Enter NSX Policy API automation: PowerCLI v12.6!!

Starting from PowerCLI 12.6, a new module "VMware.Sdk.Nsx.Policy" has been added to the toolkit. Imagine if you were able to automate NSX policy management tasks just as we automate regular vSphere tasks using the same set of tools i.e. PowerCLI. The new NSX module would allow us to automate and report out NSX datacenter policies. The NSX datacenter provides a comprehensive network virtualization suite. With the addition of the new NSX module in PowerCLI, the end user would now be able to implement automation to their virtual network implementations, thus making on the fly network and security policies provisioning easier.

Let us take a look at few of the cmdlets added with this new module.

1- Connecting to NSX-T server:

Connect-NsxServer -Server <serverip/fdqn>  -User <adminuser>  -Password <password>

2- View object commands (example Tier1)

get-command -Module vmware.sdk.nsx.policy -Name Invoke-*Tier1

3- In general, you can use the "Get-Command" cmdlet for all the available commands in "vmware.sdk.nsx.policy":

get-command -Module vmware.sdk.nsx.policy

You will see a massive list of available commands, scroll through to understand all the cmdlets available with this module

Let us look into using the new cmdlets in my homelab setup to interrogate my t0 gateway firewall and add a new firewall rule. The cmdlet available for this is "Invoke-viewtier0gatewayfirewall":

get-help invoke-viewtier0gatewayfirewall

To read the information of existing t0 gateway firewall rules, we need to enter the id (display name) of or t0 gw:

Invoke-ViewTier0GatewayFirewall -Tier0Id t0gw-1

In order to get more details into the firewall rules, we can feed this command into a variable and interrogate the variable further:

In order to view the individual rules:

Keep a note of the "path" parameter here, it is in the format


We would need this information for creating a new rule using PowerCLI commands.

The command for creating a new firewall rule is:

In order to set the rule, we will need to use the "Initialize-Rule", which we will feed into a variable, for this example I will be adding an any to any drop rule, for any service:

$newrule= Initialize-Rule -DisplayName powerclitest101 -DestinationGroups ANY -SourceGroups ANY -Services ANY -Direction INOUT -Action DROP -Scope "/infra/tier-0s/t0gw-1"

Now, we can create the new firewall rule:

Invoke-CreateOrReplaceGatewayRule -DomainId default -GatewayPolicyId VirMystPolicy1 -RuleId powerclitest101 -Rule $newrule

This is a much awaited addition to the PowerCLI toolkit, and I am looking forward to utilize it more for managing NSX environments with ease!

17 views0 comments

Recent Posts

See All