Introducing VMware vShield REST API

One of my colleagues asked me about vShield API and pointed me to the vShield API Programming Guide. I have of course heard about the vShield many times, but haven’t tried it out, let alone its API. But that doesn’t mean I cannot read it on demand. In fact, such questions motivate me to learn more beyond vSphere API. So keep your questions coming if you have one.

Here is what I found out after reading the programming guide. I have to admit I haven’t written any code connecting to a vShield test-bed, so I just share some basics of the API. Overall I found it’s similar to the vCloud API that I had worked with before in format and protocol.


Somehow the API does not, but I think should, have an explicit version number. Reading further, I found a URL like the following and am convinced that the API version is 1.0.

POST <vshield_manager-uri>/api/1.0/global/config

What Products Does It Manage?

According to the guide, the API manages four products: vShield Manager 4.1, vShield App 1.0, vShield Edge 1.0, and vShield Endpoint 1.0. All of them are in the vShield security product family.

If you have been reading my blog, you should be getting tired of me saying that an API is just a “view” of the product it interfaces with, in the MVC (Model-View-Controller) metaphor. The corollary is that you’d better know a product before trying its API. Here are the vShield Administrative Guide and the vShield Quick Start Guide if you are not yet familiar with the products.

On the other hand, you can deepen your understanding of a product by reading its APIs. The GUI of a product does not reveal nearly as much as its API does.

What Can You Do?

The vShield API is based on REST, with about 100 URLs defined. Each URL represents an operation on a vShield server. By operation, I don’t necessarily mean changing things on the server side; it can be just retrieving information from a server.

As with a typical REST API, you need to log in to the system with HTTP basic authentication. After that you can issue any URL, with or without additional information. Although you can manage four different products with the API, the URL you connect to is always the vShield Manager.
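The login step described above, as an added Python example (not code from the programming guide or from this blog): it builds a Basic-authenticated request to the vShield Manager, refuses anything that is not HTTPS or that leaves the `/api/1.0/` prefix, and shows that the header decodes straight back to the credentials. Function names and the XML content type are assumptions made for the illustration.

```python
import base64
import ssl
import urllib.request
from urllib.parse import urlsplit

API_PREFIX = "/api/1.0/"  # version prefix taken from the URL quoted on this page


def basic_auth_header(user, password):
    """HTTP Basic is base64("user:password"): an encoding, not encryption."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(header):
    """Recover the credentials, as anyone who can read the request could."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def build_request(manager_uri, path, user, password, method="GET", body=None):
    """Build, without sending, a request addressed to the vShield Manager."""
    parts = urlsplit(manager_uri)
    if parts.scheme != "https" or not parts.netloc or "@" in parts.netloc:
        raise ValueError("manager URI must look like https://host[:port]")
    if not path.startswith(API_PREFIX) or ".." in path:
        raise ValueError("path must stay under " + API_PREFIX)
    req = urllib.request.Request(
        f"https://{parts.netloc}{path}", data=body, method=method)
    req.add_header("Authorization", basic_auth_header(user, password))
    if body is not None:
        # Assumption: XML bodies, since the guide describes XML schemas.
        req.add_header("Content-Type", "application/xml")
    return req


def send(req, timeout=10):
    """Send over TLS with certificate and host name verification left on."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read()
```

Because the header travels with every request and is reversible, the certificate check in `send` is what actually protects the vShield Manager credentials in transit.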

Because vShield is closely related to vSphere, quite a few of the operations, especially the provisioning ones, require MOR values of managed objects such as datastores and network groups. You can grab them using the VI Java API.

While reading the API guide, you may get buried in these URLs and, in particular, the XML schemas, which seems to me a big drawback of REST for developers. The next section is a high-level overview of the things you can do with the API. While browsing them, I was a little surprised to learn that vShield Edge supports a load balancer feature.

List of Operations With the API

vShield Manager Management (4)

  • Synchronize the vShield Manager with vCenter Server and DNS
  • Retrieving Tech Support Logs
  • Get the vShield Manager Technical Support Log File Path
  • Get the vShield Edge Technical Support Log File Path

ESX Host Preparation for vShield App, Endpoint, and Isolation (4)

  • Install the Licenses for vShield Edge, vShield App, and vShield Endpoint
  • Install vShield App, vShield Endpoint, and Port Group Isolation Services on an ESX Host
  • Get the Installation Status of vShield Services on an ESX Host
  • Uninstalling vShield Services from an ESX Host

vNetwork Preparation and vShield Edge Installation (7)

  • Enabling Port Group Isolation
  • Enable Port Group Isolation on a vDS
  • Get the Port Group Isolation Debug Statistics from an ESX Host
  • Disable Port Group Isolation on a vDS
  • Installing a vShield Edge
  • Get the Install Parameters of a vShield Edge
  • Uninstall a vShield Edge

vShield Edge Management (64)

  • Force a vShield Edge to Synchronize with the vShield Manager
  • Manage CLI Credentials on a vShield Edge
  • Managing DHCP (8)
      • Get the DHCP Server Status
      • Start, Stop, or Restart the DHCP Service
      • Post a DHCP Configuration
      • Get the Configuration for All DHCP Hosts and Pools
      • Get Timestamps of Last 10 DHCP Configurations
      • Get a DHCP Configuration by Timestamp
      • Revert to a DHCP Configuration by Timestamp
      • Delete the DHCP Configuration on a vShield Edge
  • Managing NAT (12)
      • Managing SNAT Rules (6)
          • Get the SNAT Rule Set
          • Post an SNAT Rule Set
          • Get Timestamps of Last 10 SNAT Rule Configurations for a vShield Edge
          • Get SNAT Configuration by Snapshot Timestamp
          • Revert to an SNAT Configuration by Snapshot Timestamp
          • Delete All SNAT Rules on a vShield Edge
      • Managing DNAT Rules (6)
          • Get the DNAT Rule Set
          • Post a DNAT Rule Set
          • Get Timestamps of Last 10 DNAT Rule Configurations for a vShield Edge
          • Get DNAT Configuration by Snapshot Timestamp
          • Revert to a DNAT Configuration by Snapshot Timestamp
          • Delete All DNAT Rules
  • Configuring the vShield Edge Firewall (9)
      • Get the Firewall Rule Set for a vShield Edge
      • Post a Firewall Rule Set
      • Get the Status of the Default Policy for a vShield Edge
      • Change the Default Firewall Policy Action
      • Get Details of a Specific Firewall Rule
      • Get Timestamps of Last 10 Firewall Rule Sets for a vShield Edge
      • Get Firewall Rule Set by Timestamp
      • Revert to a Firewall Rule Set by Timestamp
      • Delete All Firewall Rules on a vShield Edge
  • Configuring VPNs (15)
      • Get the Status of VPN Service
      • Start or Stop the VPN Service on a vShield Edge
      • Configure VPN Parameters on a vShield Edge
      • Add a Remote Site
      • Add Tunnels for a VPN Site
      • Get the Detailed IPSec Configurations for a Network
      • Get the Detailed Configuration for a VPN Site
      • Get the Detailed Tunnel Configuration
      • Delete a Tunnel for a VPN Site
      • Delete a Remote Site
      • Get the Current VPN Configuration on a vShield Edge
      • Get Timestamps of Last 10 VPN Configurations
      • Get a VPN Configuration by Timestamp
      • Revert to a VPN Configuration by Timestamp
      • Delete the VPN Configuration on a vShield Edge
  • Load Balancer (9)
      • Get the Status of Load Balancer Service on a vShield Edge
      • Start or Stop the Load Balancer Service on a vShield Edge
      • Add a Listener for Load Balancing Service
      • Get the Current Load Balancer Configuration on a vShield Edge
      • Get the Configuration of a Specific Load Balancing Server
      • Get Timestamps of Last 10 Load Balancer Configurations
      • Get a Load Balancer Configuration by Timestamp
      • Revert to a Load Balancer Configuration by Timestamp
      • Delete the Load Balancer Configuration on a vShield Edge
  • Managing the MTU Threshold for a vShield Edge
  • View Traffic Statistics
  • Debug vShield Edge Services Using Service Statistics

Managing the Connection to a Syslog Server (6)

  • Post a Syslog Server Configuration
  • Get the Current Syslog Server Configuration
  • Get Timestamps of Last 10 Syslog Server Configurations
  • Get a Syslog Server Configuration by Timestamp
  • Revert to a Syslog Server Configuration by Timestamp
  • Delete the Current Syslog Server Configuration

vShield App Management (16)

  • Configuring Firewall Rules for a vCenter Container
      • View All Firewall Rules for a Container
      • Post an App Firewall Rule Set for a Container
      • View a List of Timestamps Identifying App Firewall Rule Set Changes
      • View a Previous Firewall Rule Set by Timestamp
      • Revert to a Previous Firewall Rule Set
      • Delete All Firewall Rules under a Container
  • Managing Security Groups
      • Add a Security Group
      • Add a Virtual Machine to a Security Group
      • Get the List of All Security Groups under a Base Node
      • Get the Details for a Single Security Group under a Base Node
      • Get IP Addresses for the Virtual Machines in a Security Group
      • Get the Properties from a Virtual Machine
      • Delete a Virtual Machine from a Security Group
      • Delete a Single Security Group
      • Delete All Security Groups under a Base Node
  • Configuring Syslog Service for a vShield App

vShield Endpoint Management (5)

  • Register an SVM with the vShield Endpoint Service on an ESX Host
  • Retrieve SVM‐Specific Network Information
  • Retrieve vShield Endpoint Service Status on an ESX Host
  • Uninstalling the vShield Endpoint Service from an ESX Host
  • Unregister an SVM from vShield Endpoint
  • Uninstall vShield Endpoint from the vShield Manager


6 Comments

  1. Carter Shanklin
    Posted February 22, 2011 at 1:43 am | Permalink

    A list of relative URIs is a start but where are the client bindings? (Question for the vShield team obviously!) Hopefully we’ll see some.

  2. Posted February 22, 2011 at 1:24 pm | Permalink

    Great question Carter, the open source community may take the challenge to implement client bindings.

  3. Saz
    Posted September 9, 2012 at 12:52 pm | Permalink

    I am using vijava in my application to provision VMs. Now planning to use Vshield/VEdge as firewall/network isolator/load balance… How can I leverage VIJAVA for this purpose? Does Vijava support vShield/vEdge API?

  4. Posted September 9, 2012 at 2:20 pm | Permalink

    Thanks for choosing vijava Saz!
    Unfortunately you cannot use vijava for this purpose. I currently do not have a plan to support vShield/vEdge APIs in vijava unless I am convinced its popularity has reached a point on par with vSphere. It may be an issue of time.
    Steve

  5. Script kiddie
    Posted March 20, 2014 at 5:34 am | Permalink

    It would be great if VMware would actually include this precise preface in their API documentation. Good job.

  6. Posted March 20, 2014 at 10:43 am | Permalink

    Agree. :)

    Steve


    Me: Steve Jin, VMware vExpert who authored the VMware VI and vSphere SDK by Prentice Hall, and created the de facto open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell, VMware, are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.