PowerNSX script to create a bubble network, consisting of Logical Switches, DLR, ESG and Firewall Rules
<#
Created by Tony Sangha
July 2017
tonysangha.com
version 0.1
####################################
macOS PowerCLI specific commands
Get-Module -ListAvailable PowerCLI* | Import-Module
Get-Module -ListAvailable PowerNSX* | Import-Module
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false
connect-nsxserver -server 192.168.2.58 -username administrator@vsphere.local `
-password VMware1! -VIUsername administrator@vsphere.local -VIPassword VMware1!
#>
#######################################
### Edit any parameters here only ###
#######################################
# NSX Manager address. Not referenced by the commands below -- the session is
# established beforehand with connect-nsxserver (see the header comment).
$nsx_manager_ip = '192.168.2.58'
$transport_zone_name = 'tz'
$datastore = 'DELL'
$edge_cluster = 'mgmt'
# DLR, ESG, Security Group and Firewall Section names. Each gets a random
# numeric suffix unless replaced with a fixed name here.
$dlr_name = 'DLR-{0}' -f (Get-Random)
$esg_name = 'ESG-{0}' -f (Get-Random)
$sg_name = 'SG-BUBBLE-{0}' -f (Get-Random)
$sec_name = 'BUBBLE-NETWORK-{0}' -f (Get-Random)
<# Logical Switch and IP Addressing for the Edge Services Gateway Bubble Router.
Logical Switch, IP and Next Hop IPs are required for the Uplink and Internal
interfaces. The uplink logical switch must already exist in NSX-v; this script
does not create it. #>
$esg_uplink_ls = 'plr_ls_transit'
$esg_uplink_ip = '172.16.32.50/24'
$esg_uplink_next_hop = '172.16.32.1'
$esg_internal_ip = '192.168.0.254/24'
<# Logical Switch and IP Information for the internal networks and for the
HA/Uplink interfaces on the DLR. Add entries to $logical_switch_name_ip
(switch name = 'ip/prefix') for additional internal segments. #>
$dlr_uplink_ls_ip = @{ 'ls_transit' = '192.168.0.1/24' }
$dlr_ha_mgmt_ls = 'ls_ha_mgmt'
$logical_switch_name_ip = @{
    'ls_web'      = '192.168.1.1/24'
    'ls_app'      = '192.168.2.1/24'
    'ls_db'       = '192.168.3.1/24'
    'ls_services' = '192.168.4.1/24'
    'ls_shared'   = '192.168.5.1/24'
    'ls_finance'  = '192.168.6.1/24'
    'ls_hr'       = '192.168.7.1/24'
}
# Use a summary route if possible for the logical switches created above, or
# append further prefixes to this list
$esg_to_dlr_static_routes = @('192.168.0.0/21', '172.16.34.0/24')
####################################
### DO NOT EDIT BEYOND THIS LINE ###
####################################
# Print the ASCII-art banner. The string spans several lines; the trailing
# backticks are line continuations inside the quoted string and must be kept.
write-host -ForegroundColor Magenta `
" ____ _ _ _ _ _ _ _ `
| _ \ | | | | | | | \ | | | | | | `
| |_) |_ _| |__ | |__ | | ___ | \| | ___| |___ _____ _ __| | __ `
| _ <| | | | '_ \| '_ \| |/ _ \ | . ` |/ _ \ __\ \ /\ / / _ \| '__| |/ / `
| |_) | |_| | |_) | |_) | | __/ | |\ | __/ |_ \ V V / (_) | | | < `
|____/ \__,_|_.__/|_.__/|_|\___| |_| \_|\___|\__| \_/\_/ \___/|_| |_|\_\ `
`
"
write-host -ForegroundColor DarkYellow "Starting Execution of PowerNSX Script"
#######################################
### Create Local Logical Switches ###
#######################################
# Get and store the Transport Zone object; every switch below is created in it
$tz = get-nsxtransportzone $transport_zone_name
<# Create NSX Logical switches in the designated transport zone, by looping
through the $logical_switch_name_ip hash table. Only the keys (switch names)
are used here; the 'ip/prefix' values are consumed later by the DLR
interface specs. #>
foreach($item in $logical_switch_name_ip.keys){
$ls = new-nsxlogicalswitch -name $item -transportzone $tz `
-Description "Created with PowerNSX"
write-host -ForegroundColor cyan "Created Switch:" $ls.name
}
# Create Logical Switch for DLR HA/MGMT network and Bubble Internal Transit.
# NOTE(review): $dlr_uplink_ls_ip.keys is a key collection, not a string; this
# relies on the hashtable holding exactly one entry -- confirm before adding more.
$ls = new-nsxlogicalswitch -name $dlr_uplink_ls_ip.keys -transportzone $tz
write-host -ForegroundColor cyan "Created Switch:" $ls.name
$ls = new-nsxlogicalswitch -name $dlr_ha_mgmt_ls -transportzone $tz
write-host -ForegroundColor cyan "Created Switch:" $ls.name
#######################################
### Create Distributed Logical Router #
#######################################
# ArrayList that collects the internal interface specs for the DLR. The same
# list is reused further down to populate the security group.
$internal_int_specs = New-Object System.Collections.ArrayList
<# Loop over the logical_switch_name_ip hashtable and add one interface spec
per entry: the key is the switch (and interface) name, and the 'ip/prefix'
value is split into the primary address and the prefix length. #>
foreach($item in $logical_switch_name_ip.GetEnumerator()){
$ip_address = $item.Value.split('/')
$internal = New-NsxLogicalRouterinterfacespec -Name $item.Name `
-Type internal `
-ConnectedTo (Get-NsxLogicalSwitch -TransportZone $tz `
-name $item.Name) `
-PrimaryAddress $ip_address[0] `
-SubnetPrefixLength $ip_address[1]
# ArrayList.Add returns the new index; it is assigned to $x only to keep it
# off the console output
$x = $internal_int_specs.Add($internal)
}
# Create Interface Specification for the DLR Uplink Interface. It connects to
# the transit switch named by the (single) key of $dlr_uplink_ls_ip, and the
# 'ip/prefix' value is split into address and prefix length.
# NOTE(review): .keys / .values are collections; this assumes one entry.
$dlr_uplink_int_spec = New-NsxLogicalRouterinterfacespec -Name `
$dlr_uplink_ls_ip.keys -Type uplink `
-ConnectedTo (Get-NsxLogicalSwitch -TransportZone $tz `
-name $dlr_uplink_ls_ip.keys) `
-PrimaryAddress ($dlr_uplink_ls_ip.values.split('/')[0]) `
-SubnetPrefixLength ($dlr_uplink_ls_ip.values.split('/')[1])
<# Create the Distributed Logical Router with the HA/management port group,
the uplink interface spec and the configured cluster/datastore. The internal
interfaces and the static default route are added in the steps that follow. #>
write-host -ForegroundColor cyan "Creating Logical Router (DLR):" $dlr_name
$dlr_rtr = New-NsxLogicalRouter -Name $dlr_name -ManagementPortGroup `
(Get-NsxLogicalSwitch $dlr_ha_mgmt_ls) `
-Interface $dlr_uplink_int_spec `
-Cluster (Get-Cluster $edge_cluster) -Datastore `
(get-datastore $datastore)
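# Add the internal interfaces (one per entry in $internal_int_specs) to the
# newly created Distributed Logical Router.
# The router is looked up by name on every iteration rather than reusing
# $dlr_rtr, so each add is applied against the DLR's current configuration.
write-host -ForegroundColor yellow "Adding Logical Switches to:" $dlr_name
foreach($item in $internal_int_specs){
    write-host -ForegroundColor cyan $item.Name "LS added to:" $dlr_name
    # $dlr_name is a plain string. The previous '$dlr_name.name' evaluated to
    # $null, so the lookup was not actually filtered by router name and would
    # match more than one router in an environment with several DLRs.
    $null = New-NsxLogicalRouterInterface -LogicalRouter `
        (get-nsxlogicalrouter $dlr_name) `
        -ConnectedTo (Get-NsxLogicalSwitch $item.Name) `
        -Name $item.Name -Type "Internal" `
        -PrimaryAddress $item.addressGroups.addressGroup.primaryAddress `
        -SubnetPrefixLength $item.addressGroups.addressGroup.subnetPrefixLength
}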
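# Add a static default route on the DLR pointing at the ESG's internal
# interface (the address half of $esg_internal_ip).
# $dlr_name is a plain string. The previous '$dlr_name.name' evaluated to
# $null, so the router lookup was not filtered by name.
$route = New-NsxLogicalRouterStaticRoute -LogicalRouter `
    (get-nsxlogicalrouter $dlr_name | Get-NsxLogicalRouterRouting) `
    -NextHop $esg_internal_ip.split('/')[0] `
    -Network '0.0.0.0/0' -confirm:$false
write-host -ForegroundColor yellow $route.network "route created on:" `
    $dlr_name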
#######################################
### Edge Services Gateway ###
#######################################
# Uplink interface (index 0) on the pre-existing perimeter transit switch,
# addressed from $esg_uplink_ip ('ip/prefix')
$esg_uplink_int_spec = New-NsxEdgeInterfaceSpec -Name $esg_uplink_ls `
-Type Uplink `
-ConnectedTo (Get-NsxLogicalSwitch $esg_uplink_ls) `
-PrimaryAddress $esg_uplink_ip.split('/')[0] `
-SubnetPrefixLength $esg_uplink_ip.split('/')[1] -Index 0
# Internal interface (index 1) on the DLR transit switch. Its address
# ($esg_internal_ip) is the next hop of the DLR's default route above.
# NOTE(review): as before, $dlr_uplink_ls_ip.keys is a collection bound as the
# name and assumes a single-entry hashtable.
$esg_internalint_spec = New-NsxEdgeInterfaceSpec -Name $dlr_uplink_ls_ip.keys `
-Type Internal `
-ConnectedTo (Get-NsxLogicalSwitch $dlr_uplink_ls_ip.keys) `
-PrimaryAddress $esg_internal_ip.split('/')[0] `
-SubnetPrefixLength $esg_internal_ip.split('/')[1] -Index 1
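# Create the Edge Services Gateway with both interface specs attached.
# The appliance admin password is read from the NSX_ESG_ADMIN_PASSWORD
# environment variable, or prompted for (masked input) when that is not set,
# so no credential is kept in this script. NSX applies its own complexity
# rules to the value (see the New-NsxEdge help); a rejected value fails here.
$esg_admin_password = $env:NSX_ESG_ADMIN_PASSWORD
if ([string]::IsNullOrEmpty($esg_admin_password)) {
    $secure_password = Read-Host -AsSecureString -Prompt "Admin password for $esg_name"
    # NetworkCredential is used only to recover the plain string New-NsxEdge expects
    $esg_admin_password = (New-Object System.Net.NetworkCredential('', $secure_password)).Password
}
write-host -ForegroundColor cyan "Creating Edge Services Router:" $esg_name
$esg_rtr = New-NsxEdge -Name $esg_name -Datastore (get-datastore $datastore) `
    -cluster (get-cluster $edge_cluster) -Username admin `
    -Password $esg_admin_password -FormFactor compact -AutoGenerateRules `
    -FwEnabled -Interface $esg_uplink_int_spec,$esg_internalint_spec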
# Create static routes back to the DLR: each prefix in
# $esg_to_dlr_static_routes is routed to the DLR's uplink address (the address
# half of the single $dlr_uplink_ls_ip value). The edge routing object is
# re-fetched for every route so each call sees the current configuration.
write-host -ForegroundColor cyan "Creating Routes on ESG:" $esg_name
foreach($item in $esg_to_dlr_static_routes){
$x = Get-NsxEdge $esg_name | Get-NsxEdgeRouting | New-NsxEdgeStaticRoute `
-Network $item -NextHop $dlr_uplink_ls_ip.Values.split('/')[0] `
-confirm:$false
write-host -ForegroundColor yellow $item "route created on:" `
$esg_name
}
# Create Default Route 0/0 to the Perimeter Edge Services Gateway
# ($esg_uplink_next_hop on the uplink segment)
$route = Get-NsxEdge $esg_name | Get-NsxEdgeRouting | New-NsxEdgeStaticRoute `
-Network '0.0.0.0/0' -NextHop $esg_uplink_next_hop -confirm:$false
write-host -ForegroundColor yellow $route.network "route created on:" `
$esg_name
#######################################
### DFW Firewall Rules ###
#######################################
# Create a Security Group containing all the internal logical switches created
# above. Membership is by logical switch, so anything attached to one of these
# switches is part of the bubble.
write-host -ForegroundColor cyan "Creating Security Group"
$sg = New-NsxSecurityGroup -name $sg_name
write-host -ForegroundColor yellow "Security Group " $sg.name " created"
foreach($item in $internal_int_specs){
Add-NsxSecurityGroupMember (Get-NsxSecurityGroup $sg_name) `
-Member (Get-NsxLogicalSwitch $item.Name)
}
# Create a new NSX Firewall Section to hold the bubble rules
write-host -ForegroundColor cyan "Creating Firewall Section" $sec_name
$section = New-NsxFirewallSection -name $sec_name
write-host -ForegroundColor cyan "Creating Rules in Section" $sec_name
<# Three rules implement the bubble: deny SG -> any, deny any -> SG, and
allow SG -> SG. DFW rules are matched top-down, so the allow rule only takes
effect if it ends up above the two deny rules; the final order depends on
where New-NsxFirewallRule inserts each rule (PowerNSX's default position) --
verify the resulting section order in the DFW after running. #>
$rule = Get-NsxFirewallSection $section.name | New-NsxFirewallRule -Name `
"$sg_name -> any - deny" -Source $sg `
-Action 'deny'
write-host -ForegroundColor yellow "Rule ID" $rule.id "created"
$rule = Get-NsxFirewallSection $section.name | New-NsxFirewallRule -Name `
"any -> $sg_name - deny" `
-Destination $sg `
-Action 'deny'
write-host -ForegroundColor yellow "Rule ID" $rule.id "created"
$rule = Get-NsxFirewallSection $section.name | New-NsxFirewallRule -Name `
"$sg_name -> $sg_name - allow" -Source $sg `
-Destination $sg `
-Action 'allow'
write-host -ForegroundColor yellow "Rule ID" $rule.id "created"