The article is based on the following software versions:
- vRealize Automation 7.0.1
- vRealize Orchestrator 7.0.1
- VMware NSX 6.2.2
- NSX Plug-in for vRO 1.0.3
First we need to install the NSX plug-in. Log into the vRO Control Center and upload / install the NSX Plug-in
Accept the EULA
Restart the vRO service
Ensure you enable the plug-in 🙂
Now log into the vRO Client. You will see a set of workflows. Here start the Create NSX Endpoint workflow. This will not create an Endpoint in vRA – but an Endpoint in vRO 🙂
Enter your NSX details
And ensure the workflow finishes successfully – not like my first attempt – using the wrong password 😉
You should now be able to browse your NSX environment from within vRO
Please note – if you receive the following error
Then please check my other article for the fix.
Before I configure vRA, I will do some more in NSX. My NSX instance is pretty much unused, so the data collection would be pointless at this point (and we'd have to do it manually again anyway).
So here I want to achieve the following.
- A firewall is blocking certain ports to virtual machines deployed via vRA
  - RDP
  - SSH
  - Ping
Probably not the most exciting rule, but again, this is just a test and I am too lazy to create multiple rules right now 🙂
Using your web client, navigate to
Networking & Security > NSX Managers > Click your NSX Manager > Manage > Grouping Objects
Create a new Security Group
This is all I am doing at this stage. I do not define any dynamic membership, nor do I define objects to include or exclude. I use this Security Group solely for vRA and vRA will, via vRO, add virtual machines to the group automatically.
Then I create a firewall rule.
Networking & Security > Firewall > Configuration > General
Here you can see I created a rule to block the three services discussed and assigned it to the Security Group only
At this stage the group has no members
Now we can configure vRA. Navigate to your vCenter Endpoint
Tick Specify manager for network and security platform and enter the URL of the NSX Manager https://<FQDN>
Also select the appropriate credentials.
Note: These are not the NSX Manager credentials but the credentials which have access to the NSX Manager via the vCenter Web Client. In my lab I am using the SSO admin – [email protected] – which is effectively the selected credential.
Now ensure that the Data Collection has finished successfully. As you know, the collection runs daily by default. So if you are unlucky and the data collection finished before you created the required NSX configuration, simply re-run the collection and you are all good to go.
Browse to the Compute Resources of this vCenter Endpoint and check the Network and Security Inventory
Now either change or create a new blueprint. On the left hand side, select Network & Security and drag Existing Security Group onto the canvas.
Under Security Group, select the newly created group, here vRealize Automation
Now we need to connect the Security Group with the actual VM. Click the VM and move over to the Security Tab
Tick the newly added Security Group and click Finish
Not that painful, was it? Now deploy a VM from this blueprint.
Once the VM has been deployed, you will see that the VM has been added to the Security Group specified
Then of course we can test it even further.
So, another check of what the VM is called (I did some more deployments, so the above screenshot is not accurate anymore)
So here – vra7-prod-035 has been added to the SG which blocks RDP, SSH and Ping.
This is a Linux VM – so RDP is not really relevant, but anyway, first let’s check what IP the VM got
Let’s try ping
Nothing. Now SSH
Nope.
But the VM is certainly up and has access to the outside world
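The manual SSH and RDP checks above can be repeated after every deployment with a small script; this is an added example, not part of the original article. It assumes the firewall rule drops packets silently, so a blocked port shows up as a timeout, and the names `probe_tcp`, `check_vm` and `rule_enforced` are made up for this sketch.

```python
import socket
import sys

# TCP services named in the article's rule. Ping is ICMP and is not probed here.
BLOCKED_TCP_PORTS = {"SSH": 22, "RDP": 3389}

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed: traffic reaches a listener
    except ConnectionRefusedError:
        return "refused"       # RST came back: the guest answered, or a rule rejects
    except OSError:
        return "filtered"      # timeout or unreachable: consistent with a silent drop

def check_vm(host, ports=BLOCKED_TCP_PORTS, timeout=3.0):
    """Probe every named port and return {service: state}."""
    return {name: probe_tcp(host, port, timeout) for name, port in ports.items()}

def rule_enforced(results):
    """Assumption: the rule silently drops, so every port must be 'filtered'.
    'refused' on RDP for a Linux VM means the packet got through to the guest."""
    return all(state == "filtered" for state in results.values())

if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; pass the deployed VM's IP instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    results = check_vm(target)
    for service, state in results.items():
        print(f"{service:4} {state}")
    sys.exit(0 if rule_enforced(results) else 1)
```

Separating "refused" from "filtered" makes the RDP check meaningful even on a Linux VM: without the rule the guest would refuse the connection, with a dropping rule the probe times out.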
In a later article I will probably go a bit further and let vRA deal with NAT etc. – but this is it for now 🙂
Enjoy ..