NSX Cloud creates a network topology for your public cloud. Do not edit or delete the auto-generated NSX-T Data Center logical entities.

Use this list as a quick reference for what is auto-generated and how you should use NSX-T Data Center features as they apply to the public cloud.

NSX Manager Configurations

The following entities are automatically created in NSX Manager:

Important:

Do not edit or delete any of these auto-created entities.

  • An Edge Node named Public Cloud Gateway (PCG) is created.

  • The PCG is added to an Edge Cluster. In a High Availability deployment, there are two PCGs.

  • The PCG (or PCGs) is registered as a Transport Node with two Transport Zones created.

  • Two default logical switches are created.

  • One Tier-0 logical router is created.

  • An IP Discovery Profile is created. This is used for overlay logical switches.

  • A DHCP Profile is created. This is used for DHCP servers.

    Note:

    Although the DHCP profile is created, it is not supported in the current release because it is used for overlay networking.

  • A default NSGroup with the name PublicCloudSecurityGroup is created that has the following members:

    • The default VLAN logical switch

    • Logical ports, one each for the PCG uplink ports, if you have HA enabled.

    • IP address

  • Three default distributed firewall rules are created:

    • LogicalSwitchToLogicalSwitch

    • LogicalSwitchToAnywhere

    • AnywhereToLogicalSwitch

    Note:

    These DFW rules block all traffic and need to be adjusted according to your specific requirements.

Verify these configurations in NSX Manager:

  1. From the NSX Cloud dashboard, click NSX Manager.

  2. Go to Fabric > Nodes > Edges. You should see PCG-<your-VPC-or-VNet-name> as an Edge Node.

    Note:

    Verify that Deployment Status, Manager Connection and Controller Connection are connected (status shows Up with a green dot).

  3. Browse to Fabric > Nodes > Edge Clusters to verify that the PCG-Cluster-<your-VPC-or-VNet-name> is added.

  4. Browse to Fabric > Nodes > Transport Nodes to verify that PCG is registered as a Transport Node and is connected to two Transport Zones that were auto-created while deploying PCG:

    • Traffic type VLAN -- this connects to the PCG uplink

    • Traffic type Overlay -- this is for overlay logical networking

      Note:

      Overlay is not supported in the current release.

  5. Verify whether the logical switches and the tier-0 logical router have been created and the logical router added to the Edge Cluster.

    • Go to Networking > Switching > Switches. You should see DefaultSwitch-Overlay-<your-VPC-or-VNet-name> and DefaultSwitch-VLAN-<your-VPC-or-VNet-name> switches auto-created.

    • Go to Networking > Routing > Routers. You should see the PCG-Tier0-LR-<your-VPC-or-VNet-name> router auto-created.
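
The checks above can also be run as a name-based drift check between a baseline inventory and a current one. This is an added example, not part of the original page or of NSX Cloud. The inventory shape (category lists of objects with `display_name` and `_revision`) and the category keys are assumptions, and the DFW rules are checked for presence only because this page expects them to be adjusted.

```python
# Added example: names come from this page; the inventory shape is an assumption.
DFW_RULES = {"LogicalSwitchToLogicalSwitch", "LogicalSwitchToAnywhere",
             "AnywhereToLogicalSwitch"}
# The page says the default DFW rules need to be adjusted, so a changed revision
# there is expected; everything else should stay as NSX Cloud created it.
PRESENCE_ONLY = {"dfw_rules"}


def expected(vpc_or_vnet):
    """Auto-created display names per category for one VPC/VNet."""
    n = vpc_or_vnet
    return {
        # In HA there are two PCGs; the page names only this one.
        "edge_nodes": {f"PCG-{n}"},
        "edge_clusters": {f"PCG-Cluster-{n}"},
        "logical_switches": {f"DefaultSwitch-Overlay-{n}", f"DefaultSwitch-VLAN-{n}"},
        "logical_routers": {f"PCG-Tier0-LR-{n}"},
        "ns_groups": {"PublicCloudSecurityGroup"},
        "dfw_rules": set(DFW_RULES),
    }


def _index(inventory):
    """Map (category, display_name) -> _revision."""
    return {(cat, obj["display_name"]): obj.get("_revision")
            for cat, objs in inventory.items() for obj in objs}


def find_drift(vpc_or_vnet, baseline, current):
    """Return sorted (category, name, finding) tuples; an empty list means no drift."""
    base, cur = _index(baseline), _index(current)
    findings = []
    for cat, names in sorted(expected(vpc_or_vnet).items()):
        for name in sorted(names):
            key = (cat, name)
            if key not in cur:
                findings.append((cat, name, "missing"))  # deleted or renamed
            elif cat not in PRESENCE_ONLY and key in base and cur[key] != base[key]:
                findings.append((cat, name, "modified"))  # written since baseline
    return findings


def sample_inventory(vpc_or_vnet, revision=0):
    """Constructed inventory containing every expected entity."""
    return {cat: [{"display_name": n, "_revision": revision} for n in sorted(names)]
            for cat, names in expected(vpc_or_vnet).items()}
```

Because matching is by name, `missing` covers both a deleted and a renamed entity; `modified` means the object was written since the baseline and is worth reviewing.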

Logical Switching FAQs

Table 1.

Question

Answer

Does NSX Cloud create any default switches when a PCG is deployed?

Yes. NSX Cloud creates two default switches for each VPC or VNet on which you deploy the PCG. The switches are named as follows:

DefaultSwitch-Overlay-<vpc-or-vnet-name>

DefaultSwitch-VLAN-<vpc-or-vnet-name>

Can I create a VLAN logical switch in addition to the default logical switches created by NSX Cloud?

No. Do not create a VLAN logical switch.

Can I edit or delete the default logical switches created by NSX Cloud?

The UI allows you to edit or delete the default logical entities. However, do not edit or delete anything auto-created by NSX Cloud.

Should I create ports?

No. You don't need to create any ports. NSX Cloud creates ports when you tag VMs in AWS or Microsoft Azure. Do not edit or delete any ports auto-created by NSX Cloud.

Should I create switching profiles?

No. You don't need to create any switching profiles. Use the PublicCloud-Global-SpoofGuardProfile. Do not edit or delete the default switching profile.

Where can I find detailed information on logical switches?

See Logical Switches and Configuring VM Attachment.

Logical Routers FAQs

Table 2.

Question

Answer

Does NSX Cloud auto-create a logical router when a PCG is deployed?

Yes. A Tier-0 logical router is auto-created by NSX Cloud when PCG is deployed on a VPC or VNet.

Where can I find more information on logical routers?

See Tier-0 Logical Router.

IPFIX FAQs

Table 3.

Question

Answer

Are any specific configurations required for IPFIX to work in the public cloud?

Yes:

  • IPFIX is supported in NSX Cloud only on UDP port 4739.

  • The collector must be in the same VPC or VNet as the VM on which the IPFIX profile has been applied.

  • Switch and DFW IPFIX: If the collector is in the same subnet as the Windows VM on which the IPFIX profile has been applied, a static ARP entry for the collector is needed on the Windows VM, because Windows silently discards UDP packets when no ARP entry is found.

Where can I find more information on IPFIX?

See Configure IPFIX.
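
The three IPFIX requirements above can be checked before a profile is applied. This is an added example, not part of the original page or of NSX Cloud. The function name, the VM record fields and the sample addresses are constructed, and membership in the supplied address ranges is an assumed stand-in for "same VPC or VNet".

```python
import ipaddress

IPFIX_UDP_PORT = 4739  # the only port this page lists as supported in NSX Cloud

# Constructed sample: VMs that carry the IPFIX profile.
SAMPLE_VMS = [
    {"name": "win-web-01", "subnet": "10.0.1.0/24", "os": "windows"},
    {"name": "linux-app-01", "subnet": "10.0.1.0/24", "os": "linux"},
    {"name": "win-db-01", "subnet": "10.0.2.0/24", "os": "windows"},
]


def ipfix_preflight(collector_ip, collector_port, network_cidrs, vms):
    """Check one collector against the VMs that carry the IPFIX profile.

    network_cidrs: address ranges of the VPC/VNet the VMs live in (assumption:
    containment in these ranges stands in for "same VPC or VNet").
    vms: dicts with name, subnet (CIDR) and os.
    Returns {"errors": [...], "static_arp_needed": [VM names]}.
    """
    collector = ipaddress.ip_address(collector_ip)
    result = {"errors": [], "static_arp_needed": []}

    if collector_port != IPFIX_UDP_PORT:
        result["errors"].append(
            f"port {collector_port}: only UDP {IPFIX_UDP_PORT} is supported")

    if not any(collector in ipaddress.ip_network(c) for c in network_cidrs):
        result["errors"].append(
            f"collector {collector} is outside the VPC/VNet ranges")

    for vm in vms:
        # Same subnet means the VM resolves the collector by ARP directly, and
        # Windows silently drops the UDP export when no ARP entry is found.
        same_subnet = collector in ipaddress.ip_network(vm["subnet"])
        if same_subnet and vm["os"].lower() == "windows":
            result["static_arp_needed"].append(vm["name"])
    return result
```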

Port Mirroring FAQs

Table 4.

Question

Answer

Are any specific configurations required for Port Mirroring in the public cloud?

Port Mirroring is supported only in AWS in the current release.

  • For NSX Cloud, configure Port Mirroring from Tools > Port Mirroring Session.

  • Only L3SPAN Port Mirroring is supported.

  • The collector must be in the same VPC as the source workload VM.

Where can I find more information on Port Mirroring?

See Monitor Port Mirroring Sessions.

Other FAQs

Table 5.

Question

Answer

Are the tags that I apply to my workload VMs in the public cloud available in NSX-T Data Center?

Yes. See Group VMs using NSX-T Data Center and Public Cloud Tags for details.

How do I set up micro-segmentation for my workload VMs that are managed by NSX-T Data Center?

See Set up Micro-segmentation for Workload VMs.