NSX-v – How to find Object IDs for almost everything!

When starting out with the NSX-v API, you will quickly learn that there are times when you are required to reference an object. For example, when you want to add a member to a security group, you need to know the object ID of the object you want to add, as well as the object ID of the security group itself.

When using the NSX-v UI, you can try as hard as you want, but you aren't going to be able to find the security group object ID. So how do you find it?

There are 2 ways via the NSX-v API.

The first is to hit the following API that will return all the configured Security Groups along with their complete configuration.

In the response, you can parse the XML, match the name to the security group you are looking for, and then find the object ID.

This is a perfectly valid method, but it's not the most efficient one when working at scale. I will explain why.

When you are working in an environment at scale, you can potentially have thousands of security groups, and the configuration of each security group contains the dynamic rules configured along with the object details of every statically included and excluded member. In smaller environments, retrieving the configuration of all security groups may be acceptable, but imagine pulling down the complete configuration of 5000 security groups, each with at least a couple of member objects. That's a lot of data just to find the object ID of a single security group.

Although there is no native filtering ability in the NSX-v API, knowing your way around means that you can use other APIs to your advantage.

Applicable Members API.

Within the NSX-v UI, when you edit a security group and want to include an object as a member, it presents you with a dialog box that gives you a list of objects to choose from.


Everything that you can choose in this window to add as a member of the security group is referred to as an applicable member.

It is possible to retrieve the complete list of applicable member objects for a security group via the following API.

For all the examples I am showing here, whenever scopeId is used, we will be referring to the scope called globalroot-0.

The output will be something similar to the following.

You will also notice that every object in the list has an associated memberType, which is shown in the objectTypeName element. To retrieve a list of all the possible memberTypes, you can use the following API:

This is the list of member types returned.

Now that you know the different memberTypes, it is possible to filter for the objects you're looking for with the following API:

So as an example, to filter just on security groups in globalroot-0, you could use the following API:

And as another example, you could retrieve a list of virtual machines using the following:

Which would return a list of all the virtual machines as reported by vCenter.

So in the example above, you can see that I can actually retrieve the moref (objectId) for a virtual machine without ever making a connection to vCenter!

The concept that I have just shown you also applies to NSX Services and Service Groups.

The APIs for this are as follows:

Example output containing both services and service groups.

This little bit of knowledge may not be very useful when writing quick and dirty scripts. However, when it comes to writing scripts that will need to perform 100s or maybe 1000s of lookups of objectIds, I use the output of the applicable members APIs to download a local cache so that I can perform quick lookups on it. I will cover how to do that in a future post.
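
One way to build the kind of local lookup cache described above, as an added example that is not the author's code: it indexes an applicable members response by member type and name, and refuses to return an ID when a name matches more than one object, so a script never adds the wrong object to a security group. The sample XML is constructed, and the `basicinfo`, `objectId` and `name` element names are assumptions; only `objectTypeName` is named in the post.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample response (not captured from a real NSX Manager).
# Element names other than objectTypeName are assumptions for this example.
SAMPLE_XML = """<list>
  <basicinfo><objectId>securitygroup-10</objectId><objectTypeName>SecurityGroup</objectTypeName><name>SG-Web</name></basicinfo>
  <basicinfo><objectId>securitygroup-11</objectId><objectTypeName>SecurityGroup</objectTypeName><name>SG-App</name></basicinfo>
  <basicinfo><objectId>vm-101</objectId><objectTypeName>VirtualMachine</objectTypeName><name>web01</name></basicinfo>
  <basicinfo><objectId>vm-202</objectId><objectTypeName>VirtualMachine</objectTypeName><name>web01</name></basicinfo>
</list>"""


class AmbiguousName(LookupError):
    """More than one object of the same type shares the requested name."""


def build_cache(xml_text):
    """Index every entry as (objectTypeName, name) -> list of objectIds."""
    cache = defaultdict(list)
    for item in ET.fromstring(xml_text).iter("basicinfo"):
        obj_id = item.findtext("objectId")
        obj_type = item.findtext("objectTypeName")
        name = item.findtext("name")
        # Skip incomplete entries instead of caching a partial key.
        if obj_id and obj_type and name:
            cache[(obj_type, name)].append(obj_id)
    return dict(cache)


def lookup(cache, member_type, name):
    """Return the single objectId for a name; never guess between duplicates."""
    ids = cache.get((member_type, name), [])
    if not ids:
        raise KeyError(f"no {member_type} named {name!r}")
    if len(ids) > 1:
        raise AmbiguousName(f"{member_type} {name!r} matches {sorted(ids)}")
    return ids[0]


if __name__ == "__main__":
    cache = build_cache(SAMPLE_XML)
    print(lookup(cache, "SecurityGroup", "SG-Web"))
```

Keying on the member type as well as the name keeps a virtual machine and a security group with the same display name from colliding in the cache.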



