A key element of designing a secure hybrid cloud is getting visibility into the network traffic of your cloud-based applications.

VMware vCloud® Air™ supports the ability for customers to collect information about traffic coming to and from their edge gateway through the use of a syslog server. Powered by VMware network virtualization, the edge gateway provides advanced networking services (like DHCP, static routing, load balancing, and VPN) and oversight over traffic through the use of firewall and NAT rules. By configuring your vCloud Air edge gateway to transfer log data to your syslog server, you can then set up alerts or notifications and build reports with your preferred tools.

Access to the edge gateway log data is through the vCloud API. I will go over the vCloud API element in detail, how to configure this through a REST Client, and show example syslog messages. This post will focus on the vCloud Air subscription service, but the concepts apply to vCloud Air OnDemand as well.

As a bonus, you can download a Python script written by Scott Schaefer on the vCloud Air team if you are unfamiliar with vCloud APIs.

vCloud API Changes

VMware has recently added the new element in “GatewayConfigurationType” within the vCloud API.

API EndPoint: /api/admin/edgeGateway/{gw-id}
Operation: GET/PUT

In addition, VMware now supports a new action on the customer's edge gateway, /configureSyslogServerSettings.

API EndPoint: (vCloudDirectorURL)/api/admin/edgeGateway/{gw-id}/action/configureSyslogServerSettings
Operation: POST, with a SyslogServerSettings element as the request body

Example:
https://p1v14-vcd.vchs.vmware.com:443/api/admin/edgeGateway/4XXXXXXXX-705f-4824-9c35-111111f11ddd/action/configureSyslogServerSettings

Requirements to Configure Syslog IP
For this walk-through you will need:

  • A REST client
  • vCloud Air credentials
  • Configured syslog server and IP address

REST Client
You will need a REST client to issue API commands to vCloud Air. I used the Firefox add-on REST Client, mainly so I could show my work within a GUI. There are a lot of other clients you can use, including cURL and the Google Code REST Client.

Firefox: https://addons.mozilla.org/en-US/firefox/addon/restclient/
cURL: http://curl.haxx.se/
Google: https://code.google.com/p/rest-client/downloads/list

vCloud Air Credentials
Username: The username will be in the form Name@domain@OrgvDC. For example: GeorgeKobar@VMware@TechMarketing. I will cover later in detail how to obtain the name of the Org vDC.
Password: Self explanatory

Configured Syslog Server
I installed vRealize Log Insight as my syslog server (http://www.vmware.com/products/vrealize-log-insight) but you can use other syslog software solutions such as Kiwi Syslog (http://www.kiwisyslog.com/).

The syslog server should be connected to a network that is accessible to the edge gateway. I configured my syslog server to be within the vCloud Air environment on a Routed Organization network. This ensures syslog traffic from the edge gateway is sent to the syslog server. Below is an example where the syslog server IP address is 192.168.25.2:

[Screenshot: syslog server on a routed Organization network inside vCloud Air, IP address 192.168.25.2]

Another option is hosting the syslog server on-premises through an encrypted tunnel.

[Screenshot: on-premises syslog server reached from the edge gateway through an encrypted tunnel]

Edge Gateway Syslog Configuration Walk-through

Here are the high-level steps needed to configure the edge gateway:

  1. Log in to vCloud Air using a REST client to obtain a token
  2. Configure the authorization header, accept header, and content header
  3. Query the edge gateways to obtain the gateway ID (gw-id)
  4. Place the SyslogServerSettings XML into the body and POST the changes
  5. Configure firewall rules on the edge gateway to log
  6. Observe messages on the syslog server

Log in to the vCloud Air using a REST Client to obtain a token
In order to interact with vCloud Air by API you must first log into the service and receive a token. This token is placed into the authorization header for future use. This step is outlined in the following KB: Logging in to the VMware vCloud Director API using VMware vCloud Air credentials. I won’t go into too much detail as it is already outlined well in this KB but I do want to point out a few items.

Finding your vCloud Director URL. Here are quick screenshots to direct you on how to find the URL:

[Three screenshots showing where the vCloud Director URL is found in the vCloud Air UI]

Configure Authorization Header, Accept Header, and Content Header
Once you have obtained your token you will need to create three headers.

Authorization Header
Create a custom header within the REST Client. In the Name enter x-vcloud-authorization and copy your token in the Value field.

[Screenshot: custom header x-vcloud-authorization with the token as its value]

Accept Header
Create another custom header where Name=Accept and Value=application/*+xml;version=5.6

[Screenshot: custom Accept header]

Content Header
Create the last custom header where Name=Content-Type and Value=application/*+xml;

[Screenshot: custom Content-Type header]

[Screenshot: all three headers configured in the REST Client]

Query edge gateways to obtain gateway ID (gw-id)
We need to query the edge gateways within the vCloud Air virtual data center to retrieve the gateway id. This gateway id (gw-id) identifies which gateway's syslog IP we want to configure. Set the Method to GET in the REST client and use the following URL: {vCD_URL}/api/query?type=edgeGateway

For example here is my URL:

https://p1v14-vcd.vchs.vmware.com:443/api/query?type=edgeGateway

Note that the URL is case sensitive. Select SEND in the REST Client.

[Screenshot: GET request for the edgeGateway query in the REST Client]

Here is a sample of the Response Body (preview) from this GET:

[Screenshot: Response Body preview listing the edge gateway records]

Look for the name of the edge you would like to modify. My edge is called TECHMARKETING-GKOBAR-GW. Take note of the following URL associated with it:

https://p1v14-vcd.vchs.vmware.com:443/api/admin/edgeGateway/4ff4bb6c-705f-4824-XXXX-XXX664f73ddd

The gw-id is 4ff4bb6c-705f-4824-XXXX-XXX664f73ddd, but we will be using the full gw-id URL with /action/configureSyslogServerSettings appended to make our changes.

For example:

https://p1v14-vcd.vchs.vmware.com:443/api/admin/edgeGateway/4ff4bb6c-705f-4824-XXXX-XXX664f73ddd/action/configureSyslogServerSettings

We will use this URL in the next step.

Place SyslogServerSettings XML into the body and POST changes
Place the last URL from the previous step into the REST Client and change the Method to POST. In the Body, copy the SyslogServerSettings XML shown in the screenshot below.

Replace syslogIPaddress with the IP address of your syslog server. In my example, it is 192.168.25.2.

[Screenshot: POST request with the SyslogServerSettings XML in the Body]

Select SEND and you should receive a 202 Accepted.

[Screenshot: 202 Accepted response]

You can query the edge and look at the Response Body to ensure the change has been made: use the same URL, but remove “/action/configureSyslogServerSettings” and change the Method to GET.

[Screenshot: GET response for the edge gateway showing the new syslog server setting]
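The same token, headers, gateway lookup and POST, as an added example in Python (this is not the post's own code, nor Scott Schaefer's SyslogIP.py, and it uses the standard library instead of Requests). The /api/sessions login endpoint and the layout of the SyslogServerSettings element are my assumptions from the vCloud API reference, not something this post shows; the sample query response is constructed.

```python
import base64
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
ACCEPT = "application/*+xml;version=5.6"   # Accept header value from the post

# Constructed sample edgeGateway query response; the href is the post's masked example.
SAMPLE_QUERY = (
    '<QueryResultRecords xmlns="%s"><EdgeGatewayRecord name="TECHMARKETING-GKOBAR-GW" '
    'href="https://p1v14-vcd.vchs.vmware.com:443/api/admin/edgeGateway/'
    '4ff4bb6c-705f-4824-XXXX-XXX664f73ddd"/></QueryResultRecords>' % VCLOUD_NS)

def api_headers(token):
    """The three headers the post adds in the REST Client."""
    return {"x-vcloud-authorization": token, "Accept": ACCEPT,
            "Content-Type": "application/*+xml"}

def find_gateway_href(query_xml, edge_name):
    """Pick one gateway's href out of the edgeGateway query by its name."""
    root = ET.fromstring(query_xml)
    for rec in root.iter("{%s}EdgeGatewayRecord" % VCLOUD_NS):
        if rec.get("name") == edge_name:
            return rec.get("href")
    raise LookupError("no edge gateway named %r" % edge_name)

def syslog_settings_body(syslog_ip):
    """Body for configureSyslogServerSettings. The element layout is my assumption
    from the vCloud API 5.x schema; check it against the API reference."""
    ipaddress.IPv4Address(syslog_ip)   # reject a typo before it reaches the edge
    return ('<SyslogServerSettings xmlns="%s"><TenantSyslogServerSettings>'
            '<SyslogServerIp>%s</SyslogServerIp></TenantSyslogServerSettings>'
            '</SyslogServerSettings>' % (VCLOUD_NS, syslog_ip))

def _call(url, headers, method="GET", body=None):
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:   # TLS certificate verified by default
        return resp.status, resp.headers, resp.read().decode()

def configure_edge_syslog(vcd_url, username, password, edge_name, syslog_ip):
    """Steps 2-5 of the walk-through: token, headers, gw-id lookup, POST."""
    basic = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    _, hdrs, _ = _call(vcd_url + "/api/sessions",
                       {"Accept": ACCEPT, "Authorization": "Basic " + basic}, "POST")
    headers = api_headers(hdrs["x-vcloud-authorization"])
    _, _, records = _call(vcd_url + "/api/query?type=edgeGateway", headers)
    href = find_gateway_href(records, edge_name)
    status, _, _ = _call(href + "/action/configureSyslogServerSettings", headers,
                         "POST", syslog_settings_body(syslog_ip).encode())
    return status   # 202 Accepted on success; a GET on the gateway confirms the change
```

Call configure_edge_syslog with your vCloud Director URL (without the trailing /api), your Name@domain@OrgvDC username, the edge name and the syslog IP; a non-2xx reply raises urllib.error.HTTPError instead of being silently ignored.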

Configure Firewall Rules to Log on Edge Gateway
We now need to set the firewall rules within the edge gateway to log. I recommend making this change in the vCloud Director interface because you can select specific rules to log and you can also log the default firewall rule. If the default action is DENY, you will see the denied traffic being logged on your syslog server.

In the vCloud Air UI, select My Subscriptions > a Cloud Region (like US-Nevada) > Virtual Data Center > Gateways tab > Manage in vCloud Director.

A second window will open with the vCloud Director web UI. Right-click on the edge gateway, select Edge Gateway Services…, then select the Firewall tab. I have already selected a few firewall rules and the Default action to log.

[Screenshot: Firewall tab with logging enabled on several rules and on the default action]

To log a firewall rule, select the rule, click Edit, tick the logging check box, then select OK and Apply.

[Screenshot: editing a firewall rule with its logging check box selected]

Observe messages from Syslog Server
After setting the firewall rules to log, we can now see messages on our syslog server.

Here is a quick screen capture of vRealize Log Insight:

[Screenshot: vRealize Log Insight showing messages from the edge gateway]

ICMP ALLOW example:

[Screenshot: syslog message for allowed ICMP traffic]

DENY traffic example (default rule log):

[Screenshot: syslog message for traffic denied by the default rule]

DENY RDP example (default rule log):

[Screenshot: syslog message for RDP traffic denied by the default rule]

Bonus:
Not familiar with APIs or specifically vCloud APIs? Scott Schaefer, a Cloud Architect in vCloud Air, has written a Python script to change the syslog IP address on the edge gateway. You can find and download the script named SyslogIP.py from Github here: https://github.com/sschaefervmw/vshieldSyslog

How to use the Python script:
Download and install the most recent version of Python. The only dependency is the Requests package. I moved the SyslogIP.py script into the same folder where I installed Python, for simplicity.

Open the script in a text editor. I used Notepad++. Edit lines 8-12 with your correct information and save.

8 API_URL = "Place vCD URL Here" # Cloud API URL ending in /api/
9 EDGE_NAME = 'Place Edge Name Here' # Edge Gateway name
10 SYSLOG_IP = 'Place Syslog IP Here' # IP of the syslog server
11 USERNAME = 'Place Username Here' # Username@orgname, e.g. email@domain.com@org
12 PASSWORD = 'Place Password Here' # Password

To run the script, open a command prompt, navigate to the Python folder and type python SyslogIP.py.

I hope you enjoyed the walk-through. You can follow me on Twitter @GeorgeKobar. If you want additional reading material you can find it here:

For more information about vCloud Air, visit vcloud.vmware.com.

Be sure to subscribe to the vCloud blog with your favorite RSS reader, or follow our social channels at @vCloud and Facebook.com/VMwarevCloud for the latest updates.