You can set up micro-segmentation for managed workload VMs.

Do the following to apply distributed firewall rules to onboarded workload VMs:

  1. Create NSGroups using VM names, tags, or other membership criteria, for example, for the web, app, and DB tiers. For instructions, see Create an NSGroup.
    Note: You can use any of the following tags for membership criteria. See Group VMs using NSX-T Data Center and Public Cloud Tags for details.
    • system-defined tags
    • tags from your VPC or VNet that are discovered by NSX Cloud
    • your own custom tags
  2. Create a firewall rule section and apply it to NSGroups, if required. See Add a Firewall Rule Section.
  3. Create firewall rules and use NSGroups for source and destination as required by your security policy. See Add a Firewall Rule.

Micro-segmentation takes effect either when the inventory is manually re-synchronized from CSM, or within about two minutes, when the changes are pulled into CSM from your public cloud.
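
The following added example is not NSX-T or VMware code. It is a simplified offline model of the three steps above, showing how tag-based group membership decides which rule a flow hits and how to spot VMs that no group covers. The VM names, tags, ports, and rule names are constructed, and top-down first-match evaluation with a final default drop is an assumption of the model.

```python
# Simplified offline model (not NSX-T code): tag-based group membership
# plus top-down, first-match rule evaluation with a final default drop.
from dataclasses import dataclass

# Constructed inventory: VM name -> set of (scope, value) tags. Hypothetical names.
VMS = {
    "web-01": {("tier", "web")},
    "app-01": {("tier", "app")},
    "db-01": {("tier", "db")},
    "build-01": set(),  # onboarded but untagged: joins no group
}

# Step 1: groups defined by a tag criterion, one per tier.
GROUPS = {"web": ("tier", "web"), "app": ("tier", "app"), "db": ("tier", "db")}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # group name, or "ANY"
    dst: str     # group name, or "ANY"
    port: int    # destination port; 0 means any port
    action: str  # "ALLOW" or "DROP"

# Steps 2-3: one section of rules in evaluation order, ending in a default drop.
RULES = [
    Rule("any-to-web", "ANY", "web", 443, "ALLOW"),
    Rule("web-to-app", "web", "app", 8443, "ALLOW"),
    Rule("app-to-db", "app", "db", 5432, "ALLOW"),
    Rule("default-drop", "ANY", "ANY", 0, "DROP"),
]

def members(group):
    """VMs whose tags satisfy the group's membership criterion."""
    return {vm for vm, tags in VMS.items() if GROUPS[group] in tags}

def in_scope(vm, group):
    return group == "ANY" or vm in members(group)

def evaluate(src_vm, dst_vm, port):
    """Return (action, rule name) for the first rule matching the flow."""
    for r in RULES:
        if in_scope(src_vm, r.src) and in_scope(dst_vm, r.dst) and r.port in (0, port):
            return r.action, r.name
    return "DROP", "implicit"

def unprotected():
    """VMs in no group: only ANY-scoped rules ever apply to them."""
    return sorted(vm for vm in VMS if not any(vm in members(g) for g in GROUPS))
```

Running `unprotected()` against an exported inventory before publishing rules shows which VMs would be governed only by ANY-scoped rules because a tag is missing or misspelled.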