NSX-T Policy PowerShell Community Module for VMC

09.21.2018 by William Lam // 12 Comments

Earlier this week I published an article on how to get started with the new NSX-T Policy API in VMware Cloud on AWS (VMC); if you have not read that guide yet, I recommend you take a look at it first, since it covers the prerequisites that are required here. As mentioned in that article, I planned to add a few more NSX-T Policy API examples, and the community NSX-T Policy PowerShell module now includes 37 additional functions; the complete list is below:

  • Connect-NSXTProxy
  • Get-NSXTFirewall
  • Get-NSXTGroup
  • Get-NSXTSegment
  • Get-NSXTService
  • New-NSXTFirewall
  • New-NSXTGroup
  • New-NSXTSegment
  • New-NSXTServiceDefinition (renamed as of 07/01/2019)
  • Remove-NSXTFirewall
  • Remove-NSXTGroup
  • Remove-NSXTSegment
  • Get-NSXTDistFirewallSection (as of 01/02/2019)
  • Get-NSXTDistFirewall (as of 01/02/2019)
  • New-NSXTDistFirewall (as of 01/03/2019)
  • Remove-NSXTDistFirewall (as of 01/03/2019)
  • Get-NSXTOverviewInfo (as of 02/02/2019)
  • Get-NSXTInfraScope (as of 03/14/2019)
  • Get-NSXTInfraGroup (as of 03/14/2019)
  • New-NSXTDistFirewallSection (as of 04/19/2019)
  • Remove-NSXTService (as of 04/19/2019)
  • Get-NSXTPolicyBasedVPN (as of 05/09/2019)
  • New-NSXTPolicyBasedVPN (as of 05/09/2019)
  • Remove-NSXTPolicyBasedVPN (as of 05/09/2019)
  • Get-NSXTDNS (as of 06/08/2019)
  • Set-NSXTDNS (as of 06/08/2019)
  • Get-NSXTPublicIP (as of 07/01/2019)
  • New-NSXTPublicIP (as of 07/01/2019)
  • Remove-NSXTPublicIP (as of 07/01/2019)
  • Get-NSXTNatRule (as of 07/01/2019)
  • New-NSXTNatRule (as of 07/01/2019)
  • Remove-NSXTNatRule (as of 07/01/2019)
  • Set-NSXTSegment (as of 03/05/2020)
  • Get-NSXTT0Stats (as of 07/16/2020)
  • Get-NSXTLinkedVpc (as of 08/01/2020)
  • Get-NSXTL2VPN (as of 08/01/2020)
  • Get-NSXTPortMirror (as of 08/01/2020)
  • Get-NSXTIPFIXCollector (as of 08/01/2020)
  • Get-NSXTDirectConnectVIF (as of 08/01/2020)
  • Get-NSXTVifPerHost (as of 08/01/2020)
  • Get-NSXTVM (as of 08/01/2020)
  • Get-NSXTSegmentPort (as of 08/01/2020)
  • Get-NSXTGroupMember (as of 08/01/2020)

After importing the module, to see the list of all functions, you can run the following command:

Get-Command -Module VMware.VMC.NSXT


Below are examples of each of the new functions. Each function also supports a -Troubleshoot parameter that prints debugging information: the REST method (GET, PUT, etc.), the URL and the JSON payload (if applicable). This is useful both for learning the API and for troubleshooting. All Get-* functions support filtering with the -Name parameter.

NSX-T Network Segments (Logical Networks)

List all Network Segments:

Get-NSXTSegment

List a specific Network Segment by specifying -Name property:

Get-NSXTSegment -Name sddc-cgw-network-3


Create a new Network Segment:

New-NSXTSegment -Name "sddc-cgw-network-4" -Gateway "192.168.4.1/24" -DHCP -DHCPRange "192.168.4.2-192.168.4.254"


Note: Due to changes in the NSX-T Policy API, the value of the Gateway property must use CIDR notation (e.g. 192.168.4.1/24); this replaces the old Prefix property.

Delete a Network Segment by specifying its ID:

Remove-NSXTSegment -Id sddc-cgw-network-4

NSX-T Network Security Groups

In NSX-T for VMC, you can create a logical Security Group that maps to one or more IP addresses or networks. These groups can then be referenced when creating Edge Firewall rules, which simplifies management because you do not have to refer to the individual networks or IPs. Network Security Groups can be defined on either the MGW or the CGW, so you need to specify the -GatewayType property when using these functions.

List all Network Security Groups on the MGW

Get-NSXTGroup -GatewayType MGW


Create a new Network Security Group on the MGW

New-NSXTGroup -GatewayType MGW -Name AppGroup-01 -IPAddress @("172.31.0.0/24")


Delete a Network Security group on the MGW by specifying its ID

Remove-NSXTGroup -GatewayType MGW -Id AppGroup-01

NSX-T Network Services

List all Network Services:

Get-NSXTService


Create a new Network Service:

New-NSXTServiceDefinition -Name "MyHTTP2" -Protocol TCP -DestinationPorts @("8080","8081")

NSX-T Edge Firewall

Similarly to Network Security Groups, you can create an Edge Firewall rule that is defined on either the MGW or the CGW. The Source, Destination and Service values refer to the IDs of objects that have been defined in the NSX-T system, as shown earlier. There is also a sequence number that determines the ordering of the firewall rules, which you can control when creating a new Edge Firewall rule.

List all Edge Firewall rules for the MGW:

Get-NSXTFirewall -GatewayType MGW


Create a new Edge Firewall rule for the MGW:

New-NSXTFirewall -GatewayType MGW -Name TEST -SourceGroup @("ANY") -DestinationGroup @("ESXI") -Service ANY -Logged $true -SequenceNumber 0 -Action ALLOW


Delete an Edge Firewall rule by specifying its ID:

Remove-NSXTFirewall -GatewayType MGW -Id [ID]
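As an added worked example (not from the post or from the module's own documentation), the steps above combined into one script: create a group and a service definition, build an Edge Firewall rule that references them by ID, and verify the result. It assumes Connect-NSXTProxy has already succeeded, that the object names AppGroup-Web, MyHTTP2 and Allow-Web-8080 are constructed sample names, that a service definition's ID is its name, and that the Get-* functions return nothing when -Name matches no object.

```powershell
# Added example: end-to-end Edge Firewall rule on the Compute Gateway (CGW).
# Assumes Connect-NSXTProxy has already succeeded (see the prerequisites article)
# and that Get-* functions return $null when -Name matches nothing (assumption).
$gw      = "CGW"
$group   = "AppGroup-Web"     # constructed sample name
$service = "MyHTTP2"          # constructed sample name
$rule    = "Allow-Web-8080"   # constructed sample name

# 1. Security group for the web tier subnet; skip creation if it already exists.
if (-not (Get-NSXTGroup -GatewayType $gw -Name $group)) {
    New-NSXTGroup -GatewayType $gw -Name $group -IPAddress @("172.31.0.0/24")
}

# 2. Custom service covering only the application's listener ports,
#    rather than opening the broad ANY service.
if (-not (Get-NSXTService -Name $service)) {
    New-NSXTServiceDefinition -Name $service -Protocol TCP -DestinationPorts @("8080","8081")
}

# 3. Rule referencing the group and service by the IDs created above
#    (the service ID is assumed to equal its name).
#    -Logged $true records hits; a low sequence number places the rule ahead of broader ones.
#    -Troubleshoot prints the REST method, URL and JSON payload sent to the Policy API.
New-NSXTFirewall -GatewayType $gw -Name $rule `
    -SourceGroup @("ANY") `
    -DestinationGroup @($group) `
    -Service $service `
    -Logged $true `
    -SequenceNumber 10 `
    -Action ALLOW `
    -Troubleshoot

# 4. Verify the rule is present before relying on it.
$created = Get-NSXTFirewall -GatewayType $gw -Name $rule
if (-not $created) {
    Write-Error "Rule '$rule' was not found after creation"
}
```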

NSX-T Distributed Firewall

Here are some "GET" examples of retrieving the distributed firewall (DFW) rules, which in VMC are broken down into 4 categories: Emergency, Infrastructure, Environment and Application rules. For each of these categories, users can then define individual "Sections", which in turn contain the individual DFW rules.

List all Distributed Firewall Sections:

Get-NSXTDistFirewallSection


List only a specific Distributed Firewall Section given a specific Category:

Get-NSXTDistFirewallSection -Category Emergency


List all Distributed Firewall rules for a given Section:

Get-NSXTDistFirewall -SectionName "App Section 1"

Create Distributed Firewall rule for a given Section:

New-NSXTDistFirewall -Name "App1 to Web1" -Section "App Section 1" `
-SourceGroup "App Server 1" `
-DestinationGroup "Web Server 1" `
-Service HTTPS -Logged $true `
-SequenceNumber 10 `
-Action ALLOW


Remove Distributed Firewall rule:

Remove-NSXTDistFirewall -Id [ID] -Section "App Section 1"

Categories // NSX, PowerCLI, VMware Cloud on AWS

Comments

  1. Gert Van Gorp says

    01/17/2019 at 12:44 am

    Hi William,
    nice work you have done.
    Is there a way to automate CRUD management of VPN extensions?

    gert

    Reply
    • William Lam says

      01/18/2019 at 6:26 am

      Did you mean L2/L3 VPN setup, if so, yes. Take a look at the NSX-T Policy API doc https://www.vmware.com/support/nsxt/doc/nsxt_23_policy_api.html#Sections.Policy.L2Vpn and https://www.vmware.com/support/nsxt/doc/nsxt_23_policy_api.html#Sections.Policy.L3Vpn

      Reply
  2. Gert Van Gorp says

    03/25/2019 at 9:50 am

    Hi,
    I see in the module functions as new, get and remove, do you also implement set or update? to change the dhcp from on to off e.g.?

    thanks

    Reply
  3. David Maurice says

    06/19/2019 at 10:34 am

    is there a way to enable/disable vpns vs removing/re-adding them?

    Reply
  4. Karl Robert says

    08/25/2020 at 7:47 am

    Hi William, don't know if you can help me, but for every command that I pass I receive this error:

    PS U:\Vmware\Script> Get-NSXTSegment

    Retrievig NSX-T Segments ...
    Get-NSXTSegment: Error in retrieving NSX-T Segments
    Get-NSXTSegment:
    (Authentication failed, see inner exception..Exception.Message)

    I'm able to connect with

    Connect-Vmc -RefreshToken $RefreshToken
    Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName

    and I'm able to retrieve $global:nsxtProxyConnection

    But every time I have
    (Authentication failed, see inner exception..Exception.Message)

    Any idea?

    Reply
    • William Lam says

      08/25/2020 at 9:08 am

      Ensure that you properly created the CSP Token; you need to include both Admin + NSX Cloud Admin and make sure it's scoped as Org Owner. 99.9% of the time the issue is related to not properly creating the token.

      Reply
  5. Karl Robert says

    08/25/2020 at 10:43 am

    Thanks William, I have asked the account owner to create an API token with his account and make sure he was Administrator and NSX Cloud admin.

    Unfortunately I have the same result.

    I'm able to retrieve the csp-auth-token in $global:nsxtProxyConnection.headers.'csp-auth-token'

    but if I try Get-NSXTSegment I have this:

    PS U:\Vmware\Script> Get-NSXTSegment

    Retrievig NSX-T Segments ...
    Get-NSXTSegment: Error in retrieving NSX-T Segments
    Get-NSXTSegment:
    (Authentication failed, see inner exception..Exception.Message)

    Really not sure what I'm doing wrong.

    Reply
    • William Lam says

      08/25/2020 at 8:44 pm

      Make sure token is also scoped to Org Owner

      Reply
  6. Karl Robert says

    08/26/2020 at 5:56 am

    Hi William,

    The token is scoped to Org Owner

    By using the CSP token created by the script found here:

    https://www.williamlam.com/2018/09/getting-started-with-the-new-nsx-t-policy-api-in-vmc.html

    I was able to retrieve segments by using the private IP and Postman by following this:

    https://www.williamlam.com/2019/05/connecting-to-nsx-t-policy-api-using-nsx-t-private-ip-in-vmc.html

    But if I try to use the same CSP token that is stored in $Global:nsxtProxyConnection.headers.'csp-auth-token' by the script, I still have the following error:

    PS U:\Vmware\Script> Get-NSXTSegment

    Retrievig NSX-T Segments ...
    Get-NSXTSegment: Error in retrieving NSX-T Segments
    Get-NSXTSegment:
    (Authentication failed, see inner exception..Exception.Message)

    Reply
    • William Lam says

      08/26/2020 at 6:28 am

      What SDDC Version are you on? Are you on VMware Code Slack by any chance? It's a bit difficult to troubleshoot and I may need to take a closer look.

      Reply
      • Karl Robert says

        08/26/2020 at 7:33 am

        Hi William,

        Thanks for taking the time.

        I'm on SDDC Version: 1.10v7

        and yes, I'm on VMware Code Slack; you can find me as robertkarl

        Reply
  7. Karl Robert says

    08/27/2020 at 8:14 am

    Hi William,

    After digging into the module and trying to wrap my head around the error, I got the message

    The SSL connection could not be established, see inner exception.
    > Authentication failed, see inner exception.
    >> The message received was unexpected or badly formatted.

    Which probably indicates a problem with the protocol used by my client. I have tried many things but nothing works.

    So I have built a fresh VM 2016 with only VSCode, PowerShell 7, the PowerCLI module and the VMware.VMC.NSXT module installed, and I was able to connect and configure segments.

    I would like to thank you again for your time and advice.

    Reply
