Service Composer provides an administrator with the ability to define a scalable and tiered security policy independent of the underlying infrastructure or routed topology. This is the feature with the NSX platform that allows security to scale and allows for security policies that are enforced at a unit level, protecting virtual to physical or physical to virtual communications and allowing event-driven security actions.

Service Composer consists of security groups and security policies that allow you to provision security services to your virtual machines. Service Composer in effect has mappings between security groups, policies, and virtual machines.

Security groups are a collection of instances that you want to protect. You can group your virtual machines to be part of a security group or can have vCenter objects as part of a security group. You can have a security group that consists of other security groups. You can even define a security group to have instances that have security tags:

Service Composer helps you consume security services with ease.

Security policies are collections of security services and their service configurations. Firewall rules, endpoint services, and network introspection services are all part of the services in a security policy. You map security policies to security groups. When a security policy is mapped to a security group, the policy applies to all the virtual machines that are part of that security group.