VMware Networking Community
rajeevsrikant
Expert

NSX - Power NSX Scripting

I have the below scenario:

- Data Center A & Data Center B
- Data Center A - NSX Manager & vCenter
- Data Center B - NSX Manager & vCenter
- No Cross vCenter

In DC B I have a Security Group A which is configured for Dynamic Membership using VMname match.

So VMs are dynamically assigned to this particular security group based on VM name match, and based on this, firewall policies are defined.

In DC A, I have IPSet A which should have the IP Address of the VMs which are part of the Security Group A.

For this I am using Power Shell + Power NSX scripting to extract the IP address from the security group A & importing it in to IP Set A.

Question:

1. If the security group is empty with no VM, it cannot extract the IP address, and in that case how will it write to the IP Set? Can an IP Set exist without an IP address?

2. Is it possible to create an IP Set with no IP set?

cnrz
Expert

If Cross-vCenter with Universal Security Groups is not possible, then it may be difficult to update the SG on DC-A because vCenter DCA does not know about vCenter DCB objects. The IP address field is mandatory, as in this link, whether global IP Set or Universal IP Set:

http://vcrooky.com/2017/07/nsx-configure-universal-ip-sets/


Does the script need to create an IP Set from scratch, or can it append to an existing IP Set? If possible, then an unused /32 IP address could be added just to create it statically, and merged with the IP addresses coming from SGA, dynamically populated by VM names on DC-B.

DaleCoghlan
VMware Employee

There are some quirks around IP Sets.

  • The UI will NOT let you create an empty IP Set.
  • The API will ALLOW you to create an empty IP Set.
  • Both the UI and API will not let you remove all entries from an existing IP Set.

What I normally recommend for my customers to do in this case is to use a placeholder address in each of the IP Sets where you potentially need an "empty" IP Set. This way you can remove all your "real" addresses and just be left with your placeholder address. Just make sure that the placeholder address is not accessible/routable on your network.


Dale

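A worked sketch of the sync script the original poster describes, applying the placeholder approach from the reply above. This is an added example, not code from the thread or from the PowerNSX project; the vCenter names, group and set names, the 192.0.2.1 placeholder, the `-DefaultConnection` handling and the exact shape of the cmdlet output (`IpAddress` property, comma-separated `value` on the IP Set) are assumptions to verify against your PowerNSX version.

```powershell
# Added example: one-way sync of DC-B Security Group membership into a DC-A IP Set,
# keeping a non-routable placeholder so the IP Set is never empty and the
# firewall rule referencing it never silently loses its object.
Import-Module PowerNSX

$Placeholder = '192.0.2.1'          # RFC 5737 TEST-NET-1: assumed non-routable in this environment
$SgName      = 'Security Group A'   # assumed name in DC B
$IpSetName   = 'IPSet A'            # assumed name in DC A

# Two NSX Managers, so hold two explicit connections instead of the module default.
$dcB = Connect-NsxServer -vCenterServer 'vcenter-dcb.example.com' -Credential (Get-Credential -Message 'DC B') -DefaultConnection:$false
$dcA = Connect-NsxServer -vCenterServer 'vcenter-dca.example.com' -Credential (Get-Credential -Message 'DC A') -DefaultConnection:$false

# 1. Effective (translated) IPs of the dynamic group in DC B. An empty group yields an empty list.
$sg      = Get-NsxSecurityGroup -Name $SgName -Connection $dcB
$desired = @($sg | Get-NsxSecurityGroupEffectiveIpAddress -Connection $dcB |
             Select-Object -ExpandProperty IpAddress)                # assumed output property
$desired = @($desired | Where-Object { $_ } | Sort-Object -Unique) + $Placeholder   # placeholder always present

# 2. First run: create the IP Set via the API path (which allows a seed entry) if it does not exist.
$ipset = Get-NsxIpSet -Name $IpSetName -Connection $dcA
if (-not $ipset) {
    New-NsxIpSet -Name $IpSetName -IPAddress $Placeholder -Connection $dcA | Out-Null
    $ipset = Get-NsxIpSet -Name $IpSetName -Connection $dcA
}

# 3. Diff current vs desired. Add before removing so the set never passes through an empty state,
#    and remove stale entries so addresses of decommissioned VMs do not stay matched by the rule.
$current  = @(($ipset.value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })   # assumed 'value' field
$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

if ($toAdd.Count)    { $ipset | Add-NsxIpSetMember    -IpAddress $toAdd    -Connection $dcA | Out-Null }
if ($toRemove.Count) { $ipset | Remove-NsxIpSetMember -IpAddress $toRemove -Connection $dcA | Out-Null }

Write-Host ("{0}: +{1} -{2}, now {3} entries including placeholder" -f $IpSetName, $toAdd.Count, $toRemove.Count, $desired.Count)
```

Run it on a schedule from a host that can reach both vCenters; because the IP Set feeds DC-A firewall policy, the removal step matters as much as the add step.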
blshirey91
VMware Employee

Rajeevsrikant,

I am working through this same exact scenario. Would you be able to share your code for "Power Shell + Power NSX scripting to extract the IP address from the security group A & importing it in to IP Set A."

I would be modifying this to work on a large number of IP Sets and would be happy to share this back when it is completed.
