You can create an IP address group and then add this group as the source or destination in a firewall rule. Such a rule can help protect physical machines from virtual machines or the reverse.

Prerequisites

  • Install VMware Tools on each VM.
  • If you plan to use grouping objects instead of IP addresses, enable an IP discovery method, such as DHCP snooping or ARP snooping, or both. For more information, see IP Discovery for Virtual Machines.

Procedure

  1. In the vSphere Web Client, click Networking & Security > Groups and Tags.
  2. Navigate to IP Sets:
    • In NSX 6.4.1 and later, ensure that you are in the IP Sets tab.
    • In NSX 6.4.0, ensure that you are in the Grouping Objects > IP Sets tab.
  3. If multiple IP addresses are available in the NSX Manager drop-down menu, select an IP address, or keep the default selection.
    • You must select the primary NSX Manager if you want to manage universal IP address groups.
  4. Click Add or the Add icon.
  5. Type a name for the address group.
  6. (Optional) Type a description for the address group.
  7. Type the IP addresses or a range of IP addresses to be included in the group.
    Caution: When entering IPv6 address ranges in IP sets, ensure that you break the address ranges into /64. Otherwise, publishing the firewall rules fails.
  8. (Optional) Select Inheritance or Enable inheritance to allow visibility at underlying scopes.
    When inheritance is enabled, grouping objects created at the global scope are accessible from derived scopes, such as datacenter, Edge, and so on.
  9. (Optional) To create a universal IP address group:
    • In NSX 6.4.1 and later, click the Universal Synchronization toggle button to On.
    • In NSX 6.4.0, select Mark this object for Universal Synchronization.
  10. Click Add or OK.
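
The caution in step 7 can be checked before you type the values. The following is an added example, not VMware code: it splits an inclusive IPv6 range so that no entry crosses a /64 boundary. Assumptions: "break into /64" is read as "each entry stays inside one /64 block", entries are written as `start-end`, and the function names and the `max_pieces` limit are hypothetical.

```python
import ipaddress

HOST_MASK_64 = (1 << 64) - 1  # low 64 bits: the interface-identifier half


def split_range_at_64(first, last, max_pieces=1024):
    """Split the inclusive IPv6 range first..last so no piece crosses a /64 boundary.

    Returns a list of (start, end) IPv6Address pairs, in ascending order.
    """
    lo = int(ipaddress.IPv6Address(first))  # raises ValueError on non-IPv6 input
    hi = int(ipaddress.IPv6Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is above range end {last}")
    # Number of distinct /64 prefixes the range touches.
    count = (hi >> 64) - (lo >> 64) + 1
    if count > max_pieces:
        # Refuse ranges that would explode into an unmanageable number of entries.
        raise ValueError(f"range spans {count} /64 blocks; limit is {max_pieces}")
    pieces = []
    cur = lo
    while cur <= hi:
        block_end = cur | HOST_MASK_64  # last address of the /64 holding cur
        end = min(block_end, hi)
        pieces.append((ipaddress.IPv6Address(cur), ipaddress.IPv6Address(end)))
        cur = end + 1
    return pieces


def ip_set_entries(first, last, max_pieces=1024):
    """Render the pieces as 'start-end' strings (assumed entry format),
    or as a single address when a piece contains only one address."""
    out = []
    for start, end in split_range_at_64(first, last, max_pieces):
        out.append(str(start) if start == end else f"{start}-{end}")
    return out


if __name__ == "__main__":
    # Constructed sample range in the documentation prefix 2001:db8::/32;
    # it touches three /64 blocks, so three entries are printed.
    for entry in ip_set_entries("2001:db8:0:1::ff00", "2001:db8:0:3::10"):
        print(entry)
```

A range that already sits inside one /64 comes back as a single unchanged entry, so the helper is safe to run over every IPv6 range you plan to add.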