When a PCG is deployed and Compute VPCs/VNets are onboarded, a set of logical entities is created automatically in NSX-T Data Center. The sections below list them by the area of the user interface in which they appear, with their naming scheme and scope.

Important: Do not delete any of these auto-created entities.

System Entities

You can see the following entities under System:

Table 1. Auto-Created System Entities

Transport Zones
  How many: two per Transit VPC/VNet
  Nomenclature:
    • TZ-<VPC/VNet-ID>-OVERLAY
    • TZ-<VPC/VNet-ID>-VLAN
  Scope: Global

Edge Transport Nodes
  How many: one per deployed PCG; two if the PCG is deployed in high availability mode
  Nomenclature:
    • PublicCloudGatewayTN-<VPC/VNET-ID>
    • PublicCloudGatewayTN-<VPC/VNET-ID>-preferred
  Scope: Global

Edge Cluster
  How many: one per PCG deployment, whether a single PCG or a high availability pair
  Nomenclature: PCG-cluster-<VPC/VNet-ID>
  Scope: Global

Inventory Entities

The following entities are created under Inventory:

Table 2. Auto-Created Inventory Entities

Domain
  How many: one per Transit VPC/VNet
  Nomenclature: cloud-<Transit VPC/VNet-ID>
  Scope: shared across all PCGs
  Note: The Domain object is an experimental feature in NSX-T Data Center 2.4, where the auto-created Domains are visible in the user interface. In NSX-T Data Center 2.4.1, Domains are no longer visible in the user interface.

Groups (default Domain)
  How many: two, under the default Domain
  Nomenclature:
    • cloud-default-route
    • cloud-metadata services
  Scope: shared across all PCGs
  Note: In NSX-T Data Center 2.4 the default Domain is visible in the user interface; in NSX-T Data Center 2.4.1 the Domain object is not visible.

Groups (Transit VPC/VNet level)
  How many: one per Transit VPC/VNet, created as the parent group for the individual segments that are created at the Compute VPC/VNet level
  Nomenclature: cloud-<Transit VPC/VNet ID>-all-segments
  Scope: shared across all Compute VPCs/VNets

Groups (Compute VPC/VNet level)
  How many: two per Compute VPC/VNet:
    • a Network CIDR Group covering all CIDRs of the Compute VPC/VNet
    • a Local Segment Group covering all managed segments within the Compute VPC/VNet
  Nomenclature:
    • cloud-<Compute VPC/VNet ID>-cidr
    • cloud-<Compute VPC/VNet ID>-local-segments
  Scope: shared across all Compute VPCs/VNets

Security Entities

Table 3. Auto-Created Security Entities

Distributed Firewall (East-West)
  How many: two per Transit VPC/VNet, one stateless and one stateful
  Nomenclature:
    • cloud-stateless-<VPC/VNet ID>
    • cloud-stateful-<VPC/VNet ID>
  Auto-created stateful rules:
    • allow traffic within local managed segments
    • reject traffic from unmanaged VMs

Gateway Firewall (North-South)
  How many: one per Transit VPC/VNet
  Nomenclature: cloud-<Transit VPC/VNet ID>
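Because the entities in Tables 1 to 3 follow a fixed naming scheme, their presence can be checked mechanically after the fact, which is the practical way to enforce the "do not delete" rule above. The following is an added example written for this page, not code from the NSX-T product or its documentation: `expected_entities` derives the names Tables 1 to 3 prescribe for a given Transit VPC/VNet ID, its linked Compute VPC/VNet IDs and its HA flag, and `missing_entities` diffs them against an inventory snapshot. The entity "type" labels and the snapshot itself are constructed; in practice you would build the snapshot from the objects listed in NSX Manager.

```python
"""Verify that the entities NSX Cloud auto-creates for a PCG deployment are
still present, using the naming scheme from Tables 1-3.

Added example for this page, not code from the NSX-T product or docs. The
entity "type" labels and the inventory snapshot below are constructed; in
practice you would build the snapshot from the objects NSX Manager lists.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    """One PCG deployment: Transit VPC/VNet ID, linked Compute VPC/VNet IDs, HA flag."""
    transit_id: str
    compute_ids: tuple = ()
    ha: bool = False


def expected_entities(dep):
    """Return the set of (type, name) pairs Tables 1-3 say must exist for `dep`."""
    t = dep.transit_id
    expected = {
        # Table 1: system entities, scope Global
        ("TransportZone", f"TZ-{t}-OVERLAY"),
        ("TransportZone", f"TZ-{t}-VLAN"),
        ("EdgeTransportNode", f"PublicCloudGatewayTN-{t}"),
        ("EdgeCluster", f"PCG-cluster-{t}"),
        # Table 2: inventory entities
        ("Domain", f"cloud-{t}"),
        ("Group", "cloud-default-route"),
        ("Group", "cloud-metadata services"),
        ("Group", f"cloud-{t}-all-segments"),
        # Table 3: security entities
        ("DistributedFirewall", f"cloud-stateless-{t}"),
        ("DistributedFirewall", f"cloud-stateful-{t}"),
        ("GatewayFirewall", f"cloud-{t}"),
    }
    if dep.ha:
        # The second Edge Transport Node exists only for an HA pair.
        expected.add(("EdgeTransportNode", f"PublicCloudGatewayTN-{t}-preferred"))
    for c in dep.compute_ids:
        # Two Groups per linked Compute VPC/VNet.
        expected.add(("Group", f"cloud-{c}-cidr"))
        expected.add(("Group", f"cloud-{c}-local-segments"))
    return expected


def missing_entities(dep, inventory):
    """Return the expected (type, name) pairs absent from `inventory`, sorted.

    `inventory` is an iterable of dicts with "type" and "name" keys. Extra,
    operator-created objects are ignored; only missing auto-created ones matter.
    """
    present = {(e["type"], e["name"]) for e in inventory}
    return sorted(expected_entities(dep) - present)


# Constructed sample: Transit VPC vpc-0a1b2c (HA pair) with one linked Compute VPC,
# from which an operator has deleted the VLAN transport zone and one Group.
SAMPLE_DEPLOYMENT = Deployment("vpc-0a1b2c", compute_ids=("vpc-9f8e7d",), ha=True)
SAMPLE_INVENTORY = [
    {"type": "TransportZone", "name": "TZ-vpc-0a1b2c-OVERLAY"},
    {"type": "EdgeTransportNode", "name": "PublicCloudGatewayTN-vpc-0a1b2c"},
    {"type": "EdgeTransportNode", "name": "PublicCloudGatewayTN-vpc-0a1b2c-preferred"},
    {"type": "EdgeCluster", "name": "PCG-cluster-vpc-0a1b2c"},
    {"type": "Domain", "name": "cloud-vpc-0a1b2c"},
    {"type": "Group", "name": "cloud-default-route"},
    {"type": "Group", "name": "cloud-metadata services"},
    {"type": "Group", "name": "cloud-vpc-0a1b2c-all-segments"},
    {"type": "Group", "name": "cloud-vpc-9f8e7d-cidr"},
    {"type": "Group", "name": "web-tier"},  # operator-created, ignored by the check
    {"type": "DistributedFirewall", "name": "cloud-stateless-vpc-0a1b2c"},
    {"type": "DistributedFirewall", "name": "cloud-stateful-vpc-0a1b2c"},
    {"type": "GatewayFirewall", "name": "cloud-vpc-0a1b2c"},
]

if __name__ == "__main__":
    for kind, name in missing_entities(SAMPLE_DEPLOYMENT, SAMPLE_INVENTORY):
        print(f"MISSING {kind}: {name}")
```

One caveat when building the snapshot: the Domain note in Table 2 means a snapshot compiled from the 2.4.1 user interface will never contain the cloud-<Transit VPC/VNet-ID> Domain, so either take the snapshot from a source that lists Domains or drop the Domain entry from the expected set on that release, otherwise every run reports a false positive.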

Networking Entities

The following entities are created at different stages of onboarding:

Figure 1. Auto-created NSX-T Data Center Networking Entities After PCG is Deployed

Table 4. Auto-Created Networking Entities

Onboarding task: PCG deployed on the Transit VPC/VNet
  Logical entities created in NSX-T Data Center:
    • Tier-0 Gateway
    • Infra Segment (default VLAN switch)
    • Tier-1 router

Onboarding task: Compute VPC or VNet linked to the Transit VPC/VNet
  Logical entities created in NSX-T Data Center:
    • Tier-1 router

Onboarding task: a workload VM with the NSX agent installed is tagged with the "nsx.network:default" key:value in a subnet of a Compute or self-managed VPC/VNet
  Logical entities created in NSX-T Data Center:
    • a Segment for that specific subnet of the Compute or self-managed VPC/VNet
    • a hybrid port for each tagged workload VM that has the NSX agent installed

Onboarding task: more workload VMs are tagged in the same subnet of the Compute or self-managed VPC/VNet
  Logical entities created in NSX-T Data Center:
    • a hybrid port for each newly tagged workload VM that has the NSX agent installed (the Segment for that subnet already exists)

Forwarding Policies

The following three forwarding rules are set up for each Compute VPC/VNet, and also for a self-managed Transit VPC/VNet:

  • Traffic to any CIDR of the same Compute VPC/VNet is forwarded over the public cloud's network (underlay).
  • Traffic to the public cloud's metadata services is forwarded over the public cloud's network (underlay).
  • Everything else, that is, traffic to destinations neither within the Compute VPC/VNet's CIDR blocks nor belonging to a known service, is forwarded through the NSX-T Data Center network (overlay).
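The practical question these rules answer is which path a given flow takes, and therefore whether it ever reaches the NSX-T overlay. The following is an added example written for this page, not the product's forwarding-policy engine: `build_forwarding_policy` expresses the three rules above in their order of precedence for one Compute VPC/VNet, and `forwarding_path` resolves a destination address against them. The metadata address 169.254.169.254 is an assumption (the address AWS and Azure use; the page does not state it), and the CIDRs are constructed sample values.

```python
"""Resolve which path the three auto-created forwarding rules give traffic
leaving a workload VM in a Compute VPC/VNet: underlay for same-VPC CIDRs and
the cloud metadata service, NSX-T overlay for everything else.

Added example for this page, not the product's forwarding-policy engine.
The metadata address 169.254.169.254 is an assumption (it is the address AWS
and Azure use; the page does not state it), and the CIDRs are constructed.
"""
import ipaddress

# Assumption: the destination behind "public cloud metadata services".
METADATA_SERVICE = ipaddress.ip_network("169.254.169.254/32")


def build_forwarding_policy(compute_cidrs):
    """Return the ordered rules for one Compute VPC/VNet as (rule, networks, path)."""
    nets = [ipaddress.ip_network(c) for c in compute_cidrs]
    return [
        # Rule 1: any CIDR of the same Compute VPC/VNet stays on the cloud network.
        ("compute-vpc-cidr", nets, "underlay"),
        # Rule 2: metadata service traffic stays on the cloud network.
        ("metadata-service", [METADATA_SERVICE], "underlay"),
        # Rule 3: everything else goes through the NSX-T Data Center network.
        ("default-route", [ipaddress.ip_network("0.0.0.0/0")], "overlay"),
    ]


def forwarding_path(policy, dst):
    """Return (rule name, path) for the first rule whose networks contain `dst`.

    Rules are evaluated in order, so the catch-all default route only applies
    when neither a Compute VPC/VNet CIDR nor the metadata service matched.
    An address of a different family (e.g. IPv6 against IPv4 rules) matches
    nothing and raises, rather than silently falling through.
    """
    addr = ipaddress.ip_address(dst)
    for rule, nets, path in policy:
        if any(addr in n for n in nets):
            return rule, path
    raise ValueError(f"no forwarding rule matches {dst}")


# Constructed sample: a Compute VPC with two CIDR blocks.
SAMPLE_POLICY = build_forwarding_policy(["10.20.0.0/16", "10.21.0.0/16"])

if __name__ == "__main__":
    for dst in ("10.20.5.7", "169.254.169.254", "10.99.1.1", "203.0.113.10"):
        rule, path = forwarding_path(SAMPLE_POLICY, dst)
        print(f"{dst:>16} -> {path:<8} ({rule})")
```

The useful reading of the output is the negative one: an address inside the Compute VPC/VNet's own CIDRs never enters the overlay, so only traffic that resolves to "overlay" passes through the NSX-T network and the entities Tables 3 and 4 describe; intra-VPC and metadata traffic is handled by the public cloud's network.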