share's Issues
test
PowerNSX 3Tier App Build
Author: Anthony Burke t:@pandom_ b:networkinferno.net
Revisions: Nick Bradford, Dimitri Desmidt
version 1.0
September 9, 2016
--------------------------------------------------
____ ** _ _ __** ____ __ _ ____ _ _
( _ \ / \ / )( ( __)( _ ( ( / ___)( / )
) /( O )\ /\ / ) _) ) // /_ \ ) (
() **/ (/_)(___)())**)(___/(/_)
PowerShell extensions for NSX for vSphere
--------------------------------------------------
<#
Copyright © 2016 VMware, Inc. All Rights Reserved.
This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTIBILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License version 2 for more details.
You should have received a copy of the General Public License version 2 along with this program.
If not, see https://www.gnu.org/licenses/gpl-2.0.html.
The full text of the General Public License 2.0 is provided in the COPYING file.
Some files may be comprised of various open source software components, each of which
has its own license that is located in the source code of the respective component.”
>
Note: The OvfConfiguration portion of this example relies on this OVA. The securityGroup and Firewall configuration have a MANDATORY DEPENDANCY on this OVA being deployed at runtime. The script will fail if the conditions are not met. This OVA can be found here http://goo.gl/oBAFgq
This paramter block defines global variables which a user can override with switches on execution.
param (
##################
# Script control #
##################
# Deploy 3Tier-App Network $BuildTopology=[true|false] and $TopologyType=[static|ospf]
$BuildTopology=$true,
$TopologyType="static",
# Deploy 3Tier-App vApp + Create Security for it [true|false]
$DeployvApp=$true,
####################
# vCenter Clusters #
####################
$EdgeClusterName = "Cluster-MgtEdge",
$EdgeDatastoreName = "NFS_Lab1",
$EdgeUplinkNetworkName = "vDS-External_PG",
# Cluster-Compute
$ComputeClusterName = "Cluster-CompA",
$ComputeDatastoreName = "NFS_Lab1",
$computevdsnametransport = "vDS-Transport",
#############################
# NSX Network configuration #
#############################
# Name of Logical Switches
$TransitLsName = "PowerNSX-Transit",
$WebLsName = "PowerNSX-Web",
$AppLsName = "PowerNSX-App",
$DbLsName = "PowerNSX-Db",
$MgmtLsName = "PowerNSX-Mgmt",
# Name of Logical Routers
$EdgeName = "PowerNSX-Edge01",
$LdrName = "PowerNSX-dlr01",
# Logical Subnets
$WebNetwork = "10.0.1.0/24",
$AppNetwork = "10.0.2.0/24",
$DbNetwork = "10.0.3.0/24",
# Logical Routers
$EdgePassword = "VMware1!VMware1!",
$EdgeUplinkPrimaryAddress = "20.20.20.2",
$EdgeInternalPrimaryAddress = "172.16.1.1",
$EdgeDefaultGW = "20.20.20.1",
$LdrUplinkPrimaryAddress = "172.16.1.2",
$LdrWebPrimaryAddress = "10.0.1.1",
$LdrAppPrimaryAddress = "10.0.2.1",
$LdrDbPrimaryAddress = "10.0.3.1",
# Logical Networks IP Addresses if OSPF configuration
$LdrUplinkProtocolAddress = "172.16.1.3",
$TransitOspfAreaId = "10",
# Logical Load Balancers
$EdgeVIP1 = "20.20.20.6",
$EdgeVIP2 = "172.16.1.6",
$LbAlgo = "round-robin",
$WebpoolName = "WebPool1",
$ApppoolName = "AppPool1",
$WebVipName = "WebVIP",
$AppVipName = "AppVIP",
