VMware vCloud Director Rights Correlation to VCPP NSX Bundles

I was recently asked by a colleague if we have any existing collateral on VMware vCloud Director (vCD) that maps to the VMware Cloud Provider Program (VCPP) NSX levels that are currently available to partners. Well, there wasn’t, until now. ūüôā

First, let’s talk about the NSX bundles inside of VCPP –

There are three levels identified within VCPP:

  1. NSX-SP Base – this is is your fundamental level of NSX. It does include your normal Edge services, Edge Firewall, NAT, Load Balancing, Dynamic/Static Routing, IPSEC/SSL VPN+, and Distributed Routing and Switching. This is typically referred to as “vCNS” mode (callout to the vCD old days) but does use NSX.
  2. NSX-SP Advanced – this includes Base, plus ECMP and Distributed Firewall functionality. Service Insertion, AD Integrated Firewall, etc. are all functions that the Provider can consume from the backend management.
  3. NSX-SP Enterprise – this includes Advanced along with HW VTEP integration, cross-vCenter NSX functionality, along with the L2VPN (Remote Gateway) solution. The new addition here is vCD 9.5 Multi-Site and Cross-VDC capability.

To state the obvious – vCloud Usage Meter will take care of automatic metering based off of what NSX functionality is used, this has been available since version 3.6. Check out this post that discusses how Usage Meter detects NSX (and vROPs) usage.

Last of all, the “Convert to Advanced Gateway” inside of vCloud Director for organization Edges¬†DOES NOT mean you will be using NSX Advanced right away! This is just a change in how vCD presents the Edge UI (with Advanced, it’ll show the H5) along with the API rights available. I demonstrate this in the above post too.

So let’s talk about the NSX levels and how they can pertain to vCD rights and role. I worked up the following roles in my vCD environment:

  1. NSX SP-Base Rights
  2. NSX SP-Advanced Rights
  3. NSX SP-Enterprise Rights

So what does one gain when using these rights? Well, they are now aligned to the VCPP NSX bundles and can be utilized as a starting to monetize NSX inside of a vCD environment.

Now, in my experience, these specific vCD permissions will apply to the VCPP NSX levels as stated above. The big thing I found in my testing is ECMP can be toggled with Static Routing, so I set this as “View Only” for any routing capability for SP-Base.

If you are using vCD 9.5, one could also create a rights bundle that is published to an organization along with utilizing Global Roles to make this *much* easier.

The steps for this would be: Creation of Rights Bundle(s) -> Publish to org(s) -> Creation of Global Roles -> Publish to org(s) -> Apply role to user(s)

Alright, here are the three exports for these rights required. This is not comprehensive for all vCloud permissions required, but gives you an idea of what to append to your existing role (which could be easily done via REST API). Note that the exports below show my vCD instance (vcd-01a.corp.local) along with the org UUID, so replace this if you are doing a POST.

