NSX API Guide

NSX API Guide

NSX 9.0.1

Overview
API Methods
API Types
API Type Schemas
API Errors
Deprecated Types and Methods

Overview

Introduction

NSX provides a programmatic API to automate management activities. The API follows a resource-oriented Representational State Transfer (REST) architecture, using JSON object encoding. Clients interact with the API using RESTful web service calls over the HTTPS protocol.

Each API method is identified by a request method and URI. Method parameters are specified as key-value pairs appended to the URI. Unless otherwise noted, request and response bodies are encoded using JSON, and must conform to the JSON schema associated with each method. The content type of each request and reply is "application/json" unless otherwise specified. Each request that can be made is documented in the API Methods section. The associated request and response body schemas are documented in the API Schemas section.

If you provide URL-encoded UTF-8 characters in the URL of your API request, you must include the header "Content-Type:charset=UTF-8" in your request.

API Data Types and Allowed Ranges

The NSX API uses JSON to represent API request and response payloads, and uses JSONSchema to describe the schema of these payloads. The data types are:

string: a sequence of UTF-8 characters. If a particular string property has a maximum length, it is represented in the documentation with a maxLength property.

integer: a signed 64-bit value. Unless a minimum or maximum value is shown in the documentation, integer values may take on values in the range -9,223,372,036,854,775,808 to 9,223,372,036,854,775,807.

unsigned_integer: an unsigned 64-bit value. Unless a minimum or maximum value is shown in the documentation, integer values may take on values in the range 0 to 9,223,372,036,854,775,807.

int: a signed 32-bit value. Unless a minimum or maximum value is shown in the documentation, int values may take on values in the range -2,147,483,648 to 2,147,483,647.

number: a 64-bit floating point number. Unless a minimum or maximum value is shown in the documentation, number values may take on values in the range 4.9406564584124654 x 10^-324 to 1.7976931348623157 x 10³⁰⁸.

boolean: the values true or false. Do not use quotes when sending boolean values in payloads.

object: a nested JSON object.

array: an array of one of the above types.

Formats

Some API types have a required format, and payloads that do not conform to the required format will be rejected. If a property has a required format, it is listed in the "Notes" section in this API Guide. The following formats are used in NSX:

ipv4: Must be a valid Internet Protocol version 4 address, in dotted-quad notation. For example, "192.168.1.232".

ipv6: Must be a valid Internet Protocol version 6 address, as described in RFC 1924. For example, "2001:0db8:85a3:0000:0000:8a2e:0370:7334". Abbreviations are supported.

ip: Either an ipv4 or ipv6 address.

hostname: An internet hostname, as described in RFC 1123. For example, "example.com"

ipv4-cidr-block: An ipv4 Classless Inter-Domain Routing (CIDR) block, expressed as a base ipv4 address, a slash, and the number of bits in the subnet mask. For example, "10.1.0.1/24".

ipv6-cidr-block: An ipv6 Classless Inter-Domain Routing (CIDR) block, expressed as a base ipv6 address, a slash, and the number of bits in the subnet mask. For example, "2001:db8::/32".

ip-cidr-block: Either an ipv4-cidr-block or an ip-v6-cidr-block.

ipv4-address-range: A range of ipv4 addresses, expressed as a lower-bound ipv4 address, a dash, and an upper-bound ipv4 address. For example, "192.168.1.0-192.168.1.255"

ipv6-address-range: A range of ipv6 addresses, expressed as a lower-bound ipv6 address, a dash, and an upper-bound ipv6 address. For example, "fe80::0202:b3ff:fe1e:8329-fe80::0202:b3ff:fe1e:832a"

address-or-block-or-range: Either an ip address, an ip-cidr-block, an ipv4-address-range, or an ipv6-address-range.

port-or-range: A port number (an integer in the range 0 to 65535) or a range of port numbers, expressed as a lower and upper port number, separated by a dash. Examples: "80" or "997-1023".

hostname-or-ip: Either a hostname or an ip address.

hostname-or-ipv4: Either a hostname or an ipv4 address.

list-of-address-or-block-or-range: A comma-separated list address-or-block-or-range.

mac-address: A Media Access Control (MAC) address. MAC addresses are six hexadecimal numbers, separated by either colons ":" or dashes "-". Case is not significant. Examples: "20:f3:75:5e:47:f0" or "20-F3-75-5E-47-F0".

Request Failures

It is possible for any request to fail. Errors are reported using standard HTTP response codes. It should be assumed the following errors could be returned by any API method: 301 Moved Permanently, 307 Temporary Redirect, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 412 Precondition Failed, 429 Too Many Requests, 500 Internal Server Error, 503 Service Unavailable. Where other errors may be returned, the type of error is indicated in the API method description. All errors are documented in the API Errors section. API requests may fail due to concurrent updates, where an API request collides with another API request, and NSX cannot reconcile the two operations. In that case, the client must re-fetch the resource, apply the changes, and re-submit the operation.

Request Authentication

Most API calls require authentication. This API supports several different authentication schemes, which are documented in this section. Multiple authentication schemes may not be used concurrently.

HTTP Basic Authentication

To authenticate a request using HTTP Basic authentication, the caller's credentials are passed using the 'Authorization' header. The header content should consist of a base64-encoded string containing the username and password separated by a single colon (":") character, as specified in RFC 1945 section 11.1.

For example, to authenticate a request using the credentials of user admin with password admin, include the following header with the request:

Authorization: Basic YWRtaW46YWRtaW4=

The following cURL command will authenticate to the manager using basic authentication and will issue a GET request for logical ports:

curl -k -u USERNAME:PASSWORD https://MANAGER/api/v1/logical-ports

where:
USERNAME is the user to authenticate as,
PASSWORD is the password to provide, and
MANAGER is the IP address or host name of the NSX manager

For example:

curl -k -u admin:secretPw99 https://MANAGER/api/v1/logical-ports

Note: the -k argument instructs cURL to skip verifying the manager's self-signed X.509 certificate. It is more secure to verify that the server's certificate is signed by a Certificate Authority (CA) that you trust. To do that, omit the -k argument and use the --cacert <ca-file> option, where <ca-file> is a PEM-formatted file containing the CA certificate to trust.

For example:

curl --cacert /home/me/certs/rootca.crt  -u admin:secretPw99 https://MANAGER/api/v1/logical-ports

Additional cURL examples below use the -k flag, but you can always substitute the --rootca <ca-file> argument for additional security.

In the above examples, USERNAME may be:

A local user name. For example, "admin".
A remote user name, of the form "user@domain", for example, "[email protected]". The domain must match a domain for a configured VIDM identity source or a configured LDAP identity source.

Note: in earlier versions of NSX, in order to authenticate to VIDM, it was required that you provide an authentication header of the form "Authorization: Remote base64-encoded-username-and-password". This is no longer required, but still functions for backward compatibility.

Session-Based Authentication

Session-based authentication is used by calling the /api/session/create authentication API to manage a session cookie. The session cookie returned in the result of a successful login must be provided in subsequent requests in order to associate those requests with the session.

Session state is local to the server responding to the API request. Idle sessions will automatically time-out, or can be terminated immediately using the POST /api/session/destroy API.

To obtain a session cookie, POST form data to the server using the application/x-ww-form-urlencoded media type, with fields "j_username" and "j_password" containing the username and password separated by an ampersand. Since an ampersand is a UNIX shell metacharacter, you may need to surround the argument with single quotes.

If the user is a remote user, append "@domain" to the username, for example, "[email protected]". The domain must match a domain for a configured VIDM identity source or a configured LDAP identity source.

The following cURL command will authenticate to the server, will deposit the session cookie in the file "cookies.txt", and will write all HTTP response headers to the file headers.txt. One of these headers is the X-XSRF-TOKEN header that you will need to provide in subsequent requests.

curl -k -c cookies.txt -D headers.txt -X POST     -d 'j_username=USERNAME&j_password=PASSWORD'     https://MANAGER/api/session/create

For example:

curl -k -c cookies.txt -D headers.txt -X POST     -d 'j_username=admin&j_password=secretPw99'     https://MANAGER/api/session/create

The manager will respond with the roles and permissions granted to the user, and cURL will deposit the session cookie into the file "cookies.txt".

In subsequent cURL requests, use the -b argument to specify the cookie file. You also need to pass the X-XSRF-TOKEN header that was saved to the headers.txt file, using cURL's -H option:

curl -k -b cookies.txt -H "`grep -i X-XSRF-TOKEN headers.txt | tr -d '\r\n'`"     https://MANAGER/api/v1/logical-ports

When the session expires, the manager will respond with a 403 Forbidden HTTP response, at which point you must obtain a new session cookie and X-XSRF-TOKEN.

Session cookies can be destroyed by using the /api/session/destroy API:

curl -k -b cookies.txt -H "`grep -i X-XSRF-TOKEN headers.txt | tr -d '\r\n'`"     -X POST https://MANAGER/api/session/destroy

Authentication using an X.509 certificate and a Principal Identity

NSX supports using an X.509 client certificate for authentication. The certificate is associated with a principal identity (a short name, similar to a username), and that principal identity can be bound to an NSX role. This is useful for automated processes or scripts that perform NSX API calls, and has the advantage that a user password does not need to be stored with the script.

For information on how to import a certificate and set up a principal identity, see the section "Add a Role Assignment or Principal Identity" in the NSX Administration Guide.

To use the client certificate to authenticate, your client must have access to the certificate and its associated private key. How to specify client authentication depends on the client you are using. For example, with curl, you use the --key argument to give the filename containing the private key and the --cert argument to give the filename containg the public certificate.

Authentication in VMware Cloud on AWS (VMC)

To make API calls to an NSX Manager in the VMware Cloud on AWS service (VMC), you need to gather a few pieces of information:

Your VMC Organization ID
Your Software Defined Data Center (SDDC) ID
Your API token

All of this information is available in the VMC web console, https://console.cloud.vmware.com

In VMC, you always exchange your API token for a limited-duration authentication token, which you then pass in a header with your API calls. This authentication token is valid for 30 minutes. After that time, you must obtain a new authentication token using your API token. If you use an expired authentication token, the API call will be rejected.

To obtain an authentication token, you issue a POST request to the URL https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize, passing your API token in a form. To do this with cURL:

curl https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize -d refresh_token=<token>

For example, if your refresh token is aB1jtC5yk2rDL6A1KPxzM0W4D7OeHFUNuXFHZidufYS3fIwn60ZRag0Y9dvX15Qv, the command will be:

curl https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize -d refresh_token=aB1jtC5yk2rDL6A1KPxzM0W4D7OeHFUNuXFHZidufYS3fIwn60ZRag0Y9dvX15Qv

You will receive a JSON response with several properties. The "access_token" property contains the token you will need to provide with your API requests. An easy way to parse this token out of the response is to use the "jq" utility. For example:

curl https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize -d refresh_token=aB1jtC5yk2rDL6A1KPxzM0W4D7OeHFUNuXFHZidufYS3fIwn60ZRag0Y9dvX15Qv | jq --raw-output '.access_token'

produces just the access token. You can set an environment variable with the correct authentication header with:

export AUTH_HDR="csp-auth-token: `curl https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize -d refresh_token=aB1jtC5yk2rDL6A1KPxzM0W4D7OeHFUNuXFHZidufYS3fIwn60ZRag0Y9dvX15Qv | jq --raw-output '.access_token'`"

The AUTH_HDR environment variable now contains the authentication header. The token itself will be a long string of characters and digits.

Once you have your authentication token, you need to determine the URL for accessing the NSX manager in your SDDC. To do that, you issue a GET request to the endpoint https://vmc.vmware.com/vmc/api/orgs/<org-id>/sddcs/<sddc-id>, where <org-id> is your organization's ID and <sddc-id> is your SDDC's ID. The URL of the NSX manager will be in the resource_config.nsx_api_public_endpoint_url property. For example, if your organizations's ID is a003c3a5-3f68-4a8c-a74f-f79a0625da17 and your SDDC is 449369c7-7936-4f7f-b46e-624cdb2a0a99:

curl -H "$AUTH_HDR" https://vmc.vmware.com/vmc/api/orgs/a003c3a5-3f68-4a8c-a74f-f79a0625da17/sddcs/449369c7-7936-4f7f-b46e-624cdb2a0a99 | jq --raw-output ".resource_config.nsx_api_public_endpoint_url"

The output will look like:

https://nsx-52-41-15-143.rp.vmwarevmc.com/vmc/reverse-proxy/api/orgs/a003c3a5-3f68-4a8c-a74f-f79a0625da17/sddcs/449369c7-7936-4f7f-b46e-624cdb2a0a99/sks-nsxt-manager

This is the URL you should use to access your NSX manager from the internet. Append the particular API's URL to this base URL. For example, to list all domains, the API is "/policy/api/v1/infra/domains", so the full request will look like the following:

curl -q -H "$AUTH_HDR" https://nsx-52-41-15-143.rp.vmwarevmc.com/vmc/reverse-proxy/api/orgs/a003c3a5-3f68-4a8c-a74f-f79a0625da17/sddcs/449369c7-7936-4f7f-b46e-624cdb2a0a99/sks-nsxt-manager/policy/api/v1/infra/domains

API Pagination

When responding to operations that return a ListResult type, NSX may limit the number of results returned. By default, the limit is 1000 results, but some APIs with large result payloads may return fewer results, even if a large number of results is requested by the client. Clients must be prepared to handle paginated results.

NSX indicates that it has returned fewer than the total number of results by including a "cursor" property in the response to the list operation. For example:

curl -k -u admin:SecretPw99 -H accept: application/json https://NSX_MANAGER/global-manager/api/v1/infra/services {

  "results" : [
    .... 1000 results omitted for clarity
  ],
  "result_count" : 1322,
  "sort_by" : "display_name",
  "sort_ascending" : true,
  "cursor" : "28de76e5-c7c2-4fa0-9a3e-0be891818d35"
}

The response indicates that there are a total of 1,322 results, but not all results are present in this response.

To get the next page of results, repeat the same list operation, but pass the returned cursor value. For example:

curl -k -u admin:SecretPw99 -H accept: application/json     https://NSX_MANAGER/global-manager/api/v1/infra/services?cursor=28de76e5-c7c2-4fa0-9a3e-0be891818d35

The response will return the next page of results. If there are more pages of results, the response will include a new cursor which can be used to get the next page of results. If this is the last page, then no cursor will be returned, as show below.

{
  "results" : [
    .... 322 results omitted for clarity
  ],
  "sort_by" : "display_name",
  "sort_ascending" : true,
}

The format of the "cursor" property is not meaningful to the client, and the client should not attempt to interpret the cursor's value. The format of the cursor may be different, depending on which API is called.

Example Requests and Responses

Example requests and responses are provided for most of the API calls below. Your actual response might differ from the example in the number of fields returned because optional empty fields are not returned when you make an API call.

Restrictions on Certain Fields in a Request

When configuring layer 2 switching, the following fields can contain any character except semicolon (;), vertical bar (|), equal sign (=), comma (,), tilde (~), and the "at" sign (@). They also have a length limitation as specified below:

Logical switch display name. Maximum length: 80 bytes.
Host switch name in TransportZone. Maximum length: 80 bytes.
Uplink name in UplinkHostSwitchProfile. Maximum length: 47 bytes.

Collection List Pagination

A call to the NSX API may return many thousands of results when the system is operating at scale. In such scenarios, the system performs pagination of response objects. All queries to the API must be capable of handling ListResults objects that contain partial results. Pagination in API works as follows:

The API will respond with a ListResult object that has at most page_size results. Note, that the client must always be ready to handle a paginated result, even if the client did not specify page_size.

The default page size is 1000. In case the result size exceeds the page size, the first page will be returned. You need to retrieve the remaining with cursor.

When doing an API call against the NSX-T API, there are a variety of objects which have limits on the number of returned items allowed. The limits themselves are different depending on the objects.

The way you can tell if pagination is being activated is by looking for an attribute called 'cursor'. For example, here is the end of a call for all firewall rule sections:

curl -k -s -X GET -u 'admin:*****' https://manager_ip/api/v1/firewall/sections

End of the results:

"section_type": "LAYER3",
"stateful": true,
"rule_count": 2,
"is_default": false,
"_create_user": "admin",
"_create_time": 1574438858340,
"_last_modified_user": ""****************",
"_last_modified_time": 1671726034024,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 96
}
],
"result_count": 1448,
"sort_by": "position",
"cursor": "0036588a382d-c679-480a-ab95-67aa0022ae04RmlyZXdhbGxTZWN0aW9u"
}

So, looking at our result attributes we can see the overall result count is 1448 and we can tell pagination was activated, because we have a 'cursor' attribute. If you have a 'cursor' attribute returned in your overall results, pagination is activating and truncating those results. You need to retrieve the remaining with cursor.

You pass the cursor attribute in standard URL options with the value specified to the exact same call until you no longer have a cursor attribute returned, for example:

curl -k -s -X GET -u 'admin:*****' https://manager_ip/api/v1/firewall/sections?cursor=0036588a382d-c679-480a-ab95-67aa0022ae04RmlyZXdhbGxTZWN0aW9u

which will return the 2nd page of results.

Optimistic Concurrency Control and the _revision property

Overview

In order to prevent one client from overwriting another client's updates, NSX employs a technique called optimistic concurrency control.

All REST payloads contain a property named "_revision". This is an integer that is incremented each time an existing resource is updated. Clients must provide this property in PUT requests and it must match the current _revision or the update will be rejected. This guards against the following situation:

Client 1 reads resource A.

Client 2 reads resource A.

Client 1 replaces the display_name property of resource A and does a PUT to replace the resource.

Client 2 replaces is different property of resource A and attempts to perform a PUT operation.

Without optimistic concurrency control, Client 2's update would overwrite Client 1's update to the display_name property. Instead, Client 2 receives a 409 Conflict error. To recover, Client 2 must fetch the resource again, apply the change, and perform a PUT.

Exceptions for /policy APIs

APIs whose URI begins with /policy have slightly different behavior. For those APIs, the _revision property must not be set when PUT is used to create a new resource. Once the resource is created, however, the _revision property must be provided with PUT operations.

PATCH and _revision for /policy APIs

APIs whose URI begins with /policy support the PATCH operation. Those APIs do not require that the _revision property be provided. A client can, however, request that the _revision property be checked when it is performing a PATCH in the /infra path. To do this, the client should pass the query parameter enforce_revision_check, e.g. PATCH /infra?enforce_revision_check=true.

Partial PATCH

Partial patching of objects is a feature supported by NSX that allows patching a subset of properties of any object. This behavior needs to be explicitly activated. When partial patching is disabled (default behavior), the entire payload of object is expected to be provided in both PUT and PATCH operations for the /policy APIs.

In order to perform partial patching of existing objects using PATCH operation, partial patching should be activated using either one of the following approach:

System-wide partial patch configuration
Partial patch can be activated/deactivated in the system by using the Partial Patch Config api (i.e. PATCH /policy/api/v1/system-config/nsx-partial-patch-config) with sample request payload.

{ "enable_partial_patch": "true" }
Default is 'false'.
Note: If the API request header has 'nsx-enable-partial-patch' parameter, then the header takes precedence over this system-wide configuration.
Header parameter (request level configuration)
Partial patch can also be activated/deactivated using API request header parameter. This will override the system-wide configuration for a particular request.
To activate partial patch, use 'nsx-enable-partial-patch=true'
To deactivate partial patch, use 'nsx-enable-partial-patch=false'
If this parameter is not passed in header, the system level configuration will be considered for Partial Patch operation. This header parameter will be considered only for PATCH requests. For other requests (e.g. PUT, POST etc.), this header parameter will be ignored.

Some important considerations/notes on Partial Patch:

Array properties will be replaced entirely in partial patch.
If PATCH api is executed on a non-existing object, a new object will be created after performing all applicable validations.
There are cases where properties of an object are inter-dependent on each other e.g. username and password, IP address and thumbprint etc. In such cases, the partial patch request expects all such inter-dependent fields to be provided (either all or none).
Partial patch is not supported for 'Infra' object.
Certain types like Labels, Security Policies (for the 'rules' attribute) and Services have special handling for certain attributes in PATCH request. This behavior will not be overridden by Partial Patch.
For instance, specifying rules on Security policies as a part of the PATCH invocation merges the specified rules with the existing rules. For full replacement of rules, PUT operation needs to be performed on the Security Policy.
Partial patch will not work for properties accepting polymorphic types if the specified value has a type that is different from that of the existing value.

PUT Operations

NSX conforms to REST and HTTP standards regarding the operation of PUT operations. A PUT is always a full replace of a resource, and if any properties are omitted from the payload, those properties will be reset to default values. It is suggested that API clients retrieve the existing resource, apply any desired changes to the copy of the resource, and PUT the entire modified resource.

API Rate Limiting

The NSX API service has three settings that control the rate of incoming API requests:

1) A per-client rate limit, in requests per second. If a client makes more requests than this limit in one second, the API server will refuse to service the API request and will return an HTTP 429 Too Many Requests Error. By default, this limit is 100 requests per second.

2) A per-client concurrency limit. This is the maximum number of outstanding requests that a client can have. For example, a client can open multiple connections to NSX and submit operations on each connection. When this limit is exceeded, the server returns a 503 Server Unavailable error to the client. By default, this limit is 40 concurrent requests.

3) An overall maximum number of concurrent requests. This is the maximum number of API requests that can be in process on the server. If the server is at this limit, additional requests will be refused and the HTTP error 503 Service Unavailable will be returned to the client. By default, this limit is 199 concurrent requests.

The first two limits exist to provide some level of fairness across multiple clients of NSX, and are intended to prevent one greedy client from preventing other clients from making API requests.

The last limit is the server's way of protecting itself against an unintentional (or intentional) denial of service attack.

While it is possible to configure these rate limits using the /api/v1/node/services/http API, it is not recommended. Instead, you should design your API client to gracefully deal with situations where limits are exceeded.

Designing API client code to work gracefully with rate limits

One approach is to build in throttling into the client code so that it never sends more than 100 requests in a given second and that it never has more than 40 concurrent requests in flight.

However, there isn't any way to ensure that the overall concurrency limits are never hit. That is because there may be other clients calling APIs, driving up the load on the server. API clients need to check for the HTTP error 503 Service Unavailable. In the event a 503 error is received, the simplest strategy is to insert a delay, possibly with an exponential backoff in the event that server load is high.

There are open-source libraries than can help you implement this retry/backoff behavior, such as Google's Retry helper in its Python google-api-core library. For an example of using this library with the NSX APIs, see https://github.com/vmware-samples/nsx-t/blob/master/python/basics/rate-limits.py

OpenAPI Specification of NSX APIs

You can download OpenAPI specifications for the various NSX APIs at the following URLs:

NSX Manager API:
APIs for NSX administration; node and cluster management APIs and fabric management APIs for on-premise customers.

GET https://<nsx-mgr>/api/v1/spec/openapi/nsx_api.yaml
GET https://<nsx-mgr>/api/v1/spec/openapi/nsx_api.json

NSX Policy Manager API:
APIs for managing logical networking in NSX for on-premise customers.

GET https://<nsx-mgr>/api/v1/spec/openapi/nsx_policy_api.yaml
GET https://<nsx-mgr>/api/v1/spec/openapi/nsx_policy_api.json

NSX VMC Policy API:
APIs for managing logical networking in NSX for VMware Cloud customers.

GET https://<nsx-mgr>/api/v1/spec/openapi/nsx_vmc_policy_api.yaml
GET https://<nsx-mgr>/api/v1/spec/openapi/nsx_vmc_policy_api.json

NSX VMC AWS Integration API:
APIs for managing AWS underlay networking for VMware Cloud customers.

GET https://<nsx-mgr>/api/v1/spec/openapi/nsx_vmc_aws_integration_api.yaml
GET https://<nsx-mgr>/api/v1/spec/openapi/nsx_vmc_aws_integration_api.json

API Methods

Toggle all tables +

API Usage

API Usage: User Authentication

Associated URIs:

POST /api/session/create
POST /api/session/destroy

Authenticate and create a session

Authenticates using the given username and password. If successful, the HTTP response headers will contain a Set-Cookie header and an X-XSRF-TOKEN header. Both of these headers should be sent with subsequent API requests. Request:

Method:

POST

URI Path(s):

/api/session/create

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

SessionAuthenticationCredentials+

Example Request: POST /api/session/create Content-Type: application/x-www-form-urlencoded j_username=admin&j_password=my-password Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: set-cookie: JSESSIONID=57021338F5FDB766121F51BB5E1B82C3; Path=/; Secure; HttpOnly; SameSite=Lax x-xsrf-token: 8bf06253-c246-4e4b-a379-f218dd0a193c 200 OK Required Permissions: none Feature: none Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Destroy an authenticated session

Unauthenticates and makes the provided session cookie invalid. The set-cookie and x-xsrf-token headers obtained from an earlier call to /api/session/create should be provided in the HTTP headers of this request. Request:

Method:

POST

URI Path(s):

/api/session/destroy

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: POST /api/session/destroy set-cookie: JSESSIONID=57021338F5FDB766121F51BB5E1B82C3; Path=/; Secure; HttpOnly; SameSite=Lax x-xsrf-token: 8bf06253-c246-4e4b-a379-f218dd0a193c Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: none Feature: none Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Federation

Federation: Federation Configuration

Associated URIs:

GET /policy/api/v1/infra/federation-config
GET /policy/api/v1/global-infra/federation-config
GET /policy/api/v1/global-infra/global-manager-config?action=show-sensitive-data

Read federation config

Read a federation config from Global Manager. This API is only available when using VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/federation-config

/policy/api/v1/global-infra/federation-config

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/global-infra/federation-config GET https://<global-mgr>/global-manager/api/v1/global-infra/federation-config Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

FederationConfig+

Example Response: { "site_config" : [ { "site_id": "59ee0369-3d2b-4b2a-9221-594344f6ca4c", "rtep_ips": [ "10.192.201.163", "10.192.201.164" ], "site_index": 1, "site_path": "/global-infra/sites/paris" } ] } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read Global Manager config along with sensitive data

Read a Global Manager config along with sensitive data.
For example - rtep_config.ibgp_password
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/global-manager-config?action=show-sensitive-data

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<pglobal-mgr>/global-manager/api/v1/global-infra/global-manager-config?action=show-sensitive-data GET https://<policy-mgr>/policy/api/v1/global-infra/global-manager-config?action=show-sensitive-data Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GlobalManagerConfig+

GlobalManagerConfig (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value GlobalManagerConfig	string
rtep_config	Global Manager federation RTEP configuration Global Manager federation RTEP configuration. This configuration is distributed to all Sites participating in federation.	GmRtepConfig
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "GlobalManagerConfig", "rtep_config" : { "ibgp_password": "secureme" }, "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 1 } Required Permissions: crud Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Federation: Full Synchronization

Associated URIs:

POST /policy/api/v1/infra/full-sync-action
GET /policy/api/v1/infra/full-sync-states
GET /policy/api/v1/global-infra/full-sync-states
GET /policy/api/v1/infra/full-sync-states/{full-sync-id}
GET /policy/api/v1/global-infra/full-sync-states/{full-sync-id}

Performs realized object actions specified in the action.

Performs realized object actions specified in the action. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/full-sync-action

Request Headers:

n/a

Query Parameters:

PolicyFullSyncActionParameters+

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/full-sync-action?action=request_full_sync POST https://policy.nsx.vmware.com/global-manager/api/v1/orgs/256d811c-168c-41b6-9c5c-e1672a84dcb7/projects/default--nsx-dev-test/infra/full-sync-action?action=request_notifications_full_sync&site=site1 Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: { "fullsync_action_response": "requested full sync", } Required Permissions: crud Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List full sync states

List full sync state. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/full-sync-states

/policy/api/v1/global-infra/full-sync-states

Request Headers:

n/a

Query Parameters:

PolicyListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/full-sync-states Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

FullSyncStateListResult+

Example Response: { "result_count" : 1, "results" : [ "resource_type": "FullSyncState", "id": "1234", "full_sync_id": "1234", "last_completed_stage": "PROCESSED_DELTAS", "path": "/infra/fullsync-states/1234", "parent_path": "/infra", "relative_path": "1234", "_create_user": "SYSTEM", "_create_time": 1517262573524, "_last_modified_user": "SYSTEM", "_last_modified_time": 1517262573524, "_system_owned": true, "_revision": 2 ] } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get full sync state

Get full sync state. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/full-sync-states/{full-sync-id}

/policy/api/v1/global-infra/full-sync-states/{full-sync-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/full-sync-states/1234 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

FullSyncState+

FullSyncState (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
errors	Errors occurred during full sync Errors occurred during full sync.	array of string	Readonly
full_sync_id	Full sync id Full sync id generated by Async Replicator (AR) service.	string	Readonly
id	Unique identifier of this resource	string	Sortable
last_completed_stage	Full sync stage that is last completed for this request. The current stage of full sync completion for ongoing sync. When Local Manager (LM) receives full sync data from AR, LM starts with workflow to prserve the state and restore the full sync from where it has left off in case of change of leadership of the service to different NSX node or LM is restarted. LM starts the full sync workflow with state INITIAL capturing the AR full sync id and data location details. The stage/state transition follows the order given below INITIAL - Full sync started PROCESSED_FULLSYNC_DATA - Compelted processing the full state data provided by AR PRCESSED_DELTAS - Completed processing pending delta changes provided by AR. DELETED_STALE_ENTITIES - Completed deletion of all global entities on LM that are not in GM anymore COMPLETED - Full sync handling is completed on LM ERROR - Full sync failed with errors on LM, in which case AR will re-attempt full sync later point in time for the LM ABORTED - Indicates that the full sync cancelled as per user request	string	Readonly Enum: INITIAL, PAUSE_DCNS, DELETED_STALE_ENTITIES, PROCESSED_FULLSYNC_DATA, PROCESSED_DELTAS, UNPAUSE_DCNS, COMPLETED, ERROR, ABORTED
last_upate_time	Deprecated, refer to last_update_time for the last update time stamp.	EpochMsTimestamp	Deprecated Readonly Sortable
last_update_time	Timestamp of last update, could be progress or success or error.	EpochMsTimestamp	Readonly Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value FullSyncState	string
start_time	Timestamp of Full Sync start.	EpochMsTimestamp	Readonly Sortable
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "FullSyncState", "id": "1234", "full_sync_id": "1234", "last_completed_stage": "PROCESSED_DELTAS", "path": "/infra/fullsync-states/1234", "parent_path": "/infra", "relative_path": "1234", "_create_user": "SYSTEM", "_create_time": 1517262573524, "_last_modified_user": "SYSTEM", "_last_modified_time": 1517262573524, "_system_owned": true, "_revision": 2 } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Federation: Global Managers

Associated URIs:

GET /policy/api/v1/global-infra/global-managers
GET /policy/api/v1/global-infra/global-managers/{global-manager-id}

List Global Managers

List Global Managers under Infra.
This API is only available when using VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/global-managers

Request Headers:

n/a

Query Parameters:

GlobalManagerListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/global-manager/api/v1/global-infra/global-managers Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GlobalManagerListResult+

Example Response: { "result_count" : 2, "results" : [ { "resource_type": "GlobalManager", "id": "london", "gm_id": "aad93dd9-ea71-41d7-be0d-1b1fca616660", "display_name": "London GM", "path": "/infra/global-managers/london", "parent_path": "/infra/global-managers/london", "relative_path": "london", "mode": "ACTIVE", "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 }, { "resource_type": "GlobalManager", "id": "Paris", "gm_id": "dfd93dd9-ea71-41d7-be0d-1b1fca616660", "display_name": "Paris GM", "path": "/infra/global-managers/Paris", "parent_path": "/infra/global-managers/Paris", "relative_path": "Paris", "mode": "STANDBY", "connection_info": [{ "fqdn": "10.190.201.163" }], "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 1 } ] } Required Permissions: read Feature: standby_site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read a Global Manager

Retrieve information about a particular configured global manager.
Global Manager id 'self' is reserved and can be used for referring to local
logged in Global Manager.
Example - /infra/global-managers/self
This API is only available when using VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/global-managers/{global-manager-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/global-manager/api/v1/global-infra/global-managers/london Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GlobalManager+

GlobalManager (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
connection_info	Connection information To create a standby GM, the connection information (username, password, and API thumbprint) for at least one NSX manager node in the remote site must be provided. Once the GM has been successfully onboarded, the connection_info is discarded and authentication to the standby GM occurs using an X.509 client certificate.	array of SiteNodeConnectionInfo	Maximum items: 3
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
fail_if_rtt_exceeded	Fail onboarding if maximum RTT exceeded Fail onboarding if maximum RTT exceeded.	boolean	Default: "True"
federation_id	Global manager federation UUID Internally generated UUID to the federation of Global Manager.	string	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
maximum_rtt	Maximum acceptable packet round trip time (RTT) If provided and fail_if_rtt_exceeded is true, onboarding of the site will fail if measured RTT is greater than this value.	integer	Minimum: 0 Maximum: 1000 Default: "250"
mode	Mode of the global manager There can be at most one ACTIVE global manager and one STANDBY global manager. In order to add a STANDBY manager, there must be an ACTIVE manager defined.	string	Required Enum: ACTIVE, STANDBY
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value GlobalManager	string
site_id	UUID of the site where Global manager is running UUID of the site where Global manager is running. This is the Site Manager generated UUID for every NSX deployment.	string	Readonly
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "GlobalManager", "id": "london", "gm_id": "dfd93dd9-ea71-41d7-be0d-1b1fca616660", "display_name": "London GM", "path": "/infra/global-managers/london", "parent_path": "/infra/global-managers/london", "relative_path": "london", "mode": "ACTIVE", "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } Required Permissions: read Feature: standby_site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Federation: Inter-Sites

Associated URIs:

GET /api/v1/edge-clusters/{edge-cluster-id}/inter-site/status
GET /policy/api/v1/global-infra/segments/{segment-id}/inter-site-forwarder/site-span-info
GET /policy/api/v1/global-infra/segments/{segment-id}/inter-site-forwarder/statistics
GET /policy/api/v1/global-infra/segments/{segment-id}/inter-site-forwarder/status (Deprecated)
GET /policy/api/v1/global-infra/tier-0s/{tier-0-id}/locale-services/{locale-services-id}/inter-site/bgp-summary
GET /policy/api/v1/global-infra/tier-0s/{tier-0-id}/locale-services/{locale-services-id}/inter-site/status
GET /policy/api/v1/global-infra/tier-1s/{tier-1-id}/locale-services/{locale-services-id}/inter-site-forwarder/status
GET /policy/api/v1/global-infra/tier-1s/{tier-1-id}/segments/{segment-id}/inter-site-forwarder/site-span-info
GET /policy/api/v1/global-infra/tier-1s/{tier-1-id}/segments/{segment-id}/inter-site-forwarder/statistics
GET /policy/api/v1/global-infra/tier-1s/{tier-1-id}/segments/{segment-id}/inter-site-forwarder/status (Deprecated)
GET /api/v1/logical-switches/{logical-switch-id}/inter-site-forwarder/site-span-info (Experimental)
GET /api/v1/logical-switches/{logical-switch-id}/inter-site-forwarder/statistics (Experimental)
GET /api/v1/logical-switches/{logical-switch-id}/inter-site-forwarder/status (Experimental) (Deprecated)
GET /api/v1/transport-nodes/{edge-node-id}/inter-site/bgp/neighbors
GET /api/v1/transport-nodes/{edge-node-id}/inter-site/bgp/neighbors/{neighbor-id}/advertised-routes
GET /api/v1/transport-nodes/{edge-node-id}/inter-site/bgp/neighbors/{neighbor-id}/routes
GET /api/v1/transport-nodes/{edge-node-id}/inter-site/bgp/summary (Deprecated)
GET /api/v1/transport-nodes/{edge-node-id}/inter-site/statistics

Get inter-site status of the edge cluster

Returns the aggregated status for the Edge cluster along with status of
all edge nodes in the cluster. It always returns cached response.
Request:

Method:

GET

URI Path(s):

/api/v1/edge-clusters/{edge-cluster-id}/inter-site/status

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/edge-clusters/875381be-a4c5-4173-8aa7-ab71695a8129/inter-site/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

EdgeClusterInterSiteStatus+

Example Response: { "edge_cluster_id": "875381be-a4c5-4173-8aa7-ab71695a8129", "edge_cluster_name": "Federation edge cluster", "member_status": [ { "transport_node": { "target_id": "258c50b4-c960-4005-9023-f7946e302162", "target_display_name": "Edge node 1", "is_valid": true }, "total_bgp_sessions": 2, "established_bgp_sessions": 2, "neighbor_status": [ { "source_address": "192.100.20.10", "neighbor_address": "192.200.20.10", "connection_state": "ESTABLISHED", "remote_site": { "target_id": "258c50b4-c960-4005-9023-f7946e302162", "target_display_name": "India Site", "is_valid": true } }, { "source_address": "192.300.20.10", "neighbor_address": "192.400.20.10", "connection_state": "ESTABLISHED", "remote_site": { "target_id": "235c52a2-c960-4005-4512-451dc54fa542", "target_display_name": "PA Site", "is_valid": true } } ] "status": "UP" }, { "transport_node": { "target_id": "77eead22-3bb9-4586-8de3-9412941f9116", "target_display_name": "Edge node 2", "is_valid": true }, "total_bgp_sessions": 1, "established_bgp_sessions": 0, "neighbor_status": [ { "source_address": "192.100.20.10", "neighbor_address": "192.200.20.10", "connection_state": "IDLE", "remote_site": { "target_id": "258c50b4-c960-4005-9023-f7946e302162", "target_display_name": "India Site", "is_valid": true } } ] "status": "DOWN" } ], "overall_status": "DEGRADED", "last_update_timestamp": 1457117071089 } Required Permissions: read Feature: nodes_edge_clusters Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get infra segment cross site forwarder placement and HA status

Get infra segment cross site forwarder placement and HA statuss.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/segments/{segment-id}/inter-site-forwarder/site-span-info

Request Headers:

n/a

Query Parameters:

L2L3RuntimeRequestParameters+

L2L3RuntimeRequestParameters (schema)

Name	Description	Type	Notes
bgp_neighbor_type	Bgp neighbor type Bgp neighbor type that can be used as filter for T0 bgp neighbor status filter.	string	Enum: INTER_SR, USER
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
edge_path	Policy path of edge node Policy path of edge node. Edge should be member of enforcement point.	string
enforcement_point_path	String Path of the enforcement point Enforcement point path.	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
source	Source of statistics data The data source can be either realtime or cached. If not provided, cached data is returned.	DataSourceType	Experimental
stats_type	Segment statistics type This indicates the type of statistics being requested. We support statistics from the data plane.	string	Experimental Enum: DATAPATH_STATS
transport_node_id	Transport Node Id Identifer of the transport node. This is a UUID.	string	Experimental

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/global-infra/segments/tier0-ls/inter-site-forwarder/site-span-info?enforcement_point_path=/infra/sites/default/enforcement-points/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

SegmentL2ForwarderSiteSpanInfo+

Example Response: { "segment_path": "/global-infra/segments/tier0-ls", "remote_macs_per_site": [ { "rtep_group_id": 2001, "remote_site": { "target_id": "258c50b4-c960-4005-9023-f7946e302162", "target_display_name": "India Site", "is_valid": true }, "remote_mac_addresses": [ "02:00:17:00:12:D3", "02:00:17:00:13:13" ], "remote_active_ips": [ "10.10.10.1" ], "remote_standby_ips": [ "20.20.20.1" ] } ], "last_update_timestamp": 1457117071089 } Required Permissions: read Feature: policy_segment Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get infra segment cross site traffic statistics

Get infra segment cross site traffic statistics.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/segments/{segment-id}/inter-site-forwarder/statistics

Request Headers:

n/a

Query Parameters:

L2L3RuntimeRequestParameters+

L2L3RuntimeRequestParameters (schema)

Name	Description	Type	Notes
bgp_neighbor_type	Bgp neighbor type Bgp neighbor type that can be used as filter for T0 bgp neighbor status filter.	string	Enum: INTER_SR, USER
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
edge_path	Policy path of edge node Policy path of edge node. Edge should be member of enforcement point.	string
enforcement_point_path	String Path of the enforcement point Enforcement point path.	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
source	Source of statistics data The data source can be either realtime or cached. If not provided, cached data is returned.	DataSourceType	Experimental
stats_type	Segment statistics type This indicates the type of statistics being requested. We support statistics from the data plane.	string	Experimental Enum: DATAPATH_STATS
transport_node_id	Transport Node Id Identifer of the transport node. This is a UUID.	string	Experimental

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/global-infra/segments/tier0-ls/inter-site-forwarder/stats?enforcement_point_path=/infra/sites/default/enforcement-points/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

SegmentCrossSiteTrafficStats+

Example Response: { "segment_path": "/global-infra/segments/tier0-ls", "rx": { "total_bytes": 56646, "total_packets": 342, "dropped_packets": 103 }, "tx": { "total_bytes": 1125548, "total_packets": 2235, "dropped_packets": 0 }, "last_update_timestamp": 1457117071089 } Required Permissions: read Feature: policy_segment Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get infra segment cross site traffic statistics (Deprecated)

Get infra segment cross site traffic statistics.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/segments/{segment-id}/inter-site-forwarder/status

Request Headers:

n/a

Query Parameters:

L2L3RuntimeRequestParameters+

L2L3RuntimeRequestParameters (schema)

Name	Description	Type	Notes
bgp_neighbor_type	Bgp neighbor type Bgp neighbor type that can be used as filter for T0 bgp neighbor status filter.	string	Enum: INTER_SR, USER
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
edge_path	Policy path of edge node Policy path of edge node. Edge should be member of enforcement point.	string
enforcement_point_path	String Path of the enforcement point Enforcement point path.	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
source	Source of statistics data The data source can be either realtime or cached. If not provided, cached data is returned.	DataSourceType	Experimental
stats_type	Segment statistics type This indicates the type of statistics being requested. We support statistics from the data plane.	string	Experimental Enum: DATAPATH_STATS
transport_node_id	Transport Node Id Identifer of the transport node. This is a UUID.	string	Experimental

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/global-infra/segments/tier0-ls/inter-site-forwarder/status?enforcement_point_path=/infra/sites/default/enforcement-points/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

SegmentCrossSiteTrafficStats+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get RTEP span and mac address-table

Get RTEP span and mac address-table.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/tier-0s/{tier-0-id}/locale-services/{locale-services-id}/inter-site/bgp-summary

Request Headers:

n/a

Query Parameters:

ListByOptionalTransportNodeParameters+

Request Body:

n/a

Example Request: GET https://policy-mgr/policy/api/v1/global-infra/tier-0s/tier0/locale-services/tier0localeservices/inter-site/bgp-summary Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeClusterInterSiteBgpSummary+

PolicyEdgeClusterInterSiteBgpSummary (schema)

Name	Description	Type	Notes
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string	Readonly
edge_cluster_path	Edge node path Edge cluster path whose status is being reported.	string	Required Readonly
edge_nodes	Individual edge nodes status Status of all edge nodes within cluster.	array of PolicyEdgeNodeInterSiteBgpSummary	Readonly
result_count	Count of results found (across all pages), set only on first page	integer	Readonly
sort_ascending	If true, results are sorted in ascending order	boolean	Readonly
sort_by	Field by which records are sorted	string	Readonly

Example Response: { "edge_cluster_path": "/infra/sites/default/enforcement-points/default/edge-clusters/b051d3f9-3ad8-4831-9d67-8ae1cd3f5a1e/edge-nodes/875381be-a4c5-4173-8aa7-ab71695a8129", "edge_nodes": [ { "edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/b051d3f9-3ad8-4831-9d67-8ae1cd3f5a1e/edge-nodes/875381be-a4c5-4173-8aa7-ab71695a8129", "neighbor_status": [ { "source_address": "10.1.1.1", "neighbor_address": "10.1.2.1", "remote_as_number": "1", "remote_port": 179, "local_port": 179, "connection_state": "ESTABLISHED", "time_since_established": 45628, "messages_received": 12, "messages_sent": 10, "connection_drop_count": 0, "established_connection_count": 1, "hold_time": 180, "keep_alive_interval": 30, "graceful_restart": true, "graceful_restart_mode": "HELPER_ONLY", "total_in_prefix_count": 2, "total_out_prefix_count": 1, "address_families": [ { "type": "IPV4_UNICAST", "in_prefix_count": 2, "out_prefix_count": 1 } ], "remote_site": { "target_id": "cfaec4c7-45c2-439b-b7c6-2c3aeabd9976", "target_display_name": "PA Site", "is_valid": true } } ], "last_update_timestamp": 1457117071089 }, { "source_address": "10.1.1.1", "neighbor_address": "10.1.2.1", "remote_as_number": "1", "remote_port": 179, "local_port": 179, "connection_state": "ESTABLISHED", "time_since_established": 45628, "messages_received": 12, "messages_sent": 10, "connection_drop_count": 0, "established_connection_count": 1, "hold_time": 180, "keep_alive_interval": 30, "graceful_restart": true, "graceful_restart_mode": "HELPER_ONLY", "total_in_prefix_count": 2, "total_out_prefix_count": 1, "address_families": [ { "type": "IPV4_UNICAST", "in_prefix_count": 2, "out_prefix_count": 1 } ], "remote_site": { "target_id": "cfaec4c7-45c2-439b-b7c6-2c3aeabd9976", "target_display_name": "PA Site", "is_valid": true } } ], "last_update_timestamp": 1457117071089 } ], } Required Permissions: read Feature: policy_connectivity Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get RTEP mesh connectivity status

Get RTEP mesh connectivity status.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/tier-0s/{tier-0-id}/locale-services/{locale-services-id}/inter-site/status

Request Headers:

n/a

Query Parameters:

ListByOptionalTransportNodeParameters+

Request Body:

n/a

Example Request: GET https://policy-mgr/policy/api/v1/global-infra/tier-0s/tier0/locale-services/tier0localeservices/inter-site/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeClusterInterSiteStatus+

Example Response: { "gateway_path": "/global-infra/tier-0s/tier0", "edge_cluster_path": "/global-infra/sites/default/enforcement-points/default/edge-clusters/875381be-a4c5-4173-8aa7-ab71695a8129", "edge_cluster_name": "Federation edge cluster", "member_status": [ { "edge_node": { "edge_node_path": "/global-infra/sites/default/enforcement-points/default/edge-clusters/b051d3f9-3ad8-4831-9d67-8ae1cd3f5a1e/edge-nodes/258c50b4-c960-4005-9023-f7946e302162", "target_display_name": "Edge node 1", "is_valid": true }, "total_bgp_sessions": 2, "established_bgp_sessions": 2, "neighbor_status": [ { "source_address": "192.100.20.10", "neighbor_address": "192.200.20.10", "connection_state": "ESTABLISHED", "remote_site": { "target_edge_node": "258c50b4-c960-4005-9023-f7946e302162", "target_display_name": "India Site", "is_valid": true } }, { "source_address": "192.300.20.10", "neighbor_address": "192.400.20.10", "connection_state": "ESTABLISHED", "remote_site": { "target_id": "235c52a2-c960-4005-4512-451dc54fa542", "target_display_name": "PA Site", "is_valid": true } } ] "status": "UP" }, { "edge_node": { "edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/b051d3f9-3ad8-4831-9d67-8ae1cd3f5a1e/edge-nodes/77eead22-3bb9-4586-8de3-9412941f9116", "target_display_name": "Edge node 2", "is_valid": true }, "total_bgp_sessions": 1, "established_bgp_sessions": 0, "neighbor_status": [ { "source_address": "192.100.20.10", "neighbor_address": "192.200.20.10", "connection_state": "IDLE", "remote_site": { "target_edge_node": "258c50b4-c960-4005-9023-f7946e302162", "target_display_name": "India Site", "is_valid": true } } ] "status": "DOWN" } ], "overall_status": "DEGRADED", "last_update_timestamp": 1457117071089 } Required Permissions: read Feature: policy_connectivity Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get inter-site L2 forwarder status for Tier1 gateway

Get inter-site L2 forwarder status for Tier1 gateway.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/tier-1s/{tier-1-id}/locale-services/{locale-services-id}/inter-site-forwarder/status

Request Headers:

n/a

Query Parameters:

ListByOptionalTransportNodeParameters+

Request Body:

n/a

Example Request: GET https://policy-mgr/policy/api/v1/global-infra/tier-1s/tier1/locale-services/tier1localeservices/inter-site-forwarder/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GatewayL2ForwarderSiteSpanInfo+

Example Response: { } Required Permissions: read Feature: policy_connectivity Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get segment cross site forwarder placement and HA status

Get segment cross site forwarder placement and HA statuss.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/tier-1s/{tier-1-id}/segments/{segment-id}/inter-site-forwarder/site-span-info

Request Headers:

n/a

Query Parameters:

L2L3RuntimeRequestParameters+

L2L3RuntimeRequestParameters (schema)

Name	Description	Type	Notes
bgp_neighbor_type	Bgp neighbor type Bgp neighbor type that can be used as filter for T0 bgp neighbor status filter.	string	Enum: INTER_SR, USER
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
edge_path	Policy path of edge node Policy path of edge node. Edge should be member of enforcement point.	string
enforcement_point_path	String Path of the enforcement point Enforcement point path.	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
source	Source of statistics data The data source can be either realtime or cached. If not provided, cached data is returned.	DataSourceType	Experimental
stats_type	Segment statistics type This indicates the type of statistics being requested. We support statistics from the data plane.	string	Experimental Enum: DATAPATH_STATS
transport_node_id	Transport Node Id Identifer of the transport node. This is a UUID.	string	Experimental

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/global-infra/tier-1s/tier1/segments/tier1-ls/inter-site-forwarder/site-span-info?enforcement_point_path=/infra/sites/default/enforcement-points/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

SegmentL2ForwarderSiteSpanInfo+

Example Response: { "segment_path": "/global-infra/tier-1s/tier1/segments/tier1-ls", "remote_macs_per_site": [ { "rtep_group_id": 2001, "remote_site": { "target_id": "258c50b4-c960-4005-9023-f7946e302162", "target_display_name": "India Site", "is_valid": true }, "remote_mac_addresses": [ "02:00:17:00:12:D3", "02:00:17:00:13:13" ], "remote_active_ips": [ "10.10.10.1" ], "remote_standby_ips": [ "20.20.20.1" ] } ], "last_update_timestamp": 1457117071089 } Required Permissions: read Feature: policy_segment Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get segment cross site traffic statistics

Get segment cross site traffic statistics.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/tier-1s/{tier-1-id}/segments/{segment-id}/inter-site-forwarder/statistics

Request Headers:

n/a

Query Parameters:

L2L3RuntimeRequestParameters+

L2L3RuntimeRequestParameters (schema)

Name	Description	Type	Notes
bgp_neighbor_type	Bgp neighbor type Bgp neighbor type that can be used as filter for T0 bgp neighbor status filter.	string	Enum: INTER_SR, USER
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
edge_path	Policy path of edge node Policy path of edge node. Edge should be member of enforcement point.	string
enforcement_point_path	String Path of the enforcement point Enforcement point path.	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
source	Source of statistics data The data source can be either realtime or cached. If not provided, cached data is returned.	DataSourceType	Experimental
stats_type	Segment statistics type This indicates the type of statistics being requested. We support statistics from the data plane.	string	Experimental Enum: DATAPATH_STATS
transport_node_id	Transport Node Id Identifer of the transport node. This is a UUID.	string	Experimental

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/global-infra/tier-1s/tier1/segments/tier1-ls/inter-site-forwarder/stats?enforcement_point_path=/infra/sites/default/enforcement-points/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

SegmentCrossSiteTrafficStats+

Example Response: { "segment_path": "/global-infra/tier-1s/tier1/segments/tier1-ls", "rx": { "total_bytes": 56646, "total_packets": 342, "dropped_packets": 103 }, "tx": { "total_bytes": 1125548, "total_packets": 2235, "dropped_packets": 0 }, "last_update_timestamp": 1457117071089 } Required Permissions: read Feature: policy_segment Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get segment cross site traffic statistics (Deprecated)

Get segment cross site traffic statistics.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/tier-1s/{tier-1-id}/segments/{segment-id}/inter-site-forwarder/status

Request Headers:

n/a

Query Parameters:

L2L3RuntimeRequestParameters+

L2L3RuntimeRequestParameters (schema)

Name	Description	Type	Notes
bgp_neighbor_type	Bgp neighbor type Bgp neighbor type that can be used as filter for T0 bgp neighbor status filter.	string	Enum: INTER_SR, USER
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
edge_path	Policy path of edge node Policy path of edge node. Edge should be member of enforcement point.	string
enforcement_point_path	String Path of the enforcement point Enforcement point path.	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
source	Source of statistics data The data source can be either realtime or cached. If not provided, cached data is returned.	DataSourceType	Experimental
stats_type	Segment statistics type This indicates the type of statistics being requested. We support statistics from the data plane.	string	Experimental Enum: DATAPATH_STATS
transport_node_id	Transport Node Id Identifer of the transport node. This is a UUID.	string	Experimental

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/global-infra/tier-1s/tier1/segments/tier1-ls/inter-site-forwarder/status?enforcement_point_path=/infra/sites/default/enforcement-points/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

SegmentCrossSiteTrafficStats+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get L2 forwarder remote mac addresses (Experimental)

Returns remote mac addresses of the l2 forwarder on logical switch.
It always returns realtime response.
Request:

Method:

GET

URI Path(s):

/api/v1/logical-switches/{logical-switch-id}/inter-site-forwarder/site-span-info

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/logical-switches/7a62a0c5-1ea1-4b25-9d43-dce1c0fa4b8c/inter-site-forwarder/site-span-info Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

L2ForwarderRemoteMacs+

Example Response: { "logical_switch_id": "7a62a0c5-1ea1-4b25-9d43-dce1c0fa4b8c", "remote_macs_per_site": [ { "rtep_group_id": 2001, "remote_site": { "target_id": "258c50b4-c960-4005-9023-f7946e302162", "target_display_name": "India Site", "is_valid": true }, "remote_mac_addresses": [ "02:00:17:00:12:D3", "02:00:17:00:13:13" ], "remote_active_ips": [ "10.10.10.1" ], "remote_standby_ips": [ "20.20.20.1" ] } ], "last_update_timestamp": 1457117071089 } Required Permissions: read Feature: aggregation_service_health_monitoring Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get L2 forwarder statistics (Experimental)

Returns statistics of the l2 forwarder on logical switch.
It always returns realtime response.
Request:

Method:

GET

URI Path(s):

/api/v1/logical-switches/{logical-switch-id}/inter-site-forwarder/statistics

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/logical-switches/7a62a0c5-1ea1-4b25-9d43-dce1c0fa4b8c/inter-site-forwarder/statistics Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

L2ForwarderStatistics+

Example Response: { "logical_switch_id": "7a62a0c5-1ea1-4b25-9d43-dce1c0fa4b8c", "rx": { "total_bytes": 56646, "total_packets": 342, "dropped_packets": 103 }, "tx": { "total_bytes": 1125548, "total_packets": 2235, "dropped_packets": 0 }, "last_update_timestamp": 1457117071089 } Required Permissions: read Feature: aggregation_service_health_monitoring Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get L2 forwarder status (Experimental) (Deprecated)

Returns status per transport node of the l2 forwarder on logical switch.
Request:

Method:

GET

URI Path(s):

/api/v1/logical-switches/{logical-switch-id}/inter-site-forwarder/status

Request Headers:

n/a

Query Parameters:

DataSourceParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/logical-switches/7a62a0c5-1ea1-4b25-9d43-dce1c0fa4b8c/inter-site-forwarder/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

L2ForwarderStatus+

Example Response: { "logical_switch_id": "7a62a0c5-1ea1-4b25-9d43-dce1c0fa4b8c", "status_per_node": [ { "transport_node": { "target_id": "258c50b4-c960-4005-9023-f7946e302162", "target_display_name": "Edge node 1", "is_valid": true }, "high_availability_status": "STANDBY" }, { "transport_node": { "target_id": "56eead22-3bb9-4586-8de3-9412941f9116", "target_display_name": "Edge node 2", "is_valid": true }, "high_availability_status": "ACTIVE" } ] "last_update_timestamp": 1457117071089 } Required Permissions: read Feature: aggregation_service_health_monitoring Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Paginated list of BGP Neighbors on edge transport node

Paginated list of BGP Neighbors on edge transport node.
Request:

Method:

GET

URI Path(s):

/api/v1/transport-nodes/{edge-node-id}/inter-site/bgp/neighbors

Request Headers:

n/a

Query Parameters:

ListRequestParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/transport-nodes/875381be-a4c5-4173-8aa7-ab71695a8129/inter-site/bgp/neighbors Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

BgpNeighborListResult+

Example Response: { "cursor": "0036640912b0-4820-46f0-b7c2-7a9e2cb57505neighbor2", "result_count": 2, "neighbors": [ { "id": "a9478c1d-d7ab-47c5-9e05-548920f4d88c", "display_name": "neighbor2", "resource_type": "BgpNeighbor", "hold_down_timer": 180, "neighbor_address": "1.1.1.1", "keep_alive_timer": 60, "remote_as_num": "300", "address_families": [ { "type" : "IPV4_UNICAST", "enabled" : true } ], "_last_modified_time": 1433948850593, "_create_time": 1433948850593, "_create_user": "admin", "_last_modified_user": "admin", "_revision": 0 }, { "id": "640912b0-4820-46f0-b7c2-7a9e2cb57505", "display_name": "neighbor1", "resource_type": "BgpNeighbor", "hold_down_timer": 180, "neighbor_address": "2.2.2.2", "keep_alive_timer": 60, "remote_as_num": "200", "address_families": [ { "type" : "IPV4_UNICAST", "enabled" : true, "in_filter_ipprefixlist_id" : "ad879413-dbc3-4952-b77d-28386c3a5363" } ], "_last_modified_time": 1433960878203, "_create_time": 1433949148014, "_create_user": "admin", "_last_modified_user": "admin", "_revision": 4 } ] } Required Permissions: read Feature: aggregation_service_health_monitoring Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get BGP neighbor advertised routes on edge transport node

Returns routes advertised by BGP neighbor from the given edge transport node.
It always returns realtime response.
Request:

Method:

GET

URI Path(s):

/api/v1/transport-nodes/{edge-node-id}/inter-site/bgp/neighbors/{neighbor-id}/advertised-routes

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/transport-nodes/875381be-a4c5-4173-8aa7-ab71695a8129/inter-site/bgp/neighbors/f8431964-f400-4da5-8c18-4ce4e6bd5fa5/advertised-routes Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

BgpNeighborRouteDetails+

Example Response: { "logical_router_id": "4cca3156-bcc0-4c77-9a6a-141cb33a3844", "neighbor_address": "40.40.40.10", "per_transport_node_routes": [{ "transport_node_id": "6c9e2815-ad34-4b9c-bb95-8af87990cf5a", "source_address": "10.10.10.1", "routes": [{ "network": "2.1.4.0/24", "next_hop": "40.40.40.10", "local_pref": 0, "weight": 0, "med": 1, "as_path": 1000 }, { "network": "40.40.40.0/24", "next_hop": "40.40.40.10", "local_pref": 0, "weight": 0, "med": 1, "as_path": 1000 }] }, { "transport_node_id": "7980e91e-ba6d-11e8-9bda-020009ead346", "source_address": "50.50.50.1", "routes": [{ "network": "2.1.4.0/24", "next_hop": "40.40.40.10", "local_pref": 0, "weight": 0, "med": 1, "as_path": 1000 }, { "network": "40.40.40.0/24", "next_hop": "40.40.40.10", "local_pref": 0, "weight": 0, "med": 1, "as_path": 1000 }] }] } Required Permissions: read Feature: aggregation_service_health_monitoring Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get BGP neighbor learned routes on edge transport node

Returns routes learned by BGP neighbor from the given edge transport node.
It always returns realtime response.
Request:

Method:

GET

URI Path(s):

/api/v1/transport-nodes/{edge-node-id}/inter-site/bgp/neighbors/{neighbor-id}/routes

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/transport-nodes/875381be-a4c5-4173-8aa7-ab71695a8129/inter-site/bgp/neighbors/f8431964-f400-4da5-8c18-4ce4e6bd5fa5/routes Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

BgpNeighborRouteDetails+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get inter-site BGP summary of edge node (Deprecated)

Returns BGP summary for all configured neighbors in tunnel VRF
on the given egde node. It always returns realtime response.
Request:

Method:

GET

URI Path(s):

/api/v1/transport-nodes/{edge-node-id}/inter-site/bgp/summary

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/transport-nodes/875381be-a4c5-4173-8aa7-ab71695a8129/inter-site/bgp/summary Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

InterSiteBgpSummary+

Example Response: { "transport_node_id": "875381be-a4c5-4173-8aa7-ab71695a8129", "neighbor_status": [ { "source_address": "10.1.1.1", "neighbor_address": "10.1.2.1", "remote_as_number": "1", "remote_port": 179, "local_port": 179, "connection_state": "ESTABLISHED", "time_since_established": 45628, "messages_received": 12, "messages_sent": 10, "connection_drop_count": 0, "established_connection_count": 1, "hold_time": 180, "keep_alive_interval": 30, "graceful_restart": true, "graceful_restart_mode": "HELPER_ONLY", "total_in_prefix_count": 2, "total_out_prefix_count": 1, "address_families": [ { "type": "IPV4_UNICAST", "in_prefix_count": 2, "out_prefix_count": 1 } ], "remote_site": { "target_id": "cfaec4c7-45c2-439b-b7c6-2c3aeabd9976", "target_display_name": "PA Site", "is_valid": true } } ], "last_update_timestamp": 1457117071089 } Required Permissions: read Feature: aggregation_service_health_monitoring Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get inter-site statistics of edge node

Returns RTEP to RTEP tunnel port statistics of the given edge node.
It always returns realtime response.
Request:

Method:

GET

URI Path(s):

/api/v1/transport-nodes/{edge-node-id}/inter-site/statistics

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/transport-nodes/875381be-a4c5-4173-8aa7-ab71695a8129/inter-site/statistics Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

NodeInterSiteStatistics+

Example Response: { "transport_node_id": "875381be-a4c5-4173-8aa7-ab71695a8129", "stats_per_site": [ { "remote_site": { "target_id": "258c50b4-c960-4005-9023-f7946e302162", "target_display_name": "India Site", "is_valid": true }, "stats_per_tunnel": [ { "tunnel_source_address": "100.10.10.1", "tunnel_destination_address": "200.20.20.1", "rx": { "total_bytes": 1000, "total_packets": 100, "dropped_packets": 20 }, "tx": { "total_bytes": 2000, "total_packets": 300, "dropped_packets": 0 } }, { "tunnel_source_address": "300.30.30.1", "tunnel_destination_address": "400.40.40.1", "rx": { "total_bytes": 1500, "total_packets": 120, "dropped_packets": 50 }, "tx": { "total_bytes": 3000, "total_packets": 320, "dropped_packets": 10 } } ], "rx": { "total_bytes": 2500, "total_packets": 220, "dropped_packets": 70 }, "tx": { "total_bytes": 4500, "total_packets": 440, "dropped_packets": 60 } }, { "remote_site": { "target_id": "cfaec4c7-45c2-439b-b7c6-2c3aeabd9976", "target_display_name": "PA Site", "is_valid": true }, "stats_per_tunnel": [ { "tunnel_source_address": "100.10.10.1", "tunnel_destination_address": "200.20.20.1", "rx": { "total_bytes": 1000, "total_packets": 100, "dropped_packets": 20 }, "tx": { "total_bytes": 2000, "total_packets": 300, "dropped_packets": 0 } } ], "rx": { "total_bytes": 1000, "total_packets": 100, "dropped_packets": 20 }, "tx": { "total_bytes": 2000, "total_packets": 300, "dropped_packets": 0 } } ], "last_update_timestamp": 1457117071089 } Required Permissions: read Feature: aggregation_service_health_monitoring Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Federation: Observability

Associated URIs:

GET /policy/api/v1/observability/flow-details

Get monitoring info

Provides federation monitoring information, which includes all
config flows originating from the site where API is invoked.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/observability/flow-details

Request Headers:

n/a

Query Parameters:

SiteRequestParameter+

Request Body:

n/a

Example Request: GET https://<global-manager>/global-manager/api/v1/observability/flow-details GET https://<local-manager>/policy/api/v1/observability/flow-details Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

MonitoringInfo+

Example Response: On Global Manager { "monitoring_info": [{ "id": "rrrrrr-9ebc-46e0-9d7a-5a4fa8bb3802", "flow_type":"GM_TO_LM", "queue_info": [ { "max_size": 1000, "current_size": 100, "name": "gm2lm.transmitter.delta", "namespace": "ar-queues" }, { "max_size": 1000, "current_size": 200, "name": "gm2lm.receiver.delta", "namespace": "ar-queues" }, ], "cross_site_flow_info": { "status": "GOOD", "to_site_id": "36021bd5-9ebc-46e0-9d7a-5a4fa8bb3802", "to_site_path": "/global-infra/sites/Newyork", "from_site_id": "ececa019-3601-47dc-b92e-f21f52b34f6f", "from_site_path": "/global-infra/global-managers/LondonGM", "latency_millis": 123, "latency_measured_ts": 1590336614947, "last_full_sync": { "status": "COMPLETED", "id": "f6fda71a-d5f2-4000-8677-deaafd80641e", "reason_code": "10010", "reason": "Site onboarded", "stage": "COMPLETED", "data_streaming_from_source_progress": "Sending resources of type COMMUNICATION_MAP", "data_streaming_from_source_start_time": 1590335604947, "data_streaming_from_source_end_time": 1590336604947, "receiver_state": "COMPLETED", "receiver_start_time": 1590336614947, "receiver_end_time": 1590336714947, "start_time": 1590335604947, "end_time": 1590435604947, "errors": {}, "warnings": {} } } }, { "id": "asarrr-9ebc-46e0-9d7a-5a4fa8bb3802", "flow_type":"GM_TO_LM", "queue_info": [ { "max_size": 1000, "current_size": 100, "name": "gm2lm.transmitter.delta", "namespace": "ar-queues" }, { "max_size": 1000, "current_size": 200, "name": "gm2lm.receiver.delta", "namespace": "ar-queues" }, ], "cross_site_flow_info": { "status": "GOOD", "to_site_id": "aa021bd5-9ebc-46e0-9d7a-5a4fa8bb3111", "to_site_path": "/global-infra/sites/Paris", "from_site_id": "ececa019-3601-47dc-b92e-f21f52b34f6f", "from_site_path": "/global-infra/global-managers/LondonGM", "latency_millis": 123, "latency_measured_ts": 1590336614947, "last_full_sync": { "status": "COMPLETED", "id": "f6fda71a-d5f2-4000-8677-deaafd80641e", "reason_code": "10010", "reason": "Site onboarded", "stage": "COMPLETED", "data_streaming_from_source_progress": "Sending resources of type COMMUNICATION_MAP", "data_streaming_from_source_start_time": 1590335604947, "data_streaming_from_source_end_time": 1590336604947, "receiver_state": "COMPLETED", "receiver_start_time": 1590336614947, "receiver_end_time": 1590336714947, "start_time": 1590335604947, "end_time": 1590435604947, "errors": {}, "warnings": {} } } }, { "id": "rrbbr-9ebc-46e0-9d7a-5a4fa8bb3802", "flow_type":"LM_TO_GM", "queue_info": [ { "max_size": 1000, "current_size": 100, "name": "lm2gm.transmitter.delta", "namespace": "ar-queues" }, { "max_size": 1000, "current_size": 200, "name": "lm2gm.receiver.delta", "namespace": "ar-queues" }, ], "cross_site_flow_info": { "status": "GOOD", "to_site_id": "ececa019-3601-47dc-b92e-f21f52b34f6f", "to_site_path": "/global-infra/global-managers/LondonGM", "from_site_id": "aa021bd5-9ebc-46e0-9d7a-5a4fa8bb3111", "from_site_path": "/global-infra/sites/Paris", "latency_millis": 125 } }, { "id": "ca00-9ebc-46e0-9d7a-5a4fa8bb3802", "flow_type":"LM_TO_GM", "queue_info": [ { "max_size": 1000, "current_size": 100, "name": "lm2gm.transmitter.delta", "namespace": "ar-queues" }, { "max_size": 1000, "current_size": 200, "name": "lm2gm.receiver.delta", "namespace": "ar-queues" }, ], "cross_site_flow_info": { "status": "GOOD", "to_site_id": "ececa019-3601-47dc-b92e-f21f52b34f6f", "to_site_path": "/global-infra/global-managers/NewyorkGM", "from_site_id": "BB021bd5-9ebc-46e0-9d7a-5a4fa8bb3155", "from_site_path": "/global-infra/sites/Newyork", "latency_millis": 120 "latency_measured_ts": 1590336614947, } }, { "id": "cab10-9ebc-46e0-9d7a-5a4fa8bb3802", "flow_type":"GM_WORK_QUEUE", "queue_info": [ { "max_size": 1000, "current_size": 100, "name": "gm-work-queue", "namespace": "gm" } ] }, { "id": "dea0-9ebc-46e0-9d7a-5a4fa8bb3802", "flow_type":"GM_DELETE_QUEUE", "queue_info": [ { "max_size": 1000, "current_size": 100, "name": "gm-delete-queue-1", "namespace": "gm" } ] } ] } On Local Manager { "monitoring_info": [ { "id": "we11-9ebc-46e0-9d7a-5a4fa8bb3802", "flow_type":"GM_TO_LM", "queue_info": [ { "max_size": 1000, "current_size": 100, "name": "gm2lm.transmitter.delta", "namespace": "ar-queues" }, { "max_size": 1000, "current_size": 200, "name": "gm2lm.receiver.delta", "namespace": "ar-queues" }, ], "cross_site_flow_info": { "status": "GOOD", "to_site_id": "aa021bd5-9ebc-46e0-9d7a-5a4fa8bb3111", "to_site_path": "/global-infra/sites/Paris", "from_site_id": "ececa019-3601-47dc-b92e-f21f52b34f6f", "from_site_path": "/global-infra/global-managers/LondonGM", "latency_millis": 123, "latency_measured_ts": 1590336614947, "last_full_sync": { "status": "COMPLETED", "id": "f6fda71a-d5f2-4000-8677-deaafd80641e", "reason_code": "10010", "reason": "Site onboarded", "stage": "COMPLETED", "data_streaming_from_source_progress": "Sending resources of type COMMUNICATION_MAP", "data_streaming_from_source_start_time": 1590335604947, "data_streaming_from_source_end_time": 1590336604947, "receiver_state": "COMPLETED", "receiver_start_time": 1590336614947, "receiver_end_time": 1590336714947, "start_time": 1590335604947, "end_time": 1590435604947, "errors": {}, "warnings": {} } } }, { "id": "fg12-9ebc-46e0-9d7a-5a4fa8bb3802", "flow_type":"LM_TO_GM", "queue_info": [ { "max_size": 1000, "current_size": 100, "name": "lm2gm.transmitter.delta", "namespace": "ar-queues" }, { "max_size": 1000, "current_size": 200, "name": "lm2gm.receiver.delta", "namespace": "ar-queues" }, ], "cross_site_flow_info": { "status": "GOOD", "to_site_id": "ececa019-3601-47dc-b92e-f21f52b34f6f", "to_site_path": "/global-infra/global-managers/LondonGM", "from_site_id": "aa021bd5-9ebc-46e0-9d7a-5a4fa8bb3111", "from_site_path": "/global-infra/sites/Paris", "latency_millis": 125, "latency_measured_ts": 1590336614947, } }, { "id": "ff10-9ebc-46e0-9d7a-5a4fa8bb3802", "flow_type":"LM_TO_LM", "cross_site_flow_info": { "status": "GOOD", "to_site_id": "aa021bd5-9ebc-46e0-9d7a-5a4fa8bb3111", // To NewYork (LM doesn't have site paths) "from_site_id": "ececa019-3601-47dc-b92e-f21f52b34f6f", "latency_millis": 123, "latency_measured_ts": 1590336614947, } } ] } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Federation: Security: East West Security: Distributed Firewall: Settings

Federation: Security: East West Security: Distributed Firewall: Settings: Distributed Firewall Settings

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/settings/firewall/security
GET /policy/api/v1/global-infra/sites/{site-id}/settings/firewall/security
GET /policy/api/v1/infra/sites/settings/firewall/security
GET /policy/api/v1/global-infra/sites/settings/firewall/security

Get global distributed firewall configuration for the specified site

Get global distributed firewall configuration for the specified site. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/settings/firewall/security

/policy/api/v1/global-infra/sites/{site-id}/settings/firewall/security

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/global-manager/api/v1/global-infra/sites/london/settings/firewall/security Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GlobalDfwConfiguration+

GlobalDfwConfiguration (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enable_firewall	Distributed firewall enable flag If set to true, distributed firewall is enabled on a specified site.	boolean	Default: "True"
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value GlobalDfwConfiguration	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "GlobalDfwConfiguration", "id": "security", "display_name": "security", "path": "/global-infra/sites/london/settings/firewall/security", "relative_path": "security", "marked_for_delete": false, "enable_firewall": true, "_create_user": "system", "_create_time": 1554274751846, "_last_modified_user": "admin", "_last_modified_time": 1554274751846, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: read Feature: policy_security_settings Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get global distributed firewall configurations for all the sites

Get global distributed firewall configurations for all the sites. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/settings/firewall/security

/policy/api/v1/global-infra/sites/settings/firewall/security

Request Headers:

n/a

Query Parameters:

PolicyListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/global-manager/api/v1/global-infra/sites/settings/firewall/security Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GlobalDfwConfigurationListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type": "GlobalDfwConfiguration", "id": "security", "display_name": "security", "path": "/global-infra/sites/london/settings/firewall/security", "relative_path": "security", "marked_for_delete": false, "enable_firewall": true, "_create_user": "system", "_create_time": 1554274751846, "_last_modified_user": "admin", "_last_modified_time": 1554274751846, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: policy_security_settings Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Federation: Sites

Associated URIs:

GET /policy/api/v1/infra/site/offboarding-status
GET /policy/api/v1/infra/sites
GET /policy/api/v1/global-infra/sites
DELETE /policy/api/v1/infra/sites/{site-id}
GET /policy/api/v1/infra/sites/{site-id}
GET /policy/api/v1/global-infra/sites/{site-id}
PATCH /policy/api/v1/infra/sites/{site-id}
PUT /policy/api/v1/infra/sites/{site-id}
GET /policy/api/v1/infra/sites/listener_certificate
GET /policy/api/v1/global-infra/sites/listener_certificate
GET /policy/api/v1/infra/span
GET /policy/api/v1/global-infra/span
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/span

Get site offboarding status.

Get site offboarding status. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/site/offboarding-status

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy>/policy/api/v1/infra/site/offboarding-status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

SiteOffBoardingState+

SiteOffBoardingState (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
message	Message about the status. Captures message associated with status. If FAILED, can contain folowing errors local site configuration is null internal server error with detail	string	Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
previousErrorMessage	Previous failure message. Contains previus failed message in case, state machine is stuck in a state	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value SiteOffBoardingState	string
status	Status of site. Represents site offboarding status.	string	Readonly Enum: INITIALIZE_INPROGRESS, INITIALIZE_FAILED, INITIALIZE_SUCCESSFUL, CLEANUP_INPROGRESS, CLEANUP_FAILED, CLEANUP_SUCCESSFUL, REALIZATION_INPROGRESS, REALIZATION_FAILED, REALIZATION_SUCCESSFUL, TERMINAL_INPROGRESS, TERMINAL_FAILED, FAILED, SUCCESSFUL
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "SiteOffBoardingState", "status": "INITIALIZE_INPROGRESS", "is_local": true, "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List Sites

List Sites under Infra.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites

/policy/api/v1/global-infra/sites

Request Headers:

n/a

Query Parameters:

SiteListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

SiteListResult+

Example Response: { "result_count" : 3, "results" : [ { "resource_type": "Site", "id": "casablanca", "display_name": "Casablanca, Morocco Site", "description" : "Site managing call center workloads in North Africa", "path": "/infra/sites/casablanca", "parent_path": "/infra/sites/casablanca", "relative_path": "casablanca", "site_connection_info": [{ "fqdn": "10.192.201.163" }], "maximum_rtt": 250, "fail_if_rtt_exceeded": true, "fail_if_mismatch_rteps": true "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 }, { "resource_type": "Site", "id": "tokyo", "display_name": "Tokyo, Japan Site", "description" : "Active Site managing production workloads in East Asia", "path": "/infra/sites/tokyo", "parent_path": "/infra/sites/tokyo", "relative_path": "tokyo", "site_connection_info": [{ "fqdn": "10.199.201.163" }], "maximum_rtt": 250, "fail_if_rtt_exceeded": true, "fail_if_mismatch_rteps": true "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 }, { "resource_type": "Site", "id": "paris", "display_name": "Paris, France Site", "description" : "StandBy Site managing business workloads in Central Europe", "path": "/infra/sites/paris", "parent_path": "/infra/sites/paris", "relative_path": "paris", "site_connection_info": [{ "fqdn": "10.190.201.163" }], "maximum_rtt": 250, "fail_if_rtt_exceeded": true, "fail_if_mismatch_rteps": true "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } ] } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or fully replace a Site under infra

Create or fully replace a Site under Infra.
Revision is optional for creation and required for update.
Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/sites/{site-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

Site+

Site (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildEnforcementPoint ChildSiteSecuritySetting
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
fail_if_rtep_misconfigured	Fail onboarding if RTEPs misconfigured Both the local site and the remote site must have edge clusters correctly configured and remote tunnel endpoint (RTEP) interfaces must be defined, or onboarding will fail.	boolean	Default: "True"
fail_if_rtt_exceeded	Fail onboarding if maximum RTT exceeded Fail onboarding if maximum RTT exceeded.	boolean	Default: "True"
federation_config	Federation releated config System managed federation config.	GmFederationSiteConfig	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
maximum_rtt	Maximum acceptable packet round trip time (RTT) If provided and fail_if_rtt_exceeded is true, onboarding of the site will fail if measured RTT is greater than this value.	integer	Minimum: 0 Maximum: 1000 Default: "250"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Site	string
site_connection_info	Connection information To onboard a site, the connection information (username, password, and API thumbprint) for at least one NSX manager node in the remote site must be provided. Once the site has been successfully onboarded, the site_connection_info is discarded and authentication to the remote site occurs using an X.509 client certificate.	array of SiteNodeConnectionInfo	Maximum items: 3
site_number	12-bit system generated site number	integer	Readonly
site_type	Persistent Site Type The site_type property identifies type of current site.	string	Enum: ONPREM_LM, SDDC_LM
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/sites/Paris { "site_connection_info": [{ "fqdn": "10.192.201.163", "username": "admin", "password": "Admin!23Admin", "thumbprint": "f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" }], "maximum_rtt": 250, "fail_if_rtt_exceeded": true, "fail_if_rtep_misconfigured": true "display_name": "Paris, EU Site", "description" : "Site managing call center workloads in western Europe", "_revision" : 1 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Site+

Site (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildEnforcementPoint ChildSiteSecuritySetting
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
fail_if_rtep_misconfigured	Fail onboarding if RTEPs misconfigured Both the local site and the remote site must have edge clusters correctly configured and remote tunnel endpoint (RTEP) interfaces must be defined, or onboarding will fail.	boolean	Default: "True"
fail_if_rtt_exceeded	Fail onboarding if maximum RTT exceeded Fail onboarding if maximum RTT exceeded.	boolean	Default: "True"
federation_config	Federation releated config System managed federation config.	GmFederationSiteConfig	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
maximum_rtt	Maximum acceptable packet round trip time (RTT) If provided and fail_if_rtt_exceeded is true, onboarding of the site will fail if measured RTT is greater than this value.	integer	Minimum: 0 Maximum: 1000 Default: "250"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Site	string
site_connection_info	Connection information To onboard a site, the connection information (username, password, and API thumbprint) for at least one NSX manager node in the remote site must be provided. Once the site has been successfully onboarded, the site_connection_info is discarded and authentication to the remote site occurs using an X.509 client certificate.	array of SiteNodeConnectionInfo	Maximum items: 3
site_number	12-bit system generated site number	integer	Readonly
site_type	Persistent Site Type The site_type property identifies type of current site.	string	Enum: ONPREM_LM, SDDC_LM
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "Site", "id": "Paris", "display_name": "Paris, EU Site", "description" : "Site managing call center workloads in western Europe", "path": "/infra/sites/Paris", "parent_path": "/infra/sites/Paris", "relative_path": "Paris", "site_connection_info": [{ "fqdn": "10.192.201.163" }], "maximum_rtt": 250, "fail_if_rtt_exceeded": true, "fail_if_rtep_misconfigured": true "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } Required Permissions: crud Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or patch Site

Create or patch Site under Infra.
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/sites/{site-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

Site+

Site (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildEnforcementPoint ChildSiteSecuritySetting
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
fail_if_rtep_misconfigured	Fail onboarding if RTEPs misconfigured Both the local site and the remote site must have edge clusters correctly configured and remote tunnel endpoint (RTEP) interfaces must be defined, or onboarding will fail.	boolean	Default: "True"
fail_if_rtt_exceeded	Fail onboarding if maximum RTT exceeded Fail onboarding if maximum RTT exceeded.	boolean	Default: "True"
federation_config	Federation releated config System managed federation config.	GmFederationSiteConfig	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
maximum_rtt	Maximum acceptable packet round trip time (RTT) If provided and fail_if_rtt_exceeded is true, onboarding of the site will fail if measured RTT is greater than this value.	integer	Minimum: 0 Maximum: 1000 Default: "250"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Site	string
site_connection_info	Connection information To onboard a site, the connection information (username, password, and API thumbprint) for at least one NSX manager node in the remote site must be provided. Once the site has been successfully onboarded, the site_connection_info is discarded and authentication to the remote site occurs using an X.509 client certificate.	array of SiteNodeConnectionInfo	Maximum items: 3
site_number	12-bit system generated site number	integer	Readonly
site_type	Persistent Site Type The site_type property identifies type of current site.	string	Enum: ONPREM_LM, SDDC_LM
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/sites/Paris { "site_connection_info": [{ "fqdn": "10.192.201.163", "username": "admin", "password": "Admin!23Admin", "thumbprint": "f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" }], "maximum_rtt": 250, "fail_if_rtt_exceeded": true, "fail_if_rtep_misconfigured": true "display_name": "Paris, EU Site", "description" : "Site managing call center workloads in western Europe", } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete a site

Delete a site under Infra.
Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/sites/{site-id}

Request Headers:

n/a

Query Parameters:

SiteActionParameters+

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/sites/Paris Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read a site

Read a site under Infra.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}

/policy/api/v1/global-infra/sites/{site-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/casablanca Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Site+

Site (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildEnforcementPoint ChildSiteSecuritySetting
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
fail_if_rtep_misconfigured	Fail onboarding if RTEPs misconfigured Both the local site and the remote site must have edge clusters correctly configured and remote tunnel endpoint (RTEP) interfaces must be defined, or onboarding will fail.	boolean	Default: "True"
fail_if_rtt_exceeded	Fail onboarding if maximum RTT exceeded Fail onboarding if maximum RTT exceeded.	boolean	Default: "True"
federation_config	Federation releated config System managed federation config.	GmFederationSiteConfig	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
maximum_rtt	Maximum acceptable packet round trip time (RTT) If provided and fail_if_rtt_exceeded is true, onboarding of the site will fail if measured RTT is greater than this value.	integer	Minimum: 0 Maximum: 1000 Default: "250"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Site	string
site_connection_info	Connection information To onboard a site, the connection information (username, password, and API thumbprint) for at least one NSX manager node in the remote site must be provided. Once the site has been successfully onboarded, the site_connection_info is discarded and authentication to the remote site occurs using an X.509 client certificate.	array of SiteNodeConnectionInfo	Maximum items: 3
site_number	12-bit system generated site number	integer	Readonly
site_type	Persistent Site Type The site_type property identifies type of current site.	string	Enum: ONPREM_LM, SDDC_LM
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "Site", "id": "casablanca", "display_name": "Casablanca, Morocco Site", "description" : "Site managing call center workloads in North Africa", "path": "/infra/sites/casablanca", "parent_path": "/infra/sites/casablanca", "relative_path": "casablanca", "site_connection_info": [{ "fqdn": "10.192.201.163" }], "maximum_rtt": 250, "fail_if_rtt_exceeded": true, "fail_if_mismatch_rteps": true "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Returns the certificate of the listener

Connects to the given IP and port, and, if an SSL listener is present, returns
the certificate of the listener.
Intent of this API is "Do you trust this certificate?".
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/listener_certificate

/policy/api/v1/global-infra/sites/listener_certificate

Request Headers:

n/a

Query Parameters:

TlsListenerEndpointAddressRequestParameters+

Request Body:

n/a

Example Request: POST https://<policy-mgr>/global-policy/api/v1/infra/sites/listener_certificate?address=10.22.122.7&port=443 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TlsListenerCertificate+

Example Response: { "result": "SUCCESS", "certificate": { "issuer_cn": "vSM Test Certificate", "public_key_length": 1024, "signature": "4e cf ff 36 ac a1", "not_before": 1323772715000, "subject": "1.2.840.113549.1.9.1=#16076140622e636f6d,CN=vSM Test Certificate,OU=vShield,O=VMware,L=Pune,ST=Maharashtra,C=IN", "serial_number": "ca55f5e21a0b2dd2", "public_key_algo": "RSA", "version": "1", "issuer": "1.2.840.113549.1.9.1=#16076140622e636f6d,CN=vSM Test Certificate,OU=vShield,O=VMware,L=Pune,ST=Maharashtra,C=IN", "is_ca": false, "subject_cn": "vSM Test Certificate", "not_after": 1355308715000, "is_valid": false, "rsa_public_key_exponent": "10001", "signature_algorithm": "SHA1WITHRSA", "rsa_public_key_modulus": "00 b7 8f 79 e4" }, "thumbprint": "f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get span for an entity with specified path

Get span for an entity with specified path. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/span

/policy/api/v1/global-infra/span

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/span

Request Headers:

n/a

Query Parameters:

IntentPathRequestParameter+

Request Body:

n/a

Example Request: GET https://<global-manager>/global-manager/api/v1/global-infra/span?intent_path=/global-infra/tier-0s/t0 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Span+

Span (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Span	string
sites	List of SpanSiteInfos List of SpanSiteInfos representing the strech of the entity.	array of SpanSiteInfo	Readonly
span_leader	Policy resource type of span leader Represents Policy resource type streached entity's span leader.	string	Readonly
span_resource	Policy resource path Represents Policy resource path of streached entity.	string	Readonly
span_resource_type	Policy resource type Policy resource type of the streached entity.	string	Readonly
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "SPAN", "span_resource_type": "PROVIDER", "span_resource": "/global-infra/tier-0s/t0", "span_leader": "/global-infra/tier-0s/t0", "site_ids": [ "51a1294a-b1d5-40a9-a382-2b1aeb62c41a", "3d497d3f-2f9a-4983-9db0-d1f5f7cbc3d0" ], "marked_for_delete": false, "overridden": false } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Federation: Sites: Security

Federation: Sites: Security: Setting

Associated URIs:

GET /policy/api/v1/global-infra/sites/{site-id}/security-setting

This routine will get site security setting

This routine will get site security setting
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/sites/{site-id}/security-setting

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/global-manager/api/v1/global-infra/sites/London/security-setting { "air_gapped": true, "resource_type": "SiteSecuritySetting", "id": "security-setting", "display_name": "security-setting", "path": "/global-infra/sites/LM/security-setting", "relative_path": "security-setting", "parent_path": "/global-infra/sites/LM", "unique_id": "ffaca9ae-4a90-4f9f-ba88-4369e02bf3e3", "owner_id": "6c5b2358-5862-49d8-952e-611b8cd32bf1", "marked_for_delete": false, "overridden": false, "_create_time": 1718858458723, "_create_user": "admin", "_last_modified_time": 1718858458723, "_last_modified_user": "admin", "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

SiteSecuritySetting+

SiteSecuritySetting (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
air_gapped	Flag to indicate air gapped deployments If true, deployment is marked as air gapped deployment and operations that requires internet connectivity are expected to be supported through Global Manager.	boolean	Default: "False"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value SiteSecuritySetting	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: read Feature: policy_security_settings Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Management Plane API

Management Plane API: Associations

Associated URIs:

Management Plane API: Grouping Objects

Management Plane API: Grouping Objects: IP Sets

Associated URIs:

Management Plane API: Grouping Objects: MAC Sets

Associated URIs:

Management Plane API: Grouping Objects: NS Groups

Associated URIs:

Management Plane API: Grouping Objects: NS Profiles

Associated URIs:

Management Plane API: Grouping Objects: NS Service Groups

Associated URIs:

Management Plane API: Grouping Objects: NS Services

Associated URIs:

Management Plane API: Networking: Logical Bridging

Management Plane API: Networking: Logical Bridging: Bridge Endpoint Profiles

Associated URIs:

Management Plane API: Networking: Logical Bridging: Bridge Endpoints

Associated URIs:

Management Plane API: Networking: Logical Routing And Services

Management Plane API: Networking: Logical Routing And Services: BFD Peers

Associated URIs:

Management Plane API: Networking: Logical Routing And Services: Logical Router Ports

Associated URIs:

Management Plane API: Networking: Logical Routing And Services: Logical Routers

Associated URIs:

Management Plane API: Networking: Logical Routing And Services: NAT

Associated URIs:

Management Plane API: Networking: Logical Routing And Services: Routing BFD Configuration

Associated URIs:

Management Plane API: Networking: Logical Routing And Services: Routing Configuration

Associated URIs:

Management Plane API: Networking: Logical Switching

Management Plane API: Networking: Logical Switching: Logical Switch Ports

Associated URIs:

Management Plane API: Networking: Logical Switching: Logical Switches

Associated URIs:

Management Plane API: Networking: Services

Management Plane API: Networking: Services: DHCP

Associated URIs:

Management Plane API: Networking: Services: DHCP Relay

Associated URIs:

Management Plane API: Networking: Services: DHCP Relay Profiles

Associated URIs:

Management Plane API: Networking: Services: DNS

Associated URIs:

Management Plane API: Networking: Services: Loadbalancer

Associated URIs:

Management Plane API: Networking: Services: Metadata Proxy

Associated URIs:

Management Plane API: Networking: VPN: IPSEC

Management Plane API: Networking: VPN: IPSEC: DPD Profiles

Associated URIs:

Management Plane API: Networking: VPN: IPSEC: IKE Profiles

Associated URIs:

Management Plane API: Networking: VPN: IPSEC: Peer Endpoints

Associated URIs:

Management Plane API: Networking: VPN: IPSEC: Services

Associated URIs:

Management Plane API: Networking: VPN: IPSEC: Sessions

Associated URIs:

Management Plane API: Networking: VPN: IPSEC: Tunnel Profiles

Associated URIs:

Management Plane API: Networking: VPN: L2VPN

Management Plane API: Networking: VPN: L2VPN: Services

Associated URIs:

Management Plane API: Networking: VPN: L2VPN: Sessions

Associated URIs:

Management Plane API: Networking: VPN: Statistics

Management Plane API: Networking: VPN: Statistics: IKE Service

Associated URIs:

Management Plane API: Networking: VPN: Statistics: IKE Sessions Status

Associated URIs:

Management Plane API: Networking: VPN: Statistics: IPSEC Reset Sessions Statistics

Associated URIs:

Management Plane API: Networking: VPN: Statistics: IPSEC Sessions Statistics

Associated URIs:

Management Plane API: Networking: VPN: Statistics: IPSEC Sessions Summary

Associated URIs:

Management Plane API: Networking: VPN: Statistics: L2VPN Remote MACS

Associated URIs:

Management Plane API: Networking: VPN: Statistics: L2VPN Session Statistics

Associated URIs:

Management Plane API: Networking: VPN: Statistics: L2VPN Session Status

Associated URIs:

Management Plane API: Networking: VPN: Statistics: L2VPN Sessions Summary

Associated URIs:

Management Plane API: Normalization

Associated URIs:

Management Plane API: Security: Identity Firewall

Management Plane API: Security: Identity Firewall: Configuration

Associated URIs:

Management Plane API: Security: Identity Firewall: Monitoring

Associated URIs:

Management Plane API: Security: Identity Firewall: Realization Data

Associated URIs:

Management Plane API: Security: Intrusion Services

Management Plane API: Security: Intrusion Services: Dashboard

Associated URIs:

Management Plane API: Security: Intrusion Services: IDS Profiles

Associated URIs:

Management Plane API: Security

Management Plane API: Security: Service Configuration

Associated URIs:

Management Plane API: Security: Services

Management Plane API: Security: Services: Firewall

Associated URIs:

Management Plane API: Troubleshooting And Monitoring

Management Plane API: Troubleshooting And Monitoring: IPFIX

Associated URIs:

Management Plane API: Troubleshooting And Monitoring: Livetrace

Associated URIs:

Management Plane API: Troubleshooting And Monitoring: Port Connection

Associated URIs:

Management Plane API: Troubleshooting And Monitoring: Traceflow

Associated URIs:

NSX Application Platform: Deployment: Bundle

NSX Application Platform: Deployment: Bundle: Status

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/tools/upload/status/{bundle-id}

Get progress status of kubernetes tools bundle upload

Get the progress of uploading kubernetes tools bundle from the remote location.
This API will also verify the kubernetes tools bundle, before marking upload as a success.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/tools/upload/status/{bundle-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/tools/upload/status/22000123456 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

UploadBundleStatus+

UploadBundleStatus (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Detail about bundle upload More detail about tools bundle file upload.	string
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
percent	Upload percentage for bundle Upload percentage for tools bundle file.	number
port	Server port Remote server port.	string
protocol	Protocol Protocol used HTTP or HTTPS.	string	Required Enum: HTTP, HTTPS
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value UploadBundleStatus	string
server	Server IP or FQDN Remote server IP or FQDN.	string	Required Format: hostname-or-ip
status	Current state of bundle upload Current state of bundle upload. UPLOADING - Upload in progress. DOWNLOADING - Download in progress. EXTRACTING - Extract in progress. VERIFYING - Verifying signature of uploaded bundle. SUCCESS - Upload complete. FAILED - Upload failed.	string	Enum: UPLOADING, DOWNLOADING, EXTRACTING, VERIFYING, SUCCESS, FAILED
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
uri	Relative path to download file Relative path to download file from remote server.	string	Required

Example Response: { "resource_type": "UploadBundleStatus", "port" : 80, "server": "192.168.120.151", "uri" : "/custom/path/container_tools_22000123456.tar.gz", "protocol" : "https" "percent" : 80, "status" : "VERIFYING", "detailed_status": "Checking Signature of the Upgrade Bundle" } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Deployment: Platform

NSX Application Platform: Deployment: Platform: Config

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/platform
PATCH /policy/api/v1/infra/sites/{site-id}/napp/deployment/platform

Get NSX Application Platform deployment configuration

Get input parameters required to deploy NSX Application Platform. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/platform

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/platform Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PlatformDeploymentConfig+

PlatformDeploymentConfig (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
cluster_id	Kubernetes cluster id Unique id to identify kubernetes guest cluster.	string
deployment_action	Deployment action	CloudNativeDeploymentAction
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
form_factor	Deployment form factor From factor is use for deployment.	FormFactorType
id	Unique identifier of this resource	string	Sortable
kubeconf_info	Kubeconfig info Information about kubeconfig file.	KubeconfigInfo
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PlatformDeploymentConfig	string
service_config		AdvanceServiceConfig
storage_class	Storage class Kubernetes cluster storage class	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Deployment version Deployment version in use.	string

Example Response: { "resource_type": "PlatformDeploymentConfig", "id": "platform-deployment-config", "platform_version" : "2.0", "form_factor" : "advanced", "kubeconfig_info" : { "name": "kubeconfigfile.xyz", "user": "test", "cluster": "cluster1", "namespace" : "nsxi" }, service_config : { "kubectl_tool" : "kubectltool.tgz", "ca_cerficiate": { "public_key": "xxxxxx", "private_key" : "xxxxxx" }, "service_name": "fqdn.of.service", } "parent_path" : "/infra/sites//napp/deployment/platform", "relative_path" : "registry", "cluster_id" : "232412-2342-2hd124-23h212", "_create_time" : 1524826554351, "_last_modified_user" : "admin", "_system_owned" : false, "_protection" : "NOT_PROTECTED", "_last_modified_time" : 1524826554351, "_create_user" : "admin", "_revision" : 0 } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Update platform configuration

Update input parameters required to deploy platform related pods.
The UI has option to deploy kubernetes tools.
You need to get this file from VMware website.
File contains kubectl binary, helm binary and signature to verify them.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/platform

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PlatformDeploymentConfig+

PlatformDeploymentConfig (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
cluster_id	Kubernetes cluster id Unique id to identify kubernetes guest cluster.	string
deployment_action	Deployment action	CloudNativeDeploymentAction
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
form_factor	Deployment form factor From factor is use for deployment.	FormFactorType
id	Unique identifier of this resource	string	Sortable
kubeconf_info	Kubeconfig info Information about kubeconfig file.	KubeconfigInfo
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PlatformDeploymentConfig	string
service_config		AdvanceServiceConfig
storage_class	Storage class Kubernetes cluster storage class	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Deployment version Deployment version in use.	string

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/platform { "platform_version" : "2.0", "deployment_action" : "deploy/undeploy/redeploy/update" "form_factor" : "advanced", "kubeconfig_info" : { "name": "kubeconfigfile.xyz", "user": "user1", "current_context": "context1", "namespace": "ns1", "cluster": "cluster1", "expiry": "n days" }, service_config : { "kubectl_tool" : "kubectltool.tgz", "service_name": "fqdn.of.service", } } } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PlatformDeploymentConfig+

PlatformDeploymentConfig (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
cluster_id	Kubernetes cluster id Unique id to identify kubernetes guest cluster.	string
deployment_action	Deployment action	CloudNativeDeploymentAction
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
form_factor	Deployment form factor From factor is use for deployment.	FormFactorType
id	Unique identifier of this resource	string	Sortable
kubeconf_info	Kubeconfig info Information about kubeconfig file.	KubeconfigInfo
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PlatformDeploymentConfig	string
service_config		AdvanceServiceConfig
storage_class	Storage class Kubernetes cluster storage class	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Deployment version Deployment version in use.	string

Example Response: { "resource_type": "PlatformDeploymentConfig", "id": "platform-deployment-config", "platform_version" : "2.0", "form_factor" : "advanced", "kubeconfig_info" : { "name": "kubeconfigfile.xyz", "user": "user1", "current_context": "context1", "namespace": "ns1", "cluster": "cluster1", "expiry": "n days" }, service_config : { "kubectl_tool" : "kubectltool.tgz", "service_name": "fqdn.of.service", } "parent_path" : "/infra/sites//napp/deployment/platform", "relative_path" : "platform", "_create_time" : 1524826554351, "_last_modified_user" : "admin", "_system_owned" : false, "_protection" : "NOT_PROTECTED", "_last_modified_time" : 1524826554351, "_create_user" : "admin", "_revision" : 0 } Required Permissions: crud Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Deployment: Platform: Form Factors

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/form-factors

Get available deployment form factors for NSX Application Platform

Get available deployment form factors for NSX Application Platform. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/form-factors

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/platform/form-factors Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PlatformFormFactors+

Example Response: { "available_form_factors":{ "standard": { "node": { "cpu": 4, "ram": 16 "disk": "200" }, "supported_features": ["NDR", "Antimalware", "Rule Analysis", "Metrics"] }, "advanced": { "node": { "cpu": 32, "ram": 64 "disk": "1000" }, "supported_features": ["NDR", "Antimalware", "Rule Analysis", "Metrics", "NSX Intelligence"] }, "evaluation": { "node": { "cpu": 32, "ram": 64 "disk": "1000" }, "supported_features": ["NDR", "Antimalware", "Rule Analysis", "Metrics", "NSX-Intelligence"] } } } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Deployment: Platform: Status

Associated URIs:

PUT /policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/checks
GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/checks/execution/required
GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/checks/status
GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/status

Run pre/post checks for NSX Application Platform

Run pre/post checks for NSX Application Platform
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/checks

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PlatformDeploymentChecksAction+

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/platform/checks Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

n/a

Required Permissions: crud Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get NSX Application Platform pre/post checks execution required

Get NSX Application Platform pre/post checks execution required. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/checks/execution/required

Request Headers:

n/a

Query Parameters:

DeploymentChecksExecutionRequired+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/platform/checks/execution/required Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentChecksExecutionRequiredResult+

Example Response: { "is_required": true } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get NSX Application Platform pre/post checks progress status

Get NSX Application Platform pre/post checks progress status. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/checks/status

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/platform/checks/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentChecksStatusResult+

Example Response: { "results": [ { "name": "Version Compatibility Precheck", "description": "Check NSX Application Platform version compatibility", "status": "NOT_STARTED" }, { "name": "Kubernetes Cluster Connection Precheck", "description": "Check connectivity between NSX manager and kubernetes cluster", "status": "NOT_STARTED" }, { "name": "Kubernetes Tools Sync Precheck", "description": "Check whether kubernetes tools are compatible and sync with all managers", "status": "NOT_STARTED" }, { "name": "Existing Namespaces Precheck", "description": "Check existing namespaces in kubernetes cluster", "status": "NOT_STARTED" }, { "name": "Service Name/FQDN Validation Precheck", "description": "Check service name/fqdn", "status": "NOT_STARTED" }, { "name": "Kubernetes Cluster DNS Domain Precheck", "description": "Check Kubernetes cluster dns domain", "status": "NOT_STARTED" }, { "name": "Time Synchronization Precheck", "description": "Kubernetes cluster and NSX time sync", "status": "NOT_STARTED" }, { "name": "Kubernetes Cluster Available Resources Precheck", "description": "Check Kubernetes cluster node resources", "status": "NOT_STARTED" } ] } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get platform deployment or undeployment progress status

Get platform deployment or undeployment progress status. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/status

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/platform/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentProgressStatus+

Example Response: { "resource_type": "DeploymentProgressStatus", "overall_status" : "DEPLOYMENT_IN_PROGRESS", "percentage": "10", "progress_message" : "Registering cluster", } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Deployment: Platform: Storageclass

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/storage-classes

Get list of Kubernetes storage classes

Get the list of Kubernetes storage classes.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/storage-classes

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/storage-classes Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

StorageClasses+

Example Response: { "name" : [ "local-sc" ] } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Deployment: Platform: Versions

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/versions

Get NSX Application Platform versions

Get NSX Application Platform versions. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/platform/versions

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/platform/versions Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentVersions+

Example Response: { "versions":[ { "version": "2.0", "chart_name": "platform" } ] } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Deployment

NSX Application Platform: Deployment: Registry

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/registry
PUT /policy/api/v1/infra/sites/{site-id}/napp/deployment/registry
PUT /policy/api/v1/infra/sites/{site-id}/napp/deployment/registry/reset

Get helm repo and docker registry url

Get helm repo and docker registry url for chart deployment. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/registry

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/registry Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentRegistry+

DeploymentRegistry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificate_id	Private CA or Self Signed Certificate ID. Helm repo certificate to access locally hosted helm repository	string
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildDeploymentRegistry
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
docker_registry	Docker registry url Docker registry url to access docker images.	string	Required
helm_repo	Helm repo url Helm repo url to access helm charts.	string	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value DeploymentRegistry	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "DeploymentRegistry", "id": "deployment-registry", "docker_registry": "docker.io", "helm_repository":"https://kubernetes-charts.storage.googleapis.com", "_create_time" : 1524826554351, "_last_modified_user" : "admin", "_system_owned" : false, "_protection" : "NOT_PROTECTED", "_last_modified_time" : 1524826554351, "_create_user" : "admin", "_revision" : 0 } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Update Docker registry and helm repository url.

In case of helm chart present in private repository and containers
are hosted in private hub. You can change docker and helm url to use these
private URL instead of default public one.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/registry

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

DeploymentRegistry+

DeploymentRegistry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificate_id	Private CA or Self Signed Certificate ID. Helm repo certificate to access locally hosted helm repository	string
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildDeploymentRegistry
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
docker_registry	Docker registry url Docker registry url to access docker images.	string	Required
helm_repo	Helm repo url Helm repo url to access helm charts.	string	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value DeploymentRegistry	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/registry { "resource_type": "DeploymentRegistry", "description": "Udated Registry urls", "docker_registry": "docker.io", "helm_repository":"https://kubernetes-charts.storage.googleapis.com", "_revision" : 0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentRegistry+

DeploymentRegistry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificate_id	Private CA or Self Signed Certificate ID. Helm repo certificate to access locally hosted helm repository	string
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildDeploymentRegistry
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
docker_registry	Docker registry url Docker registry url to access docker images.	string	Required
helm_repo	Helm repo url Helm repo url to access helm charts.	string	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value DeploymentRegistry	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Reset helm and docker url to default one

This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/registry/reset

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/registry/reset Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentRegistry+

DeploymentRegistry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificate_id	Private CA or Self Signed Certificate ID. Helm repo certificate to access locally hosted helm repository	string
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildDeploymentRegistry
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
docker_registry	Docker registry url Docker registry url to access docker images.	string	Required
helm_repo	Helm repo url Helm repo url to access helm charts.	string	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value DeploymentRegistry	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Deployment: Tools: Bundle

NSX Application Platform: Deployment: Tools: Bundle: Upload

Associated URIs:

POST /policy/api/v1/infra/sites/{site-id}/napp/deployment/tools/upload_from_remote_server

Upload the Kubernetes tools on NSX Manager via remote URL

Upload the Kubernetes tools on NSX Manager via remote url.
You need to get this file from VMware website.
File contains kubectl binary, helm binary and signature to verify them.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/tools/upload_from_remote_server

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

UploadBundleRemoteServer+

UploadBundleRemoteServer (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
port	Server port Remote server port.	string
protocol	Protocol Protocol used HTTP or HTTPS.	string	Required Enum: HTTP, HTTPS
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value UploadBundleRemoteServer	string
server	Server IP or FQDN Remote server IP or FQDN.	string	Required Format: hostname-or-ip
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
uri	Relative path to download file Relative path to download file from remote server.	string	Required

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/tools/upload_from_remote_server { "port" : 80, "server": "192.168.120.151", "uri" : "/custom/path/container_tools_22000123456.tar.gz", "protocol" : "https" } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

UploadBundleId+

Example Response: { "bundle_id" : "22000123456" } Required Permissions: crud Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Deployment: Upgrade: Coordinator

NSX Application Platform: Deployment: Upgrade: Coordinator: Check

Associated URIs:

PUT /policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator/checks

Run pre/post checks for NSX Application Platform upgrade-coordinator

Run pre/post checks for NSX Application Platform upgrade-coordinator.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator/checks

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

DeploymentChecksAction+

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/upgrade-coordinator/checks Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

n/a

Required Permissions: crud Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Deployment: Upgrade: Coordinator: Check: Status

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator/checks/status

Get NSX Application Platform upgrade-coordinator pre/post checks progress status.

Get NSX Application Platform upgrade-coordinator pre/post checks progress status. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator/checks/status

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/upgrade-coordinator/checks/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentChecksStatusResult+

Example Response: { "resource_type": "DeploymentChecksStatusResult", "result" : [ {"name": "check1", "desc": "...", "status": "SUCCESS", "reason": ""} {"name": "check2", "desc": "...", "status": "FAILED", "reason": "Reason for failure"} ] } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Deployment: Upgrade: Coordinator: Versions

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator/versions

Get NSX Application Platform upgrade-coordinator versions

Get NSX Application Platform upgrade-coordinator versions. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator/versions

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/upgrade-coordinator/versions Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentVersions+

Example Response: { "versions":[ { "version": "2.0", "chart_name": "platform" } ] } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform

NSX Application Platform: Kubeconfig

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/kubeconfig
POST /policy/api/v1/infra/sites/{site-id}/napp/deployment/kubeconfig

Upload kubeconfig file

Synchronous call to upload kubeconfig file on orchestrator node.
This will be used to connect with Kubernetes cluster.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/kubeconfig

Request Headers:

n/a

Query Parameters:

CommonUploadFile+

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/kubeconfig Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

UploadBundleId+

Example Response: { "bundle_id" : "22000123456" } Required Permissions: crud Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get information about kubeconfig file

To get more information about kubeconfig file like
user, cluster, context, namespace etc.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/kubeconfig

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/kubeconfig Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

KubeconfigInfo+

KubeconfigInfo (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
bundle_id	Bundle id Bundle id of uploaded file.	string
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
cluster	Kubernetes cluster Kubernetes cluster to be used for deployment.	string
connection_status	Kubernetes connection status Show whether connection to Kubernetes cluster is available or not.	boolean	Default: "False"
current_context	Kubernetes cluster current context Kubernetes cluster current context to be used for NSX Application Platform deployment.	string
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
expiry	Expiry of Kubernetes cluster user token Date and time when Kubernetes cluster user token is going to expire.	EpochMsTimestamp
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
name	Kubeconfig file name Kubernetes cluster kubeconfig file name	string
namespace	Kubernetes cluster namespace Kubernetes cluster namespace to be used for NSX Application Platform deployment.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value KubeconfigInfo	string
server	Server url Kubernetes api server url.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
user	User name User name to access Kubernetes cluster.	string

Example Response: { "bundle_id" : "22000123456", "name": "kubeconfigfile.xyz", "user": "user1", "current_context": "context1", "namespace": "ns1", "cluster": "cluster1", "expiry": "n days", "server": "https://10.161.72.163:6443", "connection_status": True } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Kubernetes

NSX Application Platform: Kubernetes: Tools

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/kubernetes-tools

Get information about Kubernetes tools

To show information about Kubernetes tools version. It will list kubectl
client version, kube-apiserver version. Also show, whether kubectl client
version is compatible with kube-apiserver version.kubectl is supported
within one minor version (older or newer) of kube-apiserver.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/kubernetes-tools

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/kubernetes-tools Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

KubernetesToolsInfo+

KubernetesToolsInfo (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
client_version	Client version kubectl client version.	string
compatible	Kubectl compatibility Show compatibility flag, whether kubectl client version is compatible with Kubernetes api server version. kubectl is supported within one minor version (older or newer) of kube-apiserver.	boolean	Default: "True"
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value KubernetesToolsInfo	string
server_version	Server version Kubernetes api server version.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "client_version": "v1.19.3", "server_version": "v1.17.8", "compatible": False } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Platform

NSX Application Platform: Platform: Host Agent

Associated URIs:

GET /policy/api/v1/infra/napp/common-agent/host-config
PATCH /policy/api/v1/infra/napp/common-agent/host-config
POST /policy/api/v1/infra/napp/common-agent/host-config?action=reset

Get NSX Application Platform Common Agent host configuration

Get the current NSX Application Platform Common Agent host configuration.
Recommend to keep the value same for flow_data_collection_interval
and context_data_collection_interval.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/napp/common-agent/host-config

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgt>/api/v1/infra/napp/common-agent/host-config Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

CommonAgentHostConfigurationInfo+

CommonAgentHostConfigurationInfo (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
ingress_certificate	Broker certificate A ingress certificate to verify the identity of brokers.	string
ingress_endpoint	List of NSX Application Platform ingress endpoints List of NSX Application Platform ingress endpoints that host nodes contact initially.	array of CommonAgentEndpointInfo
kafka_certificate	Broker certificate A Kafka broker certificate to verify the identity of brokers.	string
kafka_endpoint	List of NSX Application Platform Kafka broker endpoints List of NSX Application Platform broker endpoints that host nodes contact initially.	array of CommonAgentEndpointInfo
nsx_cluster_id	Cluster id of the NSX Manager cluster Cluster id of the NSX Manager cluster.	string
private_ip_range	List of private IP prefix List of private IP prefix that NSX Application Platform Common Agent network flow is collected from.	array of CommonAgentPrivateIpRangeInfo
resource_type	Must be set to the value CommonAgentHostConfigurationInfo	string
site_id	Site id of the local manager Site id of the local manager.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
truststore	truststore A truststore to establish the trust between NSX and NSX Application Platform.	string

Example Response: { "kafka_endpoint": [ { "address": "127.0.0.1", "port": 9092 } ], "kafka_certificate": "pem-encoded-cert-value", "ingress_endpoint": [ { "address": "127.0.0.1", "port": 9092 } ], "ingress_certificate": "pem-encoded-cert-value", "truststore": "pem-encoded-cert-value", "nsx_cluster_id": "cluster-id-string", "private_ip_range": [ { "address_type": "IPV4", "address": "10.0.0.0", "prefix_length": 8 }, { "address_type": "IPV4", "address": "172.16.0.0", "prefix_length": 12 }, { "address_type": "IPV4", "address": "192.168.0.0", "prefix_length": 16 } ], } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch NSX Application Platform Common Agent host configuration

Patch the current NSX Application Platform Common Agent host configuration.
Return error if NSX Application Platform Common Agent is not registered with NSX.
"private_ip_range" is the only field allowed to patch.
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/napp/common-agent/host-config

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

CommonAgentHostConfigurationInfo+

CommonAgentHostConfigurationInfo (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
ingress_certificate	Broker certificate A ingress certificate to verify the identity of brokers.	string
ingress_endpoint	List of NSX Application Platform ingress endpoints List of NSX Application Platform ingress endpoints that host nodes contact initially.	array of CommonAgentEndpointInfo
kafka_certificate	Broker certificate A Kafka broker certificate to verify the identity of brokers.	string
kafka_endpoint	List of NSX Application Platform Kafka broker endpoints List of NSX Application Platform broker endpoints that host nodes contact initially.	array of CommonAgentEndpointInfo
nsx_cluster_id	Cluster id of the NSX Manager cluster Cluster id of the NSX Manager cluster.	string
private_ip_range	List of private IP prefix List of private IP prefix that NSX Application Platform Common Agent network flow is collected from.	array of CommonAgentPrivateIpRangeInfo
resource_type	Must be set to the value CommonAgentHostConfigurationInfo	string
site_id	Site id of the local manager Site id of the local manager.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
truststore	truststore A truststore to establish the trust between NSX and NSX Application Platform.	string

Example Request: PATCH https://<policy-mgt>/api/v1/infra/napp/common-agent/host-config { "private_ip_range": [ { "address_type": "IPV4", "address": "10.10.0.0", "prefix_length": 8 }, { "address_type": "IPV4", "address": "172.18.0.0", "prefix_length": 12 }, { "address_type": "IPV4", "address": "192.169.0.0", "prefix_length": 16 } ] } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

CommonAgentHostConfigurationInfo+

CommonAgentHostConfigurationInfo (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
ingress_certificate	Broker certificate A ingress certificate to verify the identity of brokers.	string
ingress_endpoint	List of NSX Application Platform ingress endpoints List of NSX Application Platform ingress endpoints that host nodes contact initially.	array of CommonAgentEndpointInfo
kafka_certificate	Broker certificate A Kafka broker certificate to verify the identity of brokers.	string
kafka_endpoint	List of NSX Application Platform Kafka broker endpoints List of NSX Application Platform broker endpoints that host nodes contact initially.	array of CommonAgentEndpointInfo
nsx_cluster_id	Cluster id of the NSX Manager cluster Cluster id of the NSX Manager cluster.	string
private_ip_range	List of private IP prefix List of private IP prefix that NSX Application Platform Common Agent network flow is collected from.	array of CommonAgentPrivateIpRangeInfo
resource_type	Must be set to the value CommonAgentHostConfigurationInfo	string
site_id	Site id of the local manager Site id of the local manager.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
truststore	truststore A truststore to establish the trust between NSX and NSX Application Platform.	string

Example Response: { "kafka_endpoint": [ { "address": "127.0.0.1", "port": 9092 } ], "kafka_certificate": "pem-encoded-cert-value", "ingress_endpoint": [ { "address": "127.0.0.1", "port": 9092 } ], "ingress_certificate": "pem-encoded-cert-value", "truststore": "pem-encoded-cert-value", "nsx_cluster_id": "cluster-id-string", "private_ip_range": [ { "address_type": "IPV4", "address": "10.10.0.0", "prefix_length": 8 }, { "address_type": "IPV4", "address": "172.18.0.0", "prefix_length": 12 }, { "address_type": "IPV4", "address": "192.169.0.0", "prefix_length": 16 } ] } Required Permissions: crud Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Reset NSX Application Platform Common Agent host configuration

Reset NSX Application Platform Common Agent host configuration to the default setting.
Clear NSX Application Platform Common Agent host configuration if NSX Application Platform Common Agent is not registered with NSX.
Return the NSX Application Platform Common Agent host configuration after reset operation.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/napp/common-agent/host-config?action=reset

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: POST https://<policy-mgt>/api/v1/infra/napp/common-agent/host-config?action=reset Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

CommonAgentHostConfigurationInfo+

CommonAgentHostConfigurationInfo (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
ingress_certificate	Broker certificate A ingress certificate to verify the identity of brokers.	string
ingress_endpoint	List of NSX Application Platform ingress endpoints List of NSX Application Platform ingress endpoints that host nodes contact initially.	array of CommonAgentEndpointInfo
kafka_certificate	Broker certificate A Kafka broker certificate to verify the identity of brokers.	string
kafka_endpoint	List of NSX Application Platform Kafka broker endpoints List of NSX Application Platform broker endpoints that host nodes contact initially.	array of CommonAgentEndpointInfo
nsx_cluster_id	Cluster id of the NSX Manager cluster Cluster id of the NSX Manager cluster.	string
private_ip_range	List of private IP prefix List of private IP prefix that NSX Application Platform Common Agent network flow is collected from.	array of CommonAgentPrivateIpRangeInfo
resource_type	Must be set to the value CommonAgentHostConfigurationInfo	string
site_id	Site id of the local manager Site id of the local manager.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
truststore	truststore A truststore to establish the trust between NSX and NSX Application Platform.	string

Example Response: { "kafka_endpoint": [ { "address": "127.0.0.1", "port": 9092 } ], "kafka_certificate": "pem-encoded-cert-value", "ingress_endpoint": [ { "address": "127.0.0.1", "port": 9092 } ], "ingress_certificate": "pem-encoded-cert-value", "truststore": "pem-encoded-cert-value", "nsx_cluster_id": "cluster-id-string", "private_ip_range": [ { "address_type": "IPV4", "address": "10.0.0.0", "prefix_length": 8 }, { "address_type": "IPV4", "address": "172.16.0.0", "prefix_length": 12 }, { "address_type": "IPV4", "address": "192.168.0.0", "prefix_length": 16 } ] } Required Permissions: crud Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Platform: Tools: Bundle

NSX Application Platform: Platform: Tools: Bundle: Upload

Associated URIs:

POST /policy/api/v1/infra/sites/{site-id}/napp/deployment/tools/upload

Upload the Kubernetes tools on NSX Manager via File

Synchronous call to upload the Kubernetes tools on NSX Manager via File.
You need to get this file from VMware website.
File will contains kubectl binary, helm binary and signature to verify them.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/tools/upload

Request Headers:

n/a

Query Parameters:

CommonUploadFile+

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/tools/upload Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

UploadBundleId+

Example Response: { "bundle_id" : "22000123456" } Required Permissions: crud Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Registration

Associated URIs:

GET /policy/api/v1/infra/sites/napp/registration
GET /policy/api/v1/infra/sites/napp/registration/{cluster-id}

Get all registered NSX Application Platforms

Get all registered NSX Application Platforms.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/napp/registration

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/policy/api/v1/infra/sites/napp/registration Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

NappRegistrationList+

Example Response: { "napp_registration_results": [ { "cluster_id": "12f563af-af9f-48f3-848e-e9257c8740b0", "cluster_name": "NSX Application Platform", "message_bus_ip_address": "10.33.76.94", "ingress_ip_address": "10.33.76.80", "status": "DEPLOYMENT_SUCCESSFUL" } ] } Required Permissions: read Feature: nsx_intelligence_cluster_node_deployment Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get a registered NSX Application Platform as specified

Get the registered NSX Application Platform as specified.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/napp/registration/{cluster-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/policy/api/v1/infra/sites/napp/registration/12f563af-af9f-48f3-848e-e9257c8740b0 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

NappRegistration+

NappRegistration (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
cluster_id	UUID of NSX Application Platform UUID of the cluster maintained internally.	string	Required Readonly
cluster_name	Name of NSX Application Platform Name of NSX Application Platform.	string
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
ingress_ip_address	Ingress IP address of NSX Application Platform IP of NSX Application Platform for Ingress HTTP connection.	string	Format: hostname-or-ip
is_intelligence_enabled	Is Intelligence enabled on NSX Application Platform Whether Intelligence is enabled on NSX Application Platform.	boolean
is_malware_prevention_enabled	Is Malware Prevention enabled on NSX Application Platform Whether Malware Prevention is enabled on NSX Application Platform.	boolean
is_metric_enabled	Is Metric enabled on NSX Application Platform Whether Metric is enabled on NSX Application Platform.	boolean
kafka_topic_context	Context Kafka topic name Context kafka topic name.	string
kafka_topic_flow	Flow Kafka topic name Flow Kafka Topic name.	string
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
message_bus_ip_address	Message bus IP address of NSX Application Platform IP of NSX Application Platform for Message bus.	string	Format: hostname-or-ip
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value NappRegistration	string
status	Status of NSX Application Platform Status of NSX Application Platform.	string	Readonly
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "cluster_id": "12f563af-af9f-48f3-848e-e9257c8740b0", "cluster_name": "NSX Application Platform", "message_bus_ip_address": "10.33.76.94", "ingress_ip_address": "10.33.76.80", "status": "DEPLOYMENT_SUCCESSFUL" } Required Permissions: read Feature: nsx_intelligence_cluster_node_deployment Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Upgrade: Coordinator

NSX Application Platform: Upgrade: Coordinator: Config

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator
PATCH /policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator

Get upgrade coordinator deployment configuration

Get input parameters required to deploy upgrade-coordinator. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/upgrade-coordinator Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

UpgradeCoordinatorDeploymentConfig+

UpgradeCoordinatorDeploymentConfig (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
cluster_id	Kubernetes cluster id Unique id to identify kubernetes guest cluster.	string
deployment_action	Deployment action	CloudNativeDeploymentAction
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
kubeconf_info	Kubeconfig info Information about kubeconfig file.	KubeconfigInfo
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value UpgradeCoordinatorDeploymentConfig	string
storage_class	Storage class Kubernetes cluster storage class	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Deployment version Deployment version in use.	string

Example Response: { "resource_type": "UpgradeCoordinatorDeploymentConfig", "id": "upgrade-coordinator-deployment-config", "kubeconfig_info" : { "name": "kubeconfigfile.xyz", "user": "test", "cluster": "cluster1", "namespace" : "nsxi" }, "parent_path" : "/infra/sites//napp/upgrade-coordinator", "relative_path" : "registry", "_create_time" : 1524826554351, "_last_modified_user" : "admin", "_system_owned" : false, "_protection" : "NOT_PROTECTED", "_last_modified_time" : 1524826554351, "_create_user" : "admin", "_revision" : 0 } Required Permissions: read Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Update upgrade-coordinator configuration

Update input parameter require to deploy upgrade-coordinator related pods.
Advanced configuraion option on UI has option to deploy kubernetes tools.
You need to get this file from VMware website.
File contains kubectl binary, helm binary and signature to verify them.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

UpgradeCoordinatorDeploymentConfig+

UpgradeCoordinatorDeploymentConfig (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
cluster_id	Kubernetes cluster id Unique id to identify kubernetes guest cluster.	string
deployment_action	Deployment action	CloudNativeDeploymentAction
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
kubeconf_info	Kubeconfig info Information about kubeconfig file.	KubeconfigInfo
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value UpgradeCoordinatorDeploymentConfig	string
storage_class	Storage class Kubernetes cluster storage class	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Deployment version Deployment version in use.	string

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/upgrade-coordinator { "deployment_action" : "DEPLOY" "kubeconfig_info" : { "name": "kubeconfigfile.xyz", "user": "user1", "current_context": "context1", "namespace": "ns1", "cluster": "cluster1", "expiry": "n days" } } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

UpgradeCoordinatorDeploymentConfig+

UpgradeCoordinatorDeploymentConfig (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
cluster_id	Kubernetes cluster id Unique id to identify kubernetes guest cluster.	string
deployment_action	Deployment action	CloudNativeDeploymentAction
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
kubeconf_info	Kubeconfig info Information about kubeconfig file.	KubeconfigInfo
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value UpgradeCoordinatorDeploymentConfig	string
storage_class	Storage class Kubernetes cluster storage class	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Deployment version Deployment version in use.	string

Example Response: { "resource_type": "UpgradeCoordinatorDeploymentConfig", "id": "upgrade-coordinator-deployment-config", "kubeconfig_info" : { "name": "kubeconfigfile.xyz", "user": "user1", "current_context": "context1", "namespace": "ns1", "cluster": "cluster1", "expiry": "n days" }, "parent_path" : "/infra/sites//napp/deployment/upgrade-coordinator", "relative_path" : "upgrade-coordinator", "_create_time" : 1524826554351, "_last_modified_user" : "admin", "_system_owned" : false, "_protection" : "NOT_PROTECTED", "_last_modified_time" : 1524826554351, "_create_user" : "admin", "_revision" : 0 } Required Permissions: crud Feature: policy_napp Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

NSX Application Platform: Upgrade: Coordinator: Status

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator/status

Get deployment or undeployment progress status

Get deployment or undeployment progress status. This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/napp/deployment/upgrade-coordinator/status

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/napp/deployment/upgrade-coordinator/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentProgressStatus+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy

Associated URIs:

GET /policy/api/v1/infra/group-service-associations
GET /policy/api/v1/global-infra/group-service-associations
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/group-service-associations

Get the list of services where the given group is consumed.

The API by default returns all the DFW services associated with the given Group.
The API returns DFW or IPFIX services based on the service_type parameter.
It also returns the services associated with the parent groups of
the given group.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/group-service-associations

/policy/api/v1/global-infra/group-service-associations

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/group-service-associations

Request Headers:

n/a

Query Parameters:

PolicyGroupServiceAssociationsRequestParameters+

PolicyGroupServiceAssociationsRequestParameters (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of members needs to be fetched. Forward slashes must be escaped using %2F.	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
intent_path	Path of the entity Path of the entity for which associated services are to be fetched.	string	Required
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
service_type		string	Enum: firewall, ipfix
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://10.193.41.70/policy/api/v1/infra/group-service-associations?intent_path=/infra/domains/default/groups/ChildGroup Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyResourceReferenceListResult+

Example Response: { "results": [ { "path": "/infra/domains/default/security-policies/91e2b990-feed-11e9-be9e-b16debafe148/rules/bc9cd5d0-feed-11e9-be9e-b16debafe148", "target_id": "bc9cd5d0-feed-11e9-be9e-b16debafe148", "target_display_name": "Policy1", "target_type": "CommunicationEntry" }, { "path": "/infra/domains/default/security-policies/91e2b990-feed-11e9-be9e-b16debafe148/rules/bc496930-feee-11e9-be9e-b16debafe148", "target_id": "bc496930-feee-11e9-be9e-b16debafe148", "target_display_name": "Policy2", "target_type": "CommunicationEntry" }, { "path": "/infra/domains/default/security-policies/91e2b990-feed-11e9-be9e-b16debafe148/rules/b8c65fe0-ff91-11e9-9a36-cbe55de635f8", "target_id": "b8c65fe0-ff91-11e9-9a36-cbe55de635f8", "target_display_name": "Policy3", "target_type": "CommunicationEntry" } ], "result_count": 3, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Feature Flag

Policy: Feature Flag: Aggregated Feature State

Associated URIs:

GET /policy/api/v1/infra/features

Read Aggregated Feature State

Paginated list of all Aggregated Feature State This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/features

Request Headers:

n/a

Query Parameters:

FeatureFlagGetRequestParam+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/features?site_path=/infra/site/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

AggregatedFeatureListResult+

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Feature Flag: Aggregated Feature State Details

Associated URIs:

GET /policy/api/v1/infra/features/detailed-view

Read Aggregated Feature State with details

Paginated list of all Aggregated Feature State with details This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/features/detailed-view

Request Headers:

n/a

Query Parameters:

FeatureFlagGetRequestParam+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/features/detailed-view?site_path=/infra/site/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

AggregatedFeatureDetailListResult+

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Certificates

Policy: Infra: Certificates: CSR

Associated URIs:

GET /policy/api/v1/infra/csrs
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs
POST /policy/api/v1/infra/csrs?action=self_sign
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs?action=self_sign
DELETE /policy/api/v1/infra/csrs/{csr-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}
GET /policy/api/v1/infra/csrs/{csr-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}
POST /policy/api/v1/infra/csrs/{csr-id}?action=create
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}?action=create
POST /policy/api/v1/infra/csrs/{csr-id}?action=import
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}?action=import
POST /policy/api/v1/infra/csrs/{csr-id}?action=upload
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}?action=upload
POST /policy/api/v1/infra/csrs/{csr-id}?action=self_sign
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}?action=self_sign
GET /policy/api/v1/infra/csrs/{csr-id}/pem-file
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}/pem-file

Return All the Generated CSRs

Returns information about all of the CSRs that have been created. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/csrs

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs

Request Headers:

n/a

Query Parameters:

ListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/csrs Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TlsCsrListResult+

Example Response: { "result_count": 1, "results": [ { "resource_type": "Csr", "id": "example-csr-id", "display_name": "example-csr-id", "path": "/infra/csrs/example-csr-id", "parent_path": "/infra/csrs/example-csr-id", "relative_path": "example-csr-id", "pem_encoded": "-----BEGIN CERTIFICATE REQUEST----------END CERTIFICATE REQUEST-----\n", "key_size": 2048, "subject": { "attributes": [ { "value": "Jane", "key": "CN" }, { "value": "VMware", "key": "O" }, { "value": "NSBU", "key": "OU" }, { "value": "US", "key": "C" }, { "value": "CA", "key": "ST" }, { "value": "PA", "key": "L" } ] }, "algorithm": "RSA", "is_ca": false, "marked_for_delete": false, "overridden": false, "_create_user": "admin", "_create_time": 1516338671237, "_last_modified_user": "admin", "_last_modified_time": 1516338671237, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Show CSR Data for the Given CSR ID

Returns information about the specified CSR. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/csrs/{csr-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/csrs/example-csr-id Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TlsCsr+

TlsCsr (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
algorithm	Cryptographic algorithm (asymmetric) used by the public key for data encryption.	string	Enum: RSA, EC Default: "RSA"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
extensions	X509 extensions to add X509 v3 extensions to be added to a CSR.	CsrExtensions	Readonly
id	Unique identifier of this resource	string	Sortable
is_ca	Whether the CSR is for a CA certificate.	boolean	Default: "False"
key_size	Size measured in bits of the public key used in a cryptographic algorithm.	integer	Default: "4096"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM encoded certificate data.	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCsr	string
subject	The certificate owner's information. (CN, O, OU, C, ST, L)	Principal	Required
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "Csr", "id": "example-csr-id", "display_name": "example-csr-id", "path": "/infra/csrs/example-csr-id", "parent_path": "/infra/csrs/example-csr-id", "relative_path": "example-csr-id", "pem_encoded": "-----BEGIN CERTIFICATE REQUEST----------END CERTIFICATE REQUEST-----\n", "key_size": 2048, "subject": { "attributes": [ { "value": "Jane", "key": "CN" }, { "value": "VMware", "key": "O" }, { "value": "NSBU", "key": "OU" }, { "value": "US", "key": "C" }, { "value": "CA", "key": "ST" }, { "value": "PA", "key": "L" } ] }, "algorithm": "RSA", "is_ca": false, "extensions": { "subject_alt_names": { "dns_names": [ "www.vmware.com", "*.vmware.com" ] } }, "marked_for_delete": false, "overridden": false, "_create_user": "admin", "_create_time": 1516338671237, "_last_modified_user": "admin", "_last_modified_time": 1516338671237, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: read Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete a CSR

Removes a specified CSR. If a CSR is not used for verification, you can
delete it. Note that the CSR import and upload POST actions automatically
delete the associated CSR.
Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/csrs/{csr-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/csrs/example-csr-id Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get CSR PEM File for the Given CSR ID

Downloads the CSR PEM file for a specified CSR. Clients must include an Accept: text/plain request header. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/csrs/{csr-id}/pem-file

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}/pem-file

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/csrs/example-csr-id/pem-file Accept: text/plain Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: text/plain;charset=UTF-8

Response Body:

string

Example Response: -----BEGIN CERTIFICATE REQUEST----------END CERTIFICATE REQUEST----- Required Permissions: read Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Generate a New Certificate Signing Request

Creates a new certificate signing request (CSR). A CSR is encrypted text that
contains information about your organization (organization name, country,
and so on) and your Web server's public key, which is a public certificate
the is generated on the server that can be used to forward this request to a
certificate authority (CA). A private key is also usually created at the
same time as the CSR.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/csrs/{csr-id}?action=create

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}?action=create

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

TlsCsr+

TlsCsr (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
algorithm	Cryptographic algorithm (asymmetric) used by the public key for data encryption.	string	Enum: RSA, EC Default: "RSA"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
extensions	X509 extensions to add X509 v3 extensions to be added to a CSR.	CsrExtensions	Readonly
id	Unique identifier of this resource	string	Sortable
is_ca	Whether the CSR is for a CA certificate.	boolean	Default: "False"
key_size	Size measured in bits of the public key used in a cryptographic algorithm.	integer	Default: "4096"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM encoded certificate data.	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCsr	string
subject	The certificate owner's information. (CN, O, OU, C, ST, L)	Principal	Required
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/csrs/example-csr-id?action=create { "subject": { "attributes": [ {"key":"CN","value":"Jane"}, {"key":"O","value":"VMware"}, {"key":"OU","value":"NSBU"}, {"key":"C","value":"US"}, {"key":"ST","value":"CA"}, {"key":"L","value":"PA"} ] }, "key_size": "2048", "algorithm": "RSA", "is_ca": false } Successful Response:

Response Code:

201 Created

Response Headers:

Content-type: application/json

Response Body:

TlsCsr+

TlsCsr (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
algorithm	Cryptographic algorithm (asymmetric) used by the public key for data encryption.	string	Enum: RSA, EC Default: "RSA"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
extensions	X509 extensions to add X509 v3 extensions to be added to a CSR.	CsrExtensions	Readonly
id	Unique identifier of this resource	string	Sortable
is_ca	Whether the CSR is for a CA certificate.	boolean	Default: "False"
key_size	Size measured in bits of the public key used in a cryptographic algorithm.	integer	Default: "4096"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM encoded certificate data.	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCsr	string
subject	The certificate owner's information. (CN, O, OU, C, ST, L)	Principal	Required
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "TlsCsr", "id": "example-csr-id", "display_name": "example-csr-id", "path": "/infra/csrs/example-csr-id", "parent_path": "/infra/csrs", "relative_path": "example-csr-id", "pem_encoded": "-----BEGIN CERTIFICATE REQUEST----------END CERTIFICATE REQUEST-----\n", "key_size": 2048, "subject": { "attributes": [ { "value": "Jane", "key": "CN" }, { "value": "VMware", "key": "O" }, { "value": "NSBU", "key": "OU" }, { "value": "US", "key": "C" }, { "value": "CA", "key": "ST" }, { "value": "PA", "key": "L" } ] }, "algorithm": "RSA", "is_ca": false, "marked_for_delete": false, "overridden": false, "_create_user": "admin", "_create_time": 1516338671237, "_last_modified_user": "admin", "_last_modified_time": 1516338671237, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Import a Certificate Associated with an Approved CSR

Imports a certificate authority (CA)-signed certificate for a CSR. This
action links the certificate to the private key created by the CSR. The
pem_encoded string in the request body is the signed certificate provided by
your CA in response to the CSR that you provide to them. The import POST
action automatically deletes the associated CSR.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/csrs/{csr-id}?action=import

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}?action=import

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

TlsTrustData+

TlsTrustData (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
key_algo	Key algorithm contained in this certificate.	string
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
passphrase	Password for private key encryption.	secure_string
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	pem encoded certificate data.	string	Required
private_key	private key data	secure_string
purpose	Purpose of this certificate. Can be empty or set to "signing-ca".	string	Enum: signing-ca
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsTrustData	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/csrs/example-csr-id?action=import { "pem_encoded": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n" } Successful Response:

Response Code:

201 Created

Response Headers:

Content-type: application/json

Response Body:

TlsCertificate+

TlsCertificate (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
category	Category Category of certificate. This certificate is used to connect to services only.	string	Readonly Enum: SERVICE_CERTIFICATE
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
details	list of X509Certificates.	array of X509Certificate	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
has_private_key	whether we have the private key for this certificate.	boolean	Required Readonly Default: "False"
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	pem encoded certificate data.	string	Required
purpose	Purpose of this certificate. Can be empty or set to "signing-ca".	string	Readonly Enum: signing-ca
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCertificate	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
tls_certificate_type	Classification of the TlsCertificate helps differentiate how a TlsCertificate could be used for various components either as a client trust certificate; CERTIFICATE_CA, or as a server identity certificate; CERTIFICATE_SIGNED,or CERTIFICATE_SELF_SIGNED.	string	Readonly Enum: CERTIFICATE_CA, CERTIFICATE_SIGNED, CERTIFICATE_SELF_SIGNED
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "TlsCertificate", "id": "669f4e8f-061e-4c73-8cfb-1044181eb365", "display_name": "example-csr-id", "path": "/infra/certificates/669f4e8f-061e-4c73-8cfb-1044181eb365", "parent_path": "/infra", "relative_path": "example-csr-id", "details": [ { "issuer_cn": "vSM Test Certificate", "public_key_length": 1024, "signature": "4e cf ff 36 ac a1", "not_before": 1323772715000, "subject": "CN=Jane,O=VMware,OU=NSBU,ST=CA,C=US,PA=L", "serial_number": "ca55f5e21a0b2dd2", "public_key_algo": "RSA", "version": "1", "issuer": "1.2.840.113549.1.9.1=#16076140622e636f6d,CN=vSM Test Certificate,OU=vShield,O=VMware,L=Pune,ST=Maharashtra,C=IN", "is_ca": false, "subject_cn": "Jane", "not_after": 1355308715000, "is_valid": false, "rsa_public_key_exponent": "10001", "signature_algorithm": "SHA1WITHRSA", "rsa_public_key_modulus": "00 b7 8f 79 e4" } ], "pem_encoded": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n", "tls_certificate_type": "CERTIFICATE_SELF_SIGNED", "unique_id": "669f4e8f-061e-4c73-8cfb-1044181eb365", "realization_id": "669f4e8f-061e-4c73-8cfb-1044181eb365", "marked_for_delete": false, "overridden": false, "has_private_key": true, "_create_user": "admin", "_create_time": 1516338671237, "_last_modified_user": "admin", "_last_modified_time": 1516338671237, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Self-Sign the CSR

Self-signs the previously generated CSR. This action is similar to the
import certificate action, but instead of using a public certificate signed
by a CA, the self_sign POST action uses a certificate that is signed with
NSX's own private key. The maximum validity limit for non-CA certificates
is 825 days, except that values of 3,650 and 36,500 days are allowed.
No limit is set for CA certificates.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/csrs/{csr-id}?action=self_sign

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}?action=self_sign

Request Headers:

n/a

Query Parameters:

SelfSignedActionParameter+

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/csrs/example-csr-id?action=self_sign&days_valid=365 Successful Response:

Response Code:

201 Created

Response Headers:

Content-type: application/json

Response Body:

TlsCertificate+

TlsCertificate (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
category	Category Category of certificate. This certificate is used to connect to services only.	string	Readonly Enum: SERVICE_CERTIFICATE
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
details	list of X509Certificates.	array of X509Certificate	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
has_private_key	whether we have the private key for this certificate.	boolean	Required Readonly Default: "False"
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	pem encoded certificate data.	string	Required
purpose	Purpose of this certificate. Can be empty or set to "signing-ca".	string	Readonly Enum: signing-ca
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCertificate	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
tls_certificate_type	Classification of the TlsCertificate helps differentiate how a TlsCertificate could be used for various components either as a client trust certificate; CERTIFICATE_CA, or as a server identity certificate; CERTIFICATE_SIGNED,or CERTIFICATE_SELF_SIGNED.	string	Readonly Enum: CERTIFICATE_CA, CERTIFICATE_SIGNED, CERTIFICATE_SELF_SIGNED
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "TlsCertificate", "id": "669f4e8f-061e-4c73-8cfb-1044181eb365", "display_name": "example-csr-id", "path": "/infra/certificates/669f4e8f-061e-4c73-8cfb-1044181eb365", "parent_path": "/infra", "relative_path": "669f4e8f-061e-4c73-8cfb-1044181eb365", "details": [ { "issuer_cn": "Jane", "public_key_length": 1024, "signature": "4e cf ff 36 ac a1", "not_before": 1323772715000, "subject": "CN=Jane,O=VMware,OU=NSBU,ST=CA,C=US,PA=L", "serial_number": "ca55f5e21a0b2dd2", "public_key_algo": "RSA", "version": "1", "issuer": "CN=Jane,O=VMware,OU=NSBU,ST=CA,C=US,PA=L", "is_ca": false, "subject_cn": "Jane", "not_after": 1355308715000, "is_valid": false, "rsa_public_key_exponent": "10001", "signature_algorithm": "SHA1WITHRSA", "rsa_public_key_modulus": "00 b7 8f 79 e4" } ], "pem_encoded": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n", "has_private_key": true, "tls_certificate_type": "CERTIFICATE_SELF_SIGNED", "unique_id": "669f4e8f-061e-4c73-8cfb-1044181eb365", "realization_id": "669f4e8f-061e-4c73-8cfb-1044181eb365", "marked_for_delete": false, "overridden": false, "_create_user": "admin", "_create_time": 1516338671237, "_last_modified_user": "admin", "_last_modified_time": 1516338671237, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Upload the Certificate PEM File Signed by the CA Associated with a CSR

Uploads the certificate authority (CA)-signed certificate. After you send
the certificate request to the CA of your choice, and the CA sends back the
signed certificate, you can use the upload POST action to upload the signed
certificate. The upload action is similar to the import action, but the
upload action allows you to directly upload the PEM-encoded file (signed
certificate) provided by the CA. Like the import POST action, the upload
POST action automatically deletes the associated CSR.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/csrs/{csr-id}?action=upload

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs/{csr-id}?action=upload

Request Headers:

n/a

Query Parameters:

UploadFileRequestParameters+

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/csrs/example-csr-id?action=upload Content-Type: multipart/form-data; boundary=2a8ae6ad-f4ad-4d9a-a92c-6d217011fe0f --2a8ae6ad-f4ad-4d9a-a92c-6d217011fe0f Content-Disposition: form-data; name="file"; filename="mycert.pem" -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- Successful Response:

Response Code:

201 Created

Response Headers:

Content-type: application/json

Response Body:

TlsCertificate+

TlsCertificate (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
category	Category Category of certificate. This certificate is used to connect to services only.	string	Readonly Enum: SERVICE_CERTIFICATE
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
details	list of X509Certificates.	array of X509Certificate	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
has_private_key	whether we have the private key for this certificate.	boolean	Required Readonly Default: "False"
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	pem encoded certificate data.	string	Required
purpose	Purpose of this certificate. Can be empty or set to "signing-ca".	string	Readonly Enum: signing-ca
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCertificate	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
tls_certificate_type	Classification of the TlsCertificate helps differentiate how a TlsCertificate could be used for various components either as a client trust certificate; CERTIFICATE_CA, or as a server identity certificate; CERTIFICATE_SIGNED,or CERTIFICATE_SELF_SIGNED.	string	Readonly Enum: CERTIFICATE_CA, CERTIFICATE_SIGNED, CERTIFICATE_SELF_SIGNED
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Generate a new self-signed certificate

Creates a new self-signed certificate. A private key is also created at the
same time. This is convenience call that will generate a CSR and then self-sign it.
The maximum validity limit for non-CA certificates is 825 days, except that values
of 3,650 and 36,500 days are allowed. No limit is set for CA certificates.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/csrs?action=self_sign

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/csrs?action=self_sign

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

TlsCsrWithDaysValid+

TlsCsrWithDaysValid (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
algorithm	Cryptographic algorithm (asymmetric) used by the public key for data encryption.	string	Enum: RSA, EC Default: "RSA"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
days_valid	Number of days the certificate will be valid, default 825 days	integer	Default: "825"
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
extensions	X509 extensions to add X509 v3 extensions to be added to a CSR.	CsrExtensions	Readonly
id	Unique identifier of this resource	string	Sortable
is_ca	Whether the CSR is for a CA certificate.	boolean	Default: "False"
key_size	Size measured in bits of the public key used in a cryptographic algorithm.	integer	Default: "4096"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM encoded certificate data.	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCsrWithDaysValid	string
subject	The certificate owner's information. (CN, O, OU, C, ST, L)	Principal	Required
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/csrs?action=self_sign { "subject": { "attributes": [ {"key":"CN","value":"Jane"}, {"key":"O","value":"VMware"}, {"key":"OU","value":"NSBU"}, {"key":"C","value":"US"}, {"key":"ST","value":"CA"}, {"key":"L","value":"PA"} ] }, "key_size": "2048", "algorithm": "RSA", "days_valid": 365, } Successful Response:

Response Code:

201 Created

Response Headers:

Content-type: application/json

Response Body:

TlsCertificate+

TlsCertificate (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
category	Category Category of certificate. This certificate is used to connect to services only.	string	Readonly Enum: SERVICE_CERTIFICATE
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
details	list of X509Certificates.	array of X509Certificate	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
has_private_key	whether we have the private key for this certificate.	boolean	Required Readonly Default: "False"
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	pem encoded certificate data.	string	Required
purpose	Purpose of this certificate. Can be empty or set to "signing-ca".	string	Readonly Enum: signing-ca
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCertificate	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
tls_certificate_type	Classification of the TlsCertificate helps differentiate how a TlsCertificate could be used for various components either as a client trust certificate; CERTIFICATE_CA, or as a server identity certificate; CERTIFICATE_SIGNED,or CERTIFICATE_SELF_SIGNED.	string	Readonly Enum: CERTIFICATE_CA, CERTIFICATE_SIGNED, CERTIFICATE_SELF_SIGNED
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "TlsCertificate", "id": "669f4e8f-061e-4c73-8cfb-1044181eb365", "display_name": "example-csr-id", "path": "/infra/certificates/669f4e8f-061e-4c73-8cfb-1044181eb365", "parent_path": "/infra", "relative_path": "669f4e8f-061e-4c73-8cfb-1044181eb365", "details": [ { "issuer_cn": "Jane", "public_key_length": 1024, "signature": "4e cf ff 36 ac a1", "not_before": 1323772715000, "subject": "CN=Jane,O=VMware,OU=NSBU,ST=CA,C=US,PA=L", "serial_number": "ca55f5e21a0b2dd2", "public_key_algo": "RSA", "version": "1", "issuer": "CN=Jane,O=VMware,OU=NSBU,ST=CA,C=US,PA=L", "is_ca": false, "subject_cn": "Jane", "not_after": 1355308715000, "is_valid": false, "rsa_public_key_exponent": "10001", "signature_algorithm": "SHA1WITHRSA", "rsa_public_key_modulus": "00 b7 8f 79 e4" } ], "pem_encoded": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n", "has_private_key": true, "tls_certificate_type": "CERTIFICATE_SELF_SIGNED", "unique_id": "669f4e8f-061e-4c73-8cfb-1044181eb365", "realization_id": "669f4e8f-061e-4c73-8cfb-1044181eb365", "marked_for_delete": false, "overridden": false, "_create_user": "admin", "_create_time": 1516338671237, "_last_modified_user": "admin", "_last_modified_time": 1516338671237, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Certificates: Certificates

Associated URIs:

GET /policy/api/v1/infra/cabundles
DELETE /policy/api/v1/infra/cabundles/{cabundle-id}
GET /policy/api/v1/infra/cabundles/{cabundle-id}
PATCH /policy/api/v1/infra/cabundles/{cabundle-id}
POST /policy/api/v1/infra/cabundles/{cabundle-id}
PUT /policy/api/v1/infra/cabundles/{cabundle-id}
GET /policy/api/v1/infra/cabundles/{cabundle-id}/pem-file
GET /policy/api/v1/infra/certificates
GET /policy/api/v1/global-infra/certificates
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/certificates
DELETE /policy/api/v1/infra/certificates/{certificate-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/certificates/{certificate-id}
GET /policy/api/v1/infra/certificates/{certificate-id}
GET /policy/api/v1/global-infra/certificates/{certificate-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/certificates/{certificate-id}
PATCH /policy/api/v1/infra/certificates/{certificate-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/certificates/{certificate-id}
PUT /policy/api/v1/infra/certificates/{certificate-id}
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/certificates/{certificate-id}

Returns information about all the CA bundles

Returns information about all the bundles of trusted CA certificates.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/cabundles

Request Headers:

n/a

Query Parameters:

ListCertParameter+

ListCertParameter (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
details	whether to expand the pem data and show all its details	boolean	Default: "False"
fmt		CertificateFormatParameter
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
node_id	Node ID of certificate to return Provide this parameter to limit the list of returned certificates to those matching a particular node ID.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
type	Type of certificate to return Provide this parameter to limit the list of returned certificates to those matching a particular usage. Passing cluster_certificate will return the certificate used for the cluster wide API service.	string	Enum: cluster_api_certificate, api_certificate

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/cabundles Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

CaBundleListResult+

Example Response: { "result_count": 2, "results": [ { "_create_time": 0, "_create_user": "unknown", "_last_modified_time": 0, "_last_modified_user": "unknown", "_protection": "NOT_PROTECTED", "_revision": 0, "_system_owned": false, "display_name": "example-cabundle-id", "earliest_not_after": 1688688782000, "id": "example-cabundle-id", "marked_for_delete": false, "not_after_list": [1688688782000, ...], "overridden": false, "parent_path": "/infra", "path": "/infra/cabundles/example-cabundle-id", "relative_path": "example-cabundle-id", "resource_type": "CaBundle", "unique_id": "b829537a-fcdb-4349-b5e1-53fb40f69a8c" }, { "_create_time": 1611941474997, "_create_user": "unknown", "_last_modified_time": 1611941474997, "_last_modified_user": "unknown", "_protection": "NOT_PROTECTED", "_revision": 0, "_system_owned": true, "display_name": "default_trusted_public_ca_bundle", "earliest_not_after": 1616006013000, "id": "default_trusted_public_ca_bundle", "marked_for_delete": false, "not_after_list": [2289338164000, ...], "overridden": false, "parent_path": "/infra", "path": "/infra/cabundles/default_trusted_public_ca_bundle", "relative_path": "default_trusted_public_ca_bundle", "resource_type": "CaBundle", "unique_id": "293185d4-07e5-4a5e-b7b8-bd3a86fa270e"}], } ] } Required Permissions: read Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Adds or replaces a CA bundle

Adds or replaces a new bundle of trusted CA certificates.
The bundle must be a concatenation of one or more
PEM-encoded certificates.
Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/cabundles/{cabundle-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

CaBundle+

CaBundle (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificates	X509Certificates in the bundle	array of X509Certificate	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
earliest_not_after	The earliest time in epoch milliseconds at which a certificate becomes invalid.	EpochMsTimestamp	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
not_after_list	Times for each certificate in the bundle at which the certificate becomes invalid.	array of EpochMsTimestamp	Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM-encoded CA bundle certificates.	string	Required
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value CaBundle	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/cabundles/example-cabundle-id { "pem_encoded": "-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----", } Successful Response:

Response Code:

201 Created

Response Headers:

Content-type: application/json

Response Body:

CaBundle+

CaBundle (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificates	X509Certificates in the bundle	array of X509Certificate	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
earliest_not_after	The earliest time in epoch milliseconds at which a certificate becomes invalid.	EpochMsTimestamp	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
not_after_list	Times for each certificate in the bundle at which the certificate becomes invalid.	array of EpochMsTimestamp	Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM-encoded CA bundle certificates.	string	Required
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value CaBundle	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

CaBundle+

CaBundle (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificates	X509Certificates in the bundle	array of X509Certificate	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
earliest_not_after	The earliest time in epoch milliseconds at which a certificate becomes invalid.	EpochMsTimestamp	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
not_after_list	Times for each certificate in the bundle at which the certificate becomes invalid.	array of EpochMsTimestamp	Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM-encoded CA bundle certificates.	string	Required
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value CaBundle	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "_create_time": 0, "_create_user": "unknown", "_last_modified_time": 0, "_last_modified_user": "unknown", "_protection": "NOT_PROTECTED", "_revision": 0, "_system_owned": false, "display_name": "example-cabundle-id", "earliest_not_after": 1688688782000, "id": "example-cabundle-id", "marked_for_delete": false, "not_after_list": [1688688782000, ...], "overridden": false, "parent_path": "/infra", "path": "/infra/cabundles/example-cabundle-id", "relative_path": "example-cabundle-id", "resource_type": "CaBundle", "unique_id": "b829537a-fcdb-4349-b5e1-53fb40f69a8c" } Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Adds or updates a CA bundle

Adds or updates a new bundle of trusted CA certificates.
The bundle must be a concatenation of one or more
PEM-encoded certificates. The PEM-encoded bundle is replaced
with the one provided in the request.
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/cabundles/{cabundle-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

CaBundle+

CaBundle (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificates	X509Certificates in the bundle	array of X509Certificate	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
earliest_not_after	The earliest time in epoch milliseconds at which a certificate becomes invalid.	EpochMsTimestamp	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
not_after_list	Times for each certificate in the bundle at which the certificate becomes invalid.	array of EpochMsTimestamp	Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM-encoded CA bundle certificates.	string	Required
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value CaBundle	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/cabundles/example-cabundle-id { "pem_encoded": "-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----", } Successful Response:

Response Code:

201 Created

Response Headers:

Content-type: application/json

Response Body:

CaBundle+

CaBundle (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificates	X509Certificates in the bundle	array of X509Certificate	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
earliest_not_after	The earliest time in epoch milliseconds at which a certificate becomes invalid.	EpochMsTimestamp	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
not_after_list	Times for each certificate in the bundle at which the certificate becomes invalid.	array of EpochMsTimestamp	Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM-encoded CA bundle certificates.	string	Required
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value CaBundle	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

CaBundle+

CaBundle (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificates	X509Certificates in the bundle	array of X509Certificate	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
earliest_not_after	The earliest time in epoch milliseconds at which a certificate becomes invalid.	EpochMsTimestamp	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
not_after_list	Times for each certificate in the bundle at which the certificate becomes invalid.	array of EpochMsTimestamp	Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM-encoded CA bundle certificates.	string	Required
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value CaBundle	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "_create_time": 0, "_create_user": "unknown", "_last_modified_time": 0, "_last_modified_user": "unknown", "_protection": "NOT_PROTECTED", "_revision": 1, "_system_owned": false, "display_name": "example-cabundle-id", "earliest_not_after": 1688688782000, "id": "example-cabundle-id", "marked_for_delete": false, "not_after_list": [1688688782000, ...], "overridden": false, "parent_path": "/infra", "path": "/infra/cabundles/example-cabundle-id", "relative_path": "example-cabundle-id", "resource_type": "CaBundle", "unique_id": "b829537a-fcdb-4349-b5e1-53fb40f69a8c" } Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Adds or replaces a CA bundle

Adds or replaces a new bundle of trusted CA certificates.
The multipart-uploaded file must be a concatenation of one or more
PEM-encoded certificates.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/cabundles/{cabundle-id}

Request Headers:

n/a

Query Parameters:

UploadFileRequestParameters+

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/cabundles/example-cabundle-id Content-Type: multipart/form-data; boundary=243332e4709e58a3bd679ef3c7b1259a --243332e4709e58a3bd679ef3c7b1259a Content-Disposition: form-data; name="file"; filename="example-cabundle.pem" -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- [...] --243332e4709e58a3bd679ef3c7b1259a-- Successful Response:

Response Code:

201 Created

Response Headers:

Content-type: application/json

Response Body:

CaBundle+

CaBundle (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificates	X509Certificates in the bundle	array of X509Certificate	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
earliest_not_after	The earliest time in epoch milliseconds at which a certificate becomes invalid.	EpochMsTimestamp	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
not_after_list	Times for each certificate in the bundle at which the certificate becomes invalid.	array of EpochMsTimestamp	Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM-encoded CA bundle certificates.	string	Required
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value CaBundle	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

CaBundle+

CaBundle (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificates	X509Certificates in the bundle	array of X509Certificate	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
earliest_not_after	The earliest time in epoch milliseconds at which a certificate becomes invalid.	EpochMsTimestamp	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
not_after_list	Times for each certificate in the bundle at which the certificate becomes invalid.	array of EpochMsTimestamp	Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM-encoded CA bundle certificates.	string	Required
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value CaBundle	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "_create_time": 0, "_create_user": "unknown", "_last_modified_time": 0, "_last_modified_user": "unknown", "_protection": "NOT_PROTECTED", "_revision": 0, "_system_owned": false, "display_name": "example-cabundle-id", "earliest_not_after": 1688688782000, "id": "example-cabundle-id", "marked_for_delete": false, "not_after_list": [1688688782000, ...], "overridden": false, "parent_path": "/infra", "path": "/infra/cabundles/example-cabundle-id", "relative_path": "example-cabundle-id", "resource_type": "CaBundle", "unique_id": "b829537a-fcdb-4349-b5e1-53fb40f69a8c" } Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Deletes CA bundle

Deletes the specified bundle of trusted CA certificates.
Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/cabundles/{cabundle-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/cabundles/example-cabundle-id Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Returns information about a CA bundle

Returns information about the specified bundle of trusted CA
certificates.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/cabundles/{cabundle-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/cabundles/example-cabundle-id Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

CaBundle+

CaBundle (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
certificates	X509Certificates in the bundle	array of X509Certificate	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
earliest_not_after	The earliest time in epoch milliseconds at which a certificate becomes invalid.	EpochMsTimestamp	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
not_after_list	Times for each certificate in the bundle at which the certificate becomes invalid.	array of EpochMsTimestamp	Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	PEM-encoded CA bundle certificates.	string	Required
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value CaBundle	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "_create_time": 0, "_create_user": "unknown", "_last_modified_time": 0, "_last_modified_user": "unknown", "_protection": "NOT_PROTECTED", "_revision": 0, "_system_owned": false, "certificates": [ { "is_ca": true, "is_valid": true, "issuer": "CN=test.local,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU", "issuer_cn": "test.local", "not_after": 1688688782000, "not_before": 1602202382000, "public_key_algo": "RSA", "public_key_length": 2048, "rsa_public_key_exponent": "10001", "rsa_public_key_modulus": "00 cf ...", "serial_number": "abffbac5ca0a1934357be127156f6615cc14400", "signature": "1e 81 ...", "signature_algorithm": "SHA256WITHRSA", "subject": "CN=test.local,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU", "subject_cn": "test.local", "version": "3", }, ... ], "display_name": "example-cabundle-id", "earliest_not_after": 1688688782000, "id": "example-cabundle-id", "marked_for_delete": false, "not_after_list": [1688688782000, ...], "overridden": false, "parent_path": "/infra", "path": "/infra/cabundles/example-cabundle-id", "relative_path": "example-cabundle-id", "resource_type": "CaBundle", "unique_id": "b829537a-fcdb-4349-b5e1-53fb40f69a8c" } Required Permissions: read Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Downloads a CA bundle

Downloads the specified PEM-encoded bundle of trusted CA certificates.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/cabundles/{cabundle-id}/pem-file

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/cabundles/example-cabundle-id Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: text/plain;charset=UTF-8

Response Body:

string

Example Response: -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- [...] Required Permissions: read Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return All the User-Facing Components' Certificates

Returns all certificate information viewable by the user, including each
certificate's id; pem_encoded data; and history of the
certificate (who created or modified it and when). For additional
information, include the ?details=true modifier at the end of the request
URI.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/certificates

/policy/api/v1/global-infra/certificates

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/certificates

Request Headers:

n/a

Query Parameters:

ListCertParameter+

ListCertParameter (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
details	whether to expand the pem data and show all its details	boolean	Default: "False"
fmt		CertificateFormatParameter
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
node_id	Node ID of certificate to return Provide this parameter to limit the list of returned certificates to those matching a particular node ID.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
type	Type of certificate to return Provide this parameter to limit the list of returned certificates to those matching a particular usage. Passing cluster_certificate will return the certificate used for the cluster wide API service.	string	Enum: cluster_api_certificate, api_certificate

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/certificates Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TlsCertificateList+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 2, "results": [ { "resource_type": "TlsCertificate", "id": "caCert", "display_name": "caCert", "path": "/infra/certificates/caCert", "parent_path": "/infra", "relative_path": "caCert", "details": [ ... ], "pem_encoded": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n", "has_private_key": false, "tls_certificate_type": "CERTIFICATE_CA", "_create_user": "admin", "_create_time": 1516329725649, "_last_modified_user": "admin", "_last_modified_time": 1516329725649, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 }, { "resource_type": "TlsCertificate", "id": "selfSignedCert", "display_name": "selfSignedCert", "path": "/infra/certificates/selfSignedCert", "parent_path": "/infra", "relative_path": "selfSignedCert", "details": [ { "issuer_cn": "vSM Test Certificate", "public_key_length": 1024, "signature": "4e cf ff 36 ac a1", "not_before": 1323772715000, "subject": "1.2.840.113549.1.9.1=#16076140622e636f6d,CN=vSM Test Certificate,OU=vShield,O=VMware,L=Pune,ST=Maharashtra,C=IN", "serial_number": "ca55f5e21a0b2dd2", "public_key_algo": "RSA", "version": "1", "issuer": "1.2.840.113549.1.9.1=#16076140622e636f6d,CN=vSM Test Certificate,OU=vShield,O=VMware,L=Pune,ST=Maharashtra,C=IN", "is_ca": false, "subject_cn": "vSM Test Certificate", "not_after": 1355308715000, "is_valid": false, "rsa_public_key_exponent": "10001", "signature_algorithm": "SHA1WITHRSA", "rsa_public_key_modulus": "00 b7 8f 79 e4" } ], "pem_encoded": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n", "has_private_key": true, "tls_certificate_type": "CERTIFICATE_SELF_SIGNED", "unique_id": "e523b4c0-c3c5-4656-80a1-36dd0fab38cb", "realization_id": "e523b4c0-c3c5-4656-80a1-36dd0fab38cb", "marked_for_delete": false, "overridden": false, "_create_user": "admin", "_create_time": 1516338671237, "_last_modified_user": "admin", "_last_modified_time": 1516338671237, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Add a New Certificate

Adds a new private-public certificate and, optionally, a private key that
can be applied to one of the user-facing components (appliance management
or edge). The certificate and the key should be stored in PEM format. If
no private key is provided, the certificate is used as a client
certificate in the trust store.
A private key can be uploaded for a CA certificate only if the "purpose"
parameter is set to "signing-ca".
A certificate chain will not be expanded
into separate certificate instances for reference, but would be pushed to
the enforcement point as a single certificate. This PUT method does
not modify an existing certificate.
Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/certificates/{certificate-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/certificates/{certificate-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

TlsTrustData+

TlsTrustData (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
key_algo	Key algorithm contained in this certificate.	string
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
passphrase	Password for private key encryption.	secure_string
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	pem encoded certificate data.	string	Required
private_key	private key data	secure_string
purpose	Purpose of this certificate. Can be empty or set to "signing-ca".	string	Enum: signing-ca
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsTrustData	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/certificates/selfSignedCert { "_revision":"0", "pem_encoded": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n", "private_key": "-----BEGIN RSA PRIVATE KEY----------END RSA PRIVATE KEY-----\n", "passphrase": "1234" } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TlsCertificate+

TlsCertificate (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
category	Category Category of certificate. This certificate is used to connect to services only.	string	Readonly Enum: SERVICE_CERTIFICATE
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
details	list of X509Certificates.	array of X509Certificate	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
has_private_key	whether we have the private key for this certificate.	boolean	Required Readonly Default: "False"
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	pem encoded certificate data.	string	Required
purpose	Purpose of this certificate. Can be empty or set to "signing-ca".	string	Readonly Enum: signing-ca
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCertificate	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
tls_certificate_type	Classification of the TlsCertificate helps differentiate how a TlsCertificate could be used for various components either as a client trust certificate; CERTIFICATE_CA, or as a server identity certificate; CERTIFICATE_SIGNED,or CERTIFICATE_SELF_SIGNED.	string	Readonly Enum: CERTIFICATE_CA, CERTIFICATE_SIGNED, CERTIFICATE_SELF_SIGNED
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "TlsCertificate", "id": "selfSignedCert", "display_name": "selfSignedCert", "path": "/infra/certificates/selfSignedCert", "parent_path": "/infra", "relative_path": "selfSignedCert", "details": [ { "issuer_cn": "vSM Test Certificate", "public_key_length": 1024, "signature": "4e cf ff 36 ac a1", "not_before": 1323772715000, "subject": "1.2.840.113549.1.9.1=#16076140622e636f6d,CN=vSM Test Certificate,OU=vShield,O=VMware,L=Pune,ST=Maharashtra,C=IN", "serial_number": "ca55f5e21a0b2dd2", "public_key_algo": "RSA", "version": "1", "issuer": "1.2.840.113549.1.9.1=#16076140622e636f6d,CN=vSM Test Certificate,OU=vShield,O=VMware,L=Pune,ST=Maharashtra,C=IN", "is_ca": false, "subject_cn": "vSM Test Certificate", "not_after": 1355308715000, "is_valid": false, "rsa_public_key_exponent": "10001", "signature_algorithm": "SHA1WITHRSA", "rsa_public_key_modulus": "00 b7 8f 79 e4" } ], "pem_encoded": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n", "has_private_key": true, "tls_certificate_type": "CERTIFICATE_SELF_SIGNED", "unique_id": "e523b4c0-c3c5-4656-80a1-36dd0fab38cb", "realization_id": "e523b4c0-c3c5-4656-80a1-36dd0fab38cb", "marked_for_delete": false, "overridden": false, "_create_user": "admin", "_create_time": 1516338671237, "_last_modified_user": "admin", "_last_modified_time": 1516338671237, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Add a New Certificate

Adds a new private-public certificate and, optionally, a private key that
can be applied to one of the user-facing components (appliance management
or edge). The certificate and the key should be stored in PEM format. If
no private key is provided, the certificate is used as a client
certificate in the trust store.
A private key can be uploaded for a CA certificate only if the "purpose"
parameter is set to "signing-ca".
A certificate chain will not be expanded
into separate certificate instances for reference, but would be pushed to
the enforcement point as a single certificate. This patch method does
not modify an existing certificate.
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/certificates/{certificate-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/certificates/{certificate-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

TlsTrustData+

TlsTrustData (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
key_algo	Key algorithm contained in this certificate.	string
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
passphrase	Password for private key encryption.	secure_string
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	pem encoded certificate data.	string	Required
private_key	private key data	secure_string
purpose	Purpose of this certificate. Can be empty or set to "signing-ca".	string	Enum: signing-ca
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsTrustData	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/certificates/certificate-1 { "pem_encoded": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n", "private_key": "-----BEGIN RSA PRIVATE KEY----------END RSA PRIVATE KEY-----\n", "passphrase": "1234" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Show Certificate Data for the Given Certificate ID

Returns information for the specified certificate ID, including the
certificate's id; pem_encoded data; and history of the
certificate (who created or modified it and when). For additional
information, include the ?details=true modifier at the end of the request
URI.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/certificates/{certificate-id}

/policy/api/v1/global-infra/certificates/{certificate-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/certificates/{certificate-id}

Request Headers:

n/a

Query Parameters:

GetCertParameter+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/certificates/selfSignedCertificate Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TlsCertificate+

TlsCertificate (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
category	Category Category of certificate. This certificate is used to connect to services only.	string	Readonly Enum: SERVICE_CERTIFICATE
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
details	list of X509Certificates.	array of X509Certificate	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
has_private_key	whether we have the private key for this certificate.	boolean	Required Readonly Default: "False"
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	pem encoded certificate data.	string	Required
purpose	Purpose of this certificate. Can be empty or set to "signing-ca".	string	Readonly Enum: signing-ca
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCertificate	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
tls_certificate_type	Classification of the TlsCertificate helps differentiate how a TlsCertificate could be used for various components either as a client trust certificate; CERTIFICATE_CA, or as a server identity certificate; CERTIFICATE_SIGNED,or CERTIFICATE_SELF_SIGNED.	string	Readonly Enum: CERTIFICATE_CA, CERTIFICATE_SIGNED, CERTIFICATE_SELF_SIGNED
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "TlsCertificate", "id": "selfSignedCert", "display_name": "selfSignedCert", "path": "/infra/certificates/selfSignedCert", "parent_path": "/infra", "relative_path": "selfSignedCert", "details": [ { "issuer_cn": "vSM Test Certificate", "public_key_length": 1024, "signature": "4e cf ff 36 ac a1", "not_before": 1323772715000, "subject": "1.2.840.113549.1.9.1=#16076140622e636f6d,CN=vSM Test Certificate,OU=vShield,O=VMware,L=Pune,ST=Maharashtra,C=IN", "serial_number": "ca55f5e21a0b2dd2", "public_key_algo": "RSA", "version": "1", "issuer": "1.2.840.113549.1.9.1=#16076140622e636f6d,CN=vSM Test Certificate,OU=vShield,O=VMware,L=Pune,ST=Maharashtra,C=IN", "is_ca": false, "subject_cn": "vSM Test Certificate", "not_after": 1355308715000, "is_valid": false, "rsa_public_key_exponent": "10001", "signature_algorithm": "SHA1WITHRSA", "rsa_public_key_modulus": "00 b7 8f 79 e4" } ], "pem_encoded": "-----BEGIN CERTIFICATE----------END CERTIFICATE-----\n", "has_private_key": true, "tls_certificate_type": "CERTIFICATE_SELF_SIGNED", "unique_id": "e523b4c0-c3c5-4656-80a1-36dd0fab38cb", "realization_id": "e523b4c0-c3c5-4656-80a1-36dd0fab38cb", "marked_for_delete": false, "overridden": false, "_create_user": "admin", "_create_time": 1516338671237, "_last_modified_user": "admin", "_last_modified_time": 1516338671237, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: read Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Certificate for the Given Certificate ID

Removes the specified certificate. The private key associated with the
certificate is also deleted.
Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/certificates/{certificate-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/certificates/{certificate-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/certificates/signedDigitalCert Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Certificates: Certification Revocation List

Associated URIs:

GET /policy/api/v1/infra/crls
GET /policy/api/v1/global-infra/crls
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls
DELETE /policy/api/v1/infra/crls/{crl-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}
GET /policy/api/v1/infra/crls/{crl-id}
GET /policy/api/v1/global-infra/crls/{crl-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}
PATCH /policy/api/v1/infra/crls/{crl-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}
POST /policy/api/v1/infra/crls/{crl-id}?action=import
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}?action=import
POST /policy/api/v1/infra/crls/{crl-id}?action=upload
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}?action=upload
PUT /policy/api/v1/infra/crls/{crl-id}
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}

Return All Added CRLs

Returns information about all CRLs. For additional information, include the
?details=true modifier at the end of the request URI.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/crls

/policy/api/v1/global-infra/crls

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls

Request Headers:

n/a

Query Parameters:

ListCertParameter+

ListCertParameter (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
details	whether to expand the pem data and show all its details	boolean	Default: "False"
fmt		CertificateFormatParameter
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
node_id	Node ID of certificate to return Provide this parameter to limit the list of returned certificates to those matching a particular node ID.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
type	Type of certificate to return Provide this parameter to limit the list of returned certificates to those matching a particular usage. Passing cluster_certificate will return the certificate used for the cluster wide API service.	string	Enum: cluster_api_certificate, api_certificate

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/crls?details=true Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TlsCrlListResult+

Example Response: { "result_count": 1, "results": [ { "resource_type": "TlsCrl", "display_name": "revoked certificates", "path": "/infra/crls/revokedCerts", "parent_path": "/infra", "relative_path": "revokedCerts", "pem_encoded": "-----BEGIN X509 CRL----------END X509 CRL-----\n", "details": { "next_update": "945220365000", "issuer": "1.2.840.113549.1.9.1=#161d726f6f744069676c6f6f2e6974732e756e696d656c622e6564752e6175,CN=igloo Certificate Authority,OU=Certificates Administration,O=igloo CA,L=Melbourne,ST=Victoria,C=AU", "version": "1" }, "crl_type": "X509", "unique_id": "511cf9cd-448b-4fa5-9bdf-a24a9dcba853", "realization_id": "511cf9cd-448b-4fa5-9bdf-a24a9dcba853", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 1, "_last_modified_user": "admin", "_last_modified_time": 1413387436438, "_create_time": 1413386249116, "_create_user": "admin" }, { "crl_type": "OneCRL", "one_crl": "{\"data\":[ <...> ]}", "details_revoked_by_issuer_and_serial_number": [ <...> ], "details_revoked_by_subject_and_public_key_hash": [ <...> ], "resource_type": "TlsCrl", "id": "default_public_crl", "display_name": "default_public_crl", "path": "/infra/crls/default_public_crl", "relative_path": "default_public_crl", "parent_path": "/infra", "unique_id": "91503436-5215-4d13-93e0-094c7473e30d", "realization_id": "91503436-5215-4d13-93e0-094c7473e30d", "marked_for_delete": false, "overridden": false, "_system_owned": true, "_create_user": "system", "_create_time": 1630097138768, "_last_modified_user": "admin", "_last_modified_time": 1630107914252, "_protection": "NOT_PROTECTED", "_revision": 1 }, ] } Required Permissions: read Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or patch a Certificate Revocation List

Create or patch a Certificate Revocation List for the given id. The CRL is used to
verify the client certificate status against the revocation lists published by the CA.
For this reason, the administrator needs to add the CRL in certificate repository as well.
The CRL must contain PEM data for a single CRL.
A CRL can be in the PEM X.509 format (crl_type=X509) or JSON OneCRL
(crl_type=OneCRL).
If crl_type is not specified, it is auto-detected based on the presence of
fields pem_encoded or one_crl.
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/crls/{crl-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

TlsCrl+

TlsCrl (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
crl_type	Type of CRL The type of the CRL. It can be "OneCRL" or "X509" (default).	string	Enum: OneCRL, X509 Default: "X509"
description	Description of this resource	string	Maximum length: 1024 Sortable
details	Details of the X509Crl object Details of the X509Crl object.	X509Crl	Readonly
details_revoked_by_issuer_and_serial_number	Certificates revoked by issuer and serial number	array of IssuerSerialNumber	Readonly
details_revoked_by_subject_and_public_key_hash	Certificates revoked by subject and public key hash	array of SubjectPublicKeyHash	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
one_crl	JSON-encoded OneCRL-like object	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	Pem encoded crl data Pem encoded crl data.	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCrl	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/crls/revokedCertsb { "display_name": "Revoked Certificates", "pem_encoded": "-----BEGIN X509 CRL----------END X509 CRL-----\n", "crl_type": "X509" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 Ok Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or fully replace a Certificate Revocation List

Create or replace a Certificate Revocation List for the given id. The CRL is used to
verify the client certificate status against the revocation lists published by the CA.
For this reason, the administrator needs to add the CRL in certificate repository as well.
The CRL must contain PEM data for a single CRL. Revision is required.
A CRL can be in the PEM X.509 format (crl_type=X509) or JSON OneCRL
(crl_type=OneCRL).
If crl_type is not specified, it is auto-detected based on the presence of
fields pem_encoded or one_crl.
Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/crls/{crl-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

TlsCrl+

TlsCrl (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
crl_type	Type of CRL The type of the CRL. It can be "OneCRL" or "X509" (default).	string	Enum: OneCRL, X509 Default: "X509"
description	Description of this resource	string	Maximum length: 1024 Sortable
details	Details of the X509Crl object Details of the X509Crl object.	X509Crl	Readonly
details_revoked_by_issuer_and_serial_number	Certificates revoked by issuer and serial number	array of IssuerSerialNumber	Readonly
details_revoked_by_subject_and_public_key_hash	Certificates revoked by subject and public key hash	array of SubjectPublicKeyHash	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
one_crl	JSON-encoded OneCRL-like object	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	Pem encoded crl data Pem encoded crl data.	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCrl	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/crls/revokedCerts { "display_name": "Revoked Certificates", "pem_encoded": "-----BEGIN X509 CRL----------END X509 CRL-----\n", "_revision": 1, "crl_type": "X509" } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TlsCrl+

TlsCrl (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
crl_type	Type of CRL The type of the CRL. It can be "OneCRL" or "X509" (default).	string	Enum: OneCRL, X509 Default: "X509"
description	Description of this resource	string	Maximum length: 1024 Sortable
details	Details of the X509Crl object Details of the X509Crl object.	X509Crl	Readonly
details_revoked_by_issuer_and_serial_number	Certificates revoked by issuer and serial number	array of IssuerSerialNumber	Readonly
details_revoked_by_subject_and_public_key_hash	Certificates revoked by subject and public key hash	array of SubjectPublicKeyHash	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
one_crl	JSON-encoded OneCRL-like object	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	Pem encoded crl data Pem encoded crl data.	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCrl	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "TlsCrl", "display_name": "revoked certificates", "path": "/infra/crls/revokedCerts", "parent_path": "/infra", "relative_path": "revokedCerts", "pem_encoded": "-----BEGIN X509 CRL----------END X509 CRL-----\n", "details": { "next_update": "945220365000", "issuer": "1.2.840.113549.1.9.1=#161d726f6f744069676c6f6f2e6974732e756e696d656c622e6564752e6175,CN=igloo Certificate Authority,OU=Certificates Administration,O=igloo CA,L=Melbourne,ST=Victoria,C=AU", "version": "1" }, "crl_type": "X509", "unique_id": "511cf9cd-448b-4fa5-9bdf-a24a9dcba853", "realization_id": "511cf9cd-448b-4fa5-9bdf-a24a9dcba853", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 1, "_last_modified_time": 1413386249116, "_create_time": 1413386249116, "_create_user": "admin", "_last_modified_user": "admin" } Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete a CRL

Deletes an existing CRL. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/crls/{crl-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/crls/revokedCerts Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Show CRL Data for the Given CRL id.

Returns information about the specified CRL. For additional information,
include the ?details=true modifier at the end of the request URI.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/crls/{crl-id}

/policy/api/v1/global-infra/crls/{crl-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}

Request Headers:

n/a

Query Parameters:

GetCertParameter+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/crls/revokedCerts?details=true Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TlsCrl+

TlsCrl (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
crl_type	Type of CRL The type of the CRL. It can be "OneCRL" or "X509" (default).	string	Enum: OneCRL, X509 Default: "X509"
description	Description of this resource	string	Maximum length: 1024 Sortable
details	Details of the X509Crl object Details of the X509Crl object.	X509Crl	Readonly
details_revoked_by_issuer_and_serial_number	Certificates revoked by issuer and serial number	array of IssuerSerialNumber	Readonly
details_revoked_by_subject_and_public_key_hash	Certificates revoked by subject and public key hash	array of SubjectPublicKeyHash	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
one_crl	JSON-encoded OneCRL-like object	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	Pem encoded crl data Pem encoded crl data.	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCrl	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "TlsCrl", "display_name": "revoked certificates", "path": "/infra/crls/revokedCerts", "parent_path": "/infra", "relative_path": "revokedCerts", "pem_encoded": "-----BEGIN X509 CRL----------END X509 CRL-----\n", "details": { "next_update": "945220365000", "issuer": "1.2.840.113549.1.9.1=#161d726f6f744069676c6f6f2e6974732e756e696d656c622e6564752e6175,CN=igloo Certificate Authority,OU=Certificates Administration,O=igloo CA,L=Melbourne,ST=Victoria,C=AU", "version": "1" }, "crl_type": "X509", "unique_id": "511cf9cd-448b-4fa5-9bdf-a24a9dcba853", "realization_id": "511cf9cd-448b-4fa5-9bdf-a24a9dcba853", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 1, "_last_modified_user": "admin", "_last_modified_time": 1413387436438, "_create_time": 1413386249116, "_create_user": "admin" } Required Permissions: read Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create a new Certificate Revocation List

Adds a new certificate revocation list (CRLs). The CRL is used to verify the client
certificate status against the revocation lists published by the CA. For this reason,
the administrator needs to add the CRL in certificate repository as well.
A CRL can be in the PEM X.509 format (crl_type=X509) or JSON OneCRL
(crl_type=OneCRL).
If crl_type is not specified, it is auto-detected based on the presence of
fields pem_encoded or one_crl.
An X.509 CRL can contain a single CRL or multiple CRLs depending on the PEM data.
- Single CRL: a single CRL is created with the given id.
- Composite CRL: multiple CRLs are generated. Each of the CRL is created with an id
generated based on the given id. First CRL is created with crl-id, second with crl-id-1,
third with crl-id-2, etc.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/crls/{crl-id}?action=import

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}?action=import

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

TlsCrl+

TlsCrl (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
crl_type	Type of CRL The type of the CRL. It can be "OneCRL" or "X509" (default).	string	Enum: OneCRL, X509 Default: "X509"
description	Description of this resource	string	Maximum length: 1024 Sortable
details	Details of the X509Crl object Details of the X509Crl object.	X509Crl	Readonly
details_revoked_by_issuer_and_serial_number	Certificates revoked by issuer and serial number	array of IssuerSerialNumber	Readonly
details_revoked_by_subject_and_public_key_hash	Certificates revoked by subject and public key hash	array of SubjectPublicKeyHash	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
one_crl	JSON-encoded OneCRL-like object	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	Pem encoded crl data Pem encoded crl data.	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCrl	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Response Code:

201 Created

Response Headers:

Content-type: application/json

Response Body:

TlsCrlListResult+

Example Response: { "results": [{ "resource_type": "TlsCrl", "display_name": "revoked certificates", "path": "/infra/crls/revokedCerts", "parent_path": "/infra", "relative_path": "revokedCerts", "pem_encoded": "-----BEGIN X509 CRL----------END X509 CRL-----\n", "crl_type": "X509", "unique_id": "511cf9cd-448b-4fa5-9bdf-a24a9dcba853", "realization_id": "511cf9cd-448b-4fa5-9bdf-a24a9dcba853", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0, "_last_modified_user": "admin", "_last_modified_time": 1413387436438, "_create_time": 1413386249116, "_create_user": "admin" }] } Required Permissions: crud Feature: policy_certificate Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Upload a new or updated Certificate Revocation List

Adds or replaces a certificate revocation list (CRLs). The CRL is used to verify the client
certificate status against the revocation lists published by the CA. For this reason,
the administrator needs to add the CRL in certificate repository as well.
A CRL can be in the PEM X.509 format (crl_type=X509) or JSON OneCRL
(crl_type=OneCRL).
If crl_type is not specified, it is auto-detected based on the upload content.
An X.509 CRL can contain a single CRL or multiple CRLs depending on the PEM data.
- Single CRL: a single CRL is created with the given id.
- Composite CRL: multiple CRLs are generated. Each of the CRL is created with an id
generated based on the given id. First CRL is created with crl-id, second with crl-id-1,
third with crl-id-2, etc.
Differently from action=import, this method allows multi-part upload of the CRL(s).
The TlsCrl resource returned in the body of the response will have an empty pem_encoded
field, as it may be large. Use a GET request to retrieve the PEM-encoded CRL.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/crls/{crl-id}?action=upload

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/crls/{crl-id}?action=upload

Request Headers:

n/a

Query Parameters:

UploadTlsCrlRequestParameters+

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/crls/revokedCerts?action=import Content-Type: multipart/form-data; boundary=2a8ae6ad-f4ad-4d9a-a92c-6d217011fe0f --2a8ae6ad-f4ad-4d9a-a92c-6d217011fe0f Content-Disposition: form-data; name="file"; filename="mycrl.pem" -----BEGIN X509 CRL----- -----END X509 CRL----- Successful Response:

Response Code:

201 Created

Response Headers:

Content-type: application/json

Response Body:

TlsCrl+

TlsCrl (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
crl_type	Type of CRL The type of the CRL. It can be "OneCRL" or "X509" (default).	string	Enum: OneCRL, X509 Default: "X509"
description	Description of this resource	string	Maximum length: 1024 Sortable
details	Details of the X509Crl object Details of the X509Crl object.	X509Crl	Readonly
details_revoked_by_issuer_and_serial_number	Certificates revoked by issuer and serial number	array of IssuerSerialNumber	Readonly
details_revoked_by_subject_and_public_key_hash	Certificates revoked by subject and public key hash	array of SubjectPublicKeyHash	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
one_crl	JSON-encoded OneCRL-like object	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	Pem encoded crl data Pem encoded crl data.	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCrl	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TlsCrl+

TlsCrl (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
crl_type	Type of CRL The type of the CRL. It can be "OneCRL" or "X509" (default).	string	Enum: OneCRL, X509 Default: "X509"
description	Description of this resource	string	Maximum length: 1024 Sortable
details	Details of the X509Crl object Details of the X509Crl object.	X509Crl	Readonly
details_revoked_by_issuer_and_serial_number	Certificates revoked by issuer and serial number	array of IssuerSerialNumber	Readonly
details_revoked_by_subject_and_public_key_hash	Certificates revoked by subject and public key hash	array of SubjectPublicKeyHash	Readonly
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
one_crl	JSON-encoded OneCRL-like object	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
pem_encoded	Pem encoded crl data Pem encoded crl data.	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value TlsCrl	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra

Policy: Infra: Constraints

Associated URIs:

GET /policy/api/v1/infra/constraints
GET /policy/api/v1/global-infra/constraints
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/constraints
DELETE /policy/api/v1/infra/constraints/{constraint-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/constraints/{constraint-id}
GET /policy/api/v1/infra/constraints/{constraint-id}
GET /policy/api/v1/global-infra/constraints/{constraint-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/constraints/{constraint-id}
PATCH /policy/api/v1/infra/constraints/{constraint-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/constraints/{constraint-id}
PUT /policy/api/v1/infra/constraints/{constraint-id}
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/constraints/{constraint-id}

List tenant Constraints.

List tenant constraints. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/constraints

/policy/api/v1/global-infra/constraints

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/constraints

Request Headers:

n/a

Query Parameters:

PolicyListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>policy/api/v1/infra/constraints Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ConstraintListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 3, "results": [ { "constraint_expression": { "resource_type": "RelatedAttributeConditionalExpression", "condition": { "value_constraint": { "resource_type": "ValueConstraintExpression", "values": [ "/infra/services/HTTP", "/infra/services/HTTPS" ], "operator": "INCLUDES", "_protection": "NOT_PROTECTED" }, "rhs_value": [ "/infra/domains/mgw/groups/VCENTER" ], "operator": "INCLUDES" }, "related_attribute": { "attribute": "destinationGroups" }, "_protection": "NOT_PROTECTED" }, "target": { "target_resource_type": "CommunicationEntry", "attribute": "services", "path_prefix": "/infra/domains/amar/edge-communication-maps/default/communication-entries/" }, "_protection": "NOT_PROTECTED" }, { "constraint_expression": { "resource_type": "ValueConstraintExpression", "values": [ "ALLOW" ], "operator": "EQUALS", "_protection": "NOT_PROTECTED" }, "target": { "target_resource_type": "CommunicationEntry", "attribute": "action", "path_prefix": "/infra/domains/amar/edge-communication-maps/default/communication-entries/" }, "_protection": "NOT_PROTECTED" }, { "constraint_expression": { "resource_type": "ValueConstraintExpression", "values": [ "/infra/domains/amar/groups/VCENTER" ], "operator": "INCLUDES", "_protection": "NOT_PROTECTED" }, "target": { "target_resource_type": "CommunicationEntry", "attribute": "destinationGroups", "path_prefix": "/infra/domains/amar/edge-communication-maps/default/communication-entries/" }, "_protection": "NOT_PROTECTED" }, { "constraint_expressions": [{ "resource_type": "EntityCountConstraintExpression", "target_resource_type": "Group", "operator": "<", "count" : 2 }, { "resource_type": "EntityCountConstraintExpression", "target_resource_type": "Vpc", "operator": "<", "count" : 2 }] "targets": [{ "path_prefix": "/orgs/org1/projects/project1/" }, { "path_prefix": "/orgs/org1/projects/project2/" }] "_protection": "NOT_PROTECTED" } ] } Required Permissions: read Feature: policy_constraints Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or update tenant Constraint

Create tenant constraint if it does not exist,
otherwise replace the existing constraint.
Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/constraints/{constraint-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/constraints/{constraint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

Constraint+

Constraint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
constraint_expression	Expression to constrain the target attribute value. This property is deprecated. Please use the "constraint_expressions" property instead to specify one or more constraint expressions. If this property is populated, then the "constraint_expressions" value is ignored.	ConstraintExpression (Abstract type: pass one of the following concrete types) EntityInstanceCountConstraintExpression FieldSanityConstraintExpression RelatedAttributeConditionalExpression ValueConstraintExpression	Deprecated
constraint_expressions	Expressions to constrain the target attribute value.	array of ConstraintExpression (Abstract type: pass one of the following concrete types) EntityInstanceCountConstraintExpression FieldSanityConstraintExpression RelatedAttributeConditionalExpression ValueConstraintExpression
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
message	User friendly message to be shown to users upon violation.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Constraint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
target	Target resource attribute details. This property is deprecated. Please use the "targets" property instead to specify one or more targets. If this property is populated, then the "targets" value is ignored.	ConstraintTarget	Deprecated
target_owner_type	Constraint target's owner type	string	Enum: GM, LM, ALL
targets	Collection of target resources attribute details.	array of ConstraintTarget
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>policy/api/v1/infra/constraints/value-constraint { "target":{ "target_resource_type":"CommunicationEntry", "attribute":"services", "path_prefix":"/infra/domains/{{DOMAIN}}/edge-communication-maps/default/communication-entries/" }, "constraint_expression":{ "resource_type":"RelatedAttributeConditionalExpression", "related_attribute":{ "attribute":"destinationGroups" }, "condition":{ "operator":"INCLUDES", "rhs_value":["/infra/domains/mgw/groups/VCENTER"], "value_constraint":{ "resource_type": "ValueConstraintExpression", "operator":"INCLUDES", "values":["/infra/services/HTTP", "/infra/services/HTTPS"] } } } } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Constraint+

Constraint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
constraint_expression	Expression to constrain the target attribute value. This property is deprecated. Please use the "constraint_expressions" property instead to specify one or more constraint expressions. If this property is populated, then the "constraint_expressions" value is ignored.	ConstraintExpression (Abstract type: pass one of the following concrete types) EntityInstanceCountConstraintExpression FieldSanityConstraintExpression RelatedAttributeConditionalExpression ValueConstraintExpression	Deprecated
constraint_expressions	Expressions to constrain the target attribute value.	array of ConstraintExpression (Abstract type: pass one of the following concrete types) EntityInstanceCountConstraintExpression FieldSanityConstraintExpression RelatedAttributeConditionalExpression ValueConstraintExpression
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
message	User friendly message to be shown to users upon violation.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Constraint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
target	Target resource attribute details. This property is deprecated. Please use the "targets" property instead to specify one or more targets. If this property is populated, then the "targets" value is ignored.	ConstraintTarget	Deprecated
target_owner_type	Constraint target's owner type	string	Enum: GM, LM, ALL
targets	Collection of target resources attribute details.	array of ConstraintTarget
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "constraint_expressions": [{ "resource_type": "RelatedAttributeConditionalExpression", "condition": { "value_constraint": { "resource_type": "ValueConstraintExpression", "values": [ "/infra/services/HTTP", "/infra/services/HTTPS" ], "operator": "INCLUDES", "_protection": "NOT_PROTECTED" }, "rhs_value": [ "/infra/domains/mgw/groups/VCENTER" ], "operator": "INCLUDES" }, "related_attribute": { "attribute": "destinationGroups" }, "_protection": "NOT_PROTECTED" }], "targets": [{ "target_resource_type": "CommunicationEntry", "attribute": "services", "path_prefix": "/infra/domains/amar/edge-communication-maps/default/communication-entries/" }], "_protection": "NOT_PROTECTED" } Required Permissions: crud Feature: policy_constraints Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or update tenant Constraint

Create tenant constraint if not exists, otherwise update the existing constraint.
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/constraints/{constraint-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/constraints/{constraint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

Constraint+

Constraint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
constraint_expression	Expression to constrain the target attribute value. This property is deprecated. Please use the "constraint_expressions" property instead to specify one or more constraint expressions. If this property is populated, then the "constraint_expressions" value is ignored.	ConstraintExpression (Abstract type: pass one of the following concrete types) EntityInstanceCountConstraintExpression FieldSanityConstraintExpression RelatedAttributeConditionalExpression ValueConstraintExpression	Deprecated
constraint_expressions	Expressions to constrain the target attribute value.	array of ConstraintExpression (Abstract type: pass one of the following concrete types) EntityInstanceCountConstraintExpression FieldSanityConstraintExpression RelatedAttributeConditionalExpression ValueConstraintExpression
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
message	User friendly message to be shown to users upon violation.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Constraint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
target	Target resource attribute details. This property is deprecated. Please use the "targets" property instead to specify one or more targets. If this property is populated, then the "targets" value is ignored.	ConstraintTarget	Deprecated
target_owner_type	Constraint target's owner type	string	Enum: GM, LM, ALL
targets	Collection of target resources attribute details.	array of ConstraintTarget
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: 1. PATCH https://<policy-mgr>policy/api/v1/infra/constraints/related-attribute-constraint { "targets":[{ "target_resource_type":"CommunicationEntry", "attribute":"services", "path_prefix": "/infra/domains/{{DOMAIN}}/edge-communication-maps/default/communication-entries/" }], "constraint_expressions": [{ "resource_type": "RelatedAttributeConditionalExpression", "related_attribute":{ "attribute":"destinationGroups" }, "condition" : { "operator":"INCLUDES", "rhs_value": ["/infra/domains/mgw/groups/VCENTER"], "value_constraint": { "resource_type": "ValueConstraintExpression", "operator":"INCLUDES", "values":["/infra/services/HTTP", "/infra/services/HTTPS"] } } }] } 2. PATCH https://<policy-mgr>policy/api/v1/infra/constraints/sanity { "targets": [{ "target_resource_type": "DnsForwarderZone", "attribute": "upstreamServers", "path_prefix": "/infra/dns-forwarder-zones/" }], "constraint_expressions": [{ "resource_type": "FieldSanityConstraintExpression", "operator": "OR", "checks": ["ALL_PUBLIC_IPS", "ALL_PRIVATE_IPS"] }] } 3. PATCH https://<policy-mgr>policy/api/v1/orgs/default/projects/project-1/infra/constraints/vpc-1-quota { "display_name": "Vpc-1 Quota", "constraint_expressions": [{ "resource_type": "EntityInstanceCountConstraintExpression", "target_resource_type": "Group", "count": 100, "operator": "<=" }, { "resource_type": "EntityInstanceCountConstraintExpression", "target_resource_type": "VpcSubnet", "count": 10, "operator": "<=" }], "targets": [{ "path_prefix": "/orgs/default/projects/project-1/vpcs/vpc-1/" }] } 4. PATCH https://<policy-mgr>policy/api/v1/infra/constraints/related-attribute-constraint { "targets":[{ "target_resource_type":"SecurityPolicy.Rule", "attribute":"services", "path_prefix": "/infra/domains/{{DOMAIN}}/security-policies/default/rules/rule1" }], "constraint_expressions": [{ "resource_type": "RelatedAttributeConditionalExpression", "related_attribute":{ "attribute":"destinationGroups" }, "condition" : { "operator":"INCLUDES", "rhs_value": ["/infra/domains/mgw/groups/VCENTER"], "value_constraint": { "resource_type": "ValueConstraintExpression", "operator":"INCLUDES", "values":["/infra/services/HTTP", "/infra/services/HTTPS"] } } }] } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_constraints Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read tenant Constraint.

Read tenant constraint. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/constraints/{constraint-id}

/policy/api/v1/global-infra/constraints/{constraint-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/constraints/{constraint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>policy/api/v1/infra/constraints/related-attribute-constraint Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Constraint+

Constraint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
constraint_expression	Expression to constrain the target attribute value. This property is deprecated. Please use the "constraint_expressions" property instead to specify one or more constraint expressions. If this property is populated, then the "constraint_expressions" value is ignored.	ConstraintExpression (Abstract type: pass one of the following concrete types) EntityInstanceCountConstraintExpression FieldSanityConstraintExpression RelatedAttributeConditionalExpression ValueConstraintExpression	Deprecated
constraint_expressions	Expressions to constrain the target attribute value.	array of ConstraintExpression (Abstract type: pass one of the following concrete types) EntityInstanceCountConstraintExpression FieldSanityConstraintExpression RelatedAttributeConditionalExpression ValueConstraintExpression
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
message	User friendly message to be shown to users upon violation.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Constraint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
target	Target resource attribute details. This property is deprecated. Please use the "targets" property instead to specify one or more targets. If this property is populated, then the "targets" value is ignored.	ConstraintTarget	Deprecated
target_owner_type	Constraint target's owner type	string	Enum: GM, LM, ALL
targets	Collection of target resources attribute details.	array of ConstraintTarget
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "constraint_expressions": [{ "resource_type": "RelatedAttributeConditionalExpression", "condition": { "value_constraint": { "resource_type": "ValueConstraintExpression", "values": [ "/infra/services/HTTP", "/infra/services/HTTPS" ], "operator": "INCLUDES", "_protection": "NOT_PROTECTED" }, "rhs_value": [ "/infra/domains/mgw/groups/VCENTER" ], "operator": "INCLUDES" }, "related_attribute": { "attribute": "destinationGroups" }, "_protection": "NOT_PROTECTED" }], "targets": [{ "target_resource_type": "CommunicationEntry", "attribute": "services", "path_prefix": "/infra/domains/amar/edge-communication-maps/default/communication-entries/" }], "_protection": "NOT_PROTECTED" } Required Permissions: read Feature: policy_constraints Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete tenant Constraint.

Delete tenant constraint. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/constraints/{constraint-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/constraints/{constraint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>policy/api/v1/infra/constraints/related-attribute-constraint Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_constraints Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Deployment Zones

Associated URIs:

GET /policy/api/v1/infra/deployment-zones (Deprecated)
GET /policy/api/v1/infra/deployment-zones/{deployment-zone-id} (Deprecated)

List Deployment Zones for infra (Deprecated)

Paginated list of all Deployment zones for infra.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/deployment-zones

Request Headers:

n/a

Query Parameters:

DeploymentZoneListRequestParameters+

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentZoneListResult+

Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read a DeploymentZone (Deprecated)

Read a Deployment Zone.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/deployment-zones/{deployment-zone-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DeploymentZone+

DeploymentZone (schema) (Deprecated)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildEnforcementPoint
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforcement_points	Logical grouping of enforcement points	array of EnforcementPoint
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value DeploymentZone	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Domains

Policy: Infra: Domains: Domain

Associated URIs:

GET /policy/api/v1/infra/domains
GET /policy/api/v1/global-infra/domains
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains
DELETE /policy/api/v1/infra/domains/{domain-id}
GET /policy/api/v1/infra/domains/{domain-id}
GET /policy/api/v1/global-infra/domains/{domain-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}
PATCH /policy/api/v1/infra/domains/{domain-id}
PUT /policy/api/v1/infra/domains/{domain-id}

List domains for infra

Paginated list of all domains for infra.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains

/policy/api/v1/global-infra/domains

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains

Request Headers:

n/a

Query Parameters:

DomainListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DomainListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type": "Domain", "description": "VMC Domain", "id": "vmc", "display_name": "VMC domain", "path": "/infra/domains/vmc", "parent_path": "/infra/domains/vmc", "relative_path": "vmc", "_create_user": "admin", "_create_time": 1517307910473, "_last_modified_user": "admin", "_last_modified_time": 1517307910473, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: domain_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or update a domain

If a domain with the domain-id is not already present, create a new
domain. If it already exists, update the domain including the nested
groups. This is a full replace
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

Domain+

Domain (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildBridgeFirewallPolicy ChildCommunicationMap ChildDomainDeploymentMap ChildEndpointPolicy ChildGatewayPolicy ChildGroup ChildIdsGatewayPolicy ChildIdsSecurityPolicy ChildRedirectionPolicy ChildSecurityPolicy
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Domain	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/domains/vmc { "description": "VMC Domain", "display_name": "VMC domain", "_revision":0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Domain+

Domain (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildBridgeFirewallPolicy ChildCommunicationMap ChildDomainDeploymentMap ChildEndpointPolicy ChildGatewayPolicy ChildGroup ChildIdsGatewayPolicy ChildIdsSecurityPolicy ChildRedirectionPolicy ChildSecurityPolicy
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Domain	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "Domain", "description": "VMC Domain", "id": "vmc", "display_name": "VMC domain", "path": "/infra/domains/vmc", "parent_path": "/infra/domains/vmc", "relative_path": "vmc", "_create_user": "admin", "_create_time": 1517307910473, "_last_modified_user": "admin", "_last_modified_time": 1517307910473, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: domain_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a domain

If a domain with the domain-id is not already present, create a new
domain. If it already exists, patch the domain
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

Domain+

Domain (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildBridgeFirewallPolicy ChildCommunicationMap ChildDomainDeploymentMap ChildEndpointPolicy ChildGatewayPolicy ChildGroup ChildIdsGatewayPolicy ChildIdsSecurityPolicy ChildRedirectionPolicy ChildSecurityPolicy
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Domain	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/domains/vmc { "description": "VMC Domain Patched", "display_name": "VMC domain", "_revision":0 } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: domain_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read domain

Read a domain.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}

/policy/api/v1/global-infra/domains/{domain-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/vmc Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Domain+

Domain (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildBridgeFirewallPolicy ChildCommunicationMap ChildDomainDeploymentMap ChildEndpointPolicy ChildGatewayPolicy ChildGroup ChildIdsGatewayPolicy ChildIdsSecurityPolicy ChildRedirectionPolicy ChildSecurityPolicy
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Domain	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Domain and all the entities contained by this domain

Delete the domain along with all the entities contained by this domain.
The groups that are a part of this domain are also deleted along with
the domain.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/domains/vmc Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: domain_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Domains: Domain Deployment Maps

Associated URIs:

GET /policy/api/v1/infra/domains/{domain-id}/domain-deployment-maps
GET /policy/api/v1/global-infra/domains/{domain-id}/domain-deployment-maps
DELETE /policy/api/v1/infra/domains/{domain-id}/domain-deployment-maps/{domain-deployment-map-id}
GET /policy/api/v1/infra/domains/{domain-id}/domain-deployment-maps/{domain-deployment-map-id}
GET /policy/api/v1/global-infra/domains/{domain-id}/domain-deployment-maps/{domain-deployment-map-id}
PATCH /policy/api/v1/infra/domains/{domain-id}/domain-deployment-maps/{domain-deployment-map-id}
PUT /policy/api/v1/infra/domains/{domain-id}/domain-deployment-maps/{domain-deployment-map-id}

List Domain Deployment maps for infra

Paginated list of all Domain Deployment Entries for infra.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/domain-deployment-maps

/policy/api/v1/global-infra/domains/{domain-id}/domain-deployment-maps

Request Headers:

n/a

Query Parameters:

DomainDeploymentMapListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains//domain-deployment-maps Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DomainDeploymentMapListResult+

Example Response: { "results": [ { "enforcement_point_path": "/infra/sites/default/enforcement-points/default", "resource_type": "DomainDeploymentMap", "id": "ddm5", "display_name": "ddm5", "path": "/infra/domains/SecureWorkload/domain-deployment-maps/ddm5", "relative_path": "ddm5", "parent_path": "/infra/domains/SecureWorkload", "unique_id": "f7aef601-4e4b-420f-8fe2-a3d1ab709ae7", "marked_for_delete": false, "overridden": false, "_create_user": "admin", "_create_time": 1604097081666, "_last_modified_user": "admin", "_last_modified_time": 1604097081669, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ], "result_count": 1, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: domain_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create a new Domain Deployment Map under infra

If the passed Domain Deployment Map does not already exist, create a new Domain Deployment Map.
If it already exist, replace it.
Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/domain-deployment-maps/{domain-deployment-map-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

DomainDeploymentMap+

DomainDeploymentMap (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforcement_point_path	Absolute path of enforcement point Path of enforcement point on which domain shall be enforced.	string	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value DomainDeploymentMap	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/domains//domain-deployment-maps/ { "enforcement_point":"/infra/deployment-zones/default/enforcement-points/nsxt-ep", "_revision": 0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DomainDeploymentMap+

DomainDeploymentMap (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforcement_point_path	Absolute path of enforcement point Path of enforcement point on which domain shall be enforced.	string	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value DomainDeploymentMap	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "enforcement_point_path": "/infra/sites/default/enforcement-points/default", "resource_type": "DomainDeploymentMap", "id": "ddm1", "display_name": "ddm1", "path": "/infra/domains/SecureWorkload/domain-deployment-maps/ddm1", "relative_path": "ddm1", "parent_path": "/infra/domains/SecureWorkload", "unique_id": "bc9a38cf-7807-4f53-9bf3-d1140d1fc5db", "marked_for_delete": false, "overridden": false, "_create_user": "admin", "_create_time": 1604096029230, "_last_modified_user": "admin", "_last_modified_time": 1604096029236, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: domain_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch Domain Deployment Map under infra

If the passed Domain Deployment Map does not already exist, create a new Domain Deployment Map.
If it already exist, patch it.
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/domain-deployment-maps/{domain-deployment-map-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

DomainDeploymentMap+

DomainDeploymentMap (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforcement_point_path	Absolute path of enforcement point Path of enforcement point on which domain shall be enforced.	string	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value DomainDeploymentMap	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/domains//domain-deployment-maps/ { "enforcement_point":"/infra/deployment-zones/default/enforcement-points/nsxt-ep", "_revision": 0 } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: { "enforcement_point_path": "/infra/sites/default/enforcement-points/default", "resource_type": "DomainDeploymentMap", "id": "ddm5", "display_name": "ddm5", "path": "/infra/domains/SecureWorkload/domain-deployment-maps/ddm5", "relative_path": "ddm5", "parent_path": "/infra/domains/SecureWorkload", "unique_id": "f7aef601-4e4b-420f-8fe2-a3d1ab709ae7", "marked_for_delete": false, "overridden": false, "_create_user": "admin", "_create_time": 1604097081666, "_last_modified_user": "admin", "_last_modified_time": 1604097081669, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: domain_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read a DomainDeploymentMap

Read a Domain Deployment Map
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/domain-deployment-maps/{domain-deployment-map-id}

/policy/api/v1/global-infra/domains/{domain-id}/domain-deployment-maps/{domain-deployment-map-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains//domain-deployment-maps/ Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DomainDeploymentMap+

DomainDeploymentMap (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforcement_point_path	Absolute path of enforcement point Path of enforcement point on which domain shall be enforced.	string	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value DomainDeploymentMap	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Domain Deployment Map

Delete Domain Deployment Map Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/domain-deployment-maps/{domain-deployment-map-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/domains//domain-deployment-maps/ Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: domain_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points

Associated URIs:

GET /policy/api/v1/infra/deployment-zones/{deployment-zone-id}/enforcement-points (Deprecated)
DELETE /policy/api/v1/infra/deployment-zones/{deployment-zone-id}/enforcement-points/{enforcementpoint-id} (Deprecated)
GET /policy/api/v1/infra/deployment-zones/{deployment-zone-id}/enforcement-points/{enforcementpoint-id} (Deprecated)
PATCH /policy/api/v1/infra/deployment-zones/{deployment-zone-id}/enforcement-points/{enforcementpoint-id} (Deprecated)
PUT /policy/api/v1/infra/deployment-zones/{deployment-zone-id}/enforcement-points/{enforcementpoint-id} (Deprecated)
GET /policy/api/v1/infra/sites/{site-id}/enforcement-points
GET /policy/api/v1/global-infra/sites/{site-id}/enforcement-points
POST /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcement-point-id}?action=full-sync
DELETE /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}
GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}
GET /policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}
PATCH /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}
POST /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}?action=reload
PUT /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}
GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters
GET /policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters
GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}
GET /policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}

List enforcementpoints for infra (Deprecated)

Paginated list of all enforcementpoints for infra.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/deployment-zones/{deployment-zone-id}/enforcement-points

Request Headers:

n/a

Query Parameters:

EnforcementPointListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/deployment-zones/default/enforcement-points Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

EnforcementPointListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type": "EnforcementPoint", "id": "nsxt-ep", "display_name": "/infra/deployment-zones/default/enforcement-points/nsxt-ep", "path": "/infra/deployment-zones/default/enforcement-points/nsxt-ep", "parent_path": "/infra/deployment-zones/default", "relative_path": "nsxt-ep", "connection_info": { "resource_type": "NSXTConnectionInfo", "enforcement_point_address": "10.192.201.163", "transport_zone_ids": [ "992759f9-434a-45ea-9347-2ff45fba1f31" ], "edge_cluster_ids": [ "ad79b022-69bd-4bd9-969a-273627690bd9" ], "thumbprint": "f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" }, "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } ] } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create/update a new Enforcement Point under infra (Deprecated)

If the passed Enforcement Point does not already exist, create a new Enforcement Point.
If it already exists, replace it.
Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/deployment-zones/{deployment-zone-id}/enforcement-points/{enforcementpoint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

EnforcementPoint+

EnforcementPoint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
auto_enforce	Auto Enforce Flag Auto enforce flag suggests whether the policy objects shall be automatically enforced on this enforcement point or not. When this flag is set to true, all policy objects will be automatically enforced on this enforcement point. If this flag is set to false, user shall rely on the usual means of realization, i.e., deployment maps.	boolean	Default: "True"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildClusterControlPlane ChildHostTransportNode ChildHostTransportNodeCollection ChildPolicyEdgeCluster ChildPolicyEdgeHighAvailabilityProfile ChildPolicyEdgeTransportNode ChildPolicyFailureDomain ChildPolicyTransportZone ChildSubCluster
connection_info	Enforcement Point Connection Info Connection Info of the Enforcement Point.	EnforcementPointConnectionInfo (Abstract type: pass one of the following concrete types) AviConnectionInfo CvxConnectionInfo NSXTConnectionInfo NSXVConnectionInfo	Required
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EnforcementPoint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Enforcement point Version Version of the Enforcement point.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/deployment-zones/default/enforcement-points/nsxt-ep { "connection_info": { "enforcement_point_address":"10.192.201.163", "resource_type":"NSXTConnectionInfo", "username":"admin", "password":"Admin!23Admin", "thumbprint":"f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4", "transport_zone_ids": [ "992759f9-434a-45ea-9347-2ff45fba1f31" ], "edge_cluster_ids": [ "ad79b022-69bd-4bd9-969a-273627690bd9" ] }, "_revision" : 0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

EnforcementPoint+

EnforcementPoint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
auto_enforce	Auto Enforce Flag Auto enforce flag suggests whether the policy objects shall be automatically enforced on this enforcement point or not. When this flag is set to true, all policy objects will be automatically enforced on this enforcement point. If this flag is set to false, user shall rely on the usual means of realization, i.e., deployment maps.	boolean	Default: "True"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildClusterControlPlane ChildHostTransportNode ChildHostTransportNodeCollection ChildPolicyEdgeCluster ChildPolicyEdgeHighAvailabilityProfile ChildPolicyEdgeTransportNode ChildPolicyFailureDomain ChildPolicyTransportZone ChildSubCluster
connection_info	Enforcement Point Connection Info Connection Info of the Enforcement Point.	EnforcementPointConnectionInfo (Abstract type: pass one of the following concrete types) AviConnectionInfo CvxConnectionInfo NSXTConnectionInfo NSXVConnectionInfo	Required
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EnforcementPoint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Enforcement point Version Version of the Enforcement point.	string	Readonly

Example Response: { "resource_type": "EnforcementPoint", "id": "nsxt-ep", "display_name": "/infra/deployment-zones/default/enforcement-points/nsxt-ep", "path": "/infra/deployment-zones/default/enforcement-points/nsxt-ep", "parent_path": "/infra/deployment-zones/default", "relative_path": "nsxt-ep", "connection_info": { "resource_type": "NSXTConnectionInfo", "enforcement_point_address": "10.192.201.163", "transport_zone_ids": [ "992759f9-434a-45ea-9347-2ff45fba1f31" ], "edge_cluster_ids": [ "ad79b022-69bd-4bd9-969a-273627690bd9" ], "thumbprint": "f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" }, "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a new Enforcement Point under infra (Deprecated)

If the passed Enforcement Point does not already exist, create a new Enforcement Point.
If it already exists, patch it.
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/deployment-zones/{deployment-zone-id}/enforcement-points/{enforcementpoint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

EnforcementPoint+

EnforcementPoint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
auto_enforce	Auto Enforce Flag Auto enforce flag suggests whether the policy objects shall be automatically enforced on this enforcement point or not. When this flag is set to true, all policy objects will be automatically enforced on this enforcement point. If this flag is set to false, user shall rely on the usual means of realization, i.e., deployment maps.	boolean	Default: "True"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildClusterControlPlane ChildHostTransportNode ChildHostTransportNodeCollection ChildPolicyEdgeCluster ChildPolicyEdgeHighAvailabilityProfile ChildPolicyEdgeTransportNode ChildPolicyFailureDomain ChildPolicyTransportZone ChildSubCluster
connection_info	Enforcement Point Connection Info Connection Info of the Enforcement Point.	EnforcementPointConnectionInfo (Abstract type: pass one of the following concrete types) AviConnectionInfo CvxConnectionInfo NSXTConnectionInfo NSXVConnectionInfo	Required
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EnforcementPoint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Enforcement point Version Version of the Enforcement point.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/deployment-zones/default/enforcement-points/nsxt-ep { "connection_info": { "enforcement_point_address":"10.192.201.163", "resource_type":"NSXTConnectionInfo", "username":"admin", "password":"Admin!23Admin", "thumbprint":"f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4", "transport_zone_ids": [ "992759f9-434a-45ea-9347-2ff45fba1f31" ], "edge_cluster_ids": [ "ad79b022-69bd-4bd9-969a-273627690bd9" ] } } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read an Enforcement Point (Deprecated)

Read an Enforcement Point.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/deployment-zones/{deployment-zone-id}/enforcement-points/{enforcementpoint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/deployment-zones/default/enforcement-points/nsxt-ep Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

EnforcementPoint+

EnforcementPoint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
auto_enforce	Auto Enforce Flag Auto enforce flag suggests whether the policy objects shall be automatically enforced on this enforcement point or not. When this flag is set to true, all policy objects will be automatically enforced on this enforcement point. If this flag is set to false, user shall rely on the usual means of realization, i.e., deployment maps.	boolean	Default: "True"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildClusterControlPlane ChildHostTransportNode ChildHostTransportNodeCollection ChildPolicyEdgeCluster ChildPolicyEdgeHighAvailabilityProfile ChildPolicyEdgeTransportNode ChildPolicyFailureDomain ChildPolicyTransportZone ChildSubCluster
connection_info	Enforcement Point Connection Info Connection Info of the Enforcement Point.	EnforcementPointConnectionInfo (Abstract type: pass one of the following concrete types) AviConnectionInfo CvxConnectionInfo NSXTConnectionInfo NSXVConnectionInfo	Required
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EnforcementPoint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Enforcement point Version Version of the Enforcement point.	string	Readonly

Example Response: { "resource_type": "EnforcementPoint", "id": "nsxt-ep", "display_name": "/infra/deployment-zones/default/enforcement-points/nsxt-ep", "path": "/infra/deployment-zones/default/enforcement-points/nsxt-ep", "parent_path": "/infra/deployment-zones/default", "relative_path": "nsxt-ep", "connection_info": { "resource_type": "NSXTConnectionInfo", "enforcement_point_address": "10.192.201.163", "transport_zone_ids": [ "992759f9-434a-45ea-9347-2ff45fba1f31" ], "edge_cluster_ids": [ "ad79b022-69bd-4bd9-969a-273627690bd9" ], "thumbprint": "f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" }, "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete EnforcementPoint (Deprecated)

Delete EnforcementPoint.
Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/deployment-zones/{deployment-zone-id}/enforcement-points/{enforcementpoint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/deployment-zones/default/enforcement-points/nsxt-ep Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List enforcementpoints under Site

Paginated list of all enforcementpoints under Site.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points

/policy/api/v1/global-infra/sites/{site-id}/enforcement-points

Request Headers:

n/a

Query Parameters:

EnforcementPointListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

EnforcementPointListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type": "EnforcementPoint", "id": "nsxt-ep", "display_name": "/infra/sites/default/enforcement-points/nsxt-ep", "path": "/infra/sites/default/enforcement-points/nsxt-ep", "parent_path": "/infra/sites/default", "relative_path": "nsxt-ep", "connection_info": { "resource_type": "NSXTConnectionInfo", "enforcement_point_address": "10.192.201.163", "thumbprint": "f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" }, "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } ] } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Full sync EnforcementPoint from Site

Full sync EnforcementPoint from Site Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcement-point-id}?action=full-sync

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/external-ep?action=full-sync Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create/update a new Enforcement Point under Site

If the passed Enforcement Point does not already exist, create a new Enforcement Point.
If it already exists, replace it.
Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

EnforcementPoint+

EnforcementPoint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
auto_enforce	Auto Enforce Flag Auto enforce flag suggests whether the policy objects shall be automatically enforced on this enforcement point or not. When this flag is set to true, all policy objects will be automatically enforced on this enforcement point. If this flag is set to false, user shall rely on the usual means of realization, i.e., deployment maps.	boolean	Default: "True"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildClusterControlPlane ChildHostTransportNode ChildHostTransportNodeCollection ChildPolicyEdgeCluster ChildPolicyEdgeHighAvailabilityProfile ChildPolicyEdgeTransportNode ChildPolicyFailureDomain ChildPolicyTransportZone ChildSubCluster
connection_info	Enforcement Point Connection Info Connection Info of the Enforcement Point.	EnforcementPointConnectionInfo (Abstract type: pass one of the following concrete types) AviConnectionInfo CvxConnectionInfo NSXTConnectionInfo NSXVConnectionInfo	Required
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EnforcementPoint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Enforcement point Version Version of the Enforcement point.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/nsxt-ep { "connection_info": { "enforcement_point_address":"10.192.201.163", "resource_type":"NSXTConnectionInfo", "username":"admin", "password":"Admin!23Admin", "thumbprint":"f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" }, "_revision" : 0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

EnforcementPoint+

EnforcementPoint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
auto_enforce	Auto Enforce Flag Auto enforce flag suggests whether the policy objects shall be automatically enforced on this enforcement point or not. When this flag is set to true, all policy objects will be automatically enforced on this enforcement point. If this flag is set to false, user shall rely on the usual means of realization, i.e., deployment maps.	boolean	Default: "True"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildClusterControlPlane ChildHostTransportNode ChildHostTransportNodeCollection ChildPolicyEdgeCluster ChildPolicyEdgeHighAvailabilityProfile ChildPolicyEdgeTransportNode ChildPolicyFailureDomain ChildPolicyTransportZone ChildSubCluster
connection_info	Enforcement Point Connection Info Connection Info of the Enforcement Point.	EnforcementPointConnectionInfo (Abstract type: pass one of the following concrete types) AviConnectionInfo CvxConnectionInfo NSXTConnectionInfo NSXVConnectionInfo	Required
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EnforcementPoint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Enforcement point Version Version of the Enforcement point.	string	Readonly

Example Response: { "resource_type": "EnforcementPoint", "id": "nsxt-ep", "display_name": "/infra/sites/default/enforcement-points/nsxt-ep", "path": "/infra/sites/default/enforcement-points/nsxt-ep", "parent_path": "/infra/sites/default", "relative_path": "nsxt-ep", "connection_info": { "resource_type": "NSXTConnectionInfo", "enforcement_point_address": "10.192.201.163", "thumbprint": "f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" }, "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262573524, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a new Enforcement Point under Site

If the passed Enforcement Point does not already exist, create a new Enforcement Point.
If it already exists, patch it.
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

EnforcementPoint+

EnforcementPoint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
auto_enforce	Auto Enforce Flag Auto enforce flag suggests whether the policy objects shall be automatically enforced on this enforcement point or not. When this flag is set to true, all policy objects will be automatically enforced on this enforcement point. If this flag is set to false, user shall rely on the usual means of realization, i.e., deployment maps.	boolean	Default: "True"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildClusterControlPlane ChildHostTransportNode ChildHostTransportNodeCollection ChildPolicyEdgeCluster ChildPolicyEdgeHighAvailabilityProfile ChildPolicyEdgeTransportNode ChildPolicyFailureDomain ChildPolicyTransportZone ChildSubCluster
connection_info	Enforcement Point Connection Info Connection Info of the Enforcement Point.	EnforcementPointConnectionInfo (Abstract type: pass one of the following concrete types) AviConnectionInfo CvxConnectionInfo NSXTConnectionInfo NSXVConnectionInfo	Required
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EnforcementPoint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Enforcement point Version Version of the Enforcement point.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/nsxt-ep { "connection_info": { "enforcement_point_address":"10.192.201.163", "resource_type":"NSXTConnectionInfo", "username":"admin", "password":"Admin!23Admin", "thumbprint":"f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" } } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read an Enforcement Point under Infra/Site

Read an Enforcement Point under Infra/Site
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}

/policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/nsxt-ep Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

EnforcementPoint+

EnforcementPoint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
auto_enforce	Auto Enforce Flag Auto enforce flag suggests whether the policy objects shall be automatically enforced on this enforcement point or not. When this flag is set to true, all policy objects will be automatically enforced on this enforcement point. If this flag is set to false, user shall rely on the usual means of realization, i.e., deployment maps.	boolean	Default: "True"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildClusterControlPlane ChildHostTransportNode ChildHostTransportNodeCollection ChildPolicyEdgeCluster ChildPolicyEdgeHighAvailabilityProfile ChildPolicyEdgeTransportNode ChildPolicyFailureDomain ChildPolicyTransportZone ChildSubCluster
connection_info	Enforcement Point Connection Info Connection Info of the Enforcement Point.	EnforcementPointConnectionInfo (Abstract type: pass one of the following concrete types) AviConnectionInfo CvxConnectionInfo NSXTConnectionInfo NSXVConnectionInfo	Required
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EnforcementPoint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Enforcement point Version Version of the Enforcement point.	string	Readonly

Example Response: { "resource_type": "EnforcementPoint", "id": "nsxt-ep", "display_name": "/infra/sites/default/enforcement-points/nsxt-ep", "path": "/infra/sites/default/enforcement-points/nsxt-ep", "parent_path": "/infra/sites/default", "relative_path": "nsxt-ep", "connection_info": { "resource_type": "NSXTConnectionInfo", "enforcement_point_address": "10.192.201.163", "thumbprint": "f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" }, "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete EnforcementPoint from Site

Delete EnforcementPoint from Site Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/nsxt-ep Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List Edge Clusters under an Enforcement Point

Paginated list of all Edge Clusters under an Enforcement Point
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters

/policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters

Request Headers:

n/a

Query Parameters:

PolicyEdgeClusterListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/nsxt-ep/edge-clusters Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeClusterListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type": "PolicyEdgeCluster", "id": "ec", "display_name": "/infra/sites/default/enforcement-points/nsxt-ep/edge-clusters/ec", "path": "/infra/sites/default/enforcement-points/nsxt-ep/edge-clusters/ec", "parent_path": "/infra/sites/default/enforcement-points/nsxt-ep", "relative_path": "ec", "policy_edge_nodes": [ { "id": "my-policy-edge-node-id", "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-policy-edge-tn-id", "member_index": 0 }, { "id": "my-policy-edge-node-id-1", "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-policy-edge-tn-id-1", "member_index": 1 } ] "nsx_id": "8ce97b79-e2da-4d73-bc3b-4723ccab0600", "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: policy_ep_edge Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read an Edge Cluster under an Enforcement Point

Read an Edge Cluster under an Enforcement Point
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}

/policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/nsxt-ep/edge-clusters/ec Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeCluster+

PolicyEdgeCluster (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
allocation_rules	Allocation rules for auto placement Set of allocation rules to auto-allocate nodes for Tier0/Tier1 Gateways, and DHCP on edge cluster members.	array of AllocationRule
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildPolicyEdgeNode
deployment_type	Edge cluster deployment type This field is a readonly field which shows the deployment_type of members. It returns UNKNOWN if there are no members, and returns VIRTUAL_MACHINE\| PHYSICAL_MACHINE if all edge members are VIRTUAL_MACHINE\|PHYSICAL_MACHINE.	EdgeDeploymentType	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
edge_cluster_profile	Path of edge cluster high availability profile. This field is optional and if not provided, default profile path will be considered.	string
id	Unique identifier of this resource	string	Sortable
inter_site_forwarding_enabled	Inter site forwarding is enabled if true Flag indicates that edge cluster has inter-site forwarding enabled and remote tunnel points is configured for all the members. This is required to deploy stretch gateways.	boolean	Readonly
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
member_node_type	Node type of the cluster members This field contains the info of type of transport nodes. Edge cluster is homogenous collection of transport nodes. Hence all transport nodes of the cluster must be of same type.	EdgeClusterNodeType	Readonly
nsx_id	Edge Cluster UUID on NSX-T Enforcement Point This field is deprecated.Refer policy edge cluster unique_id to get the policy edge cluster uuid.	string	Deprecated Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
password_managed_by_vcf	VCF managed password flag Setting to true enables VCF password management for all edge nodes in the cluster.	boolean	Default: "False"
path	Absolute path of this object Absolute path of this object	string	Readonly
policy_edge_nodes	Policy Edge Cluster Member This field contains the list of edge cluster members. Using this field, multiple members can be add and remove.	array of PolicyEdgeClusterMember
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeCluster	string
rtep_ips	Remote tunnel endpoint IP addresses. This field is deprecated, Refer the /infra/sites//enforcement-points//edge-transport-nodes//state API for rtep ips.	array of IPAddress	Deprecated Readonly
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "PolicyEdgeCluster", "id": "ec", "display_name": "/infra/sites/default/enforcement-points/nsxt-ep/edge-clusters/ec", "path": "/infra/sites/default/enforcement-points/nsxt-ep/edge-clusters/ec", "parent_path": "/infra/sites/default/enforcement-points/nsxt-ep", "policy_edge_nodes": [ { "id": "my-policy-edge-node-id", "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-policy-edge-tn-id", "member_index": 0 }, { "id": "my-policy-edge-node-id-1", "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-policy-edge-tn-id-1", "member_index": 1 } ] "relative_path": "ec", "nsx_id": "8ce97b79-e2da-4d73-bc3b-4723ccab0600", "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: read Feature: policy_ep_edge Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Reload an Enforcement Point under Site

Reload an Enforcement Point under Site. This will read and update
fabric configs from enforcement point.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}?action=reload

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/nsxt-ep?action=reload Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

EnforcementPoint+

EnforcementPoint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
auto_enforce	Auto Enforce Flag Auto enforce flag suggests whether the policy objects shall be automatically enforced on this enforcement point or not. When this flag is set to true, all policy objects will be automatically enforced on this enforcement point. If this flag is set to false, user shall rely on the usual means of realization, i.e., deployment maps.	boolean	Default: "True"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildClusterControlPlane ChildHostTransportNode ChildHostTransportNodeCollection ChildPolicyEdgeCluster ChildPolicyEdgeHighAvailabilityProfile ChildPolicyEdgeTransportNode ChildPolicyFailureDomain ChildPolicyTransportZone ChildSubCluster
connection_info	Enforcement Point Connection Info Connection Info of the Enforcement Point.	EnforcementPointConnectionInfo (Abstract type: pass one of the following concrete types) AviConnectionInfo CvxConnectionInfo NSXTConnectionInfo NSXVConnectionInfo	Required
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EnforcementPoint	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
version	Enforcement point Version Version of the Enforcement point.	string	Readonly

Example Response: { "resource_type": "EnforcementPoint", "id": "nsxt-ep", "display_name": "/infra/sites/default/enforcement-points/nsxt-ep", "path": "/infra/sites/default/enforcement-points/nsxt-ep", "parent_path": "/infra/sites/default", "relative_path": "nsxt-ep", "connection_info": { "resource_type": "NSXTConnectionInfo", "enforcement_point_address": "10.192.201.163", "thumbprint": "f53d7052535613b3032a41d555631228cb4d0d8b584a8225b94fbf0ba83eb9a4" }, "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Clusters

Associated URIs:

DELETE /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}
PATCH /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}
PUT /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}
POST /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/action/relocate-and-remove-edge-transport-node
POST /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/action/replace-edge-transport-node
GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/edge-nodes
GET /policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/edge-nodes

Patch a Policy Edge Cluster

Patch a policy edge cluster.
It only supports homogeneous members.
The Edge Transport Nodes are only allowed in cluster members.
DeploymentType (VIRTUAL_MACHINE|PHYSICAL_MACHINE) of these Edge Nodes is
recommended to be the same.
Any update operation on members of edge cluster is not permitted,
To replace the edge transport node for an existing member, refer
/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/
/action/replace-policy-edge-node api.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyEdgeCluster+

PolicyEdgeCluster (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
allocation_rules	Allocation rules for auto placement Set of allocation rules to auto-allocate nodes for Tier0/Tier1 Gateways, and DHCP on edge cluster members.	array of AllocationRule
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildPolicyEdgeNode
deployment_type	Edge cluster deployment type This field is a readonly field which shows the deployment_type of members. It returns UNKNOWN if there are no members, and returns VIRTUAL_MACHINE\| PHYSICAL_MACHINE if all edge members are VIRTUAL_MACHINE\|PHYSICAL_MACHINE.	EdgeDeploymentType	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
edge_cluster_profile	Path of edge cluster high availability profile. This field is optional and if not provided, default profile path will be considered.	string
id	Unique identifier of this resource	string	Sortable
inter_site_forwarding_enabled	Inter site forwarding is enabled if true Flag indicates that edge cluster has inter-site forwarding enabled and remote tunnel points is configured for all the members. This is required to deploy stretch gateways.	boolean	Readonly
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
member_node_type	Node type of the cluster members This field contains the info of type of transport nodes. Edge cluster is homogenous collection of transport nodes. Hence all transport nodes of the cluster must be of same type.	EdgeClusterNodeType	Readonly
nsx_id	Edge Cluster UUID on NSX-T Enforcement Point This field is deprecated.Refer policy edge cluster unique_id to get the policy edge cluster uuid.	string	Deprecated Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
password_managed_by_vcf	VCF managed password flag Setting to true enables VCF password management for all edge nodes in the cluster.	boolean	Default: "False"
path	Absolute path of this object Absolute path of this object	string	Readonly
policy_edge_nodes	Policy Edge Cluster Member This field contains the list of edge cluster members. Using this field, multiple members can be add and remove.	array of PolicyEdgeClusterMember
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeCluster	string
rtep_ips	Remote tunnel endpoint IP addresses. This field is deprecated, Refer the /infra/sites//enforcement-points//edge-transport-nodes//state API for rtep ips.	array of IPAddress	Deprecated Readonly
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<nsx-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id { "edge_cluster_profile": "/infra/sites/default/enforcement-points/default/edge-cluster-high-availability-profiles/91bcaa06-47a1-11e4-8316-17ffc770799b", "member_node_type": "UNKNOWN", "policy_edge_nodes": [ { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id" } ] } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

n/a

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create Or Update a Policy Edge Cluster

Edge Cluster only supports homogeneous members. The Edge Transport Nodes are
only allowed in cluster members. DeploymentType of these edge nodes can be VIRTUAL_MACHINE or PHYSICAL_MACHINE.
Any update operation on members of edge cluster is not permitted,
To replace the edge transport node for an existing member, refer
/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/
/action/replace-policy-edge-node API.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyEdgeCluster+

PolicyEdgeCluster (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
allocation_rules	Allocation rules for auto placement Set of allocation rules to auto-allocate nodes for Tier0/Tier1 Gateways, and DHCP on edge cluster members.	array of AllocationRule
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildPolicyEdgeNode
deployment_type	Edge cluster deployment type This field is a readonly field which shows the deployment_type of members. It returns UNKNOWN if there are no members, and returns VIRTUAL_MACHINE\| PHYSICAL_MACHINE if all edge members are VIRTUAL_MACHINE\|PHYSICAL_MACHINE.	EdgeDeploymentType	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
edge_cluster_profile	Path of edge cluster high availability profile. This field is optional and if not provided, default profile path will be considered.	string
id	Unique identifier of this resource	string	Sortable
inter_site_forwarding_enabled	Inter site forwarding is enabled if true Flag indicates that edge cluster has inter-site forwarding enabled and remote tunnel points is configured for all the members. This is required to deploy stretch gateways.	boolean	Readonly
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
member_node_type	Node type of the cluster members This field contains the info of type of transport nodes. Edge cluster is homogenous collection of transport nodes. Hence all transport nodes of the cluster must be of same type.	EdgeClusterNodeType	Readonly
nsx_id	Edge Cluster UUID on NSX-T Enforcement Point This field is deprecated.Refer policy edge cluster unique_id to get the policy edge cluster uuid.	string	Deprecated Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
password_managed_by_vcf	VCF managed password flag Setting to true enables VCF password management for all edge nodes in the cluster.	boolean	Default: "False"
path	Absolute path of this object Absolute path of this object	string	Readonly
policy_edge_nodes	Policy Edge Cluster Member This field contains the list of edge cluster members. Using this field, multiple members can be add and remove.	array of PolicyEdgeClusterMember
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeCluster	string
rtep_ips	Remote tunnel endpoint IP addresses. This field is deprecated, Refer the /infra/sites//enforcement-points//edge-transport-nodes//state API for rtep ips.	array of IPAddress	Deprecated Readonly
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<nsx-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id { "nsx_id": "78b5b323-76ec-4596-91e5-0054026c7eb0", "inter_site_forwarding_enabled": false, "deployment_type": "VIRTUAL_MACHINE", "edge_cluster_profile": "/infra/sites/default/enforcement-points/default/edge-cluster-high-availability-profiles/91bcaa06-47a1-11e4-8316-17ffc770799b", "member_node_type": "EDGE_NODE", "policy_edge_nodes": [ { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id", "member_index": 0, "id": "0", "policy_edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/edge-nodes/0" } ], "resource_type": "PolicyEdgeCluster", "id": "my-edge-cluster-id", "display_name": "my-edge-cluster-id", "path": "/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id", "relative_path": "my-edge-cluster-id", "parent_path": "/infra/sites/default/enforcement-points/default", "remote_path": "", "unique_id": "78b5b323-76ec-4596-91e5-0054026c7eb0", "realization_id": "78b5b323-76ec-4596-91e5-0054026c7eb0", "owner_id": "fb73074c-f134-4fa2-9a8c-98d0fc9484c6", "marked_for_delete": false, "overridden": false, "_create_time": 1724411408458, "_system_owned": false, "_create_user": "admin", "_last_modified_time": 1724411521423, "_last_modified_user": "admin", "_protection": "NOT_PROTECTED", "_revision": 1 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeCluster+

PolicyEdgeCluster (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
allocation_rules	Allocation rules for auto placement Set of allocation rules to auto-allocate nodes for Tier0/Tier1 Gateways, and DHCP on edge cluster members.	array of AllocationRule
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildPolicyEdgeNode
deployment_type	Edge cluster deployment type This field is a readonly field which shows the deployment_type of members. It returns UNKNOWN if there are no members, and returns VIRTUAL_MACHINE\| PHYSICAL_MACHINE if all edge members are VIRTUAL_MACHINE\|PHYSICAL_MACHINE.	EdgeDeploymentType	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
edge_cluster_profile	Path of edge cluster high availability profile. This field is optional and if not provided, default profile path will be considered.	string
id	Unique identifier of this resource	string	Sortable
inter_site_forwarding_enabled	Inter site forwarding is enabled if true Flag indicates that edge cluster has inter-site forwarding enabled and remote tunnel points is configured for all the members. This is required to deploy stretch gateways.	boolean	Readonly
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
member_node_type	Node type of the cluster members This field contains the info of type of transport nodes. Edge cluster is homogenous collection of transport nodes. Hence all transport nodes of the cluster must be of same type.	EdgeClusterNodeType	Readonly
nsx_id	Edge Cluster UUID on NSX-T Enforcement Point This field is deprecated.Refer policy edge cluster unique_id to get the policy edge cluster uuid.	string	Deprecated Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
password_managed_by_vcf	VCF managed password flag Setting to true enables VCF password management for all edge nodes in the cluster.	boolean	Default: "False"
path	Absolute path of this object Absolute path of this object	string	Readonly
policy_edge_nodes	Policy Edge Cluster Member This field contains the list of edge cluster members. Using this field, multiple members can be add and remove.	array of PolicyEdgeClusterMember
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeCluster	string
rtep_ips	Remote tunnel endpoint IP addresses. This field is deprecated, Refer the /infra/sites//enforcement-points//edge-transport-nodes//state API for rtep ips.	array of IPAddress	Deprecated Readonly
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete the specified edge cluster.

Delete the specified edge cluster.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}

Request Headers:

n/a

Query Parameters:

PolicyEdgeClusterDeleteRequestParameters+

Request Body:

n/a

Example Request: DELETE https://<nsx-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Relocate service contexts from policy edge node and remove policy edge node from the edge-cluster

Relocate auto allocated service contexts from policy edge node at given id.
For API to perform relocate and remove action the edge node at given id must only have auto allocated service contexts.
If any manually allocated service context is present on the edge cluster member, then the task will not be performed.
Also, it is recommended to move the edge node for which relocate and remove action is being performed into maintenance mode,before executing the API.
If edge is not moved into maintenance mode, then API will move edge node into maintenance
mode before performing the actual relocate and remove task.To maintain high availability, Edge cluster should have at
least two healthy edge nodes for relocation and removal.
Once relocate action is performed successfully, the policy edge node will be removed from the edge cluster.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/action/relocate-and-remove-edge-transport-node

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyEdgeNodeRelocateAndRemoveMember+

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/action/relocate-and-remove-edge-transport-node { "policy_edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/edge-nodes/my-policy-edge-node-id" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Replace the policy edge node at the specified member-index in the edge-cluster

Replace the Policy Edge Node present at the specified member-index in the edge-cluster.
This is a disruptive action. This will move all the Interfaces(uplink and routerLink)
hosted on the old Policy Edge Node to the new Policy Edge Node. The same Policy Edge Node cannot be
present as a member of any edge cluster.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/action/replace-edge-transport-node

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyEdgeNodeReplaceMember+

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/action/replace-edge-transport-node { "policy_edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/edge-nodes/my-policy-edge-node-id", "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-policy-edge-transport-node-id" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

PolicyEdgeCluster+

PolicyEdgeCluster (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
allocation_rules	Allocation rules for auto placement Set of allocation rules to auto-allocate nodes for Tier0/Tier1 Gateways, and DHCP on edge cluster members.	array of AllocationRule
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildPolicyEdgeNode
deployment_type	Edge cluster deployment type This field is a readonly field which shows the deployment_type of members. It returns UNKNOWN if there are no members, and returns VIRTUAL_MACHINE\| PHYSICAL_MACHINE if all edge members are VIRTUAL_MACHINE\|PHYSICAL_MACHINE.	EdgeDeploymentType	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
edge_cluster_profile	Path of edge cluster high availability profile. This field is optional and if not provided, default profile path will be considered.	string
id	Unique identifier of this resource	string	Sortable
inter_site_forwarding_enabled	Inter site forwarding is enabled if true Flag indicates that edge cluster has inter-site forwarding enabled and remote tunnel points is configured for all the members. This is required to deploy stretch gateways.	boolean	Readonly
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
member_node_type	Node type of the cluster members This field contains the info of type of transport nodes. Edge cluster is homogenous collection of transport nodes. Hence all transport nodes of the cluster must be of same type.	EdgeClusterNodeType	Readonly
nsx_id	Edge Cluster UUID on NSX-T Enforcement Point This field is deprecated.Refer policy edge cluster unique_id to get the policy edge cluster uuid.	string	Deprecated Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
password_managed_by_vcf	VCF managed password flag Setting to true enables VCF password management for all edge nodes in the cluster.	boolean	Default: "False"
path	Absolute path of this object Absolute path of this object	string	Readonly
policy_edge_nodes	Policy Edge Cluster Member This field contains the list of edge cluster members. Using this field, multiple members can be add and remove.	array of PolicyEdgeClusterMember
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeCluster	string
rtep_ips	Remote tunnel endpoint IP addresses. This field is deprecated, Refer the /infra/sites//enforcement-points//edge-transport-nodes//state API for rtep ips.	array of IPAddress	Deprecated Readonly
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List Edge Nodes under an Enforcement Point, Edge Cluster

Paginated list of all Edge Nodes under an Enforcement Point, Edge Cluster
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/edge-nodes

/policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/edge-nodes

Request Headers:

n/a

Query Parameters:

PolicyEdgeNodeListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/nsxt-ep/edge-clusters/ec/edge-nodes Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeNodeListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "id": "my-policy-edge-node-id", "relative_path": "my-policy-edge-node-id", "edge_transport_node_uuid": "f535adb4-f326-11ed-a534-02010974ce86", "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-policy-edge-tn-id", "member_index": 0, "resource_type": "PolicyEdgeNode", "display_name": "my-policy-edge-transport-node-display-name", "path": "/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/edge-nodes/my-policy-edge-node-id", "parent_path": "/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id", "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: policy_ep_edge Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Clusters: Policy Edge Node

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/edge-nodes/{edge-node-id}
GET /policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/edge-nodes/{edge-node-id}

Read an Edge Node under an Enforcement Point, Edge Cluster

Read an Edge Node under an Enforcement Point, Edge Cluster
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/edge-nodes/{edge-node-id}

/policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/edge-nodes/{edge-node-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/edge-nodes/my-policy-edge-node-id Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeNode+

PolicyEdgeNode (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
edge_transport_node_path	Edge Transport Node Path Path of edge transport Node.	string
edge_transport_node_uuid	Edge Node UUID UUID of edge transport node.	string	Readonly
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
member_index	Member Index The numerical value of the member index in the edge cluster that this object represents and to which the edge node connects.	integer	Readonly
nsx_id	Edge Node UUID on NSX-T Enforcement Point This field is deprecated.Consuming services can refer edge_transport_node_uuid edge_transport_node_path property to get the unique id/path of the policy edge transport node referred by the policy edge node.	string	Deprecated Readonly
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeNode	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "id": "my-policy-edge-node-id", "relative_path": "my-policy-edge-node-id", "edge_transport_node_uuid": "f535adb4-f326-11ed-a534-02010974ce86", "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-policy-edge-tn-id", "member_index": 0, "resource_type": "PolicyEdgeNode", "display_name": "my-policy-edge-transport-node-display-name", "path": "/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/edge-nodes/my-policy-edge-node-id", "parent_path": "/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id", "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: read Feature: policy_ep_edge Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Clusters: Profiles

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-cluster-high-availability-profiles
DELETE /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-cluster-high-availability-profiles/{edge-cluster-high-availability-profile-id}
GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-cluster-high-availability-profiles/{edge-cluster-high-availability-profile-id}
PATCH /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-cluster-high-availability-profiles/{edge-cluster-high-availability-profile-id}
PUT /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-cluster-high-availability-profiles/{edge-cluster-high-availability-profile-id}

List Policy Edge Cluster High Availability Profiles

List edge cluster high availability profiles.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-cluster-high-availability-profiles

Request Headers:

n/a

Query Parameters:

PolicyEdgeClusterProfileListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-cluster-high-availability-profiles Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

EdgeClusterHighAvailabilityProfileListResult+

Example Response: [ { "resource_type": "EdgeClusterHighAvailabilityProfile", "display_name": "edge-cluster-profile-East", "bfd_probe_interval": 1000, "bfd_declare_dead_multiple": 3, "bfd_allowed_hops": 1, "standby_relocation_config": { "standby_relocation_threshold": 40 } } ] Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a Policy EdgeCluster High Availability Profile

Patch a policy edge cluster high availability profile.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-cluster-high-availability-profiles/{edge-cluster-high-availability-profile-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyEdgeHighAvailabilityProfile+

PolicyEdgeHighAvailabilityProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
bfd_allowed_hops	BFD allowed hops Value of BFD allowed hops	integer	Minimum: 1 Maximum: 255 Default: "255"
bfd_declare_dead_multiple	Bfd declared dead multiple Number of times a packet is missed before BFD declares the neighbor down.	integer	Minimum: 2 Maximum: 16 Default: "3"
bfd_probe_interval	Bfd probe interval The time interval (in millisec) between probe packets for heartbeat purpose	integer	Minimum: 50 Maximum: 60000 Default: "500"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeHighAvailabilityProfile	string
standby_relocation_config	Stand by relocation flag The time interval (in minutes) to wait before starting the standby service context relocation process. In some cases, the standby relocation trigger may take more time than what is set in threshold because of multiple different reasons, as listed below A. Standby relocation process runs as a background task which poll edge clusters at pre-defined interval of 5 minutes, to check for standby relocation. If during one cycle of standby relocation, an edge is found to be down, and the time remaining to threshold expiry in less then 5 minutes (for example 2 minute), than this relocation will be picked up in next cycle of standby relocation after 5 minutes, and not after 2 minutes. B. If edge becomes down at X time, then edge might take few seconds or minutes for all services to completely go down and report that they are down. So actual time when unified appliance knows edge is down may be X + delta. This delta time adds to the actual standby relocation threshold expiry, and once the [standby relocation threshold time + delta time] is complete for an edge node, and the edge is still down, then the standby relocation task will be performed for this edge node in the next cycle, that may be due to run anytime within next 5 minutes.	StandbyRelocationConfig
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-cluster-high-availability-profiles/edge-cluster-high-availability-profile-id { "resource_type": "EdgeClusterHighAvailabilityProfile", "display_name": "edge-cluster-profile-East", "bfd_probe_interval": 1000, "bfd_declare_dead_multiple": 3, "bfd_allowed_hops": 1, "standby_relocation_config": { "standby_relocation_threshold": 40 } } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or Update a Policy Edge Cluster High Availability Profile

Create or Update a policy edge cluster high availability profile.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-cluster-high-availability-profiles/{edge-cluster-high-availability-profile-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyEdgeHighAvailabilityProfile+

PolicyEdgeHighAvailabilityProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
bfd_allowed_hops	BFD allowed hops Value of BFD allowed hops	integer	Minimum: 1 Maximum: 255 Default: "255"
bfd_declare_dead_multiple	Bfd declared dead multiple Number of times a packet is missed before BFD declares the neighbor down.	integer	Minimum: 2 Maximum: 16 Default: "3"
bfd_probe_interval	Bfd probe interval The time interval (in millisec) between probe packets for heartbeat purpose	integer	Minimum: 50 Maximum: 60000 Default: "500"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeHighAvailabilityProfile	string
standby_relocation_config	Stand by relocation flag The time interval (in minutes) to wait before starting the standby service context relocation process. In some cases, the standby relocation trigger may take more time than what is set in threshold because of multiple different reasons, as listed below A. Standby relocation process runs as a background task which poll edge clusters at pre-defined interval of 5 minutes, to check for standby relocation. If during one cycle of standby relocation, an edge is found to be down, and the time remaining to threshold expiry in less then 5 minutes (for example 2 minute), than this relocation will be picked up in next cycle of standby relocation after 5 minutes, and not after 2 minutes. B. If edge becomes down at X time, then edge might take few seconds or minutes for all services to completely go down and report that they are down. So actual time when unified appliance knows edge is down may be X + delta. This delta time adds to the actual standby relocation threshold expiry, and once the [standby relocation threshold time + delta time] is complete for an edge node, and the edge is still down, then the standby relocation task will be performed for this edge node in the next cycle, that may be due to run anytime within next 5 minutes.	StandbyRelocationConfig
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-cluster-high-availability-profiles/edge-cluster-high-availability-profile-id { "resource_type": "EdgeClusterHighAvailabilityProfile", "display_name": "edge-cluster-profile-East", "bfd_probe_interval": 1000, "bfd_declare_dead_multiple": 3, "bfd_allowed_hops": 1, "standby_relocation_config": { "standby_relocation_threshold": 40 } } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeHighAvailabilityProfile+

PolicyEdgeHighAvailabilityProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
bfd_allowed_hops	BFD allowed hops Value of BFD allowed hops	integer	Minimum: 1 Maximum: 255 Default: "255"
bfd_declare_dead_multiple	Bfd declared dead multiple Number of times a packet is missed before BFD declares the neighbor down.	integer	Minimum: 2 Maximum: 16 Default: "3"
bfd_probe_interval	Bfd probe interval The time interval (in millisec) between probe packets for heartbeat purpose	integer	Minimum: 50 Maximum: 60000 Default: "500"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeHighAvailabilityProfile	string
standby_relocation_config	Stand by relocation flag The time interval (in minutes) to wait before starting the standby service context relocation process. In some cases, the standby relocation trigger may take more time than what is set in threshold because of multiple different reasons, as listed below A. Standby relocation process runs as a background task which poll edge clusters at pre-defined interval of 5 minutes, to check for standby relocation. If during one cycle of standby relocation, an edge is found to be down, and the time remaining to threshold expiry in less then 5 minutes (for example 2 minute), than this relocation will be picked up in next cycle of standby relocation after 5 minutes, and not after 2 minutes. B. If edge becomes down at X time, then edge might take few seconds or minutes for all services to completely go down and report that they are down. So actual time when unified appliance knows edge is down may be X + delta. This delta time adds to the actual standby relocation threshold expiry, and once the [standby relocation threshold time + delta time] is complete for an edge node, and the edge is still down, then the standby relocation task will be performed for this edge node in the next cycle, that may be due to run anytime within next 5 minutes.	StandbyRelocationConfig
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get a Policy Edge Cluster High Availability Profile

Get a policy edge cluster high availability profile.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-cluster-high-availability-profiles/{edge-cluster-high-availability-profile-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-cluster-high-availability-profiles/edge-cluster-high-availability-profile-id Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeHighAvailabilityProfile+

PolicyEdgeHighAvailabilityProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
bfd_allowed_hops	BFD allowed hops Value of BFD allowed hops	integer	Minimum: 1 Maximum: 255 Default: "255"
bfd_declare_dead_multiple	Bfd declared dead multiple Number of times a packet is missed before BFD declares the neighbor down.	integer	Minimum: 2 Maximum: 16 Default: "3"
bfd_probe_interval	Bfd probe interval The time interval (in millisec) between probe packets for heartbeat purpose	integer	Minimum: 50 Maximum: 60000 Default: "500"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeHighAvailabilityProfile	string
standby_relocation_config	Stand by relocation flag The time interval (in minutes) to wait before starting the standby service context relocation process. In some cases, the standby relocation trigger may take more time than what is set in threshold because of multiple different reasons, as listed below A. Standby relocation process runs as a background task which poll edge clusters at pre-defined interval of 5 minutes, to check for standby relocation. If during one cycle of standby relocation, an edge is found to be down, and the time remaining to threshold expiry in less then 5 minutes (for example 2 minute), than this relocation will be picked up in next cycle of standby relocation after 5 minutes, and not after 2 minutes. B. If edge becomes down at X time, then edge might take few seconds or minutes for all services to completely go down and report that they are down. So actual time when unified appliance knows edge is down may be X + delta. This delta time adds to the actual standby relocation threshold expiry, and once the [standby relocation threshold time + delta time] is complete for an edge node, and the edge is still down, then the standby relocation task will be performed for this edge node in the next cycle, that may be due to run anytime within next 5 minutes.	StandbyRelocationConfig
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "EdgeClusterHighAvailabilityProfile", "display_name": "edge-cluster-profile-East", "bfd_probe_interval": 1000, "bfd_declare_dead_multiple": 3, "bfd_allowed_hops": 1, "standby_relocation_config": { "standby_relocation_threshold": 40 } } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete a Policy Edge Cluster High Availability Profile

Delete a policy edge cluster high availability profile.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-cluster-high-availability-profiles/{edge-cluster-high-availability-profile-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-cluster-high-availability-profiles/edge-cluster-high-availability-profile-id Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Clusters: State

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/state

Get a Policy Edge Cluster State info under an Enforcement Point

Returns information about the current state of the edge cluster.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/state

Request Headers:

n/a

Query Parameters:

RealizationStateQueryParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/state Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeClusterState+

PolicyEdgeClusterState (schema)

Name	Description	Type	Notes
details	Array of configuration state of various sub systems	array of PolicyEdgeClusterMemberState	Readonly
edge_cluster_name	Display name of the edge cluster Display name of the edge cluster whose status is being reported.	string	Readonly
failure_code	Error code	integer	Readonly
failure_message	Error message in case of failure	string	Readonly
pending_change_list	List of pending changes Request identifier of the API which modified the entity.	array of string	Readonly
state	Overall state of desired configuration Gives details of state of desired configuration. Additional enums with more details on progress/success/error states are sent for edge node. The success states are NODE_READY and TRANSPORT_NODE_READY, pending states are {VM_DEPLOYMENT_QUEUED, VM_DEPLOYMENT_IN_PROGRESS, REGISTRATION_PENDING} and other values indicate failures. "in_sync" state indicates that the desired configuration has been received by the host to which it applies, but is not yet in effect. When the configuration is actually in effect, the state will change to "success". Please note, failed state is deprecated.	string	Required Readonly Enum: pending, in_progress, success, failed, partial_success, orphaned, unknown, error, in_sync, NOT_AVAILABLE, VM_DEPLOYMENT_QUEUED, VM_DEPLOYMENT_IN_PROGRESS, VM_DEPLOYMENT_FAILED, VM_POWER_ON_IN_PROGRESS, VM_POWER_ON_FAILED, REGISTRATION_PENDING, NODE_NOT_READY, NODE_READY, VM_POWER_OFF_IN_PROGRESS, VM_POWER_OFF_FAILED, VM_UNDEPLOY_IN_PROGRESS, VM_UNDEPLOY_FAILED, VM_UNDEPLOY_SUCCESSFUL, EDGE_CONFIG_ERROR, VM_DEPLOYMENT_RESTARTED, REGISTRATION_FAILED, TRANSPORT_NODE_SYNC_PENDING, TRANSPORT_NODE_CONFIGURATION_MISSING, EDGE_HARDWARE_NOT_SUPPORTED, MULTIPLE_OVERLAY_TZS_NOT_SUPPORTED, TN_OVERLAY_TZ_IN_USE_BY_EDGE_CLUSTER, VC_VCP_ACTION_PENDING, VC_VCP_ACTION_FAILED, TZ_ENDPOINTS_NOT_SPECIFIED, NO_PNIC_PREPARED_IN_EDGE, APPLIANCE_INTERNAL_ERROR, VTEP_DHCP_NOT_SUPPORTED, UNSUPPORTED_HOST_SWITCH_PROFILE, UPLINK_HOST_SWITCH_PROFILE_NOT_SPECIFIED, HOSTSWITCH_PROFILE_NOT_FOUND, LLDP_SEND_ENABLED_NOT_SUPPORTED, UNSUPPORTED_NAMED_TEAMING_POLICY, LBSRCID_NOT_SUPPORTED_FOR_EDGE_VM, LACP_NOT_SUPPORTED_FOR_EDGE_VM, STANDBY_UPLINKS_NOT_SUPPORTED_FOR_EDGE_VM, MULTIPLE_ACTIVE_UPLINKS_NOT_SUPPORTED_FOR_EDGE, UNSUPPORTED_LACP_LB_ALGO_FOR_NODE, EDGE_NODE_VERSION_NOT_SUPPORTED, NO_PNIC_SPECIFIED_IN_TN, INVALID_PNIC_DEVICE_NAME, TRANSPORT_NODE_READY, VM_NETWORK_EDIT_PENDING, UNSUPPORTED_DEFAULT_TEAMING_POLICY, MPA_DISCONNECTED, VM_RENAME_PENDING, VM_CONFIG_EDIT_PENDING, VM_NETWORK_EDIT_FAILED, VM_RENAME_FAILED, VM_CONFIG_EDIT_FAILED, VM_CONFIG_DISCREPANCY, VM_NODE_REFRESH_FAILED, VM_PLACEMENT_REFRESH_FAILED, REGISTRATION_TIMEDOUT, REPLACE_FAILED, UPLINK_FROM_TEAMING_POLICY_NOT_MAPPED, LOGICAL_SWITCH_NAMED_TEAMING_HAS_NO_PNIC_BACKING, DELETE_VM_IN_REDEPLOY_FAILED, DEPLOY_VM_IN_REDEPLOY_FAILED, INSUFFICIENT_RESOURCES_IN_EDGE_NODE_FOR_SERVICE, VM_RESOURCE_RESERVATION_FAILED, DUPLICATE_PNICS_IN_TEAMINGS_WITH_MULTIPLE_UPLINKS_AND_FAILOVER_ORDER, DUPLICATE_VLANS_SHARING_SAME_PNICMULTIPLE_UPLINKS_IN_NAMED_TEAMING_NOT_SUPPORTED_IF_UPLINK_IN_DEFAULT_TEAMING, EDGE_NODE_SETTINGS_MISMATCH_RESOLVE, EDGE_VM_VSPHERE_SETTINGS_MISMATCH_RESOLVE, EDGE_NODE_SETTINGS_AND_VSPHERE_SETTINGS_ARE_CHANGED_RESOLVE, EDGE_VSPHERE_LOCATION_MISMATCH_RESOLVE, COMPUTE_MANAGER_NOT_FOUND, DELETE_IN_PROGRESS, ADVANCED_CONFIG_EDIT_FAILED, UPT_MODE_REALIZATION_POLL_TIMED_OUT, DATAPATH_CONFIGURATION_EDIT_FAILED, MAINTENANCE_MODE_ENABLED, ERROR_IN_ENABLE_MAINTENANCE_MODE, ERROR_IN_DISABLE_MAINTENANCE_MODE, CONFIGURE_UPT_ON_VM_FAILED, VM_VERSION_IS_UPT_INCOMPATIBLE, DELETE_FAILED_FOR_DIFFERENT_MOREF_ID, DELETE_FAILED_ON_VM_NOT_FOUND, DELETE_FAILED_FOR_NON_LCM_EDGE, ADVANCED_CONFIG_EDIT_PENDING, DUPLICATE_VLANS_SHARING_SAME_PNIC, MULTIPLE_UPLINKS_IN_NAMED_TEAMING_NOT_SUPPORTED_IF_UPLINK_IN_DEFAULT_TEAMING, REDEPLOY_ACTIVITY_FAILED, REDEPLOY_ACTIVITY_IN_PROGRESS, REDEPLOY_ACTIVITY_SCHEDULED, REDEPLOY_ACTIVITY_SUCCESSFUL, REPLACE_ACTIVITY_FAILED, REPLACE_ACTIVITY_IN_PROGRESS, REPLACE_ACTIVITY_SCHEDULED, REPLACE_ACTIVITY_SUCCESSFUL, REPLACED_RPC_CLIENT_OF_TN, RETRYING_REPLACE, UNABLE_TO_DELETE_EDGE_NODE_VM_INTERNAL_ERROR, VM_REDEPLOY_FAILED, VM_RESOURCE_RESERVATION_EDIT_PENDING, REDEPLOYED_VM_REGISTRATION_PENDING

Example Response: Example 1: ---------- # Below Example for policy api created edge cluster GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/state { "edge_cluster_name": "my-edge-cluster-id", "state": "unknown", "details": [ { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id", "policy_edge_node_path": "/infra/sites/default/enforcement-points/nsxt-ep/edge-clusters/ec/edge-nodes/en-1", "state": "in_sync" }, { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/7c0733a6-8e40-4c22-9199-dda7f4813ae1", "policy_edge_node_path": "/infra/sites/default/enforcement-points/nsxt-ep/edge-clusters/ec/edge-nodes/en", "state": "unknown" } ], "failure_message": "Unable to collect status for '2' transport nodes." } Example 2: ---------- # Below Example for mp api created edge cluster GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/8511f1ff-240c-4ca6-b070-e18ef8e69653/state { "edge_cluster_name": "EDGECLUSTER1", "details": [ { "policy_edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/8511f1ff-240c-4ca6-b070-e18ef8e69653/edge-nodes/0", "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/17365d30-0782-11ef-b9db-020017197055", "state": "in_sync" }, { "policy_edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/8511f1ff-240c-4ca6-b070-e18ef8e69653/edge-nodes/1", "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/1a1a61cc-0782-11ef-a114-020017606fb0", "state": "in_sync" } ], "state": "in_sync" } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Clusters: Status

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/allocation/status
GET /policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/allocation/status
GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/status
GET /policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/status

Get a Policy Edge Cluster allocation status under an Enforcement Point

Returns the allocation details of cluster and its members. Lists the edge
node members, active and standby services of each node, utilization details
of configured sub-pools. These allocation details can be monitored by
customers to trigger migration of certain service contexts to different
edge nodes, to balance the utilization of edge node resources.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/allocation/status

/policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/allocation/status

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/allocation/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeClusterAllocationStatus+

Example Response: Example 1: ---------- # Below Example for policy api created edge cluster { "edge_cluster_name": "my-edge-cluster-id", "member_count": 3, "members": [ { "member_index": 0, "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id", "display_name": "my-edge-tn-id", "allocation_pools": [ { "active_service_count": 0, "standby_service_count": 0 } ], "allocated_services": [ { "service_reference": { "path": "fb919eee-8b9f-4847-a051-9fef236b8bb3", "target_display_name": "dhcp-server-my-T1-my-t1-seg" }, "high_availability_status": "UNKNOWN" } ] }, { "member_index": 1, "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/1aa23bf4-63d6-46c4-9f70-f7c68c5a33c4", "display_name": "DHCPV4", "allocation_pools": [ { "active_service_count": 1, "standby_service_count": 1 } ], "allocated_services": [ { "service_reference": { "path": "/infra/tier-1s/my-T1", "target_display_name": "my-T1" }, "high_availability_status": "STANDBY" }, { "service_reference": { "path": "fb919eee-8b9f-4847-a051-9fef236b8bb3", "target_display_name": "dhcp-server-my-T1-my-t1-seg" }, "high_availability_status": "ACTIVE" } ] }, { "member_index": 2, "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id-1", "display_name": "my-edge-tn-id-1", "allocation_pools": [ { "active_service_count": 1, "standby_service_count": 0 } ], "allocated_services": [ { "service_reference": { "path": "/infra/tier-1s/my-T1", "target_display_name": "my-T1" }, "high_availability_status": "ACTIVE" } ] } ] } Example 2: ---------- # Below Example for mp api created edge cluster { "edge_cluster_name": "EDGECLUSTER1", "member_count": 2, "members": [ { "member_index": 1, "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/1a1a61cc-0782-11ef-a114-020017606fb0", "display_name": "mashish-svc-nsxedge-ob-23771564-2-magnus173760", "allocation_pools": [ { "active_service_count": 1, "standby_service_count": 1 } ], "allocated_services": [ { "service_reference": { "path": "ec30c6b2-fa9b-4f1e-a4a2-b7eb1b023504", "target_display_name": "it_t1-dhcp-server" }, "high_availability_status": "STANDBY" }, { "service_reference": { "path": "f66e7e7a-4971-4ad3-892d-688105666825", "target_display_name": "production_t1-dhcp-server" }, "high_availability_status": "ACTIVE" } ] }, { "member_index": 0, "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/17365d30-0782-11ef-b9db-020017197055", "display_name": "mashish-svc-nsxedge-ob-23771564-1-magnus173760", "allocation_pools": [ { "active_service_count": 3, "standby_service_count": 1 } ], "allocated_services": [ { "service_reference": { "path": "/infra/tier-1s/production_t1", "target_display_name": "production_t1" }, "high_availability_status": "ACTIVE" }, { "service_reference": { "path": "/infra/tier-1s/it_t1", "target_display_name": "it_t1" }, "high_availability_status": "ACTIVE" }, { "service_reference": { "path": "ec30c6b2-fa9b-4f1e-a4a2-b7eb1b023504", "target_display_name": "it_t1-dhcp-server" }, "high_availability_status": "ACTIVE" }, { "service_reference": { "path": "f66e7e7a-4971-4ad3-892d-688105666825", "target_display_name": "production_t1-dhcp-server" }, "high_availability_status": "STANDBY" } ] } ] } Example 3: ---------- # Below Example for federation edge cluster allocation status api { "edge_cluster_name": "EDGECLUSTER1", "member_count": 2, "members": [ { "member_index": 0, "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/ca5a1c20-0ddc-11ef-85e0-0201045807da", "display_name": "TN-200", "allocation_pools": [ { "active_service_count": 2, "standby_service_count": 1 } ], "allocated_services": [ { "service_reference": { "path": "/global-infra/segments/LS-104", "target_display_name": "LS-104" }, "high_availability_status": "ACTIVE", "allocation_details": [ { "key": "l2_forwarder_port", "value": "912507b0-a38a-4a32-8a49-da7005a4f069" } ] }, { "service_reference": { "path": "0108dee9-6b3c-42b3-a94f-67a65287d112", "target_display_name": "inter-site-bp-f2acad28-fa1a-4a10-b703-a5db5a80f14c" }, "high_availability_status": "ACTIVE", "allocation_details": [ { "key": "l2_forwarder_port", "value": "458795aa-ac29-4017-a31d-e3ccab0e82c9" } ] }, { "service_reference": { "path": "/global-infra/segments/LS-103", "target_display_name": "LS-103" }, "high_availability_status": "STANDBY", "allocation_details": [ { "key": "l2_forwarder_port", "value": "725198a5-61f6-43bf-be40-863476187c19" } ] } ] }, { "member_index": 1, "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/fc519104-0ddc-11ef-a758-0201045c2011", "display_name": "TN-201", "allocation_pools": [ { "active_service_count": 2, "standby_service_count": 1 } ], "allocated_services": [ { "service_reference": { "path": "/global-infra/segments/LS-104", "target_display_name": "LS-104" }, "high_availability_status": "STANDBY", "allocation_details": [ { "key": "l2_forwarder_port", "value": "912507b0-a38a-4a32-8a49-da7005a4f069" } ] }, { "service_reference": { "path": "0108dee9-6b3c-42b3-a94f-67a65287d112", "target_display_name": "inter-site-bp-f2acad28-fa1a-4a10-b703-a5db5a80f14c" }, "high_availability_status": "ACTIVE", "allocation_details": [ { "key": "l2_forwarder_port", "value": "458795aa-ac29-4017-a31d-e3ccab0e82c9" } ] }, { "service_reference": { "path": "/global-infra/segments/LS-103", "target_display_name": "LS-103" }, "high_availability_status": "ACTIVE", "allocation_details": [ { "key": "l2_forwarder_port", "value": "725198a5-61f6-43bf-be40-863476187c19" } ] } ] } ] } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get a Policy Edge Cluster real time status under an Enforcement Point

Returns the aggregated status for the Edge cluster along with status of
all edge nodes in the cluster.
Query parameter "source=realtime" is the only supported source.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/status

/policy/api/v1/global-infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-clusters/{edge-cluster-id}/status

Request Headers:

n/a

Query Parameters:

PolicyEdgeClusterStatusRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/status?source=realtime Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeClusterStatus+

Example Response: Example 1: ---------- # Below Example for policy api created edge cluster GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/status?source=realtime { "edge_cluster_name": "my-edge-cluster-id", "member_status": [ { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id", "policy_edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/edge-nodes/0", "status": "DOWN" }, { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/1aa23bf4-63d6-46c4-9f70-f7c68c5a33c4", "policy_edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/edge-nodes/my-policy-edge-node", "status": "UP" }, { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id-1", "policy_edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/my-edge-cluster-id/edge-nodes/2", "status": "UP" } ], "last_update_timestamp": 1715239056405, "edge_cluster_status": "DEGRADED" } Example 2: ---------- # Below Example for mp api created edge cluster GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-clusters/c0e55af1-6ee1-4588-84dc-d8f126bec580?source=realtime { "edge_cluster_name": "EDGECLUSTER2", "member_status": [ { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/179eaf5c-0782-11ef-ad72-020017f1f33d", "policy_edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/c0e55af1-6ee1-4588-84dc-d8f126bec580/edge-nodes/1", "status": "UP" }, { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/027b1f48-0782-11ef-acf3-0200176507c1", "policy_edge_node_path": "/infra/sites/default/enforcement-points/default/edge-clusters/c0e55af1-6ee1-4588-84dc-d8f126bec580/edge-nodes/0", "status": "UP" } ], "last_update_timestamp": 1715239172312, "edge_cluster_status": "UP" } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Transport Nodes

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes
DELETE /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}
GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}
PATCH /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}
PUT /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}
POST /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/action/redeploy

List Edge Transport Node under an Enforcement Point

List Edge Transport Nodes under an Enforcement Point
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes

Request Headers:

n/a

Query Parameters:

PolicyEdgeTransportNodeListRequestParameters+

PolicyEdgeTransportNodeListRequestParameters (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
in_maintenance_mode	Maintenance mode flag If the flag is true then edge transport nodes with maintenance mode 'ENABLED' in desired state will be returned, otherwise edge transport nodes in 'DISABLED' desired state will be returned.	boolean
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
management_ip	Edge transport node management IP address Edge transport node with provided management IP address will be returned. This property can only be used alone. It can not be combined with other filtering properties.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
transport_zone_path	Transport zone path Edge transport nodes with provided transport zone path will be returned.	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeTransportNodeListResult+

Example Response: { "results": [ { "display_name": "Edge-TN", "description": "Admin!23Admin", "resource_type": "EdgeTransportNode", "id": "my-edge-tn-id", "unique_id": "3bc1e3b0-1cd4-4339-86c8-f76baddbaafb", // MP APIs Flow Support "failure_domain_path": "/infra/sites/default/enforcement-points/default/failure-domains/4fc1e3b0-1cd4-4339-86c8-f76baddbaafb", "deployment_type": "VIRTUAL_MACHINE", "form_factor": "SMALL", "tags": [], "hostname": "edge-hostname.com", "vm_deployment_config": { "placement_type": "VsphereDeploymentConfig", "vc_id": "8a54189e-c657-4ab3-9e30-412bb701e4a6", "compute_id": "`resgroup-10", "host_id": "host_id_value", "compute_folder_id": "compute_folder_id_value", "resource_pool_id": "resource_pool_id_value", "storage_id": "datastore-14", "reservation_info": {} }, "appliance_config": {}, "credentials": {}, "management_interface": {}, "switch_spec": { "switches": [ { "switch_name": "nsxHostSwitch", "switch_profile_paths": [ { "switch_profile_type": "UplinkHostSwitchProfile", "switch_profile_path": "/infra/host-switch-profiles/uplinkProfile1" } ], "overlay_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/overlay-tz1" ], "vlan_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/vlan-tz1", "/infra/sites/default/enforcement-points/default/transport-zones/vlan-tz2" ], "tunnel_endpoints": [ { "ipv6_assignment_spec": { "resource_type": "StaticIpV6PoolSpec", "ip_pool": "/infra/ip-pools/Ipv6-pool" }, "ipv4_assignment_spec": { "resource_type": "StaticIpPoolSpec", "ip_pool": "/infra/ip-pools/Ipv4-pool" } } ], "remote_tunnel_endpoint": { "named_teaming_policy": "named_teaming_policy_name", "ipv4_assignment_spec": { "ip_pool": "/infra/ip-pools/rtep-Ipv4-pool", "resource_type": "StaticIpPoolSpec" }, "vlan": 500, }, "pnics": [ { "device_name": "fb-eth0", "datapath_network_id": "dvportgroup-59", "uplink_name": "uplink-1", "vif_attachment_path": null } ] } ] } } ], "result_count": 1, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a new LCM Edge Transport Node under Enforcement Point

If the passed Edge Transport Node does not already exist, create a new Edge Transport Node.
If it already exists, patch it.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyEdgeTransportNode+

PolicyEdgeTransportNode (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
advanced_configuration	Array of additional specific properties for advanced or cloud-specific deployments in key-value format.	array of KeyValuePair
appliance_config	The settings are used during deployment and consequent update of an edge, unless indicated otherwise.These settings are editable for manually deployed edge nodes as well.	PolicyVmApplianceConfig
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
credentials	Username and password settings for the node. Note - these settings will be honored only during node deployment. Post deployment, CLI must be used for changing the user settings, changes to these parameters will not have any effect. If a password is not provided, then cli and root passwords will get auto-generated. In order to login into a VM, need to reset the password using API https://<nsx-mgr>/api/v1/transport-nodes//node/users/?action=reset_password Note: For audit user, specify either both username and password properties or none. The audit user will be disabled when the username and password are not specified.	PolicyEdgeTransportNodeCredential
deployment_type	The edge node deployment type may be physical or virtual.	EdgeDeploymentType	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
failure_domain_path	Path of the failure domain Set failure domain of edge transport node which will help in auto placement of TIER1 logical routers, DHCP Servers and MDProxies, if failure domain based allocation is enabled in edge cluster API. In case failure domain is not set by user explicitly, it will be always assigned with default system created failure domain.	string
form_factor		EdgeFormFactor	Default: "MEDIUM"
hostname	Host name or FQDN for edge node. Desired host name/FQDN for the VM to be deployed.	string	Required Pattern: "^(?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?)*?$"
id	Unique identifier of this resource	string	Sortable
management_interface	Applicable For LCM managed Node and contains the management interface info.	PolicyEdgeTransportManagementInterface
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
node_type	Edge transport node type This field contains the info of type of edge transport node.	EdgeTransportNodeType	Default: "EDGE_NODE"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeTransportNode	string
switch_spec	Edge Transport node switch specification This property is used to either create edge TN switches or to inform NSX about preconfigured edge TN switches that already exist on the transport node.	PolicyEdgeTransportNodeSwitchSpec
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
vm_deployment_config	VM deployment configuration for LCM nodes	PolicyVmDeploymentConfig (Abstract type: pass one of the following concrete types) PolicyVmDeploymentConfig PolicyVsphereDeploymentConfig

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id { "failure_domain_path": "/infra/sites/default/enforcement-points/default/failure-domains/my-policy-failure-domain-id", "deployment_type": "VIRTUAL_MACHINE", "node_type": "EDGE_NODE", "form_factor": "SMALL", "hostname": "my-edge-tn-id-host.com", "vm_deployment_config": { "vc_id": "2bab11cd-ee62-407c-948c-1ff3f1e6c397", "compute_id": "domain-c18", "storage_id": "datastore-15", "reservation_info": { "memory_reservation": { "reservation_percentage": 10 }, "cpu_reservation": { "reservation_in_shares": "LOW_PRIORITY", "reservation_in_mhz": 10 } }, "placement_type": "PolicyVsphereDeploymentConfig" }, "appliance_config": { "search_domains": [ "123.1.1.1" ], "ntp_servers": [ "times.com" ], "allow_ssh_root_login": true, "dns_servers": [ "123.23.2.2", "123.4.5.5" ], ], "enable_ssh": true, "enable_upt_mode": false }, "credentials": { "credentials": { "cli_password": "Admin!23Admin", "root_password": "Admin!23Admin", "root_password": "Admin!23Admin", "cli_username": "admin", "audit_username": "audit", "audit_password": "Admin!23Admin" }, "management_interface": { "management_interface": { "ip_assignment_specs": [ { "management_port_subnets": [ { { "ip_addresses": [ "fc7e:f206:db42:0:0:0:0:2" ], "prefix_length": 48 } ], "default_gateway": [ "fc7e:f206:db42:0:0:0:0:1" ], "ip_assignment_type": "StaticIpv6" }, { "ip_assignment_type": "Dhcpv4" } ], "network_id": "dvportgroup-48" }, "switch_spec": { "switches": [ { "switch_name": "nsxHostSwitch", "profile_paths": [ { "key": "UplinkHostSwitchProfile", "value": "/infra/host-switch-profiles/my-uplink-profile-id" } ], "overlay_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/my-transport-zone-overlay-id" ], "vlan_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/my-transport-zone-vlan-id" ], "pnics": [ { "device_name": "fp-eth0", "uplink_name": "uplink1", "datapath_network_id": "dvportgroup-48" } ], "tunnel_endpoints": [ { { { { { { "ip_assignment_specs": [ { "ip_pool": "/infra/ip-pools/ippool-policy-ipv4", "ip_assignment_type": "StaticIpv4Pool" } ] ] } ] } ] } } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or update a LCM Edge Transport Node under Enforcement Point

If the passed Edge Transport Node does not already exist, create a new Edge Transport Node.
If it already exists, update it.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyEdgeTransportNode+

PolicyEdgeTransportNode (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
advanced_configuration	Array of additional specific properties for advanced or cloud-specific deployments in key-value format.	array of KeyValuePair
appliance_config	The settings are used during deployment and consequent update of an edge, unless indicated otherwise.These settings are editable for manually deployed edge nodes as well.	PolicyVmApplianceConfig
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
credentials	Username and password settings for the node. Note - these settings will be honored only during node deployment. Post deployment, CLI must be used for changing the user settings, changes to these parameters will not have any effect. If a password is not provided, then cli and root passwords will get auto-generated. In order to login into a VM, need to reset the password using API https://<nsx-mgr>/api/v1/transport-nodes//node/users/?action=reset_password Note: For audit user, specify either both username and password properties or none. The audit user will be disabled when the username and password are not specified.	PolicyEdgeTransportNodeCredential
deployment_type	The edge node deployment type may be physical or virtual.	EdgeDeploymentType	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
failure_domain_path	Path of the failure domain Set failure domain of edge transport node which will help in auto placement of TIER1 logical routers, DHCP Servers and MDProxies, if failure domain based allocation is enabled in edge cluster API. In case failure domain is not set by user explicitly, it will be always assigned with default system created failure domain.	string
form_factor		EdgeFormFactor	Default: "MEDIUM"
hostname	Host name or FQDN for edge node. Desired host name/FQDN for the VM to be deployed.	string	Required Pattern: "^(?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?)*?$"
id	Unique identifier of this resource	string	Sortable
management_interface	Applicable For LCM managed Node and contains the management interface info.	PolicyEdgeTransportManagementInterface
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
node_type	Edge transport node type This field contains the info of type of edge transport node.	EdgeTransportNodeType	Default: "EDGE_NODE"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeTransportNode	string
switch_spec	Edge Transport node switch specification This property is used to either create edge TN switches or to inform NSX about preconfigured edge TN switches that already exist on the transport node.	PolicyEdgeTransportNodeSwitchSpec
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
vm_deployment_config	VM deployment configuration for LCM nodes	PolicyVmDeploymentConfig (Abstract type: pass one of the following concrete types) PolicyVmDeploymentConfig PolicyVsphereDeploymentConfig

Example Request: Example 1: Update the existing object ---------- PUT https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id { "failure_domain_path": "/infra/sites/default/enforcement-points/default/failure-domains/my-policy-failure-domain-id", "deployment_type": "VIRTUAL_MACHINE", "node_type": "EDGE_NODE", "form_factor": "SMALL", "hostname": "my-edge-tn-id-host-updated.com", "vm_deployment_config": { "vc_id": "2bab11cd-ee62-407c-948c-1ff3f1e6c397", "compute_id": "domain-c18", "storage_id": "datastore-15", "reservation_info": { "memory_reservation": { "reservation_percentage": 10 }, "cpu_reservation": { "reservation_in_shares": "LOW_PRIORITY", "reservation_in_mhz": 10 } }, "placement_type": "PolicyVsphereDeploymentConfig" }, "appliance_config": { "search_domains": [ "123.1.1.1" ], "ntp_servers": [ "times.com" ], "allow_ssh_root_login": true, "dns_servers": [ "123.23.2.2", "123.4.5.5" ], ], "enable_ssh": true, "enable_upt_mode": false }, "credentials": { "credentials": { "cli_username": "admin", "audit_username": "audit" }, "management_interface": { "management_interface": { "ip_assignment_specs": [ { "management_port_subnets": [ { { "ip_addresses": [ "fc7e:f206:db42:0:0:0:0:2" ], "prefix_length": 48 } ], "default_gateway": [ "fc7e:f206:db42:0:0:0:0:1" ], "ip_assignment_type": "StaticIpv6" }, { "ip_assignment_type": "Dhcpv4" } ], "network_id": "dvportgroup-48" }, "switch_spec": { "switches": [ { "switch_name": "nsxHostSwitch", "profile_paths": [ { "key": "UplinkHostSwitchProfile", "value": "/infra/host-switch-profiles/my-uplink-profile-id" } ], "overlay_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/my-transport-zone-overlay-id" ], "vlan_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/my-transport-zone-vlan-id" ], "pnics": [ { "device_name": "fp-eth0", "uplink_name": "uplink1", "datapath_network_id": "dvportgroup-48" } ], "tunnel_endpoints": [ { { { { { { "ip_assignment_specs": [ { "ip_pool": "/infra/ip-pools/ippool-policy-ipv4", "ip_assignment_type": "StaticIpv4Pool" } ] ] } ] } ] }, "resource_type": "PolicyEdgeTransportNode", "id": "my-edge-tn-id", "display_name": "my-edge-tn-id", "path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id", "relative_path": "my-edge-tn-id", "parent_path": "/infra/sites/default/enforcement-points/default", "remote_path": "", "unique_id": "e38e21e7-f62d-4cc7-8bc7-b42dcad7d002", "realization_id": "e38e21e7-f62d-4cc7-8bc7-b42dcad7d002", "owner_id": "fb73074c-f134-4fa2-9a8c-98d0fc9484c6", "marked_for_delete": false, "overridden": false, "_create_time": 1724410775720, "_system_owned": false, "_create_user": "admin", "_last_modified_time": 1724410775720, "_last_modified_user": "admin", "_last_modified_user": "admin", "_protection": "NOT_PROTECTED", "_revision": 0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeTransportNode+

PolicyEdgeTransportNode (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
advanced_configuration	Array of additional specific properties for advanced or cloud-specific deployments in key-value format.	array of KeyValuePair
appliance_config	The settings are used during deployment and consequent update of an edge, unless indicated otherwise.These settings are editable for manually deployed edge nodes as well.	PolicyVmApplianceConfig
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
credentials	Username and password settings for the node. Note - these settings will be honored only during node deployment. Post deployment, CLI must be used for changing the user settings, changes to these parameters will not have any effect. If a password is not provided, then cli and root passwords will get auto-generated. In order to login into a VM, need to reset the password using API https://<nsx-mgr>/api/v1/transport-nodes//node/users/?action=reset_password Note: For audit user, specify either both username and password properties or none. The audit user will be disabled when the username and password are not specified.	PolicyEdgeTransportNodeCredential
deployment_type	The edge node deployment type may be physical or virtual.	EdgeDeploymentType	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
failure_domain_path	Path of the failure domain Set failure domain of edge transport node which will help in auto placement of TIER1 logical routers, DHCP Servers and MDProxies, if failure domain based allocation is enabled in edge cluster API. In case failure domain is not set by user explicitly, it will be always assigned with default system created failure domain.	string
form_factor		EdgeFormFactor	Default: "MEDIUM"
hostname	Host name or FQDN for edge node. Desired host name/FQDN for the VM to be deployed.	string	Required Pattern: "^(?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?)*?$"
id	Unique identifier of this resource	string	Sortable
management_interface	Applicable For LCM managed Node and contains the management interface info.	PolicyEdgeTransportManagementInterface
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
node_type	Edge transport node type This field contains the info of type of edge transport node.	EdgeTransportNodeType	Default: "EDGE_NODE"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeTransportNode	string
switch_spec	Edge Transport node switch specification This property is used to either create edge TN switches or to inform NSX about preconfigured edge TN switches that already exist on the transport node.	PolicyEdgeTransportNodeSwitchSpec
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
vm_deployment_config	VM deployment configuration for LCM nodes	PolicyVmDeploymentConfig (Abstract type: pass one of the following concrete types) PolicyVmDeploymentConfig PolicyVsphereDeploymentConfig

Required Permissions: crud Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read an Edge Transport Node under an Enforcement Point

Read an Edge Transport Node under an Enforcement Point
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeTransportNode+

PolicyEdgeTransportNode (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
advanced_configuration	Array of additional specific properties for advanced or cloud-specific deployments in key-value format.	array of KeyValuePair
appliance_config	The settings are used during deployment and consequent update of an edge, unless indicated otherwise.These settings are editable for manually deployed edge nodes as well.	PolicyVmApplianceConfig
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
credentials	Username and password settings for the node. Note - these settings will be honored only during node deployment. Post deployment, CLI must be used for changing the user settings, changes to these parameters will not have any effect. If a password is not provided, then cli and root passwords will get auto-generated. In order to login into a VM, need to reset the password using API https://<nsx-mgr>/api/v1/transport-nodes//node/users/?action=reset_password Note: For audit user, specify either both username and password properties or none. The audit user will be disabled when the username and password are not specified.	PolicyEdgeTransportNodeCredential
deployment_type	The edge node deployment type may be physical or virtual.	EdgeDeploymentType	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
failure_domain_path	Path of the failure domain Set failure domain of edge transport node which will help in auto placement of TIER1 logical routers, DHCP Servers and MDProxies, if failure domain based allocation is enabled in edge cluster API. In case failure domain is not set by user explicitly, it will be always assigned with default system created failure domain.	string
form_factor		EdgeFormFactor	Default: "MEDIUM"
hostname	Host name or FQDN for edge node. Desired host name/FQDN for the VM to be deployed.	string	Required Pattern: "^(?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?)*?$"
id	Unique identifier of this resource	string	Sortable
management_interface	Applicable For LCM managed Node and contains the management interface info.	PolicyEdgeTransportManagementInterface
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
node_type	Edge transport node type This field contains the info of type of edge transport node.	EdgeTransportNodeType	Default: "EDGE_NODE"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeTransportNode	string
switch_spec	Edge Transport node switch specification This property is used to either create edge TN switches or to inform NSX about preconfigured edge TN switches that already exist on the transport node.	PolicyEdgeTransportNodeSwitchSpec
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
vm_deployment_config	VM deployment configuration for LCM nodes	PolicyVmDeploymentConfig (Abstract type: pass one of the following concrete types) PolicyVmDeploymentConfig PolicyVsphereDeploymentConfig

Example Response: { "display_name": "Edge-TN", "description": "Admin!23Admin", "resource_type": "EdgeTransportNode", "id": "my-edge-tn-id", "unique_id": "3bc1e3b0-1cd4-4339-86c8-f76baddbaafb", "failure_domain_path": "/infra/sites/default/enforcement-points/default/failure-domains/4fc1e3b0-1cd4-4339-86c8-f76baddbaafb", "deployment_type": "VIRTUAL_MACHINE", "form_factor": "SMALL", "tags": [], "hostname": "edge-hostname.com", "vm_deployment_config": { "placement_type": "VsphereDeploymentConfig", "vc_id": "8a54189e-c657-4ab3-9e30-412bb701e4a6", "compute_id": "`resgroup-10", "host_id": "host_id_value", "compute_folder_id": "compute_folder_id_value", "resource_pool_id": "resource_pool_id_value", "storage_id": "datastore-14", "reservation_info": { "memory_reservation": { "reservation_percentage": 40 }, "cpu_reservation": { "reservation_in_shares": "EXTRA_HIGH_PRIORITY", "reservation_in_mhz": 75 } } }, "appliance_config": { "search_domains": [ "search-domain.com" ], "ntp_servers": [ "ntp-server.com" ], "dns_servers": [ "10.191.197.65" ], "syslog_servers": [], "enable_ssh": true, "allow_ssh_root_login": true, "enable_upt_mode": true }, "credentials": { "root_password": "Admin!23Admin", "cli_password": "Admin!23Admin", "cli_username": "admin", "audit_username": "root", "audit_password": "Admin!23Admin" }, "management_interface": { "network_id": "network-16", "ip_assignment_specs": [ { "assignment_type": "STATICV4", "management_port_subnet": { "ip_addresses": [ "10.161.128.83" ], "prefix_length": "24" }, "default_gateway": "10.161.159.253" }, { "assignment_type": "STATICV6", "management_port_subnet": { "ip_addresses": [ "fd00::5:e20" ], "prefix_length": "64" }, "default_gateway": "fd00::5:e50" } ] }, "switch_spec": { "switches": [ { "switch_name": "nsxHostSwitch", "switch_profile_paths": [ { "type": "UplinkHostSwitchProfile", "path": "/infra/host-switch-profiles/uplinkProfile1" } ], "overlay_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/overlay-tz1" ], "vlan_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/vlan-tz1", "/infra/sites/default/enforcement-points/default/transport-zones/vlan-tz2" ], "tunnel_endpoints": [ { "device_name": "device-name", "ip_assignment_specs": [ { "assignment_type": "STATICV6POOL", "ip_pool": "/infra/ip-pools/Ipv6-pool" }, { "assignment_type": "STATICV4", "static_ips": [ "153.243.242.83" ], "default_gateway": "10.161.159.253", "subnet_mask": "255.255.255.0" } ] } ], "remote_tunnel_endpoint": [ { "named_teaming_policy": "named_teaming_policy_name", "ip_assignment_specs": [ { "assignment_type": "STATICV4POOL", "ip_pool": "/infra/ip-pools/Ipv4-rtep-pool" } ], "vlan": 500, "device_name": "device-name" } ], "pnics": [ { "device_name": "fb-eth0", "datapath_network_id": "dvportgroup-59", "uplink_name": "uplink-1" } ] } ] }, "create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } PUT https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id { "failure_domain_path": "/infra/sites/default/enforcement-points/default/failure-domains/my-policy-failure-domain-id", "deployment_type": "VIRTUAL_MACHINE", "node_type": "EDGE_NODE", "form_factor": "SMALL", "hostname": "my-edge-tn-id-host.com", "vm_deployment_config": { "vc_id": "2bab11cd-ee62-407c-948c-1ff3f1e6c397", "compute_id": "domain-c18", "storage_id": "datastore-15", "reservation_info": { "memory_reservation": { "reservation_percentage": 10 }, "cpu_reservation": { "reservation_in_shares": "LOW_PRIORITY", "reservation_in_mhz": 10 } }, "placement_type": "PolicyVsphereDeploymentConfig" }, "appliance_config": { "search_domains": [ "123.1.1.1" ], "ntp_servers": [ "times.com" ], "allow_ssh_root_login": true, "dns_servers": [ "123.23.2.2", "123.4.5.5" ], "enable_ssh": true, "enable_upt_mode": false }, "credentials": { "cli_password": "Admin!23Admin", "root_password": "Admin!23Admin", "cli_username": "admin", "audit_username": "audit", "audit_password": "Admin!23Admin" }, "management_interface": { "ip_assignment_specs": [ { "management_port_subnets": [ { "ip_addresses": [ "fc7e:f206:db42:0:0:0:0:2" ], "prefix_length": 48 } ], "default_gateway": [ "fc7e:f206:db42:0:0:0:0:1" ], "ip_assignment_type": "StaticIpv6" }, { "ip_assignment_type": "Dhcpv4" } ], "network_id": "dvportgroup-48" }, "switch_spec": { "switches": [ { "switch_name": "nsxHostSwitch", "profile_paths": [ { "key": "UplinkHostSwitchProfile", "value": "/infra/host-switch-profiles/my-uplink-profile-id" } ], "overlay_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/my-transport-zone-overlay-id" ], "vlan_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/my-transport-zone-vlan-id" ], "pnics": [ { "device_name": "fp-eth0", "uplink_name": "uplink1", "datapath_network_id": "dvportgroup-48" } ], "tunnel_endpoints": [ { "ip_assignment_specs": [ { "ip_pool": "/infra/ip-pools/ippool-policy-ipv4", "ip_assignment_type": "StaticIpv4Pool" } ] } ] } ] } } Required Permissions: read Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Edge Transport Node

Delete Edge Transport Node.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Redeploy Edge Transport Node

Redeploys an edge transport node at NSX Manager that replaces the edge transport node with
identifier <node-id>. If NSX Manager can access the specified edge node,
then the node is put into maintenance mode and then the associated VM is
deleted. This is a means to reset all configuration on the edge node.
The communication channel between NSX Manager and edge is established after
this operation.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/action/redeploy

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyEdgeTransportNode+

PolicyEdgeTransportNode (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
advanced_configuration	Array of additional specific properties for advanced or cloud-specific deployments in key-value format.	array of KeyValuePair
appliance_config	The settings are used during deployment and consequent update of an edge, unless indicated otherwise.These settings are editable for manually deployed edge nodes as well.	PolicyVmApplianceConfig
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
credentials	Username and password settings for the node. Note - these settings will be honored only during node deployment. Post deployment, CLI must be used for changing the user settings, changes to these parameters will not have any effect. If a password is not provided, then cli and root passwords will get auto-generated. In order to login into a VM, need to reset the password using API https://<nsx-mgr>/api/v1/transport-nodes//node/users/?action=reset_password Note: For audit user, specify either both username and password properties or none. The audit user will be disabled when the username and password are not specified.	PolicyEdgeTransportNodeCredential
deployment_type	The edge node deployment type may be physical or virtual.	EdgeDeploymentType	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
failure_domain_path	Path of the failure domain Set failure domain of edge transport node which will help in auto placement of TIER1 logical routers, DHCP Servers and MDProxies, if failure domain based allocation is enabled in edge cluster API. In case failure domain is not set by user explicitly, it will be always assigned with default system created failure domain.	string
form_factor		EdgeFormFactor	Default: "MEDIUM"
hostname	Host name or FQDN for edge node. Desired host name/FQDN for the VM to be deployed.	string	Required Pattern: "^(?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?)*?$"
id	Unique identifier of this resource	string	Sortable
management_interface	Applicable For LCM managed Node and contains the management interface info.	PolicyEdgeTransportManagementInterface
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
node_type	Edge transport node type This field contains the info of type of edge transport node.	EdgeTransportNodeType	Default: "EDGE_NODE"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeTransportNode	string
switch_spec	Edge Transport node switch specification This property is used to either create edge TN switches or to inform NSX about preconfigured edge TN switches that already exist on the transport node.	PolicyEdgeTransportNodeSwitchSpec
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
vm_deployment_config	VM deployment configuration for LCM nodes	PolicyVmDeploymentConfig (Abstract type: pass one of the following concrete types) PolicyVmDeploymentConfig PolicyVsphereDeploymentConfig

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id/action/redeploy { "failure_domain_path": "/infra/sites/default/enforcement-points/default/failure-domains/my-policy-failure-domain-id", "deployment_type": "VIRTUAL_MACHINE", "node_type": "EDGE_NODE", "form_factor": "SMALL", "hostname": "my-edge-tn-id-host.com", "vm_deployment_config": { "vc_id": "2bab11cd-ee62-407c-948c-1ff3f1e6c397", "compute_id": "domain-c18", "storage_id": "datastore-15", "reservation_info": { "memory_reservation": { "reservation_percentage": 10 }, "cpu_reservation": { "reservation_in_shares": "LOW_PRIORITY", "reservation_in_mhz": 10 } }, "placement_type": "PolicyVsphereDeploymentConfig" }, "appliance_config": { "search_domains": [ "123.1.1.1" ], "ntp_servers": [ "times.com" ], "allow_ssh_root_login": true, "dns_servers": [ "123.23.2.2", "123.4.5.5" ], ], "enable_ssh": true, "enable_upt_mode": false }, "credentials": { "credentials": { "cli_username": "admin", "audit_username": "audit" }, "management_interface": { "management_interface": { "ip_assignment_specs": [ { "management_port_subnets": [ { { "ip_addresses": [ "fc7e:f206:db42:0:0:0:0:2" ], "prefix_length": 48 } ], "default_gateway": [ "fc7e:f206:db42:0:0:0:0:1" ], "ip_assignment_type": "StaticIpv6" }, { "ip_assignment_type": "Dhcpv4" } ], "network_id": "dvportgroup-48" }, "switch_spec": { "switches": [ { "switch_name": "nsxHostSwitch", "profile_paths": [ { "key": "UplinkHostSwitchProfile", "value": "/infra/host-switch-profiles/my-uplink-profile-id" } ], "overlay_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/my-transport-zone-overlay-id" ], "vlan_transport_zone_paths": [ "/infra/sites/default/enforcement-points/default/transport-zones/my-transport-zone-vlan-id" ], "pnics": [ { "device_name": "fp-eth0", "uplink_name": "uplink1", "datapath_network_id": "dvportgroup-48" } ], "tunnel_endpoints": [ { { { { { { "ip_assignment_specs": [ { "ip_pool": "/infra/ip-pools/ippool-policy-ipv4", "ip_assignment_type": "StaticIpv4Pool" } ] } } ] } ] }, "resource_type": "PolicyEdgeTransportNode", "id": "my-edge-tn-id", "display_name": "my-edge-tn-id", "path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id", "relative_path": "my-edge-tn-id", "parent_path": "/infra/sites/default/enforcement-points/default", "remote_path": "", "unique_id": "e38e21e7-f62d-4cc7-8bc7-b42dcad7d002", "realization_id": "e38e21e7-f62d-4cc7-8bc7-b42dcad7d002", "owner_id": "fb73074c-f134-4fa2-9a8c-98d0fc9484c6", "marked_for_delete": false, "overridden": false, "_create_time": 1724410775720, "_system_owned": false, "_create_user": "admin", "_last_modified_time": 1724410775720, "_last_modified_user": "admin", "_last_modified_user": "admin", "_last_modified_user": "admin", "_last_modified_user": "admin", "_protection": "NOT_PROTECTED", "_revision": 0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeTransportNode+

PolicyEdgeTransportNode (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
advanced_configuration	Array of additional specific properties for advanced or cloud-specific deployments in key-value format.	array of KeyValuePair
appliance_config	The settings are used during deployment and consequent update of an edge, unless indicated otherwise.These settings are editable for manually deployed edge nodes as well.	PolicyVmApplianceConfig
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
credentials	Username and password settings for the node. Note - these settings will be honored only during node deployment. Post deployment, CLI must be used for changing the user settings, changes to these parameters will not have any effect. If a password is not provided, then cli and root passwords will get auto-generated. In order to login into a VM, need to reset the password using API https://<nsx-mgr>/api/v1/transport-nodes//node/users/?action=reset_password Note: For audit user, specify either both username and password properties or none. The audit user will be disabled when the username and password are not specified.	PolicyEdgeTransportNodeCredential
deployment_type	The edge node deployment type may be physical or virtual.	EdgeDeploymentType	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
failure_domain_path	Path of the failure domain Set failure domain of edge transport node which will help in auto placement of TIER1 logical routers, DHCP Servers and MDProxies, if failure domain based allocation is enabled in edge cluster API. In case failure domain is not set by user explicitly, it will be always assigned with default system created failure domain.	string
form_factor		EdgeFormFactor	Default: "MEDIUM"
hostname	Host name or FQDN for edge node. Desired host name/FQDN for the VM to be deployed.	string	Required Pattern: "^(?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]\|-){0,61}[0-9A-Za-z])?)*?$"
id	Unique identifier of this resource	string	Sortable
management_interface	Applicable For LCM managed Node and contains the management interface info.	PolicyEdgeTransportManagementInterface
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
node_type	Edge transport node type This field contains the info of type of edge transport node.	EdgeTransportNodeType	Default: "EDGE_NODE"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeTransportNode	string
switch_spec	Edge Transport node switch specification This property is used to either create edge TN switches or to inform NSX about preconfigured edge TN switches that already exist on the transport node.	PolicyEdgeTransportNodeSwitchSpec
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
vm_deployment_config	VM deployment configuration for LCM nodes	PolicyVmDeploymentConfig (Abstract type: pass one of the following concrete types) PolicyVmDeploymentConfig PolicyVsphereDeploymentConfig

Required Permissions: crud Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Transport Nodes: Maintenance Mode

Associated URIs:

POST /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/action/enter-maintenance-mode
POST /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/action/exit-maintenance-mode

Policy Edge Transport Node Enter Maintenance Mode Action API

Put edge transport node into maintenance mode if there is no VIFs attached.
When EdgeTransportNode is in maintenance mode, no configuration changes are allowed.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/action/enter-maintenance-mode

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id/action/enter-maintenance-mode Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy Edge Transport Node Exit Maintenance Mode Action API

This APi will exit from maintenance mode
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/action/exit-maintenance-mode

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id/action/exit-maintenance-mode Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Transport Nodes: Network

Policy: Infra: Enforcement Points: Edge Transport Nodes: Network: Interface

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/network/interfaces

List the specified edge transport node's network interfaces.

