PowerNSX and Security Group Membership Exclusions
Hey everyone - I've been helping a customer implement their NSX Distributed Firewall recently. I'm not a big fan of the GUI, but I can do just about everything that I need to do through PowerNSX, which I've found much faster and easier to manage... until I started working with Security Group membership exclusions.
NSX follows a fairly sophisticated process for determining what objects are members of a given Security Group. First, it checks the rules in that Security Group's Dynamic Membership section and adds all of the specified objects to the list (this can be a computationally expensive process, so you probably don't want to use a lot of dynamic membership rules). Next, it checks the list in that Security Group's Static Include section and adds all of the specified objects to the list (this is a cheaper operation and should be the go-to group membership method). Finally, it checks the list in the Exclude section and removes those objects from the list. Note that this removal happens last, meaning that it takes precedence over anything else that would add objects to the list.
We're taking advantage of this setting to help limit the scope of our rules during implementation. As such, we'll be doing a lot of work with that Exclude list, which would be a real pain in the GUI. Fortunately, we've got cmdlets that make it easy to manipulate via PowerShell, so that's not a problem!
A PowerNSX Security Group object has a lot of properties, but there are three that I find myself using over and over again: Name, Member, and ExcludeMember (there's also a DynamicMemberDefinition property, but I try to avoid dynamic membership rules). These properties let me build my Security Group exactly the way that I want it, although they're always manipulated through other cmdlets (rather than by changing them directly).
To make a new group, I start with new-nsxSecurityGroup -name myGroup. If I want to save some time, I can save the output of that command in a variable for future use, but I'm going to keep it simple here. That command will make a Security Group called myGroup, and at the moment, it's completely empty (I don't think that it'll even have the .member or .excludeMember properties).
I can next add a bunch of test VMs to that group with add-nsxSecurityGroupMember -securityGroup (get-nsxSecurityGroup -name myGroup) -member (get-vm test*). If we take a look at that group now, we'll see that all of my VMs that begin with test are now members of that group. Great! But, what if we don't want the testSQL* VMs in there? Well, that's where the excludeMember property comes into play.
add-nsxSecurityGroupMember -securityGroup (get-nsxSecurityGroup -name myGroup) -memberIsExcluded -member (get-vm testSQL*) will take care of that. Now, this group has a static membership list of all of the VMs that start with test*, but an excluded list of all of the VMs that start with testSQL*, thus removing them from the membership list.
So far, so good. But, what do we do if we want to remove members from either the static include or the exclude lists? Let's say that we really don't want the VM testDomainController in our include list. It's easy to remove it: remove-nsxSecurityGroupMember -securityGroup (get-nsxSecurityGroup -name myGroup) -member (get-vm testDomainController). Now, that system is no longer on the include list.
So, how do we remove the VM testSQLReporting from the exclude list? remove-nsxSecurityGroupMember -securityGroup (get-nsxSecurityGroup -name myGroup) -member (get-vm testSQLReporting). At least, that's how we should do it... but as of PowerNSX version 3.0.1118, that's going to throw an error stating that the VM "... is not a member of the specified SecurityGroup."
It looks like the current remove-nsxSecurityGroupMember cmdlet has an error check that only looks in the member list for the object to be removed and never consults the excludeMember list, meaning that there's currently no way to remove excluded members from a Security Group with PowerNSX. Fortunately, the fix is really simple: just have that error check look in both the member and excludeMember properties of the Security Group.
I went ahead and forked PowerNSX so that I could make and submit that fix. I don't know how often changes get rolled into the project (or even if mine will be approved), but if you need to manipulate the excludeMember list now, feel free to use my fork on GitHub (or, just check out lines 23,184 - 23,186 of powerNSX.psm1 in my fork and replicate them in your local version).
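To make the membership order and the "check both lists" fix concrete, here is an added PowerShell example (mine, not code from the post or from PowerNSX). Real PowerNSX group objects are XML; the objects below are constructed PSCustomObjects that only mimic the name, member and excludeMember properties discussed above, and dynamicPattern is a stand-in I invented for the dynamic membership rules.

```powershell
# Added example, not PowerNSX code. Models the resolution order the post describes:
# dynamic rules, then the static include list, then the exclude list removes last.
function Get-EffectiveSgMembers {
    param(
        [Parameter(Mandatory)] $SecurityGroup,              # constructed object (see below)
        [Parameter(Mandatory)] [string[]] $InventoryNames    # every VM name in the environment
    )
    $resolved = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    # 1. Dynamic membership (modelled here as a wildcard over the inventory; assumption).
    if ($SecurityGroup.dynamicPattern) {
        $InventoryNames | Where-Object { $_ -like $SecurityGroup.dynamicPattern } |
            ForEach-Object { [void]$resolved.Add($_) }
    }
    # 2. Static include list.
    foreach ($m in $SecurityGroup.member) { [void]$resolved.Add($m.name) }
    # 3. Exclude list is applied last, so it overrides both of the above.
    foreach ($x in $SecurityGroup.excludeMember) { [void]$resolved.Remove($x.name) }
    return ($resolved | Sort-Object)
}

# Pre-flight check in the spirit of the fix: an object counts as "present" if it is in
# EITHER the include list OR the exclude list, so excluded members can be removed too.
function Find-SgMemberList {
    param([Parameter(Mandatory)] $SecurityGroup, [Parameter(Mandatory)] [string] $Name)
    $inInclude = @($SecurityGroup.member        | Where-Object { $_.name -eq $Name }).Count -gt 0
    $inExclude = @($SecurityGroup.excludeMember | Where-Object { $_.name -eq $Name }).Count -gt 0
    if (-not ($inInclude -or $inExclude)) {
        throw "$Name is not a member of the specified SecurityGroup (checked member and excludeMember)."
    }
    [pscustomobject]@{ Name = $Name; InInclude = $inInclude; InExclude = $inExclude }
}

# Constructed sample mirroring the post's walkthrough: test* included, testSQL* excluded.
$inventory = 'testWeb01','testWeb02','testSQLReporting','testSQL02','testDomainController','prodWeb01'
$myGroup = [pscustomobject]@{
    name           = 'myGroup'
    member         = @($inventory | Where-Object { $_ -like 'test*' } |
                        ForEach-Object { [pscustomobject]@{ name = $_ } })
    excludeMember  = @($inventory | Where-Object { $_ -like 'testSQL*' } |
                        ForEach-Object { [pscustomobject]@{ name = $_ } })
    dynamicPattern = $null
}
Get-EffectiveSgMembers -SecurityGroup $myGroup -InventoryNames $inventory
Find-SgMemberList -SecurityGroup $myGroup -Name 'testSQLReporting'
Find-SgMemberList -SecurityGroup $myGroup -Name 'prodWeb01'   # throws: in neither list
```

The first call shows the testSQL* VMs dropped from the effective list even though they are in the include list; the second shows testSQLReporting reported in both lists, which is what the original cmdlet's check missed.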
The blog was very helpful, thank you.
I actually forked it from GitHub and reinstalled it, then retried the "remove" operation, but the event did not change...
Could you please tell me how to perform the remove operation from the CLI?