您可以在雲端範本設計和部署中使用網路、安全性和負載平衡器資源與設定。

如需雲端範本設計代碼選項的摘要,請參閱〈vRealize Automation 資源類型架構〉

這些範例說明了基本雲端範本設計中的網路、安全和負載平衡器資源。

網路

資源案例 範例雲端範本設計代碼
vSphere 機器具有多個 NIC,且這些 NIC 連線到指派了 DHCP IP 的 vSphere 網路和 NSX 網路

resources:
  demo-machine:
    type: Cloud.vSphere.Machine
    properties:
      image: ubuntu
      flavor: small
      networks:
        - network: ${resource["demo-vSphere-Network"].id}
          deviceIndex: 0
        - network: ${resource["demo-NSX-Network"].id}
          deviceIndex: 1
  demo-vSphere-Network:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
  demo-NSX-Network:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
     
使用 vlanIds 內容指定包含 3 個 VLAN (123、456 和 7) 的陣列的 NSX 私人網路
formatVersion: 1
inputs: {}
resources:
  Cloud_Machine_1:
    type: Cloud.Machine
    properties:
      image: test
      flavor: test
      networks:
       - network: '${resource.Cloud_NSX_Network_1.id}'  
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: private
      vlanIds:
         - 123 
         - 456
         - 7
     
為 Azure 虛擬機器部署新增具有靜態 IP 位址的私人網路
formatVersion: 1
inputs: {}
resources:
  Cloud_Azure_Machine_1:
    type: Cloud.Machine
    properties:
      image: photon
      flavor: Standard_B1ls
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          assignment: static
          address: 10.0.0.45
          assignPublicIpAddress: false
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing

可以將靜態 IP 指派與 vRealize IPAM (隨 vRealize Automation 提供的內部 IPAM,或以 vRA IPAM SDK 為基礎的外部 IPAM,例如,VMware Marketplace 中提供的 Infloblox 外掛程式之一的 IPAM) 搭配使用。不支援 assignment: static 的其他用途,如有關 vRealize Automation 雲端範本中的網路資源的詳細資訊〈注意須知〉部分中所述。

resources:
  demo_vm:
    type: Cloud.vSphere.Machine
    properties:
      image: 'photon'
      cpuCount: 1
      totalMemoryMB: 1024
      networks:
        - network: ${resource.demo_nw.id}
          assignment: static
  demo_nw:
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
在現有部署的 Cloud.NSX.NAT 資源中新增或編輯 NAT 和 DNAT 連接埠轉送規則。
resources:
  gw:
    type: Cloud.NSX.Gateway
    properties:
      networks:
        - ${resource.akout.id}
  nat:
    type: Cloud.NSX.Nat
    properties:
      networks:
        - ${resource.akout.id}
      natRules:
        - translatedInstance: ${resource.centos.networks[0].id}
          index: 0
          protocol: TCP
          kind: NAT44
          type: DNAT
          sourceIPs: any
          sourcePorts: 80
          translatedPorts: 8080
          destinationPorts: 8080
          description: edit
        - translatedInstance: ${resource.centos.networks[0].id}
          index: 1
          protocol: TCP
          kind: NAT44
          type: DNAT
          sourceIPs: any
          sourcePorts: 90
          translatedPorts: 9090
          destinationPorts: 9090
          description: add
      gateway: ${resource.gw.id}
  centos:
    type: Cloud.vSphere.Machine
    properties:
      image: WebTinyCentOS65x86
      flavor: small
      customizationSpec: Linux
      networks:
        - network: ${resource.akout.id}
          assignment: static
  akout:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
      constraints:
        - tag: nsxt-nat-1-M2
        

使用內部 IP 而非公用 IP 的公有雲機器。此範例使用特定的網路識別碼。

附註:network: 選項在 networks: 設定中用來指定目標網路識別碼。networks: 設定中的 name: 選項已被取代,因此不應使用。

resources:
  wf_proxy:
    type: Cloud.Machine
    properties:
      image: ubuntu 16.04
      flavor: small
      constraints:
        - tag: 'platform:vsphere'
      networks:
        - network: '${resource.wf_net.id}'
          assignPublicIpAddress: false

使用 NSX 網路資源類型的 NSX-VNSX-T 的路由網路。

Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: routed
將標籤新增至雲端範本中的機器 NIC 資源。
formatVersion: 1
inputs: {}
resources:
 Cloud_Machine_1:
 type: Cloud.vSphere.Machine
 properties:
  flavor: small
  image: ubuntu
  networks:
     - name: '${resource.Cloud_Network_1.name}'
     deviceIndex: 0
     tags: 
      - key: 'nic0'
        value: null
      - key: internal
        value: true
     - name: '${resource.Cloud_Network_2.name}'
     deviceIndex: 1
     tags: 
      - key: 'nic1'
        value: null
      - key: internal
        value: false

為輸出網路標記 NSX-T 邏輯交換器。

NSX-TVMware Cloud on AWS 支援標記。

如需有關此案例的詳細資訊,請參閱社群部落格文章〈使用 Cloud Assembly 在 NSX 中建立標籤〉

Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: outbound
      tags: 
        - key: app
          value: opencart

安全群組

資源案例 範例雲端範本設計代碼

已將限制標籤套用至機器 NIC 的現有安全群組。

若要使用現有的安全群組,請為 securityGroupType 內容輸入 existing

您可以使用標籤限制將標籤指派給 Cloud.SecurityGroup 資源,以配置現有的安全群組。不含標籤的安全群組無法在雲端範本設計中使用。

必須為 securityGroupType: existing 安全群組資源設定限制標籤。這些限制必須與現有安全群組上設定的標籤相符。無法為 securityGroupType: new 安全群組資源設定限制標籤。

formatVersion: 1
inputs: {}
resources:
  allowSsh_sg:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: existing
      constraints:
        - tag: allowSsh
  compute:
    type: Cloud.Machine
    properties:
      image: centos
      flavor: small
      networks:
        - network: '${resource.prod-net.id}'
          securityGroups:
            - '${resource.allowSsh_sg.id}'
  prod-net:
    type: Cloud.Network
    properties:
      networkType: existing

具有兩個防火牆規則的隨選安全群組,用於說明 AllowDeny 存取選項。

resources:
  Cloud_SecurityGroup_1:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      rules:
        - ports: 5000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Allow
          direction: inbound
          name: allow_5000
          protocol: TCP
        - ports: 7000
          source: 'fc00:10:000:000:000:56ff:fe89:48b4'
          access: Deny
          direction: inbound
          name: deny_7000
          protocol: TCP
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      image: photon
      cpuCount: 1
      totalMemoryMB: 256
      networks:
        - network: '${resource.Cloud_Network_1.id}'
          assignIPv6Address: true
          assignment: static
          securityGroups:
            - '${resource.Cloud_SecurityGroup_1.id}'
  Cloud_Network_1:
    type: Cloud.Network
    properties:
      networkType: existing
具有 2 個安全群組的複雜雲端範本,其中包括:
  • 1 個現有安全群組
  • 1 個隨選安全群組 (包含多個防火牆規則範例)
  • 1 個 vSphere 機器
  • 1 個現有網路

此範例說明了以下內容的各種不同組合:通訊協定和連接埠、服務、IP CIDR (作為來源和目的地)、IP 範圍 (作為來源或目的地),以及任何、IPv6 和 (::/0) 選項。

對於機器 NIC,您可以指定已連線的網路和安全群組。您也可以指定 NIC 索引或 IP 位址。

formatVersion: 1
inputs: {}
resources:
  DEMO_ESG : existing security group - security group 1)
    type: Cloud.SecurityGroup
    properties:
      constraints:
        - tag: BlockAll
      securityGroupType: existing (designation of existing for security group 1) 
  DEMO_ODSG: (on-demand security group - security group 2))
    type: Cloud.SecurityGroup
    properties:
      rules: (multiple firewall rules in this section)
        - name: IN-ANY (rule 1)
          source: any
          service: any
          direction: inbound
          access: Deny
        - name: IN-SSH (rule 2)
          source: any
          service: SSH
          direction: inbound
          access: Allow
        - name: IN-SSH-IP (rule 3)
          source: 33.33.33.1-33.33.33.250
          protocol: TCP
          ports: 223
          direction: inbound
          access: Allow
        - name: IPv-6-ANY-SOURCE (rule 4)
          source: '::/0'
          protocol: TCP
          ports: 223
          direction: inbound
          access: Allow
        - name: IN-SSH-IP (rule 5)
          source: 44.44.44.1/24
          protocol: UDP
          ports: 22-25
          direction: inbound
          access: Allow
        - name: IN-EXISTING-SG (rule 6)
          source: '${resource["DEMO_ESG"].id}'
          protocol: ICMPv6
          direction: inbound
          access: Allow
        - name: OUT-ANY (rule 7)
          destination: any
          service: any
          direction: outbound
          access: Deny
        - name: OUT-TCP-IPv6 (rule 8)
          destination: '2001:0db8:85a3::8a2e:0370:7334/64'
          protocol: TCP
          ports: 22
          direction: outbound
          access: Allow
        - name: IPv6-ANY-DESTINATION (rule 9)
          destination: '::/0'
          protocol: UDP
          ports: 23
          direction: outbound
          access: Allow
        - name: OUT-UDP-SERVICE (rule 10)
          destination: any
          service: NTP
          direction: outbound
          access: Allow
      securityGroupType: new (designation of on-demand for security group 2)
  DEMO_VC_MACHINE: (machine resource)
    type: Cloud.vSphere.Machine 
    properties:
      image: PHOTON
      cpuCount: 1
      totalMemoryMB: 1024
      networks: (Machine network NICs)
        - network: '${resource.DEMO_NW.id}'
          securityGroups:
            - '${resource.DEMO_ODSG.id}'
            - '${resource.DEMO_ESG.id}'
  DEMO_NETWORK: (network resource)
    type: Cloud.vSphere.Network
    properties:
      networkType: existing
      constraints:
        - tag: nsx62