Returns the number of interfaces on the edge transport node and detailed
information about each interface. Interface information includes MTU,
broadcast and host IP addresses, link and admin status, MAC address, network
mask, and the IP configuration method (static or DHCP).
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/network/interfaces

Request Headers:

n/a

Query Parameters:

NetworkInterfaceRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id/network/interfaces Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

NodeInterfacePropertiesListResult+

Example Response: { "results": [ { "admin_status": "UP", "interface_id": "eth0", "interface_uuid": "00000000-0000-0000-0000-000000000000", "link_status": "UP", "mtu": 1500, "interface_alias": [ { "broadcast_address": "10.160.247.255", "ip_address": "10.160.243.95", "ip_configuration": "dhcp", "netmask": "255.255.248.0", "physical_address": "00:50:56:ab:c2:66" } ], "source": "cached" }, { "admin_status": "UP", "interface_id": "kni-lrport-0", "interface_uuid": "ba3c1bcf-f4cb-5161-9f7c-9e1356677c99", "link_status": "UP", "mtu": 9190, "interface_alias": [ { "ip_configuration": "not configured", "physical_address": "02:50:56:3f:00:00" } ], "source": "cached" }, { "admin_status": "UP", "interface_id": "fp-eth0", "interface_uuid": "362e57cc-3102-e85c-264e-231325599fec", "link_status": "UP", "mtu": 1700, "interface_alias": [ { "physical_address": "00:50:56:ab:7a:8b" } ], "source": "cached" }, { "admin_status": "UP", "interface_id": "fp-eth1", "interface_uuid": "e1001c4c-4d7f-855b-98dc-3c5ac7eeaeb3", "link_status": "DOWN", "mtu": 1500, "interface_alias": [ { "physical_address": "00:50:56:ab:13:b0" } ], "source": "cached" }, { "admin_status": "UP", "interface_id": "fp-eth2", "interface_uuid": "1f821830-8d56-86c2-090d-37914481f396", "link_status": "DOWN", "mtu": 1500, "interface_alias": [ { "physical_address": "00:50:56:ab:a7:2e" } ], "source": "cached" }, { "admin_status": "UP", "interface_id": "fp-eth3", "interface_uuid": "33db4689-aa8e-7230-9d63-a8e4169f50f4", "link_status": "DOWN", "mtu": 1500, "interface_alias": [ { "physical_address": "00:50:56:ab:b1:66" } ], "source": "cached" } ], "result_count": 6 } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Transport Nodes: Network: Interface: Status

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/network/interfaces/{interface-id}/statistics

Read counters for edge transport node interfaces.

This API returns the counters of the specified interface. The counters reset on reboot or redeploy
of the appliance or restart of the data plane. NSX Manager polls the edge-transport-node every minute
(by default) to update the data returned on this API. If you need near realtime values, use the query
parameter \"?source=realtime\" to the API and it will make NSX Manager collect the statistics from
the edge transport node and returns the updated counters.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/network/interfaces/{interface-id}/statistics

Request Headers:

n/a

Query Parameters:

PolicyRuntimeRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id/network/interfaces/fp-eth2/statistics Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

NodeInterfaceStatisticsProperties+

NodeInterfaceStatisticsProperties (schema)

Name	Description	Type	Notes
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
interface_id	Interface ID	string
rx_bytes	Bytes in The total number of bytes received on the interface since the uptime. This will be reset on transport node restart.	integer
rx_drop_no_match	Rx drop no match The total number of packets dropped on the edge transport node interface since the uptime due to one of the below reasons. - MAC lookup failure. - If logical service interface receives a packet which is not destined for the service. This will be reset on edge reboot or edge dataplane restart.	integer
rx_dropped	Total packets dropped since the uptime	integer
rx_errors	Rx errors The total number of erroneous incoming packets received on the interface since the uptime. This will be reset on transport node restart.	integer
rx_frame	Total framing error packets since the uptime Total framing error packets since the uptime. Available only for Host Transport Node.	integer
rx_misses	Rx misses The Total number of incoming packets dropped on the edge transport node interface since the uptime.For DPDK interface this could be due to Rx buffer overflow or busy Fast Path(FP) core. This will be reset on edge reboot or edge dataplane restart.	integer
rx_nombufs	Rx no mBufs The total number of incoming packets dropped on the edge transport node interface since the uptime due to Rx mBuf allocation failure. This will be reset on edge reboot or edge dataplane restart.	integer
rx_packets	Packets in The total number of incoming packets on the interface since the uptime. This will be reset on transport node restart.	integer
source	Source of status data.	DataSourceType
tx_bytes	Tx Bytes The total number of bytes transmitted from the interface since the uptime. This will be reset on transport node restart.	integer
tx_carrier	Total packets for carrier losses detected on transmit Total packets for carrier losses detected on transmit. Available only for Host Transport Node.	integer
tx_colls	Total packets for collisions detected on transmit Total packets for collisions detected on transmit. Available only for Host Transport Node.	integer
tx_dropped	Total packets dropped on transmit since the uptime	integer
tx_drops	Tx drops The total number of outgoing packets dropped on the DPDK interface of the edge transport node due to Tx buffer overflow since the uptime. The vmxnet3 backend or physical NIC is not able to process all the packets that edge is attempting to send out. This will be reset on edge reboot or edge dataplane restart.	integer
tx_errors	Tx errors The total number of erroneous packets failed to be transmitted since the uptime. This will be reset on transport node restart.	integer
tx_packets	Packets out The total number of outgoing packets transmitted from the interface since the uptime. This will be reset on transport node restart.	integer

Example Response: { "interface_id": "fp-eth2", "rx_bytes": 0, "rx_errors": 0, "rx_packets": 0, "tx_bytes": 0, "tx_errors": 0, "tx_packets": 0, "rx_misses": 0, "rx_nombufs": 0, "tx_drops": 0, "source": "cached" } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Transport Nodes: States

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/state
GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/state

Get a Policy EdgeTransport Node's State info under an Enforcement Point

Returns information about the current state of the edge transport node
configuration and information about the associated edge tn switches.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/state

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id/state Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeTransportNodeState+

PolicyEdgeTransportNodeState (schema)

Name	Description	Type	Notes
appliance_state	Realized VM Appliance Configuration State This field contains the realized config of the vm appliance. If the config changes from CLI/NAPI config, then the same information will be reflected in this field.	VmApplianceState	Readonly
edge_tn_state	Overall Edge Transport Node State This field contains the overall edge transport node deployment state information.	EdgeTnState	Readonly
edge_transport_node_path	Policy Path Of Edge Transport Node	string	Readonly
hardware_version	Edge Node Virtual Machine Hardware Version Hardware version of the edge fabric node virtual machine.	string	Readonly
maintenance_mode_state	Realized Maintenance Mode State	MaintenanceModeState	Readonly
management_interface_state	Realized Management interface endpoint State This field contains the realized information of management interface.	ManagementInterfaceEndpointState	Readonly
switch_states	States of Edge Transport Node Switches.	array of EdgeTransportNodeSwitchState	Readonly
vm_placement_state	The Edge Vm Placement configuration state	VmPlacementState	Readonly

Example Response: { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id", "switch_states": [ { "tunnel_endpoints": [ { "device_name": "vmk10", "mac": "msc-id", "label": 48129, "datapath_network_id": "network-16", "tep_group_label": false, "realized_ips": [ { "ip": "153.243.242.83", "default_gateway": "10.161.159.253", "subnet_mask": "255.255.255.0" }, { "ip": "fd00::5:e20", "default_gateway": "fd00::5:e50", "prefix_length": "64" } ] } ], "remote_tunnel_endpoints": [ { "device_name": "vmk10", "mac": "msc-id", "label": 48129, "vlan": 200, "realized_ips": [ { "ip": "153.243.242.84", "default_gateway": "10.161.159.253", "subnet_mask": "255.255.255.0" } ] } ] } ], "management_interface_state": [ { "realized_ips": [ { "default_gateway_address": "10.218.138.100", "ipv4_assignment_type": "DHCPV4", "ip": "10.218.138.183" }, { "default_gateway_address": "fd00::5:50", "ipv4_assignment_type": "STATIC", "ip": "fd00::5:41" } ], "managment_network_id": "network-16" } ], "appliance_state": { "search_domains": [ "search-domain.com" ], "ntp_servers": [ "ntp-server.com" ], "dns_servers": [ "10.191.197.65" ], "syslog_servers": [], "enable_ssh": true, "enable_upt_mode": true }, "maintenance_mode_state": "DISABLED", "edge_tn_state": { "edge_deployment_state": "success", "publish_state": "success", "overall_state": "success", "details": [] } } Required Permissions: read Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get a Policy EdgeTransport Node's State info under an Enforcement Point

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/state

Request Headers:

n/a

Query Parameters:

TransportNodeStateParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/state Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeTransportNodeStateListResult+

Example Response: { "results": [ { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/d542ad6f-d069-4415-bd0d-27d9588c5e3d", "switch_states": [ { "switch_name": "nsxHostSwitch", "tunnel_endpoints": [ { "device_name": "vtep-0", "mac": "00:50:56:ab:17:c9", "label": 77825, "tep_group_label": 0, "realized_ips": [ { "ip": "172.20.10.17", "subnet_mask": "255.255.255.0" } ] } ] } ], "maintenance_mode_state": "DISABLED", "management_interface_state": { "realized_ips": [ { "ip": "10.160.244.135", "default_gateway": "10.160.240.1", "prefix_length": "21" } ] }, "appliance_state": { "enable_ssh": true, "enable_upt_mode": false }, "vm_placement_state": { "host_moref": "host-14" }, "edge_tn_state": { "deployment_state": { "state": "NODE_READY", "details": [ ], "failure_message": "", "failure_code": 0 }, "transport_node_state": { "state": "success", "failure_code": 0 }, "consolidated_status": "SUCCESS", "progress_state": { "progress": 100, "current_step_title": "Configuration complete" } } }, { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/5616e1db-1955-49ef-8990-892b213a60e2", "switch_states": [ { "switch_name": "nsxHostSwitch", "tunnel_endpoints": [ { "device_name": "vtep-0", "mac": "00:50:56:ab:ae:a3", "label": 13313, "tep_group_label": 0, "realized_ips": [ { "ip": "172.20.10.19", "subnet_mask": "255.255.255.0" } ] } ] } ], "maintenance_mode_state": "DISABLED", "management_interface_state": { "realized_ips": [ { "ip": "10.160.244.223", "default_gateway": "10.160.240.1", "prefix_length": "21" } ] }, "appliance_state": { "enable_ssh": true, "enable_upt_mode": false }, "vm_placement_state": { "host_moref": "host-14" }, "edge_tn_state": { "deployment_state": { "state": "NODE_READY", "details": [ ], "failure_message": "", "failure_code": 0 }, "transport_node_state": { "state": "success", "failure_code": 0 }, "consolidated_status": "SUCCESS", "progress_state": { "progress": 100, "current_step_title": "Configuration complete" } } }, { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/62684fc2-9704-11ef-8ae2-020037f1d7e5", "switch_states": [ { "switch_name": "nsxvswitch", "tunnel_endpoints": [ { "device_name": "vtep-0", "mac": "02:00:37:e4:fd:ff", "label": 111617, "tep_group_label": 0, "realized_ips": [ { "ip": "172.20.10.14", "subnet_mask": "255.255.255.0" } ] } ], "remote_tunnel_endpoints": [ { "device_name": "fp-eth1", "mac": "02:00:37:e4:fd:ff", "vlan": 500, "realized_ips": [ { "ip": "172.20.10.15", "subnet_mask": "255.255.255.0" } ] } ] } ], "maintenance_mode_state": "DISABLED", "management_interface_state": { "realized_ips": [ { "ip": "10.160.245.160", "default_gateway": "10.160.240.1", "prefix_length": "21" } ] }, "appliance_state": { "ntp_servers": [ "ntp.broadcom.net" ], "enable_ssh": true, "enable_upt_mode": false }, "edge_tn_state": { "deployment_state": { "state": "NODE_READY", "details": [ ] }, "transport_node_state": { "state": "success", "failure_code": 0 }, "consolidated_status": "SUCCESS", "progress_state": { "progress": 100, "current_step_title": "Configuration complete" } } } ], "result_count": 3 } Required Permissions: read Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Transport Nodes: Status

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/status

Get a Policy EdgeTransport Node's status info under an Enforcement Point

Returns information about the current status of the edge transport node.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/{edge-transport-node-id}/status

Request Headers:

n/a

Query Parameters:

DataSourceParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TransportNodeStatus+

TransportNodeStatus (schema)

Name	Description	Type	Notes
agent_status	NSX agents status	AgentStatusCount
control_connection_status	Control connection status	StatusCount
evpn_tunnel_status	EVPN Tunnel Status	TunnelStatusCount
high_availability_status	Edge Node's HA status High Availability status of the edge node.	string	Enum: UNKNOWN, UP, DOWN, ADMIN_DOWN, UNREACHABLE
last_aggsvc_heartbeat	Timestamp of the last agg-service heartbeat, in epoch milliseconds.	EpochMsTimestamp
last_status_changed_time	Timestamp of the last status change, in epoch milliseconds.	EpochMsTimestamp
mgmt_connection_status	Management connection status	string	Enum: UP, DOWN
node_display_name	Display name Transport node display name	string
node_path	Transport node path	string
node_status	Node status	NodeStatus
node_type	Transport node type Transport node type.	string	Enum: HostNode, EdgeNode
node_uuid	Transport node uuid	string
pnic_status	pNIC status	StatusCount
status	Roll-up status of connections Roll-up status of pNIC, management connection, control connection, tunnel status, agent status	string	Enum: UP, DOWN, DEGRADED, UNKNOWN
status_description	Status description Describe what makes the status not UP	string
storage_state	Storage state Edge node storage state.	string	Enum: READ_WRITE, READ_ONLY, UNKNOWN
threat_status	Threat status	ThreatStatus
tier_0s	Edge node tier0 status List of Edge node tier0 statuses.	array of Tier0Status
tunnel_status	Tunnel Status	TunnelStatusCount
vm_uuid	Edge VM UUID Edge node virtual machine unique identifier. This is reported only for Edge Virtual Machine Type deployed on NSX configured host nodes.	string
vtep_state	VTEP state Edge node VTEP state.	string	Enum: UP, DOWN, UNKNOWN

Example Response: { "edge_transport_node_path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/my-edge-tn-id", "edge_transport_node_display_name": "mashish-svc.nsxedge-ob-21766245-1-Issues7", "status": "UP", "pnic_status": { "status": "UP", "up_count": 2, "down_count": 0, "degraded_count": 0, "last_status_changed_time": 1684158497178 }, "mgmt_connection_status": "UP", "control_connection_status": { "status": "UP", "up_count": 1, "down_count": 0, "degraded_count": 0, "last_status_changed_time": 1684158497178 }, "tunnel_status": { "bfd_status": { "bfd_admin_down_count": 0, "bfd_down_count": 0, "bfd_init_count": 0, "bfd_up_count": 2 }, "bfd_diagnostic": { "no_diagnostic_count": 2, "control_detection_time_expired_count": 0, "echo_function_failed_count": 0, "forwarding_plane_reset_count": 0, "path_down_count": 0, "concatenated_path_down_count": 0, "administratively_down_count": 0, "reverse_concatenated_path_down_count": 0, "neighbor_signaled_session_down_count": 0 }, "status": "UP", "up_count": 2, "down_count": 0, "last_status_changed_time": 1684158675848 }, "agent_status": { "status": "UP", "up_count": 1, "down_count": 0, "agents": [ { "status": "UP", "name": "NSX_OPSAGENT", "last_status_changed_time": 1684158586190, "components": [ { "status": "UP", "name": "opsagent-proxy-connection" } ] } ], "last_status_changed_time": 1684158586190, "degraded_count": 0 }, "node_status": { "last_heartbeat_timestamp": 1684158495956, "mpa_connectivity_status": "UP", "mpa_connectivity_status_details": "Client is responding to heartbeats", "lcp_connectivity_status": "UP", "lcp_connectivity_status_details": [ { "control_node_ip": "10.168.197.204", "status": "UP" } ], "host_node_deployment_status": "NODE_READY", "software_version": "4.2.0.0.0.21766255", "system_status": { "cpu_cores": 4, "dpdk_cpu_cores": 2, "non_dpdk_cpu_cores": 2, "disk_space_total": 200809668, "disk_space_used": 11349552, "file_systems": [ { "file_system": "/dev/sda2", "mount": "/", "total": 19509484, "type": "ext4", "used": 6632136 }, { "file_system": "/dev/sda1", "mount": "/boot", "total": 964900, "type": "ext4", "used": 7244 }, { "file_system": "/dev/mapper/nsx-config", "mount": "/config", "total": 19506412, "type": "ext4", "used": 5856 }, { "file_system": "/dev/mapper/nsx-var+log", "mount": "/var/log", "total": 40002896, "type": "ext4", "used": 4704080 }, { "file_system": "/dev/mapper/nsx-tmp", "mount": "/tmp", "total": 3853768, "type": "ext4", "used": 84 }, { "file_system": "/dev/mapper/nsx-image", "mount": "/image", "total": 19506412, "type": "ext4", "used": 80 }, { "file_system": "/dev/mapper/nsx-var+dump", "mount": "/var/dump", "total": 58449900, "type": "ext4", "used": 24 } ], "load_average": [ 2.7699999809265137, 2.440000057220459, 2.140000104904175 ], "cpu_usage": { "highest_cpu_core_usage_dpdk": 0.029999999329447746, "avg_cpu_core_usage_dpdk": 0.019999999552965164, "highest_cpu_core_usage_non_dpdk": 99.52999877929688, "avg_cpu_core_usage_non_dpdk": 68.37999725341797 }, "edge_mem_usage": { "system_mem_usage": 64.32, "swap_usage": 0.0, "cache_usage": 27.46, "datapath_total_usage": 54.53, "datapath_mem_usage_details": { "datapath_heap_usage": 0.0, "highest_datapath_mem_pool_usage": 44.39, "highest_datapath_mem_pool_usage_names": [ "mbuf_pool_socket_0" ], "datapath_mem_pools_usage": [ { "name": "mbuf_pool_socket_0", "description": "Packet Pool on Socket 0", "usage": 44.39 }, { "name": "jumbo_mbuf_pool", "description": "Packet Pool for Jumbo Frame Used by Ipsec Crypto Device", "usage": 0.0 }, { "name": "sess_mp_0", "description": "session private mempool for crypto device used by ipsec", "usage": 0.0 }, { "name": "sess_priv_mp_0", "description": "session mempool for crypto device used by ipsec", "usage": 0.0 }, { "name": "sp_pktmbuf_pool", "description": "Datapath Slowpath Packet Pool", "usage": 0.0 }, { "name": "fw_mon_msg", "description": "Stateful Service Sync Message Pool", "usage": 0.0 }, { "name": "pfstatepl3", "description": "Stateful Service State Pool", "usage": 0.0 }, { "name": "pffqdnippl", "description": "Stateful Service FQDN to IP Map Pool", "usage": 0.0 }, { "name": "pffqdnsyncpl", "description": "Stateful Service FQDN SYNC Pool", "usage": 0.0 }, { "name": "pffqdndnpl", "description": "Stateful Service FQDN Internal Pool", "usage": 0.0 }, { "name": "pfdnsdnpl", "description": "Stateful Service FQDN DNS Pool", "usage": 0.0 }, { "name": "pffrentpl3", "description": "Stateful Service Fragmented Entry Pool", "usage": 0.0 }, { "name": "pfpktpl3", "description": "Stateful Service Fragmented Packet Pool", "usage": 0.0 }, { "name": "pfsyncmbufpl3", "description": "Stateful Service SYNC Pool", "usage": 0.0 }, { "name": "pf_fp_rule_node", "description": "Stateful Service Rule Node Pool", "usage": 0.0 }, { "name": "pf_fp_root_rule_node", "description": "Stateful Service Fastpath Root Rule Node Pool", "usage": 0.0 }, { "name": "pf_tb_root_rule_node", "description": "Stateful Service TB Root Rule Node Pool", "usage": 0.0 }, { "name": "pf_url_node", "description": "URL or SNI request string", "usage": 0.0 }, { "name": "pf_dpi_conn_node", "description": "pf_dpi_conn ", "usage": 0.0 }, { "name": "pfa_intattr_pl3", "description": "Stateful Service Integer Attribute Pool", "usage": 0.0 }, { "name": "pfa_attrconn_pl3", "description": "Stateful Service Attribute Connection Pool", "usage": 0.0 }, { "name": "pf_snat_pl3", "description": "SNAT Port Hash Pool", "usage": 0.0 }, { "name": "pfa_ctx_pl3", "description": "Stateful Service Context Pool", "usage": 0.0 }, { "name": "pfa_key_ace_pl3", "description": "Stateful Service Integer Attribute Key Pool", "usage": 0.0 }, { "name": "pfa_value_ace_pl3", "description": "Stateful Service Integer Attribute Value Pool", "usage": 0.0 }, { "name": "pf_hsid_pl3", "description": "L7 Custom Url HSDB Pool", "usage": 0.0 }, { "name": "lb_pkt_pl3", "description": "Load Balancer Temp Packet Cache Pool", "usage": 0.0 } ] } }, "mem_cache": 2171376, "mem_total": 7907728, "mem_used": 5086612, "source": "cached", "swap_total": 0, "swap_used": 0, "system_time": 1685010084000, "uptime": 853736000, "cpu_sockets": 4 }, "maintenance_mode": "DISABLED" }, "last_aggsvc_heartbeat": 1685010074310, "last_status_changed_time": 1684158586190 } Required Permissions: read Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Transport Nodes: Transport Node Status

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/status

Get high-level summary of all edge transport nodes. The service layer does not support source = realtime or cached.

This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/edge-transport-nodes/status

Request Headers:

n/a

Query Parameters:

TransportNodeStatusParametersWithDataSource+

TransportNodeStatusParametersWithDataSource (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
include_dfw_heap_stats	Include DFW Heap stats information If true, DFW heap stats information will be returned in API	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
source	The data source, either realtime or cached. If not provided, cached data is returned.	DataSourceType
status	Transport node Rolled-up status of pNIC, management connection, control connection, tunnel status and agent status. UP means all of these are up; DOWN represents the state when pNIC or agent status is down. DEGRADED status here represents the state for a node when its pNIC bond status is DEGRADED, or, its Control connection status is either DEGRADED or DOWN. UNKNOWN is the case when both control connection, tunnel and agent status are unknown. If none of these conditions are true, the node status is considered DOWN.	string	Enum: UP, DOWN, DEGRADED, UNKNOWN

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TransportNodeStatusListResult+

Example Response: { "result_count": 2, "transport_nodes": [ { "node_uuid": "30bf2379-0b83-4951-9347-befcefc17efc", "status": "UNKNOWN", "mgmt_connection_status": "UP", "threat_status": { "status": "NORMAL" }, "agent_status": { "status": "UP", "up_count: 2 "down_count": 0, "agents": [ { "name": "NSX_AGENT", "stauts": "UP" }, { "name": "NSX_NESTDB", "stauts": "UP" } ] }, "node_status": { "last_heartbeat_timestamp": 1446675283540, "lcp_connectivity_status": "UP", "mpa_connectivity_status": "UP", "system_status": { "mem_used": 2551264, "system_time": 1446649452000, "file_systems": [ { "file_system": "root", "total": 32768, "used": 476, "type": "ramdisk", "mount": "/" }, { "file_system": "etc", "total": 28672, "used": 220, "type": "ramdisk", "mount": "/etc" }, { "file_system": "opt", "total": 32768, "used": 1040, "type": "ramdisk", "mount": "/opt" }, { "file_system": "var", "total": 49152, "used": 1196, "type": "ramdisk", "mount": "/var" }, { "file_system": "tmp", "total": 262144, "used": 24136, "type": "ramdisk", "mount": "/tmp" }, { "file_system": "hostdstats", "total": 302080, "used": 2072, "type": "ramdisk", "mount": "/var/lib/vmware/hostd/stats" } ], "load_average": [ 0.17000000178813934, 0.17000000178813934, 0.15000000596046448 ], "swap_total": 0, "mem_cache": 0, "cpu_cores": 16, "source": "cached", "mem_total": 25119208, "swap_used": 0, "uptime": 7213000 }, "last_sync_time": 1473837914408, "mpa_connectivity_status_details": "Client is responding to heartbeats", "software_version": "1.1.0.0.0.3195008", "host_node_deployment_status": "INSTALL_SUCCESSFUL", "lcp_connectivity_status_details": [ { "control_node_ip": "192.168.110.34", "failure_status": "UNKNOWN_FAILURE_STATUS", "status": "UP" } ], "inventory_sync_paused": false } }, { "tunnel_status": { "down_count": 0, "status": "DOWN", "up_count": 1, "bfd_diagnostic": { "reverse_concatenated_path_down_count": 0, "path_down_count": 0, "echo_function_failed_count": 0, "concatenated_path_down_count": 0, "forwarding_plane_reset_count": 0, "no_diagnostic_count": 0, "control_detection_time_expired_count": 0, "administratively_down_count": 0 }, "bfd_status": { "bfd_down_count": 0, "bfd_admin_down_count": 0, "bfd_init_count": 0, "bfd_up_count": 1 } }, "pnic_status": { "down_count": 0, "status": "UP", "up_count": 2 }, "threat_status": { "status": "NORMAL" }, "agent_status": { "status": "UP", "up_count: 2 "down_count": 0, "agents": [ { "name": "NSX_AGENT", "stauts": "UP" }, { "name": "NSX_NESTDB", "stauts": "UP" } ] }, "node_status": { "last_heartbeat_timestamp": 1446675283540, "lcp_connectivity_status": "UP", "mpa_connectivity_status": "UP", "system_status": { "mem_used": 2551264, "system_time": 1446649452000, "file_systems": [ { "file_system": "root", "total": 32768, "used": 476, "type": "ramdisk", "mount": "/" }, { "file_system": "etc", "total": 28672, "used": 220, "type": "ramdisk", "mount": "/etc" }, { "file_system": "opt", "total": 32768, "used": 1040, "type": "ramdisk", "mount": "/opt" }, { "file_system": "var", "total": 49152, "used": 1196, "type": "ramdisk", "mount": "/var" }, { "file_system": "tmp", "total": 262144, "used": 24136, "type": "ramdisk", "mount": "/tmp" }, { "file_system": "hostdstats", "total": 302080, "used": 2072, "type": "ramdisk", "mount": "/var/lib/vmware/hostd/stats" } ], "load_average": [ 0.17000000178813934, 0.17000000178813934, 0.15000000596046448 ], "swap_total": 0, "mem_cache": 0, "cpu_cores": 16, "source": "cached", "mem_total": 25119208, "swap_used": 0, "uptime": 7213000 }, "last_sync_time": 1473837914408, "mpa_connectivity_status_details": "Client is responding to heartbeats", "software_version": "1.1.0.0.0.3195008", "host_node_deployment_status": "INSTALL_SUCCESSFUL", "lcp_connectivity_status_details": [ { "control_node_ip": "192.168.110.34", "failure_status": "UNKNOWN_FAILURE_STATUS", "status": "UP" } ], "inventory_sync_paused": false }, "node_uuid": "f8a7392e-d2e4-4422-b4cd-83b144da515b", "status": "UNKNOWN", "mgmt_connection_status": "UP" } ] } Required Permissions: read Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Edge Transport Nodes: Troubleshoots

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcement-point-id}/edge-transport-nodes/troubleshoot/datapath (Experimental)
PATCH /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcement-point-id}/edge-transport-nodes/troubleshoot/datapath (Experimental)

Enable or Disable the datapath troubleshoot config on edge transport nodes (Experimental)

This API is used to enable/disable the control packet drop log config in all edge transport nodes
at the enforcement Point level.
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcement-point-id}/edge-transport-nodes/troubleshoot/datapath

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyEdgeTransportNodeDatapathTroubleshooting+

PolicyEdgeTransportNodeDatapathTroubleshooting (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
control_pkt_drop_log	Control packet drop logging flag This field will enable/disable the control packet logging features in edge transport nodes.	boolean	Required Default: "True"
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeTransportNodeDatapathTroubleshooting	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/troubleshoot/datapath { "control_pkt_drop_log" : true } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get datapath troubleshoot config of edge transport nodes (Experimental)

This API is used to fetch the control packet drop log config
at enforcement Point level.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcement-point-id}/edge-transport-nodes/troubleshoot/datapath

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/edge-transport-nodes/troubleshoot/datapath Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyEdgeTransportNodeDatapathTroubleshooting+

PolicyEdgeTransportNodeDatapathTroubleshooting (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
control_pkt_drop_log	Control packet drop logging flag This field will enable/disable the control packet logging features in edge transport nodes.	boolean	Required Default: "True"
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyEdgeTransportNodeDatapathTroubleshooting	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "control_pkt_drop_log": true, "resource_type": "PolicyEdgeTransportNodeDatapathTroubleshooting", "id": "datapath-troubleshoot-config", "display_name": "datapath-troubleshoot-config", "path": "/infra/sites/default/enforcement-points/default/edge-transport-nodes/troubleshoot/datapath", "relative_path": "troubleshoot", "parent_path": "/infra/sites/default/enforcement-points/default", "remote_path": "", "unique_id": "7af94b3c-4591-44a8-bd11-9ea5ef43efac", "realization_id": "7af94b3c-4591-44a8-bd11-9ea5ef43efac", "owner_id": "acd4db2b-e3a0-46b7-a74b-84cd792d935c", "marked_for_delete": false, "overridden": false, "_create_time": 1708003753042, "_create_user": "admin", "_last_modified_time": 1708047984607, "_last_modified_user": "admin", "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 1 } Required Permissions: read Feature: nodes_transport_nodes Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Enforcement Points: Failure Domains

Associated URIs:

GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/failure-domains
DELETE /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/failure-domains/{failure-domain-id}
GET /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/failure-domains/{failure-domain-id}
PATCH /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/failure-domains/{failure-domain-id}
PUT /policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/failure-domains/{failure-domain-id}

List Policy Failure Domains

Creates a new Policy failure domain.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/failure-domains

Request Headers:

n/a

Query Parameters:

PolicyFailureDomainListRequestParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/failure-domains Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyFailureDomainListResult+

Example Response: [ { "display_name": "FD1", "description": "failure domain of rack1", "id": "my-failure-domain-id", "preferred_active_edge_services": "false", "resource_type": "PolicyFailureDomain", "relative_path": "my-failure-domain-id", "path": "/infra/sites/default/enforcement-points/default/failure-domains/my-failure-domain-id", "parent_path": "/infra/sites/default/enforcement-points/default", "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ] Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a Policy FailureDomain

Patch a Policy FailureDomain.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/failure-domains/{failure-domain-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyFailureDomain+

PolicyFailureDomain (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
preferred_active_edge_services	Set preference for failure domain This attribute is honoured only if failover mode is preemptive. If true then for pre-emptive failover mode auto placement algorithm sets higher preference for edge transport node in this failure domain. Default will be unset. It means no explicit preference.	boolean
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyFailureDomain	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<nsx-mgr>/infra/sites/default/enforcement-points/default/failure-domains/my-failure-domain-id { "display_name": "FD1", "description": "failure domain of rack1", "id": "my-failure-domain-id", "preferred_active_edge_services": "true", "resource_type": "PolicyFailureDomain" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Update a Failure Domain

Create or Update a failure domain. Modifiable parameters are
display_name, preferred_active_edge_services flag.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/failure-domains/{failure-domain-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyFailureDomain+

PolicyFailureDomain (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
preferred_active_edge_services	Set preference for failure domain This attribute is honoured only if failover mode is preemptive. If true then for pre-emptive failover mode auto placement algorithm sets higher preference for edge transport node in this failure domain. Default will be unset. It means no explicit preference.	boolean
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyFailureDomain	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<nsx-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/failure-domains/my-failure-domain-id { "display_name": "FD1", "description": "failure domain of rack1", "id": "my-failure-domain-id", "preferred_active_edge_services": "false", "resource_type": "PolicyFailureDomain", "relative_path": "my-failure-domain-id", "path": "/infra/sites/default/enforcement-points/default/failure-domains/my-failure-domain-id", "parent_path": "/infra/sites/default/enforcement-points/default", "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyFailureDomain+

PolicyFailureDomain (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
preferred_active_edge_services	Set preference for failure domain This attribute is honoured only if failover mode is preemptive. If true then for pre-emptive failover mode auto placement algorithm sets higher preference for edge transport node in this failure domain. Default will be unset. It means no explicit preference.	boolean
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyFailureDomain	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "display_name": "FD1", "description": "failure domain of rack1", "id": "my-failure-domain-id", "preferred_active_edge_services": "false", "resource_type": "PolicyFailureDomain", "relative_path": "my-failure-domain-id", "path": "/infra/sites/default/enforcement-points/default/failure-domains/my-failure-domain-id", "parent_path": "/infra/sites/default/enforcement-points/default", "_create_user": "admin", "_create_time": 1517262573524, "_last_modified_user": "admin", "_last_modified_time": 1517262753660, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete a Failure Domain

Deletes an existing failure domain. You can not delete system generated
default failure domain.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/failure-domains/{failure-domain-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<nsx-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/failure-domains/my-failure-domain-id Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get a Failure Domain

Creates a new Policy failure domain.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/sites/{site-id}/enforcement-points/{enforcementpoint-id}/failure-domains/{failure-domain-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/policy/api/v1/infra/sites/default/enforcement-points/default/failure-domains/my-failure-domain-id Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyFailureDomain+

PolicyFailureDomain (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
preferred_active_edge_services	Set preference for failure domain This attribute is honoured only if failover mode is preemptive. If true then for pre-emptive failover mode auto placement algorithm sets higher preference for edge transport node in this failure domain. Default will be unset. It means no explicit preference.	boolean
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyFailureDomain	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Hierarchical API

Associated URIs:

GET /policy/api/v1/infra
GET /policy/api/v1/global-infra
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra
PATCH /policy/api/v1/infra
PATCH /policy/api/v1/global-infra
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra
PUT /policy/api/v1/infra

Update the infra object

Updates only the single infra object. This does not allow hierarchical
updates of entities.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

Infra+

Infra (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildBfdProfile ChildCaBundle ChildConstraint ChildConstraintGlobalConfig ChildDeploymentZone ChildDhcpRelayConfig ChildDhcpServerConfig ChildDistributedVlanConnection ChildDnsSecurityProfile ChildDomain ChildEnforcementPoint ChildEvpnTenantConfig ChildFloodProtectionProfile ChildFullSyncState ChildGatewayConnection ChildGatewayQosProfile ChildGlobalConfig ChildGlobalManager ChildGlobalManagerConfig ChildIPDiscoveryProfile ChildIPFIXDFWCollectorProfile ChildIPFIXDFWProfile ChildIPFIXL2CollectorProfile ChildIPFIXL2Profile ChildIPReputationSiteMapping ChildIPSecVpnDpdProfile ChildIPSecVpnIkeProfile ChildIPSecVpnTunnelProfile ChildIdentityFirewallStore ChildIpAddressBlock ChildIpAddressPool ChildIpv6DadProfile ChildIpv6NdraProfile ChildL7AccessProfile ChildLBAppProfile ChildLBClientSslProfile ChildLBMonitorProfile ChildLBPersistenceProfile ChildLBPool ChildLBServerSslProfile ChildLBService ChildLBVirtualServer ChildLimit ChildLiveTraceConfig ChildMacDiscoveryProfile ChildMetadataProxyConfig ChildOpsGlobalConfig ChildPolicyBaseHostSwitchProfile ChildPolicyContextProfile ChildPolicyDnsForwarderZone ChildPolicyDraft ChildPolicyFirewallIpReputationConfig ChildPolicyFirewallScheduler ChildPolicyFirewallSessionTimerProfile ChildPolicyHostTransportNodeProfile ChildPolicyIgmpProfile ChildPolicyLabel ChildPolicyLatencyStatProfile ChildPolicyManualHealthCheck ChildPolicyPimProfile ChildPolicyServiceChain ChildPolicyTransportZoneProfile ChildPortMirroringProfile ChildQoSProfile ChildRealTimeEthProfile ChildSegment ChildSegmentSecurityProfile ChildService ChildServiceReference ChildShare ChildSite ChildSpan ChildSpoofGuardProfile ChildStaticMimeContent ChildTier0 ChildTier1 ChildTlsCertificate ChildTlsCrl ChildTlsCsr ChildTlsPolicy ChildTlsProfile ChildTraceflowConfig ChildVMTagReplicationPolicy ChildVniPoolConfig
connectivity_strategy	Connectivity strategy used by this tenant The connectivity strategy is deprecated. Use default layer3 rule, /infra/domains/default/security-policies/default-layer3-security-policy/rules/default-layer3-rule. This field indicates the default connectivity policy for the infra or tenant space WHITELIST - Adds a default drop rule. Administrator can then use "allow" rules (aka whitelist) to allow traffic between groups BLACKLIST - Adds a default allow rule. Admin can then use "drop" rules (aka blacklist) to block traffic between groups WHITELIST_ENABLE_LOGGING - Whitelisting with logging enabled BLACKLIST_ENABLE_LOGGING - Blacklisting with logging enabled NONE - No default rules are added.	string	Deprecated Enum: WHITELIST, BLACKLIST, WHITELIST_ENABLE_LOGGING, BLACKLIST_ENABLE_LOGGING, NONE
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
domains	Domains for infra This field is used while creating or updating the infra space.	array of Domain
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Infra	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra { "display_name": "infra", "path": "/infra", "relative_path": "infra", "connectivity_strategy": "NONE", "_revision": 0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Infra+

Infra (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildBfdProfile ChildCaBundle ChildConstraint ChildConstraintGlobalConfig ChildDeploymentZone ChildDhcpRelayConfig ChildDhcpServerConfig ChildDistributedVlanConnection ChildDnsSecurityProfile ChildDomain ChildEnforcementPoint ChildEvpnTenantConfig ChildFloodProtectionProfile ChildFullSyncState ChildGatewayConnection ChildGatewayQosProfile ChildGlobalConfig ChildGlobalManager ChildGlobalManagerConfig ChildIPDiscoveryProfile ChildIPFIXDFWCollectorProfile ChildIPFIXDFWProfile ChildIPFIXL2CollectorProfile ChildIPFIXL2Profile ChildIPReputationSiteMapping ChildIPSecVpnDpdProfile ChildIPSecVpnIkeProfile ChildIPSecVpnTunnelProfile ChildIdentityFirewallStore ChildIpAddressBlock ChildIpAddressPool ChildIpv6DadProfile ChildIpv6NdraProfile ChildL7AccessProfile ChildLBAppProfile ChildLBClientSslProfile ChildLBMonitorProfile ChildLBPersistenceProfile ChildLBPool ChildLBServerSslProfile ChildLBService ChildLBVirtualServer ChildLimit ChildLiveTraceConfig ChildMacDiscoveryProfile ChildMetadataProxyConfig ChildOpsGlobalConfig ChildPolicyBaseHostSwitchProfile ChildPolicyContextProfile ChildPolicyDnsForwarderZone ChildPolicyDraft ChildPolicyFirewallIpReputationConfig ChildPolicyFirewallScheduler ChildPolicyFirewallSessionTimerProfile ChildPolicyHostTransportNodeProfile ChildPolicyIgmpProfile ChildPolicyLabel ChildPolicyLatencyStatProfile ChildPolicyManualHealthCheck ChildPolicyPimProfile ChildPolicyServiceChain ChildPolicyTransportZoneProfile ChildPortMirroringProfile ChildQoSProfile ChildRealTimeEthProfile ChildSegment ChildSegmentSecurityProfile ChildService ChildServiceReference ChildShare ChildSite ChildSpan ChildSpoofGuardProfile ChildStaticMimeContent ChildTier0 ChildTier1 ChildTlsCertificate ChildTlsCrl ChildTlsCsr ChildTlsPolicy ChildTlsProfile ChildTraceflowConfig ChildVMTagReplicationPolicy ChildVniPoolConfig
connectivity_strategy	Connectivity strategy used by this tenant The connectivity strategy is deprecated. Use default layer3 rule, /infra/domains/default/security-policies/default-layer3-security-policy/rules/default-layer3-rule. This field indicates the default connectivity policy for the infra or tenant space WHITELIST - Adds a default drop rule. Administrator can then use "allow" rules (aka whitelist) to allow traffic between groups BLACKLIST - Adds a default allow rule. Admin can then use "drop" rules (aka blacklist) to block traffic between groups WHITELIST_ENABLE_LOGGING - Whitelisting with logging enabled BLACKLIST_ENABLE_LOGGING - Blacklisting with logging enabled NONE - No default rules are added.	string	Deprecated Enum: WHITELIST, BLACKLIST, WHITELIST_ENABLE_LOGGING, BLACKLIST_ENABLE_LOGGING, NONE
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
domains	Domains for infra This field is used while creating or updating the infra space.	array of Domain
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Infra	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "Infra", "id": "infra", "display_name": "infra", "path": "/infra", "relative_path": "infra", "connectivity_strategy": "NONE", "_create_user": "system", "_create_time": 1517296394552, "_last_modified_user": "system", "_last_modified_time": 1517296394552, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Update the infra including all the nested entities

Patch API at infra level can be used in two flavours
1. Like a regular API to update Infra object
2. Hierarchical API: To create/update/delete entire or part of intent
hierarchy
Hierarchical API: Provides users a way to create entire or part of
intent in single API invocation. Input is expressed in a tree format.
Each node in tree can have multiple children of different types.
System will resolve the dependencies of nodes within the intent tree
and will create the model. Children for any node can be specified using
ChildResourceReference or ChildPolicyConfigResource.
If a resource is specified using ChildResourceReference then it will
not be updated only its children will be updated. If Object is specified
using ChildPolicyConfigResource, object along with its children will be
updated.
Hierarchical API can also be used to delete any sub-branch of entire tree.
Hierarchical API supports up to 5000 intent creation on LM and 1000 on GM.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra

/policy/api/v1/global-infra

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra

Request Headers:

n/a

Query Parameters:

ForceRevisionCheckRequestParameter+

Request Body:

Infra+

Infra (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildBfdProfile ChildCaBundle ChildConstraint ChildConstraintGlobalConfig ChildDeploymentZone ChildDhcpRelayConfig ChildDhcpServerConfig ChildDistributedVlanConnection ChildDnsSecurityProfile ChildDomain ChildEnforcementPoint ChildEvpnTenantConfig ChildFloodProtectionProfile ChildFullSyncState ChildGatewayConnection ChildGatewayQosProfile ChildGlobalConfig ChildGlobalManager ChildGlobalManagerConfig ChildIPDiscoveryProfile ChildIPFIXDFWCollectorProfile ChildIPFIXDFWProfile ChildIPFIXL2CollectorProfile ChildIPFIXL2Profile ChildIPReputationSiteMapping ChildIPSecVpnDpdProfile ChildIPSecVpnIkeProfile ChildIPSecVpnTunnelProfile ChildIdentityFirewallStore ChildIpAddressBlock ChildIpAddressPool ChildIpv6DadProfile ChildIpv6NdraProfile ChildL7AccessProfile ChildLBAppProfile ChildLBClientSslProfile ChildLBMonitorProfile ChildLBPersistenceProfile ChildLBPool ChildLBServerSslProfile ChildLBService ChildLBVirtualServer ChildLimit ChildLiveTraceConfig ChildMacDiscoveryProfile ChildMetadataProxyConfig ChildOpsGlobalConfig ChildPolicyBaseHostSwitchProfile ChildPolicyContextProfile ChildPolicyDnsForwarderZone ChildPolicyDraft ChildPolicyFirewallIpReputationConfig ChildPolicyFirewallScheduler ChildPolicyFirewallSessionTimerProfile ChildPolicyHostTransportNodeProfile ChildPolicyIgmpProfile ChildPolicyLabel ChildPolicyLatencyStatProfile ChildPolicyManualHealthCheck ChildPolicyPimProfile ChildPolicyServiceChain ChildPolicyTransportZoneProfile ChildPortMirroringProfile ChildQoSProfile ChildRealTimeEthProfile ChildSegment ChildSegmentSecurityProfile ChildService ChildServiceReference ChildShare ChildSite ChildSpan ChildSpoofGuardProfile ChildStaticMimeContent ChildTier0 ChildTier1 ChildTlsCertificate ChildTlsCrl ChildTlsCsr ChildTlsPolicy ChildTlsProfile ChildTraceflowConfig ChildVMTagReplicationPolicy ChildVniPoolConfig
connectivity_strategy	Connectivity strategy used by this tenant The connectivity strategy is deprecated. Use default layer3 rule, /infra/domains/default/security-policies/default-layer3-security-policy/rules/default-layer3-rule. This field indicates the default connectivity policy for the infra or tenant space WHITELIST - Adds a default drop rule. Administrator can then use "allow" rules (aka whitelist) to allow traffic between groups BLACKLIST - Adds a default allow rule. Admin can then use "drop" rules (aka blacklist) to block traffic between groups WHITELIST_ENABLE_LOGGING - Whitelisting with logging enabled BLACKLIST_ENABLE_LOGGING - Blacklisting with logging enabled NONE - No default rules are added.	string	Deprecated Enum: WHITELIST, BLACKLIST, WHITELIST_ENABLE_LOGGING, BLACKLIST_ENABLE_LOGGING, NONE
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
domains	Domains for infra This field is used while creating or updating the infra space.	array of Domain
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Infra	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: Example 1: ---------- PATCH https://<policy-mgr>/policy/api/v1/infra { "display_name": "infra", "path": "/infra", "relative_path": "infra", "connectivity_strategy": "NONE" } Example 2: ---------- # Below sample creates domain, groups, services and and security-policies in one call PATCH https://<policy-mgr>/policy/api/v1/infra { "resource_type":"Infra", "children": [ { "resource_type":"ChildDomain", "Domain": { "id":"domain-test", "resource_type":"Domain", "description":"domain-test", "display_name":"domain-test", "children":[ { "resource_type":"ChildGroup", "Group":{ "resource_type":"Group", "description":"g1", "display_name":"g1", "id":"g1", "expression":[ { "member_type":"VirtualMachine", "value":"webvm", "key":"Tag", "operator":"EQUALS", "resource_type":"Condition" } ] } }, { "resource_type":"ChildGroup", "Group":{ "resource_type":"Group", "description":"g2", "display_name":"g2", "id":"g2", "expression":[ { "member_type":"VirtualMachine", "value":"dbvm", "key":"Tag", "operator":"EQUALS", "resource_type":"Condition" } ] } }, { "resource_type":"ChildSecurityPolicy", "SecurityPolicy":{ "id":"sp1", "resource_type":"SecurityPolicy", "description":"SecurityPolicy", "display_name":"SecurityPolicy", "rules":[ { "resource_type":"Rule", "description":"Rule", "display_name":"r1", "sequence_number":1, "source_groups":[ "/infra/domains/domain-test/groups/g2" ], "destination_groups":[ "/infra/domains/domain-test/groups/g1" ], "services": [ "/infra/services/HTTP", "/infra/services/AD_Server", "/infra/services/CIM-HTTP" ], "action": "ALLOW" } ] } } ] } }, { "resource_type":"ChildService", "Service": { "id":"s1", "resource_type":"Service", "description":"L4Service", "display_name":"L4Service", "service_entries": [ { "resource_type":"L4PortSetServiceEntry", "display_name":"L4ServiceEntry", "destination_ports": [ "464" ], "l4_protocol":"TCP" } ] } } ] } Example 3: ---------- #Hierarchical delete example #Below example deletes domain-test including all its #children(groups, security policies, services) PATCH https://<policy-mgr>/policy/api/v1/infra { "resource_type":"Infra", "children":[ { "resource_type":"ChildDomain", "marked_for_delete": true, "Domain":{ "id":"domain-test", "resource_type":"Domain" } } ] } Example 4: ---------- #Example using ChildResourceReference in hierarchical API #Below example updates group g1 in 'domain-test' without updating domain and without #requiring to populate domain object completely in request payload. PATCH https://<policy-mgr>/policy/api/v1/infra { "resource_type":"Infra", "children":[ { "resource_type":"ChildResourceReference", "id":"domain-test", "target_type":"Domain", "children":[ { "resource_type":"ChildGroup", "Group":{ "resource_type":"Group", "description":"web group update", "display_name":"webgroup", "id":"g1", "expression":[ { "member_type":"VirtualMachine", "value":"web", "key":"Tag", "operator":"EQUALS", "resource_type":"Condition" } ] } } ] } ] } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: crud Feature: no_rbac Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read infra

Read infra. Returns only the infra related properties. Inner object
are not populated.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra

/policy/api/v1/global-infra

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra

Request Headers:

n/a

Query Parameters:

ChildTypesRequestParameter+

ChildTypesRequestParameter (schema)

Name	Description	Type	Notes
base_path	Base Path for retrieving hierarchical intent Base path of the resource for which user wants to retrieve the hierarchy. This should be the fully qualified path for the resource. - Sample examples - base_path=/infra/domains/default/groups/Group1 base_path=/infra/domains/default/security-policies/SecurityPolicy1/rules/Rule1	string
filter	Filter string as java regex Filter string, can contain multiple or single java regular expressions separated by ';'. By default populates immediate child resources of the resource indicated by the URL. These child resources will be filtered by the type provided in the filter. It is recommended to use type_filter parameter instead of filter parameter. - Sample query string to prevent loading services and deployment zones: filter=Type-^(?!.?(?:Service\|DeploymentZone)).$ - Sample query string to populate all the Group objects under Infra & Domain: filter=Type-Domain%7CGroup - Sample query string to load every policy object under Infra: filter=Type-.*	string
type_filter	Filter string to retrieve hierarchy. Advanced filter string in which user can directly specify the resourceTypes to be filtered. Can be used in conjunction with base_path. - Sample example of type_filter to load all groups - type_filter=Group - Sample example of multiple type_filter - type_filter=Group;SercurityPolicy;RedirectionPolicy - Sample example to load all groups in default domain using base_path in conjunction with type_filter - base_path=/infra/domains/default&type_filter=Group	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Infra+

Infra (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildBfdProfile ChildCaBundle ChildConstraint ChildConstraintGlobalConfig ChildDeploymentZone ChildDhcpRelayConfig ChildDhcpServerConfig ChildDistributedVlanConnection ChildDnsSecurityProfile ChildDomain ChildEnforcementPoint ChildEvpnTenantConfig ChildFloodProtectionProfile ChildFullSyncState ChildGatewayConnection ChildGatewayQosProfile ChildGlobalConfig ChildGlobalManager ChildGlobalManagerConfig ChildIPDiscoveryProfile ChildIPFIXDFWCollectorProfile ChildIPFIXDFWProfile ChildIPFIXL2CollectorProfile ChildIPFIXL2Profile ChildIPReputationSiteMapping ChildIPSecVpnDpdProfile ChildIPSecVpnIkeProfile ChildIPSecVpnTunnelProfile ChildIdentityFirewallStore ChildIpAddressBlock ChildIpAddressPool ChildIpv6DadProfile ChildIpv6NdraProfile ChildL7AccessProfile ChildLBAppProfile ChildLBClientSslProfile ChildLBMonitorProfile ChildLBPersistenceProfile ChildLBPool ChildLBServerSslProfile ChildLBService ChildLBVirtualServer ChildLimit ChildLiveTraceConfig ChildMacDiscoveryProfile ChildMetadataProxyConfig ChildOpsGlobalConfig ChildPolicyBaseHostSwitchProfile ChildPolicyContextProfile ChildPolicyDnsForwarderZone ChildPolicyDraft ChildPolicyFirewallIpReputationConfig ChildPolicyFirewallScheduler ChildPolicyFirewallSessionTimerProfile ChildPolicyHostTransportNodeProfile ChildPolicyIgmpProfile ChildPolicyLabel ChildPolicyLatencyStatProfile ChildPolicyManualHealthCheck ChildPolicyPimProfile ChildPolicyServiceChain ChildPolicyTransportZoneProfile ChildPortMirroringProfile ChildQoSProfile ChildRealTimeEthProfile ChildSegment ChildSegmentSecurityProfile ChildService ChildServiceReference ChildShare ChildSite ChildSpan ChildSpoofGuardProfile ChildStaticMimeContent ChildTier0 ChildTier1 ChildTlsCertificate ChildTlsCrl ChildTlsCsr ChildTlsPolicy ChildTlsProfile ChildTraceflowConfig ChildVMTagReplicationPolicy ChildVniPoolConfig
connectivity_strategy	Connectivity strategy used by this tenant The connectivity strategy is deprecated. Use default layer3 rule, /infra/domains/default/security-policies/default-layer3-security-policy/rules/default-layer3-rule. This field indicates the default connectivity policy for the infra or tenant space WHITELIST - Adds a default drop rule. Administrator can then use "allow" rules (aka whitelist) to allow traffic between groups BLACKLIST - Adds a default allow rule. Admin can then use "drop" rules (aka blacklist) to block traffic between groups WHITELIST_ENABLE_LOGGING - Whitelisting with logging enabled BLACKLIST_ENABLE_LOGGING - Blacklisting with logging enabled NONE - No default rules are added.	string	Deprecated Enum: WHITELIST, BLACKLIST, WHITELIST_ENABLE_LOGGING, BLACKLIST_ENABLE_LOGGING, NONE
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
domains	Domains for infra This field is used while creating or updating the infra space.	array of Domain
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Infra	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Labels

Associated URIs:

GET /policy/api/v1/infra/labels
GET /policy/api/v1/global-infra/labels
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/labels
DELETE /policy/api/v1/infra/labels/{label-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/labels/{label-id}
GET /policy/api/v1/infra/labels/{label-id}
GET /policy/api/v1/global-infra/labels/{label-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/labels/{label-id}
PATCH /policy/api/v1/infra/labels/{label-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/labels/{label-id}
PUT /policy/api/v1/infra/labels/{label-id}
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/labels/{label-id}

List labels for infra

Paginated list of all labels for infra.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/labels

/policy/api/v1/global-infra/labels

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/labels

Request Headers:

n/a

Query Parameters:

PolicyLabelListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/labels Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyLabelListResult+

Example Response: { "results": [ { "type": "Domain", "refs": [ "/infra/domains/mydomain3", "/infra/domains/mydomain2", "/infra/domains/mydomain1" ], "resource_type": "PolicyLabel", "id": "my-domains-label", "display_name": "my-domains-label", "path": "/infra/labels/my-domains-label", "relative_path": "my-domains-label", "parent_path": "/infra/labels/my-domains-label", "marked_for_delete": false, "_create_user": "admin", "_create_time": 1544641564432, "_last_modified_user": "admin", "_last_modified_time": 1544641564432, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ], "result_count": 1, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_label Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or replace label

Create label if not exists, otherwise replaces the existing label.
If label already exists then type attribute cannot be changed.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/labels/{label-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/labels/{label-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyLabel+

PolicyLabel (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
refs	Policy entity paths referred by the label instance Policy entity paths referred by the label instance	array of string
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyLabel	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
type	Policy intent entity type from PolicyResourceType Policy intent entity type from PolicyResourceType	string	Required
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/labels/my-domains-label { "type" : "Domain", "refs" : ["/infra/domains/mydomain1", "/infra/domains/mydomain2", "/infra/domains/mydomain3"] } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyLabel+

PolicyLabel (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
refs	Policy entity paths referred by the label instance Policy entity paths referred by the label instance	array of string
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyLabel	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
type	Policy intent entity type from PolicyResourceType Policy intent entity type from PolicyResourceType	string	Required
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "type": "Domain", "refs": [ "/infra/domains/mydomain3", "/infra/domains/mydomain2", "/infra/domains/mydomain1" ], "resource_type": "PolicyLabel", "id": "my-domains-label", "display_name": "my-domains-label", "path": "/infra/labels/my-domains-label", "relative_path": "my-domains-label", "parent_path": "/infra/labels/my-domains-label", "marked_for_delete": false, "_create_user": "admin", "_create_time": 1544641564432, "_last_modified_user": "admin", "_last_modified_time": 1544641564432, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: policy_label Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch an existing label object

Create label if not exists, otherwise take the partial updates.
Note, once the label is created type attribute can not be changed.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/labels/{label-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/labels/{label-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyLabel+

PolicyLabel (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
refs	Policy entity paths referred by the label instance Policy entity paths referred by the label instance	array of string
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyLabel	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
type	Policy intent entity type from PolicyResourceType Policy intent entity type from PolicyResourceType	string	Required
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/labels/my-domains-label { "type" : "Domain", "refs" : ["/infra/domains/mydomain1", "/infra/domains/mydomain2"] } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_label Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read lable

Read a label.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/labels/{label-id}

/policy/api/v1/global-infra/labels/{label-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/labels/{label-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/labels/my-domains-label Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyLabel+

PolicyLabel (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
refs	Policy entity paths referred by the label instance Policy entity paths referred by the label instance	array of string
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyLabel	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
type	Policy intent entity type from PolicyResourceType Policy intent entity type from PolicyResourceType	string	Required
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete PolicyLabel object

Delete PolicyLabel object This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/labels/{label-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/labels/{label-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/labels/my-domains-label Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_label Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Monitoring

Associated URIs:

POST /policy/api/v1/infra/pktcap/session
DELETE /policy/api/v1/infra/pktcap/session/{session-id}
GET /policy/api/v1/infra/pktcap/session/{session-id}
POST /policy/api/v1/infra/pktcap/session/{session-id}
GET /policy/api/v1/infra/pktcap/session/{session-id}/CapturedFile
DELETE /policy/api/v1/infra/pktcap/sessions
GET /policy/api/v1/infra/pktcap/sessions

Create an new packet capture session

Create an new packet capture session on given node with specified options
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/pktcap/session

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PktCaptureRequest+

PktCaptureRequest (schema)

Name	Description	Type	Notes
capamount	Packet capture amount Define the packet capture amount size.	int
capcore	The CPU core id on Edge node The CPU core id on Edge node.	int
capduration	Packet capture duration time in seconds Define the packet capture duration time. After the capture duration time, the capture process will stop working.	int
capfilesize	Packet capture file size limit Define the packet capture file size limit.	int
capmode	Packet Capture streaming mode Define the capture streaming mode. The STREAM mode will send the data to given stream address and port. And the STANDALONE mode will save the capture file in local folder.	string	Enum: STANDALONE, STREAM
cappoint	Packet capture point Define the point to capture data.	string	Required Enum: VNIC, VMKNIC, VMNIC, VDRPORT, DVFILTER, SEGMENTPORT, FCPORT, VIF, PNIC
caprate	Packet capture rate Define the rate of packet capture process.	int
capsnaplen	Packet capture snapshot length Limit the number of bytes captured from each packet.	int
capsource	Packet capture source type This type is used to differ the incoming request from CLI/UI.	string	Required Enum: CLI, UI
capvalue	Packet capture point value Define the capture value of given capture point.	string
direction	Packet capture direction type Define the capture direction. Support three types INPUT/OUTPUT/DUAL.	string	Enum: INPUT, OUTPUT, DUAL
filtertype	Packet capture dvfilter stage type Define the capture filter type. Support PRE/POST mode.	string	Enum: PRE, POST
node	Packet capture node id Define the transport node to capture data.	string
node_ip	Packet capture node ip Define the transport node to capture data.	IPAddress
options	Packet capture options Define the packet capture additional options to filter the capture data.	PktCaptureOptionList
streamaddress	Packet capture Streaming address Set the stream address to receive the capture packet.	string
streamport	Packet capture Streaming port Set the stream port to receive the capture packet. The STREAM mode is based on GRE-in-UDP Encapsulation(RFC8086). Packets are sent to UDP port 4754.	int

Example Request: POST https://<nsx-mgr>/policy/api/v1/infra/pktcap/session { "node": "094f370c-d336-11e7-9776-3ba7f30fcb1f", "capsource": "CLI", "cappoint": "SEGMENTPORT", "capvalue": "502ca1f1-3958-7d8e-ffc1-48d99fa80192.001", "direction": "INPUT", "capmode": "STANDALONE", "options": { "values":[ {"name":"IPPROTO", "value":"0x01"} ] } } } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PktCaptureSession+

PktCaptureSession (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
endtime	End time in epoch millisecond Timestamp when session was stopped in epoch millisecond.	EpochMsTimestamp
errormsg	Error messasge in capture Error messasge in capture.	string
filelocation	Packet capture file location Packet capture file location.	string
filesize	Packet capture file Size in bytes Packet capture file Size in bytes.	int
id	Unique identifier of this resource	string	Sortable
request	Packet capture request Packet capture request information.	PktCaptureRequest	Required
resource_type	Must be set to the value PktCaptureSession	string
sessionid	Packet capture session id Packet capture session id.	string	Required
sessionname	Packet capture session name Packet capture session name.	string
sessionstatus	Packet capture session status Packet capture session status.	string	Required Enum: CREATED, STARTED, STOPPED, FINISHED, ERROR
starttime	Start time in epoch millisecond Timestamp when session was created in epoch millisecond.	EpochMsTimestamp
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "request": { "node": "094f370c-d336-11e7-9776-3ba7f30fcb1f", "cappoint": "SEGMENTPORT", "capvlue": "502ca1f1-3958-7d8e-ffc1-48d99fa80192.001", "direction": "INPUT", "capmode": "STANDALONE", "options": { "values":[ {"name":"IPPROTO", "value":"0x01"} ] } }, "sessionid": "a257b981-1a1c-4b95-b16c-8646e85ce8f0", "sessionstatus": "started", "starttime": 1457048893748 } Required Permissions: crud Feature: tools_packet_capture Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get the status of packet capture session

Get the packet capture status information by session id.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/pktcap/session/{session-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/policy/api/v1/infra/pktcap/session/a257b981-1a1c-4b95-b16c-8646e85ce8f0 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PktCaptureSession+

PktCaptureSession (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
endtime	End time in epoch millisecond Timestamp when session was stopped in epoch millisecond.	EpochMsTimestamp
errormsg	Error messasge in capture Error messasge in capture.	string
filelocation	Packet capture file location Packet capture file location.	string
filesize	Packet capture file Size in bytes Packet capture file Size in bytes.	int
id	Unique identifier of this resource	string	Sortable
request	Packet capture request Packet capture request information.	PktCaptureRequest	Required
resource_type	Must be set to the value PktCaptureSession	string
sessionid	Packet capture session id Packet capture session id.	string	Required
sessionname	Packet capture session name Packet capture session name.	string
sessionstatus	Packet capture session status Packet capture session status.	string	Required Enum: CREATED, STARTED, STOPPED, FINISHED, ERROR
starttime	Start time in epoch millisecond Timestamp when session was created in epoch millisecond.	EpochMsTimestamp
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "request": { "node": "094f370c-d336-11e7-9776-3ba7f30fcb1f", "cappoint": "SEGMENTPORT", "capvlue": "502ca1f1-3958-7d8e-ffc1-48d99fa80192.001", "direction": "INPUT", "capmode": "STANDALONE", "options": { "values":[ {"name":"IPPROTO", "value":"0x01"} ] } }, "sessionid": "a257b981-1a1c-4b95-b16c-8646e85ce8f0", "sessionstatus": "started", "starttime": 1457048893748 } Required Permissions: read Feature: tools_packet_capture Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Restart the packet capture session

Restart the packet capture session
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/pktcap/session/{session-id}

Request Headers:

n/a

Query Parameters:

SessionActionRequestParameter+

Request Body:

n/a

Example Request: POST https://<nsx-mgr>/policy/api/v1/infra/pktcap/session/a257b981-1a1c-4b95-b16c-8646e85ce8f0?action=restart Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PktCaptureSession+

PktCaptureSession (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
endtime	End time in epoch millisecond Timestamp when session was stopped in epoch millisecond.	EpochMsTimestamp
errormsg	Error messasge in capture Error messasge in capture.	string
filelocation	Packet capture file location Packet capture file location.	string
filesize	Packet capture file Size in bytes Packet capture file Size in bytes.	int
id	Unique identifier of this resource	string	Sortable
request	Packet capture request Packet capture request information.	PktCaptureRequest	Required
resource_type	Must be set to the value PktCaptureSession	string
sessionid	Packet capture session id Packet capture session id.	string	Required
sessionname	Packet capture session name Packet capture session name.	string
sessionstatus	Packet capture session status Packet capture session status.	string	Required Enum: CREATED, STARTED, STOPPED, FINISHED, ERROR
starttime	Start time in epoch millisecond Timestamp when session was created in epoch millisecond.	EpochMsTimestamp
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "request": { "node": "094f370c-d336-11e7-9776-3ba7f30fcb1f", "capsource": "CLI", "cappoint": "SEGMENTPORT", "capvlue": "502ca1f1-3958-7d8e-ffc1-48d99fa80192.001", "direction": "INPUT", "capmode": "STANDALONE", "options": { "values":[ {"name":"IPPROTO", "value":"0x01"} ] } }, "sessionid": "a257b981-1a1c-4b95-b16c-8646e85ce8f0", "sessionstatus": "started", "starttime": 1457048893748 } Required Permissions: read Feature: tools_packet_capture Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete the packet capture session by session id.

Before calling this method, terminate any running capture session.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/pktcap/session/{session-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<nsx-mgr>/policy/api/v1/infra/pktcap/session/a257b981-1a1c-4b95-b16c-8646e85ce8f0?action=terminate Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PktCaptureSession+

PktCaptureSession (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
endtime	End time in epoch millisecond Timestamp when session was stopped in epoch millisecond.	EpochMsTimestamp
errormsg	Error messasge in capture Error messasge in capture.	string
filelocation	Packet capture file location Packet capture file location.	string
filesize	Packet capture file Size in bytes Packet capture file Size in bytes.	int
id	Unique identifier of this resource	string	Sortable
request	Packet capture request Packet capture request information.	PktCaptureRequest	Required
resource_type	Must be set to the value PktCaptureSession	string
sessionid	Packet capture session id Packet capture session id.	string	Required
sessionname	Packet capture session name Packet capture session name.	string
sessionstatus	Packet capture session status Packet capture session status.	string	Required Enum: CREATED, STARTED, STOPPED, FINISHED, ERROR
starttime	Start time in epoch millisecond Timestamp when session was created in epoch millisecond.	EpochMsTimestamp
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "result":"success", "msg": [ { "request": { "node": "094f370c-d336-11e7-9776-3ba7f30fcb1f", "cappoint": "SEGMENTPORT", "capvlue": "502ca1f1-3958-7d8e-ffc1-48d99fa80192.001", "direction": "input", "capmode": "standalone", "options": { "values":[ {"name":"IPPROTO", "value":"0x01"} ] } }, "sessionid": "a257b981-1a1c-4b95-b16c-8646e85ce8f0", "sessionstatus": "deleted", "starttime": 1457048893748, "endtime": 1457048893799, }, { "request": { "node": "4489670c-d336-11e7-9776-3ba7f30fcb1f", "cappoint": "SEGMENTPORT", "capvlue": "ei98a1f1-3958-988e-eev3-48d99fa80192.002", "direction": "output", "capmode": "standalone", "options": { "values":[ {"name":"IPPROTO", "value":"0x01"} ] } }, "sessionid": "bba7b981-1a1c-4b95-b16c-8646e33ce8f0", "sessionstatus": "started", "starttime": 1457048893987, } ] } Required Permissions: crud Feature: tools_packet_capture Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get packet capture file

You must provide the request header
"Accept:application/octet-stream" when calling this API.
The capture file can only be found in MP which receives the capture request.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/pktcap/session/{session-id}/CapturedFile

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/policy/api/v1/infra/pktcap/session/a257b981-1a1c-4b95-b16c-8646e85ce8f0/CapturedFile Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/octet-stream

Response Body:

n/a

Required Permissions: read Feature: tools_packet_capture Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete all the packet capture sessions

Delete all the packet capture sessions.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/pktcap/sessions

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<nsx-mgr>/policy/api/v1/infra/pktcap/sessions Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PktCaptureSessionList+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get the information of all packet capture sessions

Get the information of all packet capture sessions.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/pktcap/sessions

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/policy/api/v1/infra/pktcap/sessions Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PktCaptureSessionList+

Example Response: { "result_count":2, "results": [ { "request": { "node": "094f370c-d336-11e7-9776-3ba7f30fcb1f", "cappoint": "SEGMENTPORT", "capvlue": "502ca1f1-3958-7d8e-ffc1-48d99fa80192.001", "direction": "input", "capmode": "standalone", "options": { "values":[ {"name":"IPPROTO", "value":"0x01"} ] } }, "sessionid": "a257b981-1a1c-4b95-b16c-8646e85ce8f0", "sessionstatus": "deleted", "starttime": 1457048893748, "endtime": 1457048893799, }, { "request": { "hostid": "5568970c-d336-11e7-9776-3ba7f30fcb1f", "cappoint": "SEGMENTPORT", "capvlue": "ei98a1f1-3958-988e-eev3-48d99fa80192.002", "direction": "output", "capmode": "standalone", "options": { "values":[ {"name":"IPPROTO", "value":"0x01"} ] } }, "sessionid": "bba7b981-1a1c-4b95-b16c-8646e33ce8f0", "sessionstatus": "started", "starttime": 1457049714901, } ] } Required Permissions: read Feature: tools_packet_capture Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Infra: Realized State

Associated URIs:

GET /policy/api/v1/infra/realized-state/alarms
GET /policy/api/v1/infra/realized-state/enforcement-points (Experimental)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name} (Experimental)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/firewalls/firewall-sections (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/firewalls/firewall-sections/{firewall-section-id} (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/groups/nsgroups (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/groups/nsgroups/{nsgroup-name} (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/groups/securitygroups (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/groups/securitygroups/{securitygroup-name} (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/ip-sets/ip-sets-nsxt (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/ip-sets/ip-sets-nsxt/{ip-set-name} (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/mac-sets/mac-sets-nsxt (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/mac-sets/mac-sets-nsxt/{mac-set-name} (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/services/nsservices (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/services/nsservices/{nsservice-name} (Experimental) (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/vifs
GET /policy/api/v1/infra/realized-state/realized-entities
GET /policy/api/v1/global-infra/realized-state/realized-entities
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/realized-state/realized-entities
GET /policy/api/v1/infra/realized-state/realized-entity
POST /policy/api/v1/infra/realized-state/realized-entity?action=refresh
POST /policy/api/v1/global-infra/realized-state/realized-entity?action=refresh
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/realized-state/realized-entity?action=refresh
GET /policy/api/v1/infra/realized-state/status
GET /policy/api/v1/global-infra/realized-state/status
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/realized-state/status

List All alarms in the system

Paginated list of all alarms.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/alarms

Request Headers:

n/a

Query Parameters:

PolicyAlarmResourceListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/alarms Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyAlarmResourceListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type": "PolicyAlarmResource", "id": "PROVIDER_INVOCATION_FAILURE", "display_name": "e88f4514-fd2d-4e91-b4b7-e8c9f594ae49", "parent_path": "*/alarms/realized-state", "relative_path": "e88f4514-fd2d-4e91-b4b7-e8c9f594ae49", "message": "I/O error on POST request for \"http://127.0.0.1:7440/nsxapi/api/v1/firewall/sections\": Connect to 127.0.0.1:7440 [/127.0.0.1] failed: Connection refused (Connection refused); nested exception is org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:7440 [/127.0.0.1] failed: Connection refused (Connection refused)", "source_reference": "/infra/realized-state/enforcement-points/default/firewalls/firewall-sections/7f4ce9e1-e1d9-11e8-8ce3-f56aad4808c4.38989010-e1db-11e8-8ce3-f56aad4808c4", "_create_user": "system", "_create_time": 1541519266261, "_last_modified_user": "system", "_last_modified_time": 1541519266261, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List Enforcement Points (Experimental)

Paginated list of all enforcement points. Returns the populated enforcement points.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points

Request Headers:

n/a

Query Parameters:

RealizedEnforcementPointListRequestParameters+

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

RealizedEnforcementPointListResult+

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read Enforcement Point (Experimental)

Read a Enforcement Point and the complete tree underneath. Returns the populated enforcement point object.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

RealizedEnforcementPoint+

RealizedEnforcementPoint (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alarms	Alarm info detail	array of PolicyAlarmResource
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
intent_reference	Desire state paths of this object	array of string
operational_status	String representation of operational status Possible values could be UP, DOWN, UNKNOWN, FAILURE This list is not exhaustive.	string
operational_status_error	String representation of operational status error It defines the root cause for operational status error.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
publish_status	String representation of publish status Possible values could be UP, DOWN, UNKNOWN, SUCCESS This list is not exhaustive.	string
publish_status_error	String representation of publish status error It defines the root cause for publish status error.	string
publish_status_error_code	Represents error code for publish status. It defines error code for publish status error.	int
publish_status_error_details	Details for publich status error. Error details for publish status.	array of ConfigurationStateElement
publish_time	Publish time of the intent This is the time when our system detects that data has been pushed to the transport nodes. This is based on a poll mechanism and hence this is not the accurate time when the intent was published at the data path. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the publish_time will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for publish_time	EpochMsTimestamp	Readonly Sortable
realization_api	Realization API of this object on enforcement point	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
realization_specific_identifier	Realization id of this object	string
realized_firewalls	Root of Realized Firewalls	RealizedFirewalls	Readonly
realized_groups	Root of Realized Groups	RealizedGroups	Readonly
realized_services	Root of Realized Services	RealizedServices	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value RealizedEnforcementPoint	string
runtime_error	String representation of runtime error It define the root cause for runtime error.	string
runtime_status	String representation of runtime status Possible values could be UP, DOWN, UNKNOWN, DEGRADED This list is not exhaustive.	string	Deprecated
state	Realization state of this object	string	Required Enum: UNAVAILABLE, UNREALIZED, REALIZED, ERROR
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
time_taken_for_realization	Appoximate time taken in milliseconds for end to end realization. This is an approximate time taken for the realization of the intent to the data path. The actual time taken could be lesser than what is reported here. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the time taken for realization will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for time_taken_for_realization	integer
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List Firewall Sections (Experimental) (Deprecated)

Paginated list of all Firewalls. Returns populated Firewalls.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/firewalls/firewall-sections

Request Headers:

n/a

Query Parameters:

RealizedFirewallSectionListRequestParameters+

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

RealizedFirewallSectionListResult+

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read Firewall (Experimental) (Deprecated)

Read a Firewall and the complete tree underneath. Returns the
populated Firewall object.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/firewalls/firewall-sections/{firewall-section-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

RealizedFirewallSection+

RealizedFirewallSection (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alarms	Alarm info detail	array of PolicyAlarmResource
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
intent_reference	Desire state paths of this object	array of string
operational_status	String representation of operational status Possible values could be UP, DOWN, UNKNOWN, FAILURE This list is not exhaustive.	string
operational_status_error	String representation of operational status error It defines the root cause for operational status error.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
publish_status	String representation of publish status Possible values could be UP, DOWN, UNKNOWN, SUCCESS This list is not exhaustive.	string
publish_status_error	String representation of publish status error It defines the root cause for publish status error.	string
publish_status_error_code	Represents error code for publish status. It defines error code for publish status error.	int
publish_status_error_details	Details for publich status error. Error details for publish status.	array of ConfigurationStateElement
publish_time	Publish time of the intent This is the time when our system detects that data has been pushed to the transport nodes. This is based on a poll mechanism and hence this is not the accurate time when the intent was published at the data path. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the publish_time will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for publish_time	EpochMsTimestamp	Readonly Sortable
realization_api	Realization API of this object on enforcement point	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
realization_specific_identifier	Realization id of this object	string
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value RealizedFirewallSection	string	Required Enum: RealizedFirewallSection
rule_count	Rule count Number of rules in this section.	integer	Readonly
rules	List of the firewall rules List of firewall rules in the section.	array of RealizedFirewallRule	Readonly
runtime_error	String representation of runtime error It define the root cause for runtime error.	string
runtime_status	String representation of runtime status Possible values could be UP, DOWN, UNKNOWN, DEGRADED This list is not exhaustive.	string	Deprecated
section_type	Section Type Type of the rules which a section can contain.	string	Readonly Enum: LAYER2, LAYER3
state	Realization state of this object	string	Required Enum: UNAVAILABLE, UNREALIZED, REALIZED, ERROR
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
time_taken_for_realization	Appoximate time taken in milliseconds for end to end realization. This is an approximate time taken for the realization of the intent to the data path. The actual time taken could be lesser than what is reported here. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the time taken for realization will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for time_taken_for_realization	integer
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List NS Groups (Experimental) (Deprecated)

Paginated list of all NSGroups. Returns populated NSGroups.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/groups/nsgroups

Request Headers:

n/a

Query Parameters:

RealizedNSGroupListRequestParameters+

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GenericPolicyRealizedResourceListResult+

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read Group (Experimental) (Deprecated)

Read a NSGroup and the complete tree underneath. Returns the
populated NSgroup object.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/groups/nsgroups/{nsgroup-name}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GenericPolicyRealizedResource+

GenericPolicyRealizedResource (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alarms	Alarm info detail	array of PolicyAlarmResource
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforcement_point_path	Enforcement Point Path The path of the enforcement point.	string	Readonly
entity_type	Type of realized entity	string	Readonly
extended_attributes	Collection of type specific properties	array of AttributeVal	Readonly
id	Unique identifier of this resource	string	Sortable
intent_paths	Collection of intent paths	array of string	Readonly
intent_reference	Desire state paths of this object	array of string
operational_status	String representation of operational status Possible values could be UP, DOWN, UNKNOWN, FAILURE This list is not exhaustive.	string
operational_status_error	String representation of operational status error It defines the root cause for operational status error.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
publish_status	String representation of publish status Possible values could be UP, DOWN, UNKNOWN, SUCCESS This list is not exhaustive.	string
publish_status_error	String representation of publish status error It defines the root cause for publish status error.	string
publish_status_error_code	Represents error code for publish status. It defines error code for publish status error.	int
publish_status_error_details	Details for publich status error. Error details for publish status.	array of ConfigurationStateElement
publish_time	Publish time of the intent This is the time when our system detects that data has been pushed to the transport nodes. This is based on a poll mechanism and hence this is not the accurate time when the intent was published at the data path. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the publish_time will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for publish_time	EpochMsTimestamp	Readonly Sortable
realization_api	Realization API of this object on enforcement point	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
realization_specific_identifier	Realization id of this object	string
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value GenericPolicyRealizedResource	string
runtime_error	String representation of runtime error It define the root cause for runtime error.	string
runtime_status	String representation of runtime status Possible values could be UP, DOWN, UNKNOWN, DEGRADED This list is not exhaustive.	string	Deprecated
site_path	Site Path The site where this entity resides.	string	Readonly
state	Realization state of this object	string	Required Enum: UNAVAILABLE, UNREALIZED, REALIZED, ERROR
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
time_taken_for_realization	Appoximate time taken in milliseconds for end to end realization. This is an approximate time taken for the realization of the intent to the data path. The actual time taken could be lesser than what is reported here. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the time taken for realization will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for time_taken_for_realization	integer
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List Security Groups (Experimental) (Deprecated)

Paginated list of all Security Groups. Returns populated Security Groups.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/groups/securitygroups

Request Headers:

n/a

Query Parameters:

RealizedSecurityGroupListRequestParameters+

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

RealizedSecurityGroupListResult+

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read Group (Experimental) (Deprecated)

Read a Security Group and the complete tree underneath. Returns the
populated Security Group object.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/groups/securitygroups/{securitygroup-name}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

RealizedSecurityGroup+

RealizedSecurityGroup (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alarms	Alarm info detail	array of PolicyAlarmResource
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
evaluations	Evaluated members of Security Group Reference to the evaluted members of the Security Group.	array of RealizedSecurityGroupMemberEvaluation	Readonly Maximum items: 500
id	Unique identifier of this resource	string	Sortable
intent_reference	Desire state paths of this object	array of string
operational_status	String representation of operational status Possible values could be UP, DOWN, UNKNOWN, FAILURE This list is not exhaustive.	string
operational_status_error	String representation of operational status error It defines the root cause for operational status error.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
publish_status	String representation of publish status Possible values could be UP, DOWN, UNKNOWN, SUCCESS This list is not exhaustive.	string
publish_status_error	String representation of publish status error It defines the root cause for publish status error.	string
publish_status_error_code	Represents error code for publish status. It defines error code for publish status error.	int
publish_status_error_details	Details for publich status error. Error details for publish status.	array of ConfigurationStateElement
publish_time	Publish time of the intent This is the time when our system detects that data has been pushed to the transport nodes. This is based on a poll mechanism and hence this is not the accurate time when the intent was published at the data path. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the publish_time will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for publish_time	EpochMsTimestamp	Readonly Sortable
realization_api	Realization API of this object on enforcement point	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
realization_specific_identifier	Realization id of this object	string
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value RealizedSecurityGroup	string	Required Enum: RealizedNSGroup, RealizedSecurityGroup
runtime_error	String representation of runtime error It define the root cause for runtime error.	string
runtime_status	String representation of runtime status Possible values could be UP, DOWN, UNKNOWN, DEGRADED This list is not exhaustive.	string	Deprecated
state	Realization state of this object	string	Required Enum: UNAVAILABLE, UNREALIZED, REALIZED, ERROR
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
time_taken_for_realization	Appoximate time taken in milliseconds for end to end realization. This is an approximate time taken for the realization of the intent to the data path. The actual time taken could be lesser than what is reported here. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the time taken for realization will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for time_taken_for_realization	integer
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List IPSets (Experimental) (Deprecated)

Paginated list of all Realized IPSets
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/ip-sets/ip-sets-nsxt

Request Headers:

n/a

Query Parameters:

RealizedIPSetListRequestParameters+

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GenericPolicyRealizedResourceListResult+

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read IPSet Realized state (Experimental) (Deprecated)

Read an IPSet
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/ip-sets/ip-sets-nsxt/{ip-set-name}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GenericPolicyRealizedResource+

GenericPolicyRealizedResource (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alarms	Alarm info detail	array of PolicyAlarmResource
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforcement_point_path	Enforcement Point Path The path of the enforcement point.	string	Readonly
entity_type	Type of realized entity	string	Readonly
extended_attributes	Collection of type specific properties	array of AttributeVal	Readonly
id	Unique identifier of this resource	string	Sortable
intent_paths	Collection of intent paths	array of string	Readonly
intent_reference	Desire state paths of this object	array of string
operational_status	String representation of operational status Possible values could be UP, DOWN, UNKNOWN, FAILURE This list is not exhaustive.	string
operational_status_error	String representation of operational status error It defines the root cause for operational status error.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
publish_status	String representation of publish status Possible values could be UP, DOWN, UNKNOWN, SUCCESS This list is not exhaustive.	string
publish_status_error	String representation of publish status error It defines the root cause for publish status error.	string
publish_status_error_code	Represents error code for publish status. It defines error code for publish status error.	int
publish_status_error_details	Details for publich status error. Error details for publish status.	array of ConfigurationStateElement
publish_time	Publish time of the intent This is the time when our system detects that data has been pushed to the transport nodes. This is based on a poll mechanism and hence this is not the accurate time when the intent was published at the data path. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the publish_time will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for publish_time	EpochMsTimestamp	Readonly Sortable
realization_api	Realization API of this object on enforcement point	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
realization_specific_identifier	Realization id of this object	string
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value GenericPolicyRealizedResource	string
runtime_error	String representation of runtime error It define the root cause for runtime error.	string
runtime_status	String representation of runtime status Possible values could be UP, DOWN, UNKNOWN, DEGRADED This list is not exhaustive.	string	Deprecated
site_path	Site Path The site where this entity resides.	string	Readonly
state	Realization state of this object	string	Required Enum: UNAVAILABLE, UNREALIZED, REALIZED, ERROR
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
time_taken_for_realization	Appoximate time taken in milliseconds for end to end realization. This is an approximate time taken for the realization of the intent to the data path. The actual time taken could be lesser than what is reported here. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the time taken for realization will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for time_taken_for_realization	integer
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List MACSets (Experimental) (Deprecated)

Paginated list of all Realized MACSets
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/mac-sets/mac-sets-nsxt

Request Headers:

n/a

Query Parameters:

RealizedMACSetListRequestParameters+

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GenericPolicyRealizedResourceListResult+

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read MACSet Realized state (Experimental) (Deprecated)

Read an MACSet
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/mac-sets/mac-sets-nsxt/{mac-set-name}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GenericPolicyRealizedResource+

GenericPolicyRealizedResource (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alarms	Alarm info detail	array of PolicyAlarmResource
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforcement_point_path	Enforcement Point Path The path of the enforcement point.	string	Readonly
entity_type	Type of realized entity	string	Readonly
extended_attributes	Collection of type specific properties	array of AttributeVal	Readonly
id	Unique identifier of this resource	string	Sortable
intent_paths	Collection of intent paths	array of string	Readonly
intent_reference	Desire state paths of this object	array of string
operational_status	String representation of operational status Possible values could be UP, DOWN, UNKNOWN, FAILURE This list is not exhaustive.	string
operational_status_error	String representation of operational status error It defines the root cause for operational status error.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
publish_status	String representation of publish status Possible values could be UP, DOWN, UNKNOWN, SUCCESS This list is not exhaustive.	string
publish_status_error	String representation of publish status error It defines the root cause for publish status error.	string
publish_status_error_code	Represents error code for publish status. It defines error code for publish status error.	int
publish_status_error_details	Details for publich status error. Error details for publish status.	array of ConfigurationStateElement
publish_time	Publish time of the intent This is the time when our system detects that data has been pushed to the transport nodes. This is based on a poll mechanism and hence this is not the accurate time when the intent was published at the data path. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the publish_time will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for publish_time	EpochMsTimestamp	Readonly Sortable
realization_api	Realization API of this object on enforcement point	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
realization_specific_identifier	Realization id of this object	string
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value GenericPolicyRealizedResource	string
runtime_error	String representation of runtime error It define the root cause for runtime error.	string
runtime_status	String representation of runtime status Possible values could be UP, DOWN, UNKNOWN, DEGRADED This list is not exhaustive.	string	Deprecated
site_path	Site Path The site where this entity resides.	string	Readonly
state	Realization state of this object	string	Required Enum: UNAVAILABLE, UNREALIZED, REALIZED, ERROR
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
time_taken_for_realization	Appoximate time taken in milliseconds for end to end realization. This is an approximate time taken for the realization of the intent to the data path. The actual time taken could be lesser than what is reported here. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the time taken for realization will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for time_taken_for_realization	integer
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List Realized NSServices (Experimental) (Deprecated)

Paginated list of all Realized NSService.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/services/nsservices

Request Headers:

n/a

Query Parameters:

GenericPolicyRealizedResourceListRequestParameters+

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GenericPolicyRealizedResourceListResult+

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read NSService (Experimental) (Deprecated)

Read a NSService.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/services/nsservices/{nsservice-name}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GenericPolicyRealizedResource+

GenericPolicyRealizedResource (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alarms	Alarm info detail	array of PolicyAlarmResource
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforcement_point_path	Enforcement Point Path The path of the enforcement point.	string	Readonly
entity_type	Type of realized entity	string	Readonly
extended_attributes	Collection of type specific properties	array of AttributeVal	Readonly
id	Unique identifier of this resource	string	Sortable
intent_paths	Collection of intent paths	array of string	Readonly
intent_reference	Desire state paths of this object	array of string
operational_status	String representation of operational status Possible values could be UP, DOWN, UNKNOWN, FAILURE This list is not exhaustive.	string
operational_status_error	String representation of operational status error It defines the root cause for operational status error.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
publish_status	String representation of publish status Possible values could be UP, DOWN, UNKNOWN, SUCCESS This list is not exhaustive.	string
publish_status_error	String representation of publish status error It defines the root cause for publish status error.	string
publish_status_error_code	Represents error code for publish status. It defines error code for publish status error.	int
publish_status_error_details	Details for publich status error. Error details for publish status.	array of ConfigurationStateElement
publish_time	Publish time of the intent This is the time when our system detects that data has been pushed to the transport nodes. This is based on a poll mechanism and hence this is not the accurate time when the intent was published at the data path. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the publish_time will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for publish_time	EpochMsTimestamp	Readonly Sortable
realization_api	Realization API of this object on enforcement point	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
realization_specific_identifier	Realization id of this object	string
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value GenericPolicyRealizedResource	string
runtime_error	String representation of runtime error It define the root cause for runtime error.	string
runtime_status	String representation of runtime status Possible values could be UP, DOWN, UNKNOWN, DEGRADED This list is not exhaustive.	string	Deprecated
site_path	Site Path The site where this entity resides.	string	Readonly
state	Realization state of this object	string	Required Enum: UNAVAILABLE, UNREALIZED, REALIZED, ERROR
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
time_taken_for_realization	Appoximate time taken in milliseconds for end to end realization. This is an approximate time taken for the realization of the intent to the data path. The actual time taken could be lesser than what is reported here. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the time taken for realization will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for time_taken_for_realization	integer
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Listing of VIFs on the NSX Manager

This API lists VIFs from the specified NSX Manager.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/vifs

Request Headers:

n/a

Query Parameters:

VifsOnEPListRequestParams+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/enforcement-points/default/vifs Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VirtualNetworkInterfaceListResult+

Example Response: { "cursor": "0036077582cc-1b2e-492b-a546-008e970ddd97nnuullll", "result_count": 23, "results": [ { "resource_type": "VirtualNetworkInterface", "display_name": "Network adapter 1", "device_key": "4000", "device_name": "Network adapter 1", "ip_address_info": [ { "ip_addresses": [ "10.161.65.204", "fd01:0:101:2610:250:56ff:feab:e4be", "fd01:0:101:2610:108e:67da:8759:fffe", "fe80::250:56ff:feab:e4be" ], "source": "VM_TOOLS" } ], "vm_local_id_on_host": "3", "mac_address": "00:50:56:ab:e4:be", "owner_vm_id": "a5732786-a9c1-4139-a4cf-97b97881cb15", "external_id": "a5732786-a9c1-4139-a4cf-97b97881cb15-4000", "host_id": "5875b04c-8e75-11e8-850e-a7ec6eb06bc0", "_last_sync_time": 1532349565124 } ] } Required Permissions: read Feature: vm_vm_info Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get list of realized objects associated with intent object

Get list of realized entities associated with intent object,
specified by path in query parameter
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/realized-entities

/policy/api/v1/global-infra/realized-state/realized-entities

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/realized-state/realized-entities

Request Headers:

n/a

Query Parameters:

IntentPathRequestParameter+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/realized-entities?intent_path=/infra/domains/d1/groups/g1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GenericPolicyRealizedResourceListResult+

Example Response: { "result_count": 1, "results": [ { "resource_type": "GenericPolicyRealizedResource", "id": "DOMAIN-d1-g1", "display_name": "DOMAIN-d1-g1", "path": "/infra/realized-state/enforcement-points/nsx-1/groups/nsgroups/DOMAIN-d1-g1", "parent_path": "/infra/realized-state/enforcement-points/nsx-1", "relative_path": "DOMAIN-d1-g1", "intent_reference": [ "/infra/domains/d1/groups/g1" ], "realization_specific_identifier": "22db5ae1-f1d7-4fa0-aa98-6176a3b80d0d", "alarms": [], "state": "REALIZED", "runtime_status": "UNKNOWN", "publish_status": "UNKNOWN", "operational_status" : "UNKNOWN", "extended_attributes": [ { "values": [ "/infra/realized-state/enforcement-points/nsx-1/virtual-machines/564d1fb9-f50d-5533-d189-550394ba7252", "/infra/realized-state/enforcement-points/nsx-1/virtual-machines/564d2588-5ccf-7825-32f9-d5e1f344fe40", "/infra/realized-state/enforcement-points/nsx-1/virtual-machines/564d6341-5655-5cdb-2a90-fad1b762789b", "/infra/realized-state/enforcement-points/nsx-1/virtual-machines/564d922d-f3cb-ae5c-3e3d-d76a55990905" ], "data_type": "STRING", "key": "VIRTUAL_MACHINES", "multivalue": true } ], "entity_type": "RealizedGroup", "_create_user": "system", "_create_time": 1519051314478, "_last_modified_user": "admin", "_last_modified_time": 1519057587852, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 5 } ] } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get realized entity uniquely identified by realized path

Get realized entity uniquely identified by realized path,
specified by query parameter
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/realized-entity

Request Headers:

n/a

Query Parameters:

RealizedPathRequestParameter+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/realized-entity?realized_path=/infra/realized-state/enforcement-points/nsx-1/groups/nsgroups/DOMAIN-d1-g1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GenericPolicyRealizedResource+

GenericPolicyRealizedResource (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alarms	Alarm info detail	array of PolicyAlarmResource
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
enforcement_point_path	Enforcement Point Path The path of the enforcement point.	string	Readonly
entity_type	Type of realized entity	string	Readonly
extended_attributes	Collection of type specific properties	array of AttributeVal	Readonly
id	Unique identifier of this resource	string	Sortable
intent_paths	Collection of intent paths	array of string	Readonly
intent_reference	Desire state paths of this object	array of string
operational_status	String representation of operational status Possible values could be UP, DOWN, UNKNOWN, FAILURE This list is not exhaustive.	string
operational_status_error	String representation of operational status error It defines the root cause for operational status error.	string
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
publish_status	String representation of publish status Possible values could be UP, DOWN, UNKNOWN, SUCCESS This list is not exhaustive.	string
publish_status_error	String representation of publish status error It defines the root cause for publish status error.	string
publish_status_error_code	Represents error code for publish status. It defines error code for publish status error.	int
publish_status_error_details	Details for publich status error. Error details for publish status.	array of ConfigurationStateElement
publish_time	Publish time of the intent This is the time when our system detects that data has been pushed to the transport nodes. This is based on a poll mechanism and hence this is not the accurate time when the intent was published at the data path. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the publish_time will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for publish_time	EpochMsTimestamp	Readonly Sortable
realization_api	Realization API of this object on enforcement point	string
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
realization_specific_identifier	Realization id of this object	string
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value GenericPolicyRealizedResource	string
runtime_error	String representation of runtime error It define the root cause for runtime error.	string
runtime_status	String representation of runtime status Possible values could be UP, DOWN, UNKNOWN, DEGRADED This list is not exhaustive.	string	Deprecated
site_path	Site Path The site where this entity resides.	string	Readonly
state	Realization state of this object	string	Required Enum: UNAVAILABLE, UNREALIZED, REALIZED, ERROR
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
time_taken_for_realization	Appoximate time taken in milliseconds for end to end realization. This is an approximate time taken for the realization of the intent to the data path. The actual time taken could be lesser than what is reported here. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the time taken for realization will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for time_taken_for_realization	integer
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "GenericPolicyRealizedResource", "id": "DOMAIN-d1-g1", "display_name": "DOMAIN-d1-g1", "path": "/infra/realized-state/enforcement-points/nsx-1/groups/nsgroups/DOMAIN-d1-g1", "parent_path": "/infra/realized-state/enforcement-points/nsx-1", "relative_path": "DOMAIN-d1-g1", "intent_reference": [ "/infra/domains/d1/groups/g1" ], "realization_specific_identifier": "22db5ae1-f1d7-4fa0-aa98-6176a3b80d0d", "alarms": [], "state": "REALIZED", "runtime_status": "UNKNOWN", "publish_status": "UNKNOWN", "operational_status" : "UNKNOWN", "extended_attributes": [ { "values": [ "/infra/realized-state/enforcement-points/nsx-1/virtual-machines/564d1fb9-f50d-5533-d189-550394ba7252", "/infra/realized-state/enforcement-points/nsx-1/virtual-machines/564d2588-5ccf-7825-32f9-d5e1f344fe40", "/infra/realized-state/enforcement-points/nsx-1/virtual-machines/564d6341-5655-5cdb-2a90-fad1b762789b", "/infra/realized-state/enforcement-points/nsx-1/virtual-machines/564d922d-f3cb-ae5c-3e3d-d76a55990905" ], "data_type": "STRING", "key": "VIRTUAL_MACHINES", "multivalue": true } ], "entity_type": "RealizedGroup", "_create_user": "system", "_create_time": 1519051314478, "_last_modified_user": "admin", "_last_modified_time": 1519057587852, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 5 } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Refresh all realized entities associated with the intent-path

Refresh the status and statistics of all realized entities associated
with given intent path synchronously. The vmw-async: True HTTP header
cannot be used with this API.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/realized-state/realized-entity?action=refresh

/policy/api/v1/global-infra/realized-state/realized-entity?action=refresh

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/realized-state/realized-entity?action=refresh

Request Headers:

n/a

Query Parameters:

RealizedStateRequestParameter+

Request Body:

n/a

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/realized-state/realized-entity?action=refresh&intent_path=/infra/domains/d1/groups/g1&enforcement_point_path=/infra/deployment-zones/default/enforcement-points/ep1 Successful Response:

Response Code:

204 No Content

Response Headers:

n/a

Response Body:

n/a

Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get consolidated status of an intent object

Get Consolidated Status of an intent object (with or without enforcement specific status details).
The request is evaluated as follows:
- <intent_path>: the request is evaluated on all enforcement points for the given intent without
enforcement point specific details.
- <intent_path, include_enforced_status>: the request is evaluated on all enforcement points for
the given intent with enforcement point specific details.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/status

/policy/api/v1/global-infra/realized-state/status

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/realized-state/status

Request Headers:

n/a

Query Parameters:

IntentStatusRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/status?intent_path=/infra/domains/default/security-policies/block-external&include_enforced_status=true Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ConsolidatedRealizedStatus+

ConsolidatedRealizedStatus (schema)

Name	Description	Type	Notes
consolidated_status	Consolidated Realized Status Consolidated Realized Status across enforcement points.	ConsolidatedStatus	Readonly
consolidated_status_per_enforcement_point	List of Consolidated Realized Status per Enforcement Point List of Consolidated Realized Status per enforcement point.	array of ConsolidatedStatusPerEnforcementPoint	Readonly
intent_path	String Path of the intent object Intent path of object, forward slashes must be escaped using %2F.	string	Required Readonly
intent_version	Intent version for the status Represent highest intent version across all realized objects	string	Readonly
publish_status	Aggregated Realization state of this object	string	Required Enum: UNAVAILABLE, UNREALIZED, REALIZED, ERROR
publish_time	Publish time of the intent This is the time when our system detects that data has been pushed to the transport nodes. This is based on a poll mechanism and hence this is not the accurate time when the intent was published at the data path. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the publish_time will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for publish_time	EpochMsTimestamp	Readonly Sortable
site_uuid	id of Site Site UUID supplied for realized site.	string
time_taken_for_realization	Appoximate time taken in milliseconds for end to end realization. This is an approximate time taken for the realization of the intent to the data path. The actual time taken could be lesser than what is reported here. The value of -1 indicates that either the publishing is still in progress or the runtime status is UNKNOWN and hence not available. The Runtime status can be UNKNOWN if one or more hosts are down and the rules could not be sent to those hosts. When the host comes up, the runtime status will change to SUCCESS but the time taken for realization will show the value of the last realization time. Any new configuration change after this will start reflecting the proper value for time_taken_for_realization.	integer

Example Response: { "consolidated_status": { "consolidated_status": "ERROR" }, "consolidated_status_per_enforcement_point": [ { "enforced_status": { "enforced_status_info": { "enforced_status": { "status": "UNKNOWN" }, "enforced_status_per_scope": [ { "enforced_status_per_transport_node": [ { "path": "/infra/sites/default/enforcement-points/default/edge-clusters/ec/edge-nodes/c578e7ba-5ce5-11e9-acec-41d19997391c", "enforced_status": { "status": "FAILURE", "status_message": "Internal error(1101) occurred on transport node c578e7ba-5ce5-11e9-acec-41d19997391c." } }, { "path": "/infra/sites/default/enforcement-points/default/edge-clusters/ec/edge-nodes/a744cd7e-5ce5-11e9-a24b-df71fdc87f85", "enforced_status": { "status": "SUCCESS" } }, { "path": "/infra/sites/default/enforcement-points/default/edge-clusters/ec/edge-nodes/77af8e10-5ce5-11e9-9149-5bb770f7c6c7", "enforced_status": { "status": "SUCCESS" } }, { "path": "/infra/sites/default/enforcement-points/default/edge-clusters/ec/edge-nodes/93ecd452-5ce5-11e9-8c18-bdce5885e998", "enforced_status": { "status": "SUCCESS" } } ], "resource_type": "TransportNodeSpanEnforcedStatus" } ] }, "pending_changes_info": { "pending_changes_flag": false } }, "enforcement_point_path": "/infra/sites/default/enforcement-points/default", "enforcement_point_id": "default", "consolidated_status": { "consolidated_status": "UNKNOWN" } } ], "intent_path": "/infra/domains/default/security-policies/block-external" } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory

Policy: Inventory: Baremetal Servers

Associated URIs:

GET /api/v1/fabric/baremetal-servers
POST /policy/api/v1/infra/baremetal-servers/tags
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/baremetal-servers/tags

Return the list of all bare metal servers

Returns information about all bare metal servers.
Tags will be populated only if the tags are added on the bare metal server.
Tags will not be listed in case tags are removed or are not added.
Request:

Method:

GET

URI Path(s):

/api/v1/fabric/baremetal-servers

Request Headers:

n/a

Query Parameters:

BareMetalServerListRequestParameters+

BareMetalServerListRequestParameters (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
display_name	Display name Optional, valid display name of bare metal server specified as request parameter to filter bare metal server.	string
external_id	External id Optional, valid external id of bare metal server specified as request parameter to filter bare metal server.	string
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
source_id	Source id Optional, valid id of the bare metal controller discovering bare metal server specified as request parameter to filter bare metal server.	string

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/baremetal-servers Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

BareMetalServerListResult+

Example Response: ## For /fabric/baremetal-servers ## { "result_count" : 1, "cursor": "003653b55e00-e5c1-11e5-a549-005056b18ef8", "results" : [ { "external_id" : "74730a28-e52d-11e5-936e-6f061d405a22”, // uuid "display_name" : "BM-1", "resource_type" : "BareMetalServer", "source_id”: "74730a28-e52d-11e5-936e-6f061d405a11”, // ID of BMC "cpu_cores" : 4, "os_info" : { "os_name": "Ubuntu Linux (64-bit)", "os_version" : "20.0", }, "tags": [ { "scope": "os1", "tag": "linux86" } ], "_last_sync_time" : 1493291539130 } ] } ## For fabric/baremetal-servers?external_id=74730a28-e52d-11e5-936e-6f061d405a22 ## { "result_count": 1, "results": [ { "external_id" : "74730a28-e52d-11e5-936e-6f061d405a22”, // uuid "display_name" : "BM-1", "resource_type" : "BareMetalServer", "source_id”: "74730a28-e52d-11e5-936e-6f061d405a11”, // ID of BMC "cpu_cores" : 4, "os_info" : { "os_name": "Ubuntu Linux (64-bit)", "os_version" : "20.0", }, "tags": [ { "scope": "os1", "tag": "linux86" } ], "_last_sync_time" : 1493291539130 } ] } Required Permissions: read Feature: bare_metal_server_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Apply tags on bare metal server

Allows an admin to apply multiple tags to a bare metal server. This operation
does not store the intent on the policy side. This operation will replace the existing
tags on the bare metal server with the ones that have been passed. If the
application of tag fails, then an error is reported. The admin will have to retry the operation again.
Policy framework does not perform a retry. Failure could occur due to multiple
reasons. For e.g constraints like max tags limit exceeded, etc.
This API is only available when using VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/baremetal-servers/tags

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/baremetal-servers/tags

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

BareMetalServerTagList+

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/baremetal-servers/tags { "bms_external_id": "74730a28-e52d-11e5-936e-6f061d405a28", "tags": [ {"scope": "os", "tag": "linux86"}, {"scope": "security", "tag": "PCI"} ] } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

BareMetalServerTagList+

Required Permissions: crud Feature: policy_bare_metal_server_tags Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Baremetal Servers Interfaces

Associated URIs:

POST /policy/api/v1/infra/baremetal-server-interfaces/tags
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/baremetal-server-interfaces/tags

Apply tags on bare metal server interface

Allows an admin to apply multiple tags to a bare metal server interface. This operation
does not store the intent on the policy side. This operation will replace the existing
tags on the bare metal server interface with the ones that have been passed. If the
application of tag fails, then an error is reported. The admin will have to retry the operation again.
Policy framework does not perform a retry. Failure could occur due to multiple
reasons. For e.g constraints like max tags limit exceeded, etc.
This API is only available when using VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/baremetal-server-interfaces/tags

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/baremetal-server-interfaces/tags

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

BareMetalServerInterfaceTagList+

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/baremetal-server-interfaces/tags { "bms_interface_external_id": "74730a28-e52d-11e5-936e-6f061d405a28“, "tags": [ {"scope": "os1”, "tag": "NetworkInterface"}, {"scope": "security", "tag": "storage"} ] } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

BareMetalServerInterfaceTagList+

Required Permissions: crud Feature: policy_bare_metal_server_tags Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Baremetalserver Interfaces

Associated URIs:

GET /api/v1/fabric/baremetal-server-interfaces

Return the List of interfaces for all bare metal servers.

Returns information about all bare metal server interfaces.
Tags will be populated only if the tags are added on the bare metal server interface.
Tags will not be listed in case tags are removed or are not added.
Request:

Method:

GET

URI Path(s):

/api/v1/fabric/baremetal-server-interfaces

Request Headers:

n/a

Query Parameters:

BareMetalServerInterfaceListRequestParameters+

BareMetalServerInterfaceListRequestParameters (schema)

Name	Description	Type	Notes
bms_external_id	Bms external id Optional, valid external id of the bare metal server for which interfaces are to be retrieved specified to filter bare metal server interface.	string
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
display_name	Interface name Optional, valid display name of bare metal server interface as request parameter specified to filter bare metal server interface.	string
external_id	External Id Optional, valid external id of bare metal server interface as request parameter specified to filter bare metal server interface.	string
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
source_id	Source id Optional, valid id of the bare metal controller as request parameter specified to filter bare metal server interface.	string

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/baremetal-server-interfaces Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

BareMetalServerInterfaceListResult+

Example Response: { "result_count": 1, "results": [ { "external_id": "5006d98a-352f-134f-df6b-33e7f8d5de65", "resource_type": "BareMetalServerInterface", "bms_external_id": "5006d98a-352f-134f-df6b-33e7f8d54444", "display_name": "Interface1", "ip_addresses": [ "172.16.20.10", "fe80::250:56ff:fe86:f2b2" ], "mac_address": "00:50:56:86:f2:b2", "source_id": "74730a28-e52d-11e5-936e-6f061d405a28" "is_mgmt_interface": "true", "state": "UP", "tags": [ { "scope": "os1", "tag": "networkInterface" } ] "_last_sync_time" : 1493291539130 } ] } # GET https://<nsx-mgr>/api/v1/fabric/baremetal-server-interfaces?external_id=5006d98a-352f-134f-df6b-33e7f8d5de65 { "result_count": 1, "results": [ { "external_id": "5006d98a-352f-134f-df6b-33e7f8d5de65", "resource_type": "BareMetalServerInterface", "bms_external_id": "5006d98a-352f-134f-df6b-33e7f8d54444", "display_name": "Interface1", "ip_addresses": [ "172.16.20.10", "fe80::250:56ff:fe86:f2b2" ], "mac_address": "00:50:56:86:f2:b2", "source_id": "74730a28-e52d-11e5-936e-6f061d405a28" "is_mgmt_interface": "true", "state": "UP", "tags": [ { "scope": "os1", "tag": "networkInterface" } ] "_last_sync_time" : 1493291539130 } ] } Required Permissions: read Feature: bare_metal_server_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Containers

Policy: Inventory: Containers: Container Applications

Associated URIs:

GET /api/v1/fabric/container-application-instances
GET /api/v1/fabric/container-application-instances/{container-application-instance-id}
GET /api/v1/fabric/container-applications
GET /api/v1/fabric/container-applications/{container-application-id}

Return the list of container application instance

Returns information about all container application instance. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-application-instances

Request Headers:

n/a

Query Parameters:

ContainerApplicationInstanceListRequestParameters+

ContainerApplicationInstanceListRequestParameters (schema)

Name	Description	Type	Notes
container_application_id	Identifier of the container application Identifier of the container application.	string
container_cluster_id	Identifier of the container cluster Identifier of the container cluster.	string
container_project_id	Identifier of the container project Identifier of the container project.	string
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
scope_id	Scope id for container cluster Specifies scope id for container cluster. Default value is same as identifier of the cluster.	string
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-application-instances Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerApplicationInstanceListResult+

Example Response: { "results": [ { "external_id": "a2068f56-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba2e72-6026-11e9-980c-dca9048e157d", "container_application_ids": [ "a1e60b5a-6026-11e9-980c-dca9048e157d" ], "tags": [ { "scope": "dis:k8s:key0", "tag": "val0" } ], "origin_properties": [ { "key": "prop0", "value": "val0" } ], "status": "UP", "resource_type": "ContainerApplicationInstance", "display_name": "app-instance-1", "_last_sync_time": 1555405475693 }, { "external_id": "a206a4dc-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba31a6-6026-11e9-980c-dca9048e157d", "container_application_ids": [ "a1e6144c-6026-11e9-980c-dca9048e157d" ], "tags": [ { "scope": "dis:k8s:key1", "tag": "val1" } ], "origin_properties": [ { "key": "prop0", "value": "val0" } ], "status": "UNKNOWN", "resource_type": "ContainerApplicationInstance", "display_name": "app-instance-2", "_last_sync_time": 1555405475703 } ], "result_count": 2, "sort_by": "displayName", "sort_ascending": true } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return a container application instance

Returns information about a specific container application instance. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-application-instances/{container-application-instance-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-application-instances/a2068f56-6026-11e9-980c-dca9048e157d Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerApplicationInstance+

ContainerApplicationInstance (schema)

Name	Description	Type	Notes
_last_sync_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
cluster_node_id	Cluster node id Cluster node id where application instance is running.	string
container_application_ids	Identifiers of the container application List of identifiers of the container application.	array of string
container_cluster_id	Identifier of the container cluster Identifier of the container cluster this application instance belongs to.	string	Readonly
container_project_id	Identifier of the project Identifier of the container project which this container application instance belongs to.	string
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
external_id	External identifier of the container application instance Identifier of the container application instance on container cluster.	string	Required
network_errors	Network errors List of network errors related to container application instance.	array of NetworkError
network_status	Network status of container application instance Network status of container application instance.	string	Enum: HEALTHY, UNHEALTHY
origin_properties	Origin properties Array of additional specific properties of container application instance in key-value format.	array of KeyValuePair
resource_type	Must be set to the value ContainerApplicationInstance	string	Required
scope	List of scopes for discovered resource Specifies list of scope of discovered resource. e.g. if VHC path is associated with principal identity, who owns the discovered resource, then scope id will be VHC path and scope type will be VHC.	array of DiscoveredResourceScope
status	Status of the container application instance Status of the container application instance.	string	Enum: UNKNOWN, HEALTHY, UP, DOWN, DEGRADED
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "external_id": "a2068f56-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba2e72-6026-11e9-980c-dca9048e157d", "container_application_ids": [ "a1e60b5a-6026-11e9-980c-dca9048e157d" ], "tags": [ { "scope": "dis:k8s:key", "tag": "val" } ], "origin_properties": [ { "key": "prop0", "value": "val0" } ], "status": "UP", "resource_type": "ContainerApplicationInstance", "display_name": "app-instance-1", "_last_sync_time": 1555405475693 } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return the List of Container Applications

Returns information about all Container Applications. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-applications

Request Headers:

n/a

Query Parameters:

ContainerObjectsListRequestParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-applications Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerApplicationListResult+

Example Response: { "results": [ { "external_id": "a1e60b5a-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba2e72-6026-11e9-980c-dca9048e157d", "tags": [ { "scope": "dis:k8s:key1", "tag": "val1" } ], "origin_properties": [ { "key": "prop0", "value": "val0" } ], "status": "UP", "resource_type": "ContainerApplication", "display_name": "app-1", "_last_sync_time": 1555405471800 }, { "external_id": "a1e623a6-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad644-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba3688-6026-11e9-980c-dca9048e157d", "tags": [ { "scope": "dis:k8s:key", "tag": "val" } ], "origin_properties": [ { "key": "prop0", "value": "val0" } ], "status": "DOWN", "resource_type": "ContainerApplication", "display_name": "app-2", "_last_sync_time": 1555405472878 } ], "result_count": 2, "sort_by": "displayName", "sort_ascending": true } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return a Container Application within a container project

Returns information about a specific Container Application within a project. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-applications/{container-application-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-applications/a1e60b5a-6026-11e9-980c-dca9048e157d Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerApplication+

ContainerApplication (schema)

Name	Description	Type	Notes
_last_sync_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
cluster_ips	List of cluster IPs The IPv4 and IPv6 clusterIPs of the container application.	array of IPAddress
container_cluster_id	Identifier of the container cluster Identifier of the container cluster this container application belongs to.	string	Readonly
container_project_id	Identifier of the project Identifier of the project which this container application belongs to.	string
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
external_id	External identifier of the container application Identifier of the container application on container cluster e.g. PCF app id, k8s service id.	string	Required
load_balancer_ingress	List of load-balancer ingress points Specifies list of load-balancer ingress points	array of ContainerLoadBalancerIngress
network_errors	Network errors List of network errors related to container application.	array of NetworkError
network_status	Network status of container application Network status of container application.	string	Enum: HEALTHY, UNHEALTHY
node_port_local_endpoints	List of NodePortLocalEndpoint Specifies list of local endpoint, when service is NodePortLocal.	array of NodePortLocalEndpoint
origin_properties	Origin properties Array of additional specific properties of container application in key-value format.	array of KeyValuePair
resource_type	Must be set to the value ContainerApplication	string	Required
scope	List of scopes for discovered resource Specifies list of scope of discovered resource. e.g. if VHC path is associated with principal identity, who owns the discovered resource, then scope id will be VHC path and scope type will be VHC.	array of DiscoveredResourceScope
service_ports	List of service port Specifies list of service port.	array of ContainerServicePort
status	Status of the container application Status of the container application.	string	Enum: UNKNOWN, HEALTHY, UP, DOWN, DEGRADED
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
type	Type of container application	string	Enum: CLUSTER_IP, NODE_PORT, LOAD_BALANCER, EXTERNAL_NAME

Example Response: { "external_id": "a1e60b5a-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba2e72-6026-11e9-980c-dca9048e157d", "tags": [ { "scope": "dis:k8s:key", "tag": "val" } ], "origin_properties": [ { "key": "prop0", "value": "val0" } ], "status": "UP", "resource_type": "ContainerApplication", "display_name": "app-1", "_last_sync_time": 1555405471800 } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Containers: Container Clusters

Associated URIs:

GET /api/v1/fabric/container-cluster-nodes
GET /api/v1/fabric/container-cluster-nodes/{container-cluster-node-id}
GET /api/v1/fabric/container-clusters
GET /api/v1/fabric/container-clusters/{container-cluster-id}
GET /api/v1/fabric/container-egress/{egress-id}
GET /api/v1/fabric/container-egresses
GET /api/v1/fabric/container-gateway/{gateway-id}
GET /api/v1/fabric/container-gateways
GET /api/v1/fabric/container-ingress-policies
GET /api/v1/fabric/container-ingress-policies/{ingress-policy-id}
GET /api/v1/fabric/container-ip-pool/{ip-pool-id}
GET /api/v1/fabric/container-ip-pools
GET /api/v1/fabric/container-network-policies
GET /api/v1/fabric/container-network-policies/{network-policy-id}

Return the list of container cluster nodes

Returns information about all container cluster nodes. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-cluster-nodes

Request Headers:

n/a

Query Parameters:

ContainerClusterFilterParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-cluster-nodes Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerClusterNodeListResult+

Example Response: { "results": [ { "external_id": "cdd8569c-5934-11e9-b657-000c296a0506", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "tags": [ { "scope": "dis:k8s:key", "tag": "val" } ], "origin_properties": [], "resource_type": "ContainerClusterNode", "display_name": "sc2-rdops-vm02-dhcp-70-93", "_last_sync_time": 1555666926606 } ], "result_count": 1, "sort_by": "displayName", "sort_ascending": true } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return a container cluster node

Returns information about a specific container cluster node. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-cluster-nodes/{container-cluster-node-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-cluster-nodes/cdd8569c-5934-11e9-b657-000c296a0506 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerClusterNode+

ContainerClusterNode (schema)

Name	Description	Type	Notes
_last_sync_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
cni_agent_status	CNI agent status of container cluster node Specifies Container Network Interface agent status of container cluster node.	string	Enum: HEALTHY, UNHEALTHY
container_cluster_id	External identifier of the container cluster External identifier of the container cluster.	string
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
external_id	External identifier of the container cluster node External identifier of the container cluster node in K8S/PAS.	string	Required
external_ip_addresses	List of external ip address of Node Specifies list of external ip address of Node.	array of IPAddress
ip_addresses	IP Addresses of Node List of IP addresses of container cluster node.	array of IPAddress
network_errors	Network errors List of network errors related to container cluster node.	array of NetworkError
network_status	Network status of container cluster node Network status of container cluster node.	string	Enum: HEALTHY, UNHEALTHY
origin_properties	Origin properties Array of additional specific properties of container cluster node in key-value format.	array of KeyValuePair
pod_cidrs	List of CIDR of container application instance In case of Kubernetes container cluster, it represents the IP ranges assigned to the node for usage by Pod on that node.	array of IPCIDRBlock
provider_id	Provider id of container node Specifies identifier of container cluster node given by infrastructure provider of container cluster. e.g. in case of vSpehere, it will be instance uuid of worker node virtual machine.	string
resource_type	Must be set to the value ContainerClusterNode	string	Required
scope	List of scopes for discovered resource Specifies list of scope of discovered resource. e.g. if VHC path is associated with principal identity, who owns the discovered resource, then scope id will be VHC path and scope type will be VHC.	array of DiscoveredResourceScope
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "external_id": "cdd8569c-5934-11e9-b657-000c296a0506", "container_cluster_id": "b8b0889f-338c-5c65-98bd-a5642ae2aa00", "tags": [ { "scope": "dis:k8s:key", "tag": "val" } ], "origin_properties": [], "resource_type": "ContainerClusterNode", "display_name": "sc2-rdops-vm02-dhcp-70-93", "_last_sync_time": 1555666926606 } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return the List of Container Clusters

Returns information about all Container Clusters. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-clusters

Request Headers:

n/a

Query Parameters:

ContainerClusterPropertiesFilterParameters+

ContainerClusterPropertiesFilterParameters (schema)

Name	Description	Type	Notes
cluster_type	Type of container cluster This is the type of container cluster.	string	Enum: PAS, PKS, Kubernetes, Openshift, WCP, WCP_Guest, AKS, EKS, TKGm, TKGi, GKE, Gardener, Rancher, TAS, Other
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
infra_type	Type of infrastructure This is the type of container's infrastructure.	string	Enum: vSphere, AWS, Azure, Google, VMC, KVM, Baremetal
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
scope_id	Scope id for container cluster Specifies scope id for container cluster. Default value is same as identifier of the cluster.	string
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-clusters Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerClusterListResult+

Example Response: { "results": [ { "external_id": "b8b0889f-338c-5c65-98bd-a5642ae2aa03", "cluster_type": "PKS", "infrastructure": { "infra_type": "AWS" }, "origin_properties": [ { "key": "prop1", "value": "val1" } ], "resource_type": "ContainerCluster", "display_name": "Cluster-1", "_last_sync_time": 1555405468523 }, { "external_id": "b8b0889f-338c-5c65-98bd-a5642ae2aa04", "cluster_type": "Kubernetes", "infrastructure": { "infra_type": "vSphere" }, "origin_properties": [ { "key": "prop2", "value": "val2" } ], "resource_type": "ContainerCluster", "display_name": "Cluster-2", "_last_sync_time": 1555405468659 }, ], "result_count": 2, "sort_by": "displayName", "sort_ascending": true } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return a container cluster

Returns information about a specific container cluster Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-clusters/{container-cluster-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-clusters/a19ad270-6026-11e9-980c-dca9048e157d Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerCluster+

ContainerCluster (schema)

Name	Description	Type	Notes
_last_sync_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
cluster_ip_ranges	List of cluster IP range In case of Kubernetes container cluster, it specifies CIDRs that will be assigned to services created on Kubernetes.	array of IPCIDRBlock	Maximum items: 2
cluster_type	Type of the container cluster Type of the container cluster. In case of creating container cluster first time, it is expected to pass the valid cluster-type. In case of update, if there is no change in cluster-type, then this field can be omitted in the request.	string	Enum: PAS, PKS, Kubernetes, Openshift, WCP, WCP_Guest, AKS, EKS, TKGm, TKGi, GKE, Gardener, Rancher, TAS, SupervisorCluster, WorkloadCluster, Other
cni_type	CNI type for container cluster Specifies Container Network Interface type for container cluster.	string	Enum: NCP, Antrea, Other Default: "Other"
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
external_id	External identifier of the container cluster External identifier of the container cluster.	string
infrastructure	Details of infrastructure for the container cluster Details of underlying infrastructure that hosts the container cluster. In case of creating container cluster first time, it is expected to pass the valid infrastructure. In case of update, if there is no change in cluster-type, then this field can be omitted in the request.	ContainerInfrastructureInfo
network_errors	Network errors List of network errors related to container cluster.	array of NetworkError
network_status	Network status of container cluster Network status of container cluster.	string	Enum: HEALTHY, UNHEALTHY
node_port_local_range	Node port local range Specifies the port range to be used for NodePortLocal services.	string	Format: port-or-range
node_port_range	Node port range In case of Kubernetes container cluster, it specifies port range to be used for Kubernetes services created with the type NodePort.	string	Format: port-or-range
origin_properties	Origin properties Array of additional specific properties of container cluster in key-value format.	array of KeyValuePair
resource_type	Must be set to the value ContainerCluster	string	Required
scope	List of scopes for discovered resource Specifies list of scope of discovered resource. e.g. if VHC path is associated with principal identity, who owns the discovered resource, then scope id will be VHC path and scope type will be VHC.	array of DiscoveredResourceScope
supervisor_project_id	Supervisor ContainerProject identifier for cluster Specifies supervisor container project identifier for cluster.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "external_id": "a19ad270-6026-11e9-980c-dca9048e157d", "cluster_type": "Kubernetes", "infrastructure": { "infra_type": "vSphere" }, "origin_properties": [], "resource_type": "ContainerCluster", "display_name": "cluster-1", "_last_sync_time": 1555405468523 } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Returns an egress details

Returns information about a specific egress. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-egress/{egress-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-egress/a241768e-6026-11e9-980c-dca9048e157d Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerEgress+

ContainerEgress (schema)

Name	Description	Type	Notes
_last_sync_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
container_cluster_id	Identifier of the container cluster Identifier of the container cluster this egress belongs to.	string
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
egress_ip	Container egress IP Container egress IP.	string	Format: ip
external_id	External identifier of the container egress Identifier of the container egress.	string	Required
origin_properties	Origin properties Array of additional specific properties of container egress in key-value format. e.g. key can be externalIPPool, value is a string	array of KeyValuePair
resource_type	Must be set to the value ContainerEgress	string	Required
scope	List of scopes for discovered resource Specifies list of scope of discovered resource. e.g. if VHC path is associated with principal identity, who owns the discovered resource, then scope id will be VHC path and scope type will be VHC.	array of DiscoveredResourceScope
spec	Container egress specification This specifies yaml definition of ContainerEgress resource. e.g. yaml definition of kubernetes egress resource.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "external_id": "a241768e-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "spec": "!!python/unicode 'podSelector':\n !!python/unicode 'matchLabels': {!!python/unicode 'app': !!python/unicode 'mgmtapp'}\n!!python/unicode 'policyTypes': [!!python/unicode 'Egress']\n", "origin_properties": [ { "key": "prop0", "value": "val0" } ], "resource_type": "ContainerEgress", "display_name": "egress-1", "_last_sync_time": 1555405484377 } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return the List of Container Egress

Returns information about all egress. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-egresses

Request Headers:

n/a

Query Parameters:

ContainerClusterFilterParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-egress Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerEgressListResult+

Example Response: { "results": [ { "external_id": "a241768e-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "spec": "!!python/unicode 'podSelector':\n !!python/unicode 'matchLabels': {!!python/unicode 'app': !!python/unicode 'mgmtapp'}\n!!python/unicode 'policyTypes': [!!python/unicode 'Egress']\n", "origin_properties": [ { "key": "prop0", "value": "val0" } ], "resource_type": "ContainerEgress", "display_name": "egress-1", "_last_sync_time": 1555405484377 } ], "result_count": 1, "sort_by": "displayName", "sort_ascending": true } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Returns an container gateway

Returns information about a specific container gateway. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-gateway/{gateway-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-gateway/a241768e-6026-11e9-980c-dca9048e157d Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerGateway+

ContainerGateway (schema)

Name	Description	Type	Notes
_last_sync_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
addresses	List of addresses bound to gateway Specifies addresses which lists the IP addresses that have actually been bound to the gateway.	array of ContainerGatewayAddress
container_cluster_id	Identifier of the container cluster Specifies identifier of the container cluster of this container gateway.	string
container_project_id	Identifier of the container project Specifies identifier of the container project of this container gateway.	string
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
external_id	External identifier of the container gateway Specifies identifier of the container gateway.	string	Required
listeners	List of listener Specifies list of listeners which defines logical endpoints that are bound on this Gateway's addresses.	array of ContainerGatewayListener
origin_properties	Origin properties Array of additional specific properties of container ip pool in key-value format.	array of KeyValuePair
resource_type	Must be set to the value ContainerGateway	string	Required
scope	List of scopes for discovered resource Specifies list of scope of discovered resource. e.g. if VHC path is associated with principal identity, who owns the discovered resource, then scope id will be VHC path and scope type will be VHC.	array of DiscoveredResourceScope
spec	Container gateway specification This specifies yaml definition of ContainerGateway resource.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "external_id": "a241768e-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "container_project_id": "a19ad270-6026-11e9-980c-dca9048e157e", "spec": "!!python/unicode 'podSelector':\n !!python/unicode 'matchLabels': {!!python/unicode 'app': !!python/unicode 'mgmtapp'}\n!!python/unicode 'policyTypes': [!!python/unicode 'gateway']\n", "origin_properties": [ { "key": "prop0", "value": "val0" } ], "resource_type": "ContainerGateway", "display_name": "gateway-1", "_last_sync_time": 1555405484377 } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return the List of container gateway

Returns information about all container gateways. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-gateways

Request Headers:

n/a

Query Parameters:

ContainerObjectsListRequestParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-gateway Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerGatewayListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return the List of Container Ingress Policies

Returns information about all ingress policies. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-ingress-policies

Request Headers:

n/a

Query Parameters:

ContainerObjectsListRequestParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-ingress-policies Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerIngressPolicyListResult+

Example Response: { "results": [ { "external_id": "a241768e-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba2e72-6026-11e9-980c-dca9048e157d", "spec": "!!python/unicode 'podSelector':\n !!python/unicode 'matchLabels': {!!python/unicode 'app': !!python/unicode 'mgmtapp'}\n!!python/unicode 'policyTypes': [!!python/unicode 'Ingress']\n", "origin_properties": [ { "key": "prop0", "value": "val0" } ], "resource_type": "ContainerIngressPolicy", "display_name": "ingress-1", "_last_sync_time": 1555405484377 }, { "external_id": "a2418f70-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad644-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba3688-6026-11e9-980c-dca9048e157d", "spec": "!!python/unicode 'podSelector':\n !!python/unicode 'matchLabels': {!!python/unicode 'app': !!python/unicode 'mgmtapp'}\n!!python/unicode 'policyTypes': [!!python/unicode 'Ingress']\n", "origin_properties": [ { "key": "prop0", "value": "val0" } ], "resource_type": "ContainerIngressPolicy", "display_name": "ingress-2", "_last_sync_time": 1555405485742 } ], "result_count": 2, "sort_by": "displayName", "sort_ascending": true } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Returns an ingress policy spec

Returns information about a specific ingress policy. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-ingress-policies/{ingress-policy-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-ingress-policies/a241768e-6026-11e9-980c-dca9048e157d Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerIngressPolicy+

ContainerIngressPolicy (schema)

Name	Description	Type	Notes
_last_sync_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
container_application_ids	Identifiers of the container application List of identifiers of the container application , on which ingress policy is applied. e.g. IDs of all services on which the ingress is applied in kubernetes.	array of string
container_cluster_id	Identifier of the container cluster Identifier of the container cluster this ingress policy belongs to.	string
container_project_id	Identifier of the project Identifier of the project which this container ingress belongs to.	string
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
external_id	External identifier of the container ingress policy Identifier of the container ingress policy.	string	Required
load_balance_ingress	List of container loadbalancer ingress Specifies list for ingress points for the load balancer.	array of ContainerLoadBalancerIngress
network_errors	Network errors List of network errors related to container ingress.	array of NetworkError
network_status	Network status of container ingress Network status of container ingress.	string	Enum: HEALTHY, UNHEALTHY
origin_properties	Origin properties Array of additional specific properties of container ingress in key-value format.	array of KeyValuePair
resource_type	Must be set to the value ContainerIngressPolicy	string	Required
scope	List of scopes for discovered resource Specifies list of scope of discovered resource. e.g. if VHC path is associated with principal identity, who owns the discovered resource, then scope id will be VHC path and scope type will be VHC.	array of DiscoveredResourceScope
spec	Container ingress policy specification Container ingress policy specification.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "external_id": "a241768e-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba2e72-6026-11e9-980c-dca9048e157d", "spec": "!!python/unicode 'podSelector':\n !!python/unicode 'matchLabels': {!!python/unicode 'app': !!python/unicode 'mgmtapp'}\n!!python/unicode 'policyTypes': [!!python/unicode 'Ingress']\n", "origin_properties": [ { "key": "prop0", "value": "val0" } ], "resource_type": "ContainerIngressPolicy", "display_name": "ingress-1", "_last_sync_time": 1555405484377 } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Returns an container ip pool

Returns information about a specific container ip pool. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-ip-pool/{ip-pool-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-ip-pool/a241768e-6026-11e9-980c-dca9048e157d Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerIpPool+

ContainerIpPool (schema)

Name	Description	Type	Notes
_last_sync_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
container_cluster_id	Identifier of the container cluster Specifies identifier of the container cluster this container ip pool belongs to.	string
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
external_id	External identifier of the container ip pool Specifies identifier of the container ip pool.	string	Required
ip_ranges	List of IP ranges with subnet details Specifies list of SubnetIpRange, which is a set of contiguous IP addresses, represented by a CIDR or a pair of start and end IPs, along with subnet definition.	array of SubnetIpRange
ip_version	IP version of ContainerIpPool Specifies IP version of container IP pool.	integer	Enum: 4, 6
origin_properties	Origin properties Array of additional specific properties of container ip pool in key-value format.	array of KeyValuePair
resource_type	Must be set to the value ContainerIpPool	string	Required
scope	List of scopes for discovered resource Specifies list of scope of discovered resource. e.g. if VHC path is associated with principal identity, who owns the discovered resource, then scope id will be VHC path and scope type will be VHC.	array of DiscoveredResourceScope
spec	Container ip pool specification This specifies yaml definition of ContainerIpPool resource.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "external_id": "a241768e-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "spec": "!!python/unicode 'podSelector':\n !!python/unicode 'matchLabels': {!!python/unicode 'app': !!python/unicode 'mgmtapp'}\n!!python/unicode 'policyTypes': [!!python/unicode 'ip-pool']\n", "origin_properties": [ { "key": "prop0", "value": "val0" } ], "resource_type": "ContainerIpPool", "display_name": "ippool-1", "_last_sync_time": 1555405484377 } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return the List of Container ip pool

Returns information about all container ip pools. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-ip-pools

Request Headers:

n/a

Query Parameters:

ContainerClusterFilterParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-ip-pool Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerIpPoolListResult+

Example Response: { "results": [ { "external_id": "a241768e-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "spec": "!!python/unicode 'podSelector':\n !!python/unicode 'matchLabels': {!!python/unicode 'app': !!python/unicode 'mgmtapp'}\n!!python/unicode 'policyTypes': [!!python/unicode 'IpPool']\n", "origin_properties": [ { "key": "prop0", "value": "val0" } ], "resource_type": "ContainerIpPool", "display_name": "ipppol-1", "_last_sync_time": 1555405484377 } ], "result_count": 1, "sort_by": "displayName", "sort_ascending": true } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return the List of Container Network Policies

Returns information about all network policies. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-network-policies

Request Headers:

n/a

Query Parameters:

ContainerObjectsListRequestParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-network-policies Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerNetworkPolicyListResult+

Example Response: { "results": [ { "external_id": "a2228fbc-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba2e72-6026-11e9-980c-dca9048e157d", "spec": "!!python/unicode 'podSelector':\n !!python/unicode 'matchLabels': {!!python/unicode 'app': !!python/unicode 'mgmtapp'}\n!!python/unicode 'policyTypes': [!!python/unicode 'Ingress']\n", "policy_type": "NETWORK_POLICY", "origin_properties": [ { "key": "prop0", "value": "val0" } ], "resource_type": "ContainerNetworkPolicy", "display_name": "policy-1", "_last_sync_time": 1555405480267 }, { "external_id": "a222a89e-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad644-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba3688-6026-11e9-980c-dca9048e157d", "spec": "!!python/unicode 'podSelector':\n !!python/unicode 'matchLabels': {!!python/unicode 'app': !!python/unicode 'mgmtapp'}\n!!python/unicode 'policyTypes': [!!python/unicode 'Ingress']\n", "policy_type": "NETWORK_POLICY", "origin_properties": [ { "key": "prop0", "value": "val0" } ], "resource_type": "ContainerNetworkPolicy", "display_name": "policy-2", "_last_sync_time": 1555405481623 } ], "result_count": 2, "sort_by": "displayName", "sort_ascending": true } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return a network policy spec

Returns information about a specific network policy. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-network-policies/{network-policy-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-network-policies/a2228fbc-6026-11e9-980c-dca9048e157d Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerNetworkPolicy+

ContainerNetworkPolicy (schema)

Name	Description	Type	Notes
_last_sync_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
container_cluster_id	Identifier of the container cluster Identifier of the container cluster this network policy belongs to.	string
container_project_id	Identifier of the project Identifier of the project which this network policy belongs to.	string
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
external_id	External identifier of the container network policy Identifier of the container network policy.	string	Required
network_errors	Network errors List of network errors related to container network policy.	array of NetworkError
network_status	Network status of container network policy Network status of container network policy.	string	Enum: HEALTHY, UNHEALTHY
origin_properties	Origin properties Array of additional specific properties of container network policy in key-value format.	array of KeyValuePair
policy_type	Type Type e.g. Network Policy, ASG.	string	Enum: NETWORK_POLICY, ASG, ACNP, ANP
resource_type	Must be set to the value ContainerNetworkPolicy	string	Required
scope	List of scopes for discovered resource Specifies list of scope of discovered resource. e.g. if VHC path is associated with principal identity, who owns the discovered resource, then scope id will be VHC path and scope type will be VHC.	array of DiscoveredResourceScope
spec	Container network policy specification Container network policy specification.	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "external_id": "a2228fbc-6026-11e9-980c-dca9048e157d", "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "container_project_id": "a1ba2e72-6026-11e9-980c-dca9048e157d", "spec": "!!python/unicode 'podSelector':\n !!python/unicode 'matchLabels': {!!python/unicode 'app': !!python/unicode 'mgmtapp'}\n!!python/unicode 'policyTypes': [!!python/unicode 'Ingress']\n", "policy_type": "NETWORK_POLICY", "origin_properties": [ { "key": "prop0", "value": "val0" } ], "resource_type": "ContainerNetworkPolicy", "display_name": "policy-1", "_last_sync_time": 1555405480267 } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Containers: Container Projects

Associated URIs:

GET /api/v1/fabric/container-projects
GET /api/v1/fabric/container-projects/{container-project-id}

Return the list of container projects

Returns information about all container projects Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-projects

Request Headers:

n/a

Query Parameters:

ContainerClusterFilterParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-projects Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerProjectListResult+

Example Response: { "results": [ { "external_id": "a1ba2e72-6026-11e9-980c-dca9048e157d", "tags": [ { "scope": "dis:k8s:key1", "tag": "val1" } ], "origin_properties": [ { "key": "prop0", "value": "val0" } ], "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "resource_type": "ContainerProject", "display_name": "project-1", "_last_sync_time": 1555405468523 }, { "external_id": "a1ba31a6-6026-11e9-980c-dca9048e157d", "tags": [ { "scope": "dis:k8s:key2", "tag": "val2" } ], "origin_properties": [ { "key": "prop0", "value": "val0" } ], "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "resource_type": "ContainerProject", "display_name": "project-2", "_last_sync_time": 1555405468524 } ], "result_count": 2, "sort_by": "displayName", "sort_ascending": true } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return a container project

Returns information about a specific project Request:

Method:

GET

URI Path(s):

/api/v1/fabric/container-projects/{container-project-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/container-projects/a1ba2e72-6026-11e9-980c-dca9048e157d Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ContainerProject+

ContainerProject (schema)

Name	Description	Type	Notes
_last_sync_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
container_cluster_id	Identifier of the container cluster Identifier of the container cluster to which this project/namespace belongs.	string
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
external_id	External identifier of the container project External identifier of the container project.	string	Required
network_errors	Network errors List of network errors related to container project.	array of NetworkError
network_status	Network status of container project Network status of container project.	string	Enum: HEALTHY, UNHEALTHY
origin_properties	Origin properties Array of additional specific properties of container project in key-value format.	array of KeyValuePair
resource_type	Must be set to the value ContainerProject	string	Required
scope	List of scopes for discovered resource Specifies list of scope of discovered resource. e.g. if VHC path is associated with principal identity, who owns the discovered resource, then scope id will be VHC path and scope type will be VHC.	array of DiscoveredResourceScope
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30

Example Response: { "external_id": "a1ba2e72-6026-11e9-980c-dca9048e157d", "tags": [ { "scope": "dis:k8s:key", "tag": "val" } ], "origin_properties": [ { "key": "prop0", "value": "val0" } ], "container_cluster_id": "a19ad270-6026-11e9-980c-dca9048e157d", "resource_type": "ContainerProject", "display_name": "project-1", "_last_sync_time": 1555405468523 } Required Permissions: read Feature: containers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Groups

Policy: Inventory: Groups: Group Members

Associated URIs:

GET /policy/api/v1/infra/bms-group-associations
GET /policy/api/v1/global-infra/bms-group-associations
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/bms-group-associations
GET /policy/api/v1/infra/bmsi-group-associations
GET /policy/api/v1/global-infra/bmsi-group-associations
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/bmsi-group-associations
GET /policy/api/v1/infra/cloud-native-service-group-associations
GET /policy/api/v1/global-infra/cloud-native-service-group-associations
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/associated-kubernetes-clusters
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/member-types
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/member-types
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/member-types
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/antrea-egresses
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/antrea-ip-pools
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/bms
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/bms
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/bmsi
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/bmsi
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/cloud-native-service-instances
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/cloud-native-service-instances
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/consolidated-effective-ip-addresses
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/dvpg
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/dvpg
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/dvports
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/dvports
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/identity-groups
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/ip-addresses
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/ip-addresses
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/ip-addresses
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/ip-groups
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/ip-groups
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/ip-groups
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/kubernetes-gateways
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/kubernetes-ingresses
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/kubernetes-node-ips
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/kubernetes-node-pod-cidrs
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/kubernetes-services
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/logical-ports (Deprecated)
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/logical-ports (Deprecated)
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/logical-ports (Deprecated)
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/logical-switches (Deprecated)
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/logical-switches (Deprecated)
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/logical-switches (Deprecated)
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/pods
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/pods
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/pods
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/segment-ports
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/segment-ports
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/segment-ports
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/segments
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/segments
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/segments
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/transport-nodes
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/vifs
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/vifs
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/vifs
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/virtual-machines
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/virtual-machines
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/virtual-machines
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/statistics/virtual-machines (Deprecated)
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/statistics/virtual-machines (Deprecated)
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/tags
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/tags
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/tags
GET /policy/api/v1/infra/group-associations
GET /policy/api/v1/global-infra/group-associations
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/group-associations
GET /policy/api/v1/infra/identity-group-associations
GET /policy/api/v1/infra/ip-address-group-associations
GET /policy/api/v1/global-infra/ip-address-group-associations
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/ip-address-group-associations
GET /policy/api/v1/infra/pod-group-associations
GET /policy/api/v1/global-infra/pod-group-associations
GET /policy/api/v1/infra/virtual-machine-group-associations
GET /policy/api/v1/global-infra/virtual-machine-group-associations
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/virtual-machine-group-associations
GET /policy/api/v1/infra/virtual-network-interface-group-associations
GET /policy/api/v1/global-infra/virtual-network-interface-group-associations
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/virtual-network-interface-group-associations

Get groups for which the given bare metal server (BMS) is a member

Get policy groups for which the given bare metal server (BMS) is a member.
This API is only available when using VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/bms-group-associations

/policy/api/v1/global-infra/bms-group-associations

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/bms-group-associations

Request Headers:

n/a

Query Parameters:

BareMetalServerGroupAssociationRequestParams+

BareMetalServerGroupAssociationRequestParams (schema)

Name	Description	Type	Notes
bms_external_id	BMS external ID	string	Required
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of groups needs to be fetched. Forward slashes must be escaped using %2F. If no enforcement point path is specified, the default enforcement point is considered	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/bms-group-associations?bms_external_id=564de333-15ac-de52-da90-974fe099a17b&enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyResourceReferenceForEPListResult+

Example Response: { "result_count": 2, "results": [ { { "path" : "/infra/domains/domain1/groups/g1", "target_id" : "g1", "target_display_name" : "group-1", "target_type" : "DOMAIN_GROUP", "is_valid" : "true", "owner_id": "4c5c5516-087a-47cd-9fba-a7669775d308", "origin_site_id": "4c5c5516-087a-47cd-9fba-a7669775d308" }, { "path" : "/infra/domains/domain1/groups/g2", "target_id" : "g2", "target_display_name" : "group-2", "target_type" : "DOMAIN_GROUP", "is_valid" : "true", "owner_id": "4c5c5516-087a-47cd-9fba-a7669775d308", "origin_site_id": "4c5c5516-087a-47cd-9fba-a7669775d308" } } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get groups for which the given bare metal server interface (BMSI) is a member

Get policy groups for which the given bare metal server interface (BMSI) is a member.
This API is only available when using VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/bmsi-group-associations

/policy/api/v1/global-infra/bmsi-group-associations

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/bmsi-group-associations

Request Headers:

n/a

Query Parameters:

BareMetalServerInterfaceGroupAssociationRequestParams+

BareMetalServerInterfaceGroupAssociationRequestParams (schema)

Name	Description	Type	Notes
bmsi_external_id	BMSI external ID	string	Required
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of groups needs to be fetched. Forward slashes must be escaped using %2F. If no enforcement point path is specified, the default enforcement point is considered	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/bmsi-group-associations?bmsi_external_id=564de333-15ac-de52-da90-974fe099a17b&enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyResourceReferenceForEPListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get groups for which the given Cloud Native Service Instance is a member

Get policy groups for which the given Cloud Native Service Instance is a member.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/cloud-native-service-group-associations

/policy/api/v1/global-infra/cloud-native-service-group-associations

Request Headers:

n/a

Query Parameters:

CNSGroupAssociationRequestParams+

CNSGroupAssociationRequestParams (schema)

Name	Description	Type	Notes
cns_external_id	Cloud Native Service external ID	string	Required
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of members needs to be fetched. Forward slashes must be escaped using %2F.	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/cloud-native-service-group-associations?cns_external_id=564de333-15ac-de52-da90-974fe099a17b&enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyResourceReferenceForEPListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get associated kubernetes clusters for given group

Get list of clusters associated to this Group. This API is applicable for Groups
containing kubernetes resources. For Groups containing other member types an empty list is returned.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/associated-kubernetes-clusters

Request Headers:

n/a

Query Parameters:

AssociatedKubernetesClusterListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/associated-kubernetes-clusters Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupAssociatedKubernetesClusterListResult+

Example Response: { "results": [ { "clusters": [ { "external_id": "6ar43cd0-6f0a-40b0-a31a-1f55d51e1824", "display_name": "tenant1" }, { "external_id": "77r43cd0-6f0a-40b0-a31a-1f55d51e1824", "display_name": "tenant2" } ] } ], "result_count": 2, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get member types for a given Group

It retrieves member types for a given group. In case of nested groups, it calculates
member types of child groups as well. Considers member type for members added
via static members and dynamic membership criteria.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/member-types

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/member-types

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/member-types

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup/member-types Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GroupMemberTypeListResult+

Example Response: { "resultCount": 1, "results" : ["VirtualMachine"] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get antrea egresses that belong to this Group

Get antrea egresses that belong to this Group. This API is applicable for Groups
containing AntreaEgress member type. For
Groups containing other member types an empty list is returned
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/antrea-egresses

Request Headers:

n/a

Query Parameters:

PolicyKubernetesListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/antrea-egresses?cluster_id=6ar43cd0-6f0a-40b0-a31a-1f55d51e1824 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupAntreaEgressListResult+

Example Response: { "results": [ { "clusters": [ { "external_id": "6ar43cd0-6f0a-40b0-a31a-1f55d51e1824", "display_name": "ANTK01", "antrea-egresses": [ { "external_id": "564de333-15ac-de52-da90-974fe099a17b", "display_name": "egress-prod-web", "egress_ip": "10.10.0.8" }, { "external_id": "564de333-15ac-de52-da90-974fe099a17b", "display_name": "egress-staging-web", "egress_ip": "192.168.20.1" } ] } ] } ], "result_count": 2, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get antrea ippools that belong to this Group

Get antrea ippools that belong to this Group. This API is applicable for Groups
containing AntreaIPPool member type. For
Groups containing other member types an empty list is returned
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/antrea-ip-pools

Request Headers:

n/a

Query Parameters:

PolicyKubernetesListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/antrea-ip-pools?cluster_id=6ar43cd0-6f0a-40b0-a31a-1f55d51e1824 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupAntreaIPPoolListResult+

Example Response: { "results": [ { "clusters": [ { "external_id": "6ar43cd0-6f0a-40b0-a31a-1f55d51e1824", "display_name": "ANTK01", "antrea_ip_pools": [ { "external_id": "564de333-15ac-de52-da90-974fe099a17b", "display_name": "prod-ip-pool", "ip_ranges": [ { "cidr": "10.10.1.0/28", "start": "10.10.1.0", "end": "10.10.1.15", "gateway": "10.10.1.0", "prefix_length": 28, "vlan": 1 } ] } ] } ] } ], "result_count": 1, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get Effective Bare Metal Servers(BMS) that belong to this group.

Returns Effective Bare metal servers(BMS) that belong to this group.
This API is applicable only for Groups containing BMS member type.
For Groups containing other member types,it returns an empty list.
This API is only available when using VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/bms

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/bms

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/bms?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

BareMetalServerListResult+

Example Response: { "cursor" : "00361f148bdc-fe7c-4320-8ef3-594e28d57c87Iws-2", "result_count": 1, "results": [ { "display_name": "BM-1", "tags": [ { "scope": "os", "tag": "linux86" } ], "resource_type": "BareMetalServer", "source_id": "74730a28-e52d-11e5-936e-6f061d405a11", "external_id": "74730a28-e52d-11e5-936e-6f061d405a22", "cpu_cores": 4 "os_info": { "os_name": "Ubuntu Linux (64-bit)", "os_version": "20.0" }, "_last_sync_time": 1493291539130 } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get Effective Bare Metal Server Interfaces(BMSI) that belong to this group.

Returns Effective Bare metal server interfaces (BMSI) that belong to this group.
This API is applicable only for Groups containing BMSI member type.
For Groups containing other member types,it returns an empty list.
This API is only available when using VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/bmsi

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/bmsi

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/bmsi?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

BareMetalServerInterfaceListResult+

Example Response: { "cursor" : "00361f148bdc-fe7c-4320-8ef3-594e28d57c87Iws-2", "result_count": 1, "results": [ { "external_id": "5006d98a-352f-134f-df6b-33e7f8d5de65", "tags": [ { "scope": "os", "tag": "linux86" } ], "resource_type": "BareMetalServerInterface", "bms_external_id": "5006d98a-352f-134f-df6b-33e7f8d54444", "display_name": "Interface1", "ip_addresses": [ "172.16.20.10", "fe80::250:56ff:fe86:f2b2" ], "mac_address": "00:50:56:86:f2:b2", "source_id": "74730a28-e52d-11e5-936e-6f061d405a28", "is_mgmt_interface": "true", "state": "UP" } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get Effective Cloud Native Service Instances that belong to this group.

Returns Effective Cloud Native Service Instances that belong to this group.
This API is applicable only for Groups containing CloudNativeServiceInstance member type.
For Groups containing other member types,it returns an empty list.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/cloud-native-service-instances

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/cloud-native-service-instances

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/cloud-native-service-instances?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupMembersListResult+

Example Response: { "cursor" : "00361f148bdc-fe7c-4320-8ef3-594e28d57c87Iws-2", "result_count" : 1, "results" : [ { "display_name" : "CNS-2", "id" : "420e72c9-55e7-a4f7-81bf-673a2af1a6cf" } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get consolidated effective IPAddress translated from this group across site

Returns the consolidated effective IP address members of the specified Group. This is applicable in the case of a
federated environment. The response includes a site-wise list of static and dynamically translated effective IP
address members. If the group evaluation on a site is empty, the response will contain the site-id with empty list.
If a group is a reference group on a site, then its consolidated effective IP response will contain the effective IPs
from other sites, and the response will contain an empty list of IPs for the sites where is it a reference group.

