Workflow
Alkira Cloud Network as a Service - Modular Automations
Overview
The integration of Itential and the Alkira - Cloud Network as a Service solution enables network teams to utilize its REST API to build automations that can include common tasks for hybrid and multi-cloud deployments. This is a library of related automations that can be used as modular components in your own larger, end-to-end workflows.
Workflows
| Name | Overview |
|---|---|
| Create AWS VPC Connector - Alkira | Creates AWS VPC connector over Alkira Cloud Network as a Service. |
| Create Azure VNet Connector - Alkira | Creates Azure VNet connector over Alkira Cloud Network as a Service. |
| Create Internet Connector - Alkira | Creates Internet connector over Alkira Cloud Network as a Service. |
| Create IPSec Connector - Alkira | Creates IPSec connector over Alkira Cloud Network as a Service. |
| Get ID for Segment - Alkira | Get ID for segment in Alkira Cloud Network as a Service. |
| Provision Palo Alto Firewall - Alkira | Provisions Palo Alto Firewall over Alkira Cloud Network as a Service. |
For further technical details on how to install and use this Workflow Project, please click the Technical Documentation tab.
Table of Contents
Getting Started
This section is helpful for deployments as it provides you with pertinent information on prerequisites and properties.
Helpful Background Information
Workflows often include logic that varies from business to business. As a result, we often find that our Workflow Projects are more useful as modular components that can be incorporated into a larger process. In addition, they often can add value as a learning tool on how we integrate with other systems and how we do things within the Itential Automation Platform.
While these can be utilized, you may find more value in using them as a starting point to build around.
Prerequisites
Itential Workflow Projects are built and tested on particular versions of IAP. In addition, Workflow Projects are often dependent on external systems and as such, these Workflow Projects will have dependencies on these other systems. This version of Alkira - Cloud Network as a Service has been tested with:
- IAP 2023.1
External Dependencies
| Name | OS Version | API Version |
|---|---|---|
| Alkira | v1 |
Adapters
| Name | Version | Configuration Notes |
|---|---|---|
| adapter-alkira | ^0.1.7 |
How to Install
To install the Workflow Project:
- Verify you are running a supported version of the Itential Automation Platform (IAP) as listed above in the Supported IAP Versions section in order to install the Example Project.
- Import the Example Project in Admin Essentials.
Testing
Cypress is generally used to test all Itential Example Projects. While Cypress is an opensource tool, at Itential we have internal libraries that have been built around Cypress to allow us to test with a deployed IAP.
When certifying our Example Projects for a release of IAP we run these tests against the particular version of IAP and create a release branch in GitLab. If you do not see the Example Project available in your version of IAP please contact Itential.
While Itential tests this Example Project and its capabilities, it is often the case the customer environments offer their own unique circumstances. Therefore, it is our recommendation that you deploy this Example Project into a development/testing environment in which you can test the Example Project.
Using this Workflow Project
Workflow Projects contain 1 or more workflows. Each of these workflows have different inputs and outputs.
Create AWS VPC Connector - Alkira
Creates AWS VPC connector over Alkira Cloud Network as a Service.
Capabilities include:
- Creates AWS VPC connector on Alkira Network as a Service
Entry Point IAP Component
The primary IAP component to run Create AWS VPC Connector - Alkira is listed below:
| IAP Component Name | IAP Component Type | Create AWS VPC Connector - Alkira | Workflow |
|---|
Inputs
The following table lists the inputs for Create AWS VPC Connector - Alkira:
| Name | Type | Required | Description | Example Value |
|---|---|---|---|---|
| vpcId | string | yes | The id of the VPC | vpc-05cbeb1e27dbba348 |
| credentialId | string | yes | An opaque identifier generated when storing AWS VPC credentials | 42eba4a1-2a48-45b4-9479-1adae140e130 |
| vpcOwnerId | string | yes | The ownerId of the VPC | 462676810652 |
| connectorName | string | yes | Name of connector to create | ConnectorName |
| cxp | string | yes | The name of the CXP. A network is usually associated with one or more CXPs. A connector can be placed on any CXP that is associated with the network. Valid values are 'US-WEST', 'US-EAST', 'US-WEST-1', 'US-EAST-2', 'EU-WEST-1', 'EU-WEST-2', 'AP-SOUTH-1', 'EU-CENTRAL', 'AP-NORTHEAST', 'AP-SOUTHEAST', 'AP-NORTHEAST-2', 'AP-SOUTHEAST-1', 'USEAST-AZURE-2', 'USCENTRAL-AZURE-3' | US-EAST |
| customerRegion | string | yes | The name of the AWS region associated with the VPC | us-east-1 |
| customerName | string | yes | The name of the customer that owns the VPC | Customer |
| size | string | yes | The size of the AWS VPC connector. Can be 'SMALL', 'MEDIUM', 'LARGE', '2LARGE' | SMALL |
| group | string | yes | Name of group to add this connection to | PROD-AWS |
| segmentName | string | yes | Name of segment to associate with the connector | CORP |
| tenantNetworkId | number | yes | The id of the tenant network | 170 |
| enabled | boolean | yes | Flag to enable/disable the connector | true |
| directInterVPCCommunicationEnabled | boolean | yes | Setting directInterVPCCommunicationEnabled to true enables direct communication to/from the VPC associated with this connector to other customer VPCs instead of the communication being routed via the CXP. A connector which is created with this flag set to true cannot be later switched to false and vice versa. The only option is to first delete the connector, provision and then add the connector back. When directInterVPCCommunicationEnabled is set to true, the connector may not be used with any NAT Policy, Traffic Policy, Segment Resource or Internet Application. | false |
| adapterId | string | yes | Name of the adapter to use to send commands to Alkira | alkira |
Outputs
The following table lists the outputs for Create AWS VPC Connector - Alkira:
| Name | Type | Description | Example Value |
|---|---|---|---|
| createdAWSVPCConnectorResult | object | Result of AWS VPC connector created successfully | {
"icode": "AD.201",
"response": {
"id": 11374,
"name": "ConnectorTest2",
"cxp": "US-EAST",
"segments": [
"CORP"
],
"vpcId": "vpc-0af55e16b6e371902",
"vpcOwnerId": "462676810652",
"customerName": "Customer",
"customerRegion": "us-east-1",
"credentialId": "42eba4a1-2a48-45b4-9479-1adae140e130",
"group": "PROD-AWS",
"groupId": 16766,
"implicitGroupId": 23386,
"billingTags": [],
"size": "SMALL",
"vpcRouting": {
"exportToCXPOptions": {
"userInputPrefixes": [
{
"id": null,
"value": "10.0.0.0/24",
"type": "CIDR"
}
],
"routeExportMode": "USER_INPUT_PREFIXES",
"selectedCidrPrefixes": [
"10.0.0.0/24"
],
"selectedSubnetPrefixes": [],
"selectedSubnetIds": []
},
"importFromCXPOptions": {
"routeTables": [
{
"id": "rtb-0d4d1c975c3f30312",
"prefixListIds": [],
"routeImportMode": "ADVERTISE_DEFAULT_ROUTE"
}
]
}
},
"enabled": true,
"primary": true,
"directInterVPCCommunicationEnabled": false,
"configStatus": {
"configValid": true,
"messages": []
}
}
} |
| alkiraError | object | Result of error when attempting to create an AWS VPC connector | {
"icode": "AD.500",
"IAPerror": {
"origin": "Alkira-connectorRest-handleEndResponse",
"displayString": "Error 400 received on request",
"recommendation": "Verify the request is accurate via debug logs and postman",
"code": 400
},
"response": {
"code": "AK000002",
"id": "ALK-b125b35f-98f1-41ed-b51f-f08f839d90d7",
"timestamp": 1691434299503,
"message": "The vpc ID 'vpc-05cbeb1e27dbba348' does not exist, context : [credentialId=42eba4a1-2a48-45b4-9479-1adae140e130, vpcId=vpc-05cbeb1e27dbba348]"
}
} |
Query Output
The following items show how to query successful results from the output of Create AWS VPC Connector - Alkira:
VPC Connector ID
createdAWSVPCConnectorResult.response.id
The following items show how to query failure results from the output of Create AWS VPC Connector - Alkira:
Alkira Error Message
alkiraError.response.message
Example Inputs and Outputs
Example 1
Input:
{
"adapterId": "alkira",
"vpcId": "vpc-05cbeb1e27dbba348",
"credentialId": "42eba4a1-2a48-45b4-9479-1adae140e130",
"vpcOwnerId": "462676810652",
"connectorName": "ConnectorTest1",
"cxp": "US-EAST-1",
"customerRegion": "us-west-1",
"customerName": "Customer",
"size": "SMALL",
"group": "PROD-AWS",
"segmentName": "CORP",
"tenantNetworkId": 170,
"enabled": true,
"directInterVPCCommunicationEnabled": false
} Output:
{
"createdAWSVPCConnectorResult": {
"icode": "AD.201",
"response": {
"id": 11374,
"name": "ConnectorTest2",
"cxp": "US-EAST",
"segments": [
"CORP"
],
"vpcId": "vpc-0af55e16b6e371902",
"vpcOwnerId": "462676810652",
"customerName": "Customer",
"customerRegion": "us-east-1",
"credentialId": "42eba4a1-2a48-45b4-9479-1adae140e130",
"group": "PROD-AWS",
"groupId": 16766,
"implicitGroupId": 23386,
"billingTags": [],
"size": "SMALL",
"vpcRouting": {
"exportToCXPOptions": {
"userInputPrefixes": [
{
"id": null,
"value": "10.0.0.0/24",
"type": "CIDR"
}
],
"routeExportMode": "USER_INPUT_PREFIXES",
"selectedCidrPrefixes": [
"10.0.0.0/24"
],
"selectedSubnetPrefixes": [],
"selectedSubnetIds": []
},
"importFromCXPOptions": {
"routeTables": [
{
"id": "rtb-0d4d1c975c3f30312",
"prefixListIds": [],
"routeImportMode": "ADVERTISE_DEFAULT_ROUTE"
}
]
}
},
"enabled": true,
"primary": true,
"directInterVPCCommunicationEnabled": false,
"configStatus": {
"configValid": true,
"messages": []
}
}
}
} API Links
| API Name | API Documentation Link | API Link Visibility |
|---|---|---|
| Create AWS VPC Connector | https://{instance_name}.portal.alkira.com/doc/api.html#operation/createAWSVPCConnector | Private |
Create Azure VNet Connector - Alkira
Creates Azure VNet connector over Alkira Cloud Network as a Service.
