VMware Networking Community
cncallison123
Contributor

Syntax for Security Group dynamic membership

I am assigning security tags to each of my servers for the following 4 attributes:

Location

Environment (production, test, etc.)

Customer

Role (Oracle, MSSQL, MYSQL, etc)

I need to create security groups that use a combination of these tags for dynamic membership.

For example,

a security group called "PROD-CUSTOMER1-Oracle" would include servers that have all three of the following tags assigned:

ST-ENV-PROD

ST-CUSTOMER-CUSTOMER1

ST-ROLE-ORACLE

a security group called "TEST-CUSTOMER2-MYSQL" would include servers that have all three of the following tags assigned:

ST-ENV-TEST

ST-CUSTOMER-CUSTOMER2

ST-ROLEMYSQL

singho
VMware Employee

Can you create a SG with name "PROD-CUSTOMER1-Oracle" and include all tags you want?

cncallison123
Contributor

I can create a security group just fine with PowerNSX, but the syntax for creating a dynamic rule using 3 security tags while changing the logic from "Any" to "All" is what I need.

DaleCoghlan
VMware Employee

Firstly you should be using "Security Tag" and "Equals To". The recommended method to achieve what you want is to use Entity Belongs To. If you've already configured them, see the following attachment for a method to remediate the configuration.

Now to configure your security group using PowerNSX, try the following:

# Look up the security tag objects by name
$tag1 = Get-NsxSecurityTag -name HUB-CLIENT
$tag2 = Get-NsxSecurityTag -name ST-ENV-PROD
$tag3 = Get-NsxSecurityTag -name ROL-ORACLEDB

# Build one dynamic criteria spec per tag
$Entity1 = New-NsxDynamicCriteriaSpec -Entity $tag3
$Entity2 = New-NsxDynamicCriteriaSpec -Entity $tag2
$Entity3 = New-NsxDynamicCriteriaSpec -Entity $tag1

# Add the three criteria to the existing group "foo" as a single dynamic member set
Get-NsxSecurityGroup -name foo | Add-NsxDynamicMemberSet -SetOperator OR -CriteriaOperator AND -DynamicCriteriaSpec $Entity1,$Entity2,$Entity3

Regards

Dale

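The approach from the reply above, wrapped in a reusable function that resolves every tag before touching the group. This is an added example, not part of the original thread or of PowerNSX: the function name Add-TagIntersectionMemberSet is hypothetical, and it assumes an open PowerNSX session and that the security groups already exist.

```powershell
# Added example: requires a PowerNSX session (Connect-NsxServer) to be open already.
function Add-TagIntersectionMemberSet {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $TagName
    )

    # Resolve every tag first and stop if any name is wrong, so a typo in a
    # tag name cannot leave the group with fewer criteria than intended.
    $tags = foreach ($name in $TagName) {
        $tag = Get-NsxSecurityTag -Name $name
        if (-not $tag) {
            throw "Security tag '$name' not found; group '$GroupName' left unchanged."
        }
        $tag
    }

    $group = Get-NsxSecurityGroup -Name $GroupName
    if (-not $group) { throw "Security group '$GroupName' not found." }

    # One dynamic criteria spec per tag, as in the reply above.
    $criteria = @(foreach ($tag in $tags) { New-NsxDynamicCriteriaSpec -Entity $tag })

    # Operator values are copied from the reply above.
    $group | Add-NsxDynamicMemberSet -SetOperator OR -CriteriaOperator AND -DynamicCriteriaSpec $criteria
}

# The two groups from the question (group and tag names as written there).
Add-TagIntersectionMemberSet -GroupName 'PROD-CUSTOMER1-Oracle' `
    -TagName 'ST-ENV-PROD', 'ST-CUSTOMER-CUSTOMER1', 'ST-ROLE-ORACLE'
Add-TagIntersectionMemberSet -GroupName 'TEST-CUSTOMER2-MYSQL' `
    -TagName 'ST-ENV-TEST', 'ST-CUSTOMER-CUSTOMER2', 'ST-ROLEMYSQL'
```

After each call, compare the group's membership against the servers expected to carry all three tags before attaching firewall rules to the group.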