Earlier this week I published an article on how to get started with the new NSX-T Policy API in VMware Cloud on AWS (VMC). If you have not read that guide yet, I recommend starting there, since it covers the prerequisites you will need. As mentioned in that article, I planned to add more NSX-T Policy API examples, and the community NSX-T Policy PowerShell module now includes 37 additional functions; the complete list is below:
- Connect-NSXTProxy
- Get-NSXTFirewall
- Get-NSXTGroup
- Get-NSXTSegment
- Get-NSXTService
- New-NSXTFirewall
- New-NSXTGroup
- New-NSXTSegment
- New-NSXTServiceDefinition (renamed as of 07/01/2019)
- Remove-NSXTFirewall
- Remove-NSXTGroup
- Remove-NSXTSegment
- Get-NSXTDistFirewallSection (as of 01/02/2019)
- Get-NSXTDistFirewall (as of 01/02/2019)
- New-NSXTDistFirewall (as of 01/03/2019)
- Remove-NSXTDistFirewall (as of 01/03/2019)
- Get-NSXTOverviewInfo (as of 02/02/2019)
- Get-NSXTInfraScope (as of 03/14/2019)
- Get-NSXTInfraGroup (as of 03/14/2019)
- New-NSXTDistFirewallSection (as of 04/19/2019)
- Remove-NSXTService (as of 04/19/2019)
- Get-NSXTPolicyBasedVPN (as of 05/09/2019)
- New-NSXTPolicyBasedVPN (as of 05/09/2019)
- Remove-NSXTPolicyBasedVPN (as of 05/09/2019)
- Get-NSXTDNS (as of 06/08/2019)
- Set-NSXTDNS (as of 06/08/2019)
- Get-NSXTPublicIP (as of 07/01/2019)
- New-NSXTPublicIP (as of 07/01/2019)
- Remove-NSXTPublicIP (as of 07/01/2019)
- Get-NSXTNatRule (as of 07/01/2019)
- New-NSXTNatRule (as of 07/01/2019)
- Remove-NSXTNatRule (as of 07/01/2019)
- Set-NSXTSegment (as of 03/05/2020)
- Get-NSXTT0Stats (as of 07/16/2020)
- Get-NSXTLinkedVpc (as of 08/01/2020)
- Get-NSXTL2VPN (as of 08/01/2020)
- Get-NSXTPortMirror (as of 08/01/2020)
- Get-NSXTIPFIXCollector (as of 08/01/2020)
- Get-NSXTDirectConnectVIF (as of 08/01/2020)
- Get-NSXTVifPerHost (as of 08/01/2020)
- Get-NSXTVM (as of 08/01/2020)
- Get-NSXTSegmentPort (as of 08/01/2020)
- Get-NSXTGroupMember (as of 08/01/2020)
After importing the module, to see the list of all functions, you can run the following command:
Get-Command -Module VMware.VMC.NSXT
Below are examples of each of the new functions. Each function also supports a -Troubleshoot parameter which prints debugging information about the REST method (GET, PUT, etc.), the URL and the JSON payload (if applicable); this is useful for both learning and troubleshooting. All Get-* functions support filtering with the -Name parameter.
NSX-T Network Segments (Logical Networks)
List all Network Segments:
Get-NSXTSegment
List a specific Network Segment by specifying the -Name parameter:
Get-NSXTSegment -Name sddc-cgw-network-3
Create a new Network Segment with DHCP enabled:
New-NSXTSegment -Name "sddc-cgw-network-4" -Gateway "192.168.4.1/24" -DHCP -DHCPRange "192.168.4.2-192.168.4.254"
Note: Due to changes in the NSX-T Policy API, the Gateway property must be given in CIDR notation (e.g. 192.168.4.1/24); it replaces the old Prefix property.
Delete a Network Segment by specifying its ID:
Remove-NSXTSegment -Id sddc-cgw-network-4
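As an added example (my own helper, not code from the VMware.VMC.NSXT module or the original post), the script below validates the CIDR gateway and DHCP range before calling New-NSXTSegment, and skips creation when a segment of that name already exists. It assumes Connect-NSXTProxy has already been run and that Get-NSXTSegment -Name returns nothing when no segment matches; the helper names are hypothetical.

```powershell
# Added example, not code from the VMware.VMC.NSXT module. It assumes
# Connect-NSXTProxy has already been run and that Get-NSXTSegment -Name
# returns nothing when no segment matches (an assumption about the module).
function ConvertTo-UInt32Address {
    # Dotted-quad IPv4 string -> integer, so subnet checks are plain mask arithmetic.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-NSXTSegmentDefinition {
    # $true when Gateway is in CIDR notation (as the Policy API now requires) and
    # both ends of the DHCP range lie inside that subnet; otherwise warns, $false.
    param([Parameter(Mandatory)][string]$Gateway, [Parameter(Mandatory)][string]$DHCPRange)
    if ($Gateway -notmatch '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$' -or [int]$Matches[3] -gt 32) {
        Write-Warning "Gateway '$Gateway' must use CIDR notation, e.g. 192.168.4.1/24"
        return $false
    }
    $gwIp, $prefix = $Matches[1], [int]$Matches[3]
    $mask    = (4294967295 -shl (32 - $prefix)) -band 4294967295   # Int64 math, avoids 0xFFFFFFFF quirks
    $network = (ConvertTo-UInt32Address $gwIp) -band $mask
    $start, $end = $DHCPRange -split '-', 2
    foreach ($ip in @($start, $end)) {
        if (((ConvertTo-UInt32Address $ip) -band $mask) -ne $network) {
            Write-Warning "DHCP address $ip is outside subnet $Gateway"
            return $false
        }
    }
    if ((ConvertTo-UInt32Address $start) -gt (ConvertTo-UInt32Address $end)) {
        Write-Warning "DHCP range '$DHCPRange' runs backwards"
        return $false
    }
    return $true
}

function New-NSXTSegmentIfAbsent {
    # Hypothetical idempotent wrapper: validate, then create only when no segment
    # of that name exists, so a provisioning script can be re-run safely.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Gateway,
          [Parameter(Mandatory)][string]$DHCPRange)
    if (-not (Test-NSXTSegmentDefinition -Gateway $Gateway -DHCPRange $DHCPRange)) { return }
    if (Get-NSXTSegment -Name $Name) {
        Write-Host "Segment '$Name' already exists, nothing to do"
        return
    }
    New-NSXTSegment -Name $Name -Gateway $Gateway -DHCP -DHCPRange $DHCPRange
}

New-NSXTSegmentIfAbsent -Name "sddc-cgw-network-4" -Gateway "192.168.4.1/24" -DHCPRange "192.168.4.2-192.168.4.254"
```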
NSX-T Network Security Groups
In NSX-T for VMC, you can create a logical Security Group which maps to one or more IP addresses or networks. These groups can then be referenced when creating Edge Firewall rules, for ease of management, without having to refer to the individual networks or IPs. Network security groups can be defined on either the MGW or CGW, and you will need to specify the -GatewayType parameter when using these functions.
List all Network Security Groups on the MGW:
Get-NSXTGroup -GatewayType MGW
Create a new Network Security Group on the MGW:
New-NSXTGroup -GatewayType MGW -Name AppGroup-01 -IPAddress @("172.31.0.0/24")
Delete a Network Security Group on the MGW by specifying its ID:
Remove-NSXTGroup -GatewayType MGW -Id AppGroup-0
NSX-T Network Services
List all Network Services:
Get-NSXTServiceDefinition
Create a new Network Service:
New-NSXTServiceDefinition -Name "MyHTTP2" -Protocol TCP -DestinationPorts @("8080","8081")
NSX-T Edge Firewall
Similarly to Network Security Groups, you can create an Edge Firewall rule that is defined on either the MGW or CGW. The Source, Destination and Services refer to the IDs that have been defined in the NSX-T system, as shown earlier. There is also a sequence number which determines the ordering of the firewall rules, and you can control it when creating a new Edge Firewall rule.
List all Edge Firewall rules for the MGW:
Get-NSXTFirewall -GatewayType MGW
Create a new Edge Firewall rule for the MGW:
Delete an Edge Firewall rule by specifying its ID:
Remove-NSXTFirewall -GatewayType MGW -Id [ID]
NSX-T Distributed Firewall
Here are some "GET" examples of retrieving the distributed firewall (DFW) rules, which in VMC are broken down into 4 categories: Emergency, Infrastructure, Environment and Application rules. For each of these categories, users can then define individual "Sections", which in turn contain the individual DFW rules.
List all Distributed Firewall Sections:
Get-NSXTDistFirewallSection
List only a specific Distributed Firewall Section given a specific Category:
Get-NSXTDistFirewallSection -Category Emergency
List all Distributed Firewall rules for a given Section:
Get-NSXTDistFirewall -Section "App Section 1"
Create Distributed Firewall rule for a given Section:
New-NSXTDistFirewall -Name "App1 to Web1" -Section "App Section 1" `
-SourceGroup "App Server 1" `
-DestinationGroup "Web Server 1" `
-Service HTTPS -Logged $true `
-SequenceNumber 10 `
-Action ALLOW
Remove Distributed Firewall rule:
Remove-NSXTDistFirewall -Id [ID] -Section "App Section 1"
Gert Van Gorp says
Hi William,
nice work you have done.
Is there a way to automate CRUD management of VPN extensions?
gert
William Lam says
Did you mean L2/L3 VPN setup? If so, yes. Take a look at the NSX-T Policy API doc https://www.vmware.com/support/nsxt/doc/nsxt_23_policy_api.html#Sections.Policy.L2Vpn and https://www.vmware.com/support/nsxt/doc/nsxt_23_policy_api.html#Sections.Policy.L3Vpn
Gert Van Gorp says
Hi,
I see in the module functions such as New, Get and Remove; do you also implement Set or Update, to change the DHCP from on to off, e.g.?
thanks
David Maurice says
Is there a way to enable/disable VPNs vs removing/re-adding them?
Karl Robert says
Hi William, I don't know if you can help me, but for every command that I pass I receive this error:
PS U:\Vmware\Script> Get-NSXTSegment
Retrievig NSX-T Segments ...
Get-NSXTSegment: Error in retrieving NSX-T Segments
Get-NSXTSegment:
(Authentication failed, see inner exception..Exception.Message)
I'm able to connect with
Connect-Vmc -RefreshToken $RefreshToken
Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName
and I'm able to retrieve $global:nsxtProxyConnection
But every time I have
(Authentication failed, see inner exception..Exception.Message)
Any idea?
William Lam says
Ensure that you properly created the CSP Token; you need to include both Admin + NSX Cloud Admin and make sure it's scoped as Org Owner. 99.9% of the time the issue is related to not properly creating the token.
Karl Robert says
Thanks William, I have asked the account owner to create an API token with his account and make sure he was Administrator and NSX Cloud admin.
Unfortunately I have the same result.
I'm able to retrieve the csp-auth-token in $global:nsxtProxyConnection.headers.'csp-auth-token'
but if I try Get-NSXTSegment I have this:
PS U:\Vmware\Script> Get-NSXTSegment
Retrievig NSX-T Segments ...
Get-NSXTSegment: Error in retrieving NSX-T Segments
Get-NSXTSegment:
(Authentication failed, see inner exception..Exception.Message)
Really not sure what I'm doing wrong.
William Lam says
Make sure the token is also scoped to Org Owner.
Karl Robert says
Hi William,
The token is scoped to Org Owner
By using the CSP token created by the script found here:
https://www.williamlam.com/2018/09/getting-started-with-the-new-nsx-t-policy-api-in-vmc.html
I was able to retrieve segments by using the private IP and Postman by following this:
https://www.williamlam.com/2019/05/connecting-to-nsx-t-policy-api-using-nsx-t-private-ip-in-vmc.html
But if I try to use the same CSP token that is stored in $Global:nsxtProxyConnection.headers.'csp-auth-token' by the script, I still have the following error:
PS U:\Vmware\Script> Get-NSXTSegment
Retrievig NSX-T Segments ...
Get-NSXTSegment: Error in retrieving NSX-T Segments
Get-NSXTSegment:
(Authentication failed, see inner exception..Exception.Message)
William Lam says
What SDDC version are you on? Are you on VMware Code Slack by any chance? It's a bit difficult to troubleshoot and I may need to take a closer look.
Karl Robert says
Hi William,
Thanks for taking the time.
I'm on SDDC Version: 1.10v7
and yes, I'm on VMware Code Slack; you can find me as robertkarl
Karl Robert says
Hi William,
After digging in the module and trying to wrap my head around the error, I got the message
The SSL connection could not be established, see inner exception.
> Authentication failed, see inner exception.
>> The message received was unexpected or badly formatted.
Which probably indicates a problem with the protocol used by my client. I have tried many things but nothing works.
So I have built a fresh 2016 VM with only VSCode, PowerShell 7, the PowerCLI module and the VMware.VMC.NSXT module installed, and I was able to connect and configure a segment.
I would like to thank you again for your time and advice.