$WebAppProfileName = "WebAppProfile",
$AppAppProfileName = "AppAppProfile",
$VipProtocol = "http",
$VIP_Member_Port = "80",
##############################
# 3Tier-App vApp information #
##############################
# 3Tier-App location
$3TierAppLocation = "C:\Tmp\3_Tier-App-v1.6.ova",
# 3Tier-App vapp Name
$vAppName = "PowerNSX-vApp",
#WebTier
$Web01Name = "Web01",
$Web01Ip = "10.0.1.11",
$Web02Name = "Web02",
$Web02Ip = "10.0.1.12",
#AppTier
$App01Name = "App01",
$App01Ip = "10.0.2.11",
$App02Name = "App02",
$App02Ip = "10.0.2.12",
$Db01Name = "Db01",
$Db01Ip = "10.0.3.11",
#DB Tier
$Db02Name = "Db02",
$Db02Ip = "10.0.3.12",
#Subnet
$DefaultSubnetMask = "255.255.255.0",
$DefaultSubnetBits = "24",
##############################
# NSX Security configuration #
##############################
# Security Groups
$WebSgName = "PowerNSX_SG_Web",
$WebSgDescription = "Web Security Group",
$AppSgName = "PowerNSX_SG_App",
$AppSgDescription = "App Security Group",
$DbSgName = "PowerNSX_SG_Db",
$DbSgDescription = "DB Security Group",
$vAppSgName = "PowerNSX_SG_3TierApp",
$vAppSgDescription = "3TierApp ALL Security Group",
#Security Tags
$StWebName = "PowerNSX-3TA-Web",
$StAppName = "PowerNSX-3TA-App",
$StDbName = "PowerNSX-3TA-Db",
#DFW
$FirewallSectionName = "PowerNSX-Section"
)
Do Not modify below this line! :)
Set-StrictMode -Version latest
Validation of PowerCLI version. PowerCLI 6 is requried due to OvfConfiguration commands.
[int]$PowerCliMajorVersion = (Get-PowerCliVersion).major
if ( -not ($PowerCliMajorVersion -ge 6 ) ) { throw "OVF deployment tools requires PowerCLI version 6 or above" }
try {
$EdgeCluster = get-cluster $EdgeClusterName -errorAction Stop
$EdgeDatastore = get-datastore $EdgeDatastoreName -errorAction Stop
$ComputeDatastore = get-datastore $ComputeDatastoreName -errorAction Stop
$EdgeUplinkNetwork = get-vdportgroup $EdgeUplinkNetworkName -errorAction Stop
}
catch {
throw "Failed getting vSphere Inventory Item: $_"
}
Building out the required Logical Switches
function Build-LogicalSwitches {
#Logical Switches
write-host -foregroundcolor "Green" "Creating Logical Switches..."
Creates four logical switches with each being assigned to a global varaible.
$Global:TsTransitLs = Get-NsxTransportZone | New-NsxLogicalSwitch $TransitLsName
$Global:TsWebLs = Get-NsxTransportZone | New-NsxLogicalSwitch $WebLsName
$Global:TsAppLs = Get-NsxTransportZone | New-NsxLogicalSwitch $AppLsName
$Global:TsDbLs = Get-NsxTransportZone | New-NsxLogicalSwitch $DbLsName
$Global:TsMgmtLs = Get-NsxTransportZone | New-NsxLogicalSwitch $MgmtLsName
}
Building out the DLR.
function Build-Dlr {
###
# DLR
# DLR Appliance has the uplink router interface created first.
write-host -foregroundcolor "Green" "Creating DLR"
$TsLdrvNic0 = New-NsxLogicalRouterInterfaceSpec -type Uplink -Name $TransitLsName -ConnectedTo $TsTransitLs -PrimaryAddress $LdrUplinkPrimaryAddress -SubnetPrefixLength $DefaultSubnetBits
# The DLR is created and assigned to a portgroup, and the datastore/cluster required
$TsLdr = New-NsxLogicalRouter -name $LdrName -ManagementPortGroup $TsMgmtLs -interface $TsLdrvNic0 -cluster $EdgeCluster -datastore $EdgeDatastore
## Adding DLR interfaces after the DLR has been deployed. This can be done any time if new interfaces are required.
# Added to pipe to out-null to supporess output that we dont need.
write-host -foregroundcolor Green "Adding Web LIF to DLR"
$TsLdr | New-NsxLogicalRouterInterface -Type Internal -name $WebLsName -ConnectedTo $TsWebLs -PrimaryAddress $LdrWebPrimaryAddress -SubnetPrefixLength $DefaultSubnetBits | out-null
write-host -foregroundcolor Green "Adding App LIF to DLR"
$TsLdr | New-NsxLogicalRouterInterface -Type Internal -name $AppLsName -ConnectedTo $TsAppLs -PrimaryAddress $LdrAppPrimaryAddress -SubnetPrefixLength $DefaultSubnetBits | out-null
write-host -foregroundcolor Green "Adding DB LIF to DLR"
$TsLdr | New-NsxLogicalRouterInterface -Type Internal -name $DbLsName -ConnectedTo $TsDbLs -PrimaryAddress $LdrDbPrimaryAddress -SubnetPrefixLength $DefaultSubnetBits | out-null
}
Function Configure-DlrDefaultRoute {
## DLR Routing - default route from DLR with a next-hop of the Edge.
write-host -foregroundcolor Green "Setting default route on DLR to $EdgeInternalPrimaryAddress"
##The first line pulls the uplink name coz we cant assume we know the index ID
Get-NsxLogicalRouter $LdrName | Get-NsxLogicalRouterRouting | Set-NsxLogicalRouterRouting -DefaultGatewayVnic $TsLdrTransitInt.index -DefaultGatewayAddress $EdgeInternalPrimaryAddress -confirm:$false | out-null
}
Function Build-Edge {
## Defining the uplink and internal interfaces to be used when deploying the edge. Note there are two IP addreses on these interfaces. $EdgeVIP2 and $EdgeVIP1 are the VIPs
$edgevnic0 = New-NsxEdgeinterfacespec -index 0 -Name "Uplink" -type Uplink -ConnectedTo $EdgeUplinkNetwork -PrimaryAddress $EdgeUplinkPrimaryAddress -SecondaryAddress $EdgeVIP1 -SubnetPrefixLength $DefaultSubnetBits
$edgevnic1 = New-NsxEdgeinterfacespec -index 1 -Name $TransitLsName -type Internal -ConnectedTo $TsTransitLs -PrimaryAddress $EdgeInternalPrimaryAddress -SubnetPrefixLength $DefaultSubnetBits -SecondaryAddress $EdgeVIP2
## Deploy appliance with the defined uplinks
write-host -foregroundcolor "Green" "Creating Edge"
$Global:TSEdge1 = New-NsxEdge -name $EdgeName -cluster $EdgeCluster -datastore $EdgeDatastore -Interface $edgevnic0,$edgevnic1 -Password $EdgePassword
}
function Set-EdgeFwDefaultAccept {
#Change the default FW policy of the edge. At the time of writing there is not an explicit cmdlet to do this, so we update the XML manually and push it back using Set-NsxEdge
write-host -foregroundcolor "Green" "Setting $EdgeName firewall default rule to permit"
$TsEdge1 = get-nsxedge $TsEdge1.name
$TsEdge1.features.firewall.defaultPolicy.action = "accept"
