NSGroups can be configured to contain a combination of IP sets, MAC sets, logical ports, logical switches, and other NSGroups. You can specify NSGroups with logical switches, logical ports, and VMs as sources and destinations, and in the Applied To field of a firewall rule. NSGroups with IP sets and MAC sets are ignored in the Applied To field of a distributed firewall rule.

NSX Cloud Note: If using NSX Cloud, see How to use NSX-T Data Center Features with the Public Cloud for a list of auto-generated logical entities, supported features, and configurations required for NSX Cloud.

An NSGroup has the following characteristics:

  • An NSGroup has direct members and effective members. Effective members include members that you specify using membership criteria, as well as all the direct and effective members that belong to this NSGroup's members. For example, assume NSGroup-1 has direct member LogicalSwitch-1. You add NSGroup-2 and specify NSGroup-1 and LogicalSwitch-2 as members. Now NSGroup-2 has direct members NSGroup-1 and LogicalSwitch-2, and an effective member, LogicalSwitch-1. Next, you add NSGroup-3 and specify NSGroup-2 as a member. NSGroup-3 now has direct member NSGroup-2 and effective members LogicalSwitch-1 and LogicalSwitch-2. From the main groups table, clicking a group and selecting Related > NSGroups shows NSGroup-1, NSGroup-2, and NSGroup-3, because all three have LogicalSwitch-1 as a member, either directly or indirectly.
  • An NSGroup can have a maximum of 500 direct members.
  • The recommended limit for the number of effective members in an NSGroup is 5000. NSX Manager checks NSGroups against this limit twice a day, at 7 AM and 7 PM. Exceeding this limit does not affect any functionality but might have a negative impact on performance.
    • When the number of effective members for an NSGroup exceeds 80% of 5000, the warning message "NSGroup xyz is about to exceed the maximum member limit. Total number in NSGroup is ..." appears in the log file. When the number exceeds 5000, the warning message "NSGroup xyz has reached the maximum numbers limit. Total number in NSGroup = ..." appears.
    • When the number of translated VIFs/IPs/MACs in an NSGroup exceeds 5000, the warning message "Container xyz has reached the maximum IP/MAC/VIF translations limit. Current translations count in Container - IPs:..., MACs:..., VIFs:..." appears in the log file.
  • The maximum supported number of VMs is 10,000.
  • You can create a maximum of 10,000 NSGroups.
  • Edge_NSGroup is a policy-owned group (system group) that is available on a local manager and is visible in the UI. This group is not available on a global manager. However, a migrated global manager setup contains a stale Edge_NSGroup, which the UI displays, but the group has no significance on a global manager.
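
The nested-membership example and the limits in the list above, worked through in Python as an added example (not VMware code and not an NSX API client). The group inventory is constructed, membership criteria are not evaluated, and counting only inherited members toward the effective limit is an assumption taken from the page's worked example.

```python
# Added example: resolves nested NSGroup membership offline and checks it
# against the limits quoted on this page. All names below are constructed.
DIRECT_LIMIT = 500            # maximum direct members per NSGroup
EFFECTIVE_LIMIT = 5000        # recommended effective-member limit
WARN_AT = 0.8 * EFFECTIVE_LIMIT  # first warning is logged above 80% of 5000

# group name -> direct members (nested groups or leaf objects)
GROUPS = {
    "NSGroup-1": ["LogicalSwitch-1"],
    "NSGroup-2": ["NSGroup-1", "LogicalSwitch-2"],
    "NSGroup-3": ["NSGroup-2"],
}

def effective_members(name, groups, _path=()):
    """Leaf objects a group inherits through nested NSGroups.

    Follows the page's example: a group's own direct members are not listed
    as effective members. Assumption: criteria-based members are ignored.
    """
    if name in _path:                 # group nested inside itself: stop here
        return set()
    inherited = set()
    for member in groups[name]:
        if member in groups:          # member is itself an NSGroup
            inherited |= {m for m in groups[member] if m not in groups}
            inherited |= effective_members(member, groups, _path + (name,))
    return inherited

def related_groups(obj, groups):
    """Groups that hold obj directly or indirectly (the Related > NSGroups view)."""
    return sorted(g for g in groups
                  if obj in groups[g] or obj in effective_members(g, groups))

def audit(groups):
    """Return (group, finding) pairs for groups at or past the documented limits."""
    findings = []
    for name, direct in groups.items():
        n_eff = len(effective_members(name, groups))
        if len(direct) > DIRECT_LIMIT:
            findings.append((name, "direct members over 500"))
        if n_eff > EFFECTIVE_LIMIT:
            findings.append((name, "effective members over 5000"))
        elif n_eff > WARN_AT:
            findings.append((name, "effective members over 80% of 5000"))
    return findings

if __name__ == "__main__":
    for g in GROUPS:
        print(g, sorted(effective_members(g, GROUPS)))
    print(related_groups("LogicalSwitch-1", GROUPS), audit(GROUPS))
```

Running the same expansion before a group is referenced in a firewall rule shows which objects the rule will reach through nesting, not just the members listed on the group itself.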

For all the objects that you can add to an NSGroup as members, you can navigate to the screen for any of the objects and select Related > NSGroups.


Verify that Manager mode is selected in the NSX Manager user interface. See NSX Manager. If you do not see the Policy and Manager mode buttons, see Configure the User Interface Settings.


  1. With admin privileges, log in to NSX Manager.
  2. Select Inventory > Groups > Add.
  3. Enter a name for the NSGroup.
  4. (Optional) Enter a description.
  5. (Optional) Click Membership Criteria.
    For each criterion, you can specify up to five rules, which are combined with the logical AND operator. Membership criteria can apply to the following:
    • Logical Port - can specify a tag and optional scope.
    • Logical Switch - can specify a tag and optional scope.
    • Virtual Machine - can specify a name, tag, computer OS name, or computer name that equals, contains, starts with, ends with, or doesn't equal a particular string.
    • Transport Node - can specify a node type that equals an edge node or a host node.
    • IP Set - can specify a tag and optional scope.
  6. (Optional) Click Members to select members.
    The available member types are:
    • AD Group - NSGroups with ADGroups can only be used in the extended_source field of a distributed firewall rule, and must be the only members in the group. For example, there cannot be an NSGroup with both ADGroup and IPSet together as members.
    • IP Set - can include both IPv4 and IPv6 addresses.
    • Logical Port - can include both IPv4 and IPv6 addresses.
    • Logical Switch - can include both IPv4 and IPv6 addresses.
    • MAC Set
    • NSGroup
    • Transport Node
    • VIF
    • Virtual Machine
  7. Click ADD.
    The group is added to the table of groups. Click a group name to display an overview and edit group information including membership criteria, members, applications, and related groups. Scroll to the bottom of the Overview tab to add and delete tags. See Add Tags to an Object for more information. Selecting Related > NSGroups displays all the NSGroups that have the selected NSGroup as a member.