After you add a cloud account in vRealize Automation Cloud Assembly, data collection discovers the cloud account's network and security information and makes that information available for use in network profiles and other options.

Security groups and firewall rules support network isolation. Security groups are data-collected. Firewall rules are not data-collected.

Security groups

Using the Infrastructure > Resources > Security menu sequence, you can view on-demand security groups that have been created in vRealize Automation Cloud Assembly cloud template designs and existing security groups that were created in source applications, such as NSX-T and Amazon Web Services. Available security groups are exposed by the data collection process.

You can view the available security groups and add or remove tags for selected security groups. A cloud template author can assign one or more security groups to a machine NIC to control security for the deployment.

In the cloud template design, the securityGroupType parameter in the security group resource is specified as existing for an existing security group or new for an on-demand security group.

Existing security groups from the underlying cloud account endpoint, such as NSX-V, NSX-T, or Amazon Web Services applications, are available for use. On-demand security groups that were created in your organization's cloud template designs are also data-collected. On-demand security groups are currently available for NSX-V and NSX-T only.

Existing security groups are displayed and classified in the Origin column as Discovered. On-demand security groups that you create in vRealize Automation Cloud Assembly, either in a cloud template or in a network profile, are displayed and classified in the Origin column as Managed by Cloud Assembly. On-demand security groups that you create as part of a network profile are internally classified as an isolation security group with pre-configured firewall rules and are not added to a cloud template design as a security group resource. On-demand security groups that you create in a cloud template design, and that can contain express firewall rules, are added as part of a security group resource that is classified as new.

If you edit an existing security group directly in the source application, such as in the source NSX application rather than in vRealize Automation Cloud Assembly, the updates are not visible in vRealize Automation Cloud Assembly until data collection runs and collects the associated cloud account or integration point from within vRealize Automation Cloud Assembly. Data collection runs automatically every 10 minutes.

A cloud administrator can assign one or more tags to an existing security group to allow it to be used in a cloud template. A cloud template author can use a Cloud.SecurityGroup resource in a cloud template design to allocate an existing security group by using tag constraints. An existing security group requires that at least one constraint tag be specified in the security group resource in the cloud template design.

Using firewall rules in security groups

You can create firewall rules for on-demand security groups for NSX-V and NSX-T directly in a security group resource in cloud template design code.
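The following cloud template fragment is an added example, not a sample from the VMware documentation. It shows both patterns described above: an existing security group allocated by a constraint tag (securityGroupType existing) and an on-demand NSX security group with express firewall rules (securityGroupType new), both attached to a machine NIC. The tag values, image and flavor names are constructed, and the property names other than securityGroupType and Cloud.SecurityGroup are written from memory of the vRA template schema and should be checked against the product's own code samples.

```yaml
# Added example, not from the VMware documentation or the product.
formatVersion: 1
inputs: {}
resources:
  # Existing (Discovered) group. A cloud administrator must first have tagged
  # it under Infrastructure > Resources > Security; at least one constraint
  # tag is required for an existing security group.
  web_sg_existing:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: existing
      constraints:
        - tag: 'role:web'            # constructed tag value
  # On-demand (Managed by Cloud Assembly) group for NSX-V or NSX-T. The
  # firewall rules are expressed directly in the resource.
  app_sg_new:
    type: Cloud.SecurityGroup
    properties:
      securityGroupType: new
      rules:
        - name: allow-https-in       # only the service port is opened
          direction: inbound
          protocol: TCP
          ports: 443
          source: any
          access: Allow
        - name: deny-ssh-in          # keep the management port closed
          direction: inbound
          protocol: TCP
          ports: 22
          source: any
          access: Deny
  # Existing network selected by tag (constructed tag value).
  app_net:
    type: Cloud.Network
    properties:
      networkType: existing
      constraints:
        - tag: 'env:dev'
  # Machine whose NIC carries both security groups.
  app_machine:
    type: Cloud.Machine
    properties:
      image: ubuntu                  # constructed image mapping name
      flavor: small                  # constructed flavor mapping name
      networks:
        - network: '${resource.app_net.id}'
          securityGroups:
            - '${resource.web_sg_existing.id}'
            - '${resource.app_sg_new.id}'
```

Because firewall rules are not data-collected, rules changed later in NSX for the on-demand group will not be reflected in this template; the group itself, being Managed by Cloud Assembly, still appears in the Security view.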

The Applied To column does not contain security groups that are classified or managed by an NSX Distributed Firewall (DFW). Firewall rules that apply to applications are for east/west DFW traffic.

Some firewall rules can only be managed in the source application and cannot be edited in vRealize Automation Cloud Assembly. For example, ethernet, emergency, infrastructure, and environment rules are managed in NSX-T.

Learn more

For more information about using security groups in network profiles, see Learn more about network profiles in vRealize Automation.

For information about defining firewall rules, see Using security group settings in network profiles and cloud template designs in vRealize Automation Cloud Assembly and Using a security group resource in a vRealize Automation cloud template.

For cloud template design code samples that contain security groups, see Network, security, and load balancer examples in vRealize Automation cloud templates.