Quick Post - SDDC Network Import/Export for VMware Cloud on AWS Fling

I remember back a few years ago when VMware first launched their Flings how useful some of them where (and still are). Seemed like no matter what area of the VMware platform you worked on, there was some sort of fling to made life easier. Back in the day I used to cover my Top Flings and I had my favourites. It’s been a while since I went to the Flings page or in fact used one, but where there is a need, there is a want! That want is around the work i’m doing on VMware Cloud on AWS again and the fact that I am spinning up and destroying Single-Node SDDCs on a daily basis. The networking configuration was taking the longest time to re-configure and time is money with VMware Cloud on AWS!

With that, I knew that I used to have a PowerShell script back in the day to import config items from a .json file, however I wondered if anything had been created that was better and more complete now that NSX-T is in play over when I last seriously tinkering with AWS, when it was NSX-v. After a little searching I came across the VMware Fling that is the SDDC Import/Export for VMware Cloud on AWS.

The SDDC Import/Export for VMware Cloud on AWS tool enables you to save and restore your VMware Cloud on AWS (VMC) Software-Defined Data Center (SDDC) networking and security configuration. There are many situations when customers want to migrate from an existing SDDC to a different one. While HCX addresses the data migration challenge, this tool offers customers the ability to copy the configuration from a source to a destination SDDC.

A few example migration scenarios are:

SDDC to SDDC migration from bare-metal (i3) to a different bare-metal type (i3en)
SDDC to SDDC migration from VMware-based org to an AWS-based org
SDDC to SDDC migration from region (i.e. London) to a different region (i.e. Dublin).

Other use cases are:

Backups – save the entire SDDC configuration
Lab purposes – customers or partners might want to deploy SDDCs with a pre-populated configuration.
DR purposes – deploy a pre-populated configuration in conjunction with VMware Site Recovery or VMware Cloud Disaster Recovery

Quick Setup and Walkthrough

NOTE: For a complete overview and rundown check out the documentation here.

Exporting Network Config

Firstly, you need to get the Org IO and the SDDC ID and have an API Refresh Token generated. The Org ID is tied to your account, while the SDDC ID gets generated once the SDDC has started provisioning. There are a number of ways to get these via PowerShell, the API Explorer (or just API) but the most straight forward way is from the VMC Web Console once the SDDC has been deployed.

From here you need clone the repo from GitHub after which point you can run a command to install the requirements… noting that it needs Phython3 to run the scripts.

Once that is done, you can edit the config files under /config_ini and modify vmc.ini as shown below

The first phase is to go ahead and manually configure the desired networking configuration that you need for the SDDC work. In my case it was a bunch of Custom Groups and Firewall rules to allow access to vCenter from my home as well as rules to allow Veeam Backup & Replication to talk back to the vCenter and ESXi hosts from the Compute to the Management subnets.

To do this you run the export command.

python3 sddc_import_export.py -o export

1	python3 sddc_import_export.py -o export

If all of the export options are enabled (ie, you haven’t modified the other config files), running this will export a set of files under the json directory

Importing the Config

With the json files full of the existing config, we can now spin up subsequent SDDCs and import the the config to get us to a point of desired state network configuration within seconds. For me, this saves me about 20 minutes per SDDC creation and more importantly guarantees consistency and accuracy for the rules.

As you can see below, the vanilla network config will look something like this.

Withe the default Gateway Firewall rules shown below…

Going back to the tool, after editing the vpn.ini file with the new SDDC ID you can run a test import. Import Mode setting at Test is the default and is configured via the config.ini file. This ensures that you can check what is being imported by the tool before committing. Once I ran this a couple of times, I just trusted what was happening, but that was also because I was actioning this against a tinker SDDC.

If all is well with the output of the Test run, then you can change the mode inside the config.ini to Live and run the import command again. It will ask you for a confirmation and then start the process. As you can see below, I got one error because it tried to create a Network Segment that was already there.

python3 sddc_import_export.py -o import

1	python3 sddc_import_export.py -o import

After a few second (my run took 46 seconds) if we go back to the VMC Console we can see that the number of rules and groups have changed.

And the Firewall rules have been configured.

Simple, automated and repeatable… but most of all… efficient!

If I was doing my Top Flings still… this one would rank highly on the list. It’s worth a look for anyone working with VMware Cloud on AWS, but especially for those that are labbing, developing or testing against SDDCs that are being created and destroyed often.

References:

https://flings.vmware.com/sddc-import-export-for-vmware-cloud-on-aws

Click to access sddc-import-export-for-vmware-cloud-on-aws-1.6.0.pdf