負載平衡器

資源案例 範例雲端範本設計代碼

指定負載平衡器記錄層級、演算法和大小。

顯示使用記錄層級、演算法和大小的 NSX 負載平衡器範例:

resources:
  Cloud_LoadBalancer_1:
    type: Cloud.NSX.LoadBalancer
    properties:
      name: myapp-lb
      network: '${appnet-public.name}'
      instances: '${wordpress.id}'
      routes:
       - protocol: HTTP port: '80'
         loggingLevel: CRITICAL 
         algorithm: LEAST_CONNECTION
         type: MEDIUM

將負載平衡器與具名機器或具名機器 NIC 相關聯。您可以指定 machine IDmachine network ID,以將機器新增至負載平衡器集區。執行個體內容同時支援機器 (machine by ID) 和 NIC (machine by network ID)。

在第一個範例中,在任何網路上部署機器時,部署會使用 machine by ID 設定對該機器進行負載平衡。

在第二個範例中,只有在具名機器 NIC 上部署機器時,部署才會使用 machine by network ID 設定對該機器進行負載平衡。

第三個範例顯示了相同 instances 選項中使用的兩個設定。

您可以使用 instances 內容來定義機器識別碼或機器網路識別碼:
  • 機器識別碼
    Cloud_LoadBalancer_1:
     type: Cloud.LoadBalancer
     properties:
       network: '${resource.Cloud_Network_1.id}'
       instances: '${resource.Cloud_Machine_1.id}'
       
  • 機器網路識別碼
    Cloud_LoadBalancer_1:
     type: Cloud.LoadBalancer
     properties:
       network: '${resource.Cloud_Network_1.id}'
       instances: '${resource.Cloud_Machine_1.networks[0].id}'
  • 為負載平衡器包含指定一個機器,以及為負載平衡器包含指定另一個機器 NIC:
    instances:
      - resource.Cloud_Machine_1.id
      - resource.Cloud_Machine_2.networks[2].id
將健全狀況檢查設定新增至 NSX 負載平衡器。其他選項包括 httpMethodrequestBodyresponseBody
myapp-lb:
  type: Cloud.NSX.LoadBalancer
  properties:
    name: myapp-lb
    network: '${appnet-public.name}'
    instances: '${wordpress.id}'
    routes:
     - protocol: HTTP
       port: '80'
       algorithm: ROUND_ROBIN
       instanceProtocol: HTTP
       instancePort: '80'
       healthCheckConfiguration:
         protocol: HTTP
         port: '80'
         urlPath: /mywordpresssite/wp-admin/install.php
         intervalSeconds: 60
         timeoutSeconds: 10
         unhealthyThreshold: 10
         healthyThreshold: 2
       connectionLimit: '50'
       connectionRateLimit: '50'
       maxConnections: '500'
       minConnections: ''
     internetFacing: true{code}

具有單肩負載平衡器的隨選網路。

inputs: {}
resources:
  mp-existing:
    type: Cloud.Network
    properties:
      name: mp-existing
      networkType: existing
  mp-wordpress:
    type: Cloud.vSphere.Machine
    properties:
      name: wordpress
      count: 2
      flavor: small
      image: tiny
      customizationSpec: Linux
      networks:
        - network: '${resource["mp-private"].id}'
  mp-private:
    type: Cloud.NSX.Network
    properties:
      name: mp-private
      networkType: private
      constraints:
        - tag: nsxt
  mp-wordpress-lb:
    type: Cloud.LoadBalancer
    properties:
      name: wordpress-lb
      internetFacing: false
      network: '${resource.mp-existing.id}'
      instances: '${resource["mp-wordpress"].id}'
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.pl
            intervalSeconds: 60
            timeoutSeconds: 30
            unhealthyThreshold: 5
            healthyThreshold: 2

具有負載平衡器的現有網路。

formatVersion: 1
inputs:
  count:
    type: integer
    default: 1
resources:
  ubuntu-vm:
    type: Cloud.Machine
    properties:
      name: ubuntu
      flavor: small
      image: tiny
      count: '${input.count}'
      networks:
        - network: '${resource.Cloud_NSX_Network_1.id}'
  Provider_LoadBalancer_1:
    type: Cloud.LoadBalancer
    properties:
      name: OC-LB
      routes:
        - protocol: HTTP
          port: '80'
          instanceProtocol: HTTP
          instancePort: '80'
          healthCheckConfiguration:
            protocol: HTTP
            port: '80'
            urlPath: /index.html
            intervalSeconds: 60
            timeoutSeconds: 5
            unhealthyThreshold: 5
            healthyThreshold: 2
      network: '${resource.Cloud_NSX_Network_1.id}'
      internetFacing: false
      instances: '${resource["ubuntu-vm"].id}'
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: existing
      constraints:
        - tag: nsxt24prod

深入瞭解

如需網路和安全群組實作案例,請參閱 VMware 部落格,例如: