Why are VIP Groups not the same as Address Groups (nesting)
Is there any reason that anyone knows why VIPG's are not nestable?
Address Groups are nestable. I can create an Address, add it to an address group, and have that address group a member of a master address group that is set up on an outbound policy.
I want to do the same on an inbound policy with a VIP Group.
My use case is relatively simple - we run a multi tenant environment of somewhat standardised services, and I always prefer the other admins to edit group membership not policies. That way, it's less likely that a wayward change is made to a policy, and typically the most impact of an accidental action is to open additional ports up to servers that aren't listening to those ports anyway.... our structure would be Tenant-VIP is a member of tenant-vipgrp which is a member of service-vipgrp, and service-vipgrp is used on the policy. A new tenant using a service just requires adding their tenant-vipgrp to the service-vipgrp. That's safer in my view than having to crack open the policy and add the tenant's vipgrp there, and it matches exactly what we do with outbound services.