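├── Deploy 3 Tier App ├── Remove_TechSummit_3TA_Build.ps1 ├── TechSummit_3TA_Build.ps1 └── TechSummit_3TA_Build_Flat.ps1 ├── Deploy ECMP └── ecmp.ps1 ├── Deploy Log Insight ├── Log Insight 3 Single.ps1 ├── Log Insight Deploy+Configure+Segment - SINGLE.ps1 ├── Log Insight Purge.ps1 ├── Log Insight Segment+Deploy - SINGLE.ps1 ├── Log Insight Segment+Deploy.ps1 ├── Log Insight Segment.ps1 └── Log Insight Three.ps1 ├── FQDN-IPset-update └── fqdn-ipset.ps1 ├── IP Validator └── ipvalidator.ps1 ├── Microsegment └── LogInsightSegmentation.ps1 ├── NSX Rule Validator └── Rule-validator.ps1 ├── NSX Validation scripts ├── dfw-heap-test.ps1 ├── test-3TA-lb-status.ps1 └── test-nsx-controller-manager.ps1 ├── NSX-License └── nsx-license.ps1 ├── NSX-T-Bits ├── nsxt-all.ps1 ├── nsxt-cleanup.ps1 ├── nsxt-controller.ps1 ├── nsxt-edge.ps1 ├── nsxt-manager.ps1 └── nsxt-supporting-bits.ps1 ├── NSX-T ├── firewallrule-loop.ps1 ├── nsx_role_ids.txt └── nsxuser_create.ps1 ├── PowerLogInsight ├── PowerLI.ps1 └── PowerLI.psm1 ├── README.md ├── Security Loops ├── Loop_1.ps1 ├── Loop_2.ps1 ├── Loop_3.ps1 └── Loop_cleanup.ps1 ├── Slack Chat └── SlackChat.ps1 ├── SysSet └── SysSet.ps1 ├── Terraform └── Deploy 3 Tier App │ └── main.tf ├── k8s-harbor-dump ├── daemon.json └── squid.conf ├── nsxt-dynamictags.ps1 ├── nsxt-k8s └── single-master-node │ └── ubuntu │ ├── kubeadm.yaml │ ├── ncp-rc.yaml │ ├── nsx-node-agent-ds.yaml │ └── rbac-ncp.yaml └── vRA Load Balancer └── vRA_Load_Balancer.ps1
/Deploy 3 Tier App/Remove_TechSummit_3TA_Build.ps1:
--------------------------------------------------------------------------------
## Remove_TechSummit_3TA_Build ##
## Author: Anthony Burke t:@pandom_ b:networkinferno.net
## version 1.2
## January 2015
#--------------------------------------------------
#  ____   __   _  _  ____  ____  __ _  ____  _  _
# (  _ \ /  \ / )( \(  __)(  _ \(  ( \/ ___)( \/ )
#  ) __/(  O )\ /\ / ) _)  )   //    /\___ \ )  (
# (__)   \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
# PowerShell extensions for NSX for vSphere
#--------------------------------------------------

#Permission is hereby granted, free of charge, to any person obtaining a copy of
#this software and associated documentation files (the "Software"), to deal in
#the Software without restriction, including without limitation the rights to
#use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
#of the Software, and to permit persons to whom the Software is furnished to do
#so, subject to the following conditions:

#The above copyright notice and this permission notice shall be included in all
#copies or substantial portions of the Software.

#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
#SOFTWARE.

### Note
#This powershell script should be considered entirely experimental and dangerous
#and is likely to kill babies, cause war and pestilence and permanently block all
#your toilets. Seriously - It's still in development, not tested beyond lab
#scenarios, and its recommended you dont use it for any production environment
#without testing extensively!

# Removes 3TA from environment.
#
# Scope of this teardown, as written below:
#   * every VM behind any logical switch in every transport zone is killed and deleted from disk;
#   * ALL logical routers, ALL edges, ALL logical switches and ALL vApps are removed (not only the 3TA ones);
#   * the firewall section, security groups and IP sets are removed by name. Those names are not declared
#     in this file; they are expected to already exist in the session (the build script's variables).

# Refuse to start unless every name the targeted part of the cleanup depends on is set. If one of them is
# empty, the matching Get-Nsx* call further down would receive $null instead of a name, which presumably
# matches every object of that type rather than the 3TA one — TODO confirm against the PowerNSX cmdlets.
$RequiredNames = 'FirewallSectionName', 'WebSgName', 'AppSgName', 'DbSgName', 'BooksSgName'
foreach ($RequiredName in $RequiredNames) {
    $RequiredValue = Get-Variable -Name $RequiredName -ValueOnly -ErrorAction SilentlyContinue
    if ([string]::IsNullOrEmpty($RequiredValue)) {
        throw "Variable `$$RequiredName is not set in this session; set it before running the 3TA teardown."
    }
}

write-host -foregroundcolor "Green" "Halting all VMs attached to Logical Topology"
Get-NsxTransportZone | Get-NsxLogicalSwitch | Get-NsxBackingPortGroup | GET-Vm | Stop-Vm -Kill -confirm:$false
start-sleep 15
# Erases the VMDKs from the datastore
write-host -foregroundcolor "Green" "Deleting VMs from Disk"
Get-NsxTransportZone | Get-NsxLogicalSwitch | Get-NsxBackingPortGroup | GET-Vm | Remove-Vm -DeletePermanently -confirm:$false
# Deleting the logical router (every DLR returned by Get-NsxLogicalRouter)
write-host -foregroundcolor "Green" "Deleting Logical routers"
Get-NsxLogicalRouter | Remove-NsxLogicalRouter -confirm:$false
write-host -foregroundcolor "Green" "Deleting Edges"
# Deleting the NSX Edge gateway (every edge returned by Get-NsxEdge)
Get-NsxEdge | Remove-NsxEdge -confirm:$false
write-host -foregroundcolor "Green" "20 seconds wait time for VMs to stop"
start-sleep 20
# Removes the logical Switches
write-host -foregroundcolor "Green" "Deleting Logical Switches"
get-NsxTransportZone | get-NsxLogicalSwitch | remove-NsxLogicalSwitch -confirm:$false
write-host -foregroundcolor "Green" "Erasing vApp"
get-vapp | remove-vapp -confirm:$false
#Kills microsegmentaiton of TS_3TA including the created Security Groups, IP Sets, and Firewall Section.
write-host -foregroundcolor "Green" "Putting out the fire"
# The name filter keeps the default section even if $FirewallSectionName were to match it.
get-NsxFirewallSection $FirewallSectionName | ? {$_.name -ne "default"} | remove-NsxFirewallSection -force -confirm:$False

write-host -foregroundcolor "Green" "Removing the intelligence (Security Groups)"
get-NsxSecurityGroup $WebSgName | Remove-NsxSecurityGroup -force -confirm:$False
get-NsxSecurityGroup $AppSgName | Remove-NsxSecurityGroup -force -confirm:$False
get-NsxSecurityGroup $DbSgName | Remove-NsxSecurityGroup -force -confirm:$False
get-NsxSecurityGroup $BooksSgName | Remove-NsxSecurityGroup -force -confirm:$False
# IP sets are addressed by literal name here (they are not parameters).
get-nsxipset AppVIP_IpSet | Remove-NsxIpSet -force -confirm:$false
get-nsxipset InternalESG_IpSet| Remove-NsxIpSet -force -confirm:$false
Get-NsxIpSet Source_Network | Remove-NsxIpSet -force -confirm:$false
Get-NsxIpSet 'Source Test Network' | Remove-NsxIpSet -force -confirm:$false

write-host -foregroundcolor "Green" "Purge complete"
--------------------------------------------------------------------------------
/Deploy ECMP/ecmp.ps1:
--------------------------------------------------------------------------------
#t: 8-way ECMP with BGP.
#a: Anthony Burke
#ECMP 8-way
# Script's goal is to create an 8-way ECMP edge with upstream.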
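#
#         X (upstream router)
#         |
#         |
#  _______________ (ecmp network LS)
#  | | | | | | | |
#  X X X X X X X X (8-node ecmp edges)
#  | | | | | | | |
#  --------------- (transit LS)
#         |
#       (dlr)



param (

    #Generic Edge requirements
    $ClusterName = 'Mgmt01',
    $DatastoreName = 'MgmtData',
    $CompClusterName = 'Compute01',
    $CompDatastoreName = 'CompData',
    $EdgeUplinkNetworkName = 'Internal',
    # One password is applied to every edge created below (all of them also get SSH enabled).
    # This is a lab default; pass a real value at run time rather than editing it in here.
    $Password = 'VMware1!VMware1!',
    $FormFactor = 'Compact',
    $DefaultSubnetBits = '24',
    $EdgeAs = '43214',
    $DlrAs = '52008',
    $upsteamAs = '23314',
    #MgtVdS
    $MgtVds = 'Mgt_Trans_Vds',
    #Logical Switches
    $EdgeToUpstreamLsName = 'ecmp-network',
    $DlrToEdgeLsName = 'transit-network',
    $ls1 = '172.16.201.1',
    $ls2 = '172.16.202.1',
    $ls3 = '172.16.203.1',
    $ls4 = '172.16.204.1',
    $ls5 = '172.16.205.1',
    $ls6 = '172.16.206.1',
    $ls7 = '172.16.207.1',
    $ls8 = '172.16.208.1',
    $ls9 = '172.16.209.1',
    $ls10 = '172.16.210.1',
    #DLR Configuration
    $DlrUplinkPrimaryAddress = '172.16.20.1',
    $DlrRouterId = '172.16.20.2',
    $DlrName = "ecmp-dlr",
    #Edge Configuration
    # edge0 is the upstream router; edge1-8 are the ECMP members. The per-edge loops below
    # read these by name (edge<N>name / edge<N>uplinkaddress / edge<N>internaladdress).
    $edge0name = 'upstream-edge',
    $edge0uplinkaddress = '192.168.100.173',
    $edge0internaladdress = '172.16.10.1',

    $edge1name = 'ecmp-edge1',
    $edge1uplinkaddress = '172.16.10.11',
    $edge1internaladdress = '172.16.20.11',

    $edge2name = 'ecmp-edge2',
    $edge2uplinkaddress = '172.16.10.12',
    $edge2internaladdress = '172.16.20.12',

    $edge3name = 'ecmp-edge3',
    $edge3uplinkaddress = '172.16.10.13',
    $edge3internaladdress = '172.16.20.13',

    $edge4name = 'ecmp-edge4',
    $edge4uplinkaddress = '172.16.10.14',
    $edge4internaladdress = '172.16.20.14',

    $edge5name = 'ecmp-edge5',
    $edge5uplinkaddress = '172.16.10.15',
    $edge5internaladdress = '172.16.20.15',

    $edge6name = 'ecmp-edge6',
    $edge6uplinkaddress = '172.16.10.16',
    $edge6internaladdress = '172.16.20.16',

    $edge7name = 'ecmp-edge7',
    $edge7uplinkaddress = '172.16.10.17',
    $edge7internaladdress = '172.16.20.17',

    $edge8name = 'ecmp-edge8',
    $edge8uplinkaddress = '172.16.10.18',
    $edge8internaladdress = '172.16.20.18'

)



## Environment checks
[int]$PowerCliMajorVersion = (Get-PowerCliVersion).major

#if ( -not ($PowerCliMajorVersion -ge 6 ) ) { throw 'This script requires PowerShell 6' }

try {
    $Cluster = get-cluster $ClusterName -errorAction Stop
    $DataStore = get-datastore $DatastoreName -errorAction Stop
    $EdgeUplinkNetwork = get-vdportgroup $EdgeUplinkNetworkName -errorAction Stop
}
catch {
    # Double-quoted so the underlying error is interpolated into the message (single quotes left it literal).
    throw "Failed getting vSphere Inventory Item: $_"
}

## Per-edge settings, gathered from the edge<N>* parameters so the rest of the script can loop.
# Index 0 is the upstream edge, 1-8 are the ECMP edges.
$EdgeSettings = @{}
foreach ($i in 0..8) {
    $EdgeSettings[$i] = @{
        Name            = (Get-Variable -Name "edge${i}name" -ValueOnly)
        UplinkAddress   = (Get-Variable -Name "edge${i}uplinkaddress" -ValueOnly)
        InternalAddress = (Get-Variable -Name "edge${i}internaladdress" -ValueOnly)
    }
}
$EcmpEdgeIndexes = 1..8

## Logical Switches
Write-Host -ForegroundColor Green "Creating transit LS $DlrToEdgeLsName and $EdgeToUpstreamLsName"
$DlrToEdgeLs = Get-NsxTransportZone | New-NsxLogicalSwitch -name $DlrToEdgeLsName
$EdgeToUpstreamLs = Get-NsxTransportZone | New-NsxLogicalSwitch -name $EdgeToUpstreamLsName

## Creating DLR

# DLR Appliance has the uplink router interface created first.

$DlrvNic0 = New-NsxLogicalRouterInterfaceSpec -type Uplink -Name $DlrToEdgeLsName -ConnectedTo $DlrToEdgeLs -PrimaryAddress $DlrUplinkPrimaryAddress -SubnetPrefixLength $DefaultSubnetBits
Write-Host -ForegroundColor Green "Creating $dlrname DLR"
# The DLR is created with the first vnic defined, and the datastore and cluster on which the Control VM will be deployed.
$Dlr = New-NsxLogicalRouter -name $DlrName -ManagementPortGroup $EdgeUplinkNetwork -interface $DlrvNic0 -cluster $Cluster -datastore $Datastore

# BGP/ECMP are switched on here; forwarding and protocol addresses are set again further down.
Get-NsxLogicalRouter $DlrName | Get-NsxLogicalRouterRouting | Set-NsxLogicalRouterRouting -EnableBgp -LocalAs $DlrAs -enableEcmp -RouterId $DlrRouterId -confirm:$false | out-null

#This is quite slow. I should go ahead and create the interfacespec here and then store them in a hash table. Then loop over table on DLR creation. it will be faster.
Write-Host -ForegroundColor Green "Adding interfaces to DLR"
$lifs = @($ls1,$ls2,$ls3,$ls4,$ls5,$ls6,$ls7,$ls8,$ls9,$ls10)

# One new logical switch plus one internal DLR interface per $lsN address.
foreach ($lif in $lifs) {
    $ls = Get-NsxTransportzone | New-NsxLogicalSwitch -name "Network-$lif"
    $int = Get-NsxLogicalRouter $dlrName | New-NsxLogicalRouterInterface -type Internal -Name "Network-$Lif" -ConnectedTo $Ls -PrimaryAddress $lif -SubnetPrefixLength $DefaultSubnetBits
}

## Scoping Management DVS and cluster

# Edges connect to the backing portgroup on the management VDS, not to the logical switch object itself.
$EdgeToUpstreamLs = $EdgeToUpstreamLs | Get-NsxBackingPortGroup | Where { $_.VDSwitch -match ("$MgtVds") }
$TransitNetwork = $DlrToEdgeLs | Get-NsxBackingPortGroup | Where { $_.VDSwitch -match ("$MgtVds") }
Write-Host -ForegroundColor Green "Creating Edge Interface specs"
## Defining Edge Interface Specs
# Upstream edge: uplink on the external portgroup, downlink into the ECMP network LS.
# ECMP edges: uplink into the ECMP network LS, downlink into the transit LS towards the DLR.
$EdgeInterfaces = @{}
$EdgeInterfaces[0] = @(
    (New-NsxEdgeinterfacespec -index 0 -Name 'Uplink' -type Uplink -PrimaryAddress $EdgeSettings[0].UplinkAddress -SubnetPrefixLength $DefaultSubnetBits -ConnectedTo $EdgeUplinkNetwork),
    (New-NsxEdgeInterfaceSpec -index 1 -Name 'Downlink' -type Internal -PrimaryAddress $EdgeSettings[0].InternalAddress -SubnetPrefixLength $DefaultSubnetBits -ConnectedTo $EdgeToUpstreamLs)
)
foreach ($i in $EcmpEdgeIndexes) {
    $EdgeInterfaces[$i] = @(
        (New-NsxEdgeinterfacespec -index 0 -Name 'Uplink' -type Uplink -PrimaryAddress $EdgeSettings[$i].UplinkAddress -SubnetPrefixLength $DefaultSubnetBits -ConnectedTo $EdgeToUpstreamLs),
        (New-NsxEdgeInterfaceSpec -index 1 -Name 'Downlink' -type Internal -PrimaryAddress $EdgeSettings[$i].InternalAddress -SubnetPrefixLength $DefaultSubnetBits -ConnectedTo $TransitNetwork)
    )
}

Write-Host -ForegroundColor Green "Creating Edges"
## Creating Edge
$Edges = @{}
# Upstream edge keeps its firewall enabled (default-allow policy); SSH is enabled with the shared $Password.
$Edges[0] = New-NsxEdge -name $EdgeSettings[0].Name -cluster $Cluster -datastore $DataStore -Interface $EdgeInterfaces[0] -Password $Password -FormFactor $FormFactor -FwDefaultPolicyAllow -AutoGenerateRules -enableSSH
# ECMP edges: edge firewall disabled (-FwEnabled:$False) and SSH enabled with the shared $Password.
# That is a lab posture; review both before reusing this outside a lab.
foreach ($i in $EcmpEdgeIndexes) {
    $Edges[$i] = New-NsxEdge -name $EdgeSettings[$i].Name -cluster $Cluster -datastore $DataStore -Interface $EdgeInterfaces[$i] -Password $Password -FormFactor $FormFactor -FwEnabled:$False -FwDefaultPolicyAllow -AutoGenerateRules -enableSSH
}
Write-Host -ForegroundColor Green "Configuring BGP on Edges"
##Enable BGP on Edges
# The upstream edge runs in $upsteamAs, not $EdgeAs (the message used to name the wrong AS).
Write-Host -ForegroundColor Green "Configuring Upsteam Edge BGP for AS $upsteamAs"
get-nsxedge -name $EdgeSettings[0].Name | Get-NsxEdgeRouting | Set-NsxEdgeRouting -EnableBgp -RouterId $EdgeSettings[0].UplinkAddress -EnableEcmp -LocalAs $upsteamAs -confirm:$false | out-null
Write-Host -ForegroundColor Green "Configuring Edge 1-8 BGP for AS $EdgeAs"
foreach ($i in $EcmpEdgeIndexes) {
    get-nsxedge -name $EdgeSettings[$i].Name | Get-NsxEdgeRouting | Set-NsxEdgeRouting -EnableBgp -RouterId $EdgeSettings[$i].UplinkAddress -EnableEcmp -LocalAs $edgeAs -confirm:$false | out-null
}

Write-Host -ForegroundColor Green "Configuring Edge to DLR BGP Peering"
## Define Edge to DLR Peering
# Every ECMP edge peers with the DLR at $dlrrouterid.
foreach ($i in $EcmpEdgeIndexes) {
    get-nsxedge -name $EdgeSettings[$i].Name | Get-NsxEdgeRouting | New-NsxEdgeBgpNeighbour -IpAddress $dlrrouterid -RemoteAs $dlrAs -confirm:$false | Out-Null
}

## Define Edge to Upstream router peering
Write-Host -ForegroundColor Green "Configuring Edge to Upstream peering"
# Every ECMP edge peers with the upstream edge's internal (downlink) address.
foreach ($i in $EcmpEdgeIndexes) {
    get-nsxedge -name $EdgeSettings[$i].Name | Get-NsxEdgeRouting | New-NsxEdgeBgpNeighbour -IpAddress $edge0internaladdress -RemoteAs $upsteamas -confirm:$false | Out-Null
}

## Upstream Router $edge0 to Edges
Write-Host -ForegroundColor Green "Configuring Upsteam peering to all Edges "
# The upstream edge gets one neighbour per ECMP edge uplink address.
foreach ($i in $EcmpEdgeIndexes) {
    get-nsxedge -name $EdgeSettings[0].Name | Get-NsxEdgeRouting | New-NsxEdgeBgpNeighbour -IpAddress $EdgeSettings[$i].UplinkAddress -RemoteAs $EdgeAs -confirm:$false | Out-Null
}

## Configure DLR BGP
Write-Host -ForegroundColor Green "Configuring DLR BGP for AS $dlras "
# NOTE(review): this call pairs -forwardingAddress $dlrrouterid with -protocoladdress $DlrUplinkPrimaryAddress,
# while the neighbour rules below use the opposite pairing and the edges peer with $dlrrouterid. One of the
# two looks swapped — confirm which the DLR ends up using before relying on this. Left as the author wrote it.
get-nsxlogicalrouter -name $dlrName | Get-NsxLogicalRouterRouting | Set-NsxLogicalRouterRouting -EnableBgp -RouterId $dlrrouterid -forwardingAddress $dlrrouterid -protocoladdress $DlrUplinkPrimaryAddress -LocalAs $dlras -confirm:$false | out-null


## Configure DLR BGP Neighbors
Write-Host -ForegroundColor Green "Configuring DLR peering to all Edges "
Get-NsxLogicalRouter -name $dlrname | Get-NsxLogicalRouterRouting | Set-NsxLogicalRouterRouting -EnableBgpRouteRedistribution -confirm:$false | Out-Null
Get-NsxLogicalRouter -name $dlrName | Get-NsxLogicalRouterRouting | New-NsxLogicalRouterRedistributionRule -learner bgp -FromConnected -confirm:$false | Out-Null
# One DLR neighbour per ECMP edge, addressed by the edge's internal (transit) address.
foreach ($i in $EcmpEdgeIndexes) {
    Get-nsxlogicalrouter -name $dlrname | Get-NsxLogicalRouterRouting | New-NsxLogicalRouterBgpNeighbour -IpAddress $EdgeSettings[$i].InternalAddress -RemoteAs $EdgeAs -forwardingaddress $DlrUplinkPrimaryAddress -protocoladdress $DlrRouterId -confirm:$false | Out-Null
}
--------------------------------------------------------------------------------
/Deploy Log Insight/Log Insight 3 Single.ps1:
--------------------------------------------------------------------------------
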
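## Log Insight Parameters

## Cluster Settings

# Deploys ONE Log Insight appliance (node 1) from the OVA and powers it on.
# The node 2 / node 3 parameters are accepted for interface compatibility but are not used in this file.
param (
    $ClusterName = "Mgmt01",
    $DatastoreName = "NFS-DS-001",
    $VdsName = "mgt-vds01",
    $VdPortGroupName = "VLAN999-MGT-Guest",
    ## OVA Global settings
    $LogInsightOvaLocation = "Z:\Lab\vrli.ova",
    $IpProtocol = "IPv4",


    ## Log Insight OVA Settings
    $LogInsightApplianceSize = "medium",
    $LogInsightPortGroupName = "$VdPortGroupName",

    $LogInsightHostName1 = "mgt-loginsight01",
    $LogInsightIpAddress1 = "10.35.254.81",
    $LogInsightHostName2 = "mgt-loginsight02",
    $LogInsightIpAddress2 = "10.35.254.82",
    $LogInsightHostName3 = "mgt-loginsight03",
    $LogInsightIpAddress3 = "10.35.254.83",
    $LogInsightNetmask = "255.255.255.128",
    $LogInsightGateway = "10.35.254.1",
    $LogInsightDns = "10.35.254.4",
    $LogInsightSearchPath = "sin.nicira.eng.vmware.com",
    $LogInsightDomain = "sin.nicira.eng.vmware.com",
    # Appliance root password, injected into the OVF. A plain-text default lives here;
    # supply it at run time instead of editing this file for anything beyond a lab.
    $RootPw = "VMware1!"

)

## DO NOT EDIT BELOW HERE
$Cluster = (Get-Cluster $ClusterName)
$Datastore = (Get-Datastore $DatastoreName)
$PortGroup = (Get-Vdswitch $vdsname | Get-Vdportgroup $LogInsightPortGroupName)
# Place the appliance on the least memory-loaded host in the cluster.
$VMHost = $Cluster| Get-VMHost | Sort MemoryUsageGB | Select -first 1



$OvfConfiguration = Get-OvfConfiguration $LogInsightOvaLocation

$OvfConfiguration.IpAssignment.IpProtocol.value = $IpProtocol
$OvfConfiguration.DeploymentOption.value = $LogInsightApplianceSize

$OvfConfiguration.NetworkMapping.Network_1.value = $PortGroup


# vami properties for node 1 only.
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.hostname.value = $LogInsightHostName1
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.ip0.value = $LogInsightIpAddress1
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.netmask0.value = $LogInsightNetmask
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.gateway.value = $LogInsightGateway
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.DNS.value = $LogInsightDns
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.searchpath.value = $LogInsightSearchPath
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.domain.value = $LogInsightDomain
$OvfConfiguration.vm.rootpw.value = $RootPw

Import-vApp $LogInsightOvaLocation -OvfConfiguration $OvfConfiguration -name $LogInsightHostName1 -Location $Cluster -VMhost $Vmhost -Datastore $Datastore
# Start the VM that was just imported; it was named $LogInsightHostName1 above
# (the previous lookup used the undefined $LogInsightHostName).
get-vm $LogInsightHostName1 | start-vm



--------------------------------------------------------------------------------
/Deploy Log Insight/Log Insight Deploy+Configure+Segment - SINGLE.ps1:
--------------------------------------------------------------------------------
# Log Insight Segmentation Tool v0.1
# a: Anthony Burke
# b: networkinferno.net
# t: pandom_
#


param (

    #########################
    # Default Ports for Log Insight

    $http = "80",
    $https = "443",
    $ssh = "22",
    #Sending sources
    $syslog = "514",
    $secureSyslog = "1514",
    $agent = "9000",
    $secureAgent = "9543",
    #Food and Water
    $Ntp = "123",
    #SMTP
    $SMTP = "25",
    $SMTPS = "465",
    #DNS
    $DNS = "53",
    #Active Directory
    $AD = "389",
    $ADssl = "636",
    $ADLogServer = "3268",
    $ADGlobalCatalog = "3269",
    $Kerberos = "88",
    ##############
    # Firewall Rule addendum
    $LogInsightFirewallSectionName = "Log Insight Node",
    $LogInsightSecurityTagName = "ST-LogInsight-Node",
    $FirewallRuleManagementName = "FW-LogInsight-Management",
    $FirewallRuleExternalName = "FW-LogInsight-External",
    $DenyTag = "LogInsight-Deny",
    ##############
    # User-defined parameter
    $LogInsightSecurityGroupName = "SG-LogInsight-Node",
    $SecurityGroupAdName = "SG-ActiveDirectory",
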
$SecurityGroupDNSName = "SG-DNS", 46 | $SecurityGroupSMTPName = "SG-SMTP", 47 | $SecurityGroupNTPName = "SG-NTP", 48 | $SecurityGroupvCenterName = "SG-vCenter", 49 | $SecurityGroupAdminSourceName = "SG-Administrative-Sources", 50 | ############# 51 | # Deploying Log Insight Nodes 52 | $ClusterName = "Mgmt01", 53 | $DatastoreName = "MgmtData", 54 | $VdsName = "Mgt_int_vds", 55 | $VdPortGroupName = "Internal", 56 | ## OVA Global settings 57 | $LogInsightOvaLocation = "Z:\Lab\Li.ova", 58 | $IpProtocol = "IPv4", 59 | 60 | 61 | ## Log Insight OVA Settings 62 | $LogInsightApplianceSize = "xsmall", 63 | $LogInsightPortGroupName = "$VdPortGroupName", 64 | 65 | $LogInsightHostName1 = "mgt-loginsight01", 66 | $LogInsightIpAddress1 = "192.168.100.96", 67 | $LogInsightNetmask = "255.255.255.0", 68 | $LogInsightGateway = "192.168.100.1", 69 | $LogInsightDns = "192.168.100.10", 70 | $LogInsightSearchPath = "corp.local", 71 | $LogInsightDomain = "corp.local", 72 | $RootPw = "VMware1!VMware1!", 73 | 74 | 75 | ## Log Insight Configuration Settings 76 | 77 | $AdminEmail = "admin@vmware.com", 78 | $LogInsightUser = "admin", 79 | $LogInsightPassword = "VMware1!", 80 | $LogInsightEmail = "loginsight@corp.local", 81 | $SmtpServer = "192.168.100.15", 82 | $SmtpPort = "8080", 83 | $NtpServer = "192.168.100.10", 84 | 85 | 86 | $vCenter = "vc-01a.corp.local", 87 | $vCenterUsername = "Administrator@vsphere.local", 88 | $vCenterPassword = "VMware1!", 89 | 90 | $LogInsightLicense = "ADD-KEY", 91 | 92 | $port = "443" 93 | 94 | ) 95 | 96 | 97 | ## DO NOT EDIT BELOW HERE ## 98 | 99 | write-host -ForegroundColor Green " 100 | 101 | Welcome to the Log Insight Deploy and Segment tool 102 | 103 | _ _____ _ _ _ 104 | | | |_ _| (_) | | | | 105 | | | ___ __ _ | | _ __ ___ _ __ _| |__ | |_ 106 | | | / _ \ / _` | | | | '_ \/ __| |/ _` | '_ \| __| 107 | | |___| (_) | (_| | _| |_| | | \__ \ | (_| | | | | |_ 108 | |______\___/ \__, |_|_____|_| |_|___/_|\__, |_| |_|\__| 109 | | __ \ __/ | | _ __/ | 110 | | | 
| | ___ |___/| | ___ _ _ _| ||___/ 111 | | | | |/ _ \ '_ \| |/ _ \| | | | |_ _| 112 | | |__| | __/ |_) | | (_) | |_| | |_| 113 | |_____/ \___| .__/|_|\___/ \__, | _ 114 | / ____| | | __/ | | | 115 | | (___ ___|_|_ _ _ __ ___|___/_ _ __ | |_ 116 | \___ \ / _ \/ _` | '_ ` _ \ / _ \ '_ \| __| 117 | ____) | __/ (_| | | | | | | __/ | | | |_ 118 | |_____/ \___|\__, |_| |_| |_|\___|_| |_|\__| 119 | __/ | 120 | |___/ 121 | " 122 | ########################### 123 | # Prompt user 124 | 125 | write-warning "This script will create the required objects and Distributed Firewall rules to segment Log Insight. This will combine a number of predefined variables and used inputs to do this. An administrator will need to append add the management or adminsitraive source networks to Security Group $SecurityGroupAdminSourceName before Log Insight is accessed." 126 | 127 | if ( (Read-Host "Continue (y) ?") -ne "y" ) { throw "User has cancelled the operation" } 128 | 129 | ################################### 130 | #Check we were called with required modules loaded... 131 | import-module PowerNsx -DisableNameChecking 132 | if ( -not (( Get-module PowerNsx ) -and ( Get-Module VMware.VimAutomation.Core ) )) { throw "Required modules not loaded. 
PowerCLI v6, PowerLogInsight, and PowerNSX modules required."} 133 | else { write-host -ForegroundColor Green "PowerNsx, PowerLogInsight, and required PowerCLI modules installed"} 134 | 135 | ################################### 136 | #Checking parameters on the OVF 137 | 138 | $Cluster = (Get-Cluster $ClusterName) 139 | $Datastore = (Get-Datastore $DatastoreName) 140 | $PortGroup = (Get-Vdswitch $vdsname | Get-Vdportgroup $LogInsightPortGroupName) 141 | 142 | $VMHost = $Cluster| Get-VMHost | Sort MemoryUsageGB | Select -first 1 143 | 144 | $OvfConfiguration = Get-OvfConfiguration $LogInsightOvaLocation 145 | $OvfConfiguration.IpAssignment.IpProtocol.value = $IpProtocol 146 | $OvfConfiguration.DeploymentOption.value = $LogInsightApplianceSize 147 | $OvfConfiguration.NetworkMapping.Network_1.value = $PortGroup 148 | 149 | 150 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.hostname.value = $LogInsightServer1 151 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.ip0.value = $LogInsightIpAddress1 152 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.netmask0.value = $LogInsightNetmask 153 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.gateway.value = $LogInsightGateway 154 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.DNS.value = $LogInsightDns 155 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.searchpath.value = $LogInsightSearchPath 156 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.domain.value = $LogInsightDomain 157 | $OvfConfiguration.vm.rootpw.value = $RootPw 158 | write-host -ForegroundColor Green "$LogInsightHostName1 is being deployed on $VMHost" 159 | Import-vApp $LogInsightOvaLocation -OvfConfiguration $OvfConfiguration -name $LogInsightHostName1 -Location $Cluster -VMhost $Vmhost -Datastore $Datastore | out-null 160 | 161 | 162 | $LI1 = get-vm $LogInsightHostName1 163 | ` 164 | write-host -ForegroundColor Green "$LogInsightHostName1 is starting" 165 | $LI1 | start-vm | out-null 166 | 167 | write-host -ForegroundColor Green "Log 
Insight clusters have started. Beginning configuration" 168 | 169 | 170 | ############################ 171 | # Log Insight initial bootstrap 172 | 173 | Wait-Tools -VM $LI1 -TimeoutSeconds 180 | out-null 174 | Write-Host -ForegroundColor Green "Waiting for Log Insight API to be active before configuration" 175 | $NumConnections = 0 176 | do { 177 | Sleep 7 178 | $Port = 443 179 | $Connection = New-Object System.Net.Sockets.TcpClient 180 | Try { 181 | $Connection.Connect($LogInsightIPAddress1,$Port) 182 | If ($Connection.Connected) { 183 | Write-Host -foregroundcolor Green "Waiting for Log Insight API to be active before configuration" 184 | $NumConnections ++ 185 | } 186 | } 187 | Catch {} 188 | Finally {} 189 | 190 | } until ($NumConnections -gt 10) 191 | New-LogInsightDefaultUser -userName $LogInsightUser -password $LogInsightPassword -server $LogInsightIpAddress1 192 | Connect-LogInsightServer -server $LogInsightIpAddress1 -userName $LogInsightUser -password $LogInsightPassword | out-null 193 | Set-LogInsightLicense $LogInsightLicense | out-null 194 | Write-Host -ForegroundColor Green "Adding $LogInsightServer as Syslog server" 195 | Get-Cluster | Get-VMHost | Foreach { 196 | $SetSyslog = Set-VMHostSysLogServer -SysLogServer $LogInsightIPAddress1 -SysLogServerPort 514 -VMHost $_ | out-null 197 | $Reload = (Get-ESXCLI -VMHost $_).System.Syslog.reload() | out-null 198 | 199 | 200 | $Firewall = $_ | Get-VMHostFirewallException | Where {$_.Name -eq ‘syslog’} | Set-VMHostFirewallException -Enabled:$true | out-null 201 | } 202 | write-host -ForegroundColor Green "Log Insight has been configured. 
Ingestion of logs beginning" 203 | 204 | 205 | 206 | ############################ 207 | # Creating Services 208 | # 209 | write-host -ForegroundColor Green "Creating the required Services" 210 | $u = "udp" 211 | $t = "tcp" 212 | 213 | #Management Access (HTTP/HTTPS/SSH) 214 | $t80 = Get-NsxService "$t/$http" 215 | if (!$t80) 216 | { 217 | $t80 = (New-NsxService -name "$t/$http" -protocol "$t" -port "$Http") 218 | } 219 | $t443 = Get-NsxService "$t/$https" 220 | if (!$t443) 221 | { 222 | $t443 = (New-NsxService -name "$t/$https" -protocol "$t" -port "$Https") 223 | } 224 | $t22 = Get-NsxService -name "$t/$ssh" 225 | if (!$t22) 226 | { 227 | $t22 = (New-NsxService -name "$t/$ssh" -protocol "$t" -port "$Ssh") 228 | } 229 | 230 | #Sending sources (Syslog, Agents, API) 231 | $t514 = Get-NsxService "$t/$syslog" 232 | if (!$t514) 233 | { 234 | $t514 = (New-NsxService -name "$t/$syslog" -protocol "$t" -port "$Syslog") 235 | } 236 | $u514 = Get-NsxService "$u/$syslog" 237 | if (!$u514) 238 | { 239 | $u514 = (New-NsxService -name "$u/$Syslog" -protocol "$u" -port "$Syslog") 240 | } 241 | $t1514 = Get-NsxService "$t/$SecureSyslog" 242 | if (!$t1514) 243 | { 244 | $t1514 = (New-NsxService -name "$t/$SecureSyslog" -protocol "$t" -port "$secureSyslog") 245 | } 246 | $t9000 = Get-NsxService "$t/$Agent" 247 | if (!$t9000) 248 | { 249 | $t9000 = (New-NsxService -name "$t/$Agent" -protocol $t -port "$Agent") 250 | } 251 | $t9543 = Get-NsxService "$t/$SecureAgent" 252 | if (!$6543) 253 | { 254 | $t9543 = (New-NsxService -name "$t/$SecureAgent" -protocol "$t" -port "$secureAgent") 255 | } 256 | 257 | if (!$t443) 258 | { 259 | 260 | } 261 | #Food and Water Services (AD/DNS/NTP/SMTP) 262 | #NTP Time 263 | #Get or Create UDP NTP Service 264 | $u123 = Get-NsxService "$u/$ntp" 265 | if (!$u123) 266 | { 267 | $u123 = (New-NsxService -name "$u/$ntp" -protocol "$u" -port "$ntp") 268 | } 269 | 270 | ##SMTP 271 | #Get or Create TCP SMTP Service 272 | $t25 = Get-NsxService "$t/$smtp" 273 | if 
(!$t25) 274 | { 275 | $t25 = (New-NsxService -name "$t/$smtp" -protocol "$t" -port "$Smtp") 276 | } 277 | #Get or Create TCP SMTPS Service 278 | $t465 = Get-NsxService "$t/$smtps" 279 | if (!$465) 280 | { 281 | $t25 = (New-NsxService -name "$t/$smtps" -protocol "$t" -port "$Smtps") 282 | } 283 | 284 | ##DNS 285 | #Get or Create TCP DNS Service 286 | $t53 = Get-NsxService "$t/$dns" 287 | if (!$t53) 288 | { 289 | $t53 = (New-NsxService -name "$t/$dns" -protocol "$t" -port "$Dns") 290 | } 291 | #Get or Create UDP DNS Service 292 | $u53 = Get-NsxService "$u/$dns" 293 | if (!$u53) 294 | { 295 | $u53 = (New-NsxService -name "$u/$dns" -protocol "$u" -port "$Dns") 296 | } 297 | ##Active Directory Services 298 | #Get or Create TCP AD Service 299 | $t389 = Get-NsxService "$t/$Ad" 300 | if (!$t389) 301 | { 302 | $t389 = (New-NsxService -name "$t/$Ad" -protocol "$t" -port "$Ad") 303 | } 304 | #Get or Create UDP AD Service 305 | $u389 = Get-NsxService "$u/$Ad" 306 | if (!$u389) 307 | { 308 | $u389 = (New-NsxService -name "$u/$Ad" -protocol "$u" -port "$Ad") 309 | } 310 | #Get or Create TCP AD SSL Service 311 | $t636 = Get-NsxService "$t/$Adssl" 312 | if (!$t636) 313 | { 314 | $t636 = (New-NsxService -name "$t/$Adssl" -protocol "$t" -port "$Adssl") 315 | } 316 | 317 | #Get or Create TCP AD Log Service 318 | $t3268 = Get-NsxService "$t/$AdLogServer" 319 | if (!$t3268) 320 | { 321 | $t3268 = (New-NsxService -name "$t/$AdLogServer" -protocol "$t" -port "$AdLogServer") 322 | } 323 | #Get or Create TCP AD Catalog Service 324 | $t3269 = Get-NsxService "$t/$ADGlobalCatalog" 325 | if (!$t3269) 326 | { 327 | $t3269 = (New-NsxService -name "$t/$ADGlobalCatalog" -protocol "$t" -port "$ADGlobalCatalog") 328 | } 329 | 330 | #Get or Create TCP Kerberos Service 331 | $t88 = Get-NsxService "$t/$Kerberos" 332 | if (!$t88) 333 | { 334 | $t88 = (New-NsxService -name "$t/$Kerberos" -protocol "$t" -port "$Kerberos") 335 | } 336 | #Get or Create UDP Kerberos Service 337 | $u88 = Get-NsxService 
"$u/$Kerberos" 338 | if (!$u88) 339 | { 340 | $u88 = (New-NsxService -name "$u/$Kerberos" -protocol "$u" -port "$Kerberos") 341 | } 342 | 343 | 344 | ############################ 345 | # Creating new Security Objects 346 | write-host -ForegroundColor Green "Creating Log Insight Security Tag $LogInsightSecurityTagName" 347 | # Create the Security Tag 348 | $LogInsightTag = Get-NsxSecurityTag $LogInsightSecurityTagName 349 | if (!$LogInsightTag) 350 | { 351 | $LogInsightTag = New-NsxSecurityTag -name $LogInsightSecurityTagName 352 | } 353 | 354 | # Create the cluster Security Group 355 | write-host -ForegroundColor Green "Creating Log Insight Security Group $LogInsightSecurityGroupName" 356 | $LogInsightSGNode = Get-NsxSecurityGroup $LogInsightSecurityGroupName 357 | if (!$LogInsightSGNode) 358 | { 359 | $LogInsightSGNode = New-NsxSecurityGroup $LogInsightSecurityGroupName -includeMember $LogInsightTag 360 | } 361 | 362 | # Append Security Tag to deployed Log Insight Virtual Machines 363 | Get-VM $LI1 | New-NsxSecurityTagAssignment -ApplyTag $LogInsightTag 364 | # Place holder Security Groups for rules that allow definition instead of ANY 365 | # User to add objects to these security groups for Food and Water 366 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupAdName" 367 | $SecurityGroupAd = Get-NsxSecurityGroup $SecurityGroupAdName 368 | if (!$SecurityGroupAd) 369 | { 370 | $SecurityGroupAd = New-NsxSecurityGroup $SecurityGroupAdName 371 | } 372 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupDNSName" 373 | $SecurityGroupDNS = Get-NsxSecurityGroup $SecurityGroupDNSName 374 | if (!$SecurityGroupDNS) 375 | { 376 | $SecurityGroupDNS = New-NsxSecurityGroup $SecurityGroupDNSName 377 | } 378 | 379 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupSMTPName" 380 | $SecurityGroupSMTP = Get-NsxSecurityGroup $SecurityGroupSMTPName 381 | if (!$SecurityGroupSMTP) 
382 | { 383 | $SecurityGroupSMTP = New-NsxSecurityGroup $SecurityGroupSMTPName 384 | } 385 | 386 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupNTPName" 387 | $SecurityGroupNTP = Get-NsxSecurityGroup $SecurityGroupNTPName 388 | if (!$SecurityGroupNTP) 389 | { 390 | $SecurityGroupNTP = New-NsxSecurityGroup $SecurityGroupNTPName 391 | } 392 | 393 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupvCenterName" 394 | $SecurityGroupvCenter = Get-NsxSecurityGroup $SecurityGroupvCenterName 395 | if (!$SecurityGroupvCenter) 396 | { 397 | $SecurityGroupvCenter = New-NsxSecurityGroup $SecurityGroupvCenterName 398 | } 399 | 400 | $SecurityGroupvCenter = Get-NsxSecurityGroup $SecurityGroupvCenterName 401 | if (!$SecurityGroupvCenter) 402 | { 403 | $SecurityGroupvCenter = New-NsxSecurityGroup $SecurityGroupvCenterName 404 | } 405 | write-Host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupAdminSourceName" 406 | $SecurityGroupAdminSource = Get-NsxSecurityGroup $SecurityGroupAdminSourceName 407 | if (!$SecurityGroupAdminSource) 408 | { 409 | $SecurityGroupAdminSource = New-NsxSecurityGroup $SecurityGroupAdminSourceName 410 | } 411 | ############################ 412 | # Creating new firewall section 413 | write-host -ForegroundColor Green "Creating Log Insight Firewall Section" 414 | $LogInsightFirewallSection = New-NsxFirewallSection $LogInsightFirewallSectionName 415 | 416 | ############################ 417 | # Creating External Sources Rule 418 | write-host -ForegroundColor Green "Creating Log Insight External Source Rules" 419 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name "$FirewallRuleExternalName Syslog/API" -Destination $LogInsightSGNode -service $t514,$u514,$t1514,$t9000,$t9543 -Action "Allow" -position top -EnableLogging -AppliedTo $LogInsightSGNode | out-null 420 | 421 | ############################ 422 | # Creating Management Rules 
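# (continuation of the preceding deploy+configure+segment script: its param
#  block, OVA deployment, bootstrap, service/security-group creation and the
#  External Sources rule are above this point)

############################
# Management Rules
############################
# Helper for the allow rules below. Every rule goes into the Log Insight
# section, is inserted at the top, is logged, and is applied to the node group.
# Reads $LogInsightFirewallSectionName and $LogInsightSGNode from script scope.
function New-LogInsightAllowRule {
  param([string]$Name, $Source, $Destination, $Service)
  Get-NsxFirewallSection $LogInsightFirewallSectionName |
    New-NsxFirewallRule -Name $Name -Source $Source -Destination $Destination `
      -Service $Service -Action "Allow" -Position top -EnableLogging `
      -AppliedTo $LogInsightSGNode | Out-Null
}

write-host -ForegroundColor Green "Creating Log Insight Management Rules"
# Admin access (HTTP/HTTPS/SSH) is sourced from the administrative-sources
# group rather than ANY: the warning at the top of this script says that group
# must be populated before Log Insight is accessed, the "Segment+Deploy - SINGLE"
# variant already restricts this rule the same way, and a top-positioned
# allow-from-ANY would make the bottom deny rule irrelevant for these ports.
New-LogInsightAllowRule -Name "$FirewallRuleManagementName Admin Access" `
  -Source $SecurityGroupAdminSource -Destination $LogInsightSGNode `
  -Service $t80,$t443,$t22

############################
# Food and Water
############################
# Outbound dependencies from the Log Insight nodes to the placeholder groups
# that the administrator populates after the run.
write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for Active Directory"
New-LogInsightAllowRule -Name "$FirewallRuleManagementName AD" `
  -Source $LogInsightSGNode -Destination $SecurityGroupAd `
  -Service $t389,$u389,$t636,$t3268,$t3269,$t88,$u88
write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for DNS"
New-LogInsightAllowRule -Name "$FirewallRuleManagementName DNS" `
  -Source $LogInsightSGNode -Destination $SecurityGroupDNS `
  -Service $t53,$u53
write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for SMTP"
New-LogInsightAllowRule -Name "$FirewallRuleManagementName SMTP" `
  -Source $LogInsightSGNode -Destination $SecurityGroupSMTP `
  -Service $t25,$t465
write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for NTP"
New-LogInsightAllowRule -Name "$FirewallRuleManagementName NTP" `
  -Source $LogInsightSGNode -Destination $SecurityGroupNTP `
  -Service $u123
write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for vCenter"
New-LogInsightAllowRule -Name "$FirewallRuleManagementName vCenter" `
  -Source $LogInsightSGNode -Destination $SecurityGroupvCenter `
  -Service $t443

############################
# Application Microsegment
############################
write-host -ForegroundColor Green "Creating Log Insight Specific Deny rules"
# Catch-all at the bottom of the section. Logging is enabled here as on the
# allow rules above, so traffic that the allows did not anticipate is visible.
Get-NsxFirewallSection $LogInsightFirewallSectionName |
  New-NsxFirewallRule -Name "FW-LogInsight-Deny" -Action "Deny" -Tag $DenyTag `
    -Position bottom -EnableLogging -AppliedTo $LogInsightSGNode | Out-Null

############################
# Done
############################
write-host -ForegroundColor Green "Log Insight initial segmentation complete. Please add an object or IP Set to $SecurityGroupAdminSourceName to connect to Log Insight."

# -----------------------------------------------------------------------------
# File: /Deploy Log Insight/Log Insight Purge.ps1
# -----------------------------------------------------------------------------
## Log Insight Purge.
# Tears down the objects the Log Insight deploy/segment scripts create. Only
# objects carrying the names those scripts use (see their param-block
# defaults) are removed, so NSX services and security groups belonging to
# other workloads survive a purge.
write-host -ForegroundColor Green "Purging"

# Firewall sections: the cluster script names its section "Log Insight
# Cluster", the single-node script "Log Insight Node".
foreach ($sectionName in @("Log Insight Cluster", "Log Insight Node")) {
  Get-NsxFirewallSection $sectionName | Remove-NsxFirewallSection -force -confirm:$false
}

# Security groups by exact name. The earlier filter (-match "SG-") deleted
# every group with "SG-" anywhere in its name.
$purgeGroupPattern = '^SG-(LogInsight-(Cluster|Node)|ActiveDirectory|DNS|SMTP|NTP|vCenter|Administrative-Sources)$'
Get-NsxSecurityGroup | Where-Object { $_.name -match $purgeGroupPattern } |
  Remove-NsxSecurityGroup -confirm:$false -force

Get-NsxSecurityTag | Where-Object { $_.name -eq "ST-LogInsight-Node" } |
  Remove-NsxSecurityTag -confirm:$false

Get-NsxIpSet IP-LogInsight-VIP | Remove-NsxIpSet -confirm:$false

# Services are created as "<tcp|udp>/<port>" for the ports the deploy scripts
# default to. The earlier filter removed every NSX service except those named
# DHCP/IPv6, including services other firewall rules depend on.
$purgePorts = '80|443|22|514|1514|9000|9543|7000|9042|9160|59778|123|25|465|53|389|636|3268|3269|88'
Get-NsxService | Where-Object { $_.name -match "^(tcp|udp)/($purgePorts)$" } |
  Remove-NsxService -confirm:$false

# Node VMs. A single-node run only creates 01, and a node may already be off.
foreach ($vmName in @("mgt-loginsight01", "mgt-loginsight02", "mgt-loginsight03")) {
  $vm = Get-VM $vmName -ErrorAction SilentlyContinue
  if (-not $vm) { continue }
  if ($vm.PowerState -eq "PoweredOn") {
    $vm | Stop-VM -confirm:$false | Out-Null
  }
  $vm | Remove-VM -DeletePermanently -confirm:$false
}

write-host -ForegroundColor Green "Purge Complete"

# -----------------------------------------------------------------------------
# File: /Deploy Log Insight/Log Insight Segment+Deploy - SINGLE.ps1
# -----------------------------------------------------------------------------
# Log Insight Segmentation Tool v0.1
# a: Anthony Burke
# b: networkinferno.net
# t: pandom_
#
# Deploys a single Log Insight node from OVA and builds the NSX objects
# (services, security tag and groups) used to segment it. The firewall
# section and rules are created further down the script.

param (
  #########################
  # Default Ports for Log Insight
  # Management access
  $http = "80",
  $https = "443",
  $ssh = "22",
  #Sending sources
  $syslog = "514",
  $secureSyslog = "1514",
  $agent = "9000",
  $secureAgent = "9543",
  #Food and Water
  $Ntp = "123",
  #SMTP
  $SMTP = "25",
  $SMTPS = "465",
  #DNS
  $DNS = "53",
  #Active Directory
  $AD = "389",
  $ADssl = "636",
  $ADLogServer = "3268",
  $ADGlobalCatalog = "3269",
  $Kerberos = "88",
  ##############
  # Firewall Rule addendum
  $LogInsightFirewallSectionName = "Log Insight Node",
  $LogInsightSecurityTagName = "ST-LogInsight-Node",
  $FirewallRuleManagementName = "FW-LogInsight-Management",
  $FirewallRuleExternalName = "FW-LogInsight-External",
  $DenyTag = "LogInsight-Deny",
  ##############
  # User-defined parameter
  $LogInsightSecurityGroupName = "SG-LogInsight-Node",
  $SecurityGroupAdName = "SG-ActiveDirectory",
  $SecurityGroupDNSName = "SG-DNS",
  $SecurityGroupSMTPName = "SG-SMTP",
  $SecurityGroupNTPName = "SG-NTP",
  $SecurityGroupvCenterName = "SG-vCenter",
  $SecurityGroupAdminSourceName = "SG-Administrative-Sources",
  #############
  # Deploying Log Insight Nodes
  $ClusterName = "Mgmt01",
  $DatastoreName = "MgmtData",
  $VdsName = "Mgt_int_vds",
  $VdPortGroupName = "Internal",
  ## OVA Global settings
  $LogInsightOvaLocation = "Z:\Lab\Li.ova",
  $IpProtocol = "IPv4",

  ## Log Insight OVA Settings
  $LogInsightApplianceSize = "xsmall",
  # Defaults to the port group named above; param defaults evaluate in order.
  $LogInsightPortGroupName = "$VdPortGroupName",

  $LogInsightHostName1 = "mgt-loginsight01",
  $LogInsightIpAddress1 = "192.168.100.96",
  $LogInsightNetmask = "255.255.255.0",
  $LogInsightGateway = "192.168.100.1",
  # Historical misspelling kept for callers; the alias accepts the intended name.
  [Alias("LogInsightDns")]
  $LogInisghtDns = "192.168.100.10",
  $LogInsightSearchPath = "corp.local",
  $LogInsightDomain = "corp.local",
  # Lab default. Supply the real value at invocation (-RootPw ...) rather than
  # editing it into the script; it ends up in the OVF properties of the VM.
  $RootPw = "VMware1!VMware1!",

  ## Log Insight Configuration Settings
  # These are accepted for parity with the configure variant of this tool;
  # this script only deploys and segments, so they are not read below.
  $AdminEmail = "admin@vmware.com",
  $LogInsightPassword = "VMware1!",
  $LogInsightEmail = "loginsight@corp.local",
  $SmtpServer = "192.168.100.15",
  $SmtpPort = "8080",
  $NtpServer = "192.168.100.10",

  $vCenter = "vc-01a.corp.local",
  $vCenterUsername = "Administrator@vsphere.local",
  $vCenterPassword = "VMware1!",

  $LogInsightLicense = "PUT KEY HERE",

  $port = "443"
)

## DO NOT EDIT BELOW HERE ##

write-host -ForegroundColor Green "

Welcome to the Log Insight Deploy and Segment tool

_ _____ _ _ _
| | |_ _| (_) | | | |
| | ___ __ _ | | _ __ ___ _ __ _| |__ | |_
| | / _ \ / _` | | | | '_ \/ __| |/ _` | '_ \| __|
| |___| (_) | (_| | _| |_| | | \__ \ | (_| | | | | |_
|______\___/ \__, |_|_____|_| |_|___/_|\__, |_| |_|\__|
| __ \ __/ | | _ __/ |
| | | | ___ |___/| | ___ _ _ _| ||___/
| | | |/ _ \ '_ \| |/ _ \| | | | |_ _|
| |__| | __/ |_) | | (_) | |_| | |_|
|_____/ \___| .__/|_|\___/ \__, | _
/ ____| | | __/ | | |
| (___ ___|_|_ _ _ __ ___|___/_ _ __ | |_
\___ \ / _ \/ _` | '_ ` _ \ / _ \ '_ \| __|
____) | __/ (_| | | | | | | __/ | | | |_
|_____/ \___|\__, |_| |_| |_|\___|_| |_|\__|
__/ |
|___/
"
###########################
# Prompt user

write-warning "This script will create the required objects and Distributed Firewall rules to segment Log Insight. This will combine a number of predefined variables and used inputs to do this. An administrator will need to append add the management or adminsitraive source networks to Security Group $SecurityGroupAdminSourceName before Log Insight is accessed."

if ( (Read-Host "Continue (y) ?") -ne "y" ) { throw "User has cancelled the operation" }

###################################
#Check we were called with required modules loaded...
import-module PowerNsx -DisableNameChecking
if ( -not (( Get-module PowerNsx ) -and ( Get-Module VMware.VimAutomation.Core ) )) {
  throw "Required modules not loaded. PowerCLI v6, PowerNSX and Labs modules required."
}
else {
  write-host -ForegroundColor Green "PowerNsx and required PowerCLI modules installed"
}

###################################
#Checking parameters on the OVF
# Fail here with a clear message instead of letting Import-vApp fail on a
# $null location later.
$Cluster = Get-Cluster $ClusterName
if (-not $Cluster) { throw "Cluster $ClusterName not found" }
$Datastore = Get-Datastore $DatastoreName
if (-not $Datastore) { throw "Datastore $DatastoreName not found" }
$PortGroup = Get-Vdswitch $VdsName | Get-Vdportgroup $LogInsightPortGroupName
if (-not $PortGroup) { throw "Port group $LogInsightPortGroupName not found on $VdsName" }

# Least-loaded host (by memory) in the cluster takes the new node.
$VMHost = $Cluster | Get-VMHost | Sort-Object MemoryUsageGB | Select-Object -First 1
if (-not $VMHost) { throw "No hosts found in cluster $ClusterName" }

$OvfConfiguration = Get-OvfConfiguration $LogInsightOvaLocation
$OvfConfiguration.IpAssignment.IpProtocol.value = $IpProtocol
$OvfConfiguration.DeploymentOption.value = $LogInsightApplianceSize
$OvfConfiguration.NetworkMapping.Network_1.value = $PortGroup

# The appliance hostname comes from $LogInsightHostName1; the earlier
# reference to $LogInsightServer1 was never defined and left it empty.
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.hostname.value = $LogInsightHostName1
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.ip0.value = $LogInsightIpAddress1
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.netmask0.value = $LogInsightNetmask
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.gateway.value = $LogInsightGateway
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.DNS.value = $LogInisghtDns
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.searchpath.value = $LogInsightSearchPath
$OvfConfiguration.vami.VMware_vCenter_Log_Insight.domain.value = $LogInsightDomain
$OvfConfiguration.vm.rootpw.value = $RootPw

write-host -ForegroundColor Green "$LogInsightHostName1 is being deployed on $VMHost"
Import-vApp $LogInsightOvaLocation -OvfConfiguration $OvfConfiguration `
  -Name $LogInsightHostName1 -Location $Cluster -VMHost $VMHost -Datastore $Datastore | Out-Null

$LI1 = Get-VM $LogInsightHostName1
write-host -ForegroundColor Green "$LogInsightHostName1 is starting"
$LI1 | Start-VM | Out-Null

write-host -ForegroundColor Green "Log Insight clusters have started. Beginning segmentation"

############################
# Creating Services
############################
# Services are looked up before creation so a re-run of the script reuses
# the existing "<protocol>/<port>" service instead of failing on a duplicate.
function Get-OrCreateNsxService {
  param([string]$Protocol, [string]$Port)
  $serviceName = "$Protocol/$Port"
  $service = Get-NsxService -name $serviceName
  if (-not $service) {
    $service = New-NsxService -name $serviceName -protocol $Protocol -port $Port
  }
  return $service
}

write-host -ForegroundColor Green "Creating the required Services"
$u = "udp"
$t = "tcp"
#Management Access (HTTP/HTTPS/SSH)
$t80 = Get-OrCreateNsxService $t $http
$t443 = Get-OrCreateNsxService $t $https
$t22 = Get-OrCreateNsxService $t $ssh
#Sending sources (Syslog, Agents, API)
$t514 = Get-OrCreateNsxService $t $syslog
$u514 = Get-OrCreateNsxService $u $syslog
$t1514 = Get-OrCreateNsxService $t $secureSyslog
$t9000 = Get-OrCreateNsxService $t $agent
$t9543 = Get-OrCreateNsxService $t $secureAgent
#Food and Water Services (AD/DNS/NTP/SMTP)
$u123 = Get-OrCreateNsxService $u $Ntp
##SMTP
$t25 = Get-OrCreateNsxService $t $SMTP
$t465 = Get-OrCreateNsxService $t $SMTPS
##DNS
$t53 = Get-OrCreateNsxService $t $DNS
$u53 = Get-OrCreateNsxService $u $DNS
##Active Directory
$t389 = Get-OrCreateNsxService $t $AD
$u389 = Get-OrCreateNsxService $u $AD
$t636 = Get-OrCreateNsxService $t $ADssl
$t3268 = Get-OrCreateNsxService $t $ADLogServer
$t3269 = Get-OrCreateNsxService $t $ADGlobalCatalog
$t88 = Get-OrCreateNsxService $t $Kerberos
$u88 = Get-OrCreateNsxService $u $Kerberos

############################
# Creating new Security Objects
############################
# Same get-or-create pattern as the services: an existing group of the same
# name is reused, so a re-run does not fail or create duplicates.
function Get-OrCreateNsxSecurityGroup {
  param([string]$Name, $IncludeMember)
  write-host -ForegroundColor Green "Creating Log Insight Security Group $Name"
  $group = Get-NsxSecurityGroup $Name
  if (-not $group) {
    if ($IncludeMember) {
      $group = New-NsxSecurityGroup $Name -includeMember $IncludeMember
    }
    else {
      $group = New-NsxSecurityGroup $Name
    }
  }
  return $group
}

write-host -ForegroundColor Green "Creating Log Insight Security Tag $LogInsightSecurityTagName"
# Create the Security Tag
$LogInsightTag = Get-NsxSecurityTag $LogInsightSecurityTagName
if (-not $LogInsightTag) {
  $LogInsightTag = New-NsxSecurityTag -name $LogInsightSecurityTagName
}
# Create the cluster Security Group; membership is dynamic via the tag.
$LogInsightSGNode = Get-OrCreateNsxSecurityGroup $LogInsightSecurityGroupName $LogInsightTag
# Append Security Tag to deployed Log Insight Virtual Machines
Get-VM $LI1 | New-NsxSecurityTagAssignment -ApplyTag $LogInsightTag
# Place holder Security Groups for rules that allow definition instead of ANY
# User to add objects to these security groups for Food and Water
$SecurityGroupAd = Get-OrCreateNsxSecurityGroup $SecurityGroupAdName
$SecurityGroupDNS = Get-OrCreateNsxSecurityGroup $SecurityGroupDNSName
$SecurityGroupSMTP = Get-OrCreateNsxSecurityGroup $SecurityGroupSMTPName
$SecurityGroupNTP = Get-OrCreateNsxSecurityGroup $SecurityGroupNTPName
$SecurityGroupvCenter = Get-OrCreateNsxSecurityGroup $SecurityGroupvCenterName
$SecurityGroupAdminSource = Get-OrCreateNsxSecurityGroup $SecurityGroupAdminSourceName
# Create the Log Insight IP Set for ILB

############################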
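# Creating new firewall section
############################
write-host -ForegroundColor Green "Creating Log Insight Firewall Section"
# Reuse an existing section of the same name so a re-run does not stack a
# second section on top of the first. Note that rules are still appended on
# every run; clear the section (see the Purge script) before re-segmenting.
$LogInsightFirewallSection = Get-NsxFirewallSection $LogInsightFirewallSectionName
if (-not $LogInsightFirewallSection) {
  $LogInsightFirewallSection = New-NsxFirewallSection $LogInsightFirewallSectionName
}

# Helper for the allow rules below. Every rule goes into the Log Insight
# section, is inserted at the top, is logged, and is applied to the node
# group. -Source is only bound when given, so the external-sources rule keeps
# its unrestricted source. Reads $LogInsightFirewallSectionName and
# $LogInsightSGNode from script scope.
function New-LogInsightAllowRule {
  param([string]$Name, $Destination, $Service, $Source = $null)
  $ruleArgs = @{
    Name          = $Name
    Destination   = $Destination
    Service       = $Service
    Action        = "Allow"
    Position      = "top"
    EnableLogging = $true
    AppliedTo     = $LogInsightSGNode
  }
  if ($Source) { $ruleArgs.Source = $Source }
  Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule @ruleArgs | Out-Null
}

############################
# Creating External Sources Rule
############################
write-host -ForegroundColor Green "Creating Log Insight External Source Rules"
# No source restriction: syslog senders and agents may live anywhere.
New-LogInsightAllowRule -Name "$FirewallRuleExternalName Syslog/API" `
  -Destination $LogInsightSGNode -Service $t514,$u514,$t1514,$t9000,$t9543

############################
# Creating Management Rules
############################
write-host -ForegroundColor Green "Creating Log Insight Management Rules"
# Admin access (HTTP/HTTPS/SSH) only from the administrative-sources group,
# which the operator populates after the run.
New-LogInsightAllowRule -Name "$FirewallRuleManagementName Admin Access" `
  -Source $SecurityGroupAdminSource -Destination $LogInsightSGNode `
  -Service $t80,$t443,$t22

############################
# Food and Water
############################
# Outbound dependencies from the Log Insight node to the placeholder groups.
write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for Active Directory"
New-LogInsightAllowRule -Name "$FirewallRuleManagementName AD" `
  -Source $LogInsightSGNode -Destination $SecurityGroupAd `
  -Service $t389,$u389,$t636,$t3268,$t3269,$t88,$u88
write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for DNS"
New-LogInsightAllowRule -Name "$FirewallRuleManagementName DNS" `
  -Source $LogInsightSGNode -Destination $SecurityGroupDNS `
  -Service $t53,$u53
write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for SMTP"
New-LogInsightAllowRule -Name "$FirewallRuleManagementName SMTP" `
  -Source $LogInsightSGNode -Destination $SecurityGroupSMTP `
  -Service $t25,$t465
write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for NTP"
New-LogInsightAllowRule -Name "$FirewallRuleManagementName NTP" `
  -Source $LogInsightSGNode -Destination $SecurityGroupNTP `
  -Service $u123
write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for vCenter"
New-LogInsightAllowRule -Name "$FirewallRuleManagementName vCenter" `
  -Source $LogInsightSGNode -Destination $SecurityGroupvCenter `
  -Service $t443

############################
# Application Microsegment
############################
write-host -ForegroundColor Green "Creating Log Insight Specific Deny rules"
# Catch-all at the bottom of the section. Logging is enabled so traffic that
# the allows above did not anticipate shows up in the DFW logs instead of
# being dropped silently; the sibling deploy+configure script logs its rules
# the same way.
Get-NsxFirewallSection $LogInsightFirewallSectionName |
  New-NsxFirewallRule -Name "FW-LogInsight-Deny" -Action "Deny" -Tag $DenyTag `
    -Position bottom -EnableLogging -AppliedTo $LogInsightSGNode | Out-Null

############################
# Done
############################
write-host -ForegroundColor Green "Log Insight initial segmentation complete. Please add an object or IP Set to $SecurityGroupAdminSourceName to connect to Log Insight."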
262 | 263 | -------------------------------------------------------------------------------- /Deploy Log Insight/Log Insight Segment+Deploy.ps1: -------------------------------------------------------------------------------- 1 | # Log Insight Segmentation Tool v0.1 2 | # a: Anthony Burke 3 | # b: networkinferno.net 4 | # t: pandom_ 5 | # 6 | 7 | 8 | param ( 9 | 10 | ######################### 11 | # Default Ports for Log Insight 12 | 13 | $http = "80", 14 | $https = "443", 15 | $ssh = "22", 16 | #Sending sources 17 | $syslog = "514", 18 | $secureSyslog = "1514", 19 | $agent = "9000", 20 | $secureAgent = "9543", 21 | #Cluster comms 22 | $Cassandra = "7000", 23 | $CassandraNPC = "9042", 24 | $ThriftClient = "9160", 25 | $ThriftServer = "59778", 26 | #Food and Water 27 | $Ntp = "123", 28 | #SMTP 29 | $SMTP = "25", 30 | $SMTPS = "465", 31 | #DNS 32 | $DNS = "53", 33 | #Active Directory 34 | $AD = "389", 35 | $ADssl = "636", 36 | $ADLogServer = "3268", 37 | $ADGlobalCatalog = "3269", 38 | $Kerberos = "88", 39 | ############## 40 | # Mandatory LB IP definition 41 | $LogInsightLoadBalancerIPAddress = "192.168.100.95", 42 | ############## 43 | # Firewall Rule addendum 44 | $LogInsightFirewallSectionName = "Log Insight Cluster", 45 | $LogInsightSecurityTagName = "ST-LogInsight-Node", 46 | $FirewallRuleClusterName = "FW-LogInsight-Cluster", 47 | $FirewallRuleManagementName = "FW-LogInsight-Management", 48 | $FirewallRuleExternalName = "FW-LogInsight-External", 49 | $LogInsightIlbName = "IP-LogInsight-VIP", 50 | $DenyTag = "LogInsight-Deny", 51 | ############## 52 | # User-defined parameter 53 | $LogInsightSecurityGroupName = "SG-LogInsight-Cluster", 54 | $SecurityGroupAdName = "SG-ActiveDirectory", 55 | $SecurityGroupDNSName = "SG-DNS", 56 | $SecurityGroupSMTPName = "SG-SMTP", 57 | $SecurityGroupNTPName = "SG-NTP", 58 | $SecurityGroupvCenterName = "SG-vCenter", 59 | $SecurityGroupAdminSourceName = "SG-Administrative-Sources", 60 | ############# 61 | # Deploying Log Insight 
Nodes 62 | $ClusterName = "Mgmt01", 63 | $DatastoreName = "MgmtData", 64 | $VdsName = "Mgt_int_vds", 65 | $VdPortGroupName = "Internal", 66 | ## OVA Global settings 67 | $LogInsightOvaLocation = "Z:\Lab\Li.ova", 68 | $IpProtocol = "IPv4", 69 | 70 | 71 | ## Log Insight OVA Settings 72 | $LogInsightApplianceSize = "xsmall", 73 | $LogInsightPortGroupName = "$VdPortGroupName", 74 | 75 | $LogInsightHostName1 = "mgt-loginsight01", 76 | $LogInsightIpAddress1 = "192.168.100.96", 77 | $LogInsightHostName2 = "mgt-loginsight02", 78 | $LogInsightIpAddress2 = "192.168.100.97", 79 | $LogInsightHostName3 = "mgt-loginsight03", 80 | $LogInsightIpAddress3 = "192.168.100.98", 81 | $LogInsightNetmask = "255.255.255.0", 82 | $LogInsightGateway = "192.168.100.1", 83 | $LogInisghtDns = "192.168.100.10", 84 | $LogInsightSearchPath = "corp.local", 85 | $LogInsightDomain = "corp.local", 86 | $RootPw = "VMware1!VMware1!", 87 | 88 | 89 | ## Log Insight Configuration Settings 90 | 91 | $AdminEmail = "admin@vmware.com", 92 | $LogInsightPassword = "VMware1!", 93 | $LogInsightEmail = "loginsight@corp.local", 94 | $SmtpServer = "192.168.100.15", 95 | $SmtpPort = "8080", 96 | $NtpServer = "192.168.100.10", 97 | 98 | 99 | $vCenter = "vc-01a.corp.local", 100 | $vCenterUsername = "Administrator@vsphere.local", 101 | $vCenterPassword = "VMware1!", 102 | 103 | $LogInsightLicense = "PUT KEY HERE", 104 | 105 | $port = "443" 106 | 107 | ) 108 | 109 | 110 | ## DO NOT EDIT BELOW HERE ## 111 | 112 | write-host -ForegroundColor Green " 113 | 114 | Welcome to the Log Insight Deploy and Segment tool 115 | 116 | _ _____ _ _ _ 117 | | | |_ _| (_) | | | | 118 | | | ___ __ _ | | _ __ ___ _ __ _| |__ | |_ 119 | | | / _ \ / _` | | | | '_ \/ __| |/ _` | '_ \| __| 120 | | |___| (_) | (_| | _| |_| | | \__ \ | (_| | | | | |_ 121 | |______\___/ \__, |_|_____|_| |_|___/_|\__, |_| |_|\__| 122 | | __ \ __/ | | _ __/ | 123 | | | | | ___ |___/| | ___ _ _ _| ||___/ 124 | | | | |/ _ \ '_ \| |/ _ \| | | | |_ _| 125 | | |__| | __/ 
|_) | | (_) | |_| | |_| 126 | |_____/ \___| .__/|_|\___/ \__, | _ 127 | / ____| | | __/ | | | 128 | | (___ ___|_|_ _ _ __ ___|___/_ _ __ | |_ 129 | \___ \ / _ \/ _` | '_ ` _ \ / _ \ '_ \| __| 130 | ____) | __/ (_| | | | | | | __/ | | | |_ 131 | |_____/ \___|\__, |_| |_| |_|\___|_| |_|\__| 132 | __/ | 133 | |___/ 134 | " 135 | ########################### 136 | # Prompt user 137 | write-warning "This script is design to be deployed against a multi-node Log Insight cluster where the Integrated Load Balancer (ILB) is configured. The firewall rules are built around this. The script currently is configured to use $LogInsightLoadBalancerIPAddress . Is this your ILB IP address? If not rerun this PowerShell script with -LogInsightLoadBalancerIPAddress " 138 | 139 | if ( (Read-Host "Is the printed LI ILB correct? (y) ?") -ne "y" ) { throw "User has cancelled the operation" } 140 | 141 | write-warning "This script will create the required objects and Distributed Firewall rules to segment Log Insight. This will combine a number of predefined variables and used inputs to do this. An administrator will need to append add the management or adminsitraive source networks to Security Group $SecurityGroupAdminSourceName before Log Insight is accessed." 142 | 143 | if ( (Read-Host "Continue (y) ?") -ne "y" ) { throw "User has cancelled the operation" } 144 | 145 | ################################### 146 | #Check we were called with required modules loaded... 147 | import-module PowerNsx -DisableNameChecking 148 | if ( -not (( Get-module PowerNsx ) -and ( Get-Module VMware.VimAutomation.Core ) )) { throw "Required modules not loaded. 
PowerCLI v6, PowerNSX and Labs modules required."} 149 | else { write-host -ForegroundColor Green "PowerNsx and required PowerCLI modules installed"} 150 | 151 | ################################### 152 | #Checking parameters on the OVF 153 | 154 | $Cluster = (Get-Cluster $ClusterName) 155 | $Datastore = (Get-Datastore $DatastoreName) 156 | $PortGroup = (Get-Vdswitch $vdsname | Get-Vdportgroup $LogInsightPortGroupName) 157 | 158 | $VMHost = $Cluster| Get-VMHost | Sort MemoryUsageGB | Select -first 1 159 | 160 | $OvfConfiguration = Get-OvfConfiguration $LogInsightOvaLocation 161 | $OvfConfiguration.IpAssignment.IpProtocol.value = $IpProtocol 162 | $OvfConfiguration.DeploymentOption.value = $LogInsightApplianceSize 163 | $OvfConfiguration.NetworkMapping.Network_1.value = $PortGroup 164 | 165 | 166 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.hostname.value = $LogInsightServer1 167 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.ip0.value = $LogInsightIpAddress1 168 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.netmask0.value = $LogInsightNetmask 169 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.gateway.value = $LogInsightGateway 170 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.DNS.value = $LogInisghtDns 171 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.searchpath.value = $LogInsightSearchPath 172 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.domain.value = $LogInsightDomain 173 | $OvfConfiguration.vm.rootpw.value = $RootPw 174 | write-host -ForegroundColor Green "$LogInsightHostName1 is being deployed on $VMHost" 175 | Import-vApp $LogInsightOvaLocation -OvfConfiguration $OvfConfiguration -name $LogInsightHostName1 -Location $Cluster -VMhost $Vmhost -Datastore $Datastore | out-null 176 | 177 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.hostname.value = $LogInsightServer2 178 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.ip0.value = $LogInsightIpAddress2 179 | $VMHost = $Cluster| Get-VMHost | Sort MemoryUsageGB | 
Select -first 1 180 | write-host -ForegroundColor Green "$LogInsightHostName2 is being deployed on $VMHost" 181 | Import-vApp $LogInsightOvaLocation -OvfConfiguration $OvfConfiguration -name $LogInsightHostName2 -Location $Cluster -VMhost $Vmhost -Datastore $Datastore | out-null 182 | 183 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.hostname.value = $LogInsightServer3 184 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.ip0.value = $LogInsightIpAddress3 185 | $VMHost = $Cluster| Get-VMHost | Sort MemoryUsageGB | Select -first 1 186 | write-host -ForegroundColor Green "$LogInsightHostName3 is being deployed on $VMHost" 187 | Import-vApp $LogInsightOvaLocation -OvfConfiguration $OvfConfiguration -name $LogInsightHostName3 -Location $Cluster -VMhost $Vmhost -Datastore $Datastore | out-null 188 | 189 | sleep 5 190 | $LI1 = get-vm $LogInsightHostName1 191 | $LI2 = get-vm $LogInsightHostName2 192 | $LI3 = get-vm $LogInsightHostName3 193 | write-host -ForegroundColor Green "$LogInsightHostName1, $LogInsightHostName2, and $LogInsightHostName3 are starting" 194 | $LI1 | start-vm | out-null 195 | sleep 5 196 | $LI2 | start-vm | out-null 197 | sleep 5 198 | $LI3 | start-vm | out-null 199 | write-host -ForegroundColor Green "Log Insight clusters have started. 
Beginning segmentation" 200 | 201 | ############################ 202 | # Creating Services 203 | # 204 | write-host -ForegroundColor Green "Creating the required Services" 205 | $u = "udp" 206 | $t = "tcp" 207 | #Management Access (HTTP/HTTPS/SSH) 208 | $t80 = (New-NsxService -name "$t/$http" -protocol "$t" -port "$Http") 209 | $t443 = (New-NsxService -name "$t/$https" -protocol "$t" -port "$Https") 210 | $t22 = (New-NsxService -name "$t/$ssh" -protocol "$t" -port "$Ssh") 211 | #Sending sources (Syslog, Agents, API) 212 | $t514 = (New-NsxService -name "$t/$syslog" -protocol "$t" -port "$Syslog") 213 | $u514 = (New-NsxService -name "$u/$Syslog" -protocol "$u" -port "$Syslog") 214 | $t1514 = (New-NsxService -name "$t/$SecureSyslog" -protocol "$t" -port "$secureSyslog") 215 | $t9000 = (New-NsxService -name "$t/$Agent" -protocol $t -port "$Agent") 216 | $t9543 = (New-NsxService -name "$t/$secureAgent" -protocol "$t" -port "$secureAgent") 217 | #Cluster comms (Cassandra and Thrift) 218 | $t7000 = (New-NsxService -name "$t/$Cassandra" -protocol "$t" -port "7000") 219 | $t9042 = (New-NsxService -name "$t/$CassandraNPC" -protocol "$t" -port "$CassandraNPC") 220 | $t9160 = (New-NsxService -name "$t/$ThriftClient" -protocol "$t" -port "$ThriftClient") 221 | $t59778 = (New-NsxService -name "$t/$ThriftServer" -protocol "$t" -port "$ThriftServer") 222 | $t16520range = (New-NsxService -name "$t/16520-80" -protocol "$t" -port 16520-16580) 223 | #Food and Water Services (AD/DNS/NTP/SMTP) 224 | $u123 = (New-NsxService -name "$u/$ntp" -protocol "$u" -port "$ntp") 225 | ##SMTP 226 | $t25 = (New-NsxService -name "$t/$smtp" -protocol "$t" -port "$Smtp") 227 | $t465 = (New-NsxService -name "$t/$SmtpS" -protocol "$t" -port "$SmtpS") 228 | ##DNS 229 | $t53 = (New-NsxService -name "$t/$dns" -protocol "$t" -port "$Dns") 230 | $u53 = (New-NsxService -name "$u/$dns" -protocol "$u" -port "$Dns") 231 | ##Active Directory 232 | $t389 = (New-NsxService -name "$t/$Ad" -protocol "$t" -port "$Ad") 
233 | $u389 = (New-NsxService -name "$u/$Ad" -protocol "$u" -port "$Ad") 234 | $t636 = (New-NsxService -name "$t/$Adssl" -protocol "$t" -port "$Adssl") 235 | $t3268 = (New-NsxService -name "$t/$AdLogServer" -protocol "$t" -port "$AdLogServer") 236 | $t3269 = (New-NsxService -name "$t/$ADGlobalCatalog" -protocol "$t" -port "$ADGlobalCatalog") 237 | $t88 = (New-NsxService -name "$t/$Kerberos" -protocol "$t" -port "$Kerberos") 238 | $u88 = (New-NsxService -name "$u/$Kerberos" -protocol "$u" -port "$Kerberos") 239 | 240 | ############################ 241 | # Creating new Security Objects 242 | write-host -ForegroundColor Green "Creating Log Insight Security Tag $LogInsightSecurityTagName" 243 | # Create the Security Tag 244 | $LogInsightTag = New-NsxSecurityTag -name $LogInsightSecurityTagName 245 | # Create the cluster Security Group 246 | write-host -ForegroundColor Green "Creating Log Insight Security Group $LogInsightSecurityGroupName" 247 | $LogInsightSGCluster = New-NsxSecurityGroup $LogInsightSecurityGroupName -includeMember $LogInsightTag 248 | # Append Security Tag to deployed Log Insight Virtual Machines 249 | Get-VM $LI1,$LI2,$LI3 | New-NsxSecurityTagAssignment -ApplyTag $LogInsightTag 250 | # Place holder Security Groups for rules that allow definition instead of ANY 251 | # User to add objects to these security groups for Food and Water 252 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupAdName" 253 | $SecurityGroupAd = New-NsxSecurityGroup $SecurityGroupAdName 254 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupDNSName" 255 | $SecurityGroupDNS = New-NsxSecurityGroup $SecurityGroupDNSName 256 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupSMTPName" 257 | $SecurityGroupSMTP = New-NsxSecurityGroup $SecurityGroupSMTPName 258 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupNTPName" 259 | $SecurityGroupNTP 
= New-NsxSecurityGroup $SecurityGroupNTPName 260 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupvCenterName" 261 | $SecurityGroupvCenter = New-NsxSecurityGroup $SecurityGroupvCenterName 262 | write-Host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupAdminSourceName" 263 | $SecurityGroupAdminSource = New-NsxSecurityGroup $SecurityGroupAdminSourceName 264 | # Create the Log Insight IP Set for ILB 265 | write-host -ForegroundColor Green "Creating IP Set for Log Insight Load Balancer VIP" 266 | $LogInsightIlbIpSet = New-NsxIpSet -name $LogInsightIlbName -IpAddresses "$LogInsightLoadBalancerIPAddress" 267 | 268 | ############################ 269 | # Creating new firewall section 270 | write-host -ForegroundColor Green "Creating Log Insight Firewall Section" 271 | $LogInsightFirewallSection = New-NsxFirewallSection $LogInsightFirewallSectionName 272 | 273 | 274 | ############################ 275 | # Creating Cluster Rules 276 | write-host -ForegroundColor Green "Creating Log Insight Cluster Rules" 277 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name "$FirewallRuleClusterName Cluster Replication" -Source $LogInsightSGCluster -Destination $LogInsightSGCluster -service $t7000,$t9042,$t9160,$t59778,$t16520range,$t80,$t443,$t22,$t514,$u514,$t1514,$t9000,$t9543 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 278 | 279 | 280 | ############################ 281 | # Creating External Sources Rule 282 | write-host -ForegroundColor Green "Creating Log Insight External Source Rules" 283 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name "$FirewallRuleExternalName Syslog/API" -Destination $LogInsightIlbIpSet -service $t514,$u514,$t1514,$t9000,$t9543 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 284 | 285 | ############################ 286 | # Creating Management Rules 287 | write-host -ForegroundColor 
Green "Creating Log Insight Management Rules" 288 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName Admin Access" -Source $SecurityGroupAdminSource -Destination $LogInsightIlbIpSet -service $t80,$t443,$t22 -action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 289 | 290 | ############################ 291 | # Food and Water 292 | write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for Active Directory" 293 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName AD" -Source $LogInsightSGCluster -Destination $SecurityGroupAd -service $t389,$u389,$t636,$t3268,$t3269,$t88,$u88 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 294 | write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for DNS" 295 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName DNS" -Source $LogInsightSGCluster -Destination $SecurityGroupDNS -service $t53,$u53 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 296 | write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for SMTP" 297 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName SMTP" -Source $LogInsightSGCluster -Destination $SecurityGroupSMTP -service $t25,$t465 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 298 | write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for NTP" 299 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName NTP" -Source $LogInsightSGCluster -Destination $SecurityGroupNTP -service $u123 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 300 | write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for 
vCenter" 301 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName vCenter" -Source $LogInsightSGCluster -Destination $SecurityGroupvCenter -service $t443 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 302 | ############################ 303 | # Application Microsegment 304 | write-host -ForegroundColor Green "Creating Log Insight Specific Deny rules" 305 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "FW-LogInsight-Deny" -Action "Deny" -tag $denytag -position bottom -AppliedTo $LogInsightSGCluster | out-null 306 | 307 | ############################ 308 | # Application Microsegment 309 | write-host -ForegroundColor Green "Log Insight initial segmentation complete. Please add an object or IP Set to $SecurityGroupAdminSourceName to connect to Log Insight." 310 | 311 | -------------------------------------------------------------------------------- /Deploy Log Insight/Log Insight Segment.ps1: -------------------------------------------------------------------------------- 1 | # Log Insight Segmentation Tool v0.1 2 | # a: Anthony Burke 3 | # b: networkinferno.net 4 | # t: pandom_ 5 | # 6 | 7 | 8 | param ( 9 | 10 | ######################### 11 | # Default Ports for Log Insight 12 | 13 | $http = "80", 14 | $https = "443", 15 | $ssh = "22", 16 | #Sending sources 17 | $syslog = "514", 18 | $secureSyslog = "1514", 19 | $agent = "9000", 20 | $secureAgent = "9543", 21 | #Cluster comms 22 | $Cassandra = "7000", 23 | $CassandraNPC = "9042", 24 | $ThriftClient = "9160", 25 | $ThriftServer = "59778", 26 | #Food and Water 27 | $Ntp = "123", 28 | #SMTP 29 | $SMTP = "25", 30 | $SMTPS = "465", 31 | #DNS 32 | $DNS = "53", 33 | #Active Directory 34 | $AD = "389", 35 | $ADssl = "636", 36 | $ADLogServer = "3268", 37 | $ADGlobalCatalog = "3269", 38 | $Kerberos = "88", 39 | ############## 40 | # Mandatory LB IP definition 41 | $LogInsightLoadBalancerIPAddress = 
"192.168.100.95", 42 | ############## 43 | # Firewall Rule addendum 44 | $LogInsightFirewallSectionName = "Log Insight Cluster", 45 | $LogInsightSecurityTagName = "ST-LogInsight-Node", 46 | $FirewallRuleClusterName = "FW-LogInsight-Cluster", 47 | $FirewallRuleManagementName = "FW-LogInsight-Management", 48 | $FirewallRuleExternalName = "FW-LogInsight-External", 49 | $LogInsightIlbName = "IP-LogInsight-VIP", 50 | $DenyTag = "LogInsight-Deny", 51 | ############## 52 | # User-defined parameter 53 | $LogInsightSecurityGroupName = "SG-LogInsight-Cluster", 54 | $SecurityGroupAdName = "SG-ActiveDirectory", 55 | $SecurityGroupDNSName = "SG-DNS", 56 | $SecurityGroupSMTPName = "SG-SMTP", 57 | $SecurityGroupNTPName = "SG-NTP", 58 | $SecurityGroupvCenterName = "SG-vCenter", 59 | $SecurityGroupAdminSourceName = "SG-Administrative-Sources" 60 | ) 61 | 62 | write-host -ForegroundColor Green " 63 | 64 | Welcome to the Log Insight Segmentor tool 65 | 66 | _ _____ _ _ _ 67 | | | |_ _| (_) | | | | 68 | | | ___ __ _ | | _ __ ___ _ __ _| |__ | |_ 69 | | | / _ \ / _` | | | | '_ \/ __| |/ _` | '_ \| __| 70 | | |___| (_) | (_| | _| |_| | | \__ \ | (_| | | | | |_ 71 | |______\___/ \__, | |_____|_| |_|___/_|\__, |_| |_|\__| 72 | __/ | __/ | 73 | |___/ |___/ 74 | _____ _ 75 | / ____| | | 76 | | (___ ___ __ _ _ __ ___ ___ _ __ | |_ ___ _ __ 77 | \___ \ / _ \/ _` | '_ ` _ \ / _ \'_ \ __/ _ \| '__| 78 | ____) | __/ (_| | | | | | | __/ | | | | (_) | | 79 | |_____/ \___|\__, |_| |_| |_|\___|_| |_|\_\___/|_| 80 | __/ | 81 | |___/ 82 | " 83 | ########################### 84 | # Prompt user 85 | write-warning "This script is design to be deployed against a multi-node Log Insight cluster where the Integrated Load Balancer (ILB) is configured. The firewall rules are built around this. The script currently is configured to use $LogInsightLoadBalancerIPAddress . Is this your ILB IP address? 
If not rerun this PowerShell script with -LogInsightLoadBalancerIPAddress " 86 | 87 | if ( (Read-Host "Is the printed LI ILB correct? (y) ?") -ne "y" ) { throw "User has cancelled the operation" } 88 | 89 | write-warning "This script will create the required objects and Distributed Firewall rules to segment Log Insight. This will combine a number of predefined variables and used inputs to do this. An administrator will need to append Security Tag ST-LogInsight-Node to each Log Insight Virtual Machine for firewall rules to take effect." 90 | 91 | if ( (Read-Host "Continue (y) ?") -ne "y" ) { throw "User has cancelled the operation" } 92 | 93 | ################################### 94 | #Check we were called with required modules loaded... 95 | import-module PowerNsx -DisableNameChecking 96 | if ( -not (( Get-module PowerNsx ) -and ( Get-Module VMware.VimAutomation.Core ) )) { throw "Required modules not loaded. PowerCLI v6, PowerNSX and Labs modules required."} 97 | else { write-host -ForegroundColor Green "PowerNsx and required PowerCLI modules installed"} 98 | 99 | 100 | ############################ 101 | # Creating Services 102 | # 103 | write-host -ForegroundColor Green "Creating the required Services" 104 | $u = "udp" 105 | $t = "tcp" 106 | #Management Access (HTTP/HTTPS/SSH) 107 | $t80 = (New-NsxService -name "$t/$http" -protocol "$t" -port "$Http") 108 | $t443 = (New-NsxService -name "$t/$https" -protocol "$t" -port "$Https") 109 | $t22 = (New-NsxService -name "$t/$ssh" -protocol "$t" -port "$Ssh") 110 | #Sending sources (Syslog, Agents, API) 111 | $t514 = (New-NsxService -name "$t/$syslog" -protocol "$t" -port "$Syslog") 112 | $u514 = (New-NsxService -name "$u/$Syslog" -protocol "$u" -port "$Syslog") 113 | $t1514 = (New-NsxService -name "$t/$SecureSyslog" -protocol "$t" -port "$secureSyslog") 114 | $t9000 = (New-NsxService -name "$t/$Agent" -protocol $t -port "$Agent") 115 | $t9543 = (New-NsxService -name "$t/$secureAgent" -protocol "$t" -port "$secureAgent") 
116 | #Cluster comms (Cassandra and Thrift) 117 | $t7000 = (New-NsxService -name "$t/$Cassandra" -protocol "$t" -port "7000") 118 | $t9042 = (New-NsxService -name "$t/$CassandraNPC" -protocol "$t" -port "$CassandraNPC") 119 | $t9160 = (New-NsxService -name "$t/$ThriftClient" -protocol "$t" -port "$ThriftClient") 120 | $t59778 = (New-NsxService -name "$t/$ThriftServer" -protocol "$t" -port "$ThriftServer") 121 | $t16520range = (New-NsxService -name "$t/16520-80" -protocol "$t" -port 16520-16580) 122 | #Food and Water Services (AD/DNS/NTP/SMTP) 123 | $u123 = (New-NsxService -name "$u/$ntp" -protocol "$u" -port "$ntp") 124 | ##SMTP 125 | $t25 = (New-NsxService -name "$t/$smtp" -protocol "$t" -port "$Smtp") 126 | $t465 = (New-NsxService -name "$t/$SmtpS" -protocol "$t" -port "$SmtpS") 127 | ##DNS 128 | $t53 = (New-NsxService -name "$t/$dns" -protocol "$t" -port "$Dns") 129 | $u53 = (New-NsxService -name "$u/$dns" -protocol "$u" -port "$Dns") 130 | ##Active Directory 131 | $t389 = (New-NsxService -name "$t/$Ad" -protocol "$t" -port "$Ad") 132 | $u389 = (New-NsxService -name "$u/$Ad" -protocol "$u" -port "$Ad") 133 | $t636 = (New-NsxService -name "$t/$Adssl" -protocol "$t" -port "$Adssl") 134 | $t3268 = (New-NsxService -name "$t/$AdLogServer" -protocol "$t" -port "$AdLogServer") 135 | $t3269 = (New-NsxService -name "$t/$ADGlobalCatalog" -protocol "$t" -port "$ADGlobalCatalog") 136 | $t88 = (New-NsxService -name "$t/$Kerberos" -protocol "$t" -port "$Kerberos") 137 | $u88 = (New-NsxService -name "$u/$Kerberos" -protocol "$u" -port "$Kerberos") 138 | 139 | ############################ 140 | # Creating new Security Objects 141 | write-host -ForegroundColor Green "Creating Log Insight Security Tag $LogInsightSecurityTagName" 142 | # Create the Security Tag 143 | $LogInsightTag = New-NsxSecurityTag -name $LogInsightSecurityTagName 144 | # Create the cluster Security Group 145 | write-host -ForegroundColor Green "Creating Log Insight Security Group $LogInsightSecurityGroupName" 
146 | $LogInsightSGCluster = New-NsxSecurityGroup $LogInsightSecurityGroupName -includeMember $LogInsightTag 147 | # Place holder Security Groups for rules that allow definition instead of ANY 148 | # User to add objects to these security groups for Food and Water 149 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupAdName" 150 | $SecurityGroupAd = New-NsxSecurityGroup $SecurityGroupAdName 151 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupDNSName" 152 | $SecurityGroupDNS = New-NsxSecurityGroup $SecurityGroupDNSName 153 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupSMTPName" 154 | $SecurityGroupSMTP = New-NsxSecurityGroup $SecurityGroupSMTPName 155 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupNTPName" 156 | $SecurityGroupNTP = New-NsxSecurityGroup $SecurityGroupNTPName 157 | write-host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupvCenterName" 158 | $SecurityGroupvCenter = New-NsxSecurityGroup $SecurityGroupvCenterName 159 | write-Host -ForegroundColor Green "Creating Log Insight Security Group $SecurityGroupAdminSourceName" 160 | $SecurityGroupAdminSource = New-NsxSecurityGroup $SecurityGroupAdminSourceName 161 | # Create the Log Insight IP Set for ILB 162 | write-host -ForegroundColor Green "Creating IP Set for Log Insight Load Balancer VIP" 163 | $LogInsightIlbIpSet = New-NsxIpSet -name $LogInsightIlbName -IpAddresses "$LogInsightLoadBalancerIPAddress" 164 | 165 | ############################ 166 | # Creating new firewall section 167 | write-host -ForegroundColor Green "Creating Log Insight Firewall Section" 168 | $LogInsightFirewallSection = New-NsxFirewallSection $LogInsightFirewallSectionName 169 | 170 | 171 | ############################ 172 | # Creating Cluster Rules 173 | write-host -ForegroundColor Green "Creating Log Insight Cluster Rules" 174 | Get-NsxFirewallSection 
$LogInsightFirewallSectionName | New-NsxFirewallRule -name "$FirewallRuleClusterName Cluster Replication" -Source $LogInsightSGCluster -Destination $LogInsightSGCluster -service $t7000,$t9042,$t9160,$t59778,$t16520range,$t80,$t443,$t22,$t514,$u514,$t1514,$t9000,$t9543 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 175 | 176 | 177 | ############################ 178 | # Creating External Sources Rule 179 | write-host -ForegroundColor Green "Creating Log Insight External Source Rules" 180 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name "$FirewallRuleExternalName Syslog/API" -Destination $LogInsightIlbIpSet -service $t514,$u514,$t1514,$t9000,$t9543 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 181 | 182 | ############################ 183 | # Creating Management Rules 184 | write-host -ForegroundColor Green "Creating Log Insight Management Rules" 185 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName Admin Access" -Source $SecurityGroupAdminSource -Destination $LogInsightIlbIpSet -service $t80,$t443,$t22 -action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 186 | 187 | ############################ 188 | # Food and Water 189 | write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for Active Directory" 190 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName AD" -Source $LogInsightSGCluster -Destination $SecurityGroupAd -service $t389,$u389,$t636,$t3268,$t3269,$t88,$u88 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 191 | write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for DNS" 192 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName DNS" -Source $LogInsightSGCluster -Destination $SecurityGroupDNS -service 
$t53,$u53 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 193 | write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for SMTP" 194 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName SMTP" -Source $LogInsightSGCluster -Destination $SecurityGroupSMTP -service $t25,$t465 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 195 | write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for NTP" 196 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName NTP" -Source $LogInsightSGCluster -Destination $SecurityGroupNTP -service $u123 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 197 | write-host -ForegroundColor Green "Creating Log Insight Food and Water Rules for vCenter" 198 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "$FirewallRuleManagementName vCenter" -Source $LogInsightSGCluster -Destination $SecurityGroupvCenter -service $t443 -Action "Allow" -position top -AppliedTo $LogInsightSGCluster | out-null 199 | ############################ 200 | # Application Microsegment 201 | write-host -ForegroundColor Green "Creating Log Insight Specific Deny rules" 202 | Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -Name "FW-LogInsight-Deny" -Action "Deny" -tag $denytag -position bottom -AppliedTo $LogInsightSGCluster | out-null 203 | 204 | ############################ 205 | # Application Microsegment 206 | write-host -ForegroundColor Green "Log Insight initial segmentation complete. Please add an object or IP Set to $SecurityGroupAdminSourceName to connect to Log Insight." 
207 | -------------------------------------------------------------------------------- /Deploy Log Insight/Log Insight Three.ps1: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Deploy Log Insight 3.3.1. 4 | #To-Do: * Check for Thin Provision 5 | # * Add PowerLogInsight stuff in 6 | param ( 7 | $ClusterName = "Mgmt01", 8 | $DatastoreName = "MgmtData", 9 | $VdsName = "Mgt_int_vds", 10 | $VdPortGroupName = "Internal", 11 | ## OVA Global settings 12 | $LogInsightOvaLocation = "Z:\Lab\vrli.ova", 13 | $IpProtocol = "IPv4", 14 | 15 | 16 | ## Log Insight OVA Settings 17 | $LogInsightApplianceSize = "xsmall", 18 | $LogInsightPortGroupName = "$VdPortGroupName", 19 | 20 | $LogInsightHostName1 = "mgt-loginsight01", 21 | $LogInsightIpAddress1 = "192.168.100.96", 22 | $LogInsightHostName2 = "mgt-loginsight02", 23 | $LogInsightIpAddress2 = "192.168.100.97", 24 | $LogInsightHostName3 = "mgt-loginsight03", 25 | $LogInsightIpAddress3 = "192.168.100.98", 26 | $LogInsightNetmask = "255.255.255.0", 27 | $LogInsightGateway = "192.168.100.1", 28 | $LogInisghtDns = "192.168.100.10", 29 | $LogInsightSearchPath = "corp.local", 30 | $LogInsightDomain = "corp.local", 31 | $RootPw = "VMware1!VMware1!", 32 | 33 | 34 | ## Log Insight Configuration Settings 35 | 36 | $AdminEmail = "admin@vmware.com", 37 | $LogInsightPassword = "VMware1!", 38 | $LogInsightEmail = "loginsight@corp.local", 39 | $SmtpServer = "192.168.100.15", 40 | $SmtpPort = "8080", 41 | $NtpServer = "$LogInsightDns", 42 | 43 | 44 | $vCenter = "vc-01a.corp.local", 45 | $vCenterUsername = "Administrator@vsphere.local", 46 | $vCenterPassword = "VMware1!", 47 | 48 | $LogInsightLicense = "PUT KEY HERE", 49 | 50 | $port = "443", 51 | 52 | ) 53 | 54 | 55 | ## DO NOT EDIT BELOW HERE 56 | 57 | $Cluster = (Get-Cluster $ClusterName) 58 | $Datastore = (Get-Datastore $DatastoreName) 59 | $PortGroup = (Get-Vdswitch $vdsname | Get-Vdportgroup $LogInsightPortGroupName) 60 | 61 | $VMHost = $Cluster| 
Get-VMHost | Sort MemoryUsageGB | Select -first 1 62 | $OvfConfiguration = Get-OvfConfiguration $LogInsightOvaLocation 63 | 64 | $OvfConfiguration.IpAssignment.IpProtocol.value = $IpProtocol 65 | $OvfConfiguration.DeploymentOption.value = $LogInsightApplianceSize 66 | $OvfConfiguration.NetworkMapping.Network_1.value = $PortGroup 67 | 68 | 69 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.hostname.value = $LogInsightServer1 70 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.ip0.value = $LogInsightIpAddress1 71 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.netmask0.value = $LogInsightNetmask 72 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.gateway.value = $LogInsightGateway 73 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.DNS.value = $LogInisghtDns 74 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.searchpath.value = $LogInsightSearchPath 75 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.domain.value = $LogInsightDomain 76 | $OvfConfiguration.vm.rootpw.value = $RootPw 77 | 78 | Import-vApp $LogInsightOvaLocation -OvfConfiguration $OvfConfiguration -name $LogInsightHostName1 -Location $Cluster -VMhost $Vmhost -Datastore $Datastore 79 | 80 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.hostname.value = $LogInsightServer2 81 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.ip0.value = $LogInsightIpAddress2 82 | Import-vApp $LogInsightOvaLocation -OvfConfiguration $OvfConfiguration -name $LogInsightHostName2 -Location $Cluster -VMhost $Vmhost -Datastore $Datastore 83 | 84 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.hostname.value = $LogInsightServer3 85 | $OvfConfiguration.vami.VMware_vCenter_Log_Insight.ip0.value = $LogInsightIpAddress3 86 | Import-vApp $LogInsightOvaLocation -OvfConfiguration $OvfConfiguration -name $LogInsightHostName3 -Location $Cluster -VMhost $Vmhost -Datastore $Datastore 87 | 88 | sleep 5 89 | $LI1 = get-vm $LogInsightHostName1 90 | $LI2 = get-vm $LogInsightHostName2 91 | $LI3 = get-vm 
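$LogInsightHostName3
########
# Start Virtual Machines
$LI1 | start-vm
sleep 5
$LI2 | start-vm
sleep 5
$LI3 | start-vm

-------------------------------------------------------------------------------- /FQDN-IPset-update/fqdn-ipset.ps1: --------------------------------------------------------------------------------
# FQDN IP Set population tool
# a: anthony burke
# g: github.com/pandom/
# t: pandom_
# This should be run as a cronjob every X hours
#
# Resolves $domainname and keeps two NSX IP sets (IPS-<fqdn>-v4 / -v6) equal to the
# current A / AAAA answers: new addresses are added, addresses no longer returned are
# removed.
#
# Security caveats for anyone consuming these IP sets in DFW rules:
#  * The lookup is a plain, unauthenticated DNS query from the host running this
#    script. A spoofed or poisoned answer becomes firewall policy here, so run it from
#    a host whose resolver you trust (ideally a validating one) and never use the
#    resulting set in a rule that grants privileged access.
#  * Many names (CDNs, anycast) return a rotating subset of their address pool per
#    query, so the set will churn and a rule built on it will intermittently block
#    legitimate endpoints. A short schedule and alerting on large diffs help.
#  * A failed lookup aborts the run without touching the IP sets; an empty answer for a
#    family never drains that family's set.
#
# Bug fixed in the tidy-up step: an existing member was queued for removal whenever it
# differed from ANY single resolved address, so with two or more answers every member -
# including ones still valid - was removed and re-added on every run. Members are now
# removed only when absent from the whole answer.

param(
    $domainname = "news.com.au"
)
#Internal, non custom variables
$FQDNIpSetName = "IPS-$domainname-v4"
$FQDNIpSetName6 = "IPS-$domainname-v6"
$existingIp = Get-NsxIpset -name $FQDNIpSetName
$existingIp6 = Get-NsxIpset -name $FQDNIpSetName6

if (!$existingIp){
    $existingIp = New-NsxIpSet -name "$FQDNIpSetName"
}
if (!$existingIp6){
    $existingIp6 = New-NsxIpSet -name "$FQDNIpSetName6"
}

# Perform DNS lookup. The synchronous call is sufficient here and surfaces the real
# exception instead of an AggregateException from .Result.
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($domainname)
}
catch {
    throw "DNS lookup for '$domainname' failed; IP sets left unchanged. $($_.Exception.Message)"
}
$ipv4only = @($resolved | ? {$_.AddressFamily -eq "InterNetwork"})
$ipv6only = @($resolved | ? {$_.AddressFamily -eq "InterNetworkV6"})
# Force arrays so .Count is correct for zero or one address.
$updatedIps = @($ipv4only | % { $_.IPAddressToString })
$updatedIps6 = @($ipv6only | % { $_.IPAddressToString })

# Returns the entries of the IP set's member string that are not in $resolvedIps.
# NSX exposes the members as one comma-separated string in .value (same as before).
# NOTE(review): NSX may store IPv6 members in a different textual form than .NET
# produces (case / zero compression); if so, stale v6 members will not be detected -
# confirm against a live set.
function Get-StaleIpSetMember {
    param(
        [string]$currentMembers,
        [string[]]$resolvedIps
    )
    if ([string]::IsNullOrWhiteSpace($currentMembers)) { return @() }
    $members = $currentMembers.Split(",") | % { $_.Trim() } | ? { $_ -ne "" }
    return @($members | ? { $resolvedIps -notcontains $_ } | Select-Object -Unique)
}

#Add New IPv4 Addresses from $updatedIPs
if ($updatedIps.Count -gt 0) {
    write-host "Attempting to add $($updatedIps.Count) IPv4 address(es) to $FQDNIpSetName"
    $Global:FQDNIpSet = Get-NsxIpSet -name $FQDNIpSetName | Add-NsxIpSetMember -IPAddress $updatedIps
}
#Add New IPv6 Addresses from $updatedIPs6
if ($updatedIps6.Count -gt 0) {
    write-host "Attempting to add $($updatedIps6.Count) IPv6 address(es) to $FQDNIpSetName6"
    $Global:FQDNIpSet6 = Get-NsxIpSet -name $FQDNIpSetName6 | Add-NsxIpSetMember -IPAddress $updatedIps6
}

#Remove old IPv4 Addresses that the lookup no longer returns. Only done when the lookup
#returned at least one address of that family (the original's nested loop had the same
#effect), so an empty answer never empties the set.
write-host "Tidying IPv4 entries"
if ($updatedIps.Count -gt 0) {
    $global:purgearray = Get-StaleIpSetMember -currentMembers ([string]$existingIp.value) -resolvedIps $updatedIps
    if ($purgearray.Count -gt 0) {
        write-host "Attempting to remove $($purgearray.Count) stale IPv4 address(es) from $FQDNIpSetName"
        $null = Get-NsxIpSet -name $FQDNIpSetName | Remove-NsxIpSetMember -IPaddress $global:purgearray
    }
}
#Remove old IPv6 Addresses
write-host "Tidying IPv6 entries"
if ($updatedIps6.Count -gt 0) {
    $global:purgearray6 = Get-StaleIpSetMember -currentMembers ([string]$existingIp6.value) -resolvedIps $updatedIps6
    if ($purgearray6.Count -gt 0) {
        write-host "Attempting to remove $($purgearray6.Count) stale IPv6 address(es) from $FQDNIpSetName6"
        $null = Get-NsxIpSet -name $FQDNIpSetName6 | Remove-NsxIpSetMember -IPaddress $global:purgearray6
    }
}

-------------------------------------------------------------------------------- /IP Validator/ipvalidator.ps1: --------------------------------------------------------------------------------
# Shows where an IP address is seen from two different vantage points. Note that the
# first (VMware Tools) value is self-reported by the guest OS and can be set to anything
# by whoever controls the guest; the second (NSX ARP discovery) is what NSX observed on
# the wire. A mismatch between the two is worth investigating.

param (
    $IpAddress = "10.35.254.4"
)

write-host -foregroundcolor Green "Below is the output if the IP address was detected by VMTools detection"
Get-VM | Select Name, @{N="IP Address";E={@($_.Guest.IPAddress[0])}}, @{N="PowerState";E={@($_.PowerState)}}, @{N="VMTools Status";E={@($_.ExtensionData.Guest.ToolsStatus)}}, @{N="VMTools Version";E={@($_.Guest.ToolsVersion)}} | ? {$_."IP Address" -eq ("$IpAddress")}


write-host -foregroundcolor Green "Below is the output if the IP address was detected by NSX ARP IP Discovery"
$vm = Get-NsxSpoofGuardPolicy | Get-NsxSpoofGuardNic
$vm.DetectedIpAddress | ? `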
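{$_."ipAddress" -eq ("$IpAddress")}





-------------------------------------------------------------------------------- /Microsegment/LogInsightSegmentation.ps1: --------------------------------------------------------------------------------

#Script
# Micro-segments a Log Insight cluster with the NSX-v Distributed Firewall:
#  1. tags the Log Insight VMs and builds security groups from the tag,
#  2. creates the services the cluster, its log sources and its admins need,
#  3. creates one DFW section holding
#       - specific allow rules (cluster comms, log sources -> VIP, admin access,
#         AD/DNS/NTP/vCenter egress), and
#       - "learn" rules that allow-and-log everything else.
#
# Review notes:
#  * As originally written every rule in the section is an ALLOW, including the
#    bottom "catch" rule, so nothing is ever blocked - the section only produces
#    logs. That is fine for the learning phase but it is not segmentation. Run with
#    -Enforce once the logs are clean: the learn rules are then omitted and the
#    catch rule denies (and logs) whatever the specific rules do not permit.
#  * Service objects were created as parameter defaults, i.e. at parameter-binding
#    time, before any of the body ran, and the script could not be re-run because
#    the names already existed. They are now resolved in the body by a get-or-create
#    helper; passing your own service objects through the same parameters still works.
#  * tcp/80 to the VIP is kept only for the HTTP->HTTPS redirect; drop it from the
#    management rule if you only publish 443.
#  * The bottom of the file still carries a commented-out "purge all services" line;
#    it deletes every service in NSX Manager, not just the ones made here.
param (
    ## Creating Log Insight buckets
    $LogInsightVmNames = "mgt-log*",
    $LogInsightTagName = "ST-Mgt-LogInsight",
    $LogInsightFirewallSectionName = "Mgt-LogInsight",
    #Security Group
    $LogInsightSecurityGroupName = "SG-Mgt-LogInsight-Cluster",
    $LogInsightOuterSecurityGroupName = "SG-Mgt-LogInsight-Outer",
    #Initial rules whilst learning
    $FirewallRuleClusterLearnName = "FW-Mgt-LogInsight-Cluster-Learn",
    $FirewallRuleExternalLearnName = "FW-Mgt-LogInsight-External-Learn",
    $FirewallRuleCatchLearnName = "FW-Mgt-LogInsight-Catch-Learn",
    #Final Rules when called
    $FirewallRuleClusterName = "FW-Mgt-LogInsight-Cluster",
    $FirewallRuleExternalName = "FW-Mgt-LogInsight-External",
    $FirewallRuleManagementName = "FW-Mgt-LogInsight-Management",
    $FirewallRuleCatchName = "FW-Mgt-LogInsight-Catch",
    #Distributed Firewall Tags
    $LogInsightClusterDfwTagName = "LogInsightCluster",
    $LogInsightExternalDfwTagName = "LogInsightExternal",
    $LogInsightOuterDfwTagName = "LogInsightCatch",
    #New Services
    $ServiceLogInsightClusterName = "SV-LogInsight-Cluster",

    # A comma was missing after this entry, which made the whole param block a parse error.
    $ManagementClusterName = "SG-Management-Cluster",
    # vSphere cluster whose VMs are allowed to send logs. $null keeps the original
    # behaviour: Get-Cluster with no name, i.e. EVERY cluster in the connected vCenter.
    $ManagementVsphereClusterName = $null,
    $LogInsightVipName = "IP-Mgt-LogInsight-VIP",
    $LogInsightVipIp = "10.35.254.8",
    $ManagementHostsIp = "10.35.252.192/26",
    $ComputeHostsIp = "10.35.253.192/26",
    $ComputeHostsName = "IP-Compute-Hosts",
    $ManagementHostsName = "IP-Management-Hosts",
    $pfSenseIp = "10.35.254.6",
    $pfSenseName = "IP-Mgt-pfSense",
    $MgtJumpName = "mgt-tempjump",
    $NsxManagerIp = "10.35.254.39",
    $NsxManagerName = "IP-Mgt-NsxVMgr01",

    # When set, skip the allow-all learn rules and make the catch rule a logged deny.
    [switch]$Enforce,

    # Service objects. Left $null here and resolved below (get-or-create by name);
    # pass existing PowerNSX service objects to override.
    #Management Access
    $tcp80 = $null,
    $tcp443 = $null,
    $tcp22 = $null,
    #Sending sources
    $tcp514 = $null,
    $udp514 = $null,
    $tcp1514 = $null,
    $tcp9000 = $null,
    $tcp9543 = $null,
    #Cluster comms
    $tcp7000 = $null,
    $tcp9042 = $null,
    $tcp9160 = $null,
    $tcp59778 = $null,
    $tcp16520range = $null,
    #Food and Water
    $udp123 = $null,
    $tcp25 = $null,
    $tcp465 = $null,
    $tcp53 = $null,
    $udp53 = $null,
    $tcp389 = $null,
    $udp389 = $null,
    $tcp636 = $null,
    $tcp3268 = $null,
    $tcp3269 = $null,
    $tcp88 = $null,
    $udp88 = $null
)

# Returns the NSX service called $name, creating it when absent. The exact-name match is
# done client-side because it is not clear from here whether Get-NsxService -name is an
# exact or a substring filter.
function Get-OrCreateNsxService {
    param([string]$name, [string]$protocol, [string]$port)
    $existing = Get-NsxService -name $name | ? { $_.name -eq $name }
    if ($existing) { return ($existing | Select-Object -First 1) }
    return New-NsxService -name $name -protocol $protocol -port $port
}

#Management Access
if (-not $tcp80)  { $tcp80  = Get-OrCreateNsxService -name "tcp/80"  -protocol "tcp" -port "80" }
if (-not $tcp443) { $tcp443 = Get-OrCreateNsxService -name "tcp/443" -protocol "tcp" -port "443" }
if (-not $tcp22)  { $tcp22  = Get-OrCreateNsxService -name "tcp/22"  -protocol "tcp" -port "22" }
#Sending sources
if (-not $tcp514) { $tcp514 = Get-OrCreateNsxService -name "tcp/514" -protocol "tcp" -port "514" }
if (-not $udp514) { $udp514 = Get-OrCreateNsxService -name "udp/514" -protocol "udp" -port "514" }
# Was named "tcp/1515" while carrying port 1514; the name now matches the port.
if (-not $tcp1514) { $tcp1514 = Get-OrCreateNsxService -name "tcp/1514" -protocol "tcp" -port "1514" }
if (-not $tcp9000) { $tcp9000 = Get-OrCreateNsxService -name "tcp/9000" -protocol "tcp" -port "9000" }
if (-not $tcp9543) { $tcp9543 = Get-OrCreateNsxService -name "tcp/9543" -protocol "tcp" -port "9543" }
#Cluster comms
if (-not $tcp7000) { $tcp7000 = Get-OrCreateNsxService -name "tcp/7000" -protocol "tcp" -port "7000" }
if (-not $tcp9042) { $tcp9042 = Get-OrCreateNsxService -name "tcp/9042" -protocol "tcp" -port "9042" }
if (-not $tcp9160) { $tcp9160 = Get-OrCreateNsxService -name "tcp/9160" -protocol "tcp" -port "9160" }
if (-not $tcp59778) { $tcp59778 = Get-OrCreateNsxService -name "tcp/59778" -protocol "tcp" -port "59778" }
if (-not $tcp16520range) { $tcp16520range = Get-OrCreateNsxService -name "tcp/16520-80" -protocol "tcp" -port "16520-16580" }
#Food and Water (25/465/636/3268/3269 are created but not referenced by any rule below - as before)
if (-not $udp123) { $udp123 = Get-OrCreateNsxService -name "udp/123" -protocol "udp" -port "123" }
if (-not $tcp25)  { $tcp25  = Get-OrCreateNsxService -name "tcp/25"  -protocol "tcp" -port "25" }
if (-not $tcp465) { $tcp465 = Get-OrCreateNsxService -name "tcp/465" -protocol "tcp" -port "465" }
if (-not $tcp53)  { $tcp53  = Get-OrCreateNsxService -name "tcp/53"  -protocol "tcp" -port "53" }
if (-not $udp53)  { $udp53  = Get-OrCreateNsxService -name "udp/53"  -protocol "udp" -port "53" }
if (-not $tcp389) { $tcp389 = Get-OrCreateNsxService -name "tcp/389" -protocol "tcp" -port "389" }
if (-not $udp389) { $udp389 = Get-OrCreateNsxService -name "udp/389" -protocol "udp" -port "389" }
if (-not $tcp636) { $tcp636 = Get-OrCreateNsxService -name "tcp/636" -protocol "tcp" -port "636" }
if (-not $tcp3268) { $tcp3268 = Get-OrCreateNsxService -name "tcp/3268" -protocol "tcp" -port "3268" }
if (-not $tcp3269) { $tcp3269 = Get-OrCreateNsxService -name "tcp/3269" -protocol "tcp" -port "3269" }
if (-not $tcp88)  { $tcp88  = Get-OrCreateNsxService -name "tcp/88"  -protocol "tcp" -port "88" }
if (-not $udp88)  { $udp88  = Get-OrCreateNsxService -name "udp/88"  -protocol "udp" -port "88" }


$ntp1 = "192.168.65.254"
$ntp2 = "192.168.65.255"
$ntpname = "IP-Mgt-NTP"


$dns1 = "mgt-dns01"
$dns2 = "mgt-dns02"
$dns = (Get-VM $dns1,$dns2)
$DnsSecurityGroupName = "SG-Mgt-Dns"
$dc1 = "mgt-dc01"
$dc2 = "mgt-dc02"
$dcs = (Get-VM $dc1,$dc2)
$AdSecurityGroupName = "SG-Mgt-Active-Directory"

$vc1 = (Get-Vm mgt-vcenter01)
$vc2 = (Get-Vm comp-vcenter01)
$IpSetNTP = New-NsxIpSet -name $NtpName -IpAddresses "$ntp1,$ntp2"

$AdSecurityGroup = New-NsxSecurityGroup -name $AdSecurityGroupName -includeMember $dcs
$DnsSecurityGroup = New-NsxSecurityGroup -name $DnsSecurityGroupName -includeMember $dns


#Create Security Tag, attach security tag to selected Virtual Machines, Create security group with given Security Tag as membership and then create out Security Group
$LogInsightTag = New-NsxSecurityTag $LogInsightTagName
$LogInsightVm = get-vm $LogInsightVmNames
if (-not $LogInsightVm) { throw "No VMs match '$LogInsightVmNames'; the cluster security group would be empty and the rules would apply to nothing." }
$LogInsightVm | New-NsxSecurityTagAssignment -ApplyTag -SecurityTag $LogInsightTag
$LogInsightClusterSecurityGroup = New-NsxSecurityGroup $LogInsightSecurityGroupName -IncludeMember $LogInsightTag
$LogInsightOuterSecurityGroup = New-NsxSecurityGroup $LogInsightOuterSecurityGroupName -IncludeMember $LogInsightClusterSecurityGroup


## Creating DFW Section for Log Insight
$LogInsightFirewallSection = New-NsxFirewallSection $LogInsightFirewallSectionName

if (-not $Enforce) {
    ## Learning phase: everything to/from the cluster is allowed and logged so the
    ## specific rules below can be checked against real traffic. Nothing is blocked.
    ##Cluster Rules
    Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name $FirewallRuleClusterLearnName -source $LogInsightClusterSecurityGroup -Destination $LogInsightClusterSecurityGroup -enableLogging -action "allow" -AppliedTo $LogInsightClusterSecurityGroup -tag $LogInsightClusterDfwTagName -position top
    ##External Rules
    Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name $FirewallRuleExternalLearnName -enableLogging -action "allow" -AppliedTo $LogInsightClusterSecurityGroup -tag $LogInsightExternalDfwTagName -position bottom
    ##Catch all (logged allow). The original passed $LogInsightCatchDfwTagName, which is
    ##never defined; the parameter is $LogInsightOuterDfwTagName.
    Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name $FirewallRuleCatchLearnName -enableLogging -action "allow" -AppliedTo $LogInsightOuterSecurityGroup -tag $LogInsightOuterDfwTagName -position bottom
}
else {
    ## Enforcement: whatever the specific rules below do not allow is dropped and logged.
    Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name $FirewallRuleCatchName -enableLogging -action "deny" -AppliedTo $LogInsightOuterSecurityGroup -tag $LogInsightOuterDfwTagName -position bottom
}


##

#Cluster Rules
$LogInsightSG = Get-NsxSecurityGroup $LogInsightSecurityGroupName

Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name $FirewallRuleClusterName -Source $LogInsightSG -Destination $LogInsightSG -service $tcp7000,$tcp9042,$tcp9160,$tcp59778,$tcp16520range,$tcp80,$tcp443,$tcp22,$tcp514,$udp514,$tcp1514,$tcp9000,$tcp9543 -Action "Allow" -position top -AppliedTo $LogInsightSG


## Creating a Security Group for sources

# NOTE: with $ManagementVsphereClusterName unset this is every cluster in vCenter, so
# every VM in the environment is permitted to send logs to the VIP. Name the cluster
# to narrow it.
if ($ManagementVsphereClusterName) {
    $ManagementCluster = Get-Cluster $ManagementVsphereClusterName
} else {
    $ManagementCluster = Get-Cluster
}
$ManagementClusterSG = New-NsxSecurityGroup $ManagementClusterName -includeMember $ManagementCluster
# The compute/management names and address ranges were crossed over in the original.
$IpSetComputeHosts = New-NsxIpSet -name $ComputeHostsName -IpAddresses $ComputeHostsIp
$IpSetManagementHosts = New-NsxIpSet -name $ManagementHostsName -IpAddresses $ManagementHostsIp
$IpSetLogInsightVip = New-NsxIpSet -name $LogInsightVipName -IpAddresses $LogInsightVipIp
$IpSetpfSenseIP = New-NsxIpSet -name $pfSenseName -IpAddresses $pfSenseIp
$IpSetNsxvMgr = New-NsxIpSet -name $NsxManagerName -IpAddresses $NsxManagerIp
$mgtjump = Get-Vm $mgtjumpname
## Create a FW rule for Virtual Sources

Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name $FirewallRuleExternalName -Source $ManagementClusterSG, $IpSetComputeHosts, $IpSetManagementHosts, $IpSetNsxvMgr -Destination $IpSetLogInsightVip -service $tcp514,$udp514,$tcp1514,$tcp9000,$tcp9543 -Action "Allow" -position top -AppliedTo $LogInsightSG


## Create a FW rule for Management Sources (admin UI / SSH from the firewall and jump host)

Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name $FirewallRuleManagementName -Source $IpSetpfSenseIP,$mgtjump -Destination $IpSetLogInsightVip -service $tcp80, $tcp443, $tcp22 -Action "Allow" -position top -AppliedTo $LogInsightSG


## Egress the cluster needs. These four rules all shared the management rule's name,
## which made the rule table and the logs unreadable; they are now suffixed.
Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name "$FirewallRuleManagementName-AD" -Source $LogInsightSG -Destination $AdSecurityGroup -service $tcp88,$udp88,$tcp389,$udp389 -Action "Allow" -position top -AppliedTo $LogInsightSG

Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name "$FirewallRuleManagementName-DNS" -Source $LogInsightSG -Destination $DnsSecurityGroup -service $udp53,$tcp53 -Action "Allow" -position top -AppliedTo $LogInsightSG

Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name "$FirewallRuleManagementName-NTP" -Source $LogInsightSG -Destination $IpSetNTP -service $udp123 -Action "Allow" -position top -AppliedTo $LogInsightSG

Get-NsxFirewallSection $LogInsightFirewallSectionName | New-NsxFirewallRule -name "$FirewallRuleManagementName-vCenter" -Source $LogInsightSG -Destination $vc1,$vc2 -service $tcp443 -Action "Allow" -position top -AppliedTo $LogInsightSG

#ViewDesktops
#


#Purge all rules except ones used by Default Rule.
#DANGER: this deletes every NSX service whose name does not contain DHCP/IPv6 - not
#just the ones this script created. Deliberately left commented out.
#Get-NsxService | ? {$_.name -notmatch ("DHCP") -AND $_.name -notmatch ("IPv6")} | Remove-NsxService -confirm:$false


#Get-NsxService | ? {$_.name -notmatch ("DHCP") -AND $_.name -notmatch ("IPv6")} | Remove-NsxService -confirm:$false

# $SGWeb = New-NsxSecurityGroup "SG-Web"
# $SGApp = New-NsxSecurityGroup "SG-App"
# $SGDb = New-NsxSecurityGroup "SG-Db"
# $SGBookstore = New-NsxSecurityGroup "SG-Bookstore" -includeMember ($SGApp,$SGWeb,$SGDb)

# New-NsxFirewallSection "Bookstore Application"
# Get-NsxFirewallSection "Bookstore Application" | New-NsxFirewallRule -name "Bookstore Web Learn" -enableLogging -action "Allow" -tag "Bookstore-Web" -AppliedTo $SGWeb
# Get-NsxFirewallSection "Bookstore Application" | New-NsxFirewallRule -name "Bookstore App Learn" -enableLogging -action "Allow" -tag "Bookstore-App" -AppliedTo $SGApp
# Get-NsxFirewallSection "Bookstore Application" | New-NsxFirewallRule -name "Bookstore Db Learn" -enableLogging -action "Allow" -tag "Bookstore-Db" -AppliedTo $SGDb
# Get-NsxFirewallSection "Bookstore Application" | New-NsxFirewallRule -name "Bookstore Catch" -enableLogging -action "Allow" -tag "Bookstore-Catch" -AppliedTo $SGBookstore -position bottom


-------------------------------------------------------------------------------- /NSX Rule Validator/Rule-validator.ps1: --------------------------------------------------------------------------------
## Distributed Firewall rule validator ##
## Author: Anthony Burke t:@pandom_ b:networkinferno.net
## version 1.0
## January 2015
#--------------------------------------------------
# ____ __ _ _ ____ ____ __ _ ____ _ _
# ( _ \ / \ / )( \( __)( _ \( ( \/ ___)( \/ )
# ) __/( O )\ /\ / ) _) ) // /\___ \ ) (
# (__) \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
# PowerShell extensions for NSX for vSphere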
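#--------------------------------------------------
#USAGE: On execution of the script either change the $vmname attribute to the specific VM.
param (
    $vmname = "melb-log-0",
    # WARNING - this script uses match. It will pull out details of ALL VMs that match the string in $VMNAME. An exact match will need to be the entire VM's name.
    # $vmname is a regular expression, so '.' or '(' in a VM name are metacharacters;
    # anchor it (^name$) for an exact match.
    $vmactual = (Get-Vm | ? {$_.name -match "$vmname"})
)
# Without this an empty match produced three empty tables and a misleading "all rules" header.
if (-not $vmactual) { throw "No VM name matches '$vmname'." }
#Pulls VM filter information include VM-name and MAC address
write-host -foregroundcolor "Green" "$vmactual Firewall filter and VM IPs"
Get-Vm $vmactual | Select Name, @{N="IP Address";E={@($_.guest.IPAddress[0])}} | ft -autosize -wrap
Get-Vm $vmactual | Get-NsxCliDfwFilter

#Pulls any related address sets and resolves them.
write-host -foregroundcolor "Green" "Resolving objects applied to $vmactual "
Get-Vm $vmactual | Get-NsxCliDfwAddrSet | ft -wrap -autosize
#Outputs ruletable installed onto the vNIC

write-host -foregroundcolor "Green" "Output of all rules"
get-vm $vmactual | Get-NsxCliDfwRule | ft -wrap -autosize RuleID,service,Source,Destination,Port
-------------------------------------------------------------------------------- /NSX Validation scripts/dfw-heap-test.ps1: --------------------------------------------------------------------------------
## Test for DFW Memory heap usage
#a: Anthony Burke - @pandom_
#c: (dcoghland for original idea and initial code, nbradford for sanity checks and matching)
#r: PowerCLI, PowerNSX, PSate, PShould, Posh-SSH (New-SSHSession / Invoke-SSHCommand)
#
# For every host in a cluster that has the DFW feature installed, SSH in and read the
# 'percent free of max size' stat of each vsip heap; fail when less than $limit % is free.
#
# Review notes:
#  * -AcceptKey used to be passed unconditionally, so an unknown (or changed) ESXi host
#    key was trusted silently - exactly the condition under which the root credentials
#    typed into Get-Credential would be handed to an impostor. Host keys are now only
#    auto-accepted when the script is run with -AcceptUnknownHostKey; otherwise Posh-SSH
#    falls back to its known-hosts handling for a new key.
#  * Each SSH session is closed when the host's checks finish (they used to be leaked).
#  * $matches was read after a Where-Object filter; for a heap whose output did not
#    match the regex it still held the previous heap's value, so a broken stat could
#    pass on a stale number. The match is now captured per heap and a missing stat
#    fails the test.
param(
    [switch]$AcceptUnknownHostKey
)

## DO NOT EDIT.
### The limit threshold is recommended as a buffer. If 80% of memory or more is used the test will fail.
## Some math for heap percentage
$limit = 20
$total = (100-$limit)
## Collect all VMhosts under vCenter
$esxi_creds = (Get-Credential)


## Initiate Test sequence
DescribingEach "Distributed Firewall Memory heaps"{
    $vSphereHosts = get-cluster | % {
        $currclus = $_
        if (($currclus | get-nsxclusterstatus | ? { $_.featureId -eq 'com.vmware.vshield.firewall' }).Installed -eq 'true') {
            $currclus
        }
    } | get-vmhost

    # For each vSphere host found by Get-VMhost connect to host with SSH
    foreach ( $vsphere in $vSphereHosts ) {
        GivenEach "vSphere Host $($vSphere.name)" {
            $esxi_SSH_Session = New-SSHSession -ComputerName $vsphere -Credential $esxi_creds -AcceptKey:$AcceptUnknownHostKey
            try {
                #Invoke vsish command to list all VSIP heaps and store it
                $vsish_command_1 = "vsish -e ls /system/heaps|grep vsip"
                $vsish_object_1 = Invoke-SSHCommand -SessionId $esxi_SSH_Session.SessionId -Command $vsish_command_1 -EnsureConnection
                #Upon the stored object, for each heap listed, use SSH session to check heap memory remaining.
                foreach ($heap in $vsish_object_1.output) {
                    # vsish 'ls' prints directory entries with a trailing '/', and the ESXi shell strips the
                    # quotes around 'stats', so this resolves to /system/heaps/<heap>/stats. Keep the quoting.
                    $command = "vsish -e get /system/heaps/$heap'stats'"
                    $stats = Invoke-SSHCommand -SessionId $esxi_SSH_Session.SessionId -Command $command -EnsureConnection
                    $m = [regex]::Match(($stats.output -join "`n"), "percent free of max size:(\d{1,3})")
                    # -1 when the stat line is absent, so a missing/garbled stat fails below.
                    $percentFree = if ($m.Success) { [int]$m.Groups[1].Value } else { -1 }
                    # Use PShould to determine remaining memory is more than limit (ex:80 is more than 20)
                    It "has not surpassed the $total % memory threshold on memory heap $heap for $vsphere" {
                        $percentFree | should be -gt $limit
                    }
                }
            }
            finally {
                if ($esxi_SSH_Session) { Remove-SSHSession -SessionId $esxi_SSH_Session.SessionId | Out-Null }
            }
        }
    }
}
-------------------------------------------------------------------------------- /NSX Validation scripts/test-3TA-lb-status.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pandom/NSX-Scripts/9d9118c1f2224eedccbd81248fabc26887ed0521/NSX Validation scripts/test-3TA-lb-status.ps1 -------------------------------------------------------------------------------- /NSX Validation scripts/test-nsx-controller-manager.ps1: --------------------------------------------------------------------------------
## Basic NSX health check
#
#
# Requires Psate
# Requires Pshould
# Requests PowerNSX
#
#
# To Do. Build in more checks.
#* Get feedback from Nick
#* Look at outputs based on failure
#* What should be tested?

TestFixture "VMware components" {


## A list of URIs to test connectivity environment.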
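## vCenter and NSX Manager in a lab usually present self-signed certificates, so
## Invoke-WebRequest fails on TLS for $b and $c. Import the lab CA into the trust
## store of the machine running these tests rather than disabling certificate
## validation process-wide: a health check that ignores certificates cannot tell a
## spoofed management endpoint from the real one.
$a = "http://vmware.com/"
$b = "https://vc-01a.corp.local/vsphere-client/?csp"
$c = "https://192.168.100.201/login.jsp"
$uris = @($a,$b,$c)

foreach ($u in $uris){
    TestCase "$u is accessible" {
        # Bounded wait so one unreachable endpoint cannot hang the whole fixture;
        # -UseBasicParsing avoids the IE-based HTML parser on Windows PowerShell.
        $results = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 30
        $results.StatusCode | Should be 200
    }
}

# Depends on an external service; expect this case to fail when run offline.
# NOTE(review): GitHub has since moved its status API off status.github.com - confirm
# this endpoint still answers before relying on the case.
TestCase "GitHub API status check" {
    $results = Invoke-RestMethod https://status.github.com/api/status.json -TimeoutSec 30

    $results.status | Should be good
}

TestCase "NSX Manager API check" {

    $results = Invoke-NsxRestMethod -uri /api/1.0/appliance-management/summary/system -method get

    $results.versioninfo.majorVersion | Should be 6

}

TestCase "Check NSX Controllers"{


    $results = Invoke-NsxRestMethod -uri /api/2.0/vdn/controller -method get
    $controllers = @($results.Controllers.controller)
    # An empty controller list used to pass vacuously (the loop body never ran).
    $controllers.Count | should be -gt 0
    # Test the same condition against EACH controller found.
    foreach ($controller in $controllers) {

        $controller.status | should be RUNNING
        # This write-host here was to prove my loop works for each controller.
        write-host -foregroundcolor green " [++]Testing individual controller"

    }




}

}
-------------------------------------------------------------------------------- /NSX-License/nsx-license.ps1: --------------------------------------------------------------------------------
# NSX licence via PowerCLI
#a. anthony burke
#t. @pandom
#c. This script will licence NSX for vSphere via PowerCLI. It requires a connection to vCenter along with a valid licence. Kudos to Gavin for helping me find nsx-netsec via MOB.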
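param (
    # Licence key. Pass it on the command line or set it locally; do not commit a real
    # key to source control - it is a credential for the product.
    $license = "INSERT LICENCE HERE"
)

# Refuse to call UpdateAssignedLicense with the placeholder or an empty key; the
# original sent the literal "INSERT LICENCE HERE" to vCenter when run unchanged.
if ([string]::IsNullOrWhiteSpace($license) -or $license -eq "INSERT LICENCE HERE") {
    throw "Supply a licence key with -license."
}

$ServiceInstance = Get-View ServiceInstance
$LicenseManager = Get-View $ServiceInstance.Content.licenseManager
$LicenseAssignmentManager = Get-View $LicenseManager.licenseAssignmentManager
# "nsx-netsec" is the licence-assignment entity id for NSX for vSphere (found via the MOB).
$LicenseAssignmentManager.UpdateAssignedLicense("nsx-netsec",$license,$NULL)

# The following can be used to check an assigned licence. (The original had a stray
# second '$' in front of the variable name.)
#$CheckLicense = $LicenseAssignmentManager.QueryAssignedLicenses("nsx-netsec")
#$CheckLicense.AssignedLicense
-------------------------------------------------------------------------------- /NSX-T-Bits/nsxt-all.ps1: --------------------------------------------------------------------------------
## Deploy NSX-T 2.0 Controllers (x3), Manager (x1) and Edges (x2) from OVA.
## Requires an existing PowerCLI connection to the management vCenter.
##
## Review notes:
##  * The admin/CLI/audit password was the literal "VMware1!" repeated in six OVF
##    configurations. It is now prompted for once (Get-Credential) and reused. The OVF
##    properties still receive it in clear text - that is how the appliances take it -
##    so do not run this under Start-Transcript or with -Verbose into a shared log.
##  * Root SSH login was enabled on the Manager only (controllers and edges had it
##    disabled). $allowSshRootLogin below now applies one setting to every appliance and
##    defaults to "False"; flip it if root over SSH on the manager is really required.
##  * OVA images are read from an SMB share addressed by IP with no integrity check. Put
##    the vendor-published SHA-256 of each OVA into $ovaSha256 to have the file verified
##    before it is deployed; entries left empty only produce a warning.
##  * The six near-identical property blocks are now one helper; per-appliance behaviour
##    is unchanged apart from the two points above.

#Environment
$clname = "Management"
$dsname = "STO-SRV-001"
$pgname = "PP-MGT-Guest"
$teppgname = "PP-MGT-TEP"
$vlanpgname = "PP-MGT-Tenant-Interconnect"

#RTQA63 builds
$ctrlOvaLocation = "\\10.35.253.138\data01\Build\VMware\NSX Transformers\2.0\nsx-controller-2.0.0.0.0.6217020.ova"
$mgrOvaLocation  = "\\10.35.253.138\data01\Build\VMware\NSX Transformers\2.0\nsx-manager-2.0.0.0.0.6218290.ova"
$edgeOvaLocation = "\\10.35.253.138\data01\Build\VMware\NSX Transformers\2.0\nsx-edge-2.0.0.0.0.6217019.ova"
# Expected SHA-256 per OVA path (hex, either case). Empty = deploy unverified, with a warning.
$ovaSha256 = @{
    $ctrlOvaLocation = ""
    $mgrOvaLocation  = ""
    $edgeOvaLocation = ""
}

#Network
$gw = "192.168.254.1"
$sn = "255.255.255.128"
$dns = "192.168.254.7"
$ntp = "192.168.65.255,192.168.65.254"
$dm = "pp.sin.nicira.eng.vmware.com"

#OVF Details
$cred = Get-Credential -UserName "admin" -Message "Password to set for the NSX-T appliance admin/CLI/audit accounts"
$password = $cred.GetNetworkCredential().Password
$audituser = "audit"
$auditpass = "$password"
$cliuser = "admin"
$df = "thin"
$es = "large"                # edge form factor
$allowSshRootLogin = "False"

$cl = get-cluster $clname
$ds = get-datastore $dsname
$nw = get-vdportgroup $pgname
$nw2 = get-vdportgroup $teppgname
$nw3 = get-vdportgroup $vlanpgname

# Throws when $ovaSha256 holds a non-empty expected hash for $path and the file differs.
function Assert-OvaIntegrity {
    param([string]$path)
    $expected = $ovaSha256[$path]
    if ([string]::IsNullOrWhiteSpace($expected)) {
        Write-Warning "No expected SHA-256 configured for $path - deploying an unverified image."
        return
    }
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        throw "SHA-256 mismatch for $path (expected $expected, got $actual)."
    }
}

# Builds the OVF configuration shared by all three appliance types and imports it onto
# the least-loaded host of $cl. $extra is a scriptblock receiving the configuration to
# set type-specific properties (network mappings, audit user, form factor) before import.
function Deploy-NsxtAppliance {
    param(
        [string]$ovaPath,
        [string]$hostname,
        [string]$ipAddress,
        [scriptblock]$extra = {}
    )
    Assert-OvaIntegrity -path $ovaPath
    $vh = $cl | Get-VMHost | Sort MemoryUsageGB | Select -first 1

    $ovf = Get-OvfConfiguration -ovf $ovaPath
    $ovf.common.nsx_passwd_0.value = "$password"
    $ovf.common.nsx_cli_passwd_0.value = "$password"
    #$ovf.common.extraPara.value = ""
    $ovf.common.nsx_hostname.value = "$hostname"
    $ovf.common.nsx_gateway_0.value = "$gw"
    $ovf.common.nsx_ip_0.value = "$ipAddress"
    $ovf.common.nsx_netmask_0.value = "$sn"
    $ovf.common.nsx_dns1_0.value = "$dns"
    $ovf.common.nsx_domain_0.value = "$dm"
    $ovf.common.nsx_ntp_0.value = "$ntp"
    $ovf.common.nsx_isSSHEnabled.value = "True"
    $ovf.common.nsx_allowSSHRootLogin.value = "$allowSshRootLogin"
    $ovf.IpAssignment.IpProtocol.value = "IPv4"
    & $extra $ovf

    Import-vApp -Source $ovaPath -OvfConfiguration $ovf -Name $hostname -Location $cl -VMHost $vh -Datastore $ds -DiskStorageFormat $df | out-null
}

## Controllers
$controllers = @(
    @{ hn = "pp-mgt-nsxctrl01"; ip = "192.168.254.11" },
    @{ hn = "pp-mgt-nsxctrl02"; ip = "192.168.254.12" },
    @{ hn = "pp-mgt-nsxctrl03"; ip = "192.168.254.13" }
)
foreach ($c in $controllers) {
    Deploy-NsxtAppliance -ovaPath $ctrlOvaLocation -hostname $c.hn -ipAddress $c.ip -extra {
        param($ovf)
        $ovf.NetworkMapping.Network_1.Value = "$($nw.name)"
    }
}

## Manager (one node; the other two are left commented for reference, as in the original)
$hn = "pp-mgt-nsxmgr01"
$ip = "192.168.254.19"
# $hn = "pp-mgt-nsxmgr02"
# $ip = "192.168.254.20"
# $hn = "pp-mgt-nsxmgr03"
# $ip = "192.168.254.21"
Deploy-NsxtAppliance -ovaPath $mgrOvaLocation -hostname $hn -ipAddress $ip -extra {
    param($ovf)
    $ovf.common.nsx_cli_username.value = "$cliuser"
    $ovf.common.nsx_cli_audit_username.value = "$audituser"
    $ovf.common.nsx_cli_audit_passwd_0.value = "$auditpass"
    $ovf.NetworkMapping.Network_1.Value = "$($nw.name)"
}

## Edges
$edges = @(
    @{ hn = "pp-mgt-nsxedge01"; ip = "192.168.254.31" },
    @{ hn = "pp-mgt-nsxedge02"; ip = "192.168.254.32" }
)
foreach ($e in $edges) {
    Deploy-NsxtAppliance -ovaPath $edgeOvaLocation -hostname $e.hn -ipAddress $e.ip -extra {
        param($ovf)
        $ovf.NetworkMapping.Network_0.Value = "$($nw.name)"
        $ovf.NetworkMapping.Network_1.Value = "$($nw2.name)"
        $ovf.NetworkMapping.Network_2.Value = "$($nw3.name)"
        #not used - assigning to PP-TENANT-INTERCONNECT
        $ovf.NetworkMapping.Network_3.Value = "$($nw3.name)"
        $ovf.DeploymentOption.value = "$es"
    }
}
-------------------------------------------------------------------------------- /NSX-T-Bits/nsxt-cleanup.ps1: --------------------------------------------------------------------------------
# Scratch notes for (re)binding and cleaning up an NSX-T 2.0 transport node. Despite the
# .ps1 extension these are ESXi shell / nsxcli commands, not PowerShell.
#
# Security notes:
#  * The 'thumbprint' in 'join management-plane' pins the manager certificate the host
#    will trust (the 64-hex-char value is a SHA-256 thumbprint). Take it from the manager
#    itself, not from the TLS handshake of the connection you are about to trust, or the
#    pin proves nothing against an impostor.
#  * The SHA-1 fingerprints below come from the ESXi hosts' own /etc/vmware/ssl/rui.crt;
#    they are the hosts' certificates, not the manager thumbprint that 'join' expects.
#  * 'password VMware1!' on the command line lands in shell history. The first form
#    omits the value and presumably prompts for it; prefer that. (This is the well-known
#    lab default, not a real secret.)
#  * 'esxcli software vib remove -f' forces removal past dependency checks - lab
#    cleanup only.
join management-plane 192.168.254.19 username admin thumbprint a7ba094dea71062f942f814ba750091e6347eeaf89538f92886cab06caa22b04 password


join management-plane 192.168.254.19 username admin thumbprint a7ba094dea71062f942f814ba750091e6347eeaf89538f92886cab06caa22b04 password VMware1!


26e68ad3ebfccc58505be6873c1090e6ce82bedc60f7d0402c4ab90df64588ee

[root@srv-030:~] openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha1 -noout
SHA1 Fingerprint=13:65:EB:11:91:0B:97:B8:30:62:DB:35:28:D4:A7:92:3D:D2:A1:68

[root@srv-031:/var/log] openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha1 -noout
SHA1 Fingerprint=3D4E8F3CA30A2FFC5600C670E00154FB9F1648A0

detach management-plane 192.168.254.19 username admin password VMware1! thumbprint a7ba094dea71062f942f814ba750091e6347eeaf89538f92886cab06caa22b04

# Drop all DFW filters, then stop the NSX services before the VIBs are removed.
vsipioctl clearallfilters
etc/init.d/netcpad stop
/etc/init.d/netcpad stop
/etc/init.d/nsx-exporter stop
/etc/init.d/nsx-nestdb stop
/etc/init.d/nsx-support-bundle-client stop
/etc/init.d/nsx-ctxteng stop
/etc/init.d/nsx-sfhc stop
/etc/init.d/nsx-da stop
/etc/init.d/nsx-hyperbus stop
/etc/init.d/nsx-lldp stop
/etc/init.d/nsx-platform-client stop
/etc/init.d/nsx-mpa stop
/etc/init.d/nsx-datapath stop
/etc/init.d/nsx-ctxteng stop
/etc/init.d/nsx-hyperbus stop
/etc/init.d/nsx-metrics-libs stop
/etc/init.d/nsx-nestdb-libs stop
/etc/init.d/nsx-nestdb stop
/etc/init.d/nsx-platform-client stop
/etc/init.d/nsx-rpc-libs stop
/etc/init.d/nsx-shared-libs stop
/etc/init.d/nsx-common-libs stop

# Forced VIB removal (-f). Order matters for the dependency chain; libs last.
esxcli software vib remove -n nsx-aggservice -f
esxcli software vib remove -n nsx-da -f
esxcli software vib remove -n nsx-esx-datapath -f
esxcli software vib remove -n nsx-exporter -f
esxcli software vib remove -n nsx-host -f
esxcli software vib remove -n nsx-lldp -f
esxcli software vib remove -n nsx-netcpa -f
esxcli software vib remove -n nsx-python-protobuf -f
esxcli software vib remove -n nsx-sfhc -f
esxcli software vib remove -n nsx-support-bundle-client -f
esxcli software vib remove -n nsxa -f
esxcli software vib remove -n nsxcli -f
esxcli software vib remove -n nsx-mpa -f
esxcli software vib remove -n nsx-ctxteng -f
esxcli software vib remove -n nsx-hyperbus -f
esxcli software vib remove -n nsx-metrics-libs -f
esxcli software vib remove -n nsx-nestdb-libs -f
esxcli software vib remove -n nsx-nestdb -f
esxcli software vib remove -n nsx-platform-client -f
esxcli software vib remove -n nsx-rpc-libs -f
esxcli software vib remove -n nsx-shared-libs -f
esxcli software vib remove -n \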
nsx-common-libs -f 63 | 64 | 65 | ##MANUAL INSTALL 66 | esxcli software vib install -d /tmp/nsx-lcp-2.0.0.0.0.6080953-esx65.zip -f 67 | ##MANUAL BINDING 68 | /opt/vmware/nsx-cli/bin/scripts/nsxcli 69 | join management-plane 192.168.254.19 username admin thumbprint a7ba094dea71062f942f814ba750091e6347eeaf89538f92886cab06caa22b04 password VMware1! 70 | 71 | 72 | 73 | -------------------------------------------------------------------------------- /NSX-T-Bits/nsxt-controller.ps1: -------------------------------------------------------------------------------- 1 | ## Deploy NSX-T Controller 2 | #Environment 3 | $clname = "Management" 4 | $dsname = "STO-SRV-001" 5 | $pgname = "PP-MGT-Guest" 6 | 7 | $ovflocation = "\\10.35.253.138\data01\Build\VMware\NSX Transformers\2.0\nsx-controller-2.0.0.0.0.6080938.ova" ##vdr-mac 8 | #$ovflocation = "\\10.35.253.138\data01\Build\VMware\NSX Transformers\2.0\nsx-controller-2.0.0.0.0.6058270.ova" pre-RTQA, Maclearning 9 | #$ovflocation = "\\10.35.253.138\data01\Build\VMware\NSX Transformers\1.10\nsx-controller-1.1.0.0.0.4788146.ova" 10 | 11 | #Edge 12 | $hn = "pp-mgt-nsxctrl01" 13 | $ip = "192.168.254.11" 14 | # $hn = "pp-mgt-nsxctrl02" 15 | # $ip = "192.168.254.12" 16 | # $hn = "pp-mgt-nsxctrl03" 17 | # $ip = "192.168.254.13" 18 | $gw = "192.168.254.1" 19 | $sn = "255.255.255.128" 20 | $dns = "192.168.254.7" 21 | $ntp = "192.168.65.255,192.168.65.254" 22 | $dm = "pp.sin.nicira.eng.vmware.com" 23 | 24 | 25 | #OVF Details 26 | $password = "VMware1!" 
27 | $df = "thin" 28 | 29 | $cl = get-cluster $clname 30 | $vh = $cl | Get-VMHost | Sort MemoryUsageGB | Select -first 1 31 | $ds = get-datastore $dsname 32 | $nw = get-vdportgroup $pgname 33 | 34 | ##OVF Deployment 35 | $ovf = Get-OvfConfiguration -ovf $ovflocation 36 | $ovf.common.nsx_passwd_0.value = "$password" 37 | $ovf.common.nsx_cli_passwd_0.value = "$password" 38 | #$ovf.common.extraPara.value = "" 39 | $ovf.common.nsx_hostname.value = "$hn" 40 | $ovf.common.nsx_gateway_0.value = "$gw" 41 | $ovf.common.nsx_ip_0.value = "$ip" 42 | $ovf.common.nsx_netmask_0.value = "$sn" 43 | $ovf.common.nsx_dns1_0.value = "$dns" 44 | $ovf.common.nsx_domain_0.value = "$dm" 45 | $ovf.common.nsx_ntp_0.value = "$ntp" 46 | $ovf.common.nsx_isSSHEnabled.value = "True" 47 | $ovf.common.nsx_allowSSHRootLogin.value = "False" 48 | $ovf.NetworkMapping.Network_1.Value = "$($nw.name)" 49 | $ovf.IpAssignment.IpProtocol.value = "IPv4" 50 | 51 | Import-vApp -Source $OvfLocation -OvfConfiguration $ovf -Name $hn -Location $cl -VMHost $vh -Datastore $ds -DiskStorageFormat $Df | out-null -------------------------------------------------------------------------------- /NSX-T-Bits/nsxt-edge.ps1: -------------------------------------------------------------------------------- 1 | ## Deploy NSX-T Edge 2 | #Environment 3 | $clname = "Management" 4 | $dsname = "STO-SRV-001" 5 | $pgname = "PP-MGT-Guest" 6 | $teppgname = "PP-MGT-TEP" 7 | $vlanpgname = "PP-MGT-Tenant-Interconnect" 8 | 9 | $ovflocation = "\\10.35.253.138\data01\Build\VMware\NSX Transformers\2.0\nsx-edge-2.0.0.0.0.6080944.ova" #vdr-mac 10 | # $ovflocation = "\\10.35.253.138\data01\Build\VMware\NSX Transformers\2.0\nsx-edge-2.0.0.0.0.6058279.ova" pre-RTQA, Maclearning 11 | #$ovflocation = "\\10.35.253.138\data01\Build\VMware\NSX Transformers\1.10\nsx-edge-1.1.0.0.0.4788148.ova" 12 | 13 | #Edge 14 | $hn = "pp-mgt-nsxedge01" 15 | $ip = "192.168.254.31" 16 | $hn = "pp-mgt-nsxedge02" 17 | $ip = "192.168.254.32" 18 | $gw = "192.168.254.1" 19 | 
$sn = "255.255.255.128" 20 | $dns = "192.168.254.7" 21 | $ntp = "192.168.65.255,192.168.65.254" 22 | $dm = "pp.sin.nicira.eng.vmware.com" 23 | $es = "large" 24 | 25 | #OVF Details 26 | $password = "VMware1!" 27 | $df = "thin" 28 | 29 | $cl = get-cluster $clname 30 | $vh = $cl | Get-VMHost | Sort MemoryUsageGB | Select -first 1 31 | $ds = get-datastore $dsname 32 | $nw1 = get-vdportgroup $pgname 33 | $nw2 = get-vdportgroup $teppgname 34 | $nw3 = get-vdportgroup $vlanpgname 35 | 36 | ##OVF Deployment 37 | $ovf = Get-OvfConfiguration -ovf $ovflocation 38 | $ovf.common.nsx_passwd_0.value = "$password" 39 | $ovf.common.nsx_cli_passwd_0.value = "$password" 40 | #$ovf.common.extraPara.value = "" 41 | $ovf.common.nsx_hostname.value = "$hn" 42 | $ovf.common.nsx_gateway_0.value = "$gw" 43 | $ovf.common.nsx_ip_0.value = "$ip" 44 | $ovf.common.nsx_netmask_0.value = "$sn" 45 | $ovf.common.nsx_dns1_0.value = "$dns" 46 | $ovf.common.nsx_domain_0.value = "$dm" 47 | $ovf.common.nsx_ntp_0.value = "$ntp" 48 | $ovf.common.nsx_isSSHEnabled.value = "True" 49 | $ovf.common.nsx_allowSSHRootLogin.value = "False" 50 | $ovf.NetworkMapping.Network_0.Value = "$($nw1.name)" 51 | $ovf.NetworkMapping.Network_1.Value = "$($nw2.name)" 52 | $ovf.NetworkMapping.Network_2.Value = "$($nw3.name)" 53 | #not used - assigning to PP-TENANT-INTERCONNECT 54 | $ovf.NetworkMapping.Network_3.Value = "$($nw3.name)" 55 | $ovf.IpAssignment.IpProtocol.value = "IPv4" 56 | $ovf.DeploymentOption.value = "$es" 57 | 58 | 59 | Import-vApp -Source $OvfLocation -OvfConfiguration $ovf -Name $hn -Location $cl -VMHost $vh -Datastore $ds -DiskStorageFormat $Df | out-null -------------------------------------------------------------------------------- /NSX-T-Bits/nsxt-manager.ps1: -------------------------------------------------------------------------------- 1 | ## Deploy NSX-T Manager 2 | #Environment 3 | $clname = "Management" 4 | $dsname = "STO-SRV-001" 5 | $pgname = "PP-MGT-Guest" 6 | 7 | $ovflocation = 
"\\10.35.253.138\data01\Build\VMware\NSX Transformers\2.0\nsx-manager-2.0.0.0.0.6080942.ova" ##vdr-mac 8 | 9 | 10 | #Edge 11 | $hn = "pp-mgt-nsxmgr01" 12 | $ip = "192.168.254.19" 13 | # $hn = "pp-mgt-nsxmgr02" 14 | # $ip = "192.168.254.20" 15 | # $hn = "pp-mgt-nsxmgr03" 16 | # $ip = "192.168.254.21" 17 | $gw = "192.168.254.1" 18 | $sn = "255.255.255.128" 19 | $dns = "192.168.254.7" 20 | $ntp = "192.168.65.255,192.168.65.254" 21 | $dm = "pp.sin.nicira.eng.vmware.com" 22 | 23 | 24 | #OVF Details 25 | $password = "VMware1!" 26 | $audituser = "audit" 27 | $auditpass = "$password" 28 | $cliuser = "admin" 29 | $df = "thin" 30 | 31 | # Deploy 32 | 33 | $cl = get-cluster $clname 34 | $vh = $cl | Get-VMHost | Sort MemoryUsageGB | Select -first 1 35 | $ds = get-datastore $dsname 36 | $nw = get-vdportgroup $pgname 37 | 38 | ##OVF Deployment 39 | $ovf = Get-OvfConfiguration -ovf $ovflocation 40 | $ovf.common.nsx_passwd_0.value = "$password" 41 | $ovf.common.nsx_cli_passwd_0.value = "$password" 42 | $ovf.common.nsx_cli_username.value = "$cliuser" 43 | $ovf.common.nsx_cli_audit_username.value = "$audituser" 44 | $ovf.common.nsx_cli_audit_passwd_0.value = "$auditpass" 45 | #$ovf.common.extraPara.value = "" 46 | $ovf.common.nsx_hostname.value = "$hn" 47 | $ovf.common.nsx_gateway_0.value = "$gw" 48 | $ovf.common.nsx_ip_0.value = "$ip" 49 | $ovf.common.nsx_netmask_0.value = "$sn" 50 | $ovf.common.nsx_dns1_0.value = "$dns" 51 | $ovf.common.nsx_domain_0.value = "$dm" 52 | $ovf.common.nsx_ntp_0.value = "$ntp" 53 | $ovf.common.nsx_isSSHEnabled.value = "True" 54 | $ovf.common.nsx_allowSSHRootLogin.value = "True" 55 | $ovf.NetworkMapping.Network_1.Value = "$($nw.name)" 56 | $ovf.IpAssignment.IpProtocol.value = "IPv4" 57 | 58 | Import-vApp -Source $OvfLocation -OvfConfiguration $ovf -Name $hn -Location $cl -VMHost $vh -Datastore $ds -DiskStorageFormat $Df | out-null -------------------------------------------------------------------------------- /NSX-T-Bits/nsxt-supporting-bits.ps1: 
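--------------------------------------------------------------------------------
## nsxt-supporting-bits: deploys one Log Insight node and one Identity Manager
## appliance from OVA into the same cluster/datastore, then powers both on.
## Expects an existing PowerCLI session; this script does not call Connect-VIServer.
$LiFileName = "VMware-vRealize-Log-Insight-4.5.0-5654101.ova"
#Connection details
# NOTE(review): these vSphere credentials are hardcoded lab defaults and are not
# referenced anywhere in this script. Keep secrets out of source (Get-Credential
# or a credential store) before reusing this outside a throwaway lab.
$VIUserName = "administrator@vsphere.local"
$VIPassword = "VMware1!"

#OVF temp directory
$LiOvfLocation = "\\10.35.253.138\data01\Build\VMware\vRealize\Log Insight\$LiFileName"
#Common configuration
$NodeNetmask = "255.255.255.0"
$LiGateway = "192.168.110.1"
$LiDNSServer = "192.168.110.10"
$DomainName = "corp.local"
$RootPw = "VMware1!"   # appliance root password; hardcoded lab default, see note above
$ManagementNetwork = "VM Network"
$LiNodeSize = "xsmall"
#Node specific configuration
#Node1
$LiNode1HostName = "vrli-01a"
$LiNode1IpAddress = "192.168.110.198"

# vSphere
$clname = "Management & Edge Cluster"
$dsname = "MgmtData"
#OVA
$DiskFormat = "thin"

#storage of OVA
# NOTE(review): unused here as well; same hardcoded-secret concern as above.
$storageuser = "cloud\nasguest"
$storagepass = "P@ssw0rd"

$controlcenter = "ControlCenter"

$ds = get-datastore $dsname
$cl = get-cluster $clname
# Deploy onto the cluster host with the lowest memory usage
$VMHost = $cl | Get-VMHost | Sort MemoryUsageGB | Select -first 1
$nw = $VmHost | Get-VirtualPortGroup -name $ManagementNetwork

##Log Insight
Write-Host -ForegroundColor Green "Deploying Log Insight node $LiNode1HostName"
$ovfconfiguration = Get-OvfConfiguration -ovf $LiOvfLocation
$ovfconfiguration.deploymentOption.value = $LiNodeSize
$ovfconfiguration.ipAssignment.ipProtocol.value = "IPv4"
$ovfconfiguration.NetworkMapping.Network_1.value = $nw.name
$ovfconfiguration.vami.VMware_vCenter_Log_Insight.hostname.value = $LiNode1HostName
$ovfconfiguration.vami.VMware_vCenter_Log_Insight.ip0.value = $LiNode1IpAddress
# was $LiNodeNetmask, which is never defined (the netmask would have been deployed empty)
$ovfconfiguration.vami.VMware_vCenter_Log_Insight.netmask0.value = $NodeNetmask
$ovfconfiguration.vami.VMware_vCenter_Log_Insight.gateway.value = $LiGateway
$ovfconfiguration.vami.VMware_vCenter_Log_Insight.DNS.value = $LiDNSServer
$ovfconfiguration.vami.VMware_vCenter_Log_Insight.searchpath.value = $DomainName
$ovfconfiguration.vami.VMware_vCenter_Log_Insight.domain.value = $DomainName
$ovfconfiguration.vm.rootpw.value = $RootPw

Import-vApp -Source $LiOvfLocation -OvfConfiguration $ovfconfiguration -Name $LiNode1HostName -Location $cl -VMHost $VMHost -Datastore $ds -DiskStorageFormat $DiskFormat | out-null


##VIDM
$vidmfilename = "identity-manager-3.0.0.0-6651498.ova"
$vidmovflocation = "\\10.35.253.138\data01\Build\VMware\Identity Manager\$vidmfilename"

$vidmhostname = "vidm-01a"
$vamitimezone = "Australia/Sydney"
$vidmIpAddress = "192.168.110.199"
$vidmgateway = "192.168.110.1"

Write-Host -ForegroundColor Green "Deploying Identity Manager node $vidmhostname"
$ovfconfiguration = Get-OvfConfiguration -ovf $vidmovflocation

$ovfconfiguration.Common.vami.hostname.value = $vidmhostname
$ovfconfiguration.Common.vamitimezone.value = $vamitimezone
$ovfconfiguration.ipAssignment.ipProtocol.value = "IPv4"
$ovfconfiguration.NetworkMapping.Network_1.value = $nw.name

$ovfconfiguration.vami.IdentityManager.ip0.value = $vidmIpAddress
$ovfconfiguration.vami.IdentityManager.netmask0.value = $NodeNetmask
# was $vidmdns, which is never defined; reuse the common DNS server
$ovfconfiguration.vami.IdentityManager.DNS.value = $LiDNSServer
$ovfconfiguration.vami.IdentityManager.searchpath.value = $DomainName
$ovfconfiguration.vami.IdentityManager.domain.value = $DomainName
$ovfconfiguration.vami.IdentityManager.gateway.value = $vidmgateway

# was -Source $LiOvfLocation: that imported the Log Insight OVA a second time under
# the VIDM name, with an OVF configuration that does not belong to it
Import-vApp -Source $vidmovflocation -OvfConfiguration $ovfconfiguration -Name $vidmhostname -Location $cl -VMHost $VMHost -Datastore $ds -DiskStorageFormat $DiskFormat | out-null

# Start VMs
Get-Vm $vidmhostname | Start-Vm
Get-Vm $LiNode1HostName | Start-VM

--------------------------------------------------------------------------------
/NSX-T/firewallrule-loop.ps1: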
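--------------------------------------------------------------------------------
# firewallrule-loop: lists every NSX-T distributed firewall section and prints the
# rules in each one, plus the services those rules reference.
# Requires PowerShell 6+ (Invoke-RestMethod -SkipCertificateCheck / -Authentication).
$cred = Get-Credential -user admin
# Manager to query. Set $server in the session before running, or change the
# default here. The original left this line commented out, so every request was
# sent to "https:///api/..." and failed.
if (-not $server) { $server = "nsxmgr-01a.corp.local" }
$port = "443"
$timeout = 10
$method = "get"

# NOTE(review): -SkipCertificateCheck disables TLS verification, so the manager is
# not authenticated and the Basic credentials are exposed to on-path interception.
# Tolerable only against a lab manager with a self-signed certificate; remove it
# (or trust the manager's CA) anywhere else.
$skipCertCheck = $true

# Let the cmdlet build the Basic header from the credential object instead of
# hand-encoding it; the plaintext password never lands in a script variable.
$common = @{
    Method               = $method
    Credential           = $cred
    Authentication       = "Basic"
    TimeoutSec           = $timeout
    ContentType          = "application/json"
    SkipCertificateCheck = $skipCertCheck
}

$baseUri = "https://$($server):$($port)/api/v1/firewall/sections"
$result = Invoke-RestMethod @common -Uri $baseUri

write-host -foregroundcolor green "$($result.result_count) firewall sections found"

foreach ($item in $result.results.id) {
    $ruleURI = "$baseUri/$($item)/rules"
    $rules = Invoke-RestMethod @common -Uri $ruleURI
    $resultnum = $rules.result_count
    # every rule in a section carries the same section_id; print it once
    $resultsection = $rules.results.section_id | Select-Object -Unique

    write-host -foregroundcolor green "$resultnum rule(s) found in $resultsection "

    # Print the rules; when any of them references services, list those too
    $rules.results
    if ($rules.results.services) {
        write-host -foregroundcolor green "This rule uses the following services"
        $rules.results.services.service
    }
}
--------------------------------------------------------------------------------
/NSX-T/nsx_role_ids.txt:
--------------------------------------------------------------------------------
Extension.Register
Extension.Update
Extension.Unregister
Sessions.TerminateSession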
5 | Sessions.ValidateSession 6 | Sessions.GlobalMessage 7 | Sessions.ImpersonateUser 8 | Host.Local.CreateVM 9 | Host.Local.ReconfigVM 10 | Host.Local.DeleteVM 11 | Host.Config.Maintenance 12 | Task.Create 13 | Task.Update 14 | ScheduledTask.Create 15 | ScheduledTask.Delete 16 | ScheduledTask.Run 17 | ScheduledTask.Edit 18 | Global.CancelTask 19 | Authorization.ReassignRolePermissions 20 | Resource.AssignVMToPool 21 | Resource.AssignVAppToPool 22 | Network.Assign 23 | VirtualMachine.GuestOperations.Query 24 | VirtualMachine.GuestOperations.Modify 25 | VirtualMachine.GuestOperations.Execute 26 | VirtualMachine.GuestOperations.QueryAliases 27 | VirtualMachine.GuestOperations.ModifyAliases 28 | VirtualMachine.Config.Rename 29 | VirtualMachine.Config.Annotation 30 | VirtualMachine.Config.AddExistingDisk 31 | VirtualMachine.Config.AddNewDisk 32 | VirtualMachine.Config.RemoveDisk 33 | VirtualMachine.Config.RawDevice 34 | VirtualMachine.Config.HostUSBDevice 35 | VirtualMachine.Config.CPUCount 36 | VirtualMachine.Config.Memory 37 | VirtualMachine.Config.AddRemoveDevice 38 | VirtualMachine.Config.EditDevice 39 | VirtualMachine.Config.Settings 40 | VirtualMachine.Config.Resource 41 | VirtualMachine.Config.UpgradeVirtualHardware 42 | VirtualMachine.Config.ResetGuestInfo 43 | VirtualMachine.Config.ToggleForkParent 44 | VirtualMachine.Config.AdvancedConfig 45 | VirtualMachine.Config.DiskLease 46 | VirtualMachine.Config.SwapPlacement 47 | VirtualMachine.Config.DiskExtend 48 | VirtualMachine.Config.ChangeTracking 49 | VirtualMachine.Config.QueryUnownedFiles 50 | VirtualMachine.Config.ReloadFromPath 51 | VirtualMachine.Config.QueryFTCompatibility 52 | VirtualMachine.Config.MksControl 53 | VirtualMachine.Config.ManagedBy 54 | VirtualMachine.Provisioning.Customize 55 | VirtualMachine.Provisioning.Clone 56 | VirtualMachine.Provisioning.PromoteDisks 57 | VirtualMachine.Provisioning.CreateTemplateFromVM 58 | VirtualMachine.Provisioning.DeployTemplate 59 | 
VirtualMachine.Provisioning.CloneTemplate 60 | VirtualMachine.Provisioning.MarkAsTemplate 61 | VirtualMachine.Provisioning.MarkAsVM 62 | VirtualMachine.Provisioning.ReadCustSpecs 63 | VirtualMachine.Provisioning.ModifyCustSpecs 64 | VirtualMachine.Provisioning.DiskRandomAccess 65 | VirtualMachine.Provisioning.DiskRandomRead 66 | VirtualMachine.Provisioning.FileRandomAccess 67 | VirtualMachine.Provisioning.GetVmFiles 68 | VirtualMachine.Provisioning.PutVmFiles 69 | VirtualMachine.Inventory.Create 70 | VirtualMachine.Inventory.CreateFromExisting 71 | VirtualMachine.Inventory.Register 72 | VirtualMachine.Inventory.Delete 73 | VirtualMachine.Inventory.Unregister 74 | VirtualMachine.Inventory.Move 75 | VApp.ResourceConfig 76 | VApp.InstanceConfig 77 | VApp.ApplicationConfig 78 | VApp.ManagedByConfig 79 | VApp.Export 80 | VApp.Import 81 | VApp.ExtractOvfEnvironment 82 | VApp.AssignVM 83 | VApp.AssignResourcePool 84 | VApp.AssignVApp 85 | VApp.Clone 86 | VApp.Create 87 | VApp.Delete 88 | VApp.Unregister 89 | VApp.Move 90 | VApp.PowerOn 91 | VApp.PowerOff 92 | VApp.Suspend 93 | VApp.Rename -------------------------------------------------------------------------------- /NSX-T/nsxuser_create.ps1: -------------------------------------------------------------------------------- 1 | # Parameter help description 2 | [string]$domain = "vsphere.local" 3 | [string]$nsxtuser = "svc_nsx" 4 | [string]$vcentername = "vc-01a.corp.local" 5 | 6 | 7 | # NSX_T user 8 | $nsxt_user = "$domain\$nsxtuser" 9 | 10 | # NSX_T permissions 11 | $nsxt_role = "nsxt_permissions" 12 | 13 | #Roles for NSX-T 2.3+ 14 | $nsxt_privileges = @( 15 | 'Extension.Register', 16 | 'Extension.Update', 17 | 'Extension.Unregister', 18 | 'Sessions.TerminateSession', 19 | 'Sessions.ValidateSession', 20 | 'Sessions.GlobalMessage', 21 | 'Sessions.ImpersonateUser', 22 | 'Host.Local.CreateVM', 23 | 'Host.Local.ReconfigVM', 24 | 'Host.Local.DeleteVM', 25 | 'Host.Config.Maintenance', 26 | 'Task.Create', 27 | 'Task.Update', 28 
| 'ScheduledTask.Create', 29 | 'ScheduledTask.Delete', 30 | 'ScheduledTask.Run', 31 | 'ScheduledTask.Edit', 32 | 'Global.CancelTask', 33 | 'Authorization.ReassignRolePermissions', 34 | 'Resource.AssignVMToPool', 35 | 'Resource.AssignVAppToPool', 36 | 'Network.Assign', 37 | 'VirtualMachine.GuestOperations.Query', 38 | 'VirtualMachine.GuestOperations.Modify', 39 | 'VirtualMachine.GuestOperations.Execute', 40 | 'VirtualMachine.GuestOperations.QueryAliases', 41 | 'VirtualMachine.GuestOperations.ModifyAliases', 42 | 'VirtualMachine.Config.Rename', 43 | 'VirtualMachine.Config.Annotation', 44 | 'VirtualMachine.Config.AddExistingDisk', 45 | 'VirtualMachine.Config.AddNewDisk', 46 | 'VirtualMachine.Config.RemoveDisk', 47 | 'VirtualMachine.Config.RawDevice', 48 | 'VirtualMachine.Config.HostUSBDevice', 49 | 'VirtualMachine.Config.CPUCount', 50 | 'VirtualMachine.Config.Memory', 51 | 'VirtualMachine.Config.AddRemoveDevice', 52 | 'VirtualMachine.Config.EditDevice', 53 | 'VirtualMachine.Config.Settings', 54 | 'VirtualMachine.Config.Resource', 55 | 'VirtualMachine.Config.UpgradeVirtualHardware', 56 | 'VirtualMachine.Config.ResetGuestInfo', 57 | 'VirtualMachine.Config.ToggleForkParent', 58 | 'VirtualMachine.Config.AdvancedConfig', 59 | 'VirtualMachine.Config.DiskLease', 60 | 'VirtualMachine.Config.SwapPlacement', 61 | 'VirtualMachine.Config.DiskExtend', 62 | 'VirtualMachine.Config.ChangeTracking', 63 | 'VirtualMachine.Config.QueryUnownedFiles', 64 | 'VirtualMachine.Config.ReloadFromPath', 65 | 'VirtualMachine.Config.QueryFTCompatibility', 66 | 'VirtualMachine.Config.MksControl', 67 | 'VirtualMachine.Config.ManagedBy', 68 | 'VirtualMachine.Provisioning.Customize', 69 | 'VirtualMachine.Provisioning.Clone', 70 | 'VirtualMachine.Provisioning.PromoteDisks', 71 | 'VirtualMachine.Provisioning.CreateTemplateFromVM', 72 | 'VirtualMachine.Provisioning.DeployTemplate', 73 | 'VirtualMachine.Provisioning.CloneTemplate', 74 | 'VirtualMachine.Provisioning.MarkAsTemplate', 75 | 
'VirtualMachine.Provisioning.MarkAsVM', 76 | 'VirtualMachine.Provisioning.ReadCustSpecs', 77 | 'VirtualMachine.Provisioning.ModifyCustSpecs', 78 | 'VirtualMachine.Provisioning.DiskRandomAccess', 79 | 'VirtualMachine.Provisioning.DiskRandomRead', 80 | 'VirtualMachine.Provisioning.FileRandomAccess', 81 | 'VirtualMachine.Provisioning.GetVmFiles', 82 | 'VirtualMachine.Provisioning.PutVmFiles', 83 | 'VirtualMachine.Inventory.Create', 84 | 'VirtualMachine.Inventory.CreateFromExisting', 85 | 'VirtualMachine.Inventory.Register', 86 | 'VirtualMachine.Inventory.Delete', 87 | 'VirtualMachine.Inventory.Unregister', 88 | 'VirtualMachine.Inventory.Move', 89 | 'VApp.ResourceConfig', 90 | 'VApp.InstanceConfig', 91 | 'VApp.ApplicationConfig', 92 | 'VApp.ManagedByConfig', 93 | 'VApp.Export', 94 | 'VApp.Import', 95 | 'VApp.ExtractOvfEnvironment', 96 | 'VApp.AssignVM', 97 | 'VApp.AssignResourcePool', 98 | 'VApp.AssignVApp', 99 | 'VApp.Clone', 100 | 'VApp.Create', 101 | 'VApp.Delete', 102 | 'VApp.Unregister', 103 | 'VApp.Move', 104 | 'VApp.PowerOn', 105 | 'VApp.PowerOff', 106 | 'VApp.Suspend', 107 | 'VApp.Rename' 108 | ) 109 | 110 | 111 | # PRE CHECK 112 | # VCSA has no APIS for SSO features in VCSA. Therefore an account must be manually made otherwise it does not work. I will do a check and throw before doing this to ensure user has gone and made a manual user. Ugh! 113 | # If AD is already setup this will work, I believe. 114 | 115 | $existingaccounts = get-viaccount -Domain $domain 116 | $existing = $existingaccounts | ? {$_.name -eq $nsxt_user} 117 | 118 | if (!$existing){ 119 | write-host -ForegroundColor Red "There is no account $nsxt_user created. Please create one manually and harass VMware for a new cmdlet and APIs!" 120 | 121 | write-host -ForegroundColor Red "To create a local vCenter user: 122 | `n 1. Menu -> Administration 123 | `n 2. Single Sign On -> Users and Groups 124 | `n 3. Domain = vSphere.local 125 | `n 4. Add Users and match $nsxtuser 126 | `n 5. 
Rerun the script " 127 | 128 | } 129 | else { 130 | 131 | $rootFolder = Get-Folder -NoRecursion 132 | 133 | #validate if role already exists through previous install. 134 | $existingrole = get-virole -name $nsxt_role -ErrorAction silentlycontinue 135 | 136 | if ($existingrole){ 137 | $guid = (new-guid).Guid.substring(0,6) 138 | write-host -ForegroundColor Green "Found existing role named $nsxt_role. Creating a new role $nsxt_role-$guid and assigning to $nsxt_user" 139 | New-VIRole -Name "$nsxt_role-$guid" -Privilege (Get-VIPrivilege -id $nsxt_privileges) | out-null 140 | 141 | New-VIPermission -Entity $rootFolder -Principal $nsxt_user -Role $nsxt_role -Propagate:$true | Out-Null 142 | } 143 | else { 144 | write-host -ForegroundColor Green "Creating role $nsxt_role - Assigning to $nsxt_user" 145 | New-VIRole -Name $nsxt_role -Privilege (Get-VIPrivilege -id $nsxt_privileges) | out-null 146 | 147 | New-VIPermission -Entity $rootFolder -Principal $nsxt_user -Role $nsxt_role -Propagate:$true | Out-Null 148 | } 149 | 150 | } 151 | 152 | -------------------------------------------------------------------------------- /PowerLogInsight/PowerLI.ps1: -------------------------------------------------------------------------------- 1 | # PowerLogInsight 2 | # a: Anthony Burke 3 | # b: networkinferno.net 4 | # GLOBAL DEFINITION - Only once 5 | if ( -not ("TrustAllCertsPolicy" -as [type])) { 6 | 7 | add-type @" 8 | using System.Net; 9 | using System.Security.Cryptography.X509Certificates; 10 | public class TrustAllCertsPolicy : ICertificatePolicy { 11 | public bool CheckValidationResult( 12 | ServicePoint srvPoint, X509Certificate certificate, 13 | WebRequest request, int certificateProblem) { 14 | return true; 15 | } 16 | } 17 | "@ 18 | 19 | } 20 | function New-LogInsightDefaultUser { 21 | 22 | <# 23 | .SYNOPSIS 24 | Connects to Log Insight to create a new user on initial bootstrap. 
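.DESCRIPTION
The New-LogInsightDefaultUser is a one time call to create the default user on deployment. This is accessed one time only across an unauthenticated API call. Successful execution of this cmdlet results in the denial of subsequent Default User calls.

The bootstrap endpoint is plain HTTP on port 9000, so the new password crosses
the network unencrypted; run this from a host on the appliance's management
network rather than across untrusted links.

.PARAMETER userName
Name of the initial administrative user to create.
.PARAMETER Password
Password for that user (plain string; it is sent in the JSON body).
.PARAMETER Email
Accepted but not sent to the appliance by this version of the cmdlet.
.PARAMETER Server
Hostname or IP of the freshly deployed Log Insight appliance.

.EXAMPLE
This example shows how to create a new default user

PS C:\> New-LogInsightDefaultUser -Server 192.168.100.97 -userName Admin -Password VMware1!
#>
param (
[Parameter (Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[string]$userName,
[Parameter (Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[string]$Password,
[Parameter (Mandatory=$false)]
[ValidateNotNullOrEmpty()]
[string]$Email,
[Parameter (Mandatory=$True)]
[ValidateNotNullorEmpty()]
[string]$Server
)

$Port = 9000
$URI = "http://$($server):$($port)/api/v1/deployment/new"
$Body=[pscustomobject]@{
"user" = [pscustomobject]@{
"userName" = $userName;
"password" = $Password
}
}

$JsonBody = $Body | ConvertTo-Json
$NewUser = Invoke-RestMethod -method "POST" -URI $URI -body $JsonBody -ContentType "application/json"
$NewUser
}


function Connect-LogInsightServer {

<#
.SYNOPSIS
Creates a connection to a given Log Insight server.
.DESCRIPTION
The Connect-LogInsightServer command creates a session based on username to the Log Insight cluster.
The connection object is stored in the global $DefaultLogInsightConnection (unless
-DefaultLogInsightConnection:$false is given) and the session's bearer token is stored
in the global $Header that the other cmdlets send with each request.

.PARAMETER ValidateCertificate
When $false (the default) server certificate validation is disabled for the rest of
the process. Pass $true to keep normal certificate validation.

.EXAMPLE
PS C:\> Connect-LogInsightServer -server 192.168.100.97 -username admin -password VMware1!
#>

param (
[Parameter (Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[string]$Server,
[Parameter (Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[string]$Username,
[Parameter (Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[string]$Password,
[Parameter (Mandatory=$false)]
[ValidateNotNullOrEmpty()]
[bool]$ValidateCertificate=$false,
[Parameter (Mandatory=$false)]
[ValidateNotNullorEmpty()]
[switch]$DefaultLogInsightConnection=$true
)
# Only disable certificate validation when the caller asked for it. The original
# installed TrustAllCertsPolicy unconditionally, so -ValidateCertificate $true was
# silently ignored. The policy is process-wide and persists after this call returns.
if (-not $ValidateCertificate) {
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
}

$body=[pscustomobject]@{
"provider" = "Local";
"username" = $username;
"password" = $password
}

$Port = "443"
$Method = "POST"
$Uri = "https://$($server):$($port)/api/v1/sessions"
$Session = Invoke-RestMethod -method $method -uri $uri -body (ConvertTo-Json $body) -ContentType "application/json"

$Connection=[pscustomobject]@{
"Server" = $Server;
"Session" = $Session.sessionId;
"Port" = $Port;
"Protocol" = "https"
}
if ($DefaultLogInsightConnection){
set-variable -name DefaultLogInsightConnection -value $connection -scope Global
}
# Bearer token reused by every other cmdlet; Disconnect-LogInsightServer should clear it.
$Authkey = $Session.sessionId
$Global:Header= @{ "Authorization" = "Bearer "+ "$authkey" }
$Connection
}


function Disconnect-LogInsightServer {

<#
.SYNOPSIS
Destroys the $DefaultLogInsightConnection global variable if it exists.

.DESCRIPTION
REST is not connection oriented, so there really isn't a connect/disconnect
concept. Disconnect-LogInsightServer merely removes the $DefaultLogInsightConnection
variable that the PowerLogInsight cmdlets default to using.

.EXAMPLE
PS C:\> Disconnect-LogInsightServer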
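
#>
# -ErrorAction SilentlyContinue: Get-Variable writes an error when the variable
# does not exist, so a repeated disconnect was noisy in the original.
if (Get-Variable -Name DefaultLogInsightConnection -scope global -ErrorAction SilentlyContinue) {
Remove-Variable -name DefaultLogInsightConnection -scope global
}
# Also drop the bearer-token header that Connect-LogInsightServer stored, so the
# session credential does not outlive the connection object.
if (Get-Variable -Name Header -scope global -ErrorAction SilentlyContinue) {
Remove-Variable -name Header -scope global
}
}




#export-ModuleMember function Connect-LiServer

function invoke-LogInsightRestMethod{

<#
.SYNOPSIS
The invoke-LogInsightRestMethod uses the default connection to manipulate the Log Insight API
.DESCRIPTION
Builds the request URL from the global $DefaultLogInsightConnection (protocol,
server, port) and the relative URI given, sends the optional body as JSON and
returns the parsed response. The response is also stored in the global
$LogInsightMethod.

.PARAMETER Method
HTTP verb: GET, PUT, POST, PATCH or DELETE.
.PARAMETER Body
Object to serialise as the JSON request body; omit it for GET/DELETE.
.PARAMETER Headers
Headers to send. Defaults to the global $Header (the bearer token stored by
Connect-LogInsightServer) when not given.
.PARAMETER Uri
URI relative to the connection root, e.g. "api/v1/version".

.EXAMPLE
PS C:\> invoke-LogInsightRestMethod -body $body -method $method -uri $uri
#>

param(
[Parameter (Mandatory=$True)]
[ValidateSet("GET","PUT","POST","PATCH","DELETE")]
[string]$Method,
[Parameter (Mandatory=$False)]
[ValidateNotNullOrEmpty()]
[PsCustomObject]$Body,
[Parameter (Mandatory=$False)]
[ValidateNotNullOrEmpty()]
[System.Collections.Hashtable]$Headers,
[Parameter (Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[string]$Uri
)

if (-not $DefaultLogInsightConnection) {
    throw "No Log Insight connection. Run Connect-LogInsightServer first."
}

# Construct the right URI
$ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$URI"

# The original passed -Headers $Header (the global) and never used the $Headers
# parameter; honour the parameter and fall back to the global.
$RequestHeaders = if ($Headers) { $Headers } else { $Global:Header }
$BodyString = $Body | ConvertTo-Json

$Global:LogInsightMethod = Invoke-RestMethod -method $Method -URI $ActiveURI -body $BodyString -Headers $RequestHeaders -ContentType "application/json"

$LogInsightMethod
}

function Get-LogInsightVersion {

<#
.SYNOPSIS
Checks the version of VMware Log Insight
.DESCRIPTION
This function will check the version of VMware Log Insight.
The API was introduced in version 3.0.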
193 | 194 | .EXAMPLE 195 | PS C:\> Get-LogInsightVersion 196 | #> 197 | 198 | $Uri = "api/v1/version" 199 | $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri" 200 | $Version = Invoke-RestMethod -method GET -URI $ActiveURI -Headers $Header -ContentType "application/json" 201 | 202 | $Version 203 | 204 | } 205 | 206 | #function Get-LogInsightIlb{ 207 | # 208 | # <# 209 | # .SYNOPSIS 210 | # This will retrieve the if the Log Insight Integrated Load Balancer (ILB) is configured. 211 | # .DESCRIPTION 212 | # This function will check the version of VMware Log Insight. 213 | # The ILB was introduced in Log Insight 3.0 and higher. Log Insight can have numerous ILB's configured. This Virtual IP address allows a single IP address (and assocaited FQDN) represent a cluster. This ensures consistent log ingestion if a cluster node goes down. 214 | # 215 | # .EXAMPLE 216 | # PS C:\> Get-LogInsightIlb 217 | # #> 218 | # 219 | # $Uri = "api/v1/ilb" 220 | # $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri" 221 | # 222 | # $Ilb = Invoke-RestMethod -method GET -URI $ActiveURI -Headers $Header -ContentType "application/json" 223 | # 224 | # $Ilb 225 | #} 226 | # 227 | # 228 | #function Get-LogInsightIlbStatus{ 229 | # 230 | # <# 231 | # .SYNOPSIS 232 | # Checks the version of VMware Log Insight 233 | # .DESCRIPTION 234 | # This function will check the version of VMware Log Insight. 235 | # The API was introduced in version 3.0. 
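#
#    .EXAMPLE
#    PS C:\> Get-LogInsightIlbStatus
#    #>
#
#    $Uri = "api/v1/ilb/status"
#    $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri"
#
#    $IlbStatus = Invoke-RestMethod -method GET -URI $ActiveURI -Headers $Header -ContentType "application/json"
#
#    $IlbStatus
#}

#####
#####
#####
#####

##### TEST THESE FUNCTIONS

#####
#####
#####
function Get-LogInsightLicense {

    <#
    .SYNOPSIS
    Checks the licence of VMware Log Insight
    .DESCRIPTION
    GETs api/v1/licenses over the default connection and returns a summary object with the
    installed licenses, the overall license state and the CPU/OSI entitlement flags.
    The API was introduced in version 3.0.

    .EXAMPLE
    PS C:\> Get-LogInsightLicense
    #>

    $Uri = "api/v1/licenses"
    $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri"

    $Response = Invoke-RestMethod -method GET -URI $ActiveURI -Headers $Header -ContentType "application/json"

    [pscustomobject]@{
        "License"       = $Response.licenses;
        "License State" = $Response.licenseState;
        "CPU units"     = $Response.hasCpu;
        "OSI units"     = $Response.hasOsi
    }
}

function Set-LogInsightLicense {

    <#
    .SYNOPSIS
    Sets the license of VMware Log Insight
    .DESCRIPTION
    POSTs the key to api/v1/licenses over the default connection, then returns the license
    summary read back with Get-LogInsightLicense so the caller sees what the server accepted.
    Earlier versions additionally emitted a second object built from the -License *string*
    (every property null); that output is gone.
    The API was introduced in version 3.0.

    .EXAMPLE
    PS C:\> Set-LogInsightLicense -License XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
    #>
    param (
        [Parameter (Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$License
    )

    $Uri = "api/v1/licenses"
    $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri"

    $KeyBody = [pscustomobject]@{
        "key" = "$License"
    }

    $JsonBody = $KeyBody | ConvertTo-Json
    # The response of the POST is not interesting; the state is read back below.
    $null = Invoke-RestMethod -method POST -URI $ActiveURI -Body $JsonBody -Headers $Header -ContentType "application/json"

    Get-LogInsightLicense
}

function Get-LogInsightvSphereIntegration {

    <#
    .SYNOPSIS
    Returns the vSphere (vCenter) integrations configured on VMware Log Insight
    .DESCRIPTION
    GETs api/v1/vsphere over the default connection and returns the raw response.
    The API was introduced in version 3.0.

    .EXAMPLE
    PS C:\> Get-LogInsightvSphereIntegration
    #>

    $Uri = "api/v1/vsphere"
    $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri"

    # A GET carries no body. The previous version passed an undefined $JsonBody, which would
    # have been appended as a query string whenever a variable of that name existed in the caller.
    Invoke-RestMethod -method GET -URI $ActiveURI -Headers $Header -ContentType "application/json"
}


function Set-LogInsightvSphereIntegration {

    <#
    .SYNOPSIS
    Registers a vCenter Server with VMware Log Insight
    .DESCRIPTION
    POSTs hostname, user name and password to api/v1/vsphere with vSphere event collection
    enabled, then returns Get-LogInsightvSphereIntegration so the caller can confirm the
    registration. The vCenter password is transmitted in the JSON body and stored by
    Log Insight: use a dedicated, least-privilege vCenter account for this integration
    rather than an administrator, and connect over HTTPS with a validated certificate.
    The API was introduced in version 3.0.

    .EXAMPLE
    PS C:\> Set-LogInsightvSphereIntegration -HostName vc-01a.corp.local -UserName loginsight@vsphere.local -Password ********
    #>
    param (
        [Parameter (Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$HostName,
        [Parameter (Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$UserName,
        [Parameter (Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$Password
    )

    $RegistrationBody = [pscustomobject]@{
        "hostname" = $HostName;
        "username" = $UserName;
        "password" = $Password;
        # Sent as the string "true", exactly as before - TODO confirm the API does not want a JSON boolean.
        "vsphereEventsEnabled" = "true"
    }

    $JsonBody = $RegistrationBody | ConvertTo-Json
    $Uri = "api/v1/vsphere"
    $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri"

    # $JsonBody contains the vCenter password: never Write-Host/Write-Verbose it.
    $null = Invoke-RestMethod -method POST -URI $ActiveURI -Body $JsonBody -Headers $Header -ContentType "application/json"

    # Earlier versions ended with an undefined $Configured; only the read-back is returned now.
    Get-LogInsightvSphereIntegration
}

#function Get-LogInsightClusterNode {
#    <#
#    .SYNOPSIS
#    Returns any configured Clusters in VMware Log Insight
#    .DESCRIPTION
#    This will check and return any configured Log Insight Clusters.
#
#    .EXAMPLE
#    PS C:\> Get-LogInsightCluster
#    #>
#
#    $Uri = "api/v1/cluster/nodes"
#    $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri"
#
#    $Cluster = Invoke-restMethod -method GET -URI $ActiveURI -Headers $Header -ContentType "application/json"
#
#    #Prints contents of IRM stored in $Cluster
#    $Cluster=[pscustomobject]@{
#        "Node hostname" = $Cluster.hostname;
#        "Status" = $Cluster.licenseState;
#        "Uptime" = $Cluster.uptime;
#        "fullversion" = $Cluster.fullversion;
#        "Upgrading?"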
= $Cluster.upgradeInProgress 424 | # } 425 | # $Cluster 426 | #} 427 | 428 | #function Set-LogInsightClusterNodeRegistration{ 429 | # 430 | # <# 431 | # .SYNOPSIS 432 | # Register a node member in VMware Log Insight cluster 433 | # .DESCRIPTION 434 | # This will check and return any configured Log Insight Clusters. 435 | # 436 | # .EXAMPLE 437 | # PS C:\> Get-LogInsightCluster 438 | # #> 439 | # 440 | # param( 441 | # [Parameter (Mandatory=$True)] 442 | # [ValidateNotNullOrEmpty()] 443 | # [string]$workerAddress, 444 | # [Parameter (Mandatory=$False)] 445 | # [ValidateNotNullOrEmpty()] 446 | # [PsCustomObject]$workerPort="16520" 447 | # 448 | # ) 449 | # 450 | # $body=[pscustomobject]@{ 451 | # "workerAddress" = $workerAddress; 452 | # "workerPort" = $workerPort 453 | # 454 | # } 455 | # 456 | # $JsonBody = $body | ConvertTo-Json 457 | # $Uri = "api/v1/cluster/workers" 458 | # $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri" 459 | # 460 | #} 461 | 462 | 463 | #function Set-LogInsightClusterNode{ 464 | # 465 | # <# 466 | # .SYNOPSIS 467 | # Performs operations against an invidual cluster node 468 | # .DESCRIPTION 469 | # This will check and return any configured Log Insight Clusters. 
470 | # 471 | # .EXAMPLE 472 | # PS C:\> Get-LogInsightCluster 473 | # #> 474 | # 475 | # param( 476 | # [Parameter (Mandatory=$True)] 477 | # [ValidateSet("Approve","Deny","Upgrade","Pause","Resume")] 478 | # [String]$Action, 479 | # [Parameter (Mandatory=$True)] 480 | # [ValidateScript({ Get-LogInsightClusterNode $_ })] 481 | # [String]$WorkerToken, 482 | # [Parameter (Mandatory=$False)] 483 | # [ValidateNotNullOrEmpty()] 484 | # [string]$workerAddress, 485 | # [Parameter (Mandatory=$False)] 486 | # [ValidateNotNullOrEmpty()] 487 | # [string]$workerPort="16520" 488 | # 489 | # ) 490 | # $body=[pscustomobject]@{ 491 | # "workerAddress" = $workerAddress 492 | # "workerPort" = $workerPort; 493 | # 494 | # } 495 | # 496 | # $JsonBody = $body | ConvertTo-Json 497 | # $Uri = "api/v1/cluster/workers" 498 | # $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri" 499 | # $ClusterNode = Invoke-RestMethod -method PUT -Uri $ActiveURI -body $JsonBody -Headers $Header -ContentType "application/xml" 500 | # $Cluster = Get-LogInsightCluster 501 | # $Cluster 502 | #} 503 | 504 | 505 | 506 | # function Get-LogInsightClusterNode{ 507 | 508 | # .SYNOPSIS 509 | # Sets the license of VMware Log Insight 510 | # .DESCRIPTION 511 | # This function will check the version of VMware Log Insight. 512 | # The API was introduced in version 3.0. 
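# .EXAMPLE
# PS C:\> Get-LogInsightClusterNode

# PS C:\> Get-LogInsightCluster | Get-LogInsightClusterNode -node


# $Uri = "api/v1/cluster/nodes"
# $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri"

# $Node

# }
--------------------------------------------------------------------------------
/PowerLogInsight/PowerLI.psm1:
--------------------------------------------------------------------------------
# PowerLogInsight
# a: Anthony Burke
# b: networkinferno.net
# GLOBAL DEFINITION - Only once
#
# TrustAllCertsPolicy accepts every server certificate. Connect-LogInsightServer installs it
# into ServicePointManager, which is process-wide: every HTTPS call made afterwards from this
# PowerShell session, by any module, stops checking certificates. Keep it to lab use with
# self-signed certificates and pass -ValidateCertificate:$true wherever a trusted cert exists.
if ( -not ("TrustAllCertsPolicy" -as [type])) {

    add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@

}
function New-LogInsightDefaultUser {

    <#
    .SYNOPSIS
    Connects to Log Insight to create a new user on initial bootstrap.
    .DESCRIPTION
    POSTs the user name and password to /api/v1/deployment/new. The endpoint is
    unauthenticated and accepts exactly one call: once a default user exists the appliance
    denies further calls. The call goes over plain HTTP on port 9000, so the new admin
    password crosses the network in clear text - run it only from a network segment you
    trust and consider changing the password over HTTPS afterwards.

    -Email is accepted for compatibility but is not sent; the JSON field the API expects for
    it is not known here (TODO confirm against the Log Insight API reference).

    .EXAMPLE
    This example creates the bootstrap admin user

    PS C:\> New-LogInsightDefaultUser -server 192.168.100.97 -username Admin -password VMware1!
    #>
    param (
        [Parameter (Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$userName,
        [Parameter (Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$Password,
        [Parameter (Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [string]$Email,
        [Parameter (Mandatory=$True)]
        [ValidateNotNullorEmpty()]
        [string]$Server
    )

    $Port = 9000
    $URI = "http://$($Server):$($Port)/api/v1/deployment/new"
    $UserBody = [pscustomobject]@{
        "user" = [pscustomobject]@{
            "userName" = $userName;
            "password" = $Password
        }
    }

    $JsonBody = $UserBody | ConvertTo-Json
    # $JsonBody holds the clear-text password: never echo it to the console or a log.
    $NewUser = Invoke-RestMethod -method "POST" -URI $URI -body $JsonBody -ContentType "application/json"
    $NewUser
}


function Connect-LogInsightServer {

    <#
    .SYNOPSIS
    Creates a connection to a given Log Insight server.
    .DESCRIPTION
    Posts the user name and password to https://<server>:443/api/v1/sessions with the
    "Local" provider and keeps the returned sessionId in two global variables that the
    other cmdlets read: $DefaultLogInsightConnection (server/port/protocol/session) and
    $Header (an "Authorization: Bearer <sessionId>" header).

    -ValidateCertificate defaults to $false. In that case the TrustAllCertsPolicy defined at
    the top of this module is installed into ServicePointManager, which turns off certificate
    checking for every HTTPS call in this PowerShell process from then on, not only for this
    one - the password is then exposed to anyone able to intercept the connection. Pass
    -ValidateCertificate:$true against any server with a trusted certificate. Earlier
    versions ignored the switch and always disabled checking.

    .EXAMPLE
    PS C:\> Connect-LogInsightServer -server 192.168.100.97 -username admin -password VMware1!
    #>

    param (
        [Parameter (Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$Server,
        [Parameter (Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$Username,
        [Parameter (Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$Password,
        [Parameter (Mandatory=$false)]
        [ValidateNotNullOrEmpty()]
        [bool]$ValidateCertificate=$false,
        [Parameter (Mandatory=$false)]
        [ValidateNotNullorEmpty()]
        [switch]$DefaultLogInsightConnection=$true
    )

    # Install the accept-everything policy only when the caller did not ask for validation.
    # This does not undo a policy installed by an earlier call in the same session.
    if (-not $ValidateCertificate) {
        [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
    }

    $LoginBody = [pscustomobject]@{
        "provider" = "Local";
        "username" = $Username;
        "password" = $Password
    }

    $Port = "443"
    $Method = "POST"
    $Uri = "https://$($Server):$($Port)/api/v1/sessions"
    # The login body carries the clear-text password - do not echo it.
    $Session = Invoke-RestMethod -method $Method -uri $Uri -body (ConvertTo-Json $LoginBody) -ContentType "application/json"

    $Connection = [pscustomobject]@{
        "Server"   = $Server;
        "Session"  = $Session.sessionId;
        "Port"     = "443";
        "Protocol" = "https"
    }
    if ($DefaultLogInsightConnection) {
        set-variable -name DefaultLogInsightConnection -value $Connection -scope Global
    }
    # Bearer header reused by every other cmdlet; Disconnect-LogInsightServer removes it.
    $Global:Header = @{ "Authorization" = "Bearer " + "$($Session.sessionId)" }
    $Connection
}


function Disconnect-LogInsightServer {

    <#
    .SYNOPSIS
    Forgets the default Log Insight connection and the bearer token that goes with it.

    .DESCRIPTION
    REST is not connection oriented, so there really isn't a connect/disconnect concept.
    Disconnect-LogInsightServer removes the global $DefaultLogInsightConnection that the
    PowerLogInsight cmdlets default to, and also the global $Header holding the session
    bearer token, so the session can no longer be reused from this PowerShell process.
    It does not invalidate the session on the server side.

    .EXAMPLE
    PS C:\> Disconnect-LogInsightServer

    #>
    # -ErrorAction SilentlyContinue: Get-Variable raises an error for a missing variable,
    # which made a second Disconnect call noisy.
    if (Get-Variable -Name DefaultLogInsightConnection -scope global -ErrorAction SilentlyContinue) {
        Remove-Variable -name DefaultLogInsightConnection -scope global
    }
    if (Get-Variable -Name Header -scope global -ErrorAction SilentlyContinue) {
        Remove-Variable -name Header -scope global
    }
}




#export-ModuleMember function Connect-LiServer

function invoke-LogInsightRestMethod{

    <#
    .SYNOPSIS
    The invoke-LogInsightRestMethod uses the default connection to manipulate the Log Insight API
    .DESCRIPTION
    Builds the full URL from the global DefaultLogInsightConnection (protocol, server and
    port set by Connect-LogInsightServer) and the relative -Uri, serialises -Body to JSON
    when one is given and sends the request. Headers come from -Headers when supplied,
    otherwise from the global $Header holding the session bearer token. The response is
    returned and, as before, also kept in the global $LogInsightMethod.

    .EXAMPLE
    PS C:\> invoke-LogInsightRestMethod -body $body -method $method -uri $uri
    #>

    param(
        [Parameter (Mandatory=$True)]
        [ValidateSet("GET","PUT","POST","PATCH","DELETE")]
        [string]$Method,
        [Parameter (Mandatory=$False)]
        [ValidateNotNullOrEmpty()]
        [PsCustomObject]$Body,
        [Parameter (Mandatory=$False)]
        [ValidateNotNullOrEmpty()]
        [System.Collections.Hashtable]$Headers,
        [Parameter (Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$Uri
    )

    #Construct the right URI
    $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$URI"

    # -Headers used to be declared but never read: the global $Header was always sent.
    if ($Headers) {
        $RequestHeaders = $Headers
    } else {
        $RequestHeaders = $Global:Header
    }

    # Only serialise when a body was given. Piping $null through ConvertTo-Json yields the
    # string "null", which on a GET ended up appended to the URL as a query string.
    if ($PSBoundParameters.ContainsKey('Body')) {
        $BodyString = $Body | ConvertTo-Json
    } else {
        $BodyString = $null
    }

    $Global:LogInsightMethod = Invoke-RestMethod -method $Method -URI $ActiveURI -body $BodyString -Headers $RequestHeaders -ContentType "application/json"

    $LogInsightMethod
}

function Get-LogInsightVersion {

    <#
    .SYNOPSIS
    Checks the version of VMware Log Insight
    .DESCRIPTION
    This function will check the version of VMware Log Insight.
    The API was introduced in version 3.0.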
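.EXAMPLE
PS C:\> Get-LogInsightVersion
#>

    # GET api/v1/version over the default connection, bearer token from the global $Header.
    $VersionUri = "api/v1/version"
    $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$VersionUri"
    Invoke-RestMethod -method GET -URI $ActiveURI -Headers $Header -ContentType "application/json"
}

function Get-LogInsightLicense {

    <#
    .SYNOPSIS
    Checks the licence of VMware Log Insight
    .DESCRIPTION
    GETs api/v1/licenses over the default connection and returns a summary object with the
    installed licenses, the overall license state and the CPU/OSI entitlement flags.
    The API was introduced in version 3.0.

    .EXAMPLE
    PS C:\> Get-LogInsightLicense
    #>

    $Uri = "api/v1/licenses"
    $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri"

    $Response = Invoke-RestMethod -method GET -URI $ActiveURI -Headers $Header -ContentType "application/json"

    [pscustomobject]@{
        "License"       = $Response.licenses;
        "License State" = $Response.licenseState;
        "CPU units"     = $Response.hasCpu;
        "OSI units"     = $Response.hasOsi
    }
}

function Set-LogInsightLicense {

    <#
    .SYNOPSIS
    Sets the license of VMware Log Insight
    .DESCRIPTION
    POSTs the key to api/v1/licenses over the default connection, then returns the license
    summary read back with Get-LogInsightLicense so the caller sees what the server accepted.
    Earlier versions additionally emitted a second object built from the -License *string*
    (every property null); that output is gone.
    The API was introduced in version 3.0.

    .EXAMPLE
    PS C:\> Set-LogInsightLicense -License XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
    #>
    param (
        [Parameter (Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [string]$License
    )

    $Uri = "api/v1/licenses"
    $ActiveURI = "$($DefaultLogInsightConnection.protocol)://$($DefaultLogInsightConnection.server):$($DefaultLogInsightConnection.port)/$Uri"

    $KeyBody = [pscustomobject]@{
        "key" = "$License"
    }

    $JsonBody = $KeyBody | ConvertTo-Json
    # The POST response is not interesting; the state is read back below.
    $null = Invoke-RestMethod -method POST -URI $ActiveURI -Body $JsonBody -Headers $Header -ContentType "application/json"

    Get-LogInsightLicense
}

#
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# NSX-Scripts
A collection of NSX Scripts
--------------------------------------------------------------------------------
/Security Loops/Loop_1.ps1:
--------------------------------------------------------------------------------
## Security Group loop for Groups and Tags ##
## Author: Anthony Burke t:@pandom_ b:networkinferno.net
## version 1.0
## July 2016
# Creating loops to ensure 1:1 SG/Tag mapping. Example to create loops. The ones below are based on the integer range in the brackets; the loop repeats once per value in that range. The current range below is 1..250 and could be thousands. Names are built from the padded loop value but can be any string.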
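New-NsxFirewallSection "Hatred" > $null

# Shared destination ipset covering the whole 10/8 range.
$ips10 = New-NsxIpSet -name "10" -IpAddress "10.0.0.0/8"

# One security tag, one security group (membership = that tag), one ipset and one allow
# rule per loop value. Every rule is named "Incarnate" and lands in the "Hatred" section,
# so the rules are only distinguishable by source/destination.
foreach ($i in 1..250) {
    [string]$suffix = "{0:0000}" -f $i
    $tag   = New-NsxSecurityTag -name SG-TAG-$suffix
    $group = New-NsxSecurityGroup -name SG-GROUP-$suffix -includemember ($tag)
    $ipset = New-NsxIpSet -name IP-$suffix -IpAddress 1.$($i).1.1
    Get-NsxFirewallSection "Hatred" | New-NsxFirewallRule -name "Incarnate" -source $group -destination ($ips10,$ipset) -action "allow" > $null
}
--------------------------------------------------------------------------------
/Security Loops/Loop_2.ps1:
--------------------------------------------------------------------------------
## Security Group loop for Groups and Tags ##
## Author: Anthony Burke t:@pandom_ b:networkinferno.net
## version 1.0
## July 2016
# Creating loops to ensure 1:1 SG/Tag mapping. Example to create loops. The ones below are based on a CSV file. This CSV file has a column titled SECURITYTAG and another titled SECURITYGROUP
#This will create one tag and one group (member = that tag) per CSV row.
foreach ($row in (Import-Csv .\base-example.csv)) {
    $tag   = New-NsxSecurityTag -name $row.SECURITYTAG
    $group = New-NsxSecurityGroup -name $row.SECURITYGROUP -includemember ($tag)
}
--------------------------------------------------------------------------------
/Security Loops/Loop_3.ps1:
--------------------------------------------------------------------------------
## Security Group loop for Groups and Tags ##
## Author: Anthony Burke t:@pandom_ b:networkinferno.net
## version 1.0
## July 2016
# Creating loops to ensure 1:1 SG/Tag mapping. Example to create loops. The ones below are based on a CSV file. This CSV file has a column titled SECURITYTAG, another titled SECURITYGROUP and a third titled VMNAME (the VM that receives the tag).

foreach ($row in (Import-Csv .\base-example.csv)) {
    $tag   = New-NsxSecurityTag -name $row.SECURITYTAG
    $group = New-NsxSecurityGroup -name $row.SECURITYGROUP -includemember ($tag)
    $vm    = Get-Vm -name $row.VMNAME | New-NsxSecurityTagAssignment -ApplyTag $tag
}
--------------------------------------------------------------------------------
/Security Loops/Loop_cleanup.ps1:
--------------------------------------------------------------------------------
#Cleanup from loops
#
# Deletion below is forced and unconfirmed, so the match must be exact. Match only what
# Loop_1 creates (SG-TAG-0001..SG-TAG-0250 / SG-GROUP-0001..SG-GROUP-0250): the previous
# pattern "SG-TAG-0*" is a regex in which "0*" means zero or more zeros, so it also removed
# any tag or group merely containing "SG-TAG-" / "SG-GROUP-". The second line also had a
# stray "H" after -confirm:$false that broke it.
Get-NsxSecurityTag   | ? { $_.name -match '^SG-TAG-\d{4}$' }   | Remove-NsxSecurityTag   -force -confirm:$false
Get-NsxSecurityGroup | ? { $_.name -match '^SG-GROUP-\d{4}$' } | Remove-NsxSecurityGroup -force -confirm:$false
--------------------------------------------------------------------------------
/Slack Chat/SlackChat.ps1:
--------------------------------------------------------------------------------
#Slack Integration
#
# Posts a message through the Slack endpoint held in $Uri, which this file does NOT define:
# set $Uri (e.g. the chat.postMessage endpoint) before calling Set-SlackNotification.
#
#todo: Deal with secure tokens - the token is read from a plain text file and sent as a form
#      field. Keep token.txt out of source control and readable only by the account running
#      this script.

function Set-SlackNotification{
    <#
    .SYNOPSIS
    Connects to Slack instance and posts a message to a given channel
    .DESCRIPTION
    This function, Set-SlackNotification, builds a message that is posted to Slack. This allows notification sent to a Slack channel.

    This can be used as a foundation for chat ops.

    The token comes from -Token, or when omitted from the first line of "$SlackToken\token.txt".
    The request is sent as a POST so the token travels in the body rather than in the URL
    (query strings end up in proxy and server logs). The response is returned and also kept
    in the global $post, as before.

    .EXAMPLE
    This example posts a success message to #General as "Singapore Lab Bot"

    PS C:\> Set-SlackNotification -token $Token -Text 'The script was successful' -Channel General -BotName 'Singapore Lab Bot'
    #>


    Param(
        [Parameter(Mandatory=$false)]
        [ValidateNotNullorEmpty()]
        [String]$Token,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [String]$Text,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [String]$Channel,
        [Parameter(Mandatory=$false)]
        [ValidateNotNullorEmpty()]
        [String]$BotName = 'Singapore Bot',
        [Parameter(Mandatory=$false)]
        [ValidateNotNullorEmpty()]
        [String]$Icon
    )

    # Without -Token the token file is used. Fail with a clear message instead of silently
    # reading "\token.txt" from the root of the current drive when $SlackToken is unset.
    if (!$Token) {
        if (!$SlackToken) {
            throw "Set-SlackNotification: no -Token given and `$SlackToken (folder holding token.txt) is not set."
        }
        $tokenFile = Join-Path -Path $SlackToken -ChildPath "token.txt"
        if (-not (Test-Path -Path $tokenFile)) {
            throw "Set-SlackNotification: token file '$tokenFile' not found."
        }
        $Token = (Get-Content -Path $tokenFile -TotalCount 1).Trim()
    }
    if (!$Uri) {
        throw "Set-SlackNotification: `$Uri (Slack API endpoint) is not set."
    }

    # Form body of the message. It carries the token - never log this hashtable.
    $PostMessage = @{
        token    = "$Token";
        channel  = "$Channel";
        text     = "$Text";
        username = "$BotName";
        icon_url = "$Icon"
    }

    # POST rather than the default GET, so the token is not placed in the query string.
    $global:post = Invoke-RestMethod -Method Post -Uri $Uri -Body $PostMessage
    $global:post
}
--------------------------------------------------------------------------------
/SysSet/SysSet.ps1:
--------------------------------------------------------------------------------
#SysSet - A syslog configuration tool for NSX.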
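
param (
    # Syslog collectors, one address per element. The old default was a single string
    # "a, b", which became ONE <ipAddress> element containing both addresses.
    [string[]]$SyslogIPaddress = @("192.168.100.189", "192.168.100.190"),
    # udp is neither encrypted nor authenticated; keep the collector on the management
    # network, or use tcp where the collector supports it.
    [string]$SyslogProtocol = "udp",
    # "debug" is very chatty and can carry configuration detail; "info" is the usual
    # production level.
    [string]$SyslogLevel = "debug",
    [string]$SyslogStatus = "true"
)


# Collect the routers and edges
$Edges = Get-NsxEdge
#$Dlrs = Get-NsxLogicalRouter
# Add Controllers

foreach ($edge in $Edges) {

    if ($edge.features.syslog.enabled -eq "false") {
        write-host -foregroundcolor yellow "Enabling Syslog for $($edge.name)"
        #Updates from false to true
        $edge.features.syslog.enabled = "$SyslogStatus"

        # <serverAddresses>/<ipAddress> is absent while syslog is disabled and the API
        # refuses to enable syslog without it, so build one <ipAddress> per collector.
        $serverAddresses = $edge.OwnerDocument.CreateElement("serverAddresses")
        foreach ($ip in $SyslogIPaddress) {
            Add-XmlElement -xmlRoot $serverAddresses -xmlElementName "ipAddress" -xmlElementText "$ip"
        }
        $edge.features.syslog.AppendChild($serverAddresses) | out-null

        $edge | Set-NsxEdge -confirm:$false | out-null

        write-host -foregroundcolor green "Configuring Syslog values for $($edge.name)"
        # Re-read the edge so the second update carries the current revision.
        $edge = Get-NsxEdge -name $($edge.name)

        $edge.features.syslog.protocol = "$SyslogProtocol"
        $edge.vseLogLevel = "$SyslogLevel"
        $edge | Set-NsxEdge -confirm:$false | out-null
    }
    else {
        # Syslog already enabled: replace the whole collector list instead of overwriting
        # the first <ipAddress>, so retired collectors do not linger in the configuration.
        $serverAddresses = $edge.features.syslog.serverAddresses
        if ($serverAddresses -is [System.Xml.XmlElement]) {
            $serverAddresses.RemoveAll()
        }
        else {
            $serverAddresses = $edge.OwnerDocument.CreateElement("serverAddresses")
            $edge.features.syslog.AppendChild($serverAddresses) | out-null
        }
        foreach ($ip in $SyslogIPaddress) {
            Add-XmlElement -xmlRoot $serverAddresses -xmlElementName "ipAddress" -xmlElementText "$ip"
        }
        $edge.features.syslog.protocol = "$SyslogProtocol"
        $edge.vseLogLevel = "$SyslogLevel"
        write-host -foregroundcolor green "Updating Syslog on $($edge.name)"
        $edge | Set-NsxEdge -confirm:$false | out-null
    }

}

## UNTESTED
# foreach ($dlr in $dlrs){

#     $status = $dlr.features.syslog.enabled

#     if ($status -eq "false"){
#         write-host -foregroundcolor yellow "Enabling Syslog for $($dlr.name)"
#         #Updates from false to true
#         $dlr.features.syslog.enabled = "$SyslogStatus"

#         #Creating the XML that is required that is missing. serverAddresses -> ipAddress is missing
#         #and is required when enabling. Cannot enable without it.

#         $newElement = $dlr.OwnerDocument.CreateElement("serverAddresses")
#         Add-XmlElement -xmlRoot $newelement -xmlElementName "ipAddress" -xmlElementText "$SyslogIpAddress"
#         $dlr.features.syslog.AppendChild($newElement) | out-null

#         $dlr | Set-NsxLogicalRouter -confirm:$false

#         write-host -foregroundcolor green "Configuring Syslog values for $($dlr.name)"
#         #recollecting Edge for latest revision
#         $dlr = Get-NsxLogicalRouter -name $($dlr.name)

#         $dlr.features.syslog.protocol = "$SyslogProtocol"
#         $dlr.vseLogLevel = "$SyslogLevel"
#         $dlr | Set-NsxLogicalRouter -confirm:$false | out-null

#     }
#     else {

#         $dlr.features.syslog.serverAddresses.ipAddress = "$SyslogIpAddress"
#         $dlr.features.syslog.protocol = "$SyslogProtocol"
#         $dlr.vseLogLevel = "$SyslogLevel"
#         write-host -foregroundcolor green "Updating Syslog on $($dlr.name)"
#         $dlr | Set-NsxLogicalRouter -confirm:$false | out-null
#     }
# }
--------------------------------------------------------------------------------
/Terraform/Deploy 3 Tier App/main.tf:
--------------------------------------------------------------------------------
## Connect to NSX Manager.
## The credentials used to be literals in this file. They now come from variables so the
## password is no longer stored here; the literal previously committed should be treated
## as disclosed and rotated. Supply the password with
##   export TF_VAR_nsx_password=...    or    terraform apply -var 'nsx_password=...'
variable "nsx_host" {
  description = "NSX Manager FQDN or IP"
  default     = "nsxmgr-01a.corp.local"
}

variable "nsx_username" {
  description = "NSX Manager user"
  default     = "admin"
}

variable "nsx_password" {
  description = "NSX Manager password - no default on purpose; pass via TF_VAR_nsx_password or -var"
}

variable "nsx_insecure" {
  description = "Skip TLS certificate verification of NSX Manager. Was hard-coded to true; set true only for a lab manager with a self-signed certificate"
  default     = "false"
}

provider "nsxt" {
  host     = "${var.nsx_host}"
  username = "${var.nsx_username}"
  password = "${var.nsx_password}"
  insecure = "${var.nsx_insecure}"
}
## Collect data
data "nsxt_transport_zone" "TZ1" {
  display_name = "TZ1"
}

data "nsxt_logical_tier0_router" "T0" {
  display_name = "T0"
}

data "nsxt_edge_cluster" "EC1" {
  display_name = "EC1"
}

## Create T1 Router.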
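## The T1 advertises its connected 172.16.x.0/24 segments to the T0, so all three tiers
## become reachable from whatever the T0 routes. This file creates no distributed firewall
## policy: Web, App and Db can talk to each other and to the outside unless rules are
## applied elsewhere.
resource "nsxt_logical_tier1_router" "T1" {
  description                 = "T1 provisioned by Terraform"
  display_name                = "T1-TF"
  failover_mode               = "PREEMPTIVE"
  high_availability_mode      = "ACTIVE_STANDBY"
  edge_cluster_id             = "${data.nsxt_edge_cluster.EC1.id}"
  enable_router_advertisement = "true"
  advertise_connected_routes  = "true"

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}

## Connect T1 to T0.
## The commented description on both link ports refers to the port's own display_name and
## would be a self-reference; it is left out on purpose.
resource "nsxt_logical_router_link_port_on_tier0" "T0-RP" {
  # description = "${nsxt_logical_router_link_port_on_tier0.T0-RP.display_name} to ${nsxt_logical_router_link_port_on_tier1.T1-RP.display_name}"
  display_name      = "T0-RP"
  logical_router_id = "${data.nsxt_logical_tier0_router.T0.id}"

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}


resource "nsxt_logical_router_link_port_on_tier1" "T1-RP" {
  # description = "${nsxt_logical_router_link_port_on_tier0.T0-RP.display_name} to ${nsxt_logical_router_link_port_on_tier1.T1-RP.display_name}"
  display_name                  = "T1-RP"
  logical_router_id             = "${nsxt_logical_tier1_router.T1.id}"
  linked_logical_router_port_id = "${nsxt_logical_router_link_port_on_tier0.T0-RP.id}"

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}

## Create Logical Switches (one per tier, all in TZ1, MTEP replication).
resource "nsxt_logical_switch" "WEBLS" {
  count             = 1
  admin_state       = "UP"
  description       = "Web LS provisioned by Terraform"
  display_name      = "Web LS"
  transport_zone_id = "${data.nsxt_transport_zone.TZ1.id}"
  replication_mode  = "MTEP"

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}

resource "nsxt_logical_switch" "APPLS" {
  count             = 1
  admin_state       = "UP"
  description       = "App LS provisioned by Terraform"
  display_name      = "App LS"
  transport_zone_id = "${data.nsxt_transport_zone.TZ1.id}"
  replication_mode  = "MTEP"

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}

resource "nsxt_logical_switch" "DBLS" {
  count             = 1
  admin_state       = "UP"
  description       = "Db LS provisioned by Terraform"
  display_name      = "Db LS"
  transport_zone_id = "${data.nsxt_transport_zone.TZ1.id}"
  replication_mode  = "MTEP"

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}

## Create ports on respective LS.
## The App and Db port descriptions used to say "LP-WEB" (copy-paste); fixed.
resource "nsxt_logical_port" "LPWEB" {
  count             = 1
  admin_state       = "UP"
  description       = "LP-WEB provisioned by Terraform"
  display_name      = "LP-WEB"
  logical_switch_id = "${nsxt_logical_switch.WEBLS.id}"

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}

resource "nsxt_logical_port" "LPAPP" {
  count             = 1
  admin_state       = "UP"
  description       = "LP-APP provisioned by Terraform"
  display_name      = "LP-APP"
  logical_switch_id = "${nsxt_logical_switch.APPLS.id}"

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}

resource "nsxt_logical_port" "LPDB" {
  count             = 1
  admin_state       = "UP"
  description       = "LP-DB provisioned by Terraform"
  display_name      = "LP-DB"
  logical_switch_id = "${nsxt_logical_switch.DBLS.id}"

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}

## Create LIFs on T1 DLR.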
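resource "nsxt_logical_router_downlink_port" "DP1" {
  count                         = 1
  description                   = "LIF-WEB provisioned by Terraform"
  display_name                  = "LIF-WEB"
  logical_router_id             = "${nsxt_logical_tier1_router.T1.id}"
  linked_logical_switch_port_id = "${nsxt_logical_port.LPWEB.id}"

  subnets = [{
    ip_addresses  = ["172.16.10.1"]
    prefix_length = 24
  }]

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}

resource "nsxt_logical_router_downlink_port" "DP2" {
  count                         = 1
  description                   = "LIF-APP provisioned by Terraform"
  display_name                  = "LIF-APP"
  logical_router_id             = "${nsxt_logical_tier1_router.T1.id}"
  linked_logical_switch_port_id = "${nsxt_logical_port.LPAPP.id}"

  subnets = [{
    ip_addresses  = ["172.16.20.1"]
    prefix_length = 24
  }]

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}

resource "nsxt_logical_router_downlink_port" "DP3" {
  count                         = 1
  description                   = "LIF-DB provisioned by Terraform"
  display_name                  = "LIF-DB"
  logical_router_id             = "${nsxt_logical_tier1_router.T1.id}"
  linked_logical_switch_port_id = "${nsxt_logical_port.LPDB.id}"

  subnets = [{
    ip_addresses  = ["172.16.30.1"]
    prefix_length = 24
  }]

  tags = [{
    scope = "princeps"
    tag   = "augustus"
  }]
}





--------------------------------------------------------------------------------
/k8s-harbor-dump/daemon.json:
--------------------------------------------------------------------------------
{
    "insecure-registries" : ["harbor-tenant-01.sg.lab"]
}
--------------------------------------------------------------------------------
/nsxt-dynamictags.ps1:
--------------------------------------------------------------------------------
###
## Demo for Damo
# By Burkey
#

##Credentials
# vCenter and NSX-T are logged on with the same account password. It used to be a literal
# in this file; it is now prompted for at run time so the script can be shared without the
# secret (the old literal should be treated as disclosed and rotated). $password stays a
# plain string because Connect-NsxtServer/Connect-VIServer below take -Password as a string.
$vcuser = "administrator@vsphere.local"
$nsxuser = "admin"
$password = (Get-Credential -UserName $nsxuser -Message "Password for $nsxuser (NSX-T) and $vcuser (vCenter)").GetNetworkCredential().Password

## VC Objects

$clustername = "Compute"
$dsname = "CompData"
$vmname1 = "Test-VM-001"
$vmname2 = "Test-VM-002"


## NSX-T objects
$edgeClusterName = "edgecluster1"
$transportZoneName = "TZ"
$logicalRouterNameT0 = "Tier0_LR"
$firewallSectionName = "automation_section"
$firewallRuleName = "automation_rule"
$nsgroupname = "dynamic-ns"
$logicalRouterNameT1 = "Tier1_LR_automation"
$ls1name = "LS1_automation"
$ls2name = "LS2_automation"

## Hashtable for Tags

$DemoTags = @{}
$DemoTags.Add("scope", "production")
$DemoTags.Add("tag","web")

##################

###########
#Connection Management
write-host -foregroundcolor Green "Connecting to vCenter and NSX-T Manager"

$null = Set-PowerCLIConfiguration -Scope User -ParticipateInCEIP $false -confirm:$false -WarningAction "silentlycontinue" -ErrorAction Ignore
# Lab setting: accept self-signed certificates from vCenter and NSX-T. Without -Scope Session
# this persists in the PowerCLI configuration beyond this run. Use -InvalidCertificateAction
# Fail where the managers carry trusted certificates.
$null = Set-PowerCLIConfiguration -InvalidCertificateAction ignore -confirm:$false -WarningAction "silentlycontinue" -ErrorAction Ignore
# Stop on a failed logon instead of continuing into object creation with no session
# (the previous -ErrorAction Ignore hid a bad password until the first API call).
Connect-NsxtServer -Server nsxmgr-01a.corp.local -User $nsxuser -Password $password -WarningAction "silentlycontinue" -ErrorAction Stop | Out-Null
Connect-VIServer -Server vc-01a.corp.local -User $vcuser -Password $password -WarningAction "silentlycontinue" -ErrorAction Stop | Out-Null



###########
#NSX-T Service Import
$serviceEdgeClusters = Get-NsxtService com.vmware.nsx.edge_clusters
$serviceLogicalPorts = Get-NsxtService com.vmware.nsx.logical_ports
$serviceLogicalSwitch = Get-NsxtService com.vmware.nsx.logical_switches
$serviceTransportZones = Get-NsxtService com.vmware.nsx.transport_zones
$serviceLogicalRouters = Get-NsxtService com.vmware.nsx.logical_routers
$serviceLogicalRouterPorts = Get-NsxtService com.vmware.nsx.logical_router_ports
$serviceLogicalRouterAdvertisements =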
Get-NsxTService com.vmware.nsx.logical_routers.routing.advertisement 58 | $serviceNsGroup = Get-NsxtService com.vmware.nsx.ns_groups 59 | $serviceFirewallSections = Get-NsxtService com.vmware.nsx.firewall.sections 60 | $serviceFirewallSectionRules = Get-NsxTService com.vmware.nsx.firewall.sections.rules 61 | 62 | 63 | 64 | ########### 65 | # Creating the Logical Topology 66 | #Collect pre-req objectss 67 | write-host -foregroundcolor Green "Collecting UUIDs for $transportZoneName, $edgeClusterName, and $logicalRouterNameT0 " 68 | $transportZone = $serviceTransportZones.list().results | Where-Object {$_.display_name -eq $transportZoneName} 69 | $edgeCluster = $serviceEdgeClusters.list().results | Where-Object {$_.display_name -eq $edgeClusterName} 70 | $tier0Router = $serviceLogicalRouters.list().results | Where-Object {$_.display_name -eq $logicalRouterNameT0 } 71 | 72 | #Create T1 router k8st1 73 | write-host -foregroundcolor Green "Creating T1 router $logicalRouterNameT1" 74 | $specLogicalRouterT1 = $serviceLogicalRouters.help.create.logical_router.Create() 75 | $specLogicalRouterT1.display_name = $logicalRouterNameT1 76 | $specLogicalRouterT1.edge_cluster_id = $edgeCluster.id 77 | $specLogicalRouterT1.router_type = "TIER1" 78 | $t1router = $serviceLogicalRouters.create($specLogicalRouterT1) 79 | 80 | # Create a logical switch for LS_1 81 | write-host -foregroundcolor Green "Creating logical switch on $ls1name" 82 | $specLogicalSwitch = $serviceLogicalSwitch.help.create.logical_switch.Create() 83 | $specLogicalSwitch.display_name = $ls1name 84 | $specLogicalSwitch.transport_zone_id = $transportZone.id 85 | $specLogicalSwitch.admin_state = "UP" 86 | $specLogicalSwitch.replication_mode = "MTEP" 87 | $specLogicalSwitch.tags.Add($DemoTags) | Out-Null 88 | $ls1 = $serviceLogicalSwitch.create($specLogicalSwitch) 89 | 90 | # Create a logical switch for LS_2 91 | write-host -foregroundcolor Green "Creating logical switch on $ls2name" 92 | $specLogicalSwitch = 
$serviceLogicalSwitch.help.create.logical_switch.Create() 93 | $specLogicalSwitch.display_name = $ls2name 94 | $specLogicalSwitch.transport_zone_id = $transportZone.id 95 | $specLogicalSwitch.admin_state = "UP" 96 | $specLogicalSwitch.replication_mode = "MTEP" 97 | $specLogicalSwitch.tags.Add($DemoTags) | Out-Null 98 | $ls2 = $serviceLogicalSwitch.create($specLogicalSwitch) 99 | 100 | # Create a port on the logical switch pod_access 101 | write-host -foregroundcolor Green "Creating logical port on $logicalRouterNameT1" 102 | $specLogicalSwitchPort = $serviceLogicalPorts.help.create.logical_port.create() 103 | $specLogicalSwitchPort.display_name = "LP-$ls1name" 104 | $specLogicalSwitchPort.description = "Logical Port for $($logicalRouterNameT1)" 105 | $specLogicalSwitchPort.admin_state = "UP" 106 | $specLogicalSwitchPort.logical_switch_id = $ls1.id 107 | $lsport1 = $serviceLogicalPorts.create($specLogicalSwitchPort) 108 | 109 | # Create a router downlink port and connect it to the switchport above 110 | write-host -foregroundcolor Green "Creating LIF on $($t1router.display_name) for $ls1name" 111 | $specLogicalRouterDownlinkPort = $serviceLogicalRouterPorts.Help.create.logical_router_port.logical_router_down_link_port.Create() 112 | $specLogicalRouterDownlinkPort.description = "Logical Router LIF for $ls1name" 113 | $specLogicalRouterDownlinkPort.display_name = "LIF_$ls1name" 114 | $specLogicalRouterDownlinkPort.linked_logical_switch_port_id = @{"target_id" = $lsport1.id } 115 | $specLogicalRouterDownlinkPort.subnets.Add(@{"ip_addresses" = @("172.16.243.1"); "prefix_length" = "24"}) | Out-Null 116 | $specLogicalRouterDownlinkPort.logical_router_id = $t1router.id 117 | $t1routerRpls1 = $serviceLogicalRouterPorts.create($specLogicalRouterDownlinkPort) 118 | 119 | # Create a port on the logical switch pod_access 120 | write-host -foregroundcolor Green "Creating logical port on $logicalRouterNameT1" 121 | $specLogicalSwitchPort = 
$serviceLogicalPorts.help.create.logical_port.create() 122 | $specLogicalSwitchPort.display_name = "LP-$ls2name" 123 | $specLogicalSwitchPort.description = "Logical Port for $($logicalRouterNameT1)" 124 | $specLogicalSwitchPort.admin_state = "UP" 125 | $specLogicalSwitchPort.logical_switch_id = $ls2.id 126 | $lsport2 = $serviceLogicalPorts.create($specLogicalSwitchPort) 127 | 128 | # Create a router downlink port and connect it to the switchport above 129 | write-host -foregroundcolor Green "Creating LIF on $($t1router.display_name) for $ls2name" 130 | $specLogicalRouterDownlinkPort = $serviceLogicalRouterPorts.Help.create.logical_router_port.logical_router_down_link_port.Create() 131 | $specLogicalRouterDownlinkPort.description = "Logical Router LIF for $ls2name" 132 | $specLogicalRouterDownlinkPort.display_name = "LIF_$ls2name" 133 | $specLogicalRouterDownlinkPort.linked_logical_switch_port_id = @{"target_id" = $lsport2.id } 134 | $specLogicalRouterDownlinkPort.subnets.Add(@{"ip_addresses" = @("172.16.244.1"); "prefix_length" = "24"}) | Out-Null 135 | $specLogicalRouterDownlinkPort.logical_router_id = $t1router.id 136 | $t1routerRpls2 = $serviceLogicalRouterPorts.create($specLogicalRouterDownlinkPort) 137 | 138 | 139 | # Create linked Port on Tier 0 for tier1 140 | write-host -foregroundcolor Green "Creating router port on $($t1router.display_name)" 141 | 142 | $specLinkedRouterPortOnT0 = $serviceLogicalRouterPorts.help.create.logical_router_port.logical_router_link_port_on_TIE_r0.Create() 143 | $specLinkedRouterPortOnT0.description = "Port on T0 Router for $($t1router.display_name) (ID: $($t1router.id))" 144 | $specLinkedRouterPortOnT0.display_name = "LinkedPortOnT0_$($t1router.display_name)" 145 | $specLinkedRouterPortOnT0.logical_router_id = $tier0Router.id 146 | $linkedRouterPortOnT0 = $serviceLogicalRouterPorts.create($specLinkedRouterPortOnT0) 147 | write-host -foregroundcolor Green "Creating router port on $($tier0router.display_name)" 148 | # Create 
linked port on Tier 1 for to T0 149 | $specLinkedRouterPortOnT1 = $serviceLogicalRouterPorts.help.create.logical_router_port.logical_router_link_port_on_TIE_r1.Create() 150 | $specLinkedRouterPortOnT1.description = "Port on T1 Router for $($tier0Router.display_name) (ID: $($tier0Router.id))" 151 | $specLinkedRouterPortOnT1.display_name = "LinkedPortOnT1_$($tier0Router.display_name)" 152 | $specLinkedRouterPortOnT1.logical_router_id = $t1Router.id 153 | $specLinkedRouterPortOnT1.linked_logical_router_port_id = @{"target_id" = $linkedRouterPortOnT0.id} 154 | $linkedRouterPortOnT1 = $serviceLogicalRouterPorts.create($specLinkedRouterPortOnT1) 155 | 156 | #Redistribution 157 | write-host -foregroundcolor Green "Advertising nsx_connected routes on $logicalRouterNameT1" 158 | $logicalRouterAdvertisementConfig = $serviceLogicalRouterAdvertisements.get($t1router.id) 159 | $logicalRouterAdvertisementConfig.enabled = $True 160 | $logicalRouterAdvertisementConfig.advertise_nsx_connected_routes = $True 161 | $logicalRouterAdvertisementConfig.advertise_lb_vip = $True 162 | $serviceLogicalRouterAdvertisements.update($t1router.id, $logicalRouterAdvertisementConfig) | Out-Null 163 | 164 | 165 | ########### 166 | #Create VM 167 | 168 | write-host -foregroundcolor Green "Creating Shell VMs $vmname1 and $vmname2 " 169 | 170 | $ds = Get-Datastore $dsname 171 | $cl = Get-Cluster $clustername 172 | $vmhost = $cl | get-vmhost | select -first 1 173 | $folder = get-folder -type VM -name vm 174 | $vmsplat = @{ 175 | "VMHost" = $vmhost 176 | "Location" = $folder 177 | "ResourcePool" = $cl 178 | "Datastore" = $ds 179 | "DiskGB" = 1 180 | "DiskStorageFormat" = "Thin" 181 | "NumCpu" = 1 182 | "Floppy" = $false 183 | "CD" = $false 184 | "GuestId" = "other26xLinuxGuest" 185 | "MemoryMB" = 512 186 | } 187 | # 188 | 189 | $vm1 = new-vm -name $vmname1 @vmsplat 190 | $vm2 = new-vm -name $vmname2 @vmsplat 191 | 192 | 193 | 194 | write-host -foregroundcolor Green "Attaching VMs $vmname1 and $vmname2 to 
$($ls1.display_name) and $($ls2.display_name) " 195 | 196 | $null = $vm1 | Get-NetworkAdapter | Set-NetworkAdapter -NetworkName $ls1.display_name -confirm:$false 197 | $null = $vm2 | Get-NetworkAdapter | Set-NetworkAdapter -NetworkName $ls2.display_name -confirm:$false 198 | 199 | 200 | $null = $vm1 | Start-VM 201 | $null = $vm2 | Start-VM 202 | 203 | 204 | ### CREATING NS GROUP BASED ON TAGS 205 | write-host -foregroundcolor Green "Creating NSgroup with Dynamic Tag criteria" 206 | 207 | $nsgroupmembership = @{} 208 | $nsgroupmembership.Add("resource_type", "NSGroupTagExpression") 209 | $nsgroupmembership.Add("scope", "production") 210 | $nsgroupmembership.Add("target_type", "LogicalSwitch") 211 | $nsgroupmembership.Add("tag", "web") 212 | $nsgroupmembership.Add("scope_op", "EQUALS") 213 | $nsgroupmembership.Add("tag_op", "EQUALS") 214 | 215 | 216 | $specNsGroup = $serviceNsGroup.Help.create.ns_group.Create() 217 | $specNsGroup.resource_type ="NSGroup" 218 | $specNsGroup.display_name = "$nsgroupname" 219 | $specNsGroup.membership_criteria.Add($nsgroupmembership) | Out-Null 220 | $nsGroup = $serviceNsGroup.Create($specNsGroup) 221 | 222 | 223 | ### Creating Firewall Section 224 | write-host -foregroundcolor Green "Creating Firewall section $firewallsectionName" 225 | 226 | $anchorid = "dummyid" 227 | $spec = $serviceFirewallSections.help.create.firewall_section.create() 228 | $spec.display_name = "$firewallSectionName" 229 | $spec.section_type = "LAYER3" 230 | $spec.stateful = $True 231 | $firewallsection = $serviceFirewallSections.Create($spec) 232 | 233 | ### Creating Firewall Rule 234 | 235 | write-host -foregroundcolor Green "Creating Firewall rule $firewallrulename" 236 | 237 | $sourceSpec1 = $serviceFirewallSectionRules.help.create.firewall_rule.sources.Element.Create() 238 | $sourceSpec1.target_id = $nsgroup.id 239 | $sourceSpec1.target_type = $nsgroup.resource_type 240 | 241 | $spec = $serviceFirewallSectionRules.help.create.firewall_rule.create() 242 | 
$spec.display_name = "$firewallRuleName" 243 | $spec.action = "ALLOW" 244 | # $spec.direction = "IN_OUT" 245 | # $spec.ip_protocol="IPV4_IPV6" 246 | $spec.resource_type="FirewallRule" 247 | $spec.sources.Add($sourcespec1) | Out-Null 248 | $rule = $serviceFirewallSectionRules.Create($firewallSection.id, $spec) 249 | 250 | write-host -ForegroundColor Green "Completed" 251 | write-host -ForegroundColor Green "I am adding members of $($LS1.display_name) and $($LS2.display_name) to $($nsGroup.display_name) via Tag " 252 | write-host -ForegroundColor Cyan "To cleanup please Delete in the following order: " 253 | write-host -ForegroundColor Cyan "Firewall Section $($firewallsection.display_name) " 254 | write-host -ForegroundColor Cyan "NSgroup $($nsGroup.display_name) " 255 | write-host -ForegroundColor Cyan "VMs $($vm1.name) and $($vm2.name) " 256 | write-host -ForegroundColor Cyan "Router $($t1router.display_name) " 257 | write-host -ForegroundColor Cyan "Logical Ports on $($LS1.display_name) and $($LS2.display_name) " 258 | write-host -ForegroundColor Cyan "Logical Switches $($LS1.display_name) and $($LS2.display_name) " 259 | 260 | write-host -ForegroundColor Green "!!Automation is fun!!" 261 | 262 | 263 | 264 | 265 | 266 | # #Delete FW section 267 | # $section = $serviceFirewallSections.List().results | ? {$_.display_name -eq $firewallsectionName} 268 | # $null= $serviceFirewallSections.Delete($section.id) 269 | # #Delete NSG 270 | # $nsg = $serviceNsGroup.List().results | ? 
{$_.display_name -eq "$nsgroupname"} 271 | # $null = $serviceNsGroup.Delete($nsg.id) 272 | # #Delete VM 273 | # get-vm Test* | stop-vm -confirm:$false 274 | # get-vm Test* | remove-vm -DeletePermanently -confirm:$false 275 | 276 | -------------------------------------------------------------------------------- /nsxt-k8s/single-master-node/ubuntu/kubeadm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kubeadm.k8s.io/v1alpha1 2 | kind: MasterConfiguration 3 | kubernetesVersion: v1.10.5 4 | api: 5 | advertiseAddress: 10.1.1.129 6 | bindPort: 6443 -------------------------------------------------------------------------------- /nsxt-k8s/single-master-node/ubuntu/ncp-rc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: nsx-ncp-config 5 | namespace: nsx-system 6 | labels: 7 | version: v1 8 | data: 9 | ncp.ini: | 10 | [DEFAULT] 11 | [coe] 12 | cluster = k8s-cluster1 13 | nsxlib_loglevel=INFO 14 | [ha] 15 | [k8s] 16 | apiserver_host_ip = 10.1.1.129 17 | apiserver_host_port = 6443 18 | ca_file = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 19 | client_token_file = /var/run/secrets/kubernetes.io/serviceaccount/token 20 | [nsx_v3] 21 | nsx_api_managers = nsxmgr-01a.corp.local 22 | nsx_api_user = admin 23 | nsx_api_password = VMware1! 
insecure = True
subnet_prefix = 28
use_native_loadbalancer = True
pool_algorithm = 'ROUND_ROBIN'
service_size = 'SMALL'
virtual_servers_per_lbs = 10
tier0_router = Tier0_LR
overlay_tz = TZ
container_ip_blocks = e77b1435-54af-43bc-8045-9a22b8e3bdf9
external_ip_pools = b1b80f47-97de-4d1a-81d8-93bf6c98d613
top_firewall_section_marker = aedcc7ec-ccf1-44ee-a66e-b371371b87e9
bottom_firewall_section_marker = 001fd432-cd48-4339-926e-d692032cb0e7
---
# NOTE(review): the nsx-ncp-config ConfigMap above embeds the NSX Manager admin
# password (nsx_api_password) in clear text and sets insecure = True, which disables
# certificate validation for the NSX API. Anyone who can read ConfigMaps in nsx-system
# obtains the NSX admin credential, and a MITM on the manager connection goes unnoticed.
# Move the credential into a Secret (or certificate-based NSX auth, if the NCP release
# in use supports it) and pin the NSX Manager CA instead of insecure = True.
apiVersion: v1
kind: ReplicationController
metadata:
  name: nsx-ncp
  namespace: nsx-system
  labels:
    tier: nsx-networking
    component: nsx-ncp
    version: v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        tier: nsx-networking
        component: nsx-ncp
        version: v1
    spec:
      # The NCP pod runs in the node's network namespace.
      hostNetwork: true
      # ncp-svc-account is granted cluster-wide read of secrets (see rbac-ncp.yaml).
      serviceAccountName: ncp-svc-account
      containers:
      - name: nsx-ncp
        # NOTE(review): this registry host is listed under "insecure-registries" in
        # k8s-harbor-dump/daemon.json, so the image is pulled without TLS validation.
        # Pin the image by digest or fix the registry certificate before trusting this
        # outside the lab.
        image: harbor-tenant-01.sg.lab/singapore-infra/nsx-ncp:2.3.0
        imagePullPolicy: IfNotPresent
        env:
        - name: NCP_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: NCP_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        livenessProbe:
          exec:
            command:
            - /bin/sh
            - -c
            - check_pod_liveness nsx-ncp
          initialDelaySeconds: 5
          timeoutSeconds: 5
          periodSeconds: 10
          failureThreshold: 5
        volumeMounts:
        # ncp.ini (and therefore the NSX credential) is mounted from the ConfigMap above.
        - name: config-volume
          mountPath: /etc/nsx-ujo/ncp.ini
          subPath: ncp.ini
          readOnly: true
      volumes:
      - name: config-volume
        configMap:
          name: nsx-ncp-config
--------------------------------------------------------------------------------
/nsxt-k8s/single-master-node/ubuntu/nsx-node-agent-ds.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ConfigMap
metadata:
  name: nsx-node-agent-config
  namespace: nsx-system
  labels:
    version: v1
# NOTE(review): ncp.ini below sets debug = True; verbose agent logs may carry addresses
# and object ids — turn it off once the lab is stable.
data:
  ncp.ini: |
    [DEFAULT]
    debug = True
    [coe]
    cluster = k8s-cluster1
    nsxlib_loglevel=INFO
    [ha]
    [k8s]
    apiserver_host_ip = 10.1.1.129
    apiserver_host_port = 6443
    ca_file = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    client_token_file = /var/run/secrets/kubernetes.io/serviceaccount/token
    [nsx_node_agent]
    [nsx_kube_proxy]
---
# NOTE(review): extensions/v1beta1 matches the v1.10.5 cluster pinned in kubeadm.yaml
# but is no longer served by current Kubernetes releases; use apps/v1 on newer clusters.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: nsx-node-agent
  namespace: nsx-system
  labels:
    tier: nsx-networking
    component: nsx-node-agent
    version: v1
spec:
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
      labels:
        tier: nsx-networking
        component: nsx-node-agent
        version: v1
    spec:
      hostNetwork: true
      serviceAccountName: nsx-node-agent-svc-account
      containers:
      - name: nsx-node-agent
        # Same registry caveat as ncp-rc.yaml: listed as an insecure registry in daemon.json.
        image: harbor-tenant-01.sg.lab/singapore-infra/nsx-ncp:2.3.0
        imagePullPolicy: IfNotPresent
        command: ["start_node_agent"]
        livenessProbe:
          exec:
            command:
            - /bin/sh
            - -c
            - check_pod_liveness nsx-node-agent
          initialDelaySeconds: 5
          timeoutSeconds: 5
          periodSeconds: 10
          failureThreshold: 5
        # NOTE(review): privileged plus the hostPath mounts of /proc, /var/run/netns and
        # the OVS socket make this container root-equivalent on every node it runs on
        # (presumably required to plumb pod interfaces into OVS — confirm). privileged
        # already grants all capabilities, so the add: list is redundant. Keep
        # nsx-node-agent-svc-account bound to nothing but this DaemonSet.
        securityContext:
          privileged: true
          capabilities:
            add:
            - NET_ADMIN
            - SYS_ADMIN
            - SYS_PTRACE
            - DAC_READ_SEARCH
        volumeMounts:
        - name: config-volume
          mountPath: /etc/nsx-ujo/ncp.ini
          subPath: ncp.ini
          readOnly: true
        - name: openvswitch
          mountPath: /var/run/openvswitch
        - name: cni-sock
          mountPath: /var/run/nsx-ujo
        - name: netns
          mountPath: /var/run/netns
        # Host /proc is at least mounted read-only.
        - name: proc
          mountPath: /host/proc
          readOnly: true
      - name: nsx-kube-proxy
        image: harbor-tenant-01.sg.lab/singapore-infra/nsx-ncp:2.3.0
        imagePullPolicy: IfNotPresent
        command: ["start_kube_proxy"]
        livenessProbe:
          exec:
            command:
            - /bin/sh
            - -c
            - check_pod_liveness nsx-kube-proxy
          initialDelaySeconds: 5
          periodSeconds: 5
        # Not privileged, but SYS_ADMIN + DAC_OVERRIDE + the shared OVS socket still give
        # this container broad control over the node's datapath.
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            - SYS_ADMIN
            - SYS_PTRACE
            - DAC_READ_SEARCH
            - DAC_OVERRIDE
        volumeMounts:
        - name: config-volume
          mountPath: /etc/nsx-ujo/ncp.ini
          subPath: ncp.ini
          readOnly: true
        - name: openvswitch
          mountPath: /var/run/openvswitch
      volumes:
      - name: config-volume
        configMap:
          name: nsx-node-agent-config
      - name: cni-sock
        hostPath:
          path: /var/run/nsx-ujo
      - name: netns
        hostPath:
          path: /var/run/netns
      - name: proc
        hostPath:
          path: /proc
      - name: openvswitch
        hostPath:
          path: /var/run/openvswitch
--------------------------------------------------------------------------------
/nsxt-k8s/single-master-node/ubuntu/rbac-ncp.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ncp-svc-account
  namespace: nsx-system
---
kind: ClusterRole
# NOTE(review): rbac.authorization.k8s.io/v1beta1 works on the v1.10.5 cluster in
# kubeadm.yaml; newer clusters need rbac.authorization.k8s.io/v1 (used further down
# for the node-agent role).
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ncp-cluster-role
rules:
- apiGroups:
  - ""
  - extensions
  - networking.k8s.io
  resources:
  - deployments
  - endpoints
  - pods
  - pods/log
  - namespaces
  - networkpolicies
  - nodes
  - replicationcontrollers
  # NOTE(review): get/list/watch on secrets with a ClusterRoleBinding means
  # ncp-svc-account can read every Secret in every namespace. Presumably needed for
  # Ingress TLS certificates — confirm, and narrow with Role/RoleBinding per namespace
  # if NCP only needs specific ones.
  - secrets
  verbs:
  - get
  - watch
  - list
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ncp-patch-role
rules:
- apiGroups:
  - ""
  - extensions
  resources:
  - ingresses
  - services
  verbs:
  - get
  - watch
  - list
  - update
  - patch
- apiGroups:
  - ""
  - extensions
  resources:
  - ingresses/status
  -
services/status 54 | verbs: 55 | - replace 56 | - update 57 | - patch 58 | --- 59 | kind: ClusterRoleBinding 60 | apiVersion: rbac.authorization.k8s.io/v1beta1 61 | metadata: 62 | name: ncp-cluster-role-binding 63 | roleRef: 64 | apiGroup: rbac.authorization.k8s.io 65 | kind: ClusterRole 66 | name: ncp-cluster-role 67 | subjects: 68 | - kind: ServiceAccount 69 | name: ncp-svc-account 70 | namespace: nsx-system 71 | --- 72 | kind: ClusterRoleBinding 73 | apiVersion: rbac.authorization.k8s.io/v1beta1 74 | metadata: 75 | name: ncp-patch-role-binding 76 | roleRef: 77 | apiGroup: rbac.authorization.k8s.io 78 | kind: ClusterRole 79 | name: ncp-patch-role 80 | subjects: 81 | - kind: ServiceAccount 82 | name: ncp-svc-account 83 | namespace: nsx-system 84 | 85 | --- 86 | apiVersion: v1 87 | kind: ServiceAccount 88 | metadata: 89 | name: nsx-node-agent-svc-account 90 | namespace: nsx-system 91 | --- 92 | kind: ClusterRole 93 | apiVersion: rbac.authorization.k8s.io/v1 94 | metadata: 95 | name: nsx-node-agent-cluster-role 96 | rules: 97 | - apiGroups: 98 | - "" 99 | resources: 100 | - endpoints 101 | - services 102 | verbs: 103 | - get 104 | - watch 105 | - list 106 | --- 107 | kind: ClusterRoleBinding 108 | apiVersion: rbac.authorization.k8s.io/v1 109 | metadata: 110 | name: nsx-node-agent-cluster-role-binding 111 | roleRef: 112 | apiGroup: rbac.authorization.k8s.io 113 | kind: ClusterRole 114 | name: nsx-node-agent-cluster-role 115 | subjects: 116 | - kind: ServiceAccount 117 | name: nsx-node-agent-svc-account 118 | namespace: nsx-system -------------------------------------------------------------------------------- /vRA Load Balancer/vRA_Load_Balancer.ps1: -------------------------------------------------------------------------------- 1 | # author : anthony Burke 2 | # company: VMware 3 | #-------------------------------------------------- 4 | # ____ __ _ _ ____ ____ __ _ ____ _ _ 5 | # ( _ \ / \ / )( \( __)( _ \( ( \/ ___)( \/ ) 6 | # ) __/( O )\ /\ / ) _) ) // /\___ \ ) 
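# (__) \__/ (_/\_)(____)(__\_)\_)__)(____/(_/\_)
# PowerShell extensions for NSX for vSphere
#--------------------------------------------------

#Permission is hereby granted, free of charge, to any person obtaining a copy of
#this software and associated documentation files (the 'Software'), to deal in
#the Software without restriction, including without limitation the rights to
#use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
#of the Software, and to permit persons to whom the Software is furnished to do
#so, subject to the following conditions:

#The above copyright notice and this permission notice shall be included in all
#copies or substantial portions of the Software.

#THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
#SOFTWARE.

### Note
#This powershell script should be considered entirely experimental and dangerous
#and is likely to kill babies, cause war and pestilence and permanently block all
#your toilets. Seriously - It's still in development, not tested beyond lab
#scenarios, and its recommended you dont use it for any production environment
#without testing extensively!

## Note: The OvfConfiguration portion of this example relies on this OVA. The securityGroup and Firewall configuration have a MANDATORY DEPENDENCY on this OVA being deployed at runtime. The script will fail if the conditions are not met. This OVA can be found here http://goo.gl/oBAFgq
## NOTE(review): nothing below references OvfConfiguration or security groups; the note
## above looks carried over from another script in this repository — verify before relying on it.

## Purpose: stand up an NSX-v Edge Services Gateway as the load balancer for a distributed
## vRealize Automation deployment: one uplink interface carrying three addresses, load
## balancing enabled, then per tier (IaaS web, IaaS manager, vRA appliance) an HTTPS health
## monitor, an SSL-passthrough application profile, a pool and a VIP on $HttpsPort.
## Assumes PowerCLI 6+ with the NSX cmdlets loaded and sessions to vCenter and NSX Manager
## already established — the script does not connect itself.

# This parameter block defines global variables which a user can override with switches on execution.
# Every value is a lab default; override the addresses and names, and especially -Password, on the command line.
param (

    #Infrastructure
    $vraEdgeName = 'vRA-Edge-032',
    # Primary address becomes the Web VIP; secondary and tertiary become the Manager and App VIPs.
    $EdgeUplinkPrimaryAddress = '192.168.100.192',
    $EdgeUplinkSecondaryAddress = '192.168.100.193',
    $EdgeUplinkTertiaryAddress = '192.168.100.194',

    #vRA Nodes
    $VraVa01Name = 'vRA-VA-011',
    $VraVa01Ip = '10.26.38.47',
    $VraVa02Name = 'vRA-VA-02',
    $VraVa02Ip = '10.26.38.48',
    $VraIaas01Name = 'vRA-Iaas-01',
    $VraIaas01Ip = '10.26.38.49',
    $VraIaas02Name = 'vRA-Iaas-02',
    $VraIaas02Ip = '10.26.38.50',
    # NOTE(review): Iaas03/04 reuse the addresses of Iaas01/02, so the manager pool and the
    # web pool point at the same two hosts. Valid when the IaaS web and Manager Service
    # roles are co-located, but confirm that is intended before deploying.
    $VraIaas03Name = 'vRA-Iaas-03',
    $VraIaas03Ip = '10.26.38.49',
    $VraIaas04Name = 'vRA-Iaas-04',
    $VraIaas04Ip = '10.26.38.50',
    #Subnet ($DefaultSubnetMask is accepted for compatibility but not used below)
    $DefaultSubnetMask = '255.255.255.0',
    $DefaultSubnetBits = '24',

    #Port ($HttpPort is accepted for compatibility but not used below; everything is HTTPS)
    $HttpPort = '80',
    $HttpsPort = '443',


    #Compute
    $ClusterName = 'Mgmt01',
    $DatastoreName = 'MgmtData',
    $CompClusterName = 'Compute01',
    $CompDatastoreName = 'CompData',
    $EdgeUplinkNetworkName = 'Internal',
    # Admin password set on the new Edge appliance. NOTE(review): this default is a
    # well-known lab credential committed in clear text — always pass -Password; a
    # warning is printed below when the default is used.
    $Password = 'VMware1!VMware1!',



    ##LoadBalancer
    $LbAlgo = 'ROUND-ROBIN',
    $MgrPoolName = 'PL-vRA-iaas-mgr',
    $WebPoolName = 'PL-vRA-iaas-web',
    $AppPoolName = 'PL-vRA-application-va',
    $MgrVipName = 'VP-vRA-Mgr',
    $WebVipName = 'VP-vRA-Web',
    $AppVipName = 'VP-vRA-App',
    $WebAppProfileName = 'AP-vRA-Web',
    $MgrAppProfileName = 'AP-vRA-Mgr',
    $AppAppProfileName = 'AP-vRA-App',
    $VipProtocol = 'HTTPS',
    ## Monitors for the three pools (the *MonitorType values are accepted for
    ## compatibility; the monitors below are created with -TypeHttps regardless)
    $ManagerMonitorName = 'MN-vRA-Manager',
    $ManagerMonitorInterval = '10',
    $ManagerMonitorTimeout = '10',
    $ManagerMonitorRetries = '3',
    $ManagerMonitorType = 'HTTPS',
    $ManagerMonitorMethod = 'GET',
    $ManagerMonitorUrl = '/VMPSProvision',
    $ManagerMonitorReceive = 'ProvisionService',
    $WebMonitorName = 'MN-vRA-Web',
    $WebMonitorInterval = '10',
    $WebMonitorTimeout = '10',
    $WebMonitorRetries = '3',
    $WebMonitorType = 'HTTPS',
    $WebMonitorMethod = 'GET',
    $WebMonitorUrl = '/wapi/api/status/web',
    $WebMonitorRecieve = 'REGISTERED',
    $ApplicationMonitorName = 'MN-vRA-Application',
    $ApplicationMonitorInterval = '10',
    $ApplicationMonitorTimeout = '10',
    $ApplicationMonitorRetries = '3',
    $ApplicationMonitorType = 'HTTPS',
    $ApplicationMonitorMethod = 'GET',
    $ApplicationMonitorUrl = '/wapi/api/services/health',
    $ApplicationMonitorExpected = '200 OK'

)



## Validation of PowerCLI version. PowerCLI 6 is required due to OvfConfiguration commands.

[int]$PowerCliMajorVersion = (Get-PowerCliVersion).major

if ( -not ($PowerCliMajorVersion -ge 6 ) ) { throw 'OVF deployment tools requires PowerCLI version 6 or above' }

# Make the use of the committed default credential visible in the run log.
if ($Password -eq 'VMware1!VMware1!') {
    Write-Warning "Using the built-in default Edge password for $vraEdgeName; pass -Password to set your own."
}

try {
    $Cluster = get-cluster $ClusterName -errorAction Stop
    $DataStore = get-datastore $DatastoreName -errorAction Stop
    $EdgeUplinkNetwork = get-vdportgroup $EdgeUplinkNetworkName -errorAction Stop
    $CompCluster = Get-Cluster $CompClusterName -errorAction Stop
    $CompDataStore = get-datastore $CompDataStoreName -errorAction Stop
}
catch {
    # Double quotes so the underlying error is interpolated; the original single-quoted
    # string printed the literal text '$_' and hid the real cause.
    throw "Failed getting vSphere Inventory Item: $_"
}

# EDGE

## Uplink interface spec. Note there are three IP addresses on this interface: the primary
## and the two secondaries are the three VIPs created at the end of the script.
## Disconnected variant (no -ConnectedTo), kept for reference:
#$edgevnic0 = New-NsxEdgeinterfacespec -index 0 -Name 'Uplink' -type Uplink -PrimaryAddress $EdgeUplinkPrimaryAddress -SecondaryAddress $EdgeUplinkSecondaryAddress,$EdgeUplinkTertiaryAddress -SubnetPrefixLength $DefaultSubnetBits

# CONNECTED EDGE
## Connected to the uplink portgroup defined in $EdgeUplinkNetworkName (already looked up
## with -ErrorAction Stop in the inventory block above).
$edgevnic0 = New-NsxEdgeinterfacespec -index 0 -Name 'Uplink' -type Uplink -PrimaryAddress $EdgeUplinkPrimaryAddress -SecondaryAddress $EdgeUplinkSecondaryAddress,$EdgeUplinkTertiaryAddress -SubnetPrefixLength $DefaultSubnetBits -ConnectedTo $EdgeUplinkNetwork
## Secondary Interface (connected to DLR or Logical Switch) can be modified or uncommented. Ensure variables are populated in top parameter block
#$edgevnic1 = New-NsxEdgeinterfacespec -index 1 -Name $TsTransitLsName -type Internal -ConnectedTo $TsTransitLs -PrimaryAddress $EdgeInternalPrimaryAddress -SubnetPrefixLength $DefaultSubnetBits -SecondaryAddress $EdgeInternalSecondaryAddress

## Deploy appliance with the defined uplinks
write-host -foregroundcolor 'Green' "Creating $VraEdgeName"
$VraEdge = New-NsxEdge -name $VraEdgeName -cluster $Cluster -datastore $DataStore -Interface $edgevnic0 -Password $Password


# NOTE(review): this sets the Edge firewall default policy to accept, i.e. the Edge passes
# all traffic. The VIPs created below only listen on $HttpsPort, so outside a lab keep the
# default at deny and add explicit rules for the VIPs and the health monitors instead.
write-host -foregroundcolor 'Green' "Setting $VraEdgeName firewall default rule to permit"
$VraEdge = get-nsxedge $VraEdge.name
$VraEdge.features.firewall.defaultPolicy.action = 'accept'
$VraEdge | Set-NsxEdge -confirm:$false | out-null

write-host -foregroundcolor 'Green' "Enabling LoadBalancing on $VraEdgeName"
# Looked up by name, consistently with every other Get-NsxEdge call below.
Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | Set-NsxLoadBalancer -Enabled | out-null

#Building the LB monitors — all three are HTTPS GET probes; the manager and web monitors
#match a string in the response body, the application monitor matches the status line.
write-host -foregroundcolor 'Green' "Building vRealize Automation health monitors on $VraEdgeName"

$ManMon = Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | New-NsxLoadBalancerMonitor -Name $ManagerMonitorName -TypeHttps -interval $ManagerMonitorInterval -timeout $ManagerMonitorTimeout -MaxRetries $ManagerMonitorRetries -Method $ManagerMonitorMethod -Url $ManagerMonitorUrl -receive $ManagerMonitorReceive

$WebMon = Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | New-NsxLoadBalancerMonitor -Name $WebMonitorName -TypeHttps -interval $WebMonitorInterval -timeout $WebMonitorTimeout -MaxRetries $WebMonitorRetries -Method $WebMonitorMethod -Url $WebMonitorUrl -receive $WebMonitorRecieve

$AppMon = Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | New-NsxLoadBalancerMonitor -Name $ApplicationMonitorName -TypeHttps -interval $ApplicationMonitorInterval -timeout $ApplicationMonitorTimeout -MaxRetries $ApplicationMonitorRetries -Method $ApplicationMonitorMethod -Url $ApplicationMonitorUrl -Expected $ApplicationMonitorExpected

# Create App Profiles. SSL passthrough: TLS terminates on the vRA nodes, not on the Edge,
# so the Edge never holds the vRA certificates or keys.
write-host -foregroundcolor 'Green' "Creating Application Profiles on $VraEdgeName"
$WebAppProfile = Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | New-NsxLoadBalancerApplicationProfile -Name $WebAppProfileName -Type $VipProtocol -SslPassthrough
$MgrAppProfile = Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | New-NsxLoadBalancerApplicationProfile -Name $MgrAppProfileName -Type $VipProtocol -SslPassthrough
$AppAppProfile = Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | new-NsxLoadBalancerApplicationProfile -Name $AppAppProfileName -Type $VipProtocol -SslPassthrough

# Edge LB config - define pool members, then create each pool with its member specs and monitor.

# Web pool: the two IaaS web nodes on HTTPS.
$webpoolmember1 = New-NsxLoadBalancerMemberSpec -name $VraIaas01Name -IpAddress $VraIaas01Ip -Port $HttpsPort
$webpoolmember2 = New-NsxLoadBalancerMemberSpec -name $VraIaas02Name -IpAddress $VraIaas02Ip -Port $HttpsPort

write-host -foregroundcolor 'Green' "Creating Application Pool $WebPoolName on $VraEdgeName"
$WebPool = Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | New-NsxLoadBalancerPool -name $WebPoolName -Description 'vRA Web Pool' -Transparent:$false -Monitor $WebMon -Algorithm $LbAlgo -MemberSpec $webpoolmember1,$webpoolmember2

# Manager pool: the two IaaS manager nodes on HTTPS.
$mgrpoolmember1 = New-NsxLoadBalancerMemberSpec -name $VraIaas03Name -IpAddress $VraIaas03Ip -Port $HttpsPort
$mgrpoolmember2 = New-NsxLoadBalancerMemberSpec -name $VraIaas04Name -IpAddress $VraIaas04Ip -Port $HttpsPort

write-host -foregroundcolor 'Green' "Creating Application Pool $MgrPoolName on $VraEdgeName"
$MgrPool = Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | New-NsxLoadBalancerPool -name $MgrPoolName -Description 'vRA Manager Pool' -Transparent:$false -Monitor $ManMon -Algorithm $LbAlgo -Memberspec $mgrpoolmember1,$mgrpoolmember2

# Application pool: the two vRA appliances on HTTPS.
$AppPoolmember1 = New-NsxLoadBalancerMemberSpec -name $VraVa01Name -IpAddress $VraVa01Ip -Port $HttpsPort
$AppPoolmember2 = New-NsxLoadBalancerMemberSpec -name $VraVa02Name -IpAddress $VraVa02Ip -Port $HttpsPort

write-host -foregroundcolor 'Green' "Creating Application Pool $AppPoolName on $VraEdgeName"
$AppPool = Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | New-NsxLoadBalancerPool -name $AppPoolName -Description 'vRA Application Pool' -Transparent:$false -Algorithm $LbAlgo -Monitor $AppMon -Memberspec $AppPoolmember1,$AppPoolmember2



# Create the VIPs, one per uplink address: Web on the primary, Manager on the secondary,
# App on the tertiary. All listen on $HttpsPort with the passthrough profiles above.
write-host -foregroundcolor 'Green' "Creating VIPs $WebVipName, $AppVipName, and $MgrVipName"
Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | Add-NsxLoadBalancerVip -name $WebVipName -Description $WebVipName -ipaddress $EdgeUplinkPrimaryAddress -Port $HttpsPort -Protocol $VipProtocol -ApplicationProfile $WebAppProfile -DefaultPool $WebPool -AccelerationEnabled | out-null
Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | Add-NsxLoadBalancerVip -name $MgrVipName -Description $MgrVipName -ipaddress $EdgeUplinkSecondaryAddress -Port $HttpsPort -Protocol $VipProtocol -ApplicationProfile $MgrAppProfile -DefaultPool $MgrPool -AccelerationEnabled | out-null
Get-NsxEdge $vraEdgeName | Get-NsxLoadBalancer | Add-NsxLoadBalancerVip -name $AppVipName -Description $AppVipName -ipaddress $EdgeUplinkTertiaryAddress -Protocol $VipProtocol -Port $HttpsPort -ApplicationProfile $AppAppProfile -DefaultPool $AppPool -AccelerationEnabled | out-null


write-host -foregroundcolor 'Green' "Edge $vraEdgeName created"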