VMware Cloud Community
baronne
Contributor

Command Line / PowerCLI script to create Edge Gateway Firewall Rules?

Hi,

Is there a quicker way to add hundreds of firewall rules to an edge gateway other than via the vCD web GUI, which is quite limited? I'm either looking for a command-line PowerCLI-type script or another way to simplify, or at least speed up, the process.

Any suggestions greatly welcomed.

thanks,

8 Replies
Sreec
VMware Employee

Hi,

REST API would be perfect, please go through https://www.vmware.com/pdf/vshield_55_api.pdf (page 75)

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
baronne
Contributor

thanks, I can see that would be a good option; however, our environment is managed by vCloud Director, so any changes made directly using vShield Manager are not retained, as vCD will overwrite them. Can you advise if there is a different API set or tools using PowerCLI that can administer this process via vCloud?

Sreec
VMware Employee

Hi,

Good point. In that case you can use the vCloud API to perform the task.

It would be a good start with network administration, page 169: http://pubs.vmware.com/vcd-55/topic/com.vmware.ICbase/PDF/vcd_55_api_guide.pdf

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
baronne
Contributor

thanks for the reference. I'm not much of a developer, so it would seem a steep curve to work out how to programmatically get that to work via the API; I don't really know where to begin with it, to be honest.

I found this whilst looking around for scripts/tools:

https://github.com/gds-operations/vcloud-edge_gateway

Do you think it might do the trick?

cheers

Sreec
VMware Employee

Hi,

To be very honest, you don't need to be a good developer to start with the API :) Whenever you get time, try to go through Exploring the vCloud REST API Part 1 | VMware vSphere Blog - VMware Blogs. Once you log in to the solution it is a very easy task.

I'm unsure about the link that you provided, because I never tried that till now.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
baronne
Contributor

thanks for the links, I'll check that out!

technoe
Contributor

I know this is an older post, but I have modified the scripts referenced below to load any number of Edge Gateway NAT rules at one time. See below: I'm using PowerCLI 5.8 with the snap-ins listed. I've attached a sample CSV.

param(
    [Parameter(Mandatory = $true, Position = 0)][string]$te  # this is the org name
)

#region Module/Snapin/Dot Sourcing
# Load snap-ins related to VMware
$snapinList = @( 'VMware.VimAutomation.Core', 'VMware.VimAutomation.Vds', 'VMware.VimAutomation.License', 'VMware.DeployAutomation', 'VMware.ImageBuilder', 'VMware.VimAutomation.Cloud')
foreach ($snapin in $snapinList)
{
    if (!(Get-PSSnapin $snapin -ErrorAction:SilentlyContinue))
    {
        Add-PSSnapin $snapin
    }
}
#endregion Module/Snapin/Dot Sourcing

# Placeholders: replace with your vCD server and credentials
Connect-CIServer -Server 10.1.0.34 -User '[USERNAME]' -Password '[Password]'

$EdgeGateway = 'EdgeGW-' + $te
$extNet = Get-ExternalNetwork | Where-Object {$_.Name -eq 'vCD-ExternalNetwork'}

Function New-GatewayRule
{
    param
    (
        [System.Object]
        $EdgeGateway,
        [System.Object]
        $ExternalNetwork
    )

    $Edgeview = Search-Cloud -QueryType EdgeGateway -Name $EdgeGateway | Get-CIView
    if (!$Edgeview)
    {
        Write-Warning -Message "Edge Gateway with name $EdgeGateway not found"
        return
    }

    $URI = ($Edgeview.Href + '/action/configureServices')
    $wc = New-Object -TypeName System.Net.WebClient
    # Add Authorization headers
    $wc.Headers.Add('x-vcloud-authorization', $Edgeview.Client.SessionKey)
    $wc.Headers.Add('Content-Type', 'application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml')
    $wc.Headers.Add('Accept', 'application/*+xml;version=5.1')

    # Second client: download the current edge configuration so the existing NAT rules are preserved
    $webclient = New-Object -TypeName System.Net.WebClient
    $webclient.Headers.Add('x-vcloud-authorization', $Edgeview.Client.SessionKey)
    $webclient.Headers.Add('Accept', $Edgeview.Type + ';version=5.1')
    [xml]$EGWConfXML = $webclient.DownloadString($Edgeview.Href)
    [xml]$OriginalXML = $EGWConfXML.EdgeGateway.Configuration.EdgeGatewayServiceConfiguration.NatService.OuterXml

    # Next free rule id (vCD numbers NAT rules from 65537); overridden below by the CSV ID column
    $NewID = [int]($OriginalXML.NatService.NatRule |
        Sort-Object -Property Id |
        Select-Object -Property Id -Last 1).Id + 1
    If ($NewID -eq 1)
    {
        $NewID = 65537
    }

    # Placeholder: path to the CSV (columns: ID, Type, OriginIP, Octet, SourcePort, translatedIP, DestPort, Protocol)
    $csv = Import-Csv -Path '[Path to CSV]'
    $strXML = ''

    # DNAT rules: original = external address, translated = internal address
    foreach ($line in $csv | Where-Object {$_.Type -ne 'SNAT'})
    {
        $NewID = $line.ID
        $OriginalIP = ($line.OriginIP + $line.Octet)
        $OriginalPort = $line.SourcePort
        $TranslatedIP = $line.translatedIP
        $TranslatedPort = $line.DestPort
        $Protocol = $line.Protocol

        # Here-string so the whole rule is appended as one statement (a line starting with '+' does not continue the previous line)
        $strXML += @"
<NatRule>
<RuleType>DNAT</RuleType>
<IsEnabled>true</IsEnabled>
<Id>$NewID</Id>
<GatewayNatRule>
<Interface type="application/vnd.vmware.admin.network+xml" name="$($ExternalNetwork.Name)" href="$($ExternalNetwork.Href)"/>
<OriginalIp>$OriginalIP</OriginalIp>
<OriginalPort>$OriginalPort</OriginalPort>
<TranslatedIp>$TranslatedIP</TranslatedIp>
<TranslatedPort>$TranslatedPort</TranslatedPort>
<Protocol>$Protocol</Protocol>
</GatewayNatRule>
</NatRule>
"@
    }

    # SNAT rules: original = internal address, translated = external address
    foreach ($line in $csv | Where-Object {$_.Type -eq 'SNAT'})
    {
        $NewID = $line.ID
        $OriginalIP = $line.translatedIP
        $OriginalPort = $line.SourcePort
        $TranslatedIP = ($line.OriginIP + $line.Octet)
        $TranslatedPort = $line.DestPort
        $Protocol = $line.Protocol

        $strXML += @"
<NatRule>
<RuleType>SNAT</RuleType>
<IsEnabled>true</IsEnabled>
<Id>$NewID</Id>
<GatewayNatRule>
<Interface type="application/vnd.vmware.admin.network+xml" name="$($ExternalNetwork.Name)" href="$($ExternalNetwork.Href)"/>
<OriginalIp>$OriginalIP</OriginalIp>
<TranslatedIp>$TranslatedIP</TranslatedIp>
</GatewayNatRule>
</NatRule>
"@
    }

    $GoXML = @"
<?xml version="1.0" encoding="UTF-8"?>
<EdgeGatewayServiceConfiguration xmlns="http://www.vmware.com/vcloud/v1.5">
<NatService>
<IsEnabled>true</IsEnabled>
"@
    # Keep the rules already on the edge, then append the new ones
    $OriginalXML.NatService.NatRule | ForEach-Object -Process {
        $GoXML += $_.OuterXml
    }
    $GoXML += $strXML
    $GoXML += @"
</NatService>
</EdgeGatewayServiceConfiguration>
"@

    # The declaration says UTF-8, so encode the body as UTF-8 (ASCII would mangle non-ASCII names)
    [byte[]]$byteArray = [System.Text.Encoding]::UTF8.GetBytes($GoXML)
    $UploadData = $wc.UploadData($URI, 'POST', $byteArray)
}

New-GatewayRule -EdgeGateway $EdgeGateway -ExternalNetwork $extNet

technoe
Contributor

Also, I just realized you were talking about firewall rules. I have a script for that as well.

# Replaces all rules for a given vShield with the ones from a CSV file.
# CSV header is: Num,Descr,Proto,SrcIP,SrcPort,DstIP,DstPortRange,Policy,Direction,isEnabled,EnableLogging
# http://pubs.vmware.com/vcd-51/index.jsp?topic=%2Fcom.vmware.vcloud.api.reference.doc_51%2Fdoc%2Ftype...
# Note: SrcPort can be -1 (for any), any or a port number. DstPortRange can be any or a port number range (ex: 22-26)

param (
    [parameter(Mandatory = $true, HelpMessage = "vCD Server")][alias("-server", "s")][ValidateNotNullOrEmpty()][string[]]$CIServer,
    [parameter(Mandatory = $true, HelpMessage = "Org")][alias("-vOrg", "o")][ValidateNotNullOrEmpty()][string[]]$orgName,
    [parameter(Mandatory = $true, HelpMessage = "OrgNet")][alias("-orgNet", "n")][ValidateNotNullOrEmpty()][string[]]$orgNet,
    [parameter(Mandatory = $true, HelpMessage = "CSV Path")][alias("-file", "f")][ValidateNotNullOrEmpty()][string[]]$csvFile
)

# Add in the VI Toolkit
if ( (Get-PSSnapin -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue) -eq $null ) {
    Add-PSSnapin VMware.VimAutomation.Core
}
if ( (Get-PSSnapin -Name VMware.VimAutomation.Cloud -ErrorAction SilentlyContinue) -eq $null ) {
    Add-PSSnapin VMware.VimAutomation.Cloud
}
# Needed for the MessageBox used in the error handler below
Add-Type -AssemblyName System.Windows.Forms

try {
    # Placeholders: replace with your credentials (-ErrorAction Stop so a failed login actually reaches the catch)
    Connect-CIServer -Server $CIServer -User '[username]' -Password '[password]' -ErrorAction Stop | Out-Null
} catch {
    Write-Error ("Could not connect to " + $CIServer + ": " + $_.Exception.Message)
    Exit
}

# Search EdgeGW
try {
    $myOrgNet = Get-Org -Name $orgName | Get-OrgNetwork -Name $orgNet
    $edgeHREF = $myOrgNet.ExtensionData.EdgeGateway.Href
    $edgeView = Search-Cloud -QueryType EdgeGateway -ErrorAction Stop | Get-CIView | Where-Object {$_.Href -eq $edgeHREF}
} catch {
    [System.Windows.Forms.MessageBox]::Show("Exception: " + $_.Exception.Message + " - Failed item:" + $_.Exception.ItemName, "Error.", 0, [System.Windows.Forms.MessageBoxIcon]::Exclamation)
    Exit
}

# Item to Configure Services (dumps the current configuration for reference)
$edgeView.Configuration.EdgeGatewayServiceConfiguration

$fwService = New-Object VMware.VimAutomation.Cloud.Views.FirewallService
$fwService.DefaultAction = "drop"
$fwService.LogDefaultAction = $false
$fwService.IsEnabled = $true
$fwService.FirewallRule = @()

Import-Csv -Path $csvFile |
    ForEach-Object {
        # Build each rule as its own object and append it; indexing the array by the CSV Num column
        # only worked when Num was a gap-free sequence starting at 0
        $rule = New-Object VMware.VimAutomation.Cloud.Views.FirewallRule
        $rule.Description = $_.Descr
        $rule.Protocols = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols
        switch ($_.Proto)
        {
            "tcp" { $rule.Protocols.Tcp = $true }
            "udp" { $rule.Protocols.Udp = $true }
            "any" { $rule.Protocols.Any = $true }
            default { $rule.Protocols.Any = $true }
        }
        $rule.SourceIp = $_.SrcIP
        if ($_.SrcPort -eq "any") { $srcPort = "-1" } else { $srcPort = $_.SrcPort }
        $rule.SourcePort = $srcPort
        $rule.DestinationIp = $_.DstIP
        $rule.DestinationPortRange = $_.DstPortRange
        $rule.Policy = $_.Policy
        $rule.IsEnabled = [System.Convert]::ToBoolean($_.isEnabled)
        $rule.EnableLogging = [System.Convert]::ToBoolean($_.EnableLogging)
        $fwService.FirewallRule += $rule
    }

# Configure Edge: this replaces the whole firewall rule set with the CSV contents
$edgeView.ConfigureServices($fwService)

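As an added example (not code from this thread), the same CSV-to-API mapping in Python: it builds the FirewallService body for configureServices with an XML library rather than string concatenation, so descriptions containing <, > or & are escaped instead of corrupting the payload, and it rejects malformed port, policy or address fields before anything is sent to the edge. Element names follow the vCloud 5.1 FirewallRuleType as I know it (check them against the API reference linked above); the accepted address forms (the keywords, a single address or a CIDR) are an assumption.

```python
import csv, io, ipaddress, re, xml.etree.ElementTree as ET
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")

def norm_port(value, allow_range):
    # '-1' or 'any' mean any port; otherwise a validated port or, if allowed, a lo-hi range
    v = value.strip().lower()
    if v in ("any", "-1"):
        return "any"
    m = PORT_RE.match(v)
    lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
    if not 1 <= lo <= hi <= 65535 or (hi != lo and not allow_range):
        raise ValueError(f"bad port spec: {value!r}")
    return v

def norm_ip(value):
    # vCD keywords pass through; anything else must parse as an address or CIDR (assumption)
    v = value.strip()
    if v.lower() in ("any", "internal", "external"):
        return v.lower()
    ipaddress.ip_network(v, strict=False)  # raises ValueError on junk such as a hostname
    return v

def build_firewall_service(csv_text):
    # CSV rows (header as in the post above) -> configureServices XML body, default-deny
    root = ET.Element("EdgeGatewayServiceConfiguration", xmlns="http://www.vmware.com/vcloud/v1.5")
    fw = ET.SubElement(root, "FirewallService")
    for tag, text in (("IsEnabled", "true"), ("DefaultAction", "drop"), ("LogDefaultAction", "false")):
        ET.SubElement(fw, tag).text = text
    for row in csv.DictReader(io.StringIO(csv_text)):
        policy = row["Policy"].strip().lower()
        if policy not in ("allow", "drop"):
            raise ValueError(f"bad policy in rule {row['Num']}: {row['Policy']!r}")
        rule = ET.SubElement(fw, "FirewallRule")
        ET.SubElement(rule, "IsEnabled").text = row["isEnabled"].strip().lower()
        ET.SubElement(rule, "Description").text = row["Descr"]  # ElementTree escapes <, > and &
        ET.SubElement(rule, "Policy").text = policy
        proto = ET.SubElement(rule, "Protocols")
        ET.SubElement(proto, {"tcp": "Tcp", "udp": "Udp"}.get(row["Proto"].lower(), "Any")).text = "true"
        ET.SubElement(rule, "DestinationPortRange").text = norm_port(row["DstPortRange"], True)
        ET.SubElement(rule, "DestinationIp").text = norm_ip(row["DstIP"])
        ET.SubElement(rule, "SourcePortRange").text = norm_port(row["SrcPort"], False)
        ET.SubElement(rule, "SourceIp").text = norm_ip(row["SrcIP"])
        ET.SubElement(rule, "EnableLogging").text = row["EnableLogging"].strip().lower()
    return ET.tostring(root, encoding="unicode")

# Constructed sample rows (not the poster's attached CSV); Descr shows why escaping matters
SAMPLE_CSV = """Num,Descr,Proto,SrcIP,SrcPort,DstIP,DstPortRange,Policy,Direction,isEnabled,EnableLogging
0,ssh from mgmt & jump,tcp,10.0.0.0/24,any,192.168.1.10,22-26,allow,in,true,true
1,drop all udp,udp,any,-1,any,any,drop,in,true,false
"""
```

The returned string is the body to POST to the edge's /action/configureServices URL with the Content-Type header the NAT script above uses; the Direction column is read but, as in the PowerCLI script, not mapped.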