If previously enabled, Quarantine Policy must be disabled to undeploy PCG.

With Quarantine Policy enabled, your VMs are assigned security groups defined by NSX Cloud. When you undeploy PCG, you need to disable Quarantine Policy and specify a fallback security group that the VMs can be assigned to when they are removed from the NSX Cloud security groups.
Note: The fallback security group must be an existing user-defined security group in your public cloud. You cannot use any of the NSX Cloud security groups as a fallback security group. See Auto-Created Logical Entities and Cloud-native Security Groups for a list of NSX Cloud security groups.
Disable Quarantine Policy for the VPC or VNet from which you are undeploying PCG:
  • Go to the VPC or VNet in CSM.
  • From Actions > Edit Configurations >, turn off the setting for Default Quarantine .
  • Enter a value for a fallback security group that VMs will be assigned.
  • All VMs that are unmanaged or quarantined in this VPC or VNet will get the fallback security group assigned to them.
  • If all VMs are unmanaged, they get assigned to the fallback security group.
  • If there are managed VMs while disabling Quarantine Policy, they retain their NSX Cloud-assigned security groups. The first time you remove the nsx.network tag from such VMs to take them out from NSX management, they are also assigned the fallback security group.
Note: See Managing Quarantine Policy in the NSX-T Data Center Administration Guide for instructions and more information on the effects of enabling and disabling the Quarantine Policy.