WilliamLam.com

Automating the new VMware Cloud Notification Gateway (NGW) User Notification Preferences

by // 2 Comments

Last week the VMware Cloud team released one of the highly requested feature which is the ability to control notification preferences for an individual user, which is provided as part of the VMware Cloud Notification Gateway (NGW) service. Users can now login to the VMware Cloud Console (VMC UI) and on left hand side, you should now see a new Notification Preferences tab which will allow you to specify which notifications you wish to receive via the Email channel.


As of writing this blog post, there is currently over 200+ notifications that can be configured which are broken up across the following four categories:

  • Elastic DRS (7)
  • Organization General (128)
  • SDDC Maintenance (61)
  • VMware Site Recovery Service (23)

Today, the notification preferences is configured on a per-use basis and by default, users are automatically subscribed to all notifications. The ability to customize is great but with over 200+ notifications to select or de-select from, this could be a difficult task, especially with a large number of users who may or may not understand each and ever single notification type. This is certainly an area the VMware Cloud team will be looking to enhance in the future to make it even easier to consume and customize.

In the mean time, to help with making this customization change easier within your organization, we can also take advantage of the new NGW Notification Preferences API. What better way to demonstrate this than incorporating this into my VMware Cloud Notification Gateway Community PowerShell Module, which is also available for consumption within the PowerShell Gallery.

[Read more...]

Publishing and consuming custom events with VMware Event Broker Appliance (VEBA)

by // Leave a Comment

One of the really exciting features that will be included in the upcoming release of the VMware Event Broker Appliance (VEBA) v0.7 release (currently in Tech Preview) is the support for incoming webhooks! This will allow customers to easily build event-driven automation for non-vSphere based events and even non-VMware events while still maintaining a consistent consumption experience. If you are interested in learning more about the upcoming VEBA v0.7 release, Michael Gasch and myself will be doing a LIVE VMworld Session - VEBA Revolutions - Unleashing the Power of Event-Driven Automation #CODE2773 that you should definitely add to your schedule builder!

Webhook support can easily be enabled during the initial VEBA appliance deployment using a few new OVF properties or configured through the VMware Event Router configuration when deploying to an existing Kubernetes cluster using kubectl or Helm. Once the webhook endpoint is running, users can simply publish their custom events as a conformant CloudEvent and VEBA will ensure these custom events are immediately available for consumption by function authors. This means any product and/or service that can construct a custom HTTP payload including headers will be able to take advantage of this new VEBA feature! I also want to mention that this is NOT the only way to produce custom events that VEBA can ingest, but is certainly one simple way.

To help make this concept more concrete, I wanted to see how we could integrate VMware Cloud events into VEBA by using this new webhook mechanism and using the VMware Cloud Notification Gateway. Below is a diagram to help illustrate what is happens when a VMware Cloud event is generated and how it can be consumed by VEBA. The beauty of this type of a solution is the "Event Producer" does not have to know anything about the "Event Consumer" or how they might consume the data. The producer simply pushes events into VEBA and if there is a consumer who cares about a specific event and wishes to do something about it, they can create a function that will listen for a specific event(s) and perform an operation like sending to Slack as an example.

  1. Event is produced by VMware Cloud and pushed by the VMware Cloud Notification Gateway (NGW)
  2. A conformant CloudEvent payload is constructed from VMware Cloud event by NGW service
  3. NGW forwards the custom CloudEvent to VEBA's webhook endpoint (https://[VEBA-FQDN]/webhook)
  4. VEBA functions can now react to these custom CloudEvents (e.g. SDDC Provisioned Event)

[Read more...]

Decoding Services Roles/Permissions from a VMware Cloud Services Platform (CSP) Token

by // Leave a Comment

To programmatically access the various VMware Cloud Services (CSP) such as VMware Cloud on AWS as an example, a user must first generate a CSP Refresh Token using the CSP Console.


When creating a new CSP Refresh Token, you have the option to scope access to a specific set organization roles and service roles which will enable you to limit the permissions of this token to specific CSP Services. In the example below, I have created a new token which is scoped to the organization owner role along with two VMware Cloud on AWS Service Roles: Administrator (Delete Restricted) and NSX Cloud Admin to be able to grant access to a VMware Cloud on AWS SDDC.


One common issue that I see folks run into when working with some of the CSP Services including VMware Cloud on AWS from a programmatic standpoint is that they did not properly create a token with the correct permissions which usually will lead to some type of invalid request.

For popular services like VMware Cloud on AWS, it is usually pretty easy to track down, especially if the user who is using the CSP Refresh Token is the same person who created it. However, if you are not the person who created the original token or if you have forgotten or you may have access to multiple token, it can be a little bit difficult to troubleshoot.

The good news and probably lesser known detail about how CSP Refresh Tokens work is that you can actually decode these tokens to understand what specific scopes were used to create the initial token. Below are two methods to decode these tokens, both CSP Refresh Tokens (generated from the CSP UI) as well as CSP Access Token, which is returned when you request access providing your CSP Refresh Token.

[Read more...]