In this article I will cover creating Global Groups in NSX-T Federation. Then we will create a policy and a rule to test web traffic in order to show that the new policy/rule applies at both site locations.
Log into the Global Manager
In the primary global manager go to Inventory > Groups
Add Group
Provide the group a name – my test is for web tier virtual machines
Choose Region as Global
Set Members
ADD Criteria
I am using VM Name as the criteria here, even though I highly recommend leveraging tags in the real world
Apply
Save
Click view members to ensure all your virtual machines have been added
Toggle between locations to see full list of members
Next we need to configure policies and rules
Security > East West Security > Distributed Firewall > Application
Add Policy
Click ellipsis
Add Rule
Provide a name – Sources: Any – Destinations: Global Web Tier Group – Services: HTTP – Applied to: Global Web Tier Group – Action: Reject
Publish
Neither web virtual machine works because the rule above is set to reject. Since this is a Global Rule, it is being applied at both Location 1 and Location 2.
Change the rule to allow
PUBLISH
As you can now see, the web pages are working from a workstation outside of the NSX-T network.
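The workstation test above can be scripted so that both locations are checked after every publish. This is an added example, not part of the original article: the addresses are constructed placeholders, and it assumes the Reject action answers TCP with a reset, which the client sees as a refused connection.

```python
import socket
import sys

# Constructed placeholder addresses: replace with one web tier VM per location.
TARGETS = {
    "Location 1": ("192.0.2.10", 80),
    "Location 2": ("198.51.100.10", 80),
}

def probe(host, port, timeout=3.0):
    """Classify one HTTP attempt as the workstation would see it."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            conn.sendall(request)
            reply = conn.recv(64)
    except (ConnectionRefusedError, ConnectionResetError):
        # A TCP reset: what a Reject rule returns (or a VM with no listener).
        return "rejected"
    except socket.timeout:
        # Silence: packets dropped somewhere, or the host is unreachable.
        return "no-response"
    except OSError as exc:
        return "error: " + exc.__class__.__name__
    return "allowed" if reply.startswith(b"HTTP/") else "connected-no-http"

def check_sites(targets, expected, timeout=3.0):
    """Probe every location; return results and the sites that differ."""
    results = {site: probe(h, p, timeout) for site, (h, p) in targets.items()}
    mismatched = sorted(site for site, r in results.items() if r != expected)
    return results, mismatched

if __name__ == "__main__":
    # Usage: python check_global_rule.py rejected|allowed
    expected = sys.argv[1] if len(sys.argv) > 1 else "rejected"
    results, mismatched = check_sites(TARGETS, expected)
    for site, outcome in results.items():
        print(f"{site}: {outcome}")
    if mismatched:
        sys.exit("rule not consistent at: " + ", ".join(mismatched))
```

A site listed as mismatched after a publish means the global rule is not being enforced the same way at that location, which is the condition the manual browser test is looking for.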
