PowerCli 13 Create NSX Security Groups

Submitted by Robin van Altena on Fri, 02/24/2023 - 07:54
A few months ago, in November 2022, VMware released PowerCLI version 13. PowerCLI 13 contains a lot of new features and updates. I usually don’t read through the entire release notes, but somehow one line caught my attention:
“The Get-NsxtPolicyService, Get-NsxtGlobalManagerService, and Get-VmcSddcNetworkService cmdlets have been deprecated. Use the cmdlets from the VMware.Sdk.Nsx.Policy module instead.”
Since I’m using the Get-NsxtPolicyService quite a lot in scripts to import and export NSX Distributed Firewall configuration, I decided to have a closer look.

As stated in the release notes for PowerCLI 13, the Get-NsxtPolicyService cmdlet is deprecated. It is replaced by the cmdlets in the VMware.Sdk.Nsx.Policy module, which was already introduced in PowerCLI 12.6, in May 2022. The Get-NsxtPolicyService cmdlet still works in PowerCLI 13, as I will show later; for now you only see a message that the cmdlet is deprecated. But as always it is better to be prepared for the change and update your scripts in advance.

[Image: Get-NsxtPolicyService deprecated message in PowerCLI 13]

The people at VMware have already written a nice blog about the changes with some basic examples, and they also provide some examples in a script. So I will not go too deep into that, but in this blog I want to provide some additional examples and point out some of the changes.

The first change that I like a lot is the new method for connecting. With the Get-NsxtPolicyService cmdlet it took quite a while to get connected to the NSX Manager: in a normal environment around a minute, but in a lab environment with limited resources it can easily exceed 5 minutes.

The new connect cmdlet is now called Connect-NsxServer, the difference is in the T. The old cmdlet was called Connect-NsxtServer. The new cmdlet is much faster in connecting to the NSX manager, in my lab within a minute. For me that is a great improvement.

This is a result of the new direction VMware has chosen for the new VMware.Sdk.Nsx.Policy module. Previously the only cmdlet was Get-NsxtPolicyService and with the new VMware.Sdk.Nsx.Policy module the options have been split into smaller cmdlets.

So, let’s talk about the new cmdlets. The complete list of cmdlets for the new VMware.Sdk.Nsx.Policy module can be viewed with:

Get-Command -Module VMware.Sdk.Nsx.Policy

But it is also possible to search for the cmdlets that create a group:

Get-Command -Module VMware.Sdk.Nsx.Policy -name Invoke-*group*

[Image: List the group cmdlets in the VMware.Sdk.Nsx.Policy module]

As you can see this is still a large list, so not very useful for now. Even with the new Get-NsxOperation cmdlet the list is quite long when searching for a specific operation, like creating a group. But to me this is easier than the previous method with Get-NsxtPolicyService:

$groupfunc = Get-NsxOperation -Method GET -Name '*group*'
$groupfunc.Name

[Image: List the group cmdlets with the new Get-NsxOperation cmdlet]

I always find examples are much more useful. In the PowerCLI 12.6 blog VMware wrote an example for creating a dynamic group, based on Tags:


$cond = Initialize-Condition -ResourceType Condition -Id $GroupName `
          -MemberType $MemberType -Value $Value -Key $Key `
          -Operator $Operator
$group = Initialize-Group -DisplayName $GroupName -Expression @($cond)
$createdGroup = Invoke-PatchGroupForDomain -DomainId default `
                  -Group $group -GroupId $GroupName


First a condition is created, then the group is initialized and finally the group is created. The structure of the groups in NSX hasn’t changed. It is still based on different types of expressions. So, it is useful to know how the relationships for Security Groups work. The following tree helps with this. I will refer to it when we start to create different types of groups.

[Image: Security group parent-child relation between the Expression and Conditions]

Back to the example for creating a dynamic group. With the previous method we had similar steps, but I found the commands a little more complicated to figure out:

$GroupData = Get-NsxtPolicyService -Name com.vmware.nsx_policy.infra.domains.groups

# Build the nested expression that holds the tag condition
$GroupExpSpec = $GroupData.Help.patch.group.expression.Element.nested_expression.Create()
$ExpSpec = $GroupData.Help.patch.group.expression.Element.condition.Create()
$ExpSpec.member_type = $groupmember_type   # e.g. VirtualMachine
$ExpSpec.value = $Tag
$ExpSpec.key = "Tag"
$ExpSpec.operator = "EQUALS"
$GroupExpSpec.expressions.add($ExpSpec) | Out-Null

# Initialize the group specification, attach the expression and patch the group into the domain
$GroupSpec = $GroupData.Help.patch.group.Create()
$GroupSpec.display_name = $Groupid
$GroupSpec.expression.add($GroupExpSpec) | Out-Null
$GroupData.patch($Domain, $Groupid, $GroupSpec)


Creating a Security Group based on an IP-address or set

Let’s get started, because although the information above gives a nice introduction, it doesn’t show anything new. We will use the same steps to create a Security Group with IP-addresses as members. As you can see in the relations tree above, there is an IPAddressExpression, so we are going to create that first. The IP-addresses are provided to the expression as an array. With the expression we then initialize and create the group, similar to the example above.


$ipexpress = Initialize-IPAddressExpression -IpAddresses $ArrayIPSets -ResourceType "IPAddress"
$group = Initialize-Group -DisplayName $GroupName -Expression @($ipexpress)
$createdGroup = Invoke-PatchGroupForDomain -DomainId "default" -Group $group -GroupId "Name or ID"


You can retrieve additional information for the Initialize-IPAddressExpression cmdlet with:

Get-Help Initialize-IPAddressExpression

[Image: Get-Help for the Initialize-IPAddressExpression cmdlet]

The complete code can look something like this:

$Groupname = 'IP-Addresses'
$IPSets = '10.20.30.40,11.21.31.41'
# Split on the comma character only; this behaves the same in Windows PowerShell 5.1 and PowerShell 7,
# whereas Split("{,}") relied on the .NET Framework char[] overload
$ArrayIPSets = @($IPSets.Split(','))

$ipexpress = Initialize-IPAddressExpression -IpAddresses $ArrayIPSets -ResourceType "IPAddress"
$group = Initialize-Group -DisplayName $GroupName -Expression @($ipexpress)
$createdGroup = Invoke-PatchGroupForDomain -DomainId "default" -Group $group -GroupId $Groupname


After connecting to the NSX manager and running this code you should get the following result:

[Image: Creating a IP-address group in NSX with PowerCLI 13]
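As an added example (not code from the original post), here is the IP-address group creation wrapped in a function that validates every entry before anything is sent to the NSX Manager. The function names Test-NsxIpEntry and New-NsxIpAddressGroup are chosen for this example; the NSX cmdlets are the same ones used above.

```powershell
# Added example: validate the IP list before creating the NSX group.
# A mistyped address in a Distributed Firewall group silently widens or narrows a rule,
# so the group is only patched when every entry is a valid IPv4/IPv6 address or CIDR prefix.
function Test-NsxIpEntry {
    param([Parameter(Mandatory)][string]$Entry)
    $addr, $prefix = $Entry -split '/', 2
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -eq 'InterNetwork') {
        # TryParse accepts short forms such as '10.1' (0.0.10.1); require four octets
        if ($addr -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
        $maxBits = 32
    } else {
        $maxBits = 128
    }
    if ($null -eq $prefix) { return $true }                  # plain address, no prefix
    return ($prefix -match '^\d{1,3}$') -and ([int]$prefix -le $maxBits)
}

function New-NsxIpAddressGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$IPSets,   # comma-separated, as in the post
        [string]$DomainId = 'default'
    )
    # -split ',' behaves the same in Windows PowerShell 5.1 and PowerShell 7;
    # trim whitespace and drop empty entries left by trailing commas
    $entries = @($IPSets -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $bad = @($entries | Where-Object { -not (Test-NsxIpEntry -Entry $_) })
    if ($bad.Count -gt 0) {
        throw "Not creating group '$GroupName', invalid entries: $($bad -join ', ')"
    }
    $ipexpress = Initialize-IPAddressExpression -IpAddresses $entries -ResourceType 'IPAddress'
    $group     = Initialize-Group -DisplayName $GroupName -Expression @($ipexpress)
    Invoke-PatchGroupForDomain -DomainId $DomainId -Group $group -GroupId $GroupName
}

# Constructed sample input (run after Connect-NsxServer); an entry such as '11.21.31.411'
# would make the function throw before anything is sent to NSX
New-NsxIpAddressGroup -GroupName 'IP-Addresses' -IPSets '10.20.30.40, 10.20.30.0/24, 11.21.31.41'
```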

Creating a Security Group based on Active-Directory groups

In the next example we will create a Security Group based on Active-Directory groups. Such a group can be used for the Identity based Firewall, so Active Directory needs to be configured for the Identity based Firewall first.

[Image: Identity Firewall AD configuration]

Again the steps are similar to the example above, but as shown in the relations tree we need to use the IdentityGroupExpression.


$idexpress = Initialize-IdentityGroupExpression -IdentityGroups $ArrayIDGroups -ResourceType IdentityGroup
$group = Initialize-Group -DisplayName $GroupName -ExtendedExpression @($idexpress)
$createdGroup = Invoke-PatchGroupForDomain -DomainId $Domain -Group $group -GroupId $Groupid


And again you can use the Get-Help command to get additional information about the Initialize-IdentityGroupExpression cmdlet. The difference between the IdentityGroupExpression and the IPAddressExpression is that the IdentityGroupExpression is an ExtendedExpression. You need to specify this when initializing the group.

Before creating the IdentityGroupExpression we need to retrieve some additional information about the Active Directory group, such as its name, the domain base distinguished name and the group's distinguished name. This information needs to be placed in an array, similar to the IP-addresses. You can use the following as guidance:

$Groupname = 'ID-Group'
$ADGroupName = 'vCenter-Administrators'

$Domain = "redlogic.local"
$DNBase = "DC=redlogic,DC=local"

# Look up the AD group (ActiveDirectory module) to get its distinguished name
$ADDSGroup = Get-ADGroup -Server $Domain -Filter "name -eq '$ADGroupName'"
$DNGroup = $ADDSGroup.DistinguishedName

$IDGroup = Initialize-IdentityGroupInfo -DistinguishedName $DNGroup -DomainBaseDistinguishedName $DNBase

# The IdentityGroupExpression takes an array of IdentityGroupInfo objects
$ArrayIDGroups = @()
$ArrayIDGroups += $IDGroup


The groups can also be added based on their SID, but I’m simply reusing the logic I already built before and have all the information available.

When combining this the result should look something like this:

[Image: Creating an AD-group based Security group in NSX with PowerCLI 13]
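The following is an added example (not the post's own code) that generalizes the steps above to several AD groups: each group and the domain base DN are resolved from Active Directory with Get-ADGroup and Get-ADDomain instead of being hard-coded, and the function stops before any NSX call if a name does not resolve to exactly one group. The function name New-NsxIdentityGroup and the second AD group name are made up for this example.

```powershell
# Added example: build one NSX identity group from several AD groups.
# Resolving the DNs from AD avoids a typo in a hard-coded DN ending up in a firewall group,
# and an unresolved or ambiguous group name aborts before anything is sent to NSX.
function New-NsxIdentityGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$ADGroupNames,
        [Parameter(Mandatory)][string]$Domain,          # e.g. 'redlogic.local'
        [string]$DomainId = 'default'
    )
    # Domain base DN taken from AD itself (Get-ADDomain is part of the ActiveDirectory module)
    $DNBase = (Get-ADDomain -Server $Domain).DistinguishedName

    $ArrayIDGroups = foreach ($name in $ADGroupNames) {
        $adGroup = Get-ADGroup -Server $Domain -Filter "name -eq '$name'"
        if (-not $adGroup) { throw "AD group '$name' not found in $Domain; nothing sent to NSX." }
        if (@($adGroup).Count -gt 1) { throw "AD group name '$name' is ambiguous in $Domain." }
        Initialize-IdentityGroupInfo -DistinguishedName $adGroup.DistinguishedName `
                                     -DomainBaseDistinguishedName $DNBase
    }

    $idexpress = Initialize-IdentityGroupExpression -IdentityGroups @($ArrayIDGroups) -ResourceType IdentityGroup
    # Identity groups are an ExtendedExpression, not an Expression, as the post explains
    $group = Initialize-Group -DisplayName $GroupName -ExtendedExpression @($idexpress)
    Invoke-PatchGroupForDomain -DomainId $DomainId -Group $group -GroupId $GroupName
}

# Constructed sample call (run after Connect-NsxServer); 'NSX-Administrators' is a made-up AD group
New-NsxIdentityGroup -GroupName 'ID-Group' -ADGroupNames 'vCenter-Administrators', 'NSX-Administrators' -Domain 'redlogic.local'
```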

Another thing that I like about the new PowerCLI 13 modules is that the errors give a clearer perspective on the issue. For example, if you don’t use the ExtendedExpression to create the group with Active-Directory groups, the error will look like this:

[Image: Creating an AD-group based Security group with the wrong expression]

Of course there is still a learning curve in figuring out how to script with the PowerCLI 13 modules, but it is much better than the PowerCLI 12 methods.

In another blog I will provide some additional examples for creating services, since creating services isn’t included in the examples provided by VMware.

Hopefully, you have enjoyed reading this blog. If you have any questions or would like to see some more, please use the message option below.
