NSX Full Stack deployment

In our line of work we are often deploying clean NSX environments in the lab. One of our labs allows us to deploy a multi-cluster vSphere environment and configure it with storage, clusters, vCenter elements, and DVS with PowerCLI very quickly. This allows our team to quickly deploy a topology and validate a customer environment, squash a bug, or configure a new integration.

Automate all the things

With all these new environments it is pretty painful and slow to deploy NSX again and again. So here is the script we use to deploy NSX from nothing and deploy it all the way through to a working 3 Tier App.

Why now?

To be frank, we’ve been sitting on something like this since January and just assumed it was useful to use. Time to dust it off and share with the wide world.

Running the Script

There are a heap of parameters that you will need to adjust for your environment. Storage and Cluster names are the ones that are most likely to be different. IP addresses too. The idea of this script is that you can take the code you need and create something of your own.

By running ./NSXBuildFromScratch.ps1 the following will occur:

  • Validate and collect Virtual Infrastructure
  • Deploy NSX Manager
  • Register NSX Manager
  • Deploy NSX Controller
  • Prepare vSphere clusters for DFW/VXLAN
  • Configure VNI and Transport Zone

While the infrastructure is deploying, checks ensure that any timeouts are handled. This pertains mostly to the host preparation steps.

Once completed the 3 Tier Application is deployed.

  • Logical Switches
  • Logical Router
  • Edge
  • Edge and DLR routing
  • Edge Load Balancer
  • Distributed Firewall / Rules
  • Deploy vApp

So what are you waiting for? Grab the script, download the 3 Tier App OVA and get your groove on by deploying dozens of labs per hour!

Download the Script

Download the Bookstore 3 Tier App for yourself.

Bulk creation of NSX rules with Python

A customer wanted to validate the impact of numerous firewall rules within NSX. The question was how much impact there would be on the host's CPU cores and on distributed firewall throughput when NSX had 100, 500, and 1000 rule sets loaded. One method would have taken me a very long time: clicky clicky GUI. We have an API, so why not use it? The script below generates XML in the format required for distributed firewall rule sets.

## Define the section in which you want to test the rules.
print()

## i is the substituted numeral for the third octet.
for i in range(0, 5):
    ## j is the substituted numeral for the fourth octet, e.g. 10.1.(i).(j)
    for j in range(1, 100):
        ## XML required for NSX to parse. Rule actions, enablement and values
        print(""
              "allow"
              ""
              ""
              "10.1." + str(i) + "." + str(j) + ""
              "Ipv4Address"
              "true"
              ""
              ""
              "")
print()

The python script will print XML. It will create a section called POC-test-rules. It will loop and print 1-100 for j and repeat this for i 0 – 5. This will make over 600 rules for our test environment.

Overwatch:Desktop aburke$ python loopapi.py
allow10.1.0.1Ipv4Addresstrue allow10.1.0.2Ipv4Addresstrue


So there is some XML that can be uploaded into the firewall section by a REST POST. But before we do that, let's have some more authentic rules. Here is an adjusted script to do some dynamic ports.

print()
print("")
## i and j build the source address 10.10.(i).(j); k is the destination port.
for i in range(0, 2):
    for j in range(50, 100):
        for k in range(200, 205):
            print(""
                  "Test_Rule." + str(i) + "." + str(j) + ""
                  "allow"
                  ""
                  ""
                  "DISTRIBUTED_FIREWALL"
                  "DISTRIBUTED_FIREWALL"
                  "DISTRIBUTED_FIREWALL"
                  "true"
                  ""
                  ""
                  ""
                  ""
                  "10.10." + str(i) + "." + str(j) + ""
                  "Ipv4Address"
                  "true"
                  ""
                  ""
                  ""
                  ""
                  "true"
                  "" + str(k) + ""
                  "6"
                  "TCP"
                  ""
                  ""
                  "inout"
                  "any"
                  "")
print("")

The output should look a bit more real world!

Overwatch:Desktop aburke$ python loopapi-ports.py
Test_Rule.0.50allowDISTRIBUTED_FIREWALLDISTRIBUTED_FIREWALLDISTRIBUTED_FIREWALLtrue10.10.0.50Ipv4Addresstruetrue2006TCPinoutany

 

There is a nicer output with IP’s and ports.

I have demonstrated REST API POST via a browser here. Alternatively it is possible to use a subsequent script to push this information.

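import http.client, base64, os

os.chdir('/Users/aburke/Desktop')
# Read the XML produced by the previous script.
with open('fw.txt', 'rb') as f:
    body = f.read()
# HTTPSConnection verifies the server certificate by default; a lab manager
# with a self-signed certificate must be trusted via the context argument.
conn = http.client.HTTPSConnection("192.168.110.42")
cred = base64.b64encode(b"admin:nicira123").decode()
#print(body)
#headerx={"Authorization":"Basic YWRtaW46bmljaXJhMTIz"}
# The scheme and the credentials are separated by a single space.
header1 = {"Authorization": "Basic " + cred}
header2 = {"Authorization": "Basic YWRtaW46bmljaXJhMTIz", "content-type": "application/xml"}
#conn.request("GET","/api/2.0/services/usermgmt/user/admin",'',header1)
conn.request("POST", "/api/4.0/firewall/globalroot-0/config/layer3sections", body, header2)
resp = conn.getresponse()
head = resp.getheaders()
status = resp.status
print(head)
print(status)
conn.close()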

Here I am pushing a file called fw.txt. This is the output from the previous script saved into a text document. (I have not got a file to save correctly yet from the first script.) A breakdown of this script is as follows. conn.request sends a POST over the connection defined by conn to 192.168.110.42. It posts the contents of the file to the L3 dFW sections endpoint. The body is the contents of fw.txt, which is found in the directory /Users/aburke/Desktop. header2 indicates the authorization and content type, and defines that the body should be parsed as XML. The two print commands print the response headers and the status of the action, such as 400, 404 or 500. These are HTTP response codes, which you can read more on here.
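The rule generator and the file-saving step described above, as an added example that is not the original post's code: it builds the section with an XML library so every element is closed and escaped, rejects bad addresses and ports, and re-parses the saved file before it is posted. The element and attribute names are an assumption based on the NSX-v distributed firewall rule schema and should be checked against the API guide for your version; build_section, save_section, fw.xml and the port suffix on the rule name are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

def build_section(name, third_octets, fourth_octets, ports):
    """Return a DFW <section> element with one allow rule per (i, j, port)."""
    section = ET.Element("section", name=name)
    for i in third_octets:
        for j in fourth_octets:
            # ipaddress rejects out-of-range octets before they reach the manager.
            src = str(ipaddress.IPv4Address("10.10.%d.%d" % (i, j)))
            for port in ports:
                if not 0 < port < 65536:
                    raise ValueError("bad TCP port: %r" % port)
                # Assumed schema: tag and attribute names are not taken from the post.
                rule = ET.SubElement(section, "rule", disabled="false", logged="false")
                # Port suffix (an addition here) keeps rule names unique.
                ET.SubElement(rule, "name").text = "Test_Rule.%d.%d.%d" % (i, j, port)
                ET.SubElement(rule, "action").text = "allow"
                applied = ET.SubElement(ET.SubElement(rule, "appliedToList"), "appliedTo")
                for tag in ("name", "value", "type"):
                    ET.SubElement(applied, tag).text = "DISTRIBUTED_FIREWALL"
                sources = ET.SubElement(rule, "sources", excluded="false")
                source = ET.SubElement(sources, "source")
                ET.SubElement(source, "value").text = src
                ET.SubElement(source, "type").text = "Ipv4Address"
                service = ET.SubElement(ET.SubElement(rule, "services"), "service")
                ET.SubElement(service, "destinationPort").text = str(port)
                ET.SubElement(service, "protocol").text = "6"  # IP protocol 6 = TCP
                ET.SubElement(rule, "direction").text = "inout"
                ET.SubElement(rule, "packetType").text = "any"
    return section

def save_section(section, path):
    """Write the section as UTF-8 XML and return the number of rules saved."""
    ET.ElementTree(section).write(path, encoding="utf-8", xml_declaration=True)
    # Re-parse so a truncated or malformed file fails here, not at the API.
    return len(ET.parse(path).getroot().findall("rule"))

if __name__ == "__main__":
    sec = build_section("POC-test-rules", range(0, 2), range(50, 100), range(200, 205))
    print(save_section(sec, "fw.xml"), "rules written to fw.xml")
```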

So here is a practical use of Python and the NSX API. What have you been doing to be more efficient lately?