After you add a cloud account in Cloud Assembly, data collection discovers the cloud account's network and security information and makes that information available for use in network profiles and other options.

Security groups and firewall rules support network isolation. Security groups are data-collected. Firewall rules are not data-collected.

Using the Infrastructure > Resources > Security menu sequence, you can view on-demand security groups that have been created in Cloud Assembly cloud template designs and existing security groups that were created in source applications, such as NSX-T and Amazon Web Services. Available security groups are exposed by the data collection process.

You can use a tag to match the machine interface (NIC) with a security group in a cloud template definition or in a network profile. You can view the available security groups and add or remove tags for selected security groups. A cloud template author can assign one or more security groups to a machine NIC to control security for the deployment.

In the cloud template design the securityGroupType parameter in the security group resource is specified as existing for an existing security group or new for an on-demand security group.

Existing security groups

Existing security groups are displayed and classified in the Origin column as Discovered.

Existing security groups from the underlying cloud account endpoint, such as NSX-V, NSX-T, or Amazon Web Services applications, are available for use.

A cloud administrator can assign one or more tags to an existing security group to allow it to be used in a cloud template. A cloud template author can use a Cloud.SecurityGroup resource in a cloud template design to allocate an existing security group by using tag constraints. An existing security group requires at least one constraint tag be specified in the security resource in the cloud template design.

If you edit an existing security group directly in the source application, such an in the source NSX application rather than in Cloud Assembly, the updates are not visible in Cloud Assembly until you data collection runs and data collects the associated cloud account or integration point from within Cloud Assembly. Data collection runs automatically ever 10 minutes.

Existing security groups are supported for NSX-T global manager and local manager cloud accounts and the vCenter cloud accounts that are associated to the local managers. Cloud Assembly enumerates, or data collects, existing security groups and attaches them to the machine's network interfaces (NICs). You can create a global security group by adding an existing security group on an NSX-T global manager. The global security group can then be consumed by the associated local managers. Global security groups can span one, all, or a subset of the associated local managers.
  • Global existing security groups are supported and enumerated for all defined regions.
  • Global security groups are listed on the Infrastructure > Resources page with all the cloud accounts that they apply to.
  • You can associate a machine interface (NIC) with an existing global security group directly in a cloud template or in the selected network profile.
  • The following Day 2 operations are supported for global security groups:
    • Security group reconfiguration in a cloud template from a global to a local security group and vice versa.
    • Scale-out/scale-in of machines that are associated with global security groups.

On-demand security groups

On-demand security groups that you create in Cloud Assembly, either in a cloud template or in a network profile, are displayed and classified in the Origin column as Managed by Cloud Assembly. On-demand security groups that you create as part of a network profile are internally classified as an isolation security group with pre-configured firewall rules and are not added to a cloud template design as a security group resource. On-demand security groups that you create in a cloud template design, and that can contain express firewall rules, are added as part of a security group resource that is classified as new.


You can create firewall rules for on-demand security groups for NSX-V and NSX-T directly in a security group resource in cloud template design code. The Applied To column does not contain security groups that are classified or managed by an NSX Distributed Firewall (DFW). Firewall rules that apply to applications are for east/west DFW traffic. Some firewall rules can only be managed in the source application and cannot be edited in Cloud Assembly. For example, ethernet, emergency, infrastructure, and environment rules are managed in NSX-T.

On-demand security groups are not currently supported for NSX-T global manager cloud accounts.

Learn more

For more information about using security groups in network profiles, see Learn more about network profiles in vRealize Automation.

For information about defining firewall rules, see Using security group settings in network profiles and cloud template designs in vRealize Automation.

For more information about using security groups in a cloud template, see More about security group and tag resources in vRealize Automation cloud templates.

For cloud template design code samples that contain security groups, see Networks, security resources, and load balancers in vRealize Automation.