The challenge

Cybersecurity and protection against ransomware attacks are among the top priorities for most customers who have successfully implemented or are going through a digital transformation. According to the ESG’s 2022 Technology Spending Intentions Survey:

• 69 percent of respondents shared that their spending on cybersecurity will increase in 2022 (#1).
• 48 percent of respondents believe their IT organizations have a problematic shortage of existing skills in this area (#1).
• 38 percent of respondents believe that strengthening cybersecurity will drive the majority of technology spending in their organization in the next 12 months (#1).

The data clearly shows that this area is one of the top concerns for our customers today. They need solutions that significantly simplify increasing cybersecurity activities due to a perceived skills shortage.

It is worth reiterating the critical role that networking plays within Hyperconverged Infrastructure (HCI). In contrast to legacy three-tier architectures, which typically have a dedicated storage network and storage, HCI architecture is more integrated and simplified. Its design lets you share the same network infrastructure for workload-related traffic and intercluster communication with the software-defined storage. The accessibility of the running workloads (from the external network) depends on the reliability of this network infrastructure, and on setting it up properly. The proper setup also impacts the performance and availability of the storage and, as a result, the whole HCI system. To prevent human error, it is best to employ automated solutions to enforce configuration best practices.

VxRail as an HCI system supports VMware NSX, which provides tremendous value for increasing cybersecurity in the data center, with features like microsegmentation and AI-based behavioral analysis and prevention of threats. Although NSX is fully validated with VxRail as a part of VMware Cloud Foundation (VCF) on VxRail platform, setting it outside of VCF requires strong networking skills. The comprehensive capabilities of this network virtualization platform might be overwhelming for VMware vSphere administrators who are not networking experts. What if you only want to consume the security features? This scenario might present a common challenge, especially for customers who are deploying small VxRail environments with few nodes and do not require full VCF on the VxRail stack.

The great news is that VMware recognized these customer challenges and now offers a simplified method to deploy NSX for security use cases. This method fits the improved operational experience our customers are used to with VxRail. This experience is possible with a new VMware vCenter Plug-in for NSX, which we introduce in this blog.

NSX and security

NSX is a comprehensive virtualization platform that provides advanced networking and security capabilities that are entirely decoupled from the physical infrastructure. Implementing networking and security in software, distributed across the hosts responsible for running virtual workloads, provides significant benefits:

• Flexibility—Total flexibility for positioning workloads in the data center enables optimal use of compute resources (a key aspect of virtualization).
• Optimal consumption of CPU resources —Advanced NSX features only consume CPU from the hosts when they are used. This consumption leads to lower cost and simplified provisioning when compared to running the features on dedicated appliances.
• High performance—NSX features are performed in VMware ESXi kernel space, a unique capability on vSphere.

The networking benefits are evident for large deployments, with NSX running in almost all Fortune 100 companies and many medium scale businesses. In today’s world of widespread viruses, ransomware, and even cyber warfare, the security aspect of NSX built on top of the NSX distributed firewall (DFW) is relevant to vSphere customers, regardless of their size.

The NSX DFW is a software firewall instantiated on the vNICs of the virtual machines in the data center. Thanks to its inline position, it provides maximum filtering granularity because it can inspect the traffic coming in and going out of every virtual machine without requiring redirection of the traffic to a security appliance, as shown in the following figure. It also moves along with the virtual machine during vMotion and maintains its state.

Figure 1: Traditional firewall appliance compared to the NSX DFW

The NSX DFW state-of-the-art capabilities are configured centrally from the NSX Manager and allow implementing security policies independently of the network infrastructure. This method makes it easy to implement microsegmentation and compliance requirements without dedicating racks, servers, or subnets to a specific type of workload. With the NSX DFW, security teams can deploy advanced threat prevention capabilities such as distributed IDS/IPS, network sandboxing, and network traffic analysis/network detection and response (NTA/NDR) to protect against known and zero-day threats.

A dedicated solution for security

Many NSX customers who are satisfied with the networking capability of vSphere run their production environment on a VDS with VLAN-backed dvportgroups. They deploy NSX for its security features only, and do not need its advanced networking components. Until now, those customers had to migrate their virtual machines to NSX-backed dvportgroups to benefit from the NSX DFW. This migration is easy but managing networking from NSX modifies the workflow of all the teams, including those teams that are not concerned by security:

Figure 2: Traditional NSX deployment

Starting with NSX 3.2, you can run NSX security on a regular VDS, without introducing the networking components of NSX. The security team receives all the benefits of NSX DFW, and there is no impact to any other team:

Figure 3: NSX Security with vCenter Plugin

Even better, NSX can now integrate further with vCenter, thanks to a plug-in that allows you to configure NSX from the vCenter UI. This method means that NSX can be consumed as a simple security add-on for a traditional vSphere deployment.

How to deploy and configure NSX Security

Requirements

First, we need to ensure that our VxRail environment meets the following requirements:

• vCenter Server 7.0 U3c (included with VxRail 7.0.320)
• VDS 6.7 or later
• The OVA for NSX-T with the vCenter Plugin version 3.2 or later and an appropriate NSX license

Deploy the NSX Manager and the NSX DFW on ESXi hosts

Running NSX in a vSphere environment consists of deploying a single NSX Manager virtual machine protected by vSphere HA. A shortcut in vCenter enables this step:

Figure 4: Deploy the NSX Manager appliance virtual machine from the NSX tab in vCenter

When the NSX Manager is up and running, it sets up a one-to-one association with vCenter and uploads the plug-in that presents the NSX UI in vCenter, as if NSX security is part of vCenter. The vCenter administrator becomes an effective NSX security administrator.

The next step, performed directly from the vCenter UI, is to enter the NSX license and select the cluster on which to install the NSX DFW binaries:

Figure 5: Select the clusters that will receive the NSX DFW binaries

After the DFW binaries are installed on the ESXi hosts, the NSX security is deployed and operational. You can exit the security configuration wizard (and configure directly from the NSX view in the vCenter UI) or let the wizard run.

Run the security configuration wizard

After installing the NSX binaries on the ESXi hosts, the plug-in runs a wizard that guides you through the configuration of basic security rules according to VMware best practices. The wizard gives the vSphere administrator simple guidance for implementing a baseline configuration that the security team can build on later. There are three different steps in this guided workflow.

First step—Segment the data center in groups

Perform the following steps, as shown in the following figure:

• Create an infrastructure group, identifying the services that the workloads in the data center will access. These services typically include DNS, NTP, DHCP servers, and so on.
• Segment the data center coarsely in environments, such as groups like Development, Production, and DMZ.
• Segment the data center finely by identifying applications running across the different environments.

Figure 6: Example of group creation

Second step—Define communication between different groups

Perform the following steps, as shown in the following figure:

• Define which groups can access the infrastructure services
• Define how the different environments communicate with each other
• Define how applications communicate with each other

Figure 7: Define the communication between environments using a graphcial represenation

Third step—Review the configuration and publish it to the NSX DFW

After reviewing the configuration, publish the configuration to NSX:

Figure 8: Review DFW rules before exiting the wizard

The full NSX UI is now available in vCenter. Select the NSX tab to access the NSX UI directly.

Final thoughts

The new VMware vCenter Plug-in for NSX drastically simplifies the deployment and adoption of NSX with VxRail for security use cases. In the past, advanced knowledge of the network virtualization platform was required. A vSphere adminstrator can now deploy it easily, using an intuitive configuration wizard available directly from vCenter. 

The VMware vCenter Plug-in for NSX provides the kind of simplified and optimized experience that VxRail customers are used to when managing their HCI environment. It also addresses the challenge that customers face today, improving security even with a perceived shortage of skills in this area. Also, it can be configured easily and quickly, making the robust NSX security features more available for smaller HCI deployments.

