The NSX API uses XML for API communication. To automate NSX from VMware vRealize Orchestrator (vRO), you always need to build the XML body in JavaScript, because vRO scriptable tasks support JavaScript only (the E4X XML object used below). Here I only show you one example of how to do it.
The goal here is to create a security group and then add a simple firewall rule that is applied to the newly created security group.
Note: this vRO workflow has 2 inputs:
    securityGroupName, description
and 2 properties:
    nsxManagerRestHost, realtime (set to sgID in Step 1)
Step 1: create a security group

// Build the security group body as an E4X XML object; assigning to a child
// name creates that element, so the empty fields still appear in the output.
var xmlbody = new XML('<securitygroup />');
xmlbody.objectId = " ";
xmlbody.type.typeName = " ";
xmlbody.description = description;
xmlbody.name = securityGroupName;
xmlbody.revision = 0;
xmlbody.objectTypeName = " ";
System.log(xmlbody);

var request = nsxManagerRestHost.createRequest("POST", "/2.0/services/securitygroup/bulk/globalroot-0", xmlbody.toString());
request.contentType = "application/xml";
System.log("Creating a SecurityGroup " + securityGroupName);
System.log("POST Request URL: " + request.fullUrl);
var response = request.execute();
if (response.statusCode == 201) {
    System.debug("Successfully created Security Group " + securityGroupName);
} else {
    throw "Failed to create Security Group " + securityGroupName;
}
// NSX returns the id of the new object in the Location header (e.g. .../securitygroup-947);
// keep the last path segment and hand it to Step 2 through the realtime property.
sgID = response.getAllHeaders().get("Location").split('/').pop();
realtime = sgID;
Step 2: add a section in the DFW and add a firewall rule

// create XML object for the DFW rule source
var rulesources = new XML('<sources excluded="false" />');
rulesources.source.name = " ";
rulesources.source.value = "10.47.161.23";
rulesources.source.type = "Ipv4Address";
rulesources.source.isValid = 'true';
System.log("Source: " + rulesources);

// create XML object for the DFW rule destination
var ruledestinations = new XML('<destinations excluded="false" />');
ruledestinations.destination.name = " ";
ruledestinations.destination.value = "10.47.161.24";
ruledestinations.destination.type = "Ipv4Address";
ruledestinations.destination.isValid = 'true';
System.log("Destination: " + ruledestinations);

// create XML object for the DFW rule service (TCP/80)
var ruleservices = new XML('<services />');
ruleservices.service.destinationPort = "80";
ruleservices.service.protocol = "6";
ruleservices.service.subProtocol = "6";
ruleservices.service.isValid = 'true';
System.log("Service: " + ruleservices);

// create XML object for the whole rule; it is applied to the security group created in Step 1
var xmlbodyrule = new XML('<rule disabled="false" logged="true" />');
xmlbodyrule.name = "vro created rule";
xmlbodyrule.action = "allow";
xmlbodyrule.notes = " ";
xmlbodyrule.appliedToList.appliedTo.name = securityGroupName;
xmlbodyrule.appliedToList.appliedTo.value = realtime;
xmlbodyrule.appliedToList.appliedTo.type = 'SecurityGroup';
xmlbodyrule.appliedToList.appliedTo.isValid = 'true';
xmlbodyrule.sectionId = " ";
xmlbodyrule.sources = rulesources;
xmlbodyrule.destinations = ruledestinations;
xmlbodyrule.services = ruleservices;

// create XML object for the DFW section (E4X literal; the attribute value is taken from the workflow input)
var xmlbody = new XML(<section name={securityGroupName} />);
xmlbody.rule = xmlbodyrule;
System.log("XML file for new rules: " + xmlbody);

var request = nsxManagerRestHost.createRequest("POST", "/4.0/firewall/globalroot-0/config/layer3sections", xmlbody.toString());
request.contentType = "application/xml";
var response = request.execute();
if (response.statusCode == 201) {
    System.debug("Successfully created Security Group Section " + securityGroupName);
} else {
    throw "Failed to create Security Group Section " + securityGroupName;
}
Below is the XML body produced for creating the security group:

<securitygroup>
    <objectId></objectId>
    <type>
        <typeName></typeName>
    </type>
    <description>nsx1001test</description>
    <name>nsx1001test</name>
    <revision>0</revision>
    <objectTypeName></objectTypeName>
</securitygroup>
XML body for creating the NSX DFW section and adding the new firewall rule:

<section name="nsx1001test">
    <rule disabled="false" logged="true">
        <name>vro created rule</name>
        <action>allow</action>
        <notes></notes>
        <appliedToList>
            <appliedTo>
                <name>nsx1001test</name>
                <value>securitygroup-947</value>
                <type>SecurityGroup</type>
                <isValid>true</isValid>
            </appliedTo>
        </appliedToList>
        <sectionId></sectionId>
        <sources excluded="false">
            <source>
                <name></name>
                <value>10.47.161.23</value>
                <type>Ipv4Address</type>
                <isValid>true</isValid>
            </source>
        </sources>
        <destinations excluded="false">
            <destination>
                <name></name>
                <value>10.47.161.24</value>
                <type>Ipv4Address</type>
                <isValid>true</isValid>
            </destination>
        </destinations>
        <services>
            <service>
                <destinationPort>80</destinationPort>
                <protocol>6</protocol>
                <subProtocol>6</subProtocol>
                <isValid>true</isValid>
            </service>
        </services>
    </rule>
</section>