Using VMware Cloud on AWS SDDC-Group APIs (Part 4)

-

Gilles Chekroun


Lead VMware Cloud on AWS Solutions Architect
---


Following the Part1,  Part2 and Part3 I am adding now more description and use of SDDC Grouping APIs.
In this article, I will focus on:
  • Add/Remove Direct Connect Gateway Association
  • Detailed SDDC Group info
  • Static vTGW routes for VPCs

Add Direct Connect Gateway Association

On AWS Console, create a DX Gateway

and note the DXGW ID for the config.ini parameters
The SDDC Grouping API for DXGW Association is:
A code example would be: 
def attach_dxgw(routes, resource_id, org_id, dxgw_owner, dxgw_id, region, session_token):
    myHeader = {'csp-auth-token': session_token}
    myURL = "{}/network/{}/aws/operations".format(BaseURL, org_id)
    body = {
        "type": "ASSOCIATE_DIRECT_CONNECT_GATEWAY",
        "resource_id": resource_id,
        "resource_type": "network-connectivity-config",
        "config" : {
            "type": "AwsAssociateDirectConnectGatewayConfig",
            "direct_connect_gateway_association": {
                "direct_connect_gateway_id": dxgw_id,
                "direct_connect_gateway_owner": dxgw_owner,
                "peering_region_configs": [
                    {
                    "allowed_prefixes": routes,
                    "region": region
                    }
                ]
            }
        }
    }    
    response = requests.post(myURL, json=body, headers=myHeader)  
    json_response = response.json()
    task_id = json_response ['id']
    return task_id

Note the "type" of "ASSOCIATE_DIRECT_CONNECT_GATEWAY" and "config" "type" of "AwsAssociateDirectConnectGatewayConfig"
The vtc.py will use the option attach-dxgw

% python vtc.py attach-dxgw

===== Add DXGW Association =========

1: SDDC-Group_API: 31bbd613-e3a0-431b-a287-6c25d99e5786

2: API-test: 53dd006c-932a-47da-87aa-7aeb45ab07bb

3: Test-Terraform: cac26ea6-91c3-4cd9-acdb-3467e1495fec

4: Prod_VTGW: e0396f55-d4df-43dc-9fb1-66dea8a8a4d0

   Select SDDC Group: 1

   Enter route(s) to add (space separated): 10.100.0.0/16 10.200.0.0/16

PENDING

....

FINISHED in 00min 10sec

(vmc) gilleschekroun@Gilles-MBP VTCtests % 


VMC Console displays:
Note the Status "REQUESTED". That means the Customer should go to AWS Console and accept the Proposed Association . . . 
. . . and eventually add more prefixes there.

After a few minutes, the TGW association is ready with 3 prefixes.

Detailed SDDC Group Info

Using the "network-connectivity-configs" API and all "traits" we can get a complete view of the SDDC Group Networking
The vtc.py will use that and the option is get-group-info

% python vtc.py get-group-info

===== SDDC Group info =========

1: SDDC-Group_API: 31bbd613-e3a0-431b-a287-6c25d99e5786

2: API-test: 53dd006c-932a-47da-87aa-7aeb45ab07bb

3: Test-Terraform: cac26ea6-91c3-4cd9-acdb-3467e1495fec

4: Prod_VTGW: e0396f55-d4df-43dc-9fb1-66dea8a8a4d0

   Select SDDC Group: 1


ORG ID      : 7421a286-f7bf-4f34-8567-779b83d75fb5

SDDC Group

==========

    Name      : SDDC-Group_API

    Group ID  : 31bbd613-e3a0-431b-a287-6c25d99e5786

    Creator   : gchekroun@vmware.com

    Date/Time : 2021-03-22T08:25:20.703162Z

SDDCs

=====

    SDDC_ID 1: 56357a86-64af-4e0e-9cd3-6683c6862b4f

Transit Gateway

===============

    TGW_ID    : tgw-07945840e529fe4cd

    Region    : US West (Oregon)

