VMware Networking Community
DavidPeyton
Contributor

Cannot Create NSX Edge NAT Rule with REST API JSON

NSX 6.4.3 on vSphere 6.7; I would assume this is the same for NSX 6.4.x and vSphere 6.x.

Given a proper auth Token and REST API Url to post a new NAT Rule to, what is the proper format for JSON as the body of the POST to create a new NAT Rule?

URL: https://<Server FQDN>/api/4.0/edges/<Edge Gateway Id>/nat/config/rules

Method: POST

Header Info:

ContentType: application/json

Accept: application/json

Authorization: AUTHTOKEN <AuthToken>

JSON Body:

{
  "dnatMatchDestinationPort": "any",
  "ruleTag": "70000",
  "description": "NAT Rule 1",
  "vnic": 0,
  "originalAddress": "192.168.128.204",
  "enabled": "true",
  "translatedPort": "any",
  "protocol": "any",
  "loggingEnabled": "true",
  "action": "dnat",
  "dnatMatchSourceAddress": "any",
  "translatedAddress": "192.168.10.4",
  "originalPort": "any"
}

When we POST using this method we get this response:

{"errorCode":10050,"details":"Invalid input ''{0}'' provided for field {1}.","rootCauseString":"natRules","moduleName":"vShield Edge"}

We have tried wrapping that JSON Body under a Key: natRule and even adding that under a Key: natRules, i.e. {"natRules" : {"natRule": <above JSON Body>}}, regardless of what combination we have tried we continue to get the same response.

Also, we know about PowerNSX and use it. We are trying to create an idempotent script that will create or update based on whether the object already exists and its properties are different than requested. Rather than use PowerNSX to create and some other method to update, we want to use the same script and just change the method. JSON is much easier to work with and we want to avoid XML. We know XML works; the question is about JSON.

sk84
Expert

{"errorCode":10050,"details":"Invalid input ''{0}'' provided for field {1}.","rootCauseString":"natRules","moduleName":"vShield Edge"}

It's complaining about the first value in the first field.

And if I look at the NSX API reference I can not find the parameter "dnatMatchDestinationPort".

Only "dnatMatchSourcePort" for dnat rules and "snatMatchDestinationPort" for snat rules.

See: https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/nsx_64_api.pdf (page 362 and 363)

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
DavidPeyton
Contributor

sk84

You are correct, I had that property name wrong. Fixed that and ran again with the same result.

We are even trying to make sure the properties are in the proper sequence/order, basing it off the web reference for the request XML:

https://vdc-repo.vmware.com/raw.githubusercontent.com/vmware/nsxraml/6.4/html-version/nsxvapi.html#p...

The XML Schema shows a sequence:


   <xs:sequence>
   <xs:element type="xs:string" name="action"/>
   <xs:element type="xs:string" name="vnic"/>
   <xs:element type="xs:string" name="originalAddress"/>
   <xs:element type="xs:string" name="translatedAddress"/>
   <xs:element type="xs:string" name="dnatMatchSourceAddress"/>
   <xs:element type="xs:string" name="snatMatchDestinationAddress"/>
   <xs:element type="xs:string" name="loggingEnabled"/>
   <xs:element type="xs:string" name="enabled"/>
   <xs:element type="xs:string" name="description"/>
   <xs:element type="xs:string" name="protocol"/>
   <xs:element type="xs:string" name="translatedPort"/>
   <xs:element type="xs:string" name="originalPort"/>
   <xs:element type="xs:string" name="dnatMatchSourcePort"/>
   <xs:element type="xs:string" name="snatMatchDestinationPort"/>
   </xs:sequence>

We have made an ordered hash table and still same error. Not sure if maybe it is a sequence thing or we are missing some element.

DavidPeyton
Contributor

As a quick update, the JSON body has been updated to:

{
  "action": "dnat",
  "vnic": "0",
  "originalAddress": "192.168.200.204",
  "translatedAddress": "192.168.10.4",
  "dnatMatchSourceAddress": "any",
  "loggingEnabled": "true",
  "enabled": "true",
  "description": "NAT Rule 1",
  "protocol": "any",
  "translatedPort": "any",
  "originalPort": "any",
  "dnatMatchSourcePort": "any"
}

sk84
Expert

With your JSON body I received the same error message in our test lab.

But I have looked at what the JSON Body looks like when I request all nat rules via "GET https://{NSXMANAGER}/api/4.0/edges/{EDGE-ID}/nat/config" and tried something around.

At the end this body has worked for me:

{
     "natRulesDtos": [
          {
               "dnatMatchDestinationPort": "any",
               "ruleTag": "70000",
               "description": "NAT Rule 1",
               "vnic": "0",
               "originalAddress": "192.168.128.204",
               "enabled": true,
               "translatedPort": "any",
               "protocol": "any",
               "loggingEnabled": true,
               "action": "dnat",
               "dnatMatchSourceAddress": "any",
               "translatedAddress": "192.168.10.4",
               "originalPort": "any"
          }
     ]
}

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
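
Added example, not part of the thread and not VMware's or PowerNSX's code: a Python sketch of the create-or-update decision the question asks for, using the natRulesDtos wrapper and value types from the body that worked above. The identity fields used to match an existing rule, the sample rules and the ruleId value are assumptions constructed for illustration; the existing rules are passed in as a list the caller has already extracted from a GET.

```python
import json

# Types follow the body that worked in the answer: JSON booleans, vnic as a string.
BOOL_FIELDS = ("enabled", "loggingEnabled")
# Assumption: which fields identify "the same rule"; adjust for your environment.
IDENTITY_FIELDS = ("action", "vnic", "originalAddress", "originalPort", "protocol")

def normalize_rule(rule):
    """Return a copy of a flat rule with the value types the working body used."""
    out = dict(rule)
    for field in BOOL_FIELDS:
        value = out.get(field)
        if isinstance(value, str):
            if value.lower() not in ("true", "false"):
                raise ValueError(f"{field} must be true or false, got {value!r}")
            out[field] = value.lower() == "true"
    if "vnic" in out:
        out["vnic"] = str(out["vnic"])
    return out

def build_create_body(rules):
    """Wrap flat rules in the natRulesDtos array expected by the POST."""
    return json.dumps({"natRulesDtos": [normalize_rule(r) for r in rules]}, indent=2)

def plan_change(desired, existing_rules):
    """Return ('create'|'update'|'noop', drift) against rules read back via GET."""
    want = normalize_rule(desired)
    key = tuple(want.get(f) for f in IDENTITY_FIELDS)
    for current in map(normalize_rule, existing_rules):
        if tuple(current.get(f) for f in IDENTITY_FIELDS) == key:
            # Compare only requested fields; server-added ones (e.g. ruleId) are ignored.
            drift = {f: (current.get(f), v)
                     for f, v in want.items() if current.get(f) != v}
            return ("update", drift) if drift else ("noop", {})
    return ("create", {})

# Constructed sample data: the flat rule from the question and a made-up existing rule.
QUESTION_RULE = {
    "action": "dnat", "vnic": 0, "originalAddress": "192.168.128.204",
    "translatedAddress": "192.168.10.4", "enabled": "true", "loggingEnabled": "true",
    "protocol": "any", "originalPort": "any", "translatedPort": "any",
    "description": "NAT Rule 1",
}
EXISTING = [dict(QUESTION_RULE, vnic="0", enabled=True, loggingEnabled=True,
                 translatedAddress="192.168.10.5", ruleId="196609")]

if __name__ == "__main__":
    print(build_create_body([QUESTION_RULE]))
    print(plan_change(QUESTION_RULE, EXISTING))
```

The drift dictionary maps each differing field to a (current, desired) pair, which is also a convenient line to log before changing a NAT rule on a production edge.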
DavidPeyton
Contributor

Sebastian,

Well I'll be.... That worked!! Thanks for your help! I think Edge Firewall Rules are going to be similar but that is the next hurdle.

We have done the GET before exactly like you mentioned but never thought to formulate it that way, Geesh.
