You can enforce NSX Data Center for vSphere security policies through Neutron security groups. This feature can also be used to insert third-party network services.

Provider and standard security groups can both consume NSX Data Center for vSphere security policies. Rule-based provider and standard security groups can also be used together with security policy-based security groups. However, a security group associated with a security policy cannot also contain rules.

Security policies take precedence over all security group rules. If more than one security policy is enforced on a port, the order in which the policies are enforced is determined by NSX Data Center for vSphere. You can change the order in the vSphere Client on the Security > Firewall page under Networking and Security.


Create the desired security policies in NSX Data Center for vSphere. See Create a Security Policy in the NSX Administration Guide.


  1. Log in to the OpenStack Management Server as viouser.
  2. If your deployment is not using a custom.yml file, copy the template custom.yml file to the /opt/vmware/vio/custom directory.
    sudo mkdir -p /opt/vmware/vio/custom
    sudo cp /var/lib/vio/ansible/custom/custom.yml.sample /opt/vmware/vio/custom/custom.yml
  3. Open the /opt/vmware/vio/custom/custom.yml file in a text editor.
  4. Uncomment the nsxv_use_nsx_policies, nsxv_default_policy_id, and nsxv_allow_tenant_rules_with_policy parameters and configure them.
    Option Description

    Enter true.


    Enter the ID of the NSX Data Center for vSphere security policy that you want to associate with the default security group for new projects. If you do not want to use a security policy by default, you can leave this parameter commented out.

    To find the ID of a security policy, select Menu > Networking & Security and click Service Composer. Open the Security Policies tab and click the Show Columns icon at the bottom left of the table. Select Object Id and click OK. The ID of each security policy is displayed in the table.


    Enter true to allow tenants to create security groups and rules or false to prevent tenants from creating security groups or rules.

  5. Deploy the updated configuration.
    sudo viocli deployment configure

    Deploying the configuration briefly interrupts OpenStack services.

  6. Log in to the controller node as viouser.
  7. Switch to the root user and load the cloud administrator credentials file.
    sudo su -
    source ~/cloudadmin.rc
  8. If you want to use additional security groups with security policies, you can perform the following steps:
    • To associate an NSX Data Center for vSphere security policy with a new security group, create the group and update it with the desired policy:
      neutron security-group-create security-group-name --tenant-id tenant-uuid
      neutron security-group-update --policy=policy-id security-group-uuid
    • To migrate an existing security group to a security policy-based group, run the following command:
      sudo -u neutron nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-id --property security-group-id=security-group-uuid
      Note: This command removes all rules from the specified security group. Ensure that the target policy is configured such that the network connection will not be interrupted.
  9. Configure Neutron to prioritize NSX Data Center for vSphere security policies over security groups.
    sudo -u neutron nsxadmin --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/vmware/nsxv.ini -r firewall-sections -o nsx-reorder