$TsEdge1 | Set-NsxEdge -confirm:$false | out-null
}
Function Configure-EdgeDefaultRoute {
## Edge Routing - default route from Edge with a next-hop of $EdgeDefaultGW.
write-host -foregroundcolor Green "Setting default route on Edge to $EdgeDefaultGW"
Get-NSXEdge "$EdgeName" | Get-NsxEdgeRouting | Set-NsxEdgeRouting -DefaultGatewayAddress $EdgeDefaultGW -confirm:$false | out-null
}
function Set-EdgeStaticRoute {
write-host -foregroundcolor "Green" "Adding static route to Web, App and DB networks to $EdgeName"
##Static route from Edge to Web and App via DLR Uplink if -topologytype is not defined or static selected
Get-NsxEdge $EdgeName | Get-NsxEdgerouting | New-NsxEdgestaticroute -Network $WebNetwork -NextHop $LdrUplinkPrimaryAddress -confirm:$false | out-null
Get-NsxEdge $EdgeName | Get-NsxEdgerouting | New-NsxEdgestaticroute -Network $AppNetwork -NextHop $LdrUplinkPrimaryAddress -confirm:$false | out-null
Get-NsxEdge $EdgeName | Get-NsxEdgerouting | New-NsxEdgestaticroute -Network $DbNetwork -NextHop $LdrUplinkPrimaryAddress -confirm:$false | out-null
}
function Configure-EdgeOSPF {
#If -TopoologyType ospf is selected then this function is run.
write-host -foregroundcolor Green "Configuring Edge OSPF"
Get-NsxEdge $EdgeName | Get-NsxEdgerouting | set-NsxEdgeRouting -EnableOspf -RouterId $EdgeUplinkPrimaryAddress -confirm:$false | out-null
#Remove the dopey area 51 NSSA - just to show example of complete OSPF configuration including area creation.
Get-NsxEdge $EdgeName | Get-NsxEdgerouting | Get-NsxEdgeOspfArea -AreaId 51 | Remove-NsxEdgeOspfArea -confirm:$false
#Create new Area 0 for OSPF
Get-NsxEdge $EdgeName | Get-NsxEdgerouting | New-NsxEdgeOspfArea -AreaId $TransitOspfAreaId -Type normal -confirm:$false | out-null
#Area to interface mapping
Get-NsxEdge $EdgeName | Get-NsxEdgerouting | New-NsxEdgeOspfInterface -AreaId $TransitOspfAreaId -vNic 1 -confirm:$false | out-null
}
function Configure-LogicalRouterOspf {
write-host -foregroundcolor Green "Configuring Logicalrouter OSPF"
Get-NsxLogicalRouter $LdrName | Get-NsxLogicalRouterRouting | set-NsxLogicalRouterRouting -EnableOspf -EnableOspfRouteRedistribution -RouterId $LdrUplinkPrimaryAddress -ProtocolAddress $LdrUplinkProtocolAddress -ForwardingAddress $LdrUplinkPrimaryAddress -confirm:$false | out-null
#Remove the dopey area 51 NSSA - just to show example of complete OSPF configuration including area creation.
Get-NsxLogicalRouter $LdrName | Get-NsxLogicalRouterRouting | Get-NsxLogicalRouterOspfArea -AreaId 51 | Remove-NsxLogicalRouterOspfArea -confirm:$false
#Create new Area
Get-NsxLogicalRouter $LdrName | Get-NsxLogicalRouterRouting | New-NsxLogicalRouterOspfArea -AreaId $TransitOspfAreaId -Type normal -confirm:$false | out-null
#Area to interface mapping
$TsLdrTransitInt = get-nsxlogicalrouter | get-nsxlogicalrouterinterface | ? { $.name -eq $TransitLsName}
Get-NsxLogicalRouter $LdrName | Get-NsxLogicalRouterRouting | New-NsxLogicalRouterOspfInterface -AreaId $TransitOspfAreaId -vNic $TsLdrTransitInt.index -confirm:$false | out-null
#Enable Redistribution into OSPF of connected routes.
Get-NsxLogicalRouter $LdrName | Get-NsxLogicalRouterRouting | New-NsxLogicalRouterRedistributionRule -Learner ospf -FromConnected -Action permit -confirm:$false | out-null
}
function Build-LoadBalancer {
# Switch that enables Loadbanacing on $EdgeName
write-host -foregroundcolor "Green" "Enabling LoadBalancing on $EdgeName"
Get-NsxEdge $EdgeName | Get-NsxLoadBalancer | Set-NsxLoadBalancer -Enabled | out-null
# Edge LB config - define pool members. By way of example, we will use two different methods for defining pool membership. Webpool via predefine memberspec first...
