Create XML file in vRealize Orchestrator for NSX Automation

NSX API uses XML format for API communication. To automate NSX in VMware vRealize Orchestror, it is always required to create a XML file with javascript  as vRO workflow supports javascript only.Here i only shows you an example to how to do it.

The target here is to create a security group and add a simple firewall rule in this newly created security group.

Note: this vRO workflow has 2 inputs:
securityGroupName, description
And 2 properties:
nsxManagerRestHost, realtime(equal to sgID in Step1)

Step1: create a security group

var xmlbody = new XML('<securitygroup />');
xmlbody.objectId = " ";
xmlbody.type.typeName = " ";
xmlbody.description = description;
xmlbody.name = securityGroupName;
xmlbody.revision = 0;
xmlbody.objectTypeName = " ";
System.log(xmlbody);
var request = nsxManagerRestHost.createRequest("POST", "/2.0/services/securitygroup/bulk/globalroot-0", xmlbody.toString());
request.contentType = "application/xml";
System.log("Creating a SecurityGroup " + securityGroupName);
System.log("POST Request URL: " + request.fullUrl);
var response = request.execute();
if (response.statusCode == 201) {
	System.debug("Successfully created Security Group " + securityGroupName);
	}
else {
	throw("Failed to SecurityGroup " + securityGroupName);
	}
sgID = response.getAllHeaders().get("Location").split('/').pop();
realtime=sgID

Step2: add a section in DFW and add a firewall rules

//create XML object for DFW source;
var rulesources = new XML('<sources excluded="false" />');
rulesources.source.name = " ";
rulesources.source.value = "10.47.161.23";
rulesources.source.type = "Ipv4Address";
rulesources.source.isValid = 'true';
System.log("Source: "+rulesources);

//create XML object for DFW destination;
var ruledestionations = new XML('<destinations excluded="false" />');
ruledestionations.destination.name = " ";
ruledestionations.destination.value = "10.47.161.24";
ruledestionations.destination.type = "Ipv4Address";
ruledestionations.destination.isValid = 'true';
System.log("Destination: "+ruledestionations);

//create XML object for DFW service
var ruleservices = new XML('<services />');
ruleservices.service.destinationPort = "80";
ruleservices.service.protocol = "6";
ruleservices.service.subProtocol = "6";
ruleservices.service.isValid = 'true';
System.log("Service: "+ruleservices);

//create XML object for the whole rule
var xmlbodyrule = new XML('<rule disabled="false" logged="true" />');
xmlbodyrule.name = "vro created rule";
xmlbodyrule.action = "allow";
xmlbodyrule.notes = " ";
xmlbodyrule.appliedToList.appliedTo.name = securityGroupName;
xmlbodyrule.appliedToList.appliedTo.value = realtime;
xmlbodyrule.appliedToList.appliedTo.type = 'SecurityGroup';
xmlbodyrule.appliedToList.appliedTo.isValid = 'true';
xmlbodyrule.sectionId = " ";
xmlbodyrule.sources = rulesources;
xmlbodyrule.destinations = ruledestionations;
xmlbodyrule.services = ruleservices;

//create XML object for DFW section
var xmlbody = new XML(
<section name ={securityGroupName} />);
//xmlbody.rule = 'disabled="false" logged="true" />';
xmlbody.rule=xmlbodyrule;
System.log("XML file for new rules: "+xmlbody);

var request = nsxManagerRestHost.createRequest("POST", "/4.0/firewall/globalroot-0/config/layer3sections", xmlbody.toString());
request.contentType = "application/xml";
var response = request.execute();
if (response.statusCode == 201) {
	System.debug("Successfully created Security Group Section" + securityGroupName);
	}
else {
	throw("Failed to SecurityGroup Section" + securityGroupName);
	}

Below is the output of XML file for creating a security group:

<securitygroup>
  <objectId></objectId>
  <type>
    <typeName></typeName>
  </type>
  <description>nsx1001test</description>
  <name>nsx1001test</name>
  <revision>0</revision>
  <objectTypeName></objectTypeName>
</securitygroup>

XML file for creating a NSX DFW section and adding a new simple firewall rules:

<section name="nsx1001test">
  <rule disabled="false" logged="true">
    <name>vro created rule</name>
    <action>allow</action>
    <notes></notes>
    <appliedToList>
      <appliedTo>
        <name>nsx1001test</name>
        <value>securitygroup-947</value>
        <type>SecurityGroup</type>
        <isValid>true</isValid>
      </appliedTo>
    </appliedToList>
    <sectionId></sectionId>
    <sources excluded="false">
      <source>
        <name></name>
        <value>10.47.161.23</value>
        <type>Ipv4Address</type>
        <isValid>true</isValid>
      </source>
    </sources>
    <destinations excluded="false">
      <destination>
        <name></name>
        <value>10.47.161.24</value>
        <type>Ipv4Address</type>
        <isValid>true</isValid>
      </destination>
    </destinations>
    <services>
      <service>
        <destinationPort>80</destinationPort>
        <protocol>6</protocol>
        <subProtocol>6</subProtocol>
        <isValid>true</isValid>
      </service>
    </services>
  </rule>
</section>

7 thoughts on “Create XML file in vRealize Orchestrator for NSX Automation

  1. Ahmet Enes

    Hello again,

    Can you explain me how can I use ” Step2: add a section in DFW and add a firewall rules” section. Do i have to create new workflow an put the xml code into scriptable task ? or just add whole step 2 code into step 1. (this is not running)

    [2019-03-13 14:34:38.050] [I]

    yamaha desc
    yamaha
    0

    [2019-03-13 14:34:38.056] [I] Creating a SecurityGroup yamaha
    [2019-03-13 14:34:38.060] [I] POST Request URL: https://lap01nsxcld.int.teb.com.tr/api/2.0/services/securitygroup/bulk/globalroot-0
    [2019-03-13 14:34:38.203] [D] Successfully created Security Group yamaha
    [2019-03-13 14:34:38.212] [I] Source:

    10.47.161.23
    Ipv4Address
    true

    [2019-03-13 14:34:38.217] [I] Destination:

    10.47.161.24
    Ipv4Address
    true

    [2019-03-13 14:34:38.223] [I] Service:

    80
    6
    6
    true

    [2019-03-13 14:34:38.244] [I] XML file for new rules:

    vro created rule
    allow

    yamaha
    securitygroup-20
    SecurityGroup
    true

    10.47.161.23
    Ipv4Address
    true

    10.47.161.24
    Ipv4Address
    true

    80
    6
    6
    true

    [2019-03-13 14:34:38.304] [E] Error in (Workflow:Copy of NSX_CreateSecGroup / Scriptable task (item1)#74) Failed to SecurityGroup Sectionyamaha
    [2019-03-13 14:34:38.344] [E] Workflow execution stack:
    ***
    item: ‘Copy of NSX_CreateSecGroup/item1’, state: ‘failed’, business state: ‘null’, exception: ‘Failed to SecurityGroup Sectionyamaha (Workflow:Copy of NSX_CreateSecGroup / Scriptable task (item1)#74)’
    workflow: ‘Copy of NSX_CreateSecGroup’ (827fd608-2a6c-4bd5-8991-9f7ce3a0ecf3)
    | ‘input’: name=securityGroupName type=string value=yamaha
    | ‘input’: name=description type=string value=yamaha desc
    | ‘input’: name=nsxManagerRestHost type=REST:RESTHost value=dunes://service.dunes.ch/CustomSDKObject?id=’3fe3abc1-99de-4053-991f-6b1cb4099f6d’&dunesName=’REST:RESTHost’
    | ‘input’: name=sgID type=string value=
    | ‘no outputs’
    | ‘no attributes’
    *** End of execution stack.

    Like

    1. Hi, you don’t need create a new workflow for Step 2. Just add another script task as Step 2 in the same workflow. In addition, you possibly want to sleep a few seconds e.g.10 seconds before Step 2 starts which will allow NSX manager to complete Step 1.

      Like

    1. Hi, you need to add 2 property: “sgID” and “realtime” . Then use these 2 new property as output in your first script task and as input in your second script task.
      In addition, It is possibly good for you to attend some vRA/vRO course for vRO workflow development.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s