Additional resources:

VMworld 2021 Session: NET1483 - Deploy and Manage NSX-T via vCenter: A Single Console to Drive VMware SDDC

Planning Guide: Dell EMC VxRail Network Planning Guide – Physical and Logical Network Considerations and Planning

ESG Research Report: 2022 Technology Intentions Survey

Authors:

Francois Tallet, Technical Product Manager, VMware

Karol Boguniewicz, Senior Principal Engineering Technologist, Dell Technologies

Well-managed companies are always looking for new ways to increase efficiency and reduce costs while maintaining excellence in the quality of their products and services. Hence, IT departments and service providers look at the cloud and Application Programming Interfaces (APIs) as the enablers for automation, driving efficiency, consistency, and cost-savings.

This blog helps you get started with VxRail API by grouping the most useful VxRail API resources available from various public sources in one place. This list of resources is updated every few months. Consider bookmarking this blog as it is a useful reference.

Before jumping into the list, it is essential to answer some of the most obvious questions:

What is VxRail API?

VxRail API is a feature of the VxRail HCI System Software that exposes management functions with a RESTful application programming interface. It is designed for ease of use by VxRail customers and ecosystem partners who want to better integrate third-party products with VxRail systems. VxRail API is:

• Simple to use—Thanks to embedded interactive web-based documentation and PowerShell integration, you can consume the API easily using a supported web browser or from a familiar command-line interface for Windows and VMware vSphere administrators.
• Powerful—VxRail offers dozens of API calls for essential operations such as automated life cycle management (LCM), and its capabilities are growing with every new release.
• Extensible—This API is designed to complement REST APIs from VMware (such as vSphere Automation API, PowerCLI, and VMware Cloud Foundation on Dell EMC VxRail API), offering a familiar look and feel and vast capabilities.

Why is VxRail API relevant?

VxRail API enables you to use the full power of automation and orchestration services across your data center. This extensibility enables you to build and operate infrastructure with cloud-like scale and agility. It also streamlines the integration of the infrastructure into your IT environment and processes. Instead of manually managing your environment through the user interface, the software can programmatically trigger and run repeatable operations.

More customers are embracing DevOps and Infrastructure as Code (IaC) models because they need reliable and repeatable processes to configure the underlying infrastructure resources that are required for applications. IaC uses APIs to store configurations in code, making operations repeatable and greatly reducing errors.

How can I start? Where can I find more information?

To help you navigate through all available resources, I grouped them by level of technical difficulty, starting with 101 (the simplest, explaining the basics, use cases, and value proposition), through 201, up to 301 (the most in-depth technical level).

101 Level

• Solution Brief—Dell VxRail API – Solution Brief is a concise brochure that describes the VxRail API at a high-level, typical use cases, and where you can find additional resources for a quick start. I highly recommend starting your exploration from this resource.
   
• Learning Tool—VxRail Interactive Journey is the "go-to resource" to learn about VxRail and HCI System Software. It includes a dedicated module for the VxRail API, with essential resources to maximize your learning experience.