write-host -foregroundcolor "Green" "Creating Web Pool"
$webpoolmember1 = New-NsxLoadBalancerMemberSpec -name $Web01Name -IpAddress $Web01Ip -Port $VIP_Member_Port
$webpoolmember2 = New-NsxLoadBalancerMemberSpec -name $Web02Name -IpAddress $Web02Ip -Port $VIP_Member_Port
# ... And create the web pool
$WebPool = Get-NsxEdge $EdgeName | Get-NsxLoadBalancer | New-NsxLoadBalancerPool -name $WebPoolName -Description "Web Tier Pool" -Transparent:$true -Algorithm $LbAlgo -Memberspec $webpoolmember1,$webpoolmember2
# Now, method two for the App Pool Create the pool with empty membership.
write-host -foregroundcolor "Green" "Creating App Pool"
$AppPool = Get-NsxEdge $EdgeName | Get-NsxLoadBalancer | New-NsxLoadBalancerPool -name $AppPoolName -Description "App Tier Pool" -Transparent:$false -Algorithm $LbAlgo
# ... And now add the pool members
$AppPool = $AppPool | Add-NsxLoadBalancerPoolMember -name $App01Name -IpAddress $App01Ip -Port $VIP_Member_Port
$AppPool = $AppPool | Add-NsxLoadBalancerPoolMember -name $App02Name -IpAddress $App02Ip -Port $VIP_Member_Port
# Create App Profiles. It is possible to use the same but for ease of operations this will be two.
write-host -foregroundcolor "Green" "Creating Application Profiles for Web and App"
$WebAppProfile = Get-NsxEdge $EdgeName | Get-NsxLoadBalancer | New-NsxLoadBalancerApplicationProfile -Name $WebAppProfileName -Type $VipProtocol
$AppAppProfile = Get-NsxEdge $EdgeName | Get-NsxLoadBalancer | new-NsxLoadBalancerApplicationProfile -Name $AppAppProfileName -Type $VipProtocol
# Create the VIPs for the relevent WebPools. Applied to the Secondary interface variables declared.
write-host -foregroundcolor "Green" "Creating VIPs"
Get-NsxEdge $EdgeName | Get-NsxLoadBalancer | Add-NsxLoadBalancerVip -name $WebVipName -Description $WebVipName -ipaddress $EdgeVIP1 -Protocol $VipProtocol -Port $VIP_Member_Port -ApplicationProfile $WebAppProfile -DefaultPool $WebPool -AccelerationEnabled | out-null
Get-NsxEdge $EdgeName | Get-NsxLoadBalancer | Add-NsxLoadBalancerVip -name $AppVipName -Description $AppVipName -ipaddress $EdgeVIP2 -Protocol $VipProtocol -Port $VIP_Member_Port -ApplicationProfile $AppAppProfile -DefaultPool $AppPool -AccelerationEnabled | out-null
}
NOTE: From here below this requires the OVF that VMware uses internally. Please customise for your three tier application. This works for OVA1.6
function deploy-3TiervApp {
write-host -foregroundcolor "Green" "Deploying 'The 3TierApp' application "
# vCenter and the VDS has no understanding of a "Logical Switch". It only sees it as a VDS portgroup. This looks up the Logical Switch defined by the variable $WebLsName and runs iterates the result across Get-NsxBackingPortGroup. The results are used below in the networkdetails section.
