IP groups are comma-separated lists of IP addresses that can be referenced by profiles, policies, and logs. Each entry in this list can be an IPv4 address, an IP range, an IP mask, or a country code. IP groups are reusable objects that can be referenced by any number of features attached to any number of virtual services. IP groups are commonly used for service classification, white listing, or black listing and can be automatically updated through external API calls. When an IP group is updated, the update is pushed from the Controller to any Service Engine that is hosting virtual services, leveraging the IP group.
IP Group Usage
The following are few examples of IP groups used within the NSX Advanced Load Balancer. Generally, the IP Group can be used in (or assigned to) any object that accepts an IP address. The following are the objects in NSX Advanced Load Balancer that can use IP Groups.
- Policies:
-
A network security or HTTP security policy can be configured to drop any clients coming from a blocklist of IP addresses. Instead of maintaining a long list within the policy, the NSX Advanced Load Balancer maintains the rule logic of that policy separately from the list of addresses kept in the IP group. A user can be granted a role that allows them to update the list of IP addresses without being able to change the policy itself.
- Logs:
-
Logs classify clients by their IP address and match them against an included geographic country location database. Override this database by using a custom IP group to create specific mappings such as internal IP addresses. For example, LA_Office can contain 10.1.0.0/16, while NY_Office contains 10.2.0.0/16. Logs show these clients as originating from these locations. Logs searches can also be performed on the group name such as LA_Office.
- DataScript:
-
Custom decisions can be made based on a client’s inclusion or exclusion in an IP group. For examples and syntax, see the DataScript function
avi.ipgroup.contains
in the VMware NSX Advanced Load Balancer DataScript Guide. - Pool Servers:
-
If multiple pools are needed with different configurations but with the same list of servers, the server IP address can be placed into the IP group. Each subscribing pool automatically inherits the change in membership if an IP is added or removed from the group.
The table on the
page contains the following information for each IP group:Name: Name of the IP address group.
IP Address or Ranges: Number of IP address, networks, or address ranges.
Country Codes or EPG: Any configured country codes that are listed.
Creating an IP Group
To create or edit an IP Group:
Name: Specify a unique name for the IP group.
Type: Select one of the following from the Type drop-down menu.
IP Address.
Country Code.
Import IP Address From File: Click IMPORT FILE to upload the comma-separated-value (CSV) file that contains any combination of IP addresses, range, or masks.
ADD: Click ADD to add single, comma separated or ranges of IP addresses.
Country Code: Populate the IP address ranges from the geo database for this country.
Select by Country Code: Select one or more countries, or type the country name into the search field to filter. Countries may not be combined within an IP group with individual IP addresses. An IP group that contains countries may not be used as a list of servers for pool membership.