Using VMware Cloud on AWS SDDC-Group APIs (Part 1)

-

Gilles Chekroun


Lead VMware Cloud on AWS Solutions Architect
---
Following the article on SDDC Grouping here, VMware has now a bunch of APIs to drive the VMware Transit Connect. 
All APIs documentation are in the VMware Cloud on AWS Developer Center 

API Explorer

The API Explorer tab has 3 main topics:
  • Cloud Services Platform
  • VMware Cloud
  • VMware Cloud on AWS
The Cloud Service Platform (CSP) is needed for User Authentication. The user needs to have a valid API Token to be able to generate a session token that can be used for API calls.
The API used for that is:
Note the "Base URL" 
https://console.cloud.vmware.com/csp/gateway
that needs to front end the API URL. This will exchange an ORG based API Token to a user access token that is needed for EVERY API call.

The VMware Cloud section is the one that we need for anything related to SDDC Grouping.
There are 2 sections:
  • Inventory
  • Network
The Inventory will allow you, for example, to get a list of SDDCs in that ORG using:
Note the "Base URL" 
https://vmc.vmware.com/api
that here also, needs to front end any API URL.
You can execute the API call directly from the console.
WARNING - BE CAREFUL, all APIs executed from the API Explorer are done against your live environment, please execute with caution. 
Scrolling down will show you an EXECUTE Button and the API response in the console like:
Here we can see that we have 4 SDDCs in our ORG.
Every main section in the API response is expandable. For example if I click on Deployment (M15-SDDC), I will get more details about that SDDC.
The Network section is where we are going to focus for the SDDC Grouping.

Create an SDDC Group

To create an SDDC group and attach one or more SDDC, we need to use the following API:
Fill the requested body with a description, a name for the SDDC group and the SDDC ID or list of IDs to attach and click EXECUTE
This operation will create the SDDC Group and attach "M15-SDDC"

Asynchronous Operations

One VERY Important point is that the SDDC Group creation also create the VMware managed TGW and that takes time.
It is mandatory to check the Operation Completion and make sure it has a status of COMPLETED.
After every API call in that group, an "Operation ID" is returned.
To monitor the completion of the task, the following API should be used:
This API can NOT be used in the console since we don't have the "operation_id"
The "operation_id" is a parameter that is in the JSON response of the SDDC Group creation API and in fact with any VMC API call.
When using Python to call the APIs, it's simple to return the operation_id in the function. For example:
def create_sddc_group(name, deployment_id, org_id, session_token):
    myHeader = {'csp-auth-token': session_token}
    myURL = "{}/network/{}/core/network-connectivity-configs/
    create-group-network-connectivity".format(BaseURL, org_id)
    body = {
        "name": name,
        "description": name,
        "members": [
            {
                "id": deployment_id
            }
        ]
    }
    response = requests.post(myURL, json=body, headers=myHeader)
    json_response = response.json()
    task_id = json_response ['operation_id']
    return task_id
The function returns the task_id which is the operation_id in the API JSON response
Then I am using another function that will loop on the status of the Task and wait for it to be "COMPLETED" or "FAILED"
def get_task_status(task_id, org_id, session_token):
    myHeader = {'csp-auth-token': session_token}
    myURL = "{}/operation/{}/core/operations/{}".format(BaseURL, org_id, task_id)
    response = requests.get(myURL, headers=myHeader)
    json_response = response.json()
    status = json_response ['state']['name']
    print(status)
    start = time.time()
    while(status != "COMPLETED"):
        sys.stdout.write(".")
        sys.stdout.flush()
        time.sleep(2)
        response = requests.get(myURL, headers=myHeader)
        json_response = response.json()
        status = json_response ['state']['name']
        if status == "FAILED":
            print("\nTask FAILED ")
            print(json_response['error_message'])
            break
    elapse = time.time() - start
    minutes = elapse // 60
    seconds = elapse - (minutes * 60)
    print("\nFINISHED in", '{:02}min {:02}sec'.format(int(minutes), int(seconds)))
    return

This will print dots "." every 2 seconds and stamp the total time it takes to complete.
 

% python vtc.py 


Please give an argument like:

    create-sddc-group [name]


% python vtc.py create-sddc-group SDDC-Group_API


=====Creating SDDC Group=========

PENDING

...................................................................................

FINISHED in 03min 33sec

% 


Next Steps

I will add more functionality to the vtc.py program that you can download here.

Thanks for reading.

Comments

  1. AnonymousOctober 28, 2022 at 5:47 PM

    I don't see core-operation in the API Explorer Inventory section. Has that been removed?

    ReplyDelete
    Replies
    1. Gilles ChekrounOctober 31, 2022 at 9:45 AM

      why are you "anonymous" ?? tell me who you are and I will answer

      Delete
    2. AnonymousNovember 1, 2022 at 7:24 PM

      Hi Gilles, my name is Ryan and I work for a VMware partner focusing on VMC. A project I'm currently working on requires PowerShell code to preform some of the tasks that are included in vtc.py. I haven't stepped up to Python yet and do all my VMC automation with PowerShell and PowerCLI. Your blog and vtc.py have given me a much better understanding of working with APIs in VMC. As for my original question, I don't see the core-operation section in the API explorer but ended up finding out that the URL to poll SDDC group creation status works fine. I'll try to connect on LinkedIn and you can message me if you're curious about any other details on my current project. Thanks for the very informative blog!

      Delete
    3. GillesNovember 2, 2022 at 9:56 AM

      Yes indeed it disappeared - i have reported that internally at VMware. The API url is still OK and you saw it in the blog or in VTC.PY. By the way I have updated VTC.PY recently to include External TGW functions.

      Delete
  2. Gilles ChekrounOctober 31, 2022 at 9:44 AM

    This comment has been removed by the author.

    ReplyDelete

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more

Costs analysis for Data Transfer via VMware Managed TGW

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Every customer design is different but all of them should include a costs analysis specifically when using VMware managed Transit Gateway or AWS Transit Gateway. The AWS page here has very useful information for us to be able to understand costs. Transit Gateway Costs TGW pricing is split in 2 components: A fixed price for infrastructure connectivity per hour. Depending on the attachments, various account owners are charged.  A variable price for processing data via the TGW. Price is per GB. The sending account is charged. Prices depend on regions and range from $0.05 to $0.09 per attachment per hour. Who is charged? See AWS page VPC attachments The VPC account owner is charged and is billed hourly. VPN attachments The TGW account owner is billed hourly. Site-to-Site VPN connection pricing still applies in addition to the VPN TGW attachments. Direct Connect Gateway attachments The DXGW account owner is billed hourly.
Read more