Book Release: Automating NSX for vSphere with PowerNSX

When I was first shown PowerNSX a few years ago, I was immediately hooked. I wanted to contribute on all fronts: code, documentation, web tasks, training materials, VMworld sessions, Tech Summit sessions, and more.

[Image: book cover]

The demand for PowerNSX has been nothing short of overwhelming. We see it appearing at customers, being referenced in support cases by customers, engineering using it to automate tests, and more. This uptake caused us to start referring to it as “The ‘unofficial official’ automation tool for NSX.”

When I started to write the book I thought it would be a good resource to complement what was already out there. The book's goal is to provide insight into the most common operations and features of PowerNSX. It also highlights how PowerNSX can be used to create tools for your infrastructure. Peppered throughout the book is general advice and tips on using PowerShell and PowerNSX as an administrator. It was released in digital and physical formats at VMworld 2017.

Whilst I was not there due to paternity leave, my trusty colleagues and book contributors, Nick Bradford and Dale Coghlan, were there to help represent. They were signing copies of the physical book and chatting to people about PowerNSX. They too were surprised at the support shown by people for the book and PowerNSX. So, with that, thank you! Thank you to all of the users and those interested in PowerNSX!

If you see me in person at an event in the future I may just have some hard copies to give out!

Get your free copy

The book is 100% free. Get your digital copy here and get started with PowerNSX today!

FQDN based IP Sets in DFW rules

Using PowerNSX to create FQDN populated IP Sets

NSX for vSphere does not have the ability to create FQDN based rules. Traditionally, a FQDN based rule will use the management plane's registered DNS server to perform a lookup against a domain name. This returns the IP addresses associated with the name, which are then used to update an address set. Traditional firewalls such as SRX or ASA have this ability. Thanks to PowerNSX, NSX for vSphere does now as well!

Using the FQDN tool

Let's try it on a very common website that most people have visited before.

PS /> ./fqdn-ipset.ps1 -domainname facebook.com

Adding new IPv4 addresses to IPS-facebook.com-v4
Adding new IPv6 addresses to IPS-facebook.com-v6
Tidying IPv4 entries
Tidying IPv6 entries

Alright! Two successfully created IP Sets for Facebook. It includes both IPv4 and IPv6 addresses.

PS /> get-nsxipset IPS-facebook.com-v4

objectId           : ipset-24
objectTypeName     : IPSet
vsmUuid            : 4201B045-B1F9-457F-E621-B54038A6AFA5
nodeId             : 4b749a6a-bc41-431b-bf24-cf9e54dcb452
revision           : 13
type               : type
name               : IPS-facebook.com-v4
description        :
scope              : scope
clientHandle       :
extendedAttributes :
isUniversal        : false
universalRevision  : 0
inheritanceAllowed : false
value              : 157.240.7.35 

So there is a single IP address in the value property. Great! To prove that it is the current DNS entry, let's run the resolution manually.

PS /Users/aburke/Documents/git/nsx-scripts/FQDN-IPset-update> [System.Net.Dns]::GetHostAddressesAsync($domainname).result


AddressFamily      : InterNetwork
ScopeId            :
IsIPv6Multicast    : False
IsIPv6LinkLocal    : False
IsIPv6SiteLocal    : False
IsIPv6Teredo       : False
IsIPv4MappedToIPv6 : False
IPAddressToString  : 157.240.13.35

AddressFamily      : InterNetworkV6
ScopeId            : 0
IsIPv6Multicast    : False
IsIPv6LinkLocal    : False
IsIPv6SiteLocal    : False
IsIPv6Teredo       : False
IsIPv4MappedToIPv6 : False
IPAddressToString  : 2a03:2880:f126:83:face:b00c::25de 

Great! There is a single entry for IPv4 and IPv6.

Running it again and cleanup

The script is built to handle existing IP Sets. It is also built to remove IP addresses that are no longer being resolved. Let's run it again to see the behaviour of the script if something already exists.

PS /> ./fqdn-ipset.ps1 -domainname facebook.com

Attempting to add 2 IPv4 address(es) to IPS-facebook.com-v4

WARNING: Value 157.240.7.35 is already a member of the IPSet IPS-facebook.com-v4

Attempting to add 1 IPv6 address(es) to IPS-facebook.com-v6

WARNING: Value 2a03:2880:f126:83:face:b00c::25de is already a member of the IPSet IPS-facebook.com-v6

Tidying IPv4 entries
Tidying IPv6 entries

This example shows a WARNING. This is some smarts built into PowerNSX by Dale and Nick. It will identify if an IP address already exists in the IP Set. If it does and you attempt to add it, PowerNSX will pass a warning to the console instead of failing. It’s an example of building some smarts over the top of the API.

It will then remove old or stale IP addresses from the IPv4 and IPv6 IP Sets. This is done by comparing the freshly resolved IPs to the existing members. Let's have a look at the dataplane to confirm.
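As an added example (not the author's fqdn-ipset.ps1), here is the resolve-and-reconcile loop the two runs above describe: resolve once, split by address family, add members that are new and remove members DNS no longer returns. It assumes an existing PowerNSX session (Connect-NsxServer) and PowerNSX's New-NsxIpSet, Add-NsxIpSetMember and Remove-NsxIpSetMember cmdlets with the parameters shown; the IPS-<fqdn>-v4/-v6 naming follows the post.

```powershell
# Added example, not the original script. Assumes a PowerNSX session is already
# connected and that New-NsxIpSet, Add-NsxIpSetMember and Remove-NsxIpSetMember
# accept the -Name/-IPAddress parameters used here.
param(
    [Parameter(Mandatory)][string]$DomainName
)

# Resolve once; the resolver of the host running the script answers (see "Keeping it up to date").
$answers = [System.Net.Dns]::GetHostAddressesAsync($DomainName).Result

# Split the answers by address family so each IP Set holds one family only.
$resolved = @{
    v4 = @($answers | Where-Object AddressFamily -eq 'InterNetwork'   | ForEach-Object IPAddressToString)
    v6 = @($answers | Where-Object AddressFamily -eq 'InterNetworkV6' | ForEach-Object IPAddressToString)
}

foreach ($family in 'v4', 'v6') {
    $setName = "IPS-$DomainName-$family"
    $ipset   = Get-NsxIpSet -Name $setName

    if (-not $ipset) {
        # First run: create the set populated with whatever resolved now.
        if (-not $resolved[$family]) { Write-Host "No IP$family answers for $DomainName; skipping $setName"; continue }
        Write-Host "Creating $setName"
        New-NsxIpSet -Name $setName -IPAddress ($resolved[$family] -join ',') | Out-Null
        continue
    }

    # The value property is a comma-separated member list (see the Get-NsxIpSet output above).
    $existing = @($ipset.value -split ',' | Where-Object { $_ } | ForEach-Object Trim)

    # Members returned by DNS but absent from the set are added; PowerNSX warns on duplicates.
    $toAdd = @($resolved[$family] | Where-Object { $_ -notin $existing })
    if ($toAdd.Count -gt 0) {
        Write-Host "Adding $($toAdd.Count) IP$family address(es) to $setName"
        $ipset = $ipset | Add-NsxIpSetMember -IPAddress $toAdd
    }

    # Members no longer returned by DNS are stale and are removed (the "tidying" step).
    $stale = @($existing | Where-Object { $_ -notin $resolved[$family] })
    if ($stale.Count -gt 0) {
        Write-Host "Tidying $setName: removing $($stale.Count) stale entries"
        $ipset = $ipset | Remove-NsxIpSetMember -IPAddress $stale
    }
}
```

Because the diff is computed against the set's current members, a record that rotates between several addresses is handled by successive runs: each run adds the answer it saw and removes the ones it did not.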

[[email protected]:~] vsipioctl getrules -f nic-5454921-eth0-vmware-sfw.2
ruleset domain-c26 {
  # Filter rules
  rule 1012 at 1 inout protocol tcp from addrset ip-securitygroup-26 to addrset dst1012 port 443 accept;
  rule 1012 at 2 inout protocol tcp from addrset ip-securitygroup-26 to addrset dst1012 port 80 accept;
  rule 1003 at 3 inout protocol ipv6-icmp icmptype 135 from any to any accept;
  rule 1003 at 4 inout protocol ipv6-icmp icmptype 136 from any to any accept;
  rule 1002 at 5 inout protocol udp from any to any port 68 accept;
  rule 1002 at 6 inout protocol udp from any to any port 67 accept;
  rule 1001 at 7 inout protocol any from any to any accept;
}

Now let's have a look at the container on the dataplane which represents the destination addresses.

[[email protected]:~] vsipioctl getaddrsets -f nic-5454921-eth0-vmware-sfw.2
addrset dst1012 {
ip 157.240.7.35,
ip 2a03:2880:f126:83:face:b00c:0:25de,
}

It’s working and populated with the IPv4 and IPv6 addresses from the previous examples.

Using it in a rule

So now there is a dynamically updated pair of IPsets for IPv4 and IPv6 addresses, what about a rule? Here is an example rule.

[Screenshot: example DFW rule using the FQDN IP Sets]

This will allow Virtual Machines associated with the source Security Group access to the destination IP addresses on HTTP/HTTPS.

Keeping it up to date

Name resolution is performed by the local host the script is run on. It will talk to the DNS server it has been assigned. This could be run on a dedicated virtual machine or container. The script can be run as a cron job or scheduled task at an interval of every 5 minutes to ensure resolution is current and up to date. If that is the case the job would also need to define a connection to NSX Manager and start a PowerShell session.

This is what the interaction would look like with a ‘script-server’ running the tool.

[Diagram: script-server topology]

It would need to talk to the DNS server and NSX Manager. This topology is to provide an idea of what connectivity may look like.

The code

The code for this script is found on my GitHub here.

Summary

It is most likely that an enterprise would use this for internally hosted workloads. These may be virtual IPs for applications or internally hosted services. The frequency at which this tool is run, along with the speed of updates, is dependent on the rate of change of the addresses.