NSX Cloud uses AWS Security Groups (SGs) together with the VPC's Quarantine Policy for threat detection: a VM that NSX Cloud judges to be rogue is quarantined by moving it into the default SG.

For example, if a person with malicious intent forcibly stops the NSX agent on a managed VM, NSX Cloud treats the VM as compromised and quarantines it by assigning the default SG in AWS. This happens only in VPCs that have the Quarantine Policy enabled.

You can enable or disable Quarantine Policy for a VPC by right-clicking the VPC and selecting Edit Quarantine.

Quarantine Policy Enabled

When Quarantine Policy is enabled:

  • The SG assignment for all interfaces of every EC2 workload instance (VM) in this VPC is managed by NSX Cloud, which assigns the appropriate workload VM Security Group(s) to those interfaces.

    • Unmanaged VMs are assigned the default SG and are thereby quarantined: the default SG limits outbound traffic and blocks all inbound traffic to such VMs.

    • An unmanaged VM becomes an NSX-managed VM when you install the NSX agent on it and tag it in AWS with the nsx:network tag (value overlay or underlay). In the default scenario, NSX then assigns vm-overlay-sg or vm-underlay-sg accordingly, allowing the appropriate inbound and outbound traffic.

    • An NSX-managed VM can still be moved to the default SG and quarantined if a threat is detected on it, for example if the NSX agent is stopped on the VM.

    • Any manual change to a VM's security groups is reverted to the NSX-determined security group(s) within 120 seconds.

    • To move a VM out of quarantine, that is, out of the default SG, assign vm-override-sg as the VM's only SG. NSX Cloud does not change the SG assignment of a VM whose only SG is vm-override-sg, and this SG allows SSH and RDP access to the VM. Removing vm-override-sg causes the VM's security group(s) to revert to the NSX-determined security group(s).
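The rules above determine a single SG set per VM, which makes them easy to audit: given a describe-instances snapshot and knowledge of which VMs have a running agent, you can predict which instances NSX Cloud will re-assign within 120 seconds and to what. The following is an added example written for this page, not NSX Cloud's own code: it models the documented rules for a VPC with the Quarantine Policy enabled (and the no-op behaviour when it is disabled). The SG names and the nsx:network tag values come from this page; the instance records and the set of running agents are constructed test data, since agent state is known to NSX Manager, not to the AWS API.

```python
"""Model of the security-group state NSX Cloud converges each EC2 instance to
when the VPC Quarantine Policy is enabled, applied to a describe-instances
snapshot. Added example, not NSX Cloud code: the rules are taken from the
documentation; instance data and agent state are constructed."""

# Group names as created by NSX Cloud at CGW deployment (Table 1 below).
DEFAULT_SG = "default"
OVERLAY_SG = "vm-overlay-sg"
UNDERLAY_SG = "vm-underlay-sg"
OVERRIDE_SG = "vm-override-sg"
NSX_TAG = "nsx:network"          # value "overlay" or "underlay"


def current_groups(instance):
    """Set of SG names attached to all interfaces of an instance
    (describe-instances: NetworkInterfaces[].Groups[].GroupName)."""
    return {g["GroupName"]
            for nic in instance.get("NetworkInterfaces", [])
            for g in nic.get("Groups", [])}


def nsx_tag(instance):
    """Value of the nsx:network tag, or None when the VM is untagged."""
    for t in instance.get("Tags", []):
        if t["Key"] == NSX_TAG:
            return t["Value"]
    return None


def nsx_determined_groups(instance, agent_running, quarantine_enabled=True):
    """Return the SG set NSX Cloud will enforce on this VM within ~120 s.

    agent_running: whether the NSX agent is up on this VM. NSX Manager
    knows this, the AWS API does not, so the caller supplies it.
    """
    current = current_groups(instance)
    if not quarantine_enabled:
        return current            # NSX Cloud assigns nothing; manual SGs stand
    if current == {OVERRIDE_SG}:
        return current            # vm-override-sg as the only SG is left alone
    tag = nsx_tag(instance)
    if agent_running and tag == "overlay":
        return {OVERLAY_SG}
    if agent_running and tag == "underlay":
        return {UNDERLAY_SG}
    # Unmanaged (no agent or no tag) or agent stopped: quarantined.
    return {DEFAULT_SG}


def audit(describe_output, running_agents, quarantine_enabled=True):
    """Map InstanceId -> (current SGs, NSX-determined SGs, will_change)."""
    report = {}
    for res in describe_output["Reservations"]:
        for inst in res["Instances"]:
            iid = inst["InstanceId"]
            now = current_groups(inst)
            want = nsx_determined_groups(inst, iid in running_agents,
                                         quarantine_enabled)
            report[iid] = (now, want, now != want)
    return report


def _instance(iid, groups, tag=None):
    """Build a minimal describe-instances record (constructed test data)."""
    rec = {"InstanceId": iid,
           "NetworkInterfaces": [{"NetworkInterfaceId": "eni-" + iid[2:],
                                  "Groups": [{"GroupName": g, "GroupId": "sg-" + g}
                                             for g in groups]}],
           "Tags": []}
    if tag:
        rec["Tags"].append({"Key": NSX_TAG, "Value": tag})
    return rec


# Constructed snapshot: four VMs in one VPC with the Quarantine Policy enabled.
SNAPSHOT = {"Reservations": [{"Instances": [
    _instance("i-0a1", [OVERLAY_SG], tag="overlay"),   # healthy managed VM
    _instance("i-0b2", [OVERLAY_SG], tag="overlay"),   # agent stopped: threat
    _instance("i-0c3", [OVERRIDE_SG]),                 # parked in override
    _instance("i-0d4", ["web-sg"]),                    # never onboarded
]}]}
RUNNING_AGENTS = {"i-0a1"}          # constructed: only i-0a1 reports an agent


if __name__ == "__main__":
    for iid, (now, want, drift) in audit(SNAPSHOT, RUNNING_AGENTS).items():
        flag = "WILL CHANGE" if drift else "stable"
        print(iid + ": " + str(sorted(now)) + " -> " + str(sorted(want)) + " [" + flag + "]")
```

Feeding the real output of `aws ec2 describe-instances --filters Name=vpc-id,Values=<vpc>` into `audit()` gives a pre-change view of what NSX Cloud will do to each VM; the agent-running set is the piece you have to bring from NSX Manager. Note that a VM tagged overlay whose agent has died (i-0b2 above) is reported as drifting to the default SG, which is exactly the quarantine case described in this section.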

Note:

When the Quarantine Policy is enabled, assign vm-override-sg to a VM before installing the NSX agent on it. After installing the NSX agent and tagging the VM in AWS as overlay or underlay, remove vm-override-sg from the VM; NSX Cloud then assigns the appropriate SG to the NSX-managed VM automatically. This ordering is necessary because it prevents the VM from being assigned the default SG, and so quarantined, while you are preparing it for NSX.
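The ordering in the note is the whole point, so here it is as a scripted procedure. This is an added example written for this page, not NSX Cloud's own tooling. The EC2 operations (`describe_instances`, `describe_security_groups`, `modify_network_interface_attribute`, `create_tags`) are the real boto3 names for those AWS API calls; `FakeEC2` is a constructed offline stand-in that records the calls so the flow can be run without an AWS account, and `install_agent` is a caller-supplied callback standing in for whatever out-of-band mechanism installs the agent. One practical detail the note does not spell out: AWS requires at least one SG on every network interface, so "removing" vm-override-sg in practice means replacing it, here with the SG NSX Cloud would assign anyway. If the agent install fails, the VM is deliberately left parked in vm-override-sg, where it stays reachable over SSH/RDP and untouched by NSX Cloud.

```python
"""Onboarding a VM into NSX Cloud in a VPC with the Quarantine Policy enabled,
in the order the Note requires. Added example, not NSX Cloud code. The EC2
calls are real boto3/AWS API operations; FakeEC2 is a constructed stand-in
so the flow can be exercised offline."""

OVERRIDE_SG = "vm-override-sg"
NSX_TAG = "nsx:network"


def sg_id_by_name(ec2, vpc_id, name):
    """Resolve an SG name to its ID inside one VPC (names are only unique per VPC)."""
    resp = ec2.describe_security_groups(Filters=[
        {"Name": "vpc-id", "Values": [vpc_id]},
        {"Name": "group-name", "Values": [name]}])
    groups = resp["SecurityGroups"]
    if len(groups) != 1:
        raise LookupError("expected exactly one %r in %s, got %d" % (name, vpc_id, len(groups)))
    return groups[0]["GroupId"]


def set_only_group(ec2, eni_ids, sg_id):
    """Replace the whole SG list of each interface with a single SG.
    An ENI must always have at least one SG, so the override is never
    'removed' on its own; it is swapped for the SG NSX Cloud would assign."""
    for eni in eni_ids:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[sg_id])


def onboard(ec2, instance_id, network, install_agent):
    """Park the VM in vm-override-sg, install the agent, tag it, then hand the
    VM over to NSX Cloud. install_agent(instance_id) is the caller's
    out-of-band step (SSH, SSM, user-data, ...) and must raise on failure."""
    if network not in ("overlay", "underlay"):
        raise ValueError("network must be 'overlay' or 'underlay'")
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    vpc_id = inst["VpcId"]
    enis = [n["NetworkInterfaceId"] for n in inst["NetworkInterfaces"]]
    override = sg_id_by_name(ec2, vpc_id, OVERRIDE_SG)
    target = sg_id_by_name(ec2, vpc_id, "vm-%s-sg" % network)

    # 1. Override first, so the VM is never sitting in the default SG.
    set_only_group(ec2, enis, override)
    # 2. Install the agent while SSH/RDP are still reachable. If this raises
    #    we return without touching the SGs again: the VM stays parked in
    #    vm-override-sg, reachable for troubleshooting and ignored by NSX.
    install_agent(instance_id)
    # 3. Tag, so NSX Cloud knows which SG the VM should receive.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": NSX_TAG, "Value": network}])
    # 4. Drop the override; from here on NSX Cloud owns the SG assignment.
    set_only_group(ec2, enis, target)
    return {"vpc": vpc_id, "interfaces": enis, "override": override, "target": target}


class FakeEC2:
    """Constructed offline stand-in that records calls (not a boto3 client)."""
    SGS = {"vm-override-sg": "sg-ovr", "vm-overlay-sg": "sg-ovl",
           "vm-underlay-sg": "sg-udl"}

    def __init__(self):
        self.calls = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0], "VpcId": "vpc-1",
            "NetworkInterfaces": [{"NetworkInterfaceId": "eni-1"}]}]}]}

    def describe_security_groups(self, Filters):
        name = next(f["Values"][0] for f in Filters if f["Name"] == "group-name")
        hits = [{"GroupName": name, "GroupId": self.SGS[name]}] if name in self.SGS else []
        return {"SecurityGroups": hits}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.calls.append(("groups", NetworkInterfaceId, tuple(Groups)))

    def create_tags(self, Resources, Tags):
        self.calls.append(("tag", Resources[0], Tags[0]["Key"], Tags[0]["Value"]))


def demo(fail_install=False):
    """Run the flow against FakeEC2 and return the recorded call sequence."""
    ec2 = FakeEC2()

    def install(_instance_id):
        if fail_install:
            raise RuntimeError("agent install failed")

    try:
        onboard(ec2, "i-0abc", "overlay", install)
    except RuntimeError:
        pass
    return ec2.calls


if __name__ == "__main__":
    for call in demo():
        print(call)
```

Against a real account you would pass `boto3.client("ec2")` as `ec2` and a callback that actually installs the agent; everything else stays the same. The recorded sequence from `demo()` shows the invariant that matters: the override is applied before any tagging, and the swap to vm-overlay-sg is the last call, so there is no window in which the VM carries the default SG.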

Quarantine Policy Disabled

When Quarantine Policy is disabled:

  • NSX Cloud does not assign any SG to VMs launched in this VPC. To enable NSX Cloud functionality you must assign the appropriate NSX Cloud SG to each VM in AWS yourself.

    From the AWS console:

    • Assign vm-overlay-sg to VMs that you want to manage using the NSX overlay network.

    • Assign vm-underlay-sg to VMs for which you want to use the underlay network provided by AWS.

    • Assign vm-outbound-bypass-sg and/or vm-inbound-bypass-sg to VMs for which you want to enable Distributed Services Routing.

AWS Security Groups

The following AWS Security Groups are created by NSX Cloud at the time of CGW deployment:

Table 1. AWS Security Groups created by NSX Cloud for Workload VMs

AWS Security Group name    Full Name
default                    Default Security Group
vm-underlay-sg             VM Non-Overlay Security Group
vm-overlay-sg              VM Overlay Security Group
vm-override-sg             VM Override Security Group
vm-outbound-bypass-sg      VM Outbound Bypass Security Group
vm-inbound-bypass-sg       VM Inbound Bypass Security Group

Recommendations for Brownfield and Greenfield deployments

Brownfield: It is recommended that you disable the Quarantine Policy if you already have VMs in your VPC and do not plan to have all of them managed by NSX. Disabling the Quarantine Policy ensures that your existing VMs are not automatically quarantined by being moved to the default SG in AWS.

Greenfield: For greenfield deployments, it is recommended that you enable the Quarantine Policy so that all threat detection workflows for your VMs are handled by NSX Cloud.