Provisioning vDS VXLAN virtual wires using vCenter Orchestrator

Recently while I was working on vSphere infrastructure automation processes I came up with a need to provision vNetwork Distributed Switch VXLAN virtual wires using vCenter Orchestrator 5.1 (vCO). I learned that there is no VMware vCloud Networking and Security (vCNS) plug-in for vCO 5.1 so I had to come up with a way to tap into vCNS from vCO.

vCenter Orchestrator has a REST plug-in which allows easy integration with any RESTful service, so I ended up looking at the REST API on vCNS. As a first thing I glanced through the vShield API Programming Guide and it became clear that it is very easy to command vCNS through a REST API, so my disappointment for not having a vCNS plug-in for vCO was quickly forgotten.

For a quick example on how to create a new VXLAN virtual wire using vCNS, just send a POST request to https://vcns/api/2.0/vdn/scopes/scopeID/virtualwires with a request body of

<virtualWireCreateSpec>
<name>virtual wire name</name>
<description>virtual wire description</description>
<tenantId>virtual wire tenant</tenantId>
</virtualWireCreateSpec>

vCenter Orchestrator workflow

I deployed VXLAN using vShield Manager web console and I started to work on my virtual wire provisioning workflow.

Connecting to a vCNS REST API

Before I was able to connect vCO to vCNS I had to install the untrusted SSL certificate of vCNS into vCO. This is done by running the “Manage SSL certificates” workflow in vCO. I guess this step is not necessary if your vCNS is using a trusted SSL certificate.


For some odd reason I had to use the vCNS host IP address instead of the FQDN in the host URL to make vCO download the certificate. Any time I tried with the FQDN I just got an error message about the URL being invalid.

Now that the SSL certificate was installed I was ready to connect vCO to the vCNS REST API. This is done by running the “Add a REST host” workflow in vCO. You have to enter the following data for this workflow:

  • Name: vCloud Network and Security (or anything you want)
  • URL: https://vcns-ip-or-fqdn/api/2.0
  • Host’s authentication type: Basic
  • Session mode: Shared session or Per User Session

Adding a REST operation

The next step was to run the “Add a REST operation” workflow.


Parent host should be the REST host added in the previous step. Template URL is the URL for this REST operation. Note that I have {scopeId} in this URL; this means that {scopeId} is a parameter which we need to set for this operation.

Creating a workflow

Once the REST operation is added we need to create a workflow from it so we can execute this operation. This is done by running the “Generate a new workflow from a REST operation” workflow; for the Operation input you need to browse for the recently added REST operation.


I now had a bare workflow for executing a REST operation on vCNS. This workflow does however require the XML request body as a string, so I had to do some scripting to build the necessary XML request. I created a “Create VXLAN Virtual Wire” workflow and gave it the following input parameters:

  • vxlanName: string
  • vxlanDesc: string

and created following attributes

  • scopeId: string: value vdnscope-1
  • tenantId: string: value production
  • content: string

then I dropped in Scriptable task element and “Invoke ‘Create VXLAN Virtual Wire..’” workflow I had previously created in my workflow schema


In the Scriptable task element I mapped in the vxlanName, vxlanDesc and tenantId input parameters and wrote the following code

// Build the request body as an E4X XML object; assigned strings become text content
var xmlContent = <virtualWireCreateSpec></virtualWireCreateSpec>;
xmlContent.name = vxlanName;
xmlContent.description = vxlanDesc;
xmlContent.tenantId = tenantId;

// Convert E4X type var to string
content = String(xmlContent);

and I mapped content source attribute to content attribute as output value.

In the “Invoke ‘Create VXLAN Virtual Wire..’” element I mapped in the scopeId and content attributes and all output parameters to NULL. My workflow was done. I executed this workflow, entered input parameters and watched as the VXLAN virtual wire was deployed in vDS.
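The request body and template URL described above take operator-supplied strings, so they should be escaped and validated before they reach vCNS. The following is an added example, not code from the original post: it builds the same body in plain JavaScript without E4X, so it also runs outside vCO. The function names and the vdnscope-<number> pattern (taken from the vdnscope-1 value used here) are assumptions.

```javascript
// Added example: plain JavaScript, no E4X. Names below are hypothetical.

// Escape XML special characters so input stays text content, and reject
// control characters that XML 1.0 does not allow.
function escapeXml(value) {
  const s = String(value);
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(s)) {
    throw new Error("control character in XML value");
  }
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Build the body for POST .../vdn/scopes/{scopeId}/virtualwires.
function buildVirtualWireSpec(vxlanName, vxlanDesc, tenantId) {
  if (typeof vxlanName !== "string" || vxlanName.trim() === "") {
    throw new Error("vxlanName must be a non-empty string");
  }
  return "<virtualWireCreateSpec>" +
    "<name>" + escapeXml(vxlanName) + "</name>" +
    "<description>" + escapeXml(vxlanDesc || "") + "</description>" +
    "<tenantId>" + escapeXml(tenantId) + "</tenantId>" +
    "</virtualWireCreateSpec>";
}

// Fill the {scopeId} template parameter. Only the assumed vdnscope-<number>
// form is accepted, so the value cannot add path segments or a query string.
function buildVirtualWireUrl(baseUrl, scopeId) {
  if (!/^vdnscope-\d+$/.test(scopeId)) {
    throw new Error("unexpected scopeId: " + scopeId);
  }
  return baseUrl.replace(/\/+$/, "") + "/vdn/scopes/" + scopeId + "/virtualwires";
}

// Constructed sample input: a name that tries to close <name> and add its own tenantId.
const sampleBody = buildVirtualWireSpec(
  "web</name><tenantId>other", 'R&D "lab"', "production");
console.log(sampleBody);
console.log(buildVirtualWireUrl("https://vcns/api/2.0/", "vdnscope-1"));
```
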

VDN Scope and Tenant ID

You may have noticed that I had two preset attributes in my workflow, scopeId and tenantId. To find out what your scopeId is you can use any REST client to query this information from vCNS. I used the Postman REST Client extension for the Chrome web browser; just send a GET request to https://vcns/api/2.0/vdn/scopes.


To find out the tenantId I created a virtual wire using vShield Manager and sent a GET request to https://vcns/api/2.0/vdn/virtualwires; tenantId is returned as part of the virtual wires output.

3 Replies to “Provisioning vDS VXLAN virtual wires using vCenter Orchestrator”

  1. Hi,

    Can you help me to deploy vShield Edge from vCenter Orchestrator? If you have sample workflow to deploy vShield Edge, can you share?

    Thanks in advance.

  2. Hi,

    I tried as per your instructions but it is failing with below error:

    “Content as string:
    Invalid token character '<' in token " org1edgeAPI<"100
    HTTPError: status code: 500 (Workflow:Invoke a REST operation / Check status code (item3)#1)”

    Content variable is getting built as (it has spaces):

    ” org1edgeAPI datacenter-2 compact resgroup-121 datastore-44 0 internal0 INTERNAL dvportgroup-83 admin test true true high “
