How to Delete an Unused Security Group via NSX Manager UI and Policy API



Article ID: 443429


Products

VMware NSX

Issue/Introduction

Procedure to safely delete unused security groups in NSX to optimize datapath IP counts or clean up obsolete configurations.

Deletion attempts fail if the target security group is still referenced by another object (a firewall rule, policy or parent group); NSX refuses to delete an object that other configuration depends on.

Important Checks Before Deleting:

  • Dependency Check: If the Security Group is currently used in a firewall rule (Source/Destination/Applied To) or a Security Policy, NSX blocks the deletion. You must first remove or update the firewall rules referencing the group.

If the UI or API returns a failure, you must locate and remove the group from the following configurations before retrying:

    • Distributed Firewall (DFW) Rules or Policies

    • Gateway Firewall Rules

    • Nested parent Security Groups

    • Endpoint Protection or Service Insertion Rules.

To identify active dependencies, click the hyperlinked number under the References column in the NSX Manager UI to trace the exact policies preventing deletion.

  • Cache Expiration: After removing a group from firewall policies, wait a few minutes before attempting to delete the group itself to allow the system’s dependency checks to update.

Environment

VMware NSX

Cause

  • NSX enforces strict dependency checks. A security group cannot be deleted if its reference count is greater than 0.
  • This occurs when the group is currently mapped to active Distributed Firewall (DFW) Rules, Gateway Firewall Rules, nested parent Security Groups, or Endpoint Protection/Service Insertion Rules.

Resolution

Delete Unused Security Groups via NSX Manager UI

  1. Log in to the NSX Manager user interface with administrative privileges.

  2. Navigate to Inventory > Groups.

  3. Locate the unused group you intend to delete. Use the search or filter functions to isolate the specific object.

  4. Verify the References column for the group. The reference count must be 0 before deletion is permitted.

    • Note: To identify active dependencies, click the hyperlinked number under the References column to trace the exact policies preventing deletion. You must remove the group from these configurations before retrying.

  5. Click the vertical ellipsis (three dots) next to the target group and select Delete.

  6. Confirm the action in the prompt by clicking Delete.

Delete Unused Security Groups via Policy API

For environments requiring programmatic deletion or bulk removal, use the NSX Policy API:

  1. Identify the target group-id (the id shown in the NSX Manager UI, or as returned when listing the groups of the domain).

  2. Confirm that the group has no remaining references (see Important Checks Before Deleting above). The API applies the same dependency check as the UI: a DELETE of a group that is still referenced returns an error instead of removing the group.

  3. Execute the following DELETE request against the NSX Manager: DELETE https://<REDACTED_IPS>/policy/api/v1/infra/domains/default/groups/<group-id>

    • Note: "default" in the path is the domain id. For a group that belongs to a different domain, use that domain's id in place of default.
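The following script is an added example and is not part of the KB article or VMware's own tooling. It automates the procedure above against the Policy API: it walks the domain's DFW security policies and rules (Source, Destination and Applied To) and the other groups' expressions to find references to the target group, and only if none are found issues the DELETE, retrying a bounded number of times because the dependency check can lag behind rule edits (the Cache Expiration caveat). The manager host, credentials, the transport callable shape and the retry timings are assumptions; the API paths are the Policy API paths for groups, security policies and rules. Gateway firewall and service-insertion references are not scanned here, so the References column in the UI remains the authoritative count.

```python
"""Added example (not from the KB article): find DFW/nested-group references to an
NSX group via the Policy API, then delete the group with a short retry loop.
Hypothetical: manager host, credentials, verify_tls, the transport() shape, timings."""
import base64
import json
import ssl
import time
import urllib.error
import urllib.request


def basic_auth_transport(manager, user, password, verify_tls=True):
    """Return transport(method, path, body=None) -> (status, parsed_json_or_None)
    that calls https://<manager>/policy/api/v1<path> with HTTP basic auth."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: skipping verification exposes admin credentials to MITM
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def transport(method, path, body=None):
        req = urllib.request.Request(
            f"https://{manager}/policy/api/v1{path}",
            data=None if body is None else json.dumps(body).encode(),
            method=method,
            headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            raw = err.read()
            try:
                return err.code, json.loads(raw)
            except ValueError:
                return err.code, {"error_message": raw.decode(errors="replace")}

    return transport


def group_path(group_id, domain="default"):
    return f"/infra/domains/{domain}/groups/{group_id}"


def _paths_in_expression(expr):
    """Yield every group path inside a (possibly nested) group expression list."""
    for item in expr:
        if item.get("resource_type") == "PathExpression":
            yield from item.get("paths", [])
        elif item.get("resource_type") == "NestedExpression":
            yield from _paths_in_expression(item.get("expressions", []))


def find_references(transport, group_id, domain="default"):
    """Return paths of DFW rules (Source/Destination/Applied To) and of parent groups
    that reference the group. Gateway FW and service-insertion rules are not covered."""
    target = group_path(group_id, domain)
    refs = []
    status, policies = transport("GET", f"/infra/domains/{domain}/security-policies")
    if status != 200:
        raise RuntimeError(f"listing security policies failed: {status} {policies}")
    for pol in policies.get("results", []):
        status, rules = transport("GET", f"/infra/domains/{domain}/security-policies/{pol['id']}/rules")
        if status != 200:
            raise RuntimeError(f"listing rules of {pol['id']} failed: {status} {rules}")
        for rule in rules.get("results", []):
            used = rule.get("source_groups", []) + rule.get("destination_groups", []) + rule.get("scope", [])
            if target in used:
                refs.append(rule["path"])
    status, groups = transport("GET", f"/infra/domains/{domain}/groups")
    if status != 200:
        raise RuntimeError(f"listing groups failed: {status} {groups}")
    for grp in groups.get("results", []):
        if grp["id"] != group_id and target in _paths_in_expression(grp.get("expression", [])):
            refs.append(grp["path"])
    return refs


def delete_group(transport, group_id, domain="default", attempts=3, wait_seconds=60):
    """DELETE the group. A refusal right after references were removed may be the
    stale dependency cache, so wait and retry a bounded number of times.
    Returns True on success; raises with the manager's last error otherwise."""
    last = None
    for attempt in range(1, attempts + 1):
        status, body = transport("DELETE", group_path(group_id, domain))
        if status in (200, 204):
            return True
        last = (status, body)
        if attempt < attempts:
            time.sleep(wait_seconds)
    raise RuntimeError(f"delete of {group_id} refused after {attempts} attempts: {last}")


if __name__ == "__main__":
    import getpass
    t = basic_auth_transport("nsx-mgr.example.test", "admin", getpass.getpass())  # hypothetical host
    gid = "obsolete-web-group"  # hypothetical group id
    refs = find_references(t, gid)
    if refs:
        print("still referenced by:", *refs, sep="\n  ")
    else:
        print("deleted:", delete_group(t, gid))
```

The transport is injected rather than hard-wired so the reference scan and the delete/retry logic can be exercised against recorded API responses before the script is pointed at a production manager; the scan refuses to proceed on any non-200 listing so a partial inventory can never be mistaken for "no references".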