NSX SP-Base:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Role xmlns="http://www.vmware.com/vcloud/v1.5" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:common="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5" xmlns:ovfenv="http://schemas.dmtf.org/ovf/environment/1" xmlns:ns9="http://www.vmware.com/vcloud/versions" name="NSX SP-Base Rights" id="urn:vcloud:role:0fbafcf0-1cce-4457-9f1d-d7bbacc189fd" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/0fbafcf0-1cce-4457-9f1d-d7bbacc189fd" type="application/vnd.vmware.admin.role+xml">
<Link rel="edit" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/0fbafcf0-1cce-4457-9f1d-d7bbacc189fd" type="application/vnd.vmware.admin.role+xml"/>
<Link rel="remove" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/0fbafcf0-1cce-4457-9f1d-d7bbacc189fd"/>
<Description></Description>
<RightReferences>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2a097e48-f4c4-3714-8b24-552b2d573754" name="Organization vDC Gateway: View Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d9dabcab-579e-33c5-807b-dc9232bf7eff" name="Organization vDC Gateway: View BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/209cde55-55db-33f1-8357-b27bba6898ed" name="Organization vDC Gateway: Configure IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/c9e19573-3d54-3d4a-98f2-f56e446a8ef9" name="Organization vDC Gateway: Configure NAT" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/84ddb40f-a49a-35e1-918e-3f11507825d7" name="Organization vDC Gateway: Configure Syslog" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/92b7d500-6bb6-3176-b9eb-d1fda4ce444d" name="Organization vDC Gateway: Configure SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/72c5e652-c8d7-3f19-ab83-283d30cb679f" name="Organization vDC Gateway: Configure Remote Access" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/a5f5fc99-9afc-347b-9a31-f65f61f4416b" name="Organization vDC Gateway: Distributed Routing" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/65439584-6aad-3c2c-916f-794099ee85bf" name="Organization vDC Gateway: View Remote Access" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/cdb0edb0-9623-30a8-89de-b133db7cfeab" name="Organization vDC Gateway: View SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/27be9828-4ce4-353e-8f68-5cd69260d94c" name="Organization vDC Gateway: Configure Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/82beb471-ab7f-3e2b-a615-136ba6645525" name="Organization vDC Gateway: View IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9740be24-4dd7-373c-9237-91896338c11e" name="Organization vDC Gateway: View Static Routing" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/fb860afe-2e15-3ca9-96d8-4435d1447732" name="Organization vDC Gateway: View NAT" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/ff3fc70f-fd25-3c0a-9d90-e7ff82456be5" name="Organization vDC Gateway: Configure System Logging" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/7fee6646-ec0c-34c9-9585-aff6f4d92473" name="Organization vDC Gateway: View Firewall" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/eb525145-08e5-3934-91ef-ec80837c9177" name="Organization vDC Gateway: View OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/8e16d30d-1ae3-3fff-8d4b-64c342b186a9" name="Organization vDC Gateway: View DHCP" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/b755b050-772e-3c9c-9197-111c286f563d" name="Organization vDC Gateway: Configure Firewall" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/be1abe9a-7ddc-38f6-bdf3-94affb01e46b" name="Organization vDC Gateway: Configure DHCP" type="application/vnd.vmware.admin.right+xml"/>
    </RightReferences>
</Role>

NSX SP-Advanced:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Role xmlns="http://www.vmware.com/vcloud/v1.5" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:common="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5" xmlns:ovfenv="http://schemas.dmtf.org/ovf/environment/1" xmlns:ns9="http://www.vmware.com/vcloud/versions" name="NSX SP-Advanced Rights" id="urn:vcloud:role:1cde673c-3573-4e3a-a520-d03a83caef8d" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/1cde673c-3573-4e3a-a520-d03a83caef8d" type="application/vnd.vmware.admin.role+xml">
