NSX Cloud. Part 2 : Working with CSM



After a successful installation, it is time to configure CSM. Two integrations need to take place: one with the on-prem NSX-T Manager and another with the public cloud accounts. Let’s get started:

Log in to CSM, navigate to Settings and click Configure. Enter the NSX Manager hostname (FQDN is preferred) or IP address, credentials and thumbprint. Click Connect.

Once connectivity is successful, this part is over and we can move on to the next piece: integrating public cloud accounts. Click Finish.
Before actually adding any public cloud account (Azure or AWS), we need to make some preparations and run scripts that are available on [] under the Drivers & Tools section.

Once you unpack it, there will be two folders: one for AWS and one for Azure.

Let’s start with the AWS side, since I found it a bit easier to implement. The script will generate the IAM profile and role required by PCG. You will need a Linux box with the following installed:




The guide below will help you install the AWS CLI on your machine.

  1. Connect to your Linux machine and install pip
    [root@ns1 ~]# curl -O
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 1659k 100 1659k 0 0 2157k 0 --:--:-- --:--:-- --:--:-- 2157k
    [root@ns1 ~]# python --user
    Collecting pip
    Downloading (1.4MB)
    100% |████████████████████████████████| 1.4MB 5.0MB/s
    Collecting wheel
    Installing collected packages: pip, wheel
    The script wheel is installed in '/root/.local/bin' which is not on PATH.
    Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
    Successfully installed pip-19.0.3 wheel-0.33.1
  2. Install AWS CLI
    [root@ns1 ~]# pip install awscli --upgrade --user
    Collecting awscli
    Downloading (1.4MB)
    100% |████████████████████████████████| 1.5MB 12.1MB/s
    Collecting botocore==1.12.105 (from awscli)
    Downloading (5.3MB)
    100% |████████████████████████████████| 5.3MB 597kB/s
    Collecting colorama<=0.3.9,>=0.2.5 (from awscli)
    Collecting rsa<=3.5.0,>=3.1.2 (from awscli)
    Downloading (46kB)
    100% |████████████████████████████████| 51kB 21.2MB/s
    Collecting docutils>=0.10 (from awscli)
    Downloading (543kB)
    100% |████████████████████████████████| 552kB 6.2MB/s
    Collecting s3transfer<0.3.0,>=0.2.0 (from awscli)
    Downloading (69kB)
    100% |████████████████████████████████| 71kB 4.5MB/s
    Requirement already satisfied, skipping upgrade: PyYAML<=3.13,>=3.10 in /usr/lib64/python2.7/site-packages (from awscli) (3.12)
    Collecting jmespath<1.0.0,>=0.7.1 (from botocore==1.12.105->awscli)
    Collecting python-dateutil<3.0.0,>=2.1; python_version >= "2.7" (from botocore==1.12.105->awscli)
    Downloading (226kB)
    100% |████████████████████████████████| 235kB 32.6MB/s
    Requirement already satisfied, skipping upgrade: urllib3<1.25,>=1.20; python_version == "2.7" in /usr/lib/python2.7/site-packages (from botocore==1.12.105->awscli) (1.22)
    Requirement already satisfied, skipping upgrade: pyasn1>=0.1.3 in /usr/lib/python2.7/site-packages (from rsa<=3.5.0,>=3.1.2->awscli) (0.4.3)
    Collecting futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" (from s3transfer<0.3.0,>=0.2.0->awscli)
    Requirement already satisfied, skipping upgrade: six>=1.5 in /usr/lib/python2.7/site-packages (from python-dateutil<3.0.0,>=2.1; python_version >= "2.7"->botocore==1.12.105->awscli) (1.11.0)
    Installing collected packages: jmespath, docutils, python-dateutil, botocore, colorama, rsa, futures, s3transfer, awscli
    The scripts pyrsa-decrypt, pyrsa-decrypt-bigfile, pyrsa-encrypt, pyrsa-encrypt-bigfile, pyrsa-keygen, pyrsa-priv2pub, pyrsa-sign and pyrsa-verify are installed in '/root/.local/bin' which is not on PATH.
    Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
    Successfully installed awscli-1.16.115 botocore-1.12.105 colorama-0.3.9 docutils-0.14 futures-3.2.0 jmespath-0.9.4 python-dateutil-2.8.0 rsa-3.4.2 s3transfer-0.2.0
  3. Install jq and OpenSSL. In my case I already had OpenSSL installed
    [root@ns1 ~]# yum install jq
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
    * base:
    * epel:
    * extras:
    * updates:
    Resolving Dependencies
    --> Running transaction check
    ---> Package jq.x86_64 0:1.5-1.el7 will be installed
    --> Processing Dependency: for package: jq-1.5-1.el7.x86_64
    --> Running transaction check
    ---> Package oniguruma.x86_64 0:5.9.5-3.el7 will be installed
    --> Finished Dependency Resolution
    Dependencies Resolved
    Package Arch Version Repository Size
    jq x86_64 1.5-1.el7 epel 153 k
    Installing for dependencies:
    oniguruma x86_64 5.9.5-3.el7 epel 129 k
    Transaction Summary
    Install 1 Package (+1 Dependent package)
    Total download size: 282 k
    Installed size: 906 k
    Is this ok [y/d/N]: y
    Downloading packages:
    (1/2): jq-1.5-1.el7.x86_64.rpm | 153 kB 00:00
    (2/2): oniguruma-5.9.5-3.el7.x86_64.rpm | 129 kB 00:01
    Total 208 kB/s | 282 kB 00:01
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
    Installing : oniguruma-5.9.5-3.el7.x86_64 1/2
    Installing : jq-1.5-1.el7.x86_64 2/2
    Verifying : oniguruma-5.9.5-3.el7.x86_64 1/2
    Verifying : jq-1.5-1.el7.x86_64 2/2
    jq.x86_64 0:1.5-1.el7
    Dependency Installed:
    oniguruma.x86_64 0:5.9.5-3.el7
    For OpenSSL, run "yum install openssl".
  4. Configure the AWS CLI so that it can authenticate. You will need the access key ID and secret access key for your AWS account ready
    [root@ns1 bin]# ./aws configure
    AWS Access Key ID [None]: ******
    AWS Secret Access Key [None]: *******
    Default region name [None]: us-west-1
    Default output format [None]: json
  5. Once authenticated, issue a test command, such as listing your S3 buckets, to make sure that you can interact with your account using the AWS CLI
    [root@ns1 bin]# ./aws s3 ls
    2017-09-25 14:08:16 nizami-bucket1
  6. Move the file from your previously downloaded script folder to the Linux machine and run it
    [root@ns1 ~]# bash
    AWS Profile is set as default
    AWS CLI configuration verified successfully.
    openssl installation verified successfully.
    JSON parser 'jq' installation verified successfully.
    (If you get errors in the above output, verify your dependency installations (OpenSSL and jq) and your AWS credentials.)
    Do you want to create an IAM user for CSM and an IAM role for PCG? [yes/no] yes
    We will be creating IAM user for CSM and respective role for PCG
    What do you want to name the IAM User?
    Creating IAM user nsx-csm and IAM role nsx_pcg_service …
    (Note the role name, as we will need it later for the integration with CSM.)
    IAM user and role creation successful. Please check file ./aws_details.txt for user credentials and role name information.
    Do you want add trust relationship for any Transit VPC account? [yes/no] no
    Script execution successful! Detailed script logs are generated in file ./nsx_csm_iam_script.log
    Now look for the aws_details.txt file, which should look like this:
    [root@ns1 ~]# more aws_details.txt
    "AccessKeyId": *******
    "SecretAccessKey": ****
    "RoleName": "nsx_pcg_service",
    You will need the values of those keys and the role name during the integration.
  7. Go back to CSM, navigate to Clouds -> AWS and click ADD
    Fill in the information from the file above (Access Key, Secret Key and Gateway Role Name) and click ADD
  8. Once the account has been added successfully, you should see something similar to this

Azure preparations

To run the scripts on the Azure side, we will need the following:

PowerShell 5 or higher

AzureRM Module

Let’s start

  1. Launch Windows PowerShell and check the version
  2. Install the AzureRM module
  3. Log in to your Azure account. A pop-up window will appear for you to enter your credentials
  4. Navigate to your account in the Azure portal and search for “Subscription”. We will need this to run our script
  5. Navigate to the folder where the script was copied and launch ./CreateNSXRoles.ps1 -subscriptionID _YourSubscriptionID_. This will generate a Service Principal and identity roles for CSM and PCG. The output will be written to a text file. We will need that later when adding the Azure account to CSM
  6. Log in to CSM, navigate to Clouds -> Azure and click ADD
    Fill in the information stored in the text file. The default PCG role name is “nsx-pcg-role”. Click ADD
  7. Once the account has been added successfully, you should see something similar to this
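
The aws_details.txt file from step 6 of the AWS procedure keeps the CSM user's access key and secret key in clear text. The shell functions below are an added example, not part of the original post or of the VMware script: they read the three values CSM asks for and restrict the file to its owner. The `"Key": "value",` line layout is assumed from the excerpt above, the function names are hypothetical, and the sample values are constructed.

```shell
#!/usr/bin/env bash
# Added example: inspect and lock down the aws_details.txt written in step 6.
# Assumed layout (from the excerpt above): one  "Key": "value",  pair per line.

# Print the value stored under one key (AccessKeyId, SecretAccessKey, RoleName).
details_value() {
    awk -v key="$2" '
        { k = $0; sub(/:.*/, "", k); gsub(/[" \t]/, "", k) }
        k == key {
            v = substr($0, index($0, ":") + 1)
            sub(/^[ \t"]+/, "", v); sub(/[ \t",\r]+$/, "", v)
            print v; exit
        }' "$1"
}

# Succeed only if all three values CSM asks for are present and non-empty.
details_complete() {
    local key
    for key in AccessKeyId SecretAccessKey RoleName; do
        [ -n "$(details_value "$1" "$key")" ] || return 1
    done
}

# Succeed only if group and others have no access to the file (GNU stat).
details_is_private() {
    case "$(stat -c '%a' "$1")" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Restrict the file to its owner, then re-check the result.
lock_down_details() {
    chmod 600 "$1" && details_is_private "$1"
}

# Demo on a constructed file; the values are placeholders, not real keys.
demo=$(mktemp)
cat > "$demo" <<'EOF'
"AccessKeyId": "EXAMPLE-ACCESS-KEY-ID",
"SecretAccessKey": "constructed-placeholder-secret",
"RoleName": "nsx_pcg_service",
EOF
chmod 644 "$demo"    # simulate a permissive umask
details_is_private "$demo" || echo "aws_details.txt is readable by other users"
lock_down_details "$demo" && echo "mode is now $(stat -c '%a' "$demo")"
details_complete "$demo" && echo "role for CSM: $(details_value "$demo" RoleName)"
rm -f "$demo"
```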

This concludes the CSM preparations. The next part will be dedicated to routing configurations. Stay tuned…

Author-  Nizami Mammadov CCIE#22247, VCAP-NV
