4.10.1 Security Groups
Security groups are logical groupings that define what needs to be protected by the VMware NSX distributed firewall or similar devices. A typical strategy is to add vCenter Server inventory objects as security group members. Although rules are abstracted as objects at the configuration layer, the underlying firewall rules configured within the kernel are IP-based. This requires VMware Tools™ to be running in all virtual machines so that their addresses are reported to vCenter Server.
Security group membership can be defined in a number of ways: vCenter Server objects, security tags, IPsets, MACsets, other security groups, directory groups, or regular expressions.
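The following added example (a simplified model, not VMware code and not the NSX API) resolves a security group to the IP addresses a kernel rule would actually match and lists members that have no reported address and would therefore fall outside the rule. The inventory, group names and the `name_regex`, `tags`, `vms`, `ipsets` and `groups` keys are constructed for illustration, matching the regular expression against the VM name is an assumption, and MACsets and directory groups are not modeled.

```python
import re

# Constructed inventory: VM name -> security tags and the IPs vCenter has learned.
# An empty "ips" list models a VM where VMware Tools is not reporting addresses.
VMS = {
    "web-01": {"tags": {"pci"}, "ips": ["10.0.1.11"]},
    "web-02": {"tags": {"pci"}, "ips": []},
    "db-01":  {"tags": set(),   "ips": ["10.0.2.21"]},
    "app-01": {"tags": set(),   "ips": ["10.0.3.31"]},
}

# Constructed security groups using several of the membership types listed above.
GROUPS = {
    "SG-Web":  {"name_regex": r"^web-\d+$"},
    "SG-PCI":  {"tags": {"pci"}, "vms": ["db-01"], "ipsets": ["192.0.2.0/28"]},
    "SG-Prod": {"groups": ["SG-Web", "SG-PCI"], "vms": ["app-01"]},
}


def _walk(group, seen):
    """Collect (VM names, static IPset entries), following nested groups."""
    if group in seen:                      # guard against circular nesting
        return set(), set()
    seen.add(group)
    spec = GROUPS[group]
    vms, nets = set(spec.get("vms", [])), set(spec.get("ipsets", []))
    for name, vm in VMS.items():
        by_tag = vm["tags"] & spec.get("tags", set())
        by_name = "name_regex" in spec and re.search(spec["name_regex"], name)
        if by_tag or by_name:
            vms.add(name)
    for child in spec.get("groups", []):
        child_vms, child_nets = _walk(child, seen)
        vms |= child_vms
        nets |= child_nets
    return vms, nets


def resolve(group):
    """Return (addresses a rule would match, member VMs with no address)."""
    vms, nets = _walk(group, set())
    addresses = set(nets)
    for name in vms:
        addresses.update(VMS[name]["ips"])
    unenforced = sorted(n for n in vms if not VMS[n]["ips"])
    return sorted(addresses), unenforced
```

A non-empty second value from `resolve()` identifies group members that an object-based rule names but an IP-based kernel rule cannot match.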