VMware Cloud on AWS

Which NSX-T Policy APIs are used in the NSX-T UI in VMC?

02/20/2019 by William Lam Leave a Comment

As the adoption of VMware Cloud on AWS (VMC) continues to accelerate, one of the very first UI interface that customers must interact with is the NSX-T UI, for enabling basic connectivity. By default the Edge Gateway has a Deny All Firewall Rule, so you will need to come to this screen to setup connectivity from your on-premises environment including a Direct Connect (DX) or Route/Policy-Based VPN. For some customers who have familiarize themselves with the NSX-T UI and its capabilities, usually the next order of business is how do I go about automating these various aspects from Day 0 setup all the way to Day N where I am migrating in or creating additional workloads.

A very common set of questions that I have been getting lately is which API do I need to look at to do X in the NSX-T UI in VMC?

Having spent some time with the NSX-T Policy API, I figure it would be useful to share the categories of NSX-T Policy API that maps back to what you see in the NSX-T UI in VMC. The list below is not exhaustive, but should it should point you in the right direction when needing to automate a particular operation.

How to retrieve the NSX-T Overview Info (SDDC Public IP, Appliance & Infra Subnet, etc.) in VMC?

02/08/2019 by William Lam Leave a Comment

I recently a question from one of our VMware Cloud on AWS (VMC) field folks who was looking to programmatically retrieve the SDDC Public IP Address which is shown under the NSX-T Networking & Security Overview page within the VMC Console as shown in the screenshot below.

This actually had me stumped for a bit as I was not able to find anything mentioned in the NSX-T Policy API documentation. My last resort before pinging the NSX Engineers was to use one of my favorite browser tool, Chrome Developer Tools, which allows me to inspect all requests made to a specific web page and can also be helpful in figuring out which REST APIs the UI is using.

It turns out for this particular page, the information was not actually coming from the NSX-T Policy API but rather from another endpoint and specifically /cloud-service/api/v1/infra/sddc-user-config which I am guessing has to do with the fact that some of this information is really AWS specific information such as the Public IP Address for example. In any case, once I realized what the endpoint was and that I could still use the VMC NSX-T Reverse Proxy to retrieve the details, it was pretty straight forward.

Common PowerCLI examples for VM Provisioning in VMware Cloud on AWS

02/07/2019 by William Lam 1 Comment

One of the huge benefits of VMware Cloud on AWS (VMC) is not only the ability to extend your existing on-premises environment and tap into the potentially unlimited capacity of the Cloud, but customers can continue to use the existing tools and scripts that they are already familiar with. When it comes to Automation, PowerCLI is still by far the most popular tool that our customers uses on a regular basis. With VMC, this is no different as the SDDC is simply made up of vSphere, vSAN and NSX which PowerCLI fully supports.

One learning curve that I have seen for some customers when working with VMC is around general provisioning and the implication of the restrictive permission model in VMC. Unlike your on-premises vSphere environment, in VMC, you are no longer running as a vSphere Administrator but rather a Cloud Administrator. This simply means you no longer have to worry about managing the underlying infrastructure (patch, upgrade, monitor, etc) and you get to focus deploying and managing your workloads.

What this technically translates to is that you are restricted to a particular part of the vSphere Inventory where you have permissions to actually deploy workloads. This is to help isolate your workloads and ensure that you do not negatively impact the VMware Management VMs by accident and thus affecting your SDDC.

From the Hosts/Clusters view, you must use the Compute-ResourcePool
From the VM view, you must use the Workloads Folder
From the Datastore view, you must use the WorkloadDatastore

When using the vSphere UI to deploy new workloads, the UI does a really good job of guiding you towards the right inventory objects, but this may not always be apparent when using the CLI or API, especially for new folks or folks who never use the UI 😉

Using NSX-T Policy API to retrieve the Routing Table in VMC

02/04/2019 by William Lam Leave a Comment

When configuring connectivity from your on-premises environment to your VMware Cloud on AWS (VMC) NSX-T SDDC, you can either use a Direct Connect (DX) or a Route/Policy-based VPN. During the configuration, it can really be useful to have insights into the network routing table, especially if you need to verify a specific route or for general network debugging. Today, the NSX-T routing table in VMC is not currently available in the Network and Security UI, however this information can be retrieved using the NSX-T Policy API, which I have written about quite extensively here, here, here and here.

The NSX-T routing table can be retrieved by performing a GET operation on /policy/api/v1/infra/tier-0s/vmc/routing-table?enforcement_point_path=/infra/deployment-zones/default/enforcement-points/vmc-enforcementpoint By default, you will get the entire routing table, but you also filter out specific route sources such as BGP, Static or Connected routes by appending the following query parameter to the request URL ?route_source={BGP,CONNECTED,STATIC}

To demonstrate how this API works, I have created a new function in my VMC NSX-T PowerShell Module as well as a quick shell script sample using cURL.

For PowerShell/PowerCLI users, I have a new Get-NSXTRouteTable function which will list the entire routing table by default as shown in the screenshot below.

You can also filter on a specific route source such as BGP, CONNECTED or STATIC routes by simply providing the -RouteSource argument and the route source type. In the screenshot below, I am only interested in the BGP routes.

Here is the output when running the list_vmc_nsxt_route_table.sh script which requires a valid CSP Refresh Token, OrgId and SDDCId

Changing the default behavior of the NSX-T Distributed Firewall (DFW) in VMC to Deny All

01/30/2019 by William Lam Leave a Comment

In VMware Cloud on AWS (VMC), the default behavior of the NSX-T Distributed Firewall (DFW) is to currently allow all traffic between compute workloads even across different logical networks (Segments). Today, the default behavior is currently not configurable and is something the NSX team is looking into with a few update of the VMC Service.

Having said that, it is actually pretty straight forward to create a new Deny All policy that would achieve the same desired behavior of blocking all traffic by default. Since this topic has come up a few times, I figure it would be useful to share the quick fix and big thanks to Michael Kolos, one of our VMC Customer Success Engineers who shared the original tidbit with me.

How to change the default CPU and Memory requirements for deploying the VMC vCenter Cloud Gateway

01/13/2019 by William Lam Leave a Comment

When deploying the VMware Cloud on AWS (VMC) vCenter Cloud Gateway (VCG), there is a minimum amount of vCPU and memory that is required for deployment. For customers who wish to evaluate this solution for non-production usage, such as a lab environment, it would be nice to be able to reduce the requirements purely for testing purposes. Today, the vCPU and Memory is not configurable and is currently encoded within a JSON configuration file as well as the VCG OVA. The fact that this is not part of the installer itself but within the OVA means we can actually change the default 🙂 Below are the instructions for updating the vCPU and Memory requirements for the VCG.

Step 1 - Download the VCG ISO from MyVMware and extract the ISO.