vRealize Automation 7: Adding NSX Integration


vRealize Automation 7 introduces some big new features for networking and security integration, such as support for on-demand security groups, on-demand load balancers, and security tags from the blueprint layout.

In order to use these features, you'll need a functioning NSX installation, and then need to complete the following configuration tasks to get it all working:

1. Add an NSX Manager in your vRealize Orchestrator client

vRealize Automation 7 uses vRealize Orchestrator to execute operations against NSX. You will need to navigate to the vRA 7 landing page and click the Orchestrator Client link (if you are using the embedded vRO; otherwise, navigate to the landing page for your external vRO appliance).

vRealize Automation Landing Page

Use your administrator@vsphere.local (or vRO admin credentials) to log in, and navigate to /Library/NSX/Configuration/Create NSX Endpoint to start the endpoint creation:

vRealize Orchestrator: Add an NSX Endpoint

After the endpoint is added, verify you are able to browse the NSX inventory on the inventory tab:

Browse NSX Inventory from vRO

This completes the addition of NSX to vRO.

2. Add Orchestrator as an endpoint to vRealize Automation

To use Orchestrator to manipulate NSX objects, it must be added as a new endpoint. Do not confuse this with the Orchestrator configuration options under the Administration tab; those are used by XaaS blueprints rather than VM provisioning. The endpoint configuration options you need are located under Infrastructure / Endpoints.

Add Orchestrator Endpoint

One important change to note for the embedded vRealize Orchestrator 7 is that the API interface is NOT running on port 8281 anymore. I've posted my example URL below:

https://mycloud.j2sys.local/vco

Make sure to use credentials that you have tested by logging in to the vRO instance with them. Also, you will need to add a custom property for vRO priority: VMware.VCenterOrchestrator.Priority = 1 (or another number if you are ordering multiple vRO instances).

vRO Endpoint Config

Once you've added the endpoint, you will want to make sure data collection completes successfully. If data collection fails, go back through all your endpoint configuration and make sure it is correct.

vRO Data Collection


3. Specify manager for network and security platform

Once Orchestrator has been configured to connect to the NSX Manager, you need to specify and bind the NSX Manager to the vSphere endpoint. This is done under Infrastructure / Endpoints (if you do not see this tab, try logging in as configurationadmin@vsphere.local or administrator@vsphere.local):

Networking and Security Config

Once configured, you should be able to initiate data collection on the compute resource (not on the properties of the endpoint). The compute resource should be available at Infrastructure / Compute Resources / Compute Resources. You should see your relevant compute resources listed by cluster name:

Compute Resources Data Collection

When in the data collection screen, scroll to the bottom and check Networking and Security Data Collection. If everything is configured correctly, you should see a successful data collection after it completes:


Networking and Security Data Collection

Once data collection completes successfully, you should be able to include NSX constructs in your blueprint design. Below, you can see an on-demand security group being added to a blueprint:

Networking and Security Blueprint Components


The on-demand and blueprint layout features make configuration and deployment of complex multi-tier applications and custom firewall rulesets in NSX significantly easier. Less than 6 months ago this sort of feature set would have required extensive custom vRO code, so it is great to see it in the core product now.

VMworld 2015


VMworld 2015 was great. This was actually my first year attending VMworld and I definitely understand all the buzz around the event. I met a lot of great new contacts, saw former customers, and was able to deliver a well-received session.

My VMworld session was on automation of the NSX distributed firewall using vRealize Automation and the NSX HTTP REST API.

We had 376 pre-registered participants, with 221 attendees actually checking in. The session survey also posted excellent results:

Poor 0%
Fair 2.56 %
Good 15.38 %
Very Good 43.59 %
Excellent 38.46 %

If you missed the session at VMworld San Francisco, we will be presenting it at VMworld Europe 2015 in Barcelona, the US Tech Summit in Chicago, and the APJ Tech Summit in Singapore.

vRA 6.2.1 Remote Console with Load Balancer

I was working with a client today to troubleshoot and resolve issues with the vRA (vCAC) 6.2.1 Remote Console through an F5 load balancer. Here are the key takeaways for getting it to work:

  • You will need a new pool or port service for port 8444. This is the port used from the client system to the vRA web appliance.
  • The vRA web appliance must have connectivity to vCenter on port 443 and to the ESXi host where the VM resides on port 902.
  • If using F5 BIG-IP with a version earlier than 11.4.0, there is a bug where the load balancer drops WebSocket traffic. WebSocket traffic is used for the remote console in vRA 6.2.1. Here is the knowledge base article:

https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14814.html

The workaround is documented in the article, but is essentially to not use an HTTP profile for the 8444 load balancing pool and to configure it to pass raw TCP traffic instead. I've included a screenshot below:
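The three takeaways above are all things you can verify before touching the load balancer config. The script below is an added example (not from the original post or from F5/VMware): it checks plain TCP reachability on the ports the post lists, then performs a real RFC 6455 WebSocket handshake over TLS on port 8444 and classifies the answer, so a BIG-IP HTTP profile that strips the Upgrade headers shows up as "rejected" rather than a vague console timeout. The host names, the console path and the CA file are placeholders you must replace with your own.

```python
"""Pre-flight checks for the vRA 6.2.1 remote console behind a load balancer.

Added example. Host names below are placeholders (assumed), not values from
the post; replace them with your vRA web appliance, vCenter and ESXi hosts.
"""
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455

# Port requirements from the post: client -> vRA web on 8444,
# vRA web -> vCenter on 443, vRA web -> ESXi host of the VM on 902.
REQUIRED_PORTS = [
    ("vra-web.example.local", 8444, "client -> vRA web (remote console)"),
    ("vcenter.example.local", 443, "vRA web -> vCenter"),
    ("esxi01.example.local", 902, "vRA web -> ESXi host of the VM"),
]


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expected_accept(key):
    """Sec-WebSocket-Accept value a compliant server must return for `key`."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host, path, key):
    """Minimal RFC 6455 client handshake request, as bytes."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")


def parse_upgrade_response(raw, key):
    """Classify what came back for the handshake built with `key`.

    'upgraded'    -> 101 with a correct Accept header; WebSocket traffic passes
    'rejected'    -> some other HTTP status (e.g. an HTTP profile dropped the
                     Upgrade headers and the backend answered a plain request)
    'bad-accept'  -> 101 but the Accept header does not match the key
    'no-response' -> connection closed without an HTTP reply
    """
    if not raw:
        return "no-response"
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].isdigit():
        return "no-response"
    if status[1] != "101":
        return "rejected"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "bad-accept"
    return "upgraded"


def websocket_handshake(host, port, path="/", cafile=None, timeout=5.0):
    """Open TLS to host:port, send the handshake and classify the response."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: your lab CA, if any
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(build_upgrade_request(host, path, key))
                raw = tls.recv(4096)
    except OSError:
        return "no-response"
    return parse_upgrade_response(raw, key)


if __name__ == "__main__":
    for host, port, role in REQUIRED_PORTS:
        state = "open" if tcp_open(host, port) else "CLOSED"
        print(f"{role}: {host}:{port} -> {state}")
    # "/console" is an assumed path; use whatever path the console client opens.
    print("WebSocket via LB on 8444:",
          websocket_handshake("vra-web.example.local", 8444, "/console"))
```

Run it from the client side for the 8444 check and from the vRA web appliance for the 443 and 902 checks, since those are the hops the post describes. Before changing any F5 profile, compare the handshake result against the load balancer VIP with the result against a pool member directly: "upgraded" on the member and "rejected" on the VIP points at the HTTP profile rather than at vRA.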

F5 WebSockets workaround


Hope this helps! -Justin

vCAC CPU Memory Hot Add Disable

Today while working with a client we encountered an issue where CPU and Memory Hot Add were causing failures when a VM was edited. vCAC showed the VM stuck in the state On (Reconfigure.WaitingForRetry).

Here is what it looks like in vCAC 6.1: (click for zoom)

Reconfigure.WaitingForRetry

In vCenter, the task to reconfigure CPU and memory fails, with the failure looking like this:

vCenter hotadd fail

To fix this, there are two options:

  1. Configure vCenter templates to support Hot Add (if the guest OS supports it).
  2. Disable CPU/Memory Hot Add by adding a custom property to the blueprint or a build profile.

Let's look at option 1 first. Edit the VM in vCenter (if it is a template, convert it to a VM first, then edit):

Navigate to the Options tab and choose Memory/CPU Hotplug.

vCenter Enable Hotadd

For the second solution (disabling CPU/Memory Hot Add), you can add the following custom properties:

  • VirtualMachine.Reconfigure.DisableHotCpu = true
  • VirtualMachine.Reconfigure.DisableHotMemory = true

Lastly, for VMs stuck in the Reconfigure.WaitingForRetry state, make sure you have entitlements for Execute Reconfigure and Cancel Reconfigure, which should allow you to shut down the VM and then execute the reconfigure, or cancel it.

Note: The custom properties added for disabling Hot Add will only apply to NEW VMs deployed; existing VMs will have to have the custom properties added manually.