An NSX app isolation policy acts as a firewall to block all inbound and outbound traffic to and from the provisioned machines in the deployment. When you specify a defined NSX app isolation policy, the machines provisioned by the blueprint can communicate with each other but cannot connect outside the firewall.

You can apply app isolation at the blueprint level by using the New Blueprint or Blueprint Properties page.

When using an NSX app isolation policy, only internal traffic between the machines provisioned by the blueprint is allowed. When you request provisioning, a security group is created for the machines to be provisioned. An app isolation security policy is created in NSX and applied to the security group. Firewall rules are defined in the security policy to allow only internal traffic between the components in the deployment. For related information, see Create an NSX Endpoint and Associate to a vSphere Endpoint.


When provisioning with a blueprint that uses both an NSX edge load balancer and an NSX app isolation security policy, the dynamically provisioned load balancer is not added to the security group. This prevents the load balancer from communicating with the machines for which it is meant to handle connections. Because edges are excluded from the NSX distributed firewall, they cannot be added to security groups. To allow load balancing to function properly, use another security group or security policy that allows the required traffic into the component VMs for load balancing.

The app isolation policy has a lower precedence compared to other security policies in NSX. For example, if the provisioned deployment contains a web component machine and an app component machine and the web component machine hosts a web service, then the service must allow inbound traffic on ports 80 and 443. In this case, users must create a web security policy in NSX with firewall rules defined to allow incoming traffic to these ports. In vRealize Automation, users must apply the web security policy on the web component of the provisioned machine deployment.

If a blueprint contains one or more load balancers and app isolation is enabled for the blueprint, the load balancer VIPs are added to the app isolation security group as an IPSet. If a blueprints contains an on-demand security group that is associated to a machine tier that is also associated to a load balancer, the on-demand security group includes the machine tier and the IPSet with the load balancer VIP.

If the web component machine needs access to the app component machine using a load balancer on ports 8080 and 8443, the web security policy should also include firewall rules to allow outbound traffic to these ports in addition to the existing firewall rules that allow inbound traffic to ports 80 and 443.

For information about security features that can be applied to a machine component in a blueprint, see Using Security Components in the Design Canvas.