NSX Public Cloud Gateway (PCG) can connect your compute VPC with NSX after you install the NSX agent on VMs and tag these VMs appropriately in AWS. The currently supported operating systems are Windows 2012 Server R2 and Ubuntu 14.04.05.

This is a two-step process.

  1. Install the NSX agent on your Windows or Linux VM.

  2. Tag the VM in AWS with the nsx:network key, set to the appropriate value for an overlay or underlay (non-overlay) VM.

Requirements and Recommendations

  • Before launching a workload VM, make sure it is connected to the downlink subnet of PCG. If the VM is already on a specific subnet, make sure the downlink subnet is attached to it.

  • It is recommended to use a jump host to access your workload VM. A jump host is a VM in your compute VPC that has a public IP address and provides a secure way of accessing other VMs in the VPC. Set up a jump host VM for each of the supported Operating Systems.

  • If the Quarantine Policy is enabled for your compute VPC, assign the vm-override-sg security group to the VM before installing the NSX agent. This ensures that NSX Cloud does not quarantine the VM by auto-assigning the default security group to it. See Manage Quarantine Policy for more information.

  • If the Quarantine Policy is disabled, NSX Cloud does not apply any security groups to VMs. After installing the agent and tagging the VM as either underlay or overlay, assign the appropriate security group to the VM. See Manage Quarantine Policy for more information.

  • Workload VM communication with PCG is permitted for essential protocols. For uncommon use cases, for example the use of DNS-UDP, you need to create a distributed firewall (DFW) permit rule.

About Overlay VMs

An overlay VM has the following features:

  • Has the nsx:network tag key with the value of the logical switch assigned to this VM.

  • Is assigned the vm-overlay-sg security group in AWS if the Quarantine Policy is enabled. If it is not enabled, you must assign this security group to the overlay VM to ensure it is NSX-managed.

  • Is assigned an IP address from the NSX overlay network.

  • See Remote log in to an Overlay VM for instructions on how to access an overlay VM using SSH or RDP if Quarantine Policy is enabled.

About Underlay VMs

An underlay VM has the following features:

  • Has the nsx:network tag key with the value default.

  • Is assigned the vm-underlay-sg security group in AWS if the Quarantine Policy is enabled. If it is not enabled, you must assign this security group to the underlay VM to ensure it is NSX-managed.
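
The tagging and security-group rules above can be checked mechanically. The following is an added example, not VMware's code: it audits instance records in the shape returned by `aws ec2 describe-instances`. The sample records, the instance IDs, and the logical switch name `web-ls-01` are constructed, and treating an empty tag value as a missing tag is an assumption.

```python
# Added example: audit nsx:network tags against the security groups named on this page.
NSX_TAG_KEY = "nsx:network"
UNDERLAY_VALUE = "default"  # underlay VMs carry nsx:network=default
EXPECTED_SG = {"underlay": "vm-underlay-sg", "overlay": "vm-overlay-sg"}
OVERRIDE_SG = "vm-override-sg"

# Constructed sample in the shape of `aws ec2 describe-instances` instance records.
SAMPLE = [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "nsx:network", "Value": "web-ls-01"}],
     "SecurityGroups": [{"GroupName": "vm-overlay-sg"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "nsx:network", "Value": "default"}],
     "SecurityGroups": [{"GroupName": "vm-overlay-sg"}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "Name", "Value": "build"}],
     "SecurityGroups": [{"GroupName": "vm-override-sg"}]},
    {"InstanceId": "i-0ddd", "SecurityGroups": [{"GroupName": "launch-wizard-1"}]},
]


def classify(instance):
    """Return 'underlay', 'overlay', or None if the nsx:network tag is absent."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags") or []}
    value = tags.get(NSX_TAG_KEY)
    if not value:  # assumption: an empty value is treated like a missing tag
        return None
    return "underlay" if value == UNDERLAY_VALUE else "overlay"


def audit(instances):
    """Return {instance_id: (status, detail)} for each instance record."""
    report = {}
    for inst in instances:
        groups = {g["GroupName"] for g in inst.get("SecurityGroups") or []}
        mode = classify(inst)
        if mode is None:
            if OVERRIDE_SG in groups:
                report[inst["InstanceId"]] = ("untagged-override", "tag not applied yet")
            else:
                report[inst["InstanceId"]] = ("untagged", "no nsx:network tag")
        elif EXPECTED_SG[mode] in groups:
            report[inst["InstanceId"]] = ("ok", mode)
        else:
            report[inst["InstanceId"]] = ("missing-sg", f"{mode} VM lacks {EXPECTED_SG[mode]}")
    return report


if __name__ == "__main__":
    for instance_id, (status, detail) in audit(SAMPLE).items():
        print(f"{instance_id}: {status} ({detail})")
```

The missing-sg result matters most when the Quarantine Policy is disabled, because NSX Cloud then applies no security groups itself.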