vRA 8 + NSX-T Blog Series Part 5: vRA 8 Blueprint with Existing Security Group (segment port tag)
You can create a vRA 8 blueprint to deploy machines and place them in existing NSX-T security group(s) by putting tags on the machine segment port(s).
Update: July 26, 2021
Starting with vRA 8.2, using segment port tags to place machines in NSX-T security groups no longer works. Thanks to my colleague, Mukesh Idnani, for this finding!
Demo Product Versions
- vSphere 6.5 U3
- vRA 8.0.1 (including vRSLCM and vIDM)
- NSX-T 2.5.1
- vSAN 6.6.1
Prerequisites
- NSX-T account connected
- Basic infrastructure configured (Projects, Cloud Zones, Flavor Mappings, Image Mappings)
- Security group(s) configured
Steps
- Configure Membership Criteria of the existing security group(s).
- Create a blueprint with Cloud Agnostic Machine and NSX Network objects.
- Configure the tag on the machine network in the blueprint to place a tag on the machine segment port.
- Create inputs in the blueprint to customize the machine name.
Demo / Example
Configure Security Group Membership Criteria
- Log into NSX-T and go to “Inventory” > “Groups”.
- Edit the security group you want to configure.
- Click “Set Members”.
- Click “+ ADD CRITERIA”.
- Select “Segment Port” in the first column under “Criteria”.
- Enter the tag name and the scope. The vRA blueprint needs both: the scope becomes the tag `key` and the tag name becomes the tag `value` in the blueprint YAML.
Create and Configure Blueprint
- Go to “Blueprints” and Click “+ NEW” to create a new blueprint (or you can choose to use an existing blueprint and skip this section).
- Give a name to the blueprint and choose a project.
- Drag a Cloud Agnostic Machine and an NSX Network onto the canvas. Note that you do not need to add the Security Group object to the blueprint.
- Connect the Cloud Agnostic Machine to the NSX Network on the canvas.
- On the right side in the YAML file, choose an image and size (flavor) for the machine.
- Under the machine's `networks:` entry, add the line `assignment: static` to give the machine a static IP address from the IP range we've created.
- For the NSX network, change the `properties` accordingly depending on whether you have configured existing or on-demand networks in the network profile. In this demo, I'll be using an existing network.
Add Segment Port Tag in Blueprint
- For the machine, under `networks`, add a `tags:` line under the network entry.
- Add the line `- key: <insert scope name>`.
- Add the line `value: <insert tag name>` below it. Make sure `key` and `value` are aligned. The scope and tag name must match the group's membership criteria exactly: if they differ, the segment port is still tagged but the machine will not appear in the group. Note that anything following a hashtag is a comment in YAML.
- Click “TEST”.
- Click “DEPLOY” to create a new deployment.
- Give it a deployment name, choose “Current Draft”, then click “DEPLOY”.
- Once deployed, go to the “Deployments” tab in vRA and note the IP address of the deployment.
- Now log into NSX-T UI and go to “Inventory” > “Groups”.
- Click “View Members” of the security group you have used.
- Click “IP Addresses” and you’ll see the IP address of the deployment.
- If you want to see the segment port tag that has been applied, log into NSX-T and go to “Advanced Networking & Security” > “Switching”.
- Select the overlay network that the machine has been placed on.
- Find the logical port that belongs to the machine. You can see the VM name if you look at the “Attachment” column. If you don’t know the VM name that has been created, go to vRA 8 UI > “Deployments” and check the deployment.
- Select the logical port and click “Actions” > “Manage Tags”.
- You should see the tag that you’ve specified in the blueprint.
Demo / Example Blueprint YAML File
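The blueprint YAML itself did not survive on this page, so the following is an added example assembled from the steps above; it is not the author's file. The resource names `Cloud_Machine_1` and `Cloud_NSX_Network_1`, the input `hostname`, the image and flavor mapping names `ubuntu` and `small`, the network constraint tag `net:web`, and the NSX-T scope/tag pair `env`/`web` are assumptions to replace with your own values.

```yaml
# Added example blueprint for vRA 8.0.x (segment port tagging stopped working in 8.2).
# Names, mapping names, and the env/web scope/tag pair are assumptions.
formatVersion: 1
name: existing-sg-segment-port-tag
version: 1
inputs:
  hostname:
    type: string
    title: Machine name
    description: Used as the VM name in vSphere and NSX-T
    default: web-01
resources:
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      # "existing" selects a segment from the network profile; use "routed"
      # or "outbound" instead for on-demand networks.
      networkType: existing
      # Optional: pick the network profile by capability tag (assumed tag).
      constraints:
        - tag: 'net:web'
  Cloud_Machine_1:
    type: Cloud.Machine
    properties:
      name: '${input.hostname}'
      image: ubuntu    # image mapping name (assumed)
      flavor: small    # flavor mapping name (assumed)
      networks:
        - network: '${resource.Cloud_NSX_Network_1.id}'
          assignment: static   # static IP from the network profile's IP range
          # Applied to the machine's NSX-T segment port at deployment.
          # key   = the "Scope" entered in the group's Segment Port criteria
          # value = the "Tag" entered in the group's Segment Port criteria
          tags:
            - key: env
              value: web
```

No Security Group object is needed in the blueprint: membership comes entirely from the group's Segment Port criteria matching the `key`/`value` pair. After deploying, confirm the machine's IP address under the group's “IP Addresses” members view, and if it is missing, compare the scope and tag on the logical port under “Manage Tags” against the criteria character for character.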