Capabilities include:
- Creates Azure VNet connector on Alkira Network as a Service
Entry Point IAP Component
The primary IAP component to run Create Azure VNet Connector - Alkira is listed below:
| IAP Component Name | IAP Component Type | Create Azure VNet Connector - Alkira | Workflow |
|---|
Inputs
The following table lists the inputs for Create Azure VNet Connector - Alkira:
| Name | Type | Required | Description | Example Value |
|---|---|---|---|---|
| segmentName | string | yes | Name of segment to associate with the connector | CORP |
| credentialId | string | yes | An opaque identifier generated when storing AWS VPC credentials | a39a474b-34f4-41b3-b684-95fd6024b2a9 |
| connectorName | string | yes | Name of connector to create | ConnectorName |
| cxp | string | yes | The name of the CXP. A network is usually associated with one or more CXPs. A connector can be placed on any CXP that is associated with the network. Valid values are 'US-WEST', 'US-EAST', 'US-WEST-1', 'US-EAST-2', 'EU-WEST-1', 'EU-WEST-2', 'AP-SOUTH-1', 'EU-CENTRAL', 'AP-NORTHEAST', 'AP-SOUTHEAST', 'AP-NORTHEAST-2', 'AP-SOUTHEAST-1', 'USEAST-AZURE-2', 'USCENTRAL-AZURE-3' | US-EAST |
| customerRegion | string | yes | The name of the AWS region associated with the VPC | west-us |
| size | string | yes | The size of the AWS VPC connector. Can be The size of the AWS VPC connector. Can be 'SMALL', 'MEDIUM', 'LARGE', '2LARGE' | SMALL |
| vnetId | string | yes | The id of the VNET | /subscriptions/subscriptionId/resourceGroups/resourcegroup/providers/Microsoft.Network/virtualNetworks/vnet1 |
| resourceGroupName | string | yes | The resource group that the VNET belongs to | resourcegroup |
| subscriptionId | string | yes | Subscription Id of the application | 34211a125-c6e3-2015-bc4e-84dbb14128f9 |
| group | string | yes | Name of group to add this connection to | PROD_AZURE |
| tenantNetworkId | number | yes | The id of the tenant network | 170 |
| enabled | boolean | yes | Flag to enable/disable the connector | true |
| alkiraId | string | yes | Name of Alkira adapter to use | alkira |
Outputs
The following table lists the outputs for Create Azure VNet Connector - Alkira:
| Name | Type | Description | Example Value |
|---|---|---|---|
| createdAzureVNETConnectorResult | object | Result of Azure VNet connector created successfully | {
"icode": "AD.201",
"response": {
"id": 11378,
"gatewaySubnetPrefix": "10.12.1.0/27",
"name": "TestAzure2",
"group": "PROD_AZURE",
"groupId": 17663,
"implicitGroupId": 23390,
"vnetId": "/subscriptions/34211a125-c6e3-2015-bc4e-84dbb14128f9/resourceGroups/itential-poc-resourcegroup/providers/Microsoft.Network/virtualNetworks/itential-poc-vnet1",
"cxp": "US-EAST",
"customerRegion": "westus",
"credentialId": "a39a474b-34f4-41b3-b684-95fd6024b2a9",
"resourceGroupName": "itential-poc-resourcegroup",
"enabled": true,
"primary": true,
"deploymentMode": "VGW",
"connectionMode": "VNET_GATEWAY",
"segments": [
"CORP"
],
"billingTags": [],
"size": "SMALL",
"vnetRouting": {
"exportToCXPOptions": {
"userInputPrefixes": null
},
"importFromCXPOptions": {
"prefixListIds": [],
"routeImportMode": "ADVERTISE_DEFAULT_ROUTE",
"cidrs": null,
"subnets": null
},
"serviceRoutes": {
"cidrs": null,
"subnets": null
}
},
"subscriptionId": "34211a125-c6e3-2015-bc4e-84dbb14128f9",
"configStatus": {
"configValid": true,
"messages": []
},
"vgwdeployment": true
}
} |
| alkiraError | object | Result of error when attempting to create an Azure VNet connector | {
"icode": "AD.500",
"IAPerror": {
"origin": "Alkira-connectorRest-handleEndResponse",
"displayString": "Error 400 received on request",
"recommendation": "Verify the request is accurate via debug logs and postman",
"code": 400
},
"response": {
"code": "AK000001",
"id": "ALK-8fb5e79e-c35b-4bcd-aed9-cc76345ca94d",
"timestamp": 1691419213448,
"message": "Validation failed",
"errors": [
{
"field": "vnetId",
"code": "constraint.exists",
"message": "An Azure VNET with the vnetId : /subscriptions/34211a125-c6e3-2015-bc4e-84dbb14128f9/resourceGroups/itential-poc-resourcegroup/providers/Microsoft.Network/virtualNetworks/itential-poc-vnet1 already exists in the tenant network",
"metadata": {}
}
]
}
} |
Query Output
The following items show how to query successful results from the output of Create Azure VNet Connector - Alkira:
Created Azure VNet ID
createdAzureVNETConnectorResult.response.id
The following items show how to query failure results from the output of Create Azure VNet Connector - Alkira:
Alkira Error Message
alkiraError.response.errors[0].message
Example Inputs and Outputs
Example 1
Input:
{
"adapterId": "alkira",
"segmentName": "CORP",
"credentialId": "a39a474b-34f4-41b3-b684-95fd6024b2a9",
"connectorName": "TestAzure2",
"cxp": "US-EAST",
"customerRegion": "westus",
"size": "SMALL",
"vnetId": "/subscriptions/34211a125-c6e3-2015-bc4e-84dbb14128f9/resourceGroups/itential-poc-resourcegroup/providers/Microsoft.Network/virtualNetworks/itential-poc-vnet1",
"resourceGroupName": "itential-poc-resourcegroup",
"subscriptionId": "34211a125-c6e3-2015-bc4e-84dbb14128f9",
"group": "PROD_AZURE",
"tenantNetworkId": 170,
"enabled": true
} Output:
{
"createdAzureVNETConnectorResult": {
"icode": "AD.201",
"response": {
"id": 11378,
"gatewaySubnetPrefix": "10.12.1.0/27",
"name": "TestAzure2",
"group": "PROD_AZURE",
"groupId": 17663,
"implicitGroupId": 23390,
"vnetId": "/subscriptions/34211a125-c6e3-2015-bc4e-84dbb14128f9/resourceGroups/itential-poc-resourcegroup/providers/Microsoft.Network/virtualNetworks/itential-poc-vnet1",
"cxp": "US-EAST",
"customerRegion": "westus",
"credentialId": "a39a474b-34f4-41b3-b684-95fd6024b2a9",
"resourceGroupName": "itential-poc-resourcegroup",
"enabled": true,
"primary": true,
"deploymentMode": "VGW",
"connectionMode": "VNET_GATEWAY",
"segments": [
"CORP"
],
"billingTags": [],
"size": "SMALL",
"vnetRouting": {
"exportToCXPOptions": {
"userInputPrefixes": null
},
"importFromCXPOptions": {
"prefixListIds": [],
"routeImportMode": "ADVERTISE_DEFAULT_ROUTE",
"cidrs": null,
"subnets": null
},
"serviceRoutes": {
"cidrs": null,
"subnets": null
}
},
"subscriptionId": "34211a125-c6e3-2015-bc4e-84dbb14128f9",
"configStatus": {
"configValid": true,
"messages": []
},
"vgwdeployment": true
}
}
} API Links
| API Name | API Documentation Link | API Link Visibility |
|---|---|---|
| Create Azure VNet Connector | https://{instance_name}.portal.alkira.com/doc/api.html#operation/createAzureVNETConnector | Private |
Create IPSec Connector - Alkira
Creates IPSec connector over Alkira Cloud Network as a Service.
Capabilities include:
- Creates IPSec connector on Alkira Network as a Service
Entry Point IAP Component
The primary IAP component to run Create IPSec Connector - Alkira is listed below:
| IAP Component Name | IAP Component Type | Create IPSec Connector - Alkira | Workflow |
|---|
Inputs
The following table lists the inputs for Create IPSec Connector - Alkira:
| Name | Type | Required | Description | Example Value |
|---|---|---|---|---|
| cxp | string | yes | The name of the CXP. A network is usually associated with one or more CXPs. A connector can be placed on any CXP that is associated with the network. Valid values are 'US-WEST', 'US-EAST', 'US-WEST-1', 'US-EAST-2', 'EU-WEST-1', 'EU-WEST-2', 'AP-SOUTH-1', 'EU-CENTRAL', 'AP-NORTHEAST', 'AP-SOUTHEAST', 'AP-NORTHEAST-2', 'AP-SOUTHEAST-1', 'USEAST-AZURE-2', 'USCENTRAL-AZURE-3' | US-EAST |
| connectorName | string | yes | Name of connector to create | TestConnectorName1 |
| siteName | string | yes | The name of the site/connector instance | TestConnectorName-1 |
| customerGwIp | string | yes | The IP address of the customer gateway. This should be null when gatewayIpType is DYNAMIC | 10.20.30.40 |
| presharedKeys | array | yes | An array of presharedKeys, one per tunnel. If presharedKeys are not provided then Alkira will generate random preshared key for each tunnel or if only one preshared key is provided, the same will be copied to the other tunnel | [
"abc",
"xyz"
] |
| size | string | yes | The size of the AWS VPC connector. Can be The size of the AWS VPC connector. Can be 'SMALL', 'MEDIUM', 'LARGE', '2LARGE' | SMALL |
| segmentName | string | yes | Name of segment to associate with the connector | CORP |
| segmentId | number | yes | ID of segment to associate with the connector | 2878 |
| tenantNetworkId | number | yes | The id of the tenant network | 170 |
| adapterId | string | yes | Name of the adapter to use to send commands to Alkira | alkira |
Outputs
The following table lists the outputs for Create IPSec Connector - Alkira:
| Name | Type | Description | Example Value |
|---|---|---|---|
| createdIPSecConnectorResult | object | Result of IPSec connector created successfully | {
"icode": "AD.201",
"response": {
"id": 11377,
"name": "TestConnectorName1",
"segments": [
"CORP"
],
"segmentOptions": {
"CORP": {
"segmentId": 2878,
"disableInternetExit": true,
"advertiseOnPremRoutes": false
}
},
"cxp": "US-EAST",
"group": "OnPrem",
"groupId": 20028,
"implicitGroupId": 23389,
"size": "SMALL",
"sites": [
{
"id": 3131,
"name": "TestConnectorName-1",
"connectorId": 11377,
"gatewayIpType": "STATIC",
"gatewayNo": 0,
"customerGwIp": "10.20.30.40",
"presharedKeys": [
"abc",
"xyz"
],
"state": "PENDING",
"billingTags": [],
"enableTunnelRedundancy": true,
"haMode": "ACTIVE",
"remoteAuthValueKey": "STATIC--"
}
],
"state": "PENDING",
"type": "IP_SEC",
"vpnMode": "ROUTE_BASED",
"routingOptions": {
"staticRouting": null,
"dynamicRouting": {
"customerGwAsn": "65000",
"bgpAuthKeyAlkira": null,
"availability": "IPSEC_INTERFACE_PING"
}
},
"enabled": true,
"primary": true,
"secondaryCXPs": []
}
} |
| alkiraError | object | Result of error when attempting to create an IPSec connector | {
"icode": "AD.500",
"IAPerror": {
"origin": "Alkira-connectorRest-handleEndResponse",
"displayString": "Error 404 received on request",
"recommendation": "Verify the request is accurate via debug logs and postman",
"code": 404
},
"response": {
"code": "AK000003",
"id": "ALK-011e2edd-309d-475a-8855-f882a6d5c12a",
"timestamp": 1691437709296,
"message": "tenant network with id: 250 was not found"
}
} |
Query Output
The following items show how to query successful results from the output of Create IPSec Connector - Alkira:
Created IPSec ID
createdIPSecConnectorResult.response.id
The following items show how to query failure results from the output of Create IPSec Connector - Alkira:
Alkira Error Message
alkiraError.response.message
Example Inputs and Outputs
Example 1
Input:
{
"adapterId": "alkira",
"cxp": "US-EAST",
"connectorName": "TestConnectorName",
"siteName": "TestConnectorName-1",
"customerGwIp": "10.20.30.40",
"presharedKeys": ["abc","xyz"],
"size": "SMALL",
"segmentName": "CORP",
"segmentId": 2878,
"tenantNetworkId": 170
} Output:
{
"createdIPSecConnectorResult": {
"icode": "AD.201",
"response": {
"id": 11377,
"name": "TestConnectorName1",
"segments": [
"CORP"
],
"segmentOptions": {
"CORP": {
"segmentId": 2878,
"disableInternetExit": true,
"advertiseOnPremRoutes": false
}
},
"cxp": "US-EAST",
"group": "OnPrem",
"groupId": 20028,
"implicitGroupId": 23389,
"size": "SMALL",
"sites": [
{
"id": 3131,
"name": "TestConnectorName-1",
"connectorId": 11377,
"gatewayIpType": "STATIC",
"gatewayNo": 0,
"customerGwIp": "10.20.30.40",
"presharedKeys": [
"abc",
"xyz"
],
"state": "PENDING",
"billingTags": [],
"enableTunnelRedundancy": true,
"haMode": "ACTIVE",
"remoteAuthValueKey": "STATIC--"
}
],
"state": "PENDING",
"type": "IP_SEC",
"vpnMode": "ROUTE_BASED",
"routingOptions": {
"staticRouting": null,
"dynamicRouting": {
"customerGwAsn": "65000",
"bgpAuthKeyAlkira": null,
"availability": "IPSEC_INTERFACE_PING"
}
},
"enabled": true,
"primary": true,
"secondaryCXPs": []
}
}
} API Links
| API Name | API Documentation Link | API Link Visibility |
|---|---|---|
| Create IPSec Connector | https://{instance_name}.portal.alkira.com/doc/api.html#operation/createIPSecConnector | Private |
Create Internet Connector - Alkira
Creates Internet connector over Alkira Cloud Network as a Service.
Capabilities include:
- Creates Internet connector on Alkira Network as a Service
Entry Point IAP Component
The primary IAP component to run Create Internet Connector - Alkira is listed below:
| IAP Component Name | IAP Component Type | Create Internet Connector - Alkira | Workflow |
|---|
Inputs
The following table lists the inputs for Create Internet Connector - Alkira:
| Name | Type | Required | Description | Example Value |
|---|---|---|---|---|
| tenantNetworkId | number | yes | The id of the tenant network | 170 |
| cxp | string | yes | The name of the CXP. A network is usually associated with one or more CXPs. A connector can be placed on any CXP that is associated with the network. Valid values are 'US-WEST', 'US-EAST', 'US-WEST-1', 'US-EAST-2', 'EU-WEST-1', 'EU-WEST-2', 'AP-SOUTH-1', 'EU-CENTRAL', 'AP-NORTHEAST', 'AP-SOUTHEAST', 'AP-NORTHEAST-2', 'AP-SOUTHEAST-1', 'USEAST-AZURE-2', 'USCENTRAL-AZURE-3' | US-EAST |
| connectorName | string | yes | Name of connector to create | ConnectorName |
| segment | string | yes | Name of segment to associate with the connector | CORP |
| description | string | yes | Description of connector | CORP |
| group | string | yes | Name of group to add this connection to | inet-zone |
| algorithm | string | yes | The type of algorithm to be used for traffic distribution | HASHING |
| keys | string | yes | Keys for algorithm for traffic distribution. Values are DEFAULT or SRC_IP | DEFAULT |
| adapterId | string | yes | Name of the adapter to use to send commands to Alkira | alkira |
Outputs
The following table lists the outputs for Create Internet Connector - Alkira:
| Name | Type | Description | Example Value |
|---|---|---|---|
| createdInternetConnectorResult | object | Result of Internet connector created successfully | {
"icode": "AD.201",
"response": {
"id": 11377,
"name": "TestConnectorName1",
"segments": [
"CORP"
],
"segmentOptions": {
"CORP": {
"segmentId": 2878,
"disableInternetExit": true,
"advertiseOnPremRoutes": false
}
},
"cxp": "US-EAST",
"group": "OnPrem",
"groupId": 20028,
"implicitGroupId": 23389,
"size": "SMALL",
"sites": [
{
"id": 3131,
"name": "TestConnectorName-1",
"connectorId": 11377,
"gatewayIpType": "STATIC",
"gatewayNo": 0,
"customerGwIp": "10.20.30.40",
"presharedKeys": [
"abc",
"xyz"
],
"state": "PENDING",
"billingTags": [],
"enableTunnelRedundancy": true,
"haMode": "ACTIVE",
"remoteAuthValueKey": "STATIC--"
}
],
"state": "PENDING",
"type": "IP_SEC",
"vpnMode": "ROUTE_BASED",
"routingOptions": {
"staticRouting": null,
"dynamicRouting": {
"customerGwAsn": "65000",
"bgpAuthKeyAlkira": null,
"availability": "IPSEC_INTERFACE_PING"
}
},
"enabled": true,
"primary": true,
"secondaryCXPs": []
}
} |
| alkiraError | object | Result of error when attempting to create an Internet connector | {
"icode": "AD.500",
"IAPerror": {
"origin": "Alkira-connectorRest-handleEndResponse",
"displayString": "Error 404 received on request",
"recommendation": "Verify the request is accurate via debug logs and postman",
"code": 404
},
"response": {
"code": "AK000003",
"id": "ALK-805e39bd-6465-4a62-92bf-6744e23f3e9d",
"timestamp": 1691437223595,
"message": "tenant network with id: 230 was not found"
}
} |
Query Output
The following items show how to query successful results from the output of Create Internet Connector - Alkira:
Created Internet ID
createdInternetConnectorResult.response.id
The following items show how to query failure results from the output of Create Internet Connector - Alkira:
Alkira Error Message
alkiraError.response.message
Example Inputs and Outputs
Example 1
Input:
{
"adapterId": "alkira",
"tenantNetworkId": 170,
"cxp": "US-EAST",
"connectorName": "TestConnectorName2",
"segment": "CORP",
"description": "Internet Connector",
"group": "inet-zone",
"algorithm": "HASHING",
"keys": "DEFAULT"
} Output:
{
"createdInternetConnectorResult": {
"icode": "AD.201",
"response": {
"id": 11375,
"name": "TestConnectorName2",
"description": "Internet Connector",
"group": "inet-zone",
"groupId": 20501,
"implicitGroupId": 23387,
"cxp": "US-EAST",
"segments": [
"CORP"
],
"billingTags": [],
"size": "SMALL",
"trafficDistribution": {
"algorithm": "HASHING",
"algorithmAttributes": {
"keys": "DEFAULT"
}
},
"numOfPublicIPs": 2,
"enabled": true
}
}
} API Links
| API Name | API Documentation Link | API Link Visibility |
|---|---|---|
| Create Internet Connector | https://{instance_name}.portal.alkira.com/doc/api.html#operation/createInternetConnector | Private |
Get ID for Segment - Alkira
Get ID for segment in Alkira Cloud Network as a Service.
Capabilities include:
- Gets ID for segment from Alkira Network as a Service
Entry Point IAP Component
The primary IAP component to run Get ID for Segment - Alkira is listed below:
| IAP Component Name | IAP Component Type | Get ID for Segment - Alkira | Workflow |
|---|
Inputs
The following table lists the inputs for Get ID for Segment - Alkira:
| Name | Type | Required | Description | Example Value |
|---|---|---|---|---|
| segmentName | string | yes | Name of segment to associate with the connector | CORP |
| tenantNetworkId | number | yes | The id of the tenant network | 170 |
| adapterId | string | yes | Name of the adapter to use to send commands to Alkira | alkira |
Outputs
The following table lists the outputs for Get ID for Segment - Alkira:
| Name | Type | Description | Example Value |
|---|---|---|---|
| segmentId | number | Segment ID found given segment name and tenant network ID | 2878 |
| alkiraError | object | Result of error when attempting to get segment ID | {
"icode": "AD.500",
"IAPerror": {
"origin": "Alkira-connectorRest-handleEndResponse",
"displayString": "Error 404 received on request",
"recommendation": "Verify the request is accurate via debug logs and postman",
"code": 404
},
"response": {
"code": "AK000003",
"id": "ALK-c0ac71de-72ca-47ae-ab71-b9910f2d1d40",
"timestamp": 1691438388376,
"message": "tenant network with id: 280 was not found"
}
} |
Query Output
The following items show how to query successful results from the output of Get ID for Segment - Alkira:
Segment ID
segmentId
The following items show how to query failure results from the output of Get ID for Segment - Alkira:
Alkira Error Message
alkiraError.response.message
Example Inputs and Outputs
Example 1
Input:
{
"adapterId": "alkira",
"segmentName": "CORP",
"tenantNetworkId": 170
} Output:
{
"segmentId": 2878
} API Links
| API Name | API Documentation Link | API Link Visibility |
|---|---|---|
| List all Segments | https://{instance_name}.portal.alkira.com/doc/api.html#operation/getsegments | Private |
Provision Palo Alto Firewall - Alkira
Provisions Palo Alto Firewall over Alkira Cloud Network as a Service.
Capabilities include:
- Provisions Palo Alto Firewall over Alkira Cloud Network as a Service.
Entry Point IAP Component
The primary IAP component to run Provision Palo Alto Firewall - Alkira is listed below:
| IAP Component Name | IAP Component Type | Provision Palo Alto Firewall - Alkira | Workflow |
|---|
Inputs
The following table lists the inputs for Provision Palo Alto Firewall - Alkira:
| Name | Type | Required | Description | Example Value |
|---|---|---|---|---|
| tenantNetworkId | number | yes | The id of the tenant network | 170 |
| username | string | yes | Username credential for provisioning firewall | username |
| password | string | yes | Password credential for provisioning firewall | password |
| name | string | yes | The name of the service | Firewall1 |
| cxp | string | yes | The name of the CXP. A network is usually associated with one or more CXPs. A connector can be placed on any CXP that is associated with the network. Valid values are 'US-WEST', 'US-EAST', 'US-WEST-1', 'US-EAST-2', 'EU-WEST-1', 'EU-WEST-2', 'AP-SOUTH-1', 'EU-CENTRAL', 'AP-NORTHEAST', 'AP-SOUTHEAST', 'AP-NORTHEAST-2', 'AP-SOUTHEAST-1', 'USEAST-AZURE-2', 'USCENTRAL-AZURE-3' | US-EAST |
| version | string | yes | The version of PAN firewall that should be deployed | 9.1.3 |
| segmentId | number | yes | ID of segment to associate with the connector | 2878 |
| segmentName | string | yes | Name of segment to associate with the connector | CORP |
| registrationPinValue | string | yes | PAN Registration value required for automated deployments to securely access the device certificate and other Palo Alto cloud-delivered services | 2abfbad825a4233b8d1e243a07925a2c |
| registrationPinId | string | yes | PAN Registration ID required for automated deployments to securely access the device certificate and other Palo Alto cloud-delivered services | a52685ac-1fb8-4a90-b891-18cf9b461237 |
| expires | string | yes | Expiration date of PAN registration PIN | Wed Aug 09 2024 |
| panoramaEnabled | boolean | yes | This should be set to true if Panorama is enabled | true |
| size | string | yes | The size of the Palo Alto Firewall. Can be 'SMALL', 'MEDIUM', 'LARGE' | SMALL |
| licenseType | string | yes | Type of license to use, values are 'BRING_YOUR_OWN' or 'PAY_AS_YOU_GO' | PAY_AS_YOU_GO |
| bundle | string | yes | This indicates the software image bundle that would be used for PAN instance deployment. This is applicable for licenseType 'PAY_AS_YOU_GO' only. If not provided default 'PAN_VM_300_BUNDLE_2' would be used. However 'PAN_VM_300_BUNDLE_2' is legacy bundle and is no more supported on AWS. It is recommended to use 'VM_SERIES_BUNDLE_1' and 'VM_SERIES_BUNDLE_2' (supports Global Protect) | VM_SERIES_BUNDLE_1 |
| maxInstanceCount | number | yes | The maximum number of PAN instances that should be deployed when auto-scale is enabled | 1 |
| minInstanceCount | number | yes | The minimum number of PAN instances that should be deployed at any point of time. In case of Global Protect minInstanceCount should be same as maxInstanceCount as the auto-scale is not supported with Global Protect enabled | 1 |
| tunnelProtocol | string | yes | Supported tunnel protocol types, 'IPSEC' and 'GRE'. For Azure regions, only IPSEC is supported | IPSEC |
| globalProtectEnabled | boolean | yes | Indicates if global protect feature should be supported or not for the given pan service. For global protect to work bundle must be set to 'VM_SERIES_BUNDLE_2' | false |
| onPremZone | array | yes | Mapping of zone name 'on-prem-zone' to group. The groups that can be mapped to a zone MUST be of type 'EXPLICIT', 'USER_GROUP' or 'SEGMENT_RESOURCE'. To get a list of groups that can be used with zones use the Groups API. | [
"OnPrem"
] |
| prodAwsZone | array | yes | Mapping of zone name 'prod-aws-zone' to group. The groups that can be mapped to a zone MUST be of type 'EXPLICIT', 'USER_GROUP' or 'SEGMENT_RESOURCE'. To get a list of groups that can be used with zones use the Groups API. | [
"PROD-AWS"
] |
| prodAzureZone | array | yes | Mapping of zone name 'prod-azure-zone' to group. The groups that can be mapped to a zone MUST be of type 'EXPLICIT', 'USER_GROUP' or 'SEGMENT_RESOURCE'. To get a list of groups that can be used with zones use the Groups API. | [
"PROD_AZURE"
] |
| inetZone | array | yes | Mapping of zone name 'inet-zone' to group. The groups that can be mapped to a zone MUST be of type 'EXPLICIT', 'USER_GROUP' or 'SEGMENT_RESOURCE'. To get a list of groups that can be used with zones use the Groups API. | [
"INET-Connector"
] |
| adapterId | string | yes | Name of the adapter to use to send commands to Alkira | alkira |
Outputs
The following table lists the outputs for Provision Palo Alto Firewall - Alkira:
| Name | Type | Description | Example Value |
|---|---|---|---|
| panFW | object | Palo Alto Networks firewall created | {
"icode": "AD.201",
"response": {
"id": 1527,
"name": "Firewall500",
"cxp": "US-EAST",
"segments": [
2878
],
"panoramaEnabled": false,
"managementSegment": 2878,
"maxInstanceCount": 1,
"minInstanceCount": 1,
"licenseType": "PAY_AS_YOU_GO",
"version": "9.1.3",
"credentialId": "40a6186d-e691-4a81-8e1f-f4a43416af12",
"instances": [
{
"id": 1934,
"uniqueId": "c3d08fd9-2add-466b-af9c-c1cdabeb56aa",
"name": "Firewall500",
"credentialId": "96af7b91-426e-4c0e-b427-6cfa3402c846",
"dormant": false,
"hostName": "Firewall500",
"masterKeyEnabled": false,
"internalName": "svci-pan-afae0629-23fa-4f0a-85e7-432f6cc4"
}
],
"size": "SMALL",
"segmentOptions": {
"CORP": {
"segmentId": 2878,
"zonesToGroups": {
"on-prem-zone": [
"OnPrem"
],
"ALKIRA_MGMT_ZONE": [],
"prod-aws-zone": [
"PROD-AWS"
],
"prod-azure-zone": [
"PROD_AZURE"
],
"inet-zone": [
"INET-Connector"
]
}
}
},
"billingTags": [],
"tunnelProtocol": "IPSEC",
"panWarmBootEnabled": false,
"bundle": "VM_SERIES_BUNDLE_1",
"globalProtectEnabled": false,
"masterKeyEnabled": false,
"registrationCredentialId": "a52685ac-1fb8-4a90-b891-18cf9b461237",
"internalName": "svc-pan-14af6dba-bd57-4351-a322-fc13d784",
"panSubLicenseType": "MODEL_BASED"
}
} |
Query Output
The following items show how to query successful results from the output of Provision Palo Alto Firewall - Alkira:
Palo Alto Networks Firewall ID
panFW.response.id
Example Inputs and Outputs
Example 1
Input:
{
"adapterId": "alkira",
"tenantNetworkId": 170,
"username": "username",
"password": "password",
"name": "Firewall500",
"cxp": "US-EAST",
"version": "9.1.3",
"segmentId": 2878,
"segmentName": "CORP",
"registrationPinValue": "2abfbad825a4233b8d1e243a07925a2c",
"registrationPinId": "a52685ac-1fb8-4a90-b891-18cf9b461237",
"expires": "Wed Aug 09 2023",
"panoramaEnabled": false,
"size": "SMALL",
"licenseType": "PAY_AS_YOU_GO",
"bundle": "VM_SERIES_BUNDLE_1",
"maxInstanceCount": 1,
"minInstanceCount": 1,
"tunnelProtocol": "IPSEC",
"globalProtectEnabled": false,
"onPremZone": ["OnPrem"],
"prodAwsZone": ["PROD-AWS"],
"prodAzureZone": ["PROD_AZURE"],
"inetZone": ["INET-Connector"]
} Output:
{
"panFW": {
"icode": "AD.201",
"response": {
"id": 1527,
"name": "Firewall500",
"cxp": "US-EAST",
"segments": [
2878
],
"panoramaEnabled": false,
"managementSegment": 2878,
"maxInstanceCount": 1,
"minInstanceCount": 1,
"licenseType": "PAY_AS_YOU_GO",
"version": "9.1.3",
"credentialId": "40a6186d-e691-4a81-8e1f-f4a43416af12",
"instances": [
{
"id": 1934,
"uniqueId": "c3d08fd9-2add-466b-af9c-c1cdabeb56aa",
"name": "Firewall500",
"credentialId": "96af7b91-426e-4c0e-b427-6cfa3402c846",
"dormant": false,
"hostName": "Firewall500",
"masterKeyEnabled": false,
"internalName": "svci-pan-afae0629-23fa-4f0a-85e7-432f6cc4"
}
],
"size": "SMALL",
"segmentOptions": {
"CORP": {
"segmentId": 2878,
"zonesToGroups": {
"on-prem-zone": [
"OnPrem"
],
"ALKIRA_MGMT_ZONE": [],
"prod-aws-zone": [
"PROD-AWS"
],
"prod-azure-zone": [
"PROD_AZURE"
],
"inet-zone": [
"INET-Connector"
]
}
}
},
"billingTags": [],
"tunnelProtocol": "IPSEC",
"panWarmBootEnabled": false,
"bundle": "VM_SERIES_BUNDLE_1",
"globalProtectEnabled": false,
"masterKeyEnabled": false,
"registrationCredentialId": "a52685ac-1fb8-4a90-b891-18cf9b461237",
"internalName": "svc-pan-14af6dba-bd57-4351-a322-fc13d784",
"panSubLicenseType": "MODEL_BASED"
}
}
} API Links
| API Name | API Documentation Link | API Link Visibility |
|---|---|---|
| Add Palo Alto Credentials | https://{instance_name}.portal.alkira.com/doc/api.html#operation/addPANCredentialsUsingPOST | Private |
| Add Palo Alto Registration Credentials | https://{instance_name}.portal.alkira.com/doc/api.html#operation/addPANRegistrationCredentialsUsingPOST | Private |
| Add Palo Alto Instance Credentials | https://{instance_name}.portal.alkira.com/doc/api.html#operation/addPANInstanceCredentialsUsingPOST | Private |
| Create a Palo Alto Firewall Service | https://{instance_name}.portal.alkira.com/doc/api.html#operation/createPANFWService | Private |
Additional Information
Support
Please use your Itential Customer Success account if you need support when using this Workflow Project.