Essential NSX entities are created and configured in your AWS account and in NSX Manager after the three-step process of enabling CSM to access your AWS inventory.

NSX Manager Configurations

The following configurations are automatically made in NSX Manager:

  • Edge Node named Cloud Gateway is created.

  • Cloud Gateway is added to Edge Cluster.

  • Cloud Gateway is registered as a Transport Node with two Transport Zones created.

  • Two default logical switches are created.

  • One tier-0 logical router is created.

  • An IP Discovery Profile is created. This is to be used for overlay logical switches.

  • A DHCP Profile is created. This is to be used for DHCP servers.

Verify these configurations in NSX Manager:

  1. From the NSX Cloud dashboard, click NSX Manager.

  2. Browse to Fabric > Nodes > Edge. Cloud Gateway should be listed as an Edge Node.

  3. Verify that Deployment Status, Manager Connection and Controller Connection are connected (status shows Up with a green dot).

  4. Browse to Fabric > Nodes > Edge Clusters to verify that the Edge Cluster and PCG were added as part of this cluster.

  5. Browse to Fabric > Nodes > Transport Nodes to verify that PCG is registered as a Transport Node and is connected to two Transport Zones that were auto-created while deploying PCG:

    1. Traffic type VLAN -- this connects to gateway uplink

    2. Traffic type Overlay -- this is for logical networking

  6. Verify whether the logical switches and the tier-0 logical router have been created and the logical router added to the Edge Cluster.


Do not delete any of the NSX-created entities.

AWS Configurations

In the AWS Compute VPC, the following is configured after PCG is deployed:

  • A set of Security Groups (SG) are created in AWS that allow NSX Cloud to apply the Quarantine policy when it is enabled for a VPC.

    • The "gw" SGs are applied to the respective PCG interfaces.

      Table 1. AWS Security Groups created by NSX Cloud for CGW Interfaces

      AWS Security Group name

      Full Name


      Gateway Management Security Group


      Gateway Uplink Security Group


      Gateway Downlink Security Group

    • The "vm" SGs are applied to workload VMs. If the Quarantine Policy is enabled, the SG assignment for all interfaces for any VMs belonging to this VPC is managed by NSX Cloud.

      Table 2. AWS Security Groups created by NSX Cloud for Workload VMs

      AWS Security Group name

      Full Name


      Default Security Group


      VM Non-Overlay Security Group


      VM Overlay Security Group


      VM Override Security Group


      VM Outbound Bypass Security Group


      VM Inbound Bypass Security Group


      NSX Cloud provides the minimum required access for using NSX. To allow any other access beyond that, add a custom SG in addition to the appropriate SG assigned by NSX Cloud.

    See Manage Quarantine Policy for more details.

  • In the AWS VPC, a new Type A Record Set is added with the name nsx-gw.vmware.local. The IP address mapped to this record matches the Management IP address of PCG. This is assigned by AWS using DHCP and will differ for each VPC.

  • A secondary IP for the uplink interface for PCG is created. An AWS Elastic IP is associated with this secondary IP address. This configuration is for SNAT.