Security groups (or Endpoint Groups if you’re a Cisco ACI fan) are a nice traffic policy abstraction: instead of dealing with subnets and ACLs, define groups of hosts and the rules of traffic control between them… and let the orchestration system deal with IP addresses and TCP/UDP port numbers.

However, regardless of the level of abstraction you use, in the end someone needs to compile the security policy into ACLs and download it into the data path (VMware NSX is no exception, as Brad Hedlund explained in the NSX Microsegmentation podcast)… which might result in Cartesian product explosion unless your data path supports groups of L3/L4 objects (object groups in Cisco ASA or ipset in iptables).

Nuage Networks solved the problem with an interesting twist: they use BGP communities to propagate security group membership, and use Open vSwitch extensions to avoid the explosion of OpenFlow ruleset. For more details, watch the Scaling Security Groups video from the Scaling Overlay Virtual Networks webinar.