While working on an NSX-T project I got the question from the customer to deliver some firewall and network automation based on PowerShell. This to help them ramp up the creation of networks and firewall rules. I pointed them to the PowerCLI Preview for NSX-T, but I wasn’t aware that this fling only was able to retrieve information from NSX-T and not create items/objects. So, how can we do this then? I knew we were able to manage NSX-T since PowerCLI version 6.5.3, but how does this work?


After some google-fu I came across a blog post of Kyle Ruddy named: Getting Started with the PowerCLI Module for VMware NSX-T. This article describes how the NSX-T PowerShell Module works and which cmdlets where available:

  • Connect-NsxtServer
  • Disconnect-NsxtServer
  • Get-NsxtService
    Only 3 commands? Yes, only 3 commands! Because of the simple reason that with the 3rd command you have full access to NSX-T’s public API! And therefore you’re able to retrieve and create items/objects. In the blog article Kyle also gives some examples on how to Retrieve Transport Zone Information or perform Logical Switch and IP Pool Management. But how do we create an NSGroup or a Distributed Firewall Section? This post contains some additional examples and I’ll update this post as new scripts will come along.

    The first thing we need to do is connect to the NSX-T Manager:

    Connect-NsxtServer -Server <NSX-T FQDN/IP> -User <Username> -Password <Password>


    Create a NSGroup based on a Security Tag

    $nsgroupname = "NS-Test"
    $nstagname = "ST-Test"
    #Create NSGroup
    $nsgroupsvc = Get-NsxtService -Name com.vmware.nsx.ns_groups
    $nsgroupspec = $nsgroupsvc.Help.create.ns_group.Create()
    $nsgroupmemberspec = $nsgroupsvc.Help.create.ns_group.membership_criteria.Element.NS_group_tag_expression.create()
    $nsgroupspec.display_name = $nsgroupname
    $nsgroupmemberspec.tag_op = "EQUALS"
    $nsgroupmemberspec.tag = $nstagname
    $nsgroupmemberspec.target_type = "VirtualMachine"

    Delete a NSGroup

    $deletensgroupname = "NS-Test"
    #Delete NSGroup
    $nsgroupsvc = Get-NsxtService -Name com.vmware.nsx.ns_groups
    $nsgroups = $nsgroupsvc.list()
    $nsgroup = $nsgroups.results | Where-Object {$_.display_name -eq $deletensgroupname}

    List all NSGroups

    #List all NSGroups
    $nsgroupsvc = Get-NsxtService -Name com.vmware.nsx.ns_groups
    $nsgroups = $nsgroupsvc.list()
    $nsgroups.results | Format-Table -Autosize -Property id, display_name, members

    DFW Sections

    Search for DFW Section

    $fwsectionname = "3 Tier-App" 
    #Search for DFW Section
    $fwsectsvc = Get-NsxtService -Name com.vmware.nsx.firewall.sections
    $fwsections = $fwsectsvc.list()
    $fwsection = $fwsections.results | Where-Object {$_.display_name -eq $fwsectionname}

    Create Firewall Rule in DFW Section

    $fwrulename = "Test Rule"
    $fwruleaction = "ALLOW"
    #Create Firewall Rule in DFW Section
    $fwrulesvc = Get-NsxtService -Name com.vmware.nsx.firewall.sections.rules
    $fwrulespec = $fwrulesvc.Help.create.firewall_rule.Create()
    $fwrulespec.display_name = $fwrulename
    $fwrulespec.action = $fwruleaction
    $fwrulespec.logged = $true
    $fwrulespec.revision = $fwsection.revision
    $fwrule = $fwrulesvc.create($fwsection.id, $fwrulespec)

    Create DFW Section

    $fwsectname = "New Section"
    #Create DFW Section
    $fwsectspec = $fwsectsvc.Help.create.firewall_section.Create()
    $fwsectspec.section_type = "LAYER3"
    $fwsectspec.display_name = $fwsectname
    $fwsectspec.stateful = $true
    $fwsection = $fwsectsvc.create($fwsectspec, $fwsection.id, "insert_after")

    IP Sets

    Create IP Set

    $ipsetname = "IP-Google"
    $ipsetips = ","
    #Create IP Set
    $ipsetsvc = Get-NsxtService -Name com.vmware.nsx.ip_sets
    $ipsetspec = $ipsetsvc.Help.create.ip_set.Create()
    $ipsetspec.ip_addresses = New-Object System.Collections.Generic.List[string]
    $ipsetspec.display_name = $ipsetname
    $ipsetips.Split(",") | ForEach { $ipsetspec.ip_addresses.Add($_) }

    Delete IP Set

    $ipsetname = "IP-Google"
    #Delete IP Set
    $ipsets = $ipsetsvc.list()
    $ipsetid = $ipsets.results | Where-Object {$_.display_name -eq $ipsetname}

