A transport zone is a container that defines the potential reach of transport nodes. Transport nodes are hypervisor hosts and NSX Edges that will participate in an NSX-T overlay. For a hypervisor host, this means that it hosts VMs that will communicate over NSX-T logical switches. For an NSX Edge, this means that it will have logical router uplinks and downlinks.
When you create a transport zone, you must specify an N-VDS mode, which can be either Standard or Enhanced Datapath. When you add a transport node to a transport zone, the N-VDS associated with the transport zone is installed on the transport node. Each transport zone supports a single N-VDS. An enhanced datapath N-VDS has the performance capabilities to support NFV (Network Functions Virtualization) workloads, supports both VLAN and overlay networks, and requires an ESXi host that supports enhanced datapath N-VDS.
A transport node can belong to:
Multiple VLAN transport zones.
At most one overlay transport zone with a standard N-VDS.
Multiple overlay transport zones with enhanced datapath N-VDS if the transport node is running on an ESXi host.
If two transport nodes are in the same transport zone, VMs hosted on those transport nodes can be attached to NSX-T logical switches that are also in that transport zone. This attachment makes it possible for the VMs to communicate with each other, assuming that the VMs have Layer 2/Layer 3 reachability. If VMs are attached to switches that are in different transport zones, the VMs cannot communicate with each other. Transport zones do not replace Layer 2/Layer 3 underlay reachability requirements, but they place a limit on reachability. Put another way, belonging to the same transport zone is a prerequisite for connectivity. After that prerequisite is met, reachability is possible but not automatic. To achieve actual reachability, Layer 2 and (for different subnets) Layer 3 underlay networking must be operational.
Suppose a single transport node contains both regular VMs and high-security VMs. In your network design, the regular VMs should be able to reach each other but should not be able to reach the high-security VMs. To accomplish this goal, you can place the secure VMs on hosts that belong to one transport zone named secure-tz. The regular and secure VMs cannot be on the same transport node. The regular VMs would then be in a different transport zone called general-tz. The regular VMs attach to an NSX-T logical switch that is also in general-tz. The high-security VMs attach to an NSX-T logical switch that is in secure-tz. VMs in different transport zones, even if they are in the same subnet, cannot communicate with each other. The VM-to-logical switch connection is what ultimately controls VM reachability. Thus, because the two logical switches are in separate transport zones, a regular VM such as "web VM" and "secure VM" cannot reach each other.
For example, the following figure shows an NSX Edge that belongs to three transport zones: two VLAN transport zones and overlay transport zone 2. Overlay transport zone 1 contains a host, an NSX-T logical switch, and a secure VM. Because the NSX Edge does not belong to overlay transport zone 1, the secure VM has no access to or from the physical architecture. In contrast, the Web VM in overlay transport zone 2 can communicate with the physical architecture because the NSX Edge belongs to overlay transport zone 2.
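The membership rules listed above (any number of VLAN zones, at most one standard-N-VDS overlay zone, enhanced datapath only on ESXi) and the secure-tz / general-tz segmentation scenario can be checked against a design before anything is deployed. The following Python model is an added example, not NSX-T code or API; the class names, the `traffic`/`nvds`/`kind` field values and the sample hosts, zones and VMs are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TransportZone:
    name: str
    traffic: str  # "VLAN" or "OVERLAY"
    nvds: str     # "STANDARD" or "ENHANCED_DATAPATH"
@dataclass(frozen=True)
class TransportNode:
    name: str
    kind: str     # "ESXI", "KVM" or "EDGE"
    zones: tuple  # transport zones the node has been added to
@dataclass(frozen=True)
class LogicalSwitch:
    name: str
    zone: TransportZone
@dataclass(frozen=True)
class VM:
    name: str
    host: TransportNode
    switch: LogicalSwitch

def membership_errors(node):
    """Any VLAN zones; at most one standard-N-VDS overlay zone; enhanced datapath only on ESXi."""
    errors = []
    n_std = sum(z.traffic == "OVERLAY" and z.nvds == "STANDARD" for z in node.zones)
    if n_std > 1:
        errors.append(f"{node.name}: {n_std} overlay zones with a standard N-VDS")
    if node.kind != "ESXI" and any(z.nvds == "ENHANCED_DATAPATH" for z in node.zones):
        errors.append(f"{node.name}: enhanced datapath N-VDS needs an ESXi host")
    return errors

def attachment_errors(vm):
    """A VM may only attach to a logical switch whose zone its host belongs to."""
    if vm.switch.zone not in vm.host.zones:
        return [f"{vm.name}: host {vm.host.name} is not in {vm.switch.zone.name}"]
    return []

def zone_prerequisite_met(a, b):
    """Same-zone prerequisite only; L2/L3 underlay reachability is not modelled."""
    return a.switch.zone == b.switch.zone

def edge_reaches(edge, vm):
    """An NSX Edge can carry the VM's traffic only if it is in the switch's zone."""
    return vm.switch.zone in edge.zones
secure_tz = TransportZone("secure-tz", "OVERLAY", "STANDARD")  # constructed sample, not from the page
general_tz = TransportZone("general-tz", "OVERLAY", "STANDARD")
edge = TransportNode("edge-01", "EDGE", (TransportZone("uplink-vlan", "VLAN", "STANDARD"), general_tz))
secure_vm = VM("secure-vm", TransportNode("esx-01", "ESXI", (secure_tz,)), LogicalSwitch("ls-secure", secure_tz))
web_vm = VM("web-vm", TransportNode("esx-02", "ESXI", (general_tz,)), LogicalSwitch("ls-web", general_tz))
```

A design review can run `membership_errors` over every transport node and `zone_prerequisite_met` over every VM pair that must stay isolated; an empty error list and `False` for the secure/regular pair is the expected result.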