A security group is a logical container that
assembles guests across multiple ESXi hosts in the cluster. When
you create a dynamic address group that meets the right criteria
and commit your changes, a corresponding security group is created
on the NSX-T Manager. Creating security groups is required to manage
and secure the guests; to understand how security groups enable
policy enforcement, see Policy Enforcement Using Dynamic
For a dynamic address group to become
a security group on NSX-T, you must add match criteria in the dynamic
address group in the following format:
The dynamic address name added in the match criteria must match
the dynamic address group name exactly. For example, a dynamic address
must include match criteria
Additionally, you must include the dynamic address group in a device
group in a service definition, which
is part of a service manager, and commit your changes.
group created from a dynamic address group is in the following format:
dynamic address group you create must have a unique name across
each device group configured on your Panorama.
Configure a dynamic address group for each security
group required for your deployment.
Verify that you are configuring the dynamic address
groups in a device group associated with an NSX-T service definition.
and enter a
the address group.
Define the match criteria.
For the dynamic address group to become a security group
in NSX-T Manager, the match criteria string must be enclosed in
single quotes with the prefix _nsxt_ followed by the exact name
of the Address Group. For example,
Repeat this process for each security group you require.
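
The naming rules above (single-quoted match criteria, the _nsxt_ prefix, the exact address group name, and a unique name across device groups) can be checked before a commit. The following is an added example, not part of the original documentation or of any Palo Alto Networks tool: the input dictionary shape, the device group and address group names, and the function name check_groups are all constructed for illustration, and "exact" is treated as case-sensitive as an assumption.

```python
import re
from collections import defaultdict

PREFIX = "_nsxt_"
QUOTED_TAG = re.compile(r"'([^']*)'")  # each single-quoted tag in a match criteria string

def check_groups(device_groups):
    """device_groups: {device_group: {address_group: match_criteria}} (constructed shape)."""
    findings, seen = [], defaultdict(list)
    for dg, groups in device_groups.items():
        for name, criteria in groups.items():
            seen[name].append(dg)
            expected = PREFIX + name  # assumption: comparison is case-sensitive
            tags = QUOTED_TAG.findall(criteria)
            if expected in tags:
                continue
            near = [t for t in tags if t.lower().startswith(PREFIX)]
            if near:
                problem = f"tag {near[0]!r} does not match {expected!r} exactly"
            elif expected in criteria:
                problem = f"{expected!r} is not enclosed in single quotes"
            else:
                problem = f"no {expected!r} match criteria"
            findings.append((dg, name, problem))
    # The same address group name must not appear in more than one device group
    for name, dgs in seen.items():
        if len(dgs) > 1:
            findings.extend((dg, name, "name is not unique across device groups") for dg in dgs)
    return sorted(findings)

# Constructed sample configuration (hypothetical names)
SAMPLE = {
    "dg-nsxt-east": {
        "web-servers": "'_nsxt_web-servers'",
        "db-servers": "'_nsxt_DB-servers'",    # case differs from the group name
        "app-servers": "_nsxt_app-servers",     # quotes missing
    },
    "dg-nsxt-west": {
        "web-servers": "'_nsxt_web-servers'",  # duplicate name in another device group
        "quarantine": "'compromised'",          # no _nsxt_ criteria at all
    },
}

if __name__ == "__main__":
    for dg, name, problem in check_groups(SAMPLE):
        print(f"{dg}/{name}: {problem}")
```

A group reported here would either not map to a security group under the stated format or would collide with another group's name.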