Workload VMs connect to the Internet by default. NAT rules and distributed firewall rules give you fine-grained control over these connections.
- The traffic is not subject to CGW firewall rules.
- Distributed firewall rule processing by a source VM uses the destination public IP address and source public IP of the destination VM, and must be IP-based. Distributed firewall rules based on VM attributes do not affect workload-to-workload traffic.
Workload VM communication to the vCenter Server public IP is subject to MGW firewall rules, but the workload VM IP is translated to its public IP before the firewall rule is applied.