Inventory groups categorize VMs by VM name, by IP address, or by membership criteria that match on VM name and tag. You use inventory groups to specify sources and destinations when you create firewall rules, and to simplify managing workload VMs that require similar configurations.

Firewall rules often apply to a group of VMs that have certain common characteristics including:
  • names that follow a naming convention (like Win* for Windows VMs or Photon* for Photon VMs)
  • IP addresses within a specific range or CIDR block
  • security tags
VMC Networking & Security inventory groups, like AWS Security Groups, give you a way to create named groups of management or workload VMs that you can reference in firewall rules.


  1. Log in to the VMC Console at
  2. On the Networking & Security tab, click Inventory > Groups.
  3. On the Groups card, click Management Groups or Workload Groups, then click ADD GROUP.
    Management groups contain VMs on the Management Network. Workload groups contain VMs on the Compute network. To modify an existing group, select it and click the ellipsis button.
  4. Enter a descriptive Name for the group.
  5. Select a Member Type.
    The choices are Virtual Machine, IP address, or Membership Criteria.
  6. Enter a definition for your group.
    The group definition comprises one or more membership criteria. VMs that match all of the selected criteria are included in the group.
    Option: Description
      • Virtual Machine: Select one or more VMs from the list.
        Note: This member type is available only for Workload Groups.
      • IP address: Enter an IP address, CIDR block, or a range of IP addresses in the form ip-ip (for example .
      • Membership Criteria: Click Set Membership Criteria to open the Membership Criteria page. Click ADD CRITERIA and specify one or more criteria as Property, Condition, Value tuples. For example:
          VM Name Contains db_
        to include VMs whose names contain the string db_ in the group, or
          Tag Equals Secure
        to include VMs tagged with the tag Secure.
        Note: This member type is available only for Workload Groups.
  7. Click SAVE to create the group.
  8. (Optional) Review group members. Select the newly created group and click the ellipsis button.
    Option: Description
      • View Members: View the members of the group.
      • View References: View any firewall rules that reference the group.
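
The membership rules from step 6, modelled as an added example (not VMware code and not part of the original page): it previews which VMs a set of criteria or an IP specification would pull into a group before a firewall rule references that group. The sample inventory is constructed, and the function names and the case-sensitive substring matching are assumptions of this model.

```python
import ipaddress

# Constructed sample inventory; not taken from a real SDDC.
SAMPLE_VMS = [
    {"name": "db_orders01", "ip": "10.2.0.11", "tags": {"Secure"}},
    {"name": "old_db_test", "ip": "10.2.9.40", "tags": set()},
    {"name": "Win-web01", "ip": "10.2.0.20", "tags": {"Secure"}},
    {"name": "Photon-db_cache", "ip": "10.3.0.5", "tags": {"Secure"}},
]


def matches_criterion(vm, prop, condition, value):
    """Evaluate one (Property, Condition, Value) tuple against a VM."""
    if prop == "VM Name":
        candidates = [vm["name"]]
    elif prop == "Tag":
        candidates = vm["tags"]
    else:
        raise ValueError(f"unsupported property: {prop}")
    if condition == "Contains":  # assumption: case-sensitive substring
        return any(value in c for c in candidates)
    if condition == "Equals":
        return any(value == c for c in candidates)
    raise ValueError(f"unsupported condition: {condition}")


def criteria_members(vms, criteria):
    """A VM is a member only if it matches ALL of the criteria."""
    return [vm["name"] for vm in vms
            if all(matches_criterion(vm, *c) for c in criteria)]


def ip_members(vms, spec):
    """spec is one address, a CIDR block, or a range written ip-ip."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    else:
        net = ipaddress.ip_network(spec, strict=False)
        lo, hi = net.network_address, net.broadcast_address
    if lo > hi:
        raise ValueError(f"range start is above range end: {spec}")
    return [vm["name"] for vm in vms
            if lo <= ipaddress.ip_address(vm["ip"]) <= hi]


if __name__ == "__main__":
    print(criteria_members(SAMPLE_VMS, [("VM Name", "Contains", "db_")]))
    print(criteria_members(SAMPLE_VMS, [("VM Name", "Contains", "db_"),
                                        ("Tag", "Equals", "Secure")]))
    print(ip_members(SAMPLE_VMS, "10.2.0.10-10.2.0.15"))
```

In this sample, the name criterion alone also matches old_db_test and Photon-db_cache, so a firewall rule that uses the group would cover them too; adding the tag criterion narrows the membership.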