An administrator can configure NAT, firewall, and similar services on an existing Edge Gateway by updating its EdgeGatewayServiceConfiguration.

The Configuration element of an EdgeGateway includes an EdgeGatewayServiceConfiguration element, which can contain definitions of any of the services listed in Edge Gateways. Details of service configurations vary, but the mechanism is the same for creating or updating any Edge Gateway service. Note that some services require a reference to one or more Edge Gateway interfaces, and cannot be configured until those interfaces exist.

Important: IPv6 edge gateways support limited services. In VMware Cloud Director, IPv6 edge gateways support edge firewalls, distributed firewalls, and static routing.

Prerequisites

This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights.

Verify that your organization VDC contains an Edge Gateway. If it does not, a system administrator can create one.

Verify that the Edge Gateway is not an Advanced Gateway. If the EdgeGateway element that represents this Edge Gateway has an AdvancedNetworkingEnabled element whose value is true, using the VMware Cloud Director API to configure Edge Gateway services can produce unexpected results. Use the VMware Cloud Director API for NSX instead. See VMware Knowledge Base article http://kb.vmware.com/kb/2147625.

Procedure

  1. Retrieve the XML representation of the Edge Gateway.
  2. Examine the response to locate the Link element that contains the URL for configuring services on the Edge Gateway.
    This element has a rel attribute value of add and a type attribute value of application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml, as the following example shows:
    <Link
       href="https://vcloud.example.com/api/admin/edgeGateway/2000/action/configureServices"
       rel="add" 
       type="application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml"/>
  3. Copy the EdgeGatewayServiceConfiguration element from the EdgeGateway you retrieved in Step 1.
    The configureServices action replaces the entire contents of the existing EdgeGatewayServiceConfiguration with the one in the request body. Using the existing EdgeGatewayServiceConfiguration as the basis for your modifications reduces the chances of unintentional service changes.
  4. Modify the EdgeGatewayServiceConfiguration that you copied in Step 3 to add, remove, or change the services that this Edge Gateway offers.
    An EdgeGatewayServiceConfiguration element can contain any of the following elements:
    • FirewallService
    • GatewayDhcpService
    • GatewayIpsecVpnService
    • LoadBalancerService
    • NatService
    • StaticRoutingService
  5. POST the modified EdgeGatewayServiceConfiguration element to the URL in the value of the href attribute of the configureServices link described in Step 2.
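The procedure above as an added Python example (not code from the VMware documentation): it parses a constructed stand-in for the Step 1 response, finds the configureServices link (Step 2), refuses an Advanced Gateway, and builds the Step 5 request body by copying the server's EdgeGatewayServiceConfiguration and appending one rule (Steps 3 and 4). The EDGE_GATEWAY_XML sample and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

VC = "http://www.vmware.com/vcloud/v1.5"
NS = {"vc": VC}
SVC_TYPE = "application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml"
ET.register_namespace("", VC)  # serialise with a default xmlns, as the request body needs

# Constructed stand-in for the Step 1 GET response, trimmed to the parts used here.
EDGE_GATEWAY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<EdgeGateway xmlns="http://www.vmware.com/vcloud/v1.5" name="theEdge">
  <Link rel="add" type="application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml"
        href="https://vcloud.example.com/api/admin/edgeGateway/2000/action/configureServices"/>
  <Configuration>
    <EdgeGatewayServiceConfiguration>
      <FirewallService>
        <IsEnabled>true</IsEnabled>
        <DefaultAction>drop</DefaultAction>
      </FirewallService>
    </EdgeGatewayServiceConfiguration>
    <AdvancedNetworkingEnabled>false</AdvancedNetworkingEnabled>
  </Configuration>
</EdgeGateway>"""

def q(tag):
    return f"{{{VC}}}{tag}"

def configure_services_href(edge_xml):
    """Step 2: href of the Link with rel="add" and the service-configuration media type.
    Refuses an Advanced Gateway, which must be configured through the NSX API instead."""
    root = ET.fromstring(edge_xml)
    if root.findtext(".//vc:AdvancedNetworkingEnabled", "false", NS).strip() == "true":
        raise RuntimeError("Advanced Gateway: use the VMware Cloud Director API for NSX")
    for link in root.findall("vc:Link", NS):
        if link.get("rel") == "add" and link.get("type") == SVC_TYPE:
            return link.get("href")
    raise LookupError("no configureServices link on this EdgeGateway")

def build_request_body(edge_xml, description, policy, dst_port, log="true"):
    """Steps 3-4: copy the existing EdgeGatewayServiceConfiguration and append one TCP rule.
    configureServices replaces the whole configuration, so every other service survives."""
    root = ET.fromstring(edge_xml)
    cfg = root.find("vc:Configuration/vc:EdgeGatewayServiceConfiguration", NS)
    rule = ET.SubElement(cfg.find("vc:FirewallService", NS), q("FirewallRule"))
    for tag, text in (("IsEnabled", "true"), ("Description", description), ("Policy", policy)):
        ET.SubElement(rule, q(tag)).text = text
    ET.SubElement(ET.SubElement(rule, q("Protocols")), q("Tcp")).text = "true"
    for tag, text in (("DestinationPortRange", str(dst_port)), ("DestinationIp", "Internal"),
                      ("SourcePortRange", "Any"), ("SourceIp", "External"), ("EnableLogging", log)):
        ET.SubElement(rule, q(tag)).text = text
    return ET.tostring(cfg, encoding="unicode")  # POST as Content-Type SVC_TYPE (Step 5)
```

Because configureServices overwrites the entire configuration, diff the returned body against the original before sending it; a missing NatService or LoadBalancerService in the body means that service disappears from the gateway.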

Results

The server takes the requested action and returns a Task element that tracks the progress of the request.

When the task completes successfully, the EdgeGatewayServiceConfiguration element you POSTed replaces the one you copied in Step 3.

Example: Configure Services on an Edge Gateway

This example replaces the default firewall service on the Edge Gateway created in Create an Edge Gateway. For details about this FirewallService, see Firewall Service Configurations.

Request:
POST https://vcloud.example.com/api/admin/edgeGateway/2000/action/configureServices
Content-Type: application/vnd.vmware.admin.edgeGatewayServiceConfiguration+xml
...
<?xml version="1.0" encoding="UTF-8"?>
<EdgeGatewayServiceConfiguration
   xmlns="http://www.vmware.com/vcloud/v1.5">
   <FirewallService>
      <IsEnabled>true</IsEnabled>
      <DefaultAction>allow</DefaultAction>
      <LogDefaultAction>false</LogDefaultAction>
      <FirewallRule>
         <IsEnabled>true</IsEnabled>
         <Description>allow incoming ssh</Description>
         <Policy>allow</Policy>
         <Protocols>
            <Tcp>true</Tcp>
         </Protocols>
         <DestinationPortRange>22</DestinationPortRange>
         <DestinationIp>Internal</DestinationIp>
         <SourcePortRange>Any</SourcePortRange>
         <SourceIp>External</SourceIp>
         <EnableLogging>true</EnableLogging>
      </FirewallRule>
      <FirewallRule>
         <IsEnabled>true</IsEnabled>
         <Description>deny incoming telnet</Description>
         <Policy>drop</Policy>
         <Protocols>
            <Tcp>true</Tcp>
         </Protocols>
         <DestinationPortRange>23</DestinationPortRange>
         <DestinationIp>Internal</DestinationIp>
         <SourcePortRange>Any</SourcePortRange>
         <SourceIp>External</SourceIp>
         <EnableLogging>false</EnableLogging>
      </FirewallRule>
   </FirewallService>
</EdgeGatewayServiceConfiguration>
Response:
202 Accepted
Content-Type: application/vnd.vmware.vcloud.task+xml
...
<Task
   href="https://vcloud.example.com/api/task/2120"
   ...
   status="running"
   operation="Updating services EdgeGateway theEdge(2000)"
   ... >
</Task>