Using the vRNI API through PowerShell

I've been plugging away with vRNI and the NSX Distributed firewall a lot, but that hasn't generally leant itself well to writing blog posts... until recently!  We are working on an auditing process to help us decommission NSX firewall rules in favor of policies.  Typically, when retiring a firewall rule, you would just change its priority so that it's below the newer Allow rules but still above the Deny rules, then wait a while and see if it still gets any hits.  In this situation, we're looking to retire some manually created firewall rules in favor of our new set of policy-driven rules, and you can't put manual rules in the middle of your policy rules... so the typical firewall procedure won't work here!

So, we've been working on a process to use vRNI to look at all traffic that's hitting a given firewall rule, then check on the policy-based rules and ensure that it will all be allowed by those rules.  The process itself is pretty simple, and looks like this:

1) Get all of the network traffic that is hitting the rule that needs to be retired:
flows where firewall rule id = <rule to be retired>

2) For each of those flows, find a policy-based rule that matches its source/destination/port:
firewall rule where source vm = <source> and destination vm = <destination> and port = <port> and Appliedto != DISTRIBUTED_FIREWALL and action = allow
The challenge there being that little "for each" part of step 2, since each firewall rule is likely to return dozens or hundreds of flows.  Of course, we all know an easy way to deal with "for each" situations, which just means that we need a programmatic way of talking to vRNI... and fortunately, there's an API!

I've never used an API directly before though, so there's a bit of a learning curve.  There's really good documentation about how to use the API, but sometimes I need a bit of a "dummy's guide" for these things.  And, since I wasn't able to find a simple set of instructions, I figured that I'd better put that together as I figure things out!

So, using the API basically requires two parts.  First, you need to authenticate to vRNI, and then you can actually do stuff with the API.  When you authenticate to vRNI, the system will give you back an authentication token that'll be good for several hours.  You'll then need to use that token every time you want to do something with the API.  So, let's look at how that works.

First, I want to prep some variables to make my life easier (I'm using local authentication on our system here, so if you're using this snippet, make sure that you do too!):
$numResults = 10000 #the max the system supports is 10000
$vrniServer = "my VRNI Server"
$creds = get-credential

Then, I want to use that stuff to make the web request and store the results in a variable:
$auth = Invoke-WebRequest -Method Post -Uri "https://$vrniServer/api/ni/auth/token" -ContentType "application/json" -body "{
 ""username"": ""$($creds.username)"",
 ""password"": ""$($creds.GetNetworkCredential().password)"",
 ""domain"": {
 ""domain_type"": ""LOCAL""
 }
}"

Yeah, that's a lot of quotes.  When you use two sets of double-quotes in a row, that's basically telling PowerShell to ignore the special meaning of those quotes, so that you can have quotes show up inside the string of the body.  Importantly, notice that the results of that web request are getting stored in the $auth variable, which we'll now use to build out an authenticated header that we can use in future api calls:
$token = ($auth.content | ConvertFrom-Json).token
$headers = @{Authorization = "NetworkInsight $token"}

And that's authentication, congrats!  Of course, that doesn't do us much good without a query to run, so let's look at that, too.  Let's put together a request for all network flows from the past 30 days that come from a specific source IP address.  First, let's prep some more variables:
$startTime =[Math]::Floor([decimal](Get-Date((Get-Date).adddays(-30)).ToUniversalTime()-uformat "%s"))
$endTime = [Math]::Floor([decimal](Get-Date(Get-Date).ToUniversalTime()-uformat "%s"))
$entity_type = "flow"
$sourceIP = "IP Address of Interest"

Make sure that you put something valid in that $sourceIP variable!  The rest of that should be pretty static - it's just getting the current date and the date 30 days ago (in decimal seconds) and setting up the kind of objects that we expect vRNI to give us (flow in this case).

