Using NSX In vRealize Automation Blueprints

Extending the Power of NSX to vRealize Automation

Integrating NSX with vRealize Automation quickly adds network automation capabilities to the self-service portal, giving administrators and designers the ability to build network blueprints into standard service offerings. This not only decreases the time to deliver services that require network components, but also increases the security and availability of those services by ensuring that network changes conform to a consistent set of rules when deployed.

Adding NSX integration to vRealize Automation

Integrating NSX with vRealize Automation is a simple process, provided NSX has already been successfully deployed to your environment.

First, visit the Infrastructure tab, click the Endpoints menu option on the right, and then click the Endpoints sub-menu, also on the right.  (Side note: vRA menus and sub-menus are a confusing mess sometimes).

Click New endpoint > Network and Security > NSX.

Adding a new NSX Endpoint in vRealize Automation

Enter the NSX Manager connection information, and click Test Connection.

Enter NSX information and test connection

If using self-signed, untrusted certificates, accept the certificate after verifying its details in the popup.

Accept untrusted certificate

After a successful connection test, a success message will appear at the top of the page.

Successful test connection

Click OK to create the endpoint.
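The certificate acceptance step above only protects the connection if the certificate in the popup is compared against a fingerprint obtained out of band. The following is an added example, not part of the original post or of vRA: it computes the SHA-256 fingerprint of the certificate a host presents so it can be compared with a trusted value. The function names, the sample certificate bytes and the assumption that the trusted fingerprint was read from the appliance through a separate channel are all illustrative.

```python
import hashlib
import hmac
import ssl

# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def sha256_fingerprint(pem_cert: str) -> str:
    """Return the SHA-256 fingerprint of a PEM certificate as AA:BB:... hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Strip separators and case so differently formatted fingerprints compare equal."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(pem_cert: str, trusted_fingerprint: str) -> bool:
    """Compare the presented certificate against the out-of-band fingerprint."""
    presented = normalize(sha256_fingerprint(pem_cert))
    return hmac.compare_digest(presented, normalize(trusted_fingerprint))


def check_host(host: str, trusted_fingerprint: str, port: int = 443) -> bool:
    """Fetch the certificate the host presents (no chain validation) and compare it.

    The host name is whatever was typed into the endpoint form; the trusted
    fingerprint is assumed to come from a separate, trusted channel.
    """
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_matches(pem, trusted_fingerprint)


if __name__ == "__main__":
    trusted = sha256_fingerprint(SAMPLE_PEM)
    print("match" if fingerprint_matches(SAMPLE_PEM, trusted) else "MISMATCH")
```

Accept the certificate in the popup only when the fingerprint shown there equals the trusted value; a mismatch means the endpoint being tested is not the appliance the fingerprint was taken from.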

Associating the NSX Endpoint to a vCenter Endpoint

Once the NSX endpoint has been created, it needs to be associated with a vCenter endpoint that already exists in the vRA configuration.

In the endpoint list, edit a vCenter Endpoint.

Edit a vCenter Endpoint

Click the Associations tab and click the New button to create a new association.

Add an NSX association to the vCenter Endpoint

Select the NSX Manager previously added.  This will be the NSX manager associated with this vCenter endpoint.

Select the NSX Endpoint

Click the OK button in the associations list to finish creating the association.

Click OK to create the association

Click the OK button at the bottom of the form to save changes to the vCenter endpoint.

Click OK to save the vCenter Endpoint changes

Integration with NSX is now complete. 

Data collection on the endpoints must occur in order to discover the NSX objects managed by the NSX Manager and vCenter server, so it may take a few minutes before these objects are available in the blueprint editor for consumption.

Consuming NSX Components in vRealize Automation Blueprints

Once NSX has been integrated with vRealize Automation, the next step is to begin using the components in blueprints.  There are a number of components available, including existing networks, on-demand networks, on-demand load balancers, security groups, and more.

NSX integration with vRA enables the creation of logical/virtual networks on-the-fly at request time.  These can be combined with existing networks and network profiles to determine if the networks should be routable or NAT’ed behind an on-demand NSX Edge firewall appliance.

A common application for NSX is to create multi-tiered applications that utilize an on-demand load balancer, and implement micro-segmentation.

The following blueprint illustrates this concept.

NSX Components in vRealize Automation Blueprint

In this blueprint, an on-demand load balancer is created to act as the front door to the provisioned application. The application tier hosts one or more application servers that run on JBoss, and other components are built as necessary using vRA software components.

The blueprint also builds out a Messaging tier and a Database tier, which host virtual machines to handle a message bus and a database as back-end and middle components of the multi-tier application. Each of the servers in these tiers is automatically added to pre-existing NSX security groups, which ensures that micro-segmentation is enforced on these workloads. Micro-segmentation, in a nutshell, is a method by which NSX can filter traffic between workloads on the same or different networks based on metadata and additional criteria about the workloads. In this case, the criteria that determine whether traffic is forwarded or dropped are defined by security group membership: as soon as these workloads are created, they are added to the security group identified in the blueprint, and NSX immediately begins filtering traffic according to those rules.
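The group-based filtering described above can be reasoned about with a small model. This is an added example, not NSX or vRA code and not from the original post: the group names, ports, rule set and the final default-drop rule are assumptions chosen to mirror the load balancer, application, messaging and database tiers in the blueprint.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    action: str  # "allow" or "drop"

# Constructed policy for the blueprint's tiers; group names and ports are assumptions.
RULES = [
    Rule("sg-lb", "sg-app", 8080, "allow"),
    Rule("sg-app", "sg-msg", 5672, "allow"),
    Rule("sg-app", "sg-db", 5432, "allow"),
]

class Inventory:
    """Tracks which security groups each provisioned workload belongs to."""

    def __init__(self):
        self.groups = {}

    def provision(self, vm, groups=()):
        # The blueprint names the groups, so membership exists from creation time.
        self.groups[vm] = frozenset(groups)

    def ungrouped(self):
        # Workloads that no group-based rule can match: a blueprint gap to flag.
        return sorted(vm for vm, g in self.groups.items() if not g)

def decide(inv, src_vm, dst_vm, port, rules=RULES):
    """First matching rule wins; unmatched traffic hits the assumed default drop."""
    src = inv.groups.get(src_vm, frozenset())
    dst = inv.groups.get(dst_vm, frozenset())
    for rule in rules:
        if rule.src_group in src and rule.dst_group in dst and rule.port == port:
            return rule.action
    return "drop"

def sample_inventory():
    inv = Inventory()
    inv.provision("lb-01", ["sg-lb"])
    inv.provision("app-01", ["sg-app"])
    inv.provision("msg-01", ["sg-msg"])
    inv.provision("db-01", ["sg-db"])
    inv.provision("app-02", ["sg-app"])  # scale-out: covered with no rule change
    inv.provision("util-01")             # deployed without a security group
    return inv
```

In this model a scaled-out application server reaches the database as soon as it is provisioned, the load balancer never does, and a machine deployed without a group is both isolated and reported by `ungrouped()`. Whether unmatched traffic is dropped in a real deployment depends on how the default firewall rule is configured.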

Using the various components available in a vRA blueprint for automating the creation and lifecycle of NSX constructs, we can quickly add value to repeatable service offerings requested from vRA.  These include network automation and security functions that in a traditional operating model might take days, weeks, or even months to request through official/human channels and review processes.  The vRA blueprint codifies an organization’s approved network changes and ensures only those changes that are approved are executed by virtue of a request for a blueprint through the vRA self-service portal.

This enables an organization to significantly increase the power they can leverage from an NSX and vRA implementation.

