
Use PowerCLI to set your SDDC Firewall rules

One thing I really like about VMware is the team spirit of that company. People are always here to help you, sharing their experiences and knowledge. We have our EPIC2 values and one guy in particular stands out for Passion and Community. It’s William Lam.

He is well known in our community for his “virtuallyGhetto” blog and the 1,000+ posts he wrote over many subjects and technologies. Recently, I asked him what API I should use to retrieve the VMC SDDC Public IP address and he replied to me with a blog post! Amazing.

William wrote many PowerShell modules and, in particular, the ones for NSX-T and VMC. Download and import VMware.VMC.NSXT and VMware.VMC PowerShell modules. We will need them later.

This article describes how to automate the tasks that follow an SDDC deployment: creating logical segments, creating groups, and setting up firewall rules on the MGW (Management Gateway) and, most importantly, on the CGW (Compute Gateway).


PowerShell install on macOS

I am a Mac user and to install PowerShell, do the following:

$ brew tap caskroom/cask
$ brew cask install powershell

. . . snip. . .

installer: Package name is PowerShell – 6.1.1
installer: Installing at base path /
installer: The install was successful.
powershell was successfully installed!

Verify if any upgrades are available:

$ brew cask upgrade powershell
==> Upgrading 1 outdated package:
powershell 6.1.1 -> 6.1.3
powershell was successfully installed!

Then check the current version (it should be 6.0 or later). Note that current Homebrew has retired the "brew cask" subcommand; the equivalents today are "brew install --cask powershell" and "brew upgrade --cask powershell".

In a Terminal window, run:

$ pwsh
PowerShell 6.1.3
Copyright (c) Microsoft Corporation. All rights reserved.
Type ‘help’ to get help.
PS >

Install PowerCLI

PS > Find-Module -Name VMware.PowerCLI

Version Name            Repository Description
------- ----            ---------- -----------
        VMware.PowerCLI PSGallery  This Windows PowerShell module contains VMwa...
PS >

Save module (optional; Save-Module only downloads the module files to the folder given with -Path, without installing them):

PS > Save-Module -Name VMware.PowerCLI -Path
PS >

Install Module:

PS > Install-Module -Name VMware.PowerCLI

List available Modules:

PS > Get-Module VMware.* -ListAvailable

Ignore certificate errors. This is acceptable in a lab, but be aware that it turns off TLS certificate validation for every PowerCLI connection in that scope, so on production SDDCs trust the vCenter certificate chain instead of setting this:

PS > Set-PowerCLIConfiguration -InvalidCertificateAction Ignore

If necessary, update module with:

Update-Module VMware.PowerCLI

Install VMC Module:

Find-Module -Name VMware.VMC
Install-Module -Name VMware.VMC

Verify the connectivity with your refresh token:

PS > Connect-Vmc -RefreshToken
Server User
------ ----
       gchekroun

Installing VMware.VMC.NSXT module

Create an "init file" such as init.ps1 and paste this code. The refresh token is a long-lived credential for your whole Org, so keep this file out of version control (or read the token from an environment variable or a secret store instead of pasting it):

# Refresh token from the Cloud Services console (My Account > API Tokens).
$RefreshToken = "YOUR REFRESH TOKEN"
# Display names as shown in the VMC console, not the Org ID / SDDC ID.
$OrgName  = "YOUR ORG NAME"
$SDDCName = "YOUR SDDC NAME"
# Module manifests downloaded from the links above, placed in the current directory.
Import-Module ./VMware.VMC.NSXT.psd1
Import-Module ./VMware.VMC.psd1
# Authenticate to the VMC service, then resolve the NSX-T reverse-proxy URL for the SDDC.
Connect-Vmc -RefreshToken $RefreshToken
Connect-NSXTProxy -RefreshToken $RefreshToken -OrgName $OrgName -SDDCName $SDDCName

-OrgName takes the Org NAME (not the Org ID), and -SDDCName likewise takes the SDDC name as displayed in the console.

The modules VMware.VMC.NSXT.psd1 and VMware.VMC.psd1 are the ones we got from the links above.

Connect-NSXTProxy retrieves the NSX-T reverse-proxy URL of the SDDC; every subsequent NSX-T Policy API call in VMware Cloud on AWS goes through that URL.

Setting up a basic SDDC

A brand new SDDC comes with a single default network segment. We can create as many other logical segments as we need under the Compute Gateway.

Create logical segments

The code below will create 4 logical segments:

# Creates sddc-cgw-network-2 .. sddc-cgw-network-5, each a /24 with DHCP enabled
for ($i = 2; $i -lt 6; $i++) {
    Write-Output $i
    New-NSXTSegment -Name "sddc-cgw-network-$i" -Gateway "192.168.$i.1/24" -DHCP -DHCPRange "192.168.$i.2-192.168.$i.254"
}

Note that the route table of the connected VPC is updated with the new segment prefixes as soon as the segments are created.

Create groups

A default SDDC comes with only 3 management groups.

Groups are used in Firewall rules and it’s easy to create them.

The code below creates Compute Gateway groups based on IP addresses (fill in the IP addresses or CIDR prefixes of each group; the values are left empty here):

# Groups for two logical segments and three VPC prefixes; fill in the addresses
New-NSXTGroup -GatewayType CGW -Name LS1  -IPAddress @("")
New-NSXTGroup -GatewayType CGW -Name LS2  -IPAddress @("")
New-NSXTGroup -GatewayType CGW -Name VPC1 -IPAddress @("")
New-NSXTGroup -GatewayType CGW -Name VPC2 -IPAddress @("")
New-NSXTGroup -GatewayType CGW -Name VPC3 -IPAddress @("")
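The two procedures above (create segments, then create groups for them) can be driven from one small plan, with a check that no new prefix overlaps another planned prefix or a prefix that is already in use (the management CIDR, the connected VPC CIDR). This is an added example, not code from the original post or from William's module: New-NSXTSegment and New-NSXTGroup are the cmdlets used above, the IP arithmetic is plain PowerShell, and the reserved prefixes and the use of a CIDR string as a group member are assumptions to be replaced with your own values.

```powershell
# Added example (not from the original post). Plan-driven segment and group
# creation with an overlap check before anything is pushed to NSX-T.

function ConvertTo-IPv4Int {
    # Dotted quad -> integer so prefixes can be compared numerically.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return (([int64]$b[0]) -shl 24) -bor (([int64]$b[1]) -shl 16) -bor (([int64]$b[2]) -shl 8) -bor ([int64]$b[3])
}

function ConvertFrom-IPv4Int {
    param([int64]$Value)
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255), (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-CidrRange {
    # First and last address of a prefix as integers, plus the prefix length.
    param([string]$Cidr)
    $net, $len = $Cidr -split '/'
    $size  = [int64]1 -shl (32 - [int]$len)
    $start = (ConvertTo-IPv4Int $net) -band (-bnot ($size - 1))
    return [pscustomobject]@{ Cidr = $Cidr; PrefixLength = [int]$len; Start = $start; End = $start + $size - 1 }
}

function Test-SegmentPlan {
    # Returns one string per overlapping pair; no output means the plan is clean.
    # Planned prefixes are checked against each other and against the reserved ones.
    param([object[]]$Plan, [string[]]$Reserved)
    $ranges = @($Plan | ForEach-Object { Get-CidrRange $_.Cidr }) + @($Reserved | ForEach-Object { Get-CidrRange $_ })
    for ($i = 0; $i -lt $Plan.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            if ($ranges[$i].Start -le $ranges[$j].End -and $ranges[$j].Start -le $ranges[$i].End) {
                "$($ranges[$i].Cidr) overlaps $($ranges[$j].Cidr)"
            }
        }
    }
}

# Constructed plan: the four /24 segments used in the post.
$Plan = 2..5 | ForEach-Object { [pscustomobject]@{ Name = "sddc-cgw-network-$_"; Cidr = "192.168.$_.0/24" } }
# Assumed placeholders for the management CIDR and the connected VPC CIDR; use your own.
$Reserved = @('10.2.0.0/16', '172.31.0.0/16')

$conflicts = Test-SegmentPlan -Plan $Plan -Reserved $Reserved
if ($conflicts) { $conflicts | Write-Warning; throw 'Segment plan rejected: fix the overlaps first' }

foreach ($seg in $Plan) {
    $r = Get-CidrRange $seg.Cidr
    # Gateway = first usable address; DHCP pool = second usable through last usable.
    $gateway = "$(ConvertFrom-IPv4Int ($r.Start + 1))/$($r.PrefixLength)"
    $pool    = "$(ConvertFrom-IPv4Int ($r.Start + 2))-$(ConvertFrom-IPv4Int ($r.End - 1))"
    New-NSXTSegment -Name $seg.Name -Gateway $gateway -DHCP -DHCPRange $pool
    # One CGW group per segment (assumed to accept the CIDR as a member) so that
    # firewall rules can reference the segment by name instead of by address.
    New-NSXTGroup -GatewayType CGW -Name $seg.Name -IPAddress @($seg.Cidr)
}
```

Run Test-SegmentPlan on its own first (for example with a reserved entry of 192.168.4.0/22) to see the check refuse the plan; only the apply loop touches the SDDC.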

Create Management Gateway rules

The default SDDC comes with 3 default management rules:

  • vCenter Outbound Rule
  • ESXi Outbound Rule
  • Default Deny All

vCenter inbound

To access vCenter from the outside world we need a vCenter inbound rule. The code below deploys a "vCenter Inbound" rule that allows HTTPS, ICMP and SSO. Note that source ANY exposes the vCenter HTTPS and SSO endpoints to the whole internet: outside a lab, put your admin or VPN egress prefixes in a management group and use that group as the source instead, and set -Logged $true so that connections to the management plane are recorded.

A sequence number of 0 puts the rule at the top of the existing list, so it is evaluated before the default rules.

New-NSXTFirewall -GatewayType MGW -Name "vCenter Inbound" -SourceGroup @("ANY") `
    -DestinationGroup @("VCENTER") -Service @("HTTPS","ICMP-ALL","SSO") -Logged $false `
    -SequenceNumber 0 -Action ALLOW

Create Compute Gateway rules

Compute Gateway rules are a little bit more complex. Within the Compute environment we have 2 default rules:

  • Default VTI Rule – drop by default
  • Default Uplink Rule – drop by default

Compute Gateway rules have an "Applied To" field that limits the uplink(s) on which the rule is enforced. The possible scopes are:

  • ALL uplinks
  • Internet Interface
  • Virtual Tunnel Interface
  • Direct Connect
  • Attached VPC interfaces

The Source or Destination can also be one of the system-defined infra labels, such as:

  • Connected VPC prefixes
  • S3 Prefixes
  • Direct Connect Prefixes

These labels are passed with different parameters than the groups we created ourselves (LS1, LS2, ...). To illustrate this, let's first create an "Internet-out" rule.

“Internet-out” rule

The rule below lets the VMs in group LS1 reach the internet on any port; outside a lab, narrow -Service to the protocols the workloads actually need.

New-NSXTFirewall -GatewayType CGW -Name "Internet-out" -SourceGroup LS1 -DestinationGroup @("ANY") `
    -Service ANY -Logged $false -SequenceNumber 2 -Action ALLOW -InfraScope "Internet Interface"

Note the -InfraScope parameter that refers to the “Applied To” field.

VMC to AWS rule

Let’s now create a rule “vmc2aws” for the Elastic Network Interface to allow connections from LS1 to VPC attached subnet and S3.

New-NSXTFirewall -GatewayType CGW -Name "vmc2aws" -SourceGroup @("ANY") `
    -DestinationInfraGroup @("Connected VPC Prefixes", "S3 prefixes") -Service @("ANY") `
    -Logged $false -SequenceNumber 0 -Action ALLOW -InfraScope @("VPC Interface")

Note the -DestinationInfraGroup parameter, which takes the infra labels "Connected VPC Prefixes" and "S3 prefixes" instead of a user-created group, and the -InfraScope value "VPC Interface", which applies the rule to the ENI uplink only.

The reverse rule, for connections initiated from the VPC into the SDDC, looks like this (as written it admits any service from the VPC and S3 prefixes to every workload; in practice narrow the destination group and the services):

New-NSXTFirewall -GatewayType CGW -Name "aws2vmc" -SourceInfraGroup @("Connected VPC Prefixes", "S3 prefixes") `
    -DestinationGroup @("ANY") -Service @("ANY") -Logged $false -SequenceNumber 0 -Action ALLOW `
    -InfraScope @("VPC Interface")
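Both the Management Gateway rule and the Compute Gateway rules above are one-off cmdlet calls, so nothing stops an ANY-source rule on the management plane or an any/any/any allow on the internet uplink from being pushed. The added example below (not code from the original post or from William's module) keeps the desired MGW and CGW rules as data, lints every rule for those mistakes, and only then splats each entry into New-NSXTFirewall with the same parameters used above. The group name "Admin-Prefixes" is assumed to be an MGW group you created with your admin or VPN egress addresses, the rule set is a hardened variant of the post's rules (vCenter inbound from admins only and logged, vmc2aws restricted to LS1, aws2vmc limited to HTTPS), and the CGW check that -InfraScope is set reflects the Applied To field described above.

```powershell
# Added example (not from the original post): lint a rule set, then push it.

$Rules = @(
    @{ GatewayType = 'MGW'; Name = 'vCenter Inbound'; SourceGroup = @('Admin-Prefixes'); DestinationGroup = @('VCENTER')
       Service = @('HTTPS', 'SSO'); Logged = $true; SequenceNumber = 0; Action = 'ALLOW' },
    @{ GatewayType = 'CGW'; Name = 'Internet-out'; SourceGroup = @('LS1'); DestinationGroup = @('ANY')
       Service = @('ANY'); Logged = $false; SequenceNumber = 2; Action = 'ALLOW'; InfraScope = @('Internet Interface') },
    @{ GatewayType = 'CGW'; Name = 'vmc2aws'; SourceGroup = @('LS1'); DestinationInfraGroup = @('Connected VPC Prefixes', 'S3 prefixes')
       Service = @('ANY'); Logged = $false; SequenceNumber = 0; Action = 'ALLOW'; InfraScope = @('VPC Interface') },
    @{ GatewayType = 'CGW'; Name = 'aws2vmc'; SourceInfraGroup = @('Connected VPC Prefixes'); DestinationGroup = @('LS1')
       Service = @('HTTPS'); Logged = $true; SequenceNumber = 1; Action = 'ALLOW'; InfraScope = @('VPC Interface') }
)

function Test-SddcFirewallRule {
    # Emits one finding per problem; no output means the rule passed.
    param([hashtable]$Rule)
    $anySrc = $Rule.SourceGroup -contains 'ANY'          # $null -contains 'ANY' is $false
    $anyDst = $Rule.DestinationGroup -contains 'ANY'
    $anySvc = $Rule.Service -contains 'ANY'
    $allow  = $Rule.Action -eq 'ALLOW'
    $scope  = if ($Rule.ContainsKey('InfraScope')) { @($Rule.InfraScope) } else { @() }

    if ($Rule.GatewayType -eq 'MGW' -and $allow -and $anySrc) {
        'management plane reachable from ANY source; use a group of admin prefixes'
    }
    if ($Rule.GatewayType -eq 'MGW' -and $allow -and -not $Rule.Logged) {
        'management-plane allow rule is not logged; set -Logged $true'
    }
    if ($allow -and $anySrc -and $anyDst -and $anySvc) {
        'ANY/ANY/ANY allow; scope at least one of source, destination or service'
    }
    if ($Rule.GatewayType -eq 'CGW' -and $scope.Count -eq 0) {
        'no -InfraScope (Applied To); name the uplink the rule is meant for'
    }
    if ($Rule.GatewayType -eq 'CGW' -and $allow -and $anySrc -and ($scope -contains 'Internet Interface')) {
        'inbound on the Internet interface allowed from ANY source'
    }
}

function Invoke-SddcFirewallPlan {
    # Lint the whole set first; push nothing unless every rule is clean.
    param([hashtable[]]$Rules, [switch]$DryRun)
    $findings = foreach ($r in $Rules) {
        Test-SddcFirewallRule -Rule $r | ForEach-Object { "$($r.GatewayType) '$($r.Name)': $_" }
    }
    if ($findings) { $findings | Write-Warning; throw 'Rule set rejected; fix the findings before pushing' }
    foreach ($r in $Rules) {
        if ($DryRun) { "Would create $($r.GatewayType) rule '$($r.Name)' at sequence $($r.SequenceNumber)" }
        else { New-NSXTFirewall @r }   # splat: same parameters as the calls above
    }
}

# The post's original vCenter Inbound rule (source ANY, unlogged) produces two findings.
$weak = @{ GatewayType = 'MGW'; Name = 'vCenter Inbound'; SourceGroup = @('ANY'); DestinationGroup = @('VCENTER')
           Service = @('HTTPS', 'ICMP-ALL', 'SSO'); Logged = $false; SequenceNumber = 0; Action = 'ALLOW' }
Test-SddcFirewallRule -Rule $weak

# The hardened set passes the lint; drop -DryRun to push it through the NSX-T proxy.
Invoke-SddcFirewallPlan -Rules $Rules -DryRun
```

Keeping the rules as data also makes review easy: the rule set can live in version control next to init.ps1 (without the token), and a change to a source group or a service shows up as a one-line diff rather than a console click.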

With this, we are now able to use PowerCLI to configure our Management and Compute Gateway Firewall rules.

Download the “Create_SDDC_FW.ps1” file here.