Network, security group, and load balancer resource examples in Automation Assembler

You can use networking, security, and load balancer resources and settings in Automation Assembler cloud templates. For a summary of cloud template code options, see VMware Aria Automation Resource Type Schema. These examples illustrate network, security, and load balancer resources within basic cloud template designs. Each scenario is followed by its example cloud template design code.

Networks

vSphere machine with multiple NICs connected to vSphere and NSX networks with DHCP IP assignment.

```yaml
resources:
  demo-machine:
    type: Cloud.vSphere.Machine
    properties:
      image: ubuntu
      flavor: small
      networks:
        - network: ${resource["demo-vSphere-Network"].id}
          deviceIndex: 0
        - network: ${resource["demo-NSX-Network"].id}
          deviceIndex: 1
  demo-vSphere-Network:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
  demo-NSX-Network:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
```
NSX private network using the vlanIds property to specify an array of 3 VLANs: 123, 456, and 7.

```yaml
formatVersion: 1
inputs: {}
resources:
  Cloud_Machine_1:
    type: Cloud.Machine
    properties:
      image: test
      flavor: test
      networks:
        - network: '${resource.Cloud_NSX_Network_1.id}'
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: private
      vlanIds:
        - 123
        - 456
        - 7
```
Add a private network with a static IP address for an Azure VM deployment.

```yaml
formatVersion: 1
inputs: {}
resources:
  Cloud_Azure_Machine_1:
    type: Cloud.Machine
    properties:
      image: photon
      flavor: Standard_B1ls
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          assignment: static
          address: 10.0.0.45
          assignPublicIpAddress: false
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing
```
You can use a static IP assignment with VMware Aria Automation IPAM (either the internal IPAM supplied with VMware Aria Automation, or an external IPAM based on the VMware Aria Automation IPAM SDK, such as one of the Infoblox plug-ins available in the VMware Marketplace). Other uses of assignment: static are not supported, as described in the Caveats section of More about network resources in VMware Aria Automation cloud templates.

```yaml
resources:
  demo_vm:
    type: Cloud.vSphere.Machine
    properties:
      image: 'photon'
      cpuCount: 1
      totalMemoryMB: 1024
      networks:
        - network: ${resource.demo_nw.id}
          assignment: static
  demo_nw:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
```
Add or edit NAT and DNAT port forwarding rules in a Cloud.NSX.NAT resource for an existing deployment.

```yaml
resources:
  gw:
    type: Cloud.NSX.Gateway
    properties:
      networks:
        - ${resource.akout.id}
  nat:
    type: Cloud.NSX.Nat
    properties:
      networks:
        - ${resource.akout.id}
      natRules:
        - translatedInstance: ${resource.centos.networks[0].id}
          index: 0
          protocol: TCP
          kind: NAT44
          type: DNAT
          sourceIPs: any
          sourcePorts: 80
          translatedPorts: 8080
          destinationPorts: 8080
          description: edit
        - translatedInstance: ${resource.centos.networks[0].id}
          index: 1
          protocol: TCP
          kind: NAT44
          type: DNAT
          sourceIPs: any
          sourcePorts: 90
          translatedPorts: 9090
          destinationPorts: 9090
          description: add
      gateway: ${resource.gw.id}
  centos:
    type: Cloud.vSphere.Machine
    properties:
      image: WebTinyCentOS65x86
      flavor: small
      customizationSpec: Linux
      networks:
        - network: ${resource.akout.id}
          assignment: static
  akout:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
      constraints:
        - tag: nsxt-nat-1-M2
```
Configure a public cloud machine to use an internal IP instead of a public IP. This example uses a specific network ID.

Note: The network: option is used in the networks: setting to specify a target network ID. The name: option in the networks: setting has been deprecated and should not be used.

```yaml
resources:
  wf_proxy:
    type: Cloud.Machine
    properties:
      image: ubuntu 16.04
      flavor: small
      constraints:
        - tag: 'platform:vsphere'
      networks:
        - network: '${resource.wf_net.id}'
          assignPublicIpAddress: false
```
Routed network using the NSX network resource type.

```yaml
Cloud_NSX_Network_1:
  type: Cloud.NSX.Network
  properties:
    networkType: routed
```
Add a tag to a machine NIC resource in the cloud template.

```yaml
formatVersion: 1
inputs: {}
resources:
  Cloud_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      flavor: small
      image: ubuntu
      networks:
        # network: references the network resource ID; the name: option is deprecated
        - network: '${resource.Cloud_Network_1.id}'
          deviceIndex: 0
          tags:
            - key: 'nic0'
              value: null
            - key: internal
              value: true
        - network: '${resource.Cloud_Network_2.id}'
          deviceIndex: 1
          tags:
            - key: 'nic1'
              value: null
            - key: internal
              value: false
```
Tag NSX-T logical switches for an outbound network. Tagging is supported for NSX-T and VMware Cloud on AWS. For more information on this scenario, see the community blog post Creating Tags in NSX.

```yaml
Cloud_NSX_Network_1:
  type: Cloud.NSX.Network
  properties:
    networkType: outbound
    tags:
      - key: app
        value: opencart
```

Security groups

Existing security group with a constraint tag applied to a machine NIC.

To use an existing security group, enter existing for the securityGroupType property.

You can assign tags to a Cloud.SecurityGroup resource to allocate existing security groups by using tag constraints. Security groups that do not contain tags cannot be used in the cloud template design.

Constraint tags must be set for securityGroupType: existing security group resources. Those constraints must match the tags set on the existing security groups. Constraint tags cannot be set for securityGroupType: new security group resources.

```yaml
formatVersion: 1
inputs: {}
resources:
  allowSsh_sg:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: existing
      constraints:
        - tag: allowSsh
  compute:
    type: Cloud.Machine
    properties:
      image: centos
      flavor: small
      networks:
        - network: '${resource.prod-net.id}'
          securityGroups:
            - '${resource.allowSsh_sg.id}'
  prod-net:
    type: Cloud.Network
    properties:
      networkType: existing
```
On-demand security group with two firewall rules illustrating the Allow and Deny access options.

```yaml
resources:
  Cloud_SecurityGroup_1:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      rules:
        - ports: 5000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Allow
          direction: inbound
          name: allow_5000
          protocol: TCP
        - ports: 7000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Deny
          direction: inbound
          name: deny_7000
          protocol: TCP
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      image: photon
      cpuCount: 1
      totalMemoryMB: 256
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          assignIPv6Address: true
          assignment: static
          securityGroups:
            - '${resource.Cloud_SecurityGroup_1.id}'
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing
```
Complex cloud template with 2 security groups, including:
  • 1 existing security group
  • 1 on-demand security group with multiple firewall rule examples
  • 1 vSphere machine
  • 1 existing network

This sample illustrates different combinations of protocols and ports, services, IP CIDR as source and destination, IP range as source or destination, and the any and IPv6 (::/0) options.

For machine NICs, you can specify the connected network and security group(s). You can also specify the NIC index or an IP address.

```yaml
formatVersion: 1
inputs: {}
resources:
  DEMO_ESG:                          # existing security group (security group 1)
    type: Cloud.SecurityGroup
    properties:
      constraints:
        - tag: BlockAll
      securityGroupType: existing    # designation of existing for security group 1
  DEMO_ODSG:                         # on-demand security group (security group 2)
    type: Cloud.SecurityGroup
    properties:
      rules:                         # multiple firewall rules in this section
        - name: IN-ANY               # rule 1
          source: any
          service: any
          direction: inbound
          access: Deny
        - name: IN-SSH               # rule 2
          source: any
          service: SSH
          direction: inbound
          access: Allow
        - name: IN-SSH-IP            # rule 3
          source: 33.33.33.1-33.33.33.250
          protocol: TCP
          ports: 223
          direction: inbound
          access: Allow
        - name: IPv-6-ANY-SOURCE     # rule 4
          source: '::/0'
          protocol: TCP
          ports: 223
          direction: inbound
          access: Allow
        - name: IN-SSH-IP            # rule 5
          source: 44.44.44.1/24
          protocol: UDP
          ports: 22-25
          direction: inbound
          access: Allow
        - name: IN-EXISTING-SG       # rule 6
          source: '${resource["DEMO_ESG"].id}'
          protocol: ICMPv6
          direction: inbound
          access: Allow
        - name: OUT-ANY              # rule 7
          destination: any
          service: any
          direction: outbound
          access: Deny
        - name: OUT-TCP-IPv6         # rule 8
          destination: '2001:0db8:85a3::8a2e:0370:7334/64'
          protocol: TCP
          ports: 22
          direction: outbound
          access: Allow
        - name: IPv6-ANY-DESTINATION # rule 9
          destination: '::/0'
          protocol: UDP
          ports: 23
          direction: outbound
          access: Allow
        - name: OUT-UDP-SERVICE      # rule 10
          destination: any
          service: NTP
          direction: outbound
          access: Allow
      securityGroupType: new         # designation of on-demand for security group 2
  DEMO_VC_MACHINE:                   # machine resource
    type: Cloud.vSphere.Machine
    properties:
      image: PHOTON
      cpuCount: 1
      totalMemoryMB: 1024
      networks:                      # machine network NICs
        - network: '${resource.DEMO_NETWORK.id}'
          securityGroups:
            - '${resource.DEMO_ODSG.id}'
            - '${resource.DEMO_ESG.id}'
  DEMO_NETWORK:                      # network resource
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
      constraints:
        - tag: nsx62
```
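The constraint-tag rules stated above (an existing security group needs a matching constraint tag, a new one must not carry any), the note under Networks that name: on a NIC is deprecated in favour of network:, and the default-deny IN-ANY pattern in this example can all be checked before a template is imported. The following Python is an added example and is not code from VMware Aria Automation; it assumes the template has already been loaded into a dict with a YAML parser such as yaml.safe_load(), and its inbound any/any Allow check is a house rule, not a product constraint.

```python
# Added example, not from the VMware Aria Automation docs: a small linter for
# the cloud template conventions this page states. It takes the template in
# the dict form that yaml.safe_load() returns; SAMPLE_TEMPLATE is constructed
# here (not a template from the page) with one deliberate issue per check.
WIDE_OPEN = ("any", "0.0.0.0/0", "::/0")

def lint_template(template):
    """Return (resource name, message) findings for security-relevant issues."""
    findings = []
    for name, res in template.get("resources", {}).items():
        props = res.get("properties", {})
        if res.get("type") == "Cloud.SecurityGroup":
            sg_type = props.get("securityGroupType")
            has_tags = bool(props.get("constraints"))
            # Existing groups are selected by constraint tags; new ones must not carry any.
            if sg_type == "existing" and not has_tags:
                findings.append((name, "existing security group has no constraint tag"))
            if sg_type == "new" and has_tags:
                findings.append((name, "constraint tags are not allowed on a new security group"))
            for rule in props.get("rules") or []:
                # House rule (an assumption, not a product check): an inbound Allow of
                # any service from any source defeats the default-deny IN-ANY pattern.
                if (rule.get("direction") == "inbound" and rule.get("access") == "Allow"
                        and rule.get("source") in WIDE_OPEN and rule.get("service") == "any"):
                    findings.append((name, f"rule {rule.get('name')} allows any service from any source"))
        elif str(res.get("type", "")).endswith("Machine"):
            for nic in props.get("networks") or []:
                # name: on a NIC is deprecated; network: must reference the network resource ID.
                if "name" in nic and "network" not in nic:
                    findings.append((name, "NIC uses deprecated name:; use network: with the network ID"))
    return findings

SAMPLE_TEMPLATE = {
    "formatVersion": 1,
    "resources": {
        "ssh_sg": {"type": "Cloud.SecurityGroup",
                   "properties": {"securityGroupType": "existing"}},  # no constraint tag
        "app_sg": {"type": "Cloud.SecurityGroup",
                   "properties": {"securityGroupType": "new",
                                  "constraints": [{"tag": "nsx"}],  # not allowed on new
                                  "rules": [{"name": "IN-ANY", "source": "any", "service": "any",
                                             "direction": "inbound", "access": "Allow"},
                                            {"name": "IN-SSH", "source": "any", "service": "SSH",
                                             "direction": "inbound", "access": "Allow"}]}},
        "web": {"type": "Cloud.vSphere.Machine",
                "properties": {"networks": [{"name": "${resource.net.name}", "deviceIndex": 0}]}},
        "net": {"type": "Cloud.vSphere.Network", "properties": {"networkType": "existing"}},
    },
}
```

Running lint_template(SAMPLE_TEMPLATE) reports four findings: one per security group type rule, one for the IN-ANY rule, and one for the deprecated NIC name: option.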

Load balancers

Specify a load balancer logging level, algorithm, and size. Sample NSX load balancer showing use of logging level, algorithm, and size:

```yaml
resources:
  Cloud_LoadBalancer_1:
    type: Cloud.NSX.LoadBalancer
    properties:
      name: myapp-lb
      network: '${appnet-public.name}'
      instances: '${wordpress.id}'
      routes:
        - protocol: HTTP
          port: '80'
      loggingLevel: CRITICAL
      algorithm: LEAST_CONNECTION
      type: MEDIUM
```
Associate a load balancer with a named machine or a named machine NIC. You can specify either a machine ID or a machine network ID to add the machine to the load balancer pool. The instances property supports both machines (machine by ID) and NICs (machine by network ID).

In the first example, the deployment uses the machine by ID setting to load balance the machine when it is deployed on any network. In the second example, the deployment uses the machine by network ID setting to load balance the machine only when the machine is deployed on the named machine NIC. The third example shows both settings used in the same instances option.

You can use the instances property to define a machine ID or a machine network ID:

  • Machine ID:

```yaml
Cloud_LoadBalancer_1:
  type: Cloud.LoadBalancer
  properties:
    network: '${resource.Cloud_Network_1.id}'
    instances: '${resource.Cloud_Machine_1.id}'
```

  • Machine network ID:

```yaml
Cloud_LoadBalancer_1:
  type: Cloud.LoadBalancer
  properties:
    network: '${resource.Cloud_Network_1.id}'
    instances: '${resource.Cloud_Machine_1.networks[0].id}'
```

  • One machine specified for load balancer inclusion and another machine NIC specified for load balancer inclusion:

```yaml
instances:
  - '${resource.Cloud_Machine_1.id}'
  - '${resource.Cloud_Machine_2.networks[2].id}'
```
Add health check settings to an NSX load balancer. Additional options include httpMethod, requestBody, and responseBody.

```yaml
myapp-lb:
  type: Cloud.NSX.LoadBalancer
  properties:
    name: myapp-lb
    network: '${appnet-public.name}'
    instances: '${wordpress.id}'
    routes:
      - protocol: HTTP
        port: '80'
        algorithm: ROUND_ROBIN
        instanceProtocol: HTTP
        instancePort: '80'
        healthCheckConfiguration:
          protocol: HTTP
          port: '80'
          urlPath: /mywordpresssite/wp-admin/install.php
          intervalSeconds: 60
          timeoutSeconds: 10
          unhealthyThreshold: 10
          healthyThreshold: 2
        connectionLimit: '50'
        connectionRateLimit: '50'
        maxConnections: '500'
        minConnections: ''
    internetFacing: true
```
On-demand network with a 1-arm load balancer.

```yaml
inputs: {}
resources:
  mp-existing:
    type: Cloud.Network
    properties:
      name: mp-existing
      networkType: existing
  mp-wordpress:
    type: Cloud.vSphere.Machine
    properties:
      name: wordpress
      count: 2
      flavor: small
      image: tiny
      customizationSpec: Linux
      networks:
        - network: '${resource["mp-private"].id}'
  mp-private:
    type: Cloud.NSX.Network
    properties:
      name: mp-private
      networkType: private
      constraints:
        - tag: nsxt
  mp-wordpress-lb:
    type: Cloud.LoadBalancer
    properties:
      name: wordpress-lb
      internetFacing: false
      network: '${resource.mp-existing.id}'
      instances: '${resource["mp-wordpress"].id}'
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.pl
            intervalSeconds: 60
            timeoutSeconds: 30
            unhealthyThreshold: 5
            healthyThreshold: 2
```
Existing network with a load balancer.

```yaml
formatVersion: 1
inputs:
  count:
    type: integer
    default: 1
resources:
  ubuntu-vm:
    type: Cloud.Machine
    properties:
      name: ubuntu
      flavor: small
      image: tiny
      count: '${input.count}'
      networks:
        - network: '${resource.Cloud_NSX_Network_1.id}'
  Provider_LoadBalancer_1:
    type: Cloud.LoadBalancer
    properties:
      name: OC-LB
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.html
            intervalSeconds: 60
            timeoutSeconds: 5
            unhealthyThreshold: 5
            healthyThreshold: 2
      network: '${resource.Cloud_NSX_Network_1.id}'
      internetFacing: false
      instances: '${resource["ubuntu-vm"].id}'
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: existing
      constraints:
        - tag: nsxt24prod
```

Learn more

Related information is available in the following VMware blogs: