NSX Cloud FAQs and Troubleshooting

This topic covers some frequently asked questions and troubleshooting information.

How can I verify that my NSX Cloud components are installed and running?

To verify that NSX Tools on your workload VM are connected to PCG, do the following:
1. Type the nsxcli command to open NSX CLI.
2. Type the following command to get the gateway connection status, for example:
```
get gateway connection status
Public Cloud Gateway  : nsx-gw.vmware.com:5555
Connection Status 	: ESTABLISHED 
```
The workload VMs must have the correct tags to connect to PCG:
1. Log in to the AWS console or the Microsoft Azure portal.
2. Verify the VM's eth0 or interface tag.
  The nsx.network key must have the value default.

My VMs launched using cloud-init are quarantined and do not allow installation of third-party tools. What should I do?

With the Quarantine Policy enabled, when launching VMs using cloud-init scripts with the following specifications, your VMs are quarantined upon launching and you are not able to install custom applications or tools on them:

tagged with nsx.network=default
custom services auto-installed or bootstrapped when the VM is powered on

Solution:

Update the default (AWS) or default-vnet-<vnet-ID>-sg (Microsoft Azure) security group to add inbound/outbound ports as required for the installation of custom or third-party applications.

I tagged my VM correctly and installed NSX Tools, but my VM is quarantined. What should I do?

If you encounter this problem, try the following:

Check whether the NSX Cloud tag: nsx.network and its value: default are correctly typed in. This is case-sensitive.
Resync the AWS or Microsoft Azure account from CSM:
- Log in to CSM.
- Go to Clouds > AWS/Azure > Accounts.
- Click on Actions from the public cloud account tile and click Resync Account.

What should I do if I cannot access my workload VM?

From your Public Cloud (AWS or Microsoft Azure):

Ensure that all ports on the VM, including those managed by NSX Cloud, the OS firewall (Microsoft Windows or IPTables), and NSX-T Data Center are properly configured in order to allow traffic,

For example, to allow ping to a VM, the following needs to be properly configured:
- Security Group on AWS or Microsoft Azure. See Threat Detection using the NSX Cloud Quarantine Policy for more information.
- NSX-T Data Center DFW rules. See Default Connectivity Strategy for NSX-Managed Workload VMs in the NSX Enforced Mode for details.
- Windows Firewall or IPTables on Linux.
Attempt resolving the issue by logging in to the VM using SSH or other methods, for example, the Serial Console in Microsoft Azure.
You can reboot the locked out VM.
If you still cannot access the VM, then attach a secondary NIC to the workload VM from which to access that workload VM.

Do I need a PCG even in the Native Cloud Enforced Mode?

Yes.

Can I change the IAM role for the PCG after I have onboarded my public cloud account in CSM?

Yes. You can rerun the NSX Cloud script applicable to your public cloud to regenerate the PCG role. Edit your public cloud account in CSM with the new rolename after you regenerate the PCG role . Any new PCG instances deployed in your public cloud account will use the new role.

Note that existing PCG instances continue to use the old PCG role. If you want to update the IAM role for an existing PCG instance, go to your public cloud and manually change the role for that PCG instance.

Can I use the NSX-T Data Center on-prem licenses for NSX Cloud?

Yes, you can if your ELA has a clause for it.

I am using the URL from CSM to deploy PCG but I get an error because the gateway name is unresolvable.

When the URL from the CSM UI for installing PCG fails because of gateway name being unresolvable, do the following in the respective public cloud for the OS of your workload VM:

On Microsoft Windows workload VMs in Microsoft Azure, run the following command and download the install script again using the URL from CSM:
```
Add-DnsClientNrptRule -Namespace "nsx-gw.vmware.local" -NameServers "168.63.129.16" -DnsSecEnable
```
On Microsoft Windows workload VMs in AWS, run the following command and download the install script again using the URL from CSM::
```
Add-DnsClientNrptRule -Namespace "nsx-gw.vmware.local" -NameServers "169.254.169.253" -DnsSecEnable
```
On Linux workload VMs in Microsoft Azure run the following command to get PCG's IP addresses and download the install script using these IP addresses with the URL from CSM.
```
nslookup nsx-gw.vmware.local 168.63.129.16 | awk '/^Address: / { print $2 }'
```
On Linux workload VMs in AWS run the following command to get PCG's IP addresses and download the install script using these IP addresses with the URL from CSM.:
```
nslookup nsx-gw.vmware.local 169.254.169.253 | awk '/^Address: / { print $2 }'
```