top of page
  • Rajeshkumar M

SRM - NSX-T Federation Tag replication and recovery

Updated: Jan 28, 2023

NSX-T TAG’s are location specific, if we create any group based on the TAG to apply global distributed firewall rule, the rule will not get applied at recovery site since the recovery site doesn’t have primary site NSX-T TAG visibility on the recovery site local manager.

From NSX-T 3.2 version we have an option to replicate the TAG’s from one location to other location.

I have created a NSX-T Tag named vrops-ssh-disable and included the vROPS nodes vrops01 and vrops02, then created a group with the members based on this TAG, also a firewall rule created to disable ssh access to the vROPS VM’s.

I did setup tag replication form Primary Site A to recovery Site B, when the VM’s recovered on Site B the tag will get created in NSX-T and the DWF rule will enforced.

This is only for TAG based group members, if we use name or IP based group it will get enforced automatically.

Fig 1

Fig 1, created a NSX-T tag named vrops-ssh-disable then assigned the TAG to two vROPS nodes connected over stretched network in the Primary location Site-A local manager.

Fig 2

Fig 2, vrops01 and vrops02 VM’s are assigned with the NSX-T tag vrops-ssh-disable.

Fig 3

Fig 3, created a group named Infra_vROPS in global manager with Global region.

Fig 4

Fig 4, defined a criteria to include VM’s based on the vrops-ssh-disable tag in Infra_vROPS group.

Fig 5

Fig 5, a distributed firewall rule defined to drop SSH traffic for Infra_vROPS group.

Fig 6

Fig 6, the Site B location manager doesn’t have the TAG, I’m going to replicate the tag vrops-ssh-disbale to Site B local manager.

Tag Replication

I used below API call to setup tag replication associated with Infra_vROPS from Site-A-Local manager to recover site Site-B-Local. We have two match criteria to copy the TAG’s MATCH_BIOS_UUID_NAME or MATCH_NSX_ATTACHMENT_ID. SRM supports both, we can use any of this based on the support of your DR solution. If you have different recovery solution make which criteria that will support your DR solution.

curl -k -X PUT -H "Accept: application/json" -H "Content-Type: application/json" -u 'username:password' 'https://site-a-nsxg.corp.local/global-manager/api/v1/global-infra/vm-tag-replication-policies/infra-vrops-rep-policy' -d '@data.json'

Post JSON data.json

    "display_name":"vm tag replication policy Site A to Site B",
   "description":"vm tag replication ",
   "protected_site": "/global-infra/sites/Site-A-Local",
   "recovery_sites": [
   "vm_match_criteria": "MATCH_BIOS_UUID_NAME"

Replication Policy Check

Replication policy can be checked with below API call.

curl -k -X GET -H "Accept: application/json" -H "Content-Type: application/json" -u 'username:password' 'https://site-a-nsxg.corp.local/global-manager/api/v1/global-infra/vm-tag-replication-policies'


 "result_count" : 1,
  "results" : [ {
   "protected_site" : "/global-infra/sites/Site-A-Local",
   "recovery_sites" : [ "/global-infra/sites/Site-B-Local" ],
   "vm_match_criteria" : "MATCH_BIOS_UUID_NAME",
    "groups" : [ "/global-infra/domains/default/groups/Infra_vROPS" ],
   "resource_type" : "VMTagReplicationPolicy",
    "id" : "infra-vrops-rep-policy",
   "display_name" : "vm tag replication policy Site A to Site B",
   "description" : "vm tag replication ",
    "path" : "/global-infra/vm-tag-replication-policies/infra-vrops-rep-policy",
    "relative_path" : "infra-vrops-rep-policy",
   "parent_path" : "/global-infra",
   "unique_id" : "3e28a56c-0179-4583-86cd-0b7d19c11089",
   "marked_for_delete" : false,
   "overridden" : false,
   "_create_time" : 1672244584834,
   "_create_user" : "admin",
   "_last_modified_time" : 1672244584834,
   "_last_modified_user" : "admin",
   "_system_owned" : false,
   "_protection" : "NOT_PROTECTED",
   "_revision" : 0
  } ],
  "sort_by" : "display_name",
 "sort_ascending" : true

In the groups field i have include a group Infra_vROPS in the api call, if we have multiple group then comma separated value can be added like below.

"groups" : [ "/global-infra/domains/default/groups/Infra_vROPS", "/global-infra/domains/default/groups/another_group" ],

VM recovery on Site B

Fig 7

Fig 7, Using SRM to recover VM’s on the Site B recovery site.

Fig 8

Fig 8, after recover the tag vrops-ssh-disable appeared on local location manager Site-B-Local.

Fig 9

Fig 9, Now the global group Infra_vROPS tag criteria matched and the VM are listed in the group members as Site-B-Local.

Fig 10

Fig 10, the distributed firewall rule get enforced to the vROPS VM’s recovered in Site-B.

If you want to delete the TAG replication policy use below command

curl -k -X DELETE -H "Accept: application/json" -H "Content-Type: application/json" -u 'user:password' 'https://site-a-nsxg.corp.local/global-manager/api/v1/global-infra/vm-tag-replication-policies/infra-vrops-rep-policy' 

138 views0 comments

Recent Posts

See All

vSphere Tags to NSX-T Tags

I created a simple powercli script to copy the vSphere Tags to NSX-T, it helped me to copy the NSX-T tags on the recovery VM's in non-federated/local NSX-T managers. Since SRM retain the vSphere TAG's

vIDM Locl user password reset without email link

When resetting config admin or any local user password in VMware identity manager will trigger an email link, if in case the smtp is not working/configured we can use API call to reset the password. Y


bottom of page