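You must use the NSX Manager APIs to create a service definition and a virtual endpoint for the service appliance in the public cloud.

Prerequisites

Pick a reserved /32 IP address to serve as the virtual endpoint of the service appliance in the public cloud, for example, 100.100.100.100/32. This is referred to as the Virtual Service IP (VSIP).

Note: If you deploy service appliances as a pair for high availability, do not create another service definition. Instead, use the same VSIP when advertising it to the PCG during BGP configuration.

Procedure

  1. To create a service definition for the service appliance, run the following API call using authorized NSX Manager credentials: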
    POST https://{{NSX Manager-IP}}/policy/api/v1/enforcement-points/default/service-definitions

    Example request:

    {
        "resource_type": "ServiceDefinition",
        "description": "NS-Service",
        "display_name": "Service_Appliance1",
        "attachment_point": [
            "TIER0_LR"
        ],
        "transports": [
            "L3_ROUTED"
        ],
        "functionalities": [
            "NG_FW", "BYOD"
        ],
        "on_failure_policy": "ALLOW",
        "implementations": [
            "NORTH_SOUTH"
        ],
        "vendor_id": "Vendor1"
    }

    Example response:

    {
        "resource_type": "ServiceDefinition",
        "description": "NS-Service",
        "id": "33890153-6eea-4c9d-8e34-7b6532b9d65c",
        "display_name": "Service_Appliance1",
        "attachment_point": [
            "TIER0_LR"
        ],
        "transports": [
            "L3_ROUTED"
        ],
        "functionalities": [
            "NG_FW", "BYOD"
        ],
        "vendor_id": "Vendor1",
        "on_failure_policy": "ALLOW",
        "implementations": [
            "NORTH_SOUTH"
        ],
        "_create_time": 1540424262137,
        "_last_modified_user": "nsx_policy",
        "_system_owned": false,
        "_protection": "REQUIRE_OVERRIDE",
        "_last_modified_time": 1540424262137,
        "_create_user": "nsx_policy",
        "_revision": 0
    }
  2. To create a virtual endpoint for the service appliance, run the following API call using authorized NSX Manager credentials:
    PATCH https://{{NSX Manager-IP}}/policy/api/v1/infra/tier-0s/<tier-0 router ID>/locale-services/cloud/endpoints/virtual-endpoints/Service_Appliance1_Endpoint

    Example request:

    {
        "resource_type": "VirtualEndpoint",
        "display_name": "Service_Appliance1_Endpoint",
        "target_ips": [
            {
                "ip_addresses": [
                    "100.100.100.100"
                ],
                "prefix_length": 32
            }
        ],
        "service_names": [
            "Service_Appliance1"
        ]
    }

    Example response:

    200 OK
    Note: The display_name in step 1 must match the service_names in step 2.
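
The following is an added example, not part of the original documentation: a Python pre-flight check that validates the request bodies from steps 1 and 2 against the constraints stated on this page (a single /32 VSIP, and the step 1 display_name present in service_names) and builds the two request URLs without sending anything. The function and constant names are illustrative, and the "exactly one address" check is an assumption drawn from the prerequisite.

```python
import ipaddress

# Paths from steps 1 and 2 of this page.
SERVICE_DEF_PATH = "/policy/api/v1/enforcement-points/default/service-definitions"
ENDPOINT_PATH = ("/policy/api/v1/infra/tier-0s/{tier0}/locale-services/cloud"
                 "/endpoints/virtual-endpoints/{endpoint}")

# Request bodies copied from the sample requests on this page.
SAMPLE_SERVICE_DEF = {
    "resource_type": "ServiceDefinition", "description": "NS-Service",
    "display_name": "Service_Appliance1", "attachment_point": ["TIER0_LR"],
    "transports": ["L3_ROUTED"], "functionalities": ["NG_FW", "BYOD"],
    "on_failure_policy": "ALLOW", "implementations": ["NORTH_SOUTH"],
    "vendor_id": "Vendor1",
}
SAMPLE_ENDPOINT = {
    "resource_type": "VirtualEndpoint",
    "display_name": "Service_Appliance1_Endpoint",
    "target_ips": [{"ip_addresses": ["100.100.100.100"], "prefix_length": 32}],
    "service_names": ["Service_Appliance1"],
}


def check_payloads(service_def, endpoint):
    """Return a list of problems in the two request bodies (empty if none)."""
    problems = []
    name = service_def.get("display_name")
    if not name or name not in endpoint.get("service_names", []):
        problems.append(f"service_names must contain display_name {name!r}")
    targets = endpoint.get("target_ips", [])
    addrs = [a for t in targets for a in t.get("ip_addresses", [])]
    if len(addrs) != 1:  # assumption: one VSIP per endpoint, per the prerequisite
        problems.append("expected exactly one VSIP address")
    if any(t.get("prefix_length") != 32 for t in targets):
        problems.append("prefix_length must be 32")
    for addr in addrs:
        try:
            ipaddress.IPv4Address(addr)  # rejects CIDR strings such as "x.x.x.x/32"
        except ValueError:
            problems.append(f"{addr!r} is not a bare IPv4 address")
    return problems


def plan_calls(manager, tier0_id, endpoint_id, service_def, endpoint):
    """Return [(method, url, body), ...] for steps 1 and 2; raise on bad input."""
    problems = check_payloads(service_def, endpoint)
    if problems:
        raise ValueError("; ".join(problems))
    endpoint_url = ENDPOINT_PATH.format(tier0=tier0_id, endpoint=endpoint_id)
    return [("POST", f"https://{manager}{SERVICE_DEF_PATH}", service_def),
            ("PATCH", f"https://{manager}{endpoint_url}", endpoint)]
```

Running the check before issuing the PATCH catches a service_names mismatch or a wrong prefix length locally, before anything is sent to NSX Manager.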

Next steps

Set up an IPSec VPN session