You can set up micro-segmentation for managed workload VMs.
Do the following to apply distributed firewall rules to onboarded workload VMs:
Create NSGroups using VM names or tags or other membership criteria, for example, for web, app, DB tiers. For instructions, see Create an NSGroup.Note:
You can use any of the following tags for membership criteria. See Group VMs using NSX-T Data Center and Public Cloud Tags for details.
tags from your VPC or VNet that are discovered by NSX Cloud
or your own custom tags
Create a firewall rule section and apply to NSGroups, if required. See Add a Firewall Rule Section.
Create firewall rules and use NSGroups for source and destination as required by your security policy. See Add a Firewall Rule.
This micro-segmentation takes effect when the inventory is either manually re-synchronized from CSM, or within about two minutes when the changes are pulled into CSM from your public cloud.