Essential NSX entities are created and configured in your AWS account and in NSX Manager after the three-step process of enabling CSM to access your AWS inventory.
NSX Manager Configurations
The following configurations are automatically made in NSX Manager:
Edge Node named Cloud Gateway is created.
Cloud Gateway is added to Edge Cluster.
Cloud Gateway is registered as a Transport Node, and two Transport Zones are created for it.
Two default logical switches are created.
One tier-0 logical router is created.
An IP Discovery Profile is created. This is to be used for overlay logical switches.
A DHCP Profile is created. This is to be used for DHCP servers.
Verify these configurations in NSX Manager:
From the NSX Cloud dashboard, click NSX Manager.
Browse to Fabric > Nodes > Edge. Cloud Gateway should be listed as an Edge Node.
Verify that Deployment Status, Manager Connection and Controller Connection are connected (status shows Up with a green dot).
Browse to Fabric > Nodes > Edge Clusters to verify that an Edge Cluster exists and that PCG was added as a member of this cluster.
Verify that PCG is registered as a Transport Node and is connected to the two Transport Zones that were auto-created while deploying PCG:
Traffic type VLAN -- this connects to gateway uplink
Traffic type Overlay -- this is for logical networking
Verify that the two logical switches and the tier-0 logical router have been created, and that the logical router has been added to the Edge Cluster.
Do not delete any of the NSX-created entities.
In the AWS Compute VPC, the following is configured after PCG is deployed:
A set of Security Groups (SGs) is created in AWS. These SGs allow NSX Cloud to apply the Quarantine Policy when it is enabled for a VPC.
The "gw" SGs are applied to the respective PCG interfaces.
Table 1. AWS Security Groups created by NSX Cloud for CGW Interfaces
AWS Security Group name
Gateway Management Security Group
Gateway Uplink Security Group
Gateway Downlink Security Group
The "vm" SGs are applied to workload VMs. If the Quarantine Policy is enabled, NSX Cloud manages the SG assignment on every interface of every VM that belongs to this VPC.
Table 2. AWS Security Groups created by NSX Cloud for Workload VMs
AWS Security Group name
Default Security Group
VM Non-Overlay Security Group
VM Overlay Security Group
VM Override Security Group
VM Outbound Bypass Security Group
VM Inbound Bypass Security Group
Note: NSX Cloud provides the minimum required access for using NSX. To allow any other access beyond that, add a custom SG in addition to the appropriate SG assigned by NSX Cloud.
See Manage Quarantine Policy for more details.
In the AWS VPC, a new Type A Record Set is added with the name nsx-gw.vmware.local. The IP address mapped to this record matches the Management IP address of PCG. This IP address is assigned by AWS using DHCP and differs for each VPC.
A secondary IP address is created on the PCG uplink interface, and an AWS Elastic IP is associated with this secondary IP address. This configuration is used for SNAT.
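The AWS-side entities listed above (the nine Security Groups, the nsx-gw.vmware.local A record pointing at the PCG management IP, and the Elastic IP on the uplink interface's secondary address) are exactly the things that must not be deleted or modified out-of-band, so it is worth checking them programmatically rather than only in the console. The following is an added example, not part of the NSX Cloud documentation or product: three checks written against the dictionary shapes that boto3 returns from ec2.describe_security_groups, route53.list_resource_record_sets and ec2.describe_network_interfaces. The sample responses embedded below are constructed for the example (one SG is deliberately missing to show drift detection), and the SG names are the display names used in the tables above; the GroupName values NSX Cloud actually assigns in an account may differ, so treat EXPECTED_SG_NAMES as a setting to adjust (assumption). The VPC ID, ENI ID and IP addresses are placeholders.

```python
"""Verify the AWS-side entities that NSX Cloud creates when a PCG is deployed.

Input dicts follow the shape of boto3's ec2.describe_security_groups,
route53.list_resource_record_sets and ec2.describe_network_interfaces
responses, so the same functions can be fed live output. The data below is
constructed for this example (assumption, not from the NSX documentation).
"""

# Display names from the NSX Cloud tables. The GroupName values NSX Cloud
# assigns in a real account may differ; adjust to your deployment (assumption).
EXPECTED_SG_NAMES = [
    "Gateway Management Security Group",
    "Gateway Uplink Security Group",
    "Gateway Downlink Security Group",
    "Default Security Group",
    "VM Non-Overlay Security Group",
    "VM Overlay Security Group",
    "VM Override Security Group",
    "VM Outbound Bypass Security Group",
    "VM Inbound Bypass Security Group",
]
# Route 53 returns record names as FQDNs with a trailing dot.
PCG_RECORD_NAME = "nsx-gw.vmware.local."


def check_security_groups(sg_response, vpc_id):
    """Return the expected NSX Cloud SG names that are missing from vpc_id."""
    present = {g["GroupName"] for g in sg_response["SecurityGroups"]
               if g["VpcId"] == vpc_id}
    return [name for name in EXPECTED_SG_NAMES if name not in present]


def check_pcg_a_record(rrset_response, pcg_mgmt_ip):
    """True if the nsx-gw A record exists and resolves only to the PCG management IP."""
    for rr in rrset_response["ResourceRecordSets"]:
        if rr["Type"] == "A" and rr["Name"].rstrip(".") == PCG_RECORD_NAME.rstrip("."):
            values = {r["Value"] for r in rr["ResourceRecords"]}
            return values == {pcg_mgmt_ip}
    return False


def find_snat_ip(eni_response, uplink_eni_id):
    """Return the Elastic IP associated with a secondary private IP on the
    uplink ENI (the SNAT address), or None if no such association exists."""
    for eni in eni_response["NetworkInterfaces"]:
        if eni["NetworkInterfaceId"] != uplink_eni_id:
            continue
        for addr in eni["PrivateIpAddresses"]:
            if not addr.get("Primary") and "Association" in addr:
                return addr["Association"]["PublicIp"]
    return None


def verify_pcg_vpc(sgs, rrsets, enis, vpc_id, pcg_mgmt_ip, uplink_eni_id):
    """Run all three checks and return the findings as one dict."""
    return {
        "missing_security_groups": check_security_groups(sgs, vpc_id),
        "a_record_ok": check_pcg_a_record(rrsets, pcg_mgmt_ip),
        "snat_elastic_ip": find_snat_ip(enis, uplink_eni_id),
    }


# ---- Constructed sample responses (placeholder IDs, documentation IP ranges) ----
VPC_ID = "vpc-0000aaaa"
UPLINK_ENI_ID = "eni-0000uplink"
PCG_MGMT_IP = "10.0.1.25"

SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": f"sg-{i:017d}", "GroupName": name, "VpcId": VPC_ID}
    for i, name in enumerate(EXPECTED_SG_NAMES)
    if name != "VM Override Security Group"   # deliberately absent: simulates drift
]}
SAMPLE_RRSETS = {"ResourceRecordSets": [
    {"Name": PCG_RECORD_NAME, "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": PCG_MGMT_IP}]},
]}
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": UPLINK_ENI_ID, "VpcId": VPC_ID,
     "PrivateIpAddresses": [
         {"PrivateIpAddress": "10.0.2.10", "Primary": True},
         {"PrivateIpAddress": "10.0.2.11", "Primary": False,
          "Association": {"PublicIp": "203.0.113.7", "AllocationId": "eipalloc-placeholder"}},
     ]},
]}

if __name__ == "__main__":
    findings = verify_pcg_vpc(SAMPLE_SGS, SAMPLE_RRSETS, SAMPLE_ENIS,
                              VPC_ID, PCG_MGMT_IP, UPLINK_ENI_ID)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Against live data, the same functions take the output of ec2.describe_security_groups with a vpc-id filter, route53.list_resource_record_sets for the VPC's private hosted zone, and ec2.describe_network_interfaces for the PCG instance; any non-empty missing_security_groups list, a False a_record_ok, or a None snat_elastic_ip indicates that an NSX-created entity has been removed or altered and should be investigated before touching the PCG.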