topic Re: Create NSX-T Security Groups with PowerCLI in VMware PowerCLI Discussions

Create NSX-T Security Groups with PowerCLI

ggovek — Fri, 14 Apr 2023 10:36:31 GMT

Hi,

With Code bellow I want to create Security Groups:

#VM NAME
#Variables
$VMs= Get-VM -Name "APP-01_8080"
$nsgroupname = $VMs.Name
#Create NSGroup
$nsgroupsvc = Get-NsxtService -Name com.vmware.nsx.ns_groups
$nsgroupspec = $nsgroupsvc.Help.create.ns_group.Create()
$nsgroupmemberspec = $nsgroupsvc.Help.create.ns_group.membership_criteria.Element.NS_group_simple_expression.Create()
$nsgroupspec.display_name = $nsgroupname
$nsgroupmemberspec.target_type = "VirtualMachine"
$nsgroupmemberspec.target_property= "name"
$nsgroupmemberspec.op ="EQUALS"
$nsgroupmemberspec.value= $VMs.Name
$nsgroupspec.membership_criteria.Add($nsgroupmemberspec)
$nsgroupsvc.create($nsgroupspec)

The Security Group is successfully created for me, but I can only see it in Manager Mode and not in Policy Mode in NSX-T Manager UI. What needs to be changed to see SG also in Policy Mode?

Re: Create NSX-T Security Groups with PowerCLI

LucD — Fri, 14 Apr 2023 11:07:16 GMT

Looks like the method creates the group in Manager mode.
Afaik VMW advises not to mix both modes for creating objects, see When to Use Policy Mode or Manager Mode

Btw, this Get-NsxtService cmdlet is deprecated.
You should use the cmdlets in the VMware.Sdk.Nsx.Policy module.
See an excellent write-up on the subject in PowerCli 13 Create NSX Security Groups

Re: Create NSX-T Security Groups with PowerCLI

ggovek — Fri, 14 Apr 2023 14:07:54 GMT

Thanks for the advice. It works for Local Managers, code is Bellow:

Set-PowerCLIConfiguration -Scope User -ParticipateInCEIP $true -Confirm:$false | Out-Null Set-PowerCLIConfiguration -Scope User -InvalidCertificateAction:Ignore -Confirm:$false | Out-Null # Connect to vCenter Server Connect-VIServer -Server nsxt-vc-sdc.glab.local -User administrator@vsphere.local -Password C!sco123 # Connect to NSX-T Manager $NSX_IP = "10.10.10.10" $NSX_User = "admin" $NSX_Password = "Password" Write-Host "Connecting to NSX Manager ..." $n = Connect-NsxServer -Server $NSX_IP -User $NSX_User -Password $NSX_Password #Variables $MemberType="VirtualMachine" $Key="name" $Operator="EQUALS" #$GroupName="APP-02_8080" #$Value="APP-02_8080" $vm_names = Get-VM -Tag "NSX" foreach ($vm_name in $vm_names) { $GroupName = Get-VM -Name $vm_name $allGroups = Invoke-ListGroupForDomain -DomainId default $gp = $allGroups.Results | where {$_.DisplayName -eq $GroupName} if ($gp) { Write-Host "Group $GroupName already exists." }else{ $cond = Initialize-Condition -ResourceType Condition -Id $GroupName -MemberType $MemberType -Value $GroupName -Key $Key -Operator $Operator $group = Initialize-Group -DisplayName $GroupName -Expression @($cond) $createdGroup = Invoke-PatchGroupForDomain -Server $n -DomainId default -Group $group -GroupId $GroupName Write-Host "Created Group $GroupName ..." } } # Disconnect to NSX-T Manager Write-Host "Disconnecting from NSX Manager ..." Disconnect-NsxServer -Server $NSX_IP

Could someone help me with how I could create Security Groups on the Global Manager?

Re: Create NSX-T Security Groups with PowerCLI

ggovek — Mon, 17 Apr 2023 11:51:19 GMT

I found a solution and changed only this command:

$createdGroup = Invoke-PatchGroupForDomain -Server $n -DomainId default -Group $group -GroupId $GroupName

$createdGroup = Invoke-GlobalInfraPatchGroupForDomain -Server $n -DomainId default -Group $group -GroupId $GroupName

With Get-Command -Module VMware.Sdk.Nsx.Policy we get all the necessary commands for NSX Module.