Groups include different objects that are added both statically and dynamically, and can be used as the source and destination of a firewall rule.
Groups can also be excluded from firewall rules; a firewall exclusion list can hold a maximum of 100 groups. IP sets, MAC sets, and AD groups cannot be included as members in a group that is used in a firewall exclusion list. See Manage a Firewall Exclusion List for more information.
An IP or AD group can be used as the source only within a distributed firewall rule. If both IP and AD groups are needed at the source, create two separate firewall rules. Groups consisting only of IP addresses, MAC addresses, or Active Directory groups cannot be used in the Applied To text box.
Tags in NSX are case-sensitive, but a group that is based on tags is case-insensitive. For example, if the dynamic grouping membership criterion is VM Tag Equals 'quarantine', the group includes all VMs that carry either the tag 'quarantine' or the tag 'QUARANTINE'.
If you are using NSX Cloud, see Group VMs using NSX-T Data Center and Public Cloud Tags for information on how to use public cloud tags to group your workload VMs in NSX Manager.
- Select from the navigation panel.
- Click Add Group.
- Enter a group name.
- If you are adding a group from a Global Manager for Federation, either accept the default region selection, or select a region from the drop-down menu. Once you create a group with a region, you cannot edit the region selection. However, you can change the span of the region itself by adding or removing locations from it. You can create customized regions before you create the group. See Create a Region from Global Manager.
Note: For groups added from a Global Manager in a Federation environment, selecting a region is mandatory. This text box is not available if you are not using the Global Manager.
- (Optional) Click Set Members.
For each membership criterion, you can specify up to five rules, which are combined with the logical AND operator. Membership criteria can be based on the following object types:
- Segment Port - specify a tag, scope, or both.
- Segment - specify a tag, scope, or both.
- Virtual Machine - specify a name, tag, computer OS name, or computer name that equals, contains, starts with, ends with, or does not equal a particular string.
- IP Set - specify a tag, scope, or both.
- (Optional) Click Members to select members.
The available member types are:
- Segment Ports
- Virtual Machines
- Physical Servers
- Cloud Native Service Instances
Note: If you are using Federation, a group that you add as a member must have a span equal to or smaller than the region you selected for the group you are creating from the Global Manager. See Security in NSX Federation.
Note: IP addresses assigned to a gateway interface, and NSX load balancer virtual IP addresses, are not included as segment group members.
- (Optional) Click IP/MAC Addresses to add IP and MAC addresses as group members. IPv4 addresses, IPv6 addresses, and multicast addresses are supported.
You can also import IP/MAC addresses from a .TXT file or a .CSV file containing comma-separated IP/MAC values.
- (Optional) Click AD Groups to add Active Directory Groups. Groups with Active Directory members can be used in the source text box of a distributed firewall rule for Identity Firewall. Groups can contain both AD and compute members.
If you are using NSX Federation, you cannot create groups from the Global Manager to include AD groups.
- (Optional) Enter a description and tag.
- Click Apply.
Groups are listed, with an option to view members and where the group is used.
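To make the Set Members rules above concrete, the following Python model (added here for illustration; it is not NSX code and does not call the NSX API) evaluates a single Virtual Machine criterion the way this page describes it: up to five rules combined with AND, and tag matching that is case-insensitive even though the tags themselves are not. The VM field names, the operator names used as dictionary keys, and the inventory records are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

OPERATORS = {  # operators the Virtual Machine criterion offers for name, tag, OS name, computer name
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
    "starts with": lambda actual, wanted: actual.startswith(wanted),
    "ends with": lambda actual, wanted: actual.endswith(wanted),
    "does not equal": lambda actual, wanted: actual != wanted,
}
MAX_RULES_PER_CRITERION = 5  # documented limit; the rules of one criterion are ANDed


@dataclass
class Rule:
    attribute: str  # "name", "tag", "os_name" or "computer_name" (field names assumed here)
    operator: str   # a key of OPERATORS
    value: str


@dataclass
class VM:
    name: str
    tags: set[str] = field(default_factory=set)
    os_name: str = ""
    computer_name: str = ""


# Constructed inventory for the example; not taken from any real NSX Manager.
INVENTORY = [
    VM("web-01", {"quarantine"}, "Ubuntu Linux (64-bit)", "web-01.example.test"),
    VM("web-02", {"QUARANTINE"}, "Microsoft Windows Server 2019", "WEB-02"),
    VM("db-01", {"prod", "pci"}, "Microsoft Windows Server 2019", "DB-01"),
]


def rule_matches(rule: Rule, vm: VM) -> bool:
    op = OPERATORS[rule.operator]
    if rule.attribute != "tag":
        # Only tag criteria are documented as case-insensitive; other attributes compare exactly.
        return op(getattr(vm, rule.attribute), rule.value)
    # Tags are case-sensitive but tag criteria are not: fold case so 'quarantine' and 'QUARANTINE' match.
    wanted, tags = rule.value.lower(), {t.lower() for t in vm.tags}
    if rule.operator == "does not equal":
        return wanted not in tags  # no tag on the VM may equal the value
    return any(op(t, wanted) for t in tags)


def group_members(rules: list[Rule], inventory: list[VM] = INVENTORY) -> set[str]:
    """VM names a single-criterion dynamic group contains: all of its (at most five) rules must hold."""
    if not 1 <= len(rules) <= MAX_RULES_PER_CRITERION:
        raise ValueError(f"a criterion takes 1 to {MAX_RULES_PER_CRITERION} rules")
    return {vm.name for vm in inventory if all(rule_matches(r, vm) for r in rules)}
```

Because a VM tagged 'QUARANTINE' by one team and one tagged 'quarantine' by another end up in the same group, any firewall rule that uses the group applies to both; review who is allowed to assign tags before relying on tag-based groups for enforcement.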