Solved: domain in nsx-t 3.0

rajkumar49 · ‎09-08-2020

hi,

whether the Domains concept is deprecated in NSX-T 3.0?

for example, look at the below REST API :

GET https://10.204.x.x/policy/api/v1/infra/domains/default/groups

whether the default domain is the only domain in the nsx-t 3.0 ?

p0wertje · ‎09-09-2020

Hi.

The reply i got from vmware:

On an earlier version of NSX-T the concept and function of Domains was introduced and was present on the UI.

However a product decision was made to explicitly remove this from the UI from 2.4.1 onwards . The plan being to perform an internal assessment of the role of Domains and to ensure they would be future proofed from a product roadmap perspective, Federation etc. A decision was made to leave the Domain API as fully functional.

So not available in gui. But it is available in API

Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
Please kudo helpful posts and mark the thread as solved if solved

View solution in original post

p0wertje · ‎09-08-2020

You can have domains. But you do not see them in the gui.

i.e i have a k8s domain:

{

"resource_type": "Domain",

"id": "k8scluster",

"display_name": "k8scluster",

"tags": [

{

"scope": "ncp/cluster_domain",

"tag": "true"

},

{

"scope": "ncp/cluster",

"tag": "k8scluster"

}

],

"path": "/infra/domains/k8scluster",

"relative_path": "k8scluster",

"parent_path": "/infra",

"unique_id": "dbe72602-1081-4ca3-a882-1517ecc58299",

"marked_for_delete": false,

"overridden": false,

"_create_user": "admin",

"_create_time": 1596721212148,

"_last_modified_user": "admin",

"_last_modified_time": 1598516965091,

"_system_owned": false,

"_protection": "NOT_PROTECTED",

"_revision": 8

}

And inside that o have groups

/infra/domains/k8scluster/groups/10.4.192.0_24

{

"expression": [

{

"ip_addresses": [

"10.4.192.0/24"

],

"resource_type": "IPAddressExpression",

"id": "cf9ee9ad-e9a1-435a-8e7f-ad36ff881ed0",

"path": "/infra/domains/k8scluster/groups/10.4.192.0_24/ip-address-expressions/cf9ee9ad-e9a1-435a-8e7f-ad36ff881ed0",

"relative_path": "cf9ee9ad-e9a1-435a-8e7f-ad36ff881ed0",

"parent_path": "/infra/domains/k8scluster/groups/10.4.192.0_24",

"marked_for_delete": false,

"overridden": false,

"_protection": "NOT_PROTECTED"

}

],

"extended_expression": [],

"reference": false,

"resource_type": "Group",

"id": "10.4.192.0_24",

"display_name": "10.4.192.0_24",

"path": "/infra/domains/k8scluster/groups/10.4.192.0_24",

"relative_path": "10.4.192.0_24",

"parent_path": "/infra/domains/k8scluster",

"unique_id": "1ccd5747-2a97-42f8-bf88-574d674a1984",

"marked_for_delete": false,

"overridden": false,

"_create_user": "admin",

"_create_time": 1598294616147,

"_last_modified_user": "admin",

"_last_modified_time": 1598294616148,

"_system_owned": false,

"_protection": "NOT_PROTECTED",

"_revision": 0

}

I have a case open at support regarding not able to see the domains in the gui. I do not have an answer on that (yet)

See the api for more info (chapter 3.5.3.4

NSX-T Data Center REST API - VMware API Explorer - VMware {code}

Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
Please kudo helpful posts and mark the thread as solved if solved

Lalegre · ‎09-08-2020

Hey,

As he mention some of the domains will not be visible from the GUI and are created for interacting between platforms. For example if you have a NSX-T Federation topology with more that one region you will see 3 domains (Global, Region A and Region B)

rajkumar49 · ‎09-08-2020

hi

Do you know any API to get security groups from all the domains ?

for example, the below API will get security groups from only the default domain :

GET https://10.204.x.x/policy/api/v1/infra/domains/default/groups

Lalegre · ‎09-08-2020

Hey,

Unfortunately there is no API call for searching multiple groups cross domain. For doing that you will need to do separate calls to each domain.

I just tested myself even in 3.0.1.1 and is the same.

rajkumar49 · ‎09-08-2020

hi ,

in NSX-T 3.0 GUI , there is no option to create domain .

also no option to create security groups for other domains. whether Vmware will deprecate the domains feature?

whether the below API gives all the security groups from all domains ?

GET /api/v1/ns-groups

Lalegre · ‎09-09-2020

Hey,

So basically you are getting confused between NSX-T modes. NS-Groups and Groups are basically the same but the difference in which mode they have been created.

The default visibility that you have when you install NSX-T is the Policy Mode and you can toggle it to Manager Mode if you change that parameters in the User Interface Settings on the System tab.

So when you run the call GET /api/v1/ns-groups you are reading from the groups created in Manager Mode but when you run GET /policy/api/v1/infra/domains/domain-id/groups you are reading from the groups created in Policy Mode that is why on the call it starts with "policy".

Remember this not only for these calls but always you see the policy.

p0wertje · ‎09-09-2020

Hi.

The reply i got from vmware:

On an earlier version of NSX-T the concept and function of Domains was introduced and was present on the UI.

However a product decision was made to explicitly remove this from the UI from 2.4.1 onwards . The plan being to perform an internal assessment of the role of Domains and to ensure they would be future proofed from a product roadmap perspective, Federation etc. A decision was made to leave the Domain API as fully functional.

So not available in gui. But it is available in API

Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
Please kudo helpful posts and mark the thread as solved if solved

All

domain in nsx-t 3.0