You can use networking, security, and load balancer resources and settings in cloud template designs and deployments.

For a summary of cloud template design code options, see vRealize Automation Resource Type Schema.

These examples illustrate sample network, security group, and load balancer resources within basic cloud template designs.

Resource scenario Example cloud template design code

vSphere machine with multiple NICs associated to an NSX network resource.

resources:
  demo-machine:
    type: Cloud.vSphere.Machine
    properties:
      image: ubuntu
      flavor: small
      networks:
       - network: '${resource.Cloud_vSphere_Network_1.id}'  
  Cloud_vSphere_Network_1:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
  Cloud_vSphere_Network_2:
    type: Cloud.NSX.Network
    properties:
      networkType: existing
     
Enable NAT port forwarding by using a Cloud.NSX.Gateway cloud template resource on an outbound network.
...
  gateway:
    type: Cloud.NSX.Gateway
    properties:
      networks:
       - ${resource.out.id}  
  natRules:
    - index: 1
      translatedInstance: ${resource.jumpbox.networks[0].id}
      destinationPorts: 2200
      translatedPorts: 22
      description: inbound ssh
    - index: 2
         ...
     

Specify a load balance logging level, algorithm, and size.

Sample NSX load balancer showing use of logging level, algorithm, and size:

resources:
  Cloud_LoadBalancer_1:
    type: Cloud.NSX.LoadBalancer
    properties:
      name: myapp-lb
      network: '${appnet-public.name}'
      instances: '${wordpress.id}'
      routes:
       - protocol: HTTP port: '80'
         loggingLevel: CRITICAL 
         algorithm: LEAST_CONNECTION
         type: MEDIUM

Associate a load balancer with a named machine or a named machine NIC. You can specify either machine ID or machine network ID to add the machine to the load balancer pool. The instances property supports both machines (machine by ID) and NICs (machine by network ID).

In the first example, the deployment uses the machine by ID setting to load balance the machine when it is deployed on any network.

In the second example, the deployment uses the machine by network ID setting to load balance the machine only when the machine is deployed on the named machine NIC.

The third example shows both settings used in the same instances option.

You can use the instances property to define a machine ID or a machine network ID:
  • Machine ID
    Cloud_LoadBalancer_1:
     type: Cloud.LoadBalancer
     properties:
       network: '${resource.Cloud_Network_1.id}'
       instances: '${resource.Cloud_Machine_1.id}'
       
  • Machine network ID
    Cloud_LoadBalancer_1:
     type: Cloud.LoadBalancer
     properties:
       network: '${resource.Cloud_Network_1.id}'
       instances: '${resource.Cloud_Machine_1.networks[0].id}'
  • One machine specified for load balancer inclusion and another machine NIC specified for load balancer inclusion:
    instances:
      - resource.Cloud_Machine_1.id
      - resource.Cloud_Machine_2.networks[2].id

Public cloud machine to use an internal IP instead of a public IP. This example uses a specific network ID.

Note: The network: option is used in the networks: setting to specify a target network ID. The name: option in the networks: setting has been deprecated and should not be used.

resources:
  wf_proxy:
    type: Cloud.Machine
    properties:
      image: ubuntu 16.04
      flavor: small
      constraints:
        - tag: 'platform:vsphere'
      networks:
        - network: '${resource.wf_net.id}'
          assignPublicIpAddress: false

Routed network for NSX-V or NSX-T using the NSX network resource type.

Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: routed
Add a tag to a machine NIC resource in the cloud template.
formatVersion: 1
inputs: {}
resources:
 Cloud_Machine_1:
 type: Cloud.vSphere.Machine
 properties:
  flavor: small
  image: ubuntu
  networks:
     - name: '${resource.Cloud_Network_1.name}'
     deviceIndex: 0
     tags: 
      - key: 'nic0'
        value: null
      - key: internal
        value: true
     - name: '${resource.Cloud_Network_2.name}'
     deviceIndex: 1
     tags: 
      - key: 'nic1'
        value: null
      - key: internal
        value: false

Tag NSX-T logical switches for an outbound network.

Tagging is supported for NSX-T and VMware Cloud on AWS.

For more information on this scenario, see community blog post Creating Tags in NSX with Cloud Assembly.

Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
      tags: 
        - key: app
          value: opencart

Existing security group with a constraint tag applied to a machine NIC.

To use an existing security group, enter existing for the securityGroupType property.

You can assign tags to a Cloud.SecurityGroup resource to allocate existing security groups by using tag constraints. Security groups that do not contain tags cannot be used in the cloud template design.

Constraint tags must be set for securityGroupType: existing security group resources. Those constraints must match the tags set on the existing security groups. Constraint tags cannot be set for securityGroupType: new security group resources.

formatVersion: 1
inputs: {}
resources:
  allowSsh_sg:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: existing
      constraints:
        - tag: allowSsh
  compute:
    type: Cloud.Machine
    properties:
      image: centos
      flavor: small
      networks:
        - network: '${resource.prod-net.id}'
          securityGroups:
            - '${resource.allowSsh_sg.id}'
  prod-net:
    type: Cloud.Network
    properties:
      networkType: existing

On-demand security group with two firewall rules illustrating the Allow and Deny access options.

resources:
  Cloud_SecurityGroup_1:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      rules:
        - ports: 5000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Allow
          direction: inbound
          name: allow_5000
          protocol: TCP
        - ports: 7000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Deny
          direction: inbound
          name: deny_7000
          protocol: TCP
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      image: photon
      cpuCount: 1
      totalMemoryMB: 256
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          assignIPv6Address: true
          assignment: static
          securityGroups:
            - '${resource.Cloud_SecurityGroup_1.id}'
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing
Complex cloud template with 2 security groups, including:
  • 1 existing security group
  • 1 on-demand security group with multiple firewall rule examples
  • 1 vSphere machine
  • 1 existing network

This sample illustrates different combinations of protocols and ports, services, IP CIDR as source and destination, IP range as source or destination, and the options for any, IPv6, and (::/0).

For machine NICs, you can specify the connected network, and security group(s). You can also specify the NIC index or an IP address.

formatVersion: 1
inputs: {}
resources:
  DEMO_ESG : existing security group - security group 1)
    type: Cloud.SecurityGroup
    properties:
      constraints:
        - tag: BlockAll
      securityGroupType: existing (designation of existing for security group 1) 
  DEMO_ODSG: (on-demand security group - security group 2))
    type: Cloud.SecurityGroup
    properties:
      rules: (multiple firewall rules in this section)
        - name: IN-ANY (rule 1)
          source: any
          service: any
          direction: inbound
          access: Deny
        - name: IN-SSH (rule 2)
          source: any
          service: SSH
          direction: inbound
          access: Allow
        - name: IN-SSH-IP (rule 3)
          source: 33.33.33.1-33.33.33.250
          protocol: TCP
          ports: 223
          direction: inbound
          access: Allow
        - name: IPv-6-ANY-SOURCE (rule 4)
          source: '::/0'
          protocol: TCP
          ports: 223
          direction: inbound
          access: Allow
        - name: IN-SSH-IP (rule 5)
          source: 44.44.44.1/24
          protocol: UDP
          ports: 22-25
          direction: inbound
          access: Allow
        - name: IN-EXISTING-SG (rule 6)
          source: '${resource["DEMO_ESG"].id}'
          protocol: ICMPv6
          direction: inbound
          access: Allow
        - name: OUT-ANY (rule 7)
          destination: any
          service: any
          direction: outbound
          access: Deny
        - name: OUT-TCP-IPv6 (rule 8)
          destination: '2001:0db8:85a3::8a2e:0370:7334/64'
          protocol: TCP
          ports: 22
          direction: outbound
          access: Allow
        - name: IPv6-ANY-DESTINATION (rule 9)
          destination: '::/0'
          protocol: UDP
          ports: 23
          direction: outbound
          access: Allow
        - name: OUT-UDP-SERVICE (rule 10)
          destination: any
          service: NTP
          direction: outbound
          access: Allow
      securityGroupType: new (designation of on-demand for security group 2)
  DEMO_VC_MACHINE: (machine resource)
    type: Cloud.vSphere.Machine 
    properties:
      image: PHOTON
      cpuCount: 1
      totalMemoryMB: 1024
      networks: (Machine network NICs)
        - network: '${resource.DEMO_NW.id}'
          securityGroups:
            - '${resource.DEMO_ODSG.id}'
            - '${resource.DEMO_ESG.id}'
  DEMO_NETWORK: (network resource)
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
      constraints:
        - tag: nsx62

On-demand network with a 1-arm load balancer.

inputs: {}
resources:
  mp-existing:
    type: Cloud.Network
    properties:
      name: mp-existing
      networkType: existing
  mp-wordpress:
    type: Cloud.vSphere.Machine
    properties:
      name: wordpress
      count: 2
      flavor: small
      image: tiny
      customizationSpec: Linux
      networks:
        - network: '${resource["mp-private"].id}'
  mp-private:
    type: Cloud.NSX.Network
    properties:
      name: mp-private
      networkType: private
      constraints:
        - tag: nsxt
  mp-wordpress-lb:
    type: Cloud.LoadBalancer
    properties:
      name: wordpress-lb
      internetFacing: false
      network: '${resource.mp-existing.id}'
      instances: '${resource["mp-wordpress"].id}'
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.pl
            intervalSeconds: 60
            timeoutSeconds: 30
            unhealthyThreshold: 5
            healthyThreshold: 2

Existing network with a load balancer.

formatVersion: 1
inputs:
  count:
    type: integer
    default: 1
resources:
  ubuntu-vm:
    type: Cloud.Machine
    properties:
      name: ubuntu
      flavor: small
      image: tiny
      count: '${input.count}'
      networks:
        - network: '${resource.Cloud_NSX_Network_1.id}'
  Provider_LoadBalancer_1:
    type: Cloud.LoadBalancer
    properties:
      name: OC-LB
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.html
            intervalSeconds: 60
            timeoutSeconds: 5
            unhealthyThreshold: 5
            healthyThreshold: 2
      network: '${resource.Cloud_NSX_Network_1.id}'
      internetFacing: false
      instances: '${resource["ubuntu-vm"].id}'
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: existing
      constraints:
        - tag: nsxt24prod

Learn more

For network and security implementation scenarios, see VMware blogs such as these: