voltron/PowerCLI-Example-Scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Adding Route Based VPN functions

Browse Source
This commit is contained in:
William Lam
2019-04-13 13:41:51 -07:00
parent d95806ea2f
commit 423e752404
2 changed files with 371 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psd1
View File

@@ -36,7 +36,7 @@ Description = 'PowerShell Module for Managing NSX-T on VMware Cloud on AWS'
PowerShellVersion = '6.0' PowerShellVersion = '6.0'
# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
FunctionsToExport = 'Connect-NSXTProxy', 'Get-NSXTSegment', 'New-NSXTSegment', 'Remove-NSXTSegment', 'Get-NSXTGroup', 'New-NSXTGroup', 'Remove-NSXTGroup', 'Get-NSXTService', 'New-NSXTService', 'Get-NSXTFirewall', 'New-NSXTFirewall', 'Remove-NSXTFirewall', 'Get-NSXTDistFirewallSection', 'Get-NSXTDistFirewall', 'New-NSXTDistFirewall', 'Remove-NSXTDistFirewall', 'Get-NSXTRouteTable', 'Get-NSXTOverviewInfo', 'Get-NSXTInfraScope', 'Get-NSXTInfraGroup' FunctionsToExport = 'Connect-NSXTProxy', 'Get-NSXTSegment', 'New-NSXTSegment', 'Remove-NSXTSegment', 'Get-NSXTGroup', 'New-NSXTGroup', 'Remove-NSXTGroup', 'Get-NSXTService', 'New-NSXTService', 'Get-NSXTFirewall', 'New-NSXTFirewall', 'Remove-NSXTFirewall', 'Get-NSXTDistFirewallSection', 'Get-NSXTDistFirewall', 'New-NSXTDistFirewall', 'Remove-NSXTDistFirewall', 'Get-NSXTRouteTable', 'Get-NSXTOverviewInfo', 'Get-NSXTInfraScope', 'Get-NSXTInfraGroup', 'New-NSXTRouteBasedVPN', 'Get-NSXTRouteBasedVPN', 'Remove-NSXTRouteBasedVPN'
# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
CmdletsToExport = @() CmdletsToExport = @()

393
Modules/VMware.VMC.NSXT/VMware.VMC.NSXT.psm1
View File

@@ -1641,53 +1641,400 @@ Function Get-NSXTInfraGroup {
.EXAMPLE .EXAMPLE
Get-NSXTInfraGroup -Name "S3 Prefixes" Get-NSXTInfraGroup -Name "S3 Prefixes"
#> #>
param( param(
[Parameter(Mandatory=$false)][String]$Name, [Parameter(Mandatory=$false)][String]$Name,
[Switch]$Troubleshoot [Switch]$Troubleshoot
) )
If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else { If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else {
$method = "GET" $method = "GET"
$infraGroupsURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/groups" $infraGroupsURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/groups"
if($Troubleshoot) {
Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$infraGroupsURL`n"
}
try {
if($PSVersionTable.PSEdition -eq "Core") {
$requests = Invoke-WebRequest -Uri $infraGroupsURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck
} else {
$requests = Invoke-WebRequest -Uri $infraGroupsURL -Method $method -Headers $global:nsxtProxyConnection.headers
}
} catch {
if($_.Exception.Response.StatusCode -eq "Unauthorized") {
Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n"
break
} else {
Write-Error "Error in retrieving NSX-T Infrastructure Groups"
Write-Error "`n($_.Exception.Message)`n"
break
}
}
if($requests.StatusCode -eq 200) {
$groups = ($requests.Content | ConvertFrom-Json).results
if ($PSBoundParameters.ContainsKey("Name")){
$groups = $groups | where {$_.display_name -eq $Name}
}
$results = @()
foreach ($group in $groups) {
$tmp = [pscustomobject] @{
Name = $group.display_name;
ID = $group.id;
Path = $group.path;
}
$results+=$tmp
}
$results
}
}
}
Function New-NSXTRouteBasedVPN {
<#
.NOTES
===========================================================================
Created by: William Lam
Date: 04/13/2019
Organization: VMware
Blog: http://www.virtuallyghetto.com
Twitter: @lamw
===========================================================================
.SYNOPSIS
Returns all NSX-T Infrastructure Scopes
.DESCRIPTION
This cmdlet retrieves all NSX-T Infrastructure Scopes