Next, we get to use those variables to build the body of our API request!  Here's how that looks:
$body = "{
 ""entity_type"": ""$entity_type"",
 ""size"": $numResults,
 ""filter"": ""((source_ip.ip_address = '$sourceIP'))"",
 ""time_range"": {
 ""start_time"": $startTime,
 ""end_time"": $endTime
 }
}"

So, at this point, we've put together a set of headers with our authentication token and a body with our actual request.  That means that we're ready to invoke the API (I feel a bit like I'm shouting "release the Kraken!" whenever I say that):
$theseIDs = (invoke-restmethod -method Post -uri "https://$vrniServer/api/ni/search" -ContentType "application/json" -body $body -headers $headers).results.entity_id

So, there's some stuff in there besides the normal invoke-restMethod junk.  That's because vRNI's search is going to give you back a bunch of internal entity IDs, rather than usable flow results.  So, we're then going to need to go through those IDs and get each one of them so that we can actually get the data that we want:
$objDetails = foreach ($thisID in $theseIDs){
invoke-restmethod -method Get -uri "https://$vrniServer/api/ni/entities/flows/$thisID" -ContentType "application/json" -headers $headers
}

Now, $objDetails has the actual results from our query, which we can browse through by using:
$objDetails | out-gridView

And there's the basics of running a query in vRNI!  If you want to get other data from the system, you'll need to consult the documentation for details about how to change the $body request around (and especially for creating complex filters), but these are the precise steps that I had to go through to get started accessing the vRNI API.  I hope you find this useful (I expect that I will, the next time I have to do this and am wondering, "now how did I do that back at the end of 2019...")!


Comments

Post a Comment

Sorry guys, I've been getting a lot of spam recently, so I've had to turn on comment moderation. I'll do my best to moderate them swiftly after they're submitted,

Popular posts from this blog

PowerShell Sorting by Multiple Columns

PowerShell's Sort-Object cmdlet is super useful, especially when preparing output for human consumption.  A few people have found my blog while looking for more information about its use, specifically while looking for how to sort by multiple columns (well, properties, technically).  I've never done so (much less written about it), so I hope those folks found answers elsewhere.  But, it got me curious... and it turns out that it's really easy. The Technet article on Sort-Object has the answer directly spelled out: just use commas to create a list of properties to sort by (in order to precedence).  Let's look at some examples!  First, prepare a variable with some good sortable data: $myData = get-eventlog System -newest 25 And then we can get to sorting!  Say you want to sort primarily by EntryType (Warning, Information, Error) and then by Source.  Easy-peasy: $myData | sort EntryType,Source How about if you want it to be in descending order?  Yeah, there&
Read more

Clone a Standard vSwitch from one ESXi Host to Another

One of my customers is standardizing the configurations on their HP C7000 enclosures (they've been set up at various sites by various administrators with varying involvement from the architecture team).  As such, we need to stand up some temporary resources so that we can take down the main enclosure for reconfiguration.  That's fine, we can easily ship a smaller enclosure to each site for temporary compute resources.  Some of the sites are using Standard vSwitches, so we need to be able to quickly copy the networking configuration over from their existing blades to these new, slightly different blades.  As I see it, we had 2 good options: 1) Capture a Host Profile with the desired vSwitch configuration.  Delete every other component of the Host Profile so that only the networking section is applied; design the new ESXi hosts so that the vSwitches'll work with the old vmnic-to-vswitch configurations. 2) Write a script to clone the vSwitch from ones ESXi host to another.
Read more

Deleting Orphaned (AKA Zombie) VMDK Files

A problem that most Virtualization Administrators need to deal with is Orphaned VMDK files (or Zombie VMDK files, as some people call them).  These are Virtual Machine hard drive files that are just hanging out, taking up storage, but are attached to no VMs.  How can this happen?  Well, the most common way is when an administrator needs to delete a VMDK but isn't quite ready to commit... so, after pressing "remove", they select "remove from virtual machine" rather than "remove and delete files".  The intent is always good: "I want to be able to restore this if it turns out to be necessary... so I'll just come back and delete it next week if nothing breaks!"  But, of course, next week something else happens and the file doesn't get deleted.  After a little while, it turns into "which files did I rename, again?" and nothing seems to happen. So, how do you deal with these orphaned files?  Well, a few years ago I found a scrip
Read more