Barracuda Load Balancer- Powershell

Working on my Powershell skills, I was playing around with a Barracuda Load Balancer and noticed it supports some APIs, which is kind of cool. At first I was playing around with it in Postman and got to log in and put some servers in maintenance mode, but then I thought it would be really neat if I could get this working in Powershell. That way us humans can just run a script, and, thinking about the “future”, maybe have some automated process (a.k.a. AI) handle this for us. 😉 So in this post I’ll talk about the script I created and some of the small challenges I had with it. Overall, it was kind of neat putting this together.

TLDR: Here is the script if you don’t want to read:

# Barracuda Load Balancer Powershell Script
# Minimum version of Powershell is 6.0.4 – Can download stable releases @ https://github.com/PowerShell/PowerShell
# Puts servers in Maintenance, Disable or Enable status
# Put the URI API of the LB (example: "https://192.168.1.5/restapi/v2")
$uri = ""
# Put the group name, usually it's "default" unless you have something different
$groupname = "default"
# Put the service name you would like to modify, you can find this in the LB going to BASIC->Services
$servicename = ""
# Put the server you would like to modify, you can find the names of the servers under BASIC->Services
# You can add additional servers to this list if you want to modify multiple servers at once, add additional variables
$realserver1 = ""
$realserver2 = ""
# What status would you change the servers in the LB to? Valid values are enable, disable, or maintenance. Values are lower-case sensitive
$status = "enable"
# Login into Barracuda: you will get a prompt to login, currently only local accounts work for API.
$credential = Get-Credential -Message "Please type a username and password to login into the Barracuda LB"
$password = $credential.GetNetworkCredential().password
$username = $credential.GetNetworkCredential().username
# POST Request to Login into Barracuda
$authUrl_Body = @{
    password = $password
    username = $username
}
# Convert this request into JSON and call it $jsonauth_Body
$jsonauth_Body = $authUrl_Body | ConvertTo-Json
# Grab the token and keep note of it; it is used to log in to the Barracuda from now on
# Note: -SkipCertificateCheck turns off TLS certificate validation for the request
$auth = Invoke-RestMethod -Uri "$uri/login" -ContentType "application/json" -Method POST -Body $jsonauth_Body -SkipCertificateCheck
$authtoken = $auth.token
# Barracuda takes the token as the username, with no password required, so put the token into a PSCredential with an empty password
$lbcred = New-Object System.Management.Automation.PSCredential ("$authtoken", (New-Object System.Security.SecureString))
# PUT Request to put a server into Maintenance, Enable, or Disable
$statusURL_Body = @{
    status = $status
}
# Convert this request into JSON and call it $jsonstatus_Body
$jsonstatus_Body = $statusURL_Body | ConvertTo-Json
# Put $realserver1 into $status "status"
Invoke-RestMethod -Uri "$uri/virtual_service_groups/$groupname/virtual_services/$servicename/servers/$realserver1" -Credential $lbcred -Authentication Basic -ContentType "application/json" -Method PUT -Body $jsonstatus_Body -SkipCertificateCheck | ConvertTo-Json
# Put $realserver2 into $status "status"
Invoke-RestMethod -Uri "$uri/virtual_service_groups/$groupname/virtual_services/$servicename/servers/$realserver2" -Credential $lbcred -Authentication Basic -ContentType "application/json" -Method PUT -Body $jsonstatus_Body -SkipCertificateCheck | ConvertTo-Json
# If you have additional servers copy the command above and replace it with a different variable

The first thing I was stuck on was the way Barracuda uses the API token. I was able to have the load balancer give me the token, but Powershell also wanted a password with that API token. Barracuda only uses the username field, which carries the token, to log in. So I needed to configure Powershell to null the password when logging in with the API token. A quick search on the web led me to create the $lbcred variable.

Another small gotcha: when using the default version of Powershell on Windows 10, I was having a problem with the login, and I really didn’t want to create a curl header or anything like that. I also wanted to keep the username and password out of the script. When you run the script, it asks for the username and password and uses them while the script is running; I thought that would be easier. While researching this, I learned something I didn’t actually know: there are updated versions of Powershell available on GitHub, and they work on different operating systems besides Windows. So that’s pretty cool, and it also tells you how much I pay attention to Powershell :).

When looking at the release notes for Powershell 6.0.4, I saw they made some modifications to the -Authentication switch of the Invoke-RestMethod command, so I downloaded Powershell 6.0.4 and then found it does not work with Powershell ISE. 😦

ISE is what I have been using, so I now needed to download Visual Studio Code, which is a free download, and install the Powershell extension so that I could run the script within that program. Again, this just goes to show you how much I know about this stuff. After all of that, I was able to log in to the load balancer using the API token!

For the last command, I just needed a JSON body to tell the load balancer what I wanted to do with the servers: I could put them in maintenance, enable or disable status. If I had more than one server in the load balancer, I just copied the command again and used a different variable for each server. After that, I was able to put servers in a different status via Powershell!
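
The same login and status-change flow wrapped in a function, as an added example that is not the author's own code: it restricts the status to the three valid values, takes a list of servers instead of one variable per server, requires an HTTPS URI, and makes -SkipCertificateCheck opt-in. The function name and parameter names are hypothetical; the endpoints, login body and token-as-username scheme are the ones used in the script above.

```powershell
# Added example, not the original script. Requires PowerShell 6.0.4 or later.
# Set-LbServerStatus and its parameter names are hypothetical.
function Set-LbServerStatus {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidatePattern('^https://')][string]$Uri,
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string[]]$Server,
        [Parameter(Mandatory)][ValidateSet('enable', 'disable', 'maintenance')][string]$Status,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$GroupName = 'default',
        # Opt-in only: turns off TLS certificate validation for every request
        [switch]$SkipCertificateCheck
    )
    $base = $Uri.TrimEnd('/')
    $common = @{ ContentType = 'application/json'; SkipCertificateCheck = $SkipCertificateCheck.IsPresent; ErrorAction = 'Stop' }

    # Log in with the local account and read the token from the response
    $net = $Credential.GetNetworkCredential()
    $loginBody = @{ username = $net.UserName; password = $net.Password } | ConvertTo-Json
    $token = (Invoke-RestMethod @common -Uri "$base/login" -Method Post -Body $loginBody).token
    if (-not $token) { throw "Login to $base returned no token" }

    # The token is the Basic-auth username; the password is an empty SecureString
    $lbCred = [pscredential]::new([string]$token, [System.Security.SecureString]::new())
    # ValidateSet ignores case, but the API wants lower-case values
    $statusBody = @{ status = $Status.ToLowerInvariant() } | ConvertTo-Json

    foreach ($name in $Server) {
        # URL-encode each path segment so a name with spaces or slashes cannot change the path
        $seg = $GroupName, $ServiceName, $name | ForEach-Object { [uri]::EscapeDataString($_) }
        $target = "$base/virtual_service_groups/$($seg[0])/virtual_services/$($seg[1])/servers/$($seg[2])"
        if (-not $PSCmdlet.ShouldProcess($target, "set status '$Status'")) { continue }
        try {
            $response = Invoke-RestMethod @common -Uri $target -Method Put -Body $statusBody -Credential $lbCred -Authentication Basic
            [pscustomobject]@{ Server = $name; Ok = $true; Detail = $response }
        }
        catch {
            # Record the failure and carry on with the remaining servers
            [pscustomobject]@{ Server = $name; Ok = $false; Detail = $_.Exception.Message }
        }
    }
}

# Constructed usage (service and server names are made up); -WhatIf lists the targets without changing them
# Set-LbServerStatus -Uri 'https://192.168.1.5/restapi/v2' -ServiceName 'web' -Server 'srv1','srv2' -Status maintenance -Credential (Get-Credential) -WhatIf
```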

6 thoughts on “Barracuda Load Balancer- Powershell”

  1. Congrats! This almost works.

    Invoke-RestMethod : A parameter cannot be found that matches parameter name ‘SkipCertificateCheck’.
    At C:\curltest.ps1:27 char:111
    + … $jsonauth_Body -SkipCertificateCheck
    + ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Invoke-RestMethod], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

    Invoke-WebRequest : A parameter cannot be found that matches parameter name ‘Authentication’.
    At C:\curltest.ps1:38 char:123
    + … ential $lbcred -Authentication Basic -ContentType “application/json” -Method PUT …
    + ~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Invoke-WebRequest], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.InvokeWebRequestCommand


    1. Hey Jeremy,

      For that Invoke-RestMethod to work with the -SkipCertificateCheck switch you need to at least have Powershell 6.0.0.

      https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod?view=powershell-6

      For this script to work you need to have Powershell 6.0.4 at least because of the -Authentication switch. Microsoft made some modifications to it and this script uses those modifications. So use Powershell 6.0.4 or above.

      Ryan


  2. Ryan, I updated to PowerShell 6.1.2 and ran the script again. That did fix the username/password issue, but I’m still getting an error. Also, how would we run this if we wanted the username and password to be kept in the script? My boss wants it fully automated with no user intervention.

    Invoke-RestMethod : The cmdlet cannot protect plain text secrets sent over unenc
    rypted connections. To suppress this warning and send plain text secrets over un
    encrypted networks, reissue the command specifying the AllowUnencryptedAuthentic
    ation parameter.
    At C:\curltest.ps1:38 char:1
    + Invoke-RestMethod -Uri “$uri/virtual_service_groups/$groupname/virtua …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (Microsoft.Power…stMethodCommand:In
    vokeRestMethodCommand) [Invoke-RestMethod], ValidationMetadataException
    + FullyQualifiedErrorId : WebCmdletAllowUnencryptedAuthenticationRequiredExcepti
    on,Microsoft.PowerShell.Commands.InvokeRestMethodCommand


    1. Jeremy,
      That error tells me that you are connecting over HTTP instead of HTTPS. I would use HTTPS when doing anything that involves passwords, and really anything nowadays.

      If you read the error message, it tells you what you need to do if you want to use HTTP: add the -AllowUnencryptedAuthentication to the Invoke-RestMethod.

      There are multiple ways to put the username and password in the script; a common way is to create a key file and a password file. A search engine is your friend 🙂

      The reason I did not use it in this script is I didn’t have a good place to store the password or key file securely. By having the username and password prompt it also gives you time to cancel the script in case you run it by accident…

      Ryan


  3. I also already generated a token, so that part isn’t necessary for the script to generate if there is a way to incorporate the token into a field.