AWS info

========

    AWS Account  : 0631xxxxxxxx

    RAM Share ID : VMC-Group-8e9f8eb8-8247-4a64-852c-75337e6f0d8d

    Status       : ASSOCIATED

    VPC 1        :vpc-057a6843d429a93bb

        State         : AVAILABLE

        Attachment    : tgw-attach-09ed28712fbebcb0e

        Static Routes : 172.172.0.0/16, 1.1.0.0/16, 2.2.0.0/16

DX Gateway

==========

    DXGW ID   : 222fa2fb-a12f-48ff-b9a0-f08f4f789ea7

    DXGW Owner: 0631xxxxxxxx

    Status    : CONNECTED

    Prefixes  : 10.100.0.0/16, 10.210.0.0/16, 10.200.0.0/16

(vmc) gilleschekroun@Gilles-MBP VTCtests % 


Remove Direct Connect Gateway Association

Similarly, for removing a DXGW association we would use the following API:
A code example would be: 
def detach_dxgw(resource_id, org_id, dxgw_id, session_token):
    myHeader = {'csp-auth-token': session_token}
    myURL = "{}/network/{}/aws/operations".format(BaseURL, org_id)
    body = {
        "type": "DISASSOCIATE_DIRECT_CONNECT_GATEWAY",
        "resource_id": resource_id,
        "resource_type": "network-connectivity-config",
        "config" : {
            "type": "AwsDisassociateDirectConnectGatewayConfig",
            "direct_connect_gateway_association": {
                "direct_connect_gateway_id": dxgw_id
            }
        }
    }    
    response = requests.post(myURL, json=body, headers=myHeader)  
    json_response = response.json()
    task_id = json_response ['id']
    return task_id
Note the "type" of "DISASSOCIATE_DIRECT_CONNECT_GATEWAY" and "config" "type" of "AwsDisassociateDirectConnectGatewayConfig"
This Operation takes quite a while (8-10 mins) . . . be patient.
The vtc.py will use the option detach-dxgw

% python vtc.py detach-dxgw   

===== Remove DXGW Association =========

1: SDDC-Group_API: 31bbd613-e3a0-431b-a287-6c25d99e5786

2: API-test: 53dd006c-932a-47da-87aa-7aeb45ab07bb

3: Test-Terraform: cac26ea6-91c3-4cd9-acdb-3467e1495fec

4: Prod_VTGW: e0396f55-d4df-43dc-9fb1-66dea8a8a4d0

   Select SDDC Group: 1

PENDING

......................................................................................................................................................................................................

FINISHED in 08min 38sec

% 

VMware Managed TGW Routes

Within vTGW there are 2 route Domains:
  • Members
  • External
Members route domain: Routes to all SDDCs, VPCs and Direct Connect Gateways.
External  route domain: Routes only to SDDCs 
The API for routes is returning the Domain IDs and then we need to use that ID to get the specific routes.

Code example:
def get_route_tables(resource_id, org_id, session_token):
    myHeader = {'csp-auth-token': session_token}
    myURL = "{}/network/{}/core/network-connectivity-configs/{}/route-tables".format(BaseURL, org_id, resource_id)
    response = requests.get(myURL, headers=myHeader)
    json_response = response.json()
    if  not json_response['content']: 
        print("    Routing Tables empty")
    else:    
        members_id = json_response['content'][0]['id']
        external_id = json_response['content'][1]['id']

        myURL = "{}/network/{}/core/network-connectivity-configs/{}/route-tables/{}/routes".format(BaseURL, org_id, resource_id, members_id)  
        response = requests.get(myURL, headers=myHeader)
        json_response = response.json()
        print("     Members route domain: Routes to all SDDCs, VPCs and Direct Connect Gateways")
        for i in range(len(json_response['content'])):
            print("\tDestination: " + json_response['content'][i]['destination'] + "\t\tTarget: " + json_response['content'][i]['target']['id'])

        myURL = "{}/network/{}/core/network-connectivity-configs/{}/route-tables/{}/routes".format(BaseURL, org_id, resource_id, external_id)  
        response = requests.get(myURL, headers=myHeader)
        json_response = response.json()
        print("     External (VPC and Direct Connect Gateway) route domain: Routes only to member SDDCs")
        for i in range(len(json_response['content'])):
            print("\tDestination: " + json_response['content'][i]['destination'] + "\t\tTarget: " + json_response['content'][i]['target']['id'])
    return
The vtc.py will use the option get-routes

