Earlier this week I published an article on how to get started with the new NSX-T Policy API in VMware Cloud on AWS (VMC). If you have not read that guide yet, I recommend starting there, as it covers the prerequisites required for the examples below. As mentioned in that article, I planned to add a few more NSX-T Policy API examples, and the community VMware.VMC.NSXT PowerShell module now includes 10 additional functions; you can see the complete list below:
After importing the module, to see the list of all functions, you can run the following command:
Get-Command -Module VMware.VMC.NSXT
Below are examples of each of the new functions. Each function also supports a -Troubleshoot parameter which prints debugging information about the REST method (GET, PUT, etc.), the URL and the JSON payload (if applicable); this is useful both for learning the Policy API and for troubleshooting. All Get-* functions support filtering with the -Name parameter.
NSX-T Network Segments (Logical Networks)
List all Network Segments:
List a specific Network Segment by specifying the -Name parameter:
Get-NSXTSegment -Name sddc-cgw-network-3
New-NSXTSegment -Name "sddc-cgw-network-4" -Gateway "192.168.4.1" -Prefix "24" -DHCP -DHCPRange "192.168.4.2-192.168.4.254"
Remove-NSXTSegment -Id sddc-cgw-network-4
NSX-T Network Security Groups
In NSX-T for VMC, you can create a logical Security Group which maps to one or more IP addresses or networks. These groups can then be referenced when creating Edge Firewall rules, for ease of management and without having to refer to the individual networks or IPs in each rule. Security Groups can be defined on either the MGW or the CGW, so you will need to specify the -GatewayType parameter when using these functions.
List all Network Security Groups on the MGW:
Get-NSXTGroup -GatewayType MGW
New-NSXTGroup -GatewayType MGW -Name AppGroup-01 -IPAddress @("172.31.0.0/24")
Remove-NSXTGroup -GatewayType MGW -Id AppGroup-01
NSX-T Network Services
List all Network Services:
New-NSXTService -Name "MyHTTP2" -Protocol TCP -DestinationPorts @("8080","8081")
NSX-T Edge Firewall
As with Network Security Groups, an Edge Firewall rule is defined on either the MGW or the CGW. The Source, Destination and Service parameters refer to the IDs of the groups and services defined in the NSX-T system as shown earlier. A sequence number determines the ordering of the firewall rules (lower numbers are evaluated first), and you can set it when creating a new Edge Firewall rule. When writing a rule, scope it to a specific group and service rather than ANY wherever possible, and enable logging so that matches show up in the firewall logs.
List all Edge Firewall rules for the MGW:
Get-NSXTFirewall -GatewayType MGW
New-NSXTFirewall -GatewayType MGW -Name TEST -Id TEST -SourceGroupId ESXI -DestinationGroupId ANY -Service ANY -Logged $true -SequenceNumber 7 -Action ALLOW
Remove-NSXTFirewall -GatewayType MGW -Id TEST
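The individual commands above are the building blocks; in practice you will want to chain them into one script that builds a segment, a group, a service and a firewall rule referencing them, and that can be re-run safely. The following is an added example written for this article, not code from the original post or from the VMware.VMC.NSXT module itself. It assumes a session to the NSX-T Policy API has already been established as described in the earlier getting-started article (via Connect-NSXTProxy), uses only the parameters shown on this page, assumes a Get-NSXTService function exists alongside New-NSXTService, and assumes the module uses the display name as the Id of the groups and services it creates (so those names can be passed as -DestinationGroupId and -Service). The segment, group, service and rule names are made up for the example.

```powershell
# Added example (not from the original article or the VMware.VMC.NSXT module).
# Idempotent end-to-end workflow: segment -> CGW security group -> custom service
# -> logged CGW firewall rule scoped to that group and service, then teardown in
# dependency order. Assumes Connect-NSXTProxy has already been run (see the
# getting-started article) and that Get-NSXTService exists (assumption).

$segmentName = "sddc-cgw-network-4"          # constructed names for the example
$groupName   = "AppGroup-01"
$serviceName = "MyHTTP2"
$ruleName    = "Allow-AppGroup-01-HTTP2"
$gatewayType = "CGW"                         # workload rules live on the CGW, not the MGW

function New-AppStack {
    # 1. Network segment: only create it if it does not already exist.
    #    Every Get-* function accepts -Name, and returns nothing on no match.
    if (-not (Get-NSXTSegment -Name $segmentName)) {
        New-NSXTSegment -Name $segmentName -Gateway "192.168.4.1" -Prefix "24" `
            -DHCP -DHCPRange "192.168.4.2-192.168.4.254"
    } else {
        Write-Host "Segment $segmentName already exists, skipping"
    }

    # 2. Security group on the CGW covering the new subnet. The firewall rule
    #    below references this group rather than the raw CIDR.
    if (-not (Get-NSXTGroup -GatewayType $gatewayType -Name $groupName)) {
        New-NSXTGroup -GatewayType $gatewayType -Name $groupName -IPAddress @("192.168.4.0/24")
    }

    # 3. Custom service for the application ports (Get-NSXTService is assumed).
    if (-not (Get-NSXTService -Name $serviceName)) {
        New-NSXTService -Name $serviceName -Protocol TCP -DestinationPorts @("8080","8081")
    }

    # 4. Firewall rule: destination and service are the specific objects created
    #    above instead of ANY/ANY, logging is on, and the sequence number places
    #    it ahead of any broader rules (lower numbers are evaluated first).
    #    -Troubleshoot prints the REST method, URL and JSON payload so the rule
    #    can be reviewed against the Policy API before it is trusted.
    if (-not (Get-NSXTFirewall -GatewayType $gatewayType -Name $ruleName)) {
        New-NSXTFirewall -GatewayType $gatewayType -Name $ruleName -Id $ruleName `
            -SourceGroupId ANY -DestinationGroupId $groupName -Service $serviceName `
            -Logged $true -SequenceNumber 10 -Action ALLOW -Troubleshoot
    }

    # 5. Show the resulting CGW rule set so the ordering can be confirmed.
    Get-NSXTFirewall -GatewayType $gatewayType
}

function Remove-AppStack {
    # Tear down in dependency order: the rule references the group and service,
    # so it has to go first; the segment goes last. The article shows no
    # Remove-NSXTService function, so the custom service is left in place.
    Remove-NSXTFirewall -GatewayType $gatewayType -Id $ruleName
    Remove-NSXTGroup -GatewayType $gatewayType -Id $groupName
    Remove-NSXTSegment -Id $segmentName
}

New-AppStack
# Remove-AppStack   # uncomment to clean up once the rule has been verified
```

Run New-AppStack once with -Troubleshoot left on the firewall call to read the JSON that is actually sent; once the payload looks right, the same script can be re-run without creating duplicate objects because each step checks with the corresponding Get-* function first.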