VMware NSX: Creating empty IPsets via the REST API (using CURL)

Within NSX there are several ways to define source and destination objects. These objects can range from virtual machines, clusters and vNICs to IP sets. The creation of empty IP sets is something I want to highlight here. Why would you want to create empty IP sets, you may ask? Just because we can! And maybe a little bit because I recently encountered a use case at a customer where it was required to pre-create universal IP sets (multi-site NSX) and link them to a certain universal security group.

The problem

At first sight it may seem easy to create empty IP sets. Just go to the “Networking & Security” tab in the VMware vCenter web client, go to NSX managers, choose your NSX manager, click manage, Grouping Objects, IP Sets and click the plus icon, give it a name and try to press Ok… Unfortunately this will not work. You cannot create empty IP sets via the VMware vCenter web client.

Luckily we still have an option: the REST API!

To show you how to do it via VMware NSX REST API, I will use my favorite tool to make REST calls: curl.

First we will construct our XML payload for the create (POST) request:

<?xml version="1.0" encoding="UTF-8"?>
<ipset>
    <objectId />
    <type>
        <typeName />
    </type>
    <description>Empty IP set?</description>
    <name>EmptyIpSet</name>
    <revision>0</revision>
    <objectTypeName />
    <value />
    <isUniversal>true</isUniversal>
</ipset>

So we will convert this XML data with empty value to a single string and use it in our curl request:

curl -X POST https://<<NSX MANAGER>>/api/2.0/services/ipset/globalroot-0 -k -u <<USERNAME>>:<<PASSWORD>> -H "Content-Type: application/xml" -d "<ipset><objectId/><type><typeName/></type><description>Empty IP set?</description><name>EmptyIpSet</name><revision>0</revision><objectTypeName/><value></value><isUniversal>true</isUniversal></ipset>"

Will it work when we run this command? No… You will receive this output:

<?xml version="1.0" encoding="UTF-8"?>
curl: (56) SSLRead() return error -9806
<error>
     <details>
         The data format :  is invalid. Expected format : 192.168.1.1/32.
     </details>
     <errorCode>200</errorCode>
     <moduleName>core-services</moduleName>
</error>

So the REST API also checks for empty values…

The solution

The solution to the issue encountered above is rather easy. The REST API does validate the value tags when they are present, even when they are empty, but it is not a requirement to have the value tags at all! So this means that with a simple modification to our XML data we can create our empty IP set:

<?xml version="1.0" encoding="UTF-8"?>
<ipset>
    <objectId />
    <type>
        <typeName />
    </type>
    <description>Empty IP set?</description>
    <name>EmptyIpSet</name>
    <revision>0</revision>
    <objectTypeName />
    <isUniversal>true</isUniversal>
</ipset>

So we modify our curl request:

curl -X POST https://<<NSX MANAGER>>/api/2.0/services/ipset/globalroot-0 -k -u <<USERNAME>>:<<PASSWORD>> -H "Content-Type: application/xml" -d "<ipset><objectId/><type><typeName/></type><description>Empty IP set?</description><name>EmptyIpSet</name><revision>0</revision><objectTypeName/><isUniversal>true</isUniversal></ipset>"

Afterwards we will receive the ID of the newly created IP set. When we check the VMware vCenter web client we will see that the empty IP set is present.
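
The same request as a reusable script, for anyone who wants to pre-create several empty IP sets. This is an added example, not part of the original post: it builds the payload without the value tags, escapes the name and description, and replaces -k and the inline password with certificate verification and a netrc file. The function names and the NSX_MANAGER, NSX_CA_BUNDLE and NSX_NETRC environment variables are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. NSX_MANAGER, NSX_CA_BUNDLE and
# NSX_NETRC are assumed environment variables; function names are hypothetical.

# Escape XML metacharacters so a name or description cannot smuggle extra
# elements (for example a <value> tag) into the request body.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Build the body the post ends up with: every element except <value>.
# Arguments: name, description, isUniversal (true or false).
build_empty_ipset() {
    case "$3" in
        true|false) ;;
        *) echo "isUniversal must be true or false" >&2; return 1 ;;
    esac
    printf '<ipset><objectId/><type><typeName/></type><description>%s</description><name>%s</name><revision>0</revision><objectTypeName/><isUniversal>%s</isUniversal></ipset>' \
        "$(xml_escape "$2")" "$(xml_escape "$1")" "$3"
}

# Succeeds only if no <value> element is present, empty or otherwise.
is_empty_ipset_payload() {
    case "$1" in
        *"<value"*) return 1 ;;
    esac
    return 0
}

# POST the payload to the endpoint used in the post. The certificate is
# verified against NSX_CA_BUNDLE (no -k) and credentials come from a netrc
# file, so the password stays out of the process list and shell history.
create_empty_ipset() {
    payload=$(build_empty_ipset "$1" "$2" "$3") || return 1
    is_empty_ipset_payload "$payload" || { echo "payload has <value>" >&2; return 1; }
    # --fail turns a non-2xx response into a non-zero exit status.
    printf '%s' "$payload" | curl --fail --silent --show-error \
        --cacert "$NSX_CA_BUNDLE" --netrc-file "$NSX_NETRC" \
        -X POST -H 'Content-Type: application/xml' --data-binary @- \
        "https://$NSX_MANAGER/api/2.0/services/ipset/globalroot-0"
}
```

After sourcing the file, create_empty_ipset EmptyIpSet "Empty IP set?" true sends the request from the solution above.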

Conclusion

It is possible to create empty IP sets via the REST API. Just leave out the value XML tags and it will be created.

yannickstruyf