Introduction
NSX-T security groups form the foundation for microsegmentation, dynamic firewalling, and tiered access. Manual group management is error-prone and inefficient. With PowerCLI and the NSX-T API modules, you can automate security group operations across thousands of workloads.
This article includes:
- Creating static and dynamic groups
- Managing tag-based group membership
- Auditing group content and effective scope
- Exporting group relationships for documentation
My Personal Repository on GitHub
Prerequisites
Connect to both vCenter and NSX Manager. The `New-NsxPolicyGroup`-style cmdlets used in the steps below are not part of VMware's `VMware.Sdk.Nsx.Policy` module (that module exposes generated `Invoke-*` and `Initialize-*` cmdlets); treat them as wrapper functions you load yourself, or fall back to the REST API with `Invoke-RestMethod`. Connect with an NSX account holding the least role that covers the job (Security Engineer for group and DFW work rather than Enterprise Admin).
```powershell
Import-Module VMware.Sdk.Nsx.Policy
# vCenter session for Get-VM / tag cmdlets (hostname is a placeholder)
Connect-VIServer -Server "vcsa.lab.local" -Credential (Get-Credential)
# NSX Manager session for the group and firewall cmdlets
Connect-NsxServer -Server "nsxmgr.lab.local" -Credential (Get-Credential)
```
Step 1: Create a Static Security Group
```powershell
New-NsxPolicyGroup -Name "Web-Tier-Static" `
    -Domain "default" `
    -Description "Static group for web servers"
```
Add members by identifier. NSX keys a VM by its external ID, which is the VM's vCenter instance UUID (`$vm.ExtensionData.Config.InstanceUuid`); a managed-object reference such as `vm-123` is a vCenter-only handle that NSX does not resolve.
```powershell
$vm = Get-VM -Name "WebApp01"
# NSX external ID = vCenter instance UUID, not the MoRef
Add-NsxPolicyGroupMember -GroupName "Web-Tier-Static" -Members $vm.ExtensionData.Config.InstanceUuid
```
Step 2: Create a Dynamic Membership Group (Tag-Based)
```powershell
New-NsxPolicyGroup -Name "App-Tier-Dynamic" `
    -Domain "default" `
    -Expression @(
        # Condition: member_type VirtualMachine, key Tag, operator EQUALS, value App
        New-NsxPolicyCondition -MemberType "VirtualMachine" -Key "Tag" -Operator "EQUALS" -Value "App"
    )
```
This group automatically includes every VM carrying the NSX tag `App`, and NSX re-evaluates membership whenever tags change, so rules that reference the group never need editing when workloads are added or retired.
Step 3: Tag VMs Using PowerCLI
```powershell
$tag = Get-Tag -Name "App"
Get-VM -Name "AppServer*" | New-TagAssignment -Tag $tag
```
This assigns a vCenter tag. NSX evaluates its own VM tags (scope/tag pairs stored in the NSX inventory), not vCenter tags, so this assignment on its own does not populate App-Tier-Dynamic: something must copy the vCenter tag onto the matching NSX VM tag, either a sync job you run or a direct NSX API call. Until that copy has happened the group stays empty no matter how correct its expression is.
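The copy step the previous paragraph calls for, as an added example that is not code from the original article or its repository: it reads the vCenter tag assignment from Step 3 and writes the equivalent NSX VM tag through the NSX Manager API (`/api/v1/fabric/virtual-machines`). It assumes PowerShell 7 (for `-SkipCertificateCheck`), the NSX host `nsxmgr.lab.local` from the Prerequisites, a local NSX user, an existing `Connect-VIServer` session, and the vCenter tag `App` from Step 3; none of those assumptions come from the article.

```powershell
# Added example: push vCenter tag assignments to NSX VM tags so tag-based NSX groups
# can evaluate them. Assumptions: PowerShell 7, nsxmgr.lab.local, local NSX user,
# an existing Connect-VIServer session, vCenter tag "App".

$NsxServer = "nsxmgr.lab.local"   # assumption: hostname from the article's Connect-NsxServer call
$cred      = Get-Credential -Message "NSX Manager credentials"
$pair      = "{0}:{1}" -f $cred.UserName, $cred.GetNetworkCredential().Password
$Headers   = @{ Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair)) }

function Get-NsxFabricVm {
    # Returns every VM in the NSX inventory, following the cursor so large
    # environments are not silently truncated at one page.
    $uri = "https://$NsxServer/api/v1/fabric/virtual-machines?page_size=1000"
    $all = @()
    do {
        $page = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get -SkipCertificateCheck
        $all += $page.results
        $uri  = "https://$NsxServer/api/v1/fabric/virtual-machines?page_size=1000&cursor=$($page.cursor)"
    } while ($page.cursor)
    $all
}

function Set-NsxVmTag {
    param($NsxVm, [string]$Tag, [string]$Scope = "")
    # update_tags REPLACES the VM's whole tag list. Merge instead of overwriting;
    # otherwise an existing tag such as env|prod vanishes and that VM quietly drops
    # out of every group (and DFW rule) keyed on it.
    $tags  = @($NsxVm.tags | Where-Object { $_.tag -ne $Tag -or $_.scope -ne $Scope })
    $tags += @{ scope = $Scope; tag = $Tag }
    $body  = @{ external_id = $NsxVm.external_id; tags = $tags } | ConvertTo-Json -Depth 4
    Invoke-RestMethod -Uri "https://$NsxServer/api/v1/fabric/virtual-machines?action=update_tags" `
        -Headers $Headers -Method Post -ContentType "application/json" -Body $body -SkipCertificateCheck
}

# Index NSX VMs by external_id, which equals the VM's vCenter instance UUID.
$nsxVms = @{}
foreach ($v in Get-NsxFabricVm) { $nsxVms[$v.external_id] = $v }

$tag = Get-Tag -Name "App"
foreach ($vm in Get-VM -Tag $tag) {
    $nsxVm = $nsxVms[$vm.ExtensionData.Config.InstanceUuid]
    if (-not $nsxVm) {
        # VMs on hosts that are not NSX-prepared never appear in the NSX inventory
        Write-Warning "$($vm.Name) not found in NSX inventory; skipping"
        continue
    }
    Set-NsxVmTag -NsxVm $nsxVm -Tag $tag.Name | Out-Null
    "Tagged $($vm.Name) with NSX tag '$($tag.Name)'"
}
```

Run it after every `New-TagAssignment` (or on a schedule) and the dynamic group from Step 2 fills in within seconds of the call returning. The merge in `Set-NsxVmTag` is the part worth keeping even if you replace the rest: a tag sync that overwrites is a quiet way to un-segment a workload.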
Step 4: List Group Members and Relationships
Read back the effective membership (the set the DFW is actually enforcing on), not just the expression:
```powershell
Get-NsxPolicyGroup -Name "App-Tier-Dynamic" | Get-NsxPolicyGroupMember
```
Export the mapping:
```powershell
Get-NsxPolicyGroup -Name "App-Tier-Dynamic" | Get-NsxPolicyGroupMember |
    Export-Csv "C:\Reports\AppTierGroupMembers.csv" -NoTypeInformation
```
Diagram: Security Group Automation Flow
Use Case: Enforcing Tier-Based DFW Rules
Three security groups:
- Web-Tier
- App-Tier
- DB-Tier
Example rule:
```powershell
New-NsxPolicyFirewallRule -Name "Allow Web to App" `
    -SourceGroup "Web-Tier" `
    -DestinationGroup "App-Tier" `
    -Service "HTTPS" `
    -Action "ALLOW" `
    -SequenceNumber 100
```
Combine this with the dynamic groups so the rules never need editing when workloads change. An ALLOW rule on its own is not segmentation, though: add an explicit DROP for all other traffic into each tier (or a default-deny at the bottom of the policy), because flows that match nothing fall through to the DFW default rule, which ships as ALLOW.
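The REST fallback mentioned in the Prerequisites, carried through Steps 1 and 2 and the tier policy above, as an added example that is not the article's code or the linked repository's. It uses the NSX Policy API (`/policy/api/v1/infra/...`), where PATCH creates-or-updates so the script is safe to re-run, and references groups and services by policy path. The hostname `nsxmgr.lab.local`, the local NSX user, PowerShell 7, the VM `WebApp01` and the policy name `Tier-Policy` are assumptions; the rules reference the two groups the block itself creates so the example is self-contained.

```powershell
# Added example: Steps 1-2 and the tier DFW policy via the NSX Policy API.
# Assumptions: PowerShell 7, nsxmgr.lab.local, local NSX user, Connect-VIServer
# session with a VM named WebApp01, policy ID "Tier-Policy".

$NsxServer = "nsxmgr.lab.local"
$cred      = Get-Credential -Message "NSX Manager credentials"
$pair      = "{0}:{1}" -f $cred.UserName, $cred.GetNetworkCredential().Password
$Headers   = @{ Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair)) }

function Invoke-NsxPolicyPatch {
    param([string]$Path, [hashtable]$Body)
    # PATCH creates the object if missing, updates it otherwise (idempotent).
    # The PATCH response body is empty, so read the object back with GET.
    $uri = "https://$NsxServer/policy/api/v1$Path"
    Invoke-RestMethod -Uri $uri -Headers $Headers -Method Patch -ContentType "application/json" `
        -Body ($Body | ConvertTo-Json -Depth 8) -SkipCertificateCheck
    Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get -SkipCertificateCheck
}

# Step 1 (REST): static group. NSX keys a VM by external_id, which is the vCenter
# instance UUID, not the MoRef (vm-123).
$vm = Get-VM -Name "WebApp01"
$staticGroup = Invoke-NsxPolicyPatch -Path "/infra/domains/default/groups/Web-Tier-Static" -Body @{
    display_name = "Web-Tier-Static"
    description  = "Static group for web servers"
    expression   = @(
        @{
            resource_type = "ExternalIDExpression"
            member_type   = "VirtualMachine"
            external_ids  = @($vm.ExtensionData.Config.InstanceUuid)
        }
    )
}

# Step 2 (REST): dynamic group keyed on the NSX VM tag "App".
$dynamicGroup = Invoke-NsxPolicyPatch -Path "/infra/domains/default/groups/App-Tier-Dynamic" -Body @{
    display_name = "App-Tier-Dynamic"
    expression   = @(
        @{
            resource_type = "Condition"
            member_type   = "VirtualMachine"
            key           = "Tag"
            operator      = "EQUALS"
            value         = "App"
        }
    )
}

# Tier policy (REST). Rules reference groups and services by path, never by display
# name. The trailing DROP is what turns this into segmentation: without it, traffic
# not matched here falls through to the DFW default rule, which ships as ALLOW.
# scope (applied-to) is set to the destination group so the rules are only pushed
# to the vNICs of App-Tier VMs rather than every VM in the DFW.
$appPath = $dynamicGroup.path
$webPath = $staticGroup.path
$policy = Invoke-NsxPolicyPatch -Path "/infra/domains/default/security-policies/Tier-Policy" -Body @{
    display_name = "Tier-Policy"
    category     = "Application"
    rules        = @(
        @{
            id                 = "allow-web-to-app"
            display_name       = "Allow Web to App"
            source_groups      = @($webPath)
            destination_groups = @($appPath)
            services           = @("/infra/services/HTTPS")
            action             = "ALLOW"
            sequence_number    = 100
            scope              = @($appPath)
            logged             = $true
        },
        @{
            id                 = "deny-other-to-app"
            display_name       = "Deny other to App"
            source_groups      = @("ANY")
            destination_groups = @($appPath)
            services           = @("ANY")
            action             = "DROP"
            sequence_number    = 900
            scope              = @($appPath)
            logged             = $true
        }
    )
}

"{0}: {1} expression(s)" -f $staticGroup.display_name, $staticGroup.expression.Count
"{0}: {1} expression(s)" -f $dynamicGroup.display_name, $dynamicGroup.expression.Count
"{0}: {1} rule(s)"       -f $policy.display_name, $policy.rules.Count
```

Because the object IDs are fixed in the URL (`Web-Tier-Static`, `App-Tier-Dynamic`, `Tier-Policy`), running this twice updates in place instead of creating duplicates, which is the property you want for anything that ends up in a pipeline. Logging both rules gives the SOC the allow and the drop for the same tier in one DFW log stream.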
Troubleshooting Group Logic
| Issue | Solution |
|---|---|
| Dynamic group not populating | Confirm the VMs carry an NSX VM tag, not only a vCenter tag; NSX does not read vCenter tags unless something copies them across |
| Members not appearing | Verify tag spelling, scope, and case; tag matching is exact |
| Group exists but cannot be used in a rule | Reference the group by its policy path (`/infra/domains/default/groups/<id>`) or ID in API calls; the display name is not a key |
| Tag assignment delayed | Realization normally takes seconds; check the group's effective members via the API rather than the expression, and allow a few minutes under load |
Scheduled Group Audit Script
Run this weekly (for example from a scheduled task under a read-only NSX account) to log all members of key NSX groups; the CSVs are your record of which workloads were in scope of which rules at each point in time.
```powershell
$groups = "Web-Tier", "App-Tier", "DB-Tier"
foreach ($group in $groups) {
    Get-NsxPolicyGroup -Name $group | Get-NsxPolicyGroupMember |
        Export-Csv "C:\Reports\NSX_$group.csv" -NoTypeInformation
}
```
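The audit above and the member listing in Step 4, as an added example that is not the article's script: it reads each group's effective VM membership from the Policy API, keeps a JSON snapshot per group, and on the next run reports which VMs joined or left, so a tag removed by mistake (and the VM silently leaving its DFW scope) shows up instead of being buried in a weekly CSV. It assumes PowerShell 7, `nsxmgr.lab.local`, a local NSX user, group IDs equal to the display names Web-Tier/App-Tier/DB-Tier, and an existing `C:\Reports` folder; the first run reports every member as JOINED because there is no previous snapshot.

```powershell
# Added example: weekly audit with drift detection against the NSX Policy API.
# Assumptions: PowerShell 7, nsxmgr.lab.local, local NSX user, group IDs equal to
# their display names, C:\Reports exists.

$NsxServer = "nsxmgr.lab.local"
$ReportDir = "C:\Reports"
$cred      = Get-Credential -Message "NSX Manager credentials"
$pair      = "{0}:{1}" -f $cred.UserName, $cred.GetNetworkCredential().Password
$Headers   = @{ Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair)) }

function Get-NsxGroupEffectiveVm {
    param([string]$GroupId, [string]$Domain = "default")
    # Effective membership is what the DFW enforces on; for a dynamic group it can
    # differ from what the expression appears to cover (untagged VMs, VMs on
    # unprepared hosts), so audit this rather than the expression.
    $uri = "https://$NsxServer/policy/api/v1/infra/domains/$Domain/groups/$GroupId/members/virtual-machines"
    (Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get -SkipCertificateCheck).results |
        Select-Object display_name, external_id, power_state
}

function Compare-GroupSnapshot {
    param([string]$GroupId, [object[]]$Current)
    # Diff by external_id (stable across renames) rather than display_name.
    $file     = Join-Path $ReportDir "NSX_$GroupId.snapshot.json"
    $previous = if (Test-Path $file) { @(Get-Content $file -Raw | ConvertFrom-Json) } else { @() }
    $prevIds  = @($previous | ForEach-Object { $_.external_id })
    $curIds   = @($Current  | ForEach-Object { $_.external_id })
    foreach ($m in $Current) {
        if ($m.external_id -notin $prevIds) {
            [pscustomobject]@{ Group = $GroupId; Change = "JOINED"; VM = $m.display_name; ExternalId = $m.external_id }
        }
    }
    foreach ($m in $previous) {
        if ($m.external_id -notin $curIds) {
            [pscustomobject]@{ Group = $GroupId; Change = "LEFT"; VM = $m.display_name; ExternalId = $m.external_id }
        }
    }
    # Save the current state for the next run (empty array serializes as [] and is fine).
    ConvertTo-Json -InputObject $Current -Depth 3 | Set-Content $file
}

$groups  = "Web-Tier", "App-Tier", "DB-Tier"
$stamp   = Get-Date -Format "yyyyMMdd"
$changes = foreach ($group in $groups) {
    $members = @(Get-NsxGroupEffectiveVm -GroupId $group)
    $members | Export-Csv (Join-Path $ReportDir "NSX_${group}_$stamp.csv") -NoTypeInformation
    Compare-GroupSnapshot -GroupId $group -Current $members
}

if ($changes) {
    $changes | Export-Csv (Join-Path $ReportDir "NSX_GroupDrift_$stamp.csv") -NoTypeInformation
    $changes | Format-Table -AutoSize
} else {
    "No membership drift since the last run."
}
```

A LEFT entry for a VM that still exists is the interesting case: it means the VM lost its tag or moved off an NSX-prepared host, and the tier rules no longer apply to it. Wire the drift CSV (or the `$changes` objects) into whatever alerting the SOC already consumes rather than leaving it on the reports share.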
What’s Next
Next article will focus on:
- Using PowerCLI to run guest OS customization and scripting inside VMs
- Deploying application stacks with post-clone automation
