When App Isolation is enabled for a multi-machine blueprint, the firewall blocks all inbound and outbound traffic to the component machines of the blueprint. The component machines within a multi-machine blueprint can communicate with each other but cannot connect outside the firewall.

When a multi-machine service is provisioned with App isolation, vCloud Automation Center creates a security group corresponding to the multi-machine service and assigns the component machines as members of that security group. The security policy called vCAC App Isolation Policy in NSX is created and applied to the security group. The firewall rules are defined in the security policy to allow only internal traffic.

The vCAC App Isolation Policy has a lower precedence compared to other security policies in NSX. For example, if a multi-machine service contains a Web component machine and an App component machine and the Web component machine hosts a Web service, then the service must allow inbound traffic on ports 80 and 443. In this case, users must create a Web security policy in NSX with firewall rules defined to allow incoming traffic to these ports. In vCloud Automation Center, users must apply the Web security policy on the Web component of the multi-machine blueprint.

If the Web component machine needs access to the App component machine using a load balancer on ports 8080 and 8443, the Web security policy should also include firewall rules to allow outbound traffic to these ports in addition to the existing firewall rules that allow inbound traffic to ports 80 and 443.

Familiarize yourself with the security features that can be applied to a multi-machine blueprint. See Applying Security on a Component Machine.

Log in to the vCloud Automation Center console as a tenant administrator or business group manager.

Create a multi-machine blueprint. See Create a Multi-Machine Blueprint.

Verify that an IaaS administrator created a vCloud Networking and Security or NSX endpoint. See Create a vSphere Endpoint for Networking and Security Virtualization.

Verify that the supported version of VMware Tools is installed on the component machines. See NSX Installation and Upgrade Guide


Select Infrastructure > Blueprints > Blueprints.


Locate a multi-machine blueprint with at least one virtual component blueprint.


Click the Network tab.


Click the App isolation check box under Security to enable the option.


Click OK.

Publish your blueprint to make it available as a catalog item. See Publish a Blueprint.