WilliamLam.com

Managing Distributed Firewall Rules in VMC using PowerShell & NSX-T Policy API

by // Leave a Comment

Back in November 2018, VMware Cloud on AWS (VMC) SDDC 1.5 Patch 1 was released and it was one of the most highly anticipated release by our customers. Although this was a "patch" release, it included a ton of new features and also brought the full power of the NSX-T platform to VMC as a generally available feature!

With NSX-T, customers also now have access to the highly requested Distributed Firewall (DFW) capability which enables granular control over East-West traffic between application workloads. In addition to enabling micro-segmentation in VMC, customers can now easily manage DFW rules using a number of grouping constructs (Tags, Virtual Machines & Conditional Statements) to create dynamic policies which follow their workloads.


Customers can configure DFW (as well as Edge Firewall) rules using the VMC Console UI but many of you have been asking for an automated method, especially if you need to create a large number of policies for more than a couple of workloads. After returning from the holiday, I spent the last couple of days updating my NSX-T Policy PowerShell Module which now includes basic support for managing DFW. For those of you who are new to using the NSX-T Policy API and PowerCLI, be sure to give these two articles a read here and here before proceeding further.

[Read more...]

Automating Hybrid Cloud Extension (HCX) Manager initial configuration for VMC

by // 2 Comments

Following up from my previous Hybrid Cloud Extension (HCX) Automation article which looked at deploying the HCX Manager OVA, this article will now focus on automating the initial configuration of HCX Manager including the registration to HCX Cloud which will enable the on-prem HCX Manager to be used with VMware Cloud on AWS (VMC). Once HCX Manager is up and running, customers can configure the system using the HCX VAMI interface which is available on port 9443 via the UI or in our case with the HCX VAMI APIs


I have updated my HCX PowerShell Module to include 8 additional functions that can be used for initial configuration of HCX Manager:

  • Set-HcxVCConfig
  • Set-HcxLicense
  • Get-HcxNSXConfig
  • Set-HcxNSXConfig
  • Get-HcxLocation
  • Set-HcxLocation
  • Get-HcxRoleMapping
  • Set-HcxRoleMapping
  • Get-HcxProxy
  • Set-HcxProxy
  • Remove-HcxProxy

[Read more...]

Is vCenter Server & ESXi hosts using VMware Certificate Authority (VMCA) or custom CA certificates?

by // 3 Comments

Customers have two primary methods of managing TLS certificates for their ESXi hosts, they can either use the built-in VMware Certificate Authority (VMCA) which is part of vCenter Server or Custom CA Certificates. I will not go into the gory details, but you can read more about the options here in our documentation.

A question that I had received recently was whether you can determine the type of certificate an ESXi host was provisioned with and whether this could be programmatically retrieved using the vSphere API? The answer is yes. In vSphere 6.0, we introduced a CertificateInfo property which contains a number of fields including status, issuer, expiry and subject details and by inspecting either the issuer or subject property, you can determine the type of certificate on the ESXi host.

Here is a screenshot of the data using the vSphere MOB for an ESXi host that has VMCA-based certificate:


Here is a screenshot of the data using the vSphere MOB for an ESXi host that has custom CA certificate:


As you can see, for VMCA-based certificate the issuer's OU will have value of "VMware Engineering" and subject's emailAddress will have value of "*protected email*".

[Read more...]