Automate NSX-T with PowerCLI

While working on an NSX-T project I got the question from the customer to deliver some firewall and network automation based on PowerShell. This to help them ramp up the creation of networks and firewall rules. I pointed them to the PowerCLI Preview for NSX-T, but I wasn’t aware that this fling only was able to retrieve information from NSX-T and not create items/objects. So, how can we do this then? I knew we were able to manage NSX-T since PowerCLI version 6.5.3, but how does this work?

PowerCLI NSX-T

After some google-fu I came across a blog post of Kyle Ruddy named: Getting Started with the PowerCLI Module for VMware NSX-T. This article describes how the NSX-T PowerShell Module works and which cmdlets where available:

  • Connect-NsxtServer
  • Disconnect-NsxtServer
  • Get-NsxtService
  •  
    Only 3 commands? Yes, only 3 commands! Because of the simple reason that with the 3rd command you have full access to NSX-T’s public API! And therefore you’re able to retrieve and create items/objects. In the blog article Kyle also gives some examples on how to Retrieve Transport Zone Information or perform Logical Switch and IP Pool Management. But how do we create an NSGroup or a Distributed Firewall Section? This post contains some additional examples and I’ll update this post as new scripts will come along.

    The first thing we need to do is connect to the NSX-T Manager:

    NSGroups

    Create a NSGroup based on a Security Tag

    Delete a NSGroup

    List all NSGroups

    DFW Sections

    Search for DFW Section

    Create Firewall Rule in DFW Section

    Create DFW Section

    IP Sets

    Create IP Set

    Delete IP Set

    List all IP Sets

    NS Services

    Create NS Service

    Delete NS Service

    List all NS Services

    Logical Switches

    Create Logical Switch

    Delete Logical Switch

    Fabric

    Update vCenter Compute Manager Credentials

    The examples above should be used with care and are on your own risk!

    And if you have any cool new scripts or additions please let me know in the comments section below!

    Marco van Baggum

    Marco van Baggum

    Marco works as a Staff Consulting Architect at VMware. Want to learn more about Marco? Check out Marco's About page.

    5 thoughts on “Automate NSX-T with PowerCLI

    1. Hello Marco,

      Thank you very much for sharing this valuable lines of code ! I am now able to mass create lot of Logical Switches from a csv file with TransportZone/vlan/LS name.

      The very different approach of NSX-T powershell commands compairing to VDS ones are really time consumming !

      A question NSX specific: the Logical Switches are handled by NSX Controllers (until NSX-T 2.3, and handled by NSX Mgr starting from NSX-T 2.4). Looking at NSX Manager GUI meanwhile LS are mass created, there is a “Config State” item per LS showing how it is deployed on each NSX Ctrl nodes. Is there a way to get this info from Powershell in order to monitor proper configuration ?

      Thank you !

      Stéphane

    2. Thanks for this.

      I have noticed there is not a lot of updating of existing nsgroups and IPset examples which would be helpful.

      Dion

    3. I was finally able to do a simple update:

      Connect-NsxtServer virttest.local
      $ipsetsvc = Get-NsxtService -Name com.vmware.nsx.ip_sets
      $ipset_guid = $ipsetsvc.list().results | Where-Object -Property display_name -eq ‘mydisplayname’
      $ipsetspec = $ipsetsvc.Help.create.ip_set.Create()
      $ipsetips = “8.8.8.8,8.8.4.4”
      $ipsetspec.display_name = “theupdatedname”
      $ipsetspec.revision = $ipset_guid.revision #This Line was important and wouldnt update without it
      $ipsetips.Split(“,”) | ForEach { $ipsetspec.ip_addresses.Add($_) }
      $ipsetsvc.update($ipset_guid.id, $ipsetspec)

      Key seemed to be the revision variable.

      Dion

      1. response a little late but here you go. This PS creates T0’s. Please let me know if you have questions.

        # PowerCLI to create NSX-T T0’s
        # Created 3/22/2021
        # by Ray Brittner

        $newt0 = import-csv C:\temp\t0s.csv
        ForEach($t0 in $newt0){

        $newlrt0 = Get-NsxtPolicyService com.vmware.nsx_policy.infra.tier0s

        $lrid = $t0.id
        $lrha_mode = $t0.ha_mode
        $lrfail = $t0.failover_mode
        $lrresource = $t0.resource_type

        $newlrt0spec = $newlrt0.Help.patch.tier0.Create()

        $newlrt0spec[0].id = $lrid
        $newlrt0spec[0].ha_mode = $lrha_mode
        $newlrt0spec[0].failover_mode = $lrfail

        $newlrt0spec[0].resource_type = $lrresource

        $newlrt0.patch($newlrt0spec[0].id, $newlrt0spec[0])
        write-host(“Teir0 “+ $lrid + ” created.”)

        }

        CSV:
        Help transit_subnets internal_transit_subnets ha_mode failover_mode ipv6_profile_paths force_whitelisting default_rule_logging disable_firewall resource_type id display_name path relative_path parent_path marked_for_delete create_user create_time last_modified_user last_modified_time system_owned protection revision links schema self description tags children dhcp_config_paths
        @{Documentation=Tier-0 configuration for external connectivity.; links=; schema=; self=; revision=; create_time=; create_user=; last_modified_time=; last_modified_user=; protection=; system_owned=; description=; display_name=; id=; resource_type=; tags=; parent_path=; path=; relative_path=; children=; marked_for_delete=; default_rule_logging=; dhcp_config_paths=; disable_firewall=; failover_mode=; force_whitelisting=; ha_mode=; internal_transit_subnets=; ipv6_profile_paths=; transit_subnets=} System.Collections.Generic.List1[System.String] System.Collections.Generic.List1[System.String] ACTIVE_STANDBY PREEMPTIVE System.Collections.Generic.List`1[System.String] FALSE FALSE FALSE Tier0 t0-tnt06 t0-tnt06 /infra/tier-0s/t0-tnt06 t0-tnt06 /infra/tier-0s/t0-tnt06 FALSE admin 1.61E+12 admin 1.61E+12 FALSE NOT_PROTECTED 2

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.