vCloud

  • 1.  API call JSON to create NAT rule in vCloud on NSX-T

    Posted Jan 12, 2025 08:02 AM

    Hi,
    I created a script that takes a CSV file and creates DNAT and SNAT rules in vCloud Director on the NSX-T Edge. SNAT works without issues, DNAT rules that do have an applicationPortProfile work as well, but when the applicationPortProfile should be ANY, I can't get it to work.

    Normally the JSON I send when an ApplicationPortProfile is used looks like this:

    {
      "logging": true,
      "type": "DNAT",
      "name": "GabeTest",
      "description": "Test Rule",
      "dnatExternalPort": "any",
      "applicationPortProfile": {
        "name": "LDAP-tcp-636",
        "id": "urn:vcloud:applicationPortProfile:ede2c52a-xxxxxx"
      },
      "firewallMatch": "MATCH_EXTERNAL_ADDRESS",
      "enabled": true,
      "externalAddresses": "92.xx.xx.xx",
      "internalAddresses": "192.xx.xx.xx"
    }

    That works fine.

    But for "ANY", I can't seem to find the correct way to create the JSON. When I leave out ApplicationPortProfile completely, the API accepts my command, but in vCloud Director I get an error creating the rule:

    [ fbd0158b-xxxxxxxx ] Bad Request: Error occurred in the backing network provider: Field level validation errors: {value 'any' of property translated_ports violates format 'port-or-range'}, error code 255

    I tried several options with the applicationportprofile, leaving the fields in it, but empty or setting to $null, but nothing works. Last resort is to create an ANY application group but I don't think that is the way to do it.

    When I create such a rule manually and then read the rule from the api, it looks like this in vscode (powershell):

    I have no idea how to address this; any tip is welcome.



  • 2.  RE: API call JSON to create NAT rule in vCloud on NSX-T
    Best Answer

    Posted Jan 13, 2025 07:05 AM

    The issue arises because the "any" value for dnatExternalPort is not valid: this field expects a port or a range of ports, not a string literal "any". When setting the rule in vCloud Director, selecting "ANY" likely translates internally to an omitted or adjusted field.

    Solution:
    Remove the "dnatExternalPort" field from the JSON entirely to indicate all ports, or set it to "1-65535" if the API requires a value:

    Best regards

    WS




  • 3.  RE: API call JSON to create NAT rule in vCloud on NSX-T

    Posted Jan 13, 2025 09:53 AM

    Yes, thank you. That was the issue. Discovered it late Saturday night.

    Seems you know a lot about the API, would you know why I get time-out (BUSY) messages so easily when I create rules? I was importing 100 rules and after about 10 it would often time out, so I had to add extra sleep timers.




  • 4.  RE: API call JSON to create NAT rule in vCloud on NSX-T

    Posted Jan 13, 2025 11:04 AM

    Hi, the timeout (BUSY) message you are receiving during the creation of multiple rules is likely due to the rate limit or the backend processing delay in vCloud Director's NSX-T API. When you send too many requests in a short period of time, the API may queue or reject requests if it becomes overwhelmed.

    You can...

    1) Increase Delay Between Requests:
    Add longer sleep intervals (e.g., 1–2 seconds between requests) to avoid overwhelming the API. You can experiment with the optimal delay by starting at 1 second and adjusting as needed.

    i.e.:

        from time import sleep

        for rule in rules:
            create_dnat_rule(rule)
            sleep(2)  # Add delay between requests

    2) Batch Requests: Instead of sending 100 individual API requests back-to-back, send rules in smaller batches (e.g., 10–20 rules) and pause between batches to allow the backend to "catch up."

    3) Retry Logic: Implement a retry mechanism so that if the API returns BUSY, the script retries after a random interval instead of failing entirely.

    i.e.:

        import random
        from time import sleep

        for rule in rules:
            success = False
            while not success:
                response = create_dnat_rule(rule)
                if response.status_code == 503:  # BUSY status
                    sleep(random.uniform(2, 5))  # Retry after 2–5 seconds
                else:
                    success = True


    I hope this helps you solve it, greetings

    WS!
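
Added example, not part of the thread and not code from either poster: a Python sketch that combines reply 2's fix (leave out dnatExternalPort when the port is ANY) with the batching and retry advice in reply 4, using a bounded, jittered backoff instead of an unbounded loop. The CSV column names, the `send` callable (expected to POST one payload and return the HTTP status code) and the sample rows are assumptions; 503 as the BUSY status is taken from reply 4.

```python
import csv
import io
import random
import time

BUSY = 503  # status that reply 4 treats as BUSY
SAMPLE_CSV = """name,external,internal,external_port,profile_name,profile_id
web,203.0.113.10,192.168.10.10,any,,
ldaps,203.0.113.11,192.168.10.11,any,LDAP-tcp-636,urn:vcloud:applicationPortProfile:EXAMPLE
"""  # constructed rows; column names and the profile id are placeholders

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def build_dnat_payload(row):
    """Build one DNAT rule body; ANY is expressed by omitting the port fields."""
    payload = {
        "logging": True, "enabled": True,
        "type": "DNAT",
        "name": row["name"],
        "firewallMatch": "MATCH_EXTERNAL_ADDRESS",
        "externalAddresses": row["external"],
        "internalAddresses": row["internal"],
    }
    port = (row.get("external_port") or "").strip()
    if port and port.lower() != "any":
        payload["dnatExternalPort"] = port  # only a port or a range is valid
    if row.get("profile_id"):
        payload["applicationPortProfile"] = {"name": row["profile_name"], "id": row["profile_id"]}
    return payload

def import_rules(rows, send, batch_size=10, max_tries=5, base=1.0, cap=30.0,
                 batch_pause=5.0, sleep=time.sleep):
    """Send every rule, retrying BUSY with capped jittered backoff; return failures."""
    failed = []
    for i, row in enumerate(rows):
        if i and i % batch_size == 0:
            sleep(batch_pause)  # let the backend catch up between batches
        payload = build_dnat_payload(row)
        for attempt in range(max_tries):
            status = send(payload)
            if status != BUSY:
                break
            if attempt < max_tries - 1:
                sleep(random.uniform(0, min(cap, base * 2 ** attempt)))
        if status >= 300:
            failed.append((payload["name"], status))  # includes exhausted BUSY retries
    return failed
```

The returned list names the rules that were not created, so a re-run can be limited to those rows instead of repeating the whole import.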





  • 5.  RE: API call JSON to create NAT rule in vCloud on NSX-T

    Posted Jan 13, 2025 03:06 PM
    Thank you for your reply.
    Yes, I already put in the sleep timers but was hoping there is maybe a
    vCloud setting to change the timeout or just add more cpu/ram to the cells.

    But for now the project is done. Tomorrow the big migration (finally) from
    NSX-V to NSX-T.

    Regards
    Gabrie