VMware NSX allows you to tag a VM in order to assign specific firewall rules and policies. vCommander can automatically assign these tags based on the type of service (VM) or on specific criteria entered by the requester on the request form.


Requirements

  • vCommander scripts (Download here)
  • vCommander custom attributes created to take values
  • PowerShell v3 installed on the vCommander application server
  • Embotics® vCommander® 6.1.2 or later
  • VMware PowerCLI
  • Embotics vCommander 2.8 REST API PowerShell libraries (Download here)


Prepare the Script Files


Download and extract the scripts to your vCommander application server. Because these scripts are executed by vCommander, Embotics recommends storing all scripts called by vCommander in a single location (for example, c:\Scripts). With the scripts extracted, the file system will look like this:

The scripts require minor editing before they will work with your systems. Refer to the comments in the individual script or the table below for guidance on editing the contents.


| Setting | Description |
|---|---|
| $vCommanderServer | The hostname or IP address of the vCommander server. |
| $CredFile | The credentials file which handles access to your vCommander. For more details, please refer to the Appendix: PowerShell Script Credential Encryption in the vCommander API Getting Started Guide, available here. |
| $vCenterServer | The vCenter Server name as it appears in vCommander. This value must be resolvable via DNS and reachable from the vCommander application server. |
| $vCredFile | The credentials file which handles access to your vCenter. The user must have permission to read the notes for all the VMs you wish to sync to vCommander. For more details, please refer to the Appendix: PowerShell Script Credential Encryption in the vCommander API Getting Started Guide, available here. |
| $nsx | The credentials file which handles access to your NSX Manager appliance. |
| $nCredfile | The credentials file which handles access to your NSX Manager appliance. For more details, please refer to the Appendix: PowerShell Script Credential Encryption in the vCommander API Getting Started Guide, available here. |
| $Attribute | The name of the attribute to be created in vCommander to hold the values. |


Configure Windows Task Scheduler for the nightly sync of Security tags to vCommander

Windows Task Scheduler is used to execute this script on the schedule you define. The steps below are an example using Windows 2008 R2. Other versions of the server OS may introduce slight variations. If you encounter these, refer to Microsoft documentation or contact Embotics Technical Support for assistance.

  1. Logged in as an Administrator, open Task Scheduler from the Administrative Tools in the Start Menu.
  2. In the Actions pane, click Create Basic Task.
  3. Name the task Synchronize vCenter Notes to vCommander and add a meaningful Description. Click Next.
  4. Choose to trigger the task Daily and click Next. Choose a time to run the task, and set it to recur every day. Click Next.

  5. Choose Start a program and click Next. Click Browse… to locate the PowerShell executable.
  6. Add the argument below, using the correct path to your copy of the script. Click Next.

    & 'C:\Scripts\nsx\nsx_SyncSecurityTags.ps1'


  7. Click Finish.
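
The task above can also be created from an elevated PowerShell prompt with schtasks.exe, after first checking that only administrative accounts can change the files in the script folder that the task will execute. This is an added example, not part of the Embotics scripts; the 02:00 start time and the list of trusted accounts (English account names) are assumptions to adjust for your server.

```powershell
# Added example, not part of the Embotics download. Run from an elevated prompt.
$script   = 'C:\Scripts\nsx\nsx_SyncSecurityTags.ps1'   # path to your copy
$taskName = 'Synchronize vCenter Notes to vCommander'   # name used in step 3
$startAt  = '02:00'                                     # assumed start time

# Accounts allowed to change the scripts (assumed list; English account names).
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'

# Rights that let an account alter or replace a file, plus GENERIC_WRITE and
# GENERIC_ALL, which inherit-only entries can carry as raw bits.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask   = [int]$rights -bor 0x40000000 -bor 0x10000000

# Check the script folder and everything stored in it.
$folder = Split-Path -Path $script -Parent
$paths  = @($folder) + @(Get-ChildItem -Path $folder -Recurse | ForEach-Object { $_.FullName })

$findings = foreach ($path in $paths) {
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        $allows   = $ace.AccessControlType -eq 'Allow'
        $canWrite = ([int]$ace.FileSystemRights -band $mask) -ne 0
        if ($allows -and $canWrite -and ($trusted -notcontains $ace.IdentityReference.Value)) {
            New-Object PSObject -Property @{
                Path     = $path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table Path, Identity, Rights -AutoSize | Out-String | Write-Host
    throw "Accounts outside the trusted list can modify files under $folder."
}

# Daily trigger running as the current user, with the argument from step 6.
$action = "powershell.exe -NoProfile -Command & '$script'"
schtasks.exe /Create /TN $taskName /SC DAILY /ST $startAt /TR $action
```

On a default Windows installation, a folder created directly under C:\ inherits Modify rights for Authenticated Users, which is the kind of entry this check reports.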


Run Scheduled Task


Now run the task and ensure it populates vCommander properly.

  1. Run the task in Task Scheduler.
  2. If successful, log in to vCommander and ensure the Security Tag attribute was created and populated from NSX. It should look similar to these:

Update Service Catalog



  • Finally, configure the component in the service so that the tag is either set administratively, based on the service catalog item itself, or offered as a form selection that allows the user to choose it based on their requirement.

    1. Select the service definition in your catalog that you would like to set up for NSX tagging. Note that the Provisioning Destination that this catalog item can be deployed to must be set up and configured for NSX.
    2. There are a couple of ways to configure the component to have the attribute set:
      1. First, and most common, is a specific attribute set on a component but not presented on a form to the requesting user. Just add the attribute and select the default value for the service and that's
      2. As a secondary option, if your tags are easy for a user to understand for the service they are requesting, after doing step 1 above, navigate to the Form tab and add the Security Tag attribute to the form for user selection from the toolbox on the right. Edit the attribute and make the selection required.
      3. Click Finish.
    3. Add the second NSX integration script to the completion workflow. Locate your completion workflow and add an Execute Script step. In the example it's named "Set NSX Security Tag".


    4. Set the step to be conditional (Execute when the following conditions are met) with the following logic to ensure it will only run for services configured for NSX tags:

        #{target.settings.customAttribute['Security Tag']} -ne ""

    5. In the Command Line window, insert the following if you used the same c:\Scripts folder location:

        Powershell.exe C:\Scripts\NSX\Set_NSXSecurityTag.ps1 -vmRemoteID '#{target.remoteId}' -NSXSecTag '#{target.settings.customAttribute['Security Tag']}'

    6. Select Next on the completion workflow until the Finish button is presented to save your changes.


Test and Verify


Now request your service and verify that everything is configured properly. You will notice that the conditional logic was met, triggering the script to run and tag the provisioned VM.


Looking at the target in vCommander, we can see that the Security Tag was assigned, along with an associated NSX network.