NSX 3.x The case of the lost security group

Submitted by Robin van Altena on Mon, 09/25/2023 - 07:49

There are tons of reasons to automate or script against NSX. It can be so rewarding to let a script do your repetitive tasks. But when a script doesn’t do what you want, it’s very frustrating. And then there are times you stumble over strange results. Recently, my Danish colleague Thomas Ullerslev Christensen and I have been improving our scripts to add IP addresses to an existing group. But Thomas couldn’t find the security groups that I had just created. The reason was a bit awkward, so we decided to do something about it.

Let me explain the situation. In the NSX GUI you create a normal security group. Once you have created the security group, you use a script to enumerate all security groups with ‘PRD’ (for production) in the name. After connecting to NSX with PowerCLI, you can start with a command like:

# After Connect-NsxServer: list the groups in the default domain whose display name contains PRD
(Invoke-ListGroupForDomain -DomainId "default").Results | Where-Object { $_.DisplayName -match "PRD" } | Format-Table DisplayName

This command listed most groups, but not the ones whose name starts with an underscore. These were not mentioned at all in the results. Our first thought was that it must have something to do with the scripting. But after a bit of searching we discovered that the issue was in the API itself. That’s really stupid. Let’s show an example.

Create a group called Test-BLOG.

Creating the Test-BLOG group

Use Postman to retrieve the group. This can be done with an API call like:

GET https://<NSX Manager>/policy/api/v1/infra/domains/default/groups/

As you can see, searching the results for Test-BLOG gives 4 hits.

Postman API results for searching Test-BLOG group

Rename the group in NSX to _Test-BLOG.

Renaming the Test-BLOG group

And repeat the same Postman query.

Postman API results for searching Test-BLOG group with underscore

As you can see, the group is now missing from the results. Although the group is missing from the ‘get all groups’ API call, it can still be retrieved directly, because the ID of the group has not changed.

Postman API results for searching directly for Test-BLOG group

This issue occurs in the NSX 3.x API; in NSX 4.1 (at least) it works correctly. So it appears that the NSX 3.x API skips security groups in the ‘get all groups’ API call when the display name starts with an ‘_’ underscore. The group can still be found using a direct lookup by ID or a search query. The only question is: how does your script know if it is there…
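One way for a script to notice this on its own is to cross-check the ‘get all groups’ listing against the NSX search API, which (as shown above) still returns the renamed group. The following is an added example, not code from the original post or from VMware; it assumes PowerShell 7 (for -SkipCertificateCheck), HTTP basic authentication, and the two standard Policy API endpoints used below. The hostname is a placeholder.

```powershell
# Added example (not from the original post): compare the NSX Policy
# 'list all groups' call with the NSX search index and report any group
# the listing omits, such as the '_Test-BLOG' case described in the post.
param(
    [string] $NsxManager = 'nsx-manager.example.invalid',   # placeholder, replace
    [pscredential] $Cred = (Get-Credential -Message 'NSX Manager credentials'),
    [string] $DomainId = 'default'
)

# Basic-auth header built by hand so it works the same on every PowerShell version.
$pair    = "$($Cred.UserName):$($Cred.GetNetworkCredential().Password)"
$headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair)) }
$base    = "https://$NsxManager/policy/api/v1"

function Get-NsxPagedResults {
    # Follow the response 'cursor' until the API stops returning one, so the
    # comparison is not skewed by a page boundary.
    param([string] $Uri)
    $all = @(); $cursor = $null
    do {
        $sep  = if ($Uri.Contains('?')) { '&' } else { '?' }
        $u    = if ($cursor) { "$Uri${sep}cursor=$cursor" } else { $Uri }
        $page = Invoke-RestMethod -Uri $u -Headers $headers -Method Get -SkipCertificateCheck
        if ($page.results) { $all += @($page.results) }
        $cursor = $page.cursor
    } while ($cursor)
    return $all
}

# Source 1: the listing call the scripts rely on (the one that dropped '_Test-BLOG').
$listed = @(Get-NsxPagedResults "$base/infra/domains/$DomainId/groups")

# Source 2: the search index, restricted to groups under the same domain path.
$searched = @(Get-NsxPagedResults "$base/search/query?query=resource_type:Group" |
    Where-Object { $_.path -like "/infra/domains/$DomainId/groups/*" })

$listedIds = @($listed | ForEach-Object { $_.id })
$missing   = @($searched | Where-Object { $listedIds -notcontains $_.id })

if ($missing.Count -gt 0) {
    Write-Warning "Listing omitted $($missing.Count) group(s) that search still finds:"
    $missing | Select-Object id, display_name, path | Format-Table -AutoSize
} else {
    Write-Host "Listing and search agree on $($listed.Count) group(s) in domain '$DomainId'."
}
```

A non-empty warning is the signal that the listing is not a reliable inventory on this NSX version, so the script should fall back to the search results or a direct lookup by ID for those groups.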

Hopefully you enjoyed reading this blog and by reading it you avoided debugging your script. But I guess that your search started after debugging 😉

If you have any questions or would like to see more, use the message option below.