$WebNetwork = get-nsxtransportzone | get-nsxlogicalswitch $WebLsName | Get-NsxBackingPortGroup
$AppNetwork = get-nsxtransportzone | get-nsxlogicalswitch $AppLsName | Get-NsxBackingPortGroup
$DbNetwork = get-nsxtransportzone | get-nsxlogicalswitch $DbLsName | Get-NsxBackingPortGroup
$WebNetwork =
$AppNetwork = $AppNetwork | ? {$.vdswitch.name -eq ("$computevdsnametransport")}
$DbNetwork = $DbNetwork | ? {$_.vdswitch.name -eq ("$computevdsnametransport")}
$WebNetwork = $WebNetwork.name
$AppNetwork = $AppNetwork.name
$DbNetwork = $DbNetwork.name
$ComputeCluster = Get-Cluster $ComputeClusterName
## Compute details - finds the host with the least used memory for deployment.
$VMHost = $ComputeCluster | Get-VMHost | Sort MemoryUsageGB | Select -first 1
## Using the PowerCLI command, get OVF draws on the location of the OVA from the defined variable.
$OvfConfiguration = Get-OvfConfiguration -Ovf $3TierAppLocation
#networkdetails need to be defined.
$OvfConfiguration.NetworkMapping.vxw_dvs_24_virtualwire_3_sid_10001_Web_LS_01.Value = "$WebNetwork"
$OvfConfiguration.NetworkMapping.vxw_dvs_24_virtualwire_4_sid_10002_App_LS_01.Value = "$AppNetwork"
$OvfConfiguration.NetworkMapping.vxw_dvs_24_virtualwire_5_sid_10003_DB_LS_01.Value = "$DbNetwork"
## VMdetails
$OvfConfiguration.common.app_ip.Value = $EdgeVIP2
$OvfConfiguration.common.Web01_IP.Value = $Web01Ip
$OvfConfiguration.common.Web02_IP.Value = $Web02Ip
$OvfConfiguration.common.Web_Subnet.Value = $DefaultSubnetMask
$OvfConfiguration.common.Web_Gateway.Value = $LdrWebPrimaryAddress
$OvfConfiguration.common.App01_IP.Value = $App01Ip
$OvfConfiguration.common.App02_IP.Value = $App02Ip
$OvfConfiguration.common.App_Subnet.Value = $DefaultSubnetMask
$OvfConfiguration.common.App_Gateway.Value = $LdrAppPrimaryAddress
$OvfConfiguration.common.DB01_IP.Value = $DB01Ip
$OvfConfiguration.common.DB_Subnet.Value = $DefaultSubnetMask
$OvfConfiguration.common.DB_Gateway.Value = $LdrDbPrimaryAddress
With all the desired OVF configuration done it is time to run the deployment.
Import-vApp -Source $3TierAppLocation -OvfConfiguration $OvfConfiguration -Name $vAppName -Location $ComputeCluster -VMHost $Vmhost -Datastore $ComputeDatastore | out-null
write-host -foregroundcolor "Green" "Starting $vAppName vApp components"
Get-vApp "PowerNSX-vApp" | Start-VApp -RunAsync -confirm:$false | out-null
}
function Apply-Microsegmentation {
write-host -foregroundcolor Green "Getting Services"
#This assumes they exist, which they do in the default NSX deployment.
$httpservice = Get-NsxService HTTP
$mysqlservice = Get-NsxService MySQL
write-host -foregroundcolor "Green" "Creating Source IP Groups"
#
$VIP1_IpSet = New-NsxIPSet -Name PowerNSX_VIP1_IpSet -IPAddresses $EdgeVIP1
$VIP2_IpSet = New-NsxIPSet -Name PowerNSX_VIP2_IpSet -IPAddresses $EdgeVIP2
$InternalESG_IpSet = New-NsxIPSet -name PowerNSX_InternalESG_IpSet -IPAddresses $EdgeInternalPrimaryAddress
write-host -foregroundcolor "Green" "Creating Security Tags and appending them"
$STWeb = New-NsxSecurityTag $StWebName
$STApp = New-NsxSecurityTag $STAppName
$STDb = New-NsxSecurityTag $STDbName
$AppVM = get-vm | ? {$.name -match ("App0")}
$DbVM = get-vm | ? {$_.name -match ("Db0")}
$WebVM | New-NsxSecurityTagAssignment -ApplyTag $StWeb
$AppVM | New-NsxSecurityTagAssignment -ApplyTag $StApp
$DbVM | New-NsxSecurityTagAssignment -ApplyTag $StDb
write-host -foregroundcolor "Green" "Creating Security Groups"
#Creates the Web SecurityGroup and creates a static includes based on VMname Web0 which will match Web01 and Web02
$WebSg = New-NsxSecurityGroup -name $WebSgName -description $WebSgDescription -includemember $STWeb
#Creates the App SecurityGroup and creates a static includes based on VMname App0 which will match App01 and App02
$AppSg = New-NsxSecurityGroup -name $AppSgName -description $AppSgDescription -includemember $STApp
#Creates the Db SecurityGroup and creates a static includes based on VMname Db0 which will match Db01
$DbSg = New-NsxSecurityGroup -name $DbSgName -description $DbSgDescription -includemember $StDb
#Creates the 3TierApp SecurityGroup and creates a static includes Security Group Web/App/Db and in turn its members
$3TierAppSg = New-NsxSecurityGroup -name $vAppSgName -description $vAppSgDescription -includemember $WebSg,$AppSg,$DbSg
#Building firewall section with value defined in $FirewallSectionName
write-host -foregroundcolor "Green" "Creating Firewall Section"
$FirewallSection = new-NsxFirewallSection $FirewallSectionName
#Actions
$AllowTraffic = "allow"
$DenyTraffic = "deny"
#Allows Any to reach WebTier (VIP1 is in transparent mode)
write-host -foregroundcolor "Green" "Creating Web Tier rule"
$External_Rule = get-nsxfirewallsection $FirewallSectionName | New-NSXFirewallRule -Name "External_Rule" -Destination $WebSg -Service $HttpService -Action $AllowTraffic -AppliedTo $WebSg -position bottom
#Allows Web tier to reach App Tier via the APP VIP and then the NAT'd vNIC address of the Edge
write-host -foregroundcolor "Green" "Creating Web to App Tier rules"
$Web_to_App_Rule1 = get-nsxfirewallsection $FirewallSectionName | New-NsxFirewallRule -Name "Web_to_App_Rule11" -Source $WebSg -Destination $VIP2_IpSet -Service $HttpService -Action $AllowTraffic -AppliedTo $WebSg,$AppSg -position bottom
$Web_to_App_Rule2 = get-NsxFirewallSection $FirewallSectionName | New-NsxFirewallRule -Name "Web_to_App_Rule2" -Source $InternalEsg_IpSet -Destination $appSg -service $HttpService -Action $Allowtraffic -AppliedTo $AppSg -position bottom
#Allows App tier to reach DB Tier directly
write-host -foregroundcolor "Green" "Creating Db Tier rules"
$App_to_Db_Rule = get-nsxfirewallsection $FirewallSectionName | New-NsxFirewallRule -Name "App_to_Db_Rule1" -Source $AppSg -Destination $DbSg -Service $MySqlService -Action $AllowTraffic -AppliedTo $AppSg,$DbSG -position bottom
write-host -foregroundcolor "Green" "Creating deny all applied to $vAppSgName"
#Default rule that wraps around all VMs within the topolgoy - application specific DENY ALL
$DenyAll = get-nsxfirewallsection $FirewallSectionName | New-NsxFirewallRule -Name "Deny All 3Tier App" -Action $DenyTraffic -AppliedTo $3TierAppSg -position bottom -EnableLogging -tag "$3TierAppSg"
write-host -foregroundcolor "Green" "Segmentation Complete - Application Secure"
}
if ( $BuildTopology ) {
Build-LogicalSwitches
Build-Dlr
Configure-DlrDefaultRoute
Build-Edge
Set-EdgeFwDefaultAccept
Configure-EdgeDefaultRoute
Build-LoadBalancer
switch ( $TopologyType ) {
"static" {
Set-EdgeStaticRoute
}
"ospf" {
Configure-EdgeOSPF
Configure-LogicalRouterOSPF
}
}
}
if ( $DeployvApp ) {
deploy-3TiervApp
Apply-Microsegmentation
}
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.