PowerNSX script to create a bubble network, consisting of Logical Switches, DLR, ESG and Firewall Rules
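<#
Created by Tony Sangha
July 2017
tonysangha.com
version 0.1
####################################
macOS PowerCLI specific commands (run these in the session before executing
this script; the script body assumes an NSX Manager connection already exists):

Get-Module -ListAvailable PowerCLI* | Import-Module
Get-Module -ListAvailable PowerNSX* | Import-Module

# Turns off TLS certificate validation for PowerCLI/PowerNSX calls. Only
# acceptable in a lab where the NSX Manager / vCenter certificate is not
# trusted by the client; otherwise install the CA and leave validation on.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

# Prompt for the passwords instead of embedding them in this file (a gist
# or repository copy would otherwise carry the lab credentials).
connect-nsxserver -server 192.168.2.58 -Credential (Get-Credential -Message 'NSX Manager') `
    -VIUsername administrator@vsphere.local `
    -VIPassword (Read-Host -Prompt 'vCenter password for administrator@vsphere.local')
#>

#######################################
### Edit any parameters here only ###
#######################################
# NSX Manager address; kept for reference only, the body below does not
# reference it (the connection is established before the script runs).
$nsx_manager_ip = '192.168.2.58'
# Transport zone in which every logical switch is created
$transport_zone_name = 'tz'
# Placement for the DLR control VM and the ESG appliance
$datastore = "DELL"
$edge_cluster = "mgmt"

# DLR, ESG and Sec & Grp names, will be created randomly if not changed here.
# The Get-Random suffix only avoids name collisions on repeated runs.
$dlr_name = "DLR-" + (get-random).toString()
$esg_name = "ESG-" + (get-random).toString()
$sg_name = "SG-BUBBLE-" + (get-random).toString()
$sec_name = "BUBBLE-NETWORK-" + (get-random).toString()

<# Logical Switch and IP Addressing for the Edge Services Gateway Bubble Router
Logical Switch, IP and Next Hop IP's are required for Uplink and Internal
Interfaces. Uplink logical switch should already be available in NSX-v and
will not be dynamically created by this script. IPs are given as
address/prefix-length and split on '/' by the script. #>
$esg_uplink_ls = "plr_ls_transit"
$esg_uplink_ip = "172.16.32.50/24"
$esg_uplink_next_hop = "172.16.32.1"
# ESG-side address on the transit switch; also the DLR's default next hop
$esg_internal_ip = "192.168.0.254/24"

<# Logical Switch and IP Information for Internal networks and for HA/Uplink
interfaces on the DLR. Variable $logical_switch_name_ip can be appended to
with interfaces and IP Addresses as required.
$dlr_uplink_ls_ip is expected to hold exactly ONE entry: the transit switch
(created by the script) mapped to the DLR's uplink address on it. #>
$dlr_uplink_ls_ip = @{'ls_transit'='192.168.0.1/24'}
$dlr_ha_mgmt_ls = "ls_ha_mgmt"
$logical_switch_name_ip= @{'ls_web'='192.168.1.1/24';
    'ls_app'='192.168.2.1/24';
    'ls_db'='192.168.3.1/24';
    'ls_services'='192.168.4.1/24';
    'ls_shared'='192.168.5.1/24';
    'ls_finance'='192.168.6.1/24';
    'ls_hr'='192.168.7.1/24'
}
# Use a Summary route if possible for logical switches created above or append.
# These are installed on the ESG with the DLR uplink address as next hop.
$esg_to_dlr_static_routes=@('192.168.0.0/21','172.16.34.0/24')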
####################################
### DO NOT EDIT BEYOND THIS LINE ###
####################################
# Banner. A double-quoted here-string keeps the same expansion rules as the
# original double-quoted string (backtick escapes, backslashes printed as-is),
# without needing a backtick at the end of every line.
$banner = @"
 ____ _ _ _ _ _ _ _
| _ \ | | | | | | | \ | | | | | |
| |_) |_ _| |__ | |__ | | ___ | \| | ___| |___ _____ _ __| | __
| _ <| | | | '_ \| '_ \| |/ _ \ | . ` |/ _ \ __\ \ /\ / / _ \| '__| |/ /
| |_) | |_| | |_) | |_) | | __/ | |\ | __/ |_ \ V V / (_) | | | <
|____/ \__,_|_.__/|_.__/|_|\___| |_| \_|\___|\__| \_/\_/ \___/|_| |_|\_\


"@
write-host -ForegroundColor Magenta $banner
write-host -ForegroundColor DarkYellow "Starting Execution of PowerNSX Script"
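#######################################
### Create Local Logical Switches ###
#######################################
# Look the transport zone up once; every switch below is created in it.
# Fail here with a clear message rather than letting each New-NsxLogicalSwitch
# error out on a $null -TransportZone further down.
$tz = get-nsxtransportzone $transport_zone_name
if (-not $tz) {
    throw "Transport zone '$transport_zone_name' not found on the connected NSX Manager"
}

# One logical switch per key of $logical_switch_name_ip; the values (IPs) are
# consumed later when the DLR interfaces are built.
foreach ($switch_name in $logical_switch_name_ip.Keys) {
    $ls = new-nsxlogicalswitch -name $switch_name -transportzone $tz `
        -Description "Created with PowerNSX"
    write-host -ForegroundColor cyan "Created Switch:" $ls.name
}

# Transit switch between the DLR uplink and the ESG internal interface.
# $dlr_uplink_ls_ip is a single-entry hashtable; take its only key explicitly
# instead of binding the whole key collection to -Name.
$transit_ls_name = @($dlr_uplink_ls_ip.Keys)[0]
$ls = new-nsxlogicalswitch -name $transit_ls_name -transportzone $tz `
    -Description "Created with PowerNSX"
write-host -ForegroundColor cyan "Created Switch:" $ls.name

# DLR HA / management switch
$ls = new-nsxlogicalswitch -name $dlr_ha_mgmt_ls -transportzone $tz `
    -Description "Created with PowerNSX"
write-host -ForegroundColor cyan "Created Switch:" $ls.name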
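#######################################
### Create Distributed Logical Router #
#######################################
# $dlr_uplink_ls_ip is a single-entry hashtable (transit switch name -> DLR
# uplink IP/prefix). Check that assumption explicitly: binding a multi-key
# collection to -Name would otherwise produce a space-joined bogus name.
if ($dlr_uplink_ls_ip.Count -ne 1) {
    throw "dlr_uplink_ls_ip must contain exactly one entry, found $($dlr_uplink_ls_ip.Count)"
}
$dlr_uplink_ls_name = @($dlr_uplink_ls_ip.Keys)[0]
$dlr_uplink_addr = (@($dlr_uplink_ls_ip.Values)[0]).Split('/')

# Internal interface specs, one per logical switch in $logical_switch_name_ip.
# Kept as an ArrayList under this name because the DFW section further down
# iterates over it again.
$internal_int_specs = New-Object System.Collections.ArrayList
foreach ($entry in $logical_switch_name_ip.GetEnumerator()) {
    $ip_address = $entry.Value.Split('/')
    $internal = New-NsxLogicalRouterInterfaceSpec -Name $entry.Name -Type internal `
        -ConnectedTo (Get-NsxLogicalSwitch -TransportZone $tz -Name $entry.Name) `
        -PrimaryAddress $ip_address[0] `
        -SubnetPrefixLength $ip_address[1]
    # ArrayList.Add returns the new index; discard it so it is not echoed.
    $null = $internal_int_specs.Add($internal)
}

# Uplink interface spec towards the ESG on the transit switch
$dlr_uplink_int_spec = New-NsxLogicalRouterInterfaceSpec -Name $dlr_uplink_ls_name -Type uplink `
    -ConnectedTo (Get-NsxLogicalSwitch -TransportZone $tz -Name $dlr_uplink_ls_name) `
    -PrimaryAddress $dlr_uplink_addr[0] `
    -SubnetPrefixLength $dlr_uplink_addr[1]

# Create the DLR with the HA/management switch and the uplink interface only;
# the internal interfaces are attached afterwards.
write-host -ForegroundColor cyan "Creating Logical Router (DLR):" $dlr_name
$dlr_rtr = New-NsxLogicalRouter -Name $dlr_name `
    -ManagementPortGroup (Get-NsxLogicalSwitch $dlr_ha_mgmt_ls) `
    -Interface $dlr_uplink_int_spec `
    -Cluster (Get-Cluster $edge_cluster) `
    -Datastore (get-datastore $datastore)

# Attach the internal interfaces. The router is re-fetched by name for each
# call, as before, but by $dlr_name itself: the previous "$dlr_name.name" was
# $null, because $dlr_name is a plain string built above.
write-host -ForegroundColor yellow "Adding Logical Switches to:" $dlr_name
foreach ($spec in $internal_int_specs) {
    write-host -ForegroundColor cyan $spec.Name "LS added to:" $dlr_name
    $null = New-NsxLogicalRouterInterface -LogicalRouter (Get-NsxLogicalRouter $dlr_name) `
        -ConnectedTo (Get-NsxLogicalSwitch $spec.Name) `
        -Name $spec.Name -Type "Internal" `
        -PrimaryAddress $spec.addressGroups.addressGroup.primaryAddress `
        -SubnetPrefixLength $spec.addressGroups.addressGroup.subnetPrefixLength
}

# Default route from the DLR to the ESG's address on the transit switch
$route = New-NsxLogicalRouterStaticRoute `
    -LogicalRouter (Get-NsxLogicalRouter $dlr_name | Get-NsxLogicalRouterRouting) `
    -NextHop $esg_internal_ip.Split('/')[0] `
    -Network '0.0.0.0/0' -confirm:$false
write-host -ForegroundColor yellow $route.network "route created on:" $dlr_name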
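#######################################
### Edge Services Gateway ###
#######################################
# $dlr_uplink_ls_ip holds exactly one entry: the transit switch shared by the
# DLR uplink and the ESG internal interface, with the DLR-side IP as value.
$transit_ls_name = @($dlr_uplink_ls_ip.Keys)[0]
$dlr_transit_ip = (@($dlr_uplink_ls_ip.Values)[0]).Split('/')[0]

# vNIC 0 = uplink towards the perimeter, vNIC 1 = internal towards the DLR
$esg_uplink_int_spec = New-NsxEdgeInterfaceSpec -Name $esg_uplink_ls -Type Uplink `
    -ConnectedTo (Get-NsxLogicalSwitch $esg_uplink_ls) `
    -PrimaryAddress $esg_uplink_ip.split('/')[0] `
    -SubnetPrefixLength $esg_uplink_ip.split('/')[1] -Index 0
$esg_internalint_spec = New-NsxEdgeInterfaceSpec -Name $transit_ls_name -Type Internal `
    -ConnectedTo (Get-NsxLogicalSwitch $transit_ls_name) `
    -PrimaryAddress $esg_internal_ip.split('/')[0] `
    -SubnetPrefixLength $esg_internal_ip.split('/')[1] -Index 1

# ESG appliance admin password: taken from the ESG_ADMIN_PASSWORD environment
# variable when set (unattended runs), otherwise prompted for. It is no longer
# a literal in this file, so copies of the script do not carry the secret.
# NSX applies its own complexity rules to this password; a value it rejects
# surfaces as a New-NsxEdge error.
if ($env:ESG_ADMIN_PASSWORD) {
    $esg_admin_password = $env:ESG_ADMIN_PASSWORD
} else {
    $esg_admin_password = (Get-Credential -UserName 'admin' `
        -Message "Admin password for ESG $esg_name").GetNetworkCredential().Password
}

write-host -ForegroundColor cyan "Creating Edge Services Router:" $esg_name
$esg_rtr = New-NsxEdge -Name $esg_name -Datastore (get-datastore $datastore) `
    -cluster (get-cluster $edge_cluster) -Username admin `
    -Password $esg_admin_password -FormFactor compact -AutoGenerateRules `
    -FwEnabled -Interface $esg_uplink_int_spec,$esg_internalint_spec
# Do not keep the plaintext around in the session after use
Remove-Variable -Name esg_admin_password

# Static routes back to the bubble networks via the DLR's transit address.
# The edge is re-fetched by name for every route so each call sees the
# current routing configuration.
write-host -ForegroundColor cyan "Creating Routes on ESG:" $esg_name
foreach ($network in $esg_to_dlr_static_routes) {
    $null = Get-NsxEdge $esg_name | Get-NsxEdgeRouting | New-NsxEdgeStaticRoute `
        -Network $network -NextHop $dlr_transit_ip -confirm:$false
    write-host -ForegroundColor yellow $network "route created on:" $esg_name
}

# Default route 0/0 towards the perimeter Edge Services Gateway
$route = Get-NsxEdge $esg_name | Get-NsxEdgeRouting | New-NsxEdgeStaticRoute `
    -Network '0.0.0.0/0' -NextHop $esg_uplink_next_hop -confirm:$false
write-host -ForegroundColor yellow $route.network "route created on:" $esg_name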
#######################################
### DFW Firewall Rules ###
#######################################
# Security group holding every internal logical switch of the bubble. The DFW
# rules below key off group membership, so adding a switch to the group is
# enough to bring it under the same policy.
write-host -ForegroundColor cyan "Creating Security Group"
$sg = New-NsxSecurityGroup -name $sg_name
write-host -ForegroundColor yellow "Security Group " $sg.name " created"
foreach ($spec in $internal_int_specs) {
    $member_ls = Get-NsxLogicalSwitch $spec.Name
    Add-NsxSecurityGroupMember (Get-NsxSecurityGroup $sg_name) -Member $member_ls
}

# Dedicated section for the bubble rules
write-host -ForegroundColor cyan "Creating Firewall Section" $sec_name
$section = New-NsxFirewallSection -name $sec_name
write-host -ForegroundColor cyan "Creating Rules in Section" $sec_name

# Rules are created in this order: SG -> any deny, any -> SG deny,
# SG -> SG allow. The intent is that the allow sits ABOVE the two denies,
# since "SG -> any" would otherwise also match intra-bubble traffic.
# NOTE(review): that ordering depends on New-NsxFirewallRule placing each
# new rule at the top of the section (last created = evaluated first) —
# confirm the resulting order in the DFW UI after the run.
$rule_defs = @(
    @{ Name = "$sg_name -> any - deny";       Source = $sg;                    Action = 'deny' }
    @{ Name = "any -> $sg_name - deny";       Destination = $sg;               Action = 'deny' }
    @{ Name = "$sg_name -> $sg_name - allow"; Source = $sg; Destination = $sg; Action = 'allow' }
)
foreach ($rule_def in $rule_defs) {
    # The section is re-fetched by name for every rule, as before
    $rule = Get-NsxFirewallSection $section.name | New-NsxFirewallRule @rule_def
    write-host -ForegroundColor yellow "Rule ID" $rule.id "created"
}