You enable VMware NSX for vSphere security policies in Neutron by modifying the custom.yml file.

About this task

Additionally you must set the default security policy for the default security group for a new tenant and optionally, allow or forbid tenants to create own policies.


  1. Log in to the OpenStack Management Server.
  2. Create custom.yml file, if it does not exist.
    sudo mkdir -p /opt/vmware/vio/custom
    sudo cp /var/lib/vio/ansible/custom/custom.yml.sample 
  3. Open the /opt/vmware/vio/custom/custom.yml file in a text editor.
  4. Enable security policies in Neutron using VIO customization by editing the custom.yml file according to your configuration.
    1. Uncomment and edit nsxv_use_nsx_policies value to true, set the mandatory default policy for tenants nsxv_default_policy_id, and allow or forbid tenants to create their own policies nsxv_allow_tenant_rules_with_policy: false, for example:
      # Configure neutron security groups to use NSX policies
      nsxv_use_nsx_policies: true
      # (Optional) If use_nsx_policies is true, this policy will be used as the
      # default policy for new tenants.
      nsxv_default_policy_id: <YOUR_NSX_POLICY_ID>
      # (Optional) If use_nsx_policies is True, this value will determine if the
      # tenants can add rules to their security groups.
      nsxv_allow_tenant_rules_with_policy: false
    2. Save the custom.yml file.
  5. Push the new configuration to your VMware Integrated OpenStack deployment.

    Refresh of the configuration briefly interrupts the OpenStack services.

    viocli deployment configure