Add VMs of Secondary NSX site to a Universal security tag

Article ID: 316645

Products

VMware NSX

Issue/Introduction

VMs in the secondary NSX site are not available for selection in the "Assign Security tag to Virtual Machines" box.

Cause

Changes to universal objects can only be made from the primary NSX Manager. VMs in the secondary site are not present in the primary NSX Manager's database, so NSX needs a way to identify the VMs in the secondary site for tagging.

Resolution

  1. Set the Unique ID Selection Criteria in the vSphere Web Client, following the steps in the "Working with security tags" section of the NSX Admin guide.

     Excerpt:

     Unique ID Selection
     The unique ID selection criteria is used when assigning tags to Virtual Machines on active standby deployments. Unique ID is used by the NSX Manager when a Virtual Machine (VM) goes from standby to active deployment. The unique ID can be based on VM instance UUID, VM BIOS UUID, or VM name or a combination of these options. Note that if the criteria changes (such as a VM name changes) after universal security tags have been created and attached to VMs, the security tag must be detached and reattached to the VMs.

     Procedure
       • In the vSphere Web Client, navigate to Home > Networking & Security > Installation, select the Management tab.
       • Click the primary NSX Manager. Then select Actions > Unique ID Selection Criteria.
       • Select one or more of the unique ID options:
           • Use Virtual Machine instance UUID (recommended) - The VM instance UUID is generally unique within a VC domain, however there are exceptions such as when deployments are made through snapshots. If the VM instance UUID is not unique we recommend you use the VM BIOS UUID in combination with the VM name.
           • Use Virtual Machine BIOS UUID - The BIOS UUID is not guaranteed to be unique within a VC domain, but it is always preserved in case of disaster. We recommend you use BIOS UUID in combination with VM name.
           • Use Virtual Machine Name - If all of the VM names in an environment are unique, then VM name can be used to identify a VM across vCenters. We recommend you use VM name in combination with VM BIOS UUID.
       • Click OK.
  2. Run a GET API call to acquire the Tag ID of the universal security tag the VM will be added to. Please see the "Working with security tags" section of the NSX API guide.
     1. Example: GET https://<Primary_NSX_Manager_IP>/api/2.0/services/securitytags/tag
  3. Run a POST API call to add the VM to the universal security tag.
     1. Example: POST https://<Primary_NSX_Manager_IP>/api/2.0/services/securitytags/tag/{tag-id}/vm?action=attach
     2. Add the body with the key and value parameters matching the Unique ID Selection Criteria and the VM identifier.

        <securityTagAssignment>
          <tagParameter>
            <key>{unique identifier criteria key here}</key>
            <value>{VM unique identifier}</value>
          </tagParameter>
        </securityTagAssignment>

  4. The VM should now be listed in the VM count of the universal security tag in the secondary NSX manager.

Case 2:
1. When "Unique ID Selection Criteria" is set to all 3 options, as listed below:
        Use Virtual Machine instance UUID (recommended)
        Use Virtual Machine BIOS UUID
        Use Virtual Machine Name

2. Run a GET API call to acquire the Tag ID of the universal security tag the VM will be added to. Please see the "Working with security tags" section of the NSX API guide.
        GET : https://<NSX manager IP>/api/2.0/services/securitytags/tag

        Output should look similar to the following:
        <objectId>securitytag-#########-####-####-####</objectId>
        <name>VM name</name>

3. Run a POST API call to add the VM from the secondary NSX site to the universal security tag.
        POST : https://<NSX Manager IP>/api/2.0/services/securitytags/tag/securitytag-####-#####-######-########/vm?action=attach

        Body:
            <securityTagAssignment>
                    <tagParameter>
                        <key>instance_uuid</key>
                        <value>####-#####-######-########</value>
                    </tagParameter>
                    <tagParameter>
                        <key>bios_uuid</key>
                        <value>####-#####-######-########</value>
                    </tagParameter>
                    <tagParameter>
                        <key>vmname</key>
                        <value>vm-A</value>
                    </tagParameter>
            </securityTagAssignment>

    NOTE: The UUID must be in the form 8-4-4-4-12, all lower case.
    NOTE: You can get the BIOS UUID and instance UUID from the ESXi host, under /vmfs/volumes and then the respective VM name.


4. The VM should now be listed in the VM count of the universal security tag in the secondary NSX manager.
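
The attach call only tags the intended VM if the identifiers in the body are well-formed, so the following added example (not VMware's code) prepares the request from both procedures above offline: it picks the tag ID out of a GET response, normalizes UUIDs to lower-case 8-4-4-4-12, and builds the `securityTagAssignment` body with the keys shown in Case 2. The helper names are hypothetical, and the sample response, including its wrapper element names, is constructed.

```python
import re
import xml.etree.ElementTree as ET

UUID_KEYS = ("instance_uuid", "bios_uuid")  # keys shown in the article's Case 2 body
NAME_KEY = "vmname"

# Constructed sample of the GET response; wrapper element names are assumed.
SAMPLE_TAGS_XML = """<securityTags>
  <securityTag><objectId>securitytag-11</objectId><name>quarantine</name></securityTag>
  <securityTag><objectId>securitytag-0a1b2c3d-1111-2222-3333</objectId><name>universal-web</name></securityTag>
</securityTags>"""

def normalize_uuid(raw):
    """Return raw as lower-case 8-4-4-4-12, or raise ValueError."""
    digits = re.sub(r"[\s:-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", digits):
        raise ValueError(f"not a 128-bit hex UUID: {raw!r}")
    return "-".join((digits[:8], digits[8:12], digits[12:16], digits[16:20], digits[20:]))

def find_tag_id(tags_xml, tag_name):
    """Return the objectId of the single tag named tag_name."""
    ids = [el.findtext("objectId") for el in ET.fromstring(tags_xml).iter()
           if el.findtext("name") == tag_name and el.findtext("objectId")]
    if len(ids) != 1:
        raise LookupError(f"expected exactly one tag named {tag_name!r}, found {len(ids)}")
    return ids[0]

def attach_path(tag_id):
    """Build the attach path; refuse IDs that could alter the URL."""
    if not re.fullmatch(r"securitytag-[0-9A-Za-z-]+", tag_id):
        raise ValueError(f"unexpected tag ID: {tag_id!r}")
    return f"/api/2.0/services/securitytags/tag/{tag_id}/vm?action=attach"

def build_attach_body(criteria):
    """Build the securityTagAssignment XML from a {key: value} mapping."""
    if not criteria:
        raise ValueError("at least one identifier is required")
    root = ET.Element("securityTagAssignment")
    for key, value in criteria.items():
        if key in UUID_KEYS:
            value = normalize_uuid(value)
        elif key != NAME_KEY:
            raise ValueError(f"unknown criteria key: {key!r}")
        param = ET.SubElement(root, "tagParameter")
        ET.SubElement(param, "key").text = key
        ET.SubElement(param, "value").text = value  # ElementTree escapes &, <, >
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("POST", attach_path(find_tag_id(SAMPLE_TAGS_XML, "universal-web")))
    print(build_attach_body({"instance_uuid": "50 1E 5C 2D 3F 4A 6B 7C-8D 9E 0F 1A 2B 3C 4D 5E",
                             "vmname": "vm-A"}))
```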

Additional Information

Impact/Risks:
DFW rules associated with the universal security tag being added would be enforced.