You can add an on-demand NSX security group component to the design canvas in preparation for associating its settings to one or more vSphere machine components or other available component types in the blueprint.

When you create an on-demand security group you add security policies to create the group. The security policies can be globally exposed or hidden by default. Policies are only exposed in tenants for which the associated NSX endpoint has a reservation in that tenant.

By default, security groups that are applicable to the current tenant are exposed when authoring a blueprint. Specifically, security groups are made available if the associated endpoint has a reservation in the current tenant. For additional information about controlling tenancy access, see Controlling Tenant Access for Security Objects.


  • Create and configure a security policy in NSX. See NSX Administration Guide.

  • Verify that the NSX inventory has executed successfully for your cluster.

    To use NSX configurations in vRealize Automation, you must run data collection.

  • Log in to vRealize Automation as an infrastructure architect.

  • Review security component concepts. See Using Security Components in the Design Canvas.

  • Open a new or existing blueprint in the design canvas by using the Design tab.


  1. Click Network & Security in the Categories section to display the list of available network and security components.
  2. Drag an On-Demand Security Group component onto the design canvas.
  3. Enter a name and, optionally, a description.
  4. Add one or more security policies by clicking the Add icon in the Security policies area and selecting available security policies.
  5. Click OK.
  6. Click Finish to save the blueprint as draft or continue configuring the blueprint.


You can continue configuring security settings by adding additional security components and by selecting settings in the Security tab of a vSphere machine component in the design canvas.