This repository has been archived by the owner on Nov 20, 2020. It is now read-only.

Module for nsx_edge_firewall and nsx_loadbalancer #42

Open
wants to merge 4 commits into base: master

Conversation

@sarathk-vmw commented Jan 27, 2017

nsx_edge_firewall

Summary : The module extends nsxansible with the functionality to configure the firewall on an NSX edge or DLR

Details :
Create/Append/Query/Delete/Reset firewall rules and set default action for the given edge firewall.

Sample workflow :

  • Add multiple rules to an edge firewall, modify the global config and default policy
  • Append a firewall rule
  • Delete a specific rule with a given rule ID (rule ID is generated when a rule is created)
  • Change the default firewall action to 'accept','deny' or 'reject'
  • Query the existing edge firewall rules
  • Reset the firewall configuration by deleting all the rules

(See examples and test playbooks for more details)

Notes:

  • Duplicate firewall rules are removed while adding multiple firewall rules
  • A firewall rule is appended only after verifying that the given rule does not already exist
  • I had added the functionality to convert the existing configuration of a given firewall to YAML rulesets. It made sense for our use case as we were having problems manually entering a bunch of firewall rules. The converted YAML rulesets can be slightly modified and fed into Ansible for each new customer.
    I haven't added that functionality here as it was a more specific use case and, moreover, depends on the external 'pyyaml' module.

nsx_loadbalancer

Summary : This is a general purpose module for configuring the load-balancer functionality on an NSX edge appliance

Details : The module uses multiple APIs to create the various load-balancer objects like Application Profiles, Application Rules, Monitors, Pools and Virtual Servers.

Sample Workflow :

  • Create application profiles for TCP and UDP templates
  • Create an application rule to redirect HTTP traffic to HTTPS
  • Create an HTTPS monitor to health check the backend servers
  • Create pool(s) which map to the backend servers and refer to the monitor created above (referring to the monitorName)
  • Create virtual server(s) which maps to a frontend IP address and port. The virtual server also maps to the application profile, application rule and pool using their names specified above.

(See examples and test playbooks for more details)
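
The firewall workflow and the two notes above (duplicates dropped on bulk add, append only when the rule is absent, delete by the ID assigned at creation, reset, and a validated default action) can be modelled offline. The block below is an added illustration written for this page; it is not the nsx_edge_firewall module's code and makes no NSX API calls. Rule IDs are generated locally to stand in for the IDs the edge assigns, the input field names (name, action, source, destination, service, loggingEnabled) are assumed, and the sample rules are constructed. One deliberate choice worth noting: rule identity is the normalised match fields plus the action, not the display name, so the same rule written twice with members in a different order or with a different capitalisation counts as one rule, and ordering of the surviving rules is preserved because the edge evaluates rules top-down.

```python
# Added illustration of the described workflow; not the nsx_edge_firewall
# module's code. No NSX API calls: rule IDs are generated locally to stand in
# for the IDs the edge assigns on creation, and the input field names
# (name, action, source, destination, service, loggingEnabled) are assumed.
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterable, List, Optional, Tuple

VALID_ACTIONS = ("accept", "deny", "reject")


@dataclass(frozen=True)
class Rule:
    """Normalised rule. Match fields are frozensets, so the same rule written
    with members in another order compares equal. The display name is excluded
    from equality (a design choice made here, not something the module states)."""
    action: str
    source: frozenset
    destination: frozenset
    service: frozenset
    logging: bool = False
    name: str = field(default="", compare=False)


def _as_set(value) -> frozenset:
    """Accept a scalar or a list; lower-case and strip every member."""
    if isinstance(value, str):
        value = [value]
    return frozenset(str(v).strip().lower() for v in value)


def normalise(raw: dict) -> Rule:
    """Turn a playbook-style dict into a comparable Rule; reject bad actions."""
    action = str(raw["action"]).strip().lower()
    if action not in VALID_ACTIONS:
        raise ValueError(f"unsupported action {action!r}, expected one of {VALID_ACTIONS}")
    return Rule(
        action=action,
        source=_as_set(raw.get("source", "any")),
        destination=_as_set(raw.get("destination", "any")),
        service=_as_set(raw.get("service", "any")),
        logging=bool(raw.get("loggingEnabled", False)),
        name=str(raw.get("name", "")).strip(),
    )


class EdgeFirewall:
    """Ordered rule table; dict insertion order models match order on the edge."""
    def __init__(self, default_action: str = "deny"):
        self._rules: Dict[int, Rule] = {}
        self._ids = count(131073)  # arbitrary start, stands in for edge-generated IDs
        self.default_action = default_action

    @property
    def default_action(self) -> str:
        return self._default_action

    @default_action.setter
    def default_action(self, action: str) -> None:
        action = action.strip().lower()
        if action not in VALID_ACTIONS:
            raise ValueError(f"default action must be one of {VALID_ACTIONS}, got {action!r}")
        self._default_action = action

    def append(self, raw: dict) -> Optional[int]:
        """Add one rule unless an equivalent one exists; return its new ID or None."""
        rule = normalise(raw)
        if rule in self._rules.values():  # linear scan is fine for edge-sized tables
            return None
        rule_id = next(self._ids)
        self._rules[rule_id] = rule
        return rule_id

    def add_rules(self, raw_rules: Iterable[dict]) -> List[int]:
        """Add a batch; duplicates (within the batch or against existing rules)
        are dropped, keeping the first occurrence and its position."""
        return [rid for rid in map(self.append, raw_rules) if rid is not None]

    def delete(self, rule_id: int) -> bool:
        """Delete by ID; False when no such rule exists (idempotent)."""
        return self._rules.pop(rule_id, None) is not None

    def query(self) -> List[Tuple[int, Rule]]:
        return list(self._rules.items())

    def reset(self) -> None:
        """Drop every rule; the default action is left as is."""
        self._rules.clear()


# Constructed sample input: the second entry is the first rule re-spelled.
SAMPLE_RULES = [
    {"name": "allow-web", "action": "Accept", "source": "any",
     "destination": ["10.0.1.10", "10.0.1.11"], "service": "tcp:443"},
    {"name": "allow-web-again", "action": "accept", "source": ["any"],
     "destination": ["10.0.1.11", "10.0.1.10"], "service": ["TCP:443"]},
    {"name": "log-ssh", "action": "deny", "source": "any",
     "destination": "10.0.1.0/24", "service": "tcp:22", "loggingEnabled": True},
]
```

Calling `EdgeFirewall().add_rules(SAMPLE_RULES)` returns two IDs, because the second sample is the first rule with its destinations reordered and its action and service differently capitalised; a later `append` of either spelling returns None instead of creating a second copy, which is the property that makes re-running a playbook safe.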

@sarathk-vmw changed the title from "Module for nsx_edge_firewall" to "Module for nsx_edge_firewall and nsx_loadbalancer" on Feb 15, 2017
@insidepacket

@sarathk-vmw , hi, could you please suggest when your new edge firewall and load balancer module can be available for use?

@sarathk-vmw (Author)

@insidepacket this is pending on the code review stage and I will not be able to give an ETA on when this will be available. You'll have to check with the core nsxansible team for that.

For now you can use the forked version here : https://github.com/sarathk-vmw/nsxansible
Please check the examples section in the code for usage. (The examples section for nsx_loadbalancer will be updated soon)

@jedelman8

Are there plans to get this merged?

@a-nanasov

@sarathk-vmw thank you for these two modules, hope someday your pr will be merged finally :) great work!

@sarathk-vmw (Author)

@Kenuat Thanks!
@jedelman8 I will check with the owner. Let me know of any improvements/use cases to be addressed.
@yfauser can we merge this to vmw:master?

@mikecurrancs commented Apr 19, 2018

@sarathk-vmw I'm testing this now -- https://github.com/sarathk-vmw/nsxansible -- and the loadbalancer piece doesn't account for any method to update a section unless you rebuild the whole loadbalancer. For 3-5 customers this isn't bad, but when you have 50-70 virtual servers and all the pools and rules that go with them, the loadbalancer_configuration.yml gets a bit large and cumbersome. Can this be broken out to not build the entire LoadBalancer every time you want to add one item?

@a-nanasov commented Apr 26, 2018

@sarathk-vmw I'm trying to configure Virtual Server with several Application Rules applied
https://github.com/vmware/nsxraml/blob/master/md-version/nsxvapi.md says applicationRuleId is a field; I'm not sure, but it seems your module tries to map it as a string.
could you help me with this?

UPD: my fix looks like this:

```python
# Resolve the configured application rule names into their IDs;
# applicationRuleId on the virtual server takes a list, not a single value.
application_rule_id = []
application_rule_names = self._config.get("applicationRuleName", None)
if application_rule_names:
    application_rule_name_to_id = ApplicationRule.MAPPING
    for application_rule_name in application_rule_names:
        # note: an unknown name appends None rather than failing
        application_rule_id.append(application_rule_name_to_id.get(application_rule_name, None))
```

but I think you have a more elegant solution for this :)
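
For the list-valued applicationRuleId point raised in this comment, here is an added example (written for this page, not the nsx_loadbalancer module's code) of resolving several application rule names to IDs before building a virtual server. It assumes a playbook-style config dict with an `applicationRuleName` key that may hold a single name or a list, and a constructed name-to-ID table; the `applicationRule-N` ID form is an assumption. The difference from the snippet above is the failure mode: a name that was never created raises instead of quietly becoming None in the request body, and a rule listed twice is attached once.

```python
# Added example, not the nsx_loadbalancer module's code. The config shape and
# the name-to-ID table are constructed assumptions for illustration.
from typing import Dict, List, Union


class UnknownApplicationRule(ValueError):
    """A virtual server references an application rule that was never created."""


def resolve_application_rule_ids(config: dict, name_to_id: Dict[str, str]) -> List[str]:
    """Map config['applicationRuleName'] (scalar or list) to a list of rule IDs,
    which is the shape applicationRuleId on a virtualServer expects."""
    names: Union[str, List[str], None] = config.get("applicationRuleName")
    if not names:
        return []                  # attaching no rules is a valid configuration
    if isinstance(names, str):     # tolerate a single name written as a scalar
        names = [names]
    ids: List[str] = []
    for name in names:
        if name not in name_to_id:
            raise UnknownApplicationRule(
                f"virtual server {config.get('name')!r} references application rule "
                f"{name!r}, which does not exist; create rules before virtual servers")
        rule_id = name_to_id[name]
        if rule_id not in ids:     # same rule listed twice is attached once, order kept
            ids.append(rule_id)
    return ids


# Constructed data: names the playbook would use and IDs assumed to look like
# the ones the edge returns when an application rule is created.
RULE_NAME_TO_ID = {"http-to-https": "applicationRule-1", "add-xff": "applicationRule-2"}
VS_CONFIG = {"name": "web-vs",
             "applicationRuleName": ["http-to-https", "add-xff", "http-to-https"]}
```

`resolve_application_rule_ids(VS_CONFIG, RULE_NAME_TO_ID)` yields `["applicationRule-1", "applicationRule-2"]`; a config naming a rule absent from the table raises UnknownApplicationRule, which is what you want from an Ansible task, since a None inside the request would be rejected by the API with a far less readable error.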

@hadfiiw commented Jul 3, 2018

@sarathk-vmw Is there a way, on a per-rule basis, to set logging to on? It is usually set with the "action" but I don't see it in the example.

@jstplcag left a comment

sdfasdf

@kntait commented Feb 18, 2020

Is there any update on when this will be merged?

9 participants