In your public clouds, cloud-native security groups are created.
Public Cloud Configurations
- In the AWS VPC, a new Type A Record Set named nsx-gw.vmware.local is added to a private hosted zone in Amazon Route 53. The IP address mapped to this record matches the Management IP address of the PCG, which is assigned by AWS using DHCP and therefore differs for each VPC. NSX Cloud uses this DNS entry in the private hosted zone in Amazon Route 53 to resolve the PCG's IP address.
Note: When you use custom DNS domain names defined in a private hosted zone in Amazon Route 53, the DNS Resolution and DNS Hostnames attributes must be set to Yes for your VPC settings in AWS.
A secondary IP for the uplink interface for PCG is created. An AWS Elastic IP is associated with this secondary IP address. This configuration is for SNAT.
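A pre-flight check for the AWS-side DNS prerequisites described above (the two VPC DNS attributes and the nsx-gw.vmware.local A record matching the PCG Management IP), added here as an example and not VMware's or AWS's own code. It reads JSON of the shape returned by `aws ec2 describe-vpc-attribute` and `aws route53 list-resource-record-sets`; the VPC id, IP addresses and hosted-zone records are constructed sample data.

```python
import json

# Added example, not VMware's or AWS's code. Inputs are JSON of the shape returned by
# `aws ec2 describe-vpc-attribute` and `aws route53 list-resource-record-sets`;
# the VPC id, IPs and hosted-zone content below are constructed sample data.
PCG_RECORD_NAME = "nsx-gw.vmware.local"

DNS_SUPPORT_JSON = '{"VpcId": "vpc-0123456789abcdef0", "EnableDnsSupport": {"Value": true}}'
DNS_HOSTNAMES_JSON = '{"VpcId": "vpc-0123456789abcdef0", "EnableDnsHostnames": {"Value": false}}'
# Route 53 returns record names with a trailing dot.
RECORD_SETS_JSON = """{"ResourceRecordSets": [
  {"Name": "vmware.local.", "Type": "NS", "TTL": 172800, "ResourceRecords": [{"Value": "ns-1536.awsdns-00.co.uk."}]},
  {"Name": "nsx-gw.vmware.local.", "Type": "A", "TTL": 300, "ResourceRecords": [{"Value": "10.0.1.23"}]}
]}"""


def vpc_attribute_enabled(attribute_json: str, attribute: str) -> bool:
    """True if the named VPC attribute (EnableDnsSupport / EnableDnsHostnames) is on."""
    return bool(json.loads(attribute_json).get(attribute, {}).get("Value", False))


def pcg_a_record_values(record_sets_json: str, name: str = PCG_RECORD_NAME) -> list:
    """A-record values for `name`, ignoring case and Route 53's trailing dot."""
    want = name.rstrip(".").lower()
    values = []
    for rrset in json.loads(record_sets_json)["ResourceRecordSets"]:
        if rrset["Type"] == "A" and rrset["Name"].rstrip(".").lower() == want:
            values.extend(rr["Value"] for rr in rrset.get("ResourceRecords", []))
    return values


def check_pcg_dns(pcg_mgmt_ip, dns_support_json, dns_hostnames_json, record_sets_json):
    """Return findings as a list of strings; an empty list means all checks passed."""
    findings = []
    if not vpc_attribute_enabled(dns_support_json, "EnableDnsSupport"):
        findings.append("VPC attribute DNS Resolution (enableDnsSupport) is not enabled")
    if not vpc_attribute_enabled(dns_hostnames_json, "EnableDnsHostnames"):
        findings.append("VPC attribute DNS Hostnames (enableDnsHostnames) is not enabled")
    values = pcg_a_record_values(record_sets_json)
    if not values:
        findings.append(f"no A record {PCG_RECORD_NAME} in the private hosted zone")
    elif values != [pcg_mgmt_ip]:
        findings.append(f"{PCG_RECORD_NAME} -> {values}, but PCG management IP is {pcg_mgmt_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_pcg_dns("10.0.1.23", DNS_SUPPORT_JSON, DNS_HOSTNAMES_JSON, RECORD_SETS_JSON):
        print("FAIL:", finding)
```

Feed it the real command output for the VPC and hosted zone; the sample data deliberately has DNS Hostnames disabled so that the check reports one finding.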
In AWS and Microsoft Azure:
The gw security groups are applied to the respective PCG interfaces.
| Security Group name | Available in Microsoft Azure? | Available in AWS? | Full Name |
|---|---|---|---|
| gw-mgmt-sg | Yes | Yes | Gateway Management Security Group |
| gw-uplink-sg | Yes | Yes | Gateway Uplink Security Group |
| gw-vtep-sg | Yes | Yes | Gateway Downlink Security Group |

| Security Group name | Available in Microsoft Azure? | Available in AWS? | Description |
|---|---|---|---|
| quarantine | Yes | No | Quarantine security group for Microsoft Azure |
| default | No | Yes | Quarantine security group for AWS |
| vm-underlay-sg | Yes | Yes | VM Non-Overlay security group |
| vm-override-sg | Yes | Yes | VM Override Security Group |
| vm-overlay-sg | Yes | Yes | VM Overlay security group (not used in the current release) |
| vm-outbound-bypass-sg | Yes | Yes | VM Outbound Bypass Security Group (not used in the current release) |
| vm-inbound-bypass-sg | Yes | Yes | VM Inbound Bypass Security Group (not used in the current release) |