Python Script to import Distributed Firewall Rules recommended by vRNI to NSX-T on-prem or VMC on AWS SDDC

vRealize Network Insight – Guide to importing recommended DFW rules to NSX-T or VMC SDDC using Python Script.


  • Python 3.7 or above
  • The requests, json, argparse, sys, glob, os, xml.dom, xml.etree.ElementTree and getpass Python libraries installed (all but requests ship with the Python standard library)
  • Connectivity to the internet from where script will be executed
  • Connectivity to VMC SDDC over HTTPS (443)
  • Connectivity to NSX-T Manager or VIP over HTTPS (443)


Follow steps below:

Step: Download script by clicking “Download” button on this page


Step: Copy VMC Refresh token

Login to

Click ‘My Account’ -> ‘API Tokens’ tab -> ‘Generate Token’ or Regenerate an existing token

Token must have NSX Cloud Admin service role under VMC on AWS service.

Copy token


Step: Collect SDDC ID and VMC Organizational ID

Login to

Select “VMware Cloud on AWS” under “My Services” -> Click desired SDDC -> Click Support

Copy Org ID and SDDC ID



Step: Copy NSX-T Manager or VIP URL ( https://manager.fqdn/ )

Note: Must use the full URL, including https:// and the trailing /



Step: Export application rules

  • Log into vRNI
  • Search for “Plan security of application NAME” (changing NAME to the application name you would like to secure)
  • Select the three dots at the top right of the security donut diagram -> click “Export to XML”
  • Unzip the .zip file
  • Take note of the directory or folder location of the data center folder you will be importing rules for



Step: Run script

  • Use --help for details on available arguments ( [--help] [--orgid ORGID] [--rulefolder RULEFOLDER] [--sddcid SDDCID] [--refreshtoken REFRESHTOKEN] [--verbose] [--appname APPNAME] [--enablerules] [--nsxtusesr] [--nsxturl] )
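The steps above end with the script turning the vRNI export into NSX-T Policy objects. The following is an added example written for this page, not the downloadable script itself: it parses a constructed XML in an assumed shape (the real vRNI export schema is not shown here, so the element names `application`, `tier` and `rule` are assumptions), builds one empty group per tier and one security policy whose rules are disabled unless the equivalent of `--enablerules` is passed, and shows how those payloads would be PATCHed to NSX-T on-prem or to a VMC SDDC. The refresh token is read from an environment variable in this example rather than from the command line, so it does not land in shell history or process listings.

```python
"""Build NSX-T Policy payloads from a vRNI 'Plan security' export (added example)."""
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape this example ASSUMES for the vRNI export.
SAMPLE_XML = """<?xml version="1.0"?>
<application name="payroll">
  <tiers>
    <tier name="web"/>
    <tier name="app"/>
    <tier name="db"/>
  </tiers>
  <rules>
    <rule src="web" dst="app" protocol="TCP" port="8443" action="ALLOW"/>
    <rule src="app" dst="db" protocol="TCP" port="5432" action="ALLOW"/>
    <rule src="db" dst="web" protocol="ANY" port="" action="DROP"/>
  </rules>
</application>
"""


def nsx_id(text: str) -> str:
    """Reduce a display name to a safe NSX Policy object id (URL path segment)."""
    return "".join(c if c.isalnum() or c in "-_" else "-" for c in text.lower())


def service_fields(rule) -> dict:
    """Return the rule fields describing the service: 'ANY' or an inline L4 entry."""
    proto = (rule.get("protocol") or "ANY").upper()
    if proto == "ANY":
        return {"services": ["ANY"]}
    return {"service_entries": [{
        "resource_type": "L4PortSetServiceEntry",
        "display_name": f"{proto}-{rule.get('port')}",
        "l4_protocol": proto,
        "destination_ports": [rule.get("port")],
    }]}


def build_payloads(xml_text: str, enable_rules: bool = False, domain: str = "default"):
    """Return (groups, security_policy) dicts for the NSX-T Policy API.

    Groups are created with an empty expression, i.e. NO members: until group
    membership is populated the rules match nothing (see the note on this page).
    Rules are created disabled unless enable_rules is set (the --enablerules idea).
    """
    root = ET.fromstring(xml_text)
    app = nsx_id(root.get("name"))
    groups = {}
    for tier in root.iter("tier"):
        gid = nsx_id(f"{app}-{tier.get('name')}")
        groups[gid] = {"display_name": gid, "expression": []}
    rules = []
    for n, rule in enumerate(root.iter("rule"), start=1):
        src, dst = (nsx_id(f"{app}-{rule.get(k)}") for k in ("src", "dst"))
        if src not in groups or dst not in groups:
            raise ValueError(f"rule {n} references a tier that is not in the export")
        body = {
            "id": f"{app}-rule-{n}",
            "display_name": f"{app}-rule-{n}",
            "sequence_number": n * 10,
            "source_groups": [f"/infra/domains/{domain}/groups/{src}"],
            "destination_groups": [f"/infra/domains/{domain}/groups/{dst}"],
            "action": rule.get("action", "DROP"),
            "disabled": not enable_rules,   # safe default: review before enforcing
        }
        body.update(service_fields(rule))
        rules.append(body)
    policy = {"display_name": f"{app}-recommended", "category": "Application", "rules": rules}
    return groups, policy


def vmc_session():
    """Exchange a CSP refresh token (from the environment) for an API session."""
    import requests
    token = os.environ["VMC_REFRESH_TOKEN"]          # never pass this on argv
    r = requests.post("https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize",
                      data={"refresh_token": token}, timeout=30)
    r.raise_for_status()
    s = requests.Session()
    s.headers["csp-auth-token"] = r.json()["access_token"]
    return s


def push(session, nsx_url: str, domain: str, groups: dict, policy: dict, policy_id: str):
    """PATCH groups then the policy; on VMC the DFW domain is 'cgw', on-prem 'default'."""
    base = nsx_url.rstrip("/") + f"/policy/api/v1/infra/domains/{domain}"
    for gid, body in groups.items():
        session.patch(f"{base}/groups/{gid}", json=body, timeout=30).raise_for_status()
    session.patch(f"{base}/security-policies/{policy_id}", json=policy, timeout=30).raise_for_status()


if __name__ == "__main__":
    groups, policy = build_payloads(SAMPLE_XML)
    print(len(groups), "groups,", len(policy["rules"]), "rules (disabled)")
    # push(vmc_session(), "https://nsx-sddc.example/", "cgw", groups, policy, "payroll-recommended")
```

For an on-prem NSX-T Manager the same `push` call works with a `requests.Session` whose `auth` is set to the manager credentials (prompted with `getpass`, as the script's dependency list suggests) and `domain="default"`. Review the disabled rules and populate the group memberships before enabling anything.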



***NOTE*** While security groups will be created based off the tier names within the application rules, these created security groups are not populated with the respective VM or IP address members by this script. In order for rules to apply to appropriate source and destination objects, security group memberships should be populated.




Trey Tyler <>

Kevin Forbes <>

