Security tags are VMware Cloud Director labels which can be associated with a virtual machine or a group of virtual machines.
Security tags are designed to be used with security groups. Once you create the security tags, you associate them with a security group which can be used in firewall rules. You can create, edit, or assign a user-defined security tag. You can also view which virtual machines or security groups have a particular security tag applied.
A common use case for security tags is to dynamically group objects to simplify firewall rules. For example, you might create several different security tags based on the type of activity you expect to occur on a given virtual machine. You create a security tag for database servers and another one for email servers. Then you apply the appropriate tag to virtual machines that house database servers or email servers. You then assign the tag to a security group and write a firewall rule against that group, applying different security settings depending on whether the virtual machine is running a database server or an email server. If you later change the functionality of the virtual machine, you can remove the virtual machine from the security tag rather than editing the firewall rule.
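The grouping described above, as an added example (not VMware code and not the Cloud Director API): a small Python model over a constructed inventory that resolves tag to security group to firewall rule, shows that retagging a virtual machine changes which rules apply without editing any rule, and flags tags that no security group includes. All names (vm-db01, sg-databases, the rule names) are assumptions made for illustration.

```python
# Constructed inventory (not exported from Cloud Director): tag -> VMs carrying it.
TAGS = {
    "db-server": {"vm-db01", "vm-db02"},
    "mail-server": {"vm-mail01"},
    "sensitive-data": {"vm-db02"},  # assigned to a VM, but no group includes it
}
# Security group -> tags it includes as members.
GROUPS = {
    "sg-databases": {"db-server"},
    "sg-mail": {"mail-server"},
}
# Firewall rules are written against security groups, never individual VMs.
RULES = [
    {"name": "allow-sql-from-app", "destination": "sg-databases"},
    {"name": "allow-smtp-inbound", "destination": "sg-mail"},
]


def group_members(group, tags=TAGS, groups=GROUPS):
    """Resolve a security group to the VMs that currently carry its tags."""
    members = set()
    for tag in groups.get(group, set()):
        members |= tags.get(tag, set())
    return members


def effective_rules(vm, tags=TAGS, groups=GROUPS, rules=RULES):
    """Names of the rules whose destination group currently contains vm."""
    return sorted(r["name"] for r in rules
                  if vm in group_members(r["destination"], tags, groups))


def tags_without_group(tags=TAGS, groups=GROUPS):
    """Tags assigned to VMs that no security group includes (no firewall effect)."""
    grouped = set().union(*groups.values())
    return sorted(t for t, vms in tags.items() if vms and t not in grouped)


def retag(vm, old_tag, new_tag, tags=TAGS):
    """Return a copy of the tag map with vm moved from old_tag to new_tag."""
    updated = {t: set(vms) for t, vms in tags.items()}
    updated[old_tag].discard(vm)
    updated.setdefault(new_tag, set()).add(vm)
    return updated


if __name__ == "__main__":
    print(effective_rules("vm-db01"))
    print(tags_without_group())
    moved = retag("vm-db01", "db-server", "mail-server")
    print(effective_rules("vm-db01", tags=moved))
```

A tag reported by `tags_without_group` marks virtual machines that look classified but receive no rule from that classification, which is worth checking before relying on the tag.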
Create and Assign Security Tags by Using Your VMware Cloud Director Tenant Portal
By using the VMware Cloud Director Tenant Portal, you can create a security tag and assign it to a virtual machine or a group of virtual machines.
You create a security tag and assign it to a virtual machine or a group of virtual machines.
Procedure
Results
The security tag is created and, if you chose to assign it, is assigned to the selected virtual machines.
What to do next
Security tags are designed to work with a security group. For more information about creating security groups, see Create a Security Group by Using Your VMware Cloud Director Tenant Portal.
Change the Security Tag Assignment by Using Your VMware Cloud Director Tenant Portal
After you create a security tag, by using the VMware Cloud Director Tenant Portal, you can manually assign it to virtual machines. You can also edit a security tag to remove the tag from the virtual machines to which you have already assigned it.
If you have created security tags, you can assign them to virtual machines. You can use security tags to group virtual machines for writing firewall rules. For example, you might assign a security tag to a group of virtual machines with highly sensitive data.
Procedure
Results
The security tag is assigned to the selected virtual machines.
What to do next
Security tags are designed to work with a security group. For more information about creating security groups, see Create a Security Group by Using Your VMware Cloud Director Tenant Portal.
View Applied Security Tags by Using Your VMware Cloud Director Tenant Portal
By using the VMware Cloud Director Tenant Portal, you can view the security tags applied to virtual machines in your environment. You can also see the security tags that are applied to security groups in your environment.
Prerequisites
A security tag must have been created and applied to a virtual machine or to a security group.
Procedure
- On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.
- Select a security service and click Configure services.
- View the assigned tags from the Security Tags tab.
  - On the Security Tags tab, select the security tag for which you want to see assignments, and click the Edit icon.
  - Under Assign/Unassign VMs, you can see the list of virtual machines assigned to the security tag.
  - Click Discard.
- View the assigned tags from the Security Groups tab.
  - Click the Grouping Objects tab, and click Security Groups.
  - Select a security group.
  - From the list under Include Members, you can see the security tag assigned to a security group.
Results
You can view the existing security tags and associated virtual machines and security groups. This way, you can determine a strategy for creating firewall rules based on security tags and security groups.
Edit a Security Tag by Using Your VMware Cloud Director Tenant Portal
By using the VMware Cloud Director Tenant Portal, you can edit a user-defined security tag.
If you change the environment or function of a virtual machine, you might also want to use a different security tag so that firewall rules are correct for the new machine configuration. For example, if you have a virtual machine where you no longer store sensitive data, you might want to assign a different security tag so that firewall rules that apply to sensitive information are no longer run against the virtual machine.
Procedure
- On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.
- Select a security service and click Configure services.
- Click the Security Tags tab.
- From the list of security tags, select the security tag that you want to edit.
- Click the Edit button.
- Edit the name and the description of the security tag.
- Assign the tag to or remove the assignment from the virtual machines that you select.
- To save your changes, click Keep.
What to do next
If you edit a security tag, you might also need to edit an associated security group or firewall rules. For more information about security groups, see Working with Security Groups for NSX Data Center for vSphere Edge Gateways by Using Your VMware Cloud Director Tenant Portal.
Delete a Security Tag by Using Your VMware Cloud Director Tenant Portal
By using the VMware Cloud Director Tenant Portal, you can delete a user-defined security tag.
You might want to delete a security tag if the function or environment of the virtual machine changes. For example, if you have a security tag for Oracle databases, but you decide to use a different database server, you can remove the security tag so that firewall rules that apply to Oracle databases no longer run against the virtual machine.
Procedure
- On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and under Networking, select Security.
- Select a security service and click Configure services.
- Click the Security Tags tab.
- From the list of security tags, select the security tag that you want to delete.
- Click the Delete button.
- To confirm the deletion, click OK.
Results
The security tag is deleted.