If Cross-Vcenter with Universal Security groups is not possible, then it may be difficult to update SG on DC-A because Vcenter DCA does not know about Vcenter DCB objects. The IP address field is mandatory as in this link whether global IP set or Universal IP Set:
Does the script needs to create an IP Set from scratch or can it append to an existing IP Set? If possible, then an unused /32 IP address could be added just to create statically, and merge with the IP addresses coming from SGA dynamically populated by VM names on DC-B.
There are some quirks around IP Sets.
- The UI will NOT let you create an empty IP Set.
- The API will ALLOW you to create an empty IP Set.
- Both the UI and API will not let you remove all entries from an existing IP Set.
What I normally recommend for my customers to do in this case is to use a placeholder address in each of the IP Sets where you potentially need an "empty" IP Set. This way you can remove all your "real" addresses and just be left with your placeholder address. Just make sure that the placeholder address is not accessible/routable on your network
I am working through this same exact scenario. Would you be able to share your code for "Power Shell + Power NSX scripting to extract the IP address from the security group A & importing it in to IP Set A."
I would be modifying this to work on a large number of IP Sets and would be happy to share this back when I am completed.