% python vtc.py get-routes  

===== Get TGW route tables =========

1: SDDC-Group_API: 31bbd613-e3a0-431b-a287-6c25d99e5786

2: API-test: 53dd006c-932a-47da-87aa-7aeb45ab07bb

3: Test-Terraform: cac26ea6-91c3-4cd9-acdb-3467e1495fec

4: Prod_VTGW: e0396f55-d4df-43dc-9fb1-66dea8a8a4d0

   Select SDDC Group: 1

    Members route domain: Routes to all SDDCs, VPCs and Direct Connect Gateways

       Destination: 1.1.0.0/16 Target: vpc-057a6843d429a93bb

       Destination: 172.172.0.0/16 Target: vpc-057a6843d429a93bb

       Destination: 2.2.0.0/16 Target: vpc-057a6843d429a93bb

External (VPC and Direct Connect Gateway) route domain: Routes only to member SDDCs

%
Recap of all vtc.py options:

% python vtc.py           


Please give an argument like:


SDDC-Group Operations:

    create-sddc-group [name]

    delete-sddc-group

    get-group-info


SDDC Operations:

    get-sddc-info

    attach-sddc

    detach-sddc 


AWS Operations:

    connect-aws

    disconnect-aws


VPC Operations:

    attach-vpc

    detach-vpc

    vpc-prefixes


DXGW Operations:

    attach-dxgw

    detach-dxgw


TGW Operations:

    get-routes


%

Code available in my Github here

Thanks for reading.

Comments

Post a Comment

Populars

Egress VPC and AWS Transit Gateway (Part1)

-
Image
Gilles Chekroun
 Lead VMware Cloud on AWS Solutions Architect --- Usually my blog posts are customer driven and recently I have been working on a design that would include an Egress VPC and AWS Transit Gateway. This customer is going to use both VMware Managed Transit Gateway and also AWS Transit Gateway. I will split this post in 3 parts: The Egress VPC - this article Adding a VMC SDDC to the Egress VPC here Adding VMware Managed Transit Gateway here Why do we need an Egress VPC? Numerous posts on AWS site  will describe how to build an Egress VPC and the subtleties of the various route tables of the TGW and the Egress VPC itself. The main goal is to have ONE Internet gateway only  that will allow workloads to go out to internet on the Egress VPC. One of the most important point is redundancy and multi-availability zones. Applications usually reside in private subnets, while NAT Gateways reside in a public subnet. NAT Gateways To focus the Internet access to a single point, we can cre
Read more

AWS Transitive routing with Transit Gateways in the same region

-
Image
Gilles Chekroun Lead VMware Cloud on AWS Specialist --- At the AWS Re:invent 2019 conference, the long waited TGW peering functionality was announced and available in a few AWS regions. This is an INTER-REGION peering only meaning that the Transit Gateways need to be in different regions. Hoping that AWS will soon release an INTRA-REGION capability I discussed with a few AWS Solutions Architects in Las Vegas, among them Tom Adamski , about using a VPC as a bridge between two TGWs in the same region. Tom assured me that it is possible opening for the first time the transitive routing capability in AWS networking. Well . . . I needed to test that and see by myself. Test bed For a simple test, I will use 2 TGWs in the same regions with 2 VPCs attached each and another VPC as "bridge" connected to both TGWs. Yes you can connect a VPC up to 5 TGWs . The whole idea is to use this "bridging VPC" and point the default route of the TGWs to it. To do that I c
Read more

Build a VMware Cloud on AWS Content Library using AWS S3

-
Image
Gilles Chekroun Lead NSX Systems Engineer - VMware Europe --- What is a Content Library? DISCLAIMER: External content libraries are not supported by VMware GSS ! vSphere Content Library is a repository where you can store VM templates, vApp templates and other kind of files like ISO.  Administrators can use the templates to deploy VMs and vApps. Each item library can contain multiple files. The basis is  .ovf   together with the description files like .mf and .vmdk If you have .ova files, you can simply un-compress them using the linux command:  tar -xvf SomeFile.ova There are two kind of Libraries: Local and Subscribed. Local Library Local Library stores items in a single vCenter. VM and vApp templates are stored as OVF file format. Subscribed Library You can create a Subscribed Library in the same vCenter and to ensure the content is up-to-date, the library can automatically sync with the source on a regular basis. You can also use the option to download co
Read more