Self Service NSX Services in vCloud Director

Starting from the 8.20 release, vCloud Director has the capability to offer NSX Advanced Services to Tenants.

In this post, I’ll show you how to grant Self-Service advanced consumption of NSX to a specific Tenant. This apply to both vCloud Director 8.20.x and the recently announced vCloud Director 9.0

I’m writing “to a specific Tenant” because the additional powerful feature in vCloud Director is that you can grant granular access to NSX Services on a Tenant basis through Role Based Access Control (RBAC). When a new Organization is created and Users are added to the Organization, the roles you grant to Users are cloned from a Template Role, in this way every Organization will inherit dedicated and specific Roles that you can modify, in effect enabling the Service Provider in building a very granular offer.

How it works

In my scenario, I’ve created a new Organization named “ACME” and a User named acmeadmin. I’ve assigned the default “Organization Administrator” role to the user.

Create vCD Session via API

The first step we need to  take is to create an authentication session with vCloud Director.
We’ll use the following Headers:

  • Accept: application/*;version=9.0
  • Authorization: Basic (username in the user@org format)

We’ll make the following API call:

POST https://<vcd-IP>/api/sessions

vCloud Director - Create vCD session via API

We need the x-vcloud-authorization header for the successive API calls.

List available Organizations in our vCloud Director instance

We need to list all the Rights available to the Organization using the following API call:

GET https://<vcd-IP>/api/org

We’ll use the following Headers:

  • Accept: application/*;version=9.0
  • Authorization: Basic (username in the user@org format)
  • x-vcloud-authorization: x-vcloud-authorization value from the previous API call

vCloud Director - List available Organizations

The response will give us the list of available Organizations:

vCloud Director - Organization List

We will use the highlighted REST reference to the ACME Organization for our subsequent API calls.

List all the Rights available to the Organization

We’ll use the same Headers as the previous call to make the next API call. With this call we’ll obtain the list of all the Rights available by default to an Organization. In this specific case we’ll get the list of available Rights for the ACME Organization.

The API call we’ll make is the following:

GET https://<vcd-IP>/api/admin/org/<ORG-ID>/rights

vCloud Director - List Organization Rights

We’ll take note of the output of the Response Body and we’ll use these data in the following steps, when we’ll add the new Rights.

Here’s an excerpt of the output from the original API call used to list all the Rights available to the Organization:

<?xml version=”1.0″ encoding=”UTF-8″?>
<OrgRights xmlns=”http://www.vmware.com/vcloud/v1.5″ href=”https://vcd-01a.corp.local/api/admin/org/e46b03d6-46bc-4c95-94fc-27a6c78737a9/rights” type=”application/vnd.vmware.admin.org.rights+xml” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xsi:schemaLocation=”http://www.vmware.com/vcloud/v1.5 http://vcd-01a.corp.local/api/v1.5/schema/master.xsd”>
<Link rel=”edit” href=”https://vcd-01a.corp.local/api/admin/org/e46b03d6-46bc-4c95-94fc-27a6c78737a9/rights” type=”application/vnd.vmware.admin.org.rights+xml”/>
<RightReference href=”https://vcd-01a.corp.local/api/admin/right/39ec03d4-440d-32cf-8507-f01acd822540” name=”Catalog: Change Owner” type=”application/vnd.vmware.admin.right+xml”/>
<RightReference href=”https://vcd-01a.corp.local/api/admin/right/4886663f-ae31-37fc-9a70-3dbe2f24a8c5” name=”Catalog: Add vApp from My Cloud” type=”application/vnd.vmware.admin.right+xml”/>
……….

