NSX supports the creation of groups when setting up multi-tenancy in your environment.

The groups of a Project apply only to the VMs in the Project, that is, VMs connected to the networks in the Project. The rules within a Project, including those with ANY applied to DFW, do not impact workloads outside the Project.
Note: Groups from the /infra space apply to every VM in the NSX deployment, including those in the Projects. For instance, a group based on a tag includes all VMs with the same tag as members, both from within and outside the Project.

A default group is created by the system for every Project you create. The default group represents the Project itself. All the segments created in a Project are added to the Project’s default group by the system. Only those VMs that are attached to the segments of the group are added to the group. The default group helps restrict the scope of the rules to a particular Project.

Default Group

The default group has a group scope expression that defines the path of the group scope. Administrators can apply rules from the /infra space only to Projects under the Default group, either directly or through a static membership in a group from the /infra space.

Custom Groups

The following are supported for any additional groups that you create:

  • Static members – VM, segments, segment ports, IP addresses
  • Dynamic members – VM

Create a group by making the following API call:
PATCH /policy/api/v1/orgs/default/projects/<project-id>/infra/domains/default/groups/<group-id>
Sample request for creating a VM-based group:
URL:
PATCH https://{{nsx-manager-ip}}/policy/api/v1/orgs/default/projects/project-1/infra/domains/default/groups/group-1
Body:
{
  "expression": [
    {
      "member_type": "VirtualMachine",
      "key": "Name",
      "operator": "CONTAINS",
      "value": "App",
      "resource_type": "Condition"
    }
  ],
  "description": "my group",
  "display_name": "g1",
  "_revision": 0
}
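
The following Python sketch is an added example, not part of the NSX documentation or product code. It builds the project-scoped PATCH request shown above and rejects project or group IDs that could rewrite the URL path, so a caller-supplied ID cannot redirect the call out of the Project and into the /infra space. The helper names, the ID allow-list, the host name and the use of HTTP basic authentication are assumptions made for this example.

```python
import base64
import json
import re
import urllib.request

# Conservative allow-list chosen for this example (an assumption, not NSX's own ID rule).
_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def _safe_id(value, what):
    """Reject IDs that could change the URL path (for example '../' or '/')."""
    if not _ID_RE.fullmatch(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value

def build_group_request(manager, project_id, group_id, display_name,
                        name_contains, user, password, description=""):
    """Return an unsent urllib Request for the project-scoped group PATCH."""
    url = (f"https://{manager}/policy/api/v1/orgs/default/projects/"
           f"{_safe_id(project_id, 'project id')}/infra/domains/default/groups/"
           f"{_safe_id(group_id, 'group id')}")
    body = {  # same fields as the sample body on this page
        "expression": [{
            "member_type": "VirtualMachine",
            "key": "Name",
            "operator": "CONTAINS",
            "value": name_contains,
            "resource_type": "Condition",
        }],
        "description": description,
        "display_name": display_name,
        "_revision": 0,
    }
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})

def create_group(request, timeout=10):
    """Send the request; certificate verification stays on (urllib default)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed sample values; nothing is sent here.
    req = build_group_request("nsx.example.test", "project-1", "group-1",
                              "g1", "App", "admin", "placeholder", "my group")
    print(req.get_method(), req.full_url, req.data.decode())
```

Call create_group(req) only against a manager whose certificate the client trusts; the example leaves TLS verification enabled on purpose.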