To create either private networks without access to outside networks or outbound networks with one-way access to upstream networks, you create a network profile with isolation and specify the isolation type.

This procedure provides the steps to create a network that supports isolation using a subnet, and includes optional steps that show how to create the network using an external subnet, security groups, or a VLAN transport zone. The network profile that uses a VLAN transport zone only supports private networks.

Prerequisites

Procedure

  1. Assign the cloud account ID variable.
    cloud_account_id='<your_cloud_account_id>'
  2. Assign the region ID variable.
    region_id='<your_region_id>'
  3. Filter for network domains associated with the cloud account ID and in the external region ID us-east-1.
    curl -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer $access_token" "$url/iaas/api/network-domains?apiVersion=$api_version&"'$filter='"externalRegionId%20eq%20'us-east-1'%20and%20cloudAccountId%20eq%20'$cloud_account_id'" | jq "."
  4. Examine the response to find the IDs for the network domain that you want to include in your network profile. If you are creating a network profile with a VLAN transport zone, select a network domain that has the custom property "__transportZoneTrafficType":"VLAN_BACKED".
  5. Create a network profile that supports isolation using a subnet and IDs for a non-public network.
    curl -X POST \
      $url/iaas/api/network-profiles?apiVersion=$api_version \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer $access_token" \
      -d '{
        "name":"<your-network-profile-with-isolation-by-subnet>",
        "description":"Example Network Profile",
        "regionId":"'$region_id'",
        "isolationType" : "SUBNET",
        "isolationNetworkDomainId" : "<network_domain_id_from_response>",
        "isolatedNetworkCIDRPrefix" : "27",
        "fabricNetworkIds": [
          "<non_public_network_id1>",
          "<non_public_network_id2>"
        ],
        "tags": [ { "key": "env", "value": "prod" } ]
      }' | jq "."
    The response shows the name and ID for the network profile you created.
  6. (Optional) Create a network profile that supports isolation using an external subnet.
    curl -X POST \
      $url/iaas/api/network-profiles?apiVersion=$api_version \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer $access_token" \
      -d '{ 
        "name":"<your-network-profile-with-isolation-by-external-subnet>", 
        "description":"Example Network Profile", 
        "regionId":"'$region_id'", 
        "isolationType" : "SUBNET", 
        "isolationNetworkDomainId" : "<network_domain_id_from_response>", 
        "isolatedNetworkCIDRPrefix" : "27", 
        "isolationExternalFabricNetworkId": "<non_public_network_id1>", 
        "fabricNetworkIds": [ 
          "<non_public_network_id1>",
          "<non_public_network_id2>"
        ], 
        "tags": [ { "key": "env", "value": "prod" } ]
      }' | jq "."
    The response shows the name and ID for the network profile you created.
  7. (Optional) Create a network profile that supports isolation using security groups.
    curl -X POST \
      $url/iaas/api/network-profiles?apiVersion=$api_version \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer $access_token" \
      -d '{
        "name":"<your-network-profile-with-isolation-by-security-group>", 
        "description":"Example Network Profile", 
        "regionId":"'$region_id'", 
        "isolationType" : "SECURITY_GROUP", 
        "fabricNetworkIds": [ 
          "<non_public_network_id1>",
          "<non_public_network_id2>"
        ], 
        "tags": [ { "key": "env", "value": "prod" } ]
      }' | jq "."
    The response shows the name and ID for the network profile you created.

Example: Create various types of network profiles with isolation

The following examples include the requests used to create a network profiles that support isolation using:
  • A subnet.
  • An external subnet.
  • Security groups.
  • A VLAN transport zone.
Assign the required variables including a cloud account ID and a region ID.
$ url='https://appliance.domain.com'
$ api_version='2021-07-15'
$ cloud_account_id='c8c3c9bfdb449475-7f703c5265a63d87-5fa34c478df36b060e1ca3551254c4033013bf3283908e4661cd1c6fb2f8b9ae-ce5aad01092b47558644f6b6615d'
$ region_id='37d6c1acf4a8275586468873c739'

Filter for network domains associated with the cloud account ID and in the external region ID us-east-1.

curl -X GET -H 'Content-Type: application/json' -H "Authorization: Bearer $access_token" "$url/iaas/api/network-domains?apiVersion=$api_version&"'$filter='"externalRegionId%20eq%20'us-east-1'%20and%20cloudAccountId%20eq%20'$cloud_account_id'" | jq "."

A snippet of the response shows the ID for a network domain that you can include in your network profile.

...            
      "externalId": "vpc-4511a53d",
      "name": "rainpole-dev",
      "id": "233df662ec3b4875575931653ef00",
      "createdAt": "2022-04-02",
      "updatedAt": "2022-04-02",
      "organizationId": "8327d53f-91ea-420a-8613-ba8f3149db95",
      "orgId": "8327d53f-91ea-420a-8613-ba8f3149db95",
      "_links": {
        "cloud-accounts": {
          "hrefs": [
            "/iaas/api/cloud-accounts/c8c3c9bfdb449475-7f703c5265a63d87-f8e705d89b2569e1aac66c6d00bf4fc7ef4b1c44100f0e944af31eb8ba3d2a5a-5a45a4b9d5c72475575931611aa28",
            "/iaas/api/cloud-accounts/c8c3c9bfdb449475-7f703c5265a63d87-5fa34c478df36b060e1ca3551254c4033013bf3283908e4661cd1c6fb2f8b9ae-ce5aad01092b47558644f6b6615d"
          ]
        },
        "self": {
          "href": "/iaas/api/network-domains/233df662ec3b4875575931653ef00"
...

To create a network profile with a VLAN transport zone, ensure that the network domain you choose includes a custom property for the transport zone.

...
      "customProperties": {
        "__path": "/infra/sites/default/enforcement-points/default/transport-zones/9a358e99-5734-4926-b718-37cf4862f4bf",
        "__host_identifier": "[\"host-16\",\"host-23\",\"host-21\"]",
        "__cluster_identifier": "[\"domain-c8\"]",
        "__transportZoneTrafficType": "VLAN_BACKED",
        "path": "/infra/sites/default/enforcement-points/default/transport-zones/9a358e99-5734-4926-b718-37cf4862f4bf"
            }
...

With the IDs of fabric networks that you want to include in your profile and the network domain ID you want to include, create a network profile named example-network-profile-with-isolation-by-subnet.

$ curl -X POST  \
  $url/iaas/api/network-profiles?apiVersion=$api_version  \
  -H 'Content-Type: application/json'  \
  -H "Authorization: Bearer $access_token"  \
  -d '{ 
    "name":"example-network-profile-with-isolation-by-subnet", 
    "description":"Example Network Profile", 
    "regionId":"'$region_id'", 
    "isolationType" : "SUBNET", 
    "isolationNetworkDomainId" : "233df662ec3b4875575931653ef00", 
    "isolatedNetworkCIDRPrefix" : "27", 
    "fabricNetworkIds": [ 
      "c19bd2921af95075575931654066a", 
      "8fe650cc09d0627558d55c9ba1793" 
    ], 
    "tags": [ { "key": "env", "value": "prod" } ] 
}' | jq "."

A snippet of the response shows the network profile ID.

...            
  "name": "example-network-profile-with-isolation-by-subnet",
  "description": "Example Network Profile",
  "id": "2065036880e1c47558f1693558870",
  "updatedAt": "2022-04-02",
...

Provide the isolationExternalFabricNetworkId to create a network profile with isolation using an external subnet.

$ curl -X POST  \
  $url/iaas/api/network-profiles?apiVersion=$api_version  \
  -H 'Content-Type: application/json'  \
  -H "Authorization: Bearer $access_token"  \
  -d '{ 
    "name":"example-network-profile-with-isolation-by-external-subnet", 
    "description":"Example Network Profile", 
    "regionId":"'$region_id'", 
    "isolationType" : "SUBNET", 
    "isolationNetworkDomainId" : "233df662ec3b4875575931653ef00", 
    "isolatedNetworkCIDRPrefix" : "27", 
    "isolationExternalFabricNetworkId": "c19bd2921af95075575931654066a", 
    "fabricNetworkIds": [ 
      "c19bd2921af95075575931654066a", 
      "8fe650cc09d0627558d55c9ba1793" 
    ], 
    "tags": [ { "key": "env", "value": "prod" } ] 
}' | jq "."

A snippet of the response shows the network profile ID.

...             
  "name": "example-network-profile-with-isolation-by-external-subnet",
  "description": "Example Network Profile",
  "id": "2065036880e1c47558f16bd085288",
  "updatedAt": "2022-04-02",
...

Use the "isolationType": "SECURITY_GROUP" to create a network profile with isolation using a security group. Because this isolation does not use a subnet, this request does not use a network domain ID.

$ curl -X POST  \
  $url/iaas/api/network-profiles?apiVersion=$api_version  \
  -H 'Content-Type: application/json'  \
  -H "Authorization: Bearer $access_token"  \
  -d '{ 
    "name":"example-network-profile-with-isolation-by-security-group", 
    "description":"Example Network Profile", 
    "regionId":"'$region_id'", 
    "isolationType" : "SECURITY_GROUP", 
    "fabricNetworkIds": [ 
     "c19bd2921af95075575931654066a", 
     "8fe650cc09d0627558d55c9ba1793" 
  ], 
  "tags": [ { "key": "env", "value": "prod" } ] 
}' | jq "."

A snippet of the response shows the network profile ID.

...             
  "name": "example-network-profile-with-isolation-by-security-group",
  "description": "Example Network Profile",
  "id": "bdab0d4c28af6e7558f16c78f5468",
  "updatedAt": "2022-04-02",
...

Create a network profile with isolation using a VLAN transport zone.

$ curl -X POST  \
  $url/iaas/api/network-profiles?apiVersion=$api_version  \
  -H 'Content-Type: application/json'  \
  -H "Authorization: Bearer $access_token"  \
  -d '{ 
    "name":"example-network-profile-with-VLAN-transport-zone", 
    "description":"Example Network Profile", 
    "regionId":"'$region_id'", 
    "isolationNetworkDomainId" : "233df662ec3b4875575931653ef00", 
    "isolatedNetworkCIDRPrefix" : "27", 
    "fabricNetworkIds": [ 
      "c19bd2921af95075575931654066a", 
      "8fe650cc09d0627558d55c9ba1793" 
    ], 
    "tags": [ { "key": "env", "value": "prod" } ] 
}' | jq "."

A snippet of the response shows the network profile ID.

...             
  "name": "example-network-profile-with-VLAN-transport-zone",
  "description": "Example Network Profile",
  "id": "9cb2d111c768927558f043ec13d70",
  "updatedAt": "2022-04-02",
...