    <Link rel="edit" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/1cde673c-3573-4e3a-a520-d03a83caef8d" type="application/vnd.vmware.admin.role+xml"/>
    <Link rel="remove" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/1cde673c-3573-4e3a-a520-d03a83caef8d"/>
    <Description></Description>
    <RightReferences>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2cd03d47-38e1-337a-907c-8d5b6a5258f2" name="Organization vDC Distributed Firewall: Configure Rules" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/c9e19573-3d54-3d4a-98f2-f56e446a8ef9" name="Organization vDC Gateway: Configure NAT" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/b755b050-772e-3c9c-9197-111c286f563d" name="Organization vDC Gateway: Configure Firewall" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/fb860afe-2e15-3ca9-96d8-4435d1447732" name="Organization vDC Gateway: View NAT" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/4e61b5b8-0964-36b6-b021-da39aea724fc" name="Organization vDC Distributed Firewall: View Rules" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/209cde55-55db-33f1-8357-b27bba6898ed" name="Organization vDC Gateway: Configure IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/82beb471-ab7f-3e2b-a615-136ba6645525" name="Organization vDC Gateway: View IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/3b337aef-42a8-3ed1-8616-341152bc5790" name="Organization vDC Gateway: Configure OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/8e16d30d-1ae3-3fff-8d4b-64c342b186a9" name="Organization vDC Gateway: View DHCP" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2a097e48-f4c4-3714-8b24-552b2d573754" name="Organization vDC Gateway: View Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2c4eb5ac-15f5-33f0-8b4a-680b3a1d3707" name="Organization vDC Gateway: Configure BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9740be24-4dd7-373c-9237-91896338c11e" name="Organization vDC Gateway: View Static Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/84ddb40f-a49a-35e1-918e-3f11507825d7" name="Organization vDC Gateway: Configure Syslog" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/65439584-6aad-3c2c-916f-794099ee85bf" name="Organization vDC Gateway: View Remote Access" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/cdb0edb0-9623-30a8-89de-b133db7cfeab" name="Organization vDC Gateway: View SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/a5f5fc99-9afc-347b-9a31-f65f61f4416b" name="Organization vDC Gateway: Distributed Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/72c5e652-c8d7-3f19-ab83-283d30cb679f" name="Organization vDC Gateway: Configure Remote Access" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/92b7d500-6bb6-3176-b9eb-d1fda4ce444d" name="Organization vDC Gateway: Configure SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d9dabcab-579e-33c5-807b-dc9232bf7eff" name="Organization vDC Gateway: View BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/be1abe9a-7ddc-38f6-bdf3-94affb01e46b" name="Organization vDC Gateway: Configure DHCP" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/ff3fc70f-fd25-3c0a-9d90-e7ff82456be5" name="Organization vDC Gateway: Configure System Logging" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/27be9828-4ce4-353e-8f68-5cd69260d94c" name="Organization vDC Gateway: Configure Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/eb525145-08e5-3934-91ef-ec80837c9177" name="Organization vDC Gateway: View OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/f72af304-97b0-379e-9d6d-68eb89bdc6cf" name="Organization vDC Gateway: Configure Static Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/7fee6646-ec0c-34c9-9585-aff6f4d92473" name="Organization vDC Gateway: View Firewall" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/a100f6a0-2c81-3b61-90c3-c4dbd721b3a8" name="Organization vDC Distributed Firewall: Enable/Disable" type="application/vnd.vmware.admin.right+xml"/>
    </RightReferences>
</Role>

Finally, NSX-SP Enterprise:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Role xmlns="http://www.vmware.com/vcloud/v1.5" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:common="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5" xmlns:ovfenv="http://schemas.dmtf.org/ovf/environment/1" xmlns:ns9="http://www.vmware.com/vcloud/versions" name="NSX SP-Enterprise Rights" id="urn:vcloud:role:61d589ab-27ca-4e7a-be3e-656e0dcaa587" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/61d589ab-27ca-4e7a-be3e-656e0dcaa587" type="application/vnd.vmware.admin.role+xml">
    <Link rel="edit" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/61d589ab-27ca-4e7a-be3e-656e0dcaa587" type="application/vnd.vmware.admin.role+xml"/>
    <Link rel="remove" href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/role/61d589ab-27ca-4e7a-be3e-656e0dcaa587"/>
    <Description></Description>
    <RightReferences>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d6b35bfc-3309-3573-8e3d-6bdd1cb2b61f" name="vDC Group: Configure" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/72c5e652-c8d7-3f19-ab83-283d30cb679f" name="Organization vDC Gateway: Configure Remote Access" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/eeb2b2a0-33a1-36d4-a121-6547ad992d59" name="Organization vDC Gateway: Configure L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/f72af304-97b0-379e-9d6d-68eb89bdc6cf" name="Organization vDC Gateway: Configure Static Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/92b7d500-6bb6-3176-b9eb-d1fda4ce444d" name="Organization vDC Gateway: Configure SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2cd03d47-38e1-337a-907c-8d5b6a5258f2" name="Organization vDC Distributed Firewall: Configure Rules" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/65439584-6aad-3c2c-916f-794099ee85bf" name="Organization vDC Gateway: View Remote Access" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/c9e19573-3d54-3d4a-98f2-f56e446a8ef9" name="Organization vDC Gateway: Configure NAT" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/105191de-9e29-3495-a917-05fcb5ec1ad0" name="Organization vDC Gateway: View L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/be1abe9a-7ddc-38f6-bdf3-94affb01e46b" name="Organization vDC Gateway: Configure DHCP" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/63c53fdf-80e5-3e31-ab26-ec7cc36ea759" name="Multisite: System Operations" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/cdb0edb0-9623-30a8-89de-b133db7cfeab" name="Organization vDC Gateway: View SSL VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/4e61b5b8-0964-36b6-b021-da39aea724fc" name="Organization vDC Distributed Firewall: View Rules" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/8e16d30d-1ae3-3fff-8d4b-64c342b186a9" name="Organization vDC Gateway: View DHCP" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/ff3fc70f-fd25-3c0a-9d90-e7ff82456be5" name="Organization vDC Gateway: Configure System Logging" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/a100f6a0-2c81-3b61-90c3-c4dbd721b3a8" name="Organization vDC Distributed Firewall: Enable/Disable" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2a097e48-f4c4-3714-8b24-552b2d573754" name="Organization vDC Gateway: View Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/b755b050-772e-3c9c-9197-111c286f563d" name="Organization vDC Gateway: Configure Firewall" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/eb525145-08e5-3934-91ef-ec80837c9177" name="Organization vDC Gateway: View OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/6ad5a05b-0d30-3bb5-acb1-02e7710a5ae6" name="vDC Group: View" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/209cde55-55db-33f1-8357-b27bba6898ed" name="Organization vDC Gateway: Configure IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/7fee6646-ec0c-34c9-9585-aff6f4d92473" name="Organization vDC Gateway: View Firewall" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/fb860afe-2e15-3ca9-96d8-4435d1447732" name="Organization vDC Gateway: View NAT" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/27be9828-4ce4-353e-8f68-5cd69260d94c" name="Organization vDC Gateway: Configure Load Balancer" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/84ddb40f-a49a-35e1-918e-3f11507825d7" name="Organization vDC Gateway: Configure Syslog" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/3b337aef-42a8-3ed1-8616-341152bc5790" name="Organization vDC Gateway: Configure OSPF Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/6edbfce1-4705-3cff-8dc7-8c03d36a6d45" name="Site: Edit" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/a5f5fc99-9afc-347b-9a31-f65f61f4416b" name="Organization vDC Gateway: Distributed Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/9740be24-4dd7-373c-9237-91896338c11e" name="Organization vDC Gateway: View Static Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/975d07ed-9c05-3277-a926-3c65933eb738" name="Site: View" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/82beb471-ab7f-3e2b-a615-136ba6645525" name="Organization vDC Gateway: View IPSec VPN" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/2c4eb5ac-15f5-33f0-8b4a-680b3a1d3707" name="Organization vDC Gateway: Configure BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d9dabcab-579e-33c5-807b-dc9232bf7eff" name="Organization vDC Gateway: View BGP Routing" type="application/vnd.vmware.admin.right+xml"/>
        <RightReference href="https://vcd-01a.corp.local/api/admin/org/a93c9db9-7471-3192-8d09-a8f7eeda85f9/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
    </RightReferences>
</Role>

