Almost everyone is using a brownfield environment to implement NSX. Switching the DFW firewall to deny all is the safest bet but hard to do with brownfield environments. Denying all traffic is a bad idea. Doing a massive application conversion at once into DFW rules is not practical. One method to solve this issue is to create an exception for all virtual machines then move them out of exception once you have created the correct allow rules for the machine. I didn’t want to manually via the GUI add all my machines so I explored the API.
How to explore the API for NSX
VMware’s beta developer center provides the easiest way to explore the NSX API. You can find the NSX section here. Searching the api for “excep” quickly turned up the following answer:
As you can see there are three methods (get, put, delete). It’s always safe to start with a get as it does not produce changes. Using postman for chrome. I was quickly connected to NSX see my setting below:
The return from this get was lots of lines of machines that I had manually added to the exception list. For example the following
Looking at this virtual machine you can see it’s identified by the objectID which aligns with the put and delete functions the following worked perfectly:
Delete
https://192.168.10.28/api/2.1/app/excludelist/vm-47
Put
https://192.168.10.28/api/2.1/app/excludelist/vm-47
A quick get showed the vm-47 was back on the list. Now we had one issue the designation and inventory of objectID’s is not a construct of NSX but of vCenter.
The Plan
In order to be successful in my plans I needed to do the following
- Gather list of all objectID’s from vCenter
- Put the list one at a time into NSX’s exclude list
- Have some way to orchestrate it all together
No surprise I turned to vRealize orchestrator. I wanted to keep it generic rest connections and not use NSX plugins. So my journey began.
Orchestrator REST for NSX
- Login to orchestrator
- Switch to workflow view
- Expand the library and locate the add rest host workflow
- Run the workflow
- Hit submit and wait for it to complete
- You can verify the connect by visiting the administration section and expanding rest connections
Now we need to add a rest operation for addition to the exception list.
- Locate the Add REST operation workflow
- Run it
- Fill out as shown
You now have a put method that takes input of {vm-id} before it can run. In order to test we go back to our Postman and delete vm-47 and do a get to verify it’s gone:
Delete:
https://192.168.10.28/api/2.1/app/excludelist/vm-47
Get:
https://192.168.10.28/api/2.1/app/excludelist
It’ is missing from the get. Now we need to run our REST operation
- Locate the workflow called: Invoke a REST operation
- Run it as shown below
Once completed a quick postman get showed me vm-47 is back on the exclude list. Now I am ready for prime time.
Creation of an Add to Exclude List workflow
I need to create a workflow that just runs the rest operation to add to exclude list.
- Copy the Invoke a REST operation
- New workflow should be called AddNSXExclude
- Edit new workflow
- Go to inputs and remove all param_xxx except param_0
- Move everything else but param_0 to Attributes
- Let’s edit the attributes next
- Click on the value for ther restOperation and set it to “Put on Exclude List ..” operation you created earlier
- Go to the Schema and edit the REST call scriptable task
- Remove all param_xxx except param_0 from the IN on the scriptable task
- Edit the top line of the scripting to read like this:
var inParamtersValues = [param_0];
- Close the scriptable task
- Click on presentation and remove everything but the content question
Now we have a new issue. We need to have it not error when the return code is not 200. For example if the object is already on the exception list. We just want everything on the list right away. So edit your schema to remove everything but the rest call:
Put it all together with a list of virtual machines
Time for a new workflow with a scriptable task.
- In the general tab put a single attribute that is an array of string
- Add a scriptable task to the schema
- Add a foreach element to the schema after the scriptable task
- Link the foreach look to the AddNSX workflow you made in the last step
- Link vmid to param_0
- Edit the scriptable task and add the following code:
//get list of all VM’s
vms = System.getModule(“com.vmware.library.vc.vm”).getAllVMs();
var vmid = new Array();
for each (vm in vms)
{
vmid.push(vm.id);
}
- Add an IN for vmid and an OUT for vmid
- Run it and your complete you can see the response headers in the logs section
Hope it helps you automate some NSX.