vCloud


 Managing routing functions from Organization

Henrique_Cicuto posted Jul 23, 2024 02:05 PM

Good afternoon,

Using Cloud Director 10.5.1 with NSX 4.1, I've been trying to enable organization users to configure routing function at their edges or dedicated provider gateway.

I'm basing myself here (Configure Dedicated Provider Gateway Services in the VMware Cloud Director Tenant Portal).

So I built the following:

  • A private Provider Gateway (NSX T0) using IP Spaces;
  • Adjusted Global Roles and Rights Bundles to enable all routing related rights (modified my Organization Administrator role to enable those);
  • Applied the role with all those rights to a user.

The thing is that I'm not seeing any of those options when creating or editing the Edge Gateway. The same happens for both Org Admin and Sys Admin.

What exactly am I missing here to enable those options?

Thank you very much.

Henrique_Cicuto

Tried doing an API call to get the BGP configuration from the Edge (https://developer.broadcom.com/xapis/vmware-cloud-director-openapi/39.0/cloudapi/1.0.0/edgeGateways/gatewayId/routing/bgp/get/) using cloud sysadmin and got the following:

[ c2aa00aa-b1f9-4ee9-a1fe-f8666be1bc53 ] Either you need some or all of the following rights [ORG_VDC_GATEWAY_VIEW_BGP_ROUTING] to perform operations [GATEWAY_VIEW_BGP_ROUTING_NSX_T] for 7ddbbc08-b6dc-476d-af06-51a39d53e3c5 or the target entity is invalid.
But how is it possible I don't have the right since I'm now using sysadmin who has ALL rights?
===== Update =====
So I did another API call to list the rights in the role and I saw that [ORG_VDC_GATEWAY_VIEW_BGP_ROUTING] is there (its actual name is "Organization vDC Gateway: View BGP Routing").
So that leaves me with the second part of the message, that "the target entity is invalid".
So how is that possible if the API call is there, in the GUI the roles are there, and the docs say we can do it, but it looks like we cannot?
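The error text above can go either way (a missing right or an invalid target), and the thread resolves it by listing the role's rights by hand. As an added example that is not part of this thread, the following script parses that exact message and checks the required right against a role's rights list (the one internal-to-display-name mapping is taken from the post; the role rights set is a constructed input):

```python
"""Classify a Cloud Director rights error: missing right vs. invalid target entity."""
import re
from dataclasses import dataclass, field

# Pattern built from the CloudAPI error text quoted in the thread.
_RIGHTS_ERR = re.compile(
    r"Either you need some or all of the following rights \[(?P<rights>[^\]]*)\]"
    r" to perform operations \[(?P<ops>[^\]]*)\] for (?P<entity>[0-9a-f-]+)"
    r" or the target entity is invalid"
)

# Internal right id -> display name shown in the tenant portal.
# Only the mapping confirmed in the thread; others would be assumptions.
RIGHT_DISPLAY_NAMES = {
    "ORG_VDC_GATEWAY_VIEW_BGP_ROUTING": "Organization vDC Gateway: View BGP Routing",
}

# The error message from the post, kept verbatim as sample input.
SAMPLE_ERROR = (
    "[ c2aa00aa-b1f9-4ee9-a1fe-f8666be1bc53 ] Either you need some or all of the "
    "following rights [ORG_VDC_GATEWAY_VIEW_BGP_ROUTING] to perform operations "
    "[GATEWAY_VIEW_BGP_ROUTING_NSX_T] for 7ddbbc08-b6dc-476d-af06-51a39d53e3c5 "
    "or the target entity is invalid."
)

@dataclass
class Diagnosis:
    entity: str
    operations: list
    required_rights: list
    missing_rights: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.missing_rights:
            return "missing_rights"
        # Every required right is held, so the other branch of the message applies:
        # the edge gateway is not a valid target for this operation (with IP Spaces,
        # BGP is configured on the provider gateway, not on the edge).
        return "invalid_target"

def diagnose(error_text: str, role_rights: set) -> Diagnosis:
    """role_rights may hold internal ids or portal display names; both are accepted."""
    m = _RIGHTS_ERR.search(error_text)
    if not m:
        raise ValueError("not a Cloud Director rights error")
    required = [r.strip() for r in m["rights"].split(",") if r.strip()]
    ops = [o.strip() for o in m["ops"].split(",") if o.strip()]
    missing = [r for r in required
               if r not in role_rights and RIGHT_DISPLAY_NAMES.get(r) not in role_rights]
    return Diagnosis(m["entity"], ops, required, missing)
```

Feed it the rights list returned by the role API call; if the verdict is `invalid_target`, the fix is to query the object that actually carries the setting rather than to add rights.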
tonyanshe

Are you referring to how to advertise a network?

When IP Spaces is being used this is changed.

You need to go to the network itself and, on the connection, edit route advertisement.

Once enabled the network will appear in the route advertisement page.

If the option is greyed out, you need to check the provider gateway route advertisement topology intention and see if you are allowed to change it.

Another thing to note: once a provider gateway is configured with IP Spaces, BGP settings are now at the provider gateway and not the T1.

Henrique_Cicuto

Ok, so I started playing around, creating a second gateway on NSX and presenting it as a second provider + edge gateway on VCD (just like I did with the first one), but this time I used IP blocks instead of IP spaces and noticed a LOT of differences. I also gave my orgadmin all the related rights for Provider Gateway management inside the Organization.

Private Provider gateway using IP Spaces:

  • Provider Gateway tab is available on the Networking tab inside the Organization;
  • Provider Gateway has the following BGP options available: CONFIGURATION (Status, AS Number, Graceful Restart options, Stale Router Timer and ECMP), NEIGHBORS, IP PREFIX LIST, COMMUNITY LISTS, ROUTE MAPS, PERMISSION GROUPS;
  • Able to modify all BGP options EXCEPT the ones in the CONFIGURATION tab (so orgadmin is unable to disable BGP or change AS number, for example);
  • Related Edge Gateway has NO BGP configuration options at all;
  • Related Edge Gateway able to create static routes;
  • Related Edge has Route Advertisement as read only (unable to change it);
  • Configuration availability is consistent across Org view and System view;
  • Behaviour is consistent with either T0 or VRF backed Provider Gateway.

Provider Gateway using IP Blocks (set as dedicated when creating Edge Gateway):

  • Provider Gateway tab is available on the Networking tab inside the Organization;
  • Provider Gateway has NO configuration AT ALL (absolutely nothing can be configured);
  • Related Edge Gateway has the following BGP options available: CONFIGURATION (Status, AS Number, Graceful Restart options, Stale Router Timer and ECMP), NEIGHBORS and IP PREFIX LIST;
  • Related Edge Gateway is able to modify ALL BGP options if T0 (if VRF, on CONFIGURATION only able to enable/disable BGP and ECMP);
  • Related Edge Gateway able to create static routes;
  • Related Edge has full Route Advertisement control (enable/disable and define subnets);
  • Configuration availability is consistent across Org view and System view;
  • Behaviour is consistent with either T0 or VRF backed Provider Gateway (except for BGP CONFIGURATION as mentioned above).

Now I understood why my API calls were talking about invalid object.

With that I can see there are some inconsistencies with the official documentation:

  • Here it mentions that "If you are using NSX 4.1, you can edit the local AS number on an edge gateway that is backed by a VRF gateway", but that is not true;
  • This other link mentions that "If you are using a dedicated provider gateway with IP spaces, your system administrator configures static routes and BGP on the provider gateway, and you can manage BGP settings for your NSX edge gateway that is backed by the dedicated provider gateway. You configure route advertisement on the organization VDC network level", but as I mentioned I'm only able to do so with IP Blocks.

There are those as examples and also the fact that it actually took me a while to understand that PRIVATE (IP Spaces) Provider Gateway and DEDICATED (IP Blocks) Provider Gateway are two completely different things.

In the end it's my decision which options I'm gonna make available to my customers, but sadly they won't get the full set :-/