NSX supports creation of groups when setting up multi-tenancy in your environment.
- Default group created by the system in the project.
- User-created groups that are owned by the project.
If the Enterprise Admin has shared groups with the project, you can optionally choose to view the shared groups.
- Default groups created by the system in the NSX VPCs.
- User-created groups in the NSX VPCs.
- To view shared groups, click the Shared objects check box.
- (Starting with NSX 4.1.1): To view groups inside NSX VPCs, click the VPC realized objects check box.
You can find these check boxes at the bottom of the Groups page.
For example, see the following screen capture.
- Groups that are owned by the default space and shared with the project.
- (Starting NSX 4.1.1): Groups that are created in the NSX VPCs, both system-created and user-created VPC groups.
Default Group in a Project
NSX creates a default group of type Generic for every project that is added in your environment. This default group represents the project itself.
By default, the system adds all the segments that users have created inside a project to the project’s default group. The VM interfaces (VIFs) that are attached to the segments in the project are members of the default group. If the VM is dual-homed, for example, when one interface is connected to a a segment in the default space, and the other interface is connected to a segment in the project, then the VIF on the segment in the default space will not be a member of the project's default group.
The default group helps you to restrict the scope of the firewall rules to a particular project. For example, when adding DFW policies in the default space, the Enterprise Admin can use the default group of the projects in the Source, Destination, or Applied To fields of the firewall rules. However, the firewall policies in the default space cannot consume groups other than the default group of the projects.
The following naming convention is used to identify the default group in a project:
ORG-default-PROJECT-<Project_Name>-defaultProject_Name is replaced with actual value in your system.
User-Created Groups in a Project
Groups of type Generic and IP Addresses Only are supported in a project.
- Segments
- Segment Ports
- VIFs
- Virtual Machines
- Groups
On the Members tab of the Set Members dialog box, the system displays only those objects that are owned by the project. Objects that are shared with the project are not listed in this dialog box because shared objects cannot be added as members in a project group.
- Virtual Machine
- Segment
- Segment Port
- Group
- Dynamic group membership evaluates to all the VMs in the NSX system, including the VMs in the projects and in the NSX VPCs within the projects.
For example, if a group in the default space includes VMs with the Web tag, the effective members of this group will include VMs with the Web tag in:
- Projects
- NSX VPCs within the projects
- Outside the projects (default space)
Note: Tags are metadata of the VMs in NSX. If a VM is attached to a segment in a project, both the Project Admin and the Enterprise Admin can assign tags to the VM. For example, let us say that in the default space, the Enterprise Admin has assigned a tag to a VM that is inside project 1. The Project Admin of project 1 can modify the tag that is assigned to this VM because the VM is seen in the project 1 inventory. - For groups with static membership in the default space, you can add workload VMs that are connected to a project either by explicitly referring to the VMs (Members > Virtual Machines) or by adding the project default groups (ORG-default-PROJECT-<Project_Name>-default).
Other objects created under a project cannot be added as static members to groups inside the default space.
Adding Groups to a Project
The UI workflow for adding a group in a project remains the same as it currently exists for adding groups in the Default view (default space) of your NSX deployment.
The only difference is that in the UI, you must first select a project from the Project drop-down menu on the application bar at the top, and then navigate to for adding groups in that selected project.