    List all IP Sets

    #List all IP Sets
    $ippoolsvc = Get-NsxtService -Name com.vmware.nsx.pools.ip_pools
    $ippoolsvc.list().results | Format-Table -Autosize -Property id, display_name,@{Name="subnets";Expression={$_.subnets.cidr}}

    NS Services

    Create NS Service

    $servicename = "NSS-80-TCP" 
    $serviceport = "80"
    $serviceprot = "TCP"
    #Create NS Service
    $servicesvc = Get-NsxtService -Name com.vmware.nsx.ns_services
    $servicespec = $servicesvc.Help.create.ns_service.Create()
    $servicespec.display_name = $servicename
    $servicedetailspec = $servicesvc.Help.create.ns_service.nsservice_element.l4_port_set_NS_service.Create()
    $servicedetailspec.destination_ports = New-Object System.Collections.Generic.List[string]
    $servicedetailspec.l4_protocol = $serviceprot
    $servicedetailspec.resource_type = "L4PortSetNSService"
    $servicespec.nsservice_element = $servicedetailspec

    Delete NS Service

    $servicename = "NSS-80-TCP"
    #Delete Service
    $servicesvc = Get-NsxtService -Name com.vmware.nsx.ns_services
    $service = $services.results | Where-Object {$_.display_name -eq $servicename}

    List all NS Services

    #List NS Services
    $servicesvc = Get-NsxtService -Name com.vmware.nsx.ns_services
    $services = $servicesvc.list()
    $services.results | Where-Object {$_.nsservice_element.l4_protocol -ne $null} | Format-Table -Autosize -Property id, display_name,@{Name="l4_protocol";Expression={$_.nsservice_element.l4_protocol}},@{Name="destination_ports";Expression={$_.nsservice_element.destination_ports}}

    Logical Switches

    Create Logical Switch

    $tzoneoverlayname = "TZ-Overlay"
    $logswitchname = "PowerCLI Created LS"
    #Get Transport Zone 
    $tzonesvc = Get-NsxtService -Name com.vmware.nsx.transport_zones
    $tzones = $tzonesvc.list()
    $tzoneoverlay = $tzones.results | Where-Object {$_.display_name -eq $tzoneoverlayname}
    #Create Logical Switch
    $logswitchsvc = Get-NsxtService -Name com.vmware.nsx.logical_switches 
    $logswitchspec = $logswitchsvc.Help.create.logical_switch.Create()
    $logswitchspec.admin_state = "UP"
    $logswitchspec.display_name = $logswitchname
    $logswitchspec.replication_mode = "MTEP"
    $logswitchspec.transport_zone_id = $tzoneoverlay.id

    Delete Logical Switch

    $logswitchname = "PowerCLI Created LS"
    #Delete Logical Switch
    $logswitchsvc = Get-NsxtService -Name com.vmware.nsx.logical_switches 
    $logswitches = $logswitchsvc.list().results
    $logswitch = $logswitches | Where-Object {$_.display_name -eq $logswitchname}


    Update vCenter Compute Manager Credentials

    $compmanagerusername = "[email protected]"
    $compmanagerpassword = "VMware1!"
    $compmanagername = ""
    #Update vCenter Credentials
    $compmanagersvc = Get-NsxtService -Name com.vmware.nsx.fabric.compute_managers
    $compmanagers = $compmanagersvc.list()
    $compmanager = $compmanagers.results | Where-Object {$_.server -eq $compmanagername} 
    $compmanagerspec = $compmanagersvc.help.update.compute_manager.Create()
    $compmanagerspec.server = $compmanager.server
    $compmanagerspec.origin_type = $compmanager.origin_type
    $compmanagerspec.revision = $compmanager.revision
    $compmanagercredspec = $compmanagersvc.Help.update.compute_manager.credential.username_password_login_credential.Create()
    $compmanagercredspec.username = $compmanagerusername
    $compmanagercredspec.password = $compmanagerpassword
    $compmanagercredspec.thumbprint = $compmanager.credential.thumbprint
    $compmanagercredspec.credential_type = "UsernamePasswordLoginCredential"
    $compmanagerspec.credential = $compmanagercredspec
    $compmanagersvc.update($compmanager.id, $compmanagerspec)

    The examples above should be used with care and are on your own risk!

    And if you have any cool new scripts or additions please let me know in the comments section below!

    The post Automate NSX-T with PowerCLI appeared first on vMBaggum.

    The original article was posted on: www.vmbaggum.nl


    Let's talk!

    Knowledge is key for our existence. This knowledge we use for disruptive innovation and changing organizations. Are you ready for change?

    "*" indicates required fields

    First name*
    Last name*