Channel: VMware Communities: Message List - VMware vCloud Director
Viewing all 7719 articles

Re: vCloud Director 8.20 and NSX 6.3.1 - How to disable distributed firewall for a tenant ?


I revert changes manually at the NSX level. It seems to work fine for me. You have to find a way to identify the proper rules on the Firewall tabs in NSX, because they are presented as identifiers rather than human-readable rules.


vCD PowerCLI Create an Edge Gateway


Hello,

 

I need to automate in PowerCLI one more Step during Org VDC setup, the "Edge Gateway Creation".

 

At the moment it looks like the only way to do that is directly via API (via PowerShell in my Case):

vCloud Air Documentation Center

 

Has anyone done that before in PowerCLI / PowerShell, or maybe found a better way than via API?

 

Kind Regards,

Markus

Re: vCloud Director 8.20 and NSX 6.3.1 - How to disable distributed firewall for a tenant ?


Hi,

 

First of all thanks for answering, at least someone gave feedback!!

 

It's so hard with vCloud Director and NSX to find answers to non-standard questions...

 

I'm not sure I fully understood your answer, so let me phrase my question again:

 

1) I enable Distributed Firewall on Customer X (vCloud Director tenant)

 

2) Run some test

 

3) I decide I want to disable Distributed Firewall on Customer X (vCloud Director tenant)

 

4) I'm confronted with not having a "disable" button (like the enable button which does exist to enable Distributed Firewall)

 

I delete the default rule that seems to be the only rule generated by enabling Distributed Firewall, now at this point :

 

5) Is the Distributed Firewall feature disabled for Customer X (vCloud Director tenant) ?

 

From what you are saying I understand that you are pointing me to NSX on the vSphere level, to go check on the Edge Gateway of Customer X to see if there might be some firewall rules left behind even though the Distributed Firewall screen shows me nothing, is that correct?

 

So based on your answer what I can gather is that to disable Distributed Firewall I need to delete all the firewall rules on the Distributed Firewall screen of the Edge Gateway for the tenant and also check at the NSX level if there might be some rules left, did I understand that correctly?

 

Thanks again for your feedback!

 

Regards,

Carlos.

Re: vCloud Director 8.20 and NSX 6.3.1 - How to disable distributed firewall for a tenant ?


5 - no, it's not, yet. And yes, you have to go to the vSphere NSX plugin and manually remove the rules, not on the Edge Gateway tabs but on the Firewall tab. If you remove the GUIDs from that tab and go back to the vCloud VDC and choose Manage Firewall from the context menu, the "Enable Firewall" switch is presented again.

VMware NFV certification


Is there some sort of formal VMware NFV certification for virtual network functions?

Re: vCloud Director 8.20 and NSX 6.3.1 - How to disable distributed firewall for a tenant ?


Yes!!!!

 

You hit exactly what I was looking for!

 

After removing that GUID from the vSphere NSX Firewall tab I can say that the Distributed Firewall is disabled for that Tenant!

 

I finally can say that I know how to enable and disable Distributed Firewall on a tenant

 

Thank you so much, this was just itching in my head and it was just one of the many things pending in our VMware/NSX/vCloud Director implementation that was just not clear to me how to solve.

 

One could say that it's a cumbersome way to disable it: since the enable button lives on the tenant, why not the disable button? But hey, at least now I know how to do it.

 

Thanks again, this allows me to move on to other questions (I didn't want to flood the community with many questions at the same time).

 

Regards,

Carlos!
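
Added example (not part of the posts above, and not VMware code): one way to spot the identifier-named sections this thread describes is to export the distributed firewall configuration from NSX Manager and list the sections whose name contains a GUID. The XML is a constructed sample shaped like the response of GET /api/4.0/firewall/globalroot-0/config; the function name, section ids and names are assumptions made up for illustration.

```powershell
# Constructed sample (ids, names and rules are made up). Against a real NSX Manager
# this text would be the body returned by GET /api/4.0/firewall/globalroot-0/config.
$sampleConfig = @'
<firewallConfiguration>
  <layer3Sections>
    <section id="1010" name="00000000-1111-2222-3333-444444444444">
      <rule id="1021" disabled="false"><name>tenant-default</name><action>allow</action></rule>
    </section>
    <section id="1003" name="Default Section Layer3">
      <rule id="1001" disabled="false"><name>Default Rule</name><action>allow</action></rule>
    </section>
  </layer3Sections>
  <layer2Sections>
    <section id="1001" name="Default Section Layer2">
      <rule id="1002" disabled="false"><name>Default Rule</name><action>allow</action></rule>
    </section>
  </layer2Sections>
</firewallConfiguration>
'@

# Hypothetical helper: list DFW sections whose name contains a GUID, which is how
# the sections left behind for a tenant show up on the NSX Firewall tab.
function Get-GuidNamedDfwSection {
    param(
        [Parameter(Mandatory)]
        [xml]$Config
    )
    $guidPattern = '[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
    $sections = $Config.SelectNodes('//layer3Sections/section | //layer2Sections/section')
    foreach ($section in $sections) {
        # GetAttribute is used because the XML adapter would otherwise confuse
        # the "name" attribute with the node's own Name property.
        $sectionName = $section.GetAttribute('name')
        if ($sectionName -match $guidPattern) {
            [pscustomobject]@{
                Layer     = $section.ParentNode.LocalName
                SectionId = $section.GetAttribute('id')
                Name      = $sectionName
                RuleCount = $section.SelectNodes('rule').Count
            }
        }
    }
}

# Sections listed here are the candidates to compare against the tenant's Org VDC
# before removing anything by hand in the vSphere NSX plugin.
Get-GuidNamedDfwSection -Config $sampleConfig | Format-Table -AutoSize
```
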

vCloud Director 8.20 - GUI Defect - Adding LDAP System users to Roles


Hi there,

 

Just wanted to report a minor GUI defect in vCloud Director 8.20.0.1 (Build 5439762) when adding new Users to the System Org; so vCloud Director 8.20 introduced the ability for roles to be defined at an Organizational level and not just at a Global Level which allows roles to be defined and assigned on a per Organization level (including the System Org); previously you could only add users with System Administrator role access. There is a bug in the GUI screen to add LDAP users that does not allow you to select a role:

ImportUser1.png

To work around this create the user with the System Administrator role and then Edit the user and change it to the desired role.

ImportUser2.png

Kind regards,

 

Adrian Begg

Re: vCloud Director 8.20 - GUI Defect - Adding LDAP System users to Roles


vCloud with NSX - default gateway thru tunnel possible?


Hello,

 

I'm unable to find information regarding the IPSEC functionality of vCloud/NSX. We would like to pass all traffic (default gateway) thru an IPSEC tunnel, is this possible with vCloud 8.10 and NSX 6.2.7 ?

 

Can this be done thru vCloud GUI or does it need configuration thru NSX edge GW config?

 

Kind regards,

Bastiaan

vmware-vcd-cell is dead, but pidfile exists restarting continuously


Hi All

 

During installation of vCloud Director we got this error. We did some troubleshooting with these results; does anyone have an idea why?

 

Thanks for your help


Demetrio

 

 

 

[root@vCloudC402 logs]# service vmware-vcd status

vmware-vcd-watchdog is running

vmware-vcd-cell is dead, but pidfile exists

[root@vCloudC402 logs]#

 

[root@vCloudC402 logs]# service vmware-vcd restart

Stopping vmware-vcd-watchdog: [  OK  ]

Stopping vmware-vcd-cell: [  OK  ]

Starting vmware-vcd-watchdog: [  OK  ]

Starting vmware-vcd-cell [  OK  ]

 

 

[root@Centos7-Test ~]# sqlplus "teiaxeio1/summerio@147.214.6.51:1521/AXECLOUD"

 

SQL*Plus: Release 12.1.0.2.0 Production on Tue Jun 13 15:20:03 2017

 

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

 

 

Connected to:

Oracle Database 11g Release 11.2.0.4.0 - 64bit Production

 

 

 

##vcloud-container-debug.log

 

 

2017-06-13 15:13:49,067 | INFO     | Spring Context: com.vmware.vcloud.ui.h5cellapp | BundleWarScanner | WAR Bundle found: h5-webapp - vCloud UI HTML5 Web Application (com.vmware.vcloud.h5-webapp) |

2017-06-13 15:13:49,078 | INFO     | Spring Context: com.vmware.vcloud.ui.h5cellapp | WarBundleManager | WAR Bundle: h5-webapp - vCloud UI HTML5 Web Application (com.vmware.vcloud.h5-webapp) has Context Path: /tenant |

2017-06-13 15:13:49,100 | DEBUG    | WebApp: com.vmware.vcloud.h5-webapp on: /tenant | DefaultJettyWarDeployer | Unpacking bundle h5-webapp - vCloud UI HTML5 Web Application (com.vmware.vcloud.h5-webapp) to folder [/opt/vmware/vcloud-director/tmp/jetty-tenant3165691230836904232.osgi] |

2017-06-13 15:13:49,188 | INFO     | WebApp: com.vmware.vcloud.h5-webapp on: /tenant | DefaultJettyWarDeployer        | Base resource for web application h5-webapp - vCloud UI HTML5 Web Application (com.vmware.vcloud.h5-webapp) is file:/opt/vmware/vcloud-director/tmp/jetty-tenant3165691230836904232.osgi/ |

2017-06-13 15:13:49,362 | INFO     | CellApplicationManagerImpl CellApplication starter | Html5CellApplication | Starting bundle: com.vmware.vcloud.h5-webapp |

2017-06-13 15:13:49,364 | DEBUG    | OSGI Delegator - listener dispatcher | EventHelper | Dispatcher service is unavailable. Queuing event: Event [id=43128724-90bc-4c76-808b-134a3400f6b5, timestamp=1497359629364, type=com/vmware/vcloud/event/cell/modify, serviceNamespace=com.vmware.vcloud, properties={

cellApplication.intermediateState=STARTING_FROM_STOPPED,

cellApplication.name=com.vmware.vcloud.ui.h5cellapp.Html5CellApplication,

cellApplication.originState=STOPPED,

cellApplication.simpleName=Html5CellApplication,

cellApplication.simpleState=started,

cellApplication.targetState=STARTED,

cellApplication.transitionState=SUCCESS,

currentContext.cell.uuid=,

currentContext.org.id=System(com.vmware.vcloud.entity.org:a93c9db9-7471-3192-8d09-a8f7eeda85f9),

currentContext.success=true,

currentContext.user.id=system(com.vmware.vcloud.entity.user:808cc07b-7092-3666-bcc5-89910188d5e7),

currentContext.user.name=system,

currentContext.user.proxyAddress=,

entity.id=com.vmware.vcloud.common.cell.event.CommonCellEventBuilder$$Lambda$20/406620132@28a0b22a,

entity.name=com.vmware.vcloud.common.cell.event.CommonCellEventBuilder$$Lambda$19/1776288533@1a85438d,

entity.type=com.vmware.vcloud.entity.cell,

 

}] |

2017-06-13 15:13:49,455 | INFO     | WebApp: com.vmware.vcloud.h5-webapp on: /tenant | JasperLocator | Found JSP Support for: h5-webapp - vCloud UI HTML5 Web Application (com.vmware.vcloud.h5-webapp) |

 

 

 

##Cell.log

 

 

All required system properties are present

An unspecified error occurred during application start

All required local configuration properties are present

Successfully bound network port: 80 on host address: 10.33.32.4

Successfully bound network port: 443 on host address: 10.33.32.4

Successfully bound network port: 8999 on host address: 10.33.32.4

All required local configuration properties are present

Successfully initialized system cryptography

Successfully configured HTTP SSL Connector from certificate store: /opt/vmware/vcloud-director/etc/certificates

Current locale "en" verified successfully.

Bootstrap application: complete

Application startup event: Waiting for subsystem 'com.vmware.vcloud.common.core'

Application startup event: Waiting for subsystem 'com.vmware.vcloud.computeservice.broker'

Application startup event: Waiting for subsystem 'com.vmware.vcloud.consoleproxy'

Application startup event: Waiting for subsystem 'com.vmware.vcloud.networking-server'

Application startup event: Waiting for subsystem 'com.vmware.vcloud.cloud-proxy-server'

Application startup event: Subsystem 'com.vmware.vcloud.cloud-proxy-server' startup initiated.

Application startup event: Subsystem 'com.vmware.vcloud.networking-server' startup initiated.

Application startup begins: Subsystem 'com.vmware.vcloud.cloud-proxy-server' at 6/13/17 3:14 PM

Application startup begins: Subsystem 'com.vmware.vcloud.networking-server' at 6/13/17 3:14 PM

Application startup event: Subsystem 'com.vmware.vcloud.common.core' startup initiated.

Application startup begins: Subsystem 'com.vmware.vcloud.common.core' at 6/13/17 3:14 PM

Error starting application: Database schema version is not compatible with this release. Requires version

[ "2.1.9", "6.0.116", "7.0.0", [ "1.0.44", "45.2.0", [ "19.9.0", "11.0.0", "8.0.0" ], [ "6.0.0", "6.0.0" ], [ "14.0.0", "4.0.0", "6.0.0", "9.0.0", "5.0.0" ], [ "7.0.0", "3.0.0", "4.0.0", "12.0.0", "2.0.0", "2.0.0", "7.0.0", "3.0.0", "6.0.0", "5.0.0", "15.0.0", "5.0.0", "20.0.0" ] ], "71.0.0" ]

but found version

[ "2.1.9", "6.0.116", "7.0.0", [ "1.0.44", "45.2.0", [ "19.9.0", "11.0.0", "8.0.0" ], [ "6.0.0", "6.0.0" ], [ "3.0.0.transition", "4.0.0", "6.0.0", "9.0.0", "5.0.0" ], [ "7.0.0", "3.0.0", "4.0.0", "12.0.0", "2.0.0", "2.0.0", "7.0.0", "3.0.0", "6.0.0", "5.0.0", "15.0.0", "5.0.0", "20.0.0" ] ], "0.0.0.transition" ]

 

 

 

##vmware-vcd-watchdog.log

 

 

2017-06-13 15:06:43 | WARN  | Server status returned HTTP/1.1 404

2017-06-13 15:07:43 | ALERT | vmware-vcd-cell is dead but /var/run/vmware-vcd-cell.pid exists, attempting to restart it

2017-06-13 15:07:50 | INFO  | Started vmware-vcd-cell (pid=20164)

2017-06-13 15:07:53 | WARN  | Server status returned HTTP/1.1 404

2017-06-13 15:08:53 | ALERT | vmware-vcd-cell is dead but /var/run/vmware-vcd-cell.pid exists, attempting to restart it

2017-06-13 15:09:00 | INFO  | Started vmware-vcd-cell (pid=20643)

2017-06-13 15:09:04 | WARN  | Server status returned HTTP/1.1 404

2017-06-13 15:10:04 | ALERT | vmware-vcd-cell is dead but /var/run/vmware-vcd-cell.pid exists, attempting to restart it

2017-06-13 15:10:11 | INFO  | Started vmware-vcd-cell (pid=21085)

2017-06-13 15:10:14 | WARN  | Server status returned HTTP/1.1 404

2017-06-13 15:11:14 | ALERT | vmware-vcd-cell is dead but /var/run/vmware-vcd-cell.pid exists, attempting to restart it

2017-06-13 15:11:21 | INFO  | Started vmware-vcd-cell (pid=21513)

2017-06-13 15:11:25 | WARN  | Server status returned HTTP/1.1 404

2017-06-13 15:12:25 | ALERT | vmware-vcd-cell is dead but /var/run/vmware-vcd-cell.pid exists, attempting to restart it

2017-06-13 15:12:32 | INFO  | Started vmware-vcd-cell (pid=22115)

2017-06-13 15:12:36 | WARN  | Server status returned HTTP/1.1 404

2017-06-13 15:13:36 | ALERT | vmware-vcd-cell is dead but /var/run/vmware-vcd-cell.pid exists, attempting to restart it

2017-06-13 15:13:43 | INFO  | Started vmware-vcd-cell (pid=22550)

2017-06-13 15:13:47 | WARN  | Server status returned HTTP/1.1 404

2017-06-13 15:14:47 | ALERT | vmware-vcd-cell is dead but /var/run/vmware-vcd-cell.pid exists, attempting to restart it

2017-06-13 15:14:54 | INFO  | Started vmware-vcd-cell (pid=23064)

2017-06-13 15:14:57 | WARN  | Server status returned HTTP/1.1 404

2017-06-13 15:15:57 | ALERT | vmware-vcd-cell is dead but /var/run/vmware-vcd-cell.pid exists, attempting to restart it

2017-06-13 15:16:04 | INFO  | Started vmware-vcd-cell (pid=23498)

2017-06-13 15:16:07 | WARN  | Server status returned HTTP/1.1 404

Re: vmware-vcd-cell is dead, but pidfile exists restarting continuously


What version of VCD are we running ?

Logs are reporting ->  Database schema version is not compatible with this release

 

[ "2.1.9", "6.0.116", "7.0.0", [ "1.0.44", "45.2.0", [ "19.9.0", "11.0.0", "8.0.0" ], [ "6.0.0", "6.0.0" ], [ "14.0.0", "4.0.0", "6.0.0", "9.0.0", "5.0.0" ], [ "7.0.0", "3.0.0", "4.0.0", "12.0.0", "2.0.0", "2.0.0", "7.0.0", "3.0.0", "6.0.0", "5.0.0", "15.0.0", "5.0.0", "20.0.0" ] ], "71.0.0" ]

but found version

[ "2.1.9", "6.0.116", "7.0.0", [ "1.0.44", "45.2.0", [ "19.9.0", "11.0.0", "8.0.0" ], [ "6.0.0", "6.0.0" ], [ "3.0.0.transition", "4.0.0", "6.0.0", "9.0.0", "5.0.0" ], [ "7.0.0", "3.0.0", "4.0.0", "12.0.0", "2.0.0", "2.0.0", "7.0.0", "3.0.0", "6.0.0", "5.0.0", "15.0.0", "5.0.0", "20.0.0" ] ], "0.0.0.transition" ]

 

Can you check and confirm if current VCD version is supported with Oracle Database 11g Release 11.2.0.4.0 - 64bit Production ?

 

VMware Product Interoperability Matrices
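
Added example (not part of the posts above): the two version lists in cell.log are nested JSON arrays, so a recursive comparison points at the exact positions where the database differs from what the release requires. Both strings are copied from the log excerpt in this thread; the function name and the "schema" path label are assumptions for illustration.

```powershell
# Both strings are copied verbatim from the cell.log excerpt in this thread.
$requiredJson = '[ "2.1.9", "6.0.116", "7.0.0", [ "1.0.44", "45.2.0", [ "19.9.0", "11.0.0", "8.0.0" ], [ "6.0.0", "6.0.0" ], [ "14.0.0", "4.0.0", "6.0.0", "9.0.0", "5.0.0" ], [ "7.0.0", "3.0.0", "4.0.0", "12.0.0", "2.0.0", "2.0.0", "7.0.0", "3.0.0", "6.0.0", "5.0.0", "15.0.0", "5.0.0", "20.0.0" ] ], "71.0.0" ]'
$foundJson    = '[ "2.1.9", "6.0.116", "7.0.0", [ "1.0.44", "45.2.0", [ "19.9.0", "11.0.0", "8.0.0" ], [ "6.0.0", "6.0.0" ], [ "3.0.0.transition", "4.0.0", "6.0.0", "9.0.0", "5.0.0" ], [ "7.0.0", "3.0.0", "4.0.0", "12.0.0", "2.0.0", "2.0.0", "7.0.0", "3.0.0", "6.0.0", "5.0.0", "15.0.0", "5.0.0", "20.0.0" ] ], "0.0.0.transition" ]'

# Hypothetical helper: walk both nested arrays in parallel and emit one object
# per position where the required and found entries disagree.
function Compare-SchemaVersion {
    param(
        [object[]]$Required,
        [object[]]$Found,
        [string]$Path = 'schema'
    )
    $count = [Math]::Max($Required.Count, $Found.Count)
    for ($i = 0; $i -lt $count; $i++) {
        $here = '{0}[{1}]' -f $Path, $i

        # One list is longer than the other at this level.
        if ($i -ge $Required.Count -or $i -ge $Found.Count) {
            [pscustomobject]@{ Path = $here; Required = '(missing)'; Found = '(length differs)' }
            continue
        }

        $r = $Required[$i]
        $f = $Found[$i]
        if ($r -is [array] -and $f -is [array]) {
            # Same shape on both sides: descend into the component group.
            Compare-SchemaVersion -Required $r -Found $f -Path $here
        }
        elseif ($r -is [array] -or $f -is [array]) {
            [pscustomobject]@{ Path = $here; Required = '(group)'; Found = '(shape differs)' }
        }
        elseif ($r -ne $f) {
            [pscustomobject]@{ Path = $here; Required = $r; Found = $f }
        }
    }
}

$required = ConvertFrom-Json -InputObject $requiredJson
$found    = ConvertFrom-Json -InputObject $foundJson

Compare-SchemaVersion -Required $required -Found $found | Format-Table -AutoSize
```
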

VDC Metrics are wrong, where does it pull them from?


In vCloud Director, under our only provider VDC, it's showing the CPU "Total" metric as being 120GHz despite it being nearer 180GHz. Where does it pull this information from? We're trying to report on current usage and need this corrected.

Re: vCD PowerCLI Create an Edge Gateway


This is cut from a script I was using to create fully nested labs for customer and internal use. It allowed for custom private IP space in any configuration and had a standard set of NAT, Firewall, LB and DHCP settings. It's ugly but it works, let me know if you have any questions.

 

        $firewall = New-Object VMware.VimAutomation.Cloud.Views.Gateway

        $firewall.Name = $orgName

        $firewall.Configuration = New-Object VMware.VimAutomation.Cloud.Views.GatewayConfiguration

        $firewall.Configuration.BackwardCompatibilityMode = $false

        $firewall.Configuration.GatewayBackingConfig = "compact"

        $firewall.Configuration.UseDefaultRouteForDnsRelay = $true

        $firewall.Configuration.HaEnabled = $true

 

 

        $firewall.Configuration.EdgeGatewayServiceConfiguration = New-Object VMware.VimAutomation.Cloud.Views.GatewayFeatures

        $firewall.Configuration.GatewayInterfaces = New-Object VMware.VimAutomation.Cloud.Views.GatewayInterfaces

 

 

        $firewall.Configuration.GatewayInterfaces.GatewayInterface = New-Object VMware.VimAutomation.Cloud.Views.GatewayInterface

        $firewall.Configuration.GatewayInterfaces.GatewayInterface += New-Object VMware.VimAutomation.Cloud.Views.GatewayInterface

        $firewall.Configuration.GatewayInterfaces.GatewayInterface += New-Object VMware.VimAutomation.Cloud.Views.GatewayInterface

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[0].DisplayName = "ExNet"

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[0].Network = $ExNetExternalNetwork.Href

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[0].InterfaceType = "uplink"

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[0].UseForDefaultRoute = $false

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[0].ApplyRateLimit = $false

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[1].DisplayName = "VMNet"

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[1].Network = $VMNetExternalNetwork.Href

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[1].InterfaceType = "uplink"

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[1].UseForDefaultRoute = $false

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[1].ApplyRateLimit = $false

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[2].DisplayName = "PublicNet"

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[2].Network = $PublicNetwork[0].Href

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[2].InterfaceType = "uplink"

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[2].UseForDefaultRoute = $true

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[2].ApplyRateLimit = $false

 

        $ExNetexternalSubnet = New-Object VMware.VimAutomation.Cloud.Views.SubnetParticipation

        $ExNetexternalSubnet.Gateway = $ExNetExternalNetwork.Gateway

        $ExNetexternalSubnet.Netmask = $ExNetExternalNetwork.Netmask

        $ExNetexternalSubnet.IpAddress = $ExNetExternalBlock[0]

        $ExNetexternalSubnet.IpRanges = New-Object VMware.VimAutomation.Cloud.Views.IpRanges

        $ExNetexternalSubnet.IpRanges.IpRange = New-Object VMware.VimAutomation.Cloud.Views.IpRange

        $ExNetexternalSubnet.IpRanges.IpRange[0].StartAddress = $ExNetexternalSubnet.IpAddress # ### $firstExternalIP

        $ExNetexternalSubnet.IpRanges.IpRange[0].EndAddress =   $ExNetexternalSubnet.IpAddress  # ### $lastExternalIP

 

 

        $VMNetexternalSubnet = New-Object VMware.VimAutomation.Cloud.Views.SubnetParticipation

        $VMNetexternalSubnet.Gateway = $VMNetExternalNetwork.Gateway

        $VMNetexternalSubnet.Netmask = $VMNetExternalNetwork.Netmask

        $VMNetexternalSubnet.IpAddress = $VMNetExTernalBlock[0]

        $VMNetexternalSubnet.IpRanges = New-Object VMware.VimAutomation.Cloud.Views.IpRanges

        $VMNetexternalSubnet.IpRanges.IpRange = New-Object VMware.VimAutomation.Cloud.Views.IpRange

        $VMNetexternalSubnet.IpRanges.IpRange += New-Object VMware.VimAutomation.Cloud.Views.IpRange

        $VMNetexternalSubnet.IpRanges.IpRange += New-Object VMware.VimAutomation.Cloud.Views.IpRange

        $VMNetexternalSubnet.IpRanges.IpRange[0].StartAddress = $VMNetexternalSubnet.IpAddress # ### $firstExternalIP

        $VMNetexternalSubnet.IpRanges.IpRange[0].EndAddress =   $VMNetexternalSubnet.IpAddress  # ### $firstExternalIP

        $VMNetexternalSubnet.IpRanges.IpRange[1].StartAddress = $VMNetExTernalBlock[1] # ### $SecondExternalIP

        $VMNetexternalSubnet.IpRanges.IpRange[1].EndAddress =   $VMNetExTernalBlock[1]  # ### $SecondExternalIP

        $VMNetexternalSubnet.IpRanges.IpRange[2].StartAddress = $VMNetExTernalBlock[2] # ### $ThirdExternalIP

        $VMNetexternalSubnet.IpRanges.IpRange[2].EndAddress =   $VMNetExTernalBlock[2]  # ### $ThirdExternalIP

 

 

        $PublicexternalSubnet = New-Object VMware.VimAutomation.Cloud.Views.SubnetParticipation

        $PublicexternalSubnet.Gateway = $PublicNetwork[0].Gateway.IPAddressToString

        $PublicexternalSubnet.Netmask = $PublicNetwork[0].Netmask

        if ($PublicExternalBlock.count -eq 1) {

            $PublicexternalSubnet.IpAddress = $PublicExternalBlock

            } else {

            $PublicexternalSubnet.IpAddress = $PublicExternalBlock[0]

            }

        $PublicexternalSubnet.IpRanges = New-Object VMware.VimAutomation.Cloud.Views.IpRanges

        $PublicexternalSubnet.IpRanges.IpRange = New-Object VMware.VimAutomation.Cloud.Views.IpRange

        $PublicexternalSubnet.IpRanges.IpRange[0].StartAddress = $PublicexternalSubnet.IpAddress # ### $firstExternalIP

        $PublicexternalSubnet.IpRanges.IpRange[0].EndAddress =   $PublicexternalSubnet.IpAddress  # ### $lastExternalIP

 

 

 

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[0].SubnetParticipation = $ExNetexternalSubnet

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[1].SubnetParticipation = $VMNetexternalSubnet

        $firewall.Configuration.GatewayInterfaces.GatewayInterface[2].SubnetParticipation = $PublicexternalSubnet

 

 

 

 

        $orgVdc.ExtensionData.CreateEdgeGateway($firewall)

        write-host "Please wait, we're currently rolling out the Edge Firewall..."

        sleep 20

        # Poll until the Edge Gateway task is no longer running

        While ((Search-Cloud -QueryType EdgeGateway | Get-CIView | where {$_.name -eq $orgName}).Tasks.Task.Status -eq "running") {

            sleep 120

            write-host "Please wait, we're currently rolling out the Edge Firewall..."

        }

        sleep 20

 

 

        #Create an Internal network on the Edge gateway

        $edgeGateway = Search-Cloud -QueryType EdgeGateway -Name $orgName | Get-CIView | where {$_.name -like "$orgName*"}

        $ExNetnetwork = New-Object VMware.VimAutomation.Cloud.Views.OrgVdcNetwork

        $ExNetnetwork.EdgeGateway = $edgeGateway.Id

        $ExNetnetwork.isShared = $false

        $ExNetnetwork.Configuration = New-Object VMware.VimAutomation.Cloud.Views.NetworkConfiguration

        $ExNetnetwork.Name = "ExNet-Inside"

        $ExNetnetwork.Configuration.IpScopes = New-Object VMware.VimAutomation.Cloud.Views.IpScopes

        $ExNetnetwork.Configuration.FenceMode = "natRouted"

 

 

        $IpScope = New-Object VMware.VimAutomation.Cloud.Views.IpScope

        $IpScope.Gateway = $ExNetinternalGateway

        $IpScope.Netmask = $ExNetinternalNetmask

        $IpScope.Dns1 = $ExNetinternalGateway

        $IpScope.DnsSuffix = 'mv.rackspace.com'

        $IpScope.IpRanges = New-Object VMware.VimAutomation.Cloud.Views.IpRanges

        $IpScope.IpRanges.IpRange = New-Object VMware.VimAutomation.Cloud.Views.IpRange

        $IpScope.IpRanges.IpRange[0].StartAddress = $ExNetfirstInternalIP

        $IpScope.IpRanges.IpRange[0].EndAddress = $ExNetlastInternalIP

 

 

        $ExNetnetwork.Configuration.IpScopes.IpScope += $IpScope

 

        $orgVdc.ExtensionData.CreateNetwork($ExNetnetwork)

        write-host "Please wait, we're currently rolling out the ExNet-Inside network..."

        sleep 20

 

        # Poll until the Edge Gateway task is no longer running

        While ((Search-Cloud -QueryType EdgeGateway | Get-CIView | where {$_.name -eq $orgName}).Tasks.Task.Status -eq "running") {

            sleep 120

            write-host "Please wait, we're currently rolling out the ExNet-Inside network..."

        }

 

 

        sleep 20

 

 

        $VMNetnetwork = New-Object VMware.VimAutomation.Cloud.Views.OrgVdcNetwork

        $VMNetnetwork.EdgeGateway = $edgeGateway.Id

        $VMNetnetwork.isShared = $false

        $VMNetnetwork.Configuration = New-Object VMware.VimAutomation.Cloud.Views.NetworkConfiguration

        $VMNetnetwork.Name = "VMNet-Inside"

        $VMNetnetwork.Configuration.IpScopes = New-Object VMware.VimAutomation.Cloud.Views.IpScopes

        $VMNetnetwork.Configuration.FenceMode = "natRouted"

 

 

        $IpScope = New-Object VMware.VimAutomation.Cloud.Views.IpScope

        $IpScope.Gateway = $VMNetinternalGateway

        $IpScope.Netmask = $VMNetinternalNetmask

        $IpScope.Dns1 = $VMNetinternalGateway

        $IpScope.DnsSuffix = 'mv.rackspace.com'

        $IpScope.IpRanges = New-Object VMware.VimAutomation.Cloud.Views.IpRanges

        $IpScope.IpRanges.IpRange = New-Object VMware.VimAutomation.Cloud.Views.IpRange

        $IpScope.IpRanges.IpRange[0].StartAddress = $VMNetfirstInternalIP

        $IpScope.IpRanges.IpRange[0].EndAddress = $VMNetlastInternalIP

 

 

        $VMNetnetwork.Configuration.IpScopes.IpScope += $IpScope

 

        $orgVdc.ExtensionData.CreateNetwork($VMNetnetwork)

        write-host "Please wait, we're currently rolling out the VMNet-Inside network..."

        sleep 20

 

 

        # Poll until the Edge Gateway task is no longer running

        While ((Search-Cloud -QueryType EdgeGateway | Get-CIView | where {$_.name -eq $orgName}).Tasks.Task.Status -eq "running") {

            sleep 120

            write-host "Please wait, we're currently rolling out the VMNet-Inside network..."

        }

 

 

        sleep 20

 

 

        #Setup the firewall services for the network

        $firewallService = New-Object VMware.VimAutomation.Cloud.Views.FirewallService

        $firewallService.DefaultAction = "drop"

        $firewallService.FirewallRule = New-Object VMware.VimAutomation.Cloud.Views.FirewallRule

        $firewallService.FirewallRule += New-Object VMware.VimAutomation.Cloud.Views.FirewallRule

        $firewallService.FirewallRule += New-Object VMware.VimAutomation.Cloud.Views.FirewallRule

        $firewallService.FirewallRule += New-Object VMware.VimAutomation.Cloud.Views.FirewallRule

        $firewallService.FirewallRule += New-Object VMware.VimAutomation.Cloud.Views.FirewallRule

 

        $firewallService.firewallRule[0].Description = "Default Outgoing Allowed"

        $firewallService.firewallRule[0].IsEnabled = $true

        $firewallService.firewallRule[0].Protocols = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols

        $firewallService.firewallRule[0].Protocols.any = $true

        $firewallService.firewallRule[0].Policy = "allow"

        $firewallService.firewallRule[0].SourceIp = "internal"

        $firewallService.firewallRule[0].DestinationIp = "any"

        $firewallService.firewallRule[0].Port = "-1"

        $firewallService.firewallRule[0].SourcePort = "-1"

        $firewallService.firewallRule[0].EnableLogging = $false

 

 

        $firewallService.firewallRule[1].Description = "IAD Bastion Access"

        $firewallService.firewallRule[1].IsEnabled = $true

        $firewallService.firewallRule[1].Protocols = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols

        $firewallService.firewallRule[1].Protocols.any = $true

        $firewallService.firewallRule[1].Policy = "allow"

        $firewallService.firewallRule[1].SourceIp = "69.20.0.1"

        $firewallService.firewallRule[1].DestinationIp = "internal"

        $firewallService.firewallRule[1].Port = "-1"

        $firewallService.firewallRule[1].SourcePort = "-1"

        $firewallService.firewallRule[1].EnableLogging = $false

 

 

        $firewallService.firewallRule[2].Description = "NTP Access"

        $firewallService.firewallRule[2].IsEnabled = $true

        $firewallService.firewallRule[2].Protocols = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols

        $firewallService.firewallRule[2].Protocols.udp = $true

        $firewallService.firewallRule[2].Policy = "allow"

        $firewallService.firewallRule[2].SourceIp = "72.3.128.240"

        $firewallService.firewallRule[2].DestinationIp = "internal"

        $firewallService.firewallRule[2].Port = "123"

        $firewallService.firewallRule[2].SourcePort = "123"

        $firewallService.firewallRule[2].EnableLogging = $false

 

 

        $firewallService.firewallRule[3].Description = "DFW Bastion Access"

        $firewallService.firewallRule[3].IsEnabled = $true

        $firewallService.firewallRule[3].Protocols = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols

        $firewallService.firewallRule[3].Protocols.any = $true

        $firewallService.firewallRule[3].Policy = "allow"

        $firewallService.firewallRule[3].SourceIp = "72.3.128.84"

        $firewallService.firewallRule[3].DestinationIp = "internal"

        $firewallService.firewallRule[3].Port = "-1"

        $firewallService.firewallRule[3].SourcePort = "-1"

        $firewallService.firewallRule[3].EnableLogging = $false

 

 

        $firewallService.firewallRule[4].Description = "Lon3 Bastion Access"

        $firewallService.firewallRule[4].IsEnabled = $true

        $firewallService.firewallRule[4].Protocols = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols

        $firewallService.firewallRule[4].Protocols.any = $true

        $firewallService.firewallRule[4].Policy = "allow"

        $firewallService.firewallRule[4].SourceIp = "212.100.225.42"

        $firewallService.firewallRule[4].DestinationIp = "internal"

        $firewallService.firewallRule[4].Port = "-1"

        $firewallService.firewallRule[4].SourcePort = "-1"

        $firewallService.firewallRule[4].EnableLogging = $false

 

 

        $edgeGateway.ConfigureServices($firewallService)

 

 

        write-host "Please wait, we're currently rolling out the default firewall rules..."

        sleep 30

 

 

        #creating NAT rules on the edge for PAT connectivity and RDP Inbound to the Windows Jump Server

        Write-Host "Creating SNAT and DNAT Rules"

        New-SNATRule -EdgeGateway $orgName -ExternalNetwork $PublicNetwork[0] -OriginalIP $ExNetSubnet -TranslatedIP $PublicexternalSubnet.IpAddress

        sleep 30

        New-DNATRule -EdgeGateway $orgName -ExternalNetwork $PublicNetwork[0] -OriginalIP $PublicexternalSubnet.IpAddress -OriginalPort "3389" -TranslatedIP $SQLExNet -TranslatedPort "3389" -Protocol "tcp"

        sleep 30
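
Added example (not part of the post above, and not the poster's code): the firewall part of that script can be driven from a table, which makes the rule set reviewable before it is pushed to the Edge. The rule values are copied from the post; the function names Test-EdgeRuleTable and New-EdgeFirewallService are hypothetical, and the build step assumes the same PowerCLI cloud view types and $edgeGateway object the post uses.

```powershell
# Rule data copied from the script in the post above
# (EnableLogging was $false on every rule there).
$ruleTable = @(
    @{ Description = 'Default Outgoing Allowed'; Protocol = 'any'; SourceIp = 'internal';       DestinationIp = 'any';      Port = '-1';  SourcePort = '-1';  EnableLogging = $false }
    @{ Description = 'IAD Bastion Access';       Protocol = 'any'; SourceIp = '69.20.0.1';      DestinationIp = 'internal'; Port = '-1';  SourcePort = '-1';  EnableLogging = $false }
    @{ Description = 'NTP Access';               Protocol = 'udp'; SourceIp = '72.3.128.240';   DestinationIp = 'internal'; Port = '123'; SourcePort = '123'; EnableLogging = $false }
    @{ Description = 'DFW Bastion Access';       Protocol = 'any'; SourceIp = '72.3.128.84';    DestinationIp = 'internal'; Port = '-1';  SourcePort = '-1';  EnableLogging = $false }
    @{ Description = 'Lon3 Bastion Access';      Protocol = 'any'; SourceIp = '212.100.225.42'; DestinationIp = 'internal'; Port = '-1';  SourcePort = '-1';  EnableLogging = $false }
)

# Hypothetical helper: review the inbound allow rules before they are applied.
# Runs without PowerCLI, so the table can be checked in a code review or CI job.
function Test-EdgeRuleTable {
    param([hashtable[]]$Rules)
    foreach ($r in $Rules) {
        if ($r.DestinationIp -ne 'internal') { continue }   # only inbound rules are reviewed
        $findings = @()
        if ($r.SourceIp -eq 'any') {
            $findings += 'inbound allow from any source'
        }
        if ($r.Protocol -eq 'any' -and $r.Port -eq '-1') {
            $findings += 'every protocol and port is allowed from this source'
        }
        if (-not $r.EnableLogging) {
            $findings += 'matches on this rule are not logged'
        }
        foreach ($f in $findings) {
            [pscustomobject]@{ Rule = $r.Description; Source = $r.SourceIp; Finding = $f }
        }
    }
}

# Hypothetical helper: build the same FirewallService object the post builds by
# index, one FirewallRule per table row. Needs the PowerCLI cloud view types.
function New-EdgeFirewallService {
    param(
        [hashtable[]]$Rules,
        [string]$DefaultAction = 'drop',
        [string]$Policy = 'allow'
    )
    $service = New-Object VMware.VimAutomation.Cloud.Views.FirewallService
    $service.DefaultAction = $DefaultAction
    $service.FirewallRule = @(foreach ($r in $Rules) {
        $rule = New-Object VMware.VimAutomation.Cloud.Views.FirewallRule
        $rule.Description   = $r.Description
        $rule.IsEnabled     = $true
        $rule.Protocols     = New-Object VMware.VimAutomation.Cloud.Views.FirewallRuleTypeProtocols
        $rule.Protocols.($r.Protocol) = $true      # 'any' or 'udp', as in the post
        $rule.Policy        = $Policy
        $rule.SourceIp      = $r.SourceIp
        $rule.DestinationIp = $r.DestinationIp
        $rule.Port          = $r.Port
        $rule.SourcePort    = $r.SourcePort
        $rule.EnableLogging = $r.EnableLogging
        $rule
    })
    $service
}

# Review first, then build and apply.
Test-EdgeRuleTable -Rules $ruleTable | Format-Table -AutoSize

# Build the service object only where the PowerCLI cloud view types are loaded.
if ('VMware.VimAutomation.Cloud.Views.FirewallRule' -as [type]) {
    $firewallService = New-EdgeFirewallService -Rules $ruleTable
    # $edgeGateway.ConfigureServices($firewallService)   # same call as in the post
}
```

Narrowing a bastion rule to the management ports actually used, or switching EnableLogging to $true, is then a one-cell change in the table.
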

Re: vCloud with NSX - default gateway thru tunnel possible?


Going to make some assumptions here so bear with me.

 

  • You're trying to setup either new Organizations or OrgvDC's
  • You want to have all inbound/outbound traffic for these OrgvDC's routed through an IPsec VPN
  • You want to use vCloud to deploy the edge itself and then setup the VPN

 

Assuming those above 3 statements are correct then yes you can do this. This can be done via either the GUI or via the API/PowerCLI module for vCloud. If you need some more guidance hit me up.

Re: How can a VM connect itself on external IP trough VSE


So basically you want the VM's to connect to each other via their public IP's, not the internal NAT. This should work assuming you have DNS setup correctly on the Edge itself. The VM's will resolve their public IP's if the VM's point to the Edge as the DNS source and the Edge points to your external DNS servers with public IP's as their source.

 

Basically whatever the forward and reverse DNS entries are set to is what the VM's will resolve to and attempt to communicate over.


vCD 5.1 cannot deploy Edge. Unrecognized vShield Manager response


Hi Folks,

Hoping somebody can help. My environment is as follows:

vCD 5.1

vCenter 5.1

vSM  5.1.2

 

Up until yesterday everything worked just fine. vCloud users could create vApps, add VMs, create vApp networks, join the vApp network to an external network and configure NAT, all within vCD. vCD (service account) would then create the portgroups in vCenter, vSM then deployed the Edge in vCenter, and all worked perfectly. Now for some reason vShield Manager is unable to deploy the Edge. vCD throws up these error messages when trying to deploy the Edge:

 

Unable to deploy network "Training-vSheild(urn:uuid:3cea8772-3c16-48a9-9ced-bfb1e9ba538a)".

org.springframework.web.client.RestClientException: Unrecognized vShield Manager response. vShield Manager is unable to process the request or some other error occurred at vShield Manager, please check vShield Manager logs for details.

 

I cannot find more details specific to this in the vSM.

 

I have taken a look at the vCD logs and can see things like:

DELETE request for "https://10.207.131.68:443/api/2.0/xvs/switches/dvs-65/networks/dvportgroup-37283" resulted in 403 (Forbidden); invoking error handler

Error deploying vApp:

Unable to deploy network "Training-vSheild"

 

I can ping vSM from vCD so there is connectivity. vSM can see vCenter. Not sure what's broken here.

 

What are my options?

 

thanks folks.

Re: vCD 5.1 cannot deploy Edge. Unrecognized vShield Manager response


Can you log into the vSM using the password and username supplied in the admin section? Sounds like vSM is bouncing access from vCD API calls.

Re: vCD 5.1 cannot deploy Edge. Unrecognized vShield Manager response


I can log in to vSM using the username and password that vCD uses to connect to vCenter. Is that what you are asking?

Re: vCloud with NSX - default gateway thru tunnel possible?


Hello, yes, all points are correct.

 

What steps do I need to go thru?

 

Thanks.

Re: vCloud with NSX - default gateway thru tunnel possible?


I got it already. The NSX Edge GW is a policy-based IPsec VPN. So when adding the remote network 0.0.0.0/0 it automatically created a routing entry for it.

 

Thanks for the help.
