NSX-T

NSX-T Policy API Explorer, Docs and Sample Updates for VMC

05/20/2019 by William Lam Leave a Comment

The VMware Cloud on AWS (VMC) in-product API Explorer is something that I use on a regular basis, especially for executing a quick tasks without needing to write a single line of code or for documentation purposes to understand the required parameter to a specific API. Today, the VMC API Explorer includes both the VMC Service and Cloud Services Platform API, but one key API that has been missing is the inclusion of the NSX-T Policy API.

With the release of VMC 1.7 which just came out a few days ago, customers will now be able to also access the NSX-T Policy API directly from within the VMC API Explorer! In addition to adding to the VMC API Explorer, the NSX team has also enhanced their Swagger JSON and documentation to provide a better developer experience when working with NSX-T in VMC.

NSX-T Policy API Explorer

The new NSX-T Policy API Explorer is only available for SDDCs running 1.7, which can be newly created SDDC or an SDDC that has been upgraded to 1.7. In addition, since there still SDDC running NSX-V, to view the new API Explorer, you will need to select an NSX-T 1.7 SDDC and then two new NSX-T API references will be available: NSX VMC Policy API and NSX VMC AWS Integrations API

NSX-T Opaque Networks now supported with Cross vCenter Workload Migration Fling

04/15/2019 by William Lam Leave a Comment

The Cross vCenter Workload Migration Fling continues to be an extremely powerful tool for our customers and I just love hearing successful customer stories like the one recently shared by Jason on how the tool allowed him to easily migrate over 600 Virtual Machines and with more to come!

Moved 600 and looking at another thousand. Some monster VMs... our test environment moved as easy as vmotion.

— Jason 🛠 (@JasonThoms) April 9, 2019

One capability that customers have been asking for is the ability to migrate to and from an NSX-T Opaque Network type, which the current Fling does not support. This has become more and more important as the default NSX stack for VMware Cloud on AWS (VMC) is now NSX-T by default, rather than NSX-V. We are also seeing requests from on-premises customers who have deployed NSX-T for their next generation infrastructure and needing the ability to easily migrate workloads between their old infrastructure that maybe running VSS/VDS or NSX-V backed networks.

With the help from two new colleagues, Vikas Shitole and Rajmani Patel, we are excited to announce the release Cross vCenter Workload Migration v2.6 which now adds support for NSX-T Opaque Networks!

Which NSX-T Policy APIs are used in the NSX-T UI in VMC?

02/20/2019 by William Lam Leave a Comment

As the adoption of VMware Cloud on AWS (VMC) continues to accelerate, one of the very first UI interface that customers must interact with is the NSX-T UI, for enabling basic connectivity. By default the Edge Gateway has a Deny All Firewall Rule, so you will need to come to this screen to setup connectivity from your on-premises environment including a Direct Connect (DX) or Route/Policy-Based VPN. For some customers who have familiarize themselves with the NSX-T UI and its capabilities, usually the next order of business is how do I go about automating these various aspects from Day 0 setup all the way to Day N where I am migrating in or creating additional workloads.

A very common set of questions that I have been getting lately is which API do I need to look at to do X in the NSX-T UI in VMC?

Having spent some time with the NSX-T Policy API, I figure it would be useful to share the categories of NSX-T Policy API that maps back to what you see in the NSX-T UI in VMC. The list below is not exhaustive, but should it should point you in the right direction when needing to automate a particular operation.

How to retrieve the NSX-T Overview Info (SDDC Public IP, Appliance & Infra Subnet, etc.) in VMC?

02/08/2019 by William Lam Leave a Comment

I recently a question from one of our VMware Cloud on AWS (VMC) field folks who was looking to programmatically retrieve the SDDC Public IP Address which is shown under the NSX-T Networking & Security Overview page within the VMC Console as shown in the screenshot below.

This actually had me stumped for a bit as I was not able to find anything mentioned in the NSX-T Policy API documentation. My last resort before pinging the NSX Engineers was to use one of my favorite browser tool, Chrome Developer Tools, which allows me to inspect all requests made to a specific web page and can also be helpful in figuring out which REST APIs the UI is using.

It turns out for this particular page, the information was not actually coming from the NSX-T Policy API but rather from another endpoint and specifically /cloud-service/api/v1/infra/sddc-user-config which I am guessing has to do with the fact that some of this information is really AWS specific information such as the Public IP Address for example. In any case, once I realized what the endpoint was and that I could still use the VMC NSX-T Reverse Proxy to retrieve the details, it was pretty straight forward.

Using NSX-T Policy API to retrieve the Routing Table in VMC

02/04/2019 by William Lam Leave a Comment

When configuring connectivity from your on-premises environment to your VMware Cloud on AWS (VMC) NSX-T SDDC, you can either use a Direct Connect (DX) or a Route/Policy-based VPN. During the configuration, it can really be useful to have insights into the network routing table, especially if you need to verify a specific route or for general network debugging. Today, the NSX-T routing table in VMC is not currently available in the Network and Security UI, however this information can be retrieved using the NSX-T Policy API, which I have written about quite extensively here, here, here and here.

The NSX-T routing table can be retrieved by performing a GET operation on /policy/api/v1/infra/tier-0s/vmc/routing-table?enforcement_point_path=/infra/deployment-zones/default/enforcement-points/vmc-enforcementpoint By default, you will get the entire routing table, but you also filter out specific route sources such as BGP, Static or Connected routes by appending the following query parameter to the request URL ?route_source={BGP,CONNECTED,STATIC}

To demonstrate how this API works, I have created a new function in my VMC NSX-T PowerShell Module as well as a quick shell script sample using cURL.

For PowerShell/PowerCLI users, I have a new Get-NSXTRouteTable function which will list the entire routing table by default as shown in the screenshot below.

You can also filter on a specific route source such as BGP, CONNECTED or STATIC routes by simply providing the -RouteSource argument and the route source type. In the screenshot below, I am only interested in the BGP routes.

Here is the output when running the list_vmc_nsxt_route_table.sh script which requires a valid CSP Refresh Token, OrgId and SDDCId

Changing the default behavior of the NSX-T Distributed Firewall (DFW) in VMC to Deny All

01/30/2019 by William Lam Leave a Comment

In VMware Cloud on AWS (VMC), the default behavior of the NSX-T Distributed Firewall (DFW) is to currently allow all traffic between compute workloads even across different logical networks (Segments). Today, the default behavior is currently not configurable and is something the NSX team is looking into with a few update of the VMC Service.

Having said that, it is actually pretty straight forward to create a new Deny All policy that would achieve the same desired behavior of blocking all traffic by default. Since this topic has come up a few times, I figure it would be useful to share the quick fix and big thanks to Michael Kolos, one of our VMC Customer Success Engineers who shared the original tidbit with me.