I created the script below in order to allow only specific IPs per service. I'm not sure if it's the right way or not, but I would like to discuss this and get the best option for the same.
# Restrict the ntpClient firewall ruleset on every host in the cluster to two NTP servers
$vmhosts = Get-VMHost -Location MyCluster
foreach ($vmhost in $vmhosts) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    # Turn off "allow all" for the ruleset
    $ntpRuleSet = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $ntpRuleSet.allowedall = "false"
    $ntpRuleSet.rulesetid = "ntpClient"
    $esxcli.network.firewall.ruleset.set.Invoke($ntpRuleSet)
    # Add the allowed source IPs, one address per call
    $ntpAllowIP = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $ntpAllowIP.rulesetid = "ntpClient"
    $ntpAllowIP.ipaddress = "192.168.0.1"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
    $ntpAllowIP.ipaddress = "192.168.0.2"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP)
}
Any comments are welcome 🙂
To enable/disable a FW rule you could also use the Set-VMHostFirewallException cmdlet.
But for adding IP addresses you would still need to use the Get-EsxCli.
In your case, using the Get-EsxCli for everything is the more obvious choice.
There is no single right way to do things in PowerCLI; if the script does what you want it to do, it is a good script.
Personally, I would make use of the pipeline, the PipelineVariable parameter, avoid the foreach statement, and suppress the Boolean values that are returned (since you don't use them).
Something like this:
Get-Cluster -Name MyCluster |
Get-VMHost -PipelineVariable vmhost |
ForEach-Object -Process {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    # Switch the ruleset from "allow all" to an explicit allowed list
    $ntpRuleSet = $esxcli.network.firewall.ruleset.set.CreateArgs()
    $ntpRuleSet.allowedall = "false"
    $ntpRuleSet.rulesetid = "ntpClient"
    $esxcli.network.firewall.ruleset.set.Invoke($ntpRuleSet) | Out-Null
    # Add the allowed sources one per call; the returned Boolean is discarded
    $ntpAllowIP = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $ntpAllowIP.rulesetid = "ntpClient"
    $ntpAllowIP.ipaddress = "192.168.0.1"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP) | Out-Null
    $ntpAllowIP.ipaddress = "192.168.0.2"
    $esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP) | Out-Null
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Post moved to the VMware PowerCLI Discussions.
Thank you for your help and clarification.
For the last 2 lines in the script, is there a way to change them into one line?
Like this:
$ntpAllowIP.ipaddress = "ntp1","ntp2"
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($ntpAllowIP) | Out-Null
By the way, this approach will also be used for other services like SSH and NFS, where the allowed IP should not be "All IP".
AFAIK that is a limitation of the esxcli command itself.
It allows a single IP address (192.168.0.1) or a range (192.168.0.0/24), not an array of IP addresses.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
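The following script is an added example, not code from the original thread or from LucD. It generalises the pipeline version above to the follow-up question about SSH and NFS: because esxcli accepts one IP or one CIDR range per call, the desired sources are kept in a hashtable per ruleset and added in a loop, existing entries are read first so the script is idempotent, and stale entries are removed. It assumes an active Connect-VIServer session, that the ruleset IDs ntpClient, sshServer and nfsClient exist on the hosts (the standard ESXi IDs; check with Get-VMHostFirewallException or esxcli network firewall ruleset list), and that the allowedip.list output exposes Ruleset and AllowedIPAddresses properties. The management-ruleset guard and the sample addresses are the example's own.

```powershell
# Added example (not from the original thread): restrict several ESXi firewall
# rulesets on every host in a cluster to explicit source IPs / CIDR ranges.
# Assumes an active Connect-VIServer session and that the ruleset IDs below
# exist on the hosts; the AllowedIPAddresses property name is an assumption.

# Constructed input: ruleset ID -> desired allowed sources (one IP or one CIDR each).
$allowedSources = @{
    'ntpClient' = @('192.168.0.1', '192.168.0.2')
    'sshServer' = @('10.10.5.0/24')               # admin jump-host subnet
    'nfsClient' = @('10.20.0.10', '10.20.0.11')    # NFS storage arrays
}

# Rulesets vCenter uses to reach the host; restricting them without the
# vCenter address in the list locks the host out of management.
$managementRulesets = @('vSphereClient', 'vpxHeartbeats')

function Set-RulesetAllowedIP {
    param(
        [Parameter(Mandatory)] $EsxCli,                # object from Get-EsxCli -V2
        [Parameter(Mandatory)] [string]   $RulesetId,
        [Parameter(Mandatory)] [string[]] $Sources
    )

    if ($managementRulesets -contains $RulesetId) {
        throw "Refusing to restrict '$RulesetId': it carries vCenter management traffic."
    }

    # 1. Switch the ruleset from "allow all" to the explicit allowed list.
    $set = $EsxCli.network.firewall.ruleset.set.CreateArgs()
    $set.rulesetid  = $RulesetId
    $set.allowedall = 'false'
    $EsxCli.network.firewall.ruleset.set.Invoke($set) | Out-Null

    # 2. Read what is already allowed so re-runs do not fail on duplicates.
    #    AllowedIPAddresses is assumed to be an array or a comma-separated
    #    string; "All" means the ruleset was unrestricted until now.
    $listArgs = $EsxCli.network.firewall.ruleset.allowedip.list.CreateArgs()
    $listArgs.rulesetid = $RulesetId
    $current = @($EsxCli.network.firewall.ruleset.allowedip.list.Invoke($listArgs) |
        ForEach-Object { $_.AllowedIPAddresses } |
        ForEach-Object { if ($_ -is [string]) { $_ -split ',\s*' } else { $_ } } |
        Where-Object { $_ -and $_ -ne 'All' })

    # 3. Add each missing source; esxcli takes one IP or one CIDR per call.
    $add = $EsxCli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $add.rulesetid = $RulesetId
    foreach ($src in $Sources) {
        if ($current -contains $src) { continue }
        $add.ipaddress = $src
        $EsxCli.network.firewall.ruleset.allowedip.add.Invoke($add) | Out-Null
    }

    # 4. Remove entries present on the host but absent from the desired list.
    $remove = $EsxCli.network.firewall.ruleset.allowedip.remove.CreateArgs()
    $remove.rulesetid = $RulesetId
    foreach ($stale in $current) {
        if ($Sources -notcontains $stale) {
            $remove.ipaddress = $stale
            $EsxCli.network.firewall.ruleset.allowedip.remove.Invoke($remove) | Out-Null
        }
    }

    # 5. Return the effective list so the caller can verify the result.
    $EsxCli.network.firewall.ruleset.allowedip.list.Invoke($listArgs)
}

Get-Cluster -Name MyCluster |
Get-VMHost -PipelineVariable vmhost |
ForEach-Object -Process {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    foreach ($rulesetId in $allowedSources.Keys) {
        Set-RulesetAllowedIP -EsxCli $esxcli -RulesetId $rulesetId -Sources $allowedSources[$rulesetId] |
            Select-Object @{N = 'VMHost'; E = { $vmhost.Name }}, Ruleset, AllowedIPAddresses
    }
}
```

Run it once against a single test host before the whole cluster, and compare the printed AllowedIPAddresses with the hashtable: a ruleset that still shows "All" means the allowedall change did not apply, and a missing entry means esxcli rejected that address format (one plain IP or one CIDR such as 192.168.0.0/24 per entry).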