: Create Dynamic Address Groups
Focus
Focus

Create Dynamic Address Groups

Table of Contents

Create Dynamic Address Groups

A security group is a logical container that assembles guests across multiple ESXi hosts in the cluster. When you create a dynamic address group that meets the right criteria and commit your changes, a corresponding security group is created on the NSX-T Manager. Creating security groups is required to manage and secure the guests.
For a dynamic address group to become a security group on NSX-T, you must add match criteria in the dynamic address group in the following format: ‘_nsxt_<dynamic-address-group-name>’. The dynamic address name added in the match criteria must match the dynamic address group name exactly. For example, a dynamic address group called applications must include match criteria ‘_nsxt_applications’. Additionally, you must include the dynamic address group in a device group in a service definition, which is part of a service manager, and committed.
Each security group created from a dynamic address group is in the following format: <service-def-name>_<dynamic-address-group-name>. For example, ServiceDef1_applications.
Each dynamic address group you create must have a unique name across each device group configured on your Panorama.
  1. Configure a dynamic address group for each security group required for your deployment.
    1. Select ObjectsAddress Groups.
    2. Verify that you are configuring the dynamic address groups in a device group associated with an NSX-T service definition.
    3. Click Add and enter a Name and Description for the address group.
    4. Select Type as Dynamic.
    5. Define the match criteria.
      For the dynamic address group to become a security group in NSX-T Manager, the match criteria string must be enclosed in single quotes with the prefix _nsxt_ followed by the exact name of the Address Group. For example, ‘_nsxt_PAN_APP_NSX’.
    6. Repeat this process for each security group you require.
  2. Commit your changes.