In your public clouds, cloud-native security groups are created.

Public Cloud Configurations

In AWS:
  • In the AWS VPC, a new Type A record set named nsx-gw.vmware.local is added to a private hosted zone in Amazon Route 53. The IP address mapped to this record is the Management IP address of the PCG, which AWS assigns by DHCP and which therefore differs for each VPC. NSX Cloud uses this DNS entry in the private hosted zone in Amazon Route 53 to resolve the PCG's IP address.
    Note: When you use custom DNS domain names defined in a private hosted zone in Amazon Route 53, the DNS Resolution and DNS Hostnames attributes of your VPC settings in AWS must both be set to Yes.
  • A secondary IP address is created on the PCG uplink interface, and an AWS Elastic IP is associated with that secondary IP address. This configuration is used for SNAT.

In AWS and Microsoft Azure:

The gw-* security groups are applied to the corresponding PCG interfaces.

Table 1. Public Cloud Security Groups created by NSX Cloud for PCG interfaces

Security Group name | Available in Microsoft Azure? | Available in AWS? | Full Name
gw-mgmt-sg          | Yes                           | Yes               | Gateway Management Security Group
gw-uplink-sg        | Yes                           | Yes               | Gateway Uplink Security Group
gw-vtep-sg          | Yes                           | Yes               | Gateway Downlink Security Group
Table 2. Public Cloud Security Groups created by NSX Cloud for Workload VMs

Security Group name   | Available in Microsoft Azure? | Available in AWS? | Description
quarantine            | Yes                           | No                | Quarantine security group for Microsoft Azure
default               | No                            | Yes               | Quarantine security group for AWS
vm-underlay-sg        | Yes                           | Yes               | VM Non-Overlay security group
vm-override-sg        | Yes                           | Yes               | VM Override Security Group
vm-overlay-sg         | Yes                           | Yes               | VM Overlay security group (not used in the current release)
vm-outbound-bypass-sg | Yes                           | Yes               | VM Outbound Bypass Security Group (not used in the current release)
vm-inbound-bypass-sg  | Yes                           | Yes               | VM Inbound Bypass Security Group (not used in the current release)
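The AWS artifacts described above (the nsx-gw.vmware.local A record that must track the DHCP-assigned PCG management IP, the two VPC DNS attributes, and the three gateway security groups) are worth auditing after deployment, because the record differs per VPC and a missing group or attribute breaks PCG reachability silently. The following is an added example, not VMware's code: it takes the JSON documents that the AWS CLI returns for `describe-vpc-attribute`, `route53 list-resource-record-sets` and `describe-security-groups`, and reports every deviation from the state this page describes. The sample data, VPC ID, group IDs and management IP are constructed for the example; the expected record and group names come from the tables above.

```python
"""Audit the AWS artifacts NSX Cloud creates for a PCG (added example, not VMware code).

Checks: the private-zone A record nsx-gw.vmware.local carries exactly the PCG
management IP, the VPC has enableDnsSupport/enableDnsHostnames set, and the three
gw-* security groups exist in the PCG's VPC. Inputs are dicts shaped like the AWS
CLI JSON output; the sample data at the bottom is constructed, not from a real account.
"""

# Names taken from the documentation above.
PCG_RECORD_NAME = "nsx-gw.vmware.local."  # Route 53 returns names as FQDNs with a trailing dot
EXPECTED_GW_GROUPS = {"gw-mgmt-sg", "gw-uplink-sg", "gw-vtep-sg"}


def check_vpc_dns_attributes(dns_support: dict, dns_hostnames: dict) -> list[str]:
    """Both attributes must be enabled for private hosted zone names to resolve in the VPC."""
    findings = []
    if not dns_support.get("EnableDnsSupport", {}).get("Value", False):
        findings.append("VPC attribute enableDnsSupport is not true")
    if not dns_hostnames.get("EnableDnsHostnames", {}).get("Value", False):
        findings.append("VPC attribute enableDnsHostnames is not true")
    return findings


def check_pcg_record(record_sets: dict, pcg_mgmt_ip: str) -> list[str]:
    """The A record for the PCG must exist and resolve only to the management IP."""
    matches = [
        rr for rr in record_sets.get("ResourceRecordSets", [])
        if rr.get("Name", "").lower() == PCG_RECORD_NAME and rr.get("Type") == "A"
    ]
    if not matches:
        return [f"no A record named {PCG_RECORD_NAME} in the private hosted zone"]
    values = {r["Value"] for rr in matches for r in rr.get("ResourceRecords", [])}
    if values != {pcg_mgmt_ip}:
        return [f"{PCG_RECORD_NAME} resolves to {sorted(values)} but PCG management IP is {pcg_mgmt_ip}"]
    return []


def check_gateway_security_groups(security_groups: dict, vpc_id: str) -> list[str]:
    """All three gw-* groups from Table 1 must exist in the PCG's VPC."""
    present = {
        sg["GroupName"] for sg in security_groups.get("SecurityGroups", [])
        if sg.get("VpcId") == vpc_id
    }
    return [f"security group {name} missing from {vpc_id}" for name in sorted(EXPECTED_GW_GROUPS - present)]


def audit(vpc_id, pcg_mgmt_ip, dns_support, dns_hostnames, record_sets, security_groups) -> list[str]:
    """Run all checks; an empty list means the VPC matches the documented state."""
    return (
        check_vpc_dns_attributes(dns_support, dns_hostnames)
        + check_pcg_record(record_sets, pcg_mgmt_ip)
        + check_gateway_security_groups(security_groups, vpc_id)
    )


# Constructed sample data in the shape of AWS CLI output (no real resources).
# It models a drifted deployment: DNS Hostnames disabled and gw-vtep-sg missing.
SAMPLE_VPC_ID = "vpc-0abc1234example"
SAMPLE_PCG_MGMT_IP = "10.20.0.15"
SAMPLE_DNS_SUPPORT = {"VpcId": SAMPLE_VPC_ID, "EnableDnsSupport": {"Value": True}}
SAMPLE_DNS_HOSTNAMES = {"VpcId": SAMPLE_VPC_ID, "EnableDnsHostnames": {"Value": False}}
SAMPLE_RECORD_SETS = {"ResourceRecordSets": [
    {"Name": "nsx-gw.vmware.local.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "10.20.0.15"}]},
]}
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupName": "gw-mgmt-sg", "GroupId": "sg-0111example", "VpcId": SAMPLE_VPC_ID},
    {"GroupName": "gw-uplink-sg", "GroupId": "sg-0222example", "VpcId": SAMPLE_VPC_ID},
    {"GroupName": "vm-underlay-sg", "GroupId": "sg-0333example", "VpcId": SAMPLE_VPC_ID},
]}


def audit_sample() -> list[str]:
    """Audit the constructed sample; returns the two expected findings."""
    return audit(SAMPLE_VPC_ID, SAMPLE_PCG_MGMT_IP, SAMPLE_DNS_SUPPORT, SAMPLE_DNS_HOSTNAMES,
                 SAMPLE_RECORD_SETS, SAMPLE_SECURITY_GROUPS)


if __name__ == "__main__":
    for finding in audit_sample() or ["no findings"]:
        print(finding)
```

In a live account the three input documents come straight from the CLI (`aws ec2 describe-vpc-attribute --vpc-id <id> --attribute enableDnsSupport`, the same for `enableDnsHostnames`, `aws route53 list-resource-record-sets --hosted-zone-id <private-zone-id>`, and `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<id>`), loaded with `json.load` and passed to `audit()`; the management IP to compare against is the primary private IP of the PCG's management interface in that VPC.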