Configure Global Policies in VMware NSX-T Federation

Posted by

In this article I will cover creating Global Groups in NSX-T Federation.  Then we will create a policy and a rule to test web traffic in order to show that the new policy/rule applies at both site locations.

Log into the Global Manager

In the primary global manager go to Inventory > Groups

Add Group

Provide the group a name – my test is for web tier virtual machines

Choose Region as Global

Set Members

ADD Criteria

I am using VM Name as criteria even though I highly recommend leveraging tags in real world



Click view members to ensure all your virtual machines have been added

Toggle between locations to see full list of members

Next we need to configure polices and rules

Security > East West Security > Distributed Firewall > Application

Add Policy

Click ellipsis

Add Rule

Provide a name – Sources: any – Destinations: Global web tier group – Services: Http – Applied to: Global Web Tier Group – Action Reject


Neither web virtual machine works because the rule above is set to reject.  Since this is a Global Rule it is being applied at both Location 1 and Location 2

Change the rule to allow


As you can now see the web pages are working from a workstation outside of the NSX-T network.

Leave a Reply