NSX Cloud. Part 2 : Working with CSM

After successful installation, now there is time for CSM configurations. There are two integrations that needs to take place: one is with on-prem NSX-T Manager and another is with public cloud accounts. Let’s get started on this

1). Login to CSM and navigate to settings and click configure .Enter NSX Manager hostname (FQDN is preffered) or IP address, credentials and thumbprint. Click Connect

  Once connectivity is successful, this part is over and we can move on to the next piece to integrate public cloud accounts. Click Finish.

Before actually adding any public account (Azure or AWS), we will need to make some preparations and run scripts that are available on [downloads.vmware.com] under Drivers & Tools section


Once you unpack it there will be two folders : one for AWS and one for Azure

Let’s start with AWS side, since i found it a bit easier to implement.  Script will generate IAM profile and role required by PCG. You will need Linux box and have the following installed there :




Below guide will help you to install AWS CLI on your machine


1). Connect to your Linux machine and install pip**

[root@ns1 ~]# curl -O https://bootstrap.pypa.io/get-pip.py
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1659k 100 1659k 0 0 2157k 0 –:–:– –:–:– –:–:– 2157k
[root@ns1 ~]# python get-pip.py –user
Collecting pip
Downloading https://files.pythonhosted.org/packages/d8/f3/413bab4ff08e1fc4828dfc59996d721917df8e8583ea85385d51125dceff/pip-19.0.3-py2.py3-none-any.whl (1.4MB)
100% |████████████████████████████████| 1.4MB 5.0MB/s
Collecting wheel
Downloading https://files.pythonhosted.org/packages/96/ba/a4702cbb6a3a485239fbe9525443446203f00771af9ac000fa3ef2788201/wheel-0.33.1-py2.py3-none-any.whl
Installing collected packages: pip, wheel
The script wheel is installed in ‘/root/.local/bin’ which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use –no-warn-script-location.
Successfully installed pip-19.0.3 wheel-0.33.1

2). Install AWS CLI**

[root@ns1 ~]# pip install awscli –upgrade –user
Collecting awscli
Downloading https://files.pythonhosted.org/packages/aa/ea/cb62728e9b38f9d8c620d60815f8dd54ca015f6b9af8f5a3d03d9b2e3c64/awscli-1.16.115-py2.py3-none-any.whl (1.4MB)
100% |████████████████████████████████| 1.5MB 12.1MB/s
Collecting botocore==1.12.105 (from awscli)
Downloading https://files.pythonhosted.org/packages/cf/ce/acc9013dee20fc94c9b9ae121f5b7b342a206f0d577be1e5c6129811194a/botocore-1.12.105-py2.py3-none-any.whl (5.3MB)
100% |████████████████████████████████| 5.3MB 597kB/s
Collecting colorama<=0.3.9,>=0.2.5 (from awscli)
Downloading https://files.pythonhosted.org/packages/db/c8/7dcf9dbcb22429512708fe3a547f8b6101c0d02137acbd892505aee57adf/colorama-0.3.9-py2.py3-none-any.whl
Collecting rsa<=3.5.0,>=3.1.2 (from awscli)
Downloading https://files.pythonhosted.org/packages/e1/ae/baedc9cb175552e95f3395c43055a6a5e125ae4d48a1d7a924baca83e92e/rsa-3.4.2-py2.py3-none-any.whl (46kB)
100% |████████████████████████████████| 51kB 21.2MB/s
Collecting docutils>=0.10 (from awscli)
Downloading https://files.pythonhosted.org/packages/50/09/c53398e0005b11f7ffb27b7aa720c617aba53be4fb4f4f3f06b9b5c60f28/docutils-0.14-py2-none-any.whl (543kB)
100% |████████████████████████████████| 552kB 6.2MB/s
Collecting s3transfer<0.3.0,>=0.2.0 (from awscli)
Downloading https://files.pythonhosted.org/packages/d7/de/5737f602e22073ecbded7a0c590707085e154e32b68d86545dcc31004c02/s3transfer-0.2.0-py2.py3-none-any.whl (69kB)
100% |████████████████████████████████| 71kB 4.5MB/s
Requirement already satisfied, skipping upgrade: PyYAML<=3.13,>=3.10 in /usr/lib64/python2.7/site-packages (from awscli) (3.12)
Collecting jmespath<1.0.0,>=0.7.1 (from botocore==1.12.105->awscli)
Downloading https://files.pythonhosted.org/packages/83/94/7179c3832a6d45b266ddb2aac329e101367fbdb11f425f13771d27f225bb/jmespath-0.9.4-py2.py3-none-any.whl
Collecting python-dateutil<3.0.0,>=2.1; python_version >= “2.7” (from botocore==1.12.105->awscli)
Downloading https://files.pythonhosted.org/packages/41/17/c62faccbfbd163c7f57f3844689e3a78bae1f403648a6afb1d0866d87fbb/python_dateutil-2.8.0-py2.py3-none-any.whl (226kB)
100% |████████████████████████████████| 235kB 32.6MB/s
Requirement already satisfied, skipping upgrade: urllib3<1.25,>=1.20; python_version == “2.7” in /usr/lib/python2.7/site-packages (from botocore==1.12.105->awscli) (1.22)
Requirement already satisfied, skipping upgrade: pyasn1>=0.1.3 in /usr/lib/python2.7/site-packages (from rsa<=3.5.0,>=3.1.2->awscli) (0.4.3)
Collecting futures<4.0.0,>=2.2.0; python_version == “2.6” or python_version == “2.7” (from s3transfer<0.3.0,>=0.2.0->awscli)
Downloading https://files.pythonhosted.org/packages/2d/99/b2c4e9d5a30f6471e410a146232b4118e697fa3ffc06d6a65efde84debd0/futures-3.2.0-py2-none-any.whl
Requirement already satisfied, skipping upgrade: six>=1.5 in /usr/lib/python2.7/site-packages (from python-dateutil<3.0.0,>=2.1; python_version >= “2.7”->botocore==1.12.105->awscli) (1.11.0)
Installing collected packages: jmespath, docutils, python-dateutil, botocore, colorama, rsa, futures, s3transfer, awscli
The scripts pyrsa-decrypt, pyrsa-decrypt-bigfile, pyrsa-encrypt, pyrsa-encrypt-bigfile, pyrsa-keygen, pyrsa-priv2pub, pyrsa-sign and pyrsa-verify are installed in ‘/root/.local/bin’ which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use –no-warn-script-location.
Successfully installed awscli-1.16.115 botocore-1.12.105 colorama-0.3.9 docutils-0.14 futures-3.2.0 jmespath-0.9.4 python-dateutil-2.8.0 rsa-3.4.2 s3transfer-0.2.0