.EXAMPLE
New-NSXTRouteBasedVPN -Name VPN3 `
-PublicIP 18.184.241.223 `
-RemotePublicIP 18.194.148.62 `
-BGPLocalIP 169.254.51.2 `
-BGPRemoteIP 169.254.51.1 `
-BGPLocalASN 65056 `
-BGPremoteASN 64512 `
-BGPNeighborID 60 `
-TunnelEncryption AES_256 `
-TunnelDigestEncryption SHA2_256 `
-IKEEncryption AES_256 `
-IKEDigestEncryption SHA2_256 `
-DHGroup GROUP14 `
-IKEVersion IKE_V1 `
-PresharedPassword VMware123. `
-Troubleshoot
#>
param(
[Parameter(Mandatory=$true)][String]$Name,
[Parameter(Mandatory=$true)][String]$PublicIP,
[Parameter(Mandatory=$true)][String]$RemotePublicIP,
[Parameter(Mandatory=$true)][String]$BGPLocalIP,
[Parameter(Mandatory=$true)][String]$BGPRemoteIP,
[Parameter(Mandatory=$false)][int]$BGPLocalPrefix=30,
[Parameter(Mandatory=$true)][ValidateRange(64512,65534)][int]$BGPLocalASN,
[Parameter(Mandatory=$true)][ValidateRange(64512,65534)][int]$RemoteBGPASN,
[Parameter(Mandatory=$true)][String]$BGPNeighborID,
[Parameter(Mandatory=$true)][String][ValidateSet("AES_128","AES_256","AES_GCM_128","AES_GCM_192","AES_GCM_256")]$TunnelEncryption,
[Parameter(Mandatory=$true)][String][ValidateSet("SHA1","SHA2_256")]$TunnelDigestEncryption,
[Parameter(Mandatory=$true)][String][ValidateSet("AES_128","AES_256","AES_GCM_128","AES_GCM_192","AES_GCM_256")]$IKEEncryption,
[Parameter(Mandatory=$true)][String][ValidateSet("SHA1","SHA2_256")]$IKEDigestEncryption,
[Parameter(Mandatory=$true)][String][ValidateSet("GROUP2","GROUP5","GROUP14","GROUP15","GROUP16")]$DHGroup,
[Parameter(Mandatory=$true)][String][ValidateSet("IKE_V1","IKE_V2","IKE_FLEX")]$IKEVersion,
[Parameter(Mandatory=$true)][String]$PresharedPassword,
[Switch]$Troubleshoot
)
If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else {
## Configure BGP ASN
$payload = @{
local_as_num = $BGPLocalASN;
}
$body = $payload | ConvertTo-Json -Depth 5
$ASNmethod = "patch"
$bgpAsnURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/locale-services/default/bgp"
if($Troubleshoot) {
Write-Host -ForegroundColor cyan "`n[DEBUG] - $ASNmethod`n$bgpAsnURL`n"
Write-Host -ForegroundColor cyan "[DEBUG]`n$body`n"
}
try {
if($PSVersionTable.PSEdition -eq "Core") {
$requests = Invoke-WebRequest -Uri $bgpAsnURL -Body $body -Method $ASNmethod -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck
} else {
$requests = Invoke-WebRequest -Uri $bgpAsnURL -Body $body -Method $ASNmethod -Headers $global:nsxtProxyConnection.headers
}
} catch {
if($_.Exception.Response.StatusCode -eq "Unauthorized") {
Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n"
break
} else {
Write-Error "Error in updating BGP ASN"
Write-Error "`n($_.Exception.Message)`n"
break
}
}
if($requests.StatusCode -eq 200) {
## Configure BGP Neighbor
$payload = @{
resource_type = "BgpNeighborConfig";
id = $BGPNeighborID;
remote_as_num = $RemoteBGPASN;
neighbor_address = $BGPRemoteIP;
}
$body = $payload | ConvertTo-Json -Depth 5
$method = "put"
$bgpNeighborURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/locale-services/default/bgp/neighbors/$BGPNeighborID"
if($Troubleshoot) { if($Troubleshoot) {
Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$infraGroupsURL`n" Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$bgpNeighborURL`n"
Write-Host -ForegroundColor cyan "[DEBUG]`n$body`n"
} }
try { try {
if($PSVersionTable.PSEdition -eq "Core") { if($PSVersionTable.PSEdition -eq "Core") {
$requests = Invoke-WebRequest -Uri $infraGroupsURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck $requests = Invoke-WebRequest -Uri $bgpNeighborURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck
} else { } else {
