Press "Enter" to skip to content

Protecting VMs by tag with Rubrik REST APIs

Joshua Stenhouse 4

Following on from my last post on getting vSphere Tags by REST API, in this post I’m going to share my extension of the script to automate VM protection in Rubrik using vSphere tags via REST APIs.

If we boil it down the minimum PowerShell code required, then protecting VMs by tag is as simple as:

Import-Module Rubrik
Import-Module VMware.PowerCLI
$RubrikCreds = Get-Credential -Message "Enter Rubrik Creds"
$vCenterCreds = Get-Credential -Message "Enter vCenter Creds"
Connect-Rubrik -Server "" -Credential $RubrikCreds
Connect-VIServer -Server “hchlv2vcenter.lab.local” -Credential $vCenterCreds
Protect-RubrikTag -Category "Rubrik" -Tag "Protect" -SLA "Tier1-Gold" 

So if any vendor is telling you that their solution is superior because vSphere tag protection is in their UI, they just boiled down their competitive differentiation to 7 lines of PowerShell. Fail.

One challenge with the above script is that it does rely on PS modules. If you relate back to my vSphere tags by REST API post the use case was for a large health insurance provider who didn’t have internet access or permission to load modules locally.  This meant we needed to use Invoke-RestMethod directly from PowerShell to interact with both the vCenter and Rubrik REST APIs rather than use the modules.

The prospect also gave me some additional design requirements:

  • By default show “what if” and not make changes in Rubrik
  • Easily configurable to apply the protection
  • Support multiple vCenters
  • Process a CSV list of all categories/tags that need an SLA assigned to the VMs
  • Correct any VMs that have existing protection applied, but doesn’t match the vSphere tag
  • Run headless so it can be scheduled

Here’s the result of what I built both in PowerShell 5.1 and 6.x:

Both scripts come with a sample CSV. Simply edit the variables at the start, put your assigned tags into the CSV and run the scipt. On the first run the PowerShell 5.1 script will prompt then save your credentials securely into an XML file in the script directory for subsequent headless runs.

If you found this useful please follow me on twitter for future scripts and musings. Happy scripting,

  1. Greg Carter Greg Carter

    Hi Josh, thanks for the work on this. Do you have a script that instead of on-demand protecting via tags you can automatically add multiple VMs to SLAs based on tags? Thanks

    • Joshua Stenhouse Joshua Stenhouse

      No need anymore! Upgrade to CDM 5.1 and its native in the UI..

      • Greg Carter Greg Carter

        Sorry I mistyped, it should be automatically add multiple VMs to “Organizations” based on tags?

      • Joshua Stenhouse Joshua Stenhouse

        Ahh, that is certainly possible by the API but the native tag integration is for SLAs not for organizations. Put your name and email into the drift chatbot and I’ll have a look and come back to you.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: