I have the below scenario:
- Data Center A & Data Center B
- Data Center A - NSX Manager & vCenter
- Data Center B - NSX Manager & vCenter
No Cross vCenter
In DC B I have a Security Group A which is configured for Dynamic Membership using VM name match.
So VMs are dynamically assigned to this particular security group based on VM name match, and based on this the firewall policies are defined.
In DC A, I have IPSet A which should have the IP addresses of the VMs which are part of Security Group A.
For this I am using PowerShell + PowerNSX scripting to extract the IP addresses from Security Group A & import them into IP Set A.
Question:
1. If the security group is empty with no VM, it cannot extract the IP address & in that case how will it write to the IP set? Can an IP set exist without an IP address?
2. Is it possible to create an IP Set with no IP set?
If Cross-vCenter with Universal Security Groups is not possible, then it may be difficult to update the SG on DC-A because vCenter DC-A does not know about vCenter DC-B objects. The IP address field is mandatory, as in this link, whether global IP Set or Universal IP Set:
http://vcrooky.com/2017/07/nsx-configure-universal-ip-sets/
Does the script need to create an IP Set from scratch, or can it append to an existing IP Set? If possible, then an unused /32 IP address could be added statically just to create it, and merged with the IP addresses coming from SG A dynamically populated by VM names on DC-B.
There are some quirks around IP Sets.
What I normally recommend for my customers to do in this case is to use a placeholder address in each of the IP Sets where you potentially need an "empty" IP Set. This way you can remove all your "real" addresses and just be left with your placeholder address. Just make sure that the placeholder address is not accessible/routable on your network.
Dale
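Added example (my own script, not the one the original poster or Dale is describing): it reads the effective IP addresses of Security Group A from the DC B NSX Manager, then reconciles IP Set A in DC A against that list while always keeping a placeholder entry, so the set is never empty and the script does not fail when the group has no VMs. It needs PowerCLI and PowerNSX. The vCenter hostnames are placeholders, the placeholder address is from the RFC 5737 documentation range (never routed), and the `-DefaultConnection` / `-Connection` parameters and the `IpAddress` property on the effective-address output are assumptions about PowerNSX that should be checked against your installed version.

```powershell
# Added example, not the thread's script: sync the effective IPs of a security group in
# DC B into an IP Set in DC A, keeping a non-routable placeholder so the set is never empty.
# Hostnames are placeholders; -DefaultConnection/-Connection and the IpAddress property
# name are assumptions about PowerNSX to verify on your version.
param(
    [string]$SourceVcenter     = 'vcenter-dcb.example.internal',   # placeholder, DC B
    [string]$TargetVcenter     = 'vcenter-dca.example.internal',   # placeholder, DC A
    [string]$SecurityGroupName = 'Security Group A',
    [string]$IpSetName         = 'IPSet A',
    [string]$Placeholder       = '192.0.2.1/32'   # RFC 5737 TEST-NET-1: never routed
)

function Get-DesiredIpSetMembers {
    # Desired membership = placeholder + every real address, deduplicated, blanks dropped.
    param([string[]]$RealAddresses, [string]$Placeholder)
    $desired = [System.Collections.Generic.List[string]]::new()
    $desired.Add($Placeholder)
    foreach ($ip in $RealAddresses) {
        if (-not [string]::IsNullOrWhiteSpace($ip) -and -not $desired.Contains($ip)) {
            $desired.Add($ip)
        }
    }
    return ,$desired.ToArray()
}

function Get-IpSetDelta {
    # Adds/removes needed to move the IP Set from $Current to $Desired. Because the
    # placeholder is always in $Desired, an empty group only ever leaves it behind.
    param([string[]]$Current, [string[]]$Desired)
    [pscustomobject]@{
        Add    = @($Desired | Where-Object { $Current -notcontains $_ })
        Remove = @($Current | Where-Object { $Desired -notcontains $_ })
    }
}

# 1. Read the group's effective IPs from DC B (NSX Manager is discovered via vCenter).
$src = Connect-NsxServer -vCenterServer $SourceVcenter -DefaultConnection:$false
$sg  = Get-NsxSecurityGroup -Name $SecurityGroupName -Connection $src
if (-not $sg) { throw "Security group '$SecurityGroupName' not found in DC B" }
$realIps = @(Get-NsxSecurityGroupEffectiveIpAddress -SecurityGroup $sg -Connection $src |
             ForEach-Object { $_.IpAddress })   # assumed property name
$desired = Get-DesiredIpSetMembers -RealAddresses $realIps -Placeholder $Placeholder

# 2. Reconcile the IP Set in DC A. 'value' is the comma-separated member list NSX stores.
$dst   = Connect-NsxServer -vCenterServer $TargetVcenter -DefaultConnection:$false
$ipSet = Get-NsxIpSet -Name $IpSetName -Connection $dst
if (-not $ipSet) {
    # Creating the set with only the placeholder satisfies the mandatory address field.
    $ipSet = New-NsxIpSet -Name $IpSetName -IPAddresses $Placeholder -Connection $dst
}
$current = @(($ipSet.value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$delta   = Get-IpSetDelta -Current $current -Desired $desired
if ($delta.Add.Count)    { $ipSet = $ipSet | Add-NsxIpSetMember    -IPAddress $delta.Add    -Connection $dst }
if ($delta.Remove.Count) { $ipSet = $ipSet | Remove-NsxIpSetMember -IPAddress $delta.Remove -Connection $dst }

Write-Host ("{0}: {1} real address(es) from '{2}', +{3} / -{4}" -f `
    $IpSetName, $realIps.Count, $SecurityGroupName, $delta.Add.Count, $delta.Remove.Count)
```

The two helper functions are deliberately pure so they can be unit-tested without an NSX connection; the reconcile step adds and removes only the difference rather than rewriting the whole set, which keeps rules that reference the IP Set stable during the update. Run it from a scheduled task at whatever interval the DC A firewall policy can tolerate, and, as Dale says, pick a placeholder that your network will never route so a rule matching only the placeholder matches no real traffic.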
Rajeevsrikant,
I am working through this same exact scenario. Would you be able to share your code for "PowerShell + PowerNSX scripting to extract the IP addresses from Security Group A & import them into IP Set A"?
I would be modifying this to work on a large number of IP Sets and would be happy to share this back when I am completed.