX Segment that was deleted from the NSX Policy UI but the NSX Manager UI still shows as in use and active and refuses to delete, no problem at all. We will clean it up.

For more reference, VMware has a published KB for this.

Below you can see my vmw-vsan-segment, which was stuck and reported as dependent on another configuration although it was not. This segment was created from within VMware Cloud Director.

Confirm that there are no ports in use on the Logical Switch that was not deleted.

SSH into one of your NSX Managers and run get logical-switches on the Local Manager CLI; confirm the stale Logical Switch is listed and note its UUID:

get logical-switches

Elevate to the root shell with the command below.

Engineering Mode

Use st en to enter engineering mode, which is the root-privileged mode:

st en

Confirm the Logical Switch info can be polled with the API:

curl -k -v -H "Content-Type:application/json" -u admin -X GET "https://{mgr_IP}/api/v1/logical-switches/{LS_UUID}"

Example of my command below:

curl -k -v -H "Content-Type:application/json" -u admin -X GET "https://172.16.2.201/api/v1/logical-switches/e2f51ece-99fe-417a-b7db-828a6a39234b"

Remove the stale Logical Switch object via the API:

curl -k -v -H "Content-Type:application/json" -H "X-Allow-Overwrite:true" -u admin -X DELETE "https://{mgr_IP}/api/v1/logical-switches/{LS_UUID}?cascade=true&detach=true"

Example of my command below:

curl -k -v -H "Content-Type:application/json"  -H "X-Allow-Overwrite:true" -u admin -X DELETE "https://172.16.2.201/api/v1/logical-switches/e2f51ece-99fe-417a-b7db-828a6a39234b?cascade=true&detach=true"

You should see a 200 response code if the deletion was successful.

That is all, we successfully cleaned up our NSX Segment that was stuck!
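The two API steps above as one script with the "no ports in use" check enforced between them, added here as an example that is not part of the original post. Assumptions that are not on the page: NSX's GET /api/v1/logical-ports accepts a logical_switch_id filter and returns {"results": [...], "result_count": n}; the manager address, switch UUID and credentials in the block are placeholders; and the manager's TLS certificate is verified against a CA file you supply rather than reproducing curl -k. It can run from an admin workstation, so no root shell on the manager is needed.

```python
import base64
import json
import ssl
import urllib.request

LS_API = "/api/v1/logical-switches"


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_request(method: str, url: str, auth: str, allow_overwrite: bool = False):
    """Build the request; X-Allow-Overwrite is sent only on the DELETE, as in the KB command."""
    headers = {"Authorization": auth, "Content-Type": "application/json"}
    if allow_overwrite:
        headers["X-Allow-Overwrite"] = "true"
    return urllib.request.Request(url, method=method, headers=headers)


def switch_url(mgr: str, ls_uuid: str) -> str:
    return f"https://{mgr}{LS_API}/{ls_uuid}"


def ports_url(mgr: str, ls_uuid: str) -> str:
    # Assumed filter parameter; verify against your NSX version's API guide.
    return f"https://{mgr}/api/v1/logical-ports?logical_switch_id={ls_uuid}"


def delete_url(mgr: str, ls_uuid: str) -> str:
    return f"https://{mgr}{LS_API}/{ls_uuid}?cascade=true&detach=true"


def attached_ports(ports_body: str) -> list:
    """Ids of logical ports still attached to the switch, from a logical-ports list response."""
    return [p["id"] for p in json.loads(ports_body).get("results", [])]


def safe_to_delete(ls_uuid: str, switch_body: str, ports_body: str) -> bool:
    """Delete only when the GET returned the switch we asked for and nothing is attached to it."""
    switch = json.loads(switch_body)
    return switch.get("id") == ls_uuid and not attached_ports(ports_body)


def cleanup_stale_switch(mgr: str, ls_uuid: str, user: str, password: str, cafile: str) -> int:
    """GET the switch, list its ports, then DELETE with cascade/detach only if nothing is attached."""
    ctx = ssl.create_default_context(cafile=cafile)
    auth = basic_auth_header(user, password)

    def send(req):
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return resp.status, resp.read().decode()

    _, switch_body = send(build_request("GET", switch_url(mgr, ls_uuid), auth))
    _, ports_body = send(build_request("GET", ports_url(mgr, ls_uuid), auth))
    if not safe_to_delete(ls_uuid, switch_body, ports_body):
        raise RuntimeError(
            f"refusing to delete {ls_uuid}: ports still attached: {attached_ports(ports_body)}")
    status, _ = send(build_request("DELETE", delete_url(mgr, ls_uuid), auth, allow_overwrite=True))
    return status  # 200 on success, as the post notes


# Constructed sample responses (not captured from a real manager).
SAMPLE_SWITCH = '{"id": "LS-UUID-PLACEHOLDER", "display_name": "vmw-vsan-segment", "_revision": 3}'
SAMPLE_PORTS_EMPTY = '{"results": [], "result_count": 0}'
SAMPLE_PORTS_BUSY = ('{"results": [{"id": "LP-1", "attachment": {"attachment_type": "VIF"}}],'
                     ' "result_count": 1}')

if __name__ == "__main__":
    import getpass
    # Placeholders, not values from the post.
    print(cleanup_stale_switch("192.0.2.201", "LS-UUID-PLACEHOLDER", "admin",
                               getpass.getpass("NSX admin password: "), "nsx-manager-ca.pem"))
```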

April 28, 2023 0 comments 1.4K views
Cloud

VMware Cloud Director 10.4.X & Terraform Automation Part 2

by Tommy Grot April 13, 2023
written by Tommy Grot 6 minutes read

Tonight’s multi-post is about VMware Cloud Director 10.4.x and Terraform!

With Terraform there are endless possibilities, creating a virtual data center and being able to tailor to your liking and keeping it in an automated deployment. In this multi-part blog post we will get into VCD and Terraform Infrastructure as Code automation. If you would like to see what we did in Part 1, here is the previous post – VMware Cloud Director 10.4.X & Terraform Automation Part 1

What You will Need:

  • A Linux VM to execute Terraform from
  • Latest Terraform Provider (I am using beta 3.9.0-beta.2 )
  • Gitlab / Code Repo (Optional to store your code)
  • VMware Cloud Director with NSX-T Integrated already
  • Local Account with Provider Permissions on VCD (mine is terraform)

Lets Begin!

First, we will add on to the existing Terraform automation we started in Part 1 of this multi-part blog. Below is the provider configuration for reference.

terraform {
  required_providers {
    vcd = {
      source  = "vmware/vcd"
      version = "3.9.0-beta.2"
    }
  }
}

provider "vcd" {
  url                  = "https://cloud.virtualbytes.io/api"
  org                  = "system"
  user                 = "terraform"
  password             = "VMware1!" # lab value; in practice leave this unset and export VCD_PASSWORD so the secret is not committed with the template
  auth_type            = "integrated"
  max_retry_timeout    = 60
  allow_unverified_ssl = true
}

Next, we will add a Data Center Group to our Terraform template. A virtual data center group can span multiple organizations, if need be; for this demonstration I am using a DCG for Distributed Firewall purposes.

#### Create VDC Org Group 

resource "vcd_vdc_group" "demo-vdc-group" {
  depends_on = [vcd_org_vdc.demo-org-10]
  org                   = "demo-org-10"
  name                  = "demo-vdc-group"
  description           = "Demo Data Center Group"
  starting_vdc_id       = vcd_org_vdc.demo-org-10.id
  participating_vdc_ids = [vcd_org_vdc.demo-org-10.id]
  dfw_enabled           = true
  default_policy_status = true
}

In the next code snippet we configure the Data Center Group firewall, changing it from the default Internal-to-Internal Drop configuration to Any-to-Any Allow (by default the group keeps an internal DFW rule). Keep in mind that an Any-to-Any ALLOW default turns the distributed firewall into a pass-through; scope it down with the IP Sets and Static Groups created further down before using this in production.

##### DFW VDC Group to Any-Any-Allow
resource "vcd_nsxt_distributed_firewall" "lab-03-pro-dfw" {
  depends_on = [vcd_org_vdc.demo-org-10]
  org = "demo-org-10"
  vdc_group_id = vcd_vdc_group.demo-vdc-group.id
  rule {
    name        = "Default_VdcGroup_demo-vdc-group"
    direction   = "IN_OUT"
    ip_protocol = "IPV4"
    source_ids = [vcd_nsxt_security_group.static_group_1.id]
    destination_ids = []
    action      = "ALLOW"
  }
}

If you want to create multiple rules within a Distributed Firewall, below are some examples. This will not be part of the code implementation.

##### Sample DFW Rule Creation
resource "vcd_nsxt_distributed_firewall" "lab-03-pro-dfw-1" {
  depends_on = [vcd_org_vdc.demo-org-10]
  org = "demo-org-10"
  vdc_group_id = vcd_vdc_group.demo-vdc-group.id
  rule {
    name        = "rule-1" # Here you will create your name for the specific firewall rule
    direction   = "IN_OUT" # One of IN, OUT, or IN_OUT. (default IN_OUT)
    ip_protocol = "IPV4"
    source_ids = []
    destination_ids = []
    action      = "ALLOW"
  }
}

Some more detailed information from Terraform site –

Each Firewall Rule contains following attributes:

  • name – (Required) Explanatory name for firewall rule (uniqueness not enforced)
  • comment – (Optional; VCD 10.3.2+) Comment field shown in UI
  • description – (Optional) Description of firewall rule (not shown in UI)
  • direction – (Optional) One of IN, OUT, or IN_OUT. (default IN_OUT)
  • ip_protocol – (Optional) One of IPV4, IPV6, or IPV4_IPV6 (default IPV4_IPV6)
  • action – (Required) Defines if it should ALLOW, DROP, REJECT traffic. REJECT is only supported in VCD 10.2.2+
  • enabled – (Optional) Defines if the rule is enabled (default true)
  • logging – (Optional) Defines if logging for this rule is enabled (default false)
  • source_ids – (Optional) A set of source object Firewall Groups (IP Sets or Security groups). Leaving it empty matches Any (all)
  • destination_ids – (Optional) A set of destination object Firewall Groups (IP Sets or Security groups). Leaving it empty matches Any (all)
  • app_port_profile_ids – (Optional) An optional set of Application Port Profiles.
  • network_context_profile_ids – (Optional) An optional set of Network Context Profiles. Can be looked up using vcd_nsxt_network_context_profile data source.
  • source_groups_excluded – (Optional; VCD 10.3.2+) – reverses value of source_ids for the rule to match everything except specified IDs.
  • destination_groups_excluded – (Optional; VCD 10.3.2+) – reverses value of destination_ids for the rule to match everything except specified IDs.

Now that we have established firewall rules within our template, next you can create IP Sets, which are a kind of group you can use for ACLs and integrate into firewall rules and static groups!

#### Demo Org 10 IP sets
resource "vcd_nsxt_ip_set" "ipset-server-1" {
  org = "demo-org-10" # Optional

  edge_gateway_id = vcd_nsxt_edgegateway.lab-03-pro-gw-01.id

  name        = "first-ip-set"
  description = "IP Set containing IPv4 address for a server"

  ip_addresses = [
    "10.10.10.50",
  ]
}

Static Groups are another great way to assign networks and members. For this example, my Static Group consists of my domain network segment and with this I can utilize the group into firewall rules.

#### Create Static Group
resource "vcd_nsxt_security_group" "static_group_1" {
  org = "demo-org-10"
  edge_gateway_id = vcd_nsxt_edgegateway.lab-03-pro-gw-01.id

  name        = "domain-network"
  description = "Security Group containing domain network"

  member_org_network_ids = [vcd_network_routed_v2.nsxt-backed-2.id]
}

###########################################################
An example of how to use a Static Group within a firewall rule. Add this rule block inside the vcd_nsxt_distributed_firewall resource above: that resource manages the whole rule set of the VDC Group, so all rules for the group belong in one resource.

  rule {
    name            = "domain-network" # firewall rule name
    action          = "ALLOW"
    direction       = "IN_OUT"
    ip_protocol     = "IPV4"
    source_ids      = [vcd_nsxt_security_group.static_group_1.id] # the Static Group created above
    destination_ids = [vcd_nsxt_security_group.static_group_1.id]
    logging         = true
  }

That is it for the automation for Part 2 of VMware Cloud Director! Stay Tuned for more automation!

April 13, 2023 0 comments 1.3K views
@2023 - All Right Reserved. Designed and Developed by Virtual Bytes