Network, security, and load balancer resources and settings can be used in cloud template design and deployment.

For a summary of cloud template design code options, see vRealize Automation resource type schema.

These examples illustrate network, security, and load balancer resources in basic cloud template designs.

Network

Resource scenario / cloud template design code example
A vSphere machine with multiple NICs, connected to a DHCP-assigned vSphere network and to an NSX network

resources:
  demo-machine:
    type: Cloud.vSphere.Machine
    properties:
      image: ubuntu
      flavor: small
      networks:
        - network: ${resource["demo-vSphere-Network"].id}
          deviceIndex: 0
        - network: ${resource["demo-NSX-Network"].id}
          deviceIndex: 1
  demo-vSphere-Network:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
  demo-NSX-Network:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
     
An NSX private network that uses the vlanIds property to specify an array of 3 VLANs (123, 456, and 7)
formatVersion: 1
inputs: {}
resources:
  Cloud_Machine_1:
    type: Cloud.Machine
    properties:
      image: test
      flavor: test
      networks:
       - network: '${resource.Cloud_NSX_Network_1.id}'  
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: private
      vlanIds:
         - 123 
         - 456
         - 7
     
Add a private network with a static IP address to an Azure virtual machine deployment
formatVersion: 1
inputs: {}
resources:
  Cloud_Azure_Machine_1:
    type: Cloud.Machine
    properties:
      image: photon
      flavor: Standard_B1ls
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          assignment: static
          address: 10.0.0.45
          assignPublicIpAddress: false
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing

Static IP assignment can be used with vRealize IPAM (the internal IPAM provided with vRealize Automation, or an external IPAM based on the vRA IPAM SDK, for example one of the Infoblox plug-ins available in VMware Marketplace). Other uses of assignment: static are not supported, as described in the Considerations section of Learn more about network resources in vRealize Automation cloud templates.

resources:
  demo_vm:
    type: Cloud.vSphere.Machine
    properties:
      image: 'photon'
      cpuCount: 1
      totalMemoryMB: 1024
      networks:
        - network: ${resource.demo_nw.id}
          assignment: static
  demo_nw:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
Add or edit NAT and DNAT port-forwarding rules in the Cloud.NSX.NAT resource of an existing deployment.
resources:
  gw:
    type: Cloud.NSX.Gateway
    properties:
      networks:
        - ${resource.akout.id}
  nat:
    type: Cloud.NSX.Nat
    properties:
      networks:
        - ${resource.akout.id}
      natRules:
        - translatedInstance: ${resource.centos.networks[0].id}
          index: 0
          protocol: TCP
          kind: NAT44
          type: DNAT
          sourceIPs: any
          sourcePorts: 80
          translatedPorts: 8080
          destinationPorts: 8080
          description: edit
        - translatedInstance: ${resource.centos.networks[0].id}
          index: 1
          protocol: TCP
          kind: NAT44
          type: DNAT
          sourceIPs: any
          sourcePorts: 90
          translatedPorts: 9090
          destinationPorts: 9090
          description: add
      gateway: ${resource.gw.id}
  centos:
    type: Cloud.vSphere.Machine
    properties:
      image: WebTinyCentOS65x86
      flavor: small
      customizationSpec: Linux
      networks:
        - network: ${resource.akout.id}
          assignment: static
  akout:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
      constraints:
        - tag: nsxt-nat-1-M2
        

A public cloud machine that uses an internal IP rather than a public IP. This example uses a specific network ID.

Note: The network: option is used in the networks: setting to specify the target network ID. The name: option in the networks: setting is deprecated and should not be used.

resources:
  wf_proxy:
    type: Cloud.Machine
    properties:
      image: ubuntu 16.04
      flavor: small
      constraints:
        - tag: 'platform:vsphere'
      networks:
        - network: '${resource.wf_net.id}'
          assignPublicIpAddress: false

An NSX-V or NSX-T routed network that uses the NSX network resource type.

Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: routed
Add tags to the machine NIC resources in a cloud template.
formatVersion: 1
inputs: {}
resources:
  Cloud_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      flavor: small
      image: ubuntu
      networks:
        - network: '${resource.Cloud_Network_1.id}'  # network: rather than the deprecated name: option
          deviceIndex: 0
          tags:
            - key: 'nic0'
              value: null
            - key: internal
              value: true
        - network: '${resource.Cloud_Network_2.id}'
          deviceIndex: 1
          tags:
            - key: 'nic1'
              value: null
            - key: internal
              value: false

Tag an NSX-T logical switch for an outbound network.

NSX-T and VMware Cloud on AWS support tagging.

For details about this scenario, see the community blog post Creating tags in NSX with Cloud Assembly.

Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
      tags: 
        - key: app
          value: opencart
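The network examples above rely on three things a reviewer has to check by eye: every ${resource...} expression must name a resource that actually exists in the template, NIC entries must use network: rather than the deprecated name: option, and two NICs on one machine must not claim the same deviceIndex. The following linter is an added example written for this page, not code from the vRealize Automation product or documentation. It works on the template already parsed into a Python dict (the shape PyYAML would produce), and the two templates embedded in it are constructed: the first mirrors the multi-NIC vSphere example above, the second deliberately contains all three defects.

```python
import re

# Matches ${resource.NAME...} and ${resource["NAME"]...}; NAME lands in one of the two groups.
REF_RE = re.compile(r'\$\{resource(?:\.([A-Za-z0-9_-]+)|\["([^"]+)"\])[^}]*\}')


def referenced_resources(value):
    """Yield the resource name of every ${resource...} expression found anywhere in value."""
    if isinstance(value, str):
        for dot_name, bracket_name in REF_RE.findall(value):
            yield dot_name or bracket_name
    elif isinstance(value, dict):
        for child in value.values():
            yield from referenced_resources(child)
    elif isinstance(value, list):
        for child in value:
            yield from referenced_resources(child)


def lint_template(template):
    """Return a list of findings (empty when clean) for a template given as a parsed dict.

    Checks: every ${resource...} expression names a defined resource; networks entries use
    network: rather than the deprecated name: option; no two NICs of one machine share a
    deviceIndex.
    """
    findings = []
    resources = template.get("resources", {})
    for res_name, res in resources.items():
        props = res.get("properties", {})
        for target in referenced_resources(props):
            if target not in resources:
                findings.append(f"{res_name}: references undefined resource '{target}'")
        seen_index = {}  # deviceIndex -> position of the NIC that first used it
        for i, nic in enumerate(props.get("networks", [])):
            if not isinstance(nic, dict):  # e.g. a gateway lists plain '${resource.x.id}' strings
                continue
            if "name" in nic and "network" not in nic:
                findings.append(f"{res_name}: networks[{i}] uses deprecated 'name:'; use 'network:'")
            idx = nic.get("deviceIndex")
            if idx is not None:
                if idx in seen_index:
                    findings.append(f"{res_name}: networks[{i}] reuses deviceIndex {idx} "
                                    f"already used by networks[{seen_index[idx]}]")
                else:
                    seen_index[idx] = i
    return findings


# Constructed: the multi-NIC vSphere example from this page, in parsed form.
GOOD_TEMPLATE = {"resources": {
    "demo-machine": {"type": "Cloud.vSphere.Machine", "properties": {
        "image": "ubuntu", "flavor": "small",
        "networks": [
            {"network": '${resource["demo-vSphere-Network"].id}', "deviceIndex": 0},
            {"network": '${resource["demo-NSX-Network"].id}', "deviceIndex": 1},
        ]}},
    "demo-vSphere-Network": {"type": "Cloud.vSphere.Network", "properties": {"networkType": "existing"}},
    "demo-NSX-Network": {"type": "Cloud.NSX.Network", "properties": {"networkType": "outbound"}},
}}

# Constructed: deprecated name:, a reference to an undefined network, and a duplicated deviceIndex.
BAD_TEMPLATE = {"resources": {
    "web": {"type": "Cloud.vSphere.Machine", "properties": {
        "image": "ubuntu", "flavor": "small",
        "networks": [
            {"name": "${resource.Cloud_Network_1.name}", "deviceIndex": 0},
            {"network": "${resource.Cloud_Network_2.id}", "deviceIndex": 0},
        ]}},
    "Cloud_Network_1": {"type": "Cloud.Network", "properties": {"networkType": "existing"}},
}}

if __name__ == "__main__":
    for label, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, lint_template(tpl) or "clean")
```

The reference walk is recursive on purpose: the NAT example on this page references machines from inside natRules entries and the gateway from a top-level property, and a flat scan of properties would miss the nested ones.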

Security groups

Resource scenario / cloud template design code example

An existing security group, applied to a machine NIC by constraint tag.

To use an existing security group, enter existing for the securityGroupType property.

You can assign tags to a Cloud.SecurityGroup resource so that existing security groups are assigned by tag constraint. A security group that carries no tags cannot be used in a cloud template design.

A constraint tag must be set on a securityGroupType: existing security group resource, and the constraints must match the tags set on the existing security group. Constraint tags cannot be set on a securityGroupType: new security group resource.

formatVersion: 1
inputs: {}
resources:
  allowSsh_sg:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: existing
      constraints:
        - tag: allowSsh
  compute:
    type: Cloud.Machine
    properties:
      image: centos
      flavor: small
      networks:
        - network: '${resource.prod-net.id}'
          securityGroups:
            - '${resource.allowSsh_sg.id}'
  prod-net:
    type: Cloud.Network
    properties:
      networkType: existing

An on-demand security group with two firewall rules that illustrate the Allow and Deny access options.

resources:
  Cloud_SecurityGroup_1:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      rules:
        - ports: 5000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Allow
          direction: inbound
          name: allow_5000
          protocol: TCP
        - ports: 7000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Deny
          direction: inbound
          name: deny_7000
          protocol: TCP
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      image: photon
      cpuCount: 1
      totalMemoryMB: 256
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          assignIPv6Address: true
          assignment: static
          securityGroups:
            - '${resource.Cloud_SecurityGroup_1.id}'
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing
A complex cloud template with 2 security groups, containing:
  • 1 existing security group
  • 1 on-demand security group with several firewall rule examples
  • 1 vSphere machine
  • 1 existing network

This example illustrates various combinations of: protocol and port, service, an IP CIDR as source and destination, an IP range as source or destination, and the any, IPv6 and (::/0) options.

For a machine NIC, you can specify the connected network and security groups. You can also specify the NIC index or IP address.

formatVersion: 1
inputs: {}
resources:
  DEMO_ESG:  # existing security group (security group 1)
    type: Cloud.SecurityGroup
    properties:
      constraints:
        - tag: BlockAll
      securityGroupType: existing  # designation of existing for security group 1
  DEMO_ODSG:  # on-demand security group (security group 2)
    type: Cloud.SecurityGroup
    properties:
      rules:  # multiple firewall rules in this section
        - name: IN-ANY  # rule 1
          source: any
          service: any
          direction: inbound
          access: Deny
        - name: IN-SSH  # rule 2
          source: any
          service: SSH
          direction: inbound
          access: Allow
        - name: IN-SSH-IP  # rule 3
          source: 33.33.33.1-33.33.33.250
          protocol: TCP
          ports: 223
          direction: inbound
          access: Allow
        - name: IPv-6-ANY-SOURCE  # rule 4
          source: '::/0'
          protocol: TCP
          ports: 223
          direction: inbound
          access: Allow
        - name: IN-SSH-IP  # rule 5
          source: 44.44.44.1/24
          protocol: UDP
          ports: 22-25
          direction: inbound
          access: Allow
        - name: IN-EXISTING-SG  # rule 6
          source: '${resource["DEMO_ESG"].id}'
          protocol: ICMPv6
          direction: inbound
          access: Allow
        - name: OUT-ANY  # rule 7
          destination: any
          service: any
          direction: outbound
          access: Deny
        - name: OUT-TCP-IPv6  # rule 8
          destination: '2001:0db8:85a3::8a2e:0370:7334/64'
          protocol: TCP
          ports: 22
          direction: outbound
          access: Allow
        - name: IPv6-ANY-DESTINATION  # rule 9
          destination: '::/0'
          protocol: UDP
          ports: 23
          direction: outbound
          access: Allow
        - name: OUT-UDP-SERVICE  # rule 10
          destination: any
          service: NTP
          direction: outbound
          access: Allow
      securityGroupType: new  # designation of on-demand for security group 2
  DEMO_VC_MACHINE:  # machine resource
    type: Cloud.vSphere.Machine
    properties:
      image: PHOTON
      cpuCount: 1
      totalMemoryMB: 1024
      networks:  # machine network NICs
        - network: '${resource.DEMO_NETWORK.id}'
          securityGroups:
            - '${resource.DEMO_ODSG.id}'
            - '${resource.DEMO_ESG.id}'
  DEMO_NETWORK:  # network resource
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
      constraints:
        - tag: nsx62
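The constraint-tag rule stated earlier in this section (existing groups need a matching tag, new groups must not have one) and the rule combinations in the complex example above can both be checked mechanically before a template is deployed. The following validator is an added example written for this page, not code from vRealize Automation. It classifies each source or destination into the forms the example uses (any, an IPv4 range, an IPv4 or IPv6 CIDR, or a reference to another security group resource), requires exactly one of service or protocol per rule, and requires a port specification for TCP and UDP. The security group data is constructed: DEMO_ESG and a subset of the DEMO_ODSG rules mirror the example above, and BAD_SG contains four defects. The protocol sets only cover the protocols this page uses.

```python
import ipaddress
import re

# A reference to another security group resource, as in '${resource["DEMO_ESG"].id}'.
SG_REF_RE = re.compile(r'^\$\{resource(?:\.[A-Za-z0-9_-]+|\["[^"]+"\])\.id\}$')
PROTOCOLS_WITH_PORTS = {"TCP", "UDP"}
PROTOCOLS_WITHOUT_PORTS = {"ICMPv6"}  # only the protocols used on this page


def classify_endpoint(value):
    """Return 'any', 'ref', 'cidr4', 'cidr6', 'range4' or 'range6'; raise ValueError otherwise."""
    text = str(value)
    if text == "any":
        return "any"
    if SG_REF_RE.match(text):
        return "ref"
    if "-" in text:  # an address range such as 33.33.33.1-33.33.33.250
        lo, hi = (ipaddress.ip_address(part.strip()) for part in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid address range {text!r}")
        return f"range{lo.version}"
    # strict=False accepts host-bit CIDRs such as 44.44.44.1/24, as the example does
    return f"cidr{ipaddress.ip_network(text, strict=False).version}"


def parse_ports(value):
    """Parse 223, '223' or '22-25' into an inclusive (low, high) tuple."""
    text = str(value)
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port specification {text!r}")
    return lo, hi


def validate_rule(rule):
    """Return findings for one firewall rule; an empty list means the rule is well formed."""
    findings, name = [], rule.get("name", "<unnamed>")
    direction = rule.get("direction")
    if direction not in ("inbound", "outbound"):
        findings.append(f"{name}: direction must be inbound or outbound")
    if rule.get("access") not in ("Allow", "Deny"):
        findings.append(f"{name}: access must be Allow or Deny")
    # inbound rules match on source, outbound rules on destination, as every rule above does
    endpoint_key = "source" if direction == "inbound" else "destination"
    try:
        classify_endpoint(rule[endpoint_key])
    except (KeyError, ValueError) as exc:
        findings.append(f"{name}: bad or missing {endpoint_key} ({exc})")
    has_service, has_protocol = "service" in rule, "protocol" in rule
    if has_service == has_protocol:
        findings.append(f"{name}: specify exactly one of service or protocol")
    elif has_protocol:
        proto = rule["protocol"]
        if proto in PROTOCOLS_WITH_PORTS:
            try:
                parse_ports(rule["ports"])
            except (KeyError, ValueError) as exc:
                findings.append(f"{name}: {proto} rule needs valid ports ({exc})")
        elif proto not in PROTOCOLS_WITHOUT_PORTS:
            findings.append(f"{name}: unsupported protocol {proto}")
    return findings


def validate_security_group(res_name, sg):
    """Apply the constraint-tag rule for existing/new groups, then validate each firewall rule."""
    props = sg.get("properties", {})
    sg_type = props.get("securityGroupType")
    tags = [c.get("tag") for c in props.get("constraints", []) if isinstance(c, dict)]
    findings = []
    if sg_type == "existing" and not tags:
        findings.append(f"{res_name}: securityGroupType existing requires a constraint tag")
    elif sg_type == "new" and tags:
        findings.append(f"{res_name}: securityGroupType new must not carry constraint tags")
    elif sg_type not in ("existing", "new"):
        findings.append(f"{res_name}: securityGroupType must be existing or new")
    for rule in props.get("rules", []):
        findings.extend(validate_rule(rule))
    return findings


# Constructed from the complex example above (a subset of the DEMO_ODSG rules).
DEMO_ESG = {"type": "Cloud.SecurityGroup",
            "properties": {"securityGroupType": "existing", "constraints": [{"tag": "BlockAll"}]}}
DEMO_ODSG = {"type": "Cloud.SecurityGroup", "properties": {"securityGroupType": "new", "rules": [
    {"name": "IN-ANY", "source": "any", "service": "any", "direction": "inbound", "access": "Deny"},
    {"name": "IN-SSH-IP", "source": "33.33.33.1-33.33.33.250", "protocol": "TCP", "ports": 223,
     "direction": "inbound", "access": "Allow"},
    {"name": "IN-UDP-CIDR", "source": "44.44.44.1/24", "protocol": "UDP", "ports": "22-25",
     "direction": "inbound", "access": "Allow"},
    {"name": "IN-EXISTING-SG", "source": '${resource["DEMO_ESG"].id}', "protocol": "ICMPv6",
     "direction": "inbound", "access": "Allow"},
    {"name": "OUT-TCP-IPv6", "destination": "2001:0db8:85a3::8a2e:0370:7334/64", "protocol": "TCP",
     "ports": 22, "direction": "outbound", "access": "Allow"}]}}
# Constructed: tags on a new group, service and protocol together, a reversed range, no destination.
BAD_SG = {"type": "Cloud.SecurityGroup", "properties": {
    "securityGroupType": "new", "constraints": [{"tag": "BlockAll"}], "rules": [
        {"name": "BOTH", "source": "any", "service": "SSH", "protocol": "TCP", "ports": 22,
         "direction": "inbound", "access": "Allow"},
        {"name": "BACKWARDS", "source": "33.33.33.250-33.33.33.1", "protocol": "TCP", "ports": 22,
         "direction": "inbound", "access": "Allow"},
        {"name": "NO-DEST", "source": "any", "service": "NTP", "direction": "outbound", "access": "Allow"}]}}

if __name__ == "__main__":
    for label, sg in (("DEMO_ESG", DEMO_ESG), ("DEMO_ODSG", DEMO_ODSG), ("BAD_SG", BAD_SG)):
        print(label, validate_security_group(label, sg) or "clean")
```

The validator checks form, not effect: it does not decide which rule wins when several match a flow, because rule precedence is a property of the NSX policy engine rather than of the template syntax shown here.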

Load balancers

Resource scenario / cloud template design code example

Specify the load balancer logging level, algorithm, and size.

An NSX load balancer example that uses logging level, algorithm, and size:

resources:
  Cloud_LoadBalancer_1:
    type: Cloud.NSX.LoadBalancer
    properties:
      name: myapp-lb
      network: '${resource["appnet-public"].id}'
      instances: '${resource.wordpress.id}'
      routes:
        - protocol: HTTP
          port: '80'
          algorithm: LEAST_CONNECTION
      loggingLevel: CRITICAL
      type: MEDIUM

Associate a load balancer with a specified machine or a specified machine NIC. You can specify a machine ID or a machine network ID to add the machine to the load balancer pool. The instances property supports machines (machine by ID) and NICs (machine by network ID).

In the first example, the deployment load-balances the machine using the machine by ID setting whenever the machine is deployed, on any network.

In the second example, the deployment load-balances the machine using the machine by network ID setting only when the machine is deployed on the specified machine NIC.

The third example shows both settings used in the same instances option.

You can define a machine ID or a machine network ID with the instances property:
  • Machine ID
    Cloud_LoadBalancer_1:
      type: Cloud.LoadBalancer
      properties:
        network: '${resource.Cloud_Network_1.id}'
        instances: '${resource.Cloud_Machine_1.id}'

  • Machine network ID
    Cloud_LoadBalancer_1:
      type: Cloud.LoadBalancer
      properties:
        network: '${resource.Cloud_Network_1.id}'
        instances: '${resource.Cloud_Machine_1.networks[0].id}'

  • Specify one machine, and one specific NIC of another machine, to include in the load balancer:
    instances:
      - '${resource.Cloud_Machine_1.id}'
      - '${resource.Cloud_Machine_2.networks[2].id}'
Add health check settings to an NSX load balancer. Other options include httpMethod, requestBody, and responseBody.
myapp-lb:
  type: Cloud.NSX.LoadBalancer
  properties:
    name: myapp-lb
    network: '${resource["appnet-public"].id}'
    instances: '${resource.wordpress.id}'
    routes:
      - protocol: HTTP
        port: '80'
        algorithm: ROUND_ROBIN
        instanceProtocol: HTTP
        instancePort: '80'
        healthCheckConfiguration:
          protocol: HTTP
          port: '80'
          urlPath: /mywordpresssite/wp-admin/install.php
          intervalSeconds: 60
          timeoutSeconds: 10
          unhealthyThreshold: 10
          healthyThreshold: 2
        connectionLimit: '50'
        connectionRateLimit: '50'
        maxConnections: '500'
        minConnections: ''
    internetFacing: true
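The healthCheckConfiguration values above decide how long a failed pool member keeps receiving traffic: with intervalSeconds: 60 and unhealthyThreshold: 10, a member that stops answering is only ejected after ten consecutive failed probes, that is after 600 seconds. The following added example (written for this page, not code from vRealize Automation or NSX) sanity-checks a health check block and simulates a member's health state over a constructed sequence of probe results. The state machine is an assumption stated in the code: a healthy member becomes unhealthy after unhealthyThreshold consecutive failures and returns after healthyThreshold consecutive successes, with any agreeing probe resetting the count; the page lists the fields but does not define their semantics.

```python
def validate_health_check(hc):
    """Return findings for a healthCheckConfiguration block (empty when the values are sane)."""
    findings = []
    port = int(hc.get("port", 0))  # the template quotes ports as strings, e.g. '80'
    if not 1 <= port <= 65535:
        findings.append(f"port {hc.get('port')!r} is not a valid TCP port")
    if hc.get("protocol") == "HTTP" and not str(hc.get("urlPath", "")).startswith("/"):
        findings.append("HTTP health checks need an absolute urlPath")
    interval, timeout = hc.get("intervalSeconds", 0), hc.get("timeoutSeconds", 0)
    if timeout <= 0 or timeout >= interval:  # a probe must finish before the next one starts
        findings.append(f"timeoutSeconds ({timeout}) must be positive and below intervalSeconds ({interval})")
    for key in ("unhealthyThreshold", "healthyThreshold"):
        if hc.get(key, 0) < 1:
            findings.append(f"{key} must be at least 1")
    return findings


def seconds_to_eject(hc):
    """Worst-case time a dead member keeps receiving traffic: every probe in the window must fail."""
    return hc["unhealthyThreshold"] * hc["intervalSeconds"]


class MemberHealth:
    """Health state of one pool member under assumed consecutive-probe threshold semantics."""

    def __init__(self, hc):
        self.unhealthy_threshold = hc["unhealthyThreshold"]
        self.healthy_threshold = hc["healthyThreshold"]
        self.healthy = True
        self.streak = 0  # consecutive probes that contradict the current state

    def observe(self, probe_ok):
        """Feed one probe result (True = success) and return the member's health afterwards."""
        if probe_ok == self.healthy:  # probe agrees with the current state: reset the streak
            self.streak = 0
            return self.healthy
        self.streak += 1
        needed = self.unhealthy_threshold if self.healthy else self.healthy_threshold
        if self.streak >= needed:
            self.healthy = not self.healthy
            self.streak = 0
        return self.healthy


def simulate(hc, probes):
    """Return the member's health state after each probe result in probes."""
    member = MemberHealth(hc)
    return [member.observe(ok) for ok in probes]


# Constructed to match the healthCheckConfiguration values in the example above.
PAGE_HEALTH_CHECK = {"protocol": "HTTP", "port": "80", "urlPath": "/mywordpresssite/wp-admin/install.php",
                     "intervalSeconds": 60, "timeoutSeconds": 10, "unhealthyThreshold": 10, "healthyThreshold": 2}

if __name__ == "__main__":
    print(validate_health_check(PAGE_HEALTH_CHECK) or "health check configuration is sane")
    print("seconds until a dead member is ejected:", seconds_to_eject(PAGE_HEALTH_CHECK))
    # nine failures are tolerated, the tenth ejects the member; two successes bring it back
    print(simulate(PAGE_HEALTH_CHECK, [False] * 10 + [True] * 2))
```

The simulation makes the trade-off visible: a high unhealthyThreshold avoids flapping on a single lost probe, but combined with a long interval it also extends the window in which clients are routed to a member that cannot serve them, which is why the one-arm example later on this page uses unhealthyThreshold: 5.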

An on-demand network with a one-arm load balancer.

inputs: {}
resources:
  mp-existing:
    type: Cloud.Network
    properties:
      name: mp-existing
      networkType: existing
  mp-wordpress:
    type: Cloud.vSphere.Machine
    properties:
      name: wordpress
      count: 2
      flavor: small
      image: tiny
      customizationSpec: Linux
      networks:
        - network: '${resource["mp-private"].id}'
  mp-private:
    type: Cloud.NSX.Network
    properties:
      name: mp-private
      networkType: private
      constraints:
        - tag: nsxt
  mp-wordpress-lb:
    type: Cloud.LoadBalancer
    properties:
      name: wordpress-lb
      internetFacing: false
      network: '${resource.mp-existing.id}'
      instances: '${resource["mp-wordpress"].id}'
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.pl
            intervalSeconds: 60
            timeoutSeconds: 30
            unhealthyThreshold: 5
            healthyThreshold: 2

An existing network with a load balancer.

formatVersion: 1
inputs:
  count:
    type: integer
    default: 1
resources:
  ubuntu-vm:
    type: Cloud.Machine
    properties:
      name: ubuntu
      flavor: small
      image: tiny
      count: '${input.count}'
      networks:
        - network: '${resource.Cloud_NSX_Network_1.id}'
  Provider_LoadBalancer_1:
    type: Cloud.LoadBalancer
    properties:
      name: OC-LB
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.html
            intervalSeconds: 60
            timeoutSeconds: 5
            unhealthyThreshold: 5
            healthyThreshold: 2
      network: '${resource.Cloud_NSX_Network_1.id}'
      internetFacing: false
      instances: '${resource["ubuntu-vm"].id}'
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: existing
      constraints:
        - tag: nsxt24prod

Learn more

For network and security group implementation scenarios, see the following VMware blogs: