ggovek
Enthusiast

Create NSX-T Security Groups with PowerCLI

Hi,

With the code below I want to create Security Groups:

# VM name
# Variables
$VMs = Get-VM -Name "APP-01_8080"
$nsgroupname = $VMs.Name
# Create NSGroup
$nsgroupsvc = Get-NsxtService -Name com.vmware.nsx.ns_groups
$nsgroupspec = $nsgroupsvc.Help.create.ns_group.Create()
$nsgroupmemberspec = $nsgroupsvc.Help.create.ns_group.membership_criteria.Element.NS_group_simple_expression.Create()
$nsgroupspec.display_name = $nsgroupname
$nsgroupmemberspec.target_type = "VirtualMachine"
$nsgroupmemberspec.target_property = "name"
$nsgroupmemberspec.op = "EQUALS"
$nsgroupmemberspec.value = $VMs.Name
$nsgroupspec.membership_criteria.Add($nsgroupmemberspec)
$nsgroupsvc.create($nsgroupspec)

The Security Group is successfully created for me, but I can only see it in Manager Mode and not in Policy Mode in the NSX-T Manager UI. What needs to be changed to also see the SG in Policy Mode?

0 Kudos
LucD
Leadership

Looks like the method creates the group in Manager mode.
Afaik VMW advises not to mix both modes for creating objects, see When to Use Policy Mode or Manager Mode

Btw, this Get-NsxtService cmdlet is deprecated.
You should use the cmdlets in the VMware.Sdk.Nsx.Policy module.
See an excellent write-up on the subject in PowerCli 13 Create NSX Security Groups


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

ggovek
Enthusiast

Thanks for the advice. It works for Local Managers; the code is below:

# PowerCLI settings (certificate validation is disabled here)
Set-PowerCLIConfiguration -Scope User -ParticipateInCEIP $true -Confirm:$false | Out-Null
Set-PowerCLIConfiguration -Scope User -InvalidCertificateAction:Ignore -Confirm:$false | Out-Null
# Connect to vCenter Server
Connect-VIServer -Server nsxt-vc-sdc.glab.local -User 'administrator@vsphere.local' -Password 'C!sco123'

# Connect to NSX-T Manager
$NSX_IP = "10.10.10.10"
$NSX_User = "admin"
$NSX_Password = "Password"

Write-Host "Connecting to NSX Manager ..."
$n = Connect-NsxServer -Server $NSX_IP -User $NSX_User -Password $NSX_Password

# Variables
$MemberType = "VirtualMachine"
$Key = "name"
$Operator = "EQUALS"

#$GroupName="APP-02_8080"
#$Value="APP-02_8080"

# One group per VM carrying the "NSX" tag, named after the VM
$vm_names = Get-VM -Tag "NSX"
foreach ($vm_name in $vm_names) {
    # Get-VM already returned VM objects, so take the name directly
    $GroupName = $vm_name.Name
    $allGroups = Invoke-ListGroupForDomain -DomainId default
    $gp = $allGroups.Results | Where-Object {$_.DisplayName -eq $GroupName}
    if ($gp) {
        Write-Host "Group $GroupName already exists."
    } else {
        # Membership criterion: VirtualMachine whose name EQUALS the VM name
        $cond = Initialize-Condition -ResourceType Condition -Id $GroupName -MemberType $MemberType -Value $GroupName -Key $Key -Operator $Operator
        $group = Initialize-Group -DisplayName $GroupName -Expression @($cond)
        $createdGroup = Invoke-PatchGroupForDomain -Server $n -DomainId default -Group $group -GroupId $GroupName
        Write-Host "Created Group $GroupName ..."
    }
}

# Disconnect from NSX-T Manager
Write-Host "Disconnecting from NSX Manager ..."
Disconnect-NsxServer -Server $NSX_IP

 Could someone help me with how I could create Security Groups on the Global Manager?

0 Kudos
ggovek
Enthusiast

I found a solution and changed only this command:

$createdGroup = Invoke-PatchGroupForDomain -Server $n -DomainId default -Group $group -GroupId $GroupName

to

$createdGroup = Invoke-GlobalInfraPatchGroupForDomain -Server $n -DomainId default -Group $group -GroupId $GroupName

 

With Get-Command -Module VMware.Sdk.Nsx.Policy we get all the necessary commands for the NSX module.

0 Kudos
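
A variant of the script from this thread that targets either a Local or a Global Manager, prompts for credentials instead of embedding them, and lists the existing groups once. This is an added example, not code posted by the participants. Assumptions: the server name is a placeholder, `Invoke-GlobalInfraListGroupForDomain` is assumed to exist by analogy with the patch cmdlet and is checked with `Get-Command` before use, and the group-ID character filter is a conservative choice made for this example.

```powershell
# Added example. Assumes PowerCLI 13 with VMware.Sdk.Nsx.Policy and an
# existing Connect-VIServer session (needed for Get-VM).
param(
    [string]$NsxServer = 'nsx-manager.example.local',  # placeholder host name
    [switch]$GlobalManager                              # target the Global Manager
)
$ErrorActionPreference = 'Stop'

# Local Manager cmdlets and the global patch cmdlet appear in the thread;
# the global list cmdlet name is an assumption, so both are verified first.
$prefix   = if ($GlobalManager) { 'Invoke-GlobalInfra' } else { 'Invoke-' }
$listCmd  = "${prefix}ListGroupForDomain"
$patchCmd = "${prefix}PatchGroupForDomain"
foreach ($c in $listCmd, $patchCmd) {
    if (-not (Get-Command -Module VMware.Sdk.Nsx.Policy -Name $c -ErrorAction SilentlyContinue)) {
        throw "Cmdlet $c not found in VMware.Sdk.Nsx.Policy"
    }
}

# Prompt for credentials; this script does not change InvalidCertificateAction.
$nsx = Connect-NsxServer -Server $NsxServer -Credential (Get-Credential -Message 'NSX admin')
try {
    # One list call; index existing groups by display name.
    $existing = @{}
    foreach ($g in (& $listCmd -Server $nsx -DomainId default).Results) {
        $existing[$g.DisplayName] = $true
    }

    foreach ($vm in (Get-VM -Tag 'NSX')) {
        $name = $vm.Name
        # Conservative assumption: the VM name doubles as the group ID, so only
        # accept names made of letters, digits, '_', '.' and '-'.
        if ($name -notmatch '^[A-Za-z0-9_.-]+$') {
            Write-Warning "Skipping '$name': not usable as a group ID"
            continue
        }
        if ($existing.ContainsKey($name)) {
            Write-Host "Group $name already exists."
            continue
        }
        $cond  = Initialize-Condition -ResourceType Condition -Id $name -MemberType VirtualMachine -Key name -Operator EQUALS -Value $name
        $group = Initialize-Group -DisplayName $name -Expression @($cond)
        & $patchCmd -Server $nsx -DomainId default -GroupId $name -Group $group | Out-Null
        Write-Host "Created group $name"
    }
}
finally {
    Disconnect-NsxServer -Server $NsxServer
}
```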