Groups include different objects that are added both statically and dynamically, and can be used as the source and destination of a firewall rule.
Groups can also be excluded from firewall rules, and there are a maximum of 100 groups that can be on the list. IP sets, MAC sets, and AD groups cannot be included as members in a group that is used in a firewall exclusion list. See Manage a Firewall Exclusion List for more information.
A single IP or AD group can be used as the source only within a distributed firewall rule. If IP and AD groups are needed at the source, create two separate firewall rules.
Groups consisting of only IP addresses, MAC Addresses, or Active Directory groups cannot be used in the Applied to text box.Tags in NSX are case-sensitive, but a group that is based on tags is "case- insensitive." For example, if the dynamic grouping membership criterion is VM Tag Equals 'quarantine'
, the group includes all VMs that contain either the tags 'quarantine' or 'QUARANTINE'.
If you are using NSX Cloud, see Group VMs using NSX-T Data Center and Public Cloud Tags for information on the how to use public cloud tags to group your workload VMs in NSX Manager.