Use PowerCLI to set your SDDC Firewall rules

Gilles Chekroun
Lead VMware Cloud on AWS Specialist
One thing I really like about VMware is the team spirit of that company. People are always here to help you, sharing their experiences and knowledge. We have our EPIC2 values and one guy in particular stands out for Passion and Community.
It's William Lam
He is well known in our community for his "virtuallyGhetto" blog and the 1000+ posts he has written on many subjects and technologies. Recently, I asked him which API I should use to retrieve the VMC SDDC public IP address and he replied to me with a blog post!! Amazing.
William wrote many PowerShell modules, in particular the ones for NSX-T and VMC.
Download and import the VMware.VMC.NSXT and VMware.VMC PowerShell modules. We will need them later.
This article will describe how to automate tasks after SDDC deployment like creating logical segments, setting up Firewall rules on MGW (the Management Gateway) and most importantly on CGW (the Compute Gateway).

PowerShell Install on Mac OS-x

I am a Mac user and to install PowerShell do the following:
$ brew tap caskroom/cask 
$ brew cask install powershell
. . . snip. . .
installer: Package name is PowerShell - 6.1.1 
installer: Installing at base path / 
installer: The install was successful. 
powershell was successfully installed!
Verify if any upgrades are available
$ brew cask upgrade powershell 
==> Upgrading 1 outdated package:
powershell 6.1.1 -> 6.1.3
powershell was successfully installed! 
and check the current Version (should be > 6.0)
On Mac Terminal window, run:
$ pwsh 
PowerShell 6.1.3 
Copyright (c) Microsoft Corporation. All rights reserved. 
Type 'help' to get help. 
PS > 

Install PowerCLI

PS > Find-Module -Name VMware.PowerCLI 
Version Name            Repository Description
------- ----            ---------- -----------
        VMware.PowerCLI PSGallery  This Windows PowerShell module contains VMwa...
PS >
Save module
PS > Save-Module -Name VMware.PowerCLI -Path . 
PS > 
Install Module
PS > Install-Module -Name VMware.PowerCLI -Force
Verify Module version
PS > Get-PowerCLIVersion
List available Modules
PS > get-module VMware.* -ListAvailable
Ignore certificate
PS > Set-PowerCLIConfiguration -InvalidCertificateAction Ignore

If necessary, update module with
Update-Module VMware.PowerCLI 
Install VMC Module
Find-Module -Name VMware.VMC
Install-Module -Name VMware.VMC 
Verify the connectivity with your Refresh Token
PS > Connect-Vmc -RefreshToken 62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0 
Server                         User
------                         ----
                               gchekroun

Installing VMware.VMC.NSXT module

Create an "init file" such as init.ps1 and paste in this code:
$RefreshToken   = "62c26d4a-xxxx-xxxx-xxxx-913873b1dfe0"
$OrgName        = "YOUR ORG NAME" 
$SDDCName       = "YOUR SDDC NAME"
Import-Module ./VMware.VMC.NSXT.psd1
Import-Module ./VMware.VMC.psd1
Connect-Vmc -RefreshToken $RefreshToken
Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName  
The Org name is the display NAME (not the Org ID), and the same applies to the SDDC name.
The modules VMware.VMC.NSXT.psd1 and VMware.VMC.psd1 are the ones we downloaded from the links above.
Connect-NSXTProxy returns the proxy URL needed for every API call to the NSX-T policy in VMware Cloud on AWS.

Setting up a basic SDDC

A brand new SDDC comes with a default network segment of We can create a bunch of other Logical networks under the Compute Gateway.

Create Logical segments

The code below will create 4 logical segments (the original loop was missing its braces):
for ($i = 2; $i -lt 6; $i++) {
    Write-Output $i
    # One /24 per segment, gateway at .1, DHCP handing out .2 to .254
    New-NSXTSegment -Name "sddc-cgw-network-$i" -Gateway "192.168.$i.1/24" -DHCP -DHCPRange "192.168.$i.2-192.168.$i.254"
}
Note the Attached VPC Route table updates

Create groups

A default SDDC comes with only 3 Management Groups.
Groups are used in Firewall rules and they are easy to create.
The code below will create groups based on IP addresses.
New-NSXTGroup -GatewayType CGW -Name LS1 -IPAddress @("")
New-NSXTGroup -GatewayType CGW -Name LS2 -IPAddress @("")
New-NSXTGroup -GatewayType CGW -Name VPC1 -IPAddress @("")
New-NSXTGroup -GatewayType CGW -Name VPC2 -IPAddress @("")
New-NSXTGroup -GatewayType CGW -Name VPC3 -IPAddress @("")

Create Management Gateway rules

The default SDDC comes with 3 default management rules:
  • vCenter Outbound Rule
  • ESXi Outbound Rule
  • Default Deny All

vCenter inbound

To access vCenter from the outside world we need to create a vCenter inbound rule.
The code below deploys a vCenter inbound rule and allows "HTTPS", "ICMP" and "SSO".
A sequence number of "0" will put the rule on top of the existing list.
New-NSXTFirewall -GatewayType MGW `
    -Name "vCenter Inbound" `
    -SourceGroup @("ANY") `
    -DestinationGroup @("VCENTER") `
    -Service @("HTTPS","ICMP ALL","SSO") `
    -Logged $false `
    -SequenceNumber 0 `
    -Action ALLOW

Create Compute Gateway rules

Compute Gateway rules are a little bit more complex. Within the Compute environment we have 2 default rules:
  • Default VTI Rule - drop by default
  • Default Uplink Rule - drop by default
The compute side has a field called "Applied To", which defines the scope on which the rule is applied. The scopes are:
  • ALL uplinks
  • Internet Interface
  • Virtual Tunnel Interface
  • Direct Connect
  • Attached VPC interfaces
Also, the "Source" or "Destination" can be a specific Infra label such as:
  • Connected VPC prefixes
  • S3 Prefixes
  • Direct Connect Prefixes
and these must be handled differently from a group we created ourselves, such as LS1 or LS2.
To illustrate that, let's create an "Internet-out" rule.

"Internet-out" rule

The code below will allow the LS1 VMs access to the Internet.
New-NSXTFirewall -GatewayType CGW -Name "Internet-out" `
    -SourceGroup LS1 `
    -DestinationGroup @("ANY") `
    -Service ANY `
    -Logged $false `
    -SequenceNumber 2 `
    -Action ALLOW `
    -InfraScope "Internet Interface"
Note the -InfraScope parameter, which maps to the "Applied To" field.

VMC to AWS rule 

Let's now create a rule "vmc2aws" for the Elastic Network Interface to allow connections from LS1 to the VPC-attached subnet and S3.
New-NSXTFirewall -GatewayType CGW -Name "vmc2aws" `
    -SourceGroup @("ANY") `
    -DestinationInfraGroup @("Connected VPC Prefixes", "S3 prefixes") `
    -Service @("ANY") `
    -Logged $false `
    -SequenceNumber 0 `
    -Action ALLOW `
    -InfraScope @("VPC Interface")
Note the -DestinationInfraGroup, labeled in the console as "Connected VPC and S3".
Note also the -InfraScope, labeled as "VPC Interface".
The reverse rule will look like:
New-NSXTFirewall -GatewayType CGW `
    -Name "aws2vmc" `
    -SourceInfraGroup @("Connected VPC Prefixes", "S3 prefixes") `
    -DestinationGroup @("ANY") `
    -Service @("ANY") `
    -Logged $false `
    -SequenceNumber 0 `
    -Action ALLOW `
    -InfraScope @("VPC Interface")
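Putting the MGW rule and the three CGW rules above into one data-driven script, as an added example that is not code from the original post or from William Lam's module: it scopes vCenter access to an admin group instead of "ANY", skips rules whose names already exist, and turns logging on so hits are visible in the gateway firewall log. It assumes init.ps1 from above has been run, that the module provides Get-NSXTFirewall -GatewayType returning objects with a Name property, and that New-NSXTGroup accepts -GatewayType MGW (all assumptions); the admin CIDR is a placeholder.

```powershell
# Added example, not from the original post or the VMware.VMC.NSXT module itself.
# Assumes init.ps1 (Connect-Vmc / Connect-NSXTProxy) has been run from this directory.
. ./init.ps1

# PLACEHOLDER: replace with the public CIDRs your administrators connect from.
$AdminCidrs = @("203.0.113.0/24")

# Assumption: New-NSXTGroup accepts -GatewayType MGW for management groups.
# Restricts the vCenter inbound rule to a known admin range instead of "ANY".
New-NSXTGroup -GatewayType MGW -Name "Admins" -IPAddress $AdminCidrs

# Rule set declared as data; each hashtable is splatted into New-NSXTFirewall.
# Infra labels go in *InfraGroup parameters, user-created groups in SourceGroup /
# DestinationGroup, and InfraScope maps to the "Applied To" field, as in the post.
$rules = @(
    @{ GatewayType = "MGW"; Name = "vCenter Inbound"; SourceGroup = @("Admins")
       DestinationGroup = @("VCENTER"); Service = @("HTTPS", "ICMP ALL", "SSO")
       SequenceNumber = 0 }
    @{ GatewayType = "CGW"; Name = "Internet-out"; SourceGroup = @("LS1")
       DestinationGroup = @("ANY"); Service = @("ANY"); SequenceNumber = 2
       InfraScope = @("Internet Interface") }
    @{ GatewayType = "CGW"; Name = "vmc2aws"; SourceGroup = @("ANY")
       DestinationInfraGroup = @("Connected VPC Prefixes", "S3 prefixes")
       Service = @("ANY"); SequenceNumber = 0; InfraScope = @("VPC Interface") }
    @{ GatewayType = "CGW"; Name = "aws2vmc"
       SourceInfraGroup = @("Connected VPC Prefixes", "S3 prefixes")
       DestinationGroup = @("ANY"); Service = @("ANY"); SequenceNumber = 0
       InfraScope = @("VPC Interface") }
)

foreach ($rule in $rules) {
    # Assumption: Get-NSXTFirewall -GatewayType returns objects with a Name property.
    $existing = (Get-NSXTFirewall -GatewayType $rule.GatewayType).Name
    if ($existing -contains $rule.Name) {
        Write-Warning "$($rule.GatewayType) rule '$($rule.Name)' already exists, skipping"
        continue
    }
    # Logged $true so every match is recorded in the gateway firewall log for review.
    New-NSXTFirewall -Action ALLOW -Logged $true @rule
}
```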
With this we are now able to use PowerCLI to configure our Management and Compute Gateway Firewall rules.

Download the "Create_SDDC_FW.ps1" file here.