This API is applicable only for Global Groups that contain (either directly or via nesting) VirtualMachine,
VIF, Segment, SegmentPort, or IPSet member types. Please use the cursor value in the response to fetch the next page.
If there is no cursor value in the response, it indicates that it is the last page of results for the query.
This API is only available when using VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/consolidated-effective-ip-addresses

Request Headers:

n/a

Query Parameters:

ConsolidatedEffectiveIPListRequestParameters+

ConsolidatedEffectiveIPListRequestParameters (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point on which the API needs to be executed. Forward slashes must be escaped using %2F.	string
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
ip_filter	An IPAddress or subnet for filtering the results. This filter can be used to verify an ip membership in the effective results	IPElement
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
site_id	UUID of the site from which the effective IP addresses are to be fetched	string
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: Group demo1 have dynamic criteria based on vm name contains 'vm' and 2 static IPs "fd01:0:101:2600:20c:29ff:fe23:eef3","25.1.1.4/30". Request for Group in Federation environment on Paris LM: GET https://{{paris-site-ip}}/policy/api/v1/global-infra/domains/default/groups/demo1/members/consolidated-effective-ip-addresses?enforcement_point_path=/global-infra/sites/Paris/enforcement-points/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ConsolidatedEffectiveIPAddressMemberListResult+

Example Response: { "results": [ { "site_id": "e977e929-255e-41c0-a938-a35d12f860ee", "effective_ips": [ "fd01:0:101:2600:20c:29ff:fe23:eef3", "25.1.1.4/30", "10.160.8.45", "10.160.16.77" ] }, { "site_id": "210d7017-5dca-4901-bfcc-c63928215160", "effective_ips": [ "fd01:0:101:2600:20c:29ff:fe23:eef3", "25.1.1.4/30", "10.160.10.118", "10.160.27.172" ] }, { "site_id": "fa8be70f-b592-4cb1-add9-b89ccdfd3ee3", "effective_ips": [ "fd01:0:101:2600:20c:29ff:fe23:eef3", "25.1.1.4/30", "10.160.15.134", "10.160.26.223" ] } ], "cursor": "7806177147493-0" } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get Discovered Port Groups that belong to this Group

Get Discovered Port Groups that belong to this Group
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/dvpg

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/dvpg

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/dvpg?enforcement_point_path=/infra/sites/default/enforcement-points/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupMembersListResult+

Example Response: { "results": [ { "id": "dvpg-1", "display_name": "segment-1", "path": "/infra/segments/segment-1" } ], "result_count": 1, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get discovered ports that belong to this Group

Get discovered ports that belong to this Group
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/dvports

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/dvports

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/segment-ports?enforcement_point_path=/infra/sites/default/enforcement-points/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupMembersListResult+

Example Response: { "results": [ { "id": "default:4a5a3cd0-6f0a-40b0-a31a-1f55d51e1824", "display_name": "nbokare-10.160.129.166-vdtest-97902/VM-1-10.160.129.166-20190505-122351-03783733@b089f7e1-433f-4ecc-9722-ab5f2b66d391", "path": "/infra/segments/segment-1/ports/default:4a5a3cd0-6f0a-40b0-a31a-1f55d51e1824" } ], "result_count": 1, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get Effective Identity Groups that belong to this group.

Returns Effective Identiy Groups that belong to this group.
This API is applicable only for Groups containing IdentityGroup member type.
For Groups containing other member types,it returns an empty list.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/identity-groups

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/identity-groups?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupMembersListResult+

Example Response: { "cursor": "00361f148bdc-fe7c-4320-8ef3-594e28d57c87Iws-2", "sort_ascending": true, "result_count": 2, "results": [ { "id" : "fcb51d1d-b141-4f5b-a0b9-1063a1470a63", "display_name" : "ADGroup1" }, { "id" : "3eecac54-15e7-4a0d-b418-001052fcfdcd", "display_name" : "ADGroup2" } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get IP addresses that belong to this Group

Get IP addresses that belong to this Group.
This API is applicable for Groups containing either VirtualMachine, VIF,
Segment ,Segment Port or IP Address member type.For Groups containing other
member types,an empty list is returned
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/ip-addresses

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/ip-addresses

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/ip-addresses

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/ip-addresses?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupIPMembersListResult+

Example Response: { "result_count": 3, "results": [ "192.168.0.0/24", "192.168.0.1", "192.168.0.1-192.168.0.100" ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get Effective IPGroups that belong to this group.

Returns effective IPGroups that belong to this group.
This API is applicable only for Groups containing IPSet member type.
For Groups containing other member types,it returns an empty list.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/ip-groups

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/ip-groups

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/ip-groups

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/ip-groups?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupMembersListResult+

Example Response: { "cursor": "00361f148bdc-fe7c-4320-8ef3-594e28d57c87Iws-2", "sort_ascending": true, "result_count": 2, "results": [ { "target_id" : "fcb51d1d-b141-4f5b-a0b9-1063a1470a63", "target_display_name" : "IPSet1", "target_type" : "IPSet", }, { "id" : "3eecac54-15e7-4a0d-b418-001052fcfdcd", "display_name" : "IPSet2", "target_type" : "IPSet" } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get kubernetes gateways that belong to this Group

Get kubernetes gateways that belong to this Group. This API is applicable for Groups
containing KubernetesGateway member type. For
Groups containing other member types an empty list is returned
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/kubernetes-gateways

Request Headers:

n/a

Query Parameters:

PolicyKubernetesListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/kubernetes-gateways?cluster_id=6ar43cd0-6f0a-40b0-a31a-1f55d51e1824 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupKubernetesGatewayListResult+

Example Response: { "results": [ { "clusters": [ { "external_id": "6ar43cd0-6f0a-40b0-a31a-1f55d51e1824", "display_name": "ANTK01", "namespaces": [ { "external_id": "e0b2ec27-852d-4cc3-9818-b5869e7589e6", "display_name": "kube-node-lease", "kubernetes_gateways": [ { "external_id": "564de333-15ac-de52-da90-974fe099a17b", "display_name": "external-http", "gateway_ip_addresses": [ "192.168.1.14" ] }, { "external_id": "3de1ba27-61fe-4f27-b116-11f9ec312fcb", "display_name": "internal-http", "gateway_ip_addresses": [ "192.168.1.15" ] }, { "external_id": "34b5793c-af87-41c4-80fa-f87fff77ef53", "display_name": "internal-named-http", "gateway_ip_addresses": [ "192.168.1.16" ] } ] } ] } ] } ], "result_count": 3, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get kubernetes ingress policies that belong to this Group

Get kubernetes ingress policies that belong to this Group. This API is applicable for Groups
containing KubernetesIngress member type. For
Groups containing other member types an empty list is returned
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/kubernetes-ingresses

Request Headers:

n/a

Query Parameters:

PolicyKubernetesListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/kubernetes-ingresses?cluster_id=6ar43cd0-6f0a-40b0-a31a-1f55d51e1824 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupKubernetesIngressListResult+

Example Response: { "results": [ { "clusters": [ { "external_id": "6ar43cd0-6f0a-40b0-a31a-1f55d51e1824", "display_name": "ANTK01", "namespaces": [ { "external_id": "e0b2ec27-852d-4cc3-9818-b5869e7589e6", "display_name": "kube-node-lease", "kubernetes_ingresses": [ { "external_id": "564de333-15ac-de52-da90-974fe099a17b", "display_name": "nginx-example", "load_balance_ingress_ip_addresses": [ "10.10.1.0", "10.10.2.0", "" ] }, { "external_id": "564de333-15ac-de52-da90-974fe099a17b", "display_name": "ingress-resource-backend", "load_balance_ingress_ip_addresses": [ "10.10.3.0", "10.10.4.0", "" ] } ] } ] } ] } ], "result_count": 2, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get kubernetes nodes that belong to this Group

Get kubernetes nodes that belong to this Group. This API is applicable for Groups
containing KubernetesNode member type with key as IP_ADDRESSES. For
Groups containing other member types an empty list is returned
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/kubernetes-node-ips

Request Headers:

n/a

Query Parameters:

PolicyKubernetesListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/kubernetes-node-ips?cluster_id=6ar43cd0-6f0a-40b0-a31a-1f55d51e1824 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupKubernetesNodeListResult+

Example Response: { "results": [ { "clusters": [ { "external_id": "6ar43cd0-6f0a-40b0-a31a-1f55d51e1824", "display_name": "ANTK01", "kubernetes_nodes": [ { "external_id": "564de333-15ac-de52-da90-974fe099a17b", "display_name": "workload-control-plane-jsz27", "ip_addresses": [ "10.217.161.107" ] }, { "external_id": "0222a09f-f806-4c41-840e-d0970690998c", "display_name": "workload-md-0-d4c86fd4d-kqd56", "ip_addresses": [ "10.217.161.106", "10.217.161.107" ] } ] } ] } ], "result_count": 2, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get kubernetes node pod cidrs that belong to this Group

Get kubernetes node pod cidrs that belong to this Group. This API is applicable for Groups
containing KubernetesNode member type with key as POD_CIDRS. For
Groups containing other member types an empty list is returned
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/kubernetes-node-pod-cidrs

Request Headers:

n/a

Query Parameters:

PolicyKubernetesListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/kubernetes-node-pod-cidrs?cluster_id=6ar43cd0-6f0a-40b0-a31a-1f55d51e1824 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupPodCidrListResult+

Example Response: { "results": [ { "clusters": [ { "external_id": "6ar43cd0-6f0a-40b0-a31a-1f55d51e1824", "display_name": "ANTK01", "kubernetes_nodes" : [ { "pod_cidrs" : [ "10.221.121.206/32", "FE80::/64" ], "external_id" : "873eee86-8331-4b84-a278-4b132f4cbd17", "display_name" : "workload-control-plane-jsz27" }, { "pod_cidrs" : [ "10.221.121.205/32", "FE80::/64" ], "external_id" : "cc54a04d-0aba-4a24-9e6a-0a7372202242", "display_name" : "workload-md-0-d4c86fd4d-kqd56" } ] } ] } ], "result_count": 2, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get kubernetes services that belong to this Group

Get kubernetes services that belong to this Group. This API is applicable for Groups
containing KubernetesService member type. For
Groups containing other member types an empty list is returned
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/kubernetes-services

Request Headers:

n/a

Query Parameters:

PolicyKubernetesListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/kubernetes-services?cluster_id=6ar43cd0-6f0a-40b0-a31a-1f55d51e1824 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupKubernetesServiceListResult+

Example Response: { "results": [ { "clusters": [ { "external_id": "6ar43cd0-6f0a-40b0-a31a-1f55d51e1824", "display_name": "ANTK01", "namespaces": [ { "external_id": "e0b2ec27-852d-4cc3-9818-b5869e7589e6", "display_name": "kube-node-lease", "kubernetes_services": [ { "external_id": "564de333-15ac-de52-da90-974fe099a17b", "display_name": "frontend", "type": "LoadBalancer", "load_balance_ingress_ip_addresses": [ "100.71.35.11", "" ], "node_port_local_endpoints": [ ], "cluster_ips": [ ] }, { "external_id": "34b5793c-af87-41c4-80fa-f87fff77ef53", "display_name": "kubernetes", "type": "ClusterIP", "load_balance_ingress_ip_addresses": [ ], "node_port_local_endpoints": [ { "node_ip": "100.71.35.11", "node_port": "30007" } ], "cluster_ips": [ "100.64.147.218" ] } ] } ] } ] } ], "result_count": 2, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get logical ports that belong to this Group (Deprecated)

Get logical ports that belong to this Group
This API is applicable for Groups containing either VirtualMachine, VIF,
Segment or Segment Port member type.For Groups containing other
member types,an empty list is returned.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/logical-ports

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/logical-ports

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/logical-ports

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/logical-ports?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupMembersListResult+

Example Response: { "result_count": 2, "results": [ { "id" : "20c1ac1f-58b5-4241-a352-f8e82c4a8c65", "display_name" : "LP-HR1" }, { "id" : "c07005fe-4a9a-47f1-9a1e-2db65a285124", "display_name" : "LP-HR2" } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get logical switches that belong to this Group (Deprecated)

Get logical switches that belong to this Group.
This API is applicable for Groups containing Segment member type.
For Groups containing other member types, an empty list is returned.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/logical-switches

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/logical-switches

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/logical-switches

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/logical-switches?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupMembersListResult+

Example Response: { "result_count": 2, "results": [ { "id" : "20c1ac1f-58b5-4241-a352-f8e82c4a8c65", "display_name" : "LS-HR1" }, { "id" : "c07005fe-4a9a-47f1-9a1e-2db65a285124", "display_name" : "LS-HR2" } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get pods that belong to this Group

Get pods that belong to this Group. This API is applicable for Groups
containing either Pod, Cluster, Namespace, Service member type. For
Groups containing other member types an empty list is returned
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/pods

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/pods

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/pods

Request Headers:

n/a

Query Parameters:

ContainerListRequestParameters+

ContainerListRequestParameters (schema)

Name	Description	Type	Notes
cluster_id	Cluster ID ID of the cluster to query	string
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of members needs to be fetched. Forward slashes must be escaped using %2F.	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/pods?enforcement_point_path=/infra/sites/default/enforcement-points/default&cluster_id=6ar43cd0-6f0a-40b0-a31a-1f55d51e1824 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyContainerGroupMembersListResult+

Example Response: { "results": [ { "cluster_id":"6ar43cd0-6f0a-40b0-a31a-1f55d51e1824", "pods":[ { "id": "4a5a3cd0-6f0a-40b0-a31a-1f55d51e1824", "display_name": "Container1" }, { "id": "54R3W356-6f0a-40b0-a31a-1f55d51e1824", "display_name": "Container2" } ] } ], "result_count": 1, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get segment ports that belong to this Group

Get segment ports that belong to this Group
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/segment-ports

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/segment-ports

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/segment-ports

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/segment-ports?enforcement_point_path=/infra/sites/default/enforcement-points/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupMembersListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get segments that belong to this Group

Get segments that belong to this Group
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/segments

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/segments

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/segments

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/segments?enforcement_point_path=/infra/sites/default/enforcement-points/default Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupMembersListResult+

Example Response: { "results": [ { "id": "segment-1", "display_name": "segment-1", "path": "/infra/segments/segment-1" } ], "result_count": 1, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get effective transport node members that belong to this group

Get effective transport node members that belong to this Group.
This API is applicable only for Groups containing TransportNode member type.
For Groups containing other member types,an empty list is returned.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/transport-nodes

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/transport-nodes?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyGroupMembersListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "id": "5327b241-7fdd-4d41-9e93-76e006b8a4c2", "display_name" : "TransportNode-1" } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get Virtual Network Interface instances that belong to this Group

Get Virtual Network Interface instances that belong to this Group.
This API is applicable for Groups containing VirtualNetworkInterface and VirtualMachine member types.
For Groups containing other member types,an empty list is returned.target_id in response
is external_id of VirtualNetworkInterface or VirtualMachine.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/vifs

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/vifs

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/vifs

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/vifs?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VirtualNetworkInterfaceListResult+

Example Response: { "results": [ { "external_id": "564dda4e-bc05-061c-dac7-7a314e0e0c9c-4000", "owner_vm_id": "1778a2b0-7f9b-4c64-806c-bc13d6d60762", "owner_vm_type": "REGULAR", "host_id": "28477562-ea6f-11e9-9c84-f98983786a98", "vm_local_id_on_host": "1", "device_key": "4000", "device_name": "Network adapter 1", "mac_address": "00:0c:29:0e:0c:9c", "ip_address_info": [ { "source": "VM_TOOLS", "ip_addresses": [ "10.170.66.155", "fd01:3:4:2825:c5dc:25a5:fbb9:6762", "fd01:3:4:2825:2c49:a400:48df:23dd", "fd01:3:4:2825:34ca:5670:96e0:6edf", "fd01:3:4:2825:d9e4:5e51:6df6:c93e", "fd01:3:4:2825:b002:86da:30d4:1030", "fd01:3:4:2825:20c:29ff:fe0e:c9c", "fe80::20c:29ff:fe0e:c9c", "fd01:3:4:2825:eddf:5879:67d5:6293", "fd01:3:4:2825:f027:6316:8de5:3a29" ] } ], "resource_type": "VirtualNetworkInterface", "display_name": "Network adapter 1", "_last_sync_time": 0 } ], "result_count": 1, "sort_by": "display_name", "sort_ascending": true } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get Virtual machines that belong to this Group

Get Virtual machines that belong to this Group.
This API is applicable for Groups containing VirtualMachine,member type.
For Groups containing other member types,an empty list is returned.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/members/virtual-machines

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/members/virtual-machines

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/members/virtual-machines

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/members/virtual-machines?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

RealizedVirtualMachineListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type": "RealizedVirtualMachine", "id": "564de333-15ac-de52-da90-974fe099a17b", "display_name": "1-vm_ubuntu_1404_srv_64-local-586-bb9bbaf4-7f29-4e7a-9216-ef33890bf081", "path": "/infra/realized-state/enforcement-points/nsx-1/virtual-machines/564de333-15ac-de52-da90-974fe099a17b", "parent_path": "/infra/realized-state/enforcement-points/nsx-1", "relative_path": "564de333-15ac-de52-da90-974fe099a17b", "intent_reference": [], "realization_specific_identifier": "564de333-15ac-de52-da90-974fe099a17b", "alarms": [], "state": "REALIZED", "runtime_status": "UNKNOWN", "compute_ids": [ "moIdOnHost:1", "hostLocalId:1", "locationId:564de333-15ac-de52-da90-974fe099a17b", "instanceUuid:bb9bbaf4-7f29-4e7a-9216-ef33890bf081", "externalId:564de333-15ac-de52-da90-974fe099a17b", "biosUuid:564de333-15ac-de52-da90-974fe099a17b" ], "power_state": "VM_RUNNING", "_create_user": "system", "_create_time": 1519383616259, "_last_modified_user": "system", "_last_modified_time": 1519383616259, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get effective VMs for the Group (Deprecated)

Get the effective VM membership for the Group. This API also gives some VM
details such as VM name, IDs and the current state of the VMs.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/statistics/virtual-machines

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/statistics/virtual-machines

Request Headers:

n/a

Query Parameters:

RealizedVirtualMachineListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/statistics/virtual-machines?enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

RealizedVirtualMachineListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type": "RealizedVirtualMachine", "id": "564de333-15ac-de52-da90-974fe099a17b", "display_name": "1-vm_ubuntu_1404_srv_64-local-586-bb9bbaf4-7f29-4e7a-9216-ef33890bf081", "path": "/infra/realized-state/enforcement-points/nsx-1/virtual-machines/564de333-15ac-de52-da90-974fe099a17b", "parent_path": "/infra/realized-state/enforcement-points/nsx-1", "relative_path": "564de333-15ac-de52-da90-974fe099a17b", "intent_reference": [], "realization_specific_identifier": "564de333-15ac-de52-da90-974fe099a17b", "alarms": [], "state": "REALIZED", "runtime_status": "UNKNOWN", "compute_ids": [ "moIdOnHost:1", "hostLocalId:1", "locationId:564de333-15ac-de52-da90-974fe099a17b", "instanceUuid:bb9bbaf4-7f29-4e7a-9216-ef33890bf081", "externalId:564de333-15ac-de52-da90-974fe099a17b", "biosUuid:564de333-15ac-de52-da90-974fe099a17b" ], "power_state": "vm_running", "_create_user": "system", "_create_time": 1519383616259, "_last_modified_user": "system", "_last_modified_time": 1519383616259, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get tags used to define conditions inside a Group

Get tags used to define conditions inside a Group. Also
includes tags inside nested groups.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/tags

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}/tags

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/tags

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/d1/groups/g1/tags Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GroupTagsList+

Example Response: { "result_count": 2, "results": [ { "member_type" : "IPSet", "tags" : [ "Web", "DB", "App" ] }, { "member_type" : "VirtualMachine", "tags" : [ "Linux", "Windows", "Mac" ] } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get groups for which the given object is a member

Get policy groups for which the given object is a member.
In Federation environment, if the given object is a global entity
(eg: global segment) and if the entity is not stretched to the site
specified in the enforcement_point_path parameter,then the following is returned:-
1)If the entity is a member of any global group and that group is stretched
to the enforcement_point_path site,then the API returns an empty list.
2)If the entity is not a member of any global group,this API returns
an 'invalid path' error message.
3)If both the entity and its corresponding groups are stretched to the
enforcement_point_path site , then the API returns the groups list.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/group-associations

/policy/api/v1/global-infra/group-associations

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/group-associations

Request Headers:

n/a

Query Parameters:

IntentEnforcementPointListRequestParams+

IntentEnforcementPointListRequestParams (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of groups needs to be fetched. Forward slashes must be escaped using %2F. If no enforcement point path is specified, the default enforcement point is considered	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
intent_path	String path of the intent object	string	Required
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/group-associations?intent_path=/infra/segment/s1&enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyResourceReferenceForEPListResult+

Example Response: { "result_count": 2, "results": [ { { "path" : "/infra/domains/domain1/groups/g1", "target_id" : "g1", "target_display_name" : "group-1", "target_type" : "DOMAIN_GROUP", "is_valid" : "true", "owner_id": "4c5c5516-087a-47cd-9fba-a7669775d308", "origin_site_id": "4c5c5516-087a-47cd-9fba-a7669775d308" }, { "path" : "/infra/domains/domain1/groups/g2", "target_id" : "g2", "target_display_name" : "group-2", "target_type" : "DOMAIN_GROUP", "is_valid" : "true", "owner_id": "4c5c5516-087a-47cd-9fba-a7669775d308", "origin_site_id": "4c5c5516-087a-47cd-9fba-a7669775d308", } } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get groups for which the given Identity Group is a member

Get policy groups for which the given Identity Group is a member.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/identity-group-associations

Request Headers:

n/a

Query Parameters:

IdentityGroupAssociationRequestParams+

IdentityGroupAssociationRequestParams (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of members needs to be fetched. Forward slashes must be escaped using %2F.	string
identity_group_external_id	Identity Group external ID	string	Required
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/identity-group-associations?identity_group_external_id=564de333-15ac-de52-da90-974fe099a17b&enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyResourceReferenceForEPListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get groups for which the given IP address is a member

Get policy groups for which the given IP address is a member.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/ip-address-group-associations

/policy/api/v1/global-infra/ip-address-group-associations

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/ip-address-group-associations

Request Headers:

n/a

Query Parameters:

IPAddressGroupAssociationRequestParams+

IPAddressGroupAssociationRequestParams (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of groups needs to be fetched. Forward slashes must be escaped using %2F. If no enforcement point path is specified, the default enforcement point is considered	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
ip_address	IPAddress	string	Required
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/ip-address-group-associations?ip_address=10.1.19.10&enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyResourceReferenceForEPListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get groups for which the given pod is a member

Get policy groups for which the given pod is a member.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/pod-group-associations

/policy/api/v1/global-infra/pod-group-associations

Request Headers:

n/a

Query Parameters:

ContainerApplicationInstanceGroupAssociationRequestParams+

ContainerApplicationInstanceGroupAssociationRequestParams (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of groups needs to be fetched. Forward slashes must be escaped using %2F. If no enforcement point path is specified, the default enforcement point is considered	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
pod_id	ContainerApplicationInstance	string	Required
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/pod-group-associations?pod_id=64dde333-15ac-de52-da90-974de459a17b&enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyResourceReferenceForEPListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get groups for which the given VM is a member

Get policy groups for which the given VM is a member.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/virtual-machine-group-associations

/policy/api/v1/global-infra/virtual-machine-group-associations

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/virtual-machine-group-associations

Request Headers:

n/a

Query Parameters:

VMGroupAssociationRequestParams+

VMGroupAssociationRequestParams (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of groups needs to be fetched. Forward slashes must be escaped using %2F. If no enforcement point path is specified, the default enforcement point is considered	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
vm_external_id	Virtual machine external ID	string	Required

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/virtual-machine-group-associations?vm_external_id=564de333-15ac-de52-da90-974fe099a17b&enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyResourceReferenceForEPListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get groups for which the given VIF is a member

Get policy groups for which the given VIF is a member.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/virtual-network-interface-group-associations

/policy/api/v1/global-infra/virtual-network-interface-group-associations

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/virtual-network-interface-group-associations

Request Headers:

n/a

Query Parameters:

VIFGroupAssociationRequestParams+

VIFGroupAssociationRequestParams (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of groups needs to be fetched. Forward slashes must be escaped using %2F. If no enforcement point path is specified, the default enforcement point is considered	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
vif_external_id	Virtual network interface external ID	string	Required

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/virtual-network-interface-group-associations?vif_external_id=564de333-15ac-de52-da90-974fe099a17b&enforcement_point_path=/infra/sites/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyResourceReferenceForEPListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Groups: Groups

Associated URIs:

GET /policy/api/v1/infra/domains/{domain-id}/groups
GET /policy/api/v1/global-infra/domains/{domain-id}/groups
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups
DELETE /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}
GET /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}
GET /policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}
PATCH /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}
PUT /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}
DELETE /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}
PATCH /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}
POST /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}
DELETE /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}
PATCH /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}
POST /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}
DELETE /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}
PATCH /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}
POST /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}
DELETE /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}
PATCH /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}
POST /policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}

List Groups for a domain

List Groups for a domain. Groups can be filtered using member_types query parameter,
which returns the groups that contains the specified member types. Multiple member types
can be provided as comma separated values. The API also return groups having member
type that are subset of provided member_types.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups

/policy/api/v1/global-infra/domains/{domain-id}/groups

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups

Request Headers:

n/a

Query Parameters:

GroupListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

GroupListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type": "Group", "description": "web group", "id": "webgroup", "display_name": "web group", "path": "/infra/domains/vmc/groups/webgroup", "parent_path": "/infra/domains/vmc", "relative_path": "webgroup", "expression": [ { "resource_type": "Condition", "member_type": "VirtualMachine", "value": "webvm", "key": "Tag", "operator": "EQUALS", "_protection": "NOT_PROTECTED" } ], "_create_user": "admin", "_create_time": 1517308749250, "_last_modified_user": "admin", "_last_modified_time": 1517308749250, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a group

If a group with the group-id is not already present, create a new group.
If it already exists, patch the group.
Group created with Kubernetes membership criteria includes only Antrea reported inventory as its members.
Once created, Groups with Identity (Directory) Group members should be updated with the new Distinguished Name in case it is changed on AD Server.
Maximum of 500 malicious IP Groups (i.e Group with criteria having IPAddress equals All MALICIOUS_IP) should be created.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

Group+

Group (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildDnsSecurityProfileBindingMap ChildGroupDiscoveryProfileBindingMap ChildGroupMonitoringProfileBindingMap ChildPolicyFirewallFloodProtectionProfileBindingMap ChildPolicyFirewallSessionTimerProfileBindingMap
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
expression	Expression The expression list must follow below criteria: 1. A non-empty expression list, must be of odd size. In a list, with indices starting from 0, all non-conjunction expressions must be at even indices, separated by a conjunction expression at odd indices. 2. The total of ConditionExpression and NestedExpression in a list should not exceed 5. 3. The total of IPAddressExpression, MACAddressExpression, external IDs in an ExternalIDExpression and paths in a PathExpression must not exceed the defined Config Max limit for the form-factor of Manager nodes. 4. Each expression must be a valid Expression. See the definition of the Expression type for more information.	array of Expression (Abstract type: pass one of the following concrete types) Condition ConjunctionOperator ExternalIDExpression GeoLocationExpression GroupScopeExpression IPAddressExpression IdentityGroupExpression MACAddressExpression NestedExpression PathExpression
extended_expression	Extended Expression Extended Expression allows additional higher level context to be specified for grouping criteria. (e.g. user AD group) This field allow users to specified user context as the source of a firewall rule for IDFW feature. Current version only support a single IdentityGroupExpression. In the future, this might expand to support other conjunction and non-conjunction expression. The extended expression list must follow below criteria: 1. Contains a single IdentityGroupExpression. No conjunction expression is supported. 2. No other non-conjunction expression is supported, except for IdentityGroupExpression. 3. Each expression must be a valid Expression. See the definition of the Expression type for more information. 4. Extended expression are implicitly AND with expression. 5. No nesting can be supported if this value is used. 6. If a Group is using extended expression, this group must be the only member in the source field of an communication map.	array of Expression (Abstract type: pass one of the following concrete types) Condition ConjunctionOperator ExternalIDExpression GeoLocationExpression GroupScopeExpression IPAddressExpression IdentityGroupExpression MACAddressExpression NestedExpression PathExpression	Maximum items: 1
group_type	Indicates the group type. Group type can be specified during create and update of a group. Empty group type indicates a 'generic' group, ie group can include any entity from the valid GroupMemberType.	array of GroupTypes	Maximum items: 1
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
reference	Indicates if the group is a reference. If true, indicates that this is a remote reference group. Such group will have span different from the its parent domain. Default value is false.	boolean	Readonly Default: "False"
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Group	string
state	Realization state of this group	string	Readonly Enum: IN_PROGRESS, SUCCESS, FAILURE
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup { "expression": [ { "member_type": "VirtualMachine", "value": "webvm", "key": "Tag", "operator": "EQUALS", "resource_type": "Condition" } ], "description": "web group", "display_name": "web group" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or update a group

If a group with the group-id is not already present, create a new group.
If it already exists, update the group.
Avoid creating groups with multiple MACAddressExpression and IPAddressExpression.
In future releases, group will be restricted to contain a single
MACAddressExpression and IPAddressExpression along with other expressions.
To group IPAddresses or MACAddresses, use nested groups instead of multiple
IPAddressExpressions/MACAddressExpression.
Group created with Kubernetes membership criteria includes only Antrea reported inventory as its members.
Once created, Groups with Identity (Directory) Group members should be updated with the new Distinguished Name in case it is changed on AD Server.
Maximum of 500 malicious IP Groups (i.e Group with criteria having IPAddress equals All MALICIOUS_IP) should be created.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

Group+

Group (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildDnsSecurityProfileBindingMap ChildGroupDiscoveryProfileBindingMap ChildGroupMonitoringProfileBindingMap ChildPolicyFirewallFloodProtectionProfileBindingMap ChildPolicyFirewallSessionTimerProfileBindingMap
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
expression	Expression The expression list must follow below criteria: 1. A non-empty expression list, must be of odd size. In a list, with indices starting from 0, all non-conjunction expressions must be at even indices, separated by a conjunction expression at odd indices. 2. The total of ConditionExpression and NestedExpression in a list should not exceed 5. 3. The total of IPAddressExpression, MACAddressExpression, external IDs in an ExternalIDExpression and paths in a PathExpression must not exceed the defined Config Max limit for the form-factor of Manager nodes. 4. Each expression must be a valid Expression. See the definition of the Expression type for more information.	array of Expression (Abstract type: pass one of the following concrete types) Condition ConjunctionOperator ExternalIDExpression GeoLocationExpression GroupScopeExpression IPAddressExpression IdentityGroupExpression MACAddressExpression NestedExpression PathExpression
extended_expression	Extended Expression Extended Expression allows additional higher level context to be specified for grouping criteria. (e.g. user AD group) This field allow users to specified user context as the source of a firewall rule for IDFW feature. Current version only support a single IdentityGroupExpression. In the future, this might expand to support other conjunction and non-conjunction expression. The extended expression list must follow below criteria: 1. Contains a single IdentityGroupExpression. No conjunction expression is supported. 2. No other non-conjunction expression is supported, except for IdentityGroupExpression. 3. Each expression must be a valid Expression. See the definition of the Expression type for more information. 4. Extended expression are implicitly AND with expression. 5. No nesting can be supported if this value is used. 6. If a Group is using extended expression, this group must be the only member in the source field of an communication map.	array of Expression (Abstract type: pass one of the following concrete types) Condition ConjunctionOperator ExternalIDExpression GeoLocationExpression GroupScopeExpression IPAddressExpression IdentityGroupExpression MACAddressExpression NestedExpression PathExpression	Maximum items: 1
group_type	Indicates the group type. Group type can be specified during create and update of a group. Empty group type indicates a 'generic' group, ie group can include any entity from the valid GroupMemberType.	array of GroupTypes	Maximum items: 1
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
reference	Indicates if the group is a reference. If true, indicates that this is a remote reference group. Such group will have span different from the its parent domain. Default value is false.	boolean	Readonly Default: "False"
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Group	string
state	Realization state of this group	string	Readonly Enum: IN_PROGRESS, SUCCESS, FAILURE
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup { "expression": [ { "member_type": "VirtualMachine", "value": "webvm", "key": "Tag", "operator": "EQUALS", "resource_type": "Condition" } ], "description": "web group", "display_name": "web group", "_revision":0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Group+

Group (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildDnsSecurityProfileBindingMap ChildGroupDiscoveryProfileBindingMap ChildGroupMonitoringProfileBindingMap ChildPolicyFirewallFloodProtectionProfileBindingMap ChildPolicyFirewallSessionTimerProfileBindingMap
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
expression	Expression The expression list must follow below criteria: 1. A non-empty expression list, must be of odd size. In a list, with indices starting from 0, all non-conjunction expressions must be at even indices, separated by a conjunction expression at odd indices. 2. The total of ConditionExpression and NestedExpression in a list should not exceed 5. 3. The total of IPAddressExpression, MACAddressExpression, external IDs in an ExternalIDExpression and paths in a PathExpression must not exceed the defined Config Max limit for the form-factor of Manager nodes. 4. Each expression must be a valid Expression. See the definition of the Expression type for more information.	array of Expression (Abstract type: pass one of the following concrete types) Condition ConjunctionOperator ExternalIDExpression GeoLocationExpression GroupScopeExpression IPAddressExpression IdentityGroupExpression MACAddressExpression NestedExpression PathExpression
extended_expression	Extended Expression Extended Expression allows additional higher level context to be specified for grouping criteria. (e.g. user AD group) This field allow users to specified user context as the source of a firewall rule for IDFW feature. Current version only support a single IdentityGroupExpression. In the future, this might expand to support other conjunction and non-conjunction expression. The extended expression list must follow below criteria: 1. Contains a single IdentityGroupExpression. No conjunction expression is supported. 2. No other non-conjunction expression is supported, except for IdentityGroupExpression. 3. Each expression must be a valid Expression. See the definition of the Expression type for more information. 4. Extended expression are implicitly AND with expression. 5. No nesting can be supported if this value is used. 6. If a Group is using extended expression, this group must be the only member in the source field of an communication map.	array of Expression (Abstract type: pass one of the following concrete types) Condition ConjunctionOperator ExternalIDExpression GeoLocationExpression GroupScopeExpression IPAddressExpression IdentityGroupExpression MACAddressExpression NestedExpression PathExpression	Maximum items: 1
group_type	Indicates the group type. Group type can be specified during create and update of a group. Empty group type indicates a 'generic' group, ie group can include any entity from the valid GroupMemberType.	array of GroupTypes	Maximum items: 1
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
reference	Indicates if the group is a reference. If true, indicates that this is a remote reference group. Such group will have span different from the its parent domain. Default value is false.	boolean	Readonly Default: "False"
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Group	string
state	Realization state of this group	string	Readonly Enum: IN_PROGRESS, SUCCESS, FAILURE
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "Group", "description": "web group", "id": "webgroup", "display_name": "web group", "path": "/infra/domains/vmc/groups/webgroup", "parent_path": "/infra/domains/vmc", "relative_path": "webgroup", "expression": [ { "resource_type": "Condition", "member_type": "VirtualMachine", "value": "webvm", "key": "Tag", "operator": "EQUALS", "_protection": "NOT_PROTECTED" } ], "_create_user": "admin", "_create_time": 1517308749250, "_last_modified_user": "admin", "_last_modified_time": 1517308749250, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read group

Read group This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}

/policy/api/v1/global-infra/domains/{domain-id}/groups/{group-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Group+

Group (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildDnsSecurityProfileBindingMap ChildGroupDiscoveryProfileBindingMap ChildGroupMonitoringProfileBindingMap ChildPolicyFirewallFloodProtectionProfileBindingMap ChildPolicyFirewallSessionTimerProfileBindingMap
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
expression	Expression The expression list must follow below criteria: 1. A non-empty expression list, must be of odd size. In a list, with indices starting from 0, all non-conjunction expressions must be at even indices, separated by a conjunction expression at odd indices. 2. The total of ConditionExpression and NestedExpression in a list should not exceed 5. 3. The total of IPAddressExpression, MACAddressExpression, external IDs in an ExternalIDExpression and paths in a PathExpression must not exceed the defined Config Max limit for the form-factor of Manager nodes. 4. Each expression must be a valid Expression. See the definition of the Expression type for more information.	array of Expression (Abstract type: pass one of the following concrete types) Condition ConjunctionOperator ExternalIDExpression GeoLocationExpression GroupScopeExpression IPAddressExpression IdentityGroupExpression MACAddressExpression NestedExpression PathExpression
extended_expression	Extended Expression Extended Expression allows additional higher level context to be specified for grouping criteria. (e.g. user AD group) This field allow users to specified user context as the source of a firewall rule for IDFW feature. Current version only support a single IdentityGroupExpression. In the future, this might expand to support other conjunction and non-conjunction expression. The extended expression list must follow below criteria: 1. Contains a single IdentityGroupExpression. No conjunction expression is supported. 2. No other non-conjunction expression is supported, except for IdentityGroupExpression. 3. Each expression must be a valid Expression. See the definition of the Expression type for more information. 4. Extended expression are implicitly AND with expression. 5. No nesting can be supported if this value is used. 6. If a Group is using extended expression, this group must be the only member in the source field of an communication map.	array of Expression (Abstract type: pass one of the following concrete types) Condition ConjunctionOperator ExternalIDExpression GeoLocationExpression GroupScopeExpression IPAddressExpression IdentityGroupExpression MACAddressExpression NestedExpression PathExpression	Maximum items: 1
group_type	Indicates the group type. Group type can be specified during create and update of a group. Empty group type indicates a 'generic' group, ie group can include any entity from the valid GroupMemberType.	array of GroupTypes	Maximum items: 1
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
reference	Indicates if the group is a reference. If true, indicates that this is a remote reference group. Such group will have span different from the its parent domain. Default value is false.	boolean	Readonly Default: "False"
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Group	string
state	Realization state of this group	string	Readonly Enum: IN_PROGRESS, SUCCESS, FAILURE
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Group

Delete the group with group_id under domain domain_id. The force query parameter supported on the
API is deprecated. Usage of the force query parameter does not alter the behaviour of the API. The
API just ignores the force parameter.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}

Request Headers:

n/a

Query Parameters:

GroupDeleteRequestParameters+

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a group external ID expression

If a group ExternalIDexpression with the expression-id is not already present, create a new ExternalIDexpresison.
If it already exists, replace the existing ExternalIDexpression.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

ExternalIDExpression+

ExternalIDExpression (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
external_ids	Array of external IDs for the specified member type This array can consist of one or more external IDs for the specified member type.	array of string	Required Minimum items: 1
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
member_type	External ID member type	string	Required Enum: VirtualMachine, VirtualNetworkInterface, CloudNativeServiceInstance, BareMetalServer, BareMetalServerInterface
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value ExternalIDExpression	string	Required Enum: Condition, ConjunctionOperator, NestedExpression, IPAddressExpression, MACAddressExpression, ExternalIDExpression, PathExpression, IdentityGroupExpression, GeoLocationExpression
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup/external-id-expressions/exp1 { "member_type": "VirtualMachine", "external_ids": [ "00989582-0920-459e-a8a6-ebf65a140aa9" ], "resource_type": "ExternalIDExpression", "id": "exp1" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Group External ID Expression

Delete Group External ID Expression This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup/external-id-expressions/exp1 Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Add or Remove external id based members from/to a Group

It will add or remove the specified members having external ID for a given expression of a group.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/external-id-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

GroupMemberActionParameters+

Request Body:

GroupMemberList+

Example Request: ## For adding external id based members to a Group POST /infra/domains/default/groups/VMGroup/external-id-expressions/vmexp?action=add { "members": [ "527ef6f5-0fea-b910-1efb-0991e41e44cd", "527ef6f5-0fea-b910-1efb-0991e41e44ce" ] } ## For removing external id based members from a Group POST /infra/domains/default/groups/VMGroup/external-id-expressions/vmexp?action=remove { "members": [ "527ef6f5-0fea-b910-1efb-0991e41e44cd", "527ef6f5-0fea-b910-1efb-0991e41e44ce" ] } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a group IP Address expression

If a group IPAddressExpression with the expression-id is not already present, create a new IPAddressExpression.
If it already exists, replace the existing IPAddressExpression.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

IPAddressExpression+

IPAddressExpression (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
ip_addresses	Array of IP addresses This array can consist of a single IP address, IP address range or a subnet. Its type can be of either IPv4 or IPv6. Both IPv4 and IPv6 addresses within one expression is not allowed. Supported list of formats are, "192.168.1.1", "192.168.1.1-192.168.1.100", "192.168.0.0/24", "fe80::250:56ff:fe83:318c", "fe80::250:56ff:fe83:3181-fe80::250:56ff:fe83:318c", "fe80::250:56ff:fe83:318c/64". The max limit for number of IP addresses applies across all expressions in a group. Please refer to Config Max limits specification document for a given environment.	array of IPElement	Required Minimum items: 1 Maximum items: 25000
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value IPAddressExpression	string	Required Enum: Condition, ConjunctionOperator, NestedExpression, IPAddressExpression, MACAddressExpression, ExternalIDExpression, PathExpression, IdentityGroupExpression, GeoLocationExpression
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup/ip-address-expressions/exp1 { "ip_addresses": [ "10.110.9.21", "10.112.9.22" ], "resource_type": "IPAddressExpression", "id" : "exp1" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Group IPAddressExpression

Delete Group IPAddressExpression This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup/ip-address-expressions/exp1 Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Add or Remove IP Addresses from/to a Group

It will add or remove the specified IP Addresses from a given expression of a group.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/ip-address-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

GroupMemberActionParameters+

Request Body:

IPAddressList+

Example Request: ## For adding ip addresses to a Group POST /infra/domains/default/groups/IPGroup/ip-address-expressions/ipaddressexp?action=add { "ip_addresses": [ "10.110.9.4-10.110.9.10", "10.110.9.3/24" ] } ## For removing ip addresses from a Group POST /infra/domains/default/groups/IPGroup/ip-address-expressions/ipaddressexp?action=remove { "ip_addresses": [ "10.110.9.4-10.110.9.10", "10.110.9.3/24" ] } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a group MAC Address expression

If a group MACAddressExpression with the expression-id is not already present, create a new MACAddressExpression.
If it already exists, replace the existing MACAddressExpression.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

MACAddressExpression+

MACAddressExpression (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
mac_addresses	Array of MAC addresses This array can consist of one or more MAC addresses. Max limit of 4000 MAC addresses applies across all the expressions.	array of MACAddress	Required Minimum items: 1 Maximum items: 4000
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value MACAddressExpression	string	Required Enum: Condition, ConjunctionOperator, NestedExpression, IPAddressExpression, MACAddressExpression, ExternalIDExpression, PathExpression, IdentityGroupExpression, GeoLocationExpression
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup/mac-address-expressions/exp1 { "mac_addresses": [ "00:0a:95:9d:68:21", "00:0a:95:9d:68:22" ], "resource_type": "MACAddressExpression", "id" : "exp1" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Group MACAddressExpression

Delete Group MACAddressExpression This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup/mac-address-expressions/exp1 Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Add or Remove MAC Addresses from/to a Group

It will add or remove the specified MAC Addresses from a given expression of a group.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/mac-address-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

GroupMemberActionParameters+

Request Body:

MACAddressList+

Example Request: ## For adding mac addresses to a Group POST /infra/domains/default/groups/MACGroup/mac-address-expressions/macaddressexp?action=add { "mac_addresses": [ "00:0a:95:9d:68:16", "00:0a:95:9d:68:17" ] } ## For removing mac addresses from a Group POST /infra/domains/default/groups/MACGroup/mac-address-expressions/macaddressexp?action=remove { "mac_addresses": [ "00:0a:95:9d:68:16", "00:0a:95:9d:68:17" ] } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a group path expression

If a group path_expression with the expression-id is not already present, create a new pathexpresison.
If it already exists, replace the existing pathexpression.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PathExpression+

PathExpression (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
paths	Array of policy paths This array can consist of one or more policy paths. Only policy paths of groups, segments and policy logical ports are allowed.	array of string	Required Minimum items: 1
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PathExpression	string	Required Enum: Condition, ConjunctionOperator, NestedExpression, IPAddressExpression, MACAddressExpression, ExternalIDExpression, PathExpression, IdentityGroupExpression, GeoLocationExpression
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup/path-expression/exp1 { "paths": [ "/infra/domains/default/groups/childgroup8" ], "resource_type": "PathExpression", "id": "exp1" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Group Path Expression

Delete Group Path Expression This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/domains/vmc/groups/webgroup/path-expressions/exp1 Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Add or Remove path based members from/to a Group

It will add or remove the specified members having path for a given expression of a group.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/domains/{domain-id}/groups/{group-id}/path-expressions/{expression-id}

Request Headers:

n/a

Query Parameters:

GroupMemberActionParameters+

Request Body:

GroupMemberList+

Example Request: ## For adding path based members to a Group POST /infra/domains/default/groups/NestedGroup/path-expressions/pathexp?action=add { "members": [ "/infra/domains/default/groups/GroupTag", "/infra/domains/default/groups/VMGroup" ] } ## For removing path based members from a Group POST /infra/domains/default/groups/NestedGroup/path-expressions/pathexp?action=remove { "members": [ "/infra/domains/default/groups/GroupTag", "/infra/domains/default/groups/VMGroup" ] } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: crud Feature: policy_grouping Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Profiles

Policy: Inventory: Profiles: Context Profiles

Associated URIs:

GET /policy/api/v1/infra/context-profiles
GET /policy/api/v1/global-infra/context-profiles
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles
DELETE /policy/api/v1/infra/context-profiles/{context-profile-id}
DELETE /policy/api/v1/global-infra/context-profiles/{context-profile-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/{context-profile-id}
GET /policy/api/v1/infra/context-profiles/{context-profile-id}
GET /policy/api/v1/global-infra/context-profiles/{context-profile-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/{context-profile-id}
PATCH /policy/api/v1/infra/context-profiles/{context-profile-id}
PATCH /policy/api/v1/global-infra/context-profiles/{context-profile-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/{context-profile-id}
PUT /policy/api/v1/infra/context-profiles/{context-profile-id}
PUT /policy/api/v1/global-infra/context-profiles/{context-profile-id}
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/{context-profile-id}
GET /policy/api/v1/infra/context-profiles/attribute-types
GET /policy/api/v1/infra/context-profiles/attributes
GET /policy/api/v1/global-infra/context-profiles/attributes
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/attributes
PATCH /policy/api/v1/infra/context-profiles/custom-attributes (Deprecated)
PATCH /policy/api/v1/global-infra/context-profiles/custom-attributes (Deprecated)
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/custom-attributes (Deprecated)
POST /policy/api/v1/infra/context-profiles/custom-attributes (Deprecated)
POST /policy/api/v1/global-infra/context-profiles/custom-attributes (Deprecated)
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/custom-attributes (Deprecated)
GET /policy/api/v1/infra/context-profiles/custom-attributes/default
GET /policy/api/v1/global-infra/context-profiles/custom-attributes/default
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/custom-attributes/default
PATCH /policy/api/v1/infra/context-profiles/custom-attributes/default
PATCH /policy/api/v1/global-infra/context-profiles/custom-attributes/default
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/custom-attributes/default
POST /policy/api/v1/infra/context-profiles/custom-attributes/default
POST /policy/api/v1/global-infra/context-profiles/custom-attributes/default
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/custom-attributes/default

Get PolicyContextProfiles

Get all PolicyContextProfiles
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/context-profiles

/policy/api/v1/global-infra/context-profiles

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles

Request Headers:

n/a

Query Parameters:

PolicyContextProfileListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/context-profiles/ { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type":"PolicyContextProfile", "display_name":"testPolicyContextProfile", "description":"Test Policy Context Profile", "attributes":[ { "key":"APP_ID", "value":[ "TLS" ], "datatype":"STRING", "sub_attributes":[ { "key":"TLS_VERSION", "value": [ "TLS_V13" ], "datatype":"STRING" }, { "key":"ENCRYPTION_ALGORITHM", "value": [ "TLS_RSA_EXPORT_WITH_RC4_40_MD5" ], "datatype":"STRING" } ], }, { "key":"DOMAIN_NAME", "value": [ "*.office365.com" ], "datatype":"STRING" } ] } ] } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyContextProfileListResult+

Required Permissions: read Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create PolicyContextProfile

Creates/Updates a PolicyContextProfile, which encapsulates attribute and
sub-attributes of network services.
Rules for using attributes and sub-attributes in single PolicyContextProfile
1. One type of attribute can't have multiple occurrences. ( Eg. -
Attribute type APP_ID can be used only once per PolicyContextProfile.)
2. For specifying multiple values for an attribute, provide them in an array.
3. If sub-attribtes are mentioned for an attribute, then only single
value is allowed for that attribute.
4. To get a list of supported attributes and sub-attributes fire the following REST API
GET https://<policy-mgr>/policy/api/v1/infra/context-profiles/attributes
5. Do not create context profile with "custom_attributes" id
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/context-profiles/{context-profile-id}

/policy/api/v1/global-infra/context-profiles/{context-profile-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/{context-profile-id}

Request Headers:

n/a

Query Parameters:

OverrideRequestParameters+

Request Body:

PolicyContextProfile+

PolicyContextProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
attributes	Array of Policy Context Profile attributes Property containing attributes/sub-attributes for Policy Context Profile.	array of PolicyAttributes	Required
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyContextProfile	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/context-profiles/testPolicyContextProfile { "resource_type":"PolicyContextProfile", "display_name":"testPolicyContextProfile", "description":"Test Policy Context Profile", "attributes":[ { "key":"APP_ID", "value":[ "SSL" ], "datatype":"STRING", "sub_attributes":[ { "key":"TLS_VERSION", "value":[ "TLS_V13" ], "datatype":"STRING" }, { "key":"TLS_CIPHER_SUITE", "value":[ "TLS_RSA_EXPORT_WITH_RC4_40_MD5" ], "datatype":"STRING" } ] }, { "key":"DOMAIN_NAME", "value":[ "*.office365.com" ], "datatype":"STRING" } ] } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create PolicyContextProfile

Method:

PUT

URI Path(s):

/policy/api/v1/infra/context-profiles/{context-profile-id}

/policy/api/v1/global-infra/context-profiles/{context-profile-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/{context-profile-id}

Request Headers:

n/a

Query Parameters:

OverrideRequestParameters+

Request Body:

PolicyContextProfile+

PolicyContextProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
attributes	Array of Policy Context Profile attributes Property containing attributes/sub-attributes for Policy Context Profile.	array of PolicyAttributes	Required
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyContextProfile	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/context-profiles/testPolicyContextProfile { "resource_type":"PolicyContextProfile", "display_name":"testPolicyContextProfile", "description":"Test Policy Context Profile", "attributes":[ { "key":"APP_ID", "value":[ "SSL" ], "datatype":"STRING", "sub_attributes":[ { "key":"TLS_VERSION", "value": [ "TLS_V13" ], "datatype":"STRING" }, { "key":"TLS_CIPHER_SUITE", "value": [ "TLS_RSA_EXPORT_WITH_RC4_40_MD5" ], "datatype":"STRING" } ] }, { "key":"DOMAIN_NAME", "value": [ "*.office365.com" ], "datatype":"STRING" } ] } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyContextProfile+

PolicyContextProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
attributes	Array of Policy Context Profile attributes Property containing attributes/sub-attributes for Policy Context Profile.	array of PolicyAttributes	Required
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyContextProfile	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: crud Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get PolicyContextProfile

Get a single PolicyContextProfile by id
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/context-profiles/{context-profile-id}

/policy/api/v1/global-infra/context-profiles/{context-profile-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/{context-profile-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/context-profiles/testPolicyContextProfile { "resource_type":"PolicyContextProfile", "display_name":"testPolicyContextProfile", "description":"Test Policy Context Profile", "attributes":[ { "key":"APP_ID", "value":[ "TLS" ], "datatype":"STRING", "sub_attributes":[ { "key":"TLS_VERSION", "value": [ "TLS_V13" ], "datatype":"STRING" }, { "key":"ENCRYPTION_ALGORITHM", "value": [ "TLS_RSA_EXPORT_WITH_RC4_40_MD5" ], "datatype":"STRING" } ], }, { "key":"DOMAIN_NAME", "value": [ "*.office365.com" ], "datatype":"STRING" } ] } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyContextProfile+

PolicyContextProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
attributes	Array of Policy Context Profile attributes Property containing attributes/sub-attributes for Policy Context Profile.	array of PolicyAttributes	Required
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyContextProfile	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Required Permissions: read Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Policy Context Profile

Deletes the specified Policy Context Profile. If the Policy Context
Profile is consumed in a firewall rule, it won't get deleted.
Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/context-profiles/{context-profile-id}

/policy/api/v1/global-infra/context-profiles/{context-profile-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/{context-profile-id}

Request Headers:

n/a

Query Parameters:

OverrideDeleteRequestParameters+

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/context-profiles/testPolicyContextProfile Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List Context Profile supported attribute types

Returns supported attribute type strings for Context Profile.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/context-profiles/attribute-types

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/policy/api/v1/infra/context-profiles/attribute-types Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ProfileSupportedAttributeTypesResult+

Example Response: { "attribute_types": [ "APP_ID", "DOMAIN_NAME", "URL_CATEGORY", "URL_REPUTATION", "CUSTOM_URL" ] } Required Permissions: read Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List Policy Context Profile supported attributes and sub-attributes

Returns supported attribute and sub-attributes for specified
attribute key with their supported values, if provided in query/request
parameter, else will fetch all supported attributes and sub-attributes for
all supported attribute keys.
Alternatively, to get a list of supported attributes and sub-attributes fire the following REST API
GET https://<policy-mgr>/policy/api/v1/infra/context-profiles/attributes
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/context-profiles/attributes

/policy/api/v1/global-infra/context-profiles/attributes

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/attributes

Request Headers:

n/a

Query Parameters:

ProfileSupportedAttributesListRequestParameters+

ProfileSupportedAttributesListRequestParameters (schema)

Name	Description	Type	Notes
attribute_key	Fetch attributes and sub-attributes for the given attribute key It fetches attributes and subattributes for the given attribute key supported in the system which can be used for Policy Context Profile creation.	string
attribute_source	Source of the attribute, System Defined or custom It fetches attributes and sub attributes for the given attribute key based on the source of attribute which can be used for Policy Context Profile creation.	string	Enum: ALL, CUSTOM, SYSTEM Default: "SYSTEM"
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/context-profiles/attributes Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyContextProfileListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "attributes":[ { "key":"APP_ID", "value": [ "SSL" ], "datatype":"STRING", "description":"SSL (Secure Sockets Layer) is a cryptographic protocol that provides security over the Internet.", "sub_attributes":[ { "key":"TLS_VERSION", "value": [ "TLS_V10", "TLS_V11", "TLS_V12", "TLS_V13" ], "datatype":"STRING" }, { "key":"TLS_CIPHER_SUITE", "value": [ "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", ] "datatype":"STRING" } ], }, { "key":"DOMAIN_NAME", "value": [ "*.office365.com" ], "datatype":"STRING", "description":"Office 365 url" } ] } ] } Required Permissions: read Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Update custom object attribute value list for given attribute key (Deprecated)

This API updates custom attribute value list for given key.
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/context-profiles/custom-attributes

/policy/api/v1/global-infra/context-profiles/custom-attributes

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/custom-attributes

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyAttributes+

PolicyAttributes (schema)

Name	Description	Type	Notes
attribute_source	Source of attribute value i.e whether system defined or custom value	string	Enum: SYSTEM, CUSTOM Default: "SYSTEM"
custom_url_partial_match	true value would be treated as a partial match for custom url True value for this flag will be treated as a partial match for custom url	boolean
datatype	Datatype for attribute	string	Required Enum: STRING
description	Description for attribute value	string
isALGType	Is the value ALG type Describes whether the APP_ID value is ALG type or not.	boolean
key	Key for attribute Policy Attribute Key - Denotes the type of attribute we are adding to the context profile or the L7 access profile. The keys has to be one of the enums defined for this field.	string	Required Enum: APP_ID, DOMAIN_NAME, URL_CATEGORY, URL_REPUTATION, CUSTOM_URL
metadata	Provide additional meta information about key/values This is optional part that can hold additional data about the attribute key/values. Example - For URL CATEGORY key , it specified super category for url category value. This is generic array and can hold multiple meta information about key/values in future	array of ContextProfileAttributesMetadata
sub_attributes	Reference to sub attributes for the attribute	array of PolicySubAttributes
value	Value for attribute key Multiple attribute values can be specified as elements of array.	array of string	Required Minimum items: 1

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/context-profiles/custom-attributes Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: { "key":"DOMAIN_NAME", "value":[ "*.office365.com", "*.azure.com" ], "datatype":"STRING" } Required Permissions: crud Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Adds/Removes custom attribute values from list (Deprecated)

This API adds/removes custom attribute values from list for a given attribute key.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/context-profiles/custom-attributes

/policy/api/v1/global-infra/context-profiles/custom-attributes

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/custom-attributes

Request Headers:

n/a

Query Parameters:

CustomAttributeAction+

Request Body:

PolicyAttributes+

PolicyAttributes (schema)

Name	Description	Type	Notes
attribute_source	Source of attribute value i.e whether system defined or custom value	string	Enum: SYSTEM, CUSTOM Default: "SYSTEM"
custom_url_partial_match	true value would be treated as a partial match for custom url True value for this flag will be treated as a partial match for custom url	boolean
datatype	Datatype for attribute	string	Required Enum: STRING
description	Description for attribute value	string
isALGType	Is the value ALG type Describes whether the APP_ID value is ALG type or not.	boolean
key	Key for attribute Policy Attribute Key - Denotes the type of attribute we are adding to the context profile or the L7 access profile. The keys has to be one of the enums defined for this field.	string	Required Enum: APP_ID, DOMAIN_NAME, URL_CATEGORY, URL_REPUTATION, CUSTOM_URL
metadata	Provide additional meta information about key/values This is optional part that can hold additional data about the attribute key/values. Example - For URL CATEGORY key , it specified super category for url category value. This is generic array and can hold multiple meta information about key/values in future	array of ContextProfileAttributesMetadata
sub_attributes	Reference to sub attributes for the attribute	array of PolicySubAttributes
value	Value for attribute key Multiple attribute values can be specified as elements of array.	array of string	Required Minimum items: 1

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/context-profiles/custom-attributes?action=add Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: { "key":"DOMAIN_NAME", "value":[ "*.office365.com", "*.azure.com" ], "datatype":"STRING" } Required Permissions: crud Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Update custom attribute value list for given attribute key.

This API updates custom attribute value list for given key in the request. This replaces the
existing list with the list provided in the request
Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/context-profiles/custom-attributes/default

/policy/api/v1/global-infra/context-profiles/custom-attributes/default

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/custom-attributes/default

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

PolicyCustomAttributes+

PolicyCustomAttributes (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
attribute_source	Source of attribute value i.e whether system defined or custom value	string	Enum: CUSTOM, SYSTEM Default: "CUSTOM"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
datatype	Datatype for attribute	string	Required Enum: STRING
description	Description for attribute value	string
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
key	Key for attribute Policy Custom Attribute Key	string	Required Enum: DOMAIN_NAME, CUSTOM_URL
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
metadata	Provide additional meta information about key/values This is optional part that can hold additional data about the attribute key/values. Example - For Custom URL key , it specified url type for url value. This is generic array and can hold multiple meta information about key/values in future	array of ContextProfileAttributesMetadata
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyCustomAttributes	string
sub_attributes	Reference to sub attributes for the attribute	array of PolicySubAttributes
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
value	Value for attribute key Multiple attribute values can be specified as elements of array.	array of string	Required Minimum items: 1

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/context-profiles/custom-attributes/default { "key":"DOMAIN_NAME", "value":[ "*.customdomainname1.com", "*.customdomainname2.com" ], "datatype":"STRING" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: crud Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Retrieves custom attribute values for given attribute key

This API lists all the custom attribute values defined in the system for the attribute_key
mentioned as part of the url.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/context-profiles/custom-attributes/default

/policy/api/v1/global-infra/context-profiles/custom-attributes/default

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/custom-attributes/default

Request Headers:

n/a

Query Parameters:

ProfileSupportedAttributesListRequestParameters+

ProfileSupportedAttributesListRequestParameters (schema)

Name	Description	Type	Notes
attribute_key	Fetch attributes and sub-attributes for the given attribute key It fetches attributes and subattributes for the given attribute key supported in the system which can be used for Policy Context Profile creation.	string
attribute_source	Source of the attribute, System Defined or custom It fetches attributes and sub attributes for the given attribute key based on the source of attribute which can be used for Policy Context Profile creation.	string	Enum: ALL, CUSTOM, SYSTEM Default: "SYSTEM"
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/context-profiles/custom-attributes/default?attribute_key=DOMAIN_NAME Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyContextProfileListResult+

Example Response: { "key":"DOMAIN_NAME", "value":[ "*.office365.com", "*.azure.com" ], "datatype":"STRING" } Required Permissions: read Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Adds/Removes custom attribute values from list

This API adds/removes custom attribute values from list for a given attribute key. The values in the
request will be added or removed from the existing list.
Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/context-profiles/custom-attributes/default

/policy/api/v1/global-infra/context-profiles/custom-attributes/default

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/context-profiles/custom-attributes/default

Request Headers:

n/a

Query Parameters:

CustomAttributeAction+

Request Body:

PolicyCustomAttributes+

PolicyCustomAttributes (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
attribute_source	Source of attribute value i.e whether system defined or custom value	string	Enum: CUSTOM, SYSTEM Default: "CUSTOM"
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
datatype	Datatype for attribute	string	Required Enum: STRING
description	Description for attribute value	string
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
key	Key for attribute Policy Custom Attribute Key	string	Required Enum: DOMAIN_NAME, CUSTOM_URL
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
metadata	Provide additional meta information about key/values This is optional part that can hold additional data about the attribute key/values. Example - For Custom URL key , it specified url type for url value. This is generic array and can hold multiple meta information about key/values in future	array of ContextProfileAttributesMetadata
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value PolicyCustomAttributes	string
sub_attributes	Reference to sub attributes for the attribute	array of PolicySubAttributes
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly
value	Value for attribute key Multiple attribute values can be specified as elements of array.	array of string	Required Minimum items: 1

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/context-profiles/custom-attributes/default?action=add { "key":"DOMAIN_NAME", "value":[ "*.customdomainname5.com", "*.customdomainname6.com" ], "datatype":"STRING" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Example Response: 200 OK Required Permissions: crud Feature: policy_context_profile Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Profiles: L7 Access Profiles

Associated URIs:

GET /policy/api/v1/infra/l7-access-profiles
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles
DELETE /policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}
GET /policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}
PATCH /policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}
PUT /policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}
GET /policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}/entries
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}/entries
DELETE /policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}
GET /policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}
PATCH /policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}
PUT /policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}
GET /policy/api/v1/infra/l7-access-profiles/attributes
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/attributes

List l7 access Profiles

API will list all l7 access Profiles Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/l7-access-profiles

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles

Request Headers:

n/a

Query Parameters:

L7AccessProfileListRequestParameters+

L7AccessProfileListRequestParameters (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
include_entry_count	Include the count of entries in L7 Profile If true, populate the entry_count field with the count of rules in the particular policy. By default, entry_count will not be populated.	boolean	Default: "False"
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/l7-access-profiles Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

L7AccessProfileListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "l7_access_entries": [ { "sequence_number": 100, "attributes": [ { "key": "APP_ID", "value": [ "SSL" ], "datatype": "STRING", "sub_attributes": [ { "key": "TLS_VERSION", "value": [ "TLS_V13" ], "datatype": "STRING" }, { "key": "TLS_CIPHER_SUITE", "value": [ "TLS_RSA_EXPORT_WITH_RC4_40_MD5" ], "datatype": "STRING" } ], "attribute_source": "SYSTEM" } ], "action": "ALLOW", "logged": true, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_0", "display_name": "entry_0", "path": "/infra/l7-access-profiles/profile-1/entries/entry_0", "relative_path": "entry_0", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "6403f261-02fd-42ec-ac1f-4f6fb59f42a6", "realization_id": "6403f261-02fd-42ec-ac1f-4f6fb59f42a6", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431167, "_last_modified_user": "admin", "_last_modified_time": 1631900431167, "_protection": "NOT_PROTECTED", "_revision": 0 }, { "sequence_number": 101, "attributes": [ { "key": "CUSTOM_URL", "value": [ "*.cisco.com", "www.google.com" ], "datatype": "STRING", "attribute_source": "SYSTEM" } ], "action": "ALLOW", "logged": false, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_1", "display_name": "entry_1", "path": "/infra/l7-access-profiles/profile-1/entries/entry_1", "relative_path": "entry_1", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "f098b0c9-65ba-42ae-8798-19a4f4515447", "realization_id": "f098b0c9-65ba-42ae-8798-19a4f4515447", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431168, "_last_modified_user": "admin", "_last_modified_time": 1631900431168, "_protection": "NOT_PROTECTED", "_revision": 0 }, { "sequence_number": 102, "attributes": [ { "key": "URL_CATEGORY", "value": [ "Auctions", "Abused Drugs" ], "datatype": "STRING", "attribute_source": "SYSTEM" } ], "action": "REJECT", "logged": true, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_2", "display_name": "entry_2", "path": "/infra/l7-access-profiles/profile-1/entries/entry_2", "relative_path": "entry_2", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "7653be14-abe3-49d6-92bb-3f68303c6049", "realization_id": "7653be14-abe3-49d6-92bb-3f68303c6049", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431169, "_last_modified_user": "admin", "_last_modified_time": 1631900431169, "_protection": "NOT_PROTECTED", "_revision": 0 }, { "sequence_number": 103, "attributes": [ { "key": "URL_REPUTATION", "value": [ "Suspicious" ], "datatype": "STRING", "attribute_source": "SYSTEM" } ], "action": "REJECT_WITH_RESPONSE", "logged": true, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_3", "display_name": "entry_3", "path": "/infra/l7-access-profiles/profile-1/entries/entry_3", "relative_path": "entry_3", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "e099255b-ce22-4dd4-9e4c-73520ab54870", "realization_id": "e099255b-ce22-4dd4-9e4c-73520ab54870", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431171, "_last_modified_user": "admin", "_last_modified_time": 1631900431171, "_protection": "NOT_PROTECTED", "_revision": 0 } ], "user_response_message": "", "default_action": "REJECT", "default_action_logged": false, "resource_type": "L7AccessProfile", "id": "profile-1", "display_name": "profile-1", "description": "Test Policy L7 Access Profile", "path": "/infra/l7-access-profiles/profile-1", "relative_path": "profile-1", "parent_path": "/infra", "unique_id": "ec0e9217-56a5-443c-997e-f73a75e0e2db", "realization_id": "ec0e9217-56a5-443c-997e-f73a75e0e2db", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431163, "_last_modified_user": "admin", "_last_modified_time": 1631900431163, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: policy_security_profiles Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or update L7 Access Profile

API will create/update L7 Access Profile Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}

Request Headers:

n/a

Query Parameters:

OverrideRequestParameters+

Request Body:

L7AccessProfile+

L7AccessProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildL7AccessEntry
default_action		L7AccessEntryAction	Required
default_action_logged	Enable default logging flag Flag to activate packet logging. Default is deactivated.	boolean	Default: "False"
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
entry_count	Entry count The count of entries in the L7 profile.	int	Readonly
id	Unique identifier of this resource	string	Sortable
l7_access_entries	Array of Policy L7 Access Profile entries Property containing L7 access entries for Policy L7 Access Profile.	array of L7AccessEntry	Maximum items: 1000
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L7AccessProfile	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<nsx-mgr>/policy/api/v1/infra/l7-access-profiles/profile-1 { "resource_type": "L7AccessProfile", "display_name": "profile-1", "description":"Test Policy L7 Access Profile", "l7_access_entries": [ { "display_name": "entry_0", "sequence_number": 100, "attributes":[ { "key":"APP_ID", "value":[ "SSL" ], "datatype":"STRING", "sub_attributes":[ { "key":"TLS_VERSION", "value": [ "TLS_V13" ], "datatype":"STRING" }, { "key":"TLS_CIPHER_SUITE", "value": [ "TLS_RSA_EXPORT_WITH_RC4_40_MD5" ], "datatype":"STRING" } ], "attribute_source": "SYSTEM" } ], "action": "ALLOW", "logged" : true }, { "display_name": "entry_1", "sequence_number": 101, "attributes":[ { "key":"CUSTOM_URL", "value": [ "*.cisco.com", "www.google.com" ], "datatype":"STRING", "attribute_source": "CUSTOM" } ], "action": "ALLOW", "logged" : false }, { "display_name": "entry_2", "sequence_number": 102, "attributes":[ { "key":"URL_CATEGORY", "value": [ "Auctions", "Abused Drugs" ], "datatype":"STRING", "attribute_source": "SYSTEM" } ], "action": "REJECT", "logged" : true }, { "display_name": "entry_3", "sequence_number": 103, "attributes":[ { "key":"URL_REPUTATION", "value": [ "Suspicious" ], "datatype":"STRING", "attribute_source": "SYSTEM" } ], "action": "REJECT_WITH_RESPONSE", "logged" : true } ], "default_action": "REJECT" } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

L7AccessProfile+

L7AccessProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildL7AccessEntry
default_action		L7AccessEntryAction	Required
default_action_logged	Enable default logging flag Flag to activate packet logging. Default is deactivated.	boolean	Default: "False"
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
entry_count	Entry count The count of entries in the L7 profile.	int	Readonly
id	Unique identifier of this resource	string	Sortable
l7_access_entries	Array of Policy L7 Access Profile entries Property containing L7 access entries for Policy L7 Access Profile.	array of L7AccessEntry	Maximum items: 1000
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L7AccessProfile	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "l7_access_entries": [ { "sequence_number": 100, "attributes": [ { "key": "APP_ID", "value": [ "SSL" ], "datatype": "STRING", "sub_attributes": [ { "key": "TLS_VERSION", "value": [ "TLS_V13" ], "datatype": "STRING" }, { "key": "TLS_CIPHER_SUITE", "value": [ "TLS_RSA_EXPORT_WITH_RC4_40_MD5" ], "datatype": "STRING" } ], "attribute_source": "SYSTEM" } ], "action": "ALLOW", "logged": true, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_0", "display_name": "entry_0", "path": "/infra/l7-access-profiles/profile-1/entries/entry_0", "relative_path": "entry_0", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "6403f261-02fd-42ec-ac1f-4f6fb59f42a6", "realization_id": "6403f261-02fd-42ec-ac1f-4f6fb59f42a6", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431167, "_last_modified_user": "admin", "_last_modified_time": 1631900431167, "_protection": "NOT_PROTECTED", "_revision": 0 }, { "sequence_number": 101, "attributes": [ { "key": "CUSTOM_URL", "value": [ "*.cisco.com", "www.google.com" ], "datatype": "STRING", "attribute_source": "SYSTEM" } ], "action": "ALLOW", "logged": false, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_1", "display_name": "entry_1", "path": "/infra/l7-access-profiles/profile-1/entries/entry_1", "relative_path": "entry_1", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "f098b0c9-65ba-42ae-8798-19a4f4515447", "realization_id": "f098b0c9-65ba-42ae-8798-19a4f4515447", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431168, "_last_modified_user": "admin", "_last_modified_time": 1631900431168, "_protection": "NOT_PROTECTED", "_revision": 0 }, { "sequence_number": 102, "attributes": [ { "key": "URL_CATEGORY", "value": [ "Auctions", "Abused Drugs" ], "datatype": "STRING", "attribute_source": "SYSTEM" } ], "action": "REJECT", "logged": true, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_2", "display_name": "entry_2", "path": "/infra/l7-access-profiles/profile-1/entries/entry_2", "relative_path": "entry_2", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "7653be14-abe3-49d6-92bb-3f68303c6049", "realization_id": "7653be14-abe3-49d6-92bb-3f68303c6049", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431169, "_last_modified_user": "admin", "_last_modified_time": 1631900431169, "_protection": "NOT_PROTECTED", "_revision": 0 }, { "sequence_number": 103, "attributes": [ { "key": "URL_REPUTATION", "value": [ "Suspicious" ], "datatype": "STRING", "attribute_source": "SYSTEM" } ], "action": "REJECT_WITH_RESPONSE", "logged": true, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_3", "display_name": "entry_3", "path": "/infra/l7-access-profiles/profile-1/entries/entry_3", "relative_path": "entry_3", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "e099255b-ce22-4dd4-9e4c-73520ab54870", "realization_id": "e099255b-ce22-4dd4-9e4c-73520ab54870", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431171, "_last_modified_user": "admin", "_last_modified_time": 1631900431171, "_protection": "NOT_PROTECTED", "_revision": 0 } ], "user_response_message": "", "default_action": "REJECT", "default_action_logged": false, "resource_type": "L7AccessProfile", "id": "profile-1", "display_name": "profile-1", "description": "Test Policy L7 Access Profile", "path": "/infra/l7-access-profiles/profile-1", "relative_path": "profile-1", "parent_path": "/infra", "unique_id": "ec0e9217-56a5-443c-997e-f73a75e0e2db", "realization_id": "ec0e9217-56a5-443c-997e-f73a75e0e2db", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431163, "_last_modified_user": "admin", "_last_modified_time": 1631900431163, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: policy_security_profiles Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Update L7 Access Profile

API will update L7 Access Profile Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}

Request Headers:

n/a

Query Parameters:

OverrideRequestParameters+

Request Body:

L7AccessProfile+

L7AccessProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildL7AccessEntry
default_action		L7AccessEntryAction	Required
default_action_logged	Enable default logging flag Flag to activate packet logging. Default is deactivated.	boolean	Default: "False"
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
entry_count	Entry count The count of entries in the L7 profile.	int	Readonly
id	Unique identifier of this resource	string	Sortable
l7_access_entries	Array of Policy L7 Access Profile entries Property containing L7 access entries for Policy L7 Access Profile.	array of L7AccessEntry	Maximum items: 1000
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L7AccessProfile	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<nsx-mgr>/policy/api/v1/infra/l7-access-profiles/profile-1 { "resource_type": "L7AccessProfile", "display_name": "profile-1", "description":"Test Policy L7 Access Profile", "l7_access_entries": [ { "display_name": "entry_0", "sequence_number": 100, "attributes":[ { "key":"APP_ID", "value":[ "SSL" ], "datatype":"STRING", "sub_attributes":[ { "key":"TLS_VERSION", "value": [ "TLS_V13" ], "datatype":"STRING" }, { "key":"TLS_CIPHER_SUITE", "value": [ "TLS_RSA_EXPORT_WITH_RC4_40_MD5" ], "datatype":"STRING" } ], "attribute_source": "SYSTEM" } ], "action": "ALLOW", "logged" : true }, { "display_name": "entry_1", "sequence_number": 101, "attributes":[ { "key":"CUSTOM_URL", "value": [ "*.cisco.com", "www.google.com" ], "datatype":"STRING", "attribute_source": "CUSTOM" } ], "action": "ALLOW", "logged" : false }, { "display_name": "entry_2", "sequence_number": 102, "attributes":[ { "key":"URL_CATEGORY", "value": [ "Auctions", "Abused Drugs" ], "datatype":"STRING", "attribute_source": "SYSTEM" } ], "action": "REJECT", "logged" : true }, { "display_name": "entry_3", "sequence_number": 103, "attributes":[ { "key":"URL_REPUTATION", "value": [ "Suspicious" ], "datatype":"STRING", "attribute_source": "SYSTEM" } ], "action": "REJECT_WITH_RESPONSE", "logged" : true } ], "default_action": "REJECT" } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

L7AccessProfile+

L7AccessProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildL7AccessEntry
default_action		L7AccessEntryAction	Required
default_action_logged	Enable default logging flag Flag to activate packet logging. Default is deactivated.	boolean	Default: "False"
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
entry_count	Entry count The count of entries in the L7 profile.	int	Readonly
id	Unique identifier of this resource	string	Sortable
l7_access_entries	Array of Policy L7 Access Profile entries Property containing L7 access entries for Policy L7 Access Profile.	array of L7AccessEntry	Maximum items: 1000
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L7AccessProfile	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete L7 Access Profile

API will delete L7 Access Profile Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}

Request Headers:

n/a

Query Parameters:

OverrideRequestParameters+

Request Body:

n/a

Example Request: DELETE https://<nsx-mgr>/policy/api/v1/infra/l7-access-profiles/profile-1 Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_security_profiles Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get L7 Access Profile

API will get L7 Access Profile Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/policy/api/v1/infra/l7-access-profiles/profile-1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

L7AccessProfile+

L7AccessProfile (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildL7AccessEntry
default_action		L7AccessEntryAction	Required
default_action_logged	Enable default logging flag Flag to activate packet logging. Default is deactivated.	boolean	Default: "False"
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
entry_count	Entry count The count of entries in the L7 profile.	int	Readonly
id	Unique identifier of this resource	string	Sortable
l7_access_entries	Array of Policy L7 Access Profile entries Property containing L7 access entries for Policy L7 Access Profile.	array of L7AccessEntry	Maximum items: 1000
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L7AccessProfile	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "l7_access_entries": [ { "sequence_number": 100, "attributes": [ { "key": "APP_ID", "value": [ "SSL" ], "datatype": "STRING", "sub_attributes": [ { "key": "TLS_VERSION", "value": [ "TLS_V13" ], "datatype": "STRING" }, { "key": "TLS_CIPHER_SUITE", "value": [ "TLS_RSA_EXPORT_WITH_RC4_40_MD5" ], "datatype": "STRING" } ], "attribute_source": "SYSTEM" } ], "action": "ALLOW", "logged": true, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_0", "display_name": "entry_0", "path": "/infra/l7-access-profiles/profile-1/entries/entry_0", "relative_path": "entry_0", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "6403f261-02fd-42ec-ac1f-4f6fb59f42a6", "realization_id": "6403f261-02fd-42ec-ac1f-4f6fb59f42a6", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431167, "_last_modified_user": "admin", "_last_modified_time": 1631900431167, "_protection": "NOT_PROTECTED", "_revision": 0 }, { "sequence_number": 101, "attributes": [ { "key": "CUSTOM_URL", "value": [ "*.cisco.com", "www.google.com" ], "datatype": "STRING", "attribute_source": "SYSTEM" } ], "action": "ALLOW", "logged": false, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_1", "display_name": "entry_1", "path": "/infra/l7-access-profiles/profile-1/entries/entry_1", "relative_path": "entry_1", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "f098b0c9-65ba-42ae-8798-19a4f4515447", "realization_id": "f098b0c9-65ba-42ae-8798-19a4f4515447", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431168, "_last_modified_user": "admin", "_last_modified_time": 1631900431168, "_protection": "NOT_PROTECTED", "_revision": 0 }, { "sequence_number": 102, "attributes": [ { "key": "URL_CATEGORY", "value": [ "Auctions", "Abused Drugs" ], "datatype": "STRING", "attribute_source": "SYSTEM" } ], "action": "REJECT", "logged": true, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_2", "display_name": "entry_2", "path": "/infra/l7-access-profiles/profile-1/entries/entry_2", "relative_path": "entry_2", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "7653be14-abe3-49d6-92bb-3f68303c6049", "realization_id": "7653be14-abe3-49d6-92bb-3f68303c6049", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431169, "_last_modified_user": "admin", "_last_modified_time": 1631900431169, "_protection": "NOT_PROTECTED", "_revision": 0 }, { "sequence_number": 103, "attributes": [ { "key": "URL_REPUTATION", "value": [ "Suspicious" ], "datatype": "STRING", "attribute_source": "SYSTEM" } ], "action": "REJECT_WITH_RESPONSE", "logged": true, "disabled": false, "resource_type": "L7AccessEntry", "id": "entry_3", "display_name": "entry_3", "path": "/infra/l7-access-profiles/profile-1/entries/entry_3", "relative_path": "entry_3", "parent_path": "/infra/l7-access-profiles/profile-1", "unique_id": "e099255b-ce22-4dd4-9e4c-73520ab54870", "realization_id": "e099255b-ce22-4dd4-9e4c-73520ab54870", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431171, "_last_modified_user": "admin", "_last_modified_time": 1631900431171, "_protection": "NOT_PROTECTED", "_revision": 0 } ], "user_response_message": "", "default_action": "REJECT", "default_action_logged": false, "resource_type": "L7AccessProfile", "id": "profile-1", "display_name": "profile-1", "description": "Test Policy L7 Access Profile", "path": "/infra/l7-access-profiles/profile-1", "relative_path": "profile-1", "parent_path": "/infra", "unique_id": "ec0e9217-56a5-443c-997e-f73a75e0e2db", "realization_id": "ec0e9217-56a5-443c-997e-f73a75e0e2db", "marked_for_delete": false, "overridden": false, "_system_owned": false, "_create_user": "admin", "_create_time": 1631900431163, "_last_modified_user": "admin", "_last_modified_time": 1631900431163, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: read Feature: policy_security_profiles Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List l7 access profile entries

API will list all l7 access profiles entries Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}/entries

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}/entries

Request Headers:

n/a

Query Parameters:

L7AccessEntryListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/l7-access-profiles/profile-1/entries Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

L7AccessEntryListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type": "L7AccessEntry", "id": "entry-1", "display_name": "entry-1", "description":"Test Policy L7 Access Profile entry", "path": "/infra/l7-access-profiles/profile-1/entries/entry-1" "relative_path": "entry-1", "marked_for_delete": false," "sequence_number": 101, "attributes":[ { "key":"CUSTOM_URL", "value": [ "*.cisco.com", "www.google.com" ], "datatype":"STRING", "attribute_source": "CUSTOM" } ], "action": "ALLOW", "logged" : false, "_create_user": "admin", "_create_time": 1516386404233, "_last_modified_user": "admin", "_last_modified_time": 1516431370604, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } ] } Required Permissions: read Feature: policy_security_profiles Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or update L7 Access Profile entry

API will create/update L7 Access Profile entry Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

L7AccessEntry+

L7AccessEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
action		L7AccessEntryAction	Required
attributes	Array of Policy L7 Access Profile attributes Property containing attributes/sub-attributes for Policy L7 Access Profile. APP_ID, CUSTOM_URL, URL_CATEGORY, are system created attributes, and user can use below API to get list of valid attributes and values and consume them in L7AccessEntry: GET /policy/api/v1/infra/l7-access-profiles/attributes?attribute_source=ALL CUSTOM_URL attribute value must be created explicitly by the user using below API: POST /policy/api/v1/infra/context-profiles/custom-attributes/default?action=add	array of L7AccessAttributes	Required Maximum items: 1
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
disabled	Flag to deactivate the entry Flag to deactivate the entry. Default is activated.	boolean	Default: "False"
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
logged	Enable logging flag Flag to activate packet logging. Default is deactivated.	boolean	Default: "False"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L7AccessEntry	string
sequence_number	Policy L7 Access Entry Order Determines the order of the entry in this profile. If no sequence number is specified in the payload, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic.	int
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<nsx-mgr>/policy/api/v1/infra/l7-access-profiles/profile-1/entries/entry-1 { "resource_type": "L7AccessEntry", "display_name": "entry-1", "description":"Test Policy L7 Access Profile entry", "sequence_number": 101, "attributes":[ { "key":"CUSTOM_URL", "value": [ "*.cisco.com", "www.google.com" ], "datatype":"STRING", "attribute_source": "CUSTOM" } ], "action": "ALLOW", "logged" : false } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

L7AccessEntry+

L7AccessEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
action		L7AccessEntryAction	Required
attributes	Array of Policy L7 Access Profile attributes Property containing attributes/sub-attributes for Policy L7 Access Profile. APP_ID, CUSTOM_URL, URL_CATEGORY, are system created attributes, and user can use below API to get list of valid attributes and values and consume them in L7AccessEntry: GET /policy/api/v1/infra/l7-access-profiles/attributes?attribute_source=ALL CUSTOM_URL attribute value must be created explicitly by the user using below API: POST /policy/api/v1/infra/context-profiles/custom-attributes/default?action=add	array of L7AccessAttributes	Required Maximum items: 1
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
disabled	Flag to deactivate the entry Flag to deactivate the entry. Default is activated.	boolean	Default: "False"
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
logged	Enable logging flag Flag to activate packet logging. Default is deactivated.	boolean	Default: "False"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L7AccessEntry	string
sequence_number	Policy L7 Access Entry Order Determines the order of the entry in this profile. If no sequence number is specified in the payload, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic.	int
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "L7AccessEntry", "id": "entry-1", "display_name": "entry-1", "description":"Test Policy L7 Access Profile entry", "path": "/infra/l7-access-profiles/profile-1/entries/entry-1" "relative_path": "entry-1", "marked_for_delete": false," "sequence_number": 101, "attributes":[ { "key":"CUSTOM_URL", "value": [ "*.cisco.com", "www.google.com" ], "datatype":"STRING", "attribute_source": "CUSTOM" } ], "action": "ALLOW", "logged" : false, "_create_user": "admin", "_create_time": 1516386404233, "_last_modified_user": "admin", "_last_modified_time": 1516431370604, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } Required Permissions: crud Feature: policy_security_profiles Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create L7 Access Profile entry

API will create L7 Access Profile entry Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

L7AccessEntry+

L7AccessEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
action		L7AccessEntryAction	Required
attributes	Array of Policy L7 Access Profile attributes Property containing attributes/sub-attributes for Policy L7 Access Profile. APP_ID, CUSTOM_URL, URL_CATEGORY, are system created attributes, and user can use below API to get list of valid attributes and values and consume them in L7AccessEntry: GET /policy/api/v1/infra/l7-access-profiles/attributes?attribute_source=ALL CUSTOM_URL attribute value must be created explicitly by the user using below API: POST /policy/api/v1/infra/context-profiles/custom-attributes/default?action=add	array of L7AccessAttributes	Required Maximum items: 1
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
disabled	Flag to deactivate the entry Flag to deactivate the entry. Default is activated.	boolean	Default: "False"
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
logged	Enable logging flag Flag to activate packet logging. Default is deactivated.	boolean	Default: "False"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L7AccessEntry	string
sequence_number	Policy L7 Access Entry Order Determines the order of the entry in this profile. If no sequence number is specified in the payload, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic.	int
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<nsx-mgr>/policy/api/v1/infra/l7-access-profiles/profile-1/entries/entry-1 { "resource_type": "L7AccessEntry", "display_name": "entry-1", "description":"Test Policy L7 Access Profile entry", "sequence_number": 101, "attributes":[ { "key":"CUSTOM_URL", "value": [ "*.cisco.com", "www.google.com" ], "datatype":"STRING", "attribute_source": "CUSTOM" } ], "action": "ALLOW", "logged" : false } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

L7AccessEntry+

L7AccessEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
action		L7AccessEntryAction	Required
attributes	Array of Policy L7 Access Profile attributes Property containing attributes/sub-attributes for Policy L7 Access Profile. APP_ID, CUSTOM_URL, URL_CATEGORY, are system created attributes, and user can use below API to get list of valid attributes and values and consume them in L7AccessEntry: GET /policy/api/v1/infra/l7-access-profiles/attributes?attribute_source=ALL CUSTOM_URL attribute value must be created explicitly by the user using below API: POST /policy/api/v1/infra/context-profiles/custom-attributes/default?action=add	array of L7AccessAttributes	Required Maximum items: 1
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
disabled	Flag to deactivate the entry Flag to deactivate the entry. Default is activated.	boolean	Default: "False"
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
logged	Enable logging flag Flag to activate packet logging. Default is deactivated.	boolean	Default: "False"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L7AccessEntry	string
sequence_number	Policy L7 Access Entry Order Determines the order of the entry in this profile. If no sequence number is specified in the payload, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic.	int
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete L7 Access Profile entry

API will delete L7 Access Profile entry Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}

Request Headers:

n/a

Query Parameters:

OverrideRequestParameters+

Request Body:

n/a

Example Request: DELETE https://<nsx-mgr>/policy/api/v1/infra/l7-access-profiles/profile-1/entries/ Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_security_profiles Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read L7 Access Profile entry

Read Friewall L7 Access Profile entry Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/{l7-access-profile-id}/entries/{l7-access-entry-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/policy/api/v1/infra/l7-access-profiles/profile-1/entries/entry-1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

L7AccessEntry+

L7AccessEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
action		L7AccessEntryAction	Required
attributes	Array of Policy L7 Access Profile attributes Property containing attributes/sub-attributes for Policy L7 Access Profile. APP_ID, CUSTOM_URL, URL_CATEGORY, are system created attributes, and user can use below API to get list of valid attributes and values and consume them in L7AccessEntry: GET /policy/api/v1/infra/l7-access-profiles/attributes?attribute_source=ALL CUSTOM_URL attribute value must be created explicitly by the user using below API: POST /policy/api/v1/infra/context-profiles/custom-attributes/default?action=add	array of L7AccessAttributes	Required Maximum items: 1
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
disabled	Flag to deactivate the entry Flag to deactivate the entry. Default is activated.	boolean	Default: "False"
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
logged	Enable logging flag Flag to activate packet logging. Default is deactivated.	boolean	Default: "False"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L7AccessEntry	string
sequence_number	Policy L7 Access Entry Order Determines the order of the entry in this profile. If no sequence number is specified in the payload, a value of 0 is assigned by default. If there are multiple rules with the same sequence number then their order is not deterministic.	int
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "L7AccessEntry", "id": "entry-1", "display_name": "entry-1", "description":"Test Policy L7 Access Profile entry", "path": "/infra/l7-access-profiles/profile-1/entries/entry-1" "relative_path": "entry-1", "marked_for_delete": false," "sequence_number": 101, "attributes":[ { "key":"CUSTOM_URL", "value": [ "*.cisco.com", "www.google.com" ], "datatype":"STRING", "attribute_source": "CUSTOM" } ], "action": "ALLOW", "logged" : false, "_create_user": "admin", "_create_time": 1516386404233, "_last_modified_user": "admin", "_last_modified_time": 1516431370604, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 2 } Required Permissions: read Feature: policy_security_profiles Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List Policy L7 access profile supported attributes and sub-attributes

Method:

GET

URI Path(s):

/policy/api/v1/infra/l7-access-profiles/attributes

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/l7-access-profiles/attributes

Request Headers:

n/a

Query Parameters:

ProfileSupportedAttributesListRequestParameters+

ProfileSupportedAttributesListRequestParameters (schema)

Name	Description	Type	Notes
attribute_key	Fetch attributes and sub-attributes for the given attribute key It fetches attributes and subattributes for the given attribute key supported in the system which can be used for Policy Context Profile creation.	string
attribute_source	Source of the attribute, System Defined or custom It fetches attributes and sub attributes for the given attribute key based on the source of attribute which can be used for Policy Context Profile creation.	string	Enum: ALL, CUSTOM, SYSTEM Default: "SYSTEM"
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/l7-access-profiles/attributes Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyContextProfileListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Profiles: L7 Access Profiles: Static MIME Content

Associated URIs:

GET /policy/api/v1/infra/static-mime-contents
DELETE /policy/api/v1/infra/static-mime-contents/{static-mime-content-id}
GET /policy/api/v1/infra/static-mime-contents/{static-mime-content-id}
PATCH /policy/api/v1/infra/static-mime-contents/{static-mime-content-id}
PUT /policy/api/v1/infra/static-mime-contents/{static-mime-content-id}

List static mime contents

API will list all static mime contents Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/static-mime-contents

Request Headers:

n/a

Query Parameters:

StaticMimeContentListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/static-mime-contents Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

StaticMimeContentListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "resource_type": "StaticMimeContent", "id": "coke-response-page-1", "display_name": "coke-response-page-1", "description":"Coke response page for l7 profile 1", "unique_id": "4efdaa00-d0a4-473a-9dd7-b2c4836013e7", "path": "/infra/static-mime-contents/coke-response-page-1", "relative_path": "coke-response-page-1", "text_message": "Company internet access usage violation. Contact IT Help Desk for further details.", } ] } Required Permissions: read Feature: policy_edge_security_settings Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or update static mime content id

API will create/update static mime content id Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/static-mime-contents/{static-mime-content-id}

Request Headers:

n/a

Query Parameters:

OverrideRequestParameters+

Request Body:

StaticMimeContent+

StaticMimeContent (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value StaticMimeContent	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
text_message	text message text message.	string	Required
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<nsx-mgr>/policy/api/v1/infra/static-mime-contents/coke-response-page-1" { "resource_type": "StaticMimeContent", "id": "coke-response-page-1", "display_name": "coke-response-page-1", "description":"Coke response page for l7 profile 1", "relative_path": "coke-response-page-1", "text_message": "Company internet access usage violation. Contact IT Help Desk for further details.", } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

StaticMimeContent+

StaticMimeContent (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value StaticMimeContent	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
text_message	text message text message.	string	Required
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "StaticMimeContent", "id": "coke-response-page-1", "display_name": "coke-response-page-1", "description":"Coke response page for l7 profile 1", "unique_id": "4efdaa00-d0a4-473a-9dd7-b2c4836013e7", "path": "/infra/static-mime-contents/coke-response-page-1", "relative_path": "coke-response-page-1", "marked_for_delete": false," "text_message": "Company internet access usage violation. Contact IT Help Desk for further details.", "_create_user": "admin", "_create_time": 1516657975538, "_last_modified_user": "admin", "_last_modified_time": 1517353711231, "_system_owned": false, "_revision": 1 } Required Permissions: crud Feature: policy_edge_security_settings Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Update static mime content id

API will create/update static mime content id Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/static-mime-contents/{static-mime-content-id}

Request Headers:

n/a

Query Parameters:

OverrideRequestParameters+

Request Body:

StaticMimeContent+

StaticMimeContent (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value StaticMimeContent	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
text_message	text message text message.	string	Required
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<nsx-mgr>/policy/api/v1/infra/static-mime-contents/coke-response-page-1" { "resource_type": "StaticMimeContent", "id": "coke-response-page-1", "display_name": "coke-response-page-1", "description":"Coke response page for l7 profile 1", "relative_path": "coke-response-page-1", "text_message": "Company internet access usage violation. Contact IT Help Desk for further details.", } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

StaticMimeContent+

StaticMimeContent (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value StaticMimeContent	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
text_message	text message text message.	string	Required
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete static Mime content

API will delete static mime content Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/static-mime-contents/{static-mime-content-id}

Request Headers:

n/a

Query Parameters:

OverrideRequestParameters+

Request Body:

n/a

Example Request: DELETE https://<nsx-mgr>/policy/api/v1/infra/static-mime-contents/ Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_edge_security_settings Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get Static Mime content

API will get static mime content Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/static-mime-contents/{static-mime-content-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/policy/api/v1/infra/static-mime-contents/coke-response-page-1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

StaticMimeContent+

StaticMimeContent (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value StaticMimeContent	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
text_message	text message text message.	string	Required
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "StaticMimeContent", "id": "coke-response-page-1", "display_name": "coke-response-page-1", "description":"Coke response page for l7 profile 1", "unique_id": "4efdaa00-d0a4-473a-9dd7-b2c4836013e7", "path": "/infra/static-mime-contents/coke-response-page-1", "relative_path": "coke-response-page-1", "marked_for_delete": false," "text_message": "Company internet access usage violation. Contact IT Help Desk for further details.", "_create_user": "admin", "_create_time": 1516657975538, "_last_modified_user": "admin", "_last_modified_time": 1517353711231, "_system_owned": false, "_revision": 1 } Required Permissions: read Feature: policy_edge_security_settings Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Services

Associated URIs:

GET /policy/api/v1/infra/services
GET /policy/api/v1/global-infra/services
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services
DELETE /policy/api/v1/infra/services/{service-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}
GET /policy/api/v1/infra/services/{service-id}
GET /policy/api/v1/global-infra/services/{service-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}
PATCH /policy/api/v1/infra/services/{service-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}
PUT /policy/api/v1/infra/services/{service-id}
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}
GET /policy/api/v1/infra/services/{service-id}/service-entries
GET /policy/api/v1/global-infra/services/{service-id}/service-entries
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}/service-entries
DELETE /policy/api/v1/infra/services/{service-id}/service-entries/{service-entry-id}
DELETE /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}/service-entries/{service-entry-id}
GET /policy/api/v1/infra/services/{service-id}/service-entries/{service-entry-id}
GET /policy/api/v1/global-infra/services/{service-id}/service-entries/{service-entry-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}/service-entries/{service-entry-id}
PATCH /policy/api/v1/infra/services/{service-id}/service-entries/{service-entry-id}
PATCH /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}/service-entries/{service-entry-id}
PUT /policy/api/v1/infra/services/{service-id}/service-entries/{service-entry-id}
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}/service-entries/{service-entry-id}

List Services for infra

Paginated list of Services for infra.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/services

/policy/api/v1/global-infra/services

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services

Request Headers:

n/a

Query Parameters:

ServiceListRequestParameters+

ServiceListRequestParameters (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
default_service	Fetch all default services If set to true, then it will display only default services. If set to false, then it will display all user defined services. If it is not provided, then complete (default as well as user defined) list of services will be displayed.	boolean
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/services Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ServiceListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 402, "results": [ { "resource_type": "Service", "description": "AD Server", "id": "AD_Server", "display_name": "AD Server", "path": "/infra/services/AD_Server", "parent_path": "/infra/services/AD_Server", "relative_path": "AD_Server", "service_entries": [ { "resource_type": "L4PortSetServiceEntry", "id": "AD_Server", "display_name": "AD Server", "path": "/infra/services/AD_Server/service-entries/AD_Server", "parent_path": "/infra/services/AD_Server", "relative_path": "AD_Server", "destination_ports": [ "1024" ], "l4_protocol": "TCP", "_create_user": "system", "_create_time": 1517296380484, "_last_modified_user": "system", "_last_modified_time": 1517296380484, "_system_owned": true, "_protection": "NOT_PROTECTED", "_revision": 0 } ], "_create_user": "system", "_create_time": 1517296380468, "_last_modified_user": "system", "_last_modified_time": 1517296380468, "_system_owned": true, "_protection": "NOT_PROTECTED", "_revision": 0 } } Required Permissions: read Feature: policy_services Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or update a Service

Create a new service if a service with the given ID does not already
exist. Creates new service entries if populated in the service.
If a service with the given ID already exists, update the service
including the nested service entries. This is a full replace.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/services/{service-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

Service+

Service (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildServiceEntry
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
is_default	Flag for default services The flag, if true, indicates that service is created in the system by default. Such default services can't be modified/deleted.	boolean	Readonly Default: "False"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Service	string
service_entries	Service type Service entries for this service	array of ServiceEntry (Abstract type: pass one of the following concrete types) ALGTypeServiceEntry EtherTypeServiceEntry ICMPTypeServiceEntry IGMPTypeServiceEntry IPProtocolServiceEntry L4PortSetServiceEntry NestedServiceServiceEntry
service_type	Type of service, ETHER or NON_ETHER	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/services/my-http { "description": "My HTTP", "display_name": "My HTTP", "_revision": 0, "service_entries": [ { "resource_type": "L4PortSetServiceEntry", "display_name": "MyHttpEntry", "destination_ports": [ "8080" ], "l4_protocol": "TCP" } ] } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Service+

Service (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildServiceEntry
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
is_default	Flag for default services The flag, if true, indicates that service is created in the system by default. Such default services can't be modified/deleted.	boolean	Readonly Default: "False"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Service	string
service_entries	Service type Service entries for this service	array of ServiceEntry (Abstract type: pass one of the following concrete types) ALGTypeServiceEntry EtherTypeServiceEntry ICMPTypeServiceEntry IGMPTypeServiceEntry IPProtocolServiceEntry L4PortSetServiceEntry NestedServiceServiceEntry
service_type	Type of service, ETHER or NON_ETHER	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "Service", "description": "My HTTP", "id": "my-http", "display_name": "My HTTP", "path": "/infra/services/my-http", "parent_path": "/infra/services/my-http", "relative_path": "my-http", "service_entries": [ { "resource_type": "L4PortSetServiceEntry", "id": "MyHttpEntry", "display_name": "MyHttpEntry", "path": "/infra/services/my-http/service-entries/MyHttpEntry", "parent_path": "/infra/services/my-http", "relative_path": "MyHttpEntry", "destination_ports": [ "8080" ], "l4_protocol": "TCP", "_create_user": "admin", "_create_time": 1517310677617, "_last_modified_user": "admin", "_last_modified_time": 1517310677617, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ], "_create_user": "admin", "_create_time": 1517310677604, "_last_modified_user": "admin", "_last_modified_time": 1517310677604, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: policy_services Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a Service

Create a new service if a service with the given ID does not already
exist. Creates new service entries if populated in the service.
If a service with the given ID already exists, patch the service
including the nested service entries.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/services/{service-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

Service+

Service (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildServiceEntry
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
is_default	Flag for default services The flag, if true, indicates that service is created in the system by default. Such default services can't be modified/deleted.	boolean	Readonly Default: "False"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Service	string
service_entries	Service type Service entries for this service	array of ServiceEntry (Abstract type: pass one of the following concrete types) ALGTypeServiceEntry EtherTypeServiceEntry ICMPTypeServiceEntry IGMPTypeServiceEntry IPProtocolServiceEntry L4PortSetServiceEntry NestedServiceServiceEntry
service_type	Type of service, ETHER or NON_ETHER	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/services/my-http { "description": "My HTTP Patched", "display_name": "My HTTP", "service_entries": [ { "resource_type": "L4PortSetServiceEntry", "display_name": "MyHttpEntry", "destination_ports": [ "8080" ], "l4_protocol": "TCP" } ] } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_services Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read a service

Read a service This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/services/{service-id}

/policy/api/v1/global-infra/services/{service-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/services/my-http Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

Service+

Service (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource (Abstract type: pass one of the following concrete types) ChildServiceEntry
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
is_default	Flag for default services The flag, if true, indicates that service is created in the system by default. Such default services can't be modified/deleted.	boolean	Readonly Default: "False"
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value Service	string
service_entries	Service type Service entries for this service	array of ServiceEntry (Abstract type: pass one of the following concrete types) ALGTypeServiceEntry EtherTypeServiceEntry ICMPTypeServiceEntry IGMPTypeServiceEntry IPProtocolServiceEntry L4PortSetServiceEntry NestedServiceServiceEntry
service_type	Type of service, ETHER or NON_ETHER	string
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Service

Delete Service This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/services/{service-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/services/my-http Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_services Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List Service entries for the given service

Paginated list of Service entries for the given service
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/services/{service-id}/service-entries

/policy/api/v1/global-infra/services/{service-id}/service-entries

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}/service-entries

Request Headers:

n/a

Query Parameters:

ServiceEntryListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/services/my-http/service-entries Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ServiceEntryListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 2, "results": [ { "resource_type": "L4PortSetServiceEntry", "id": "MyHttpEntry", "display_name": "MyHttpEntry", "path": "/infra/services/my-http/service-entries/MyHttpEntry", "parent_path": "/infra/services/my-http", "relative_path": "MyHttpEntry", "destination_ports": [ "8080" ], "l4_protocol": "TCP", "_create_user": "admin", "_create_time": 1517310677617, "_last_modified_user": "admin", "_last_modified_time": 1517310677617, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 }, { "resource_type": "L4PortSetServiceEntry", "id": "https", "display_name": "MyHttps", "path": "/infra/services/my-http/service-entries/https", "parent_path": "/infra/services/my-http", "relative_path": "https", "destination_ports": [ "7443" ], "l4_protocol": "TCP", "_create_user": "admin", "_create_time": 1517316057383, "_last_modified_user": "admin", "_last_modified_time": 1517316057383, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } ] } Required Permissions: read Feature: policy_services Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Create or update a ServiceEntry

If a service entry with the service-entry-id is not already present,
create a new service entry. If it already exists, update the service
entry.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/services/{service-id}/service-entries/{service-entry-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}/service-entries/{service-entry-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

ALGTypeServiceEntry+

ALGTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alg	The Application Layer Gateway (ALG) protocol The Application Layer Gateway (ALG) protocol. Please note, protocol NBNS_BROADCAST and NBDG_BROADCAST are deprecated. Please use UDP protocol and create L4 Port Set type of service instead.	string	Required Enum: ORACLE_TNS, FTP, SUN_RPC_TCP, SUN_RPC_UDP, MS_RPC_TCP, MS_RPC_UDP, NBNS_BROADCAST, NBDG_BROADCAST, TFTP
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
destination_ports	The destination_port cannot be empty and must be a single value.	array of PortElement	Required Minimum items: 1 Maximum items: 1
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value ALGTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
source_ports		array of PortElement	Maximum items: 15
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

EtherTypeServiceEntry+

EtherTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
ether_type	Type of the encapsulated protocol	integer	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EtherTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

ICMPTypeServiceEntry+

ICMPTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
icmp_code	ICMP message code	integer	Minimum: 0 Maximum: 255
icmp_type	ICMP message type	integer	Minimum: 0 Maximum: 255
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
protocol		string	Required Enum: ICMPv4, ICMPv6
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value ICMPTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

IGMPTypeServiceEntry+

IGMPTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value IGMPTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

IPProtocolServiceEntry+

IPProtocolServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
protocol_number		integer	Required Minimum: 0 Maximum: 255
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value IPProtocolServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

L4PortSetServiceEntry+

L4PortSetServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
destination_ports	Number of values should not exceed 15, ranges count as 2 values.	array of PortElement	Maximum items: 15
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
l4_protocol		string	Required Enum: TCP, UDP
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L4PortSetServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
source_ports	Number of values should not exceed 15, ranges count as 2 values.	array of PortElement	Maximum items: 15
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

NestedServiceServiceEntry+

NestedServiceServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
nested_service_path	path of nested service	string	Required
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value NestedServiceServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/services/my-http/service-entries/https { "resource_type": "L4PortSetServiceEntry", "display_name": "MyHttps", "destination_ports": [ "7443" ], "l4_protocol": "TCP", "_revision": 0 } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ALGTypeServiceEntry+

ALGTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alg	The Application Layer Gateway (ALG) protocol The Application Layer Gateway (ALG) protocol. Please note, protocol NBNS_BROADCAST and NBDG_BROADCAST are deprecated. Please use UDP protocol and create L4 Port Set type of service instead.	string	Required Enum: ORACLE_TNS, FTP, SUN_RPC_TCP, SUN_RPC_UDP, MS_RPC_TCP, MS_RPC_UDP, NBNS_BROADCAST, NBDG_BROADCAST, TFTP
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
destination_ports	The destination_port cannot be empty and must be a single value.	array of PortElement	Required Minimum items: 1 Maximum items: 1
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value ALGTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
source_ports		array of PortElement	Maximum items: 15
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

EtherTypeServiceEntry+

EtherTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
ether_type	Type of the encapsulated protocol	integer	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EtherTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

ICMPTypeServiceEntry+

ICMPTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
icmp_code	ICMP message code	integer	Minimum: 0 Maximum: 255
icmp_type	ICMP message type	integer	Minimum: 0 Maximum: 255
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
protocol		string	Required Enum: ICMPv4, ICMPv6
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value ICMPTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

IGMPTypeServiceEntry+

IGMPTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value IGMPTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

IPProtocolServiceEntry+

IPProtocolServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
protocol_number		integer	Required Minimum: 0 Maximum: 255
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value IPProtocolServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

L4PortSetServiceEntry+

L4PortSetServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
destination_ports	Number of values should not exceed 15, ranges count as 2 values.	array of PortElement	Maximum items: 15
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
l4_protocol		string	Required Enum: TCP, UDP
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L4PortSetServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
source_ports	Number of values should not exceed 15, ranges count as 2 values.	array of PortElement	Maximum items: 15
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

NestedServiceServiceEntry+

NestedServiceServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
nested_service_path	path of nested service	string	Required
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value NestedServiceServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "resource_type": "L4PortSetServiceEntry", "id": "https", "display_name": "MyHttps", "path": "/infra/services/my-http/service-entries/https", "parent_path": "/infra/services/my-http", "relative_path": "https", "destination_ports": [ "7443" ], "l4_protocol": "TCP", "_create_user": "admin", "_create_time": 1517316057383, "_last_modified_user": "admin", "_last_modified_time": 1517316057383, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: policy_services Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Patch a ServiceEntry

If a service entry with the service-entry-id is not already present,
create a new service entry. If it already exists, patch the service
entry.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

PATCH

URI Path(s):

/policy/api/v1/infra/services/{service-id}/service-entries/{service-entry-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}/service-entries/{service-entry-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

ALGTypeServiceEntry+

ALGTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alg	The Application Layer Gateway (ALG) protocol The Application Layer Gateway (ALG) protocol. Please note, protocol NBNS_BROADCAST and NBDG_BROADCAST are deprecated. Please use UDP protocol and create L4 Port Set type of service instead.	string	Required Enum: ORACLE_TNS, FTP, SUN_RPC_TCP, SUN_RPC_UDP, MS_RPC_TCP, MS_RPC_UDP, NBNS_BROADCAST, NBDG_BROADCAST, TFTP
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
destination_ports	The destination_port cannot be empty and must be a single value.	array of PortElement	Required Minimum items: 1 Maximum items: 1
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value ALGTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
source_ports		array of PortElement	Maximum items: 15
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

EtherTypeServiceEntry+

EtherTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
ether_type	Type of the encapsulated protocol	integer	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EtherTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

ICMPTypeServiceEntry+

ICMPTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
icmp_code	ICMP message code	integer	Minimum: 0 Maximum: 255
icmp_type	ICMP message type	integer	Minimum: 0 Maximum: 255
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
protocol		string	Required Enum: ICMPv4, ICMPv6
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value ICMPTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

IGMPTypeServiceEntry+

IGMPTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value IGMPTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

IPProtocolServiceEntry+

IPProtocolServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
protocol_number		integer	Required Minimum: 0 Maximum: 255
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value IPProtocolServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

L4PortSetServiceEntry+

L4PortSetServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
destination_ports	Number of values should not exceed 15, ranges count as 2 values.	array of PortElement	Maximum items: 15
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
l4_protocol		string	Required Enum: TCP, UDP
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L4PortSetServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
source_ports	Number of values should not exceed 15, ranges count as 2 values.	array of PortElement	Maximum items: 15
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

NestedServiceServiceEntry+

NestedServiceServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
nested_service_path	path of nested service	string	Required
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value NestedServiceServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PATCH https://<policy-mgr>/policy/api/v1/infra/services/my-http/service-entries/https { "resource_type": "L4PortSetServiceEntry", "display_name": "MyHttps", "destination_ports": [ "9443" ], "l4_protocol": "TCP" } Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_services Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Service entry

Service entry This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/services/{service-id}/service-entries/{service-entry-id}

/policy/api/v1/global-infra/services/{service-id}/service-entries/{service-entry-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}/service-entries/{service-entry-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/services/my-http/service-entries/https Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

ALGTypeServiceEntry+

ALGTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
alg	The Application Layer Gateway (ALG) protocol The Application Layer Gateway (ALG) protocol. Please note, protocol NBNS_BROADCAST and NBDG_BROADCAST are deprecated. Please use UDP protocol and create L4 Port Set type of service instead.	string	Required Enum: ORACLE_TNS, FTP, SUN_RPC_TCP, SUN_RPC_UDP, MS_RPC_TCP, MS_RPC_UDP, NBNS_BROADCAST, NBDG_BROADCAST, TFTP
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
destination_ports	The destination_port cannot be empty and must be a single value.	array of PortElement	Required Minimum items: 1 Maximum items: 1
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value ALGTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
source_ports		array of PortElement	Maximum items: 15
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

EtherTypeServiceEntry+

EtherTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
ether_type	Type of the encapsulated protocol	integer	Required
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value EtherTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

ICMPTypeServiceEntry+

ICMPTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
icmp_code	ICMP message code	integer	Minimum: 0 Maximum: 255
icmp_type	ICMP message type	integer	Minimum: 0 Maximum: 255
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
protocol		string	Required Enum: ICMPv4, ICMPv6
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value ICMPTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

IGMPTypeServiceEntry+

IGMPTypeServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value IGMPTypeServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

IPProtocolServiceEntry+

IPProtocolServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
protocol_number		integer	Required Minimum: 0 Maximum: 255
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value IPProtocolServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

L4PortSetServiceEntry+

L4PortSetServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
destination_ports	Number of values should not exceed 15, ranges count as 2 values.	array of PortElement	Maximum items: 15
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
l4_protocol		string	Required Enum: TCP, UDP
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value L4PortSetServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
source_ports	Number of values should not exceed 15, ranges count as 2 values.	array of PortElement	Maximum items: 15
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

NestedServiceServiceEntry+

NestedServiceServiceEntry (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
nested_service_path	path of nested service	string	Required
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
resource_type	Must be set to the value NestedServiceServiceEntry	string	Required Enum: IPProtocolServiceEntry, IGMPTypeServiceEntry, ICMPTypeServiceEntry, ALGTypeServiceEntry, L4PortSetServiceEntry, EtherTypeServiceEntry, NestedServiceServiceEntry
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Delete Service entry

Delete Service entry This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

DELETE

URI Path(s):

/policy/api/v1/infra/services/{service-id}/service-entries/{service-entry-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/services/{service-id}/service-entries/{service-entry-id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: DELETE https://<policy-mgr>/policy/api/v1/infra/services/my-http/service-entries/https Successful Response:

Response Code:

200 OK

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_services Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Tags

Associated URIs:

GET /policy/api/v1/infra/tags
GET /policy/api/v1/global-infra/tags
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tags
GET /policy/api/v1/infra/tags/effective-resources
GET /policy/api/v1/global-infra/tags/effective-resources
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tags/effective-resources
GET /policy/api/v1/infra/tags/tag-operations/{operation-id}
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tags/tag-operations/{operation-id}
PUT /policy/api/v1/infra/tags/tag-operations/{operation-id}
PUT /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tags/tag-operations/{operation-id}
GET /policy/api/v1/infra/tags/tag-operations/{operation-id}/status
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tags/tag-operations/{operation-id}/status

List all unique tags.

Returns paginated list of all unique tags. Supports filtering by scope, tag and
source from which tags are synced. Supports starts with, ends with, equals and
contains operators on scope and tag values.
To filter tags by starts with on scope or tag, use '*' as suffix after the value.
To filter tags by ends with on scope or tag, use '*' as prefix before the value.
To filter tags by contain on scope or tag, use '*' as prefix and suffix on the value.
Below special characters in the filter value needs to be escaped with hex values.
- Character '&' needs to be escaped as '%26'
- Character '[' needs to be escaped as '%5B'
- Character ']' needs to be escaped as '%5D'
- Character '+' needs to be escaped as '%2B'
- Character '#' needs to be escaped as '%23'
Sort option for list of unique tags is available only on tag and scope properties.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/tags

/policy/api/v1/global-infra/tags

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tags

Request Headers:

n/a

Query Parameters:

TagInfoListRequestParameters+

TagInfoListRequestParameters (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of members needs to be fetched. Forward slashes must be escaped using %2F.	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
scope	Tag scope	string
sort_ascending		boolean
sort_by	Field by which records are sorted	string
source	Source from which tags are synced.	string	Enum: Amazon, Azure, NSX, ANY
tag	Tag value	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/tags Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TagInfoListResult+

Example Response: ## For /infra/tags ## { "results": [ { "scope": "os", "tag": "windows", "tagged_objects": 250 }, { "scope": "os", "tag": "ubantu", "tagged_objects": 100 } ], "result_count": 2 } ## For /infra/tags?tag=win* ## { "results": [ { "scope": "os", "tag": "windows", "tagged_objects": 250 } ], "result_count": 1 } ## For /infra/tags?tag=*ban* ## { "results": [ { "scope": "os", "tag": "ubantu", "tagged_objects": 100 } ], "result_count": 1 } Required Permissions: read Feature: policy_vm_vm_tags Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List all objects assigned with matching scope and tag values

Paginated list of all objects assigned with matching scope and tag values. Objects
are represented in form of resource reference. Sort option is available only on
target_type and target_display_name properties.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/tags/effective-resources

/policy/api/v1/global-infra/tags/effective-resources

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tags/effective-resources

Request Headers:

n/a

Query Parameters:

TaggedObjectsListRequestParameters+

TaggedObjectsListRequestParameters (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
enforcement_point_path	String Path of the enforcement point The path of the enforcement point from which the list of members needs to be fetched. Forward slashes must be escaped using %2F.	string
filter_by	Comma-separated list of field names to filter tagged objects. Comma-separated list of field names used to filter tagged objects. Supported field names are resource_type, display_name and external_id.	string
filter_text	Filter text to restrict tagged objects list with matching filter text.	string
include_mark_for_delete_objects	Include objects that are marked for deletion in results If true, resources that are marked for deletion will be included in the results. By default, these resources are not included.	boolean	Default: "False"
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
scope	Tag scope	string
sort_ascending		boolean
sort_by	Field by which records are sorted	string
tag	Tag value	string

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/tags/effective-resources?scope=type&tag=app Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

PolicyResourceReferenceListResult+

Example Response: { "results": [ { "target_type": "VirtualMachine", "target_display_name": "App-VM-1", "target_id": "564d8b81-983d-b8ef-686b-161205939c58" }, { "target_type": "Group", "target_display_name": "app-vms", "path": "/infra/domains/default/groups/app-vms" } ], "result_count": 2 } Required Permissions: read Feature: policy_vm_vm_tags Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Assign or Unassign tag on multiple Virtual Machines.

Tag can be assigned or unassigned on multiple objects. Supported object type is
restricted to Virtual Machine for now and support for other objects will be added
later. Permissions for tag bulk operation would be similar to virtual machine
tag permissions.
Request:

Method:

PUT

URI Path(s):

/policy/api/v1/infra/tags/tag-operations/{operation-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tags/tag-operations/{operation-id}

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

TagBulkOperation+

TagBulkOperation (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
apply_to	List of resources on which tag needs to be applied List of resources on which tag needs to be applied.	array of ResourceInfo
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
remove_from	List of resources from which tag needs to be removed List of resources from which tag needs to be removed.	array of ResourceInfo
resource_type	Must be set to the value TagBulkOperation	string
tag	Tag	Tag	Required
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Request: PUT https://<policy-mgr>/policy/api/v1/infra/tags/tag-operations/win-vm-update { "tag": { "scope": "os", "tag": "windows" }, "apply_to": [ { "resource_type": "VirtualMachine", "resource_ids": [ "ee98a906-7b84-42ae-9413-d812cdb64543" ] } ], "remove_from":[ { "resource_type": "VirtualMachine", "resource_ids": [ "564d8b81-983d-b8ef-686b-161205939c58" ] } ] } Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TagBulkOperation+

TagBulkOperation (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
apply_to	List of resources on which tag needs to be applied List of resources on which tag needs to be applied.	array of ResourceInfo
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
remove_from	List of resources from which tag needs to be removed List of resources from which tag needs to be removed.	array of ResourceInfo
resource_type	Must be set to the value TagBulkOperation	string
tag	Tag	Tag	Required
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

Example Response: { "tag": { "scope": "os", "tag": "windows" }, "apply_to": [ { "resource_type": "VirtualMachine", "resource_ids": [ "ee98a906-7b84-42ae-9413-d812cdb64543" ] } ], "remove_from":[ { "resource_type": "VirtualMachine", "resource_ids": [ "564d8b81-983d-b8ef-686b-161205939c58" ] } ], "resource_type": "TagBulkOperation", "id": "win-vm-update", "display_name": "win-vm-update", "path": "/infra/tags/tag-operations/win-vm-update", "relative_path": "win-vm-update", "parent_path": "/infra/tags/tag-operations", "marked_for_delete": false, "_create_user": "admin", "_create_time": 1544641564432, "_last_modified_user": "admin", "_last_modified_time": 1544641564432, "_system_owned": false, "_protection": "NOT_PROTECTED", "_revision": 0 } Required Permissions: crud Feature: policy_vm_vm_tags Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get details of tag bulk operation request

Get details of tag bulk operation request with which tag is applied or removed
on virtual machines.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/tags/tag-operations/{operation-id}

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tags/tag-operations/{operation-id}

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/tags/tag-operations/win-vm-update Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TagBulkOperation+

TagBulkOperation (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
apply_to	List of resources on which tag needs to be applied List of resources on which tag needs to be applied.	array of ResourceInfo
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.	string	Readonly
relative_path	Relative path of this object Path relative from its parent	string	Readonly
remote_path	Path of the object on the remote end. This path is populated only in case of multi-site scenario. Currently it is supported only for LM objects. When LM is onboarded to multi-site platform like NAPP or GM, remote_path will be set to the globally unique path across multi-site topology . It is generated based on local site-name and uses /org tree namespace. Note: It is populated only for LM objects. Not supported on the GM.	string	Readonly
remove_from	List of resources from which tag needs to be removed List of resources from which tag needs to be removed.	array of ResourceInfo
resource_type	Must be set to the value TagBulkOperation	string
tag	Tag	Tag	Required
tags	Opaque identifiers meaningful to the API user	array of Tag	Maximum items: 30
unique_id	A unique identifier assigned by the system This is a UUID generated by the GM/LM to uniquely identify entities in a federated environment. For entities that are stretched across multiple sites, the same ID will be used on all the stretched sites.	string	Readonly

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get status of tag bulk operation

Get status of tag bulk operation with details of tag operation on each virtual machine.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/tags/tag-operations/{operation-id}/status

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/tags/tag-operations/{operation-id}/status

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/tags/tag-operations/win-vm-update/status Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

TagBulkOperationStatus+

Example Response: { "tag": { "scope": "os", "tag": "windows" }, "status": "Error", "apply_to": [ { "resource_type": "VirtualMachine", "resource_tag_status": [ { "resource_id": "e98a906-7b84-42ae-9413-d812cdb64543", "tag_status": "Success" } ] } ], "remove_from":[ { "resource_type": "VirtualMachine", "resource_tag_status": [ { "resource_id": "564d8b81-983d-b8ef-686b-161205939c58", "tag_status": "Error", "details": "VM with external id not found" } ] } ], } Required Permissions: crud Feature: policy_vm_vm_tags Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Virtual Interfaces

Associated URIs:

GET /api/v1/fabric/vifs

Return the List of Virtual Network Interfaces (VIFs)

Returns information about all VIFs. A virtual network interface aggregates
network interfaces into a logical interface unit that is indistinuishable
from a physical network interface.
Request:

Method:

GET

URI Path(s):

/api/v1/fabric/vifs

Request Headers:

n/a

Query Parameters:

VifListRequestParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/vifs Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VirtualNetworkInterfaceListResult+

Example Response: { "result_count": 2, "results": [ { "resource_type": "VirtualNetworkInterface", "device_key": "4000", "device_name": "Network adapter 1", "ip_address_info": [ { "ip_addresses": [ "172.16.20.10", "fe80::250:56ff:fe86:f2b2" ], "source": "VM_TOOLS" } ], "vm_local_id_on_host": "1", "mac_address": "00:50:56:86:f2:b2", "owner_vm_id": "5006d98a-352f-134f-df6b-33e7f8d5de65", "external_id": "5006d98a-352f-134f-df6b-33e7f8d5de65-4000", "lport_attachment_id": "3d4b208c-b986-47f7-8a29-a74610d33a13", "host_id": "74730a28-e52d-11e5-936e-6f061d405a28" }, { "resource_type": "VirtualNetworkInterface", "device_key": "4000", "device_name": "Network adapter 1", "ip_address_info": [ { "ip_addresses": [ "172.16.20.11", "fe80::250:56ff:feb1:705e" ], "source": "VM_TOOLS" } ], "vm_local_id_on_host": "3", "mac_address": "00:50:56:b1:70:5e", "owner_vm_id": "50314b00-d422-d5d0-0cb2-d8a904a31c16", "external_id": "50314b00-d422-d5d0-0cb2-d8a904a31c16-4000", "lport_attachment_id": "d0649784-6fb8-43f9-be9e-88d3ee357f6e", "host_id": "65bcd211-e570-11e5-8472-991cc87d670e" } ] } Required Permissions: read Feature: vm_vm_info Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Virtual Machines

Associated URIs:

GET /api/v1/fabric/virtual-machines
POST /api/v1/fabric/virtual-machines?action=update_tags
POST /api/v1/fabric/virtual-machines?action=add_tags
POST /api/v1/fabric/virtual-machines?action=remove_tags
GET /api/v1/fabric/virtual-machines/tools-info
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/virtual-machines (Deprecated)
POST /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/virtual-machines?action=update_tags (Deprecated)
GET /policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/virtual-machines/{virtual-machine-id}/details
GET /policy/api/v1/infra/realized-state/system-excluded-virtual-machines
GET /policy/api/v1/infra/realized-state/system-virtual-machines
GET /policy/api/v1/infra/realized-state/unassociated-virtual-machines
GET /policy/api/v1/infra/realized-state/virtual-machines
GET /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/realized-state/virtual-machines
POST /policy/api/v1/infra/realized-state/virtual-machines/{virtual-machine-id}/tags
POST /policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/realized-state/virtual-machines/{virtual-machine-id}/tags

Return the List of Virtual Machines

Returns information about all virtual machines.
If you have not added NSX tags on the VM or removed
all the NSX tags that were earlier added to the VM,
then tags property is not returned in the API response.
Request:

Method:

GET

URI Path(s):

/api/v1/fabric/virtual-machines

Request Headers:

n/a

Query Parameters:

VirtualMachineListRequestParameters+

VirtualMachineListRequestParameters (schema)

Name	Description	Type	Notes
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
display_name	Display Name of the virtual machine	string
exclude_vm_type	VM types to be excluded Specifies VM types, which needs to be excluded. It will be comma seperated to specify multiple VM type.	string
external_id	External id of the virtual machine	string
host_id	Id of the host where this vif is located	string
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/virtual-machines Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VirtualMachineListResult+

Example Response: ## For /fabric/virtual-machines ## { "result_count" : 1, "results" : [ { "display_name" : "Iws-2", "resource_type" : "VirtualMachine", "local_id_on_host": "1", "external_id" : "420e72c9-55e7-a4f7-81bf-673a2af1a6cf", "host_id" : "cf0ffd7a-818a-11e4-9ab1-cb7a79b0af39", "compute_ids" : [ "locationId:420e72c9-55e7-a4f7-81bf-673a2af1a6cf", "instanceUuid:500e0c08-2ecc-2609-d9ba-ed489e48c787", "biosUuid:420e72c9-55e7-a4f7-81bf-673a2af1a6cf", "externalId:420e72c9-55e7-a4f7-81bf-673a2af1a6cf", "hostLocalId:1", "moIdOnHost:1" ], "source" : { "target_display_name" : "sc2-rdops-vm03-dhcp-102-35.eng.vmware.com", "is_valid" : true, "target_type" : "HostNode", "target_id" : "3d0574b8-267c-11e7-9126-0febdf149b8c" }, "type" : "REGULAR", "power_state" : "VM_RUNNING", "guest_info": { "os_name": "Ubuntu Linux (64-bit)", "computer_name": "app-vm" }, "_last_sync_time" : 1493291539130 } ] } ## For fabric/virtual-machines?external_id=5006d98a-352f-134f-df6b-33e7f8d5de65 ## { "result_count": 1, "results": [ { "resource_type": "VirtualMachine", "display_name": "app-vm", "compute_ids": [ "instanceUuid:5006d98a-352f-134f-df6b-33e7f8d5de65", "moIdOnHost:1", "externalId:5006d98a-352f-134f-df6b-33e7f8d5de65", "hostLocalId:1", "locationId:564d1012-15a8-dd22-9c13-f53d697678a8", "biosUuid:4206a555-5a2f-edaa-d215-dac9508da942" ], "external_id": "5006d98a-352f-134f-df6b-33e7f8d5de65", "source" : { "target_display_name" : "sc2-rdops-vm03-dhcp-102-35.eng.vmware.com", "is_valid" : true, "target_type" : "HostNode", "target_id" : "3d0574b8-267c-11e7-9126-0febdf149b8c" }, "type": "REGULAR", "host_id": "74730a28-e52d-11e5-936e-6f061d405a28", "local_id_on_host": "1", "power_state" : "VM_RUNNING", "guest_info": { "os_name": "Ubuntu Linux (64-bit)", "computer_name": "app-vm" }, "_last_sync_time" : 1493291539130 } ] } ## For fabric/virtual-machines?display_name=web-vm ## { "result_count": 1, "results": [ { "resource_type": "VirtualMachine", "display_name": "web-vm", "compute_ids": [ "instanceUuid:50069c43-e024-9fce-6017-001a87ef32be", "moIdOnHost:1", "externalId:50069c43-e024-9fce-6017-001a87ef32be", "hostLocalId:1", "locationId:564d6439-4abb-e39c-1a2f-d2524e3cc3e1", "biosUuid:42060137-3f57-15bb-1bfc-293c4ba89050" ], "external_id": "50069c43-e024-9fce-6017-001a87ef32be", "source" : { "target_display_name" : "sc2-rdops-vm03-dhcp-102-35.eng.vmware.com", "is_valid" : true, "target_type" : "HostNode", "target_id" : "3d0574b8-267c-11e7-9126-0febdf149b8c" }, "type": "REGULAR", "host_id": "65bcd211-e570-11e5-8472-991cc87d670e", "local_id_on_host": "1", "power_state" : "VM_RUNNING", "guest_info": { "os_name": "Ubuntu Linux (64-bit)", "computer_name": "web-vm" }, "_last_sync_time" : 1493291539130 } ] } ## For fabric/virtual-machines?display_name=db-vm-new&external_id=50314b00-d422-d5d0-0cb2-d8a904a31c16 ## { "result_count": 1, "results": [ { "resource_type": "VirtualMachine", "display_name": "db-vm-new", "compute_ids": [ "instanceUuid:50314b00-d422-d5d0-0cb2-d8a904a31c16", "moIdOnHost:3", "externalId:50314b00-d422-d5d0-0cb2-d8a904a31c16", "hostLocalId:3", "locationId:564d90f6-8f73-1baa-8226-82d85cc9c5c8", "biosUuid:4231c15f-ca24-b567-65b4-17bf1c0dd20e" ], "external_id": "50314b00-d422-d5d0-0cb2-d8a904a31c16", "source" : { "target_display_name" : "sc2-rdops-vm03-dhcp-102-35.eng.vmware.com", "is_valid" : true, "target_type" : "HostNode", "target_id" : "3d0574b8-267c-11e7-9126-0febdf149b8c" }, "type": "REGULAR", "host_id": "65bcd211-e570-11e5-8472-991cc87d670e", "local_id_on_host": "3", "power_state" : "VM_RUNNING", "guest_info": { "os_name": "Microsoft Windows 10 (64-bit)", "computer_name": "db-vm" }, "_last_sync_time" : 1493291539130 } ] } Required Permissions: read Feature: vm_vm_info Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Return the list of tools and agents installed in VMs.

This API returns the list of tools and agents installed in VMs. Request:

Method:

GET

URI Path(s):

/api/v1/fabric/virtual-machines/tools-info

Request Headers:

n/a

Query Parameters:

ListRequestParameters+

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/virtual-machines/tools-info Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VmToolsInfoListResult+

Example Response: { "result_count": 1, "results": [ { "resource_type": "VmToolsInfo", "external_id": "a46b3633-22b3-49f9-87bd-b888b1bd0656", "host_local_id": "vm-1", "source": { "target_display_name": "192.168.0.2", "is_valid": true, "target_type": "HostNode", "target_id": "d25ae6ce-e599-4c66-8583-b10e31fcdf48" }, "file_agent_version": "10.3.5.0", "network_agent_version": "1.9.1", "vmtools_version": "10.7.1.0" } ] } Required Permissions: read Feature: vm_vm_info Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Perform action on specified virtual machine e.g. update tags

Perform action on a specific virtual machine. External id of the virtual machine needs to be
provided in the request body. Some of the actions that can be performed are update tags, add
tags, remove tags.
To add tags to existing list of tag, use action parameter add_tags.
To remove tags from existing list of tag, use action parameter remove_tags.
To replace existing tags with new tags, use action parameter update_tags.
To clear all tags, provide an empty list and action parameter as update_tags.
The vmw-async: True HTTP header cannot be used with this API.
Request:

Method:

POST

URI Path(s):

/api/v1/fabric/virtual-machines?action=add_tags

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

VirtualMachineTagUpdate+

Example Request: POST https://<nsx-mgr>/api/v1/fabric/virtual-machines?action=add_tags { "external_id": "ID-0", "tags": [ {"scope": "os", "tag": "win32"}, {"scope": "security", "tag": "PCI"} ] } Successful Response:

Response Code:

204 No Content

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: vm_vm_tags Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Perform action on specified virtual machine e.g. update tags

Method:

POST

URI Path(s):

/api/v1/fabric/virtual-machines?action=remove_tags

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

VirtualMachineTagUpdate+

Example Request: POST https://<nsx-mgr>/api/v1/fabric/virtual-machines?action=remove_tags { "external_id": "ID-0", "tags": [ {"scope": "os", "tag": "win32"}, {"scope": "security", "tag": "PCI"} ] } Successful Response:

Response Code:

204 No Content

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: vm_vm_tags Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Perform action on specified virtual machine e.g. update tags

Method:

POST

URI Path(s):

/api/v1/fabric/virtual-machines?action=update_tags

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

VirtualMachineTagUpdate+

Example Request: POST https://<nsx-mgr>/api/v1/fabric/virtual-machines?action=update_tags { "external_id": "ID-0", "tags": [ {"scope": "os", "tag": "win32"}, {"scope": "security", "tag": "PCI"} ] } Successful Response:

Response Code:

204 No Content

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: vm_vm_tags Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Listing of Virtual machines on the NSX Manager (Deprecated)

This API filters objects of type virtual machines from the specified NSX Manager.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/virtual-machines

Request Headers:

n/a

Query Parameters:

AdditionalSearchParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/enforcement-points/default/virtual-machines Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

SearchResponse+

Example Response: { "cursor": "1", "result_count": 10004, "results": [ { "compute_ids": [ "moIdOnHost:1", "hostLocalId:1", "locationId:564d75b2-7e28-7e78-dd77-64e5fd6128e1", "instanceUuid:04fb2e78-e4bc-416f-b9dc-18b9f05e6227", "externalId:564d75b2-7e28-7e78-dd77-64e5fd6128e1", "biosUuid:564d75b2-7e28-7e78-dd77-64e5fd6128e1" ], "resource_type": "VirtualMachine", "external_id": "564d75b2-7e28-7e78-dd77-64e5fd6128e1", "source": { "target_display_name": "sc-rdops-vm09-dhcp-16-203.eng.vmware.com", "is_valid": true, "target_type": "HostNode", "target_id": "1afea8da-d4e2-11e7-93c3-c57b39f75a4f" }, "_last_sync_time": 1512031301409, "display_name": "1-vm_ubuntu_1404_srv_64-local-586-04fb2e78-e4bc-416f-b9dc-18b9f05e6227", "type": "REGULAR", "power_state": "VM_RUNNING", "host_id": "1afea8da-d4e2-11e7-93c3-c57b39f75a4f", "local_id_on_host": "1" } ] } Required Permissions: read Feature: vm_vm_info Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Read the details of a virtual machine on the NSX Manager

This API return optional details about a virtual machines (e.g. user login session) from the
specified enforcement point.
In case of NSXT, virtual-machine-id would be the value of the external_id of the virtual machine.
This API is only available when using VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/virtual-machines/{virtual-machine-id}/details

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/enforcement-points/default/virtual-machines/564d75b2-7e28-7e78-dd77-64e5fd6128e1/details Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VirtualMachineDetails+

Example Response: { "active_sessions": [ { "domain_name": "test.com", "user_name": "test6", "login_time": 1540338056213, "logout_time": 0, "user_session_id": 0 }], "archived_sessions": [ { "domain_name": "test.com", "user_name": "test6", "login_time": 1540338057355, "logout_time": 154033872131, "user_session_id": 3, }, { "domain_name": "test.com", "user_name": "test6", "login_time": 1540338059011, "logout_time": 1540338061036, "user_session_id": 4 } ] } Required Permissions: read Feature: policy_identity Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Apply tags on virtual machine (Deprecated)

Allows an admin to apply multiple tags to a virtual machine. This operation
does not store the intent on the policy side. It applies the tag directly
on the specified enforcement point. This operation will replace the existing
tags on the virtual machine with the ones that have been passed. If the
application of tag fails on the enforcement point, then an error is
reported. The admin will have to retry the operation again. Policy
framework does not perform a retry. Failure could occur due to multiple
reasons. For e.g enforcement point is down, Enforcement point could not
apply the tag due to constraints like max tags limit exceeded, etc.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/realized-state/enforcement-points/{enforcement-point-name}/virtual-machines?action=update_tags

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

VirtualMachineTagsUpdate+

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/realized-state/enforcement-points/default/virtual-machines?action=update_tags { "virtual_machine_id": "ID-0", "tags": [ {"scope": "web", "tag": "web-vm"}, {"scope": "ostype", "tag": "WINDOWS"} ] } Successful Response:

Response Code:

204 No Content

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: vm_vm_info Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Lists all the system excluded virtual machines.

Lists all the system virtual machines that are auto excluded in
firewall exclude list (example -Partner and Edge VMs etc)
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/system-excluded-virtual-machines

Request Headers:

n/a

Query Parameters:

SystemVMListRequestParameter+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/system-excluded-virtual-machines Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VirtualMachineListResult+

Example Response: { "results": [ { "host_id": "f8aeaa94-3e3b-48dd-bbd4-595676b87aaa", "source": { "target_id": "f8aeaa94-3e3b-48dd-bbd4-595676b87aaa", "target_display_name": "TN-1", "target_type": "HostNode", "is_valid": true }, "external_id": "6ab92268-3ae3-443f-b073-c8020fe783a5", "power_state": "VM_RUNNING", "local_id_on_host": "2", "compute_ids": [ "moIdOnHost:2", "hostLocalId:2", "locationId:564dc3dc-7e69-5e4f-102a-c29b5dddba49", "instanceUuid:6ab92268-3ae3-443f-b073-c8020fe783a5", "externalId:6ab92268-3ae3-443f-b073-c8020fe783a5", "biosUuid:564dc3dc-7e69-5e4f-102a-c29b5dddba49" ], "type": "INTELLIGENCE", "resource_type": "VirtualMachine", "display_name": "vsphere_vm_2", "_last_sync_time": 1589890824000 } ] } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Lists all the system virtual machines.

Lists all the system virtual machines (example -Partner and Edge VMs etc)
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/system-virtual-machines

Request Headers:

n/a

Query Parameters:

SystemVMListRequestParameter+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/system-virtual-machines Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VirtualMachineListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List all virtual machines which are not part of any group

This API filters objects of type virtual machine which are not part of any group. This API also gives some VM
details such as VM name, IDs and the current state of the VMs.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/unassociated-virtual-machines

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/unassociated-virtual-machines?enforcement_point_path=/infra/deployment-zones/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VirtualMachineListResult+

Example Response: { "sort_ascending": true, "sort_by": "display_name", "result_count": 1, "results": [ { "compute_ids": [ "moIdOnHost:1", "hostLocalId:1", "locationId:564d75b2-7e28-7e78-dd77-64e5fd6128e1", "instanceUuid:04fb2e78-e4bc-416f-b9dc-18b9f05e6227", "externalId:564d75b2-7e28-7e78-dd77-64e5fd6128e1", "biosUuid:564d75b2-7e28-7e78-dd77-64e5fd6128e1" ], "resource_type": "VirtualMachine", "external_id": "564d75b2-7e28-7e78-dd77-64e5fd6128e1", "source": { "target_display_name": "sc-rdops-vm09-dhcp-16-203.eng.vmware.com", "is_valid": true, "target_type": "HostNode", "target_id": "1afea8da-d4e2-11e7-93c3-c57b39f75a4f" }, "_last_sync_time": 1512031301409, "display_name": "1-vm_ubuntu_1404_srv_64-local-586-04fb2e78-e4bc-416f-b9dc-18b9f05e6227", "type": "REGULAR", "power_state": "VM_RUNNING", "host_id": "1afea8da-d4e2-11e7-93c3-c57b39f75a4f", "local_id_on_host": "1" } ] } Required Permissions: read Feature: infra_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

List all virtual machines

This API filters objects of type virtual machine. This API also gives some VM
details such as VM name, IDs and the current state of the VMs.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

GET

URI Path(s):

/policy/api/v1/infra/realized-state/virtual-machines

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/realized-state/virtual-machines

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

n/a

Example Request: GET https://<policy-mgr>/policy/api/v1/infra/realized-state/virtual-machines?enforcement_point_path=/infra/deployment-zones/default/enforcement-points/ep1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VirtualMachineListResult+

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Apply tags on virtual machine

Allows an admin to apply multiple tags to a virtual machine. This operation
does not store the intent on the policy side. It applies the tag directly
on the specified enforcement point. This operation will replace the existing
tags on the virtual machine with the ones that have been passed. If the
application of tag fails on the enforcement point, then an error is
reported. The admin will have to retry the operation again. Policy
framework does not perform a retry. Failure could occur due to multiple
reasons. For e.g enforcement point is down, Enforcement point could not
apply the tag due to constraints like max tags limit exceeded, etc.
NOTE: The "virtual_machine_id" field in the payload will be ignored and the
virtual machine ID provided in the URL will be honored.
This API is available when using VMware Cloud (AWS, Dell-EMC, Outpost, Hyperscalers) or VMware NSX. Request:

Method:

POST

URI Path(s):

/policy/api/v1/infra/realized-state/virtual-machines/{virtual-machine-id}/tags

/policy/api/v1/orgs/{org-id}/projects/{project-id}/infra/realized-state/virtual-machines/{virtual-machine-id}/tags

Request Headers:

n/a

Query Parameters:

RealizationListRequestParameters+

Request Body:

VirtualMachineTagsUpdate+

Example Request: POST https://<policy-mgr>/policy/api/v1/infra/realized-state/virtual-machines//tags { "tags": [ {"scope": "web", "tag": "web-vm"}, {"scope": "ostype", "tag": "WINDOWS"} ] } Successful Response:

Response Code:

204 No Content

Response Headers:

n/a

Response Body:

n/a

Required Permissions: crud Feature: policy_vm_vm_tags Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Virtual Switches

Associated URIs:

GET /api/v1/fabric/virtual-switches

Return the List of Virtual Switches

Returns information about all Distributed virtual switches based on the request parameters.
Request:

Method:

GET

URI Path(s):

/api/v1/fabric/virtual-switches

Request Headers:

n/a

Query Parameters:

VirtualSwitchListRequestParameters+

VirtualSwitchListRequestParameters (schema)

Name	Description	Type	Notes
cm_local_id	Local Id of the virtual switch	string
cursor	Opaque cursor to be used for getting next page of records (supplied by current result page)	string
discovered_node_id	Discovered node ID All virtual switches connected to this discovered node.	string
display_name	Display name of the virtual switch	string
external_id	External id of the virtual switch	string
included_fields	Comma separated list of fields that should be included in query result Note - this parameter currently only works when used with the search APIs /policy/api/v1/search/query and /policy/api/v1/search/dsl. It is ignored for other list APIs.	string
origin_id	ID of the compute manager	string
page_size	Maximum number of results to return in this page (server may return fewer)	integer	Minimum: 0 Maximum: 1000 Default: "1000"
sort_ascending		boolean
sort_by	Field by which records are sorted	string
uuid	UUID of the switch	string

Request Body:

n/a

Example Request: GET https://<nsx-mgr>/api/v1/fabric/virtual-switches Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

DistributedVirtualSwitchListResult+

Example Response: { "results" : [ { "uuid" : "50 20 7e d8 ed 6e 2c c8-66 ae d8 12 f7 a0 a4 b1", "origin_properties" : [ { "key" : "maxMtu", "value" : "1500" }, { "key" : "productInfo.vendor", "value" : "VMware, Inc." }, { "key" : "policy.autoUpgradeAllowed", "value" : "true" }, { "key" : "policy.partialUpgradeAllowed", "value" : "true" }, { "key" : "productInfo.forwardingClass", "value" : "cswitch" }, { "key" : "multicastFilteringMode", "value" : "snooping" }, { "key" : "productInfo.version", "value" : "7.0.0" }, { "key" : "productInfo.name", "value" : "DVS" }, { "key" : "productInfo.bundleUrl", "value" : "" }, { "key" : "lacpApiVersion", "value" : "multipleLag" }, { "key" : "productInfo.bundleId", "value" : "" }, { "key" : "policy.autoPreInstallAllowed", "value" : "true" }, { "key" : "productInfo.build", "value" : "00000" } ], "uplink_port_names" : [ "Uplink 1", "Uplink 2", "Uplink 3", "Uplink 4" ], "lacp_group_configs" : [ ], "discovered_nodes" : [ { "external_id" : "748f7736-4807-4007-ad5c-6ef082975719:host-16", "ip_addresses" : [ "10.160.132.101", "fd01:0:101:2604:0:9ff:feb2:ca8a", "fd01:0:101:2604:0:a:0:45b" ], "origin_id" : "748f7736-4807-4007-ad5c-6ef082975719", "cm_local_id" : "host-16", "node_type" : "HostNode", "display_name" : "10.160.132.101" } ], "uplink_portgroup" : { "overall_status" : "GREEN", "key" : "dvportgroup-3002", "display_name" : "DSwitch-DVUplinks-3001", "external_id" : "748f7736-4807-4007-ad5c-6ef082975719:dvportgroup-3002", "cm_local_id" : "dvportgroup-3002", "origin_type" : "DistributedVirtualPortgroup" }, "display_name" : "DSwitch", "external_id" : "748f7736-4807-4007-ad5c-6ef082975719:dvs-3001", "origin_id" : "748f7736-4807-4007-ad5c-6ef082975719", "cm_local_id" : "dvs-3001", "owner_nsx" : MULTIPLE, "origin_type" : "VmwareDistributedVirtualSwitch" } ], "result_count" : 1 } Required Permissions: read Feature: compute_managers_inventory Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Policy: Inventory: Vm

Associated URIs:

GET /policy/api/v1/global-infra/vm-tag-replication-policies
GET /policy/api/v1/global-infra/vm-tag-replication-policies/{id}

List all VM tag replication policies

List all VM tag replication policies.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/vm-tag-replication-policies

Request Headers:

n/a

Query Parameters:

VMTagReplicationPolicyListRequestParameters+

Request Body:

n/a

Example Request: GET https://<global-manager>/global_manager/api/v1/global-infra/vm-tag-replication-policies Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VMTagReplicationPolicyListResult+

Example Response: { "result_count": 1, "results": [ { "display_name": "VMTag replication policy 1", "description": "VMTag replication policy 1", "protected_site": "/global-infra/sites/pune", "recovery_sites": [ "/global-infra/sites/london" ], "vm_match_criteria": "MATCH_NSX_ATTACHMENT_ID", "groups": [ "/global-infra/domains/d1/groups/g1", "/global-infra/domains/d2/groups/g2" ], "id": "policy1", "path": "/global-infra/vm-tag-replication-policies/policy1", "_revision": 2 } ] } Required Permissions: read Feature: site_admin Additional Errors:

301 Moved Permanently
307 Temporary Redirect
400 Bad Request
403 Forbidden
404 Not Found
405 Method Not Allowed
409 Conflict
412 Precondition Failed
415 Unsupported Media Type
428 Precondition Required
429 Too Many Requests
500 Internal Server Error
503 Service Unavailable

Get the VM tag replication policy specified by id

Get the VM tag replication policy specified by id.
Request:

Method:

GET

URI Path(s):

/policy/api/v1/global-infra/vm-tag-replication-policies/{id}

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

n/a

Example Request: GET https://<global-manager>/global_manager/api/v1/global-infra/vm-tag-replication-policies/policy1 Successful Response:

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

VMTagReplicationPolicy+

VMTagReplicationPolicy (schema)

Name	Description	Type	Notes
_create_time	Timestamp of resource creation	EpochMsTimestamp	Readonly Sortable
_create_user	ID of the user who created this resource	string	Readonly
_last_modified_time	Timestamp of last modification	EpochMsTimestamp	Readonly Sortable
_last_modified_user	ID of the user who last modified this resource	string	Readonly
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_protection	Indicates protection status of this resource Protection status is one of the following: PROTECTED - the client who retrieved the entity is not allowed to modify it. NOT_PROTECTED - the client who retrieved the entity is allowed to modify it REQUIRE_OVERRIDE - the client who retrieved the entity is a super user and can modify it, but only when providing the request header X-Allow-Overwrite=true. UNKNOWN - the _protection field could not be determined for this entity.	string	Readonly
_revision	Generation of this resource config The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected.	int
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
_system_owned	Indicates system owned resource	boolean	Readonly
children	Subtree for this type within policy tree Subtree for this type within policy tree containing nested elements. Note that this type is applicable to be used in Hierarchical API only.	array of ChildPolicyConfigResource Children are not allowed for this type
description	Description of this resource	string	Maximum length: 1024 Sortable
display_name	Identifier to use when displaying entity in logs or GUI Defaults to ID if not set	string	Maximum length: 255 Sortable
groups	Paths of groups Paths of groups (VM tag-based, VM name-based, etc.) that translates into VMs to be replicated from protected site to recovery sites. If no group is specified, none of the VM tag will be replicated from protected site to recovery sites.	array of string
id	Unique identifier of this resource	string	Sortable
marked_for_delete	Indicates whether the intent object is marked for deletion Intent objects are not directly deleted from the system when a delete is invoked on them. They are marked for deletion and only when all the realized entities for that intent object get deleted, the intent object is deleted. Objects that are marked for deletion are not returned in GET call. One can use the search API to get these objects.	boolean	Readonly Default: "False"
origin_site_id	A unique identifier assigned by the system for knowing which site owns an object This is a UUID generated by the system for knowing which site owns an object. This is used in NSX+.	string	Readonly
overridden	Indicates whether this object is the overridden intent object Global intent objects cannot be modified locally by the user. However, certain global intent objects can be overridden locally by use of this property. In such cases, the overridden local values take precedence over the globally defined values for the properties.	boolean	Readonly Default: "False"
owner_id	A unique identifier assigned by the system for the ownership of an object This is a UUID generated by the system for knowing who owns this object. This is used in NSX+.	string	Readonly
parent_path	Path of its parent Path of its parent	string	Readonly
path	Absolute path of this object Absolute path of this object	string	Readonly
protected_site	A path of protected site A path of protected site, from where tags of selected VMs will be replicated to recovery sites.	string	Required
realization_id	A unique identifier assigned by the system for realizing intent This is a UUID generated by the system for realizing the entity object. In most cases this should be same as 'unique_id' of the entity. However, in some cases this can be different because of entities have migrated their unique identifier to NSX Policy intent objects later in the timeline and did not use unique_id for realization. Realization id is helpful for users to debug data path to correlate the configuration with corresponding intent.

NSX API Guide

Table of Contents

Introduction

API Data Types and Allowed Ranges

Formats

Request Failures

Request Authentication

HTTP Basic Authentication

Session-Based Authentication

Authentication using an X.509 certificate and a Principal Identity

Authentication in VMware Cloud on AWS (VMC)

API Pagination

Example Requests and Responses

Restrictions on Certain Fields in a Request

Collection List Pagination

Optimistic Concurrency Control and the _revision property

Overview

Exceptions for /policy APIs

PATCH and _revision for /policy APIs

PUT Operations

API Rate Limiting

Designing API client code to work gracefully with rate limits

OpenAPI Specification of NSX APIs

Get infra segment cross site traffic statistics (Deprecated)

Get segment cross site traffic statistics (Deprecated)

Get L2 forwarder remote mac addresses (Experimental)

Get L2 forwarder statistics (Experimental)

Get L2 forwarder status (Experimental) (Deprecated)

Get inter-site BGP summary of edge node (Deprecated)