You can add an existing security group to a network profile. When a cloud template uses that network profile, its machines are members of the security group. This method does not require that you add a security group resource to a cloud template. You can also use a load balancer in this configuration. For related information, see More about load balancer resources in vRealize Automation cloud templates.

You can drag and drop a security group resource onto a cloud template and bind the security group resource to a machine NIC by using constraint tags on the existing security group in the cloud template and on the existing security group in the data-collected resource. You can also make this association by connecting the objects on the cloud template design canvas, similar to how you associate networks to machines.

When you drag and drop a security group resource onto the cloud template design canvas, it can be of type existing or new. If it’s an existing security group type, add a tag constraint value as prompted. If it's a new security group type, you can configure firewall rules.

You can associate a security group resource with a machine NIC (in a machine resource) in the cloud template by matching tags between the two resources.

As an example for NSX-T when tags are specified in the source endpoint, you can use NSX-T tags specified in your NSX-T application. You can then use an NSX-T tag, specified as a constraint on a network resource in a cloud template, where the network resource is connected to a machine NIC in the cloud template. NSX-T tags allow you to dynamically group machines by using a pre-defined NSX-T tag that is data-collected from the NSX-T source endpoint. Use a logical port when you create the NSX-T tag in NSX-T.

You can add firewall rules to an on-demand security group in a cloud template.

For information about available firewall rules, see More about security group and tag resources in vRealize Automation cloud templates.