You can use networking, security, and load balancer resources and settings in cloud template designs and deployments.

For a summary of cloud template design code options, see vRealize Automation Resource Type Schema.

These examples illustrate network, security, and load balancer resources within basic cloud template designs.

Networks

Resource scenario Example cloud template design code
vSphere machine with multiple NICs connected to vSphere and NSX networks with DHCP IP assignment

resources:
  demo-machine:
    type: Cloud.vSphere.Machine
    properties:
      image: ubuntu
      flavor: small
      networks:
        - network: ${resource["demo-vSphere-Network"].id}
          deviceIndex: 0
        - network: ${resource["demo-NSX-Network"].id}
          deviceIndex: 1
  demo-vSphere-Network:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
  demo-NSX-Network:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
     
NSX private network using the vlanIds property to specify an array of 3 VLANs - 123, 456, and 7
formatVersion: 1
inputs: {}
resources:
  Cloud_Machine_1:
    type: Cloud.Machine
    properties:
      image: test
      flavor: test
      networks:
       - network: '${resource.Cloud_NSX_Network_1.id}'  
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: private
      vlanIds:
         - 123 
         - 456
         - 7
     
Add a private network with a static IP address for an Azure VM deployment
formatVersion: 1
inputs: {}
resources:
  Cloud_Azure_Machine_1:
    type: Cloud.Machine
    properties:
      image: photon
      flavor: Standard_B1ls
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          assignment: static
          address: 10.0.0.45
          assignPublicIpAddress: false
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing

You can use a static IP assignment with vRealize IPAM (internal as supplied with vRealize Automation or external based on the vRA IPAM SDK such as for one of the Infloblox plug-ins available in the VMware Marketplace). Other uses of assignment: static are not supported, as described in the Caveats section of More about network resources in vRealize Automation cloud templates.

resources:
  demo_vm:
    type: Cloud.vSphere.Machine
    properties:
      image: 'photon'
      cpuCount: 1
      totalMemoryMB: 1024
      networks:
        - network: ${resource.demo_nw.id}
          assignment: static
  demo_nw:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
Add or edit NAT and DNAT port forwarding rules in a Cloud.NSX.NAT resource for an existing deployment.
resources:
  gw:
    type: Cloud.NSX.Gateway
    properties:
      networks:
        - ${resource.akout.id}
  nat:
    type: Cloud.NSX.Nat
    properties:
      networks:
        - ${resource.akout.id}
      natRules:
        - translatedInstance: ${resource.centos.networks[0].id}
          index: 0
          protocol: TCP
          kind: NAT44
          type: DNAT
          sourceIPs: any
          sourcePorts: 80
          translatedPorts: 8080
          destinationPorts: 8080
          description: edit
        - translatedInstance: ${resource.centos.networks[0].id}
          index: 1
          protocol: TCP
          kind: NAT44
          type: DNAT
          sourceIPs: any
          sourcePorts: 90
          translatedPorts: 9090
          destinationPorts: 9090
          description: add
      gateway: ${resource.gw.id}
  centos:
    type: Cloud.vSphere.Machine
    properties:
      image: WebTinyCentOS65x86
      flavor: small
      customizationSpec: Linux
      networks:
        - network: ${resource.akout.id}
          assignment: static
  akout:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
      constraints:
        - tag: nsxt-nat-1-M2
        

Public cloud machine to use an internal IP instead of a public IP. This example uses a specific network ID.

Note: The network: option is used in the networks: setting to specify a target network ID. The name: option in the networks: setting has been deprecated and should not be used.

resources:
  wf_proxy:
    type: Cloud.Machine
    properties:
      image: ubuntu 16.04
      flavor: small
      constraints:
        - tag: 'platform:vsphere'
      networks:
        - network: '${resource.wf_net.id}'
          assignPublicIpAddress: false

Routed network for NSX-V or NSX-T using the NSX network resource type.

Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: routed
Add a tag to a machine NIC resource in the cloud template.
formatVersion: 1
inputs: {}
resources:
 Cloud_Machine_1:
 type: Cloud.vSphere.Machine
 properties:
  flavor: small
  image: ubuntu
  networks:
     - name: '${resource.Cloud_Network_1.name}'
     deviceIndex: 0
     tags: 
      - key: 'nic0'
        value: null
      - key: internal
        value: true
     - name: '${resource.Cloud_Network_2.name}'
     deviceIndex: 1
     tags: 
      - key: 'nic1'
        value: null
      - key: internal
        value: false

Tag NSX-T logical switches for an outbound network.

