Monday, March 28, 2022

NSX-T resources in VMC


We will create some NSX components in VMC via Terraform.


1.1. Segments

You have to use the resource nsxt_policy_fixed_segment. If you try to use the normal resource from on-premises NSX-T, it will not work in VMC and you will get an error.


# you can replace the variables with names or numbers as you like

resource "nsxt_policy_fixed_segment" "projectLSW" {
  display_name      = "LSW-VMC-${var.lswNumber}-01"
  connectivity_path = var.connectivity_path

  subnet {
    cidr = var.subnet
  }
  tag {
    scope = "LSW"
    tag   = "LSW-VMC-${var.lswNumber}-01"
  }
  advanced_config {
    connectivity = "ON"
  }
}


1.2. SEC Groups


Whenever you create a group in VMC, you have to specify the domain of this group. The domain will be either cgw or mgw:

cgw: used for compute groups, which are referenced in the compute gateway FW rules.

mgw: used for management groups, which are referenced in the management gateway FW rules.


# the below SEC group will have the LSW as a member (it matches the tag we are applying on the segment)

resource "nsxt_policy_group" "projectSG" {
  display_name = "SG-VMC-VPC-${var.lswNumber}"
  domain       = "cgw"
  criteria {
    condition {
      key         = "Tag"
      member_type = "Segment"
      operator    = "EQUALS"
      value       = "LSW-VMC-${var.lswNumber}-01"
    }
  }
}


1.3. IP SET

# NSX-T is unlike NSX-V: you have to create a SEC group and put your subnet as a member of it, because there is no option to create an IPSET directly


resource "nsxt_policy_group" "SG-IPSET-5_5_5_5_32-To-VPC-7e" {
  display_name = "SG-IPSET-5_5_5_5_32-To-VPC-7e"
  domain       = "cgw"
  criteria {
    ipaddress_expression {
      ip_addresses = ["5.5.5.5"]
    }
  }
}



1.4. Service


resource "nsxt_policy_service" "SRV-TCP-P-4444" {
  display_name = "SRV-TCP-P-4444"

  l4_port_set_entry {
    display_name      = "SRV-TCP-P-4444"
    protocol          = "TCP"
    destination_ports = ["4444"]
  }
}




1.5. SEC TAG


# I am using a dummy VM here to apply all the NSX-T tags to, because if a tag is not applied on any resource, NSX will delete it automatically


resource "nsxt_policy_vm_tags" "projectTAGs" {
  instance_id = var.vmBIOS

  tag {
    scope = "FWP"
    tag   = "FWP-${var.lswNumber}-Dummy"
  }
}



1.6. FW Policy


Whenever you create a FW policy, you have to specify the domain of the policy. The domain will be either cgw or mgw.


resource "nsxt_policy_security_policy" "projectFWP" {
  display_name = "FWP-VPC-${var.lswNumber}"
  category     = "Application"
  scope        = [nsxt_policy_group.projectSG.path]
  domain       = "cgw"
  locked       = false
  stateful     = true
  tcp_strict   = false
}
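As an added example (not code from the original post), here is a policy that wires together the segment group, the IPSET group and the service defined above through rule blocks: one rule allows only the IPSET group to reach the segment group on TCP/4444, and a final rule drops and logs everything else. The resource name projectFWP_example is made up; the rule attributes used are those of the nsxt provider's nsxt_policy_security_policy rule block.

```terraform
# Added example: a complete policy with rules (hypothetical resource name).
# References point at the resources defined earlier on this page.
resource "nsxt_policy_security_policy" "projectFWP_example" {
  display_name = "FWP-VPC-${var.lswNumber}-example"
  category     = "Application"
  domain       = "cgw"
  scope        = [nsxt_policy_group.projectSG.path]
  locked       = false
  stateful     = true
  tcp_strict   = false

  # Least privilege: only the IPSET group may reach the segment group,
  # and only on the single service we defined (TCP/4444). Logged so that
  # allowed flows show up in the firewall log as well.
  rule {
    display_name       = "Allow-IPSET-to-VPC-${var.lswNumber}-TCP-4444"
    source_groups      = [nsxt_policy_group.SG-IPSET-5_5_5_5_32-To-VPC-7e.path]
    destination_groups = [nsxt_policy_group.projectSG.path]
    services           = [nsxt_policy_service.SRV-TCP-P-4444.path]
    action             = "ALLOW"
    direction          = "IN"
    logged             = true
  }

  # Explicit default deny for this segment group; logged so that unexpected
  # connection attempts can be detected from the firewall log.
  rule {
    display_name       = "Deny-Any-to-VPC-${var.lswNumber}"
    destination_groups = [nsxt_policy_group.projectSG.path]
    action             = "DROP"
    direction          = "IN"
    logged             = true
  }
}
```

Rules are evaluated top to bottom, so the allow rule must stay above the deny rule; the policy itself is still scoped to the segment group with `scope`, so it is only applied on the vNICs attached to that segment.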