I hope this helps others on aligning to the VCPP NSX levels and how to establish NSX capabilities inside of a vCD environment.

Thanks!

-Daniel

Setting up VMware vCloud Director 9.5 for Cross-VDC Networking

In this post, I will be reviewing the necessary steps to support Cross-VDC Networking inside of VMware vCloud Director 9.5. These are fairly straightforward since it aligns to the standard requirements set forth from Cross-vCenter NSX.

Pre-Requisites:

  1. Multi-Site management must be configured between the vCloud Director instances. I will try to add a post on establishing this at a later time.
  2. Ensure you have a unique vCloud Director installation ID. If you have duplicate IDs, this can lead to MAC address conflicts. Fojta did a blog post on updating your ID – please accomplish this before continuing.

Cross-vCenter NSX Configuration

vCD 9.5 does require a standard Cross-vCenter NSX configuration implemented between the resource/payload vCenters before we can do any configuration at the vCloud Director level.

There are many guides out there, but here’s a link to the official VMware documentation on setting up cross-vCenter NSX.¬†

This can be a single or multi-SSO domain topology. In my environment, here’s what I’ve configured between my two sites: Site-A and Site-B.

  1. From the Networking and Security plugin, I’ve assigned my Site-A NSX Manager while linking Site-B NSX Manager as the secondary instance –¬†
  2. From there, I need to establish my Universal Segment ID pool and Transport Zone.
  3. Keep in mind you do not want to overlap with an existing Segment ID pool, so pick a number that’s high enough (or out of reach from other pools) –¬†
  4. From the Transport Zone screen, I’ve created my new Transport Zone named “Universal-TZ” –¬†
  5. Now I’m ready to connect it to my respective clusters on Site-A and Site-B. Keep in mind I need to hit the drop down for the NSX Manager and attach the respective cluster at your secondary (or additional) location.
  6. ¬†That’s it! Onto the next configuration which is at the vCloud Director level.

vCloud Director Initial Provider Setup

In this step, we need to assign the correlated NSX Manager to each vCenter instance that’s participating in the Cross-VDC networking solution. I will be showing how I’ve done this for my two sites, Site-A and Site-B, while establishing a fault domain.

  1. From my Site-A, navigate to System -> Manage & Monitor -> vSphere Resources -> vCenters –¬†
  2. We are going to right click, go to Properties of this vCenter –¬†
  3. From there, we need to go the NSX Manager tab. This is where we populate the following:
    1. Host/IP of NSX Manager
    2. Admin username
    3. Admin password
    4. Control VM Resource Pool vCenter Path – this can be either the MOref object id OR the ‘Cluster/RP’ path – I chose the former.
    5. Control VM Datastore Name – full name
    6. Control VM Management Interface Name – again, full name
    7. Network Provider Scope – now this is where we establish a fault domain. This Network Provider Scope could cover one or many vCenters in a single vCloud Instance. However, when we establish the vdc-Group, we must have a minimum of two different/unique fault domains (or network provider scope) inside of the created vdc-Group.
  4. Now, on my Site-B, I will configure my respective properties along with a Network Provider Scope of “region-b” –¬†
  5. Great! Next step is to add the Universal Transport Zone as a new network pool on each vCD instance. This is purely importing the created Universal-TZ and moving on, so very easy –¬†
  6. That’s it – now we are ready to enable a specific orgVDC for cross-VDC networking.

Enabling an orgVDC for Cross-VDC Networking

This is a very simple process – really just enable it on a per orgVDC basis.

  1. Go to your orgVDCs and right click on the orgVDC you want to enable cross-VDC Networking on. For example, I am enabling this on my Daniel oVDC’s –¬†
  2. Click on the Network Pool and Services sub-tab and you’ll see a new box below the Network Pool that states ‘Enable Cross VDC Networking (Using Network Pool “<Universal-TZ-Pool>”‘ Check this box.
    1. This still allows for local oVDC network creation using the traditional network pool as stated in the screenshot above – this is not a complete conversion to the Universal Transport Zone.
  3. Now, enabling this on my Site-B –¬†

Permissions/Rights required for Cross-VDC Networking

As discussed in the previous blog post, there are specific rights and roles required for Cross-VDC networking that are not enabled by default for the organization administrator. Please review these before the tenant utilizes Cross-VDC networking.

Cross-VDC Networking Permissions Review

Creation of the initial Cross-VDC Group

Now we are ready to test the creation of a new Cross-VDC group.

  1. Let’s log into the Tenant UI and we should see the Datacenter Groups from the context switching menu –¬†
  2. Now, I can create my first Cross-VDC group and start establishing my egress points. Awesome! 

More to come here on the Cross-VDC networking capabilities within vCD 9.5 from myself, Wissam Mahmassani, and Abhinav Mishra. Thanks!

-Daniel

Security Compliance – Pre-configure your vApp firewall rules inside vCloud Director using NSX DFW (Part 1 of 2)

This is a joint blog series with Wissam Mahmassani 

Today, we will be discussing pre-configured firewall rules for vApps inside of vCloud Director (vCD).

Recently, I received a request from a new provider that wants to deploy a specific vApp when they onboard a new tenant (or organization). This specific vApp will need to have NSX Distributed Firewall rules in place – the vApp will be the same for every tenant and will need to be secured accordingly.

While this is a Provider managed approach, this is a very simple way of “stamping” out vApps or other required virtual machines that need specific policies applied to them. Moreover, we would like an automatic way to pick up the associated DFW rules so it’s one less step for the Provider.