$requests = Invoke-WebRequest -Uri $infraGroupsURL -Method $method -Headers $global:nsxtProxyConnection.headers $requests = Invoke-WebRequest -Uri $bgpNeighborURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers
} }
} catch { } catch {
if($_.Exception.Response.StatusCode -eq "Unauthorized") { if($_.Exception.Response.StatusCode -eq "Unauthorized") {
Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n" Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n"
break break
} else { } else {
Write-Error "Error in retrieving NSX-T Infrastructure Groups" Write-Error "Error in configuring BGP Neighbor"
Write-Error "`n($_.Exception.Message)`n" Write-Error "`n($_.Exception.Message)`n"
break break
} }
} }
if($requests.StatusCode -eq 200) { if($requests.StatusCode -eq 200) {
$groups = ($requests.Content | ConvertFrom-Json).results ## Configure Route Based Policy VPN
if ($PSBoundParameters.ContainsKey("Name")){ $TunnelSubnets = @{
$groups = $groups | where {$_.display_name -eq $Name} ip_addresses = @("$BGPLocalIP");
prefix_length = $BGPLocalPrefix;
} }
$results = @() $payload = @{
foreach ($group in $groups) { display_name = $Name;
$tmp = [pscustomobject] @{ enabled = $true;
Name = $group.display_name; local_address = $PublicIP;
ID = $group.id; remote_private_address = $RemotePublicIP;
Path = $group.path; remote_public_address = $RemotePublicIP;
passphrases = @("$PresharedPassword");
tunnel_digest_algorithms = @("$TunnelDigestEncryption");
ike_digest_algorithms = @("$IKEDigestEncryption");
ike_encryption_algorithms = @("$IKEEncryption");
enable_perfect_forward_secrecy = $true;
dh_groups = @("$DHGroup");
ike_version = $IKEVersion;
l3vpn_session = @{
resource_type = "RouteBasedL3VpnSession";
tunnel_subnets = @($TunnelSubnets);
default_rule_logging = $false;
force_whitelisting = $false;
routing_config_path = "/infra/tier-0s/vmc/locale-services/default/bgp/neighbors/$BGPNeighborID";
};
tunnel_encryption_algorithms = @("$TunnelEncryption");
}
$body = $payload | ConvertTo-Json -Depth 5
$routeBasedVPNURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/locale-services/default/l3vpns/$Name"
if($Troubleshoot) {
Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$bgpNeighborURL`n"
Write-Host -ForegroundColor cyan "[DEBUG]`n$body`n"
}
try {
if($PSVersionTable.PSEdition -eq "Core") {
$requests = Invoke-WebRequest -Uri $routeBasedVPNURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck
} else {
$requests = Invoke-WebRequest -Uri $routeBasedVPNURL -Body $body -Method $method -Headers $global:nsxtProxyConnection.headers
}
} catch {
if($_.Exception.Response.StatusCode -eq "Unauthorized") {
Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n"
break
} else {
Write-Error "Error in configuring Route Based VPN"
Write-Error "`n($_.Exception.Message)`n"
break
} }
$results+=$tmp
} }
$results
if($requests.StatusCode -eq 200) {
Write-Host "Succesfully created Route Based VPN"
($requests.Content | ConvertFrom-Json)
}
} }
} }
} }
}
Function Get-NSXTRouteBasedVPN {
<#
.NOTES
===========================================================================
Created by: William Lam
Date: 04/13/2019
Organization: VMware
Blog: http://www.virtuallyghetto.com
Twitter: @lamw
===========================================================================
.SYNOPSIS
Returns all NSX-T Route Based VPN Tunnels
.DESCRIPTION
This cmdlet retrieves all NSX-T Route Based VPN Tunnels description
.EXAMPLE
Get-NSXTRouteBasedVPN
.EXAMPLE
Get-NSXTRouteBasedVPN -Name "VPN-T1"
#>
param(
[Parameter(Mandatory=$false)][String]$Name,
[Switch]$Troubleshoot
)
If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else {
$method = "GET"
$routeBaseVPNURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/locale-services/default/l3vpns"
if($Troubleshoot) {
Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$routeBaseVPNURL`n"
}
try {
if($PSVersionTable.PSEdition -eq "Core") {
$requests = Invoke-WebRequest -Uri $routeBaseVPNURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck
} else {
$requests = Invoke-WebRequest -Uri $routeBaseVPNURL -Method $method -Headers $global:nsxtProxyConnection.headers
}
} catch {
if($_.Exception.Response.StatusCode -eq "Unauthorized") {
Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n"
break
} else {
Write-Error "Error in retrieving NSX-T Route Based VPN Tunnels"
Write-Error "`n($_.Exception.Message)`n"
break
}
}
if($requests.StatusCode -eq 200) {
$groups = ($requests.Content | ConvertFrom-Json).results
if ($PSBoundParameters.ContainsKey("Name")){
$groups = $groups | where {$_.display_name -eq $Name}
}
$results = @()
foreach ($group in $groups) {
$tmp = [pscustomobject] @{
Name = $group.display_name;
ID = $group.id;
Path = $group.path;
RoutingConfigPath = $group.l3vpn_session.routing_config_path;
}
$results+=$tmp
}
$results
}
}
}
Function Remove-NSXTRouteBasedVPN {
<#
.NOTES
===========================================================================
Created by: William Lam
Date: 04/13/2019
Organization: VMware
Blog: http://www.virtuallyghetto.com
Twitter: @lamw
===========================================================================
.SYNOPSIS
Removes a route based VPN Tunnel and it's associated BGP neighbor
.DESCRIPTION
This cmdlet removes a route based VPN Tunnel and it's associated BGP neighbor
.EXAMPLE
Remove-NSXTRouteBasedVPN -Name VPN1 -Troubleshoot
#>
Param (
[Parameter(Mandatory=$True)]$Name,
[Switch]$Troubleshoot
)
If (-Not $global:nsxtProxyConnection) { Write-error "No NSX-T Proxy Connection found, please use Connect-NSXTProxy" } Else {
$TunnelId = (Get-NSXTRouteBasedVPN -Name $Name).ID
$path = (Get-NSXTRouteBasedVPN -Name $Name).RoutingConfigPath
# Delete IPSEC tunnel
$method = "DELETE"
$deleteVPNtunnelURL = $global:nsxtProxyConnection.Server + "/policy/api/v1/infra/tier-0s/vmc/locale-services/default/l3vpns/$TunnelId"
if($Troubleshoot) {
Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$deleteVPNtunnelURL`n"
}
try {
if($PSVersionTable.PSEdition -eq "Core") {
$requests = Invoke-WebRequest -Uri $deleteVPNtunnelURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck
} else {
$requests = Invoke-WebRequest -Uri $deleteVPNtunnelURL -Method $method -Headers $global:nsxtProxyConnection.headers
}
} catch {
if($_.Exception.Response.StatusCode -eq "Unauthorized") {
Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n"
break
} else {
Write-Error "Error in removing NSX-T IPSEC Tunnel: $Name"
Write-Error "`n($_.Exception.Message)`n"
break
}
}
if($requests.StatusCode -eq 200) {
Write-Host "Succesfully removed NSX-T IPSEC Tunnel: $Name"
}
# Delete BGP Neighbor
$method = "DELETE"
$deleteBGPnbURL = $global:nsxtProxyConnection.Server + "/policy/api/v1$path"
if($Troubleshoot) {
Write-Host -ForegroundColor cyan "`n[DEBUG] - $method`n$deleteBGPnbURL`n"
}
try {
if($PSVersionTable.PSEdition -eq "Core") {
$requests = Invoke-WebRequest -Uri $deleteBGPnbURL -Method $method -Headers $global:nsxtProxyConnection.headers -SkipCertificateCheck
} else {
$requests = Invoke-WebRequest -Uri $deleteBGPnbURL -Method $method -Headers $global:nsxtProxyConnection.headers
}
} catch {
if($_.Exception.Response.StatusCode -eq "Unauthorized") {
Write-Host -ForegroundColor Red "`nThe NSX-T Proxy session is no longer valid, please re-run the Connect-NSXTProxy cmdlet to retrieve a new token`n"
break
} else {
Write-Error "Error in removing NSX-T BGP Neighbor"
Write-Error "`n($_.Exception.Message)`n"
break
}
}
if($requests.StatusCode -eq 200) {
Write-Host "Succesfully removed NSX-T BGP Neighbor"
}
}
}