Tag VMs with NSX agent installed on them as either overlay or non-overlay (underlay) in AWS. This is the final step in the two-step process to enable NSX to manage VMs.

About this task

Overlay VMs are assigned the overlay NSX-T logical switch ID. Non-overlay VMs are assigned a network by AWS.


You can also create your own logical switch in NSX Manager and assign a DHCP server to it. See instructions in the NSX-T Administration Guide.

You can apply the AWS tag either at the VM-level or the interface-level, but once you decide where to apply the tag, you must use the same level to apply the other tags. For example, if you tagged the interface with the nsx:network tag, you cannot apply other tags for this VM at the VM-level, you must choose the interface for any other tag.

The AWS tag’s key is nsx:network.

For VMs in non-overlay mode, type in default (case-sensitive) for the tag value.

For VMs in overlay mode, do the following to find the tag value information:

  1. From the CSM dashboard, select Cross-Cloud > AWS > <AWS_account_name>

  2. From the VPC section, select <your-compute-VPC> > Logical Switches

  3. Double-click and copy the value in the column NSX Switch Tag.


  1. Log in to the AWS console.
  2. In the AWS console, select the VM with the NSX agent installed.
  3. Add the tag details for the VM and save your changes.




    Enter nsx:network


    For overlay VMs: Paste the NSX logical switch tag ID you copied from CSM.

    Example: c26b5f59-1648-462e-b747-287c72e82a87#OOUeB/I1M+v+zOXFoE4e5+UxCTmlsZpD4z7AQIhiFoG=

    For underlay VMs: Type in default (case-sensitive).


    If you have the Quarantine Policy enabled, and you assigned the vm-override-sg security group to this VM to prevent it from being quarantined while your prepare it for NSX, remove the vm-override-sg security group after applying the tag. NSX Cloud automatically assigns the vm-overlay-sg or vm-underlay-sg to the VM depending on the tag you applied.