You can use "Applied to" to apply the rules within policy to a selected group. By default, the policy Applied to field is set to DFW, and the policy rules are applied to all workloads.
Applied to defines the scope of enforcement per policy, and is used mainly for optimization of resources on ESXi and KVM hosts. It helps in defining a targeted policy for specific zones, tenants or applications, without interfering with other policy defined for other applications, tenants and zones.
In this example I have three security groups: App, DB and Web. When I apply the "Allow DB Traffic" rule to the DFW, all rules including the highlighted App to DB rule are tied to the Web VM.
When I use a security group instead of DFW, I can narrow down the rules that are tied to the network adapter of the Web VM.
In the next screenshot we can see that the highlighted rule has disappeared from the list.