Tagging is supported for NSX-T and VMware Cloud on AWS.

For more information on this scenario, see community blog post Creating Tags in NSX with Cloud Assembly.

Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
      tags: 
        - key: app
          value: opencart

Security groups

Resource scenario Example cloud template design code

Existing security group with a constraint tag applied to a machine NIC.

To use an existing security group, enter existing for the securityGroupType property.

You can assign tags to a Cloud.SecurityGroup resource to allocate existing security groups by using tag constraints. Security groups that do not contain tags cannot be used in the cloud template design.

Constraint tags must be set for securityGroupType: existing security group resources. Those constraints must match the tags set on the existing security groups. Constraint tags cannot be set for securityGroupType: new security group resources.

formatVersion: 1
inputs: {}
resources:
  allowSsh_sg:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: existing
      constraints:
        - tag: allowSsh
  compute:
    type: Cloud.Machine
    properties:
      image: centos
      flavor: small
      networks:
        - network: '${resource.prod-net.id}'
          securityGroups:
            - '${resource.allowSsh_sg.id}'
  prod-net:
    type: Cloud.Network
    properties:
      networkType: existing

On-demand security group with two firewall rules illustrating the Allow and Deny access options.

resources:
  Cloud_SecurityGroup_1:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      rules:
        - ports: 5000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Allow
          direction: inbound
          name: allow_5000
          protocol: TCP
        - ports: 7000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Deny
          direction: inbound
          name: deny_7000
          protocol: TCP
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      image: photon
      cpuCount: 1
      totalMemoryMB: 256
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          assignIPv6Address: true
          assignment: static
          securityGroups:
            - '${resource.Cloud_SecurityGroup_1.id}'
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing
Complex cloud template with 2 security groups, including:
  • 1 existing security group
  • 1 on-demand security group with multiple firewall rule examples
  • 1 vSphere machine
  • 1 existing network

This sample illustrates different combinations of protocols and ports, services, IP CIDR as source and destination, IP range as source or destination, and the options for any, IPv6, and (::/0).

For machine NICs, you can specify the connected network, and security group(s). You can also specify the NIC index or an IP address.

formatVersion: 1
inputs: {}
resources:
  DEMO_ESG : existing security group - security group 1)
    type: Cloud.SecurityGroup
    properties:
      constraints:
        - tag: BlockAll
      securityGroupType: existing (designation of existing for security group 1) 
  DEMO_ODSG: (on-demand security group - security group 2))
    type: Cloud.SecurityGroup
    properties:
      rules: (multiple firewall rules in this section)
        - name: IN-ANY (rule 1)
          source: any
          service: any
          direction: inbound
          access: Deny
        - name: IN-SSH (rule 2)
          source: any
          service: SSH
          direction: inbound
          access: Allow
        - name: IN-SSH-IP (rule 3)
          source: 33.33.33.1-33.33.33.250
          protocol: TCP
          ports: 223
          direction: inbound
          access: Allow
        - name: IPv-6-ANY-SOURCE (rule 4)
          source: '::/0'
          protocol: TCP
          ports: 223
          direction: inbound
          access: Allow
        - name: IN-SSH-IP (rule 5)
          source: 44.44.44.1/24
          protocol: UDP
          ports: 22-25
          direction: inbound
          access: Allow
        - name: IN-EXISTING-SG (rule 6)
          source: '${resource["DEMO_ESG"].id}'
          protocol: ICMPv6
          direction: inbound
          access: Allow
        - name: OUT-ANY (rule 7)
          destination: any
          service: any
          direction: outbound
          access: Deny
        - name: OUT-TCP-IPv6 (rule 8)
          destination: '2001:0db8:85a3::8a2e:0370:7334/64'
          protocol: TCP
          ports: 22
          direction: outbound
          access: Allow
        - name: IPv6-ANY-DESTINATION (rule 9)
          destination: '::/0'
          protocol: UDP
          ports: 23
          direction: outbound
          access: Allow
        - name: OUT-UDP-SERVICE (rule 10)
          destination: any
          service: NTP
          direction: outbound
          access: Allow
      securityGroupType: new (designation of on-demand for security group 2)
  DEMO_VC_MACHINE: (machine resource)
    type: Cloud.vSphere.Machine 
    properties:
      image: PHOTON
      cpuCount: 1
      totalMemoryMB: 1024
      networks: (Machine network NICs)
        - network: '${resource.DEMO_NW.id}'
          securityGroups:
            - '${resource.DEMO_ODSG.id}'
            - '${resource.DEMO_ESG.id}'
  DEMO_NETWORK: (network resource)
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
      constraints:
        - tag: nsx62

Load balancers

Resource scenario Example cloud template design code

Specify a load balancer logging level, algorithm, and size.

Sample NSX load balancer showing use of logging level, algorithm, and size:

resources:
  Cloud_LoadBalancer_1:
    type: Cloud.NSX.LoadBalancer
    properties:
      name: myapp-lb
      network: '${appnet-public.name}'
      instances: '${wordpress.id}'
      routes:
       - protocol: HTTP port: '80'
         loggingLevel: CRITICAL 
         algorithm: LEAST_CONNECTION
         type: MEDIUM

Associate a load balancer with a named machine or a named machine NIC. You can specify either machine ID or machine network ID to add the machine to the load balancer pool. The instances property supports both machines (machine by ID) and NICs (machine by network ID).

In the first example, the deployment uses the machine by ID setting to load balance the machine when it is deployed on any network.

In the second example, the deployment uses the machine by network ID setting to load balance the machine only when the machine is deployed on the named machine NIC.

The third example shows both settings used in the same instances option.

You can use the instances property to define a machine ID or a machine network ID:
  • Machine ID
    Cloud_LoadBalancer_1:
     type: Cloud.LoadBalancer
     properties:
       network: '${resource.Cloud_Network_1.id}'
       instances: '${resource.Cloud_Machine_1.id}'
       
  • Machine network ID
    Cloud_LoadBalancer_1:
     type: Cloud.LoadBalancer
     properties:
       network: '${resource.Cloud_Network_1.id}'
       instances: '${resource.Cloud_Machine_1.networks[0].id}'
  • One machine specified for load balancer inclusion and another machine NIC specified for load balancer inclusion:
    instances:
      - resource.Cloud_Machine_1.id
      - resource.Cloud_Machine_2.networks[2].id
Add health check settings to an NSX load balancer. Additional options include httpMethod, requestBody, and responseBody.
myapp-lb:
  type: Cloud.NSX.LoadBalancer
  properties:
    name: myapp-lb
    network: '${appnet-public.name}'
    instances: '${wordpress.id}'
    routes:
     - protocol: HTTP
       port: '80'
       algorithm: ROUND_ROBIN
       instanceProtocol: HTTP
       instancePort: '80'
       healthCheckConfiguration:
         protocol: HTTP
         port: '80'
         urlPath: /mywordpresssite/wp-admin/install.php
         intervalSeconds: 60
         timeoutSeconds: 10
         unhealthyThreshold: 10
         healthyThreshold: 2
       connectionLimit: '50'
       connectionRateLimit: '50'
       maxConnections: '500'
       minConnections: ''
     internetFacing: true{code}

On-demand network with a 1-arm load balancer.

inputs: {}
resources:
  mp-existing:
    type: Cloud.Network
    properties:
      name: mp-existing
      networkType: existing
  mp-wordpress:
    type: Cloud.vSphere.Machine
    properties:
      name: wordpress
      count: 2
      flavor: small
      image: tiny
      customizationSpec: Linux
      networks:
        - network: '${resource["mp-private"].id}'
  mp-private:
    type: Cloud.NSX.Network
    properties:
      name: mp-private
      networkType: private
      constraints:
        - tag: nsxt
  mp-wordpress-lb:
    type: Cloud.LoadBalancer
    properties:
      name: wordpress-lb
      internetFacing: false
      network: '${resource.mp-existing.id}'
      instances: '${resource["mp-wordpress"].id}'
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.pl
            intervalSeconds: 60
            timeoutSeconds: 30
            unhealthyThreshold: 5
            healthyThreshold: 2

Existing network with a load balancer.

formatVersion: 1
inputs:
  count:
    type: integer
    default: 1
resources:
  ubuntu-vm:
    type: Cloud.Machine
    properties:
      name: ubuntu
      flavor: small
      image: tiny
      count: '${input.count}'
      networks:
        - network: '${resource.Cloud_NSX_Network_1.id}'
  Provider_LoadBalancer_1:
    type: Cloud.LoadBalancer
    properties:
      name: OC-LB
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.html
            intervalSeconds: 60
            timeoutSeconds: 5
            unhealthyThreshold: 5
            healthyThreshold: 2
      network: '${resource.Cloud_NSX_Network_1.id}'
      internetFacing: false
      instances: '${resource["ubuntu-vm"].id}'
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: existing
      constraints:
        - tag: nsxt24prod

Learn more

For network and security group implementation scenarios, see VMware blogs such as these: