By: Michael Haines (Senior Cloud Security Architect)
Originally posted in the VMware vCloud Blog on 11/23/11
In my last blog, I covered how you, as the Network and Security System Administrator at “Example Systems,” used the vShield Edge REST API.
In the final blog of this series, you will learn how to ‘Stop’ and ‘Start’ the vShield Security Services using the vShield Edge REST API.
If you haven’t already done so, be sure to check out the previous installments in this blog series. In my first blog, I introduced a hypothetical Network and Security System Administrator in a hypothetical scenario and showed how to get started using the vShield API. In my second and third blogs, I detailed how you as the Network and Security System Administrator could utilize the Automation tools with vShield App for scalability through the REST APIs.
Stopping the vShield Edge Security Services (Load Balancer) (Basic)
To stop the vShield Edge Load Balancer server, run the following command: VSE-LB-Stop.bat
Note: The above command must be executed on one line, so if you are experiencing any problems, check for carriage returns and line breaks.
Stopping the vShield Edge Security Services (Load Balancer) (Advanced)
Now that you, as the Network and Security System Administrator, know the status of the vShield Edge Services, you can begin to 'Stop', 'Start' and 'Configure' them. First, check and confirm the status of the vShield Edge Services Load Balancer using the following request:
Next, you are going to 'stop' the vShield Edge Services Load Balancer and then check the status of the Load Balancer as in the above example. The main points of interest from a Network and Security System Administrator point of view are as follows. In the first request to stop the vShield Edge Service:
- The VERB has now changed from a 'GET' to a 'POST' (1)
- The HTTP result code has changed from 'On Success: 200 OK ' (2)
NOTE:
The return status code 204 No Content is not an error. In this case the server has fulfilled the request but does not need to return an entity-body. For a full list of the HTTP/1.1: Status Code Definitions please see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html.
In the second request the Network and Security System Administrator is verifying the vShield Edge Service Load Balancer status. Here again the main points of interest are as follows:
- Return HTTP result code status (3)
- Status of the VPN Service (4)
The View from the vSphere Client (Services Stopped)
Here the Network and Security System Administrator has just confirmed the status of the vShield Edge Services using the vSphere Client. As you can see, the Service Status is the same from the UI as it is from the vShield REST API.
Starting the vShield Services (Load Balancer) (Basic)
To start the vShield Edge Load Balancer server, run the following command: VSE-LB-Status-Start-Status.bat
Note: The above command must be executed on one line, so if you are experiencing any problems, check for carriage returns and line breaks.
Starting the vShield Services (Load Balancer) (Advanced)
The Network and Security System Administrator is now going to 'Start' the vShield Edge Services Load Balancer. Here you will first check and confirm the status of the vShield Edge Services Load Balancer using the following request and then 'Start' the Load Balancer.
- The VERB has now changed from a 'GET' to a 'POST' (1)
- The HTTP result code has changed from 'On Success: 200 OK '(2)
In the second request you are verifying the vShield Edge Service Load Balancer status. Here again the main points of interest are as follows:
- Return HTTP result code status (3)
- Status of the VPN Service (4)
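The stop and start sequences described above (check the status, POST the action, accept 204 No Content as success, then check the status again) can be scripted so that a change only counts as done once the follow-up status request confirms it. This Python example is added here and is not code from the original post or from VMware; the URL paths, the status strings and the `send` transport are placeholders assumed for illustration, and `make_fake_edge` is a constructed in-memory stand-in so the example runs offline.

```python
# Added example: stop/start a service over REST and confirm the result.
# The paths below are hypothetical placeholders, not vShield's real URLs.
STATUS_PATH = "/example/loadbalancer/status"      # placeholder
ACTION_PATH = "/example/loadbalancer/action/{}"   # placeholder

EXPECTED = {"stop": "stopped", "start": "running"}  # assumed status strings


class ServiceChangeError(Exception):
    pass


def change_service(send, action):
    """send(method, path) -> (http_status, body_text). Returns the verified state."""
    if action not in EXPECTED:
        raise ValueError(f"unsupported action: {action!r}")

    code, before = send("GET", STATUS_PATH)
    if code != 200:
        raise ServiceChangeError(f"status check failed: HTTP {code}")

    code, body = send("POST", ACTION_PATH.format(action))
    # 204 No Content means the request was fulfilled; there is no body to parse.
    if code != 204:
        raise ServiceChangeError(f"{action} failed: HTTP {code} {body!r}")

    code, after = send("GET", STATUS_PATH)
    if code != 200 or after.strip().lower() != EXPECTED[action]:
        raise ServiceChangeError(f"{action} not confirmed: HTTP {code} {after!r}")
    return {"before": before.strip().lower(), "after": after.strip().lower()}


def make_fake_edge(state="running"):
    """Constructed in-memory stand-in for the API so the example runs offline."""
    box = {"state": state}

    def send(method, path):
        if method == "GET" and path == STATUS_PATH:
            return 200, box["state"]
        if method == "POST" and path.startswith(ACTION_PATH.format("")):
            box["state"] = EXPECTED[path.rsplit("/", 1)[1]]
            return 204, ""
        return 404, "not found"

    return send


if __name__ == "__main__":
    edge = make_fake_edge()
    print(change_service(edge, "stop"))
    print(change_service(edge, "start"))
```

To use it against a real endpoint, replace `send` with a function that issues the authenticated HTTPS request and returns the status code and body.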
The View from vSphere Client (Services Started)
Here the Network and Security System Administrator has just confirmed the status of the vShield Edge Services using the vSphere Client. As you can see again, the Service Status is the same from the UI as it is from the vShield REST API. A few points to note:
- Be sure to click the 'Refresh Status' button (1)
- Check the 'Service Status'
- Here you can see the 'Service Status' of the Load Balancer which is 'Running'
Returning the vShield Services Configuration (Load Balancer)
As the Network and Security System Administrator, you are now at the stage where you want to 'check' the current configuration if one exists, 'delete' any existing configuration, and 'add' a new Load Balancer configuration to the vShield Edge device. Start by issuing a request to get the current configuration details of the vShield Services Load Balancer, as in the example above. Quite a lot of information is returned, so you need to know which parts relate to the Load Balancer service configuration. With that in mind, first look at the vshieldEdgeConfiguration, denoted by (1) and (2), which represents the full configuration present on the vShield Edge device. Next, locate and read the Load Balancer configuration information, denoted by (3) and (4). You can see that there is already a Load Balancer configured with the following information:
- External IP: 192.168.110.207
- Load Balancer Servers: 10.10.10.30 on Port: 80
- Load Balancer Servers: 10.10.10.31 on Port: 80
- Algorithm: round-robin
- Log: true
Returning the vShield Services Configuration (Load Balancer) (Basic)
To get and return the vShield Edge configuration information, run the following command: VSE-LB-Configuration.bat
Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.
vShield Manager View of the Load Balancer Configuration (Advanced)
The Network and Security System Administrator can also see the vShield Edge Load Balancer Configuration in the vShield Manager UI.
Deleting the Current vShield Services Configuration (Load Balancer) (Basic)
To delete the vShield Edge Load Balancer configuration, run the following command: VSE-LB-Delete.bat
Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.
Deleting the Current vShield Services Configuration (Load Balancer) (Advanced)
You are now ready to delete the current vShield Services Load Balancer configuration. The Network and Security System Administrator issues the following request as in the above example. Once the delete has completed successfully, a request for the current configuration would no longer show any reference to the load balancer configuration. Here again the main points of interest for you as the Network and Security System Administrator are as follows:
- The VERB has now changed from a 'GET' to a 'POST' (1)
- The HTTP result code has changed from 'On Success: 200 OK ' (2)
vShield Manager View after Deleting the Current vShield Services Configuration (Load Balancer)
Once you have deleted the current vShield Service configuration, you can go to the vShield Manager UI to verify the status of the Load Balancer.
Adding the New vShield Services Configuration (Load Balancer) (Basic)
To add the vShield Edge Load Balancer configuration, run the following command: VSE-LB-Add.bat
http://dl.dropbox.com/u/37072735/VSE-LB-Add.bat
Note: The above command must be executed on one line, so if you are experiencing any problems check for carriage returns and line breaks.
Adding the New vShield Services Configuration (Load Balancer) (Advanced)
As the Network and Security System Administrator, you are now required to implement a new vShield Services Load Balancer configuration to load balance between the Web Servers in your organization. To accomplish this, you will issue the following request as in the above example.
Once this has completed successfully, a request for the current configuration would show the newly created load balancer configuration. Here again the main points of interest as the Network and Security System Administrator are as follows:
- The VERB has now changed from a 'GET' to a 'POST' (1)
- The HTTP result code has changed from 'On Success: 200 OK ' (2)
Verifying the vShield Services Configuration (Load Balancer)
You are now able to verify the vShield Services Load Balancer Configuration using the above request or using the vShield Manager. Again, you can verify the Load Balancer information is correct by looking at the beginning (1) and end (2) of the Load Balancer configuration. You will also note the VERB has changed from a 'GET' to a 'POST' (3) and the HTTP result code has changed from 'On Success : 200 OK ' (4).
As the Network and Security System Administrator you have been able to get the current Load Balancer vShield Services Configuration, Delete the current Load Balancer vShield Services Configuration and Add a New Load Balancer vShield Services Configuration using the vShield REST API.
Special thanks to Kaushal Bansal, Sr MTS at VMware for all his help and support. I hope this blog series was useful for understanding the vShield API implementation. For future updates and blog posts, be sure to follow @vCloud and @VMwareSP on Twitter!