Using Existing NSX-T Security Groups in VMC on AWS with vRA Cloud
There are different ways you can consume existing NSX-T security groups in a VMC on AWS environment with vRA Cloud templates: through a vRA template or through a network profile.
Demo Product Versions
- vRA Cloud
- VMC on AWS (SDDC version 1.13)
VMC on AWS:
- Active SDDC
- Basic infrastructure configured for the VMC on AWS environment (Cloud Proxy, Cloud Account, Project, Cloud Zone, Flavor Mapping, Image Mapping)
- Using vRA template
- Using vRA network profile
Demos / Examples
Method 1: Using vRA Template
- Under “Compute Groups” in the VMC on AWS UI, create a security group.
- In vRA Cloud Assembly, go to “Resources” > “Security” and add a tag for the security group you just created in VMC on AWS.
- In a vRA Cloud template in vRA Cloud Assembly, drag a Cloud Agnostic Security Group resource on the canvas and connect it to the machine you’d like to place in the security group.
- Under “constraints:”, add the line “- tag: <insert tag name>”.
- Make sure the value for
- After you deploy the template and the deployment is finished, you can go to the VMC on AWS UI, click “View Members” for the security group and verify that the newly created machine is placed in the existing security group.
After the deployment is completed, you can reconfigure the security group in the existing deployment by changing it in the vRA Cloud template and choosing “Update an existing deployment”.
Method 1 YAML
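A minimal Cloud Assembly template for Method 1, added here as an illustration and not the author's original YAML. The tag values, image and flavor mapping names and resource names are placeholders, and `securityGroupType: existing` is assumed as the setting that reuses a discovered group rather than creating one.

```yaml
# Added example, not the author's template. Names and tag values are placeholders.
formatVersion: 1
inputs: {}
resources:
  Cloud_SecurityGroup_1:
    type: Cloud.SecurityGroup        # the Cloud Agnostic Security Group canvas resource
    properties:
      # Assumption: "existing" selects a discovered NSX-T group instead of creating a new one.
      securityGroupType: existing
      constraints:
        # Must match the tag added to the group under Resources > Security in Cloud Assembly.
        - tag: vmc-existing-sg       # placeholder tag name
  Cloud_Machine_1:
    type: Cloud.Machine
    properties:
      image: ubuntu                  # placeholder image mapping
      flavor: small                  # placeholder flavor mapping
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          # This binding is what connecting the machine to the security group
          # on the canvas produces.
          securityGroups:
            - '${resource.Cloud_SecurityGroup_1.id}'
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing
      constraints:
        - tag: vmc-segment           # placeholder tag for an existing VMC network segment
```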
Method 2: Using vRA Network Profile
- In vRA Cloud Assembly, go to “Infrastructure” then “Network Profiles”. Create a network profile or edit an existing one.
- Under “Security Groups”, add existing security group(s) that you want to use. In this example, I added two existing security groups.
- In a vRA Cloud template in vRA Cloud Assembly, make sure that the machine(s) being deployed will use the network profile you’ve created. In this example, I have created a capability tag on the network profile and the machine is using that capability tag under “constraints”. Note that you do not need a security group resource in the template.
- After you deploy the template and the deployment is finished, you can go to the VMC on AWS UI, click “View Members” for the security group and verify that the newly created machine is placed in the existing security group. I added two security groups to the network profile so the machine deployed has been placed in both security groups. Note that with this method, all the machines deployed with the template will be placed in all the security groups in the network profile.
Method 2 YAML