You can use networking, security, and load balancer resources and settings in vRealize Automation Cloud blueprint designs and deployments.

For a summary of blueprint design code options, see vRealize Automation Resource Type Schema.

These examples illustrate sample network, security group, and load balancer resources within basic blueprint designs.

Resource scenario Example blueprint design code

vSphere machine with multiple NICs associated to an NSX network resource

resources:
  demo-machine:
    type: Cloud.vSphere.Machine
    properties:
      image: ubuntu
      flavor: small
      networks:
        - name: '${network-01.id}'
          deviceIndex: 0
        - name: '${network-02.id}'
          deviceIndex: 1  
  Cloud_vSphere_Network_1:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
      name: network-01
  Cloud_vSphere_Network_2:
    type: Cloud.NSX.Network
    properties:
      networkType: existing
      name: network-02

Public cloud machine to use internal IP instead of public IP

resources:
  wf_proxy:
    type: Cloud.Machine
    properties:
      image: ubuntu 16.04
      flavor: small
      constraints:
        - tag: 'platform:vsphere'
      networks:
        - name: '${resource.wf_net.id}'
          assignPublicIpAddress: false

Routed network for NSX-V or NSX-T using the NSX network resource type

Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: routed

Tagging NSX logical switches for an outbound network

For more information on this scenario, see community blog post Creating Tags in NSX with Cloud Assembly.

Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
      tags: 
        - key: app
          value: opencart

Existing security group with a constraint tag applied to a machine NIC

To use an existing security group, enter existing for the securityGroupType property.

You can assign tags to a Cloud.SecurityGroup resource to allocate existing security groups by using tag constraints. Security groups that do not contain tags cannot be used in the blueprint design.

formatVersion: 1
inputs: {}
resources:
  allowSsh_sg:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: existing
      constraints:
        - tag: allowSsh
  compute:
    type: Cloud.Machine
    properties:
      image: centos
      flavor: small
      networks:
        - network: '${resource.prod-net.id}'
          securityGroups:
            - '${resource.allowSsh_sg.id}'
  prod-net:
    type: Cloud.Network
    properties:
      networkType: existing

On-demand security group with two firewall rules illustrating the Allow and Deny access options .

To create an on-demand security group, enter new for the securityGroupType property.

To specify firewall rules, use the rules property in the Cloud.SecurityGroup resource.

resources:
  Cloud_SecurityGroup_1:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      rules:
        - ports: 5000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Allow
          direction: inbound
          name: allow_5000
          protocol: TCP
        - ports: 7000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Deny
          direction: inbound
          name: deny_7000
          protocol: TCP
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      image: photon
      cpuCount: 1
      totalMemoryMB: 256
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          assignIPv6Address: true
          assignment: static
          securityGroups:
            - '${resource.Cloud_SecurityGroup_1.id}'
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing

On-demand network with a 1 arm load balancer

inputs: {}
resources:
  mp-existing:
    type: Cloud.Network
    properties:
      name: mp-existing
      networkType: existing
  mp-wordpress:
    type: Cloud.vSphere.Machine
    properties:
      name: wordpress
      count: 2
      flavor: small
      image: tiny
      customizationSpec: Linux
      networks:
        - network: '${resource["mp-private"].id}'
  mp-private:
    type: Cloud.NSX.Network
    properties:
      name: mp-private
      networkType: private
      constraints:
        - tag: nsxt
  mp-wordpress-lb:
    type: Cloud.LoadBalancer
    properties:
      name: wordpress-lb
      internetFacing: false
      network: '${resource.mp-existing.id}'
      instances: '${resource["mp-wordpress"].id}'
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.pl
            intervalSeconds: 60
            timeoutSeconds: 30
            unhealthyThreshold: 5
            healthyThreshold: 2

Existing network with a load balancer

formatVersion: 1
inputs:
  count:
    type: integer
    default: 1
resources:
  ubuntu-vm:
    type: Cloud.Machine
    properties:
      name: ubuntu
      flavor: small
      image: tiny
      count: '${input.count}'
      networks:
        - network: '${resource.Cloud_NSX_Network_1.id}'
  Provider_LoadBalancer_1:
    type: Cloud.LoadBalancer
    properties:
      name: OC-LB
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.html
            intervalSeconds: 60
            timeoutSeconds: 5
            unhealthyThreshold: 5
            healthyThreshold: 2
      network: '${resource.Cloud_NSX_Network_1.id}'
      internetFacing: false
      instances: '${resource["ubuntu-vm"].id}'
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: existing
      constraints:
        - tag: nsxt24prod

Learn more

For network and security implementation scenarios, see VMware blogs such as these: