Create XML file in vRealize Orchestrator for NSX Automation

The NSX API uses XML for API communication. To automate NSX from VMware vRealize Orchestrator (vRO), you always have to build the XML request body in JavaScript, because vRO workflows support JavaScript only. Here I show one example of how to do it.

The target here is to create a security group and add a simple firewall rule in this newly created security group.

Note: this vRO workflow has 2 inputs:
securityGroupName, description
And 2 properties:
nsxManagerRestHost, realtime (equal to sgID in Step1)

Step1: create a security group

var xmlbody = new XML('<securitygroup />');
xmlbody.objectId = " ";
xmlbody.type.typeName = " ";
xmlbody.description = description;
xmlbody.name = securityGroupName;
xmlbody.revision = 0;
xmlbody.objectTypeName = " ";
System.log(xmlbody);
var request = nsxManagerRestHost.createRequest("POST", "/2.0/services/securitygroup/bulk/globalroot-0", xmlbody.toString());
request.contentType = "application/xml";
System.log("Creating a SecurityGroup " + securityGroupName);
System.log("POST Request URL: " + request.fullUrl);
var response = request.execute();
if (response.statusCode == 201) {
	System.debug("Successfully created Security Group " + securityGroupName);
	}
else {
	throw("Failed to SecurityGroup " + securityGroupName);
	}
// The new group's ID is the last path segment of the Location response header.
sgID = response.getAllHeaders().get("Location").split('/').pop();
realtime = sgID;

Step2: add a section in DFW and add a firewall rule

//create XML object for DFW source;
var rulesources = new XML('<sources excluded="false" />');
rulesources.source.name = " ";
rulesources.source.value = "10.47.161.23";
rulesources.source.type = "Ipv4Address";
rulesources.source.isValid = 'true';
System.log("Source: "+rulesources);

//create XML object for DFW destination;
var ruledestionations = new XML('<destinations excluded="false" />');
ruledestionations.destination.name = " ";
ruledestionations.destination.value = "10.47.161.24";
ruledestionations.destination.type = "Ipv4Address";
ruledestionations.destination.isValid = 'true';
System.log("Destination: "+ruledestionations);

//create XML object for DFW service
var ruleservices = new XML('<services />');
ruleservices.service.destinationPort = "80";
ruleservices.service.protocol = "6";
ruleservices.service.subProtocol = "6";
ruleservices.service.isValid = 'true';
System.log("Service: "+ruleservices);

//create XML object for the whole rule
var xmlbodyrule = new XML('<rule disabled="false" logged="true" />');
xmlbodyrule.name = "vro created rule";
xmlbodyrule.action = "allow";
xmlbodyrule.notes = " ";
xmlbodyrule.appliedToList.appliedTo.name = securityGroupName;
xmlbodyrule.appliedToList.appliedTo.value = realtime;
xmlbodyrule.appliedToList.appliedTo.type = 'SecurityGroup';
xmlbodyrule.appliedToList.appliedTo.isValid = 'true';
xmlbodyrule.sectionId = " ";
xmlbodyrule.sources = rulesources;
xmlbodyrule.destinations = ruledestionations;
xmlbodyrule.services = ruleservices;

//create XML object for DFW section
var xmlbody = new XML(<section name={securityGroupName} />);
//xmlbody.rule = 'disabled="false" logged="true" />';
xmlbody.rule=xmlbodyrule;
System.log("XML file for new rules: "+xmlbody);

var request = nsxManagerRestHost.createRequest("POST", "/4.0/firewall/globalroot-0/config/layer3sections", xmlbody.toString());
request.contentType = "application/xml";
var response = request.execute();
if (response.statusCode == 201) {
	System.debug("Successfully created Security Group Section" + securityGroupName);
	}
else {
	throw("Failed to SecurityGroup Section" + securityGroupName);
	}

Below is the XML output for creating a security group:

<securitygroup>
  <objectId></objectId>
  <type>
    <typeName></typeName>
  </type>
  <description>nsx1001test</description>
  <name>nsx1001test</name>
  <revision>0</revision>
  <objectTypeName></objectTypeName>
</securitygroup>

XML output for creating an NSX DFW section and adding a new simple firewall rule:

<section name="nsx1001test">
  <rule disabled="false" logged="true">
    <name>vro created rule</name>
    <action>allow</action>
    <notes></notes>
    <appliedToList>
      <appliedTo>
        <name>nsx1001test</name>
        <value>securitygroup-947</value>
        <type>SecurityGroup</type>
        <isValid>true</isValid>
      </appliedTo>
    </appliedToList>
    <sectionId></sectionId>
    <sources excluded="false">
      <source>
        <name></name>
        <value>10.47.161.23</value>
        <type>Ipv4Address</type>
        <isValid>true</isValid>
      </source>
    </sources>
    <destinations excluded="false">
      <destination>
        <name></name>
        <value>10.47.161.24</value>
        <type>Ipv4Address</type>
        <isValid>true</isValid>
      </destination>
    </destinations>
    <services>
      <service>
        <destinationPort>80</destinationPort>
        <protocol>6</protocol>
        <subProtocol>6</subProtocol>
        <isValid>true</isValid>
      </service>
    </services>
  </rule>
</section>
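The status checks in Step 1 and Step 2 throw without the HTTP status or the response body, and Step 1 takes whatever ends the Location header as the group ID that later goes into the rule's appliedTo value. The block below is an added example, not the author's code: it shows both checks made stricter, using hypothetical helper names (`requireCreated`, `extractSecurityGroupId`, `fakeResponse`, `demo`), constructed stand-in responses, and an ID pattern assumed from the `securitygroup-947` value shown above.

```javascript
// Added example (not the author's code). ES5 only, so it also fits vRO's script engine.
// Assumed names: requireCreated, extractSecurityGroupId, fakeResponse, demo.

// Throw with the HTTP status and response body unless the POST returned 201 Created.
function requireCreated(response, what) {
    if (Number(response.statusCode) !== 201) {
        throw new Error("Failed to create " + what + ": HTTP " + response.statusCode +
            " " + String(response.contentAsString).substring(0, 500));
    }
    return response;
}

// Take the last path segment of the Location header and accept it only if it
// looks like the IDs shown on this page (securitygroup-<number>, an assumption).
function extractSecurityGroupId(location) {
    var id = (location == null ? "" : String(location)).split("/").pop();
    if (!/^securitygroup-\d+$/.test(id)) {
        throw new Error("Unexpected security group ID: '" + id + "'");
    }
    return id;
}

// Constructed stand-in for a REST response; sample data, not real NSX output.
function fakeResponse(statusCode, body, headers) {
    return {
        statusCode: statusCode,
        contentAsString: body,
        getAllHeaders: function () {
            return { get: function (name) { return headers[name] || null; } };
        }
    };
}

function demo() {
    var created = fakeResponse(201, "", {
        Location: "/api/2.0/services/securitygroup/securitygroup-947" // constructed path
    });
    requireCreated(created, "security group");
    var sgID = extractSecurityGroupId(created.getAllHeaders().get("Location"));

    var rejected = fakeResponse(400, "<error>constructed sample body</error>", {});
    var message = "";
    try {
        requireCreated(rejected, "firewall section");
    } catch (e) {
        message = e.message; // carries the status code and body for the workflow log
    }
    return { sgID: sgID, message: message };
}
```

In a workflow, the two helpers would take the place of the `if (response.statusCode == 201)` blocks and the `split('/').pop()` line, so a rejected section POST shows NSX's own error text in the run log.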

7 thoughts on “Create XML file in vRealize Orchestrator for NSX Automation”

  1. Ahmet Enes

    Hello again,

    Can you explain to me how I can use the “Step2: add a section in DFW and add a firewall rules” section? Do I have to create a new workflow and put the XML code into a scriptable task, or just add the whole Step 2 code into Step 1? (This is not running.)

    [2019-03-13 14:34:38.050] [I]

    yamaha desc
    yamaha
    0

    [2019-03-13 14:34:38.056] [I] Creating a SecurityGroup yamaha
    [2019-03-13 14:34:38.060] [I] POST Request URL: https://lap01nsxcld.int.teb.com.tr/api/2.0/services/securitygroup/bulk/globalroot-0
    [2019-03-13 14:34:38.203] [D] Successfully created Security Group yamaha
    [2019-03-13 14:34:38.212] [I] Source:

    10.47.161.23
    Ipv4Address
    true

    [2019-03-13 14:34:38.217] [I] Destination:

    10.47.161.24
    Ipv4Address
    true

    [2019-03-13 14:34:38.223] [I] Service:

    80
    6
    6
    true

    [2019-03-13 14:34:38.244] [I] XML file for new rules:

    vro created rule
    allow

    yamaha
    securitygroup-20
    SecurityGroup
    true

    10.47.161.23
    Ipv4Address
    true

    10.47.161.24
    Ipv4Address
    true

    80
    6
    6
    true

    [2019-03-13 14:34:38.304] [E] Error in (Workflow:Copy of NSX_CreateSecGroup / Scriptable task (item1)#74) Failed to SecurityGroup Sectionyamaha
    [2019-03-13 14:34:38.344] [E] Workflow execution stack:
    ***
    item: ‘Copy of NSX_CreateSecGroup/item1’, state: ‘failed’, business state: ‘null’, exception: ‘Failed to SecurityGroup Sectionyamaha (Workflow:Copy of NSX_CreateSecGroup / Scriptable task (item1)#74)’
    workflow: ‘Copy of NSX_CreateSecGroup’ (827fd608-2a6c-4bd5-8991-9f7ce3a0ecf3)
    | ‘input’: name=securityGroupName type=string value=yamaha
    | ‘input’: name=description type=string value=yamaha desc
    | ‘input’: name=nsxManagerRestHost type=REST:RESTHost value=dunes://service.dunes.ch/CustomSDKObject?id=’3fe3abc1-99de-4053-991f-6b1cb4099f6d’&dunesName=’REST:RESTHost’
    | ‘input’: name=sgID type=string value=
    | ‘no outputs’
    | ‘no attributes’
    *** End of execution stack.

    1. Hi, you don’t need to create a new workflow for Step 2. Just add another script task as Step 2 in the same workflow. In addition, you possibly want to sleep a few seconds, e.g. 10 seconds, before Step 2 starts, which will allow NSX Manager to complete Step 1.

    1. Hi, you need to add 2 properties: “sgID” and “realtime”. Then use these 2 new properties as outputs in your first script task and as inputs in your second script task.
      In addition, it is possibly good for you to attend some vRA/vRO course for vRO workflow development.