• On-demand Session—Automation with VxRail API is a one-hour interactive learning session delivered as part of the Tech Exchange Live VxRail Series, available on-demand. This session is an excellent introduction for anyone new to VxRail API, discussing the value, typical use cases, and how to get started.
• (New!) Instructor Session—Automation with VxRail is a live, interactive training session offered by Dell Technologies Education Services. Hear directly from the VxRail team about new capabilities and what’s on the roadmap for VxRail new releases and the latest advancements.
  During the session you will:
  • Learn about the VxRail ecosystem and leverage its automation capabilities
  • Elevate performance of automated VxRail operations using the latest tools
  • Experience live demonstrations of customer use cases and apply these examples to your environment
  • Increase your knowledge of VxRail API tools such as PowerShell and Ansible modules
  • Receive bonus material to support you in your automation journey
• Infographic—Dell VxRail HCI System Software RESTful API is an infographic that provides quick facts about VxRail HCI System Software differentiation. This infographic explains the value of VxRail API.
• Blog Post—Take VxRail automation to the next level by leveraging APIs is my first blog that focuses on VxRail API. It addresses some of the challenges related to managing a farm of VxRail clusters and how VxRail API can be a solution. It also covers the enhancements introduced in VxRail HCI System Software 4.7.300, such as Swagger and PowerShell integration.
• (New!) Blog Post—VxRail – API PowerShell Module Examples is a blog from my colleague David, explaining how to install and get started with the VxRail API PowerShell Modules Package.
• (New!) Blog Post—Automating VxRail with VxRail API PowerShell Modules from my colleague Allan, explaining how to automate a couple of use cases using the PowerShell Modules Package. Recorded demos included.
• (New!) Blog Post—Automating VxRail with Ansible  also from my colleague Allan, explaining how to install and get started with VxRail Ansible Modules.
• Blog Post—Protecting VxRail from Power Disturbances is my second API-related blog, in which I explain an exciting use case by Eaton, our ecosystem partner, and the first UPS vendor who integrated their power management solution with VxRail using the VxRail API.
• (New!) Blog Post—Protecting VxRail From Unplanned Power Outages: More Choices Available describes another UPS solution integrated with the VxRail API, from our ecosystem partner APC (Schneider Electric).
• Demo—VxRail API – Overview is our first VxRail API demo published on the official Dell YouTube channel. It was recorded using VxRail HCI System Software 4.7.300, explains VxRail API basics, API enhancements introduced in this version, and how you can explore the API using the Swagger UI.
• Demo—VxRail API – PowerShell Package is a continuation of the API overview demo referenced above, focusing on PowerShell integration. It was recorded using VxRail HCI System Software 4.7.300.
• Podcast—VxRail API podcast is part of the CI and HCI Solutions podcast series. This offering is a great option if you like to listen to technical podcasts.

201 Level

• (New!) HoL—Hands On Lab: HOL-0310-01 - Scalable Virtualization, Compute, and Storage with the VxRail REST API allows you to experience the VxRail API in a virtualized demo environment using various tools. This has been premiered at Dell Technologies World 2022 and is a very valuable self-learning tool for VxRail API. It includes four modules:
  • Module 1: Getting Started (~10 min / Basic) - The aim of this module is to get the lab up and running and dip your toe in the VxRail API waters using our web-based interactive documentation.
    • Access interactive API documentation
    • Explore available VxRail API functions
    • Test a VxRail API function
    • Explore Dell Technologies' Developer Portal
  • Module 2: Monitoring and Maintenance (~15 min / Intermediate) - In this module you will navigate our VxRail PowerShell Modules and the VxRail Manager, to become more familiar with the options available to monitor the health indicators of a VxRail cluster. There are also some maintenance tasks that show how these functions can simplify the management of your environment.
    Monitoring the health of a VxRail cluster:
    • Check the cluster's overall health
    • Check the health of the nodes
    • Check the individual components of a node
    Maintenance of a VxRail cluster:
    • View iDRAC IP configuration
    • Collect a log bundle of the VxRail cluster
     • Cluster shutdown (Dry run)
  • Module 3: Cluster Expansion or Scaling Out (~25 min / Advanced) - In this module you will experience our official VxRail Ansible Modules and how easy it is to expand the cluster with an additional node.
    • Connect to Ansible server
    • View VxRail Ansible Modules documentation
    • Add a node to the existing VxRail cluster
    • Verify cluster state after expansion
  • Module 4: Lifecycle Management or LCM (~10 min / Intermediate) - In this module you will experience our VxRail APIs using POSTMAN. You will see how easy LCM operations are using our VxRail API and software.
    • Explore POSTMAN
    • Generate a compliance report
    • Explore LCM pre-check and LCM upgrade API functions available to bring it to the next VxRail version.

• (Updated!) Demo—Interactive Demo: VxRail 7.0 is the updated VxRail 7.0 Interactive Demo that contains the dedicated “VxRail 7.0 API” section that focuses on the API. It includes four modules:
  1. Getting Started—Explains how you can interact with Swagger-based documentation and the Developer Center available from vCenter. The module includes practical examples, such as getting information about the VxRail cluster, collecting inventory, exporting a log bundle, and creating a VM from a template. 
  2. Day 1 – Bring Up—Explains the API-driven deployment of the VxRail cluster using PowerShell. When using the Day 1 API for the VxRail cluster deployment, Professional Services are still required to provide the best customer experience. 
  3. Day 2 – Operations and Extensibility—Discusses some of the Day 2 operations and extensibility with API cookbook examples, the VxRail PowerShell Modules package, VMware PowerCLI, and Ansible.
  4. Cluster Expansion using PowerShell—Walks through the VxRail cluster expansion using the VxRail API PowerShell Modules Package. It also explains how you can use these modules together with VMware PowerCLI.

