A security group is a collection of assets or grouping objects from your vSphere inventory.

Security groups are containers that can hold multiple object types, including logical switches, vNICs, IP sets, and virtual machines (VMs). Security groups can also have dynamic membership criteria based on security tags, VM name, or logical switch name. For example, every VM that carries the security tag "web" is automatically added to a security group intended for web servers. After you create a security group, you apply a security policy to that group.
Important: If a VM’s VM-ID is regenerated due to move or copy, the security tags are not propagated to the new VM-ID.

Security groups for use with Identity Firewall for RDSH must use security policies that are marked Enable User Identity at Source when created. Security groups for use with Identity Firewall for RDSH can contain only Active Directory (AD) groups, and all nested security groups must also be AD groups.

Security groups used in Identity Firewall (without RDSH) can directly contain only AD groups. Nested groups can be non-AD groups or other logical entities such as virtual machines.
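To make the membership rules above concrete, here is an added Python model (not VMware's code and not the NSX API) that evaluates dynamic membership criteria against a constructed VM inventory, shows why a move or copy that regenerates the VM-ID drops the VM out of tag-based groups while name-based criteria still match it, and validates the two Identity Firewall nesting rules (direct members must be AD groups; nested groups are unconstrained for plain IDFW but must be AD-only for RDSH). The `VM`, `Criterion`, and `SecurityGroup` classes, the `ad:`/`vm:` member prefixes, and every VM name, ID, switch, and tag are assumptions made up for this example.

```python
"""Illustrative model of NSX security-group membership (added example, not VMware code)."""
from dataclasses import dataclass, field


@dataclass
class VM:
    vm_id: str                      # vSphere identity; regenerated on move/copy
    name: str
    logical_switch: str
    tags: set = field(default_factory=set)   # security tags attached to this VM-ID


@dataclass
class Criterion:
    """One dynamic membership criterion: key is 'tag', 'name' or 'switch'."""
    key: str
    op: str                         # 'equals', 'contains' or 'starts_with'
    value: str

    def matches(self, vm: VM) -> bool:
        candidates = {"tag": vm.tags, "name": {vm.name}, "switch": {vm.logical_switch}}[self.key]
        ops = {
            "equals": lambda s: s == self.value,
            "contains": lambda s: self.value in s,
            "starts_with": lambda s: s.startswith(self.value),
        }
        return any(ops[self.op](c) for c in candidates)


def dynamic_members(criteria, inventory, match_all=False):
    """Return the set of VM-IDs selected by the criteria (ANY by default, ALL if match_all)."""
    combine = all if match_all else any
    return {vm.vm_id for vm in inventory if combine(c.matches(vm) for c in criteria)}


def copy_vm(vm: VM, new_vm_id: str) -> VM:
    """Model a move/copy that regenerates the VM-ID: tags are NOT propagated."""
    return VM(vm_id=new_vm_id, name=vm.name, logical_switch=vm.logical_switch, tags=set())


@dataclass
class SecurityGroup:
    """Members are 'ad:<group>' or 'vm:<id>' strings, or nested SecurityGroup objects."""
    name: str
    members: list


def validate_idfw_group(group: SecurityGroup, rdsh: bool) -> list:
    """Return a list of violations of the Identity Firewall membership rules.

    Direct members must always be AD groups. Nested groups are only checked
    (recursively) in the RDSH case, where the whole tree must be AD groups.
    """
    problems = []
    for member in group.members:
        if isinstance(member, SecurityGroup):
            if rdsh:
                problems.extend(validate_idfw_group(member, rdsh=True))
        elif not member.startswith("ad:"):
            problems.append(f"{group.name}: direct member {member} is not an AD group")
    return problems


def sample_inventory():
    """Constructed inventory used for the demonstration."""
    return [
        VM("vm-101", "web-01", "ls-web", {"web"}),
        VM("vm-102", "web-02", "ls-web", {"web", "prod"}),
        VM("vm-103", "db-01", "ls-db", {"db"}),
        VM("vm-104", "app-01", "ls-app"),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    tag_web = [Criterion("tag", "equals", "web")]
    print("tag web:", sorted(dynamic_members(tag_web, inv)))
    # Copy web-01 with a fresh VM-ID: the copy keeps its name but loses its tags.
    inv.append(copy_vm(inv[0], "vm-201"))
    print("tag web after copy:", sorted(dynamic_members(tag_web, inv)))
    print("name web* after copy:", sorted(dynamic_members([Criterion("name", "starts_with", "web")], inv)))
    nested = SecurityGroup("nested-vms", ["vm:vm-103"])
    idfw = SecurityGroup("idfw-users", ["ad:CORP\\Finance", nested])
    print("IDFW:", validate_idfw_group(idfw, rdsh=False))
    print("IDFW for RDSH:", validate_idfw_group(idfw, rdsh=True))
```

The copy step is the interesting one: after `copy_vm`, a group whose criterion is a security tag no longer sees the copied VM, so any policy applied to that group silently stops covering it, whereas a name-based criterion still matches. Re-tagging the new VM-ID (or using a criterion that survives the move) is the practical fix.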

See Firewall Rule Behavior in Security Groups for more information.

In a cross-vCenter NSX environment, universal security groups are defined on the primary NSX manager and are marked for universal synchronization with secondary NSX managers. Universal security groups cannot have dynamic membership criteria defined unless they are marked for use in an active standby deployment scenario.

In a cross-vCenter NSX environment with an active standby deployment scenario, Site Recovery Manager (SRM) creates a placeholder VM on the recovery site for every protected VM on the active site. The placeholder VMs are not active and stay in standby mode. When a protected VM goes down, the corresponding placeholder VM on the recovery site is powered on and takes over the tasks of the protected VM. Users create distributed firewall rules on the active site with universal security groups that contain universal security tags. The NSX manager replicates these distributed firewall rules, together with the universal security groups and universal security tags, to the placeholder VMs. When the placeholder VMs are powered on, the replicated firewall rules with the universal security groups and universal security tags are enforced correctly.
  • Universal security groups created prior to 6.3 cannot be edited for use in active standby deployments.