Security tags that you create and assign to virtual machines help you to define NSX-T Data Center edge gateway firewall rules and distributed firewall rules for data center groups with an NSX-T Data Center network provider type.

  • Verify that your system administrator has published the Security tag edit right to your organization and that your role includes this right.
  • Verify that your role includes the vApp: Edit Properties right.

Starting with VMware Cloud Director 10.3, you can create security groups with a dynamic membership that is based on VM characteristics, such as VM names and VM tags. To include a VM in a dynamic security group, you create security tags to assign to the VM. You use dynamic groups to create distributed firewall rules and edge gateway firewall rules that are applied on a per-VM basis in a data center group networking context.


  1. In the top navigation bar, click Applications and then click the Virtual Machines tab.
  2. In the card of the virtual machine you want to edit, click Details.
  3. Click Security Tags and click Add.
  4. To add an existing security tag to the VM, click the drop-down menu and select a tag.
  5. To create a new security tag to assign to the VM, enter a value for the tag and click Add tag.
  6. To save the changes, click Submit.

What to do next

  1. Create dynamic groups of virtual machines based on the tags that you assigned.
  2. Use the dynamic groups that you created to add distributed firewall rules to the data center group or to add firewall rules to an NSX-T Data Center edge gateway that is scoped to the data center group. See: