NSX-T Security Group Automation with PowerCLI: Static, Dynamic, and Tag-Based Membership

Introduction

NSX-T security groups form the foundation for microsegmentation, dynamic firewalling, and tiered access. Manual group management is error-prone and inefficient. With PowerCLI and the NSX-T API modules, you can automate security group operations across thousands of workloads.

This article includes:

  • Creating static and dynamic groups
  • Managing tag-based group membership
  • Auditing group content and effective scope
  • Exporting group relationships for documentation

My Personal Repository on GitHub

VMware Repository on GitHub


Prerequisites

Connect to both vCenter and NSX Manager.
Ensure the NSX-T PowerCLI module is loaded, or fall back to calling the NSX Policy REST API directly.

Import-Module VMware.Sdk.Nsx.Policy
Connect-NsxServer -Server "nsxmgr.lab.local" -Credential (Get-Credential)

Step 1: Create a Static Security Group

New-NsxPolicyGroup -Name "Web-Tier-Static" `
    -Domain "default" `
    -Description "Static group for web servers"

Assign VMs using their path or object ID:

$vm = Get-VM -Name "WebApp01"
Add-NsxPolicyGroupMember -GroupName "Web-Tier-Static" -Members $vm.ExtensionData.MoRef.Value

Step 2: Create a Dynamic Membership Group (Tag-Based)

New-NsxPolicyGroup -Name "App-Tier-Dynamic" `
    -Domain "default" `
    -Expression @(
        New-NsxPolicyCondition -MemberType "VirtualMachine" -Key "Tag" -Operator "EQUALS" -Value "App"
    )

This group automatically includes every VM that carries the tag App; membership is re-evaluated as tags change, so no manual member list is maintained.


Step 3: Tag VMs Using PowerCLI

$tag = Get-Tag -Name "App"
Get-VM -Name "AppServer*" | New-TagAssignment -Tag $tag

NSX-T must be configured to sync vCenter tags; until that sync runs, tag-based groups stay empty even though the tag assignment succeeded in vCenter.


Step 4: List Group Members and Relationships

Get-NsxPolicyGroup -Name "App-Tier-Dynamic" | Get-NsxPolicyGroupMember

Export the mapping:

Get-NsxPolicyGroup -Name "App-Tier-Dynamic" | Get-NsxPolicyGroupMember | Export-Csv "C:\Reports\AppTierGroupMembers.csv" -NoTypeInformation

Diagram: Security Group Automation Flow


Use Case: Enforcing Tier-Based DFW Rules

Three security groups:

  • Web-Tier
  • App-Tier
  • DB-Tier

Example rule:

New-NsxPolicyFirewallRule -Name "Allow Web to App" `
    -SourceGroup "Web-Tier" `
    -DestinationGroup "App-Tier" `
    -Service "HTTPS" `
    -Action "ALLOW" `
    -SequenceNumber 100

Combine with dynamic groups for full microsegmentation automation.


Troubleshooting Group Logic

Issue                                   Solution
Dynamic group not populating            Ensure tag sync between vCenter and NSX-T is active
Members not appearing                   Verify tag spelling and case sensitivity
Group exists but cannot apply in rule   Use full path reference or UUID when using CLI
Tag assignment delayed                  Allow a few minutes for sync or refresh via API

Scheduled Group Audit Script

Run this weekly to log all members of key NSX groups:

$groups = "Web-Tier", "App-Tier", "DB-Tier"

foreach ($group in $groups) {
    # One CSV per group, overwritten on each run
    Get-NsxPolicyGroup -Name $group | Get-NsxPolicyGroupMember | Export-Csv "C:\Reports\NSX_$group.csv" -NoTypeInformation
}
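The audit above records who is in each group, but it does not tell you whether a dynamic group still matches the vCenter tags that are supposed to drive it, which is the failure the troubleshooting table describes. The following script is an added example, not code from the original article: it compares the VMs carrying a tag with the VMs NSX-T reports as members of the corresponding dynamic group and writes any drift to a CSV. It assumes live sessions to vCenter and NSX Manager, uses the article's Get-NsxPolicyGroup and Get-NsxPolicyGroupMember cmdlets, and assumes (unverified) that each member object exposes a DisplayName property.

```powershell
# Added example (not from the original article). Assumes existing vCenter and NSX Manager
# sessions and that Get-NsxPolicyGroupMember output exposes a DisplayName property (assumption).
param(
    [string]$TagName   = "App",
    [string]$GroupName = "App-Tier-Dynamic",
    [string]$ReportDir = "C:\Reports"
)

function Get-GroupTagDrift {
    param([string]$TagName, [string]$GroupName)

    # Names of VMs carrying the vCenter tag that is supposed to drive group membership
    $tag      = Get-Tag -Name $TagName -ErrorAction Stop
    $taggedVm = @(Get-TagAssignment -Tag $tag | ForEach-Object { $_.Entity.Name } | Sort-Object -Unique)

    # Names NSX-T currently reports as members of the dynamic group (DisplayName is assumed)
    $groupVm  = @(Get-NsxPolicyGroup -Name $GroupName | Get-NsxPolicyGroupMember |
                  ForEach-Object { $_.DisplayName } | Sort-Object -Unique)

    # Tagged but absent from the group: tag sync inactive or delayed (see troubleshooting table)
    foreach ($name in ($taggedVm | Where-Object { $_ -notin $groupVm })) {
        [pscustomobject]@{ VM = $name; Group = $GroupName; Tag = $TagName; State = "TaggedNotInGroup" }
    }
    # In the group without the tag: membership no longer reflects intent, review before DFW rules rely on it
    foreach ($name in ($groupVm | Where-Object { $_ -notin $taggedVm })) {
        [pscustomobject]@{ VM = $name; Group = $GroupName; Tag = $TagName; State = "InGroupNotTagged" }
    }
}

$drift = @(Get-GroupTagDrift -TagName $TagName -GroupName $GroupName)
$stamp = Get-Date -Format "yyyyMMdd-HHmm"
$drift | Export-Csv (Join-Path $ReportDir "NSX_Drift_${GroupName}_$stamp.csv") -NoTypeInformation

if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) VM(s) out of sync between tag '$TagName' and group '$GroupName'"
    exit 1   # non-zero exit so a scheduler can flag the run for review
}
Write-Host "No drift detected between tag '$TagName' and group '$GroupName'"
```

Run it on the same weekly schedule as the member export; a non-zero exit code from the scheduled task is the signal that a DFW rule may be enforcing against an incomplete or stale group.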

What’s Next

The next article will focus on:

  • Using PowerCLI to run guest OS customization and scripting inside VMs
  • Deploying application stacks with post-clone automation
