When creating Security Groups in vDefend, dynamic criteria (like VM Names, OS Names, or Security Tags—Options B, C, and D) are heavily preferred for internal workloads because vCenter and NSX have direct administrative control and visibility over those virtual machines.
However, External DNS servers reside outside of the vSphere/NSX compute boundary (they are often physical servers or managed by a separate network team). Because vDefend cannot assign a vSphere metadata tag or read the VM Name of an external physical server, dynamic grouping will fail. Therefore, the only technically viable and recommended method for grouping external infrastructure is to build an IP Set or Security Group and statically assign the IP addresses of those external resources.
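The contrast described above, as an added example that is not part of the original explanation: the Python below builds a static IP-based group body for external DNS servers next to a tag-based group body for internal VMs. It assumes the NSX Policy API group schema (`IPAddressExpression` and `Condition` expressions); the group names, tag and addresses are constructed, and the addresses come from documentation ranges.

```python
import ipaddress
import json


def external_ip_group(display_name, addresses):
    """Group body whose membership is a static IP list (for hosts NSX cannot inventory)."""
    members = []
    for addr in addresses:
        # strict=True rejects typos such as 192.0.2.53/24 (host bits set in a CIDR).
        net = ipaddress.ip_network(addr, strict=True)
        if net.prefixlen == 0:
            # A /0 entry would make a "DNS servers" group match every address.
            raise ValueError(f"refusing catch-all network {addr}")
        entry = str(net.network_address) if net.num_addresses == 1 else str(net)
        if entry not in members:
            members.append(entry)
    if not members:
        raise ValueError("an external group needs at least one address")
    return {
        "resource_type": "Group",
        "display_name": display_name,
        "expression": [
            {"resource_type": "IPAddressExpression", "ip_addresses": members}
        ],
    }


def tagged_vm_group(display_name, scope, tag):
    """Dynamic group body: only works for VMs that NSX can see and tag."""
    return {
        "resource_type": "Group",
        "display_name": display_name,
        "expression": [{
            "resource_type": "Condition",
            "member_type": "VirtualMachine",
            "key": "Tag",
            "operator": "EQUALS",
            "value": f"{scope}|{tag}",  # NSX tag criteria use "scope|tag"
        }],
    }


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses).
    dns = external_ip_group("external-dns", ["192.0.2.53", "192.0.2.54", "192.0.2.53"])
    web = tagged_vm_group("internal-web", "app", "web")
    # Bodies like these are sent to the Policy API under
    # /policy/api/v1/infra/domains/default/groups/<group-id> (assumed default domain).
    print(json.dumps(dns, indent=2))
    print(json.dumps(web, indent=2))
```
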