Groups include different objects that are added both statically and dynamically, and can be used as the source and destination of a firewall rule.

Groups can be configured to contain a combination of virtual machines, IP sets, MAC sets, segment ports, segments, AD user groups, and other groups. Dynamic inclusion of groups can be based on tag, machine name, OS name, or computer name.
Note: If you create a group in the API using LogicalPort based criteria, you cannot edit the group in the UI using the AND operator between SegmentPort criteria.

Groups can also be excluded from firewall rules, and there are a maximum of 100 groups that can be on the list. IP sets, MAC sets, and AD groups cannot be included as members in a group that is used in a firewall exclusion list. See Manage a Firewall Exclusion List for more information.

A single IP or AD group can be used as the source only within a distributed firewall rule. If IP and AD groups are needed at the source, create two separate firewall rules.

Groups consisting of only IP addresses, MAC Addresses, or Active Directory groups cannot be used in the Applied to text box.

Note: When a host is added to or removed from a vCenter Server, the external ID of the VMs on the host changes. If a VM is a static member of a group and the VM's external ID changes, the NSX Manager UI will no longer show the VM as a member of the group. However, the API that lists the groups will still show that the group contains the VM with its original external ID. If you add a VM as a static member of a group and the VM's external ID changes, you must add the VM again using its new external ID. You can also use dynamic membership criteria to avoid this issue.

Tags in NSX are case-sensitive, but a group that is based on tags is "case- insensitive." For example, if the dynamic grouping membership criterion is VM Tag Equals 'quarantine', the group includes all VMs that contain either the tags 'quarantine' or 'QUARANTINE'.

If you are using NSX Cloud, see Group VMs using NSX-T Data Center and Public Cloud Tags for information on the how to use public cloud tags to group your workload VMs in NSX Manager.


If you are using Federation, see Security in NSX Federation for details on configuration options.
Note: If you are using NSX Federation, you cannot create groups from the Global Manager that include AD user groups.


  1. Select Inventory > Groups from the navigation panel.
  2. Click Add Group.
  3. Enter a group name.
  4. If you are adding a group from a Global Manager for Federation, either accept the default region selection, or select a region from the drop-down menu. Once you create a group with a region, you cannot edit the region selection. However, you can change the span of the region itself by adding or removing locations from it. You can create customized regions before you create the group. See Create a Region from Global Manager.
    Note: For groups added from a Global Manager in a Federation environment, selecting a region is mandatory. This text box is not available if you are not using the Global Manager.
  5. (Optional) Click Set Members.
    For each membership criterion, you can specify up to five rules, which are combined with the logical AND operator. The available member criterion can apply to the following:
    • Segment Port - specify a tag, scope, or both.
    • Segment - specify a tag, scope, or both.
    • Virtual Machine - specify a name, tag, computer OS name, or computer name that equals, contains, starts with, ends with, or does not equal a particular string.
    • IP Set - specify a tag, scope, or both.
  6. (Optional) Click Members to select members.
    The available member types are:
    • Groups
      Note: If you are using Federation, you can add a group as a member that has an equal or smaller span than the region you selected for the group you are creating from the Global Manager, see Security in NSX Federation.
    • Segments
      Note: IP addresses assigned to a gateway interface, and NSX load balancer virtual IP addresses are not included as segment group members.
    • Segment Ports
    • VIFs
    • Virtual Machines
    • Physical Servers
    • Cloud Native Service Instances
  7. (Optional) Click IP/MAC Addresses to add IP and MAC addresses as group members. IPv4 addresses, IPv6 addresses, and multicast addresses are supported.
    Click Action > Import to import IP/MAC Addresses from a .TXT file or a .CSV file containing comma-separated IP/MAC values.
  8. (Optional) Click AD Groups to add Active Directory Groups. Groups with Active Directory members can be used in the source text box of a distributed firewall rule for Identity Firewall. Groups can contain both AD and compute members.
    If you are using NSX Federation, you cannot create groups from the Global Manager to include AD groups.
  9. (Optional) Enter a description and tag.
  10. Click Apply
    Groups are listed, with an option to view members and where the group is used.