You can create an IP address group and then add this group as the source or destination in a firewall rule. Such a rule can help protect physical machines from virtual machines or vice versa.


VMware Tools must be installed on each VM, or an enabled IP discovery method (DHCP snooping, ARP snooping, or both) must be in place when using grouping objects instead of IP addresses. For more details, refer to IP Discovery for Virtual Machines.


  1. Log in to the vSphere Web Client.
  2. Click Networking & Security and then under Networking & Security Inventory click NSX Managers.
  3. Click an NSX Manager in the Name column and then click the Manage tab.
    • You must select the primary NSX Manager if you need to manage universal IP address groups.

  4. Click the Grouping Objects tab, then click IP Sets.
  5. Click the Add icon.
  6. Type a name for the address group.
  7. (Optional) Type a description for the address group.
  8. Type the IP addresses to be included in the group.
  9. (Optional) Select Enable inheritance to allow visibility at underlying scopes.
  10. (Optional) Select Mark this object for Universal Synchronization to create a universal IP address group.
  11. Click OK.