As the adoption of VMware Cloud on AWS (VMC) continues to accelerate, one of the very first interfaces that customers must interact with is the NSX-T UI, which is used to enable basic connectivity. By default, the Edge Gateway has a Deny All Firewall Rule, so you will need to come to this screen to set up connectivity from your on-premises environment, including a Direct Connect (DX) or Route/Policy-Based VPN. For customers who have familiarized themselves with the NSX-T UI and its capabilities, the next order of business is usually how to go about automating these various aspects, from Day 0 setup all the way to Day N, when they are migrating in or creating additional workloads.
A very common question that I have been getting lately is: which API do I need to look at to do X in the NSX-T UI in VMC?
Having spent some time with the NSX-T Policy API, I figured it would be useful to share the categories of the NSX-T Policy API that map back to what you see in the NSX-T UI in VMC. The list below is not exhaustive, but it should point you in the right direction when you need to automate a particular operation.
- Segments (Logical Networks) - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Sections.Policy.Connectivity.Segments
- Route Based VPN - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Sections.Policy.L3Vpn
- Policy Based VPN - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Sections.Policy.L3Vpn
- Layer 2 VPN - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Sections.Policy.L2Vpn
- NAT - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Sections.Policy.Nat
- Gateway Firewall - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Sections.Policy.Gateway%20Firewall
- Distributed Firewall (DFW) - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Sections.Policy.Dfw
- Groups - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Methods.ListGroupForDomain
- Services - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Methods.ListServicesForTenant
- IPFIX - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Sections.Policy.Ipfixdfw
- Port Mirroring - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Methods.ListPortMirroringInstances
- DNS - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Sections.Policy.Dns%20Forwarder
- Public IPs - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Methods.ListPublicIps
- Direct Connect
- Connected VPC - https://vdc-download.vmware.com/vmwb-repository/dcr-public/fce962c2-9c8d-477c-ba14-0572c3f11ed6/da7645f7-fe16-47a9-9e8d-29b9bae8cb34/nsx_api_vmc.html#Methods.ListLinkedVpcs
Below are some additional resources, including reference samples, for working with the NSX-T Policy API. They are definitely worth checking out, if you ask me 😉
- Getting started with the new NSX-T Policy API in VMC
- NSX-T Policy PowerShell Community Module for VMC
- Managing Distributed Firewall Rules in VMC using PowerShell & NSX-T Policy API
- Using NSX-T Policy API to retrieve the Routing Table in VMC
- Changing the default behavior of the NSX-T Distributed Firewall (DFW) in VMC to Deny All
- Quick Tip – How do I tell if NSX-V or NSX-T is installed?