NSX Cloud does not manage the public cloud security groups of untagged VMs when Quarantine Policy is disabled.

However, for VMs tagged with nsx.network=default in the public cloud, NSX Cloud assigns the appropriate security group depending on the VM's state. This behavior is similar to when the Quarantine Policy is enabled, except that the quarantine security groups (default-vnet-<vnet-id>-sg in Microsoft Azure and default in AWS) are configured like the public cloud's own default security groups: they allow all traffic within the VPC/VNet and deny all other inbound traffic. Any manual change to the security group of a tagged VM is reverted to the NSX Cloud-assigned security group within two minutes.
Note: If you do not want NSX Cloud to assign security groups to your NSX-managed (tagged) VMs, add them to the User Managed list in CSM. See User Managed List for VMs.

The following table shows how NSX Cloud manages the public cloud security groups of workload VMs when Quarantine Policy is disabled.

Table 1. NSX Cloud assignment of public cloud security groups when Quarantine Policy is disabled

Tagged with nsx.network=default in the public cloud? | Added to the User Managed List? | VM's public cloud security group when Quarantine Policy is disabled, and why
Tagged or not tagged | Yes | Retains its existing public cloud security group: NSX Cloud takes no action on VMs in the User Managed list.
Not tagged | No | Retains its existing public cloud security group: NSX Cloud takes no action on untagged VMs.
Tagged | No | If the VM has no threats: vm-underlay-sg. If the VM has potential threats (see note): default-vnet-<vnet-id>-sg in Microsoft Azure, default in AWS.

Note: The assignment of public cloud security groups is triggered within 90 seconds of applying the nsx.network=default tag to a workload VM. The VM is not NSX-managed until NSX Tools are installed on it; until NSX Tools are installed, a tagged workload VM remains in the default security group.

The following table shows how NSX Cloud manages the public cloud security groups of VMs when the Quarantine Policy was enabled and is then disabled:

Table 2. NSX Cloud assignment of public cloud security groups when Quarantine Policy is disabled after having been enabled

Tagged with nsx.network=default in the public cloud? | In the User Managed list? | VM's public cloud security group while Quarantine Policy is enabled | VM's public cloud security group after Quarantine Policy is disabled
Tagged or not tagged | Yes | Any existing public cloud security group | Retains its existing public cloud security group: NSX Cloud takes no action on VMs in the User Managed list.
Not tagged | No | default-vnet-<vnet-id>-sg (Microsoft Azure) or default (AWS) | Remains in the existing security group after the Quarantine Policy is disabled, because the VM is untagged and not considered NSX-managed. You can manually assign any other security group to this VM as required.
Tagged | No | vm-underlay-sg, default-vnet-<vnet-id>-sg (Microsoft Azure) or default (AWS) | Retains the NSX Cloud-assigned security group, because the assignment for tagged VMs is the same whether the Quarantine Policy is enabled or disabled.

Note: If a VM in the User Managed list is in an NSX Cloud-assigned security group, you must manually move it to the default security group in AWS or the default-vnet-<vnet-id>-sg security group in Microsoft Azure.
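The two tables above describe what NSX Cloud does to each VM; they do not tell you whether your account currently matches that. The following audit script is an added example (not VMware or NSX Cloud code) that applies the AWS column of both tables to EC2 inventory in the shape returned by boto3's describe_instances. It assumes that nsx.network=default is visible as an ordinary EC2 instance tag, that the AWS group names are exactly vm-underlay-sg and default as stated in the tables, and that the CSM User Managed list is supplied as a set of instance IDs; the sample inventory at the bottom is constructed for illustration. The interesting outputs are tagged VMs in a group NSX Cloud did not assign (a manual change that will be reverted within about two minutes) and untagged VMs still sitting in the quarantine group after the policy was disabled, which allow all intra-VPC traffic until someone reassigns them.

```python
"""Audit EC2 security groups against NSX Cloud's Quarantine-Policy-disabled behaviour.

Added example, not VMware/NSX Cloud code. Assumptions not stated by the page:
- nsx.network=default is an ordinary EC2 instance tag;
- the AWS group names are exactly "vm-underlay-sg" and "default";
- the CSM User Managed list is passed in as a set of instance IDs.
"""
from typing import Iterable

NSX_TAG_KEY = "nsx.network"
NSX_TAG_VALUE = "default"
UNDERLAY_SG = "vm-underlay-sg"   # tagged VM with no threats
QUARANTINE_SG = "default"        # AWS name of the quarantine group


def is_nsx_tagged(instance: dict) -> bool:
    """True when the instance carries the nsx.network=default tag."""
    return any(t.get("Key") == NSX_TAG_KEY and t.get("Value") == NSX_TAG_VALUE
               for t in instance.get("Tags", []))


def classify(instance: dict, user_managed: set) -> dict:
    """Apply the tables above to one describe_instances Instance record."""
    iid = instance["InstanceId"]
    sgs = {g["GroupName"] for g in instance.get("SecurityGroups", [])}
    finding = {"instance": iid, "groups": sorted(sgs)}

    if iid in user_managed:
        # NSX Cloud takes no action on User Managed VMs, tagged or not.
        finding.update(status="user-managed", note="existing groups retained; not audited")
    elif not is_nsx_tagged(instance):
        # Untagged VMs are not NSX-managed and keep whatever they have,
        # including the quarantine group if one was applied earlier.
        if QUARANTINE_SG in sgs:
            finding.update(status="untagged-in-quarantine-sg",
                           note="still in 'default' (intra-VPC allowed); reassign manually if unwanted")
        else:
            finding.update(status="untagged", note="not NSX-managed; groups retained")
    elif sgs == {UNDERLAY_SG}:
        finding.update(status="ok", note="no threats detected: vm-underlay-sg")
    elif sgs == {QUARANTINE_SG}:
        finding.update(status="quarantined",
                       note="potential threats, or NSX Tools not yet installed")
    else:
        # Anything else on a tagged VM is a manual change NSX Cloud will undo.
        finding.update(status="drift",
                       note="not an NSX Cloud-assigned group; reverted within ~2 minutes")
    return finding


def audit(reservations: Iterable[dict], user_managed: set) -> list:
    """Run classify() over a describe_instances()['Reservations'] list."""
    return [classify(inst, user_managed)
            for res in reservations for inst in res.get("Instances", [])]


def fetch_reservations(region: str) -> list:
    """Live inventory via boto3, imported lazily so the audit itself runs offline."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_instances").paginate()
    return [res for page in pages for res in page["Reservations"]]


# Constructed sample in describe_instances() shape; not real inventory.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "nsx.network", "Value": "default"}],
     "SecurityGroups": [{"GroupName": "vm-underlay-sg", "GroupId": "sg-1"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "nsx.network", "Value": "default"}],
     "SecurityGroups": [{"GroupName": "default", "GroupId": "sg-2"}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "nsx.network", "Value": "default"}],
     "SecurityGroups": [{"GroupName": "web-admin-sg", "GroupId": "sg-3"}]},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "Name", "Value": "legacy"}],
     "SecurityGroups": [{"GroupName": "default", "GroupId": "sg-2"}]},
    {"InstanceId": "i-0eee", "Tags": [{"Key": "nsx.network", "Value": "default"}],
     "SecurityGroups": [{"GroupName": "custom-sg", "GroupId": "sg-4"}]},
]}]
SAMPLE_USER_MANAGED = {"i-0eee"}  # hypothetical CSM User Managed list entry

if __name__ == "__main__":
    for f in audit(SAMPLE_RESERVATIONS, SAMPLE_USER_MANAGED):
        print(f"{f['instance']:8} {f['status']:26} {f['groups']}  {f['note']}")
```

Against a live account, replace SAMPLE_RESERVATIONS with fetch_reservations("us-east-1") and feed it the instance IDs you have on the User Managed list in CSM. Because NSX Cloud reverts manual changes on tagged VMs within two minutes, a "drift" finding that persists across repeated runs is worth investigating: either the VM is not actually NSX-managed (NSX Tools missing) or something outside NSX Cloud is re-applying the change.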