vRA 8 + NSX-T Blog Series Part 4: vRA 8 Blueprint with Existing Security Group (vRA tag)

You can create a vRA 8 blueprint to deploy machines and place them in existing NSX-T security group(s) using vRA tags.

Demo Product Versions

  • vSphere 6.5 U3
  • vRA 8.0.1 (including vRSLCM and vIDM)
  • NSX-T 2.5.1
  • vSAN 6.6.1

Prerequisites

vRA 8:

  • NSX-T account connected
  • Basic infrastructure configured (Projects, Cloud Zones, Flavor Mappings, Image Mappings)

NSX-T:

  • security group(s) configured

Process Overview

  1. Create a tag on the existing security group(s).
  2. Create a blueprint with Cloud Agnostic Machine, NSX Network, and Security Group objects.
  3. Specify which security group will be used by adding a constraint tag on the Security Group object.

Optional steps:

  • Create inputs in the blueprint to customize the machine name.

Demo / Example

Configure Security Group Tag

  1. Go to “Infrastructure” > “Security” (under Resources).
  2. Select the security group you want to add a tag to.
  3. Click “TAGS”.
  4. Enter name of a new tag in “Add tags” section then press “Enter” and save.
  5. Check that the tag has been created properly.

Create and Configure Blueprint

  1. Go to “Blueprints” and click “+ NEW” to create a new blueprint (or use an existing blueprint and skip this section).
  2. Give a name to the blueprint and choose a project.
  3. Drag on a Cloud Agnostic Machine and a NSX Network onto the canvas.
  4. Connect the Cloud Agnostic Machine to the NSX Network on the canvas.
  5. On the right side in the YAML file, choose an image and size for the machine.
  6. Under - network: , add the line assignment: static so the machine receives a static IP address from the IP range created earlier in this series.
  7. For the NSX network, set networkType under properties to either existing or outbound/routed/private, depending on whether you want an existing network or an on-demand one. This demo uses an existing network.

Configure Blueprint Security Group

  1. Drag a Security Group onto the canvas.
  2. For the security group, below securityGroupType: existing, add the line constraints: and under it a line - tag: followed by the tag you added to the existing security group. Constraint tags are hard by default; do not append the :soft suffix here, because a soft constraint lets vRA fall back to a different security group when the tag does not match, which would silently change the firewall policy the machine lands in.
  3. For the machine, under networks, add a line securityGroups: to the network entry.
  4. Below it add the line - '${resource.<security group object name>.id}' so that the NIC is attached to the security group object resolved above.
  5. Click “TEST”.
  6. Click “DEPLOY” to create a new deployment.
  7. Give it a deployment name, choose “Current Draft”, then click “DEPLOY”.

Verify Deployment

  1. Once deployed, go to the “Deployments” tab in vRA and note the IP address of the machine.
  2. Log into the NSX-T UI and go to “Inventory” > “Groups”.
  3. Click “View Members” on the security group you used in the blueprint.
  4. Click “IP Addresses”; the IP address of the deployment should be listed. If it is not, the tag constraint did not resolve to the group you expected, and the machine is not covered by that group's firewall rules.
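The two checks above (that the tag resolves to one security group, and that the deployed machine's IP is an effective member of it) can be scripted against the vRA and NSX-T APIs. The script below is an added example, not code from the original post. It works on JSON shaped like the responses of the vRA IaaS API (GET /iaas/api/security-groups) and the NSX-T Policy API (GET /policy/api/v1/infra/domains/default/groups/<group-id>/members/ip-addresses); those response shapes, the sample data, and the group names are assumptions for illustration, not captured from a live system.

```python
"""Offline checks around the existing-security-group blueprint.

Added example, not code from the original post. It works on JSON shaped like:
  * vRA IaaS API  GET /iaas/api/security-groups
      -> {"content": [{"id", "name", "tags": [{"key", "value"}]}, ...]}
  * NSX-T Policy API
      GET /policy/api/v1/infra/domains/default/groups/<group-id>/members/ip-addresses
      -> {"results": ["<ip>", ...], "result_count": n}
Both shapes are assumptions for illustration; the documents below are constructed
sample data, not captured from a live system.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample: two groups carry the same key-only tag 'vra-test-sg'.
VRA_SECURITY_GROUPS = json.loads("""
{"content": [
  {"id": "sg-1111", "name": "web-tier",
   "tags": [{"key": "vra-test-sg", "value": ""}]},
  {"id": "sg-2222", "name": "db-tier",
   "tags": [{"key": "tier", "value": "db"}]},
  {"id": "sg-3333", "name": "web-tier-copy",
   "tags": [{"key": "vra-test-sg", "value": ""}]}
]}
""")

# Constructed sample: effective IP members NSX-T reports for the target group.
NSX_GROUP_IP_MEMBERS = json.loads(
    '{"results": ["192.168.35.10", "192.168.35.11"], "result_count": 2}'
)


def parse_constraint_tag(tag: str) -> Tuple[str, str, bool]:
    """Split a blueprint constraint tag into (key, value, hard).

    vRA constraint tags are 'key' or 'key:value', optionally suffixed with
    ':hard' (the default) or ':soft'. A soft constraint lets vRA fall back to
    a resource without the tag, which is exactly what we refuse for security groups.
    """
    hard = True
    if tag.endswith(":soft"):
        tag, hard = tag[: -len(":soft")], False
    elif tag.endswith(":hard"):
        tag = tag[: -len(":hard")]
    key, _, value = tag.partition(":")
    return key, value, hard


def groups_matching_tag(vra_groups: Dict, tag: str) -> List[Dict]:
    """Return the vRA security-group records whose tags satisfy the constraint."""
    key, value, _ = parse_constraint_tag(tag)
    return [
        g for g in vra_groups.get("content", [])
        if any(t.get("key") == key and t.get("value", "") == value
               for t in g.get("tags", []))
    ]


def check_tag_constraint(vra_groups: Dict, tag: str) -> Dict:
    """A constraint is safe only if it is hard and resolves to exactly one group."""
    _, _, hard = parse_constraint_tag(tag)
    matches = [g["name"] for g in groups_matching_tag(vra_groups, tag)]
    return {"tag": tag, "hard": hard, "matches": matches,
            "ok": hard and len(matches) == 1}


def ip_is_group_member(nsx_members: Dict, ip: str) -> bool:
    """True if NSX-T lists the deployment's IP as an effective member of the group."""
    return ip in set(nsx_members.get("results", []))


def verify_deployment(vra_groups: Dict, tag: str, nsx_members: Dict, ip: str) -> Dict:
    """Combine both checks into one report for a deployed machine."""
    report = check_tag_constraint(vra_groups, tag)
    report["ip"] = ip
    report["member"] = ip_is_group_member(nsx_members, ip)
    report["ok"] = report["ok"] and report["member"]
    return report


if __name__ == "__main__":
    # The tag used in the post's blueprint is ambiguous in this sample data.
    print(json.dumps(check_tag_constraint(VRA_SECURITY_GROUPS, "vra-test-sg"), indent=2))
    # A key:value tag that matches exactly one group, and an IP NSX-T confirms.
    print(json.dumps(verify_deployment(VRA_SECURITY_GROUPS, "tier:db",
                                       NSX_GROUP_IP_MEMBERS, "192.168.35.10"), indent=2))
```

In practice the two JSON documents come from the APIs named in the docstring (authenticated with a vRA bearer token and NSX-T credentials); the point of the script is that a tag matching more than one security group, or carrying a :soft suffix, is reported as a failure before anyone relies on the group's firewall rules.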

Demo / Example Blueprint YAML File

formatVersion: 1
inputs:
  vm-name:
    type: string
    title: name
    default: existing-sg-vm
resources:
  Cloud_SecurityGroup_1:
    type: Cloud.SecurityGroup
    properties:
      # "existing" makes vRA look up a security group instead of creating one;
      # the hard constraint tag must match the tag added to the NSX-T group in vRA
      securityGroupType: existing
      constraints:
        - tag: vra-test-sg
  Cloud_Machine_1:
    type: Cloud.Machine
    properties:
      image: centos-temp
      flavor: small
      customizationSpec: linux
      name: '${input.vm-name}'
      networks:
        - network: '${resource.Cloud_NSX_Network_1.id}'
          # static assignment takes an address from the IP range configured on the network
          assignment: static
          # attaches this NIC to the security group resolved above
          securityGroups:
            - '${resource.Cloud_SecurityGroup_1.id}'
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      # existing network, selected by its subnet-cidr tag
      networkType: existing
      constraints:
        - tag: 'subnet-cidr:192.168.35.0/24'