Overall Steps:

  1. Creation of a Security Group with Dynamic Membership
  2. Creation of a Security Policy
  3. Activating Security Policy against Security Group
  4. Creating vApp that meets dynamic membership criteria

Creation of a Security Group with Dynamic Membership

  1. Navigate to Menu -> Networking and Security -> Service Composer
  2. The first thing we are going to do is create a Security Group that will associate the VMs based on criteria.
  3. The easiest way to do this is by using a dynamic membership policy. We want to apply this group to any VM’s that meet a specific name. In my example, I’m going to be utilizing “mgmt-pod” as my criteria –¬†
  4. Click Finish, and we are off to the next step.

Creation of a Security Policy

  1. Let’s click on the Security Policies tab inside of Service Composer and create a new Security Policy –¬†
  2. Let’s give it a name – I am using Standard vApp DFW Rules.¬†
  3. From here, we can click on Firewall Rules and create our rules. In my example, I am going to let HTTPS traffic in and block everything else. Typically, for micro-seg rules, we would create granular rules to secure all types of traffic. I am using these just as an example. 
  4. Creating DFW policies is fairly straightforward in the Service Composer –¬†

Activating Security Policy against Security Group

  1. Now, we are ready to apply our newly created policy to our group. Click the Apply button while your newly created policy is selected –¬†
  2. From the pop-up window, we will select our Standard vApp Rule group as a Selected Object –¬†
  3. Success – now we can see it has been applied –
  4. From the DFW view, we can see a new section created with associated DFW rules –¬†
    1. Solid note from Tom Fojta“Do not forget the order of DFW sections is important. If tenant‚Äôs DFW VDC section is above and he creates any-any-allow rule it will nullify provider rules. Tenant sections¬†are created by default on top unless forced with API to be created at the bottom.”

Creating vApp that meets dynamic membership criteria

  1. Now from my Provider UI, I am going to go ahead and create my Management vApp for a new tenant. Again, the context is this would be managed by the Provider initially while we are inheriting the Security Group set forth above. 
  2. Once my vApp is up, I can verify that I am unable to access via ICMP which meets my criteria. We can see the Standard vApp Rule group was associated with the vApp and I am unable to ping it. 

While this is not the only path of securing Provider-managed VM’s for a tenant. Check out Wissam’s approach here by utilizing Resource Pools!

-Daniel

A deeper look at vCloud Director and NSX Distributed Logical Router and Firewall Services with Usage Meter feature detection

Need to work on my titles, but that’s what I have for now. I want to spend some time reviewing how NSX Distributed, Edge, and DLR Firewall services behave in respect to vCloud Director and vCloud Usage Meter.

Some may know vCloud Usage Meter provides automated feature detection on a per-VM basis – essentially allowing granular-level billing for tenants. For example, tenant ACME may have 5 VM’s that need Distributed Firewall¬†out of 20 – why charge them for all if they aren’t using it? Since version 3.6 of Usage Meter, this feature has been applied on a per VM level, for the most part.

There are three different versions of NSX available in the Cloud Provider Program –

We can see that your basic fundamentals are available in SP Base: your distributed switching and routing, Edge Firewall services, NAT’ing, etc. Advanced adds in Distributed Firewalling, Service Insertion and other advanced functionality while Enterprise is adding in X-vCenter NSX, HW VTEP integration.

Second, let’s take a look at the chart for NSX Editions by Feature. This comes from our vCloud Usage Meter Feature Detection whitepaper. Don’t have it? Get on VMware Partner Central and grab a copy.

Take note at the statement of “All VMs on all networks serviced by the edge” – this means even if you have a VM on that edge that does not use that feature, it will charge for it since it still has access¬†to it. For example, if you set up a L2VPN on an Edge, be aware that any other connected networks will be charged for NSX Enterprise even though they may not be able to traverse to that tunnel!