3). Install JQ and OpenSSL. In my case i already had OpenSSL installed**

[root@ns1 ~]# yum install jq
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: repos-lax.psychz.net
* epel: mirror.prgmr.com
* extras: mirrors.ocf.berkeley.edu
* updates: mirrors.ocf.berkeley.edu
Resolving Dependencies
–> Running transaction check
—> Package jq.x86_64 0:1.5-1.el7 will be installed
–> Processing Dependency: libonig.so.2()(64bit) for package: jq-1.5-1.el7.x86_64
–> Running transaction check
—> Package oniguruma.x86_64 0:5.9.5-3.el7 will be installed
–> Finished Dependency Resolution

Dependencies Resolved


Package Arch Version Repository Size


jq x86_64 1.5-1.el7 epel 153 k
Installing for dependencies:
oniguruma x86_64 5.9.5-3.el7 epel 129 k

Transaction Summary


Install 1 Package (+1 Dependent package)

Total download size: 282 k
Installed size: 906 k
Is this ok [y/d/N]: y
Downloading packages:
(12): jq-1.5-1.el7.x86_64.rpm | 153 kB 00:00
(22): oniguruma-5.9.5-3.el7.x86_64.rpm | 129 kB 00:01
Total 208 kB/s | 282 kB 00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : oniguruma-5.9.5-3.el7.x86_64 12
Installing : jq-1.5-1.el7.x86_64 22
Verifying : oniguruma-5.9.5-3.el7.x86_64 12
Verifying : jq-1.5-1.el7.x86_64 22

jq.x86_64 0:1.5-1.el7

Dependency Installed:
oniguruma.x86_64 0:5.9.5-3.el7


For openssl, do ” yum install openssl”


4). Configure your AWS to get authenticated . You will need to have your access key and secret key ID ready for your AWS account**

[root@ns1 bin]# ./aws configure
AWS Access Key ID [None]: ******
AWS Secret Access Key [None]: *******
Default region name [None]: us-west-1
Default output format [None]: json

5).  Once authenticated, issue some test commands like listing your S3 buckets to make sure that you can interact with your account using AWS CLI**

[root@ns1 bin]# ./aws s3 ls
2017-09-25 14:08:16 nizami-bucket1

6).  Move file from your previously downloaded script folder nsx_csm_iam_script.sh into Linux machine and run it**

[root@ns1 ~]#bash nsx_csm_iam_script.sh
AWS Profile is set as default
AWS CLI configuration verified successfully.
openssl installation verified successfully.
JSON parser ‘jq’ installation verified successfully.

If you get errors in above output, verify your dependency installations (Openssl and jq) and your AWS credentials)


Do you want to create an IAM user for CSM and an IAM role for PCG? [yes/no] yes

We will be creating IAM user for CSM and respective role for PCG

What do you want to name the IAM User?

Creating IAM user nsx-csm and IAM role nsx_pcg_service

Note role name as we will need to later for integration with CSM

IAM user and role creation successful. Please check file ./aws_details.txt for user credentials and role name information.
Do you want add trust relationship for any Transit VPC account? [yes/no] no
Script execution successful! Detailed script logs are generated in file ./nsx_csm_iam_script.log

Look now for aws_details.txt file that should look like this

[root@ns1 ~]# more aws_details.txt

“AccessKeyId”: *******
“SecretAccessKey”: ****
“RoleName”: “nsx_pcg_service”,

you will need values of those keys and rolename during integration

7). Go back to CSM and navigate to Clouds–>AWS and click ADD**

Fill in information from file above : Access Key, Secret Key and Gateway Role name and click ADD

8). Once account gets added successfully you should see the something similar to this


Azure preparations

To run the scripts on Azure side, we will need the following

PowerShell 5 or higher

AzureRM Module

Let’s start

1). Launch Windows PowerShell and check version

2). Install AzureRM Module

3). Log in to your Azure account. Pop-up window will appear to enter your credentials

4). Navigate to your account in Azure portal and search “Subscription”. We will need this to run our script

5). Navigate to the folder where script was copied over and launch 

/.CreateNSXRoles.ps1 -subscriptionID _YourSubscriptionID_

This will result in generation of Service Principal and identity roles for CSM and PCG. Output will be written in text file. We will need that later when adding Azure account into CSM

6). Login to CSM and navigate to Clouds–>Azure and click ADD

Fill in information stored in text file. Default PCG role name is “nsx-pcg-role”. Click ADD

7). Once account gets added successfully you should see the something similar to this

This concludes CSM preparations. Next part will be dedicated to routing configurations. Stay tuned…