One of the more powerful features that VMware has added to several product lines lately has been vSphere tags. As time has gone on support for these tags has been added to other products beyond just vSphere vCenter such as vRealize Operations and PowerCLI cmdlets. I still see engineers ask why someone would use tags instead of the older school custom attributes, so I figured I’d show how we use them in my job.

We utilize tags in two specific ways. The first is to use the tags to filter groups of VMs for PowerCLI reporting. In our case we have tags created for each Engineering team so we can customize these reports only for the virtual guests that they have access to.

The second use for these vSphere tags is to filter objects in vRealize Operations for dashboards, policies, alerts, etc. Eventually reports from vRealize Operations may even replace the PowerCLI reports since most of the properties and metrics are already collected from vCenter.


As an example we’ll create the tags for a team called the “SecurityTeam” which have the SystemOwner category role where they manage the OS. In our case we only have one team managing a server. But feel free to use multiple cardinality if you have multiple teams that manage the OS.

In PowerCLI to create the tag category and tags we would run the following:

    New-TagCategory -name "SystemOwner" -Cardinality "single" -EntityType "VirtualMachine"

Now we create the actual team tag:

    New-Tag -Name "SecurityTeam" -Category "SystemOwner"

The tricky part next is to apply the tag to the VMs. In our environment we typically have a VM folder for each team so it’s fairly easy to run the following to apply the tags:

    get-datacenter DC | get-folder SecurityTeam | Get-VM | New-TagAssignment -Tag "SecurityTeam"

In our large environment we’ve actually applied these tags to folders and have a nightly script automatically assign the tags to the VMs in the folders making it a bit easier to manage. I’ll discuss how that’s done in a future post.

PowerCLI Reports

Now that we have tags to filter on it’s a easy to customize any existing PowerCLI reports you may have. vCheck for example, or any other reporting scripts you may find around.

In the beginning of a report script you could have something like the following:

    $tagCategory = "SystemOwner"
    $tagTeam = "SecurityTeam"
    #Note that I'm not using the -category parameter due to differences between vCenter 6.0 and 6.5 currently.
    $tagsToFilterWith = Get-Tag $teamTag | Where-Object {$_.category -match     $tagCategory}
    $teamVMs = Get-VM -tag $tagsToFilterWith

Now that we have only the team VMs we can run a query or report. For example:

    $teamVMs | select Name, Description, PowerState, NumCpu, MemoryGB

You can even expand this idea if you turn your report scripts into functions or call the script from an external batch file by converting the tag variables to parameters. For example:

    Function ReportTeamVMs {
       $results = Get-VM -tag (Get-Tag $teamTag|Where-Object {$_.category -match $tagCategory})
      return $results

Now that you have a function you can run it for different teams in the same report, assuming you’ve setup all the tags.

    ReportTeamVMs -tagCategory "SystemOwner" -tagTeam "SecurityTeam"
    ReportTeamVMs -tagCategory "SystemOwner" -tagTeam "UnixTeam"


Hopefully this gives you some ideas on uses for PowerCLI reporting and tags. Some category examples we tend to use are SystemOwner, ApplicationOwner, ServiceOwner, etc. The nice thing is you can mix and match your searches and combine them if you wanted to.

In the next post I’ll show how we can now use the tags above in vRealize Operations to do similar groupings of our VMs.

Additional Resources

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s