To create either private networks without access to outside networks or outbound networks with one-way access to upstream networks, you create a network profile with isolation and specify the isolation type.
This procedure provides the steps to create a network that supports isolation using a subnet, and includes optional steps that show how to create the network using an external subnet, security groups, or a VLAN transport zone. The network profile that uses a VLAN transport zone only supports private networks.
Prerequisites
- Verify that all general prerequisites and prerequisites for the Cloud Assembly Infrastructure as a Service (IaaS) service have been satisfied. See Prerequisites for API Use Case Examples.
- Verify that you have the cloud account ID for the new cloud account that you added. See Adding Cloud Accounts.
- Verify that you have the region ID for the regions you want to include in the profile. See the procedure in Create Network Profiles.
- For simplicity, examples use us-east-1 as the external region ID.
- Verify that you have the IDs for the non-public fabric networks you want to include in the profile. See the procedure in Create Network Profiles.
Procedure
Example: Create various types of network profiles with isolation
The following steps create network profiles that isolate networks using each of the following:
- A subnet.
- An external subnet.
- Security groups.
- A VLAN transport zone.
Set the variables used by the requests. The requests also reference $access_token, which is assumed to already hold a valid bearer token for the appliance.
$ url='https://appliance.domain.com'
$ api_version='2021-07-15'
$ cloud_account_id='c8c3c9bfdb449475-7f703c5265a63d87-5fa34c478df36b060e1ca3551254c4033013bf3283908e4661cd1c6fb2f8b9ae-ce5aad01092b47558644f6b6615d'
$ region_id='37d6c1acf4a8275586468873c739'
Filter for network domains associated with the cloud account ID and in the external region ID us-east-1.
$ curl -X GET \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $access_token" \
    "$url/iaas/api/network-domains?apiVersion=$api_version&"'$filter='"externalRegionId%20eq%20'us-east-1'%20and%20cloudAccountId%20eq%20'$cloud_account_id'" | jq "."
A snippet of the response shows the ID for a network domain that you can include in your network profile.
...
"externalId": "vpc-4511a53d",
"name": "rainpole-dev",
"id": "233df662ec3b4875575931653ef00",
"createdAt": "2022-04-02",
"updatedAt": "2022-04-02",
"organizationId": "8327d53f-91ea-420a-8613-ba8f3149db95",
"orgId": "8327d53f-91ea-420a-8613-ba8f3149db95",
"_links": {
  "cloud-accounts": {
    "hrefs": [
      "/iaas/api/cloud-accounts/c8c3c9bfdb449475-7f703c5265a63d87-f8e705d89b2569e1aac66c6d00bf4fc7ef4b1c44100f0e944af31eb8ba3d2a5a-5a45a4b9d5c72475575931611aa28",
      "/iaas/api/cloud-accounts/c8c3c9bfdb449475-7f703c5265a63d87-5fa34c478df36b060e1ca3551254c4033013bf3283908e4661cd1c6fb2f8b9ae-ce5aad01092b47558644f6b6615d"
    ]
  },
  "self": {
    "href": "/iaas/api/network-domains/233df662ec3b4875575931653ef00"
...
To create a network profile with a VLAN transport zone, ensure that the network domain you choose carries the transport zone custom properties, in particular "__transportZoneTrafficType": "VLAN_BACKED", as in this snippet of a network domain response.
...
"customProperties": {
  "__path": "/infra/sites/default/enforcement-points/default/transport-zones/9a358e99-5734-4926-b718-37cf4862f4bf",
  "__host_identifier": "[\"host-16\",\"host-23\",\"host-21\"]",
  "__cluster_identifier": "[\"domain-c8\"]",
  "__transportZoneTrafficType": "VLAN_BACKED",
  "path": "/infra/sites/default/enforcement-points/default/transport-zones/9a358e99-5734-4926-b718-37cf4862f4bf"
}
...
With the IDs of fabric networks that you want to include in your profile and the network domain ID you want to include, create a network profile named example-network-profile-with-isolation-by-subnet.
$ curl -X POST \
    "$url/iaas/api/network-profiles?apiVersion=$api_version" \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $access_token" \
    -d '{
      "name": "example-network-profile-with-isolation-by-subnet",
      "description": "Example Network Profile",
      "regionId": "'$region_id'",
      "isolationType": "SUBNET",
      "isolationNetworkDomainId": "233df662ec3b4875575931653ef00",
      "isolatedNetworkCIDRPrefix": "27",
      "fabricNetworkIds": [
        "c19bd2921af95075575931654066a",
        "8fe650cc09d0627558d55c9ba1793"
      ],
      "tags": [ { "key": "env", "value": "prod" } ]
    }' | jq "."
A snippet of the response shows the network profile ID.
...
"name": "example-network-profile-with-isolation-by-subnet",
"description": "Example Network Profile",
"id": "2065036880e1c47558f1693558870",
"updatedAt": "2022-04-02",
...
Provide the isolationExternalFabricNetworkId to create a network profile with isolation using an external subnet.
$ curl -X POST \
    "$url/iaas/api/network-profiles?apiVersion=$api_version" \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $access_token" \
    -d '{
      "name": "example-network-profile-with-isolation-by-external-subnet",
      "description": "Example Network Profile",
      "regionId": "'$region_id'",
      "isolationType": "SUBNET",
      "isolationNetworkDomainId": "233df662ec3b4875575931653ef00",
      "isolatedNetworkCIDRPrefix": "27",
      "isolationExternalFabricNetworkId": "c19bd2921af95075575931654066a",
      "fabricNetworkIds": [
        "c19bd2921af95075575931654066a",
        "8fe650cc09d0627558d55c9ba1793"
      ],
      "tags": [ { "key": "env", "value": "prod" } ]
    }' | jq "."
A snippet of the response shows the network profile ID.
...
"name": "example-network-profile-with-isolation-by-external-subnet",
"description": "Example Network Profile",
"id": "2065036880e1c47558f16bd085288",
"updatedAt": "2022-04-02",
...
Set "isolationType" to "SECURITY_GROUP" to create a network profile that isolates using a security group. Because this isolation type does not use a subnet, the request carries no network domain ID.
$ curl -X POST \
    "$url/iaas/api/network-profiles?apiVersion=$api_version" \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $access_token" \
    -d '{
      "name": "example-network-profile-with-isolation-by-security-group",
      "description": "Example Network Profile",
      "regionId": "'$region_id'",
      "isolationType": "SECURITY_GROUP",
      "fabricNetworkIds": [
        "c19bd2921af95075575931654066a",
        "8fe650cc09d0627558d55c9ba1793"
      ],
      "tags": [ { "key": "env", "value": "prod" } ]
    }' | jq "."
A snippet of the response shows the network profile ID.
...
"name": "example-network-profile-with-isolation-by-security-group",
"description": "Example Network Profile",
"id": "bdab0d4c28af6e7558f16c78f5468",
"updatedAt": "2022-04-02",
...
Create a network profile with isolation using a VLAN transport zone.
$ curl -X POST \
    "$url/iaas/api/network-profiles?apiVersion=$api_version" \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $access_token" \
    -d '{
      "name": "example-network-profile-with-VLAN-transport-zone",
      "description": "Example Network Profile",
      "regionId": "'$region_id'",
      "isolationNetworkDomainId": "233df662ec3b4875575931653ef00",
      "isolatedNetworkCIDRPrefix": "27",
      "fabricNetworkIds": [
        "c19bd2921af95075575931654066a",
        "8fe650cc09d0627558d55c9ba1793"
      ],
      "tags": [ { "key": "env", "value": "prod" } ]
    }' | jq "."
A snippet of the response shows the network profile ID.
...
"name": "example-network-profile-with-VLAN-transport-zone",
"description": "Example Network Profile",
"id": "9cb2d111c768927558f043ec13d70",
"updatedAt": "2022-04-02",
...
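The four request bodies above differ only in which isolation fields they carry, and the VLAN variant depends on the chosen network domain actually exposing a VLAN transport zone. The following added example (not part of the VMware documentation; function names, SAMPLE_DOMAINS and the "overlay" record are constructed for illustration) builds each body from one function and refuses to produce a VLAN-backed profile for a domain that lacks the "__transportZoneTrafficType": "VLAN_BACKED" property, so the check happens before anything is sent to the API.

```python
import json

# Constructed network-domain records modelled on the GET response snippets
# above; the "overlay" entry is invented to show a domain without a VLAN zone.
SAMPLE_DOMAINS = {
    "vlan": {"id": "233df662ec3b4875575931653ef00", "name": "rainpole-dev",
             "customProperties": {"__transportZoneTrafficType": "VLAN_BACKED"}},
    "overlay": {"id": "0000000000000000000000000000a", "name": "no-vlan-tz",
                "customProperties": {}},
}

def is_vlan_backed(domain):
    """True when the domain carries the VLAN transport-zone custom property."""
    props = domain.get("customProperties") or {}
    return props.get("__transportZoneTrafficType") == "VLAN_BACKED"

def build_profile(name, region_id, fabric_network_ids, isolation_type=None,
                  network_domain=None, cidr_prefix="27",
                  external_fabric_network_id=None, require_vlan=False):
    """Return the JSON body for POST /iaas/api/network-profiles.
    isolation_type is "SUBNET", "SECURITY_GROUP", or None (the VLAN request
    above sends no isolationType). SECURITY_GROUP takes no network domain;
    the other variants need one, and require_vlan rejects a domain without
    the VLAN_BACKED custom property before anything is sent."""
    body = {"name": name, "description": "Example Network Profile",
            "regionId": region_id, "fabricNetworkIds": list(fabric_network_ids),
            "tags": [{"key": "env", "value": "prod"}]}
    if isolation_type is not None:
        body["isolationType"] = isolation_type
    if isolation_type == "SECURITY_GROUP":
        if network_domain is not None:
            raise ValueError("SECURITY_GROUP isolation takes no network domain")
        return body
    if network_domain is None:
        raise ValueError("subnet and VLAN isolation require a network domain")
    if require_vlan and not is_vlan_backed(network_domain):
        raise ValueError(f"domain {network_domain['id']} has no VLAN transport zone")
    body["isolationNetworkDomainId"] = network_domain["id"]
    body["isolatedNetworkCIDRPrefix"] = str(cidr_prefix)
    if external_fabric_network_id:
        body["isolationExternalFabricNetworkId"] = external_fabric_network_id
    return body

if __name__ == "__main__":
    fabrics = ["c19bd2921af95075575931654066a", "8fe650cc09d0627558d55c9ba1793"]
    profile = build_profile("example-network-profile-with-VLAN-transport-zone",
                            "37d6c1acf4a8275586468873c739", fabrics,
                            network_domain=SAMPLE_DOMAINS["vlan"], require_vlan=True)
    print(json.dumps(profile, indent=2))  # body for the -d argument of curl
```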