NSX Cloud. Part 2: Working with CSM

After a successful installation it is time for the CSM configuration. Two integrations need to take place: one with the on-prem NSX-T Manager and another with the public cloud accounts. Let's get started:
Log in to CSM, navigate to Settings and click Configure. Enter the NSX Manager hostname (FQDN is preferred) or IP address, the credentials and the thumbprint, then click Connect.
Once connectivity succeeds this part is done and we can move on to integrating the public cloud accounts. Click Finish.
Before adding any public cloud account (Azure or AWS) we need to make some preparations and run the scripts that are available on [downloads.vmware.com] under the Drivers & Tools section.
Once you unpack the archive there will be two folders: one for AWS and one for Azure.
Let's start with the AWS side, since I found it a bit easier to implement. The script will generate the IAM profile and role required by PCG. You will need a Linux box with the following installed:
AWS CLI
JQ
Openssl
The guide below will help you install the AWS CLI on your machine:
https://docs.aws.amazon.com/cli/latest/userguide/install-linux.html
- Connect to your Linux machine and install pip
    [root@ns1 ~]# curl -O https://bootstrap.pypa.io/get-pip.py
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 1659k  100 1659k    0     0  2157k      0 --:--:-- --:--:-- --:--:-- 2157k
    [root@ns1 ~]# python get-pip.py --user
    Collecting pip
      Downloading https://files.pythonhosted.org/packages/d8/f3/413bab4ff08e1fc4828dfc59996d721917df8e8583ea85385d51125dceff/pip-19.0.3-py2.py3-none-any.whl (1.4MB)
        100% |████████████████████████████████| 1.4MB 5.0MB/s
    Collecting wheel
      Downloading https://files.pythonhosted.org/packages/96/ba/a4702cbb6a3a485239fbe9525443446203f00771af9ac000fa3ef2788201/wheel-0.33.1-py2.py3-none-any.whl
    Installing collected packages: pip, wheel
      The script wheel is installed in '/root/.local/bin' which is not on PATH.
      Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
    Successfully installed pip-19.0.3 wheel-0.33.1
- Install the AWS CLI
    [root@ns1 ~]# pip install awscli --upgrade --user
    Collecting awscli
      Downloading https://files.pythonhosted.org/packages/aa/ea/cb62728e9b38f9d8c620d60815f8dd54ca015f6b9af8f5a3d03d9b2e3c64/awscli-1.16.115-py2.py3-none-any.whl (1.4MB)
        100% |████████████████████████████████| 1.5MB 12.1MB/s
    Collecting botocore==1.12.105 (from awscli)
      Downloading https://files.pythonhosted.org/packages/cf/ce/acc9013dee20fc94c9b9ae121f5b7b342a206f0d577be1e5c6129811194a/botocore-1.12.105-py2.py3-none-any.whl (5.3MB)
        100% |████████████████████████████████| 5.3MB 597kB/s
    Collecting colorama<=0.3.9,>=0.2.5 (from awscli)
      Downloading https://files.pythonhosted.org/packages/db/c8/7dcf9dbcb22429512708fe3a547f8b6101c0d02137acbd892505aee57adf/colorama-0.3.9-py2.py3-none-any.whl
    Collecting rsa<=3.5.0,>=3.1.2 (from awscli)
      Downloading https://files.pythonhosted.org/packages/e1/ae/baedc9cb175552e95f3395c43055a6a5e125ae4d48a1d7a924baca83e92e/rsa-3.4.2-py2.py3-none-any.whl (46kB)
        100% |████████████████████████████████| 51kB 21.2MB/s
    Collecting docutils>=0.10 (from awscli)
      Downloading https://files.pythonhosted.org/packages/50/09/c53398e0005b11f7ffb27b7aa720c617aba53be4fb4f4f3f06b9b5c60f28/docutils-0.14-py2-none-any.whl (543kB)
        100% |████████████████████████████████| 552kB 6.2MB/s
    Collecting s3transfer<0.3.0,>=0.2.0 (from awscli)
      Downloading https://files.pythonhosted.org/packages/d7/de/5737f602e22073ecbded7a0c590707085e154e32b68d86545dcc31004c02/s3transfer-0.2.0-py2.py3-none-any.whl (69kB)
        100% |████████████████████████████████| 71kB 4.5MB/s
    Requirement already satisfied, skipping upgrade: PyYAML<=3.13,>=3.10 in /usr/lib64/python2.7/site-packages (from awscli) (3.12)
    Collecting jmespath<1.0.0,>=0.7.1 (from botocore==1.12.105->awscli)
      Downloading https://files.pythonhosted.org/packages/83/94/7179c3832a6d45b266ddb2aac329e101367fbdb11f425f13771d27f225bb/jmespath-0.9.4-py2.py3-none-any.whl
    Collecting python-dateutil<3.0.0,>=2.1; python_version >= "2.7" (from botocore==1.12.105->awscli)
      Downloading https://files.pythonhosted.org/packages/41/17/c62faccbfbd163c7f57f3844689e3a78bae1f403648a6afb1d0866d87fbb/python_dateutil-2.8.0-py2.py3-none-any.whl (226kB)
        100% |████████████████████████████████| 235kB 32.6MB/s
    Requirement already satisfied, skipping upgrade: urllib3<1.25,>=1.20; python_version == "2.7" in /usr/lib/python2.7/site-packages (from botocore==1.12.105->awscli) (1.22)
    Requirement already satisfied, skipping upgrade: pyasn1>=0.1.3 in /usr/lib/python2.7/site-packages (from rsa<=3.5.0,>=3.1.2->awscli) (0.4.3)
    Collecting futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" (from s3transfer<0.3.0,>=0.2.0->awscli)
      Downloading https://files.pythonhosted.org/packages/2d/99/b2c4e9d5a30f6471e410a146232b4118e697fa3ffc06d6a65efde84debd0/futures-3.2.0-py2-none-any.whl
    Requirement already satisfied, skipping upgrade: six>=1.5 in /usr/lib/python2.7/site-packages (from python-dateutil<3.0.0,>=2.1; python_version >= "2.7"->botocore==1.12.105->awscli) (1.11.0)
    Installing collected packages: jmespath, docutils, python-dateutil, botocore, colorama, rsa, futures, s3transfer, awscli
      The scripts pyrsa-decrypt, pyrsa-decrypt-bigfile, pyrsa-encrypt, pyrsa-encrypt-bigfile, pyrsa-keygen, pyrsa-priv2pub, pyrsa-sign and pyrsa-verify are installed in '/root/.local/bin' which is not on PATH.
      Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
    Successfully installed awscli-1.16.115 botocore-1.12.105 colorama-0.3.9 docutils-0.14 futures-3.2.0 jmespath-0.9.4 python-dateutil-2.8.0 rsa-3.4.2 s3transfer-0.2.0
- Install jq and OpenSSL. In my case I already had OpenSSL installed
    [root@ns1 ~]# yum install jq
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
     * base: repos-lax.psychz.net
     * epel: mirror.prgmr.com
     * extras: mirrors.ocf.berkeley.edu
     * updates: mirrors.ocf.berkeley.edu
    Resolving Dependencies
    --> Running transaction check
    ---> Package jq.x86_64 0:1.5-1.el7 will be installed
    --> Processing Dependency: libonig.so.2()(64bit) for package: jq-1.5-1.el7.x86_64
    --> Running transaction check
    ---> Package oniguruma.x86_64 0:5.9.5-3.el7 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package          Arch        Version            Repository       Size
    ================================================================================
    Installing:
     jq               x86_64      1.5-1.el7          epel            153 k
    Installing for dependencies:
     oniguruma        x86_64      5.9.5-3.el7        epel            129 k

    Transaction Summary
    ================================================================================
    Install  1 Package (+1 Dependent package)

    Total download size: 282 k
    Installed size: 906 k
    Is this ok [y/d/N]: y
    Downloading packages:
    (1/2): jq-1.5-1.el7.x86_64.rpm                             | 153 kB  00:00
    (2/2): oniguruma-5.9.5-3.el7.x86_64.rpm                    | 129 kB  00:01
    --------------------------------------------------------------------------------
    Total                                              208 kB/s | 282 kB  00:01
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : oniguruma-5.9.5-3.el7.x86_64                                 1/2
      Installing : jq-1.5-1.el7.x86_64                                          2/2
      Verifying  : oniguruma-5.9.5-3.el7.x86_64                                 1/2
      Verifying  : jq-1.5-1.el7.x86_64                                          2/2

    Installed:
      jq.x86_64 0:1.5-1.el7

    Dependency Installed:
      oniguruma.x86_64 0:5.9.5-3.el7

    Complete!

For OpenSSL, run "yum install openssl".
- Configure the AWS CLI to authenticate. You will need the access key ID and secret access key for your AWS account ready
    [root@ns1 bin]# ./aws configure
    AWS Access Key ID [None]: ******
    AWS Secret Access Key [None]: *******
    Default region name [None]: us-west-1
    Default output format [None]: json
- Once authenticated, issue some test commands, such as listing your S3 buckets, to make sure you can interact with your account using the AWS CLI
    [root@ns1 bin]# ./aws s3 ls
    2017-09-25 14:08:16 nizami-bucket1
- Copy nsx_csm_iam_script.sh from the script folder you downloaded earlier to the Linux machine and run it
    [root@ns1 ~]# bash nsx_csm_iam_script.sh
    AWS Profile is set as default
    AWS CLI configuration verified successfully.
    openssl installation verified successfully.
    JSON parser 'jq' installation verified successfully.
    If you get errors in above output, verify your dependency installations (Openssl and jq) and your AWS credentials)
    *******************
    Do you want to create an IAM user for CSM and an IAM role for PCG? [yes/no] yes
    We will be creating IAM user for CSM and respective role for PCG
    What do you want to name the IAM User? nsx-csm
    Creating IAM user nsx-csm and IAM role nsx_pcg_service ...
    Note role name as we will need to later for integration with CSM
    ****************
    IAM user and role creation successful.
    Please check file ./aws_details.txt for user credentials and role name information.
    Do you want add trust relationship for any Transit VPC account? [yes/no] no
    Script execution successful!
    Detailed script logs are generated in file ./nsx_csm_iam_script.log

Now look for the aws_details.txt file, which should look like this:

    [root@ns1 ~]# more aws_details.txt
    "AccessKeyId": *******
    "SecretAccessKey": ****
    "RoleName": "nsx_pcg_service",

You will need the values of those keys and the role name during the integration.
- Go back to CSM, navigate to Clouds > AWS and click ADD
Fill in the information from the file above (Access Key, Secret Key and Gateway Role name) and click ADD. Once the account is added successfully you should see something similar to this
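As an added post-run check (my own example, not VMware's script or part of the original post), the snippet below reads aws_details.txt in the layout shown above, restricts the file's permissions, confirms with STS that the generated key really belongs to the IAM user you named, and prints the PCG role's trust policy for review. It assumes the AWS CLI is already configured and that the user is nsx-csm and the role nsx_pcg_service as in the run above.

```shell
#!/bin/sh
# Post-run checks for the aws_details.txt written by nsx_csm_iam_script.sh.
# Added example, not VMware's code. Assumes "Key": "value" lines as on the
# page and a working `aws` CLI with permissions for sts and iam get-role.
set -eu

# Pull one value out of aws_details.txt, tolerating optional quotes/commas.
extract_field() {  # $1 = key, $2 = file
  sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",]*\)\"\{0,1\},\{0,1\}.*/\1/p" "$2" | head -n 1
}

# True when an STS caller ARN belongs to the IAM user we expect.
arn_is_user() {  # $1 = ARN, $2 = expected user name
  case "$1" in *":user/$2") return 0 ;; esac
  return 1
}

# Constructed sample in the page's format (fake key material, not real creds).
write_sample_details() {  # $1 = target file
  cat > "$1" <<'EOF'
"AccessKeyId": "AKIAEXAMPLE000000000"
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"RoleName": "nsx_pcg_service",
EOF
}

# Live checks: lock the file down, confirm the key is the CSM user's, and
# show the PCG role's trust policy so you can confirm only the principals
# you expect are allowed to assume it.
verify_csm_artifacts() {  # $1 = aws_details.txt, $2 = expected IAM user
  chmod 600 "$1"                      # long-lived credentials: owner-only
  key=$(extract_field AccessKeyId "$1")
  secret=$(extract_field SecretAccessKey "$1")
  role=$(extract_field RoleName "$1")
  arn=$(AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" \
        aws sts get-caller-identity --query Arn --output text)
  arn_is_user "$arn" "$2" || { echo "unexpected caller: $arn" >&2; return 1; }
  echo "key belongs to $arn"
  aws iam get-role --role-name "$role" \
      --query 'Role.AssumeRolePolicyDocument' --output json
}

# Usage: ./check_aws_details.sh verify ./aws_details.txt nsx-csm
if [ "${1:-}" = "verify" ]; then
  verify_csm_artifacts "$2" "${3:-nsx-csm}"
fi
```

Run it right after the script finishes and before pasting the values into CSM; if the caller ARN is not the user you created, stop and check the script log.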
Azure preparations
To run the scripts on the Azure side we will need the following:
PowerShell 5 or higher
AzureRM Module
Let's start:
- Launch Windows PowerShell and check version
- Install the AzureRM module
- Log in to your Azure account. A pop-up window will appear for you to enter your credentials
- Navigate to your account in the Azure portal and search for "Subscription". We will need the subscription ID to run our script
- Navigate to the folder where the script was copied and launch .\CreateNSXRoles.ps1 -subscriptionID <YourSubscriptionID>. This generates the Service Principal and the identity roles for CSM and PCG. The output is written to a text file; we will need it later when adding the Azure account to CSM
- Log in to CSM, navigate to Clouds > Azure and click ADD
Fill in the information stored in the text file. The default PCG role name is "nsx-pcg-role". Click ADD. Once the account is added successfully you should see something similar to this
This concludes the CSM preparations. The next part will be dedicated to routing configurations. Stay tuned…
Author: Nizami Mammadov, CCIE#22247, VCAP-NV