Date: 2021-03-30

Over the weekend I got a chance to deploy my first vSphere with Tanzu environment using the new NSX Advanced Load Balancer (NSX ALB) which I had shared on Twitter.

🥳 Successfully deployed my 🥇 vSphere w/@VMwareTanzu using the new @vmwarensx Advanced Load Balancer (formally @AviNetworks) 👉https://t.co/Mqb9Ja0rtV was extremely helpful, a MUST read IMHO! 👏🤙 @CormacJHogan Visuals is NSX ALB is nice! Looks like I need more resources! pic.twitter.com/C6E36zIl7X — William Lam (@lamw) March 28, 2021

This was also my first time getting exposed to NSX ALB (formerly Avi Networks) and this detailed blog post from my buddy Cormac Hogan was instrumental in helping me quickly get started and get into the specific configurations needed for a two network design with vSphere with Tanzu. For me personally, there were just too many different configuration pages a user needed to navigate to and context switching between them made it non-intuitive for a new user like myself. After going through this once, I knew automation was the next step for me and this was also an opportunity to try out the NSX ALB API, which I also have never used before.

One of the very first challenges that I needed to figure out was how to initially log in to the API. During the initial UI step, the user is prompted to provide a password which will be used to create a new admin account. This is actually misleading because you are not actually creating a new account but rather you are changing the default password for the admin user that already exists.



This actually took me some time to figure out and I eventually came across a note mentioning that the default password can be found in the download portal where you had downloaded the NSX ALB OVA! In addition to the default password, the NSX ALB API requires that you pass a Cross-Site Request Forgery (CSRF) token along with a referrer ID, which is then used to authenticate subsequent requests. This did make the initial automation more complicated, especially since basic authentication is disabled by default.

Here is a quick PowerShell snippet using the NSX ALB REST API to initially log in and then change the default admin password:

```powershell
$nsxAdvLBIPAddress = "192.168.30.171"
$NSXAdvLBAdminPassword = "VMware1!"

$headers = @{
    "Content-Type"="application/json"
    "Accept"="application/json"
}

# Log in as admin with the default password (listed in the OVA download portal)
$payload = @{
    username="admin";
    password="58NFaGDJm(PJH0G";
}

$defaultPasswordBody = $payload | ConvertTo-Json

# -SessionVariable keeps the session cookies for later requests.
# -SkipCertificateCheck (PowerShell 6+) disables TLS certificate validation;
# it is used here because a fresh controller presents a self-signed certificate.
$response = Invoke-WebRequest -Uri "https://${nsxAdvLBIPAddress}/login" -Body $defaultPasswordBody -Method POST -Headers $headers -SessionVariable WebSession -SkipCertificateCheck

# The CSRF token is returned as the "csrftoken" cookie
$cookies = $WebSession.Cookies.GetCookies("https://${nsxAdvLBIPAddress}/login")
$csrf = $cookies["csrftoken"].value

# Change the admin password from the default to the new value
$payload = @{
    old_password = "58NFaGDJm(PJH0G";
    password = $NSXAdvLBAdminPassword;
    username = "admin"
}

$newPasswordBody = $payload | ConvertTo-Json

# Authenticated requests carry the CSRF token and a referer header
$headers = @{
    "Content-Type"="application/json"
    "Accept"="application/json"
    "x-avi-version"="20.1.4"
    "x-csrftoken"=$csrf
    "referer"="https://${nsxAdvLBIPAddress}/login"
}

Invoke-WebRequest -Uri "https://${nsxAdvLBIPAddress}/api/useraccount" -Body $newPasswordBody -Method PUT -Headers $headers -WebSession $WebSession -SkipCertificateCheck
```

Once you have changed the default admin password, you can then log in to the NSX ALB UI to apply other configuration changes. If you wish to enable basic authentication, you can navigate to Administration->Settings->Access Settings and then click on the pencil to edit and check the Allow Basic Authentication box.

Now, of course you could have also automated both the admin password change and enablement of basic auth (hint: see /systemconfiguration) and then switch to basic auth login for all subsequent API requests. Once I had figured out how to coordinate the initial automation, then it was digging into the NSX ALB API and using my favorite tool, Chrome Developer Tools, to understand which NSX ALB APIs were being used. Now it is on to the task of trial/error and heavily leveraging vSphere Snapshots and as you can see from the Tweet below, where I am fully headed 😀

Not too bad, almost 1 minute flat to automate all of these @vmwarensx Advanced Load Balancer settings 🤩 First time using the NSX ALB (API) APIs too! Just have the DNS IPAM configuration to tackle tomorrow and then some testing pic.twitter.com/B7otLLukKh — William Lam (@lamw) March 29, 2021
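
The basic auth step hinted at above (/systemconfiguration), sketched as an added example that is not code from the original post: it reuses the cookie and CSRF session to read the system configuration, set the basic auth flag, and write the object back. The field path portal_configuration.allow_basic_authentication, the variable names, and the choice to prompt for the password are assumptions to verify against your controller version.

```powershell
# Added example (not from the original post). Requires PowerShell 7+ for -SkipCertificateCheck.
$controller = "192.168.30.171"   # controller address reused from the post's snippet
$apiVersion = "20.1.4"           # x-avi-version value reused from the post's snippet
# Prompt for the changed admin password instead of hardcoding it in the script.
$cred = Get-Credential -UserName "admin" -Message "NSX ALB admin password"
$tls  = @{ SkipCertificateCheck = $true }   # lab only: self-signed controller certificate

# 1. Session login: POST /login, keep the cookie jar, read the csrftoken cookie.
$loginBody = @{
    username = $cred.UserName
    password = $cred.GetNetworkCredential().Password
} | ConvertTo-Json
Invoke-WebRequest -Uri "https://$controller/login" -Method POST -Body $loginBody `
    -ContentType "application/json" -SessionVariable session @tls | Out-Null
$csrf = $session.Cookies.GetCookies("https://$controller/login")["csrftoken"].Value
if (-not $csrf) { throw "Login succeeded but no csrftoken cookie was returned" }

$call = @{
    Uri        = "https://$controller/api/systemconfiguration"
    WebSession = $session
    Headers    = @{
        "Accept"        = "application/json"
        "x-avi-version" = $apiVersion
        "x-csrftoken"   = $csrf
        "referer"       = "https://$controller/login"
    }
}

# 2. Read the whole system configuration object.
$config = Invoke-RestMethod @call @tls

# 3. Set only the basic-auth flag. The field path is an assumption; Add-Member -Force
#    works whether the property is already present or omitted from the response.
$config.portal_configuration | Add-Member -NotePropertyName allow_basic_authentication `
    -NotePropertyValue $true -Force

# 4. PUT the full object back. ConvertTo-Json defaults to -Depth 2 and would turn
#    deeper nested settings into strings, so serialize with an explicit depth.
$body = $config | ConvertTo-Json -Depth 20
Invoke-RestMethod @call @tls -Method PUT -Body $body -ContentType "application/json" | Out-Null

# 5. Re-read and report the flag so the change is confirmed, not assumed.
$after = Invoke-RestMethod @call @tls
"allow_basic_authentication = $($after.portal_configuration.allow_basic_authentication)"
```

Once the flag is set, later requests can pass -Authentication Basic -Credential $cred to Invoke-RestMethod instead of the cookie and CSRF header. Leave basic auth disabled if no automation depends on it.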