You can set up micro-segmentation for managed workload VMs.

Do the following to apply distributed firewall rules to onboarded workload VMs:

  1. Create NSGroups using VM names, tags, or other membership criteria, for example, for the web, app, and DB tiers. For instructions, see Create an NSGroup.


    You can use any of the following tags for membership criteria. See Group VMs using NSX-T Data Center and Public Cloud Tags for details.

    • system-defined tags

    • tags from your VPC or VNet that are discovered by NSX Cloud

    • or your own custom tags

  2. Create a firewall rule section and apply it to NSGroups, if required. See Add a Firewall Rule Section.

  3. Create firewall rules and use NSGroups for source and destination as required by your security policy. See Add a Firewall Rule.

This micro-segmentation takes effect either when the inventory is manually re-synchronized from CSM, or within about two minutes, when the changes are pulled into CSM from your public cloud.
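
The three steps above can be checked on paper before any rule is published. The following added example (not VMware code and not the NSX-T API) is a simplified model of tag-based groups, a section scoped to those groups, and top-down first-match rules with a default deny. The VM names, the `tier` tag, the ports and the rule names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: VM name -> set of (scope, value) tags.
INVENTORY = {
    "web-01": {("tier", "web")},
    "app-01": {("tier", "app")},
    "db-01": {("tier", "db")},
    "jump-01": set(),  # untagged VM: matches no group
}

# Step 1: groups defined by a tag membership criterion (hypothetical names).
GROUPS = {"web": ("tier", "web"), "app": ("tier", "app"), "db": ("tier", "db")}

def members(group):
    """Resolve a group to the VMs whose tags satisfy its criterion."""
    return {vm for vm, tags in INVENTORY.items() if GROUPS[group] in tags}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # group name or "ANY"
    dst: str             # group name or "ANY"
    port: Optional[int]  # None means any port
    action: str          # "ALLOW" or "DROP"

# Steps 2 and 3: one section applied to the three tier groups, rules in order.
SECTION_APPLIED_TO = {"web", "app", "db"}
RULES = [
    Rule("web-to-app", "web", "app", 8443, "ALLOW"),
    Rule("app-to-db", "app", "db", 5432, "ALLOW"),
    Rule("tier-default-deny", "ANY", "ANY", None, "DROP"),
]

def in_group(vm, group):
    return group == "ANY" or vm in members(group)

def evaluate(src_vm, dst_vm, port):
    """Return (action, rule name) for a flow; the first matching rule wins."""
    scope = set().union(*(members(g) for g in SECTION_APPLIED_TO))
    if src_vm not in scope and dst_vm not in scope:
        return ("NOT_ENFORCED", None)  # section covers neither endpoint
    for r in RULES:
        if in_group(src_vm, r.src) and in_group(dst_vm, r.dst) and r.port in (None, port):
            return (r.action, r.name)
    return ("DROP", "implicit")  # fallback if no explicit default rule exists
```

In this model the untagged `jump-01` is blocked from reaching the tiers, but traffic that stays between untagged VMs is outside the section's scope, which is the gap to look for when membership depends on tags.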