Convert Edge Gateway to Advanced Gateway

The next step we need to do is to convert each Edge Gateway available in the Organization on which we want to leverage Advanced Networking Services. Note: the conversion enables the new HTML5 User Interface for Networking Services, potentially enabling the Tenant to consume these services. It’s the Service Provider that still has to enable the Services and make them available to the Tenant for consumption. In simple terms, the conversion has nothing to do with the “NSX Advanced Bundle” you can find in the VMware Cloud Provider Program Product Usage Guide. The guide instructs you on how much you’ll be charged for if you’ll use a specific service, instead the conversion technically enables the possibility to consume the Services. I repeat, the possibility is enabled, not the consumption.

vCloud Director - Convert Edge Gateway to Advanced

After the conversion, selecting the action “Edge Gateway Services…” bring us to the new H5 User Interface.

As you can see, the conversion of the Edge in Advanced mode has not enable the Organization (Administrator) to consume NSX Advanced Services. In fact, only the “Base” NSX features (NAT, IPSec VPN, LB etc.) are exposed to the Tenant.

If we look at Roles, Edge Gateway Advanced Services are not shown as available to be assigned (e.g. to Organization Administration Role):

The Service Provider can now choose to grant specific and very granular rights to the Organization to manage Networking Services. Once added, these additional rights will be available to the Service Provider (or to the Organization Administration) to be granted to Roles in the Organization.

Add Advanced Networking Rights to the Organization

A new set of API is available starting from vCloud Director 8.20, specifically provided to manage NSX Services. These new API version is 27.0

We’ll use the following Headers:

  • Accept: application/*;version=27.0
  • Authorization: Basic (username in the user@org format)
  • x-vcloud-authorization: x-vcloud-authorization field value from the previous API call
  • Content-Type: application/vnd.vmware.admin.rights+xml

And we’ll make the following API call:

PUT https://<vcd-IP>/api/admin/org/<ORG-ID>rights

We’ll compile the Body section of the request with the saved content from the previous step (the one used to obtain the list of User Rights available to the Organization), but we’ll append the list of Advanced Networking Services related Rights we want to make available to the Organization.

vCloud Director - Add Rights to the Organization

You can find the list of available NSX related Rights in the following KB article: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2149016
In the KB you can find a downloadable pre-formatted XML file listing all the Networking Rights, so you can use it as a template to add specific Networking Services Rights to an Organization.

An interesting scenario is the SSL VPN-Plus. This Service would always been potentially offered by Service Provider but this didn’t happen because SSL VPN-Plus wasn’t available as a Service in the vCloud Director UI. It’s still not available until you convert the Edge Gateway to Advanced and grant the specific right to the Tenant. In addition, it’s very important to mention that the SSL VPN is now available as part of the NSX Base Bundle!

The list of Rights we’ll need to add to an Organization to cover the NSX “Base” (a.k.a vCNS Mode) use case are the following:

  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/b080bb50-cff1-3258-9683-842d34255a95″ name=”Organization vDC Gateway: Configure Services” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/84ddb40f-a49a-35e1-918e-3f11507825d7″ name=”Organization vDC Gateway: Configure Syslog” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/ff3fc70f-fd25-3c0a-9d90-e7ff82456be5″ name=”Organization vDC Gateway: Configure System Logging” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801″ name=”Organization vDC Gateway: Convert to Advanced Networking” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/e90fa73c-3347-3ec7-b407-e25eae2cfe8d” name=”Organization vDC Gateway: Create” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/e22e674f-17c3-32cc-ba8a-aecc6733b977″ name=”Organization vDC Gateway: Delete” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/bc655eb3-964c-335a-b588-167a9a69cd13″ name=”Organization vDC Gateway: Modify Form Factor” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/6122ae98-30b3-3450-b4d1-e1b935e36fbd” name=”Organization vDC Gateway: Update” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/93268d9c-3f30-3924-bc2e-9e42bfe6418c” name=”Organization vDC Gateway: Update Properties” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/7e1af410-d811-3056-8593-85e2b1808ad9″ name=”Organization vDC Gateway: Upgrade” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae” name=”Organization vDC Gateway: View” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/be1abe9a-7ddc-38f6-bdf3-94affb01e46b” name=”Organization vDC Gateway: Configure DHCP” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/b755b050-772e-3c9c-9197-111c286f563d” name=”Organization vDC Gateway: Configure Firewall” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/209cde55-55db-33f1-8357-b27bba6898ed” name=”Organization vDC Gateway: Configure IPSec VPN” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/27be9828-4ce4-353e-8f68-5cd69260d94c” name=”Organization vDC Gateway: Configure Load Balancer” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/c9e19573-3d54-3d4a-98f2-f56e446a8ef9″ name=”Organization vDC Gateway: Configure NAT” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/72c5e652-c8d7-3f19-ab83-283d30cb679f” name=”Organization vDC Gateway: Configure Remote Access” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/92b7d500-6bb6-3176-b9eb-d1fda4ce444d” name=”Organization vDC Gateway: Configure SSL VPN” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/f72af304-97b0-379e-9d6d-68eb89bdc6cf” name=”Organization vDC Gateway: Configure Static Routing” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/8e16d30d-1ae3-3fff-8d4b-64c342b186a9″ name=”Organization vDC Gateway: View DHCP” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/7fee6646-ec0c-34c9-9585-aff6f4d92473″ name=”Organization vDC Gateway: View Firewall” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/82beb471-ab7f-3e2b-a615-136ba6645525″ name=”Organization vDC Gateway: View IPSec VPN” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/2a097e48-f4c4-3714-8b24-552b2d573754″ name=”Organization vDC Gateway: View Load Balancer” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/fb860afe-2e15-3ca9-96d8-4435d1447732″ name=”Organization vDC Gateway: View NAT” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/65439584-6aad-3c2c-916f-794099ee85bf” name=”Organization vDC Gateway: View Remote Access” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/cdb0edb0-9623-30a8-89de-b133db7cfeab” name=”Organization vDC Gateway: View SSL VPN” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/9740be24-4dd7-373c-9237-91896338c11e” name=”Organization vDC Gateway: View Static Routing” type=”application/vnd.vmware.admin.right+xml”/>

Once added, all these new Rights are available to be assigned to Roles in the Organization. Note that this Organization Administrator is specific to the ACME Organization. As a result, the Service Provider and/or the Org. Admin can grant specific Rights to different Roles in a very granular way.

The following screenshot shows you the new Rights available to the Organization.

vCloud Director - Advanced Networking Services

This is the resultant view in the new vCloud Director HTML5 Window:

vCloud Director - SSL VPN

As you can see, SSL VPN-Plus can now be configured by the Organization Administrator.

Looking at a specific Service tab like VPN, we can notice that IPsec VPN is present, but L2VPN is not. The reason for this is that we have only included “Base” Services in the list of Service that this Tenant can consume.

vCloud Director - No L2VPN Option

Let’s imagine that our ACME Tenant wants to leverage the Hybrid Cloud capabilities of vCloud Director, for this reason she decides to buy our L2VPN Service offering.

With a simple API PUT, the Service Provider will add the new Right to the ACME Organization:

  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/eeb2b2a0-33a1-36d4-a121-6547ad992d59″ name=”Organization vDC Gateway: Configure L2 VPN” type=”application/vnd.vmware.admin.right+xml”/>
  • <RightReference href=”https://vcd-01a.corp.local/api/admin/right/105191de-9e29-3495-a917-05fcb5ec1ad0″ name=”Organization vDC Gateway: View L2 VPN” type=”application/vnd.vmware.admin.right+xml”/>

After the API call, L2VPN is available as a Right for the ACME Organization. In this example, we are adding the Right to the Organization Administrator.

vCloud Director - L2VPN Flag available

As a result, our Organization Administrator can now configure L2VPN on its Edge Gateways!

vCloud Director - L2VPN Configuration

Once additional Rights are granted to an Organization, an Organization Administrator can assign these Rights to all new Roles that can be added (via API) to the Organization. As a result, a possible use case could be the creation of a limited role for a Security/Network Admin, entitled to only create and/or change Network and Security configurations on Edge Gateways but not to interact with vApps.