The VxRail 7.0 Interactive Demo is a recent asset prepared by our team for the Dell Technologies World 2020 virtual conference. I highly recommend it. It was recorded with VxRail HCI System Software version 7.0.010, which introduced Day 1 API for VxRail cluster deployment.

• Manual—Dell VxRail RESTful API Cookbook is a handy resource for anyone who wants to jump start their VxRail API journey by using code samples documented and tested by our engineering team for the following automation frameworks: 
  1. CURL for shell/CLI available for various operating systems
  2. PowerShell
  3. Ansible
• vBrownBag session—vSphere and VxRail REST API: Get Started in an Easy Way is a vBrownBag community session that took place at the VMworld 2020 TechTalks Live event. There are no slides and no “marketing fluff,” but an extensive demo showing: 
  1. How you can begin your API journey by using interactive, web-based API documentation
  2. How you can use these APIs from different frameworks (such as scripting with PowerShell in Windows environments) and configuration management tools (such as Ansible on Linux)
  3. How you can consume these APIs virtually from any application in any programming language.
• (New!) vBrownBag session—Automating large scale HCI deployments programmatically using REST APIs is a vBrownBag community session that took place at the VMworld 2021 TechTalks Live event. This approx. 10 minute session discusses the sample use cases and tools at your disposal, allowing you to jumpstart your API journey in various frameworks quickly. It includes a demo of VxRail cluster expansion using PowerShell.

301 Level

• Manual—VxRail API User Guide at Dell Technologies Developer Portal is an official web-based version of the reference manual for VxRail API. It provides a detailed description of each available API function.
  Make sure to check the “Tutorials” section of this web-based manual, which contains code examples for various use cases and will replace the API Cookbook over time.
  
• Manual—Dell EMC VxRail Appliance – API User Guide is an official reference manual for VxRail API in PDF format. It provides a detailed description of each available API function, support information for specific VxRail HCI System Software versions, request parameters and possible response codes, successful call response data models, and example values returned. Dell Technologies Support portal access is required.
• (New!) Ansible Modules —The Ansible Modules for Dell VxRail available on GitHub and Ansible Galaxy allow data center and IT administrators to use Red Hat Ansible to automate and orchestrate the configuration and management of Dell VxRail.

The Ansible Modules for Dell VxRail are used for gathering system information and performing cluster level operations. These tasks can be executed by running simple playbooks written in yaml syntax. The modules are written so that all the operations are idempotent, therefore making multiple identical requests has the same effect as making a single request.

• PowerShell Package—VxRail API PowerShell Modules is a package with VxRail.API PowerShell Modules that allows simplified access to the VxRail API, using dedicated PowerShell commands and integrated help. This version supports VxRail HCI System Software 7.0.010 or later.
  Note: You must sign into the Dell Technologies Support portal to access this link successfully.
  
  
• API Reference—vSphere Automation API is an official vSphere REST API reference that provides API documentation, request/response samples, and usage descriptions of the vSphere services.
• API Reference—VMware Cloud Foundation on Dell VxRail API Reference Guide is an official VMware Cloud Foundation (VCF) on VxRail REST API reference that provides API documentation, request/response samples, and usage descriptions of the VCF on VxRail services.
• Blog Post—Deployment of Workload Domains on VMware Cloud Foundation 4.0 on Dell VxRail using Public API is a VMware blog explaining how you can deploy a workload domain on VCF on VxRail using the API with the CURL shell command.

I hope you find this list useful. If so, make sure that you bookmark this blog for your reference. I will update it over time to include the latest collateral.

Enjoy your Infrastructure as Code journey with the VxRail API!

Author: Karol Boguniewicz, Senior Principal Engineering Technologist, VxRail Technical Marketing 

Twitter: @cl0udguide