VMware NSX

  • 1.  Cannot Create NSX Edge NAT Rule with REST API JSON

    Posted Jan 11, 2019 01:02 PM

    NSX 6.4.3 on vSphere 6.7; I would assume this is the same for NSX 6.4.x and vSphere 6.x.

    Given a proper auth Token and REST API Url to post a new NAT Rule to, what is the proper format for JSON as the body of the POST to create a new NAT Rule?

    URL: https://<Server FQDN>/api/4.0/edges/<Edge Gateway Id>/nat/config/rules

    Method: POST

    Header Info:

    ContentType: application/json

    Accept: application/json

    Authorization: AUTHTOKEN <AuthToken>

    JSON Body:

    {
      "dnatMatchDestinationPort": "any",
      "ruleTag": "70000",
      "description": "NAT Rule 1",
      "vnic": 0,
      "originalAddress": "192.168.128.204",
      "enabled": "true",
      "translatedPort": "any",
      "protocol": "any",
      "loggingEnabled": "true",
      "action": "dnat",
      "dnatMatchSourceAddress": "any",
      "translatedAddress": "192.168.10.4",
      "originalPort": "any"
    }

    When we POST using this method we get this response:

    {"errorCode":10050,"details":"Invalid input ''{0}'' provided for field {1}.","rootCauseString":"natRules","moduleName":"vShield Edge"}

    We have tried wrapping that JSON Body under a Key: natRule and even adding that under a Key: natRules, i.e. {"natRules" : {"natRule": <above JSON Body>}}, regardless of what combination we have tried we continue to get the same response.

    Also, we know about PowerNSX and use it. We are trying to create an idempotent script that will create or update based on whether the object already exists and its properties are different than requested, and rather than use PowerNSX to create and some other method to update, we want to use the same script and just change the method. JSON is much easier to work with and we want to avoid XML. We know XML works; the question is about JSON.



  • 2.  RE: Cannot Create NSX Edge NAT Rule with REST API JSON

    Posted Jan 11, 2019 03:26 PM

    {"errorCode":10050,"details":"Invalid input ''{0}'' provided for field {1}.","rootCauseString":"natRules","moduleName":"vShield Edge"}

    It's complaining about the first value in the first field.

    And if I look at the NSX API reference I can not find the parameter "dnatMatchDestinationPort".

    Only "dnatMatchSourcePort" for dnat rules and "snatMatchDestinationPort" for snat rules.

    See: https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/nsx_64_api.pdf (page 362 and 363)



  • 3.  RE: Cannot Create NSX Edge NAT Rule with REST API JSON

    Posted Jan 11, 2019 05:10 PM

    sk84

    You are correct, I had that property name wrong. Fixed that and ran again with the same result.

    We are even trying to make sure the properties are in proper sequence/order, basing it off the web reference for the request XML:

    https://vdc-repo.vmware.com/raw.githubusercontent.com/vmware/nsxraml/6.4/html-version/nsxvapi.html#panel_4_0_edges__edgeId__nat_config_rules

    The XML Schema shows a sequence:


       <xs:sequence>
         <xs:element type="xs:string" name="action"/>
         <xs:element type="xs:string" name="vnic"/>
         <xs:element type="xs:string" name="originalAddress"/>
         <xs:element type="xs:string" name="translatedAddress"/>
         <xs:element type="xs:string" name="dnatMatchSourceAddress"/>
         <xs:element type="xs:string" name="snatMatchDestinationAddress"/>
         <xs:element type="xs:string" name="loggingEnabled"/>
         <xs:element type="xs:string" name="enabled"/>
         <xs:element type="xs:string" name="description"/>
         <xs:element type="xs:string" name="protocol"/>
         <xs:element type="xs:string" name="translatedPort"/>
         <xs:element type="xs:string" name="originalPort"/>
         <xs:element type="xs:string" name="dnatMatchSourcePort"/>
         <xs:element type="xs:string" name="snatMatchDestinationPort"/>
       </xs:sequence>

    We have made an ordered hash table and still get the same error. Not sure if maybe it is a sequence thing or we are missing some element.



  • 4.  RE: Cannot Create NSX Edge NAT Rule with REST API JSON

    Posted Jan 11, 2019 05:12 PM

    As a quick update, the JSON body has been updated to:

    {
      "action": "dnat",
      "vnic": "0",
      "originalAddress": "192.168.200.204",
      "translatedAddress": "192.168.10.4",
      "dnatMatchSourceAddress": "any",
      "loggingEnabled": "true",
      "enabled": "true",
      "description": "NAT Rule 1",
      "protocol": "any",
      "translatedPort": "any",
      "originalPort": "any",
      "dnatMatchSourcePort": "any"
    }



  • 5.  RE: Cannot Create NSX Edge NAT Rule with REST API JSON
    Best Answer

    Posted Jan 11, 2019 06:09 PM

    With your JSON body I received the same error message in our test lab.

    But I looked at what the JSON body looks like when I request all NAT rules via "GET https://{NSXMANAGER}/api/4.0/edges/{EDGE-ID}/nat/config" and tried a few things.

    In the end, this body worked for me:

    {
         "natRulesDtos": [
              {
                   "dnatMatchDestinationPort": "any",
                   "ruleTag": "70000",
                   "description": "NAT Rule 1",
                   "vnic": "0",
                   "originalAddress": "192.168.128.204",
                   "enabled": true,
                   "translatedPort": "any",
                   "protocol": "any",
                   "loggingEnabled": true,
                   "action": "dnat",
                   "dnatMatchSourceAddress": "any",
                   "translatedAddress": "192.168.10.4",
                   "originalPort": "any"
              }
         ]
    }
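
An added example, not part of the original thread and not VMware or PowerNSX code: a Python sketch of the create-or-update decision the original poster describes, producing the `natRulesDtos` wrapper from the accepted answer. Assumptions: rules are matched on `description`, the existing-rule list is constructed sample data rather than a captured GET response, and the type coercion only mirrors the working body (the thread does not say whether it is required).

```python
import json

# Fields taken from the working body in the thread. ruleTag is not compared,
# on the assumption that the server may assign or rewrite it.
COMPARE_KEYS = ("action", "vnic", "originalAddress", "translatedAddress",
                "protocol", "originalPort", "translatedPort",
                "dnatMatchSourceAddress", "enabled", "loggingEnabled",
                "description")

def normalize(rule):
    """Coerce "true"/"false" strings to booleans and vnic to a string."""
    out = dict(rule)
    for key in ("enabled", "loggingEnabled"):
        if isinstance(out.get(key), str):
            out[key] = out[key].strip().lower() == "true"
    if "vnic" in out:
        out["vnic"] = str(out["vnic"])
    return out

def build_post_body(rules):
    """Wrap rules in the natRulesDtos array that the POST accepted."""
    return json.dumps({"natRulesDtos": [normalize(r) for r in rules]}, indent=2)

def plan(desired, existing_rules, match_key="description"):
    """Return ("create" | "update" | "noop", changed_fields) for one rule."""
    want = normalize(desired)
    for current in map(normalize, existing_rules):
        if current.get(match_key) == want.get(match_key):
            diff = {k: (current.get(k), want.get(k)) for k in COMPARE_KEYS
                    if k in want and current.get(k) != want.get(k)}
            return ("update", diff) if diff else ("noop", {})
    return ("create", {})

# Desired rule, typed the way the first post had it (string booleans, int vnic).
DESIRED = {"action": "dnat", "vnic": 0, "description": "NAT Rule 1",
           "originalAddress": "192.168.128.204",
           "translatedAddress": "192.168.10.4", "protocol": "any",
           "originalPort": "any", "translatedPort": "any",
           "dnatMatchSourceAddress": "any",
           "enabled": "true", "loggingEnabled": "true"}

# Constructed sample of what is already on the edge: same rule, older target.
SAMPLE_EXISTING = [dict(normalize(DESIRED), translatedAddress="192.168.10.9")]

if __name__ == "__main__":
    print(plan(DESIRED, SAMPLE_EXISTING))
    print(build_post_body([DESIRED]))
```

Logging the changed-field dictionary before any write gives a reviewable record of what a NAT change will expose.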



  • 6.  RE: Cannot Create NSX Edge NAT Rule with REST API JSON

    Posted Jan 11, 2019 06:52 PM

    Sebastian,

    Well I'll be.... That worked!! Thanks for your help! I think Edge Firewall Rules are going to be similar but that is the next hurdle.

    We have done the GET before exactly like you mentioned but never thought to formulate it that way. Geesh.