Python Script to import Distributed Firewall Rules recommended by vRNI to NSX-T on-prem or VMC on AWS SDDC

vRealize Network Insight – Guide to importing recommended DFW rules to NSX-T or VMC SDDC using Python Script.

Pre-requisites:

  • Python 3.7 or above
  • The requests library, plus the json, argparse, sys, glob, os, xml.dom, xml.etree.ElementTree and getpass modules (all but requests ship with the Python standard library)
  • Connectivity to the internet from the host where the script will be executed
  • Connectivity to VMC SDDC over HTTPS (443)
  • Connectivity to NSX-T Manager or VIP over HTTPS (443)

Follow steps below:

Step: Download the script by clicking the “Download” button on this page

IF VMC:

Step: Copy VMC Refresh token

Login to https://console.cloud.vmware.com/

Click ‘My Account’ -> ‘API Tokens’ tab -> ‘Generate Token’ or Regenerate an existing token

The token must have the NSX Cloud Admin service role under the VMC on AWS service.

Copy token

Step: Collect SDDC ID and VMC Organizational ID

Login to https://console.cloud.vmware.com/

Select “VMware Cloud on AWS” under “My Services” -> Click desired SDDC -> Click Support

Copy the Org ID and SDDC ID

IF NSX-T:

Step: Copy the NSX-T Manager or VIP URL (for example https://manager.fqdn/ )

Note: You must use the full URL, including https:// and the trailing /

Step: Export application rules

  • Log into vRNI
  • Search for “Plan security of application NAME” (changing NAME to the application name you would like to secure)
  • Select the three dots at the top right of the security donut diagram -> click “Export to XML”
  • Unzip the .zip file
  • Take note of the directory (folder) location of the data center folder whose rules you will be importing

Step: Run the script

  • Run the script vRNI_DFW_Rule_to_VMC_or_NSXT_Import.py
    • Use --help for details on the available arguments ( [--help] [--orgid ORGID] [--rulefolder RULEFOLDER] [--sddcid SDDCID] [--refreshtoken REFRESHTOKEN] [--verbose] [--appname APPNAME] [--enablerules] [--nsxtusesr] [--nsxturl] )

***NOTE*** While security groups will be created based on the tier names within the application rules, these created security groups are not populated with the respective VM or IP address members by this script. Until the security group memberships are populated, rules that reference those empty groups match no traffic; populate the memberships so the rules apply to the intended source and destination objects.
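The two notes above (the exact URL form the script expects, and the fact that the created groups start out empty) can be checked before re-running with --enablerules. The following is an added example, not code from the script or this page; it assumes NSX-T Policy API response shapes (groups carrying "path" and "expression", rules carrying "source_groups" and "destination_groups") and uses constructed sample data in place of live manager output.

```python
"""Pre-enable audit for a vRNI-to-NSX-T DFW import (added example, not the script's code).
The import creates one security group per vRNI tier but leaves it empty, and a rule whose
source or destination is an empty group matches no traffic. Assumed Policy API shapes:
groups carry "path" and "expression"; rules carry "source_groups"/"destination_groups"."""
from urllib.parse import urlparse

def normalize_manager_url(url: str) -> str:
    """Enforce the form the script expects: https:// scheme and a trailing '/'."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https" or not parsed.netloc:
        raise ValueError(f"NSX-T manager URL must start with https://: {url!r}")
    return url if url.endswith("/") else url + "/"

def empty_group_paths(groups_response: dict) -> set:
    """Paths of groups with no membership expression, i.e. no static or dynamic members."""
    return {g["path"] for g in groups_response.get("results", []) if not g.get("expression")}

def rules_referencing_empty_groups(rules_response: dict, empty_paths: set) -> list:
    """(rule name, sorted offending group paths) for every rule that uses an empty group."""
    findings = []
    for rule in rules_response.get("results", []):
        refs = rule.get("source_groups", []) + rule.get("destination_groups", [])
        bad = sorted({p for p in refs if p in empty_paths})
        if bad:
            findings.append((rule["display_name"], bad))
    return findings

# Constructed sample data shaped like Policy API list responses (not real manager output).
SAMPLE_GROUPS = {"results": [
    {"id": "App1-web", "display_name": "App1-web",
     "path": "/infra/domains/default/groups/App1-web", "expression": []},
    {"id": "App1-db", "display_name": "App1-db",
     "path": "/infra/domains/default/groups/App1-db",
     "expression": [{"resource_type": "Condition", "member_type": "VirtualMachine",
                     "key": "Tag", "operator": "EQUALS", "value": "App1-db"}]},
]}
SAMPLE_RULES = {"results": [
    {"display_name": "App1-web-to-App1-db", "action": "ALLOW", "disabled": True,
     "source_groups": ["/infra/domains/default/groups/App1-web"],
     "destination_groups": ["/infra/domains/default/groups/App1-db"]},
    {"display_name": "Any-to-App1-db", "action": "ALLOW", "disabled": True,
     "source_groups": ["ANY"], "destination_groups": ["/infra/domains/default/groups/App1-db"]},
]}
def audit_sample() -> list:
    """Run the audit over the constructed sample; expect only the rule using App1-web."""
    return rules_referencing_empty_groups(SAMPLE_RULES, empty_group_paths(SAMPLE_GROUPS))

if __name__ == "__main__":
    for name, paths in audit_sample():
        print(f"rule {name!r} references empty group(s): {', '.join(paths)}")
```

Against a live manager the same two functions can be fed the JSON from the groups and rules list endpoints of the domain the import targeted; any finding means the rule should stay disabled until the group is populated.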

Contributors: 

Trey Tyler <Ttyler@vmware.com>

Kevin Forbes <Kforbes@vmware.com>
