In this series, I’ll document how to automate the creation and (some of) the management of NSX Security Groups.
First, what’s the use case? Why is this interesting? Let’s assume that you’ve decided to use large “flat” networks instead of many small networks. One reason for that decision is the difficulty of either maintaining many blueprints (one per network!) or changing the workflows to reliably set the appropriate network properties.
For this solution, we’ll need vCAC 6.1 or vRealize Automation 6.2, NSX 6.x, and vCenter/vRealize Orchestrator with the vCAC and NSX plugins installed and configured. We have two Logical Switches, one for Production and one for Non-Production. In addition, there’s a corresponding network profile for each, and the business groups have reservations. Now we have to ensure that there are security boundaries within the flat networks. We’ll accomplish this through Security Groups.
We’ll create security groups and nod in the direction of security profiles, but will not be automating the creation of security profiles nor their assignment to the Security Group(s). That can be done by the security admins through the NSX interface or maybe later we’ll add that capability too. 😉
1. Create Security Groups.
   - Open the vSphere Web Client and navigate to Networking and Security, then Service Composer.
   - Click the “New Security Group” icon.
   - Enter a Name and Description for your new Security Group and click Next.
   - If you want to create rules for dynamic membership or include/exclude existing VMs, you can do so in the subsequent steps. Finish the wizard.
   - Repeat to create all of your security groups.
2. Create Property Dictionaries in vCAC/vRA.
   - Log into vCAC as an Infrastructure Admin and navigate to Infrastructure | Blueprints | Property Dictionary.
   - Click “New Property Definition” and, for the name, enter “VCNS.SecurityGroup.Names.Production”. You can replace “Production” with a name of your choosing, so you can have multiple lists.
   - Select “DropDownList” as the control type, check the box to make it required, and click the green check to save.
   - Click the “Edit” link in the Property Attributes column.
   - Click “New Property Attribute” and select “ValueList” as the attribute type.
   - Set the name to something appropriate, such as the same name as the Property Definition, “ValueList” or “SecurityGroups”.
   - In the Value field, enter the names of the security groups you want included. Separate the group names with commas (no spaces). If a group name contains spaces or commas, put it in quotes. Click the green check to save.
   - Repeat to create another property dictionary and attribute for the Non-Production list.
3. Update Blueprints.
   - Edit your “production” blueprints by adding the “VCNS.SecurityGroup.Names.Production” custom property. Set the value to your default security group, or leave it blank to require a selection. Be sure to check the “Prompt User” box. Click the green check to save.
   - Submit a request for the affected blueprint and verify that the dropdown list of security groups looks as you expect. Remember that, unlike many other custom properties in vCAC (e.g. Network Profiles), you CAN have multiple versions of this one and display different lists.
   - After a VM is provisioned, verify in the vSphere Web Client that it has been assigned to the expected security group.
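As an added example (not code from this post), here is the ValueList format from the property-dictionary step as a build/parse pair in the ES5-style JavaScript a vRealize Orchestrator workflow would use; this is the piece a workflow that keeps the dropdown in sync with NSX would need. Rejecting names that contain a double quote is my assumption, since the post defines no escape for one.

```javascript
// Build and parse the ValueList value of the VCNS.SecurityGroup.Names.*
// property attribute. Rules from the post: names separated by commas with
// no spaces; a name containing a space or a comma is wrapped in quotes.
// Assumption: no escape exists for a double quote inside a name, so reject it.

function quoteIfNeeded(name) {
  if (name.indexOf('"') !== -1) {
    throw new Error('Security group name contains a double quote: ' + name);
  }
  return /[ ,]/.test(name) ? '"' + name + '"' : name;
}

// Turn an array of NSX security group names into one ValueList string.
function buildValueList(names) {
  return names.map(quoteIfNeeded).join(',');
}

// Split a ValueList string back into names, honouring quoted items, so a
// workflow can compare the current dropdown contents with NSX.
function parseValueList(value) {
  if (value === '') {
    return [];
  }
  var names = [];
  var current = '';
  var inQuotes = false;
  for (var i = 0; i < value.length; i++) {
    var ch = value.charAt(i);
    if (ch === '"') {
      inQuotes = !inQuotes;
    } else if (ch === ',' && !inQuotes) {
      names.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  if (inQuotes) {
    throw new Error('Unterminated quote in ValueList: ' + value);
  }
  names.push(current);
  return names;
}

// Constructed sample names (not real groups from the post).
var sampleGroups = ['Web-Tier', 'App Tier', 'DB,Reporting'];
var valueList = buildValueList(sampleGroups);   // Web-Tier,"App Tier","DB,Reporting"
var roundTrip = parseValueList(valueList);      // back to the three names
```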
In the next parts of this series, I plan to address the problems of maintaining the dropdown list manually and having a single security group per machine.
Many thanks to my friend Grant Orchard for his article on selecting a security group in a blueprint. It was the inspiration for this series.