You can create groups to be used as source and destination for firewall rules. Groups include different objects that can be a combination of virtual machines, IP sets, MAC sets, segment ports, segments, AD user groups, and other groups. While configuring a group, you can add objects both statically and dynamically. To add objects dynamically, you have to specify a criteria based on tag, machine name, OS name, or computer name. When a rule has to be applied to a group, NSX-T Data Center processes the criteria to calculate members dynamically and adds or removes objects based on conditions of the criteria.

Note that if you delete any static object of a group from vCenter Server, you must also delete it from the group definition. Otherwise, though the NSX Group will not show that object as an effective member of the group, the group definition will keep showing the object as the group member.
Note: If you create a group in the API using LogicalPort based criteria, you cannot edit the group in the UI using the AND operator between SegmentPort criteria. If you create a group using Segment, Segment Port, Distributed Port Groups, or Distributed Ports based criteria, disable the "Trust on First Use" option in the group's IP Discovery Profile. Otherwise, the original IP Address of the interface will remain in your group even if its IP Address changes.

Groups can also be excluded from firewall rules, and there are a maximum of 100 groups that can be on the list. IP sets, MAC sets, and AD groups cannot be included as members in a group that is used in a firewall exclusion list. See Manage a Firewall Exclusion List for more information.

A single group can be used as the source only within a distributed firewall rule. If IP and Active Directory groups are needed at the source, create two separate firewall rules.

Groups consisting of only IP addresses, MAC Addresses, or Active Directory groups cannot be used in the Applied to text box.

Note: When a host is added to or removed from a vCenter Server, the external ID of the VMs on the host changes. If a VM is a static member of a group and the VM's external ID changes, the NSX Manager UI will no longer show the VM as a member of the group. However, the API that lists the groups will still show that the group contains the VM with its original external ID. If you add a VM as a static member of a group and the VM's external ID changes, you must add the VM again using its new external ID. You can also use dynamic membership criteria to avoid this issue.

For Policy Groups containing IPs, MAC addresses, and Identity Groups the listing API will NOT display the ‘members’ attribute. This applies to Groups containing a combination of static members also. For example, a Policy Group containing IP and VMs, will not display the the members attribute.

For Policy Groups not containing IPs, MAC addresses, or Identity Groups, the member attribute will be displayed in the NSGroup response. However new members and criteria introduced in NSX-T Data Center (such as DVPort and DVPG) will not be included in the MP group definition. Users can view the definition in Policy.

Tags in NSX are case-sensitive, but a group that is based on tags is "case- insensitive." For example, if the dynamic grouping membership criterion is VM Tag Equals 'quarantine', the group includes all VMs that contain either the tags 'quarantine' or 'QUARANTINE'.

If you are using NSX Cloud, see Group VMs using NSX-T Data Center and Public Cloud Tags for information on the how to use public cloud tags to group your workload VMs in NSX Manager.


If you are using NSX Federation, see Security in NSX Federation for details on configuration options.


  1. Select Inventory > Groups from the navigation panel.
  2. Click Add Group, then enter a group name.
  3. If you are adding a group from a Global Manager for NSX Federation, either accept the default region selection, or select a region from the drop-down menu. Once you create a group with a region, you cannot edit the region selection. However, you can change the span of the region itself by adding or removing locations from it. You can create customized regions before you create the group. See Create a Region from Global Manager.
    For groups added from a Global Manager in an NSX Federation environment, selecting a region is mandatory. This text box is not available if you are not using the Global Manager.
  4. Click Set.
  5. In the Set Members window, select the Group Type.
    Group Type Description

    This group type is the default selection. A Generic group definition can consist of a combination of membership criteria, manually added members, IP addresses, MAC addresses, and Active Directory groups.

    Generic groups with only manually added IP address members are not supported for use in the Applied To field in DFW rules. It is possible to create the rule, but it will not be enforced.

    When you define membership criteria in the group, the members are dynamically added in the group based on one or more criteria. Manually added members include objects, such as segment ports, distributed ports, distributed port groups, VIFs, virtual machines, and so on.

    IP Addresses Only

    This group type contains only IP addresses (IPv4 or IPv6). IP Addresses Only groups with only manually added IP address members are not supported for use in the Applied To in DFW rules. It is possible to create the rule, but it will not be enforced.

    After a group of type IP Addresses Only is realized in NSX-T Data Center, you cannot edit the group type to Generic. However, if the group type is Generic, you can edit the group type to IP Addresses Only. In this case, only the IP addresses are retained in the group. All the membership criteria and other group definitions are lost.

    This group type is functionally similar to NSGroups with IP Set tag-based criterion in the Manager mode of earlier NSX-T releases.


    This group type is available only when your NSX-T environment has one or more Antrea container clusters registered to it.

    For more information, see Antrea Groups and Add an Antrea Group.

  6. (Optional) On the Membership Criteria page, click Add Criterion to add members in the group dynamically based on one or more membership criteria.

    A membership criterion can have one or more conditions. The conditions can use the same member type or a mix of different member types. However, some restrictions apply to adding multiple conditions with mixed member types in a membership criterion. To learn about membership criteria, see Overview of Group Membership Criteria.

  7. (Optional) Click Members to add static members in the group.
    The available member types are:
    • Groups - If you are using NSX Federation, you can add a group as a member that has an equal or smaller span than the region you selected for the group you are creating from the Global Manager, see Security in NSX Federation
    • NSX Segments - IP addresses assigned to a gateway interface, and NSX load balancer virtual IP addresses are not included as segment group members.
    • Segment Ports
    • Distibuted Port Groups
    • Distributed Ports
    • VIFs
    • Virtual Machines
    • Physical Servers
    • Cloud Native Service Instances
  8. (Optional) Click IP/MAC Addresses to add IP and MAC addresses as group members. IPv4 addresses, IPv6 addresses, and multicast addresses are supported.
    Click Action > Import to import IP/MAC Addresses from a TXT file or a CSV file containing comma-separated IP/MAC values.
  9. (Optional) Click AD Groups to add Active Directory Groups. Groups with Active Directory members can be used in the source text box of a distributed firewall rule for Identity Firewall. Groups can contain both AD and compute members.
    Note: If you are using NSX Federation, you cannot create groups from the Global Manager to include AD user groups.
  10. (Optional) Enter a description and tag.
  11. Click Apply
    Groups are listed, with an option to view the members and where the group is used.