Introducing PyVMC: a Python-based tool for VMware Cloud on AWS

Last updated – 12th March 2020 with recorded demo. Verified to work on VMC release 1.10.

More and more of our customers are automating as many common tasks as possible. There are many ways to script, codify or automate tasks with VMware Cloud on AWS (direct API calls, Terraform/Packer, PowerCLI, VMware vRealize Automation, etc.). For more on all the options, read Santosh’s recent blog post.

The more I used Python (for side projects, such as vTagSync), the more I enjoyed it, and I ended up building a pretty comprehensive Python client that anyone can download and use with VMware Cloud on AWS.

Matt Dreyer (LinkedIn) actually started the script (originally called “skyscraper.py” for reasons too long to be explained in this post) and I took it and added a large chunk of the networking code. So a lot of credit and kudos go to Matt. All errors and bugs would be mine though.

Note that this tool does not interact with your VMware Cloud on AWS vCenter; it runs tasks such as creating and deleting networks, setting up security groups and services, and building network security rules on the Management and Compute Gateways.

Many of the commands will also work with VMware Cloud on Dell EMC and VMware Cloud on AWS Outposts. And because VMware Cloud on AWS uses NSX-T under the hood, most of the commands will actually work with ‘traditional’ (on-prem) NSX-T with very little re-writing effort.

The advantage of using Python is that you can take many of these functions and run them on a Function-as-a-Service platform (AWS Lambda or VMware VEBA) to automate a VMC action based upon an event.

The other advantage is that Python is remarkably simple, and even someone with average programming skills like me can build it with a bit of trial and error.

The 5-minute video below walks through how to use PyVMC with a practical example. We set up access to a VM inside my VMC vCenter using NAT and open a rule on the Compute Gateway.

Do I need Python knowledge to use this tool?

None whatsoever. Seriously – you only need to:

  • Install the required Python packages:
    • pip3 install requests
    • pip3 install Ptable
    • pip3 install configparser
  • Download PyVMC.py and the config file config.ini from GitHub,
  • Update config.ini with your VMware Cloud on AWS credentials.

That’s it! Run the command and you are good to go.

Is it supported?

Sorry, but no: this is a community-based effort. Use it at your own risk. It has been extensively tested though, and I’ll endeavour to fix any bugs.

Which version of VMware Cloud on AWS has it been tested against?

Versions 1.9 and 1.10. I don’t guarantee support for previous versions. I will, however, endeavour to verify compatibility as we release new versions.

What if I find a bug or need a new feature?

Please raise it on GitHub and I will look into it.

Where can I find documentation about VMware Cloud on AWS?

Please check the online documentation:

Where can I find documentation about the supported PyVMC commands?

Read on:

Show your VMs:

$ ./pyVMC.py show-vms
+-------------------------------------------+------------+--------------------------------------+
|                Display_Name               |   Status   |             External_ID              |
+-------------------------------------------+------------+--------------------------------------+
|                   DSL20                   | VM_RUNNING | 500d48ee-dc6d-6b35-d19a-dd3a98692222 |
|                   DSL21                   | VM_RUNNING | 500d7c29-4fb4-a41e-21e9-2de65916d1fa |
| Network-Insight-5.1.0.1577527983-platform | VM_RUNNING | 500d47f3-69fb-99c4-5776-306777f0ca6b |
|   Network-Insight-5.1.0.1577527983-proxy  | VM_RUNNING | 500d1798-f91c-2ea2-7c31-9a38a652f460 |
+-------------------------------------------+------------+--------------------------------------+

Show your SDDCs:

$ ./pyVMC.py show-sddcs
+--------------------------------------+
|                OrgID                 |
+--------------------------------------+
| 7421a286-f7bf-4f34-8567-XXXXaYYYY    |
+--------------------------------------+
+------------------------------+-------+--------+-------+--------------------------------------+
|             Name             | Cloud | Status | Hosts |                  ID                  |
+------------------------------+-------+--------+-------+--------------------------------------+
|            SDDC2             |  AWS  | READY  |   1   | 1f1166d1-5210-4784-a73b-4440990ca532 |
|            SDDC3             |  AWS  | READY  |   1   | 55eb8c3b-aeb8-4eac-bfcf-dd7d1638510f |
|            SDDC1             |  AWS  | READY  |   1   | e39f8021-17f7-4a8e-a8ac-ae414a8bd541 |
+------------------------------+-------+--------+-------+--------------------------------------+

Show information about your SDDC:

$ ./pyVMC.py show-sddc-state

This is your current environment:
+-------+--------------------------------------+--------+-------+-----------+-----------------+
|  Name |                  Id                  | Status |  Type |   Region  | Deployment Type |
+-------+--------------------------------------+--------+-------+-----------+-----------------+
| SDDC2 | 1f1166d1-5210-4784-a73b-4440990ca532 | READY  | 1NODE | US_WEST_2 |    SINGLE_AZ    |
+-------+--------------------------------------+--------+-------+-----------+-----------------+

Show the users in the organization:

% ./pyVMC.py show-org-users
+------------+--------------+------------------------+
| First Name |  Last Name   |       User Name        |
+------------+--------------+------------------------+
|  Nicolas   |    Vibert    | nvibert @ vmware.com   |
+------------+--------------+------------------------+

Show all the available networks:

% ./pyVMC.py show-network
+-----------------------------+--------------------------------------+--------+------------------+------------------+
|             Name            |                  id                  |  Type  |     Network      | Default Gateway  |
+-----------------------------+--------------------------------------+--------+------------------+------------------+
|             LS20            |                 LS20                 | ROUTED | 192.168.20.0/24  | 192.168.20.1/24  |
|             LS21            |                 LS21                 | ROUTED | 192.168.21.0/24  | 192.168.21.1/24  |
|         network-nico        |             network-nico             | ROUTED |  172.16.18.0/24  |  172.16.18.1/24  |
|        network-nico-2       |            network-nico-2            | ROUTED |  172.16.19.0/24  |  172.16.19.1/24  |
|          nico-net-1         |              nico-net-1              | ROUTED | 192.168.220.0/23 | 192.168.220.1/23 |
|          nico-net-2         |              nico-net-2              | ROUTED | 192.168.230.0/23 | 192.168.230.1/23 |
|      sddc-192.168.100.0     | 040ef060-307b-11ea-b20b-3b4df4493d02 | ROUTED | 192.168.100.0/24 | 192.168.100.1/24 |
| test-network-segment-second | 75ca6dd0-30a1-11ea-83ef-9d6838aaf2bc | ROUTED | 192.168.200.0/24 | 192.168.200.1/24 |
+-----------------------------+--------------------------------------+--------+------------------+------------------+

Creating a new network (DHCP):

% ./pyVMC.py new-network nico-network routed 172.16.70.1/24 172.16.70.2-172.16.70.10 vmc.local
The following network has been created:
+--------------+----------------+--------------------------+-------------+--------------+
|     Name     |    Gateway     |           DHCP           | Domain Name | Routing Type |
+--------------+----------------+--------------------------+-------------+--------------+
| nico-network | 172.16.70.1/24 | 172.16.70.2-172.16.70.10 |  vmc.local  |    ROUTED    |
+--------------+----------------+--------------------------+-------------+--------------+

Create a new network (static):

% ./pyVMC.py new-network nico-network-static routed 172.16.80.1/24                                   
The following network has been created:
+---------------------+----------------+--------------+
|         Name        |    Gateway     | Routing Type |
+---------------------+----------------+--------------+
| nico-network-static | 172.16.80.1/24 |    ROUTED    |
+---------------------+----------------+--------------+

Create a new network (disconnected):

% ./pyVMC.py new-network nico-network-disconnected disconnected 172.16.71.1/24
The following network has been created:
+---------------------------+----------------+--------------+
|            Name           |    Gateway     | Routing Type |
+---------------------------+----------------+--------------+
| nico-network-disconnected | 172.16.71.1/24 | DISCONNECTED |
+---------------------------+----------------+--------------+
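The new-network command above takes a gateway in host/prefix form, an optional DHCP range and an optional domain name. As an added example (not part of PyVMC), the following Python validates those arguments the same way a wrapper around the tool could before sending anything to the SDDC: the routing type must be routed or disconnected, the gateway must be a usable host address, and a DHCP range must sit inside the gateway subnet without including the gateway itself. The name check is a minimal assumption, not a VMC rule.

```python
"""Validate the arguments of the PyVMC new-network command before they are sent.

Added example, not part of PyVMC. Argument order mirrors this page:
NAME ROUTING-TYPE GATEWAY-CIDR [DHCP-RANGE] [DOMAIN-NAME].
"""
import ipaddress
from typing import List, Optional

ROUTING_TYPES = {"routed", "disconnected"}  # the two types shown on this page


def parse_new_network_args(args: List[str]) -> dict:
    """Turn new-network positional args into a validated dict; raise ValueError on bad input."""
    if len(args) < 3:
        raise ValueError("usage: new-network NAME ROUTING-TYPE GATEWAY-CIDR [DHCP-RANGE] [DOMAIN]")
    name, routing_type, gateway_cidr = args[0], args[1].lower(), args[2]
    dhcp_range: Optional[str] = args[3] if len(args) > 3 else None
    domain: Optional[str] = args[4] if len(args) > 4 else None

    # Assumed minimal naming rule: non-empty and no whitespace (not a documented VMC constraint).
    if not name or any(ch.isspace() for ch in name):
        raise ValueError(f"invalid network name: {name!r}")
    if routing_type not in ROUTING_TYPES:
        raise ValueError(f"routing type must be one of {sorted(ROUTING_TYPES)}, got {routing_type!r}")

    # The gateway is given as host/prefix (e.g. 172.16.70.1/24); ip_interface keeps the host bits.
    gateway = ipaddress.ip_interface(gateway_cidr)
    subnet = gateway.network
    if gateway.ip in (subnet.network_address, subnet.broadcast_address):
        raise ValueError("gateway must be a usable host address, not the network or broadcast address")
    if subnet.prefixlen > 30:
        raise ValueError(f"{subnet} is too small to hold a gateway and VMs")

    result = {
        "name": name,
        "routing_type": routing_type.upper(),  # matches the ROUTED / DISCONNECTED output
        "gateway": str(gateway),
        "subnet": str(subnet),
        "dhcp": None,
        "domain": domain,
    }
    if dhcp_range is not None:
        result["dhcp"] = _check_dhcp_range(dhcp_range, gateway)
    elif domain is not None:
        raise ValueError("a domain name only makes sense together with a DHCP range")
    return result


def _check_dhcp_range(dhcp_range: str, gateway: ipaddress.IPv4Interface) -> str:
    """A range 'a.b.c.d-e.f.g.h' must lie inside the gateway subnet and not include the gateway."""
    try:
        start_s, end_s = dhcp_range.split("-")
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    except ValueError as exc:
        raise ValueError(f"DHCP range must look like 172.16.70.2-172.16.70.10, got {dhcp_range!r}") from exc
    if start > end:
        raise ValueError(f"DHCP range {dhcp_range} starts after it ends")
    subnet = gateway.network
    if start not in subnet or end not in subnet:
        raise ValueError(f"DHCP range {dhcp_range} is outside {subnet}")
    if start <= gateway.ip <= end:
        raise ValueError(f"DHCP range {dhcp_range} includes the gateway {gateway.ip}")
    return dhcp_range


if __name__ == "__main__":
    # Same arguments as the DHCP example on this page.
    print(parse_new_network_args(
        ["nico-network", "routed", "172.16.70.1/24", "172.16.70.2-172.16.70.10", "vmc.local"]))
```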

Remove a network

% ./pyVMC.py remove-network nico-network-static
The network nico-network-static has been deleted

Show Compute Gateway Rules

% ./pyVMC.py show-cgw-rule 
+--------------------------------------+---------------------------------------+----------------------------------------------------------------------------------+----------------------------+--------+---------------------------------+-----------------+
|                  id                  |                  Name                 |                                      Source                                      |        Destination         | Action |            Applied To           | Sequence Number |
+--------------------------------------+---------------------------------------+----------------------------------------------------------------------------------+----------------------------+--------+---------------------------------+-----------------+
|            test-nico-101             |             test-nico-101             |                           ['SDDC1', 'test-cgw-nico-2']                           |          ['ANY']           | ALLOW  |             ['vpn']             |        0        |
|            test-nico-102             |             test-nico-102             |                           ['SDDC1', 'test-cgw-nico-2']                           |          ['ANY']           | ALLOW  |             ['vpn']             |        0        |
|            test-nico-103             |             test-nico-103             |                           ['SDDC1', 'test-cgw-nico-2']                           |          ['ANY']           | REJECT |             ['vpn']             |        0        |
|            test-nico-104             |             test-nico-104             |                           ['SDDC1', 'test-cgw-nico-2']                           |          ['ANY']           | REJECT |             ['vpn']             |        0        |
| 5f421e30-3c6a-11ea-b3ef-5f6cd9f0c3fc |               tttttesdtt              |                               ['test-cgw-nico-2']                                | ['directConnect_prefixes'] | ALLOW  | ['cross-vpc', 'direct-connect'] |        10       |
|             nico-python              |              nico-python              |                               ['test-cgw-nico-2']                                |    ['test-cgw-nico-3']     | ALLOW  |   ['direct-connect', 'public']  |        20       |
|             testhjrthrht             |              testhjrthrht             |                               ['test-cgw-nico-2']                                |    ['test-cgw-nico-3']     | ALLOW  |            ['public']           |        30       |
|            testhjrthgggg             |             testhjrthgggg             |                               ['test-cgw-nico-2']                                |    ['test-cgw-nico-3']     | REJECT |             ['vpn']             |        40       |
| ab5fabb0-387e-11ea-bcfd-199cf62de0f2 |           New Rule - Test-2           |                               ['test-cgw-nico-2']                                |    ['test-cgw-nico-3']     | ALLOW  |             ['vpn']             |        50       |
|         testhjrthfffggggrrr          |          testhjrthfffggggrrr          |                               ['test-cgw-nico-2']                                |    ['test-cgw-nico-3']     | REJECT |   ['direct-connect', 'public']  |        50       |
| f735c350-3089-11ea-af7e-fb8b4b9aad2b |             Access to vRNI            |                                     ['ANY']                                      |     ['vRNI_Collector']     | ALLOW  |            ['public']           |        60       |
| 076aac40-3080-11ea-b81d-0772633bbf28 |             SDDCs to VPCs             |                                ['SDDC2', 'SDDC1']                                |      ['VPC2', 'VPC1']      | ALLOW  |        ['direct-connect']       |        70       |
| 9afadb60-3080-11ea-b81d-0772633bbf28 |             VPCs to SDDCs             |                                 ['VPC1', 'VPC2']                                 |     ['SDDC1', 'SDDC2']     | ALLOW  |        ['direct-connect']       |        80       |
| 6ee14da0-3069-11ea-b065-677bcc76874d |             SDDC1 to SDDC2            |                                    ['SDDC1']                                     |         ['SDDC2']          | ALLOW  |        ['direct-connect']       |        90       |
| 95ad18b0-3069-11ea-b065-677bcc76874d |             SDDC2 to SDDC1            |                                    ['SDDC2']                                     |         ['SDDC1']          | ALLOW  |        ['direct-connect']       |       100       |
| 1436e760-3079-11ea-b20b-3b4df4493d02 | Allow traffic out from SDDC-network-1 |                     ['e02a3fb0-307a-11ea-8c35-d3004a567864']                     |          ['ANY']           | ALLOW  |             ['all']             |       110       |
| 418ebc70-2f1a-11ea-9a0c-51716b13788c |              Internet-out             | ['23660838-497d-4184-bfd4-84b9ea7ee317', 'e9435342-a3f5-4196-9aaa-d3350fc46ef7'] |          ['ANY']           | ALLOW  |            ['public']           |       120       |
|           default-vti-rule           |            Default VTI Rule           |                                     ['ANY']                                      |          ['ANY']           |  DROP  |             ['vpn']             |       130       |
+--------------------------------------+---------------------------------------+----------------------------------------------------------------------------------+----------------------------+--------+---------------------------------+-----------------+

Create a CGW security rule:

The format is: new-cgw-rule [NAME] [SOURCE-GROUPS] [DESTINATION-GROUPS] [SERVICE] [ACTION] [SCOPE] [SEQUENCE-NUMBER].

The sequence number, which sets the priority of the security rule, is optional.

% ./pyVMC.py new-cgw-rule nico-python-compute-gw-rule test-cgw-nico test-cgw-nico-2 HTTP ALLOW VPN 100

 The rule has been created.
+--------------------------------------+---------------------------------------+----------------------------------------------------------------------------------+----------------------------+--------+---------------------------------+-----------------+
|                  id                  |                  Name                 |                                      Source                                      |        Destination         | Action |            Applied To           | Sequence Number |
+--------------------------------------+---------------------------------------+----------------------------------------------------------------------------------+----------------------------+--------+---------------------------------+-----------------+
|            test-nico-101             |             test-nico-101             |                           ['SDDC1', 'test-cgw-nico-2']                           |          ['ANY']           | ALLOW  |             ['vpn']             |        0        |
|            test-nico-102             |             test-nico-102             |                           ['SDDC1', 'test-cgw-nico-2']                           |          ['ANY']           | ALLOW  |             ['vpn']             |        0        |
|            test-nico-103             |             test-nico-103             |                           ['SDDC1', 'test-cgw-nico-2']                           |          ['ANY']           | REJECT |             ['vpn']             |        0        |
|            test-nico-104             |             test-nico-104             |                           ['SDDC1', 'test-cgw-nico-2']                           |          ['ANY']           | REJECT |             ['vpn']             |        0        |
| 5f421e30-3c6a-11ea-b3ef-5f6cd9f0c3fc |               tttttesdtt              |                               ['test-cgw-nico-2']                                | ['directConnect_prefixes'] | ALLOW  | ['cross-vpc', 'direct-connect'] |        10       |
|             nico-python              |              nico-python              |                               ['test-cgw-nico-2']                                |    ['test-cgw-nico-3']     | ALLOW  |   ['direct-connect', 'public']  |        20       |
|     nico-python-compute-gw-rule      |      nico-python-compute-gw-rule      |                                ['test-cgw-nico']                                 |    ['test-cgw-nico-2']     | ALLOW  |             ['vpn']             |       100       |
|           nico-python-rule           |            nico-python-rule           |                                ['test-cgw-nico']                                 |    ['test-cgw-nico-2']     | ALLOW  |             ['vpn']             |       100       |
| 1436e760-3079-11ea-b20b-3b4df4493d02 | Allow traffic out from SDDC-network-1 |                     ['e02a3fb0-307a-11ea-8c35-d3004a567864']                     |          ['ANY']           | ALLOW  |             ['all']             |       110       |
| 418ebc70-2f1a-11ea-9a0c-51716b13788c |              Internet-out             | ['23660838-497d-4184-bfd4-84b9ea7ee317', 'e9435342-a3f5-4196-9aaa-d3350fc46ef7'] |          ['ANY']           | ALLOW  |            ['public']           |       120       |
|           default-vti-rule           |            Default VTI Rule           |                                     ['ANY']                                      |          ['ANY']           |  DROP  |             ['vpn']             |       130       |
+--------------------------------------+---------------------------------------+----------------------------------------------------------------------------------+----------------------------+--------+---------------------------------+-----------------+

Instead of groups, you can also use ANY as the source or destination.

% ./pyVMC.py new-cgw-rule nico-python-compute-gw-rule-any any test-cgw-nico-2 HTTP ALLOW VPN 100

You can also apply rules to specific interfaces, such as Direct Connect or VPN. The accepted interfaces are:

  • all
  • direct-connect
  • public (Internet Interface and for policy-based VPN)
  • cross-vpc
  • vpn (for route-based VPN)

% ./pyVMC.py new-cgw-rule nico-python-compute-gw-rule-any-dx any test-cgw-nico-2 HTTP REJECT Direct-connect 100

Here is a detailed example:

$ ./pyVMC.py new-cgw-rule nic-python any any HTTP ALLOW all 

<Response [200]>

 The rule has been created.
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+------------+-----------------+
|                  id                  |         Name        |                       Source                       |                    Destination                     | Action | Applied To | Sequence Number |
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+------------+-----------------+
|              nic-python              |      nic-python     |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |  ['all']   |        0        |
| 9af14250-540a-11ea-a675-19761a8dbdb8 | SDDC1 to SDDC2 Flat | ['SDDC1-WebFlat', 'SDDC1-DbFlat', 'SDDC1-AppFlat'] |          ['WebFlat', 'DbFlat', 'AppFlat']          |  DROP  |  ['vpn']   |       312       |
| ebaca320-5409-11ea-a675-19761a8dbdb8 | SDDC2 to SDDC1 Flat |          ['WebFlat', 'DbFlat', 'AppFlat']          | ['SDDC1-DbFlat', 'SDDC1-WebFlat', 'SDDC1-AppFlat'] |  DROP  |  ['vpn']   |       624       |
| b6e8cca0-529b-11ea-9067-73a527fb18ad |     SDDC2 To Ext    |       ['SDDC2-Db', 'SDDC2-Web', 'SDDC2-App']       |       ['SDDC1-Web', 'SDDC1-Db', 'SDDC1-App']       |  DROP  |  ['vpn']   |       1249      |
| 34d0d050-529b-11ea-9067-73a527fb18ad |    SDDC2 From Ext   |       ['SDDC1-Db', 'SDDC1-App', 'SDDC1-Web']       |       ['SDDC2-Web', 'SDDC2-Db', 'SDDC2-App']       |  DROP  |  ['vpn']   |       2499      |
| 1fb16770-529b-11ea-9067-73a527fb18ad |   Default VTI Rule  |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |  ['vpn']   |       4999      |
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+------------+-----------------+

$ ./pyVMC.py new-cgw-rule nic-python-dx any any HTTP ALLOW direct-connect

<Response [200]>

 The rule has been created.
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+
|                  id                  |         Name        |                       Source                       |                    Destination                     | Action |     Applied To     | Sequence Number |
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+
|              nic-python              |      nic-python     |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |      ['all']       |        0        |
|            nic-python-dx             |    nic-python-dx    |                      ['ANY']                       |                      ['ANY']                       | ALLOW  | ['direct-connect'] |        0        |
| 9af14250-540a-11ea-a675-19761a8dbdb8 | SDDC1 to SDDC2 Flat | ['SDDC1-WebFlat', 'SDDC1-DbFlat', 'SDDC1-AppFlat'] |          ['WebFlat', 'DbFlat', 'AppFlat']          |  DROP  |      ['vpn']       |       312       |
| ebaca320-5409-11ea-a675-19761a8dbdb8 | SDDC2 to SDDC1 Flat |          ['WebFlat', 'DbFlat', 'AppFlat']          | ['SDDC1-DbFlat', 'SDDC1-WebFlat', 'SDDC1-AppFlat'] |  DROP  |      ['vpn']       |       624       |
| b6e8cca0-529b-11ea-9067-73a527fb18ad |     SDDC2 To Ext    |       ['SDDC2-Db', 'SDDC2-Web', 'SDDC2-App']       |       ['SDDC1-Web', 'SDDC1-Db', 'SDDC1-App']       |  DROP  |      ['vpn']       |       1249      |
| 34d0d050-529b-11ea-9067-73a527fb18ad |    SDDC2 From Ext   |       ['SDDC1-Db', 'SDDC1-App', 'SDDC1-Web']       |       ['SDDC2-Web', 'SDDC2-Db', 'SDDC2-App']       |  DROP  |      ['vpn']       |       2499      |
| 1fb16770-529b-11ea-9067-73a527fb18ad |   Default VTI Rule  |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |      ['vpn']       |       4999      |
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+

$ ./pyVMC.py new-cgw-rule nic-python-inet any any HTTP ALLOW public

<Response [200]>

 The rule has been created.
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+
|                  id                  |         Name        |                       Source                       |                    Destination                     | Action |     Applied To     | Sequence Number |
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+
|              nic-python              |      nic-python     |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |      ['all']       |        0        |
|            nic-python-dx             |    nic-python-dx    |                      ['ANY']                       |                      ['ANY']                       | ALLOW  | ['direct-connect'] |        0        |
|           nic-python-inet            |   nic-python-inet   |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |     ['public']     |        0        |
| 9af14250-540a-11ea-a675-19761a8dbdb8 | SDDC1 to SDDC2 Flat | ['SDDC1-WebFlat', 'SDDC1-DbFlat', 'SDDC1-AppFlat'] |          ['WebFlat', 'DbFlat', 'AppFlat']          |  DROP  |      ['vpn']       |       312       |
| ebaca320-5409-11ea-a675-19761a8dbdb8 | SDDC2 to SDDC1 Flat |          ['WebFlat', 'DbFlat', 'AppFlat']          | ['SDDC1-DbFlat', 'SDDC1-WebFlat', 'SDDC1-AppFlat'] |  DROP  |      ['vpn']       |       624       |
| b6e8cca0-529b-11ea-9067-73a527fb18ad |     SDDC2 To Ext    |       ['SDDC2-Db', 'SDDC2-Web', 'SDDC2-App']       |       ['SDDC1-Web', 'SDDC1-Db', 'SDDC1-App']       |  DROP  |      ['vpn']       |       1249      |
| 34d0d050-529b-11ea-9067-73a527fb18ad |    SDDC2 From Ext   |       ['SDDC1-Db', 'SDDC1-App', 'SDDC1-Web']       |       ['SDDC2-Web', 'SDDC2-Db', 'SDDC2-App']       |  DROP  |      ['vpn']       |       2499      |
| 1fb16770-529b-11ea-9067-73a527fb18ad |   Default VTI Rule  |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |      ['vpn']       |       4999      |
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+

$ ./pyVMC.py new-cgw-rule nic-python-vpc any any HTTP ALLOW cross-vpc

<Response [200]>

 The rule has been created.
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+
|                  id                  |         Name        |                       Source                       |                    Destination                     | Action |     Applied To     | Sequence Number |
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+
|              nic-python              |      nic-python     |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |      ['all']       |        0        |
|            nic-python-dx             |    nic-python-dx    |                      ['ANY']                       |                      ['ANY']                       | ALLOW  | ['direct-connect'] |        0        |
|           nic-python-inet            |   nic-python-inet   |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |     ['public']     |        0        |
|            nic-python-vpc            |    nic-python-vpc   |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |   ['cross-vpc']    |        0        |
| 9af14250-540a-11ea-a675-19761a8dbdb8 | SDDC1 to SDDC2 Flat | ['SDDC1-WebFlat', 'SDDC1-DbFlat', 'SDDC1-AppFlat'] |          ['WebFlat', 'DbFlat', 'AppFlat']          |  DROP  |      ['vpn']       |       312       |
| ebaca320-5409-11ea-a675-19761a8dbdb8 | SDDC2 to SDDC1 Flat |          ['WebFlat', 'DbFlat', 'AppFlat']          | ['SDDC1-DbFlat', 'SDDC1-WebFlat', 'SDDC1-AppFlat'] |  DROP  |      ['vpn']       |       624       |
| b6e8cca0-529b-11ea-9067-73a527fb18ad |     SDDC2 To Ext    |       ['SDDC2-Db', 'SDDC2-Web', 'SDDC2-App']       |       ['SDDC1-Web', 'SDDC1-Db', 'SDDC1-App']       |  DROP  |      ['vpn']       |       1249      |
| 34d0d050-529b-11ea-9067-73a527fb18ad |    SDDC2 From Ext   |       ['SDDC1-Db', 'SDDC1-App', 'SDDC1-Web']       |       ['SDDC2-Web', 'SDDC2-Db', 'SDDC2-App']       |  DROP  |      ['vpn']       |       2499      |
| 1fb16770-529b-11ea-9067-73a527fb18ad |   Default VTI Rule  |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |      ['vpn']       |       4999      |
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+

$ ./pyVMC.py new-cgw-rule nic-python-vpn any any HTTP ALLOW vpn

<Response [200]>

 The rule has been created.
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+
|                  id                  |         Name        |                       Source                       |                    Destination                     | Action |     Applied To     | Sequence Number |
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+
|              nic-python              |      nic-python     |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |      ['all']       |        0        |
|            nic-python-dx             |    nic-python-dx    |                      ['ANY']                       |                      ['ANY']                       | ALLOW  | ['direct-connect'] |        0        |
|           nic-python-inet            |   nic-python-inet   |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |     ['public']     |        0        |
|            nic-python-vpc            |    nic-python-vpc   |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |   ['cross-vpc']    |        0        |
|            nic-python-vpn            |    nic-python-vpn   |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |      ['vpn']       |        0        |
| 9af14250-540a-11ea-a675-19761a8dbdb8 | SDDC1 to SDDC2 Flat | ['SDDC1-WebFlat', 'SDDC1-DbFlat', 'SDDC1-AppFlat'] |          ['WebFlat', 'DbFlat', 'AppFlat']          |  DROP  |      ['vpn']       |       312       |
| ebaca320-5409-11ea-a675-19761a8dbdb8 | SDDC2 to SDDC1 Flat |          ['WebFlat', 'DbFlat', 'AppFlat']          | ['SDDC1-DbFlat', 'SDDC1-WebFlat', 'SDDC1-AppFlat'] |  DROP  |      ['vpn']       |       624       |
| b6e8cca0-529b-11ea-9067-73a527fb18ad |     SDDC2 To Ext    |       ['SDDC2-Db', 'SDDC2-Web', 'SDDC2-App']       |       ['SDDC1-Web', 'SDDC1-Db', 'SDDC1-App']       |  DROP  |      ['vpn']       |       1249      |
| 34d0d050-529b-11ea-9067-73a527fb18ad |    SDDC2 From Ext   |       ['SDDC1-Db', 'SDDC1-App', 'SDDC1-Web']       |       ['SDDC2-Web', 'SDDC2-Db', 'SDDC2-App']       |  DROP  |      ['vpn']       |       2499      |
| 1fb16770-529b-11ea-9067-73a527fb18ad |   Default VTI Rule  |                      ['ANY']                       |                      ['ANY']                       | ALLOW  |      ['vpn']       |       4999      |
+--------------------------------------+---------------------+----------------------------------------------------+----------------------------------------------------+--------+--------------------+-----------------+

The commands above created the following on the Compute Gateway:

CGW rules created in Python

Remove CGW Rule

% ./pyVMC.py remove-cgw-rule nico-python-compute-gw-rule
The rule nico-python-compute-gw-rule has been deleted

Show Management Gateway Rules

% ./pyVMC.py show-mgw-rule
+--------------------------------------+-----------------------+----------------------------+-----------------+------------------------------+--------+-----------------+
|                  ID                  |          Name         |           Source           |   Destination   |           Services           | Action | Sequence Number |
+--------------------------------------+-----------------------+----------------------------+-----------------+------------------------------+--------+-----------------+
|           nico-test-python           |    nico-test-python   |          ['ANY']           |   ['VCENTER']   |    ['HTTPS', 'ICMP-ALL']     | ALLOW  |        0        |
|         nico-test-python-10          |  nico-test-python-10  |          ['ANY']           |   ['VCENTER']   | ['HTTPS', 'SSO', 'ICMP-ALL'] | ALLOW  |        0        |
|         nico-test-python-40          |  nico-test-python-40  |          ['ANY']           |   ['VCENTER']   | ['HTTPS', 'SSO', 'ICMP-ALL'] | ALLOW  |        0        |
| 7d490130-3c53-11ea-a092-ebd5a5fad4fd |        nico-ui        | ['mgw-group', 'test-nico'] | ['NSX-MANAGER'] |          ['HTTPS']           | ALLOW  |        5        |
| 4762ba10-3079-11ea-b20b-3b4df4493d02 |      NSX inbound      |          ['ANY']           | ['NSX-MANAGER'] |          ['HTTPS']           | ALLOW  |        10       |
|             test-nico-40             |      test-nico-40     |      ['NSX-MANAGER']       |  ['test-nico']  |           ['ANY']            | ALLOW  |        20       |
| 68678d3c-69e8-49f9-908c-a9e1dcfde013 |    vCenter Inbound    |          ['ANY']           |   ['VCENTER']   | ['HTTPS', 'SSO', 'ICMP-ALL'] | ALLOW  |        20       |
|                 ESXI                 |   ESXi Outbound Rule  |          ['ESXI']          |     ['ANY']     |           ['ANY']            | ALLOW  |        30       |
|             test-nico-20             |      test-nico-20     | ['mgw-group', 'test-nico'] | ['NSX-MANAGER'] |          ['HTTPS']           | ALLOW  |        40       |
|               VCENTER                | vCenter Outbound Rule |        ['VCENTER']         |     ['ANY']     |           ['ANY']            | ALLOW  |        40       |
+--------------------------------------+-----------------------+----------------------------+-----------------+------------------------------+--------+-----------------+

Create MGW rule:

The format is: new-mgw-rule [NAME] [SOURCE-GROUPS] [DESTINATION-GROUPS] [SERVICE] [ACTION] [SEQUENCE-NUMBER].

The sequence-number (to work out the priority of the security rule) is optional.

Unlike the CGW, there is no need to define a scope for an MGW rule: there is only one interface on the Management Gateway.

% ./pyVMC.py new-mgw-rule nic-python-cgw any vCenter HTTPS ALLOW 

<Response [200]>

 The rule has been created.
+--------------------------------------+-----------------------------------------------+-------------+-------------+-----------------------+--------+-----------------+
|                  ID                  |                      Name                     |    Source   | Destination |        Services       | Action | Sequence Number |
+--------------------------------------+-----------------------------------------------+-------------+-------------+-----------------------+--------+-----------------+
|            nic-python-cgw            |                 nic-python-cgw                |   ['ANY']   | ['VCENTER'] |       ['HTTPS']       | ALLOW  |        0        |
| f2417649-6bc8-42cd-afc1-d7f8120c41f0 | vCenter Inbound set up by Terraform - test 2  |   ['ANY']   | ['VCENTER'] | ['ICMP-ALL', 'HTTPS'] | ALLOW  |        0        |
| 624f500b-7c4f-4ac5-8db0-1d9de46e2242 |               ESXi Outbound Rule              |   ['ESXI']  |   ['ANY']   |        ['ANY']        | ALLOW  |        1        |
| 8699ff8b-ba86-41e7-8bd8-f73357873ba4 |             vCenter Outbound Rule             | ['VCENTER'] |   ['ANY']   |        ['ANY']        | ALLOW  |        2        |
+--------------------------------------+-----------------------------------------------+-------------+-------------+-----------------------+--------+-----------------+

The rule created is the following:

MGW rule

Remove MGW rule:

The command removes the rule and displays the updated firewall rule table.

% ./pyVMC.py remove-mgw-rule nic-python-cgw
+--------------------------------------+-----------------------------------------------+-------------+-------------+-----------------------+--------+-----------------+
|                  ID                  |                      Name                     |    Source   | Destination |        Services       | Action | Sequence Number |
+--------------------------------------+-----------------------------------------------+-------------+-------------+-----------------------+--------+-----------------+
| f2417649-6bc8-42cd-afc1-d7f8120c41f0 | vCenter Inbound set up by Terraform - test 2  |   ['ANY']   | ['VCENTER'] | ['HTTPS', 'ICMP-ALL'] | ALLOW  |        20       |
| 624f500b-7c4f-4ac5-8db0-1d9de46e2242 |               ESXi Outbound Rule              |   ['ESXI']  |   ['ANY']   |        ['ANY']        | ALLOW  |        30       |
| 8699ff8b-ba86-41e7-8bd8-f73357873ba4 |             vCenter Outbound Rule             | ['VCENTER'] |   ['ANY']   |        ['ANY']        | ALLOW  |        40       |
+--------------------------------------+-----------------------------------------------+-------------+-------------+-----------------------+--------+-----------------+

Show the public IP addresses allocated to the SDDC:

Read more on the topic on the following blog posts: Internet Access Deep Dive on VMC on AWS and NAT Deep Dive on VMC on AWS.

% ./pyVMC.py show-sddc-public-ip
+----------------+--------------------------------------+----------------------+
|       IP       |                  id                  |        Notes         |
+----------------+--------------------------------------+----------------------+
| 44.224.121.XXX | 3c0276c0-309b-11ea-83ef-9d6838aaf2bc |      test-nico       |
| 44.230.148.XX  |            vrni-platform             | vrni-platform-update |
+----------------+--------------------------------------+----------------------+

Request a public IP:

$ ./pyVMC.py new-sddc-public-ip nico-21
+---------------+--------------------------------------+------------------+
|       IP      |                  id                  |      Notes       |
+---------------+--------------------------------------+------------------+
| 35.155.169.29 |               nico-20                |     nico-20      |
| 35.165.51.180 |               nico-21                |     nico-21      |
+---------------+--------------------------------------+------------------+

Remove a public IP address

$ ./pyVMC.py remove-sddc-public-ip nico-21
+---------------+--------------------------------------+------------------+
|       IP      |                  id                  |      Notes       |
+---------------+--------------------------------------+------------------+
| 44.225.142.74 | 34f0eb90-57b6-11ea-ae9d-67cfb1f0c136 | nico-public-ip-2 |
|  34.209.35.36 | aab61c20-57b5-11ea-b11c-8510cfba4fd6 |  nico-public-ip  |
| 35.155.169.29 |               nico-20                |     nico-20      |
+---------------+--------------------------------------+------------------+

Show NAT rules

% ./pyVMC.py show-nat     
+--------------------+---------------------+----------------+-------+-----------------+----------+
|         ID         |         Name        |   Public IP    | Ports |   Internal IP   | Enabled? |
+--------------------+---------------------+----------------+-------+-----------------+----------+
| test-nico-NAT-port | test-nico-NAT-port3 | 44.224.121.185 |  1024 |   172.16.10.10  |   True   |
|   vRNI_Platform    | vRNI Platform msmit | 44.230.148.61  |  any  | 192.168.100.243 |   True   |
+--------------------+---------------------+----------------+-------+-----------------+----------+

Show NAT rules statistics for a specific rule

% ./pyVMC.py show-nat vRNI_Platform
+---------------+-----------------+-------------+---------------+
|    NAT Rule   | Active Sessions | Total Bytes | Total Packets |
+---------------+-----------------+-------------+---------------+
| vRNI_Platform |        61       |  275890519  |    1894035    |
+---------------+-----------------+-------------+---------------+

Create a new NAT rule:

There are two types of NAT rules: reflexive (any) or port-based (destination NAT). For an ANY rule, where all traffic is translated regardless of the port, the format is the following:

$ ./pyVMC.py new-nat-rule nico-nat-any-2 any 35.155.169.29 172.10.10.14

By default, logging is disabled and the rule is enabled, but you can change this by adding true/false as subsequent parameters (the first one for logging and the second for the status).

$ ./pyVMC.py new-nat-rule nico-nat-any-2 any 35.155.169.29 172.10.10.14

$ ./pyVMC.py new-nat-rule nico-nat-any any 35.155.169.29 172.10.10.10 true true

$ ./pyVMC.py show-nat
+--------------+--------------+---------------+-------+--------------+----------+
|      ID      |     Name     |   Public IP   | Ports | Internal IP  | Enabled? |
+--------------+--------------+---------------+-------+--------------+----------+
| nico-nat-any | nico-nat-any | 35.155.169.29 |  any  | 172.10.10.10 |   True   |
+--------------+--------------+---------------+-------+--------------+----------+

For a DNAT rule, the format is the following:

$ ./pyVMC.py new-nat-rule nico-nat-bgp-2 DNAT 35.155.169.29 172.10.10.15 BGP 443 
NAT rules created with PyVMC
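To make the two argument layouts explicit, here is an added example (not PyVMC's own code) that parses the positional arguments of `new-nat-rule` exactly as documented above, applies the default logging/enabled flags, validates the addresses and port, and produces a NAT rule body. The body field names, the `REFLEXIVE`/`DNAT` actions and the `/infra/labels/cgw-public` scope are assumptions about the NSX-T policy API, not taken from the post.

```python
import ipaddress
from typing import List, Optional

# Assumed scope label for the CGW public interface (not from the post).
PUBLIC_CGW_SCOPE = "/infra/labels/cgw-public"


def _parse_flag(value: Optional[str], default: bool) -> bool:
    """CLI flags arrive as the strings 'true'/'false'; anything else is rejected."""
    if value is None:
        return default
    lowered = value.lower()
    if lowered not in ("true", "false"):
        raise ValueError(f"expected true/false, got {value!r}")
    return lowered == "true"


def build_nat_rule(args: List[str]) -> dict:
    """Translate new-nat-rule positional arguments into a NAT rule body.

    Reflexive:  NAME any  PUBLIC_IP INTERNAL_IP [LOGGING] [ENABLED]
    DNAT:       NAME DNAT PUBLIC_IP INTERNAL_IP SERVICE PORT [LOGGING] [ENABLED]
    """
    if len(args) < 4:
        raise ValueError("need at least NAME TYPE PUBLIC_IP INTERNAL_IP")
    name, nat_type, public_ip, internal_ip = args[:4]

    # Both sides must be syntactically valid IPv4 addresses; a typo here
    # would otherwise surface only as an opaque API error.
    public = ipaddress.ip_address(public_ip)
    internal = ipaddress.ip_address(internal_ip)
    if public.version != 4 or internal.version != 4:
        raise ValueError("VMC NAT rules use IPv4 addresses")

    kind = nat_type.lower()
    if kind == "any":
        service, port, rest = None, None, args[4:]
    elif kind == "dnat":
        if len(args) < 6:
            raise ValueError("DNAT rules need SERVICE and PORT after the internal IP")
        service, port, rest = args[4], args[5], args[6:]
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"invalid port {port!r}")
    else:
        raise ValueError(f"type must be 'any' or 'DNAT', got {nat_type!r}")

    if len(rest) > 2:
        raise ValueError("too many arguments after the rule definition")
    # Defaults documented in the post: logging off, rule enabled.
    logging = _parse_flag(rest[0] if len(rest) > 0 else None, default=False)
    enabled = _parse_flag(rest[1] if len(rest) > 1 else None, default=True)

    body = {
        "id": name,
        "display_name": name,
        "logging": logging,
        "enabled": enabled,
        "scope": [PUBLIC_CGW_SCOPE],
        # Assumed: match the firewall on the internal (pre-translation) address.
        "firewall_match": "MATCH_INTERNAL_ADDRESS",
    }
    if kind == "any":
        # Reflexive rule: internal host <-> public IP, all ports.
        body.update({
            "action": "REFLEXIVE",
            "source_network": str(internal),
            "translated_network": str(public),
        })
    else:
        # Destination NAT: public IP + service forwarded to internal host:port.
        body.update({
            "action": "DNAT",
            "destination_network": str(public),
            "translated_network": str(internal),
            "service": f"/infra/services/{service}",
            "translated_ports": port,
        })
    return body


if __name__ == "__main__":
    # The two invocations from the post, replayed against the builder.
    print(build_nat_rule(["nico-nat-any", "any", "35.155.169.29", "172.10.10.10", "true", "true"]))
    print(build_nat_rule(["nico-nat-bgp-2", "DNAT", "35.155.169.29", "172.10.10.15", "BGP", "443"]))
```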

Remove NAT rules

$ ./pyVMC.py remove-nat-rule nico-nat-any

None


+--------------------+--------------------+---------------+-------+--------------+----------+
|         ID         |        Name        |   Public IP   | Ports | Internal IP  | Enabled? |
+--------------------+--------------------+---------------+-------+--------------+----------+
|    nico-nat-bgp    |    nico-nat-bgp    | 35.155.169.29 |  443  | 172.10.10.15 |   True   |
|   nico-nat-bgp-2   |   nico-nat-bgp-2   | 35.155.169.29 |  443  | 172.10.10.15 |  False   |
| nico-nat-reflexive | nico-nat-reflexive | 35.155.169.29 |  any  | 172.10.10.10 |   True   |
|    nico-nat-tcp    |    nico-nat-tcp    | 35.155.169.29 |  443  | 172.10.10.13 |   True   |
|      nico-tcp      |      nico-tcp      | 44.225.142.74 |  464  | 172.16.10.10 |   True   |
+--------------------+--------------------+---------------+-------+--------------+----------+

Show MGW groups:

% ./pyVMC.py show-group mgw       
+--------------------+--------------------+
|         ID         |        Name        |
+--------------------+--------------------+
|        ESXI        |        ESXi        |
|    NSX-MANAGER     |    NSX Manager     |
|     mgw-group      |     mgw-group      |
| nico-cli-mgw-group | nico-cli-mgw-group |
|     test-nico      |     test-nico      |
|      VCENTER       |      vCenter       |
+--------------------+--------------------+

Show specific MGW group:

% ./pyVMC.py show-groups mgw nico-cli-mgw-group
The group nico-cli-mgw-group is based on the IP addresses criteria:
['172.16.10.1', '172.16.20.1']
% ./pyVMC.py show-groups mgw mgw-group         
The group mgw-group is based on the IP addresses criteria:
['11.11.11.11/32']
% ./pyVMC.py show-groups mgw test-nico
The group test-nico is based on the IP addresses criteria:
['10.10.10.10', '10.10.20.10']

Create MGW group:

The Management Gateway groups are quite simple: each is just a list of IP addresses. I actually built two ways to create a group. Either all in a single line, listing each IP address or IP address range (separated by a comma), or using the prompt to build the list:

$ ./pyVMC.py new-group mgw nico-python-mgw 
Please enter IP address (for example, "172.16.10.20") or type 'done' when your list is finished:10.10.10.10
Please enter IP address (for example, "172.16.10.20") or type 'done' when your list is finished:172.16.10.10
Please enter IP address (for example, "172.16.10.20") or type 'done' when your list is finished:done
['10.10.10.10', '172.16.10.10']


$ ./pyVMC.py show-group mgw nico-python-mgw
The group nico-python-mgw is based on the IP addresses criteria:
['10.10.10.10', '172.16.10.10']

Here is the alternative:

$ ./pyVMC.py new-group mgw nico-python-mgw-2 10.10.20.20,172.16.20.10

Show CGW groups:

% ./pyVMC.py show-group cgw          
+--------------------------------------+--------------------------+
|                  ID                  |           Name           |
+--------------------------------------+--------------------------+
| e02a3fb0-307a-11ea-8c35-d3004a567864 |     192.168.100.0/24     |
| 23660838-497d-4184-bfd4-84b9ea7ee317 |           LS20           |
| e9435342-a3f5-4196-9aaa-d3350fc46ef7 |           LS21           |
|                SDDC1                 |          SDDC1           |
|                SDDC2                 |          SDDC2           |
|                 VPC1                 |           VPC1           |
|                 VPC2                 |           VPC2           |
|               member-1               |         member-1         |
|             nico-all-VMs             |       nico-all-VMs       |
|            nico-cgw-group            |      nico-cgw-group      |
|          nico-cgw-group-10           |    nico-cgw-group-10     |
|          nico-cgw-group-100          |    nico-cgw-group-100    |
|         nico-cgw-group-1000          |   nico-cgw-group-1000    |
|         nico-cgw-group-10405         |   nico-cgw-group-10405   |
|         nico-cgw-group-10415         |   nico-cgw-group-10415   |
|                 test                 |           test           |
|            test-cgw-2-ips            |      test-cgw-2-ips      |
|            test-cgw-nico             |      test-cgw-nico       |
|           test-cgw-nico-2            |     test-cgw-nico-2      |
|           test-cgw-nico-3            |     test-cgw-nico-3      |
|           test-cgw-nico-4            |     test-cgw-nico-4      |
|           test-cgw-nico-6            |     test-cgw-nico-6      |
|           test-cgw-nico-8            |     test-cgw-nico-8      |
|       test-nico-cgw-5-criteria       | test-nico-cgw-5-criteria |
|        test-nico-mix-members         |  test-nico-mix-members   |
|            vRNI_Collector            |      vRNI Collector      |
+--------------------------------------+--------------------------+

Show specific CGW groups:

% ./pyVMC.py show-group cgw nico-cgw-group-10415

 The following Virtual Machines are part of the Group.
+-------+
|  Name |
+-------+
| DSL20 |
| DSL21 |
+-------+
% ./pyVMC.py show-group cgw vRNI_Collector      

 The following Virtual Machines are part of the Group.
+-------------------------------------------+
|                    Name                   |
+-------------------------------------------+
| Network-Insight-5.1.0.1577527983-platform |
+-------------------------------------------+

Create new CGW group:

The Compute groups are more complex to create. They can be based on IP addresses, on a list of VMs, or on criteria (matching the name of a VM, for example).

Here again, I give you the option to create it all in one line or using the prompt.

$ ./pyVMC.py new-group cgw pyvmc-ip-based ip-based
ip-based
Please enter IP address ("172.16.10.20") or type 'done' when your list is finished: 192.168.10.10
Please enter IP address ("172.16.10.20") or type 'done' when your list is finished: 192.168.20.10
Please enter IP address ("172.16.10.20") or type 'done' when your list is finished: 192.168.30.10
Please enter IP address ("172.16.10.20") or type 'done' when your list is finished: done
['192.168.10.10', '192.168.20.10', '192.168.30.10']
200

$ ./pyVMC.py new-group cgw pyvmc-ip-based-2 ip-based 192.168.10.0/24,172.16.30.0/24
ip-based
200
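The one-line form of `new-group` (for both the MGW groups above and the ip-based CGW groups here) takes a comma-separated member list. As an added example, not PyVMC's own code, this validates such a list before it is sent to the SDDC: single addresses, CIDR prefixes and dashed ranges are accepted, and malformed or duplicate entries are rejected instead of silently dropped. The dashed range syntax ("10.0.0.1-10.0.0.20") is an assumption here, not something the post shows.

```python
import ipaddress
from typing import List


def parse_ip_members(spec: str) -> List[str]:
    """Validate and normalise a comma-separated group member list.

    Accepts "a.b.c.d", "a.b.c.0/24" and "a.b.c.d-a.b.c.e" entries; raises
    ValueError on anything else so a typo never becomes a half-built group.
    """
    members: List[str] = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry in member list")
        if "-" in item:
            # Dashed range (assumed syntax): both ends must parse and be ordered.
            start_s, end_s = item.split("-", 1)
            start = ipaddress.ip_address(start_s.strip())
            end = ipaddress.ip_address(end_s.strip())
            if start.version != end.version or end < start:
                raise ValueError(f"invalid range {item!r}")
            normalized = f"{start}-{end}"
        elif "/" in item:
            # strict=True rejects "192.168.10.5/24": host bits set usually
            # means the author meant a single host, not the whole /24.
            normalized = str(ipaddress.ip_network(item, strict=True))
        else:
            normalized = str(ipaddress.ip_address(item))
        if normalized in members:
            raise ValueError(f"duplicate member {normalized}")
        members.append(normalized)
    if not members:
        raise ValueError("member list is empty")
    return members


if __name__ == "__main__":
    # The two one-line lists used in the post.
    print(parse_ip_members("10.10.20.20,172.16.20.10"))
    print(parse_ip_members("192.168.10.0/24,172.16.30.0/24"))
```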

Show services:

% ./pyVMC.py show-services                        
+--------------------------------------------------------------+--------------------------------------------------------------+
|                              ID                              |                             Name                             |
+--------------------------------------------------------------+--------------------------------------------------------------+
|                          AD_Server                           |                          AD Server                           |
|                   Active_Directory_Server                    |                   Active Directory Server                    |
|                 Active_Directory_Server_UDP                  |                 Active Directory Server UDP                  |
|                             BGP                              |                             BGP                              |
|                           CIM-HTTP                           |                           CIM-HTTP                           |               
|            vCentre_Operations_Manager_(vApp)_5.x             |            vCentre Operations Manager (vApp) 5.x             |
|               vCentre_Operations_Standard_1.x                |               vCentre Operations Standard 1.x                |
+--------------------------------------------------------------+--------------------------------------------------------------+
% 

Show specific service:

% ./pyVMC.py show-services Nico-service
T
+-----------------------+-----------------------+----------+--------------+-------------------+
|           ID          |          Name         | Protocol | Source Ports | Destination Ports |
+-----------------------+-----------------------+----------+--------------+-------------------+
| Nico-service-entry-id | Nico-service-entry-id |   UDP    |      []      |      ['8080']     |
+-----------------------+-----------------------+----------+--------------+-------------------+

Create a new service:

A service is essentially a group of layer 4 ports and a protocol. A service is actually made of service entries; the NSX-T guide explains this in detail here.

There are already over 400 pre-defined services, but you might want to create new ones. Some services have a single service entry, others have multiple service entries.

$ ./pyVMC.py new-service 
Please input the name of the service:py-nico-service
Please enter the Service Entry ID:service-entry-nico
Please enter the L4 Protocol:TCP
Please enter the Source Ports or type 'done' when your list is finished:done
Please enter the Destination Ports, type 'next' when you want to define another service entry or 'done' if you have finished:8080
Please enter the Destination Ports, type 'next' when you want to define another service entry or 'done' if you have finished:8081
Please enter the Destination Ports, type 'next' when you want to define another service entry or 'done' if you have finished:done
T
+--------------------+--------------------+----------+--------------+-------------------+
|         ID         |        Name        | Protocol | Source Ports | Destination Ports |
+--------------------+--------------------+----------+--------------+-------------------+
| service-entry-nico | service-entry-nico |   TCP    |      []      |  ['8080', '8081'] |
+--------------------+--------------------+----------+--------------+-------------------+

$ ./pyVMC.py new-service 
Please input the name of the service:py-nico-multiple-service-entries
Please enter the Service Entry ID:se-1
Please enter the L4 Protocol:UDP
Please enter the Source Ports or type 'done' when your list is finished:443
Please enter the Source Ports or type 'done' when your list is finished:done
Please enter the Destination Ports, type 'next' when you want to define another service entry or 'done' if you have finished:next
Please enter the Service Entry ID:se-2
Please enter the L4 Protocol:TCP
Please enter the Source Ports or type 'done' when your list is finished:done
Please enter the Destination Ports, type 'next' when you want to define another service entry or 'done' if you have finished:8080
Please enter the Destination Ports, type 'next' when you want to define another service entry or 'done' if you have finished::done
T
+------+------+----------+--------------+-------------------+
|  ID  | Name | Protocol | Source Ports | Destination Ports |
+------+------+----------+--------------+-------------------+
| se-2 | se-2 |   TCP    |      []      |      ['8080']     |
| se-1 | se-1 |   UDP    |   ['443']    |         []        |
+------+------+----------+--------------+-------------------+

This is what the commands above created:

Services

Show DNS Zones:

% ./pyVMC.py show-dns-zones            
+--------------+---------------------------------+------------------+------------------------+
|      ID      |               Name              | DNS Domain Names |    upstream_servers    |
+--------------+---------------------------------+------------------+------------------------+
|      1       |                1                |        []        |      ['1.2.3.1']       |
| cgw-dns-zone |   Compute Gateway Default Zone  |        []        | ['8.8.8.8', '8.8.4.4'] |
| mgw-dns-zone | Management Gateway Default Zone |        []        | ['8.8.8.8', '8.8.4.4'] |
+--------------+---------------------------------+------------------+------------------------+

Show DNS Services

% ./pyVMC.py show-dns-services

Here are the Management DNS Services:
+---------------+----------------------------------+-------------+
|       ID      |               Name               | Listener IP |
+---------------+----------------------------------+-------------+
| dns-forwarder | Management Gateway DNS Forwarder | 10.3.192.11 |
+---------------+----------------------------------+-------------+

Here are the Compute DNS Services:
+---------------+-------------------------------+-------------+
|       ID      |              Name             | Listener IP |
+---------------+-------------------------------+-------------+
| dns-forwarder | Compute Gateway DNS Forwarder | 10.3.192.12 |
+---------------+-------------------------------+-------------+

Show the Public IP used for VPN:

This public IP is the one you would connect to if you were to build a remote IPSec VPN to your VMware Cloud on AWS SDDC.

% ./pyVMC.py show-vpn-internet-ip 
44.231.62.149

Show configured VPN:

% ./pyVMC.py show-vpn            
+--------------------+--------------------------------------+---------------+----------------+
|        Name        |                  ID                  | Local Address | Remote Address |
+--------------------+--------------------------------------+---------------+----------------+
| SDDC2 to SDDC1 VPN | 0011c040-322a-11ea-9ca2-4f1d03e0bc96 |   Public-IP1  | 44.226.164.52  |
+--------------------+--------------------------------------+---------------+----------------+

Show VPN statistics:

% ./pyVMC.py show-vpn 0011c040-322a-11ea-9ca2-4f1d03e0bc96 

+--------+------------+-------------+
| Status | Packets In | Packets Out |
+--------+------------+-------------+
|   UP   |     0      |      0      |
+--------+------------+-------------+

Show IPSec VPN profiles:

% ./pyVMC.py show-vpn-ipsec-profile                       
+--------------------------------------+--------------------------------------+-------------+--------------+------------------------+-----------------+
|                 Name                 |                  ID                  | IKE Version |    Digest    |        DH Group        |    Encryption   |
+--------------------------------------+--------------------------------------+-------------+--------------+------------------------+-----------------+
| 0011c040-322a-11ea-9ca2-4f1d03e0bc96 | 0011c040-322a-11ea-9ca2-4f1d03e0bc96 |    IKE_V2   | ['SHA2_256'] |      ['GROUP14']       |   ['AES_256']   |
|                 CNSA                 |        cnsa-ipsec-ike-profile        |    IKE_V2   | ['SHA2_384'] | ['GROUP15', 'GROUP20'] |   ['AES_256']   |
|                 FIPS                 |        fips-ipsec-ike-profile        |   IKE_FLEX  | ['SHA2_256'] |      ['GROUP20']       |   ['AES_128']   |
|              Foundation              |     foundation-ipsec-ike-profile     |    IKE_V1   | ['SHA2_256'] |      ['GROUP14']       |   ['AES_128']   |
|                PRIME                 |       prime-ipsec-ike-profile        |    IKE_V2   |      []      |      ['GROUP19']       | ['AES_GCM_128'] |
|           Suite-B-GCM-128            |  suite-b-gcm-128-ipsec-ike-profile   |    IKE_V2   | ['SHA2_256'] |      ['GROUP19']       |   ['AES_128']   |
|           Suite-B-GCM-256            |  suite-b-gcm-256-ipsec-ike-profile   |    IKE_V2   | ['SHA2_384'] |      ['GROUP20']       |   ['AES_256']   |
|    nsx-default-l2vpn-ike-profile     |    nsx-default-l2vpn-ike-profile     |    IKE_V2   | ['SHA2_256'] |      ['GROUP14']       |   ['AES_128']   |
|    nsx-default-l3vpn-ike-profile     |    nsx-default-l3vpn-ike-profile     |    IKE_V2   | ['SHA2_256'] |      ['GROUP14']       |   ['AES_128']   |
+--------------------------------------+--------------------------------------+-------------+--------------+------------------------+-----------------+

Show IPSec Tunnel Profiles:

% ./pyVMC.py show-vpn-ipsec-tunnel-profile
+--------------------------------------+--------------------------------------+--------------+------------------------+-----------------+
|                 Name                 |                  ID                  |    Digest    |        DH Group        |    Encryption   |
+--------------------------------------+--------------------------------------+--------------+------------------------+-----------------+
| 0011c040-322a-11ea-9ca2-4f1d03e0bc96 | 0011c040-322a-11ea-9ca2-4f1d03e0bc96 | ['SHA2_256'] |      ['GROUP14']       |   ['AES_256']   |
|                 CNSA                 |      cnsa-ipsec-tunnel-profile       | ['SHA2_384'] | ['GROUP15', 'GROUP20'] |   ['AES_256']   |
|                 FIPS                 |      fips-ipsec-tunnel-profile       |      []      |      ['GROUP20']       | ['AES_GCM_128'] |
|              Foundation              |   foundation-ipsec-tunnel-profile    | ['SHA2_256'] |      ['GROUP14']       |   ['AES_128']   |
|                PRIME                 |      prime-ipsec-tunnel-profile      |      []      |      ['GROUP19']       | ['AES_GCM_128'] |
|           Suite-B-GCM-128            | suite-b-gcm-128-ipsec-tunnel-profile |      []      |      ['GROUP19']       | ['AES_GCM_128'] |
|           Suite-B-GCM-256            | suite-b-gcm-256-ipsec-tunnel-profile |      []      |      ['GROUP20']       | ['AES_GCM_256'] |
|   nsx-default-l2vpn-tunnel-profile   |   nsx-default-l2vpn-tunnel-profile   |      []      |      ['GROUP14']       | ['AES_GCM_128'] |
|   nsx-default-l3vpn-tunnel-profile   |   nsx-default-l3vpn-tunnel-profile   |      []      |      ['GROUP14']       | ['AES_GCM_128'] |
+--------------------------------------+--------------------------------------+--------------+------------------------+-----------------+

Show IPSec VPN Endpoints:

% ./pyVMC.py show-vpn-ipsec-endpoints     
+-------------+-------------+---------------+
|     Name    |      ID     |    Address    |
+-------------+-------------+---------------+
| Private IP1 | Private-IP1 |  10.3.192.13  |
|  Public IP1 |  Public-IP1 | 44.231.62.149 |
+-------------+-------------+---------------+

Show whether Direct Connect is preferred over VPN or vice-versa:

Read more on this in this blog.

% ./pyVMC.py show-sddc-bgp-vpn       
The preferred path is over VPN, with Direct Connect as a back-up.

Show the shadow AWS Account where the SDDC is deployed:

% ./pyVMC.py show-shadow-account
The SDDC is deployed in the 84429365XXX AWS Shadow Account.

Show the connected AWS account and VPC account:

% ./pyVMC.py show-sddc-connected-vpc
+------------------------+-----------------------+----------------+-------------------+-----------------------+----------------+
| Customer-Owned Account |    Connected VPC ID   |     Subnet     | Availability Zone |          ENI          | Service Access |
+------------------------+-----------------------+----------------+-------------------+-----------------------+----------------+
|      76162851XXXX      | vpc-0aee6bfb10ec90cf7 | 172.32.32.0/20 |     us-west-2b    | eni-0544804d4e106228e |      True      |
+------------------------+-----------------------+----------------+-------------------+-----------------------+----------------+

Show the configured MTU over Direct Connect:

% ./pyVMC.py show-mtu               
The MTU over the Direct Connect is 1500 Bytes.

Show Access Token:

This token is required for all API calls. It is only valid for 30 minutes and is automatically fetched during all the calls listed here. You might want to use this command when making an API call yourself.

% ./pyVMC.py get-access-token   

I hope you found this tool useful!
