Compute inventory groups categorize compute VMs using criteria such as names, IP addresses, and tags.

Because compute inventory groups are made up of the compute VMs you deploy on your compute network segments. VMware Cloud on AWS cannot create them for you. You'll need to create them yourself before you can develop compute gateway firewall rules.


  1. Log in to VMware Cloud Services at
  2. Click Inventory > SDDCs, then pick an SDDC card and click VIEW DETAILS.
  3. Click OPEN NSX MANAGER and log in with the NSX Manager Admin User Account shown on the SDDC Settings page.
    You can also use the VMC Console Networking & Security tab for this workflow. See SDDC Network Administration with NSX Manager.
  4. Open the Inventory page.
  5. On the Groups page, click Compute Groups, then click ADD GROUP and give the group a Name and an optional Description.
    To modify an existing group, select it and click the ellipsis button at the beginning of the group row.
  6. Click Set Members to open the Select Members page.
    Compute group members have a Type of Generic and can contain VMs or objects such as Compute network segments. There are several ways to designate membership in a compute group.
    Option Description
    Membership Criteria Click ADD CRITERIA and use the drop-down controls to specify one or more criteria in the form of
    Object Type, Property, Condition, Value
    tuples. For example, a group with these criteria:
    Virtual Machine Name Contains db_
    includes VMs whose names contain the string db_. You can also create groups of tagged network segments, segment ports, or IP sets by specifying a tag, or
    Segment Tag Equals testbeds
    to include network segments that have the tag testbeds.

    Objects that match all of the selected criteria are included in the group.

    Members Select a membership category from the Select Category drop-down list, then select members from the list.
    IP Addresses Enter an IP address, CIDR block, or a range of IP addresses in the form ip-ip (for example or click Import to import these values from a file.
    MAC Addresses Enter one or more MAC addresses. Separate multiple addresses with commas.
    AD Groups Groups with Active Directory members can be used in the source text box of a distributed firewall rule for Identity Firewall. Groups can contain both AD and compute members.
  7. (Optional) Tag the group.

    See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects.

  8. Click SAVE to create the group.

What to do next

To review group members, select a group and click View Members to review the list of group members to view group members and membership criteria. Click Where Used to see a list of firewall rules that include the group.