My colleague Erik Scholten (vRealize specialist) was building a demo environment for a customer this week. In this environment, he wanted to demonstrate vRealize Automation (vRA) in all its glory and have NSX coupled to it so vRA could use NSX to micro-segment rolled out blueprints using the App Isolation option.

NSX is pretty easy to get off the ground for first use, which he did himself with ease. All that's needed to use the distributed firewall for micro-segmentation is to deploy NSX Manager, connect it to vCenter and prepare the ESXi hosts. NSX was configured just like that; no VXLAN configuration was in place yet, which is logical enough, since you don't need VXLAN for micro-segmentation. After that, you create an endpoint in vRA for the NSX Manager and link it to the vCenter endpoint where the deployments happen. All good so far.

When it came to enabling App Isolation on a blueprint and deploying it, that's where the trouble started. vRA started by failing the deployment almost instantly and giving this helpful error:

Request [de51fae7-cfcf-4531-9bc4-7525b208eba7]: Failure during dynamic enhancement of blueprint [WindowsServer2016Dev, Windows Server 2016 - Dev]. Internal error processing completion of blueprint [PROVISION] request [de51fae7-cfcf-4531-9bc4-7525b208eba7]. Status so far: [FAILED]

In other words: "It's broken! I'm not going to tell you what's broken. Good luck!"

Digging Deeper

After digging a bit deeper, this was mentioned in the catalina.out (/storage/log/vmware/vcac/catalina.out) log file:

[UTC:2018-07-27 08:19:56,197 Local:2018-07-27 10:19:56,197] vcac: [component="cafe:composition-service" priority="ERROR" thread="queue-pool-executer-2" tenant="cbs" context="82jNOYQp" parent="x1C0vE5i" token="xjqIBYwT"] ResponseErrorHandler.handleRestError:113 - [Rest Error]: {Status code: 400}, {Error code: 10105} , {Error Source: null}, {Error Msg: AppIsolation: invalid blueprint: no endpoints specified across network components.}, {System Msg: null}
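Log lines like this pack the useful part (the REST status, error code and message) into a trailing string, so here is a small parser that pulls them out and flags REST errors. This is an added example, not code from the post or from VMware; the ERROR line in the sample is the one quoted above, the INFO line beside it is constructed, and the remediation text is the fix this post arrives at.

```python
import re
from typing import Dict, List, Optional

# Header shape: [UTC:<ts> Local:<ts>] vcac: [key="value" ...] Class.method:line - message
HEADER_RE = re.compile(r'^\[UTC:(?P<utc>\S+ \S+) Local:[^\]]+\] vcac: '
                       r'\[(?P<attrs>[^\]]*)\] (?P<site>\S+) - (?P<msg>.*)$')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')          # component="..." priority="..."
BRACE_RE = re.compile(r'\{([^:{}]+):\s*(.*?)\}')  # {Status code: 400}, {Error Msg: ...}

# Known REST error text and the remediation this post arrived at.
REMEDIATION = {
    "no endpoints specified across network components":
        "Configure VXLAN and a Transport Zone in NSX, then add the Transport Zone to the blueprint.",
}

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Flatten one catalina.out line into a dict of header attributes and {key: value} fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {"utc": m.group("utc"), "site": m.group("site"), "msg": m.group("msg")}
    event.update(ATTR_RE.findall(m.group("attrs")))            # priority, component, tenant, ...
    event.update((k.strip(), v.strip()) for k, v in BRACE_RE.findall(m.group("msg")))
    return event

def find_rest_errors(log_text: str, min_status: int = 400) -> List[Dict[str, str]]:
    """Return events carrying a REST status code >= min_status, each with a remediation hint."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev.get("Status code", "").isdigit():
            continue
        if int(ev["Status code"]) >= min_status:
            msg = ev.get("Error Msg", "")
            ev["hint"] = next((fix for key, fix in REMEDIATION.items() if key in msg), "no known fix")
            hits.append(ev)
    return hits

# Constructed sample: the ERROR line from this post plus a benign INFO line that must not match.
SAMPLE_LOG = """\
[UTC:2018-07-27 08:19:55,001 Local:2018-07-27 10:19:55,001] vcac: [component="cafe:composition-service" priority="INFO" thread="queue-pool-executer-2" tenant="cbs" context="82jNOYQp" parent="x1C0vE5i" token="xjqIBYwT"] CompositionService.provision:77 - Processing blueprint request
[UTC:2018-07-27 08:19:56,197 Local:2018-07-27 10:19:56,197] vcac: [component="cafe:composition-service" priority="ERROR" thread="queue-pool-executer-2" tenant="cbs" context="82jNOYQp" parent="x1C0vE5i" token="xjqIBYwT"] ResponseErrorHandler.handleRestError:113 - [Rest Error]: {Status code: 400}, {Error code: 10105} , {Error Source: null}, {Error Msg: AppIsolation: invalid blueprint: no endpoints specified across network components.}, {System Msg: null}
"""

if __name__ == "__main__":
    for ev in find_rest_errors(SAMPLE_LOG):
        print(f'{ev["utc"]} {ev["priority"]} code={ev["Error code"]}: {ev["Error Msg"]}\n  fix: {ev["hint"]}')
```

Run it against a real catalina.out (for example `find_rest_errors(open("/storage/log/vmware/vcac/catalina.out").read())`) to list every failed REST call with its error code instead of reading the raw lines.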

So vRA was missing a piece of configuration. The vRA documentation doesn't seem to specify which NSX configuration needs to be in place before you can integrate it with vRA; it mostly assumes you're doing a full-blown integration with virtual networks, load balancers, etc.

Full NSX Configuration

Eventually, we configured NSX further to include the VXLAN logical network settings and a Transport Zone. This was mostly a Hail Mary to see whether those were the network components vRA was missing. After configuring NSX, we added the Transport Zone to the blueprint as well and redeployed it; it deployed!

The lesson of the week:

Using vRealize Automation for App Isolation requires more NSX configuration than micro-segmentation alone needs: configure VXLAN and a Transport Zone as well.

Share the wealth!