You can add NSX security components to the design canvas to make their configured settings available to one or more vSphere machine components in the blueprint.

Security groups, tags, and policies are configured outside of vRealize Automation in the NSX application.

The network and security component settings that you add to the design canvas are derived from your NSX configuration and require that you have run data collection for the NSX inventory for vSphere clusters. Network and security components are specific to NSX and are available for use with vSphere machine components only. For information about configuring NSX, see the NSX Administration Guide.

You can add security controls to blueprints by configuring security groups, tags, and policies for the vSphere compute resource in NSX. After you run data collection, the security configurations are available for selection in vRealize Automation.

Security Group

A security group is a collection of assets or grouping objects from the vSphere inventory that is mapped to a set of security policies, for example distributed firewall rules and third-party security service integrations such as anti-virus and intrusion detection. The grouping feature enables you to create custom containers to which you can assign resources, such as virtual machines and network adapters, for distributed firewall protection. After a group is defined, you can add the group as the source or destination of a firewall rule for protection.

You can add existing or on-demand NSX security groups to a blueprint, in addition to the security groups specified in the reservation.

You can create one or more on-demand security groups. You can select one or more security policies to configure on a security group.

Security groups are managed in the source resource. For information about managing security groups for various resource types, see the NSX documentation.

If a blueprint contains one or more load balancers and app isolation is enabled for the blueprint, the load balancer VIPs are added to the app isolation security group as an IPSet. If a blueprint contains an on-demand security group that is associated with a machine tier that is also associated with a load balancer, the on-demand security group includes the machine tier and the IPSet with the load balancer VIP.

Security Tag

A security tag is a qualifier object or categorizing entry that you can use as a grouping mechanism. You define the criteria that an object must meet to be added to the security group you are creating. This lets you include machines by defining filter criteria, with a number of supported parameters to match against. For example, you can add all of the machines tagged with a specified security tag to a security group.

You can add a security tag to the design canvas.

Security Policy

A security policy is a set of endpoint, firewall, and network introspection services that can be applied to a security group. You can add security policies to a vSphere virtual machine by using an on-demand security group in a blueprint. You cannot add a security policy directly to a reservation. After data collection, the security policies that have been defined in NSX for a compute resource are available for selection in a blueprint.

App Isolation

When app isolation is enabled, a separate security policy is created. App isolation uses a logical firewall to block all inbound and outbound traffic to the applications in the blueprint. Component machines that are provisioned by a blueprint that contains an app isolation policy can communicate with each other but cannot connect outside the firewall unless other security groups are added to the blueprint with security policies that allow access.
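The following Python model, added here as an illustration and not part of the vRealize Automation or NSX product code, ties together the security group, security tag, and app isolation sections above: a group gains members statically (machine tiers, an IPSet holding a load balancer VIP) or dynamically (machines carrying a required security tag), and traffic between two endpoints is decided by first-match rule evaluation. The class and rule names, the constructed machines and addresses, and the evaluation order (intra-blueprint allow, then attached policies, then the app isolation block, then a default allow) are assumptions made for the example, not a description of how the NSX distributed firewall orders its rules.

```python
from dataclasses import dataclass
from typing import List, Union

# Constructed model of NSX-style grouping objects (assumed names, not NSX API types).


@dataclass(frozen=True)
class Machine:
    name: str
    tier: str
    ip: str
    tags: frozenset = frozenset()  # security tags applied to the machine


# An endpoint is a provisioned machine or a bare IP (a VIP or an external host).
Endpoint = Union[Machine, str]


@dataclass
class SecurityGroup:
    name: str
    required_tags: frozenset = frozenset()  # dynamic membership by security tag
    tiers: frozenset = frozenset()          # static membership by machine tier
    ipset: frozenset = frozenset()          # IPSet members, e.g. load balancer VIPs

    def contains(self, ep: Endpoint) -> bool:
        if isinstance(ep, str):
            return ep in self.ipset
        if ep.tier in self.tiers or ep.ip in self.ipset:
            return True
        # An empty required_tags set must not match everything.
        return bool(self.required_tags) and self.required_tags <= ep.tags


@dataclass
class Rule:
    action: str  # "allow" or "block"
    src: str     # security group name or "any"
    dst: str     # security group name or "any"


@dataclass
class SecurityPolicy:
    name: str
    rules: List[Rule]


def _matches(selector: str, ep: Endpoint, groups: dict) -> bool:
    return selector == "any" or groups[selector].contains(ep)


def evaluate(src: Endpoint, dst: Endpoint, groups: dict,
             policies: List[SecurityPolicy], isolation_group: str = None) -> str:
    """Return "allow" or "block" for traffic from src to dst (assumed order)."""
    iso = groups[isolation_group] if isolation_group else None
    # App isolation: members of the blueprint may talk to each other.
    if iso is not None and iso.contains(src) and iso.contains(dst):
        return "allow"
    # Policies attached to other security groups in the blueprint, first match wins.
    for policy in policies:
        for rule in policy.rules:
            if _matches(rule.src, src, groups) and _matches(rule.dst, dst, groups):
                return rule.action
    # App isolation blocks everything else that touches the blueprint.
    if iso is not None and (iso.contains(src) or iso.contains(dst)):
        return "block"
    return "allow"  # assumed default when no isolation policy applies


def demo() -> dict:
    """Constructed two-tier blueprint with a load balancer and app isolation."""
    web = Machine("web-01", "web", "10.0.1.10")
    db = Machine("db-01", "db", "10.0.1.20", frozenset({"pci"}))
    vip = "10.0.0.100"       # load balancer VIP, added to groups as an IPSet
    client = "203.0.113.5"   # external client (constructed, documentation range)
    groups = {
        # On-demand group for the web tier; the VIP joins it as an IPSet.
        "web-sg": SecurityGroup("web-sg", tiers=frozenset({"web"}), ipset=frozenset({vip})),
        # Tag-driven group: any machine carrying the "pci" security tag.
        "pci-sg": SecurityGroup("pci-sg", required_tags=frozenset({"pci"})),
        # App isolation group: all machine tiers plus the VIP IPSet.
        "app-iso": SecurityGroup("app-iso", tiers=frozenset({"web", "db"}), ipset=frozenset({vip})),
    }
    policies = [SecurityPolicy("allow-inbound-web", [Rule("allow", "any", "web-sg")])]

    def ev(s: Endpoint, d: Endpoint) -> str:
        return evaluate(s, d, groups, policies, isolation_group="app-iso")

    return {
        "pci-sg has db": groups["pci-sg"].contains(db),
        "pci-sg has web": groups["pci-sg"].contains(web),
        "web->db": ev(web, db),          # intra-blueprint, allowed by isolation
        "client->vip": ev(client, vip),  # allowed by the web-sg policy via the IPSet
        "client->db": ev(client, db),    # no allowing policy, blocked by isolation
        "db->client": ev(db, client),    # outbound, blocked by isolation
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the model makes visible is the one the App Isolation paragraph states in prose: once isolation is on, a flow reaches the outside only if some other group in the blueprint carries a policy that allows it, and the load balancer VIP participates in that decision only because it was added to the on-demand group as an IPSet.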