Groups include different objects that are added both statically and dynamically and can be used as the source and destination field of a firewall rule.

Groups can be configured to contain a combination of virtual machines, IP sets, MAC sets, logical ports, logical switches, AD user groups, and other nested groups. Dynamic inclusion of groups can be based on tag, machine name, OS name, or computer name.

A single ID based group can be used within a firewall rule. If IP and ID based groups are needed at the source, create two separate firewall rules.

Note: When a host is added to or removed from a vCenter Server, the external ID of the VMs on the host changes. If a VM is a static member of a group and the VM's external ID changes, the NSX Manager UI will no longer show the VM as a member of the group. However, the API that lists the groups will still show that the group contains the VM with its original external ID. If you add a VM as a static member of a group and the VM's external ID changes, you need to add the VM again using its new external ID. You can also use dynamic membership criteria to avoid this issue.

Procedure

  1. Select Inventory > Groups from the navigation panel.
  2. Click ADD GROUP.
  3. Enter a group name.
  4. (Required) Choose a domain from the drop-down menu, or use the default domain. A domain is a logical construct representing a security zone and all rules and groups. The default domain represents the entire NSX environment.
    Note that the domain object is an experimental feature in NSX-T Data Center 2.4 but is not available in NSX-T Data Center 2.4.1. In NSX-T Data Center 2.4.1 it is not necessary to create any domain.
  5. (Optional) Click Set Members.
    For each membership criterion, you can specify up to five rules, which are combined with the logical AND operator. The available member criterion can apply to the following:
    • Logical Port - can specify a tag and optional scope.
    • Logical Switch - can specify a tag and optional scope.
    • Virtual Machine - can specify a name, tag, computer OS name, or computer name that equals, contains, starts with, ends with, or does not equal a particular string.
    • Transport Node - can specify a node type that equals an edge node or a host node.
  6. (Optional) Click Members to select members.
    The available member types are:
    • Group
    • Segment
    • Segment Port
    • Virtual Network Interface
    • Virtual Machine
  7. Click IP/MAC Addresses to add IP and MAC addresses as group members.
  8. Click AD Groups to add Active Directory Groups. Groups with Active Directory members can be used to in the source or destination field of a distributed firewall rule for Identity Firewall, for and must be the only members in the group. For example, there cannot be an group with both ADGroup and IPSet together as members.
  9. Click Apply
    Groups are listed, with an option to view members and where the group is used.