PowerNSX – Automating Security Buckets

PowerNSX has been out for a while. I am hearing great things about people using it. The main author Nick has been deploying entire customer environments from scratch with it. That’s right – NSX Manager, Host and Cluster preparation, Controller deployment and more!

Well, I have moved from QA monkey to (poor) contributor. In my dev branch of PowerNSX I have created three new cmdlets: New-NsxSecurityTag, Get-NsxSecurityTag, and Remove-NsxSecurityTag. Together with a change to the include-member validation in New-NsxSecurityGroup, so that a Security Tag is accepted as a member, it is now possible to create and delete Security Tags and to attach them to new Security Groups.

Note that some other Security Tag operations are not available yet: I still need to work out how to handle multiple pipeline items, pull the properties I need from each one, and append them to the request URIs. I am learning and I will get there.
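The per-item pipeline handling described above is mostly PowerShell plumbing rather than anything NSX-specific. The following is an added example, not PowerNSX code and not from the post's author, that shows the shape: an advanced function with a ValueFromPipeline parameter, a process block that runs once per piped object and draws out the identifier it needs, and a URI built per item. The function name Add-DemoSecurityTagAssignment, the sample tag objects, and the URI pattern are assumptions for illustration only; in PowerNSX the built URI would be handed to Invoke-NsxRestMethod rather than collected into a result object.

```powershell
# Added example (not PowerNSX code): a pipeline-aware helper that takes one or
# many tag objects, pulls the property it needs from each, and builds the
# per-item REST URI. The URI pattern and the tag object shape are assumptions
# modelled on the NSX-v security tag API; adjust them for the real objects.

function Add-DemoSecurityTagAssignment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        # Each object arriving on the pipeline is bound here, one at a time.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNull()]
        $SecurityTag,

        # The VM MoRef (for example vm-123) the tag should be attached to.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^vm-\d+$')]
        [string]$VmId
    )

    begin {
        # Runs once before the first item: shared setup goes here.
        $results = @()
    }

    process {
        # Runs once per pipeline item. Draw out the identifier we need and
        # guard against objects that do not carry it instead of building a
        # malformed URI.
        $tagId = $SecurityTag.objectId
        if (-not $tagId) {
            Write-Error "Object '$($SecurityTag.name)' has no objectId; skipping."
            return
        }

        # Assumed URI shape for attaching a tag to a VM.
        $uri = "/api/2.0/services/securitytags/tag/$tagId/vm/$VmId"

        # ShouldProcess gives the caller -WhatIf and -Confirm for free, which
        # matters when the real call would change firewall group membership.
        if ($PSCmdlet.ShouldProcess($uri, 'PUT')) {
            # In PowerNSX this is where the request would be sent; the demo
            # records what would be sent so it runs without an NSX Manager.
            $results += [pscustomobject]@{
                Tag    = $SecurityTag.name
                Method = 'PUT'
                Uri    = $uri
            }
        }
    }

    end {
        # Runs once after the last item: emit everything we built.
        $results
    }
}

# Constructed sample objects standing in for Get-NsxSecurityTag output.
$sampleTags = @(
    [pscustomobject]@{ name = 'ST-Web 1';  objectId = 'securitytag-10' },
    [pscustomobject]@{ name = 'ST-App 1';  objectId = 'securitytag-11' },
    [pscustomobject]@{ name = 'ST-Broken'; objectId = $null }
)

# Dry run: prints "What if:" lines for the two valid tags, an error for the third.
$sampleTags | Add-DemoSecurityTagAssignment -VmId 'vm-42' -WhatIf

# Real run (in this demo, just the built requests).
$sampleTags | Add-DemoSecurityTagAssignment -VmId 'vm-42' | Format-Table -AutoSize
```

The begin/process/end split is the whole trick: PowerShell calls process once per object that arrives on the pipeline, so the function never has to know whether it was given one tag or a hundred, and anything that needs the full set (a summary, a batched request) waits until end.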

The code below creates 10 buckets, each with its own Web, App, and Database Security Tags and matching Security Groups. The three tier groups are then nested inside an application-specific Security Group.

I am not advocating this topology as best practice or good design; I can think of designs that work better. The point is to show that consuming the API this way is quick, efficient, and approachable.

# Loop over the bucket range (1..10 here); each pass creates one bucket of
# three Security Tags, three tier Security Groups, and one parent group.
foreach ($i in 1..10) {
    Write-Host -ForegroundColor Green "Segmentation Bucket $i"

    # Names for the tags and groups in this bucket. No trailing commas here:
    # a trailing comma would turn each value into an array and break the
    # -Name parameters below.
    $WebTagName = "ST-Web $i"
    $AppTagName = "ST-App $i"
    $DbTagName  = "ST-Db $i"

    $WebSgName   = "SG-Web $i"
    $AppSgName   = "SG-App $i"
    $DbSgName    = "SG-Db $i"
    $BooksSgName = "SG-Books $i"

    $WebSgDescription = "Web SecurityGroup $i"
    $AppSgDescription = "App SecurityGroup $i"
    $DbSgDescription  = "Db SecurityGroup $i"

    # Create the three tier tags.
    $WebTag = New-NsxSecurityTag -Name $WebTagName
    $AppTag = New-NsxSecurityTag -Name $AppTagName
    $DbTag  = New-NsxSecurityTag -Name $DbTagName

    # Create one Security Group per tier with the tier's tag as its include
    # member: any VM that later carries ST-Web $i lands in SG-Web $i.
    $WebSg = New-NsxSecurityGroup -Name $WebSgName -Description $WebSgDescription -IncludeMember $WebTag
    $AppSg = New-NsxSecurityGroup -Name $AppSgName -Description $AppSgDescription -IncludeMember $AppTag
    $DbSg  = New-NsxSecurityGroup -Name $DbSgName  -Description $DbSgDescription  -IncludeMember $DbTag

    # Create the application group and nest the three tier groups (and so
    # their members) inside it.
    $BooksSg = New-NsxSecurityGroup -Name $BooksSgName -Description $BooksSgName -IncludeMember $WebSg, $AppSg, $DbSg
}


Here is the counterpart to the creation script: the removal script. It finds the tags and groups the loop above created and tears them down.

# Anchored patterns so that only the objects the loop created are selected;
# a bare -match "SG-" would also sweep up any unrelated group with "SG-" in
# its name.
# Groups go first, so no group still references a tag when the tag is deleted.
$RemoveSelectedSG = Get-NsxSecurityGroup | Where-Object { $_.name -match '^SG-(Web|App|Db|Books) \d+$' }
$RemoveSelectedSG | Remove-NsxSecurityGroup -force -confirm:$false

$RemoveSelectedTags = Get-NsxSecurityTag | Where-Object { $_.name -match '^ST-(Web|App|Db) \d+$' }
$RemoveSelectedTags | Remove-NsxSecurityTag -force -confirm:$false

Remember – this is a dev branch of PowerNSX. It will be in Main soon!

Enjoy. Go GIT some. What will you create with PowerNSX?



2 thoughts on “PowerNSX – Automating Security Buckets”

  1. Hi,

    Just wanted to let you know this is amazing stuff!
    In regard to NSX security tags, any idea when those additional cmdlets will be available, e.g. Get-NsxSecurityTag?
    I could really make use of them.

    Thanks for all your work!
