A few weeks back I mentioned on twitter that i was working on automating the VMware Validated Design NSX-V Distributed Firewall Configuration in my lab. (I admit it took longer than i had planned!) Currently this is a manual post deployment step once VMware Cloud Builder has completed the deployment. This will likely be picked up by Cloud Builder in a future release but for now its a manual, and somewhat tedious, but required, step!

Full details on the manual steps required for this configuration can be found here. Please take the time to understand what these rules are doing before implementing them.

So in an effort to make this post configuration step a little less painful i set out to automate it. I’ve played with the NSX-V API in the past and found it much easier to interact with by using PowerNSX, rather than leveraging PostMan and the API directly. PowerNSX is the unofficial, official automation tool for NSX. Hats off to VMware engineers Nick Bradford, Dale Coghlan & Anthony Burke for creating and documenting this tool. Anthony also published a FREE book on Automating NSX for vSphere with PowerNSX. More on that here.

Disclaimer: This script is not officially supported by VMware. Use at your own risk & test in a development/lab environment before using in production.

I’ve posted the script to GitHub here as its a bit lengthy! There may be a more efficient way to do some parts of it and if anyone wants to contribute please feel free!

As with a lot of the scripts i create it is menu based and has 2 main options:

1. Create DFW exclusions, IP Sets & Security Groups
2. Create DFW Rules

The reason i split it into 2 distinct operations is to allow you to inspect the exclusion list, IP Sets & Security Groups before creating the firewall rules. This will ensure that you dont lock yourself out of vCenter by creating an incorrect rule.

Required Software

• PowerCli
  • The script will check for PowerCli and if not found will attempt to install the latest version from the PowerShell Gallery
  • Currently tested on Windows only
  • If you dont have internet access you can manually install PowerCli by opening a PowerShell console as administrator and running:
  • Find-Module -Name VMware.PowerCLI | Install-Module
• PowerNSX
  • The script will check for PowerNSX and if not found will attempt to install the latest version from the PowerShell Gallery
  • Currently tested on Windows only
  • If you dont have internet access you can manually install PowerNSX by opening a PowerShell console as administrator and running:
  • Find-Module -Name PowerNSX | Install-Module

Required Variables

Before you can run the script you need to edit the User Variables to provide the following:

• Target vCenter details
  • Required to establish a PowerCli Connection with vCenter Server. This is used when updating the DFW exclusion list
• Target NSX Manager details
  • Required to establish a connection with NSX manager to configure the DFW
• IP Addresses for the various SDDC components

Hopefully you will find this useful!