NSX Cloud does not manage the public cloud security groups of untagged VMs when Quarantine Policy is disabled. However, for VMs tagged with nsx.network=default in the public cloud, NSX Cloud assigns appropriate security groups depending on the VM's state. This behavior is similar to when the Quarantine Policy is enabled, but the rules in the quarantine security groups (default-vnet-<vnet-id>-sg in Microsoft Azure and default in AWS) are configured like the default public cloud security groups, allowing all traffic within the VPC/VNet and denying all other inbound traffic. Any manual changes to the security groups of tagged VMs are reverted to the NSX Cloud-assigned security group within two minutes.
Note: If you do not want NSX Cloud to assign security groups to your NSX-managed (tagged) VMs, add them to the User Managed list in CSM. See User Managed List for VMs.
The following table shows how NSX Cloud manages the public cloud security groups of workload VMs when Quarantine Policy is disabled.
Is VM tagged with nsx.network=default in the public cloud? | Is VM added to the User Managed List? | VM's public cloud security group when Quarantine Policy is disabled, and explanation |
---|---|---|
VM could be tagged or not tagged | Added to the User Managed List | Retains existing public cloud security group because NSX Cloud doesn't take any action on VMs in the User Managed list. |
Not tagged | Not added to the User Managed List | Retains existing public cloud security group because NSX Cloud doesn't take action on untagged VMs. |
Tagged | Not added to the User Managed List | NSX Cloud assigns an appropriate security group depending on the VM's state; any manual change to the security group is reverted to the NSX Cloud-assigned security group within two minutes. |
The following table shows how NSX Cloud manages the public cloud security groups of VMs if Quarantine policy was enabled before and is now disabled:
Is VM tagged with nsx.network=default in the public cloud? | Is VM in the User Managed list? | VM's existing public cloud security group when Quarantine Policy is enabled | VM's public cloud security group after Quarantine Policy is disabled |
---|---|---|---|
VM could be tagged or not tagged | Yes, VM is in the User Managed list | Any existing public cloud security group | Retains existing public cloud security group because NSX Cloud doesn't take any action on VMs in the User Managed list. Note: If you have a VM in the User Managed list in any NSX Cloud-assigned security group, you must manually move it to the default security group in AWS or the default-vnet-<vnet-id>-sg security group in Microsoft Azure. |
Not tagged | Not added to the User Managed List | default-vnet-<vnet-id>-sg (Microsoft Azure) or default (AWS) | Remains in the existing security group when the Quarantine Policy is disabled because it is untagged and not considered NSX-managed. You can manually assign any other security group to this VM as required. |
Tagged | Not added to the User Managed List | vm-underlay-sg, or default-vnet-<vnet-id>-sg (Microsoft Azure) or default (AWS) | Retains the NSX Cloud-assigned security group because that is consistent for tagged VMs in the Quarantine enabled or disabled modes. |
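The tables above leave two checks to the administrator after Quarantine Policy is disabled: VMs in the User Managed list that are still sitting in an NSX Cloud-assigned security group must be moved by hand, and tagged VMs that have been manually changed will be reverted within two minutes. The following audit script is an added example, not part of the NSX Cloud documentation or of VMware's tooling. It runs over a constructed inventory; in practice the records would be built from the public cloud API (instance tags and security-group associations) and the CSM User Managed list. The security-group names are the ones on this page (vm-underlay-sg, default-vnet-<vnet-id>-sg, default); any further NSX Cloud-assigned group names and the VNet id format are assumptions and can be passed in by the caller.

```python
import re

# Azure default quarantine group name from the page; the VNet id character set is an assumption.
AZURE_DEFAULT_RE = re.compile(r"^default-vnet-[A-Za-z0-9-]+-sg$")


def default_group(vm):
    """Default security group NSX Cloud uses for this VM's cloud (names from the page)."""
    if vm["cloud"] == "aws":
        return "default"
    if vm["cloud"] == "azure":
        return "default-vnet-%s-sg" % vm["vnet_id"]
    raise ValueError("unknown cloud: %s" % vm["cloud"])


def is_nsx_assigned(sg, vm, extra_nsx_groups=()):
    """True if sg is a group NSX Cloud assigns: vm-underlay-sg, the cloud default
    quarantine group, or any caller-supplied name (extra_nsx_groups is an assumption)."""
    if sg == "vm-underlay-sg" or sg in extra_nsx_groups:
        return True
    if vm["cloud"] == "aws":
        return sg == "default"
    return bool(AZURE_DEFAULT_RE.match(sg))


def is_tagged(vm):
    """Tagged means nsx.network=default is set in the public cloud."""
    return vm["tags"].get("nsx.network") == "default"


def audit(inventory, extra_nsx_groups=()):
    """Return (vm_id, finding) pairs for VMs that need attention once Quarantine Policy is off."""
    findings = []
    for vm in inventory:
        target = default_group(vm)
        current = vm["security_group"]
        if vm["user_managed"]:
            # Page note: user-managed VMs left in an NSX Cloud-assigned group must be moved manually.
            if current != target and is_nsx_assigned(current, vm, extra_nsx_groups):
                findings.append((vm["id"], "move manually to %s" % target))
        elif is_tagged(vm):
            # Tagged, NSX-managed VMs must sit in an NSX Cloud-assigned group; anything else
            # is a manual change that NSX Cloud reverts within two minutes.
            if not is_nsx_assigned(current, vm, extra_nsx_groups):
                findings.append((vm["id"], "drift: %s is not NSX Cloud-assigned; will be reverted" % current))
        # Untagged VMs not in the User Managed list: NSX Cloud takes no action, nothing to report.
    return findings


# Constructed sample inventory (ids, VNet id and group names are made up for the example).
INVENTORY = [
    {"id": "i-aaa", "cloud": "aws", "vnet_id": None, "tags": {"nsx.network": "default"},
     "user_managed": True, "security_group": "vm-underlay-sg"},          # needs manual move
    {"id": "vm-bbb", "cloud": "azure", "vnet_id": "vnet01", "tags": {"nsx.network": "default"},
     "user_managed": False, "security_group": "web-tier-nsg"},           # drift, will be reverted
    {"id": "i-ccc", "cloud": "aws", "vnet_id": None, "tags": {},
     "user_managed": False, "security_group": "legacy-sg"},              # untagged, ignored
    {"id": "vm-ddd", "cloud": "azure", "vnet_id": "vnet01", "tags": {"nsx.network": "default"},
     "user_managed": False, "security_group": "default-vnet-vnet01-sg"}, # compliant
]

if __name__ == "__main__":
    for vm_id, finding in audit(INVENTORY):
        print(vm_id, finding)
```

Running the audit on the sample inventory reports i-aaa (user-managed but still in vm-underlay-sg, so it must be moved to default) and vm-bbb (tagged and moved to a group NSX Cloud did not assign, so the change will be reverted); the untagged VM and the VM already in default-vnet-vnet01-sg produce no finding, matching the tables.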