Lab Setup

I wanted to design a DLR environment within vCD along with using Edge and Distributed Firewall rules. I came up the following design in my 9.x environment:

  1. Creating an NSX Distributed Logical Router (DLR) is pretty easy. Select the Advanced Gateway box and check Enable Distributed Routing. You can also enable Distributed Routing on any existing Advanced Edge –¬†
  2. The great thing about how vCloud Director creates Distributed Routing is it’s actually two Edges – a standard perimeter edge along with the DLR southbound. The transit interface is created as a /30 while applying static routes for any connected DLR interface. DLR’s default gateway is the Edge transit interface. Below is what I can see inside of NSX.¬†

Using the NSX Distributed Logical Router is in the NSX Base bundle and covered by Advanced SP Bundle, which is great for providers. However, Edge Firewall services are only available in the NSX Base bundle, where some providers may want to provide “high-powered” firewalling services.

The key difference between Edge and Distributed Firewall services is we do not hairpin for forwarding decisions in the DFW model: the decision is made inside of the hypervisor before the packet ever egresses anywhere. Hence, provides better throughput and capability compared to Edge or traditional firewall services – check out Wissam’s discussion on DFW capabilities here.¬†

vCD Access to Edge Firewall vs Distributed Firewall

I think Tomas did a great job of summarizing vCD Firewall capabilities and pointing out some of the architecture differences between the two firewall technologies.

From a vCD UI access point of view, you have to access the firewall services in two different places.

  1. Edge Firewall services are accessed by right-clicking on the Edge Gateway and selecting Edge Services. Makes sense, right? 
  2. Now Distributed Firewall management is accessed by right-clicking on the organization VDC and clicking on Manage Firewall. Not my favorite and doesn’t state DFW, but this is how it’s accessed today in the Flex UI.¬†

NSX Distributed Firewall Changes

Okay, let’s get into a few scenarios and test out how Usage Meter will put up the changes.

  1. I freshly created my three vApps: T1-App-1, T1-DB-01, T1-DLR-tclinux-01/02a (Web Servers). We can run a VM History Report and pick them up and see they all have been associated with the Advanced Bundle initially. I will try to point out the vROps and NSX column in the following discussion, but we will be looking for a checkmark and an “A” that refers to Advanced usage.¬†
  2. So let’s go ahead and crack open the DFW and start carving up some rules. This is a simple 3-tier architecture so I’m going to lay out allowing web, web to app traffic, app to DB, allowing SSH to App and DB, and blocking everything else in Web, App, and DB Tiers.¬†
  3. As you can see, the Applied To for my deny rule is only applied to my three Distributed Routing tiers (or routed Org VDC Networks). Not only is this a good NSX practice, this cuts down on who gets charged for NSX Advanced!
  4. Now looking at the DFW rules from vCenter, I can see vCD created the tenant folder and applied the policies in order. Very streamlined. 
  5. Now let’s check to see if my new rules work. Yep, I can still SSH to my VM’s but do not receive any ICMP replies. Perfect!¬†

How did Usage Meter detect the changes?

  1. So let’s now take a look at the Usage Meter VM History Report. What’s fascinating is Usage Meter tracks every move called state change. We can see in my tclinux-vApp (or Web) that it tracked when it started using Base NSX usage, then switched to Advanced, then my vROPs Enterprise instance picked it up and added it to its inventory. All in a very short timespan. Very useful!¬†
  2. With the DB and App layers, we see something very similar – vROps Enterprise, however, picked up these VM’s first and then we see Advanced NSX usage.¬†
  3. Now, I can see a few new line items populated on my Customer Monthly Usage and Monthly Usage report. I now see Advanced Bundle with Networking, Advanced Bundle with Management, Advanced Bundle with Networking and Management.
  4. This is to be expected since my VM’s went through a few iterations – my Web VM’s initially went with NSX Advanced without vROps which falls in the Advanced with Management while DB/App started using NSX Advanced without vROps registration (Advanced with Networking bundle). Last of all, all three are now assigned to the Advanced w/Networking and Management since we are using NSX Advanced features along with vROps Enterprise.
  5. While I see the new line items, I don’t see any units to be reported. Why? Well, I have some very small VM’s (256MB in vRAM) and they just ran a few hours during this testing. Keep in mind Usage Meter averages out the usage over the entire calendar month (720 hours for a 30 day period or 744 hours in a 31 day period). Again, to be expected but was pleased that new categories were added immediately.

In summary, Usage Meter does a great job of detecting NSX feature usage and bills it accordingly based on a specific service – Distributed Firewall being one of them. Thanks!

-Daniel