Over the weekend I got a chance to deploy my first vSphere with Tanzu environment using the new NSX Advanced Load Balancer (NSX ALB) which I had shared on Twitter.
Successfully deployed my vSphere w/@VMwareTanzu using the new @vmwarensx Advanced Load Balancer (formerly @AviNetworks)
https://t.co/Mqb9Ja0rtV was extremely helpful, a MUST read IMHO! @CormacJHogan
Visuals in NSX ALB are nice! Looks like I need more resources! pic.twitter.com/C6E36zIl7X
— William Lam (@lamw.bsky.social) (@lamw) March 28, 2021
This was also my first time getting exposed to NSX ALB (formerly Avi Networks), and this detailed blog post from my buddy Cormac Hogan was instrumental in helping me quickly get started and get into the specific configurations needed for a two-network design with vSphere with Tanzu. For me personally, there were just too many different configuration pages a user needed to navigate to, and context switching between them made it non-intuitive for a new user like myself. After going through this once, I knew automation was the next step for me, and this was also an opportunity to try out the NSX ALB API, which I had also never used before.
One of the very first challenges I needed to figure out was how to initially log in to the API. During the initial UI step, the user is prompted to provide a password which will be used to create a new admin account. This is actually misleading, because you are not creating a new account but rather changing the default password for the admin user that already exists.
This actually took me some time to figure out, and I eventually came across a note mentioning that the default password can be found in the download portal where you had downloaded the NSX ALB OVA! In addition to the default password, the NSX ALB API requires that you pass a Cross-Site Request Forgery (CSRF) token along with a referrer ID, which is then used to authenticate subsequent requests. This did make the initial automation more complicated, especially since basic authentication is disabled by default.
Here is a quick PowerShell snippet using the NSX ALB REST API to initially log in and then change the default admin password:
```powershell
$nsxAdvLBIPAddress = "192.168.30.171"
$NSXAdvLBAdminPassword = "VMware1!"

$headers = @{
    "Content-Type"="application/json"
    "Accept"="application/json"
}

# Log in with the default admin password (from the NSX ALB download portal)
$payload = @{
    username="admin";
    password="58NFaGDJm(PJH0G";
}
$defaultPasswordBody = $payload | ConvertTo-Json

# -SessionVariable keeps the session cookies for later requests;
# -SkipCertificateCheck (PowerShell Core) accepts the self-signed certificate
$response = Invoke-WebRequest -Uri https://${nsxAdvLBIPAddress}/login -Body $defaultPasswordBody -Method POST -Headers $headers -SessionVariable WebSession -SkipCertificateCheck

# Pull the CSRF token out of the cookies returned by the login request
$cookies = $WebSession.Cookies.GetCookies("https://${nsxAdvLBIPAddress}/login")
$csrf = $cookies["csrftoken"].value

# Change the default admin password to the new one
$payload = @{
    old_password = "58NFaGDJm(PJH0G";
    password = $NSXAdvLBAdminPassword;
    username = "admin"
}
$newPasswordBody = $payload | ConvertTo-Json

# Session-authenticated requests need the CSRF token and the referer
$headers = @{
    "Content-Type"="application/json"
    "Accept"="application/json"
    "x-avi-version"="20.1.4"
    "x-csrftoken"=$csrf
    "referer"="https://${nsxAdvLBIPAddress}/login"
}

Invoke-WebRequest -Uri https://${nsxAdvLBIPAddress}/api/useraccount -Body $newPasswordBody -Method PUT -Headers $headers -WebSession $WebSession -SkipCertificateCheck
```
Once you have changed the default admin password, you can then log in to the NSX ALB UI to apply other configuration changes. If you wish to enable basic authentication, you can navigate to Administration->Settings->Access Settings, click on the pencil to edit, and check the Allow Basic Authentication box.
Now, of course you could have also automated both the admin password change and the enablement of basic auth (hint: see /systemconfiguration) and then switched to basic auth login for all subsequent API requests. Once I had figured out how to coordinate the initial automation, it was on to digging into the NSX ALB API and using my favorite tool, Chrome Developer, to understand which NSX ALB APIs were being used. Now it is on to the task of trial and error and heavily leveraging vSphere Snapshots, and as you can see from the Tweet below, that is where I am fully headed.
Not too bad, almost 1 minute flat to automate all of these @vmwarensx Advanced Load Balancer settings
First time using the NSX ALB (API) APIs too! Just have the DNS IPAM configuration to tackle tomorrow and then some testing pic.twitter.com/B7otLLukKh
— William Lam (@lamw.bsky.social) (@lamw) March 29, 2021
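The /systemconfiguration hint from the post, worked through as an added example (not the author's script or VMware's code): it prompts for the admin credential instead of hardcoding it, reuses the CSRF token and referer from the session login, and toggles basic authentication with a read-modify-write. The function names and the `portal_configuration.allow_basic_authentication` field are assumptions that do not appear on this page; the IP address and API version are the ones used in the snippet above.

```powershell
# Added example: session login plus /api/systemconfiguration read-modify-write.
# Requires PowerShell 6+ (-SkipCertificateCheck). Function names are hypothetical.
function Connect-NsxAlbSession {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$ApiVersion = "20.1.4"   # x-avi-version value used on this page
    )
    $body = @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    } | ConvertTo-Json
    # -SkipCertificateCheck only because the controller presents a self-signed certificate
    $null = Invoke-WebRequest -Uri "https://$Server/login" -Method POST -Body $body `
        -ContentType "application/json" -SessionVariable session -SkipCertificateCheck
    $csrf = $session.Cookies.GetCookies("https://$Server/login")["csrftoken"]
    if (-not $csrf) { throw "Login returned no csrftoken cookie" }
    [pscustomobject]@{
        Server  = $Server
        Session = $session   # carries the session cookies
        Headers = @{
            "Accept"        = "application/json"
            "x-avi-version" = $ApiVersion
            "x-csrftoken"   = $csrf.Value
            "referer"       = "https://$Server/login"
        }
    }
}

function Set-NsxAlbBasicAuth {
    param([Parameter(Mandatory)]$Connection, [Parameter(Mandatory)][bool]$Enabled)
    $call = @{
        Uri = "https://$($Connection.Server)/api/systemconfiguration"
        Headers = $Connection.Headers; WebSession = $Connection.Session
        ContentType = "application/json"; SkipCertificateCheck = $true
    }
    $config = Invoke-RestMethod -Method GET @call
    # Assumed field name (not on this page): portal_configuration.allow_basic_authentication
    $config.portal_configuration | Add-Member -NotePropertyName allow_basic_authentication `
        -NotePropertyValue $Enabled -Force
    # Default ConvertTo-Json depth (2) would flatten nested settings, so raise it
    $body = $config | ConvertTo-Json -Depth 20
    $updated = Invoke-RestMethod -Method PUT -Body $body @call
    [bool]$updated.portal_configuration.allow_basic_authentication
}

$conn = Connect-NsxAlbSession -Server "192.168.30.171" `
    -Credential (Get-Credential -UserName admin -Message "NSX ALB admin password")
Set-NsxAlbBasicAuth -Connection $conn -Enabled $true
```

Calling `Set-NsxAlbBasicAuth -Connection $conn -Enabled $false` restores the default once the bootstrap automation no longer needs basic authentication.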
Roberto Casula says
Hi William! If you like PowerShell I wrote a wrapper around the Avi API to handle some of the boring stuff like session management.
https://www.github.com/avinetworks/devops/tree/master/powershell
William Lam says
Hey Roberto,
Funny enough, I did come across your PS module before getting started, but I found that it didn't work for me and I believe it has to do with not being able to support/ignore self-signed TLS certificates. Perhaps this was before PowerShell Core added support for -SkipCertificateCheck using Invoke-WebRequest/RestMethod. I also noticed the repo hadn't been updated for a few years and that it had moved, that perhaps it wasn't kept up to date as the version of the API was several releases back.
Roberto Casula says
Interesting. I've used it as recently as a couple of weeks ago with no issues. Did you use the Disable-AviCertificateWarnings scriptlet first? This installs a custom certificate validation function (that always returns true) and should be invoked for any WebRequest...I only haven't updated it because it's generally agnostic to the version of Avi and continues to work when I try it from time to time. If Disable-AviCertificateWarnings doesn't work for you, I'd like to get to the bottom of it. Ping me with your setup details (OS, PS version etc.) and I can try and take a look.
Roberto Casula says
Ah yes - I think it is due to differences in PS Core and certificate validation. Will look into it.
William Lam says
Yup. I've tried the Disable-* function and ran into an error, which I've normally solved by using the -SkipCertificateCheck parameter. For my usage, I think what I've got is working anyhow, I've already figured out the APIs I needed but it did take a bit more time using Chrome Developer.