VMware Cloud Community
virtualhobbit
Enthusiast

Trying to create Edge Gateway firewall rules

Hi,

I'm trying to create a few simple Edge Gateway firewall rules in vCloud Air using the following:

# Variables
$region = "de-ge"
$regionstar = $region + "*"
$credential = Get-Credential
$csvFile = "<path to rules CSV>"   # assumed: not defined in the posted script; the CSV contents are shown below

# Connect to vCloud Air
Connect-PIServer -vCA -credential $credential -WarningAction 0 -ErrorAction 0

# Connect to compute instance
Get-PIComputeInstance -Region $regionstar | Connect-PIComputeInstance -WarningAction 0 -ErrorAction 0

# Select Edge Services Gateway
$edgeGateway = Search-Cloud -QueryType edgegateway | Where-Object {$_.Name -eq "gateway"}

# Generate view
$edgeView = $edgeGateway | Get-CIView

# Item to Configure Services
$edgeView.Configuration.EdgeGatewayServiceConfiguration

# Begin configuration
$fwService = New-Object vmware.vimautomation.cloud.views.firewallservice
$fwService.DefaultAction = "drop"
$fwService.LogDefaultAction = $false
$fwService.IsEnabled = $true
$fwService.FirewallRule = New-Object vmware.vimautomation.cloud.views.firewallrule
$fwService.FirewallRule += New-Object vmware.vimautomation.cloud.views.firewallrule

# Read one rule per CSV row (Import-Csv / ForEach-Object are the full names of ipcsv / ForEach)
Import-Csv -Path $csvFile | ForEach-Object {
  $fwService.FirewallRule += New-Object vmware.vimautomation.cloud.views.firewallrule
  $rowNum = $_.Num -as [int]
  $fwService.FirewallRule[$rowNum].Id = $_.Num
  $fwService.FirewallRule[$rowNum].description = $_.Descr
  $fwService.FirewallRule[$rowNum].protocols = New-Object vmware.vimautomation.cloud.views.firewallRuleTypeProtocols
  switch ($_.Proto)
  {
    "tcp" { $fwService.FirewallRule[$rowNum].protocols.tcp = $true }
    "udp" { $fwService.FirewallRule[$rowNum].protocols.udp = $true }
    "any" { $fwService.FirewallRule[$rowNum].protocols.any = $true }
    default { $fwService.FirewallRule[$rowNum].protocols.any = $true }
  }
  $fwService.FirewallRule[$rowNum].sourceip = $_.SrcIP
  if ($_.SrcPort -eq "any") {
    $srcPort = "-1"
  } else {
    $srcPort = $_.SrcPort
  }
  $fwService.FirewallRule[$rowNum].sourceport = $srcPort
  $fwService.FirewallRule[$rowNum].destinationip = $_.DstIP
  $fwService.FirewallRule[$rowNum].destinationportrange = $_.DstPortRange
  $fwService.FirewallRule[$rowNum].policy = $_.Policy
  $fwService.FirewallRule[$rowNum].direction = $_.Direction
  $fwService.FirewallRule[$rowNum].MatchOnTranslate = [System.Convert]::ToBoolean($_.MatchOnTranslate)
  $fwService.FirewallRule[$rowNum].isenabled = [System.Convert]::ToBoolean($_.isEnabled)
  $fwService.FirewallRule[$rowNum].enablelogging = [System.Convert]::ToBoolean($_.EnableLogging)
}

# Apply rules
$edgeView.ConfigureServices($fwService)

# Disconnect from vCloud Air
Disconnect-PIServer -Confirm:$false

CSV consists of:

Num,Descr,Proto,SrcIP,SrcPort,DstIP,DstPortRange,Policy,Direction,MatchOnTranslate,isEnabled,EnableLogging
0,Allow SSH in,tcp,any,any,192.168.109.0/24,22,allow,in,true,true,false
1,Allow HTTP in,tcp,any,any,192.168.109.0/24,80,allow,in,true,true,false
2,Allow all outgoing,any,any,any,any,any,allow,out,true,true,false

However I get the following error:

Exception calling "ConfigureServices" with "1" argument(s): "Bad request  - Unexpected JAXB Exception  - cvc-complex-type.2.4.b: The content of element 'q1:FirewallRule' is not complete. One of
'{"http://www.vmware.com/vcloud/v1.5":VCloudExtension, "http://www.vmware.com/vcloud/v1.5":Id, "http://www.vmware.com/vcloud/v1.5":IsEnabled, "http://www.vmware.com/vcloud/v1.5":MatchOnTranslate,
"http://www.vmware.com/vcloud/v1.5":Description, "http://www.vmware.com/vcloud/v1.5":Policy, "http://www.vmware.com/vcloud/v1.5":Protocols, "http://www.vmware.com/vcloud/v1.5":IcmpSubType, "http://www.vmware.com/vcloud/v1.5":Port,
"http://www.vmware.com/vcloud/v1.5":DestinationPortRange, "http://www.vmware.com/vcloud/v1.5":DestinationIp, "http://www.vmware.com/vcloud/v1.5":DestinationVm}' is expected."
At C:\Users\mark\Dropbox\runme.ps1:41 char:1
+ $edgeView.ConfigureServices($fwService)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CloudException

Obviously I'm missing something. Any ideas what it could be?

Any help is greatly appreciated,

-Mark

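An added example (not the original poster's script, and not code from VMware or the PowerCLI documentation) showing another way to build the same rule set from the CSV above. Judging from the script in the post, one likely reason the server reports an incomplete FirewallRule element is that the FirewallRule array is seeded with two empty rule objects and then grows by one more empty object per row before row $rowNum is filled in, so the three-row CSV leaves trailing rule objects with no Id, IsEnabled or Policy, which are exactly the elements the schema error lists as expected. The version below builds one complete rule per row, validates each row before anything is sent, and keeps the default policy at drop. It assumes the same PowerCLI view types and property names as the post, an already obtained $edgeView, and a $csvFile pointing at that CSV; ConvertTo-FirewallRule is a helper name chosen for this example.

```powershell
# Added example, not the poster's script. Assumes $edgeView (from Get-CIView) and
# $csvFile (path to the CSV shown in the post) are already set, and uses the same
# VMware.VimAutomation.Cloud.Views types and property names as the post.

function ConvertTo-FirewallRule {
    # Turn one CSV row into a fully populated FirewallRule view object.
    # Rejecting a bad row here keeps a half-filled rule from ever reaching the gateway.
    param([Parameter(Mandatory = $true)] $Row)

    foreach ($field in 'Num', 'Descr', 'Proto', 'SrcIP', 'SrcPort', 'DstIP', 'DstPortRange', 'Policy', 'Direction') {
        if ([string]::IsNullOrWhiteSpace($Row.$field)) {
            throw "Row '$($Row.Num)': missing value for column '$field'"
        }
    }
    if ($Row.Policy -notin 'allow', 'drop') { throw "Row '$($Row.Num)': Policy must be allow or drop" }
    if ($Row.Direction -notin 'in', 'out') { throw "Row '$($Row.Num)': Direction must be in or out" }

    $rule = New-Object VMware.VimAutomation.Cloud.Views.FirewallRule
    $rule.Id          = $Row.Num
    $rule.Description = $Row.Descr
    $rule.Policy      = $Row.Policy
    $rule.Direction   = $Row.Direction

    $rule.Protocols = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols
    switch ($Row.Proto) {
        'tcp'   { $rule.Protocols.Tcp = $true }
        'udp'   { $rule.Protocols.Udp = $true }
        'any'   { $rule.Protocols.Any = $true }
        # A typo in the Proto column must not silently widen the rule to every protocol.
        default { throw "Row '$($Row.Num)': unknown protocol '$($Row.Proto)'" }
    }

    $rule.SourceIp = $Row.SrcIP
    # The post uses -1 for "any" source port; anything else must parse as a number.
    $srcPort = if ($Row.SrcPort -eq 'any') { -1 } else { [int]$Row.SrcPort }
    $rule.SourcePort           = $srcPort
    $rule.DestinationIp        = $Row.DstIP
    $rule.DestinationPortRange = $Row.DstPortRange
    $rule.MatchOnTranslate     = [System.Convert]::ToBoolean($Row.MatchOnTranslate)
    $rule.IsEnabled            = [System.Convert]::ToBoolean($Row.isEnabled)
    $rule.EnableLogging        = [System.Convert]::ToBoolean($Row.EnableLogging)
    return $rule
}

# One rule object per CSV row: the array is built from the converted rows, so there
# are no pre-allocated or trailing empty FirewallRule objects to fail schema validation.
$rules = @(Import-Csv -Path $csvFile | ForEach-Object { ConvertTo-FirewallRule -Row $_ })
if ($rules.Count -eq 0) { throw "No rules read from $csvFile" }

# Rule Ids must be unique; a duplicate would make one row overwrite another on the gateway.
$dupes = $rules | Group-Object -Property Id | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "Duplicate rule Ids in CSV: $(($dupes | ForEach-Object Name) -join ', ')" }

$fwService = New-Object VMware.VimAutomation.Cloud.Views.FirewallService
$fwService.IsEnabled        = $true
$fwService.DefaultAction    = 'drop'   # default deny: only the CSV rules open anything
$fwService.LogDefaultAction = $true    # log default-policy drops so unexpected traffic is visible
$fwService.FirewallRule     = $rules

# Show exactly what is about to be applied before touching the Edge.
$rules |
    Select-Object Id, Description, Policy, Direction, SourceIp, SourcePort, DestinationIp, DestinationPortRange |
    Format-Table -AutoSize

$edgeView.ConfigureServices($fwService)
```

Listing the rules before ConfigureServices leaves a reviewable record of what is being opened on the gateway, a rejected row stops the run before any partial configuration is sent, and turning LogDefaultAction on means traffic dropped by the default policy shows up in the gateway logs rather than disappearing silently.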
1 Reply
alanrenouf
VMware Employee

I didn't have a chance to look at the code but I wondered if you saw my module here; I wrote some code for vShield Edge manipulation and I think I remember trying it against vCloud Air and it working with some adjustments. If you have time check out the code here: http://www.virtu-al.net/2012/01/04/vmware-vshield-powershell-module/

If it doesn't help let me know and I will try and find time to look at this properly.

Blog: http://virtu-al.net Twitter: http://twitter.com/alanrenouf Co-author of the PowerCLI Book: http://powerclibook.com