Groups include different objects that are added both statically and dynamically, and can be used as the source and destination of a firewall rule.
Groups can be configured to contain a combination of virtual machines, IP sets, MAC sets, segment ports, segments, AD user groups, and other groups. Dynamic inclusion of groups can be based on tag, machine name, OS name, or computer name.
A single group can be used as the source only within a distributed firewall rule. If both IP and Active Directory groups are needed at the source, create two separate firewall rules. Groups consisting only of IP addresses, MAC addresses, or Active Directory groups cannot be used in the Applied To text box.
For Policy Groups containing IPs, MAC addresses, or Identity Groups, the listing API will NOT display the 'members' attribute. This also applies to Groups containing a combination of static member types. For example, a Policy Group containing both IP addresses and VMs will not display the members attribute.
For Policy Groups not containing IPs, MAC addresses, or Identity Groups, the members attribute is displayed in the NSGroup response. However, member and criteria types introduced in later NSX releases (such as DVPort and DVPG) are not included in the Manager (MP) group definition. Users can view the full definition in Policy.
Tags in NSX are case-sensitive, but a group that is based on tags is case-insensitive. For example, if the dynamic grouping membership criterion is VM Tag Equals 'quarantine', the group includes all VMs that carry either the tag 'quarantine' or the tag 'QUARANTINE'.
If you are using NSX Cloud, see Group VMs using NSX and Public Cloud Tags for information on how to use public cloud tags to group your workload VMs in NSX Manager.
- Select from the navigation panel.
- Click Add Group, then enter a group name.
- If you are adding a group from a Global Manager for NSX Federation, either accept the default region selection, or select a region from the drop-down menu. Once you create a group with a region, you cannot edit the region selection. However, you can change the span of the region itself by adding or removing locations from it. You can create customized regions before you create the group. See Create a Region from Global Manager.
For groups added from a Global Manager in an NSX Federation environment, selecting a region is mandatory. This text box is not available if you are not using the Global Manager.
- Click Set.
- In the Set Members window, select the Group Type.
Group Type: Generic
This group type is the default selection. A Generic group definition can consist of a combination of membership criteria, manually added members, IP addresses, MAC addresses, and Active Directory groups. Generic groups with only manually added IP address members are not supported for use in the Applied To field in DFW rules. It is possible to create the rule, but it will not be enforced.
When you define membership criteria in the group, the members are dynamically added to the group based on one or more criteria. Manually added members include objects such as segment ports, distributed ports, distributed port groups, VIFs, virtual machines, and so on.

Group Type: IP Addresses Only
This group type contains only IP addresses (IPv4 or IPv6). IP Addresses Only groups with only manually added IP address members are not supported for use in the Applied To field in DFW rules. It is possible to create the rule, but it will not be enforced.
If the group type is Generic, you can edit its type to IP Addresses Only or IP Addresses Only with malicious IPs. In this case, only the IP addresses are retained in the group. All the membership criteria and other group definitions are lost. After a group of type IP Addresses Only or IP Addresses Only with malicious IPs is realized in NSX, you cannot edit the group type back to Generic.
The IP Addresses Only group type is functionally similar to NSGroups with an IP Set tag-based criterion in the Manager mode of earlier NSX releases.

Group Type: IP Addresses Only with malicious IPs
If you have enabled Malicious IP Feeds, you can create an IP Addresses Only group with malicious IPs by switching on Add Pre-Defined Malicious IPs. For more information about configuring the feature, see Configure Malicious IP Feeds.
You can also specify IP addresses and IP Addresses Only groups that should be treated as exceptions and must not be blocked.
Note that once you have switched on the Add Pre-Defined Malicious IPs toggle, you cannot turn it off while editing the group.

This group type is available only when your NSX environment has one or more Antrea container clusters registered to it.
- (Optional) On the Membership Criteria page, click Add Criterion to add members in the group dynamically based on one or more membership criteria.
A membership criterion can have one or more conditions. The conditions can use the same member type or a mix of different member types. However, some restrictions apply to adding multiple conditions with mixed member types in a membership criterion. To learn about membership criteria, see Overview of Group Membership Criteria.
- (Optional) Click Members to add static members in the group.
The available member types are:
- Groups - If you are using NSX Federation, you can add a group as a member only if it has an equal or smaller span than the region you selected for the group you are creating from the Global Manager. See Security in NSX Federation.
- NSX Segments - IP addresses assigned to a gateway interface, and NSX load balancer virtual IP addresses are not included as segment group members.
- Segment Ports
- Distributed Port Groups
- Distributed Ports
- Virtual Machines
- Physical Servers
- Cloud Native Service Instances
- (Optional) Click IP/MAC Addresses to add IP and MAC addresses as group members. IPv4 addresses, IPv6 addresses, and multicast addresses are supported.
Click the import icon to import IP/MAC addresses from a TXT file or a CSV file containing comma-separated IP/MAC values.
- (Optional) Click AD Groups to add Active Directory Groups. Groups with Active Directory members can be used in the source text box of a distributed firewall rule for Identity Firewall. Groups can contain both AD and compute members.
Note: If you are using NSX Federation, you cannot create groups from the Global Manager to include AD user groups.
- (Optional) Enter a description and tag.
- Click Apply.
Groups are listed, with an option to view the members and where the group is used.
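The procedure above is the UI path; the same group can be created through the NSX Policy API (PATCH on /policy/api/v1/infra/domains/{domain}/groups/{id}). The following is an added example, not NSX's own tooling or code from this page. It builds a Generic group that combines the tag-based criterion described earlier (VM Tag Equals 'quarantine', which NSX evaluates case-insensitively) with static IP addresses, pre-checks the rule from this page that a group made only of IP, MAC, or Active Directory members is not enforced in a DFW rule's Applied To, and models the Generic to IP Addresses Only conversion, in which only the IP addresses survive. The hostname, credentials, the "scope|tag" value format for the Tag condition, and the "IPAddress" value of group_type are assumptions to verify against your release's API reference.

```python
"""Build and sanity-check an NSX Policy API group definition.

Added example (not NSX product code). Assumed: the Policy API expression
shapes below, the "scope|tag" value format for Tag conditions, and the
"IPAddress" group_type value. Check them against your NSX API reference.
"""
import base64
import json
import ssl
import urllib.request

NSX_MANAGER = "nsx-mgr.example.test"  # placeholder host (assumption)

# Expression types that carry no compute members. A group built only
# from these can be placed in a DFW rule's Applied To, but the rule is
# not enforced, so we reject it up front.
NON_COMPUTE_EXPRESSIONS = {
    "IPAddressExpression",
    "MACAddressExpression",
    "IdentityGroupExpression",
}


def tag_condition(tag, scope=""):
    """Dynamic membership criterion: VM Tag Equals <tag>.

    Assumed value format: "scope|tag" when a scope is given, bare tag
    otherwise. NSX matches tag criteria case-insensitively, so the
    criterion 'quarantine' also picks up VMs tagged 'QUARANTINE'.
    """
    return {
        "resource_type": "Condition",
        "member_type": "VirtualMachine",
        "key": "Tag",
        "operator": "EQUALS",
        "value": f"{scope}|{tag}" if scope else tag,
    }


def tag_matches(criterion_tag, vm_tag):
    """Model the group's case-insensitive tag comparison."""
    return criterion_tag.casefold() == vm_tag.casefold()


def ip_expression(ips):
    """Static IP members (IPv4/IPv6 addresses or CIDRs)."""
    return {"resource_type": "IPAddressExpression", "ip_addresses": list(ips)}


def conjunction(op):
    """Joins two expressions; op is "AND" or "OR"."""
    return {"resource_type": "ConjunctionOperator", "conjunction_operator": op}


def build_group(display_name, expression, tags=None, description=""):
    """Assemble the PATCH body for a Generic group."""
    body = {"display_name": display_name, "expression": expression}
    if description:
        body["description"] = description
    if tags:
        body["tags"] = [{"scope": s, "tag": t} for s, t in tags]
    return body


def enforceable_in_applied_to(group):
    """True only if at least one expression can yield compute members.

    Does not resolve PathExpression references to other groups; a group
    that nests only IP-only groups would still need a manual check.
    """
    return any(
        e["resource_type"] not in NON_COMPUTE_EXPRESSIONS
        and e["resource_type"] != "ConjunctionOperator"
        for e in group["expression"]
    )


def convert_to_ip_only(group):
    """Mirror the UI edit from Generic to IP Addresses Only.

    Only the IP addresses are retained; criteria and other members drop.
    """
    ips = [ip for e in group["expression"]
           if e["resource_type"] == "IPAddressExpression"
           for ip in e["ip_addresses"]]
    converted = dict(group)
    converted["expression"] = [ip_expression(ips)] if ips else []
    converted["group_type"] = ["IPAddress"]  # assumed enum value
    return converted


def patch_group(group_id, body, user, password, domain="default"):
    """Create or update the group via the Policy API (real network call)."""
    url = (f"https://{NSX_MANAGER}/policy/api/v1/infra/domains/"
           f"{domain}/groups/{group_id}")
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 method="PATCH")
    req.add_header("Content-Type", "application/json")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    ctx = ssl.create_default_context()  # keep certificate verification on
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    quarantine = build_group(
        "quarantine-vms",
        [tag_condition("quarantine"), conjunction("OR"),
         ip_expression(["10.10.0.0/24", "2001:db8::10"])],
        tags=[("owner", "secops")],
        description="Quarantined VMs plus known-bad ranges",
    )
    print(json.dumps(quarantine, indent=2))
    print("enforceable in Applied To:", enforceable_in_applied_to(quarantine))
    print("after IP-only conversion:",
          enforceable_in_applied_to(convert_to_ip_only(quarantine)))
    # patch_group("quarantine-vms", quarantine, "admin", "<password>")
```

Run the file to see the JSON body and the two pre-check results; uncomment the patch_group line (with real credentials) to push the group to the manager. The pre-check only inspects the group's own expression; group members referenced by path are not expanded, so keep the manual Applied To rule from this page in mind for nested groups.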