VMware Cloud on AWS network administrators can use NSX inventory objects to define collections of services, groups, context profiles, and virtual machines to use in firewall rules.

Firewall rules typically apply to a group of VMs that have certain common characteristics including:
  • names that follow a naming convention (like Win* for Windows VMs or Photon* for Photon VMs)
  • IP addresses within a specific range or CIDR block
  • tags
Firewall rules can also apply to network services, which are distinguished by characteristics such as service type and network protocol. The NSX Inventory page simplifies the process of creating groups of VMs that have similar needs for firewall protection. It also allows you to add new network services to the built-in list of services, so that you can include those services in firewall rules.
See Add Tags to an Object in the NSX Data Center Administration Guide for more information about tagging NSX objects.
Note: System-defined NSX tags should not be applied to user objects such as VMs or groups. Doing so may impact the ability to view or manage those objects. System-defined tags include NSX_POLICY_INTERNAL, SYSTEM_DEFINED_GROUP, HCX, and tags with scopes of autoPlumbing, hybridity, applianceId and ServiceName.

VMware Cloud on AWS creates management groups and a service inventory in all new SDDCs. It also maintains a list of your workload VMs and their tags. You can add or modify your own inventory groups of management or compute VMs.

See Inventory in the NSX Data Center Administration Guide for more about how to create and use NSX inventory groups.
Add a Service
You can configure a service, and specify parameters for matching network traffic such as a port and protocol pairing.
Add a Group
Groups include different objects that are added both statically and dynamically, and can be used as the source and destination of a firewall rule.
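To make the group and service concepts above concrete, here is an added Python example (not VMware's code or any NSX API) that evaluates dynamic group membership against a small constructed VM inventory using the three characteristics the page names (name wildcard, CIDR block, tag), matches a flow against a port-and-protocol service definition, and flags user VMs that carry one of the system-defined tags or scopes the note warns against. The inventory, group criteria, service list and the "conditions within a criterion are ANDed, criteria are ORed" evaluation rule are all assumptions made for illustration; they are not NSX's documented evaluation semantics, and name matching here is case-sensitive simply because `fnmatchcase` is used.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

# Tags and tag scopes the page lists as system-defined; they must not be
# applied to user objects such as VMs or groups.
SYSTEM_TAGS = {"NSX_POLICY_INTERNAL", "SYSTEM_DEFINED_GROUP", "HCX"}
SYSTEM_SCOPES = {"autoPlumbing", "hybridity", "applianceId", "ServiceName"}


@dataclass(frozen=True)
class VM:
    name: str
    ips: tuple            # IPv4/IPv6 address strings
    tags: frozenset       # set of (scope, tag) pairs; scope "" means no scope


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str         # "TCP" or "UDP" in this example
    ports: tuple          # inclusive (low, high) destination port range


# Constructed sample inventory (hypothetical names and addresses).
INVENTORY = [
    VM("Win-App-01", ("10.10.1.5",), frozenset({("env", "prod")})),
    VM("Win-DB-01", ("10.10.2.7",), frozenset({("env", "prod"), ("role", "db")})),
    VM("Photon-Web-01", ("10.20.1.9",), frozenset({("env", "dev")})),
    # A user VM mistakenly tagged with a system-defined tag.
    VM("Linux-Tools-01", ("10.10.1.20",), frozenset({("", "HCX")})),
]

# Constructed service inventory: name, protocol and port range.
SERVICES = [
    Service("HTTPS", "TCP", (443, 443)),
    Service("RDP", "TCP", (3389, 3389)),
    Service("DNS-UDP", "UDP", (53, 53)),
    Service("Ephemeral-TCP", "TCP", (49152, 65535)),
]

# Group criteria: a list of criteria, each a list of (kind, value) conditions.
# Assumption for this example: conditions in a criterion are ANDed, criteria are ORed.
WINDOWS_PROD = [[("name", "Win*"), ("tag", ("env", "prod"))]]
APP_SUBNET = [[("cidr", "10.10.1.0/24")]]
PHOTON_OR_DB_SUBNET = [[("name", "Photon*")], [("cidr", "10.10.2.0/24")]]


def matches_condition(vm, cond):
    """Evaluate one membership condition against a VM."""
    kind, value = cond
    if kind == "name":
        return fnmatch.fnmatchcase(vm.name, value)
    if kind == "cidr":
        net = ipaddress.ip_network(value, strict=False)
        return any(ipaddress.ip_address(ip) in net for ip in vm.ips)
    if kind == "tag":
        return tuple(value) in vm.tags
    raise ValueError(f"unknown condition kind {kind!r}")


def group_members(vms, criteria):
    """Return names of VMs that satisfy at least one criterion (all of its conditions)."""
    return [vm.name for vm in vms
            if any(all(matches_condition(vm, c) for c in crit) for crit in criteria)]


def services_for_flow(services, protocol, dst_port):
    """Return service names whose protocol/port pairing matches a flow."""
    return [s.name for s in services
            if s.protocol == protocol and s.ports[0] <= dst_port <= s.ports[1]]


def system_tag_violations(vms):
    """Map VM name -> sorted (scope, tag) pairs that collide with system-defined tags/scopes."""
    out = {}
    for vm in vms:
        bad = sorted(t for t in vm.tags if t[1] in SYSTEM_TAGS or t[0] in SYSTEM_SCOPES)
        if bad:
            out[vm.name] = bad
    return out


if __name__ == "__main__":
    print("Windows prod:", group_members(INVENTORY, WINDOWS_PROD))
    print("App subnet:", group_members(INVENTORY, APP_SUBNET))
    print("Photon or DB subnet:", group_members(INVENTORY, PHOTON_OR_DB_SUBNET))
    print("TCP/443 matches:", services_for_flow(SERVICES, "TCP", 443))
    print("System tag violations:", system_tag_violations(INVENTORY))
```

Running the script lists which VMs each criteria set selects, which service definition a TCP/443 flow falls under, and the one VM whose user-applied tag collides with a system-defined tag, which is the kind of check worth running before a group built on tags is referenced by a firewall rule.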