In this article I will cover creating Global Groups in NSX-T Federation. Then we will create a policy and a rule to test web traffic in order to show that the new policy/rule applies at both site locations.
Log into the Global Manager

In the primary global manager go to Inventory > Groups
Add Group

Provide the group a name – my test is for web tier virtual machines
Choose Region as Global
Set Members

ADD Criteria

I am using VM Name as criteria even though I highly recommend leveraging tags in real world
Apply

Save

Click view members to ensure all your virtual machines have been added


Toggle between locations to see full list of members

Next we need to configure polices and rules
Security > East West Security > Distributed Firewall > Application
Add Policy

Click ellipsis
Add Rule

Provide a name – Sources: any – Destinations: Global web tier group – Services: Http – Applied to: Global Web Tier Group – Action Reject

Publish


Neither web virtual machine works because the rule above is set to reject. Since this is a Global Rule it is being applied at both Location 1 and Location 2

Change the rule to allow
PUBLISH


As you can now see the web pages are working from a workstation outside of the NSX-T network.