  • Rajeshkumar M

SRM - Shell script to automate NSX-T Load balancer reconfiguration/recovery during failover


In my previous article, I used SRM to recover a vRealize cluster configured with an NSX-T load balancer over the stretched network.

The load balancer service is up in the primary site. The secondary site load balancer is configured the same as the primary site, and I kept its LB service in a disabled state to avoid a conflict.

When recovering using SRM, I detach the Site A standalone T1 from the LB service in the primary site and then attach the Site B standalone T1 to the LB service in the recovery site. I also delete the static route and service interface in the standalone T1 configured for the LB service and create the same service interface and static route in the Site B standalone T1.

To automate this LB reconfiguration, I created a script, placed it on the SRM appliance, and configured the SRM recovery step to call it from the SRM appliance when the recovery step executes.

I used a shell script to call the NSX-T API because it has no API library dependency, unlike Python.


Fig 1

In Fig 1, I have created a command section named Load Balancer Configuration in the recovery plan to run a script from the SRM appliance.


Fig 2

In Fig 2, I included the script name and path in the SRM command and placed the script and all related files on the recovery site SRM appliance under the /home/admin path. In the same way, we need to place the script in the primary site as well, with the primary and secondary site information swapped; it will be called during the fall back.

Please note that the T1 and LB variables in the script are IDs, not names; you can use the GET method to get the IDs. Also, I used a principal identity user role to authenticate to NSX-T; you can use user/password authentication if you want. Please refer to my other article to create a principal identity in NSX-T.


lbScript.sh


#!/bin/bash

nsxfqdnPrimary="site-a-nsx.corp.local"
nsxfqdnSecondary="site-b-nsx.corp.local"
certFileA="/home/admin/scriptuser.pem"
certFileB="/home/admin/scriptuser.pem"
lbAt1="T1-LB"
lbBt1="T1-LB"
lbA="Application-LB"
lbB="Application-LB"
staticroute="Application-LB-Route"
serviceint="application-Service-Interface"

echo "----------------Script Begin------------------------"

echo "---------------Disable LB in Primary Site A --------"

echo "Current static route configuration in primary site "

curl --cert "$certFileA" -k -X GET "https://$nsxfqdnPrimary/policy/api/v1/infra/tier-1s/$lbAt1/static-routes"

echo "--------- Delete static route in primary site ------"
curl --cert "$certFileA" -k -X DELETE "https://$nsxfqdnPrimary/policy/api/v1/infra/tier-1s/$lbAt1/static-routes/$staticroute"

sleep 5

echo "------LB service is attached with T1 in primary site --"
curl --cert "$certFileA" -k -X GET "https://$nsxfqdnPrimary/policy/api/v1/infra/lb-services/$lbA"

echo "------------ LB service is detach from primary site T1 -"
curl --cert $certFileA -k -X PATCH "https://$nsxfqdnPrimary/policy/api/v1/infra/lb-services/$lbA" -H "content-type: application/json" -d @/home/admin/detachLB.json

sleep 5

echo "-------------Service Interface in primary site --------"
curl --cert "$certFileA" -k -X GET "https://$nsxfqdnPrimary/policy/api/v1/infra/tier-1s/$lbAt1/locale-services/default/interfaces/$serviceint"

echo "--------- Delete Service Interface in primary site ----"
curl --cert $certFileA -k -X DELETE "https://$nsxfqdnPrimary/policy/api/v1/infra/tier-1s/$lbAt1/locale-services/default/interfaces/$serviceint"

sleep 5

echo "----------Enable LB in Recovery Site B-------------"


echo "------------Create static route in secondary site --"
curl --cert $certFileB -k -X PATCH "https://$nsxfqdnSecondary/policy/api/v1/infra/tier-1s/$lbBt1/static-routes/$staticroute" -H "content-type: application/json" -d @/home/admin/staticroute.json

sleep 5

curl --cert $certFileB -k -X GET "https://$nsxfqdnSecondary/policy/api/v1/infra/tier-1s/$lbBt1/static-routes"

echo "-----Create service interface in secondary site--- "
curl --cert $certFileB -k -X PATCH "https://$nsxfqdnSecondary/policy/api/v1/infra/tier-1s/$lbBt1/locale-services/default/interfaces/$serviceint" -H "content-type: application/json" -d @/home/admin/serviceinterface.json

sleep 5

curl --cert $certFileB -k -X GET "https://$nsxfqdnSecondary/policy/api/v1/infra/tier-1s/$lbBt1/locale-services/default/interfaces/$serviceint"

echo "-----------Attach LB service in secondary site with T1 ----"
curl --cert $certFileB -k -X PATCH "https://$nsxfqdnSecondary/policy/api/v1/infra/lb-services/$lbB" -H "content-type: application/json" -d @/home/admin/attacheLB.json

sleep 5

curl --cert $certFileB -k -X GET "https://$nsxfqdnSecondary/policy/api/v1/infra/lb-services/$lbB"


echo "------------------Script End--------------------------"

The script above passes the payloads via JSON files; the contents of those files are below.


detachLB.json


{
    "connectivity_path": ""
}

attacheLB.json


{
    "connectivity_path": "/infra/tier-1s/T1-LB"
}

staticroute.json


{
  "network": "0.0.0.0/0",
  "next_hops": [
    {
      "ip_address": "10.10.100.253",
      "admin_distance": 1
    }
  ]
}

serviceinterface.json


{
 "segment_path" : "/global-infra/segments/Stretched-Application-NW",
 "resource_type" : "Tier1Interface",
 "subnets" : [ {
   "ip_addresses" : [ "10.10.100.1" ],
   "prefix_len" : 24
  } ]
}

The script is only for primary site to recovery site failover. When you fall back, you can use the same script with the primary and secondary NSX-T Manager FQDNs updated in reverse order. I used a principal identity to access the NSX-T API; I have created a separate article on creating a principal identity in NSX-T to authenticate.
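
lbScript.sh calls curl with -k, which skips verification of the NSX-T Manager certificate, and it continues after a failed call, so the Site B load balancer can be enabled while Site A is still attached. The following is an added example, not the author's script, of a fail-closed version of the Site A half; the CA bundle path, the function names and the --run switch are assumptions.

```bash
#!/bin/bash
# Added example, not the author's script. The CA bundle path and the function
# names are assumptions; the other values are the ones used in lbScript.sh.
nsxfqdnPrimary="site-a-nsx.corp.local"
certFileA="/home/admin/scriptuser.pem"
caFileA="/home/admin/site-a-nsx-ca.pem"   # assumed: CA that issued the Site A NSX-T certificate
lbAt1="T1-LB"; lbA="Application-LB"
staticroute="Application-LB-Route"; serviceint="application-Service-Interface"

# The PEM holds the principal identity's private key: reject it if group/other can read it.
check_key_perms() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "ERROR: $1 has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# nsx_call METHOD URL CERT CA [JSON_FILE]
# Verifies the server certificate (--cacert, no -k) and succeeds only on HTTP 2xx.
nsx_call() {
    local method="$1" url="$2" cert="$3" ca="$4" body="${5:-}" status
    set -- --silent --show-error --cert "$cert" --cacert "$ca" \
           --output /dev/null --write-out '%{http_code}' -X "$method"
    if [ -n "$body" ]; then
        set -- "$@" -H "content-type: application/json" -d "@$body"
    fi
    status=$(curl "$@" "$url") || { echo "ERROR: $method $url: TLS/transport failure" >&2; return 2; }
    case "$status" in
        2??) return 0 ;;
        *)   echo "ERROR: $method $url returned HTTP $status" >&2; return 1 ;;
    esac
}

# Site A teardown in the article's order; stops at the first failed call so the
# Site B load balancer is never enabled while Site A is still attached.
disable_primary() {
    local base="https://$nsxfqdnPrimary/policy/api/v1/infra"
    check_key_perms "$certFileA" || return 1
    nsx_call DELETE "$base/tier-1s/$lbAt1/static-routes/$staticroute" "$certFileA" "$caFileA" || return 1
    nsx_call PATCH "$base/lb-services/$lbA" "$certFileA" "$caFileA" /home/admin/detachLB.json || return 1
    nsx_call DELETE "$base/tier-1s/$lbAt1/locale-services/default/interfaces/$serviceint" \
        "$certFileA" "$caFileA" || return 1
}

# Run only when asked, e.g. ./lbFailClosed.sh --run (script name is hypothetical).
if [ "${1:-}" = "--run" ]; then
    disable_primary || exit 1
fi
```

The Site B half can reuse nsx_call with the secondary FQDN, certFileB and that site's CA bundle, called only after disable_primary returns 0.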
