您可以在雲端範本設計和部署中使用網路、安全性和負載平衡器資源與設定。
如需雲端範本設計代碼選項的摘要,請參閱〈vRealize Automation 資源類型架構〉。
這些範例說明了基本雲端範本設計中的網路、安全和負載平衡器資源。
網路
資源案例 | 範例雲端範本設計代碼 |
---|---|
vSphere 機器具有多個 NIC,且這些 NIC 連線到指派了 DHCP IP 的 vSphere 網路和 NSX 網路
|
resources: demo-machine: type: Cloud.vSphere.Machine properties: image: ubuntu flavor: small networks: - network: ${resource["demo-vSphere-Network"].id} deviceIndex: 0 - network: ${resource["demo-NSX-Network"].id} deviceIndex: 1 demo-vSphere-Network: type: Cloud.vSphere.Network properties: networkType: existing demo-NSX-Network: type: Cloud.NSX.Network properties: networkType: outbound |
使用 vlanIds 內容指定包含 3 個 VLAN (123、456 和 7) 的陣列的 NSX 私人網路 |
formatVersion: 1 inputs: {} resources: Cloud_Machine_1: type: Cloud.Machine properties: image: test flavor: test networks: - network: '${resource.Cloud_NSX_Network_1.id}' Cloud_NSX_Network_1: type: Cloud.NSX.Network properties: networkType: private vlanIds: - 123 - 456 - 7 |
為 Azure 虛擬機器部署新增具有靜態 IP 位址的私人網路 | formatVersion: 1 inputs: {} resources: Cloud_Azure_Machine_1: type: Cloud.Machine properties: image: photon flavor: Standard_B1ls networks: - network: '${resource.Cloud_Network_1.id}' assignment: static address: 10.0.0.45 assignPublicIpAddress: false Cloud_Network_1: type: Cloud.Network properties: networkType: existing |
可以將靜態 IP 指派與 vRealize IPAM (隨 vRealize Automation 提供的內部 IPAM,或以 vRA IPAM SDK 為基礎的外部 IPAM,例如,VMware Marketplace 中提供的 Infloblox 外掛程式之一的 IPAM) 搭配使用。不支援 |
resources: demo_vm: type: Cloud.vSphere.Machine properties: image: 'photon' cpuCount: 1 totalMemoryMB: 1024 networks: - network: ${resource.demo_nw.id} assignment: static demo_nw: type: Cloud.vSphere.Network properties: networkType: existing |
在現有部署的 Cloud.NSX.NAT 資源中新增或編輯 NAT 和 DNAT 連接埠轉送規則。 |
resources: gw: type: Cloud.NSX.Gateway properties: networks: - ${resource.akout.id} nat: type: Cloud.NSX.Nat properties: networks: - ${resource.akout.id} natRules: - translatedInstance: ${resource.centos.networks[0].id} index: 0 protocol: TCP kind: NAT44 type: DNAT sourceIPs: any sourcePorts: 80 translatedPorts: 8080 destinationPorts: 8080 description: edit - translatedInstance: ${resource.centos.networks[0].id} index: 1 protocol: TCP kind: NAT44 type: DNAT sourceIPs: any sourcePorts: 90 translatedPorts: 9090 destinationPorts: 9090 description: add gateway: ${resource.gw.id} centos: type: Cloud.vSphere.Machine properties: image: WebTinyCentOS65x86 flavor: small customizationSpec: Linux networks: - network: ${resource.akout.id} assignment: static akout: type: Cloud.NSX.Network properties: networkType: outbound constraints: - tag: nsxt-nat-1-M2 |
使用內部 IP 而非公用 IP 的公有雲機器。此範例使用特定的網路識別碼。 附註: |
resources: wf_proxy: type: Cloud.Machine properties: image: ubuntu 16.04 flavor: small constraints: - tag: 'platform:vsphere' networks: - network: '${resource.wf_net.id}' assignPublicIpAddress: false |
使用 NSX 網路資源類型的 NSX-V 或 NSX-T 的路由網路。 |
Cloud_NSX_Network_1: type: Cloud.NSX.Network properties: networkType: routed |
將標籤新增至雲端範本中的機器 NIC 資源。 | formatVersion: 1 inputs: {} resources: Cloud_Machine_1: type: Cloud.vSphere.Machine properties: flavor: small image: ubuntu networks: - name: '${resource.Cloud_Network_1.name}' deviceIndex: 0 tags: - key: 'nic0' value: null - key: internal value: true - name: '${resource.Cloud_Network_2.name}' deviceIndex: 1 tags: - key: 'nic1' value: null - key: internal value: false |
為輸出網路標記 NSX-T 邏輯交換器。 NSX-T 和 VMware Cloud on AWS 支援標記。 如需有關此案例的詳細資訊,請參閱社群部落格文章〈使用 Cloud Assembly 在 NSX 中建立標籤〉。 |
Cloud_NSX_Network_1: type: Cloud.NSX.Network properties: networkType: outbound tags: - key: app value: opencart |
安全群組
資源案例 | 範例雲端範本設計代碼 |
---|---|
已將限制標籤套用至機器 NIC 的現有安全群組。 若要使用現有的安全群組,請為 securityGroupType 內容輸入 existing。 您可以使用標籤限制將標籤指派給 Cloud.SecurityGroup 資源,以配置現有的安全群組。不含標籤的安全群組無法在雲端範本設計中使用。 必須為 |
formatVersion: 1 inputs: {} resources: allowSsh_sg: type: Cloud.SecurityGroup properties: securityGroupType: existing constraints: - tag: allowSsh compute: type: Cloud.Machine properties: image: centos flavor: small networks: - network: '${resource.prod-net.id}' securityGroups: - '${resource.allowSsh_sg.id}' prod-net: type: Cloud.Network properties: networkType: existing |
具有兩個防火牆規則的隨選安全群組,用於說明 |
resources: Cloud_SecurityGroup_1: type: Cloud.SecurityGroup properties: securityGroupType: new rules: - ports: 5000 source: 'fc00:10:000:000:000:56ff:fe89:48b4' access: Allow direction: inbound name: allow_5000 protocol: TCP - ports: 7000 source: 'fc00:10:000:000:000:56ff:fe89:48b4' access: Deny direction: inbound name: deny_7000 protocol: TCP Cloud_vSphere_Machine_1: type: Cloud.vSphere.Machine properties: image: photon cpuCount: 1 totalMemoryMB: 256 networks: - network: '${resource.Cloud_Network_1.id}' assignIPv6Address: true assignment: static securityGroups: - '${resource.Cloud_SecurityGroup_1.id}' Cloud_Network_1: type: Cloud.Network properties: networkType: existing |
具有 2 個安全群組的複雜雲端範本,其中包括:
此範例說明了以下內容的各種不同組合:通訊協定和連接埠、服務、IP CIDR (作為來源和目的地)、IP 範圍 (作為來源或目的地),以及任何、IPv6 和 (::/0) 選項。 對於機器 NIC,您可以指定已連線的網路和安全群組。您也可以指定 NIC 索引或 IP 位址。 |
formatVersion: 1 inputs: {} resources: DEMO_ESG : existing security group - security group 1) type: Cloud.SecurityGroup properties: constraints: - tag: BlockAll securityGroupType: existing (designation of existing for security group 1) DEMO_ODSG: (on-demand security group - security group 2)) type: Cloud.SecurityGroup properties: rules: (multiple firewall rules in this section) - name: IN-ANY (rule 1) source: any service: any direction: inbound access: Deny - name: IN-SSH (rule 2) source: any service: SSH direction: inbound access: Allow - name: IN-SSH-IP (rule 3) source: 33.33.33.1-33.33.33.250 protocol: TCP ports: 223 direction: inbound access: Allow - name: IPv-6-ANY-SOURCE (rule 4) source: '::/0' protocol: TCP ports: 223 direction: inbound access: Allow - name: IN-SSH-IP (rule 5) source: 44.44.44.1/24 protocol: UDP ports: 22-25 direction: inbound access: Allow - name: IN-EXISTING-SG (rule 6) source: '${resource["DEMO_ESG"].id}' protocol: ICMPv6 direction: inbound access: Allow - name: OUT-ANY (rule 7) destination: any service: any direction: outbound access: Deny - name: OUT-TCP-IPv6 (rule 8) destination: '2001:0db8:85a3::8a2e:0370:7334/64' protocol: TCP ports: 22 direction: outbound access: Allow - name: IPv6-ANY-DESTINATION (rule 9) destination: '::/0' protocol: UDP ports: 23 direction: outbound access: Allow - name: OUT-UDP-SERVICE (rule 10) destination: any service: NTP direction: outbound access: Allow securityGroupType: new (designation of on-demand for security group 2) DEMO_VC_MACHINE: (machine resource) type: Cloud.vSphere.Machine properties: image: PHOTON cpuCount: 1 totalMemoryMB: 1024 networks: (Machine network NICs) - network: '${resource.DEMO_NW.id}' securityGroups: - '${resource.DEMO_ODSG.id}' - '${resource.DEMO_ESG.id}' DEMO_NETWORK: (network resource) type: Cloud.vSphere.Network properties: networkType: existing constraints: - tag: nsx62 |
負載平衡器
資源案例 | 範例雲端範本設計代碼 |
---|---|
指定負載平衡器記錄層級、演算法和大小。 |
顯示使用記錄層級、演算法和大小的 NSX 負載平衡器範例: resources: Cloud_LoadBalancer_1: type: Cloud.NSX.LoadBalancer properties: name: myapp-lb network: '${appnet-public.name}' instances: '${wordpress.id}' routes: - protocol: HTTP port: '80' loggingLevel: CRITICAL algorithm: LEAST_CONNECTION type: MEDIUM |
將負載平衡器與具名機器或具名機器 NIC 相關聯。您可以指定 在第一個範例中,在任何網路上部署機器時,部署會使用 在第二個範例中,只有在具名機器 NIC 上部署機器時,部署才會使用 第三個範例顯示了相同 |
您可以使用
instances 內容來定義機器識別碼或機器網路識別碼:
|
將健全狀況檢查設定新增至 NSX 負載平衡器。其他選項包括 httpMethod 、requestBody 和 responseBody 。 |
myapp-lb: type: Cloud.NSX.LoadBalancer properties: name: myapp-lb network: '${appnet-public.name}' instances: '${wordpress.id}' routes: - protocol: HTTP port: '80' algorithm: ROUND_ROBIN instanceProtocol: HTTP instancePort: '80' healthCheckConfiguration: protocol: HTTP port: '80' urlPath: /mywordpresssite/wp-admin/install.php intervalSeconds: 60 timeoutSeconds: 10 unhealthyThreshold: 10 healthyThreshold: 2 connectionLimit: '50' connectionRateLimit: '50' maxConnections: '500' minConnections: '' internetFacing: true{code} |
具有單肩負載平衡器的隨選網路。 |
inputs: {} resources: mp-existing: type: Cloud.Network properties: name: mp-existing networkType: existing mp-wordpress: type: Cloud.vSphere.Machine properties: name: wordpress count: 2 flavor: small image: tiny customizationSpec: Linux networks: - network: '${resource["mp-private"].id}' mp-private: type: Cloud.NSX.Network properties: name: mp-private networkType: private constraints: - tag: nsxt mp-wordpress-lb: type: Cloud.LoadBalancer properties: name: wordpress-lb internetFacing: false network: '${resource.mp-existing.id}' instances: '${resource["mp-wordpress"].id}' routes: - protocol: HTTP port: '80' instanceProtocol: HTTP instancePort: '80' healthCheckConfiguration: protocol: HTTP port: '80' urlPath: /index.pl intervalSeconds: 60 timeoutSeconds: 30 unhealthyThreshold: 5 healthyThreshold: 2 |
具有負載平衡器的現有網路。 |
formatVersion: 1 inputs: count: type: integer default: 1 resources: ubuntu-vm: type: Cloud.Machine properties: name: ubuntu flavor: small image: tiny count: '${input.count}' networks: - network: '${resource.Cloud_NSX_Network_1.id}' Provider_LoadBalancer_1: type: Cloud.LoadBalancer properties: name: OC-LB routes: - protocol: HTTP port: '80' instanceProtocol: HTTP instancePort: '80' healthCheckConfiguration: protocol: HTTP port: '80' urlPath: /index.html intervalSeconds: 60 timeoutSeconds: 5 unhealthyThreshold: 5 healthyThreshold: 2 network: '${resource.Cloud_NSX_Network_1.id}' internetFacing: false instances: '${resource["ubuntu-vm"].id}' Cloud_NSX_Network_1: type: Cloud.NSX.Network properties: networkType: existing constraints: - tag: nsxt24prod |
深入瞭解
- vRealize Automation Cloud Assembly 負載平衡器與 NSX-T 搭配使用深入探究
- 使用 Cloud Assembly 和 NSX 實現網路自動化 – 第 1 部分 (包括使用 NSX-T 和 vCenter 雲端帳戶與網路 CIDR)
- 使用 Cloud Assembly 和 NSX 實現網路自動化 – 第 2 部分 (包括使用現有和輸出網路類型)
- 使用 Cloud Assembly 和 NSX 實現網路自動化 – 第 3 部分 (包括使用現有和隨選安全群組)
- 使用 Cloud Assembly 和 NSX 實現網路自動化 – 第 4 部分 (包括使用現有和隨選負載平衡器)