Unable to associate security group with L7 HTTP Load Balancer when a large number of security groups are present.

Article ID: 377185

Products

  • VMware NSX
  • VMware NSX-T Data Center

Issue/Introduction

  • Unable to associate a security group with an L7 HTTP Load Balancer when more than 1000 security groups are present within the environment.
  • While editing the HTTP Access Phase rule for a load balancer (HTTP Access Phase > HTTP Phase > Groups), groups are not selectable. The group appears selectable as normal, but once selected, the selection clears itself and no group is set.
  • Creating a new rule with the same condition gives the same un-selectable group, because the issue is with the group and not the rule.
  • No errors are presented in the GUI or in the logs.

 

 

Environment

  • VMware NSX (All versions)
  • VMware NSX-T Data Center (All versions)

Cause

Because of the way the UI handles group selection, issues can occur when more than 1000 groups are present in the environment. If a group is not within the first 1000 groups found by the UI request, selecting it fails: the selection is cleared and cannot be saved from the UI.

Resolution

Feature will be enhanced in a future release.

Workaround: 

  • Option #1 - If an existing group is un-selectable, edit the group from the inventory page to add a description. Once a description has been added, re-add the group to the access phase rule. It will now be selectable and usable as normal.

  • Option #2 - Set the rule's group manually by selecting any group as a placeholder and then editing the rule via the API. This can be done as follows.

    Step 1: Run GET policy/api/v1/infra/lb-virtual-servers/<LB-VS-Name>

Copy the entire response body. It will look similar to the example below, where <Example-Group> is the working group used as a placeholder. The only field that will be changed is group_path. All other values are examples only, shown to demonstrate the API body.

{
    "enabled": true,
    "ip_address": "10.10.10.10",
    "ports": [
        "324"
    ],
    "access_log_enabled": false,
    "application_profile_path": "/infra/lb-app-profiles/default-http-lb-app-profile",
    "rules": [
        {
            "match_conditions": [
                {
                    "group_path": "/infra/domains/default/groups/<Example-Group>",
                    "type": "LBIpHeaderCondition",
                    "inverse": false
                }
            ],
            "match_strategy": "ALL",
            "phase": "HTTP_ACCESS",
            "actions": [
                {
                    "pass_jwt_to_pool": false,
                    "type": "LBJwtAuthAction"
                }
            ]
        }
    ],
    "log_significant_event_only": false,
    "resource_type": "LBVirtualServer",
    "id": "test-1",
    "display_name": "test-1",
    "path": "/infra/lb-virtual-servers/test-1",
    "relative_path": "test-1",
    "parent_path": "/infra",
    "remote_path": "",
    "unique_id": "########-####-####-####-############",
    "realization_id": "########-####-####-####-############",
    "owner_id": "########-####-####-####-############",
    "marked_for_delete": false,
    "overridden": false,
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_create_time": 1724387832578,
    "_create_user": "admin",
    "_last_modified_time": 1724387832578,
    "_last_modified_user": "admin",
    "_revision": 0
}

    Step 2: Copy the response in full and update the rule's condition with the intended group path that was not selectable.

PUT policy/api/v1/infra/lb-virtual-servers/<LB-VS-Name>


Payload (only the group_path value is updated):
{
    "enabled": true,
    "ip_address": "10.10.10.10",
    "ports": [
        "324"
    ],
    "access_log_enabled": false,
    "application_profile_path": "/infra/lb-app-profiles/default-http-lb-app-profile",
    "rules": [
        {
            "match_conditions": [
                {
                    "group_path": "/infra/domains/default/groups/<Final-Group-Name>",
                    "type": "LBIpHeaderCondition",
                    "inverse": false
                }
            ],
            "match_strategy": "ALL",
            "phase": "HTTP_ACCESS",
            "actions": [
                {
                    "pass_jwt_to_pool": false,
                    "type": "LBJwtAuthAction"
                }
            ]
        }
    ],
    "log_significant_event_only": false,
    "resource_type": "LBVirtualServer",
    "id": "test-1",
    "display_name": "test-1",
    "path": "/infra/lb-virtual-servers/test-1",
    "relative_path": "test-1",
    "parent_path": "/infra",
    "remote_path": "",
    "unique_id": "########-####-####-####-############",
    "realization_id": "########-####-####-####-############",
    "owner_id": "########-####-####-####-############",
    "marked_for_delete": false,
    "overridden": false,
    "_system_owned": false,
    "_protection": "NOT_PROTECTED",
    "_create_time": 1724387832578,
    "_create_user": "admin",
    "_last_modified_time": 1724387832578,
    "_last_modified_user": "admin",
    "_revision": 0
}

 

This manually updates the group to the desired one: the placeholder is assigned within the GUI and then amended via the API.
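
An added example, not part of the original article or any vendor tooling: a Python helper that builds the Step 2 PUT body from the Step 1 GET response and lists every JSON path that differs, so you can confirm that only the access rule's group_path changed before sending it. The function names, the group IDs placeholder-grp and final-grp, and the trimmed sample body are hypothetical and constructed for illustration.

```python
import copy
import json

GROUP_PREFIX = "/infra/domains/default/groups/"  # group path prefix shown in the article


def retarget_group(vs_body, placeholder_id, final_id):
    """Return a copy of the GET body with the placeholder group path swapped."""
    old, new = GROUP_PREFIX + placeholder_id, GROUP_PREFIX + final_id
    body = copy.deepcopy(vs_body)
    hits = 0
    for rule in body.get("rules", []):
        if rule.get("phase") != "HTTP_ACCESS":
            continue  # leave rules in other phases untouched
        for cond in rule.get("match_conditions", []):
            if cond.get("group_path") == old:
                cond["group_path"] = new
                hits += 1
    if hits == 0:
        raise ValueError(f"placeholder {old} not found in any HTTP_ACCESS rule")
    return body


def changed_paths(before, after, prefix=""):
    """List the JSON paths whose values differ, for review before the PUT."""
    if isinstance(before, dict) and isinstance(after, dict):
        out = []
        for key in sorted(set(before) | set(after)):
            out += changed_paths(before.get(key), after.get(key), f"{prefix}/{key}")
        return out
    if isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        out = []
        for i, (b, a) in enumerate(zip(before, after)):
            out += changed_paths(b, a, f"{prefix}/{i}")
        return out
    return [] if before == after else [prefix]


# Constructed sample: a trimmed GET response in the shape the article shows.
SAMPLE_GET = json.loads("""{
  "rules": [{"match_conditions": [{"group_path": "/infra/domains/default/groups/placeholder-grp",
                                   "type": "LBIpHeaderCondition", "inverse": false}],
             "match_strategy": "ALL", "phase": "HTTP_ACCESS",
             "actions": [{"pass_jwt_to_pool": false, "type": "LBJwtAuthAction"}]}],
  "resource_type": "LBVirtualServer", "id": "test-1", "_revision": 0
}""")

if __name__ == "__main__":
    put_body = retarget_group(SAMPLE_GET, "placeholder-grp", "final-grp")
    print(changed_paths(SAMPLE_GET, put_body))  # review: should list one group_path
    print(json.dumps(put_body, indent=2))       # body for the Step 2 PUT
```

Run it against the full body copied in Step 1; if the reported list contains anything other than the intended group_path entry, do not send the PUT.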