When Quarantine Policy is enabled:

  • The Security Group (SG) or Network Security Group (NSG) assignment for all interfaces for any workload VMs belonging to this VPC or VNet is managed by NSX Cloud as under:
    • Unmanaged VMs are assigned the quarantine NSG in Microsoft Azure and default Security Group in AWS and are quarantined. This limits the outbound traffic and stops all inbound traffic to such VMs.
    • Unmanaged VMs can become NSX-Managed VMs when you install the NSX agent on the VM and tag them in the public cloud with nsx.network. In the default scenario, NSX Cloud assigns the vm-underlay-sg to allow appropriate inbound/outbound traffic.
    • An NSX-Managed VM can still be assigned the quarantine or default security group and be quarantined if a threat is detected on the VM, for example, if the NSX agent is stopped on the VM.
    • Any manual changes to the security groups will be reverted to the NSX-determined security group(s) within two minutes.
    • If you want to move any VM out of quarantine, assign the vm-override-sg as the only security group for this VM. NSX Cloud does not auto-change the vm-override-sg security group and allows SSH and RDP access to the VM. Removing the vm-override-sg will again cause the VM security group(s) to revert to the NSX-determined security group.
Note: When the Quarantine Policy is enabled, assign the vm-override-sg to your VMs before installing the NSX agent on them. After you follow the process of installing the NSX agent and tagging the VM as underlay, remove the vm-override-sg NSG from the VM. NSX Cloud wil automatically assign the appropriate security group to NSX-managed VMs thereafter. This step is necessary because it ensures the VM is not assigned the quarantine or default security group while you are preparing it for NSX Cloud.