vRealize Automation 7 introduces some new big features for Networking and Security integrations like support for On Demand Security Groups, on demand load balancers, and Security Tags from the blueprint layout.
In order to use these features, you’ll need a functioning NSX installation, and then need to do the following configuration tasks to get it all working-
1. Add an NSX Manager in your vRealize Orchestrator client
vRealize Automation 7 uses vRealize Orchestrator to execute operations against NSX. You will need to navigate the vRA 7 landing page and click the Orchestrator Client link (if you are using the embedded vRO, otherwise, navigate to the landing page for your external vRO appliance)
Use your email@example.com (or vRO admin credentials) to log in, and navigate to /Library/NSX/Configuration/Create NSX Endpoint to start the endpoint creation:
After the endpoint is added, verify you are able to browse the NSX inventory on the inventory tab:
This completes the addition of NSX to vRO.
2. Add Orchestrator as an endpoint to vRealize Automation
To use Orchestrator to manipulate NSX objects, it must be added as a new endpoint. Do not confuse this with the Orchestrator configuration options under the Administration tab- those are used from XaaS blueprints rather than VM provisioning. The endpoint configuration options you need are located under Infrastructure / Endpoints.
One important change to note for the embedded vRealize Orchestrator 7 is the API interface is NOT running on port 8281 anymore, I’ve posted my example URL below:
Make sure to use credentials that are tested by using them to log in to the vRO instance. Also, you will need to add a custom property for vRO priority- VMware.VCenterOrchestrator.Priority = 1 (or another number if you are ordering multiple vRO instances).
Once you’ve added the endpoint, you will want to make sure data collection completes successfully. If Data Collection fails, go back thru all your endpoint configuration and make sure it is correct.
3. Specify manager for network and security platform
Once the orchestrator has been configured to connect to the NSX Manager, you need to specify and bind the NSX manager to the vSphere Endpoint- This is done under Infrastructure/Endpoints (if you do not see this tab, try logging in as firstname.lastname@example.org or email@example.com)-
Once configured, you should be able to initiate Data Collection on the Compute Resource (not located on properties of the endpoint)- The Compute Resource should be available at Infrastucture / Compute Resources / Compute Resources. You should your relevant compute resources by cluster name:
When in the data collection screen, scroll to the bottom and check the Networking and Security Data Collection. If everything is configured successfully, you should see a successful data collection after it completes-
Once data collection completes successfully, you should be able to include NSX constructs in your blueprint design- below, you can see a on-demand security group being added to a blueprint-
The on demand and blueprint layout features really make configuration and deployment of complex multi tier applications and custom firewall rulesets in NSX significantly easier to deploy- less than 6 months ago this sort of feature set would require extensive custom vRO code. It is great to see it in the core product now.