Scripting: NSX-v – Security Groups with Dynamic membership

NSX-v allows the creation of Security Groups to group objects to be used in DFW rules and security policies. Each security group can have a mix of static and dynamic membership (If you want to get picky, you can also statically exclude objects). One of the possible ways to dynamically include members into the security group is to match on a security tag. This allows a VM to have security tags assigned to them, and based on the security tag, a VM can be dynamically added as a security group member.

Even though security groups and security tags go hand in hand, unfortunately they are not configured in the same part of the UI.

To configure a security group you must navigate to the following location

  • Click Networking & Security and then click Service Composer.
  • Click the Security Groups tab.

To configure a security tag you must navigate to the following location

  • Click Networking & Security and then click NSX Managers.
  • Click an NSX Manager in the Name column and then click the Manage tab.
  • Click the Security Tags menu.

I have a scenario come up where we want to create DFW rules which utilise security groups as both the source and destination of the rule.

So for any particular service/app we want to create DFW rules for, there needs to be two security groups created, one for the clients (source) and another for the servers (destination).

  • SG.S-CRM App (Security Group for the CRM Application Servers)
  • SG.C-CRM App (Security Group for the CRM Application Clients)

Now we also need the corresponding security tags created so that VMs can be tagged and dynamically added to the required groups.

  • ST.S-CRM App (Security Tag for the CRM Application Servers)
  • ST.C-CRM App (Security Tag for the CRM Application Clients)

Once the security tags are created, we can then configure dynamic membership within the security group to include the VMs which belong to the security tag entity.

For me personally, configuring this in the current NSX-v UI (6.1.2) consists of way too many clicks, so I decided to script it.

The following Python script reads from a CSV file which consists of the security Service/App/Group name and description and creates the corresponding security tags and security groups along with the security group dynamic membership configuration.

The script has also been uploaded on my GitHub site here


The csv file used as an input is as follows.

To run the script, do this.

The output will look like this.

After it’s all done, we can see the newly created security tags.


And the new security groups.


And if you open up one of the security groups, you can see the dynamic membership configuration all done for you.



If you look at the Summary page of a VM, you can manually add a security tag to the VM (Although adding a Security Tag to a VM is also easily scriptable – Check out Brett Draytons script).


Just choose the required Security Tag (This is actually one of the spots where if the Security Tag you want to use doesn’t exist, you can manually create it by clicking the Green +).


Now you can see the Security Tag assigned to the VM.


And if you refresh the Summary page, you will see it has been dynamically added to the appropriate Security Group.


You can also check members of the security group via the Security Groups tab in the Service Composer.


Or via the Canvas view in the Service Composer.


Now I can go about configuring my DFW rules utilising my new security groups 🙂

Leave a Reply